Vista x64: Unknown error code (-1073741502): The user defined managed entry point failed in the target process.

Jan 22, 2009 at 9:45 PM
Edited Jan 22, 2009 at 9:47 PM
Windows Vista 64-bit with UAC enabled.  I downloaded the source code (from here) and opened it in Visual Studio 2008.  The solution and projects were converted to VS2008 successfully with only a warning that it will use the default UAC settings (use same as launching process).

I then switched to x64 platform and started debugging the Debug target.  The first time the assemblies didn't load because I didn't launch Visual Studio as an administrator.  After launching as an admin (providing PID to explorer.exe) I get this in the output window:

[comment]: [GAC]:               SCHEME: <OPAQUE>  ID: <NlCeLzgTgL5QyVEfj5HfB1JA5XoqgCnUaJlF4twh>  DESCRIPTION : <A FileMon like demo application.>
Assembly D:\Source\EasyHook\Debug\x64\EasyHook.dll successfully added to the cache
              SCHEME: <OPAQUE>  ID: <NlCeLzgTgL5QyVEfj5HfB1JA5XoqgCnUaJlF4twh>  DESCRIPTION : <A FileMon like demo application.>
Assembly D:\Source\EasyHook\Debug\x64\FileMon.exe successfully added to the cache
              SCHEME: <OPAQUE>  ID: <NlCeLzgTgL5QyVEfj5HfB1JA5XoqgCnUaJlF4twh>  DESCRIPTION : <A FileMon like demo application.>
Assembly D:\Source\EasyHook\Debug\x64\FileMonInject.dll successfully added to the cache

Number of assemblies processed = 3
Number of assemblies installed = 3
Number of failures = 0

There was an error while connecting to target:
System.ApplicationException: Unknown error code (-1073741502): The user defined managed entry point failed in the target process. Make sure that EasyHook is registered in the GAC. Refer to event logs for more information. (Code: 13)
   at EasyHook.NativeAPI.Force(Int32 InErrorCode) in D:\Source\EasyHook\EasyHook\DllImport.cs:line 473
   at EasyHook.RemoteHooking.InjectEx(Int32 InHostPID, Int32 InTargetPID, Int32 InWakeUpTID, Int32 InNativeOptions, String InLibraryPath_x86, String InLibraryPath_x64, Boolean InCanBypassWOW64, Boolean InCanCreateService, Object[] InPassThruArgs) in D:\Source\EasyHook\EasyHook\RemoteHook.cs:line 674
   at EasyHook.RemoteHooking.Inject(Int32 InTargetPID, String InLibraryPath_x86, String InLibraryPath_x64, Object[] InPassThruArgs) in D:\Source\EasyHook\EasyHook\RemoteHook.cs:line 528
   at FileMon.Program.Main(String[] args) in D:\Source\EasyHook\Examples\FileMon\Program.cs:line 126



And this in my event log:
[error]: System.Runtime.Serialization.SerializationException: Unable to find assembly 'EasyHook, Version=2.5.0.0, Culture=neutral, PublicKeyToken=4b580fca19d0b0c5'.
   at System.Runtime.Serialization.Formatters.Binary.BinaryAssemblyInfo.GetAssembly()
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.GetType(BinaryAssemblyInfo assemblyInfo, String name)
   at System.Runtime.Serialization.Formatters.Binary.ObjectMap..ctor(String objectName, String[] memberNames, BinaryTypeEnum[] binaryTypeEnumA, Object[] typeInformationA, Int32[] memberAssemIds, ObjectReader objectReader, Int32 objectId, BinaryAssemblyInfo assemblyInfo, SizedArray assemIdToAssemblyTable)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.Run()
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
   at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
   at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream)
   at EasyHook.InjectionLoader.Main(String InParam) in D:\Source\EasyHook\EasyHook\InjectionLoader.cs:line 134


If I open the GAC (start > run > assembly) I see EasyHook 2.5.0.0 listed with MSIL as the processor architecture.
Jan 22, 2009 at 9:59 PM
I did notice that the InLibraryPath_x86 and InLibraryPath_x64 both contain the same path (which is an absolute path, not an assembly reference string like "MyAssembly, PublicKeyToken=248973975895496").  Could this be part of the problem or should it run fine since I'm using a 64-bit program to hook another 64-bit program (explorer.exe) with a 64-bit DLL?
Jan 22, 2009 at 10:07 PM
So interestingly, there are two explorer.exe instances running in Windows Vista x64.  The first one (PID 1704 in my case) is parent to the second one (PID 316 in my case).  The above problem is encountered with 1704 but if I instead hook into 316 it works perfectly.  It appears that 316 is an actual explorer file browser window while 1704 is the parent process to everything I launch (unless I launch something from the file browser window, in which case it is the parent until it's closed at which point parenthood changes to 1704).

I am curious though why I can't hook 1704 since it appears to be the same as 316 according to ProcessExplorer.
Jan 24, 2009 at 2:30 PM
Hi there

What does your code look like?
For me it only worked once I did the run-time GAC-registration that's used in the example source-code.
Jan 24, 2009 at 7:24 PM
I was using the FileMon example code.
Jan 25, 2009 at 2:28 PM
Ah, are you running studio as administrator?
Took me a few minutes to figure that one out, as I normally develop on XP.
If you're running studio as administrator and using the filemon example, I'm afraid I have no good suggestions...
Jan 25, 2009 at 7:49 PM
Yeah, I ran into the administrator problem at first but that is fixed now. The only issue left is that I can't attach to the primary explorer.exe (the one that owns my desktop, start menu, task bar, etc.) but I can attach to an explorer.exe folder browsing window.