Problem

An application, or several applications, start to become unstable or crash. A process dump, memory dump, or Windows Event Log application event implicates one of the following DLLs:

  • 64-bit application faults
    • AppProfiler.x64.dll
    • pt64.dll
    • ptm64.dll
  • 32-bit application faults
    • AppProfiler.x32.dll
    • pt32.dll
    • ptm32.dll

 

Cause

By default, both the Pharos Print Scout and Preton Toner Saver clients "inject" a listener into running applications. Injection means that the running application didn't specifically call the DLL as part of its loading process; instead, another process (sometimes a Windows service, sometimes a background process) pushes the DLL into the process via Windows' ntdll.dll's "LdrLoadDll" function. The Print Scout does so to capture the name of the application (winword.exe, iexplore.exe, acrord32.exe, etc.) that generates the print job. Preton Toner Saver does so to eventually redirect the file for toner savings or otherwise identify a monitored print job. Operationally, this injection happens without much fanfare; the user doesn't see any difference in the operation at all. However, there are several cases where injection causes a problem for the end user:

  1. The 64-bit DLL is injected into a 64-bit application and put into the "lower" address space (aka: the "32-bit address space", under the 4GB mark) and not the "upper" address space (above the 4GB mark). This is more of a problem after Microsoft KB 3126593 is applied and older (produced prior to April 2016) Print Scout or Toner Saver are installed. This normally just expresses itself as instability, slowness, or crashing.
  2. The 32-bit DLL is injected into a 32-bit application and the upper registers of the 4GB address space are unavailable (used by the application, used by another injected process). This normally expresses itself as instability or crashing, but will also be seen in the Windows Event Viewer Application log as an access violation:
    Faulting application name: Acrobat.exe, version: 11.0.11.18, time stamp: 0x5543b1c0
    Faulting module name: PT32.dll, version: 10.0.2.17, time stamp: 0x54a56b84
    Exception code: 0xc0000005
  3. A third-party security package (antivirus, anti-malware, data loss prevention (DLP) app, or similar) has been configured to block injection for applications, and this is causing contention.

 

Resolution

Resolving these problems is relatively straightforward, but may require "pushing" (using Microsoft SCCM, CA LanDesk, IBM Tivoli, etc.) a revised configuration or installation. Common resolution methods are found below.

  1. If the problem is the 64-bit "lower" address space injection, update your Pharos Print Scout (releases after May 2016 already have revised code to contend with KB 3126593) or Preton Toner Saver client (resolved in 3.3.2.118 and higher). Contact Pharos Technical Support for a download link for either software package.
  2. When the Preton Toner Saver injection is affected by the memory access violation (exception code 0xc0000005), it can normally be resolved by increasing the injection delay time (version 3.3.2.124 and higher) from 1000 milliseconds (the default) to 5000 milliseconds or more. If version 3.3.2.124 or higher is already installed, edit the C:\Program Files\Preton\PretonSaver\PretonService.exe.Config file, changing the value for the "InjectionDelay" key to 5000. Once saved, restart the Preton Toner Saver service for the change to take effect. If the change fails in test, just make this value higher (stepping by 1000) until successful. Slower workstations will require longer delay values.
  3. When the Pharos Print Scout is affected by the memory access violation (exception code 0xc0000005), it must be resolved by excluding the application from injection, or disabling injection altogether. This is done within the Blueprint Administrator application on the Collector(s) hosting Print Scout.
    1. Choose Print Scout > Settings from the shortcut bar on the left.
    2. Select the "Application Tracking" tab.
    3. Do one of the following:
      1. Untick the "Enabled" box to completely disable Application Tracking. Click the "Apply" button when finished.
      2. Click the "Add" button and enter the name of the EXE to exclude from injection. Click the "Apply" button when finished.
    4. For the change to take effect on the Print Scout, the workstations must either be rebooted, or the "Pharos Systems Print Scout" service must be restarted.
  4. If the problem is being caused because antivirus, anti-malware, or some other data protection application is blocking injection, whitelist (or otherwise allow) injection from Print Scout or Preton Toner Saver. If that type of granular injection control is unavailable, then disable the Print Scout's function (see above) and, if applicable, uninstall the Preton Toner Saver application as its entire operation requires injection of the application.