[RESOLVED] Win2008SP2: 0xc0000005 in wsxica!GetAutologonCredentials3+ab1

Status: Resolved, external.

Update 121122: Shame on me for not updating this yet... Citrix eventually resolved this issue; please contact them if you encounter the issue below.

At the moment we are working together with Citrix on an issue where the Terminal Services svchost.exe process crashes in wsxica!GetAutologonCredentials3+ab1. This looks to be caused by heap corruption.

!analyze -v will show you "X64APPLICATION_FAULT_INVALID_POINTER_READ_wsxica!GetAutologonCredentials3+ab1". In the current dump I have, which unfortunately is only a user mini dump, the stack of the crashing thread looks like this:

0:044> knL
 # Child-SP RetAddr Call Site
00 00000000`20d6e8f0 00000000`00000040 wsxica!GetAutologonCredentials3+0xab1
01 00000000`20d6e8f8 00000000`20d6f250 0x40
02 00000000`20d6e900 00000000`00000001 0x20d6f250
03 00000000`20d6e908 00000000`00000001 0x1
04 00000000`20d6e910 00000000`00000000 0x1

To get to this stack you will also need to add the Citrix Symbol Server (https://ctxsym.citrix.com/symbols) to your symbol path, using .sympath+. Dumping the raw stack gives a bit more information:

0:044> dps 00000000`20d6e8f0-8 00000000`20d6f948
00000000`20d6e8e8 000007fe`f3677ebb wsxica!GetAutologonCredentials3+0x97b
00000000`20d6e918 000007fe`ff0610c0 msvcrt!free+0x1c
00000000`20d6e948 000007fe`fd15157d winsta!CSmartPublicBinding::~CSmartPublicBinding+0x60
00000000`20d6e988 00000000`76e59635 ntdll!RtlAllocateHeap+0x151
00000000`20d6ea38 00000000`76e58d95 ntdll!RtlFreeHeap+0x1a2
00000000`20d6ea48 00000000`76e36801 ntdll!RtlQueryInformationActivationContext+0x125
00000000`20d6ea88 00000000`76cfced6 kernel32!LocalAlloc+0x62
00000000`20d6eab8 00000000`76cfc192 kernel32!LocalFree+0x2e

Using gflags.exe we enabled pageheap, and we are currently awaiting further data to analyze. If you experience this issue, please drop me an e-mail.
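
Added example (not part of the original post, and not Citrix or Microsoft code): a small Python parser for saved dps output like the raw-stack listing above, which keeps only the slots that resolved to a symbol and flags the allocator routines among them. The names parse_dps, summarize and HEAP_ROUTINES are hypothetical; hits on a raw stack can be stale return addresses from earlier calls, so treat them as leads rather than a call chain.

```python
import re
from collections import Counter

# Symbolized dps line: <slot> <value> <module>!<symbol>[+0x<offset>]
DPS_LINE = re.compile(
    r"^(?P<slot>[0-9a-f]{8}`[0-9a-f]{8})\s+(?P<value>[0-9a-f]{8}`[0-9a-f]{8})\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+?)(?:\+0x(?P<offset>[0-9a-f]+))?$",
    re.IGNORECASE,
)
HEAP_ROUTINES = {"free", "RtlAllocateHeap", "RtlFreeHeap", "LocalAlloc", "LocalFree"}

def to_int(addr):
    """Convert WinDbg's 64-bit notation (00000000`20d6e8e8) to an integer."""
    return int(addr.replace("`", ""), 16)

def parse_dps(text):
    """Return one dict per stack slot whose value resolved to a symbol."""
    hits = []
    for line in text.splitlines():
        m = DPS_LINE.match(line.strip())
        if not m:
            continue  # debugger prompt, or a slot that holds plain data
        hits.append({"slot": to_int(m["slot"]), "value": to_int(m["value"]),
                     "module": m["module"], "symbol": m["symbol"],
                     "offset": int(m["offset"] or "0", 16)})
    return hits

def summarize(hits):
    """Count hits per module and list heap routines in stack order."""
    per_module = Counter(h["module"] for h in hits)
    heap = [f'{h["module"]}!{h["symbol"]}' for h in hits
            if h["symbol"] in HEAP_ROUTINES]
    return per_module, heap

# Listing from the post; the 20d6e8f0 line is constructed (value from knL frame 00).
SAMPLE = """\
0:044> dps 00000000`20d6e8f0-8 00000000`20d6f948
00000000`20d6e8e8 000007fe`f3677ebb wsxica!GetAutologonCredentials3+0x97b
00000000`20d6e8f0 00000000`00000040
00000000`20d6e918 000007fe`ff0610c0 msvcrt!free+0x1c
00000000`20d6e948 000007fe`fd15157d winsta!CSmartPublicBinding::~CSmartPublicBinding+0x60
00000000`20d6e988 00000000`76e59635 ntdll!RtlAllocateHeap+0x151
00000000`20d6ea38 00000000`76e58d95 ntdll!RtlFreeHeap+0x1a2
00000000`20d6ea48 00000000`76e36801 ntdll!RtlQueryInformationActivationContext+0x125
00000000`20d6ea88 00000000`76cfced6 kernel32!LocalAlloc+0x62
00000000`20d6eab8 00000000`76cfc192 kernel32!LocalFree+0x2e
"""

print(summarize(parse_dps(SAMPLE)))
```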