The ctiuser.dll thread can cause the crash if it accesses an uninitialized object inside TLS (Thread Local Storage), which can cause the crash of some 3rd party applications if the environment includes the Citrix MfAppHook.dll injection and hooking as well.

• Carbon Black Cloud Sensor: Version 4.x and higher
• Additional .dll with hooking capabilities: Citrix MfAppHook.dll (example)
• Custom 3rd party application (crash victim)
• TLS (Thread Local Storage) configuration
• Microsoft Windows: All Supported Versions

If two .dlls (Carbon Black ctiuser.dll and Citrix MfAppHook.dll for example) with hooking capabilities are loaded in the 3rd party application, the ctiuser.dll spawns a thread that accesses the TLS (Thread Local Storage) memory. This TLS memory is uninitialized since the main thread has not reached the initialization stage yet, and this causes the crash of the 3rd party application.

Workarounds:

• Disable the hooks of the additional identified .dlls (Example of how to disable Citrix MfApHook.dll hooking)
• Apply an API bypass rule for the 3rd party application that is crashing to prevent the ctiuser.dll from hooking the application.

Potential Future Fixes:

• The Carbon Black Cloud Sensor is going to eventually move away from ctiuser.dll hooking, but this is a roadmap idea that has no current timeline.
• Engineering is working to potentially expose configurable delay loading of ctiuser.dll, so that customers can configure this as needed for affected sensor groups.
• Engineering is also working to create a way to identify uninitialized objects before spawning any thread