Endpoint Standard Sensor: Compatibility Issue With VMware Smart Card Interception DLL (vmwsci.dll)
search cancel

Endpoint Standard Sensor: Compatibility Issue With VMware Smart Card Interception DLL (vmwsci.dll)

book

Article ID: 289816

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Internet Explorer Crashes when Endpoint Standard Sensor is Enabled
  • VMware's Smart Card Interception DLL (vmwsci.dll) is installed on the device
  • Exception Code:  c0000005 listed in the application crash event or ProcDump capture

Environment

  • Endpoint Standard Sensor: 3.3.x.x and lower
  • Microsoft Windows: All Supported Versions
  • Internet Explorer 11

Cause

  • When iexplore.exe is launched, both ctiuser.dll and VMware's Smart Card Interception DLL (vmwsci.dll) are loaded/injected in to iexplore.exe
  • ctiuser.dll then stores the address to call for "LoadLibraryExW" on app launch. At the time of app launch, this includes vmwsci.dll's injection in to the function "LoadLibraryExW"
  • When "LoadLibraryExW" is invoked by iexplore.exe, and the hook logic has completed, ctiuser.dll attempts to call the stored address
  • vmwsci.dll has unloaded, and has removed the "trampoline" code they had in place for their injection, resulting in the iexplore.exe crash

Resolution

  1. Remove smart card readers (if attached)
  2. Rename vmwsci.dll within C:\Windows\SysWOW64  
    vmwsci.dll --> vmwsci.dll.OLD
Powered by Wolken Software