Stop injection from being performed on the dllhost.exe process, so a crash isn't generated. Add an Application Protection Rule for dllhost.exe and select Exclude for the Inclusion Status option. Create the rule in the ePO console at Policy Catalog, Host Intrusion Prevention 8.0:IPS, Category: IPS Rules (Windows, Linux, Solaris), Application Protection Rules tab.

The process dllhost.exe maps to two Exploit Content Signatures: 428, Generic Buffer Overflow Protection, and 3761, CVE-2006-3440. Microsoft Windows 10 Creators Update/Fall Creators Update isn't vulnerable to CVE-2006-3440.

Labs researchers examined Windows 10 Creators Update and Fall Creators Update dllhost.exe with windbg to check the binary and found that DllCharacteristics is set to 0xc160. The Microsoft documentation indicates that the NX COMPAT Data Execution Prevention (DEP) bit is set on the Windows 10 Creators Update and Fall Creators Update version of dllhost.exe. The DEP setting prevents the execution of code using Buffer Overflow techniques because both stack and heap are execute-protected. Any such attempts lead to an access violation.

0:000> dx -r1 (*((ntdll!_IMAGE_OPTIONAL_HEADER64 *)0x7ff740750110))
(*((ntdll!_IMAGE_OPTIONAL_HEADER64 *)0x7ff740750110)) [Type: _IMAGE_OPTIONAL_HEADER64]
[+0x000] Magic : 0x20b [Type: unsigned short]
[+0x002] MajorLinkerVersion : 0xe [Type: unsigned char]
[+0x003] MinorLinkerVersion : 0xa [Type: unsigned char]
[+0x004] SizeOfCode : 0x1200 [Type: unsigned long]
[+0x008] SizeOfInitializedData : 0x2200 [Type: unsigned long]
[+0x00c] SizeOfUninitializedData : 0x0 [Type: unsigned long]
[+0x010] AddressOfEntryPoint : 0x1440 [Type: unsigned long]
[+0x014] BaseOfCode : 0x1000 [Type: unsigned long]
[+0x018] ImageBase : 0x7ff740750000 [Type: unsigned __int64]
[+0x020] SectionAlignment : 0x1000 [Type: unsigned long]
[+0x024] FileAlignment : 0x200 [Type: unsigned long]
[+0x028] MajorOperatingSystemVersion : 0xa [Type: unsigned short]
[+0x02a] MinorOperatingSystemVersion : 0x0 [Type: unsigned short]
[+0x02c] MajorImageVersion : 0xa [Type: unsigned short]
[+0x02e] MinorImageVersion : 0x0 [Type: unsigned short]
[+0x030] MajorSubsystemVersion : 0xa [Type: unsigned short]
[+0x032] MinorSubsystemVersion : 0x0 [Type: unsigned short]
[+0x034] Win32VersionValue : 0x0 [Type: unsigned long]
[+0x038] SizeOfImage : 0x9000 [Type: unsigned long]
[+0x03c] SizeOfHeaders : 0x400 [Type: unsigned long]
[+0x040] CheckSum : 0x144ae [Type: unsigned long]
[+0x044] Subsystem : 0x2 [Type: unsigned short]
[+0x046] DllCharacteristics : 0xc160 [Type: unsigned short]
[+0x048] SizeOfStackReserve : 0x100000 [Type: unsigned __int64]
[+0x050] SizeOfStackCommit : 0x8000 [Type: unsigned __int64]
[+0x058] SizeOfHeapReserve : 0x100000 [Type: unsigned __int64]
[+0x060] SizeOfHeapCommit : 0x1000 [Type: unsigned __int64]
[+0x068] LoaderFlags : 0x0 [Type: unsigned long]
[+0x06c] NumberOfRvaAndSizes : 0x10 [Type: unsigned long]
[+0x070] DataDirectory [Type: _IMAGE_DATA_DIRECTORY [16]]
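
The same check can be made without a debugger by reading DllCharacteristics from the PE optional header and decoding its bits. The following is an added example, not part of the original article or of any vendor tooling; the function names are hypothetical, the flag values are the IMAGE_DLLCHARACTERISTICS_* constants from the PE/COFF specification, and the sample image is a constructed header stub rather than a real dllhost.exe.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}

def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip signature and IMAGE_FILE_HEADER
    if len(image) < opt + 0x48:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at +0x46 in both layouts (see the dump above)
    (value,) = struct.unpack_from("<H", image, opt + 0x46)
    return value

def decode(value: int) -> list:
    """Names of the set flags, lowest bit first."""
    return [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if value & bit]

def build_sample(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32+ header stub, not a real dllhost.exe."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0x00, 0x20B)               # Magic
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(opt)

if __name__ == "__main__":
    flags = decode(read_dll_characteristics(build_sample(0xC160)))
    print(flags, "NX_COMPAT set:", "NX_COMPAT" in flags)
```

To check a binary on disk, pass the file's bytes (for example `open(path, "rb").read()`) to `read_dll_characteristics` instead of the constructed stub.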