Session Report | Powered by Rapid Reporter

| Time | Reporter | Type | Content | Screenshot | RTF Note |
|---|---|---|---|---|---|
| 8/12/2012 22:08 | Shmuel Gershon | (Rapid Reporter version) | | | |
| 8/12/2012 22:08 | Shmuel Gershon | Session Reporter | Shmuel Gershon | | |
| 8/12/2012 22:08 | Shmuel Gershon | Session Charter | Angry Weasel Challenge - Figure out why TheApp.exe won't load and cause it to load by solving the problem. | | |
| 8/12/2012 22:09 | Shmuel Gershon | Setup | Windows 7 Ent 64b; SP1; English edition. Intel i5 processor; 4Gb RAM. 4.8 Windows Experience Index. | | |
| 8/12/2012 22:10 | Shmuel Gershon | Setup | Apps installed: Visual Studio 2010; Office 2010; IE9. (these may have impact on executables running; among other apps) | | |
| 8/12/2012 22:15 | Shmuel Gershon | Note | Warning: Spoiler Alert: Go to this link to try the challenge for yourself before continuing. | | |
| 8/12/2012 22:15 | Shmuel Gershon | Note | Shortcut: To skip investigations and jump directly to the solution, click here!! | | |
| 8/12/2012 22:18 | Shmuel Gershon | Note | Summary of information available on website (post text attached): a) App was compiled with Visual Studio 2012; b) it was compiled for 32b architecture; c) application is contained inside one executable TheApp.exe; d) it needs the VC runtime to run (it comes with msvcr110.dll); e) application should launch but doesn't; f) the failure to load is of such nature that it can be caused by having another app installed in the system. | | 1_20120812_221807.rtf |
| 8/12/2012 22:31 | Shmuel Gershon | Setup | Opened the zip file and copied the contents to our own drive. We want to run it from a local path at this moment (running it in the least hostile environment possible in order to better isolate the problem). | | |
| 8/12/2012 22:32 | Shmuel Gershon | Check | As if we didn't know, we'll check that app works ('loads'/'runs'). But double click on the icon --> nothing seems to happen! | | |
| 8/12/2012 22:33 | Shmuel Gershon | Bug | TheApp.exe is not loading on double-click; on enter or on right-click-open. (This is the problem we want to troubleshoot during the testing session) | | |
| 8/12/2012 22:35 | Shmuel Gershon | Test | What can cause an app not to load? One of the first things that comes to mind is lack of necessary privileges. We can test for this by "Running as administrator" --> Observation: Same (lack of) reaction. | | |
| 8/12/2012 22:37 | Shmuel Gershon | Note | Windows 7 has compatibility modes that emulate older processors or operating system or hardware platform in order to allow poorly-compatible software to remain operational. What if TheApp.exe is expecting a specific environment to run? Let's make some experiments. | | |
| 8/12/2012 22:39 | Shmuel Gershon | Test | Compatibility modes can be selected; but there's a mode where Windows finds the compatibility mode autonomously which can be activated by selecting "Troubleshoot Compatibility" on context menu. Windows recommends XP SP2 (why not SP3?); so let's try this configuration --> Observation: Same (lack of) reaction. | | |
| 8/12/2012 22:42 | Shmuel Gershon | Test | Instead of only trying with Windows recommendation (SP2); let's try with SP3 as well --> Observation: No new behavior. | | |
| 8/12/2012 22:43 | Shmuel Gershon | Bug | Additional information. App won't load on double-click; right-click; enter; admin mode; XPSP2; XPSP3. | | |
| 8/12/2012 22:45 | Shmuel Gershon | Note | But in fact; we don't know yet that the app isn't loading. Maybe IT IS loading; but isn't showing any graphic interface. Let's try to look at the process execution and at the output on command line. | | |
| 8/12/2012 22:50 | Shmuel Gershon | Test | To try to catch TheApp.exe's process on Windows Task Manager we'll open the Task Manager window; sort by name; scroll to 'T' and repeatedly open TheApp.exe. | | |
| 8/12/2012 22:53 | Shmuel Gershon | Test | Observation: TheApp.exe footprint in Task Manager is surprisingly low; you can barely see it running (even if leaving enter pressed). It has also (apparently) a protection against two instances of the processes running but I can't confirm that yet. | | |
