Friday, December 19, 2008

Windows Defender: application failed to initialize: 0x80070006

I have been experiencing the following error on Windows Vista64 startup for 7 months:

Application failed to initialize: 0x80070006. The handle is invalid.
Application failed to initialize: 0x80070006. The handle is invalid.

I could live without Windows Defender and SpyNet. But today, I took time to debug.

The most obvious thing to do is to query the Microsoft knowledge base. And it worked! Quoting KB935511:
Method 1: Use System Restore to restore Windows Vista
Method 2: Reinstall Windows Vista
Ok ... maybe I'll try something else.

Then I thought that interesting logs could appear in PerfMon, because Windows Defender implements WPP software tracing. I managed to find the right Event Trace Provider (Microsoft-Windows-Windows Defender) and to create a Data Collector ... but nothing ever got logged. Therefore I gave up on this option.

Then I had a look at the C:\Program Files\Windows Defender\MpCmdRun.exe command-line utility.

----------------------------------------------------------------------
Windows Defender Command Line Utility (c) 2006 Microsoft Corporation
Use this tool to automate and troubleshoot Windows Defender

Usage:
mpcmdrun.exe [command] [-options]

Command Description
-? [h] Displays all available options for this tool
-Scan [-ScanType] Scans for malicious software
-SignatureUpdate Checks for new definition updates
-Trace [-Grouping] [-Level] Starts diagnostic tracing
-GetFiles Collects support information
-RemoveDefinitions [-All] Restores the installed signature definitions
to a previous backup copy or to the original
default set of signatures
-GetSWE Exports information about software installed
on your computer
----------------------------------------------------------------------

I tried -GetFiles, went through all log files but ... found nothing interesting either.

Looks like it is time to bring out the IDA Pro debugger ... Fortunately, remote Vista64 debugging is available through the win64_remotex64.exe stub! Of course this is not for the faint of heart :)

Fortunately, the error is pretty easy to figure out: Windows Defender cannot acquire a handle on the WinDefend service ... because this service does not exist!

Why on earth was the WinDefend service removed from my computer? I guess I'll never know. But for the time being, it is enough to export the following registry key from another Vista computer and to import it on the broken one:

HKLM\SYSTEM\CurrentControlSet\Services\WinDefend

Case solved!
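The diagnosis and repair above, written up as an added PowerShell example (this is not code from the original post): it checks whether the Service Control Manager and the registry still know about WinDefend, verifies that the service binary the key points at actually exists before trusting the definition, and prints the export/import commands for moving the key from a healthy machine. The .reg file name is a placeholder of my choosing.

```powershell
# Added example, not code from the original post: diagnose the missing WinDefend
# service behind the 0x80070006 ("The handle is invalid", Win32 error 6) start-up
# message, then repair it by moving the service's registry definition from a
# healthy Vista machine. The .reg file name (windefend.reg) is a placeholder.

$serviceName = 'WinDefend'
$serviceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

function Get-WinDefendStatus {
    # Win32_Service is available on Vista-era PowerShell; Get-Service there
    # does not expose the start mode, so WMI is used instead.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
    $key = $null
    if (Test-Path -Path $serviceKey) { $key = Get-ItemProperty -Path $serviceKey }

    # A service definition is only worth keeping if the binary it names exists.
    $imagePath = $null
    $binaryOk  = $false
    if ($key -and $key.ImagePath) {
        $imagePath = [Environment]::ExpandEnvironmentVariables($key.ImagePath)
        # Strip surrounding quotes and any trailing arguments to get the exe path.
        $exe = $imagePath -replace '^"([^"]+)".*$', '$1'
        $exe = $exe -replace '\.exe\s.*$', '.exe'
        $binaryOk = Test-Path -Path $exe
    }

    New-Object -TypeName PSObject -Property @{
        ServiceRegistered = ($null -ne $svc)
        State             = $(if ($svc) { $svc.State } else { 'absent' })
        StartMode         = $(if ($svc) { $svc.StartMode } else { 'absent' })
        RegistryKeyExists = (Test-Path -Path $serviceKey)
        ImagePath         = $imagePath
        BinaryPresent     = $binaryOk
    }
}

$status = Get-WinDefendStatus
$status | Format-List

if (-not $status.ServiceRegistered) {
    Write-Host @"
The Service Control Manager has no '$serviceName' service, which is why
Windows Defender cannot obtain a handle to it at start-up.
Repair: export on a healthy Vista machine of the same build, import here from
an elevated prompt, then reboot so the SCM re-reads the key.

  on the healthy machine:
    reg export HKLM\SYSTEM\CurrentControlSet\Services\WinDefend windefend.reg
  on this machine (elevated):
    reg import windefend.reg
"@
}
```

Run it once before the import to confirm the service is really absent (a present-but-disabled service needs a different fix), and once after the reboot: ServiceRegistered, RegistryKeyExists and BinaryPresent should all read True, otherwise the imported key points at a binary that is not installed here.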

Wednesday, May 21, 2008

MOVB-19 Vista, 1 year later ...

Microsoft Vista has been available to IT professionals since November 30th, 2006, but it was launched to the public on January 31st, 2007 (if I remember correctly).

Consequently, there has been some press activity about Vista's first anniversary.

Microsoft's point of view is that "the press and critics have lauded Windows Vista for its beautiful graphics and increased usability".

Here is my personal press review, though:
Did SP1 change anything? For the better (file copy is now as fast as on Windows XP) or for the worse (a key audio driver is not compatible with Vista SP1) ...

So in the end:
Fortunately, Microsoft has a refreshing video for motivating depressed salesmen :)

Friday, April 4, 2008

MOVB-18 I am not alone

Truth is out there: I have the least stable hardware configuration for running Windows Vista.

Read the full story on ArsTechnica.

Thursday, March 20, 2008

MOVB-17 Got to love this one

Stop error message when you start a Windows Vista-based computer: "0xC1F5"

(Knowledge base article 946084, accessed on March 20th, 2008)
[...]
WORKAROUND

If you have only one disk installed, and if you have access to Windows XP or Windows 2000 installation media, restart the computer by using the Windows XP or Windows 2000 installation media. Next, format the offending disk, and then reinstall Windows Vista.
[...]

Uh oh, looks pretty bad :)

Sunday, March 16, 2008

MOVB-16 Vista SP1: first bug

Yet another kernel bug triggered by Firefox.

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: c0075000, memory referenced
Arg2: 00000000, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81eabf99, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from 81f53868
Unable to read MiSystemVaType memory at 81f33420
c0075000

CURRENT_IRQL: 0

FAULTING_IP:
nt!MiAgeWorkingSet+1a2
81eabf99 8b1e mov ebx,dword ptr [esi]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: firefox.exe

TRAP_FRAME: 86f8fa54 -- (.trap 0xffffffff86f8fa54)
ErrCode = 00000000
eax=c0802d18 ebx=00a3a000 ecx=00002408 edx=00a39000 esi=c0075000 edi=c080bd38
eip=81eabf99 esp=86f8fac8 ebp=86f8fc44 iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!MiAgeWorkingSet+0x1a2:
81eabf99 8b1e mov ebx,dword ptr [esi] ds:0023:c0075000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 81eabf99 to 81e76d84

STACK_TEXT:
86f8fa54 81eabf99 badb0d00 00a39000 81f099a9 nt!KiTrap0E+0x2ac
86f8fc44 81eab9af 8521bf60 00000003 86f8fc80 nt!MiAgeWorkingSet+0x1a2
86f8fc98 81eab3e4 00000002 86f8fcb4 00000001 nt!MiProcessWorkingSets+0x1ff
86f8fcd8 81e57612 00000000 8356e020 00000000 nt!MmWorkingSetManager+0x199
86f8fd7c 81ff1a1c 00000000 aea14805 00000000 nt!KeBalanceSetManager+0x12a
86f8fdc0 81e4aa3e 81e574e8 00000000 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiAgeWorkingSet+1a2
81eabf99 8b1e mov ebx,dword ptr [esi]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiAgeWorkingSet+1a2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 47918b12

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0xA_nt!MiAgeWorkingSet+1a2

BUCKET_ID: 0xA_nt!MiAgeWorkingSet+1a2

Followup: MachineOwner
---------

Sunday, February 3, 2008

MOVB-15 "I cannot auto-terminate"

Yet another kernel bug delivered by the Firefox+YouTube combination.

NtTerminateProcess() failed with the infamous IRQL_NOT_LESS_OR_EQUAL. It seems that MiDeleteAddressesInWorkingSet() tried to access data without any probe or exception handling. Did the Vista kernel pass WHQL?

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace.

Arguments:
Arg1: c0053000, memory referenced
Arg2: 00000000, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 8201985f, address which referenced memory

Debugging Details:
------------------
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000000 - NTSTATUS 0xC0000147

WARNING: .reload failed, module list may be incomplete
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000000 - NTSTATUS 0xC0000147

WARNING: .reload failed, module list may be incomplete

READ_ADDRESS: c0053000

CURRENT_IRQL: 0

FAULTING_IP:
nt!MiDeleteAddressesInWorkingSet+141
8201985f 8b0e mov ecx,dword ptr [esi]

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xA

TRAP_FRAME: af78f79c -- (.trap 0xffffffffaf78f79c)
ErrCode = 00000000
eax=0a600201 ebx=84ded3a8 ecx=c080f514 edx=c080a50c esi=c0053000 edi=c0801000
eip=8201985f esp=af78f810 ebp=af78fc6c iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!MiDeleteAddressesInWorkingSet+0x141:
8201985f 8b0e mov ecx,dword ptr [esi] ds:0023:c0053000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 8201985f to 8208fd84

STACK_TEXT:
af78f79c 8201985f badb0d00 c080a50c 85382cb5 nt!KiTrap0E+0x2ac
af78fc6c 82019cc7 84ded1d8 84ded1d8 84ded1d8 nt!MiDeleteAddressesInWorkingSet+0x141
af78fc9c 8221bd12 84ded1d8 af784644 84daf818 nt!MmCleanProcessAddressSpace+0x14f
af78fd04 8221ad7a 00000000 00000000 84daf5b8 nt!PspExitThread+0x64a
af78fd24 8221b265 84daf5b8 00000000 00000001 nt!PspTerminateThreadByPointer+0x5b
af78fd54 8208caaa ffffffff 00000000 0012fea4 nt!NtTerminateProcess+0x1e0
af78fd54 77b20f34 ffffffff 00000000 0012fea4 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fea4 00000000 00000000 00000000 00000000 0x77b20f34

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiDeleteAddressesInWorkingSet+141
8201985f 8b0e mov ecx,dword ptr [esi]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiDeleteAddressesInWorkingSet+141

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 471ea39c

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0xA_nt!MiDeleteAddressesInWorkingSet+141

BUCKET_ID: 0xA_nt!MiDeleteAddressesInWorkingSet+141

Saturday, February 2, 2008

MOVB-14 DirectX BSoD

I have been lucky on this one.

My daughter was watching videos on YouTube, so I could not deliver the MOVB of the day. And then Vista died with a DirectX BSoD ... Enjoy!

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:

Arg1: 00000403, The subtype of the bugcheck.

Arg2: c004e000

Arg3: 000002f5

Arg4: 00000000


Debugging Details:
------------------

BUGCHECK_STR: 0x1a_403
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: firefox.exe
CURRENT_IRQL: 2
BAD_PAGES_DETECTED: 1
LAST_CONTROL_TRANSFER: from 82040566 to 8204099b

STACK_TEXT:
a9c778a0 82040566 c004e000 84c194f0 91f19768 nt!MiDeletePte+0x360
a9c779d4 820bf1bd 099c0000 09ebffff a9c7c12c nt!MiDeleteVirtualAddresses+0x8a1
a9c77a6c 8208caaa ffffffff 9073ccd0 9073cce4 nt!NtFreeVirtualMemory+0x655
a9c77a6c 8207e83d ffffffff 9073ccd0 9073cce4 nt!KiFastCallEntry+0x12a
a9c77af4 89461123 ffffffff 9073ccd0 9073cce4 nt!ZwFreeVirtualMemory+0x11
a9c77b1c 894621fb 9073ccc8 9246a008 850082d8 dxgkrnl!VIDMM_PROCESS_HEAP::Free+0x75
a9c77b50 89461b26 0006d258 00000001 00000000 dxgkrnl!VIDMM_GLOBAL::CloseLocalAllocation+0xd9
a9c77b90 89462b73 00000000 00000000 92548008 dxgkrnl!VIDMM_GLOBAL::CloseOneAllocation+0xe6
a9c77bb0 8946a49c af095c60 00000000 92548008 dxgkrnl!VIDMM_GLOBAL::CloseAllocation+0x37
a9c77c1c 89471394 b03d8e00 00000001 906d6268 dxgkrnl!DXGDEVICE::DestroyAllocations+0x176
a9c77c40 8946a96d b03d8e00 a94e3804 00000000 dxgkrnl!DXGDEVICE::DestroyResource+0x4b
a9c77c94 89463d14 a9c77cf0 00000001 a94e39c8 dxgkrnl!DXGDEVICE::DestroyAllocation+0x97
a9c77d58 8208caaa 099bfcfc 099bfd0c 76e80f34 dxgkrnl!DxgkDestroyAllocation+0x538
a9c77d58 76e80f34 099bfcfc 099bfd0c 76e80f34 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
099bfd0c 00000000 00000000 00000000 00000000 0x76e80f34

STACK_COMMAND: kb
SYMBOL_NAME: PAGE_NOT_ZERO_VISTA
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID: PAGE_NOT_ZERO_VISTA

Followup: MachineOwner
---------

*** Memory manager detected 1 instance(s) of page corruption, target is likely to have memory corruption.

Friday, February 1, 2008

MOVB-13 Minor annoyances

When importing pictures from a digital camera, you cannot select pictures individually.

When doing anything that requires elevation from a network share (e.g. installing software), you have to re-enter your network credentials after elevation (this is logical given the UAC design, yet annoying if you have a super-secure password :).

When creating a new folder in a "privileged" location, you have to go through UAC twice: once for creating the "new folder" directory, once for renaming it. Depending on the scenario, the number of UAC prompts can be as high as 4. Hopefully, "SP1 reduces the number of UAC (User Account Control) prompts from 4 to 1 when creating or renaming a folder at a protected location".

You cannot drag and drop files anywhere (like on the desktop) from a network share. You are restricted to a subset of folders, such as "Documents".

You cannot drag and drop inside a CMD anymore. This is "by design".

Windows Vista users cannot easily access files on a Windows XP partition in a dual-boot configuration. Default XP users are admins, and most files are accessible by the "Administrators" group only. Vista users are not admins, and Explorer cannot be elevated.

".HLP" files are not supported anymore.

HyperTerminal is not bundled anymore. There is no easy way to access the serial port on Windows Vista.

Telnet (and many other commands) are not available by default. You have to "re-enable" them from the Control Panel.

Other interesting annoyances (FireWire drives, etc.) can be found here.

Thursday, January 31, 2008

MOVB-12 Application compatibility

When trying to install third-party software under Vista, you can run into the following kinds of trouble:

Software would like to disable UAC entirely.

Sample application: EasyBCD

Software needs to be added to DEP exemption list, because it's somehow protected ("packed").

... and the error message will puzzle most (if not all) end-users :)

Sample application: AuctionSentry

Software needs a compatibility pack from Microsoft

I guess compatibility packs rely on the Shim Engine, but I have never dug too deep in those mechanisms. Let's say that it is a database of big hacks to get crappy applications working :)

Sample : March 2007 Windows Vista Application Compatibility Update

You wait 3 months for an upgrade

Sample : iTunes [*], Microsoft Visual Studio 2005 [**]

[*] It seems also that iTunes will never be Vista64-compatible.
[**] Visual Studio 2005 still needs to be "elevated" to run properly on Vista.

You wait 3 months, but the upgrade is not free

Sample : some Adobe products
Oh yeah, I almost forgot. The software can play nice on 1st try! ;)

Wednesday, January 30, 2008

MOVB-11 Vista logging

A nice finding about Windows Vista logging:
http://www.heysoft.de/Frames/Vista_Remarks1_en.htm

In short, most event log files are not properly referenced in the registry. Under HKLM\System\CCS\Services\EventLog\*\, the "File" entry has a ".elf" suffix, whereas the Vista file format is ".evtx".

Consequently, remote log reading tools (Windows XP's Event Viewer for one, but most log collection tools could be affected) are unable to access Vista event logs.

This has been confirmed on my up-to-date Vista 64 system.

The conclusion from this guy is: "I must admit that I do now better understand all those people who say that they never install a Windows operating system in a production environment before its first Service Pack is out."

Fortunately, SP1 is due for Q1 2008 :)
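To check the registration problem described above on your own system, here is an added PowerShell example (not code from the original post nor from the heysoft.de page). It walks every log key under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, reads the "File" value, and flags the entries that still declare a ".elf" path while the file Vista actually writes is the same name with an ".evtx" suffix. That the on-disk file is the declared name with the extension swapped is my assumption, based on the post's description.

```powershell
# Added example, not from the original post or the heysoft.de page: find event
# logs whose registry "File" value carries the legacy .elf suffix although the
# log on disk is a Vista-format .evtx file. The .evtx file name is assumed to be
# the declared name with only the extension changed.

$eventLogRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Get-EventLogFileMismatch {
    param([string]$Root = $eventLogRoot)

    foreach ($logKey in Get-ChildItem -Path $Root) {
        $props = Get-ItemProperty -Path $logKey.PSPath
        $file  = $props.File
        if (-not $file) { continue }        # some log keys carry no File value at all

        # "File" normally holds something like %SystemRoot%\System32\Winevt\Logs\X.elf
        $declared = [Environment]::ExpandEnvironmentVariables($file)
        $expected = [System.IO.Path]::ChangeExtension($declared, '.evtx')

        New-Object -TypeName PSObject -Property @{
            Log          = $logKey.PSChildName
            DeclaredFile = $declared
            DeclaredOK   = (Test-Path -Path $declared)   # does the registry path exist?
            EvtxExists   = (Test-Path -Path $expected)   # does the .evtx sibling exist?
            # A mismatch is a stale .elf reference sitting next to a real .evtx file.
            Mismatch     = (($declared -match '\.elf$') -and (Test-Path -Path $expected))
        }
    }
}

# Report only the broken registrations; remote readers that trust "File" will
# fail on exactly these logs.
Get-EventLogFileMismatch |
    Where-Object { $_.Mismatch } |
    Format-Table -Property Log, DeclaredFile, EvtxExists -AutoSize
```

Run it in an elevated prompt so that every log directory is readable. Drop the Where-Object filter to see the full inventory, including logs whose declared path does exist (DeclaredOK True), which are the ones remote tools can still read.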

Tuesday, January 29, 2008

MOVB-10 Bug or security flaw?

[ MOVB is back on track ... time to finish up before Vista SP1 is out! ]

An interesting bug from Microsoft Knowledge Base 945438:
Consider the following scenario:
  • On a computer that is running Windows Vista, you use Microsoft Office PowerPoint 2007 to record audio, or you use another application to record audio.
  • The application calls the acmFormatChoose function to display a dialog box so that you can select the waveform-audio format.
In this scenario, the application crashes.
What is more interesting is the logic behind this bug:
The acmFormatChoose function tries to free a pointer that was not allocated.
Bug or security flaw? Given Vista heap protections, this one might be hard to exploit, even locally. But who dares to say impossible, when it comes to bug exploitation?