Aw, snap! What if Every Tab Crashes?

For a small number of users of Chromium-based browsers (including Chrome and the new Microsoft Edge) on Windows 10, after updating to 78.0.3875.0, every new tab crashes immediately when the browser starts.

Impacted users can open as many new tabs as they like, but each will instantly crash:

EveryTabCrashes

EdgeHavingAProblem

As of Chrome 81.0.3992, the page will show the string Error Code: STATUS_INVALID_IMAGE_HASH.

What’s going wrong?

This problem relates to a security/reliability improvement made to Chromium’s sandboxing. Chromium runs each of the tabs (and extensions) within locked down (“sandboxed”) processes:

JAIL

In Chrome 78, a change was made to prevent 3rd-party code from injecting itself into these sandboxed processes. 3rd-party code is a top source of browser reliability and performance problems, and it has been a longstanding goal for browser vendors to get this code out of the web platform engine.

This new feature relies on setting a Windows 10 Process Mitigation policy that instructs the OS loader to refuse to load binaries that aren’t signed by Microsoft. Edge 13 enabled this mitigation in 2015, and the Chromium change brings parity to the new Edge 78+. Notably, Chrome’s own DLLs aren’t signed by Microsoft so they are specially exempted by the Chromium sandboxing code.

Unfortunately, the impact of this change is that the renderer is killed (resulting in the “Aw snap” page) if any disallowed DLL attempts to load, for instance, if your antivirus software attempts to inject its DLLs into the renderer processes. For example, Symantec Endpoint Protection versions before 14.2 are known to trigger this problem.

If you encounter this problem, you should follow the following steps:

Update any security software you have to the latest version.

Other than malware, security software is the other likely cause of code being unexpectedly injected into the renderers.

Temporarily disable the new protection

You can temporarily launch the browser without this sandbox feature to verify that it’s the source of the crashes.

  1. Close all browser instances (verify that there are no hidden chrome.exe or msedge.exe processes using Task Manager)
  2. Use Windows+R to launch the browser with the command line override:
  msedge.exe --disable-features=RendererCodeIntegrity

or

  chrome.exe --disable-features=RendererCodeIntegrity

Ensure that the tab processes work properly when code integrity checks are disabled.

If so, you’ve proven that code integrity checks are causing the crashes.

Hunt down the culprit

Navigate your browser to the URL chrome://conflicts#R to show the list of modules loaded by the client. Look for any files that are not Signed By Microsoft or Google.

If you see any, they are suspects. (There will likely be a few listed as Shell Extensions; e.g. 7-Zip.dll, that do not cause this problem)– check for an R in the Process types column to find modules loading in the Renderers.

You should install any available updates for any of your suspects to see if doing so fixes the problem.

Check the Event Log

The Windows Event Log will contain information about modules denied loading. Open Event Viewer. Expand Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational and look for events with ID 3033. The detail information will indicate the name and location of the DLL that caused the crash:CodeIntegrity

Optional: Use Enterprise Policy to disable the new protection

If needed, IT Adminstrators can disable the new protection using the RendererCodeIntegrity policy for Chrome and Edge. You should outreach to the software vendors responsible for the problematic applications and request that they update them.

Other possible causes

Note that it’s possible that you could have a PC that encounters symptoms like this (all subprocesses crash) but not a result of the new code integrity check. In such cases, the Error Code on the crash page will be something other than STATUS_INVALID_IMAGE_HASH.

  • For instance, Chromium once had an obscure bug in its sandboxing code that caused all sandboxes to crash depending on the random memory mapping of Address Space Layout Randomization.
  • Similarly, Chrome and Edge still have an active bug where all renderers crash on startup if the PC has AppLocker enabled and the browser is launched elevated (as Administrator).

-Eric

Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ MSFT '01-'12, and '18-, presently working on Microsoft Edge. My words are my own.

12 thoughts on “Aw, snap! What if Every Tab Crashes?

  1. Thanks for the info. Here’s what I found after going to the edge://conflicts. The are only 3 that weren’t signed by MS or Google. All are up to date. Figured I’d pass the info on in hopes that it will help find the problem.

    Symantec CMC Firewall sysfer Symantec Corporation sysfer.dll 5A1ADC9695000 BR %systemroot%\system32\ sysfer.dll

    Radeon Settings: Desktop Control Panel Advanced Micro Devices, Inc. atiacm64.dll 5D781A1616c000 None %programfiles%\amd\cnext\cnext\ atiacm64.dll ( Shell extension )

    Adobe Acrobat Context Menu Adobe Systems, Incorporated contextmenushim64.dll 5507CE7E289000 None c:\program files (x86)\adobe\acrobat 2015\acrobat elements\ contextmenushim64.dll ( Shell extension )

    1. The Symantec DLL is your culprit here; note that it’s got an “R” (meaning Renderer). I’m not sure how you determined that it’s “up-to-date”: What version of Symantec Endpoint Protection do you have installed?

      1. The first eight digits after the DLL name are the build time-stamp in hexadecimal. 5A1ADC96 translates to 2017-11-26 07:24:06 so you have a very old DLL.

  2. It shows location like this in error, really annoying
    Device\HarddiskVolume5\Windows\System 32\winhafnt64.dll

  3. Alright I followed each step. Found many events with the ID 3033. It basically says that “code integrity determined that a process*file name* attempted to load *file name* that did not meet the Microsoft signing level requirements.” What to do next?

  4. Oh and there was only one non-microsoft signed module in edge://conflicts/#R and it’s this: Symantec CMC Firewall sysfer Symantec Corporation 12.1.7004.6500 576A283789000 BR %systemroot%\system32\ sysfer.dll

    1. And there’s your answer– you are running the outdated version of Symantec that is not compatible with RendererCodeIntegrity. You will need to install the update from Symantec.

      1. But i did the LiveUpdate just before that. It says that there are no updates available. How do i update it further or properly?

  5. Alright. Thank you very much for the explanation and help. I am embarrassed to admit how long I have been browser-less.

  6. LiveUpdate does not always update the Symantec program itself. Mostly LiveUpdate is for virus definitions. It’s best to do a reinstall from an up-to-date source.

Leave a Reply to ericlaw Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s