Knowledge base KB0235

SentinelAgent and think-cell trigger: COMBASE.DLL STATUS_ACCESS_VIOLATION

Problem

At some point after working with the internal datasheet of think-cell I receive a COMBASE.DLL STATUS_ACCESS_VIOLATION error message.

think-cell error message

Reproduction Steps

  1. Open PowerPoint

  2. Insert think-cell stacked chart:
    Insert → think-cell → Elements → Stacked → click on slide to insert chart
    → internal datasheet opens (Excel process shown in Task Manager → (More Details) → Details)

  3. Close internal datasheet
    → Wait until Excel process closes in Task Manager → (More Details) → Details (may take ~30s)
    CRITICALWITHMSG COMBASE.DLL 10.0.18362.1645+0x1BEBBE: STATUS_ACCESS_VIOLATION
    → After dismissing error message, Excel process is closed

Analysis

This only occurs when think-cell and SentinelOne's SentinelAgent are enabled together. Our developers analyzed the issue in detail. It looks like SentinelAgent started using the CoGetInterceptor function of Windows, while think-cell uses the COM ContextSwitcher. The two do not work together, which seems like a bug in Windows:

The crash occurs in COMBASE.DLL within the CCtxChnl::OnCall function. We investigated the problem in 64-bit COMBASE.DLL 10.0.19041.1202 and the following address offsets and symbol names are from this version. Most of the code in CCtxChnl::OnCall appears to be robust against the this->_pIFaceEntry->_pID member being null (e.g. CStdWrapper::IsNAWrapper is called from CCtxChnl::OnCall and has code to handle this). If, however, the IsCallTracingEnabled call in CCtxChnl::OnCall returns true then the code attempts to access this->_pIFaceEntry->_pID->_oid.Data1 without checking whether this->_pIFaceEntry->_pID is null and this results in an access violation (COMBASE.DLL!Imagebase+0x00000000001A77B0). This looks to us like a bug.
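
The pattern described above, reduced to a small C model (an added example, not think-cell's or Microsoft's code). Only the member names come from the analysis; the struct layouts, the functions on_call_unchecked, on_call_checked and run_case, and the sample value are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the COMBASE.DLL internals named above. Only the
   member names come from the analysis; the layouts are assumptions. */
typedef struct { uint32_t Data1; } Oid;
typedef struct { Oid _oid; bool is_na; } IdObject;
typedef struct { IdObject *_pID; } IFaceEntry;      /* _pID may be NULL */
typedef struct { IFaceEntry *_pIFaceEntry; } CtxChnl;

/* Null-tolerant helper, in the way the analysis describes IsNAWrapper. */
static bool is_na_wrapper(const IFaceEntry *e)
{
    return e->_pID != NULL && e->_pID->is_na;
}

/* The pattern described: the normal path tolerates _pID == NULL, but the
   tracing path reads _oid.Data1 through it without a check. */
uint32_t on_call_unchecked(const CtxChnl *ch, bool tracing_enabled)
{
    uint32_t traced = 0;
    (void)is_na_wrapper(ch->_pIFaceEntry);           /* safe for NULL _pID */
    if (tracing_enabled)
        traced = ch->_pIFaceEntry->_pID->_oid.Data1; /* faults if _pID NULL */
    return traced;
}

/* Same logic with the missing check; 0 stands for "no object id to trace". */
uint32_t on_call_checked(const CtxChnl *ch, bool tracing_enabled)
{
    const IdObject *id = ch->_pIFaceEntry->_pID;
    uint32_t traced = 0;
    (void)is_na_wrapper(ch->_pIFaceEntry);
    if (tracing_enabled && id != NULL)
        traced = id->_oid.Data1;
    return traced;
}

/* Constructed sample: one call, with or without an identity object. */
uint32_t run_case(bool has_id, bool tracing_enabled, bool checked)
{
    IdObject id = { { 0xC0FFEEu }, false };
    IFaceEntry entry = { has_id ? &id : NULL };
    CtxChnl ch = { &entry };
    return checked ? on_call_checked(&ch, tracing_enabled)
                   : on_call_unchecked(&ch, tracing_enabled);
}
```

The unchecked variant is safe in every combination except a null _pID with tracing enabled, which is why the fault stays hidden until both conditions meet.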

Workaround

A think-cell customer received the following workaround from SentinelOne:

  1. Get the SentinelOne passphrase for the machine

  2. Run CMD as administrator:
    cd "C:\Program Files\SentinelOne\Sentinel Agent <X.X.X.XXX>"
    sentinelctl config agent.relinking.com false -k "PASS PHRASE FROM STEP ONE"
    sentinelctl config agent.relinking.com
    (the returned value should be: false)

  3. Wait 5 minutes and then reboot the machine.

For further information concerning this workaround, contact your SentinelOne support and refer to ticket: #652625.

Solution

We reported the problem to Microsoft and are waiting on their next steps. If your company has a Microsoft Office support contract and you want to contact Microsoft with further inquiries about the issue, you may refer to Premier case number 2111150060003389. Please also inform your SentinelOne support about this issue and the Microsoft case number.
