Process terminates with Invalid_error in - NtWaitForWorkViaWorkerFactory

C S 1 Reputation point
2022-01-07T22:35:15.107+00:00

Hello,

I am trying to debug a Windows application termination without any crash dump. The application is simply in a WaitForMultipleObjects, and is calling CreateProcess when it gets the event.
WinDbg indicates no exception. Output of WinDbg is below. Any pointers for further debugging are most appreciated.

0:019> g
ntdll!NtWaitForWorkViaWorkerFactory+0x14:
00007ffe`4c719454 c3 ret
0:018> g
^ No runnable debuggees error in 'g'
0:018> kp

Child-SP RetAddr Call Site

00 00000000043cfab8 00007ffe4c68eb5e ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 00000000043cfac0 00007ffe4c4784d4 ntdll!TppWorkerThread+0x76e
02 00000000043cfec0 00007ffe4c6c1791 KERNEL32!BaseThreadInitThunk+0x14
03 00000000043cfef0 0000000000000000 ntdll!RtlUserThreadStart+0x21
0:018> .frame
00 00000000043cfab8 00007ffe4c68eb5e ntdll!NtWaitForWorkViaWorkerFactory+0x14
0:018> dx Debugger.Sessions[0].Processes[12112].Threads[10500].Stack.Frames[0].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[12112].Threads[10500].Stack.Frames[0].SwitchTo()
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
0:018> kb

RetAddr : Args to Child : Call Site

00 00007ffe4c68eb5e : 000000000042fed8 000000000042fed8 000000000041ac48 0000000000000001 : ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 00007ffe4c4784d4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x76e
02 00007ffe4c6c1791 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
03 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
0:018> .exr -1
Last event was not an exception
0:018> .lastevent
Last event: 2f50.2904: Exit process 0:2f50, code 1
debugger time: Wed Jan 5 20:52:58.367 2022 (UTC - 8:00)
0:018> dx Debugger.Sessions[0].Processes[12112].Threads[10500].Stack.Frames[1].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[12112].Threads[10500].Stack.Frames[1].SwitchTo()
0:018> .frame
01 00000000043cfac0 00007ffe4c4784d4 ntdll!TppWorkerThread+0x76e
0:018> dx Debugger.Sessions[0].Processes[12112].Threads[10500].Stack.Frames[0].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[12112].Threads[10500].Stack.Frames[0].SwitchTo()
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
0:018> !analyze -v
Last event: 2f50.2904: Exit process 0:2f50, code 1
debugger time: Wed Jan 5 20:52:58.367 2022 (UTC - 8:00)
0:018> !analyze -hang
Last event: 2f50.2904: Exit process 0:2f50, code 1
debugger time: Wed Jan 5 20:52:58.367 2022 (UTC - 8:00)
0:018> !analyze -f


*
* Exception Analysis *
*

Event is not an exception - analysis may be incorrect

PROCESS_NAME: IASrvr.exe

ERROR_CODE: (NTSTATUS) 0x1 - STATUS_WAIT_1

SYMBOL_NAME: ntdll!NtWaitForWorkViaWorkerFactory+14

MODULE_NAME: ntdll

IMAGE_NAME: ntdll.dll

FAILURE_BUCKET_ID: APPLICATION_FAULT_1_ntdll.dll!NtWaitForWorkViaWorkerFactory

FAILURE_ID_HASH: {6ff6fe82-f6c0-ece5-1d0d-6bb2a0a2b37e}

Followup: MachineOwner


0:018> .kframes
Default stack trace depth is 0n256 frames
0:018> kb 5

RetAddr : Args to Child : Call Site

00 00007ffe4c68eb5e : 000000000042fed8 000000000042fed8 000000000041ac48 0000000000000001 : ntdll!NtWaitForWorkViaWorkerFactory+0x14
01 00007ffe4c4784d4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x76e
02 00007ffe4c6c1791 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
03 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21
0:018> .frame /r
00 00000000043cfab8 00007ffe4c68eb5e ntdll!NtWaitForWorkViaWorkerFactory+0x14
rax=00000000000000c0 rbx=000000000041b8e0 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000010 rdi=000000000041bc60
rip=00007ffe4c719454 rsp=00000000043cfab8 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=00007ffe4c68d100
r14=00007ffe4c6aabc0 r15=0000000000424e40
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000244
ntdll!NtWaitForWorkViaWorkerFactory+0x14:
00007ffe`4c719454 c3 ret
0:018> !gle
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc000000d - An invalid parameter was passed to a service or function.


1 answer

  1. Limitless Technology 39,496 Reputation points
    2022-01-13T08:51:25.693+00:00

    Hi there,

    You can use the Debugging Tools for Windows (WinDbg, KD, CDB, NTSD), which might help you in converging to a result here. You could try using the adplus utility in the Windows debugging tools package.

    adplus -crash -p yourprocessid

    Debugging Tools for Windows (WinDbg, KD, CDB, NTSD)
    https://video2.skills-academy.com/en-us/windows-hardware/drivers/debugger/

    Download Debugging Tools for Windows
    https://video2.skills-academy.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

    ---------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--
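
Added example, not part of the question or the answer above: the `.lastevent` output in the question shows the last event was `Exit process ... code 1` rather than an exception, so one way to find what requested the exit is to break on the process-exit routines before the threads are torn down. The symbol names `ntdll!RtlExitUserProcess` and `ntdll!NtTerminateProcess`, the x64 register convention, and the dump path are assumptions about the target, not values from the page.

```windbg
$$ Added example (constructed). Type at the WinDbg prompt after attaching to the
$$ 64-bit target and before resuming it with 'g'.

$$ In-process exit path (ExitProcess, exit(), return from main):
$$ assumed symbol ntdll!RtlExitUserProcess, x64 first argument (exit status) in rcx.
bp ntdll!RtlExitUserProcess ".echo == RtlExitUserProcess ==; r rcx; ~.; k"

$$ Direct termination through NtTerminateProcess(handle, status):
$$ x64 arguments in rcx (process handle) and rdx (exit status).
bp ntdll!NtTerminateProcess ".echo == NtTerminateProcess ==; r rcx; r rdx; ~.; k"

$$ Confirm both breakpoints resolved, then resume.
bl
g

$$ When a breakpoint hits, the debugger stays broken in on the calling thread:
$$   k        call stack of the code that requested the exit
$$   ~*k      stacks of all threads while they still exist
$$   .dump /ma C:\dumps\exit.dmp    full dump at that point (path is a placeholder)
```

If neither breakpoint fires and the process still exits with code 1, the termination was most likely requested from outside the process, so the target's own stacks will not show the caller.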
