ARTICLE AD BOX
I maintain a 32 bit program that is running as a service under Windows 11 (64 bit). The Program is written in Visual C++. One of the functions of the program is to count processes with a certain name. Some of these processes are 32 bit, others are 64 bit. I have no trouble locating the 32 bit processes. To identify the 64 bit processes, I am trying to call QueryFullProcessImageName, but doing so immediately ends my service. The same thing happens with IsWow64Process. Code and output is below - I would appreciate any help.
void GetProcessName(DWORD processID, char *pName) { char ProcessName[MAX_PATH] = ""; BOOL bret; DWORD derr=0, dwSize=MAX_PATH; HANDLE hProcess = NULL; PBOOL isWow=FALSE; // Note: processID is obtained from EnumProcesses() com_Log("debug2: in GetProcessName, processId=%ld, MAX_PATH=%d", processID, MAX_PATH); // Get a handle to the process. com_Log("debug2: calling OpenProcess"); hProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, processID); derr = GetLastError(); if (hProcess == NULL) { com_Log("OpenProcess failed!, error=%ld", derr); return; } // Originally I did not have this - I was thinking that QueryFullProcessImageName would work // only on 64 bit processes. Unfortunately this idea did not work, since IsWow64Process crashes com_Log("debug2: calling IsWow"); bret = IsWow64Process(hProcess, isWow); if (bret) { com_Log("debug2: this is a 32 bit process"); return; } com_Log("debug2: starting QueryFullProcessImageName"); bret = QueryFullProcessImageName(hProcess, 0, ProcessName, &dwSize); com_Log("debug2: bret=%d, ProcessName=%s", ProcessName); return; }Output:
debug2: in GetProcessName, processId=0, MAX_PATH=260 debug2: calling OpenProcess OpenProcess failed!, error=87 debug2: in GetProcessName, processId=4, MAX_PATH=260 debug2: calling OpenProcess debug2: calling IsWowCrash dump analysis:
Loading Dump File [C:\crashdumps\tmagent.exe.42224.dmp] User Mini Dump File with Full Memory: Only application data is available WARNING: Whitespace at end of path element Error: Empty Path. WARNING: Whitespace at end of path element Symbol search path is: srv*https://msdl.microsoft.com/download/symbols Executable search path is: Windows 10 Version 22000 MP (20 procs) Free x86 compatible Product: WinNt, suite: SingleUserTS 22000.1.amd64fre.co_release.210604-1628 Machine Name: Debug session time: Sat Apr 25 15:22:36.000 2026 (UTC - 7:00) System Uptime: 7 days 5:34:05.565 Process Uptime: 0 days 0:00:31.000 ........................................................ This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. (a4f0.a884): Access violation - code c0000005 (first/second chance not available) For analysis of this file, run !analyze -v eax=00000000 ebx=00000000 ecx=7fffffff edx=00000440 esi=00000003 edi=00000003 eip=77e051dc esp=02127194 ebp=02127324 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 ntdll!NtWaitForMultipleObjects+0xc: 77e051dc c21400 ret 14h 0:004> 0:004> 0:004> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* KEY_VALUES_STRING: 1 Key : AV.Dereference Value: NullClassPtr Key : AV.Fault Value: Read Key : Analysis.CPU.Sec Value: 0 Key : Analysis.DebugAnalysisProvider.CPP Value: Create: 8007007e on JEFFMAIN2022 Key : Analysis.DebugData Value: CreateObject Key : Analysis.DebugModel Value: CreateObject