While trying to get work done, I was confronted by several disturbing messages printed on the console of a 64-bit Windows 7 system:
[0x7FEEFEFAAA0] ANOMALY: meaningless REX prefix used
[0x7FEEFEE48C0] ANOMALY: meaningless REX prefix used
[0x7FEEFEE54B0] ANOMALY: meaningless REX prefix used
This was disturbing because I pretty quickly established that the application I was running was not printing those messages. The expression “meaningless REX prefix” does actually convey comprehensible meaning to me, but I still don’t want to see it printed by some shadowy force, especially not without any clue as to why it might be printed.
A quick trip to a search engine only established the all-too-familiar fact: there are lots of clueless people on the Internet. That includes people writing knowledge base articles. All in all, there are many avenues to ask the same question and get no useful answer.
There are all sorts of theories. It’s Windows 10. It’s anti-virus software. It’s Raptr. The winner is probably “my guess is that some non-Microsoft component (driver, software, utility) is installed and has “extended” the command processing environment with a REXX interpreter”. The old saying “better to remain silent and be thought a fool than to speak and to remove all doubt” certainly comes to mind.
Since I was not running Windows 10 or AVG, I could immediately dismiss some of those theories (and no, I didn’t take the REXX theory seriously for one second). But that didn’t help me much. So, where is that blasted message coming from?
What I could do was reproducibly provoke the “ANOMALY” message. Looking at the referenced addresses in WinDbg, it quickly turned out that they had a lot in common. Those were three entry points in opengl32.dll, namely wglSwapBuffers, wglSwapLayerBuffers, and wglMakeCurrent. It was also clear that they were all patched to jump inside ltc_game64-119906.dll. Which lives in the C:\PROGRA~2\RAPTRI~1\Raptr directory, also known as C:\Program Files (x86)\Raptr Inc\Raptr. And that’s something which comes with AMD’s Radeon drivers (the system has a Radeon R9 380 card in it).
So, let’s try our luck and see if the message might be coming from the Raptr DLL. Why yes, it does! And even better, next to it there’s an interesting looking string: ..\mhook\disasm\disasm.c – that looks like a source file name.
What Have We Learned?
Random libraries using printf() to write to the console (stdout) are a terrible, terrible idea. In fact it’s a monumentally stupid idea. That’s not a problem with the mhook library per se, it’s the fault of whoever used it in a product and configured it that way (like Raptr and others).
It’s not just that incomprehensible (to most users) messages with no context are annoying, they are actively harmful. The “meaningless” message is known to have broken version string parsing for Java and node.js, and almost certainly caused problems elsewhere.
It’s fairly easy to see how this screw-up happened, at least in the Raptr case. Raptr is meant for games and generally graphical applications… where the messages won’t be visible. But console applications can initialize OpenGL too, and if they do—poof, unexpected junk on the console, interfering with expected output.
Just don’t do that, okay? It’s really not cool.
How To Find the Culprit
I used a debugger to track down the origin of the message because that’s what I had at hand. That’s probably not what most users want to do.
It may be possible to find the culprit using tracing tools like Process Monitor, but that has not been tried.
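The string search that identified the Raptr DLL can also be scripted without a debugger. The following is an added example, not code from the original post or from mhook: it walks a directory and reports binaries that embed the two strings quoted above, in ASCII or UTF-16LE. The function names and the sample files built in demo() are constructed for illustration.

```python
import os
import sys
import tempfile

# Strings quoted in the post; both originate in mhook's disassembler source.
MARKERS = (b"meaningless REX prefix used", b"mhook\\disasm\\disasm.c")

def find_markers(data):
    """Return the markers present in data, stored as ASCII or UTF-16LE."""
    hits = []
    for m in MARKERS:
        wide = m.decode("ascii").encode("utf-16-le")
        if m in data or wide in data:
            hits.append(m.decode("ascii"))
    return hits

def scan_tree(root, exts=(".dll", ".exe")):
    """Walk root and map each binary embedding a marker to the markers found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = find_markers(fh.read())
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
            if hits:
                results[path] = hits
    return results

def demo():
    """Constructed sample: two fake DLLs, only one carrying the strings."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "hooker64.dll"), "wb") as fh:
            fh.write(b"MZ\x00\x00ANOMALY: meaningless REX prefix used\n\x00"
                     b"..\\mhook\\disasm\\disasm.c\x00")
        with open(os.path.join(tmp, "clean.dll"), "wb") as fh:
            fh.write(b"MZ\x00\x00nothing to see here")
        return {os.path.basename(p): h for p, h in scan_tree(tmp).items()}

if __name__ == "__main__":
    # With an argument, scan that directory; otherwise run the constructed demo.
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it against the install directories of software that injects into other processes. A packed or compressed binary will not expose the strings on disk, so an empty result does not rule a product out.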
The unexpected “ANOMALY: meaningless REX prefix used” message and several similar “ANOMALY” messages come from the open-source mhook library, which is a generic library used for API hooking; the message is specific to 64-bit systems. Several products use the mhook library, including but not limited to Raptr aka Gaming Evolved (shipped with AMD Radeon and possibly other graphics drivers) and some versions of the AVG anti-virus software.
The message may only cause cosmetic issues, but can also interfere with the operation of various command-line tools. To eliminate the message, it is likely necessary to update or uninstall the software producing it, but establishing the precise origin of the message may unfortunately not be trivial.