bytecode77
Issue with Opening Chrome and Task Manager After Installing r77 v1.63
Hi,
I am encountering an issue where I am unable to open Chrome, Edge, or Task Manager after installing r77 v1.63. My target machine is running Windows 11 Home Edition (fresh installation), OS version 26100.3194.
Initially, Windows Defender was enabled during the installation of r77. However, after installation, I received an "Access Denied" error when attempting to open certain applications. I suspected that Windows Defender might have flagged some files as threats, preventing execution. To rule this out, I completely uninstalled Windows Defender using scripts from GitHub.
Strangely, even after uninstalling the antivirus and reinstalling r77, I am still unable to launch certain applications such as Chrome, Edge, and Task Manager. The errors I receive include:
- Chrome/Edge: Can't find "chrome_elf.dll" or "msedge.dll."
- Task Manager: "The procedure entry point ImageList_CoCreateInstance could not be located in the dynamic link library C:\Windows\system32\taskmgr.exe."
Could you provide any insights into what might have gone wrong or how I can resolve this issue?
Thank you so much for you time!
I did encounter the same error on task manager and I am pretty sure it's anti-virus doinig.As soon as disable defender and it works fine.The difference is I didn't test on windows 11 but windows server 2016
I tried to complete delete the windows defender and the system does not come with other AVs, still the same. Very confusing.
I updated Windows 11 on my VM to the version that you tested with, however, TaskMgr and Edge don't cause any crashes, even with Windows Defender on.
Of course the problem is obviously there. I'll just need to be able to reproduce it. Do you have any more insights that might be helpful?
It is indeed hard to reproduce. I can't see anything that is common among devices that ran into these errors, except they are relatively new laptops, running windows 11 24h2. In the screenshot it says lack of a dll file, but actually when I uninstall r77 chrome runs perfectly.
Another thing is, some application freeze after installing r77. Again, for no apparent reasons. Since I am not expert in relevant areas, if you can give me some information you need to diagnose the problem, so that next time I encounter something alike, I can try to collect them and send them to you.
I was getting "cant find chrome_elf.dll" error today in a windows server 2019 VM,but it only occurred at the first run of chrome
I was getting "cant find chrome_elf.dll" error today in a windows server 2019 VM,but it only occurred at the first run of chrome
Not necessarily the first time for me, it may happen a couple of time before chrome runs normally. But when I closed it and tried to re-open, this error message may appear again. It seems something wrong with the r77's dll injection process, maybe sometimes the injection was only partially completed, so that chrome.exe couldn't find the dll files it needs, at least, not until the injection is fully done.
also first run of edge,afterward,it becomes normal,no error pop up
console application sometimes still getting this kind of error
@wineggdrop Exactly! The thing is, this access denied thing never happens on my own computers, laptop or desktop, actual machine or vm, they all work fine. So I can't reproduce it... I'll use my friends laptop tmr to try it out, capture some system calls using Procmon. Hopefully I can get something useful.
That's really a bummer when a bug is obviously there but can't be reproduced :(
You mind doing some trial & erroring with me? That way I can hopefully get an idea of where the bug may be.
- Can you uncomment everything in
InitializeHooks()andUninitializeHooks(), compile and test again? This removes all features from r77 and just leaves us with an injected DLL that does nothing. - If that works, can you figure out whether one particular hook causes these issues by uncommenting everything BUT this hook?
- Can you uncomment either
NewProcessListenerThread = NewProcessListener(NewProcessCallback);orChildProcessListenerThread = ChildProcessListener(ChildProcessCallback);? (not both at the same time, though). I would like to explore the possibility of race conditions, even though I doubt they can be possible...
Thank you in advance for helping me with testing & isolating the issue!
the above test result is of removing all the hook s
VOID InitializeHooks() { }
VOID UninitializeHooks() { }
so pretty sure it's not the hook causing it.I have been testing if the hook causing the issue by removing one hook at a time for testing,and eventually with no hook at all,still getting that same issue. The problem is the randomness,I am using the bat script looping to run console commands for the test,sometimes it won't reproduct the issue in hours or only occur once. Moreover,in some VM,it just works flawlessly
Thanks for testing removing the hooks! What about 3.) uncommenting one of the injection routes - how does this play out?
Thanks for testing removing the hooks! What about 3.) uncommenting one of the injection routes - how does this play out?
I would try that the coming test
It turns out my friend's laptop CAN indeed reproduce this issue. When r77 is installed, try running ffmpeg in terminal will 100% trigger "access is denied". Even with ffmpeg.exe's DOS stub changed(r77 service process), it still 100% triggers winerror 5 access denied. But since I don't have a windows computer with all the things I need to compile r77 on my own, I can't test 3) as of right now. But I've collected some info using Procmon64 and windows event viewer.
Since the access denied error only happens in console application,I am thinking if involving injection too early issue since console program initiation is kind of different from GUI program,if the injecting data starts to run before the console program completing the initiation and start its main thread,it may cause that error.If that is the case,may need to switch NtCreateThreadEx to NtQueueAPCThread,which would make sure the newly created process would not start the injection data before its own initiation process completed
@wineggdrop Please help me to get things straight here. I wrote R77_HELPER_SIGNATURE into ffmpeg, so technically r77 won't try to inject. I don't understand why this would be a injection too early problem. :( Thanks!
@wineggdrop Please help me to get things straight here. I wrote R77_HELPER_SIGNATURE into ffmpeg, so technically r77 won't try to inject. I don't understand why this would be a injection too early problem. :( Thanks!
are you sure you do that right?if no injection,it won't affect ffmpeg at all because R77 will check if the target has been injected or not before performing the injection.you can add ffmpeg's process name into PROCESS_EXCLUSIONS and recompile R77
modify r77def.h
change to
#define PROCESS_EXCLUSIONS { L"MsMpEng.exe", L"MSBuild.exe" ,L"ffmpeg.exe"}
Assume the ffmpeg with the processname as ffmpeg.exe,if not,you can modify it.
then you can test again,that would make sure ffmpeg will not be injected.
Now I am 100% sure the hooking isn't the cause of that issue.Today I modified the R77 dll and using AppInit DLLs to load the code,it works flawlessly.All applications loading user32.dll will loaded the modified R77 dll,I tested a few hours in 4 different VMs,no issue found.
@wineggdrop Please help me to get things straight here. I wrote R77_HELPER_SIGNATURE into ffmpeg, so technically r77 won't try to inject. I don't understand why this would be a injection too early problem. :( Thanks!
are you sure you do that right?if no injection,it won't affect ffmpeg at all because R77 will check if the target has been injected or not before performing the injection.you can add ffmpeg's process name into PROCESS_EXCLUSIONS and recompile R77
Yes sir I am 100% percent positive I did that. In fact, I even let ffmpeg do some idle run so that it wouldn't get terminated, and I opened r77 console to check if ffmpeg was recognized as a r77 service process, and it did.
For some machine it's like there would only be an one-time error, or better, no error at all.