SentinelAgent and think-cell trigger: "COMBASE.DLL STATUS_ACCESS_VIOLATION"
Problem
SentinelOne's SentinelAgent security tool is installed on my computer. At some point after working with the internal datasheet of think-cell, I receive a COMBASE.DLL STATUS_ACCESS_VIOLATION error message.
In some cases, the error message does not appear and a new Excel window (of the regular, stand-alone Excel application) starts up instead.
Solution
The problem will be resolved by installing the following Microsoft Windows updates.
Note: In a previous version of this article, we communicated the third week of October 2022 as the expected release date for the initial wave of Windows updates, based on the information we had received from Microsoft. However, Microsoft eventually postponed this wave to November. The currently available information as of December 1, 2022, follows.
For the Windows versions listed below, Microsoft published optional releases in November 2022 (i.e., the 11C release in Microsoft's naming convention). Refer to Microsoft's release information on November 15, 2022—KB5020030 (OS Builds 19042.2311, 19043.2311, 19044.2311, and 19045.2311) Preview
- Windows 10 v22H2 (Build 19045)
- Windows 10 v21H2 (Build 19044)
- Windows 10 v21H1 (Build 19043)
- Windows 10 v20H2 (Build 19042)
For the following Windows versions, updates were originally expected for November, and we have not yet received updated information. However, January 2023 is most likely, as December updates are reserved for security issues.
- Windows 11
- Windows Server 2022
- Windows 10 v2004
For this Windows version, an update was originally expected for January 2023, and we have not received information of a change.
- Windows 10 v1809: 1B (standard relase, second Tuesday of January 2023)
It is expected that Microsoft will subsequently move the optional "C" releases to standard "B" releases.
If you still experience problems after installing the appropriate Windows update, please contact our support team.
Reproduction Steps
If you are not sure if you are experiencing this error or a similar one, try these reproduction steps:
-
Open PowerPoint
-
Insert a think-cell stacked chart:
Insert → think-cell → Elements → Stacked → click on slide to insert chart
→ internal datasheet opens (Excel process shown in Task Manager → (More Details) → Details) -
Close internal datasheet
→ Wait until Excel process closes in Task Manager → (More Details) → Details) (may take ~30s)
→CRITICALWITHMSG COMBASE.DLL 10.0.18362.1645+0x1BEBBE: STATUS_ACCESS_VIOLATIONor a new Excel window starts up
→ After dismissing error message, Excel process is closed
Analysis
This issue only occured in affected Windows versions when think-cell and SentinelOne's SentinelAgent were enabled together. Our developers analyzed the issue in detail:
The crash occured in COMBASE.DLL within the CCtxChnl::OnCall function. We investigated the problem in 64-bit COMBASE.DLL 10.0.19041.1202 and the following address offsets and symbol names are from this version.
Most of the code in CCtxChnl::OnCall appeared to be robust against the this->_pIFaceEntry->_pID member being null (e.g., CStdWrapper::IsNAWrapper was called from CCtxChnl::OnCall and had code to handle this).
If, however, the IsCallTracingEnabled call in CCtxChnl::OnCall returned true, the code attempted to access
this->_pIFaceEntry->_pID->_oid.Data1 without checking whether this->_pIFaceEntry->_pID was null, and this resulted in an access violation (COMBASE.DLL!Imagebase+0x00000000001A77B0).
Temporary workaround
If you cannot update Windows to one of the fixed versions yet, your IT may try this workaround:
A think-cell customer received this workaround from SentinelOne before the fixed Windows versions were available. For further information concerning this workaround, contact your SentinelOne support and refer to ticket #652625.
-
Get the SentinelOne passphrase for the machine
-
Run CMD as administrator:
cd "C:\Program Files\SentinelOne\Sentinel Agent <X.X.X.XXX\>"
sentinelctl config agent.relinking.com false -k "PASS PHRASE FROM STEP ONE"
sentinelctl config agent.relinking.com
(the returned value should be:false) -
Wait 5 minutes and then reboot the machine.