SentinelAgent and think-cell trigger: COMBASE.DLL STATUS_ACCESS_VIOLATION

Problem

At some point after working with the internal datasheet of think-cell I receive a COMBASE.DLL STATUS_ACCESS_VIOLATION error message.

Reproduction Steps

1. Open PowerPoint

2. Insert think-cell stacked chart:
   Insert → think-cell → Elements → Stacked → click on slide to insert chart
   → internal datasheet opens (Excel process shown in Task Manager → (More Details) → Details)

3. Close internal datasheet
   → Wait until Excel process closes in Task Manager → (More Details) → Details) (may take ~30s)
   → CRITICALWITHMSG COMBASE.DLL 10.0.18362.1645+0x1BEBBE: STATUS_ACCESS_VIOLATION
   → After dismissing error message, Excel process is closed

Analysis

This only occurs when think-cell and SentinelOne's SentinelAgent are enabled together. Our developers analyzed the issue in detail. It looks like SentinelAgent started using CoGetInterceptor function of Windows and think-cell uses the COM ContextSwitcher. The two do not work together, which seems like a bug in Windows:

Workaround

A think-cell customer received the following workaround from SentinelOne:

1. Get the SentinelOne passphrase for the machine

2. Run CMD as administrator:
   cd "C:\Program Files\SentinelOne\Sentinel Agent <X.X.X.XXX\>"
sentinelctl config agent.relinking.com false -k "PASS PHRASE FROM STEP ONE"
sentinelctl config agent.relinking.com
   (the returned value should be: false)

3. Wait 5 minutes and then reboot the machine.

For further information concerning this workaround, contact your SentinelOne support and refer to ticket: #652625.

Solution

We reported the problem to Microsoft and are waiting on their next steps. If your company has a Microsoft Office support contract and you want to contact Microsoft with further inquires about the issue, you may refer to Premier case number 2111150060003389. Please also inform your SentinelOne support about this issue and the Microsoft case number.