Description
I am reading forwarded events (WEF) from the event log. When I try to read the TaskDisplayName for an event where it does not exist, the application crashes with an access violation exception. This also happens when reading the "KeywordsDisplayNames".
Fatal error. System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Repeat 2 times:
--------------------------------
at Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessage(System.Diagnostics.Eventing.Reader.EventLogHandle, System.Diagnostics.Eventing.Reader.EventLogHandle, UInt32, Int32, EvtStringVariant[], EvtFormatMessageFlags, Int32, Char[], Int32 ByRef)
--------------------------------
at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtFormatMessageRenderName(System.Diagnostics.Eventing.Reader.EventLogHandle, System.Diagnostics.Eventing.Reader.EventLogHandle, EvtFormatMessageFlags)
at System.Diagnostics.Eventing.Reader.ProviderMetadataCachedInformation.GetTaskDisplayName(System.String, System.Diagnostics.Eventing.Reader.EventLogHandle)
at System.Diagnostics.Eventing.Reader.EventLogRecord.get_TaskDisplayName()
at EventLogCrash.Program.Main(System.String[])
When I checked the event in the Event Viewer, its XML does not have values for Task and Keywords under RenderingInfo.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" />
<EventID>1014</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>1014</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000010000000</Keywords>
<TimeCreated SystemTime="2024-03-21T23:32:09.577293500Z" />
<EventRecordID>1590</EventRecordID>
<Correlation />
<Execution ProcessID="844" ThreadID="1280" />
<Channel>System</Channel>
<Computer>DESKTOP-JP7LKRA.kovo.local</Computer>
<Security UserID="S-1-5-20" />
</System>
<EventData>
<Data Name="QueryName">wpad</Data>
<Data Name="AddressLength">128</Data>
<Data Name="Address">02000000AC106480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message>Name resolution for the name wpad timed out after none of the configured DNS servers responded.</Message>
<Level>Warning</Level>
<Task />
<Opcode>Info</Opcode>
<Channel>System</Channel>
<Provider>Microsoft-Windows-DNS Client Events</Provider>
<Keywords />
</RenderingInfo>
</Event>
Reproduction Steps
The attached sample project contains an evtx file, and the C# code tries to read the events from that file and crashes with an access violation.
Note: Make sure to set the current machine's culture to en-US before running the sample. Otherwise it will not try to read the rendering info and won't fail. Setting the CultureInfo in C# code will not work. Changing the UI culture is not required.
Reproducible on Windows 11 and Windows Server 2022. Have not checked for other operating systems.
Expected behavior
The correct values should be read and the application should not crash.
Actual behavior
The application crashes with an Access Violation exception.
Regression?
No response
Known Workarounds
No response
Configuration
- .NET 6.0.28 and 8.0.2
- Windows 11 and 2022
- x64
- I think it should happen to all operating systems.
Other information
No response
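Added example (not part of the original report or its attached sample project): reading the pre-rendered Task and Keywords names directly from the event XML with System.Xml.Linq, treating the empty `<Task />` and `<Keywords />` elements shown above as "no value". The class and method names are hypothetical, the embedded XML is a trimmed, constructed copy of the event above, and the issue does not confirm this as a workaround for the crash.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class RenderingInfoReader // hypothetical helper, not a .NET API
{
    // Namespace declared on the <Event> root element.
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Pre-rendered task name, or null when <Task /> is empty or RenderingInfo is absent.
    public static string? TaskName(XElement evt)
    {
        string? text = evt.Element(Ns + "RenderingInfo")?.Element(Ns + "Task")?.Value;
        return string.IsNullOrWhiteSpace(text) ? null : text;
    }

    // Pre-rendered keyword names (populated events carry <Keyword> children);
    // an empty array when <Keywords /> has none or RenderingInfo is absent.
    public static string[] KeywordNames(XElement evt) =>
        evt.Element(Ns + "RenderingInfo")?.Element(Ns + "Keywords")?
           .Elements(Ns + "Keyword")
           .Select(k => k.Value)
           .Where(v => !string.IsNullOrWhiteSpace(v))
           .ToArray() ?? Array.Empty<string>();

    public static void Main()
    {
        // Constructed sample: the event from the report, trimmed to the relevant elements.
        const string xml = @"<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
  <System>
    <Provider Name=""Microsoft-Windows-DNS-Client"" />
    <EventID>1014</EventID>
    <Task>1014</Task>
    <Keywords>0x4000000010000000</Keywords>
  </System>
  <RenderingInfo Culture=""en-US"">
    <Level>Warning</Level>
    <Task />
    <Opcode>Info</Opcode>
    <Keywords />
  </RenderingInfo>
</Event>";
        XElement evt = XDocument.Parse(xml).Root!;
        // Fall back to the numeric task id from <System> when no name was rendered.
        string rawTask = evt.Element(Ns + "System")?.Element(Ns + "Task")?.Value ?? "unknown";
        string task = TaskName(evt) ?? "(none rendered, raw id " + rawTask + ")";
        Console.WriteLine("Task: " + task);
        Console.WriteLine("Keywords rendered: " + KeywordNames(evt).Length);
    }
}
```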