Windhawk seems to crash visual studio

[learn-more]

Recently I have noticed more visual studio (2019) crashes than before.

This entry from the event log seems to incriminate Windhawk:

Faulting application name: devenv.exe, version: 16.9.31205.134, time stamp: 0x606b75b3
Faulting module name: windhawk.dll, version: 0.9.1.0, time stamp: 0x62346d24
Exception code: 0xc0000005
Fault offset: 0x000084fe
Faulting process ID: 0x8380
Faulting application start time: 0x01d85ef9dc8c49a4
Faulting application path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe
Faulting module path: C:\Program Files\Windhawk\Engine\0.9.1\32\windhawk.dll
Report ID: cfafd42b-c7c3-4132-b12c-8c9ba7c13a27
Faulting package full name: 
Faulting package-relative application ID: 

The solutions I am commonly working with are medium-sized (150 - 250 projects loaded).

I am assuming this is not enough info for you to track the actual issue down, so what more info would you need / what steps can I take to aid you in debugging this?

----- edit ------
It crashed again, and this time I was able to capture a minidump.
This line was printed a ton of times, so I removed it from the output:
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.

Here is the output (with only that line removed from it):

0:143> !analyze -v
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.ScriptedHost.ni.dll
*** WARNING: Unable to verify checksum for PresentationFramework.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.DiagnosticsHub.Presentation.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.DiagnosticsHub.Runtime.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.DiagnosticsHub.VisualStudio.Package.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.Threading.ni.dll
*** WARNING: Unable to verify checksum for WindowsBase.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.Shell.15.0.ni.dll
*** WARNING: Unable to verify checksum for System.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.ProjectSystem.Implementation.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.Telemetry.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.Shell.UI.Internal.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.Platform.VSEditor.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.CodeAnalysis.Workspaces.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.Build.ni.dll
*** WARNING: Unable to verify checksum for PresentationUI.ni.dll
Failed to request MethodData, not in JIT code range
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 201999

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 297038

    Key  : Analysis.Init.CPU.mSec
    Value: 874

    Key  : Analysis.Init.Elapsed.mSec
    Value: 14513

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 292

    Key  : CLR.BuiltBy
    Value: NET48REL1LAST_C

    Key  : CLR.Engine
    Value: CLR

    Key  : CLR.Version
    Value: 4.8.4300.0

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 681141

    Key  : Timeline.Process.Start.DeltaSec
    Value: 61744

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 16.9.31205.134


NTGLOBALFLAG:  400

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=000054c4
eip=778f385c esp=87aaeb1c ebp=87aaeb68 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!NtFlushInstructionCache+0xc:
778f385c c20c00          ret     0Ch
Resetting default scope
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 739684fe (windhawk+0x000084fe)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000008
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 87aaeb58
Attempt to read from address 87aaeb58

PROCESS_NAME:  devenv.exe

READ_ADDRESS:  87aaeb58 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  87aaeb58

FAULTING_THREAD:  ffffffff

STACK_TEXT:  
87aaeb1c 778f385c ntdll!NtFlushInstructionCache+0xc
87aaeb2c 7396769d windhawk+0x769d
87aaeb7c 73967bfb windhawk+0x7bfb
87aaec5c 7396e242 windhawk!InternalWh_FindCloseSymbol+0x2572
87aaec9c 7396e0ff windhawk!InternalWh_FindCloseSymbol+0x242f
87aaecd0 7650de8c KERNELBASE!CreateProcessW+0x2c
87aaed08 5da9a929 Microsoft_VisualStudio_ScriptedHost_ni+0xaa929
87aaedf8 5da9e840 Microsoft_VisualStudio_ScriptedHost_ni+0xae840
87aaef10 5da9e152 Microsoft_VisualStudio_ScriptedHost_ni+0xae152
87aaef78 72232e01 mscorlib_ni!System.Threading.ThreadHelper.ThreadStart_Context+0xa1
87aaef84 72258604 mscorlib_ni!System.Threading.ExecutionContext.RunInternal+0xc4
87aaefe8 72258537 mscorlib_ni!System.Threading.ExecutionContext.Run+0x17
87aaeffc 722584f4 mscorlib_ni!System.Threading.ExecutionContext.Run+0x44
87aaf018 72232d5b mscorlib_ni!System.Threading.ThreadHelper.ThreadStart+0x47
87aaf030 73acf036 clr!CallDescrWorkerInternal+0x34
87aaf03c 73ad22da clr!CallDescrWorkerWithHandler+0x6b
87aaf090 73ad859b clr!MethodDescCallSite::CallTargetWorker+0x16a
87aaf104 73be9657 clr!ThreadNative::KickOffThread_Worker+0x131
87aaf274 73c7e1e6 clr!ManagedThreadBase_DispatchInner+0x71
87aaf28c 73c7e271 clr!ManagedThreadBase_DispatchMiddle+0x7e
87aaf330 73c7e162 clr!ManagedThreadBase_DispatchOuter+0x99
87aaf384 73c7e351 clr!ManagedThreadBase_FullTransitionWithAD+0x2f
87aaf3a8 73be9508 clr!ThreadNative::KickOffThread+0x260
87aaf42c 73b94bb7 clr!Thread::intermediateThreadProc+0x58
87aafb4c 75d4fa29 kernel32!BaseThreadInitThunk+0x19
87aafb5c 778e7a9e ntdll!__RtlUserThreadStart+0x2f
87aafbb8 778e7a6e ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .ecxr ; kb ; ** Pseudo Context ** Pseudo ** Value: 92 ** ; kb

