I am reading forwarded events (WEF) from the event log. When I try to read the TaskDisplayName for an event where it does not exist, the application crashes with an access violation exception. This also happens when reading the "KeywordsDisplayNames".
```
Fatal error. System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Repeat 2 times:
--------------------------------
   at Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessage(System.Diagnostics.Eventing.Reader.EventLogHandle, System.Diagnostics.Eventing.Reader.EventLogHandle, UInt32, Int32, EvtStringVariant[], EvtFormatMessageFlags, Int32, Char[], Int32 ByRef)
--------------------------------
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtFormatMessageRenderName(System.Diagnostics.Eventing.Reader.EventLogHandle, System.Diagnostics.Eventing.Reader.EventLogHandle, EvtFormatMessageFlags)
   at System.Diagnostics.Eventing.Reader.ProviderMetadataCachedInformation.GetTaskDisplayName(System.String, System.Diagnostics.Eventing.Reader.EventLogHandle)
   at System.Diagnostics.Eventing.Reader.EventLogRecord.get_TaskDisplayName()
   at EventLogCrash.Program.Main(System.String[])
```
When I checked the event in the event viewer, its XML does not have values for Task and Keywords under RenderingInfo.
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
    <EventID>1014</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>1014</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000010000000</Keywords>
    <TimeCreated SystemTime="2024-03-21T23:32:09.577293500Z" />
    <EventRecordID>1590</EventRecordID>
    <Correlation />
    <Execution ProcessID="844" ThreadID="1280" />
    <Channel>System</Channel>
    <Computer>DESKTOP-JP7LKRA.kovo.local</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData>
    <Data Name="QueryName">wpad</Data>
    <Data Name="AddressLength">128</Data>
    <Data Name="Address">02000000AC106480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>Name resolution for the name wpad timed out after none of the configured DNS servers responded.</Message>
    <Level>Warning</Level>
    <Task />
    <Opcode>Info</Opcode>
    <Channel>System</Channel>
    <Provider>Microsoft-Windows-DNS Client Events</Provider>
    <Keywords />
  </RenderingInfo>
</Event>
```
The attached sample project contains an evtx file and the C# code tries to read the events from that file and it crashes with access violation.
Note: Make sure to set the current machine's culture to en-US before running the sample. Otherwise it will not try to read the rendering info and won't fail. Setting the CultureInfo in C# code will not work. Changing the UI culture is not required.
Reproducible on Windows 11 and Windows Server 2022. Have not checked for other operating systems.
Expected behavior
The correct values should be read and the application should not crash.
Actual behavior
The application crashes with Access Violation exception.
Regression?
No response
Known Workarounds
No response
Configuration
.NET 6.0.28 and 8.0.2
Windows 11 and 2022
x64
I think it should happen to all operating systems.
Other information
No response
Now https://learn.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtformatmessage documents that you can do this, and it normally works -- except when the message formatted has a length of zero. If it does, then EvtFormatMessage still tries to copy one character \0 to NULL and that's the AV. So this is a bug in a Windows API that was uncovered by a change to our interop.
We can work around this by passing a 1-character buffer to the API so that it won't AV.
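The sizing pattern described in the comment above, as an added example that is not the runtime's own code or its actual fix: a P/Invoke wrapper that probes `EvtFormatMessage` with a real 1-character buffer rather than a NULL one. The class and method names (`SafeEvtFormat`, `RenderName`) are hypothetical, and the handles are assumed to come from `EvtOpenPublisherMetadata` and `EvtNext`.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

// Added example (hypothetical names): two-call sizing for EvtFormatMessage
// that never hands the API a NULL / zero-length buffer on the probing call.
static class SafeEvtFormat
{
    const int ERROR_INSUFFICIENT_BUFFER = 122;
    public const uint EvtFormatMessageTask = 3;   // from EVT_FORMAT_MESSAGE_FLAGS

    [DllImport("wevtapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool EvtFormatMessage(
        IntPtr publisherMetadata, IntPtr evt, uint messageId,
        uint valueCount, IntPtr values, uint flags,
        uint bufferSize, [Out] char[] buffer, out uint bufferUsed);

    // Assumption: publisherMetadata was returned by EvtOpenPublisherMetadata
    // and evt by EvtNext; both stay owned by the caller.
    public static string RenderName(IntPtr publisherMetadata, IntPtr evt, uint flags)
    {
        // Probe with one real character of storage. If the rendered name is
        // empty (e.g. <Task /> in RenderingInfo), the terminating '\0' the API
        // writes lands in this buffer instead of at address NULL.
        char[] buffer = new char[1];
        if (!EvtFormatMessage(publisherMetadata, evt, 0, 0, IntPtr.Zero, flags,
                              (uint)buffer.Length, buffer, out uint used))
        {
            int error = Marshal.GetLastWin32Error();
            if (error != ERROR_INSUFFICIENT_BUFFER)
                throw new Win32Exception(error);

            // On ERROR_INSUFFICIENT_BUFFER, used holds the required size in
            // characters, terminator included.
            buffer = new char[used];
            if (!EvtFormatMessage(publisherMetadata, evt, 0, 0, IntPtr.Zero, flags,
                                  (uint)buffer.Length, buffer, out used))
                throw new Win32Exception(Marshal.GetLastWin32Error());
        }

        // Drop the terminator; a zero-length name becomes string.Empty.
        return used > 1 ? new string(buffer, 0, (int)used - 1) : string.Empty;
    }
}
```

This covers single-string names such as the task name; the keyword flag returns a list of strings and needs its own splitting logic.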