SentinelAgent and think-cell trigger: "COMBASE.DLL STATUS_ACCESS_VIOLATION"
Problem
At some point after working with the internal datasheet of think-cell I receive a COMBASE.DLL STATUS_ACCESS_VIOLATION
error message.

Reproduction Steps
-
Open PowerPoint
-
Insert think-cell stacked chart: Insert → think-cell → Elements → Stacked → click on slide to insert chart → internal datasheet opens (Excel process shown in Task Manager → (More Details) → Details)
-
Close internal datasheet → Wait until Excel process closes in Task Manager → (More Details) → Details) (may take ~30s) →
CRITICALWITHMSG COMBASE.DLL 10.0.18362.1645+0x1BEBBE: STATUS_ACCESS_VIOLATION
→ After dismissing error message, Excel process is closed
Analysis
This only occurs when think-cell and SentinelOne's SentinelAgent are enabled together. Our developers analyzed the issue in detail.
It looks like SentinelAgent started using CoGetInterceptor
function of Windows and think-cell uses the COM ContextSwitcher
.
The two do not work together, which seems like a bug in Windows:
COMBASE.DLL
within the CCtxChnl::OnCall
function. We investigated the problem in 64-bit COMBASE.DLL 10.0.19041.1202 and
the following address offsets and symbol names are from this version.
Most of the code in CCtxChnl::OnCall
appears to be robust against the this->_pIFaceEntry->_pID
member being null
(e.g. CStdWrapper::IsNAWrapper
is called from CCtxChnl::OnCall
and has code to handle this).
If, however, the IsCallTracingEnabled
call in CCtxChnl::OnCall
returns true
then the code attempts to access
this->_pIFaceEntry->_pID->_oid.Data1
without checking whether this->_pIFaceEntry->_pID
is null
and this results
in an access violation (COMBASE.DLL!Imagebase+0x00000000001A77B0
). This looks to us like a bug.
Workaround
A think-cell customer received the following workaround from SentinelOne:
-
Get the SentinelOne passphrase for the machine
-
Run CMD as administrator:
cd "C:\Program Files\SentinelOne\Sentinel Agent <X.X.X.XXX\>"
sentinelctl config agent.relinking.com false -k "PASS PHRASE FROM STEP ONE"
sentinelctl config agent.relinking.com
(the returned value should be:false
) -
Wait 5 minutes and then reboot the machine.
For further information concerning this workaround, contact your SentinelOne support and refer to ticket: #652625.
Solution
We reported the problem to Microsoft and are waiting on their next steps. If your company has a Microsoft support contract and you want to contact Microsoft with further inquires about the issue, you may refer to Premier case number 2111150060003389. Please also inform your SentinelOne support about this issue and the Microsoft case number.