sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

BSoD "CRITICAL_PROCESS_DIED" when terminate all sandboxed programs #1316

Open 0x391F opened 3 years ago

0x391F commented 3 years ago

Describe the bug: BSoD "CRITICAL_PROCESS_DIED" when terminating all sandboxed programs.

To Reproduce Steps to reproduce the behavior:

  1. Run some programs in Sandboxie.
  2. Click on 'Terminate All Programs'
  3. BSoD "CRITICAL_PROCESS_DIED"

System details and installed software

If you have a compatibility issue

Additional context Add any other context about the problem here.

Sandboxie configuration: If applicable, consider attaching your Sandboxie.ini configuration by copying the content to https://gist.github.com and sharing the resulting link. If you decide to paste the configuration here, make sure to use backticks around strings, like in this working example:

My initial sandboxie.ini settings

```
[GlobalSettings]
.....
[UserSettings_175D0429]
.....
[DefaultBox]
.....
```

DavidXanatos commented 3 years ago

Do you have a crash dump? Do you know which process died? Is the problem reproducible or a one-off occurrence?

Zymlex commented 3 years ago

I have encountered such a very rare BSOD; in one case it was associated with killing a single process through SandMan. I was not sure that this is not a hardware problem.

ghost commented 3 years ago

It was happening for me every time I tried to shut down my laptop on Windows 10. Now I have Windows 11. Shutdown seems to work fine. I had only one BSOD, but a dump was not generated for some reason.

Zymlex commented 3 years ago

You can use this program to view it: https://www.nirsoft.net/utils/blue_screen_view.html. The main thing is to select the correct dump in the C:\Windows\MiniDump folder.

ghost commented 3 years ago

WinDbg is better.

ghost commented 3 years ago

I receive a memory management BSOD when restarting the computer when Classic v5.51.6 is installed. However, I cannot be sure it is caused by Sandboxie. Anyway, it is the fastest working version on my slow PC with Windows 11. On the other hand, v5.53.1 has some hiccups after starting Chrome and it is not so responsive. I will let you know if I still get a BSOD. So far no minidumps were created.

Zymlex commented 2 years ago

del

ImSpecial commented 2 years ago

Throwing my hat into the ring too, I've experienced this twice since upgrading from 5.51.5 to 5.53.3, I don't know the cause, it seems pretty rare, but both times, when doing the "terminate all" thing, a BSOD happened.

ghost commented 2 years ago

It happens every time I shut down my PC. However, a dump is never generated. It is enabled though. What's more, it does not seem to happen on restart. It did it on Windows 10 and it still does it after upgrading to Windows 11.

ghost commented 2 years ago

There is a Windows glitch. If you manually select to use the pagefile exclusively on the system drive, it warns you that minidumps may not be generated at all. They are generated but somehow not saved. I switched the pagefile setting to system managed on all drives. So it should finally generate a minidump next time.

shenm233 commented 2 years ago

I also encountered this problem; it may be caused by the SbieSvc.exe process. Software Environment: Windows 10 21H2 (19044.1645), Sandboxie v1.0.20 / 5.55.20

windbg_memorydump.txt memory.dump

```log
3: kd> !thread
THREAD ffffc90972d82080  Cid 0c38.0c9c  Teb: 000000883adab000 Win32Thread: 0000000000000000 RUNNING on processor 3
Not impersonating
DeviceMap                 ffffdc8601446720
Owning Process            ffffc90972d650c0       Image:         SbieSvc.exe
Attached Process          ffffc909721f3080       Image:         svchost.exe
Wait Start TickCount      3617322        Ticks: 0
Context Switch Count      1214289        IdealProcessor: 0
UserTime                  00:00:07.671
KernelTime                00:00:22.078
Win32 Start Address 0x00007ff6c3d754c0
Stack Init fffffd8c3e3efb90 Current fffffd8c3e3eec70
Base fffffd8c3e3f0000 Limit fffffd8c3e3e9000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr               : Args to Child                                                           : Call Site
fffffd8c`3e3ef838 fffff806`69d087e2     : 00000000`000000ef ffffc909`721f3080 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
fffffd8c`3e3ef840 fffff806`69c0ff81     : 00000000`00000000 fffff806`696fd8ad 00000000`00000002 fffff806`696fcec7 : nt!PspCatchCriticalBreak+0x10e
fffffd8c`3e3ef8e0 fffff806`69ab5b94     : ffffc909`00000000 00000000`00000000 ffffc909`721f3080 ffffc909`721f34b8 : nt!PspTerminateAllThreads+0x15ab25
fffffd8c`3e3ef950 fffff806`69ab5ebc     : ffffc909`72d650c0 00000000`00000000 00000000`00000001 00000000`00000c9c : nt!PspTerminateProcess+0xe0
fffffd8c`3e3ef990 fffff806`698092b5     : ffffc909`721f3080 ffffc909`72d82080 fffffd8c`3e3efa80 ffffc909`00000000 : nt!NtTerminateProcess+0x9c
fffffd8c`3e3efa00 00007ffa`4f6ed2f4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ fffffd8c`3e3efa00)
00000088`3bcfea18 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTerminateProcess+0x14
```

ghost commented 2 years ago

My apologies. I found out this BSOD was occurring due to a VeraCrypt issue and only at the end of shutting down the PC.

Zymlex commented 2 years ago

It looks like after the updates my problem was solved.

isaak654 commented 2 years ago

@0x391F Does this still happen to you?

0x391F commented 2 years ago

No, I think.

darkred commented 2 years ago

The issue occurred to me. Software Environment: Windows 11 21H2 x64 (22000.978), Sandboxie Plus v1.3.3.

BSOD 'CRITICAL_PROCESS_DIED' while terminating all sandboxed programs.

I attach the minidump itself. Minidump.zip

I also attach the WinDbg output of both the minidump and the MEMORY.dmp: windbg_minidump.txt windbg_memorydump.txt

The latter reveals that the BSOD is caused by the SbieSvc.exe process. Also, the latter file is in essence the same as the 2nd attachment of https://github.com/sandboxie-plus/Sandboxie/issues/1316#issuecomment-1121233038.

!thread output:

```log
0: kd> !thread
THREAD ffffd28188bea080  Cid 0cf0.0d98  Teb: 000000da571d6000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 ffff8f8ce243abc0
Owning Process            ffffd28188baa0c0       Image:         SbieSvc.exe
Attached Process          ffffd281882020c0       Image:         svchost.exe
Wait Start TickCount      5435070        Ticks: 0
Context Switch Count      724745         IdealProcessor: 5
UserTime                  00:00:05.218
KernelTime                00:00:17.703
Win32 Start Address 0x00007ff684f85980
Stack Init ffffba8e071dfb70 Current ffffba8e071df620
Base ffffba8e071e0000 Limit ffffba8e071d9000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 16 IoPriority 2 PagePriority 5
Child-SP          RetAddr               : Args to Child                                                           : Call Site
ffffba8e`071df818 fffff801`123ad493     : 00000000`000000ef ffffd281`882020c0 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffba8e`071df820 fffff801`122dfd6f     : ffffd281`882020c0 fffff801`11c4376d 00000000`00000002 fffff801`11c4365b : nt!PspCatchCriticalBreak+0x11b
ffffba8e`071df8b0 fffff801`120c4194     : ffffd281`882020c0 00000000`00000001 ffffd281`882020c0 00000000`00000101 : nt!PspTerminateAllThreads+0x121e2b
ffffba8e`071df920 fffff801`120c3f70     : ffffffff`ffffffff ffffd281`88baa0c0 ffffd281`88bea080 00000000`00000001 : nt!PspTerminateProcess+0xe0
ffffba8e`071df960 fffff801`11e2d375     : ffffd281`00000410 ffffd281`88bea080 ffffd281`882020c0 ffffd281`00000000 : nt!NtTerminateProcess+0xb0
ffffba8e`071df9e0 00007ffb`6c2a4104     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffba8e`071df9e0)
000000da`595fe9f8 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTerminateProcess+0x14
```

At the time of the BSOD I had opened this program (extract zip, then right-click SUMo.exe | 'Run Sandboxed' and tick the 'Run As UAC Administrator' administrator).

isaak654 commented 1 year ago

@shenm233 @darkred

response_CRITICAL_PROCESS_DIED

> At the time of the BSOD I had opened this program (extract zip, then right-click SUMo.exe | 'Run Sandboxed' and tick the 'Run As UAC Administrator' administrator).

I can't reproduce it with current build v1.5.3 x64 - W10 21H2 x64 + W11 22H2 x64 (empty standard sandboxes).

0x391F commented 1 year ago

This bug reproduced today. I ran VMware Workstation Pro (17.0.0 build-20800274) in a sandbox with a VM running, then deleted the contents without terminating all processes manually, and then the BSoD "CRITICAL_PROCESS_DIED" happened.

offhub commented 1 year ago

I had this BSOD yesterday too on Hyper-V.

APMichael commented 1 year ago

@DavidXanatos Are there any findings here? Unfortunately, I also have a BSoD every few weeks (sometimes after months). It always happens when a main program (e.g. Firefox, Edge) is closed and therefore the sandbox is cleaned and closed. I guess it requires some special timing or something, since I haven't managed to reproduce it manually yet either. It has now also happened under the current version 1.8.0. Do you possibly need the memory dump?

ghost commented 1 year ago

Do you use any AV or disk encryption software? I guess the dump or WinDbg analysis is always needed in such a case.

APMichael commented 1 year ago

> Do you use any AV or disk encryption software? I guess the dump or WinDbg analysis is always needed in such a case.

Just Windows 10's Defender and no encryption software either. I'll send @DavidXanatos the crash/memory dumps if he wants them.

DavidXanatos commented 1 year ago

> > Do you use any AV or disk encryption software? I guess the dump or WinDbg analysis is always needed in such a case.
>
> Just Windows 10's Defender and no encryption software either. I'll send @DavidXanatos the crash/memory dumps if he wants them.

yes please

pulsarclarinetokrabee commented 5 months ago

In the past few days I've had three BSOD crashes caused by the same issue, upon closing the last sandboxed program the crash occurs. Same configuration as listed here. I will try to downgrade to the previous Sandboxie release and report if there are any changes.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_PROCESS_DIED (ef)
        A critical system process died
Arguments:
Arg1: ffff9485f9cd20c0, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: ffff9485fa98e080, The process object that initiated the termination.
Arg4: 0000000000000000

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 9499

    Key  : Analysis.Elapsed.mSec
    Value: 16898

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 906

    Key  : Analysis.Init.Elapsed.mSec
    Value: 26155

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 92

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0xef

    Key  : Bugcheck.Code.TargetModel
    Value: 0xef

    Key  : CriticalProcessDied.ExceptionCode
    Value: fa9bd080

    Key  : CriticalProcessDied.Process
    Value: LsaIso.exe

    Key  : Dump.Attributes.AsUlong
    Value: 1808

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0

    Key  : Dump.Attributes.KernelGeneratedTriageDump
    Value: 1

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 0

    Key  : Failure.Bucket
    Value: 0xEF_LsaIso.exe_BUGCHECK_CRITICAL_PROCESS_fa9bd080_nt!PspCatchCriticalBreak

    Key  : Failure.Hash
    Value: {7e1be42b-a31e-567f-e5f3-cbe7b3dc878c}

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 1417df84

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 1

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 1

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 1

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 1

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 21631230

    Key  : Hypervisor.Flags.ValueHex
    Value: 14a10fe

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 1

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 1

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 1

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 1

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 1

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.Value
    Value: 1015

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 3f7

BUGCHECK_CODE:  ef

BUGCHECK_P1: ffff9485f9cd20c0

BUGCHECK_P2: 0

BUGCHECK_P3: ffff9485fa98e080

BUGCHECK_P4: 0

FILE_IN_CAB:  051724-22078-01.dmp

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b

DUMP_FILE_ATTRIBUTES: 0x1808
  Kernel Generated Triage Dump

PROCESS_NAME:  LsaIso.exe

CRITICAL_PROCESS:  LsaIso.exe

ERROR_CODE: (NTSTATUS) 0xfa9bd080 - <Unable to get error code text>

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

STACK_TEXT:  
ffffd283`d5764918 fffff805`67bb1f1b     : 00000000`000000ef ffff9485`f9cd20c0 00000000`00000000 ffff9485`fa98e080 : nt!KeBugCheckEx
ffffd283`d5764920 fffff805`67b2633f     : ffff9485`f9cd20c0 fffff805`674b3fd1 00000000`00000000 fffff805`6756ec97 : nt!PspCatchCriticalBreak+0x11b
ffffd283`d57649b0 fffff805`679e4f1b     : ffff9485`f9cd20c0 00000000`40010004 ffff9485`f9cd20c0 00000000`00000000 : nt!PspTerminateAllThreads+0x14134b
ffffd283`d5764a20 fffff805`679e4cf1     : ffffffff`ffffffff ffff9485`fa98e080 ffff9485`fa9bd080 ffff9485`f9cd20c0 : nt!PspTerminateProcess+0xe7
ffffd283`d5764a60 fffff805`6762d505     : ffff9485`00000244 ffff9485`fa9bd080 ffff9485`f9cd20c0 ffff9486`00000000 : nt!NtTerminateProcess+0xb1
ffffd283`d5764ae0 00007ffb`c564fed4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
000000c0`748feb88 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`c564fed4

SYMBOL_NAME:  nt!PspCatchCriticalBreak+11b

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

IMAGE_VERSION:  10.0.22621.3593

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  11b

FAILURE_BUCKET_ID:  0xEF_LsaIso.exe_BUGCHECK_CRITICAL_PROCESS_fa9bd080_nt!PspCatchCriticalBreak

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {7e1be42b-a31e-567f-e5f3-cbe7b3dc878c}

Followup:     MachineOwner
---------

2: kd> !thread
THREAD ffff9485fa9bd080  Cid 0c5c.0cac  Teb: 000000c0739ac000 Win32Thread: 0000000000000000 RUNNING on processor 2
Not impersonating
GetUlongFromAddress: unable to read from fffff80567e0bfcc
Owning Process            ffff9485fa98e080       Image:         SbieSvc.exe
Attached Process          ffff9485f9cd20c0       Image:         LsaIso.exe
fffff78000000000: Unable to get shared data
Wait Start TickCount      4242329      
Context Switch Count      185861         IdealProcessor: 0             
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x00007ff67597da00
Stack Init ffffd283d5764c70 Current ffffd283d57638d0
Base ffffd283d5765000 Limit ffffd283d575f000 Call 0000000000000000
Priority 8  BasePriority 8  IoPriority 2  PagePriority 5
Child-SP          RetAddr               : Args to Child                                                           : Call Site
ffffd283`d5764918 fffff805`67bb1f1b     : 00000000`000000ef ffff9485`f9cd20c0 00000000`00000000 ffff9485`fa98e080 : nt!KeBugCheckEx
ffffd283`d5764920 fffff805`67b2633f     : ffff9485`f9cd20c0 fffff805`674b3fd1 00000000`00000000 fffff805`6756ec97 : nt!PspCatchCriticalBreak+0x11b
ffffd283`d57649b0 fffff805`679e4f1b     : ffff9485`f9cd20c0 00000000`40010004 ffff9485`f9cd20c0 00000000`00000000 : nt!PspTerminateAllThreads+0x14134b
ffffd283`d5764a20 fffff805`679e4cf1     : ffffffff`ffffffff ffff9485`fa98e080 ffff9485`fa9bd080 ffff9485`f9cd20c0 : nt!PspTerminateProcess+0xe7
ffffd283`d5764a60 fffff805`6762d505     : ffff9485`00000244 ffff9485`fa9bd080 ffff9485`f9cd20c0 ffff9486`00000000 : nt!NtTerminateProcess+0xb1
ffffd283`d5764ae0 00007ffb`c564fed4     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffd283`d5764ae0)
000000c0`748feb88 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`c564fed4
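
Added example (not part of any comment in this thread, and not Sandboxie project code): a Python helper that reads saved WinDbg bugcheck-analysis and `!thread` text and cross-checks the 0xEF arguments against the `Owning Process` and `Attached Process` lines, which is how the dumps in this thread tie the terminated critical process to SbieSvc.exe. The sample text, its addresses and the name `triage` are constructed for illustration; dumps whose Arg3 is zero, as in the two earlier stack traces, fall back to the owning process of the calling thread.

```python
import re

# Constructed sample in the layout of the WinDbg output quoted in this thread
# (addresses are made up; image names follow the thread).
SAMPLE = """\
CRITICAL_PROCESS_DIED (ef)
Arguments:
Arg1: ffff800011112000, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: ffff800022223000, The process object that initiated the termination.
Arg4: 0000000000000000

2: kd> !thread
THREAD ffff800033334000  Cid 0c5c.0cac  Teb: 000000c0739ac000 Win32Thread: 0000000000000000 RUNNING on processor 2
Owning Process            ffff800022223000       Image:         SbieSvc.exe
Attached Process          ffff800011112000       Image:         LsaIso.exe
"""

CODE_RE = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)", re.M)
ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-f`]+)", re.M | re.I)
PROC_RE = re.compile(
    r"^(Owning|Attached) Process\s+([0-9a-f`]+)\s+Image:\s+(\S+)", re.M | re.I)


def _addr(text):
    """Parse a WinDbg address, with or without the ` separator."""
    return int(text.replace("`", ""), 16)


def triage(dump_text):
    """Report who terminated what for a 0xEF bugcheck, cross-checking the
    bugcheck arguments against the crashing thread's !thread header."""
    m = CODE_RE.search(dump_text)
    if not m or int(m.group(2), 16) != 0xEF:
        raise ValueError("not a CRITICAL_PROCESS_DIED (0xEF) analysis")
    args = {int(n): _addr(v) for n, v in ARG_RE.findall(dump_text)}
    procs = {kind.lower(): (_addr(a), img)
             for kind, a, img in PROC_RE.findall(dump_text)}
    if len(args) < 3 or "owning" not in procs:
        raise ValueError("missing bugcheck arguments or !thread header")
    owner_addr, owner_img = procs["owning"]
    # "Attached Process" reads N/A when the thread is not attached elsewhere,
    # in which case the regex does not match and the victim stays unknown.
    att_addr, att_img = procs.get("attached", (None, None))
    process_died = args[2] == 0
    return {
        "died": "process" if process_died else "thread",
        # Arg1 is the dead process object only when Arg2 is 0.
        "victim_image": att_img if process_died and att_addr == args[1] else None,
        "initiator_image": owner_img,
        # Older dumps in this thread carry 0 in Arg3, so this can be False
        # even though the calling thread's owner is known.
        "arg3_confirms_initiator": owner_addr == args[3],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```
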

0x391F commented 5 months ago

This bug reproduced yesterday, but unfortunately, the crash dump has been disabled.