| 8/12/2012 22:57 | Shmuel Gershon | Test | Running TheApp.exe from a command line console window (in admin mode) will show us if it is printing something before exit; anything that we can use as clue. Observation: No identifiable console output; see attachment for result including %errorlevel% exit status code. | | |
| 8/12/2012 23:01 | Shmuel Gershon | Question | As can be seen in past screenshot TheApp.exe is not printing an error before it exits or even returning a failure exit code (%errorlevel%) different than 0. Should the (re)design of the app include an error exit code for errors related to initial environment condition? It'd certainly help troubleshooting! | | |
| 8/12/2012 23:03 | Shmuel Gershon | Test | Applications can mess with shared link libraries and disturb a different process' operation. Does TheApp.exe really need msvcr110.dll? Let's try to delete the DLL and see what happens --> Observation: System Error raised (see screenshot) | | |
| 8/12/2012 23:05 | Shmuel Gershon | Test | Maybe TheApp.exe is set to work with the DLL as resource but doesn't use it (if Alan was particularly mischievous)? Let's try to empty the DLL's content by creating an empty file and renaming it - Observation: Interesting error in screenshot. Doesn't look like an app error but like another System error so we'll ignore this direction for now. | | |
| 8/12/2012 23:06 | Shmuel Gershon | Note | According to Alan Page's notes on website; the problem can happen by one app disturbing the other. I wonder if a mismatched DLL version can cause the problem. | | |
| 8/12/2012 23:08 | Shmuel Gershon | Question | Why would Alan write TheApp.exe with a dynamic linked library? It can be intentional to add mystery and complexity (for example) or accidental (by leaving the IDE's linking default values). | | |
| 8/12/2012 23:08 | Shmuel Gershon | Note | Let's change direction to the system configuration and resources. This is an area where one application can affect another. | | |
| 8/12/2012 23:08 | Shmuel Gershon | Note | Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe; dll; ocx; sys; etc.) and builds a hierarchical tree diagram of all dependent modules. Let's run it and try to identify a missing dependency. | | 2_20120812_230855.rtf |
| 8/12/2012 23:13 | Shmuel Gershon | Test | Running depends shows full completion of dependency for TheApp.exe (see screenshot). Depends warns about arch mismatch (32/64) and about not finding IESHIMS.DLL; both common errors that don't seem to point to a specific problem - yet. | | |
| 8/12/2012 23:19 | Shmuel Gershon | Test | Let's run Russinovich's strings app. Maybe Alan has given us a hint inside. Results attached. | | |
| 8/12/2012 23:22 | Shmuel Gershon | Note | A few things are interesting to note within Strings result: a) the mention of "MagicValue"; b) the success message ("congratulations"); c) the name of the functions used (don't seem to read from any file directly; but reads from register); d) the XML manifest. | | |
| 8/12/2012 23:25 | Shmuel Gershon | Note | Looking at other apps and the web the manifest looks Ok; even with the uiAccess value being false (i.e. it doesn't cause apps not to load). Note that when comparing to wikipedia's example; we don't even have the runtime limitation mentioned in TheApp.exe manifest. | | |
| 8/12/2012 23:32 | Shmuel Gershon | Note | One thing we could do is open the assembly instructions and see where we get a conditional jump for the success message (which is "congratulations you have found the problem") and then force the jump. But the challenge is about discovering a system or compatibility problem; without manipulating (too much) the executable file itself. | | |
| 8/12/2012 23:33 | Shmuel Gershon | Note | On the other hand... why would anyone write about "Magic Values" on his software? Maybe it is a clue to the Magic Number of the executable file? Let's analyze the file's content. | | |
| 8/12/2012 23:37 | Shmuel Gershon | Test | What if the Magic Number is incorrect (not likely something a different app would cause; but still...)? Observation: Opening it on a Hex editor shows 0x4D 0x5A; which seems to be a valid/legitimate Magic Value. | | |
