Case of the Windows 11 SystemSettings.exe Crash

User-mode dumps were being collected with DumpType set to 2 via the Windows Error Reporting registry configuration, as documented here.

I noticed two SystemSettings.exe crashes, both with similar stack traces. The following information was logged in the Windows Application event log:

Faulting application name: SystemSettings.exe, version: 10.0.22000.348, time stamp: 0x27a6d211
Faulting module name: MusUpdateHandlers.dll, version: 10.0.22000.348, time stamp: 0x5aa0c31b
Exception code: 0xc0000005
Fault offset: 0x0000000000092185
Faulting process id: 0x53c0
Faulting application start time: 0x01d802f49e9d7598
Faulting application path: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Faulting module path: C:\Windows\System32\MusUpdateHandlers.dll
Report Id: 75fce6a5-9ef4-42a1-a895-83bc2a6b6c9b
Faulting package full name: windows.immersivecontrolpanel_10.0.6.1000_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: microsoft.windows.immersivecontrolpanel

Normally a quick correlation can be made with Reliability Monitor to see whether the issues started after a specific system change. However, possibly because a major update had been installed, Reliability Monitor no longer held any information about the crashes or changes made to the system on the dates earlier in the month when the crashes occurred.

Initial analysis pointed to the culprit being a null reference exception in MusUpdateHandlers.dll, which is the Modern Update Settings Handler Implementation.

0:018> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullPtr

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 2827

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 12646

    Key  : Analysis.Init.CPU.mSec
    Value: 265

    Key  : Analysis.Init.Elapsed.mSec
    Value: 6821

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 285

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 201950

    Key  : Timeline.Process.Start.DeltaSec
    Value: 201231

    Key  : WER.OS.Branch
    Value: co_release

    Key  : WER.OS.Timestamp
    Value: 2021-06-04T16:28:00Z

    Key  : WER.OS.Version
    Value: 10.0.22000.1

    Key  : WER.Process.Version
    Value: 10.0.22000.348


FILE_IN_CAB:  SystemSettings.exe.16748.dmp

NTGLOBALFLAG:  400

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=00007107f20fec8f rbx=0000004b595ff744 rcx=0000000000000000
rdx=0000004b595ff744 rsi=0000000000000002 rdi=0000000000000001
rip=00007ffe2ebd2185 rsp=0000004b595ff680 rbp=0000004b595ff7d0
 r8=0000000000000001  r9=0000000000000001 r10=0000000000009100
r11=0000004b595ff6b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=00007ffe2ec40328
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+0x55:
00007ffe`2ebd2185 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000000=????????????????
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffe2ebd2185 (MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+0x0000000000000055)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

PROCESS_NAME:  SystemSettings.exe

READ_ADDRESS:  0000000000000000 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000000

STACK_TEXT:  
0000004b`595ff680 00007ffe`2eb8a93c     : 0000015a`dec14700 0000015a`dec14700 0000015a`dec14700 00000000`00000001 : MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+0x55
0000004b`595ff6d0 00007ffe`2eb6b013     : 0000015a`e0ca8110 0000015a`e0ca8110 0000015a`e0ca8110 00000000`00000000 : MusUpdateHandlers!SystemSettings::Update::CMusSeekerUpdate::InitializeState+0x38c
0000004b`595ff850 00007ffe`2eb6c0ee     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MusUpdateHandlers!<lambda_547ec51b376960035aba27ef737bbd82>::operator()+0x257
0000004b`595ff960 00007ffe`8ad36c0c     : 0000015a`e565e280 00000000`00000000 00000000`00000000 00000000`00000000 : MusUpdateHandlers!std::thread::_Invoke<std::tuple<<lambda_547ec51b376960035aba27ef737bbd82> >,0>+0xe
0000004b`595ff990 00007ffe`8bd454e0     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
0000004b`595ff9c0 00007ffe`8cfa485b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x10
0000004b`595ff9f0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2b


SYMBOL_NAME:  MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+55

MODULE_NAME: MusUpdateHandlers

IMAGE_NAME:  MusUpdateHandlers.dll

STACK_COMMAND:  ~18s ; .ecxr ; kb

FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_MusUpdateHandlers.dll!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank

OS_VERSION:  10.0.22000.1

BUILDLAB_STR:  co_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  10.0.22000.348

FAILURE_ID_HASH:  {39aeb642-c99a-f672-5c69-96a915aec9c5}

Followup:     MachineOwner
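The event log entry and the exception record above can be cross-checked against each other before going further. The following Python is an added example, not part of the original post: the function names are its own, and it assumes the number in the FILE_IN_CAB name is the process ID, as in WER's `<image>.<pid>.dmp` local dump naming.

```python
import re
from datetime import datetime, timedelta, timezone

# Lines copied verbatim from the event log entry and !analyze -v output above.
EVENT_TEXT = """\
Faulting module name: MusUpdateHandlers.dll, version: 10.0.22000.348, time stamp: 0x5aa0c31b
Exception code: 0xc0000005
Fault offset: 0x0000000000092185
Faulting process id: 0x53c0
Faulting application start time: 0x01d802f49e9d7598
"""
ANALYZE_TEXT = """\
FILE_IN_CAB:  SystemSettings.exe.16748.dmp
ExceptionAddress: 00007ffe2ebd2185 (MusUpdateHandlers!SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank+0x0000000000000055)
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
"""

ALLOC_GRANULARITY = 0x10000  # images are mapped on 64 KB boundaries
AV_ACCESS = {0: "read", 1: "write", 8: "execute"}  # ExceptionInformation[0]


def parse_event(text):
    """Return the hex-valued fields of an Application Error event as ints."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Faulting module name":
            fields["module"] = value.split(",")[0]
        elif re.fullmatch(r"0x[0-9a-fA-F]+", value):
            fields[key.strip()] = int(value, 16)
    return fields


def filetime_to_utc(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)


def parse_analyze(text):
    """Pull the exception record and the dump file's PID out of !analyze -v text."""
    addr = re.search(
        r"ExceptionAddress:\s*([0-9a-f]+) \((\w+)!(.+)\+0x([0-9a-f]+)\)", text)
    code = re.search(r"ExceptionCode:\s*([0-9a-f]+)", text)
    pid = re.search(r"FILE_IN_CAB:\s*\S+?\.(\d+)\.dmp", text)  # assumed PID field
    return {
        "address": int(addr.group(1), 16),
        "module": addr.group(2),
        "function": addr.group(3),
        "displacement": int(addr.group(4), 16),
        "code": int(code.group(1), 16),
        "params": [int(p, 16)
                   for p in re.findall(r"Parameter\[\d+\]:\s*([0-9a-f]+)", text)],
        "dump_pid": int(pid.group(1)),
    }


def classify_av(params):
    """Interpret ExceptionInformation[0..1] of an access violation (0xc0000005)."""
    target = params[1]
    return {
        "access": AV_ACCESS.get(params[0], "unknown"),
        "target": target,
        # The first 64 KB of a Windows process is never mapped, so a target
        # below it is a NULL (or NULL + small field offset) dereference.
        "near_null": target < ALLOC_GRANULARITY,
    }


def correlate(event, exc):
    """Check that an event log entry and a dump describe the same fault site."""
    base = exc["address"] - event["Fault offset"]
    return {
        "module_base": base,
        # A load address recovered as RIP - fault offset must be 64 KB aligned;
        # if it is not, the event and the dump are not the same fault site.
        "base_aligned": base % ALLOC_GRANULARITY == 0,
        "same_module": event["module"].lower().startswith(exc["module"].lower() + "."),
        "same_code": event["Exception code"] == exc["code"],
        "same_process": event["Faulting process id"] == exc["dump_pid"],
        "process_start_utc": filetime_to_utc(event["Faulting application start time"]),
        "av": classify_av(exc["params"]),
    }


if __name__ == "__main__":
    report = correlate(parse_event(EVENT_TEXT), parse_analyze(ANALYZE_TEXT))
    for name, value in report.items():
        print(f"{name}: {hex(value) if name == 'module_base' else value}")
```

The fault site, module and exception code agree while the process IDs differ, which fits the two crashes with similar stacks noted at the top. The fault offset is the RVA of the faulting instruction, so it can be added to the image base IDA uses for MusUpdateHandlers.dll to land on the same `mov rax,qword ptr [rcx]`.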

The crash seems to be related to a class named CMusOrchModel.

What is that? Checking all references to the string in IDA Pro, we find related methods, but the symbol names are mangled, i.e. in a format like ??_E?$_Ref_count_obj2@VCMusOrchModel@Update@SystemSettings@@@std@@UEAAPEAXI@Z. All search results were therefore copied and pasted into an online GCC/MSVC C++ demangler: http://demangler.com/

This shows us the function names involved:

public: virtual void * __ptr64 __cdecl std::_Ref_count_obj2<class SystemSettings::Update::CMusOrchModel>::`vector deleting destructor'(unsigned int) __ptr64
public: virtual void * __ptr64 __cdecl SystemSettings::Update::CMusOrchModel::`scalar deleting destructor'(unsigned int) __ptr64
public: __cdecl SystemSettings::Update::CMusOrchModel::CMusOrchModel(void) __ptr64
public: virtual __cdecl SystemSettings::Update::CMusOrchModel::~CMusOrchModel(void) __ptr64
private: virtual void __cdecl std::_Ref_count_obj2<class SystemSettings::Update::CMusOrchModel>::_Destroy(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::AcceptAllUpdateEulas(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::AddSeekerUpdateToApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::AddSeekerUpdateToApprovalList(class std::shared_ptr<class UxUsoUpdateShim>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveAllSeekerUpdatesFromApprovalList(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveSeekerFeatureUpdateForInstall(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveSeekerQualityUpdateForInstall(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::AreUpdatesPaused(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::AreUpdatesPausedByPolicy(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::AreUsoObjectsInitialized(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::CanExtendPauseUpdates(unsigned long,int * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::CanPauseUpdates(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::CreateNotifyPropertyChangedThread(enum SystemSettings::Update::UXUpdateReason) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::CreateUpdateResultsTaskSchedule(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::DecrementPauseUpdates(unsigned long) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::DoesRebootScheduleExist(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ExtendPauseUpdates(unsigned long) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::FixServiceUnavailable(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ActiveHours(unsigned short * __ptr64,unsigned short * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ActiveHoursIntervalLimit(unsigned short * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApplicableUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApplicableUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApplicableUpdatesPayloadInfo(struct PayloadInfo * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApprovedSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_CanScheduleUpdate(struct PayloadInfo & __ptr64,BOOL * __ptr64) __ptr64
public: enum NormalizedPolicy __cdecl SystemSettings::Update::CMusOrchModel::get_EnforcedAuPolicy(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_OptInToMu(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_RebootSchedule(struct _SYSTEMTIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SchedulePickerOption(enum SchedulePickerOption * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: enum UxSettingType __cdecl SystemSettings::Update::CMusOrchModel::get_UpdateUxOption(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_UserChoiceActiveHoursEnd(BOOL * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_UserChoiceActiveHoursStart(BOOL * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetApprovedSeekerUpdatesCounts(unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetAvailableUpdateStatusCounts(unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetCompatBlockInfo(class std::optional<class std::basic_string<unsigned short,struct std::char_traits<unsigned short>,class std::allocator<unsigned short> > > & __ptr64,class std::optional<class std::vector<class std::basic_string<unsigned short,struct std::char_traits<unsigned short>,class std::allocator<unsigned short> >,class std::allocator<class std::basic_string<unsigned short,struct std::char_traits<unsigned short>,class std::allocator<unsigned short> > > > > & __ptr64,class std::optional<unsigned int> & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetDaysSinceRebootRequired(unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetDefaultRebootScheduleTime(struct _SYSTEMTIME * __ptr64,struct _FILETIME,struct _FILETIME) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetDeviceEosStatus(BOOL * __ptr64,BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetDowntimeEstimateInfo(unsigned long * __ptr64,int * __ptr64) __ptr64
public: static class std::shared_ptr<class SystemSettings::Update::CMusOrchModel> __cdecl SystemSettings::Update::CMusOrchModel::GetInstanceShared(void)
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::GetIsSingletonDeinitializing(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetMaximumAllowedPauseDays(unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetMgmtDefaultScheduleTime(struct _SYSTEMTIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetOptionsForUpdateNotificationLevelPolicy(enum UpdateNotificationOption * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetOrchModelShimInstance(class std::shared_ptr<class SystemSettings::Update::OrchModelShim> & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetPauseUpdatesExpiryTime(struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetPolicyValue(enum NormalizedPolicy,enum tagUpdatePolicyStatus * __ptr64,struct tagVARIANT * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerFeatureUpdateBuildNumber(class std::optional<unsigned int> & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUpdatesCounts(unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUpdateTitle(unsigned short * __ptr64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank(unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryDefinition(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryDriver(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryFeature(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryOther(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdateHistoryQuality(class std::vector<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IUsoUpdateHistoryEntry,struct wil::err_returncode_policy> > > & __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUpdatePayloadSize(enum tagUsoUpdatePayloadType,unsigned __int64 * __ptr64,unsigned __int64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetUXElementStoreForSurface(enum UXSurface,class UXElementStore * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetValidScheduleRange(struct _FILETIME * __ptr64,struct _FILETIME * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetValidScheduleRangeWithFallback(struct _FILETIME * __ptr64,struct _FILETIME * __ptr64,BOOL) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetWOSCOneSettingsInstance(struct IUxOneSettings * __ptr64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::InitializeUpdateHistory(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::InvokeAction(struct HWND__ * __ptr64,enum SystemSettings::Update::MusActionType const & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::InvokeReboot(BOOL,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsActiveHourIntervalValid(unsigned short,unsigned short,BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsActiveHoursUXApplicable(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsAutoApproveSeekerQualityUpdatesEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsAutoRestartDeadlinePolicyConfigured(BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsCTA(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsDirectEngagedReboot(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsDisableUXAccessPolicyEnabled(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsEngagedRebootAllowedByPolicy(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsEngagedRestartDeadlinePolicyConfigured(BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsFeatureUpdatePausedByPolicy(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsGraceDeadlinePolicyConfigured(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsMgmtPolicyValidForSchedulingReboot(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsNotifyToRebootPolicyApplicable(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsPolicyConfigured(enum NormalizedPolicy) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsPolicyConfiguredAndEnabled(enum NormalizedPolicy) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsPolicyConfiguredToMapToAutomaticReboot(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsQualityUpdatePausedByPolicy(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsRebootRequired(BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsRestartForced(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerFeatureOrQualityUpdatesAvailable(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerHighCompatMessageEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerOnDemandUxEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerUpdateInApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerUpdateInApprovalList(class std::shared_ptr<class UxUsoUpdateShim>,BOOL * __ptr64) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsSihUpdatePendingReboot(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsSmartActiveHoursSuggestionNeeded(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsUpdateErrorIgnorable(long) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsUSOAvailable(void) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsUXCampaignApplicable(enum UXSurface) __ptr64
public: BOOL __cdecl SystemSettings::Update::CMusOrchModel::IsWindowsInsiderAttentionNeeded(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::LoadDynamicElementById(enum UXSurface,enum UXElementType,unsigned int,struct HSTRING__ * __ptr64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::LoadDynamicUXStringById(unsigned int,struct HSTRING__ * __ptr64 * __ptr64) __ptr64
public: static long __cdecl SystemSettings::Update::CMusOrchModel::LocalizeWsxUpdateTitle(class std::basic_string_view<unsigned short,struct std::char_traits<unsigned short> > const & __ptr64,unsigned short * __ptr64 * __ptr64)
public: void __cdecl SystemSettings::Update::CMusOrchModel::NotifyInit(class SystemSettings::DataModel::CSingletonHelper<struct SystemSettings::Update::MusNotification>::CCallback * __ptr64) __ptr64
public: void __cdecl SystemSettings::Update::CMusOrchModel::NotifyPropertyChanged(enum SystemSettings::Update::UXUpdateReason) __ptr64
protected: virtual void __cdecl SystemSettings::Update::CMusOrchModel::OnAsyncInitComplete(void) __ptr64
protected: virtual void __cdecl SystemSettings::Update::CMusOrchModel::OnSingletonDeinit(void) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusOrchModel::OnSingletonInit(void) __ptr64
protected: void __cdecl SystemSettings::Update::CMusOrchModel::OrchestratorUpdateCallback(char const & __ptr64,enum SystemSettings::Update::UXUpdateReason) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::PauseUpdates(unsigned long) __ptr64
protected: static void __cdecl SystemSettings::Update::CMusOrchModel::RefreshElementStoresCallback(struct _TP_CALLBACK_INSTANCE * __ptr64,void * __ptr64,struct _TP_TIMER * __ptr64)
protected: long __cdecl SystemSettings::Update::CMusOrchModel::RefreshSeekerSessionState(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::RemoveSeekerUpdateFromApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::RemoveSeekerUpdateFromApprovalList(class std::shared_ptr<class UxUsoUpdateShim>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ResumeUpdates(void) __ptr64
private: long __cdecl SystemSettings::Update::CMusOrchModel::RunElevatedInstall(struct HWND__ * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ScheduleReboot(struct _SYSTEMTIME,enum SchedulePickerOption) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::SendCTAApprovedData(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_ActiveHoursEnd(unsigned short) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_ActiveHoursStart(unsigned short) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_DoMicrosoftScan(BOOL) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_SchedulePickerOption(enum SchedulePickerOption) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_UserChoiceActiveHoursEnd(unsigned long) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::set_UserChoiceActiveHoursStart(unsigned long) __ptr64
protected: void __cdecl SystemSettings::Update::CMusOrchModel::SingletonDeinitialize(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::SingletonInitialize(void) __ptr64
protected: void __cdecl SystemSettings::Update::CMusOrchModel::StopTracing(void) __ptr64

The crash seems to have occurred in the function “GetSeekerUXDisplayRank”, which is called by “CMusSeekerUpdate::InitializeState”.

References to seeker:

class WRL::Details::ComPtr<class SystemSettings::Update::CMusSeekerOnDemand> __cdecl Microsoft::WRL::Details::V::Make(void)
class WRL::Details::ComPtr<class SystemSettings::Update::CMusSeekerUpdate> __cdecl Microsoft::WRL::Details::V::Make(void)
private: long __cdecl SystemSettings::Update::CMusSeekerOnDemand::InitiateSeekerUpdateTitle(void) __ptr64
private: long __cdecl SystemSettings::Update::CMusSeekerOnDemand::MoInitiateSeekerUpdateTitle(void) __ptr64
private: long __cdecl SystemSettings::Update::CMusSeekerUpdate::InitiateSeekerUpdateTitle(void) __ptr64
private: long __cdecl SystemSettings::Update::CMusSeekerUpdate::InitiateWhatsNewUrl(void) __ptr64
private: long __cdecl UxUsoShim::GetNonSeekerOrApprovedUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveSeekerFeatureUpdateForInstall(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveSeekerQualityUpdateForInstall(void) __ptr64
protected: long __cdecl SystemSettings::Update::CMusOrchModel::RefreshSeekerSessionState(BOOL * __ptr64) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::InitializeState(struct SystemSettings::Update::MusNotification) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::Invoke(struct HWND__ * __ptr64) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::InitializeState(struct SystemSettings::Update::MusNotification) __ptr64
protected: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::Invoke(struct HWND__ * __ptr64) __ptr64
protected: virtual void __cdecl SystemSettings::Update::CMusSeekerUpdate::RaiseValueChangedEvents(void) __ptr64
public: __cdecl Microsoft::WRL::Details::MakeAllocator<class SystemSettings::Update::CMusSeekerOnDemand>::~MakeAllocator<class SystemSettings::Update::CMusSeekerOnDemand>(void) __ptr64
public: __cdecl SystemSettings::Update::CMusSeekerOnDemand::CMusSeekerOnDemand(void) __ptr64
public: __cdecl SystemSettings::Update::CMusSeekerUpdate::CMusSeekerUpdate(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::AddSeekerUpdateToApprovalList(class std::shared_ptr<class UxUsoUpdateShim>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::AddSeekerUpdateToApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::ApproveAllSeekerUpdatesFromApprovalList(void) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_ApprovedSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::get_SeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetApprovedSeekerUpdatesCounts(unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerFeatureUpdateBuildNumber(class std::optional<unsigned int> & __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUpdatesCounts(unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUpdateTitle(unsigned short * __ptr64 * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank(unsigned long * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsAutoApproveSeekerQualityUpdatesEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerFeatureOrQualityUpdatesAvailable(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerHighCompatMessageEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerOnDemandUxEnabled(BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerUpdateInApprovalList(class std::shared_ptr<class UxUsoUpdateShim>,BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::IsSeekerUpdateInApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,BOOL * __ptr64) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::RemoveSeekerUpdateFromApprovalList(class std::shared_ptr<class UxUsoUpdateShim>) __ptr64
public: long __cdecl SystemSettings::Update::CMusOrchModel::RemoveSeekerUpdateFromApprovalList(class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>) __ptr64
public: long __cdecl UxUsoShim::GetApplicableSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: long __cdecl UxUsoShim::GetApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: static long __cdecl SystemSettings::Update::CMusSeekerOnDemand::CreateInstance(struct SystemSettings::DataModel::SettingDBItem const * __ptr64,struct SystemSettings::DataModel::ISettingItem * __ptr64 * __ptr64)
public: static long __cdecl SystemSettings::Update::CMusSeekerUpdate::CreateInstance(struct SystemSettings::DataModel::SettingDBItem const * __ptr64,struct SystemSettings::DataModel::ISettingItem * __ptr64 * __ptr64)
public: static long __cdecl UpdateUtil::GetApprovedSeekerUpdatesCount(class UxUsoShim * __ptr64,unsigned long * __ptr64,unsigned long * __ptr64)
public: virtual __cdecl SystemSettings::Update::CMusSeekerOnDemand::~CMusSeekerOnDemand(void) __ptr64
public: virtual __cdecl SystemSettings::Update::CMusSeekerUpdate::~CMusSeekerUpdate(void) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::get_Description(struct HSTRING__ * __ptr64 * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::get_IsEnabled(unsigned char * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerOnDemand::GetProperty(struct HSTRING__ * __ptr64,struct IInspectable * __ptr64 * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::get_Description(struct HSTRING__ * __ptr64 * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::get_IsApplicable(unsigned char * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::CMusSeekerUpdate::GetProperty(struct HSTRING__ * __ptr64,struct IInspectable * __ptr64 * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::ApproveSeekerQualityUpdateForInstall(void) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetApprovedSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetApprovedSeekerUpdatesCount(unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetNonSelectableSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetSeekerSession(BOOL * __ptr64,BOOL * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::GetSelectableSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::MoOrchModelShim::SetSeekerSession(BOOL) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::ApproveSeekerQualityUpdateForInstall(void) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetApprovedSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetApprovedSeekerUpdatesCount(unsigned long * __ptr64,unsigned long * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetNonSelectableSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetSeekerSession(BOOL * __ptr64,BOOL * __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetSelectableSeekerUpdates(class std::vector<class std::shared_ptr<class UxUsoUpdateShim>,class std::allocator<class std::shared_ptr<class UxUsoUpdateShim> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::GetSelectableSeekerUpdates(class std::vector<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy>,class std::allocator<class wil::com_ptr_t<struct IMoUsoUpdate,struct wil::err_returncode_policy> > > & __ptr64) __ptr64
public: virtual long __cdecl SystemSettings::Update::OldOrchModelShim::SetSeekerSession(BOOL) __ptr64
public: virtual void * __ptr64 __cdecl SystemSettings::Update::CMusSeekerOnDemand::`vector deleting destructor'(unsigned int) __ptr64
public: virtual void * __ptr64 __cdecl SystemSettings::Update::CMusSeekerUpdate::`vector deleting destructor'(unsigned int) __ptr64


What is the process for this CMusSeekerUpdate::InitializeState function?

  1. A call to SystemSettings::Update::CMusSettings::InitializeState which checks for pending reboot.

It checks for pending reboot via SystemSettings::Update::CMusOrchModel::IsSihUpdatePendingReboot

I believe SIH in this case is referring to “Server Initiated Healing”, which includes C:\Windows\System32\SIHClient.exe. From checking C:\Windows\System32\en-US\SIHClient.exe.mui we find the following text:

This daily task launches the SIH client (server-initiated healing) to detect and fix system components that are vital to automatic updating of Windows and Microsoft software installed on the machine. This task can go online, evaluate applicability of healing actions, download necessary payloads to execute the actions, and execute healing actions.
This boot task launches the SIH client to finish executing healing actions to fix the system components vital to automatic updating of Windows and Microsoft software installed on the machine. It is enabled only when the daily SIH client task fails to complete execution of applicable healing actions. This boot task never goes online and does not evaluate applicability of healing actions.

(Note: SIH can also refer to Shell Infrastructure Host which is C:\Windows\System32\SIHost.exe)

IsSihUpdatePendingReboot calls UsoConfiguration::GetConfiguration(L"UsoServicingStack", etc), which uses an internal function, RegistryManager::GetHKLMValueOrDefault, to retrieve a key with the name UpdateOrchestratorConfigurationRoot.

If GetConfiguration does not return a value of 1, IsSihUpdatePendingReboot exits immediately.

Otherwise it continues and calls RegistryManager::HKLMValueExists(L"Sih", L"\UpdateStaged", L"StagingTimeStamp", x);

Finally IsSihUpdatePendingReboot checks SystemSettings::Update::OtaIsPendingExclusiveContent by calling GetUpdateResultsEx in UpdateAPI.dll.

OtaIsPendingExclusiveContent is true when GetUpdateResultsEx is 0 or greater.

InitializeState then calls SystemSettings::Update::CMusOrchModel::IsUSOAvailable

Here USO refers to Update Session Orchestrator (USO) which you can read about here

It checks whether USO is available by checking that the Update Orchestrator Service (USOSvc) is an available service and is running.

There is then a call to SystemSettings::Update::CMusOrchModel::FixServiceUnavailable, which seems to potentially update some telemetry and other stuff.

The total InitializeState function has some logic like this:

__int64 __fastcall SystemSettings::Update::CMusSettings<SystemSettings::DataModel::CActionSetting>::InitializeState(
        __int64 a1)
{
  bool IsSihUpdatePendingReboot; // bl
  char v3; // si

  IsSihUpdatePendingReboot = SystemSettings::Update::CMusOrchModel::IsSihUpdatePendingReboot(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248));
  if ( !SystemSettings::Update::CMusOrchModel::IsUSOAvailable(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248))
    || IsSihUpdatePendingReboot )
  {
    v3 = 0;
    if ( !IsSihUpdatePendingReboot )
      SystemSettings::Update::CMusOrchModel::FixServiceUnavailable(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248));
  }
  else
  {
    v3 = 1;
  }
  EnterCriticalSection((LPCRITICAL_SECTION)(a1 + 312));
  *(_BYTE *)(a1 + 264) = v3;
  if ( a1 != -312 )
    LeaveCriticalSection((LPCRITICAL_SECTION)(a1 + 312));
  return 0i64;
}

2. Some configuration is checked related to “allow scan map” and “SeekerOnDemandScanOverride”

 v7 = (char *)&SystemSettings::Update::CMusSeekerUpdate::sc_rgupeMap;
  v8 = 0i64;
  v9 = *(_DWORD *)a2;
  v10 = &SystemSettings::Update::CMusSeekerUpdate::sc_rgupeMap;
  v11 = 1;
  while ( *v10 != v9 )
  {
    v8 = (unsigned int)(v8 + 1);
    ++v10;
    if ( (unsigned int)v8 >= 0xA )
      goto LABEL_9;
  }
  v7 = (char *)&SystemSettings::Update::CMusSeekerUpdate::sc_rgupeMap + 4 * v8;
LABEL_9:
  v12 = (char *)&SystemSettings::Update::CMusSeekerUpdate::sc_rgupeAllowScanMap;
  v13 = 0i64;
  v14 = &SystemSettings::Update::CMusSeekerUpdate::sc_rgupeAllowScanMap;
  while ( *v14 != v9 )
  {
    v13 = (unsigned int)(v13 + 1);
    ++v14;
    if ( (unsigned int)v13 >= 0xB )
      goto LABEL_14;
  }
  v12 = (char *)&SystemSettings::Update::CMusSeekerUpdate::sc_rgupeAllowScanMap + 4 * v13;
LABEL_14:
  v35 = &SystemSettings::Update::CMusSeekerUpdate::sc_rgupeAllowScanMap != (_UNKNOWN *)v12;
  HKLMValueOr = RegistryManager::GetHKLMValueOrDefault<unsigned long>(
                  L"WindowsUpdateUXRoot",
                  L"\\TestHooks",
                  L"SeekerOnDemandScanOverride",
                  1);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6871i64;
    goto LABEL_3;
  }
  if ( !v58[1] )
  {
    v15 = MusUpdateLogging::Provider();
    if ( *(_DWORD *)v15 > 4u )
    {
      v51 = (__int64)"Seeker on demand override is set so scan is not allowed immediately";
      _tlgWriteTemplate<long (_tlgProvider_t const *,void const *,_GUID const *,_GUID const *,unsigned int,_EVENT_DATA_DESCRIPTOR *),&long _tlgWriteTransfer_EventWriteTransfer(_tlgProvider_t const *,void const *,_GUID const *,_GUID const *,unsigned int,_EVENT_DATA_DESCRIPTOR *),_GUID const *,_GUID const *>::Write<_tlgWrapSz<char>>(
        (int)v15,
        (__int64)&v51);
    }
    v35 = 0;
  }

3. Some functions are called to check whether UX access is blocked and whether updates are paused, i.e.

IsDisableUXAccessPolicyEnabled = SystemSettings::Update::CMusOrchModel::IsDisableUXAccessPolicyEnabled(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248));
  if ( SystemSettings::Update::CMusOrchModel::AreUpdatesPaused(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248))
    || (v16 = SystemSettings::Update::CMusOrchModel::AreUpdatesPausedByPolicy(*(SystemSettings::Update::CMusOrchModel **)(a1 + 248)),
        v33 = 0,
        v16) )
  {
    v33 = 1;
  }

4. Seeker update counts are retrieved

HKLMValueOr = SystemSettings::Update::CMusOrchModel::GetSeekerUpdatesCounts(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v46[1],
                  &v47,
                  &v44,
                  &v45);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6894i64;
    goto LABEL_3;
  }
  v17 = v46[1];
  v39 = v46[1] != 0;
  v18 = v47;
  v34 = v47 != 0;
  v19 = v45;
  if ( v44 || (v36 = 0, v45) )
    v36 = 1;
  v56 = 0;
  v57 = 0;
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::GetApprovedSeekerUpdatesCounts(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v56,
                  &v57);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6904i64;
    goto LABEL_3;
  }

5. Configuration is checked to see whether quality updates are auto-approved

 if ( v34 )
  {
    HKLMValueOr = SystemSettings::Update::CMusOrchModel::IsAutoApproveSeekerQualityUpdatesEnabled(
                    *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                    &v32);
    if ( HKLMValueOr < 0 )
    {
      v5 = 6933i64;
      goto LABEL_3;
    }
    v23 = v32;
  }

6. We get to the spot where the crash occurs, GetSeekerUXDisplayRank

 IsUXCampaignApplicable = 0;
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  v46);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6938i64;
    goto LABEL_3;
  }
  v25 = v46[0];
  if ( v46[0] != 1 )
    IsUXCampaignApplicable = SystemSettings::Update::CMusOrchModel::IsUXCampaignApplicable(*(_QWORD *)(a1 + 248), 1i64);
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::IsSeekerOnDemandUxEnabled(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v40);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6948i64;
    goto LABEL_3;
  }
  v32 = 0;
  v37 = 0;
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::GetDeviceEosStatus(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v32,
                  &v37);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6954i64;
    goto LABEL_3;
  }
  HKLMValueOr = SystemSettings::Update::CMusOrchModel::IsSeekerHighCompatMessageEnabled(
                  *(SystemSettings::Update::CMusOrchModel **)(a1 + 248),
                  &v43);
  if ( HKLMValueOr < 0 )
  {
    v5 = 6957i64;
    goto LABEL_3;
  }

The crash occurs because a function pointer is null when attempting to call _guard_xfg_dispatch_icall_fptr:

__int64 __fastcall SystemSettings::Update::CMusOrchModel::GetSeekerUXDisplayRank(
        SystemSettings::Update::CMusOrchModel *this,
        unsigned int *a2)
{
  __int64 v4; // rcx
  int v5; // eax
  unsigned int v6; // edi
  int v7; // [rsp+20h] [rbp-28h]
  unsigned int v8; // [rsp+30h] [rbp-18h] BYREF
  wil::details::in1diag3 *retaddr; // [rsp+48h] [rbp+0h]

  if ( a2 )
  {
    v4 = *((_QWORD *)this + 212);
    v8 = 1;
    v5 = _guard_xfg_dispatch_icall_fptr(v4, 90i64, 1i64, &v8);

This function is an eXtended Flow Guard (XFG) function generated by the compiler; a good introduction to this is here

It seems like the reference to this function has been overwritten with 0s, causing the null reference when attempting to reference a pointer to the targeted function, although I am currently unsure as to what actually caused this problem.
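To make the failure mode concrete, here is a simplified C model of the indirect call in GetSeekerUXDisplayRank with the target validated before dispatch. It is an added example, not code from MusUpdateHandlers.dll or from this post: the struct layout, hash value, rank value and function names are constructed, and only the slot index 212, the arguments 90 and 1, and the default of 1 come from the decompilation above.

```c
#include <stddef.h>
#include <stdint.h>

typedef int32_t hresult_t;                    /* negative value = failure */
#define HR_OK        ((hresult_t)0)
#define HR_E_POINTER ((hresult_t)-2147467261) /* 0x80004003 */
#define HR_E_FAIL    ((hresult_t)-2147467259) /* 0x80004005 */
#define SLOT 212                  /* from the page: *((_QWORD *)this + 212) */
#define EXPECTED_HASH 0x1122334455667788ULL   /* constructed type hash */

typedef hresult_t (*rank_fn)(void *self, long a, long b, unsigned int *out);

/* Model only: real XFG keeps the hash in the 8 bytes before the function. */
struct target { uint64_t type_hash; rank_fn fn; };

static hresult_t sample_rank(void *self, long a, long b, unsigned int *out) {
    (void)self; (void)a; (void)b;
    *out = 3;                                 /* constructed rank value */
    return HR_OK;
}

/* Checked dispatch. Real XFG fast-fails on a hash mismatch; the model returns. */
static hresult_t checked_icall(struct target *t, long a, long b, unsigned int *out) {
    if (t == NULL || t->fn == NULL) return HR_E_POINTER;   /* zeroed slot */
    if (t->type_hash != EXPECTED_HASH) return HR_E_FAIL;   /* wrong prototype */
    return t->fn(t, a, b, out);
}

/* Hypothetical hardened shape of the accessor shown in the decompilation. */
hresult_t get_rank_checked(void **this_slots, unsigned int *a2) {
    unsigned int v8 = 1;                      /* same default as the page */
    if (a2 == NULL) return HR_E_POINTER;
    hresult_t hr = checked_icall((struct target *)this_slots[SLOT], 90, 1, &v8);
    if (hr < 0) return hr;                    /* caller's `< 0` path handles it */
    *a2 = v8;
    return HR_OK;
}

/* Constructed scenarios: 0 = healthy, 1 = slot zeroed, 2 = wrong type hash. */
hresult_t run_scenario(int scenario, unsigned int *rank) {
    void *slots[SLOT + 1] = {0};
    struct target good = { EXPECTED_HASH, sample_rank };
    struct target bad  = { 0xDEADBEEFULL, sample_rank };
    slots[SLOT] = scenario == 0 ? &good : scenario == 2 ? &bad : NULL;
    return get_rank_checked(slots, rank);
}

int main(void) { unsigned int r = 0; return run_scenario(1, &r) == HR_E_POINTER ? 0 : 1; }
```

With the zeroed slot the caller gets a failed HRESULT and takes the same `< 0` error path InitializeState already has, instead of the 0xc0000005 access violation recorded in the event log.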

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.