dllhost.exe crashes after you deploy a Sysprep image or perform a Cortana search on a Windows 10 Creators Update or Fall Creators Update system when Exploit Prevention is enabled
Technical Articles ID: KB89023
Last Modified:  12/26/2017


Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee Host Intrusion Prevention (Host IPS) 8.0

Microsoft Windows 10 Fall Creators Update (also referred to as Windows 10 RS3)
Microsoft Windows 10 Creators Update (also referred to as Windows 10 RS2)
Microsoft Windows Sysprep

Problem

If ENS Threat Prevention Exploit Prevention or Host IPS Exploit Prevention is enabled, the following issues can occur:
  • After you deploy a Sysprep image that has ENS or Host IPS installed to a Windows 10 Creators Update or Fall Creators Update system, the Microsoft process dllhost.exe (COM Surrogate) crashes and the system fails to boot, with the following error message:

    COM Surrogate has stopped working

    The Windows Application log records the crash with details such as: Faulting application name: DllHost.exe, version: 10.0.15063.0, time stamp: 0xb54cdbe6 (version 10.0.15063 is the Creators Update build).

  • After you perform a Cortana search on a Windows 10 Creators Update or Fall Creators Update system, dllhost.exe crashes and generates a crash dump.

Cause

The issue occurs when Exploit Prevention fails to inject into the dllhost.exe process; the failed injection prevents the process from loading, and it crashes.

Solution

This issue is resolved in the following releases, which are available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx.
  • ENS: Endpoint Security 10.5.3
  • Host IPS: Host IPS 8.0 Update 10

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.

Workaround

Use one of the following options to stop Exploit Prevention from injecting into the dllhost.exe process, so that the crash is not generated.

Add an Application Protection Rule for dllhost.exe and select Exclude for the Inclusion Status option:
  • For ENS, create the rule in the ePO console at Policy Catalog, Endpoint Security Threat Prevention, Category: Exploit Prevention, Application Protection Rules section.
  • For Host IPS, create the rule in the ePO console at Policy Catalog, Host Intrusion Prevention 8.0:IPS, Category: IPS Rules (Windows, Linux, Solaris), Application Protection Rules tab.
Alternatively, for ENS, edit the McAfee-defined Application Protection Rule named Microsoft DLL Hosting Services (which covers dllhost.exe) and select Exclude for the Inclusion Status option.

NOTE: Because of known issue 1211550-1182188 described in KB82450, this workaround is overwritten every time the Exploit Prevention content is updated, so you must reapply it after each content update. ENS 10.5.2 Threat Prevention extension Hotfix 1213762 and ENS 10.5.3 correct that issue.

The process dllhost.exe is covered by two Exploit Prevention content signatures: 428, Generic Buffer Overflow Protection, and 3761, CVE-2006-3440. Excluding dllhost.exe therefore removes only those two signatures' coverage for that process.

Microsoft Windows 10 Creators Update/Fall Creators Update is not vulnerable to CVE-2006-3440, so signature 3761 provides no protection on these builds. See Microsoft Security Bulletin MS06-041 at https://technet.microsoft.com/en-us/library/security/ms06-041.aspx for details.

McAfee Labs researchers examined the Windows 10 Creators Update and Fall Creators Update dllhost.exe binary with WinDbg and found that the DllCharacteristics field of the PE optional header is set to 0xc160. Against the IMAGE_OPTIONAL_HEADER documentation (https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx), 0xc160 decodes to IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE (0x8000), GUARD_CF (0x4000), NX_COMPAT (0x0100), DYNAMIC_BASE (0x0040) and HIGH_ENTROPY_VA (0x0020), so the NX COMPAT Data Execution Prevention (DEP) bit is set on this version of dllhost.exe. With DEP in effect the stack and heap are mapped non-executable, so the classic buffer-overflow payload of running injected code from either region fails with an access violation. DEP on its own does not stop code-reuse techniques; the DYNAMIC_BASE and HIGH_ENTROPY_VA (ASLR) and GUARD_CF (Control Flow Guard) bits in the same value address those. The WinDbg output follows:

0:000> dx -r1 (*((ntdll!_IMAGE_OPTIONAL_HEADER64 *)0x7ff740750110))
(*((ntdll!_IMAGE_OPTIONAL_HEADER64 *)0x7ff740750110))                 [Type: _IMAGE_OPTIONAL_HEADER64]
    [+0x000] Magic            : 0x20b [Type: unsigned short]
    [+0x002] MajorLinkerVersion : 0xe [Type: unsigned char]
    [+0x003] MinorLinkerVersion : 0xa [Type: unsigned char]
    [+0x004] SizeOfCode       : 0x1200 [Type: unsigned long]
    [+0x008] SizeOfInitializedData : 0x2200 [Type: unsigned long]
    [+0x00c] SizeOfUninitializedData : 0x0 [Type: unsigned long]
    [+0x010] AddressOfEntryPoint : 0x1440 [Type: unsigned long]
    [+0x014] BaseOfCode       : 0x1000 [Type: unsigned long]
    [+0x018] ImageBase        : 0x7ff740750000 [Type: unsigned __int64]
    [+0x020] SectionAlignment : 0x1000 [Type: unsigned long]
    [+0x024] FileAlignment    : 0x200 [Type: unsigned long]
    [+0x028] MajorOperatingSystemVersion : 0xa [Type: unsigned short]
    [+0x02a] MinorOperatingSystemVersion : 0x0 [Type: unsigned short]
    [+0x02c] MajorImageVersion : 0xa [Type: unsigned short]
    [+0x02e] MinorImageVersion : 0x0 [Type: unsigned short]
    [+0x030] MajorSubsystemVersion : 0xa [Type: unsigned short]
    [+0x032] MinorSubsystemVersion : 0x0 [Type: unsigned short]
    [+0x034] Win32VersionValue : 0x0 [Type: unsigned long]
    [+0x038] SizeOfImage      : 0x9000 [Type: unsigned long]
    [+0x03c] SizeOfHeaders    : 0x400 [Type: unsigned long]
    [+0x040] CheckSum         : 0x144ae [Type: unsigned long]
    [+0x044] Subsystem        : 0x2 [Type: unsigned short]
    [+0x046] DllCharacteristics : 0xc160 [Type: unsigned short]
    [+0x048] SizeOfStackReserve : 0x100000 [Type: unsigned __int64]
    [+0x050] SizeOfStackCommit : 0x8000 [Type: unsigned __int64]
    [+0x058] SizeOfHeapReserve : 0x100000 [Type: unsigned __int64]
    [+0x060] SizeOfHeapCommit : 0x1000 [Type: unsigned __int64]
    [+0x068] LoaderFlags      : 0x0 [Type: unsigned long]
    [+0x06c] NumberOfRvaAndSizes : 0x10 [Type: unsigned long]
    [+0x070] DataDirectory    [Type: _IMAGE_DATA_DIRECTORY [16]]
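The DllCharacteristics check above can be reproduced without a debugger. The following script is an added example, not McAfee's code and not part of the original article: it parses a PE file's DOS header, PE signature, COFF header and the start of the optional header (far enough to read DllCharacteristics, which sits at offset 0x46 in both PE32 and PE32+), names the bits that are set using the IMAGE_DLLCHARACTERISTICS_* values from winnt.h, and reports whether NX_COMPAT, DYNAMIC_BASE and GUARD_CF are present. Run with no argument it inspects a constructed header carrying the 0xc160 value from the WinDbg output; on a Windows 10 system run it as `python pe_dllchar.py C:\Windows\System32\dllhost.exe` (the script name is arbitrary; the path is the usual location of the binary).

```python
"""Read DllCharacteristics from a PE file and decode the mitigation flags.

Added example: only the headers needed to reach DllCharacteristics are parsed.
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* values from winnt.h / the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",        # 64-bit ASLR
    0x0040: "DYNAMIC_BASE",           # image may be relocated (ASLR)
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",              # DEP compatible
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",               # Control Flow Guard
    0x8000: "TERMINAL_SERVER_AWARE",
}

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def decode_dll_characteristics(value):
    """Return the names of the flags set in a DllCharacteristics value, low bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def inspect_pe(data):
    """Return magic, DllCharacteristics and decoded flags for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # IMAGE_DOS_HEADER.e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 0x48:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # Offset 0x46 holds DllCharacteristics in both PE32 and PE32+ (the layouts
    # differ only before ImageBase, which is at 0x18 in both).
    dll_characteristics = struct.unpack_from("<H", data, opt + 0x46)[0]
    flags = decode_dll_characteristics(dll_characteristics)
    return {
        "magic": magic,
        "dll_characteristics": dll_characteristics,
        "flags": flags,
        "nx_compat": "NX_COMPAT" in flags,
        "aslr": "DYNAMIC_BASE" in flags,
        "cfg": "GUARD_CF" in flags,
    }


def build_fake_pe(dll_characteristics, magic=PE32PLUS_MAGIC):
    """Construct a minimal PE header (headers only, not a loadable image) for offline testing."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0
    machine = 0x8664 if magic == PE32PLUS_MAGIC else 0x14C     # AMD64 or I386
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0xB54CDBE6, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0x00, magic)
    struct.pack_into("<H", opt, 0x44, 2)                      # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # Constructed sample header mirroring the WinDbg output above (0xc160).
        data = build_fake_pe(0xC160)
    report = inspect_pe(data)
    print("PE32+" if report["magic"] == PE32PLUS_MAGIC else "PE32",
          "DllCharacteristics=0x%04x" % report["dll_characteristics"],
          " | ".join(report["flags"]))
```

A binary that reports NX_COMPAT here is opted in to DEP on its own; a process can still end up without DEP if the system policy is set to opt-in only and the image lacks the flag, which is why checking the header is the first step rather than the whole answer.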

This article is available in the following languages: English (United States), Spanish (Spain), Japanese.