Skip to content

The Tor Browser installer doesn't run with mandatory ASLR on (0xc000007b)

We have received some feedback that Tor Browser can't be installed on Windows because of some error with code 0xc000007b.

Now we know that it is caused by mandatory ASLR turned on on some machines:

  1. Open Settings
  2. Search for Exploit protection in the left search bar
  3. Force randomization for Images (Mandatory ASLR) (it should be the third setting):
    • Set it to On by default to test the problem
    • Set it to Off by default (which is usually the default) if it's on and you want to install Tor Browser.

Please notice that the browser binaries work with this setting, and only the first installation fails. However, changing the settings requires admin privileges and a reboot. So, while it's a workaround, it might not always be feasible.

As for a real solution, I've already tried to pass -Wl,--dynamicbase when building NSIS. My conjecture is that makensis doesn't actually compile an exe, but appends stuff to the exe we build earlier.

It wasn't trivial, and it wasn't effective either. NSIS uses scons, I've tried with the APPEND_LINKFLAGS variable, but it didn't work (it stops finding zlib, when using this flag). So, I've replaced [% c("arch") %]-w64-mingw32-g++ with a script that invokes the real mingw g++ with the flags we need (I've copied the way from the Go build script).

FWIW, using MS tooling (from the VS cmd), I could see that our installers were already detected as with dynamic base on. I think that GCC/binutils now have --dynamicbase enabled by default (or it takes the flag that we pass - I thought they were for building the tools only).

Passing -Wl,--disable-dynamicbase in the way I've described above didn't work, either. But dumpbin /headers still lists "Dynamic base" under "Optional header values". I've checked also Firefox Installer.exe (the stub that downloads the actual installer): it doesn't contain "Dynamic base" (but it isn't an NSIS installer, either).

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information