Thursday, November 19, 2009

Wierd Internet Explorer 8 error

A couple of days ago, a guy I know came with a IE8 interesting problem. Sometimes when he started IE, a error message would appear with a very vague description, "error map".

Using Process Explorer,, I found the process ID, and took a dump of the specific process.
I opened the dump in WinDbg and ouputted the call stack of all threads, to find the thread responsible for the message box.
0:000> ~* kb

5 Id: ae0.1358 Suspend: 1 Teb: 7ffda000 Unfrozen
ChildEBP RetAddr Args to Child
02e3cce4 7684073f 76853c9f 0002062a 00000001 ntdll!KiFastSystemCallRet
02e3cce8 76853c9f 0002062a 00000001 00000000 user32!NtUserWaitMessage+0xc
02e3cd1c 76852dc0 0002062c 0002062a 00000001 user32!DialogBox2+0x202
02e3cd44 7687cd48 76820000 00619a68 0002062a user32!InternalDialogBox+0xd0
02e3cde4 7687d2ca 00000030 00000000 ffffffff user32!SoftModalMessageBox+0x69f
02e3cf34 7687d3fc 02e3cf40 00000028 0002062a user32!MessageBoxWorker+0x2c7
02e3cf8c 7687d4a6 0002062a 068025b8 068b1aa8 user32!MessageBoxTimeoutW+0x7f
02e3cfc0 7687d654 0002062a 03ec504c 03ec5044 user32!MessageBoxTimeoutA+0xa1
02e3cfe0 6a6a403a 0002062a 03ec504c 03ec5044 user32!MessageBoxExA+0x1b
02e3d008 7687d6c6 0002062a 03ec504c 03ec5044 ieframe!Detour_MessageBoxExA+0x46
02e3d024 03ec1058 00000000 03ec504c 03ec5044 user32!MessageBoxA+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
02e3d044 03ec15a6 03ec0000 00000001 00000000 mausWay2k+0x1058
02e3d080 6b7a28cc 03ec0000 00000001 00000000 mausWay2k!mouseHookProc+0x407
02e3d0b4 773e16ac 03ec0000 00000001 00000000 IEShims!CShimBindings::s_DllMainHook+0x3b
02e3d0d4 773c9083 6b7a2891 03ec0000 00000001 ntdll!LdrpCallInitRoutine+0x14
02e3d1cc 773c96eb 00000000 7616b8bb 00000000 ntdll!LdrpRunInitializeRoutines+0x270
02e3d450 773c94af 00000000 0067f248 02e3d744 ntdll!LdrpLoadDll+0x49a
02e3d6d4 76b29355 0067f248 02e3d744 02e3d704 ntdll!LdrLoadDll+0x22a
02e3d738 6b7901d0 02e3d910 00000000 00000008 kernel32!LoadLibraryExW+0x252
02e3d794 7682e710 02e3d910 00000000 00000008 IEShims!NS_RedirectFiles::APIHook_LoadLibraryExW+0x14f
It appears that a module called mausWay2k are responsible for the message. mausWay2k is a program which record move movements, keyboard presses, etc.,
From the stack trace it looks like the error resides inside the mouseHookProc, but without the source code it's impossible to pinpoint the error more.
mausWay2k only had the problem with IE8, and it seems like the IEShims, IE Compability Shims, has something to do with this.
After mauseWay2k were removed the problem went away.