Cannot register OCX control in Windows 2003 Server: Invalid Access to Memory Location
From Support
If you have a question or seek clarification, please call Technical Support.
Problem:
When installing WinSpool Electronic Forms on a Windows 2003 Server machine, we discovered that we could not run the RJS Text Layer Designer. It came back with an error stating that "ccrpsbrb.ocx" was either missing or was not registered properly.
I checked the install log and it stated that it was having a problem registering "ccrpsbrb.ocx".
I tried manually registering the OCX by running the command "regsvr32 C:\WINDOWS\system32\ccrpsbrb.ocx". This did not work. Instead I received an error: "LoadLibrary("ccrpsbrb.ocx") failed - Invalid access to memory location."
Solution:
After some searching, it turns out that this is a Windows 2003 Server security issue. There is a security system called DEP (Data Execution Prevention) which is designed to help protect against damage from viruses and other security threats. DEP gets installed with Service Pack 1 for Windows 2003 Server and is automatically configured to the highest security setting. This system limits what type of OCX controls can be registered and what programs can run without interference. In particular, it will block 16-bit OCX controls from being registered and from running.
Solution 1: Turn Off DEP
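To do this, right-click on My Computer and select Properties to open the System Properties. On the Advanced tab, locate the Performance section and click the Settings button. Select the tab labeled Data Execution Prevention (also known as DEP). On this page, make sure that the first option, labeled "Turn on DEP for essential Windows programs and services only", is enabled. As the label indicates, this setting leaves DEP on for essential Windows programs and services and removes it for everything else, including the applications that were having problems.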
Solution 2: Change security for the RJS Merge Engine
To do this, right-click on My Computer and select Properties to open the System Properties. On the Advanced tab, locate the Performance section and click the Settings button. Select the tab labeled Data Execution Prevention (also known as DEP). On this page, make sure that the second option, labeled "Turn on DEP for all programs and services except those I select", is enabled. In the list below this option, you will need to add the applications that were having problems. The following applications are needed to get the Text Layer Designer to work:
- RJS Text Layer Designer - located at C:\WSPEFORM\RJSFormText.EXE (REQUIRED)
- Electronic Forms Merge Engine - located at C:\WSPEFORM\RJSFormMerge.EXE (REQUIRED)
- WinSpool Electronic Forms Print Server - located at C:\WSPEFORM\WSPeform.EXE (RECOMMENDED)
This exempts these applications from DEP, so they can run and use the OCX controls that were having problems. However, you will still need to register the OCX by running the following command on the Run line: "regsvr32 C:\WINDOWS\system32\ccrpsbrb.ocx".
NOTE: These changes must be PERMANENT. If these applications are removed from the list, the Text Layer Designer (or any other app that you are trying to get working) will error out, even if the OCX control is properly registered.
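To confirm the result of Solution 2 and keep the exemption list limited to the three applications named above, the following PowerShell audit reports the system DEP policy and every per-application exemption. It is an added example, not code from RJS or Microsoft. It assumes Windows PowerShell 2.0 or later is installed and that exemptions made on the Data Execution Prevention tab are stored under the AppCompatFlags\Layers registry key with the data "DisableNXShowUI".

```powershell
# Added example: report the system DEP policy and audit per-application exemptions.
# Assumes Windows PowerShell 2.0 or later, run by an administrator.
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled for all processes)'
    1 = 'AlwaysOn (DEP for all processes, exemption list ignored)'
    2 = 'OptIn (essential Windows programs and services only)'
    3 = 'OptOut (all programs except those on the exemption list)'
}
$os = Get-WmiObject -Class Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Output ("Hardware DEP available : {0}" -f $os.DataExecutionPrevention_Available)
Write-Output ("System DEP policy      : {0}" -f $policyNames[$policy])

# Exemptions added in the DEP tab are registry values named after the
# executable path, with data containing "DisableNXShowUI".
$layersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$exempt = @()
if (Test-Path $layersKey) {
    $key = Get-Item $layersKey
    foreach ($name in $key.GetValueNames()) {
        if (([string]$key.GetValue($name)) -match 'DisableNX') {
            $exempt += $name
        }
    }
}

# Paths this article says belong on the list (Solution 2).
$expected = @(
    'C:\WSPEFORM\RJSFormText.EXE',
    'C:\WSPEFORM\RJSFormMerge.EXE',
    'C:\WSPEFORM\WSPeform.EXE'
)

# Every exemption removes a memory protection, so flag any entry the
# article does not call for and any entry whose file no longer exists.
foreach ($path in $exempt) {
    $listed = $expected -contains $path      # case-insensitive comparison
    $onDisk = Test-Path -LiteralPath $path
    Write-Output ("Exempt: {0}  (listed in article: {1}, file exists: {2})" -f $path, $listed, $onDisk)
}
foreach ($path in $expected) {
    if ($exempt -notcontains $path) { Write-Warning "Not on the DEP exemption list: $path" }
}
if ($policy -eq 1 -and $exempt.Count -gt 0) {
    Write-Warning 'Policy is AlwaysOn: the exemption list has no effect.'
}
```

A policy value of 2 corresponds to the first option in the dialog (Solution 1) and 3 to the second option (Solution 2).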
MICROSOFT Description of Data Execution Prevention:
Data execution prevention
Data execution prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. Windows Server 2003 Service Pack 1 enforces DEP using both hardware and software.
Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. There is a class of attacks that attempt to insert and execute code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and raising an exception. Both Advanced Micro Devices™ (AMD) and Intel Corporation have defined and shipped Windows-compatible architectures that are compatible with DEP. Service Pack 1 utilizes the no-execute page-protection (NX) processor feature as defined by AMD or the Execute Disable bit (XD) feature as defined by Intel. (Note: 32-bit processors must be running in Physical Address Extension mode to make use of this function.)
An additional set of DEP security checks have been added to Windows Server 2003 with Service Pack 1. These checks, known as software-enforced DEP, are designed to mitigate exploits of exception handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows Server 2003 with Service Pack 1. By default, software-enforced DEP protects only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.
Software-enforced DEP performs additional checks on exception handling mechanisms in Windows. If the program’s image files are built with Safe Structured Exception Handling (SafeSEH), software-enforced DEP ensures that before an exception is dispatched, the exception handler is registered in the function table located within the image file. If the program’s image files are not built with SafeSEH, software-enforced DEP ensures that before an exception is dispatched, the exception handler is located within a memory region marked as executable.
The primary benefit of DEP is that it helps prevent code execution from data pages such as the default heap, various stacks, and memory pools. In normal operations of the system, code is not typically executed from the default heap and stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process will be terminated. Execution of code from protected memory in kernel mode results in an error.
Although terminating a process or causing the system to fail with an error do not appear to be ideal experiences, this helps prevent malicious code from executing. Preventing malicious code from executing on the system may prevent damage to a customer’s system or propagation of malicious code whose harmful effects could easily exceed those of a terminated process or system error.
DEP can help mitigate a class of security exploits. Specifically, DEP can prevent the exploit in which a virus or other attack has injected a process with additional code and then attempts to execute the injected code. On a system with DEP, execution of the injected code would result in an exception. Software-enforced DEP can help mitigate exploits of exception-handling mechanisms within Windows.
A secondary benefit of DEP relates to good engineering and best practices for application and driver developers. DEP forces developers to avoid executing code out of data pages without explicitly marking the pages as executable.