SYMBOL_NAME:  windhawk+769d

MODULE_NAME: windhawk

IMAGE_NAME:  windhawk.dll

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_CONTEXT_MISMATCH_c0000005_windhawk.dll!Unknown

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

IMAGE_VERSION:  0.9.1.0

FAILURE_ID_HASH:  {0bb89155-ff74-9d6d-19ed-304672287170}

Followup:     MachineOwner
---------

And here is a dump of the 4 addresses in Windhawk:

0:143> d 7396769d
7396769d  8b d8 83 c4 34 85 db 75-08 85 d2 0f 84 05 01 00  ....4..u........
739676ad  00 a1 80 21 9a 73 85 c0-74 0a 8b 35 70 21 9a 73  ...!.s..t..5p!.s
739676bd  85 f6 75 35 68 7c 86 99-73 ff 15 5c 11 99 73 8b  ..u5h|..s..\..s.
739676cd  35 58 11 99 73 8b f8 68-04 96 99 73 57 ff d6 68  5X..s..h...sW..h
739676dd  1c 96 99 73 57 a3 80 21-9a 73 ff d6 8b f0 a1 80  ...sW..!.s......
739676ed  21 9a 73 89 35 70 21 9a-73 85 c0 74 0a 85 f6 74  !.s.5p!.s..t...t
739676fd  06 53 ff d0 50 ff d6 33-c0 5f 5e 5b 8b e5 5d c3  .S..P..3._^[..].
7396770d  64 a1 2c 00 00 00 8b 0d-24 1a 9a 73 8b 0c 88 a1  d.,.....$..s....

0:143> d 73967bfb
73967bfb  83 c4 08 85 c0 0f 84 18-01 00 00 eb 22 8b d6 8b  ............"...
73967c0b  cf e8 ff f5 ff ff 83 c4-08 89 45 dc c6 45 fc 0b  ..........E..E..
73967c1b  85 c0 0f 84 0d 01 00 00-50 ff 15 70 11 99 73 8b  ........P..p..s.
73967c2b  4d e0 85 c9 74 42 8b 55-e8 8b c1 2b d1 81 fa 00  M...tB.U...+....
73967c3b  10 00 00 72 14 8b 49 fc-83 c2 23 2b c1 83 c0 fc  ...r..I...#+....
73967c4b  83 f8 1f 0f 87 ee 00 00-00 52 51 e8 e0 3d 01 00  .........RQ..=..
73967c5b  83 c4 08 c7 45 e0 00 00-00 00 c7 45 e4 00 00 00  ....E......E....
73967c6b  00 c7 45 e8 00 00 00 00-8b 55 9c 83 fa 08 72 32  ..E......U....r2

0:143> d 7396e242
7396e242  64 a1 2c 00 00 00 83 c4-08 8b 0d 24 1a 9a 73 8b  d.,........$..s.
7396e252  1c 88 a1 2c 22 9a 73 3b-83 04 00 00 00 7e 3b 68  ...,".s;.....~;h
7396e262  2c 22 9a 73 e8 41 d9 00-00 a1 2c 22 9a 73 83 c4  ,".s.A....,".s..
7396e272  04 83 f8 ff 75 24 c6 45-fc 02 e8 cf ab ff ff 68  ....u$.E.......h
7396e282  2c 22 9a 73 a3 30 22 9a-73 c6 45 fc 01 e8 ce d8  ,".s.0".s.E.....
7396e292  00 00 a1 2c 22 9a 73 83-c4 04 83 3d 30 22 9a 73  ...,".s....=0".s
7396e2a2  02 0f 8c 68 ff ff ff 3b-83 04 00 00 00 7e 31 68  ...h...;.....~1h
7396e2b2  2c 22 9a 73 e8 f1 d8 00-00 83 c4 04 83 3d 2c 22  ,".s.........=,"

