Does HookChildProcesses still conflict with Windows 10 x64?

[wegood9]

HookChildProcesses is still conflicting with Windows 10 1809 x64. I'm using Mactype 2018.1-beta5 with default.ini.

Specific behavior is that the majority of programs crash. The processes of these applications and the related Windows Error Reporter do launch but their windows don't pop up. These exes can be launched by running as an Administrator or a third-party file manager such as Total Commander.

Examples of crashing applications :
cmd 7-Zip Chrome Firefox winver

It is HookChildProcesses that caused crashes. Listed as known issues, the problem can be solved by setting HookChildProcesses to 0. But disabling HookChildProcesses provides a limited experience of Mactype including not rendering Chrome and Firefox. And switching loading mode doesn't work for me.
I have no anti-virus software installed and even disabled Windows Defender when testing.
It has existing on my PC since the first time I used Mactype on Windows 10. There are old issues of the similar situation in old versions. Only after I read the release note

Better compatibility with Windows 10 (in theory... I've never encountered any incompatibility before)

of the latest version did I decide to submit this duplicate issue to confirm whether it's a common problem or peculiar issue to me and whether it has been solved.
So I wonder how compatible Mactype currently is with Windows 10. Hope Windows 10 users could offer your Mactype working status for reference.

[snowie2000]

Personally, I've never encountered such crash in all my test VMs.
So probably, I am not able to fix this issue without a working memory dump as the error reporting in your event log will almost certainly point to a temporary memory address that MacType allocates every time a program started.

[wegood9]

Here is a dump file generated by procdump64.exe -ma -t -w 7zfm.exe
Mactype was loaded as standalone mode.
7zFM.exe_181209_104749.zip

[snowie2000]

Sorry, but this dump doesn't help because it doesn't break at the correct point.
A dump on the crash is what solves the problem. Please follow the procedures in https://stackoverflow.com/questions/20237201/best-way-to-have-crash-dumps-generated-when-processes-crash to let Windows do the dump for you.

Thank you for doing so much for MacType.💋

[wegood9]

Having regenerated dump file for notepad
notepad.exe.8692.zip

[snowie2000]

Where did you launch these applications? From explorer or from something else like a 32bit launcher?
And if it is not the explorer, is the launcher elevated?

[wegood9]

Windows explorer or start menu. The given example happened when I tried to start notepad from context menu in explorer.

[wegood9]

Total Commander I use is a 64 bit file manager and not elevated. Applications launched from it simply won't crash and will get rendered properly.

[snowie2000]

I'm quite confused with what I see in the dump.
So I made a little change to try to fix the problem.
Extract and overwrite the mactype64.dll file, and see if the problem is solved. Thank you.

MacType64.zip

[wegood9]

It doesn't work.

[snowie2000]

Alright, there is what I would like you to do to make things clear.
Download Process Explorer and navigate to explorer.exe, on the lower panel, enable column Base and ASLR.
Find the base of kernel32.dll and kernelbase.dll like the picture shown below:

[wegood9]

[snowie2000]

Okay, I think I found the problem. You used Locale Emulator which faked the API addresses.
Disable it and try again.

[wegood9]

I tried disabling LE and rebooted, but the problem still exists. I'm pretty sure that it's not LE that causes crashes because Mactype had caused crashes before I installed LE.

new screenshot of process explorer

[snowie2000]

MacType64-msg.zip

Disable mactype
extract file
overwrite file
Drag notepad.exe to macloader64.exe to launch it manual, DO NOT enable mactype system-wide or you'll be flooded with message boxes.
Start a another program from open dialog of the notepad.

This way, you'll get a message box telling you information MacType got to do hooking.

[wegood9]

The programs can be launched successfully with msgbox attached below.

[snowie2000]

So, the child process didn't crash? It only crashes when launched from explorer?
Then, only enable mactype to explorer.exe, launch a notepad, and disable mactype for explorer after msgbox immediately to avoid further popups.

[wegood9]

It seems that only child processes of explorer will crash.

[snowie2000]

See, the API address is not right compared to the value of the previous screenshot.
Can you give a full log of explorer.exe?
Here is how:

• select explorer.exe in process explorer
• enable another column called Mapped Size
• file->save as...

You'll get a txt file. Please upload here.

Thanks.

[wegood9]

Here is it
explorer.exe.txt

[snowie2000]

No dll is allocated at address 0x7ffe00000000. This must a dynamically allocated by a file and god knows that.
I believe the GetProcAddress is hooked as well so can't be trusted anymore. I need to manually search for the real address.

[snowie2000]

Try this one, please. Msgbox is still there, so don't enable it system-wide unless you're prepared for a hard reset.

MacType64-msg-customfunc.zip

[wegood9]

notepad still crashes :(
The msgbox is the same as I posted before.

[snowie2000]

What does the dialog say?

[snowie2000]

Alright, while I am trying other ways, could you please use the tool PCHunter to check the hooks of the explorer.exe?
This is how you do it: #441 (comment)

[wegood9]

PChunter refused to launch due to errors when loading its driver. My Windows version is Build 17763, while the free version of PChunter officially supports only up to Build 17134.
As far as I know, there is no public Anti-Rootkit tool which supports Windows 1809. It's a matter to use such a newly released Windows.

[snowie2000]

MacType64-reloc.zip

This build used a special way to get the API address. Try it to see if it works for you.

[snowie2000]

@wegood9 Hi, I would like to know if the last patch works for you.
PS: it is a version with popup, so please enable for explorer only.

[wegood9]

It doesn't work.
This is the msgbox that explorer gave:

This one is given by open dialog of notepad:

At this time, I can't launch programs by both explorer and the open dialog of notepad.

[snowie2000]

Thank you. This dialog tells me that it should work. It just needs a little tweak.

[wegood9]

I have no access to my computer during daytime, so please forgive me for the late replies.

[snowie2000]

It's ok. Thank you for replying at such a late time.

[snowie2000]

MacType64-fixed.zip

It should run as expected this time.

[wegood9]

It seems all right when I enable it only with explorer. The programs manage to get launched and render properly.

[snowie2000]

Good. Looks like my theory worked. I'll upload a version without msg box to finalize the problem.

I still recommend you to check your system as the crash bug is not really a bug. It means your system is hijacked by some kind of software. Strangely enough, the hijack only happens to your explorer.

[wegood9]

Sure, I will check my system later. Maybe my computer needs a clean reinstallation.
By the way, is it normal that a few wired problems such as taskmgr refusing to be launched when I enable the patch system-wide?

[snowie2000]

If you are using the old mactype64.dll, based on your situation, it is probably normal.

For the new one, it should launch normally. Anyway, let's see what will happen with my final solution tomorrow.

[wegood9]

Okay, Thanks for your answer.
I will close this issue after testing the final solution.

[snowie2000]

MacType64-final.zip

Here it is.

[wegood9]

Everything seems to work as expected. Thanks for your great efforts.