C# – .NET Windows Service crashes in ntdll.dll

ccrashwindowswindows-services

I have a Windows Service written in C#. It is crashing when it calls into a 3rd party COM component. The problem only appears on Windows 7 (x86 and x64). When I run the same service code as a console application on Windows 7 (x86 and x64), it works fine.

When I run the same service on Windows 2003, it also works properly. I think it could be related to UAC. I am looking for suggestions/direction on debugging this service to identify what is causing the problem. Use debug symbols for ntdll.dll? Below the info from the event log.

Event ID: 1000, Level: Error
Faulting application name: ServiceHost.exe, version: 1.0.0.0, time stamp: 0x4f87bc9a
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000005
Fault offset: 0x0002bcbb
Faulting process id: 0x151c
Faulting application start time: 0x01cd1939c9017b2d
Faulting application path: E:\ServiceHost\bin\Debug\ServiceHost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 08da6aa3-852d-11e1-a889-00155d016f32

Best Answer

As a wild guess, you might be falling foul of Session 0 Isolation:

In Windows XP®, Windows Server® 2003, and earlier versions of the Windows® operating system, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious agents that are looking for a means to elevate their own privilege levels.

Where this usually causes issues for services is if, for instance, something tries to create UI.

The easiest approach to dealing with this issue would be to talk to the vendor of the 3rd party component and ensure it's supported for use with services. However, if the vendor no longer exists, that may not be possible.

If the issue arises whilst the service is running, it may be possible to attach a debugger to it and capture a dump at the point at which the error happens (e.g. using something like adplus from the debugging tools for windows). If the issue is happening during service startup, it may be trickier to diagnose.

You really need to isolate the last function call in your code that brings on the error, and then try to diagnose from there.

Related Topic