Sunday, April 17, 2011

The Case of the Mysterious Law Manager Startup Error

Getting Law Manager v2.4 to run on Windows 7
Overview
Several of my customers run old versions (circa 2003) of a legal case management application called Law Manager, since acquired by Bridgeway. These customers reported that their old versions of Law Manager “don’t work” on Windows 7 and that the vendor did not support running them on Windows 7. Normally, if the vendor of an incompatible app has a newer version that is compatible with Windows 7, we recommend upgrading to the new version. Sometimes, though, customers will choose for various reasons to try to continue using the version they have at least temporarily, even if it means that they will do so without vendor support. This article describes the troubleshooting and remediation steps I performed to get Law Manager working for one of those customers. The incompatibility turned out to be due to a very subtle change in a single registry value. Two different solutions to the problem are provided.
This case describes troubleshooting and remediation for a specific version of Law Manager. The results may be the same for other legacy versions of Law Manager, but they would each need to be verified separately. Sysinternals SigCheck with the -a command line option reports the following version information for this customer’s copy:

C:\Program Files\Law Manager, Inc\LawManager.Pro\lm2000.exe: 
    Verified: Unsigned 
    File date: 4:50 PM 10/6/2003 
    Publisher: Law Manager, