uiautomationcore.dll 0xc0000409 Crash #18161

Open
styris-ame opened this issue Feb 10, 2025 · 1 comment
styris-ame commented Feb 10, 2025

Describe the bug

I am using Avalonia to make a Windows 11 OOBE replacement, and it works fine most of the time. However, on certain systems I encounter this error in Event Viewer after the GUI starts to load:

Faulting application name: OOBE.exe, version: 2.0.0.0, time stamp: 0x67204b1b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000409
Fault offset: 0x00007ffc1f82328f
Faulting process id: 0x0x13E0
Faulting application start time: 0x0x1DB7BAE18DFE492
Faulting application path: C:\ProgramData\AME\OOBE\OOBE.exe
Faulting module path: unknown

There is no .NET exception due to the nature of the error. I got a crash dump from it and it reveals that the source of the error is uiautomationcore.dll:

SYMBOL_NAME: uiautomationcore!UiaNodeFactory::FromLocalProvider+67
MODULE_NAME: uiautomationcore
IMAGE_NAME: uiautomationcore.dll
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s ; .cxr ; kb
FAILURE_BUCKET_ID: FAIL_FAST_GUARD_ICALL_CHECK_FAILURE_c0000409_uiautomationcore.dll!UiaNodeFactory::FromLocalProvider
OS_VERSION: 10.0.26100.1
BUILDLAB_STR: ge_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 7.2.26100.1591

Full Trace
STACK_TEXT:  
00000098`12d782f8 00007fff`2dea353f     : 00000098`12d78a80 00000098`12d78390 00007fff`2dfa32a4 00007fff`2dfa30d1 : 0x00007fff`2dfa328f
00000098`12d78300 00007fff`2dd5f358     : 00000000`00000000 00007fff`2dfa3000 00007fff`2dfa30d1 00007fff`2dfa32a4 : ntdll!RtlpExecuteHandlerForException+0xf
00000098`12d78330 00007fff`2dea2e7e     : 00000244`42e23690 00007ff7`0602ba1f 00000000`00000000 00000244`42e51390 : ntdll!RtlDispatchException+0x2c8
00000098`12d78a80 00007fff`2dfa30d1     : 00007fff`146d154f 00000000`000007cf 00000098`12d794e0 00007fff`2b83c890 : ntdll!KiUserExceptionDispatch+0x2e
00000098`12d79228 00007fff`146d154f     : 00000000`000007cf 00000098`12d794e0 00007fff`2b83c890 00000244`083c0020 : 0x00007fff`2dfa30d1
00000098`12d79230 00007fff`146cae71     : 00000000`00000000 00000000`00000000 00000000`000100d4 00000098`12d794e0 : uiautomationcore!UiaNodeFactory::FromLocalProvider+0x67
00000098`12d793a0 00007ff6`a82b8e48     : 00000098`12d7a580 00007ff6`a74831f0 00000000`00000000 00000000`00000000 : uiautomationcore!UiaReturnRawElementProvider+0x4f1
00000098`12d7a4e0 00007ff6`a73a951b     : 00000000`000100d4 00000000`50d5a881 ffffffff`ffffffe7 00000244`475459e8 : 0x00007ff6`a82b8e48
00000098`12d7a5f0 00007ff6`a73a86d7     : 00000244`46c8caf8 00000244`432e9090 00000000`00000000 00000000`00000001 : 0x00007ff6`a73a951b
00000098`12d7ace0 00007ff6`a73a85d8     : 00000244`46c8caf8 00000000`000100d4 00000098`0000003d 00000000`50d5a881 : 0x00007ff6`a73a86d7
00000098`12d7ad30 00007ff6`a6e6d55c     : 00000244`46c8caf8 00000000`000100d4 00000000`0000003d 00000000`50d5a881 : 0x00007ff6`a73a85d8
00000098`12d7ad90 00007fff`2be55801     : 00000000`000100d4 00000000`00000000 00000000`00000a00 ffffffff`ffffffe7 : 0x00007ff6`a6e6d55c
00000098`12d7ae10 00007fff`2be5509c     : 00000000`00000388 00007ff6`a68a3124 00000000`000100d4 00000000`80000000 : user32!UserCallWinProcCheckWow+0x341
00000098`12d7af70 00007fff`2be86243     : 00000000`00000000 00000000`00000000 00000000`50d5a881 00000000`00410e02 : user32!DispatchClientMessage+0x9c
00000098`12d7afd0 00007fff`2dea2e24     : 00001d45`0661e0a2 00000000`00000000 0000dd90`aa539c6e 00000000`00000000 : user32!_fnDWORD+0x33
00000098`12d7b030 00007fff`2b321334     : 00007fff`2be8fb2a 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!KiUserCallbackDispatcherContinue
00000098`12d7b0b8 00007fff`2be8fb2a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : win32u!NtUserMessageCall+0x14
00000098`12d7b0c0 00007fff`14753f37     : 00000000`00000007 00000000`50d5a881 00007fff`1497cb68 00000000`000100d4 : user32!SendMessageTimeoutW+0xca
00000098`12d7b150 00007fff`1474568c     : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`00000000 : uiautomationcore!HwndUtils::SendWmGetObject+0x223
00000098`12d7b2a0 00007fff`147454a7     : 00000098`12d7baa0 00000244`008d6210 00000000`00000000 00000000`00000a24 : uiautomationcore!ProviderEntryPoint::ConnectUsingHwnd+0x94
00000098`12d7b350 00007fff`1473a309     : 00000000`00000a34 00000000`00001000 00007fff`1498f970 00000098`12d7bcd0 : uiautomationcore!ProviderEntryPoint::ConnectToProvider+0x1df
00000098`12d7b4b0 00007fff`1473942d     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : uiautomationcore!ProviderEntryPoint::GetUiaNode+0xea1
00000098`12d7df90 00007fff`146fd46b     : 00000098`12d7e110 00000000`000100d4 00000000`000100d4 00000000`00000000 : uiautomationcore!ProviderEntryPoint::GetNativeUiaNode+0x5d
00000098`12d7e020 00007fff`147e4c54     : 00000000`000100d4 00007fff`11af03f0 00000000`00000000 00000000`00000000 : uiautomationcore!UiaNodeFactory::HasServerSideProvider+0xb3
00000098`12d7e0f0 00007fff`11a773a6     : 00000000`000100d4 00000000`00000000 00000244`42c31440 00007fff`2dd7aa50 : uiautomationcore!UiaHasServerSideProvider+0x24
00000098`12d7e140 00007fff`11a94887     : 00000244`018667e0 00000000`00000000 000030a2`acb00000 00000000`00000001 : tiptsf!CImmersiveFocusTracker::_HandleAutomationEvent+0x2f6
00000098`12d7e2a0 00007fff`11a74ee8     : 00000098`12beb000 00000098`12d7e568 00000244`42e72bd0 00000000`00000000 : tiptsf!CImmersiveFocusTracker::HandleAutomationEvent+0x17
00000098`12d7e2e0 00007fff`2be684ed     : 00000098`12beb000 00000000`00030000 00000000`00030000 00007fff`11af03f0 : tiptsf!TabletMsgWndProc+0x328
00000098`12d7e3c0 00007fff`2be6a3e8     : 00000098`12d7e478 00000098`12d7e498 00007ff6`a6fea958 00007ff6`a6fea958 : user32!DispatchHookW+0xad
00000098`12d7e450 00007fff`2be6a32c     : 00000000`00000000 00007ff7`067d35e8 00000098`12d7e598 00007ff7`05ffc81b : user32!CallHookWithSEH+0x28
00000098`12d7e4a0 00007fff`2dea2e24     : 00007ff7`067d38f8 00000000`00000000 00000098`12d7e6c0 00000000`00000000 : user32!_fnHkINLPMSG+0x7c
00000098`12d7e4f0 00007fff`2b321314     : 00007fff`2be78f72 00000000`00000001 00000000`00000000 00000000`00000000 : ntdll!KiUserCallbackDispatcherContinue
00000098`12d7e5a8 00007fff`2be78f72     : 00000000`00000001 00000000`00000000 00000000`00000000 00000244`00000001 : win32u!NtUserGetMessage+0x14
00000098`12d7e5b0 00007ff6`a71388a7     : 00000000`00000000 00000098`12d7e760 00007ff6`a6fe9d88 00007ff7`067d38f8 : user32!GetMessageW+0x22
00000098`12d7e610 00007ff6`a8243045     : 00000098`12d7e7e8 00000000`00000000 00000098`12d7e520 00000000`12345678 : 0x00007ff6`a71388a7
00000098`12d7e6d0 00007ff6`a8242cd2     : 00000244`46c47ec8 00000244`47514598 00007ff6`a8470b20 00000244`46c47ec8 : 0x00007ff6`a8243045
00000098`12d7e7e0 00007ff6`a82428e7     : 00000244`47514410 00000244`46c47ec8 00007ff6`a6a7e01c 00000000`00000010 : 0x00007ff6`a8242cd2
00000098`12d7e8c0 00007ff6`a8241dba     : 00000244`46c4b2c0 00000244`47514410 00000244`47514510 00007ff6`a7250700 : 0x00007ff6`a82428e7
00000098`12d7e940 00007ff6`a7b40d65     : 00000244`46c4b2c0 00000244`47076d68 00000000`00000218 00000000`00000000 : 0x00007ff6`a8241dba
00000098`12d7e9b0 00007ff6`a7b40cb0     : 00000244`46c2fa78 00000244`46c02570 00000244`470303e8 00000284`44800000 : 0x00007ff6`a7b40d65
00000098`12d7ea00 00007ff6`a6e3afd2     : 00000244`46c2fa78 00000244`46c02570 00000244`470303e8 00000284`44800000 : 0x00007ff6`a7b40cb0
00000098`12d7ea30 00007ff6`a6a35c5b     : 00000244`46c2f660 00000244`46c02570 00000000`00000000 00000244`47800000 : 0x00007ff6`a6e3afd2
00000098`12d7ea70 00007ff6`a69dda8b     : 00000244`46c025e0 00000244`46c02570 00007ff6`a6a7e01c 00000000`00000002 : 0x00007ff6`a6a35c5b
00000098`12d7eb00 00007ff7`065e3b63     : 00000244`46c02570 00000098`12d7edc0 00007ff7`0608590c 00000000`00000000 : 0x00007ff6`a69dda8b
00000098`12d7ebf0 00007ff7`060ef482     : 00000000`00000000 00000098`12d7ecc0 00000098`12d7edb0 00000098`12d7ec50 : OOBE!CallDescrWorkerInternal+0x83
00000098`12d7ec30 00007ff7`0600280d     : 00000000`00000005 00000000`00000000 00000000`00000000 00000000`00000001 : OOBE!MethodDescCallSite::CallTargetWorker+0x242
00000098`12d7ed60 00007ff7`06002bdf     : 00000244`46c02570 00000244`47405208 00000000`00000001 00007ff7`00000001 : OOBE!RunMainInternal+0x20d
00000098`12d7ef30 00007ff7`060032df     : 00000244`42e72bd0 00000244`000000cb 00007ff6`a6acffb0 00000244`42df83a0 : OOBE!RunMain+0x2cf
00000098`12d7f080 00007ff7`0602a022     : 00000000`00000000 00000000`00000000 00000000`00000000 00000244`42e142b0 : OOBE!Assembly::ExecuteMainMethod+0x39f
00000098`12d7f370 00007ff7`06316a5b     : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : OOBE!CorHost2::ExecuteAssembly+0x392
00000098`12d7f4b0 00007ff7`062f5ff2     : 00000244`42e40350 00000000`00000001 00000098`12d7f650 00000244`42e0e860 : OOBE!coreclr_execute_assembly+0x13b
00000098`12d7f550 00007ff7`062f6267     : 00000244`42dfd888 00000244`42dfd880 00007ff7`067d0470 00000244`42dfd888 : OOBE!run_app_for_context+0x6b2
00000098`12d7f6b0 00007ff7`062f7078     : 00000000`00000000 00000000`00000000 00000244`42dfd880 00000244`42dfd880 : OOBE!run_app+0x37
00000098`12d7f6f0 00007ff7`062cd8da     : 00007fff`2b967c98 00000244`42e0d201 00000244`42e0d201 00000000`00000001 : OOBE!corehost_main+0x108
00000098`12d7f7e0 00007ff7`062d00f4     : 00007ff7`067d0400 00000244`42e0e9b0 00000244`42dfd880 00000000`00000000 : OOBE!execute_app+0x2aa
00000098`12d7f8b0 00007ff7`062d0a57     : 00007ff7`06714f80 00000244`42e0c560 00000098`12d7fac8 00000098`12d7fa80 : OOBE!`anonymous namespace'::read_config_and_execute+0xa4
00000098`12d7f960 00007ff7`062d07c2     : 00000098`12d7fb80 00000098`12d7fb80 00000098`12d7faf1 00000098`12d7fba0 : OOBE!fx_muxer_t::handle_exec_host_command+0x147
00000098`12d7fa10 00007ff7`062cbf1d     : 00000098`12d7fba0 00000000`00000000 00000244`42e0c970 00000244`42e0c970 : OOBE!fx_muxer_t::execute+0x282
00000098`12d7fb40 00007ff7`062c7e22     : 00007fff`2b967c98 00000000`03964b6f 00000000`00000030 00000000`00000040 : OOBE!hostfxr_main_bundle_startupinfo+0x15d
00000098`12d7fc50 00007ff7`062c822e     : 00007ff7`0671ee50 00000000`00000007 00000000`00000000 00000000`000002f8 : OOBE!exe_start+0x6f2
00000098`12d7fdf0 00007ff7`065e67a8     : 00007ff7`0664c4a8 00000000`00000000 00000000`00000000 00000000`00000000 : OOBE!wmain+0x12e
00000098`12d7fe60 00007fff`2c19dbe7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : OOBE!__scrt_common_main_seh+0x10c
00000098`12d7fea0 00007fff`2ddc5a6c     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : kernel32!BaseThreadInitThunk+0x17
00000098`12d7fed0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

I want to ask if there is any way to disable the usage of uiautomationcore.dll entirely? I have no need of its accessibility features, and this would solve the issue for me. I understand my use-case is fringe, but I figured I'd throw this out there before attempting to compile Avalonia myself. Perhaps a DisableAccessibility Win32PlatformOptions option would be a nice option.

To Reproduce

Create an Avalonia app and set its binary path as the Shell value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, then create a new user and you might be able to replicate it. Note that my main request is not a direct fix, but a way to disable the usage of uiautomationcore.dll.

Avalonia version

11.2.3

OS

Windows

Additional context

Windows 11 24H2
Probably not CET related since the tested machine is using an older non-CET i5-8250U CPU.

@kekekeks
Member

Try intercepting WM_OBJECT via Win32Properties.AddWndProcHookCallback
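
One way to wire up the hook suggested above, as an added example that is neither Avalonia's own code nor code from either participant. It assumes the message to intercept is WM_GETOBJECT (0x003D), which is the message uiautomationcore!HwndUtils::SendWmGetObject delivers in the trace (message argument 0x3d, hwnd 0x100d4); the class name `UiaOptOut` and the `Attach` helper are hypothetical.

```csharp
using System;
using Avalonia.Controls;

// Added example: answer WM_GETOBJECT ourselves so the window never hands a
// UI Automation provider to uiautomationcore.dll.
public static class UiaOptOut
{
    // WM_GETOBJECT as defined in WinUser.h.
    private const uint WM_GETOBJECT = 0x003D;

    // Assumption: call this once the window's platform implementation exists,
    // for example at the end of the Window constructor.
    public static void Attach(TopLevel topLevel)
    {
        Win32Properties.AddWndProcHookCallback(topLevel, Hook);
    }

    private static IntPtr Hook(IntPtr hWnd, uint msg, IntPtr wParam,
                               IntPtr lParam, ref bool handled)
    {
        if (msg == WM_GETOBJECT)
        {
            // Mark the message handled so Avalonia's window procedure does
            // not go on to build and return an automation provider.
            handled = true;
            // 0 = this window exposes no accessibility object.
            return IntPtr.Zero;
        }

        // Every other message is left to Avalonia; the return value is
        // ignored while handled stays false.
        return IntPtr.Zero;
    }
}
```

With the hook attached the window is invisible to screen readers and other UI Automation clients. It only avoids the code path that ends in the FAIL_FAST_GUARD_ICALL_CHECK_FAILURE bucket; it does not explain why the guarded indirect call check fails on the affected systems.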
