Skip to content

Initialization Failure: Unable to walk EPROCESS and Failed LZ4 Decompression #66

New issue
New issue
Open
Open
Initialization Failure: Unable to walk EPROCESS and Failed LZ4 Decompression#66
@asdat3

Description

@asdat3
asdat3
opened on May 28, 2025

There is a good chance this is a user error, I just spent multiple hours trying to understand why keyboard cant be initilized.

I traced it back to the registry not being able to read (not the typical winlogon not found issue)

During initialization, the system fails to walk EPROCESS structures and cannot auto-identify the OS. Even after successful memory mapping and device recognition, symbol resolution is not sufficient for initialization. Additionally, LZ4 decompression initialization fails due to a missing tinylz4.dll.

DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,25,500] [v4.12,3100] [ASYNC,NORM,FWCUST]
[PROCESS]  Unable to fuzz EPROCESS offsets - trying debug symbols
[INFODB]   INIT: FAIL: va=0xfffff807b9c00000
[SYMBOL]   Initialized symbol subsystem (Microsoft).
[CORE]     Initialization Failed. Unable to walk EPROCESS. #5
[CORE]     Unable to auto-identify operating system.
           Specify PageDirectoryBase (DTB/CR3) in -dtb option if value if known.
           If arm64 dump, specify architecture: -arch arm64

[CORE]     Failed to initialize.

[CORE]     SHUTDOWN COMPLETED (000002A917F6E040).
[CORE]       TIME: 2025-05-28 19:17:35 UTC.
[CORE]       RUNTIME: 0s.

[!] Initialization failed with Memory map? Try without MMap
DEVICE: FPGA: ScreamerM2 PCIe gen2 x1 [300,25,500] [v4.12,3100] [ASYNC,NORM,FWCUST]
[INFODB]   INIT: FAIL: va=0xfffff807b9c00000
[SYMBOL]   Initialized symbol subsystem (Microsoft).
Initialized 64-bit Windows 10.0.26100
FPGA ID: 4
[CORE]     VmmProc: Start periodic cache flushing
DEVICE ID: 12544
success!
[+] VMMDLL_ConfigGet ID = 4 VERSION = 0.0
[-] Failed VMMDLL_InitializePlugins call
Failed to fix CR3
[+] Found Base Address for explorer.exe at 0x00007FF6250F0000
[+] Found Base Size for explorer.exe at 0x00000000002C7000
Process information of explorer.exe
PID: 14356
Base Address: 0x7ff6250f0000
Base Size: 0x2c7000
Failed to initialize keyboard hotkeys through kernel.
[VMM]      MemCompress_Initialize: Failed to initialize LZ4 decompression. Likely reason: tinylz4.dll is missing.
[CORE]     Exit periodic cache flushing
[API]      MEMORY NOT DEALLOCATED AT CLOSE: va=0x2a91e5dd170 size=0x124 tag=MODN
[API]      MEMORY NOT DEALLOCATED AT CLOSE: va=0x2a91e5d97e0 size=0x124 tag=MODN
[CORE]     SHUTDOWN COMPLETED (000002A917F64040).
[CORE]       TIME: 2025-05-28 19:17:36 UTC.
[CORE]       RUNTIME: 0s.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions