leecher1337 / ntvdmx64

Run Microsoft Windows NTVDM (DOS) on 64bit Editions

No process is on the other end of the pipe #92

Closed Mutamid closed 2 years ago

Mutamid commented 4 years ago

I installed NTVDMx64 on Windows 10. It worked, but not always well, I think because the antivirus program deleted some files. I uninstalled it, deactivated the antivirus and reinstalled it. But since then I can't open a DOS program. I get the message: “NTVDM has encountered a System error. No process is on the other end of the pipe. Choose ‘closer’ to terminate the application”. I have uninstalled and reinstalled the application several times, and I always get the same message. The version of NTVDMx64 is the last one that appears on the page of E. Mendelson.

leecher1337 commented 4 years ago

Looks like ERROR_PIPE_NOT_CONNECTED, the question is which function fails. Please use Debugview to check the NTVDM debug log. It should spit out a line like: NTVDM:ErrNo ... Paste the result here, so that the function that fails on your machine can be identified.

Mutamid commented 4 years ago

Debugview shows this error: [5708] NTVDM:ErrNo 0xe9, z:\minnt\base\mvdm\softpc.new\host\src\nt_fulsc.c:3332

leecher1337 commented 4 years ago

Looks like your Windows console is damaged: This error is the result of a call to GetConsoleMode(sc.InputHandle, &mode) where InputHandle = GetStdHandle(STD_INPUT_HANDLE). So I suspect this is not related to NTVDM but to your Windows console. Is your Windows console working correctly?

Mutamid commented 4 years ago

It's working. CMD works, but I cannot open DOS applications.

Mutamid commented 4 years ago

When I boot Windows, Debugview shows these lines at the beginning:

[11528] Hook_IAT_x64(638D0000, ext-ms-win-kernelbase-processthread-l1-1-0.dll, BasepProcessInvalidImage, 632622E4)
[11528] Hooked -> 632622E4
[11528] LDNTVDM: BasepProcessInvalidImageReal = 65704790
[11528] LDNTVDM: BaseIsDosApplication = 65728EF0
[11528] LDNTVDM is running inside ConHost.exe
[11528] Hook_IAT_x64_IAT(5BF10000, ntdll.dll, RtlAllocateHeap, 63262908, 63268AA8)
[11712] [HC] -SetEndPointInfo

leecher1337 commented 4 years ago

If you start up a DOS application, ntvdm should start up with a conhost.exe process attached to it. You can check with Sysinternals Process Explorer, if there is a conhost.exe process attached and if it lists conhostv1.dll in its loaded modules. If conhost.exe loads conhostv2.dll instead, the wrong console gets loaded.

Mutamid commented 4 years ago

I have installed the application Process Explorer. I have started a DOS application. There is no conhostv1.dll, conhostv2.dll, Conhost.exe, or Conhost.exe.mui in Process Explorer.

When I start a DOS application, Process Explorer shows conhost.exe for a little while, and it quickly disappears. I found conhost.exe in c:\Windows\System32. I executed this command and Process Explorer showed it. But when I start a DOS application, it disappears.

In System 32 there are conhost.exe and ConhostV1.dll, but not ConhostV2.dll.

leecher1337 commented 4 years ago

Maybe conhost.exe crashes and then disappears making the pipe end of conhost disappear which in turn then results in the error message mentioned. You can check your system event log if it shows i.e. an access violation within conhost.exe that leads to a crash of the console host process.

Ensure that you don't have any Antivirus solution running. Windows Defender that ships with Windows seems to play well, but some other AVs are doing really nasty things, i.e. they could theoretically detect the ldntvdm-loader within the conhost.exe process and kill it which in turn crashes conhost.

If you need to debug conhost, you can start a dos-application in suspended state (CreateProcess with dwCreationFlags set to CREATE_SUSPENDED), then attach to conhost.exe, resume the ntvdm and then step through conhost with a debugger (i.e. x32dbg) to trace its execution flow.

Mutamid commented 4 years ago

In CMD, I typed: regsvr32 conhostv1.dll. And the result was (I use a Spanish Windows, this is an approximate translation into English):

Module 'conhostv1.dll' loaded, but DllRegisterServer entry point not found. Make sure conhostv1.dll is a valid dll or OCX file and try again.

I replaced the original conhostv1.dll file with another one, but the result is the same. I have not understood the procedure CreateProcess.

leecher1337 commented 4 years ago

conhostv1.dll is not a COM-Component, it's being loaded as a console implementation by conhost.exe, so regsvr32 doesn't make any sense.

Before starting to debug the conhost.exe process, did you have a look at the event log if there are traces of a conhost.exe crash in the application log?

Mutamid commented 4 years ago

When I open a DOS application, Process Explorer shows WerFault.exe for a brief moment. The lines for conhost and WerFault.exe turn red and then disappear. In DebugView, before starting a DOS application, there isn't a conhost.exe process. It shows several NTVDM: Spurius int!

leecher1337 commented 4 years ago

Werfault indicates a conhost.exe crash. So, again: Is there an entry with more information about the conhost.exe crash in your system event log (located in the Control panel or by executing eventvwr.exe)?

Windows may have collected a crash dump in its crashdump folders already. For further reading on crash dump collection see here: https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps

If you have a crashdump available, you can attach it here for further analysis.

If you want to debug conhost on your own, you can use the following little tool to start the ntvdm suspended: startapp.zip

Start it with: startapp [Path and filename of your DOS application]

It then starts up ntvdm.exe in suspended state. At this stage, a console should be allocated to the ntvdm.exe process. If the console doesn't crash in this stage, you can then attach a debugger like x64dbg to the conhost.exe process, let it run, resume the main thread of the suspended ntvdm.exe (i.e. via Process Explorer or you can also attach with a second instance of x32dbg to ntvdm.exe and resume the main thread within the debugger). When the crash in conhost.exe occurs, your x64dbg should halt at the position. You can then judge from the stack trace where the error occurs. It is possible to download debug symbols as well to have more meaningful stack traces.
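The event-log and crash-dump checks requested in the comments above can be done from a PowerShell prompt. This is an added example, not part of the original thread or the NTVDMx64 project; it assumes the standard "Application Error" provider (event ID 1000) and the WER LocalDumps registry key described on the linked Microsoft page.

```powershell
# Added example (not from the thread): collect evidence of a conhost.exe crash.
$target = 'conhost.exe'

# 1) Crash records: provider "Application Error", event ID 1000, Application log.
#    Matching on the message text also works on a localized Windows, because
#    the faulting executable name is not translated.
$crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$target*" } |
    Select-Object -Property TimeCreated, Message -First 5

if ($crashes) {
    $crashes | Format-List
} else {
    "No 'Application Error' (ID 1000) entries mention $target."
}

# 2) Dump location: WER LocalDumps settings if configured, otherwise the
#    documented default folder %LOCALAPPDATA%\CrashDumps.
$werKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$dumpDir = Join-Path $env:LOCALAPPDATA 'CrashDumps'
if (Test-Path $werKey) {
    $cfg = Get-ItemProperty -Path $werKey
    if ($cfg.DumpFolder) {
        $dumpDir = [Environment]::ExpandEnvironmentVariables($cfg.DumpFolder)
    }
} else {
    "LocalDumps key not present: WER is not set up to keep local user-mode dumps."
}

# 3) List dumps written for the console host, newest first.
Get-ChildItem -Path $dumpDir -Filter "$target*.dmp" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime
```

The newest event's faulting module name and exception code, plus any listed .dmp file, are the items to attach to the issue.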

leecher1337 commented 2 years ago

No feedback has been given within 18 months, assuming ticket was resolved in the meantime, closing.