Me, myself & IT

Bugs in NTDLL.dll of non-english Editions of Windows^™ Embedded POSReady 2009 alias Windows^™ XP

Bug

Manifestation

Demonstration

Tidbit

Incompatibility

Bug

Note: see the definition of NTSTATUS severity codes.

Manifestation

Note: the following 6 cases present the message texts from german editions of Windows XP and Windows Embedded POSReady 2009; the bug but exists in all non-english editions of these versions of Windows NT!

1. If a dependent DLL is empty or corrupted, non-english editions of Windows XP and Windows Embedded POSReady 2009 display the text for the message identifier 0xC000007C alias STATUS_NO_TOKEN

   Es wurde versucht, auf einen Token zu verweisen, der nicht existiert.
   Dies erfolgt im Normalfall durch Ansprechen des mit dem Thread verknüpften Token,
   wenn der Thread nicht die Identität eines Client angenommen hat.

   instead of the proper text for the message identifier 0xC000007B alias STATUS_INVALID_IMAGE_FORMAT

   {Abbild fehlerhaft}
   Die Anwendung oder DLL %hs ist keine gültige Windows-Datei.
   Überprüfen Sie dies mit der Installationsdiskette.

2. If a dependent DLL is an invalid or wrong portable executable file, non-english editions of Windows XP and Windows Embedded POSReady 2009 display a bogus error message

   {Auslagerungsdatei konnte nicht erstellt werden}
   Exception Processing Message c0000145 Parameters c000007b 75b0bf7c 75b0bf7c 75b0bf7c

   instead of the proper text for the message identifier 0xC0000145 alias STATUS_APP_INIT_FAILURE

   {Fehler in Anwendung}
   Die Anwendung konnte nicht richtig initialisiert werden (0x%lx).
   Klicken Sie auf "OK", um die Anwendung zu beenden.

   Note: the expected wrong error message should but display the text for the message identifier 0xC0000146 alias STATUS_PAGEFILE_CREATE_FAILED

   {Auslagerungsdatei konnte nicht erstellt werden}
   Die Erstellung der Auslagerungsdatei %hs ist fehlgeschlagen (%lx).
   Die angeforderte Größe war %ld.

3. If an entry point is missing in a dependent DLL, non-english editions of Windows Embedded POSReady 2009 and Windows XP display the text for the message identifier 0xC000013A alias STATUS_CONTROL_C_EXIT

   {Anwendung mit STRG+C beendet}
   Die Anwendung wurde mit STRG+C unterbrochen.

   instead of the proper text for the message identifier 0xC0000139 alias STATUS_ENTRYPOINT_NOT_FOUND

   {Einsprungpunkt nicht gefunden}
   Der Prozedureinsprungpunkt "%hs" wurde in der DLL "%hs" nicht gefunden.

4. If a dependent DLL is missing, non-english editions of Windows XP and Windows Embedded POSReady 2009 display the text for the message identifier 0xC0000136 alias STATUS_OPEN_FAILED

   NtCreateFile-API ist fehlgeschlagen.
   Dieser Fehler sollte keiner Anwendung zurückgegeben werden,
   da er ein Platzhalter für den Windows-Redirector ist, damit
   dieser seine internen Fehlerzuordnungsroutinen verwenden kann.

   instead of the proper text for the message identifier 0xC0000135 alias STATUS_DLL_NOT_FOUND

   {Komponente nicht gefunden}
   Die Anwendung konnte nicht gestartet werden, weil %hs nicht gefunden wurde.
   Neuinstallation der Anwendung könnte das Problem beheben.

5. If a dependent DLL is not accessible, non-english editions of Windows XP and Windows Embedded POSReady 2009 display a bogus error message

   {Auslagerungsdatei konnte nicht erstellt werden}
   Exception Processing Message c0000145 Parameters c0000022 75b0bf7c 75b0bf7c 75b0bf7c

   instead of the proper text for the message identifier 0xC0000145 alias STATUS_APP_INIT_FAILURE

   {Fehler in Anwendung}
   Die Anwendung konnte nicht richtig initialisiert werden (0x%lx).
   Klicken Sie auf "OK", um die Anwendung zu beenden.