| 8/12/2012 23:40 | Shmuel Gershon | Test | What if the system can be configured to require the reverse Magic Value? What if the other app modifies this setting and breaks TheApp.exe operation? (of course; a plethora of other apps would start failing too if so). In any case the definition should allow for both. Observation: Reverting the Magic Value to 0x5A 0x4D (just for kicks!) causes a System Error. | | |
| 8/12/2012 23:41 | Shmuel Gershon | Note | As we cannot identify the dependency resulting in failure from the system side; let's look at it from the application flow side. | | |
| 8/12/2012 23:43 | Shmuel Gershon | Note | Process Monitor displays in real-time all file system activity on a Microsoft Windows operating system. Let's use it to monitor the resources and queries requested by TheApp.exe. | | 5_20120812_234221.rtf |
| 8/12/2012 23:44 | Shmuel Gershon | Setup | In order to make life easier; it is recommended to set a filter in Procmon. You may miss information in case the app calls other apps or differently named threads; but otherwise there's too much info. The filter used is shown in screenshot. | | |
| 8/12/2012 23:45 | | Note | When using Process Monitor all information can be important but my experience shows it pays to focus on response errors first. It makes special sense when looking for a loading failure. | | |
| 8/12/2012 23:46 | Shmuel Gershon | Test | The first request failure of the application is missing the prefetch file on C:\Windows\prefetch. Windows manages the prefetch by itself; but maybe Alan is specifically (mischievously) looking for it? Observation: Adding the file to Prefetch folder manually makes the error in ProcMon go away; but the app still doesn't load. | | |
| 8/12/2012 23:53 | Shmuel Gershon | Note | Many errors on requests appear when loading the app. Most of them are to be expected; and many are due to requests by the operating system dispatcher rather than the app itself. So all these failures close to the beginning before the app even tries to get to the 'Visual C Runtime DLL' may be less relevant. | | |
| 8/12/2012 23:54 | Shmuel Gershon | Note | Let's go to the latest failures; as all the initial ones are system failures and not TheApp.exe failures. | | |
| 8/12/2012 23:57 | Shmuel Gershon | Note | The last failure before exiting is when trying to read the 'DisableMetaFiles' value inside HKLM Win NT Current Version. Perhaps we should study what can influence this value and what it causes. | | |
| 8/12/2012 23:59 | Shmuel Gershon | Note | But oh! Right before this failure there is a failure when trying to open the Registry key HKCU\SW\Ms\TheApp.exe! That shouldn't be a system request; this is Alan's; and is looking for an app-specific path! | | |
| 8/13/2012 0:01 | Shmuel Gershon | Test | Let's add the key to the registry; see if now this causes the application to load. --> Bingo! No app loading yet but now the TheApp key request succeeds; and TheApp.exe looks for the MagicValue value! | | |
| 8/13/2012 0:06 | Shmuel Gershon | Test | Let's add the magic value to the registry; see if this causes the application to load. --> Great success! Congratulations! | | |
| 8/13/2012 0:06 | Shmuel Gershon | Note | The MagicValue can be a string; binary; DWORD... Apparently there is no check on type or content. | | |
| 8/13/2012 0:12 | Shmuel Gershon | Note | TheApp.exe deletes the Registry key and value right after showing the success dialog -- good thing to clean garbage from registry; and keeps the challenge ready to be solved again! | | |
| 8/13/2012 0:14 | Shmuel Gershon | Note | TheApp.exe loaded; problem solved; challenge resolved. But... | | |
| 8/13/2012 0:22 | Shmuel Gershon | Question | What was the real story behind the problem that generated the exercise in Alan's mind? Can it be that one newly installed application deleted another one's private registry keys? Or deleted a shared system registry key? Have to ask Alan... | | |
| 8/13/2012 0:22 | Shmuel Gershon | Note | Troubleshooting Testing Session is now over. Conclusion: TheApp.exe requires a registry key/value available to load. Another application that changes or moves things around in the registry -- or perhaps a System Restore! -- can cause this registry key/value to disappear, causing TheApp.exe to abort loading. | | |
| 8/13/2012 0:22 | Shmuel Gershon | Session End. Duration | 2:14:20 | | |