After ".\gpg --recv-keys" Finishes Executing, Process Explorer Crashes

Hello,

For a couple of days I had been running procexp64.exe (created by some Microsoft gurus that call themselves sysinternals), and just this morning, a millisecond after the gpg command --recv-keys finished executing, the process explorer crashed.

I know process explorer is not associated with GnuPG, but since I expect no response, or a delayed one, from the Microsoft forums, I hope somebody here can give me some pointers to figure out why this is happening and fix it.

I was recording my screen when I experienced the problem, and as I review the video ( https://www.youtube.com/watch?v=-lxULUeyAdE&t=450s ), I can see the following loop:

  1. procexp64.exe and PowerShell are running. (All commands I call/run will be through PowerShell, and I infer procexp64.exe is running when I can see the program’s icon in the taskbar).
  2. I run the command “.\gpg --recv-keys 031EC2536E580D8EA286A9F22071B08A33BD3F06”, and I can see the icon of procexp64.exe in the taskbar. I can see gpg’s debugging information on the screen.
  3. The PowerShell prompt is ready for entry (e.g., the gpg command finished executing)
  4. The procexp64.exe icon disappears from the task bar
  5. I call procexp64.exe through PowerShell, and after a few seconds, its window pops open. I filter for dirmngr, and I see an instance running
  6. I call “.\gpg-config --kill dirmngr”
  7. I run the command “.\gpg --recv-keys 031EC2536E580D8EA286A9F22071B08A33BD3F06”, and I can see the procexp64.exe icon in the taskbar
  8. The PowerShell prompt is ready for entry (e.g., the gpg command finished executing)
  9. The procexp64.exe icon disappears from the task bar
  10. I call procexp64.exe through PowerShell, and after a few seconds, its window pops open. I filter for dirmngr, and I see an instance running
    REPEAT AD NAUSEAM

Below is the information that Windows Event Viewer logged:

******************BEGINNING OF EVENT VIEWER LOGGED INFORMATION ******************

Event Time: 9/15/2021 9:17:53 AM.223
Record ID: 11985
Event ID: 1001
Level: Information
Channel: Application
Provider: Windows Error Reporting
Description: Fault bucket 1609796576240296912 type 4

Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: procexp64.exe
P2: 16.43.0.0
P3: 611b18e1
P4: procexp64.exe
P5: 16.43.0.0
P6: 611b18e1
P7: c000041d
P8: 0000000000040b40
P9:
P10:

Attached files:
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAFA.tmp.mdmp
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD0E.tmp.WERInternalMetadata.xml
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDBB.tmp.xml
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE19.tmp.csv
\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE78.tmp.txt
\?\C:\Users\SomeUser\AppData\Local\Temp\WERDF24.tmp.appcompat.txt

These files may be available here:
\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_procexp64.exe_dbab7ec7d00bc871158944e434e86f47e4bb560_c2ae7e9e_931b3ca1-8a8a-4318-97dc-02a5581527b5

Analysis symbol:
Rechecking for solution: 0
Report Id: c4fd20d3-4a18-43f0-8bdb-1303e64460c2
Report Status: 268435456
Hashed bucket: ec11c4e2f37a93ffd6572574ff7163d0

******************END OF EVENT VIEWER LOGGED INFORMATION ******************

Of the error-generated files referenced by Event Viewer, I only found C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_procexp64.exe_dbab7ec7d00bc871158944e434e86f47e4bb560_c2ae7e9e_931b3ca1-8a8a-4318-97dc-02a5581527b5\Report.wer. The content is below:

******************BEGINNING OF REPORT.WER CONTENT ******************

Version=1
EventType=APPCRASH
EventTime=132761962695246351
ReportType=2
Consent=1
UploadTime=132761962719245607
ReportStatus=268435456
ReportIdentifier=931b3ca1-8a8a-4318-97dc-02a5581527b5
IntegratorReportIdentifier=c4fd20d3-4a18-43f0-8bdb-1303e64460c2
Wow64Host=34404
NsAppName=procexp64.exe
OriginalFilename=Procexp.exe
AppSessionGuid=000073b0-0005-004d-bd93-12c64caad701
TargetAppId=W:00063b8a1b9bb575663585011ecd5b422fcb00000904!0000d3dc46078a137f17c50887ff6f17be40dab20626!procexp64.exe
TargetAppVer=2021//08//17:02:03:13!174ad2!procexp64.exe
BootId=4294967295
TargetAsId=11492
UserImpactVector=806355760
IsFatal=1
EtwNonCollectReason=4
Response.BucketId=ec11c4e2f37a93ffd6572574ff7163d0
Response.BucketTable=4
Response.LegacyBucketId=1609796576240296912
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=procexp64.exe
Sig[1].Name=Application Version
Sig[1].Value=16.43.0.0
Sig[2].Name=Application Timestamp
Sig[2].Value=611b18e1
Sig[3].Name=Fault Module Name
Sig[3].Value=procexp64.exe
Sig[4].Name=Fault Module Version
Sig[4].Value=16.43.0.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=611b18e1
Sig[6].Name=Exception Code
Sig[6].Value=c000041d
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000040b40
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.19042.2.0.0.768.101
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=f552
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=f5525a7bfe390a118fa62329258a9cf1
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=c2a9
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=c2a916903a0584c515dfe33eda93d5ae
UI[2]=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
LoadedModule[0]=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
LoadedModule[1]=C:\WINDOWS\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\WINDOWS\System32\KERNEL32.DLL
LoadedModule[3]=C:\WINDOWS\System32\KERNELBASE.dll
LoadedModule[4]=C:\WINDOWS\System32\SHLWAPI.dll
LoadedModule[5]=C:\WINDOWS\System32\msvcrt.dll
LoadedModule[6]=C:\WINDOWS\System32\WS2_32.dll
LoadedModule[7]=C:\WINDOWS\System32\RPCRT4.dll
LoadedModule[8]=C:\WINDOWS\System32\SETUPAPI.dll
LoadedModule[9]=C:\WINDOWS\System32\cfgmgr32.dll
LoadedModule[10]=C:\WINDOWS\System32\ucrtbase.dll
LoadedModule[11]=C:\WINDOWS\System32\bcrypt.dll
LoadedModule[12]=C:\WINDOWS\System32\CRYPT32.dll
LoadedModule[13]=C:\WINDOWS\System32\GDI32.dll
LoadedModule[14]=C:\WINDOWS\System32\win32u.dll
LoadedModule[15]=C:\WINDOWS\System32\gdi32full.dll
LoadedModule[16]=C:\WINDOWS\System32\msvcp_win.dll
LoadedModule[17]=C:\WINDOWS\System32\USER32.dll
LoadedModule[18]=C:\WINDOWS\System32\COMDLG32.dll
LoadedModule[19]=C:\WINDOWS\System32\combase.dll
LoadedModule[20]=C:\WINDOWS\System32\shcore.dll
LoadedModule[21]=C:\WINDOWS\System32\SHELL32.dll
LoadedModule[22]=C:\WINDOWS\System32\ADVAPI32.dll
LoadedModule[23]=C:\WINDOWS\System32\sechost.dll
LoadedModule[24]=C:\WINDOWS\System32\ole32.dll
LoadedModule[25]=C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\COMCTL32.dll
LoadedModule[26]=C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
LoadedModule[27]=C:\WINDOWS\System32\OLEAUT32.dll
LoadedModule[28]=C:\WINDOWS\SYSTEM32\MPR.dll
LoadedModule[29]=C:\WINDOWS\SYSTEM32\VERSION.dll
LoadedModule[30]=C:\WINDOWS\SYSTEM32\credui.dll
LoadedModule[31]=C:\WINDOWS\SYSTEM32\ACLUI.dll
LoadedModule[32]=C:\WINDOWS\SYSTEM32\WTSAPI32.dll
LoadedModule[33]=C:\WINDOWS\SYSTEM32\POWRPROF.dll
LoadedModule[34]=C:\WINDOWS\SYSTEM32\UxTheme.dll
LoadedModule[35]=C:\WINDOWS\SYSTEM32\NTDSAPI.dll
LoadedModule[36]=C:\WINDOWS\SYSTEM32\WINHTTP.dll
LoadedModule[37]=C:\WINDOWS\SYSTEM32\XmlLite.dll
LoadedModule[38]=C:\WINDOWS\System32\IMM32.DLL
LoadedModule[39]=C:\WINDOWS\SYSTEM32\UMPDC.dll
LoadedModule[40]=C:\WINDOWS\SYSTEM32\winsta.dll
LoadedModule[41]=C:\WINDOWS\SYSTEM32\dbghelp.dll
LoadedModule[42]=C:\WINDOWS\SYSTEM32\dbgcore.DLL
LoadedModule[43]=C:\WINDOWS\System32\wow64cpu.DLL
LoadedModule[44]=C:\WINDOWS\System32\wow64.dll
LoadedModule[45]=C:\WINDOWS\System32\wow64win.dll
LoadedModule[46]=C:\WINDOWS\system32\mscoree.dll
LoadedModule[47]=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
LoadedModule[48]=C:\WINDOWS\SYSTEM32\kernel.appcore.dll
LoadedModule[49]=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll
LoadedModule[50]=C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
LoadedModule[51]=C:\WINDOWS\SYSTEM32\VCRUNTIME140_CLR0400.dll
LoadedModule[52]=C:\WINDOWS\System32\bcryptPrimitives.dll
LoadedModule[53]=C:\WINDOWS\system32\netfxperf.dll
LoadedModule[54]=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll
LoadedModule[55]=C:\WINDOWS\SYSTEM32\pdh.dll
LoadedModule[56]=C:\WINDOWS\System32\MSCTF.dll
LoadedModule[57]=C:\WINDOWS\SYSTEM32\TextShaping.dll
LoadedModule[58]=C:\WINDOWS\System32\Wintrust.dll
LoadedModule[59]=C:\WINDOWS\SYSTEM32\MSASN1.dll
LoadedModule[60]=C:\WINDOWS\SYSTEM32\textinputframework.dll
LoadedModule[61]=C:\WINDOWS\System32\CoreUIComponents.dll
LoadedModule[62]=C:\WINDOWS\System32\CoreMessaging.dll
LoadedModule[63]=C:\WINDOWS\SYSTEM32\wintypes.dll
LoadedModule[64]=C:\WINDOWS\SYSTEM32\ntmarta.dll
LoadedModule[65]=C:\WINDOWS\system32\Oleacc.dll
LoadedModule[66]=C:\WINDOWS\SYSTEM32\DEVOBJ.dll
LoadedModule[67]=C:\WINDOWS\System32\clbcatq.dll
LoadedModule[68]=C:\Windows\System32\taskschd.dll
LoadedModule[69]=C:\Windows\System32\SspiCli.dll
LoadedModule[70]=C:\WINDOWS\SYSTEM32\sxs.dll
LoadedModule[71]=C:\WINDOWS\SYSTEM32\CRYPTSP.dll
LoadedModule[72]=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll
LoadedModule[73]=C:\WINDOWS\system32\rsaenh.dll
LoadedModule[74]=C:\WINDOWS\SYSTEM32\CRYPTBASE.dll
LoadedModule[75]=C:\WINDOWS\SYSTEM32\windows.storage.dll
LoadedModule[76]=C:\WINDOWS\SYSTEM32\Wldp.dll
LoadedModule[77]=C:\WINDOWS\System32\imagehlp.dll
LoadedModule[78]=C:\WINDOWS\system32\propsys.dll
LoadedModule[79]=C:\WINDOWS\SYSTEM32\gpapi.dll
LoadedModule[80]=C:\WINDOWS\SYSTEM32\profapi.dll
LoadedModule[81]=C:\WINDOWS\SYSTEM32\WindowsCodecs.dll
LoadedModule[82]=C:\WINDOWS\SYSTEM32\cryptnet.dll
LoadedModule[83]=C:\WINDOWS\SYSTEM32\WINNSI.DLL
LoadedModule[84]=C:\WINDOWS\System32\NSI.dll
LoadedModule[85]=C:\WINDOWS\SYSTEM32\MrmCoreR.dll
LoadedModule[86]=C:\WINDOWS\SYSTEM32\iertutil.dll
LoadedModule[87]=C:\Windows\System32\thumbcache.dll
LoadedModule[88]=C:\WINDOWS\SYSTEM32\policymanager.dll
LoadedModule[89]=C:\WINDOWS\SYSTEM32\msvcp110_win.dll
LoadedModule[90]=C:\WINDOWS\system32\wbem\wbemprox.dll
LoadedModule[91]=C:\WINDOWS\SYSTEM32\wbemcomn.dll
LoadedModule[92]=C:\WINDOWS\system32\wbem\wbemsvc.dll
LoadedModule[93]=C:\WINDOWS\system32\wbem\fastprox.dll
LoadedModule[94]=C:\WINDOWS\SYSTEM32\amsi.dll
LoadedModule[95]=C:\WINDOWS\SYSTEM32\USERENV.dll
LoadedModule[96]=C:\WINDOWS\system32\WRusr.dll
LoadedModule[97]=C:\WINDOWS\System32\PSAPI.DLL
LoadedModule[98]=C:\WINDOWS\SYSTEM32\MSIMG32.dll
LoadedModule[99]=C:\WINDOWS\SYSTEM32\webio.dll
LoadedModule[100]=C:\WINDOWS\system32\mswsock.dll
LoadedModule[101]=C:\WINDOWS\SYSTEM32\DNSAPI.dll
LoadedModule[102]=C:\Windows\System32\rasadhlp.dll
LoadedModule[103]=C:\WINDOWS\System32\fwpuclnt.dll
LoadedModule[104]=C:\WINDOWS\system32\schannel.DLL
LoadedModule[105]=C:\WINDOWS\SYSTEM32\mskeyprotect.dll
LoadedModule[106]=C:\WINDOWS\SYSTEM32\NTASN1.dll
LoadedModule[107]=C:\WINDOWS\SYSTEM32\ncrypt.dll
LoadedModule[108]=C:\WINDOWS\system32\ncryptsslp.dll
LoadedModule[109]=C:\WINDOWS\SYSTEM32\DPAPI.DLL
LoadedModule[110]=C:\WINDOWS\System32\coml2.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
OsInfo[0].Key=vermaj
OsInfo[0].Value=10
OsInfo[1].Key=vermin
OsInfo[1].Value=0
OsInfo[2].Key=verbld
OsInfo[2].Value=19042
OsInfo[3].Key=ubr
OsInfo[3].Value=1165
OsInfo[4].Key=versp
OsInfo[4].Value=0
OsInfo[5].Key=arch
OsInfo[5].Value=9
OsInfo[6].Key=lcid
OsInfo[6].Value=1033
OsInfo[7].Key=geoid
OsInfo[7].Value=244
OsInfo[8].Key=sku
OsInfo[8].Value=101
OsInfo[9].Key=domain
OsInfo[9].Value=0
OsInfo[10].Key=prodsuite
OsInfo[10].Value=768
OsInfo[11].Key=ntprodtype
OsInfo[11].Value=1
OsInfo[12].Key=platid
OsInfo[12].Value=10
OsInfo[13].Key=sr
OsInfo[13].Value=0
OsInfo[14].Key=tmsi
OsInfo[14].Value=221267222
OsInfo[15].Key=osinsty
OsInfo[15].Value=1
OsInfo[16].Key=iever
OsInfo[16].Value=11.789.19041.0-11.0.1000
OsInfo[17].Key=portos
OsInfo[17].Value=0
OsInfo[18].Key=ram
OsInfo[18].Value=8006
OsInfo[19].Key=svolsz
OsInfo[19].Value=930
OsInfo[20].Key=wimbt
OsInfo[20].Value=0
OsInfo[21].Key=blddt
OsInfo[21].Value=191206
OsInfo[22].Key=bldtm
OsInfo[22].Value=1406
OsInfo[23].Key=bldbrch
OsInfo[23].Value=vb_release
OsInfo[24].Key=bldchk
OsInfo[24].Value=0
OsInfo[25].Key=wpvermaj
OsInfo[25].Value=0
OsInfo[26].Key=wpvermin
OsInfo[26].Value=0
OsInfo[27].Key=wpbuildmaj
OsInfo[27].Value=0
OsInfo[28].Key=wpbuildmin
OsInfo[28].Value=0
OsInfo[29].Key=osver
OsInfo[29].Value=10.0.19041.1165.amd64fre.vb_release.191206-1406
OsInfo[30].Key=buildflightid
OsInfo[30].Value=CCA699D9-19E7-4B7A-B468-168C4C3ABEE7.1
OsInfo[31].Key=edition
OsInfo[31].Value=Core
OsInfo[32].Key=ring
OsInfo[32].Value=Retail
OsInfo[33].Key=expid
OsInfo[33].Value=RS:97A7
OsInfo[34].Key=fconid
OsInfo[35].Key=containerid
OsInfo[36].Key=containertype
OsInfo[37].Key=edu
OsInfo[37].Value=0
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Sysinternals Process Explorer
AppPath=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=82DF231D2A89ABA7A69459F990BC7F81
MetadataHash=396090815

******************END OF REPORT.WER CONTENT ******************

Any pointer or feedback would be great.

Thank you

Hi Veronics,
even after revisiting your post I have no good idea about why process explorer should crash.

But if this is a reproducible crash, it should interest the programmers at sysinternals.
A potential crash could be a leading point to a vulnerability.
As it is obviously some input data that crashes it.

Regards,
Bernhard
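
An added example, not part of either post and not code from GnuPG or Sysinternals: a small Python parser for the key=value layout of the Report.wer pasted in the first message, which pulls out the crash signature and lists loaded modules that live outside C:\Windows, a compact summary to attach to an upstream bug report. The function names, the two-entry NTSTATUS table and the "outside C:\Windows" heuristic are assumptions made for this illustration.

```python
import re
# Constructed excerpt: a few lines in the same key=value layout as the
# Report.wer pasted in the thread (values copied from that post).
SAMPLE_WER = r"""EventType=APPCRASH
Sig[0].Name=Application Name
Sig[0].Value=procexp64.exe
Sig[6].Name=Exception Code
Sig[6].Value=c000041d
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000040b40
LoadedModule[0]=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
LoadedModule[1]=C:\WINDOWS\SYSTEM32\ntdll.dll
LoadedModule[47]=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
AppPath=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
"""

INDEXED = re.compile(r"^(Sig|DynamicSig|LoadedModule)\[(\d+)\](?:\.(Name|Value))?$")
# Two NTSTATUS codes commonly seen in APPCRASH signatures (not exhaustive).
NTSTATUS = {"c000041d": "STATUS_FATAL_USER_CALLBACK_EXCEPTION",
            "c0000005": "STATUS_ACCESS_VIOLATION"}

def parse_wer(text):
    """Return (plain keys, signature name->value, loaded module paths)."""
    plain, names, values, modules = {}, {}, {}, []
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if not sep:
            continue  # skip blank or malformed lines
        m = INDEXED.match(key.strip())
        if not m:
            plain[key.strip()] = val.strip()
        elif m.group(1) == "LoadedModule":
            modules.append(val.strip())
        elif m.group(3) == "Name":
            names[(m.group(1), m.group(2))] = val.strip()
        elif m.group(3) == "Value":
            values[(m.group(1), m.group(2))] = val.strip()
    # Join each Sig[n].Name with its Sig[n].Value (empty if the value is absent).
    signature = {n: values.get(k, "") for k, n in names.items()}
    return plain, signature, modules

def triage(text):
    """Summarise the crash signature and modules loaded from outside C:\\Windows."""
    plain, sig, modules = parse_wer(text)
    code = sig.get("Exception Code", "").lower()
    outside = [m for m in modules if not m.lower().startswith("c:\\windows\\")]
    return {"app": sig.get("Application Name"), "exception": code,
            "exception_name": NTSTATUS.get(code, "unknown"),
            "offset": sig.get("Exception Offset"),
            "modules_outside_windows": outside}
```

Report.wer files on disk are normally UTF-16, so decode the file before passing its text to `triage`.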