Rehips 2.5: system crash at shutdown or restart

Started by droncula, January 25, 2022, 11:44:42 PM


droncula

Hello all

I have a rather strange issue with Rehips 2.5. I can install Rehips fine and it is working correctly. But the system crashes on a reboot or shutdown. The system also reboots when I try to stop or stop/restart the Rehips service.

In the eventlog there is an entry with eventid 1001: The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000ef (..). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: <ID>.

I traced the issue back to some local group policies. I am working with a set of policies to harden my machines. On a clean VM Rehips is working fine. When I load the local group policies with LGPO and restart the VM, the issue is back. For the moment I am not able to find which policy setting or combo is causing the issue.

Does anyone have an idea?

Thanks

Kind regards,


fixer

#1
Hello, droncula. And welcome to our forum.
Uploading the crash dump and sending me the link in a PM might help find the cause of the crash. But it won't necessarily help find the policy responsible. If I were debugging the issue, I'd apply only half of the policies at a time until I find the one responsible.
P.S. Looks like some critical process dies, but by bugcheck code it's impossible to say why.

droncula

Hello Fixer,

Thanks for the response. I have sent you a PM with a download link to the memory dump file.

Kind regards,

Droncula

fixer

Some critical process indeed unexpectedly died. svchost in session 0, to be exact. But it doesn't look like you're using the latest ReHIPS 2.5.0 release. More like some 2.5.0 RC version.
1. Does it happen on the latest 2.5.0 release?
2. Looks like the process crashed with an ACCESS VIOLATION. But from this dump it's impossible to say what caused the exception. Any events about the exception in the Windows event logs?

HookDll may do some non-standard stuff to unload itself. So maybe you enabled some policy that forces system processes (since it's a system svchost process) to operate only in the standard way, and that triggers it. Something like denying code execution from dynamically allocated memory or forcing additional checks to fight ROP exploits.

droncula

Hello Fixer,

Thanks for looking into it. It seems the issue is there when I install version 2.5.

I am going to make a clean VM and retest it.

The only events I see are "The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000ef (0xffffda0f7db7b2c0, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: aea74302-cbac-4e40-a1b7-ef67e98d3b16." and a critical one that the computer has recovered from a severe error.

Kind regards,

fixer

Any way I could reproduce it on our test PCs? Maybe some policy rules that make OS crash after I install them?

droncula

Hello Fixer

After rebuilding my policy configuration it seems that the policy "Enable svchost.exe mitigation options" is causing the issue. More info about the policy: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ServiceControlManager::SvchostProcessMitigationEnable.

On a brand new system, I have set my policy settings and installed Rehips 2.5. For the moment I have no issues anymore. I will test it on another machine to be sure.

Kind regards,

fixer

This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code.

Most likely it's because of "disallowing dynamically-generated code". Thank you for your report, will try to find some compatible solution.
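
One way to confirm on an affected machine that this policy is what actually reaches svchost.exe, and to pull the crash evidence fixer asked for, as an added example in PowerShell (not ReHIPS code and not anything posted in the thread). It assumes the registry backing described on the linked admx.help page (HKLM\SYSTEM\CurrentControlSet\Control\SCMConfig, value EnableSvchostMitigationPolicy, DWORD 1 = enabled; verify against that page before relying on it) and the Get-ProcessMitigation cmdlet shipped with Windows 10 1709 and later; the property names DynamicCode.BlockDynamicCode and SignedBinaries.MicrosoftSignedOnly are assumed from that cmdlet's output and should be checked with Format-List if they come back empty. Run it elevated.

```powershell
# Added example: report the svchost mitigation policy state, the mitigations
# actually applied to the session-0 svchost.exe processes, and recent crash
# events. Registry location is an assumption taken from the admx.help page.
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SCMConfig'
$RegValue = 'EnableSvchostMitigationPolicy'

function Get-SvchostMitigationPolicyState {
    $item = Get-ItemProperty -Path $RegPath -Name $RegValue -ErrorAction SilentlyContinue
    if ($null -eq $item)           { return 'NotConfigured' }
    if ($item.$RegValue -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

function Get-SvchostDynamicCodeState {
    # Service hosts live in session 0; that is the svchost fixer saw die.
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq 0 } |
        ForEach-Object {
            $m = Get-ProcessMitigation -Id $_.Id -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid                 = $_.Id
                # Assumed property names; inspect $m | Format-List if empty.
                BlockDynamicCode    = if ($m) { $m.DynamicCode.BlockDynamicCode } else { 'n/a' }
                MicrosoftSignedOnly = if ($m) { $m.SignedBinaries.MicrosoftSignedOnly } else { 'n/a' }
            }
        }
}

function Get-SvchostCrashEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Application Error (ID 1000) names the faulting module and exception code
    # (0xc0000005 = ACCESS_VIOLATION). BugCheck (ID 1001) is the reboot record
    # droncula quoted; its first parameter for 0xEF is the dying process object.
    $appErrors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $since } `
                    -ErrorAction SilentlyContinue |
                 Where-Object { $_.Message -match 'svchost\.exe' }
    $bugchecks = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $since } `
                    -ErrorAction SilentlyContinue |
                 Where-Object { $_.Message -match 'bugcheck' }
    [pscustomobject]@{
        AppErrors = @($appErrors | Select-Object TimeCreated, Message)
        BugChecks = @($bugchecks | Select-Object TimeCreated, Message)
    }
}

"svchost mitigation policy: $(Get-SvchostMitigationPolicyState)"
Get-SvchostDynamicCodeState | Format-Table -AutoSize
$ev = Get-SvchostCrashEvents -Hours 72
"Application Error (1000) entries naming svchost.exe: $($ev.AppErrors.Count)"
"BugCheck (1001) entries: $($ev.BugChecks.Count)"
$ev.AppErrors | Format-List
```

Two things to keep in mind when reading the output. A critical-process crash takes the machine down before WER necessarily flushes the Application Error record, so an empty 1000 list alongside a 1001 entry (what droncula reported) is consistent with the svchost access violation fixer found in the dump; the dump itself remains the authoritative evidence. And the per-process view is the useful half of the check: if BlockDynamicCode shows as enforced on the session-0 hosts, any third-party DLL in those processes that allocates or re-protects executable memory (hook trampolines, unload stubs) will fault exactly as described, which is why the fix has the hooks honour ProhibitDynamicCode rather than relying on the policy being off.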

droncula

Hello Fixer

Do I need to download a new version of Rehips?

Thanks

fixer

I expect a new version with this fix included should be publicly available in several days. In case you don't want to wait and want to try upcoming beta, you can get it here
https://rehips.com/ReHIPSSetup2.6.0-sirius.zip

Changelog:
-internal debugging moved to WPP;
-fixed bug with inherited access rights cache of isolated programs;
-some hooks are skipped and other honor ProhibitDynamicCode policy;
-fixed incorrect memory free in volume control;
-fixed incorrect folder unfolding to FOLDERID;
-added basic support of state and progress, overlay icons, minibuttons and preview with tooltip of isolated desktops taskbar;
-"Send to ReHIPS folder" submenu added to Explorer;
-InnoSetup updated from 6.1.2 to 6.2.0;
-added several programs and trusted command lines/vendors to RulesManager.

droncula

Hello Fixer

Thanks for the new version. I tested it today on a VM. Works like a charm :). I will test it this week on a physical machine.

Thanks for the beta version & the changes.

Kind regards,

Droncula

droncula

Hello Fixer

I have been testing the Rehips 2.6 beta for a week on a physical machine with the same Windows Group Policies. No issues so far :).

Kind regards,

Droncula

fixer

Thank you for the update.

It's good to hear since 2.6 release is ready and will be published soon.