Key : Analysis.Elapsed.Sec Value: 12 Key : Analysis.Memory.CommitPeak.Mb Value: 78 Key : Analysis.System Value: CreateObject Key : Timeline.OS.Boot.DeltaSec Value: 624845 Key : Timeline.Process.Start.DeltaSec Value: 31 NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 CONTEXT: (.ecxr) eax=0000001f ebx=7fffffff ecx=7fffffff edx=00000440 esi=00000440 edi=80000420 eip=00988614 esp=02127ae0 ebp=02127ae8 iopl=0 ov up ei ng nz na po cy cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010a83 tmagent!__crt_simd_traits<1,unsigned char>::compare_equals [inlined in tmagent!strnlen+0x74]: 00988614 c5f57402 vpcmpeqb ymm0,ymm1,ymmword ptr [edx] ds:002b:00000440=?? Resetting default scope EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 00988614 (tmagent!__crt_simd_traits<1,unsigned char>::compare_equals) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000440 Attempt to read from address 00000440 PROCESS_NAME: tmagent.exe READ_ADDRESS: 00000440 ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE_STR: c0000005 EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000440 STACK_TEXT: 02127ae8 0098279a 00000440 7fffffff 02127fd8 tmagent!strnlen+0x74 02127b00 009818d9 1e3b5aeb 02127fd8 02127b90 tmagent!__crt_stdio_output::output_processor<char,__crt_stdio_output::string_output_adapter<char>,__crt_stdio_output::standard_base<char,__crt_stdio_output::string_output_adapter<char> > >::type_case_s+0x68 02127b48 00980d1c 021281c8 ffffffff 00000000 tmagent!__crt_stdio_output::output_processor<char,__crt_stdio_output::string_output_adapter<char>,__crt_stdio_output::standard_base<char,__crt_stdio_output::string_output_adapter<char> > >::state_case_type+0x108 02127b64 0097e972 00000000 76a71700 00000008 tmagent!__crt_stdio_output::output_processor<char,__crt_stdio_output::string_output_adapter<char>,__crt_stdio_output::standard_base<char,__crt_stdio_output::string_output_adapter<char> > >::process+0x262 02127fec 00982ec2 00000025 00000000 021281c8 tmagent!common_vsprintf<__crt_stdio_output::standard_base,char>+0xd8 0212803c 00973141 00000025 00000000 021281c8 tmagent!__stdio_common_vsprintf+0x2f 0212a1d0 009745e2 0099b758 0212e080 00000440 tmagent!com_Log+0xb1 0212e958 00975e35 00000440 00000000 015d7a00 tmagent!Counttmcmd+0x162 0212f210 00976b6a 015d7a00 015d7a10 00000013 tmagent!ScanForJobs+0x55 0212faa0 00973e19 00973d10 00000000 00000000 tmagent!SvcInit+0x51a 0212fb10 7767b766 00000001 015d7a10 7767b740 tmagent!SvcMain+0x109 0212fb28 767c6839 015d7a00 767c6820 0212fb90 sechost!ScSvcctrlThreadA+0x26 0212fb38 77df906f 015d7a00 28c23b3e 00000000 kernel32!BaseThreadInitThunk+0x19 0212fb90 77df903d ffffffff 77e2914b 00000000 ntdll!__RtlUserThreadStart+0x2b 0212fba0 00000000 7767b740 015d7a00 00000000 ntdll!_RtlUserThreadStart+0x1b FAULTING_SOURCE_LINE: minkernel\crts\ucrt\src\appcrt\string\strnlen.cpp FAULTING_SOURCE_FILE: minkernel\crts\ucrt\src\appcrt\string\strnlen.cpp FAULTING_SOURCE_LINE_NUMBER: 203 SYMBOL_NAME: tmagent!strnlen+74 MODULE_NAME: tmagent IMAGE_NAME: tmagent.exe STACK_COMMAND: ~4s ; .ecxr ; kb FAILURE_BUCKET_ID: NULL_CLASS_PTR_READ_c0000005_tmagent.exe!strnlen OS_VERSION: 10.0.22000.1 BUILDLAB_STR: co_release OSPLATFORM_TYPE: x86 OSNAME: Windows 10 FAILURE_ID_HASH: {c35a34d9-6b90-890b-2c52-f152ee945951} Followup: MachineOwner ---------