   Note: the expected wrong error message should but display the text for the message identifier 0xC0000146 alias STATUS_PAGEFILE_CREATE_FAILED

   {Auslagerungsdatei konnte nicht erstellt werden}
   Die Erstellung der Auslagerungsdatei %hs ist fehlgeschlagen (%lx).
   Die angeforderte Größe war %ld.

6. If initialisation of a dependent DLL fails, non-english editions of Windows Embedded POSReady 2009 and Windows XP display a bogus error message

   {Auslagerungsdatei konnte nicht erstellt werden}
   Exception Processing Message c0000145 Parameters c0000142 75b0bf7c 75b0bf7c 75b0bf7c

   instead of the proper text for the message identifier 0xC0000145 alias STATUS_APP_INIT_FAILURE

   {Fehler in Anwendung}
   Die Anwendung konnte nicht richtig initialisiert werden (0x%lx).
   Klicken Sie auf "OK", um die Anwendung zu beenden.

   Note: the expected wrong error message should but display the text for the message identifier 0xC0000146 alias STATUS_PAGEFILE_CREATE_FAILED

   {Auslagerungsdatei konnte nicht erstellt werden}
   Die Erstellung der Auslagerungsdatei %hs ist fehlgeschlagen (%lx).
   Die angeforderte Größe war %ld.

The reason hides in plain sight!

While the first (and only) format placeholder %lx of the proper message text specifies a numerical value, the first format placeholder %hs of the wrong message text but specifies a string value: the NTSTATUS values 0xC000007B, 0xC0000022 and 0xC0000142 are thus interpreted as addresses, resulting in access violation exceptions.
These are caught in Windows’ module loader, which displays its generic (english) error message text instead of the wrong message text, with the (localised) caption of the latter.

Demonstration

1. Create the text file FUBAR.C with the following content in an arbitrary, preferable empty directory:

   // Copyright © 2016-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>
   
   #define STRICT
   #define WIN32_LEAN_AND_MEAN
   
   #include <windows.h>
   
   #ifdef _DLL
   const	LPCSTR	szReason[4] = {"DLL_PROCESS_DETACH\n",
   		               "DLL_PROCESS_ATTACH\n",
   		               "DLL_THREAD_ATTACH\n",
   		               "DLL_THREAD_DETACH\n"};
   
   BOOL	WINAPI	_DllMainCRTStartup(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
   {
   #ifdef VERBOSE
   	DWORD	dwConsole;
   
   	WriteConsoleA(GetStdHandle(STD_ERROR_HANDLE), szReason[dwReason], strlen(szReason[dwReason]), &dwConsole, NULL);
   #else
   	OutputDebugStringA(szReason[dwReason]);
   #endif
   	return FALSE;
   }
   
   __declspec(dllexport)
   const	CHAR	szFUBAR[] = "Fucked up beyond all recognition\b\b\b\b\b\b\b\b\b\b\b\b\b\b\bmessage identifier 0x8020000B\n";
   #else // _DLL
   __declspec(dllimport)
   extern	CHAR	szFUBAR[];
   
   __declspec(noreturn)
   VOID	CDECL	mainCRTStartup(VOID)
   {
   #ifdef VERBOSE
   	DWORD	dwConsole;
   
   	WriteConsoleA(GetStdHandle(STD_ERROR_HANDLE), szFUBAR, strlen(szFUBAR), &dwConsole, NULL);
   #else
   	OutputDebugStringA(szFUBAR);
   #endif
   	ExitProcess(GetLastError());
   }
   #endif // _DLL

2. Build the DLL FUBAR.DLL and the console application FUBAR.EXE from the source file FUBAR.C created in step 1.:

   SET CL=/Brepro /GF /Gy /Oi /W4 /wd4100 /Zl
   SET LINK=/MACHINE:I386 /MERGE:.rdata=.const /MERGE:.text=.code /NODEFAULTLIB /NXCOMPAT /OSVERSION:5.1 /RELEASE
   CL.EXE /LD /MD FUBAR.C KERNEL32.LIB
   SET LINK=/ENTRY:mainCRTStartup /MACHINE:I386 /MERGE:.rdata=.const /MERGE:.text=.code /NODEFAULTLIB /NXCOMPAT /OSVERSION:5.1 /RELEASE /SUBSYSTEM:CONSOLE
   CL.EXE FUBAR.C FUBAR.LIB KERNEL32.LIB

   For details and reference see the MSDN articles Compiler Options and Linker Options.

   Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

   Note: both portable executables build without the MSVCRT libraries.

   Note: the command lines can be copied and pasted as block into a Command Processor window.

   Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
   Copyright (C) Microsoft Corporation.  All rights reserved.
   
   FUBAR.C
   
   Microsoft (R) Incremental Linker Version 10.00.40219.386
   Copyright (C) Microsoft Corporation.  All rights reserved.
   
   /NODEFAULTLIB /NXCOMPAT /OPT:REF /OSVERSION:5.1 /RELEASE
   /out:FUBAR.dll
   /dll
   /implib:FUBAR.lib
   FUBAR.obj
   KERNEL32.LIB
      Creating library FUBAR.lib and object FUBAR.exp
   
   Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
   Copyright (C) Microsoft Corporation.  All rights reserved.
   
   FUBAR.C
   
   Microsoft (R) Incremental Linker Version 10.00.40219.386
   Copyright (C) Microsoft Corporation.  All rights reserved.
   
   /ENTRY:mainCRTStartup /NXCOMPAT /OPT:REF /OSVERSION:5.1 /RELEASE /SUBSYSTEM:CONSOLE
   /out:FUBAR.exe
   FUBAR.obj
   FUBAR.LIB
   KERNEL32.LIB

3. Execute the application FUBAR.EXE built in step 2. to demonstrate case 6.:

   FUBAR.EXE
   ECHO %ERRORLEVEL%

   

   -1073741502

   Note: -1073741502 is the decimal representation of 0xC0000142 alias STATUS_DLL_INIT_FAILED!

4. Deny access to the DLL FUBAR.DLL built in step 2., then execute the application FUBAR.EXE built in step 2. to demonstrate case 5.:

   CACLS.EXE FUBAR.DLL /E /D "%USERNAME%"
   FUBAR.EXE
   ECHO %ERRORLEVEL%

   

   -1073741790

   Note: -1073741790 is the decimal representation of 0xC0000022 alias STATUS_ACCESS_DENIED!

5. Erase the DLL FUBAR.DLL built in step 2., then execute the application FUBAR.EXE built in step 2. to demonstrate case 4.:

   ERASE FUBAR.DLL
   FUBAR.EXE
   ECHO %ERRORLEVEL%

   

   -1073741515

   Note: -1073741515 is the decimal representation of 0xC0000135 alias STATUS_DLL_NOT_FOUND!

6. Copy an arbitrary DLL as FUBAR.DLL, then execute the application FUBAR.EXE built in step 2. to demonstrate case 3.:

   COPY "%SystemRoot%\System32\NTDLL.DLL" FUBAR.DLL
   FUBAR.EXE
   ECHO %ERRORLEVEL%

   

   -1073741511

   Note: -1073741511 is the decimal representation of 0xC0000139 alias STATUS_ENTRYPOINT_NOT_FOUND!

7. Copy an arbitrary application as FUBAR.DLL, then execute the application FUBAR.EXE built in step 2. to demonstrate case 2.:

   COPY /Y FUBAR.EXE FUBAR.DLL
   FUBAR.EXE
   ECHO %ERRORLEVEL%

   

   -1073741701

   Note: -1073741701 is the decimal representation of 0xC000007B alias STATUS_INVALID_IMAGE_FORMAT!

