Command line tools ( like adb.exe ) fail with Exception code: 0xc0000005 when HIPS is on (Windows)

[mdkm 0]

Hi all,

just opened account here to share my experience and many hours wasted trying to figure out why command prompt programs (like adb.exe) would simply not work through command prompt, terminal, powershell (elevated or not) on Windows 11. For example typing adb.exe (in command promt opened in folder where Google platform tools where extracted) would give no output at all.

Checking Application logs gave me "generic" error:

Faulting application name: adb.exe, version: 0.0.0.0, time stamp: 0xbd7c0bf9
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x75591412
Faulting process id: 0x0x1270
Faulting application start time: 0x0x1DA76B7F8BE4DA2
Faulting application path: E:\adbV35\adb.exe
Faulting module path: unknown
Report Id: 77bc79dc-ab8a-4666-be66-d9edf2e37570
Faulting package full name: 
Faulting package-relative application ID: 

Tried everything online. Nothing helped. The system was ok but it seemed like something was preventing program from running. Today I revisited the problem for the nth time. Disabled NOD32 (again) nothing happened.

Disabled Host Intrusion Prevention System (HIPS), restarted computer, tried adb and voila - it worked. Checking HIPS log in Nod32 showed no trace of Nod blocking adb.exe form running but disabling HIPS definitely helped. It would be awesome if Nod would notify user when prevented app from running and I hope they will.

Now, I am not comfortable leaving HIPS disabled hence opening this thread hoping to find consensus on best setting to prevent silent stopping of program execution prevention and also have programs work when you start them. Also this is for all the people trying to find out why all of the sudden programs stopped working.

Please note this was not a problem with adb.exe only but with many command line tools as well. 

I will continue to explore this and edit OP with findings.

Important note: this is not a suggestion to disable HIPS. I do not think HIPS should be disabled. It is a useful tool but it should be more informative when preventing an action.

 

[Marcos 5,074]

Couldn't it be that you have Crowdstrike installed?

[mdkm 0]

No Crowdstrike installed

[Marcos 5,074]

Do you have HIPS in automatic mode with no custom rules created? Does temporarily disabling only Deep Behavior Inspection make a difference?

[mdkm 0]

HIPS was in automatic mode with no custom rules created.

Restoring HIPS and disabling only Deep Behavior Inspection fix the problem. 

[Marcos 5,074]

Does it help if you add adb.exe to DBI exclusions?

[mdkm 0]

Yes, enabling HIPS Deep Behavior Inspection ON and adding adb.exe to exclusion list fixed the issue. 

I am adding 2 screenshots that shows that disabling HIPS helped. The best option is to add app it to exclusion list. 

Just would like to point out that showing notification when HIPS prevent an app from running would be VERY helpful.

[mdkm 0]

Just adding final screenshot for future reference.

HIPS On

Deep Behavior Inspection ON

adb.exe added to exclusion list

 

[Marcos 5,074]

I've reported the issue to developers. If a particular operation is blocked by a HIPS rule, it can be logged in the HIPS log. In this case it's not caused by a HIPS rule.

Please provide logs collected with ESET Log Collector.

[mdkm 0]

Here are log logs collected with ESET Log Collector. Hope it will help. Nothing was logged in HIPS log. When I add adb.exe to HIPS exclusions it works. When I remove it from exception list it does not work. 

eav_logs.zip

[Marcos 5,074]

On 3/15/2024 at 4:38 PM, mdkm said:

Here are log logs collected with ESET Log Collector. Hope it will help. Nothing was logged in HIPS log. When I add adb.exe to HIPS exclusions it works. When I remove it from exception list it does not work. 

Please confirm or deny if uninstalling Windhawk makes a difference.

[mdkm 0]

I can confirm that uninstalling Windhawk resolved the issue. Installed it again (with no plugins active) and the issue was there. Definitely the culprit was Widhawk. Than you very much. I will mark response above as correct solution.