https://devblogs.microsoft.com/oldnewthing/20230324-00/?p=107966

The Old New Thing

Adventures in application compatibility: The case of the jump into the middle of an instruction from nowhere

Raymond Chen, March 24th, 2023

A spike of Explorer crashes occurred with the release of a particular Windows Insider build. The crash looked like this:

    explorer!SomeRandomInternalFunction+0x7d4:
    00007ffe`27b00720 006639          add     byte ptr [rsi+39h],ah ds:00000000`0000003a=??

This is most likely a nonsense instruction. There's no obvious reason to be adding a partial upper register. It looks like this is either a corrupted instruction pointer or corrupted code, because the first code byte is a suspicious zero. And since the second byte is 66h, it looks like an off-by-one, since 66h is not an uncommon initial instruction byte. (It's the operand size override prefix.)

Another clue is that the calling function, not shown here, has no reason to be calling the SomeRandomInternalFunction function, and in fact, checking the alleged caller, it indeed does not call it.

Disassembling around the instruction shows that the instruction pointer is indeed in the middle of an instruction:

    00007ffe`27b0071c b820000000      mov     eax,20h
    00007ffe`27b00721 6639853e020000  cmp     word ptr [rbp+23Eh],ax

The instruction pointer is one less than the actual start of the instruction, causing the zero byte at the end of the immediate of the previous instruction to be misinterpreted as the start of the instruction to be executed.

How did we end up in the middle of an instruction?

I did some bulk analysis of all the crash dumps that we received and observed that one third-party DLL was common to all of them. Further investigation shows that this third-party DLL is part of a "shell enhancement" program. This program patches Explorer in order to accomplish its enhancements, and apparently one of its patches went awry.

The interesting thing here was how the program decided where to install its patches, and in particular how it managed to patch a function that was never exported or stored in a vtable: It found the function by contacting the Microsoft symbol server to get the names of all the functions in Explorer and their addresses!

What happened is that we recently made changes to this internal function, and apparently those changes were enough to cause the patcher to go haywire.

This is unfortunately a regular occurrence: Whenever a new build goes out, there's a spike of Explorer crashes because all of these patchers start patching the wrong code, and Explorer starts crashing across all the systems that have these "shell enhancement" programs installed.
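As an added illustration (this is my own example, not code from the post or from any Microsoft tool), here is a small Python script that performs the check above mechanically: given a trusted instruction boundary and the raw bytes from the crash dump, it linear-sweeps the instruction starts and reports whether the faulting RIP lands on one of them; if it does not, it also decodes from the bogus address to show what the CPU actually executed. The decoder is deliberately minimal, covering only the encodings that occur in the dump (the 66h prefix, ADD r/m8,r8, CMP r/m16/32,r16/32, MOV r32,imm32) plus NOP, RET and RIP-relative addressing, and it raises rather than guess on anything else. The byte string and addresses are taken from the two instructions quoted above; the function names and the output format are assumptions of this example.

```python
"""Check whether a faulting RIP lies on an instruction boundary (constructed example).

A deliberately minimal x86-64 decoder: it handles only the encodings that occur in
the crash dump quoted in the post plus a few trivial ones, and raises on anything
else rather than guess.  Function names and sample values are assumptions made for
this example, not anything from Explorer or from Microsoft tooling.
"""

REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def decode_modrm(code, i, size, reg_names):
    """Decode the ModRM byte at code[i] (plus any displacement).

    Returns (bytes consumed, r/m operand text, reg operand text) in WinDbg style,
    e.g. ("byte ptr [rsi+39h]", "ah").  SIB forms are not needed here and raise."""
    modrm = code[i]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:                                   # register-direct operand
        return 1, reg_names[rm], reg_names[reg]
    if rm == 4:
        raise NotImplementedError("SIB addressing not supported by this toy decoder")
    if mod == 0 and rm == 5:                       # 64-bit mode: [rip+disp32]
        disp = int.from_bytes(code[i + 1:i + 5], "little", signed=True)
        return 5, f"{size} ptr [rip{disp:+#x}]", reg_names[reg]
    if mod == 0:                                   # [base], no displacement
        return 1, f"{size} ptr [{REG64[rm]}]", reg_names[reg]
    if mod == 1:                                   # [base+disp8]
        disp, n = int.from_bytes(code[i + 1:i + 2], "little", signed=True), 2
    else:                                          # [base+disp32]
        disp, n = int.from_bytes(code[i + 1:i + 5], "little", signed=True), 5
    sign = "+" if disp >= 0 else "-"
    return n, f"{size} ptr [{REG64[rm]}{sign}{abs(disp):X}h]", reg_names[reg]


def decode_one(code, i):
    """Decode the instruction starting at code[i]; returns (length, text)."""
    start = i
    opsize16 = code[i] == 0x66                     # operand-size override prefix
    if opsize16:
        i += 1
    op = code[i]
    i += 1
    if op == 0x00:                                 # ADD r/m8, r8
        n, rm_text, reg_text = decode_modrm(code, i, "byte", REG8)
        return i + n - start, f"add {rm_text},{reg_text}"
    if op == 0x39:                                 # CMP r/m16/32, r16/32
        names, size = (REG16, "word") if opsize16 else (REG32, "dword")
        n, rm_text, reg_text = decode_modrm(code, i, size, names)
        return i + n - start, f"cmp {rm_text},{reg_text}"
    if 0xB8 <= op <= 0xBF:                         # MOV r32, imm32 (imm16 with 66h)
        width, names = (2, REG16) if opsize16 else (4, REG32)
        imm = int.from_bytes(code[i:i + width], "little")
        return i + width - start, f"mov {names[op - 0xB8]},{imm:X}h"
    if op == 0x90:
        return i - start, "nop"
    if op == 0xC3:
        return i - start, "ret"
    raise NotImplementedError(f"opcode {op:02x} at offset {start} not in toy decoder")


def instruction_starts(code, base):
    """Linear sweep from a trusted boundary: maps each instruction start to its text."""
    starts, i = {}, 0
    while i < len(code):
        length, text = decode_one(code, i)
        starts[base + i] = text
        i += length
    return starts


def classify_rip(code, base, rip):
    """Report whether rip is a real instruction start; if not, give the nearest one
    and what the CPU decoded when it started executing at the bogus address."""
    starts = instruction_starts(code, base)
    if rip in starts:
        return {"on_boundary": True, "delta": 0, "nearest": rip, "decoded": starts[rip]}
    nearest = min(starts, key=lambda a: abs(a - rip))
    return {
        "on_boundary": False,
        "delta": rip - nearest,                    # negative: rip is short of the real start
        "nearest": nearest,
        "decoded": decode_one(code, rip - base)[1],
    }


# Bytes and addresses taken from the two instructions quoted in the post.
SAMPLE_BASE = 0x00007FFE27B0071C
SAMPLE_RIP = 0x00007FFE27B00720
SAMPLE_CODE = bytes.fromhex("b820000000" "6639853e020000")

if __name__ == "__main__":
    for addr, text in instruction_starts(SAMPLE_CODE, SAMPLE_BASE).items():
        print(f"{addr:016x}  {text}")
    print(classify_rip(SAMPLE_CODE, SAMPLE_BASE, SAMPLE_RIP))
```

Sweeping from the known-good start gives 0x...071c and 0x...0721 as the only boundaries, so 0x...0720 is reported as one byte short of a real instruction, and decoding from that address reproduces exactly the `add byte ptr [rsi+39h],ah` nonsense from the dump. In real triage you would let the debugger (the `u` command) or a full disassembler do the decoding; the toy version only makes the mechanics visible.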
If you're really unlucky, their rogue patch crashes something in the Explorer startup path, and users find themselves stuck with an unusable machine due to Explorer crash loops.

This problem is particularly acute with monthly security patches, because we can't roll the fix back. That would expose systems to the security issues that the monthly security update was intended to fix. (And now that the fix went out, all the bad guys have reverse-engineered the security issue and are probably hard at work trying to weaponize it and take advantage of unpatched systems.) We have to hope that enough of the users whose systems are crashing realize that it's due to the "shell enhancement" program (rather than blaming Windows itself, which is the more likely case), and uninstall or disable the programs in order to get their system working again.

Unfortunately, these patchers also cause Windows customer satisfaction numbers to plunge every time an update goes out, particularly among users who don't realize that the problem was caused by that program their computer-savvy nephew installed for them.

Tagged: Other

Comments (25)

Brian Dellisanti, March 24, 2023 10:40 am:
As the OS vendor, MS should have powerful tools available to protect the integrity of its executables. Why doesn't it do that?

Pavel Yosifovich, March 24, 2023 10:58 am:
These "Explorer patchers" have no choice, as the normal Explorer in Windows 11 has lost so much - I'm looking at you, Taskbar! If MS would only *add* new features and not remove useful features, all will be well.

    Roger B, March 24, 2023 11:31 am:
    Indeed. There wouldn't be as much of a need if the Windows shell team was smarter. As it stands they make the world a worse place each day they exist. If they feel like imposters, it's because they are. In fact I actively encourage, support, and celebrate efforts like this. Make their life hell and delay them. If they spend more time on investigating issues like this, they'll have less time to f**k something else up.

    Joshua Hudson, March 24, 2023 2:08 pm:
    Quite right unfortunately. Since swapping out explorer as the shell doesn't work anymore we are forced into terrible choices. I really do want to be able to run cmd.exe or something even more radical as the shell and still open UWP applications; but this just doesn't work.

    Jan Ringos, March 29, 2023 11:45 am:
    Or they could provide appropriate hooking APIs for the needs of such extensions.

    Sebastian Kassai, March 29, 2023 1:41 pm:
    While I don't usually like to say this, this time, I have to agree. The shell has lost a lot of features in Windows 11 and this is the only real way to get some useful features back at the moment. It is MS's fault these programs exist and are used widely enough to cause big spikes in the statistics. There have been posts made by major news sites about how to use these programs.

Yuhong Bao, March 24, 2023 11:19 am:
This reminds me of MS08-067 where they used strsafe (for NT5) when a simpler fix would have sufficed.

    Yuhong Bao, March 24, 2023 11:02 pm:
    strsafe probably added less than 1KB to code size, but...

jimbobmcgee, March 24, 2023 3:41 pm:
Is there an argument for developing something else to bootstrap the basic desktop experience, instead of Explorer -- i.e. something that can't be patched/doesn't have extension support -- and having Explorer be a regular desktop app?

I'm thinking something like the old days of Progman: without it you didn't have the Windows experience most people were used to, you just had the cyan desktop that didn't do very much. I guess I'm also thinking of the difference between a Linux distro's desktop environment vs its window manager.

Would that "solve" the problem of extending Explorer? You could at least sign and/or validate it before any user code ran (maybe via UEFI/SecureBoot?)

(I suppose, given both Server Core and RemoteApps exist -- or even the OOBE -- at least some of this idea already exists.)

What do you see as the bare minimum that Windows would need from such a bootstrapper? What additional problems might it introduce?

    Chris Warrick, March 25, 2023 12:05 pm:
    What would that bootstrapper help with, exactly? What would its responsibilities be? The actual bootstrapper is userinit.exe, but without explorer.exe, Windows is quite useless (but you can still do things in apps you have open, or launch Task Manager to bring Explorer back). Windows could prevent third-party DLLs from loading, but the very loud community of such patchers would yell "Microsoft is evil, they're locking down Windows and forcing you to have the taskbar at the bottom". Windows could split explorer.exe into files.exe, taskbar.exe, and desktop.exe, but the patcher community would probably just patch and cause crashes in three processes at once.

        Blubberich, March 28, 2023 4:10 am:
        "but without explorer.exe, Windows is quite useless (but you can still do things in apps you have open, or launch Task Manager to bring Explorer back)"

        Actually, only if Explorer is not there, not if it crashed/hung. I sometimes have a problem where Edge somehow blocks explorer.exe. It still runs but clicking on things does nothing. If you press Ctrl+Alt+Del and select Task Manager then the Ctrl+Alt+Del screen goes away but you get no Task Manager. But if it was already running and visible, then killing Edge, then Explorer, and restarting Explorer gets you a usable PC again.

    Paulo Pinto, March 27, 2023 6:11 am:
    They could use out-of-process modern IPC like in Android, macOS/iOS (XPC), Linux (DBUS), instead of in-process COM, with tooling that has hardly changed in the last 25 years.

Ray Koopa, March 24, 2023 6:33 pm:
There's at least one such utility out there that properly enough validates whether its patches would work, or blocklists specific Windows builds known to break from it completely. I wish the other very-obvious-from-your-article software would do so too.

Sigge Mannen, March 25, 2023 3:02 pm:
Easiest fix for these issues is to dedicate some poor guy at the Explorer team to be a user of all those shell enchancement (pun intended) softwares.

Daniel Roskams, March 26, 2023 7:04 pm:
If this is a serious problem, it could be solved by:

1. having an alternate version of explorer (e.g. called axplorer.exe) which doesn't load 3rd party shell extensions or any other DLLs that aren't included with Windows.
2. having userinit (or whatever launches explorer, maybe winlogon?) detect when explorer crashes, and if it crashes more than a particular number of times in a given time frame, load the alternate version and display a dialog to the user explaining why all their shell extensions are not working anymore.

I believe explorer already restarts when it crashes in newer versions of Windows (8 onwards) so part of this solution is already implemented.

    Raymond Chen (Microsoft employee), March 26, 2023 7:40 pm:
    If only these programs used normal shell extension mechanisms. But no, they patch the shell by nefarious means.

        Ismo Salonen, March 26, 2023 9:18 pm:
        But how do they get into the explorer.exe address space initially? Do they load as an extension and then break all the rules and start directly patching them? Maybe you could reveal some tactics they use and why said tactics are not good, maybe even tell how to do patching correctly? This could be a new series of articles like "the good, bad and ugly of shell patching".

            Raymond Chen (Microsoft employee), March 26, 2023 9:37 pm:
            They don't use the shell extension mechanism to get into the process. They sneak in by nefarious means. Patching is not supported. There is no "correct" way of doing it. Just different levels of bad.

                Paulo Pinto, March 27, 2023 6:08 am:
                Some would consider having to deal with the primitive COM tooling for shell extensions equally bad.

                Joshua Hudson, March 27, 2023 12:08 pm:
                The taskbar's also pretty bad. Maybe if it were disconnected from the file browser and from the UWP launcher your patching headaches would be much reduced.

                Rafael Rivera, March 28, 2023 9:59 pm:
                "Just different levels of bad." I think you said that about me at one point. [grin]

        skSdnW, March 28, 2023 5:06 pm:
        There are no shell extension points for the taskbar/desktop part of Explorer. Deskbars are dead and all other extension points are connected to the file browser and IShellView/IShellFolder.

        Jules Archinova, March 31, 2023 2:35 am:
        Did you provide the calls they need to accomplish their mission?

john williamson, March 29, 2023 6:13 pm:
Not just this article, but far too often when articles such as this are written, about widely used 3rd party tweaks, and the commenting strongly supports the tweak in question, but MS charges forward that "all these enthusiasts are wrong, we will continue our way", it is telling of how far out of touch the Win dev team is from its user base.

Keyboard Bug, March 30, 2023 1:58 pm:
It's not my fault the only way to ungroup icons in the Taskbar is installing sketchy 3rd-party software. I bet someone got a really nice bonus for forcing the taskbar grouping on everyone.