8. Copy an arbitrary MS-DOS program as FUBAR.DLL, then execute the application FUBAR.EXE built in step 2. to demonstrate case 1.:

   COPY /Y "%SystemRoot%\System32\Command.com" FUBAR.DLL
   FUBAR.EXE
   ECHO %ERRORLEVEL%

   

   -1073741521

   Note: -1073741521 is the decimal representation of 0xC000012F alias STATUS_INVALID_IMAGE_NOT_MZ!

9. Copy an empty file as FUBAR.DLL, then execute the application FUBAR.EXE built in step 2. to demonstrate case 1. again:

   COPY /Y NUL: FUBAR.DLL
   FUBAR.EXE
   ECHO %ERRORLEVEL%

   

   -1073741792

   Note: -1073741792 is the decimal representation of 0xC0000020 alias STATUS_INVALID_FILE_FOR_SECTION!

Tidbit

If your application happens to cause an access violation exception on a german edition of Windows XP or Windows Embedded POSReady 2009, you’ll see a wrong error message with the text for the message identifier 0xC0000006 alias STATUS_IN_PAGE_ERROR including a rather long string of 81 hexadecimal digits

Die Anweisung "0x%08lx" verweist auf Speicher bei "0x%08lx".
Die Daten wurden wegen eines E/A-Fehlers in "0x%081x" nicht in den Arbeitsspeicher übertragen.

Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx".
Der Vorgang "%s" konnte nicht auf dem Speicher durchgeführt werden.

Incompatibility

Escape sequence	Meaning
%0	Terminates a message text line without a trailing new line character. This escape sequence can be used to build up long lines or to terminate the message itself without a trailing new line character. It is useful for prompt messages.
%n!format string!	Identifies an insert. The value of n can be in the range from 1 through 99. The format string (which must be surrounded by exclamation marks) is optional and defaults to !s! if not specified. […]

Note: corresponding to the NTSTATUS values 0xC0000144 alias STATUS_UNHANDLED_EXCEPTION and 0xC000021A alias STATUS_SYSTEM_PROCESS_TERMINATED, the Win32 error codes 574 alias ERROR_UNHANDLED_EXCEPTION and 591 alias ERROR_SYSTEM_PROCESS_TERMINATED were added in Windows Vista^® and newer versions of Windows^™ NT, but their message texts were copied unchanged from NTDLL.dll to the message tables of the Win32 system DLLs, thus porting this bug – on current versions of Windows NT, the command lines

NET.EXE HELPMSG 574
CERTUTIL.EXE /ERROR 574
NET.EXE HELPMSG 591
CERTUTIL.EXE /ERROR 591

{Application Error}
The exception s (0x

0x23e (WIN32: 574 ERROR_UNHANDLED_EXCEPTION) -- 574 (574)
Error message text: {Application Error}
The exception %s (0x
CertUtil: -error command completed successfully.

{Fatal System Error}
The hs system process terminated unexpectedly with a status of 0x

0x24f (WIN32: 591 ERROR_SYSTEM_PROCESS_TERMINATED) -- 591 (591)
Error message text: {Fatal System Error}
The %hs system process terminated unexpectedly with a status of 0x
CertUtil: -error command completed successfully.

{Application Error}
The exception %s (0x%08lx) occurred in the application at location 0x%08lx.

0x23e (WIN32: 574 ERROR_UNHANDLED_EXCEPTION) -- 574 (574)
Error message text: {Application Error}
The exception %s (0x%08lx) occurred in the application at location 0x%08lx.
CertUtil: -error command completed successfully.

{Fatal System Error}
The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).
The system has been shut down.

0x24f (WIN32: 591 ERROR_SYSTEM_PROCESS_TERMINATED) -- 591 (591)
Error message text: {Fatal System Error}
The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).
The system has been shut down.
CertUtil: -error command completed successfully.

Contact and Feedback

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

• The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
  In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
• Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
  An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
• Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
• Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

The web service is operated and provided by

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

• the (pseudonymised) IP address;
• the date and time of the request;
• the URL of the requested web page or file;
• the Referer and User-Agent HTTP headers sent by the web browser;
• the result (success or failure) of the request;
• the amount of data received and sent.