Skip navigation
All Places > Knowledge Base & Downloads > Blog > 2018 > July
2018

Problem

An application starts to become unstable or crash. A process dump, memory dump, or Windows Event Log application event implicates one of the following DLLs:

  • 64-bit application faults
    • AppProfiler.x64.dll
    • pt64.dll
    • ptm64.dll
  • 32-bit application faults
    • AppProfiler.x32.dll
    • pt32.dll
    • ptm32.dll

Background

Applications running in a Microsoft Windows environment augment their feature/functionality by loading additional plug-ins at the time they are launched. These plug-ins run inside the “container” of the application. At the same time, other Windows applications, like data-loss prevention software, antivirus software, or anti-malware tools often “inject” their own plug-ins into applications for their purposes, notably to prevent the spread of computer viruses or to secure the information being transmitted by the application.

The Pharos Systems Print Scout and Preton Toner Saver client software packages also can inject a plug-in into running applications for their purposes, notably to make capturing the print job’s source application easier (Pharos Systems Print Scout) or to intercept the print job to apply the toner saving algorithm (Preton Toner Saver). Operationally, this injection has been designed to occur without interfering with the user or their task at hand; the user doesn't see any difference in the operation at all, and the client software performs its work, silently, in the background.

Cause

By default, both the Pharos Print Scout and Preton Toner Saver clients "inject" their plug-in into running applications via Windows' ntdll.dll's provided "LdrLoadDll" function. Again, the Print Scout does so to capture the name of the application (winword.exe, iexplore.exe, acrord32.exe, etc.) that generates the print job. Preton Toner Saver does so to redirect the file for toner savings or otherwise identify a monitored print job. However, there are several cases where injection may cause a problem for the end user:

  1. The 64-bit DLL is injected into a 64-bit application and put into the "lower" address space (aka: the "32-bit address space", under the 4GB mark) and not the "upper" address space (above the 4GB mark). This is more of a problem after Microsoft KB 3126593 is applied and older (produced prior to April 2016) Print Scout or Toner Saver are installed. This normally just expresses itself as instability, slowness, or crashing.
  2. The 32-bit DLL is injected into a 32-bit application and the upper registers of the 4GB address space are unavailable (used by the application, used by another injected process). This normally expresses itself as instability or crashing, but will also be seen in the Windows Event Viewer Application log as an access violation:
    Faulting application name: Acrobat.exe, version: 11.0.11.18, time stamp: 0x5543b1c0
    Faulting module name: PT32.dll, version: 10.0.2.17, time stamp: 0x54a56b84
    Exception code: 0xc0000005
  3. A third-party security package (antivirus, anti-malware, data loss prevention (DLP) app, or similar) has been configured to block injection for applications, and this is causing contention.

 

Resolution

Resolving these problems is relatively straightforward, but may require "pushing" (using Microsoft SCCM, CA LanDesk, IBM Tivoli, etc.) a revised configuration or installation. Common resolution methods are found below.

  1. If the problem is the 64-bit "lower" address space injection, update your Pharos Print Scout (releases after May 2016 already have revised code to contend with KB 3126593) or Preton Toner Saver client (resolved in 3.3.2.118 and higher). Contact Pharos Technical Support for a download link for either software package.
  2. When the Preton Toner Saver injection is affected by the memory access violation (exception code 0xc0000005), it can normally be resolved by increasing the injection delay time (version 3.3.2.124 and higher) from 1000 milliseconds (the default) to 5000 milliseconds or more. If version 3.3.2.124 or higher is already installed, edit the C:\Program Files\Preton\PretonSaver\PretonService.exe.Config file, changing the value for the "InjectionDelay" key to 5000. Once saved, restart the Preton Toner Saver service for the change to take effect. If the change fails in test, just make this value higher (stepping by 1000) until successful. Slower workstations will require longer delay values. If the problem persists, the application can be Protected from toner savings using Blueprint Administrator, and the DLL will not be injected:
    1. Choose Policy Print > Application Toner Savings
    2. Change the mode to "Advanced Mode."
    3. Select the application from the list and change "Application Savings Mode" to Protect.
    4. Apply the change. The Preton Toner Saver client will update at the workstation as it gets its update from the server.
  3. When the Pharos Print Scout is affected by the memory access violation (exception code 0xc0000005), it must be resolved by excluding the application from injection, or disabling injection altogether. This is done within the Blueprint Administrator application on the Collector(s) hosting Print Scout.
    1. Choose Print Scout > Settings from the shortcut bar on the left.
    2. Select the "Application Tracking" tab.
    3. Do one of the following:
      1. Untick the "Enabled" box to completely disable Application Tracking. Click the "Apply" button when finished.
      2. Click the "Add" button and enter the name of the EXE to exclude from injection. Click the "Apply" button when finished.
    4. For the change to take effect on the Print Scout, the workstations must either be rebooted, or the "Pharos Systems Print Scout" service must be restarted.
  4. If the problem is being caused because antivirus, anti-malware, or some other data protection application is blocking injection, whitelist (or otherwise allow) injection from Print Scout or Preton Toner Saver. If that type of granular injection control is unavailable, then disable the Print Scout's function (see above) and, if applicable, uninstall the Preton Toner Saver application as its entire operation requires injection of the application.