Andrey Bazhan

Two bugs in ieframe.dll

In this case Windows Explorer was not responding sporadically for about 10 seconds.

After collecting trace events with Windows Performance Recorder and opening it with Windows Performance Analyzer we can see that the UI delay started not in the Explorer.exe but in the Babylon.exe which called the IEGetProtectedModeCookie function and ended up waiting on some object for about 10 seconds.

UI Delays

CPU Usage (Precise)

The next step was to figuring out what object the _CheckIfIELowUtilReady function is waiting on and the reason for such long wait. After debugging the _EnsureLowUtilProcess and _CheckIfIELowUtilReady functions the pseudo code was generated and two bugs were found. 

BOOL
_CheckIfIELowUtilReady(
    VOID
    )
{
    Status = GetLowUtilBrokerObjectName(ObjectName, ...);

    if (SUCCEEDED(Status)) {

        //
        // ObjectName == L"IEUser_SID\\IELowUtilBrokerReadyEvent32123"
        //

        hEvent = OpenEvent(SYNCHRONIZE, FALSE, ObjectName);

        if (hEvent) {

            if (WAIT_OBJECT_0 == WaitForSingleObject(hEvent, 10000)) {

                return TRUE;
            }
        }
    }

    return FALSE;
}

HRESULT
_EnsureLowUtilProcess(
    ...
    )
{
    if (!_CheckIfIELowUtilReady()) {

        ObtainIELowUtilSyncObjects(...);

        ...

        CreateProcess(ielowutil.exe);

        _CheckIfIELowUtilReady();
    }
}

From the previous excerpt we can observe two issues:

  1. We’re waiting for 10 seconds each time if the IELowUtilBrokerReadyEvent32123 event object already exists (i.e., we or someone else has created it) and the object state is nonsignaled (i.e., ielowutil.exe isn’t running).
  2. We’re leaking event handle in _CheckIfIELowUtilReady.

Because of this delay, Babylon, which installs hooks to monitor certain types of events, wasn’t able to pump messages and was blocking the normal functioning of the Windows Explorer.

P.S. The version of the ieframe.dll:

0:000> lmvm ieframe
...
Loaded symbol image file: C:\Windows\SysWOW64\ieframe.dll
Image path: C:\Windows\SysWOW64\ieframe.dll
Image name: ieframe.dll
Timestamp:        Mon Jan 12 03:14:01 2015 (54B31FD9)
CheckSum:         00C3FD23
ImageSize:        00C42000
File version:     11.0.9600.17631
Product version:  11.0.9600.17631
File flags:       0 (Mask 3F)
File OS:          40004 NT Win32
File type:        2.0 Dll
File date:        00000000.00000000
Translations:     0409.04b0
CompanyName:      Microsoft Corporation
ProductName:      Internet Explorer
InternalName:     IEFRAME.DLL
OriginalFilename: IEFRAME.DLL
ProductVersion:   11.00.9600.17631
FileVersion:      11.00.9600.17631 (winblue_r7.150111-1500)
FileDescription:  Internet Browser
LegalCopyright:   © Microsoft Corporation. All rights reserved.

© Andrey Bazhan