Hello all
I have a rather strange issue with Rehips 2.5. I can install Rehips fine and it is working correct. But the system crashrf with a reboot or shutdown. The system also rebooted when I try to stop or stop/restart the Rehips service.
In the eventlog there is an entry with eventid 1001: The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef (..). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: <ID>.
I traced the issue back to some local group policies. I am working with a set of policies to harden my machines. On a clean VM Rehips is working fine. When I load the local group policies with LGPO and restart the VM, the issue is back. For the moment I am not able to find which policy setting or combo is causing the issue.
Does anyone have an idea?
Thanks
Kind regards,
Hello, droncula. And welcome to our forum.
Uploading the crash-dump and sending me link in PM might help find cause of crash. But it won't necessary help find the policy responsible. If I were debugging the issue, I'd try to apply only half of policies until I find the one responsible.
P.S. Looks like some critical process dies, but by bugcheck code it's impossible to say why.
Hello Fixer,
Thanks for the respons. I have send you a PM with a download link to to the memory dump file.
Kind regards,
Droncula
Thank you, file received. Will take a look.
Some critical process indeed unexpectedly died. svchost in session 0, to be exact. But doesn't look like you're using the latest ReHIPS 2.5.0 release. More like some 2.5.0 RC version.
1. Does it happen on latest 2.5.0 release?
2. Looks like the process crashed with ACCESS VIOLATION. But from this dump it's impossible to say what caused the exception. Any events about exception in windows journals?
HookDll may do some non-standard stuff to unload itself. So maybe you enabled some policy that forces system processes (since it's a system svchost process) to operate only the standard way, it may trigger the policy. Something like denying code execution from dynamically allocated memory or forcing additional checks to fight ROP-exploits.
Hello Fixer,
Thanks for looking into it. It seems the issue is there when I install version 2.5.
I am going to make a clean VM and retest it.
The only events I see are the "The computer has rebooted from a bugcheck. The bugcheck was: 0x000000ef (0xffffda0f7db7b2c0, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: aea74302-cbac-4e40-a1b7-ef67e98d3b16." and that a critical one that the computer recovers from a severe error.
Kind regards,
Any way I could reproduce it on our test PCs? Maybe some policy rules that make OS crash after I install them?
Hello Fixer
After rebuilding my policy configuration it seems that the policy "Enable svchost.exe mitigration options" is causing the issue. More info about the policy: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ServiceControlManager::SvchostProcessMitigationEnable.
On a brand new system, I have set my policy settings and installed Rehips 2.5. For the moment I have no issues anymore. I will test it on an other machine to be sure.
Kind regards,
This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code.
Most likely it's because of "disallowing dynamically-generated code". Thank you for your report, will try to find some compatible solution.
Fixed.
Hello Fixer
Do I need to download a new version of Rehips?
Thanks
I expect a new version with this fix included should be publicly available in several days. In case you don't want to wait and want to try upcoming beta, you can get it here
https://rehips.com/ReHIPSSetup2.6.0-sirius.zip
Changelog:
-internal debugging moved to WPP;
-fixed bug with inherited access rights cache of isolated programs;
-some hooks are skipped and other honor ProhibitDynamicCode policy;
-fixed incorrect memory free in volume control;
-fixed incorrect folder unfolding to FOLDERID;
-added basic support of state and progress, overlay icons, minibuttons and preview with tooltip of isolated desktops taskbar;
-"Send to ReHIPS folder" submenu added to Explorer.
-InnoSetup updated from 6.1.2 to 6.2.0;
-added several programs and trusted command lines/vendors to RulesManager.
Hello Fixer
Thanks for the new version. I tested it today on a VM. Works like a charm :). I will test it this week on a physical machine.
Thanks for the beta version & the changes.
Kind regards,
Droncula
Hello Fixer
I am testing Rehips 2.6 beta since a week on a physical machine with the same Windows Group Policies. No issues so far :).
Kind regards,
Droncula
Thank you for the update.
It's good to hear since 2.6 release is ready and will be published soon.