0:143> d 7396e0ff
7396e0ff  f6 45 20 04 75 09 ff 77-04 ff 15 3c 10 99 73 e8  .E .u..w...<..s.
7396e10f  0d ae ff ff 83 38 02 7c-31 e8 03 ae ff ff ba 5c  .....8.|1......\
7396e11f  9f 99 73 8b ca 85 db 0f-45 cb 51 8b 4d 0c 85 c9  ..s.....E.Q.M...
7396e12f  0f 45 d1 52 ff 77 08 68-6c 9f 99 73 68 a0 9f 99  .E.R.w.hl..sh...
7396e13f  73 50 e8 5a 2f ff ff 83-c4 18 8b 45 34 50 ff 15  sP.Z/......E4P..
7396e14f  6c 11 99 73 c7 45 fc fe-ff ff ff e8 17 00 00 00  l..s.E..........
7396e15f  8b 45 e4 8b 4d f0 64 89-0d 00 00 00 00 59 5f 5e  .E..M.d......Y_^
7396e16f  5b 8b e5 5d c2 30 00 a1-a0 21 9a 73 83 c0 08 f0  [..].0...!.s....

[m417z]

What I know so far:

The crash happens when Visual Studio, which is a 32-bit process, launches a 64-bit process.
The crash occurs here, while calling NtQueueApcThread via heaven's gate.
The wow64ext library is used for the heaven's gate call, and the crash inside wow64ext happens in 64-bit assembly code here.

According to the exception record, an access violation occurred while attempting to read from address 87aaeb58. The address looks valid, between esp and ebp (esp=87aaeb1c ebp=87aaeb68).

So it seems that everything is fine, and yet there's a crash. Last time I had to handle a crash related to a heaven's gate call, it was an AMD-specific bug. Let's hope this one will be easier to diagnose and fix.

Things that might help with the investigation:

• Finding out which process is being launched. A monitoring tool like procmon can be used.
• Making sure that the issue happens with no enabled mods too.

[m417z]

OK, I think I found the problem. The address is 87aaeb58, which has the upper bit set. When sign extended, it becomes ffffffff87aaeb58 which is obviously an invalid address. The sign extended operation occurs here. The error is not common because it only occurs with the /LARGEADDRESSAWARE flag which allows a user-mode address to have its upper bit set.

[m417z]

I can reproduce the crash with the following code:
https://gist.github.com/m417z/7177d820252ab42f4d86c905589b6f05

[m417z]

Fixed in Windhawk v0.9.2.

[learn-more]

Thanks!

[callmejed]

This is happening for me. I'm using Windhawk 1.4.1. I started using Windhawk on my Intel desktop at home without any issues to speak of, but at the office on my AMD laptop (not sure if it matters) my VSCode became unresponsive and crashed. I spent hours troubleshooting. I wasn't even able to run the latest VSCode installer. I was able to get through the installation process with an older installer I had, but I still couldn't open VSCode after it finished. It wasn't until I exited Windhawk on a whim, and now VSCode works perfectly. It installs correctly without issue (even the latest VSCode release). If I start up Windhawk again, the same issue occurs. Unable to install VSCode and unable to open VSCode via .exe or CLI.

It's a total bummer because I was loving the Taskbar Thumbnail Reorder mod... Any ideas?

EDIT: Oh just noticed this post is for Visual Studio, whereas my problem is with Microsoft VS Code.

[m417z]

@callmejed please open a new issue. In the new issue, please provide the following information:

Do you see the issues even when all mods are disabled?

Does excluding VSCode in Windhawk's advanced settings help?

Also, please capture a crash dump. You should be able to get it with the following steps:

• Open regedit
• Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
• Create a key named LocalDumps
• Create a DWORD value named DumpType with value 2
• Trigger the crash
• Go to the %LocalAppData%\CrashDumps folder, you should see a dump file in there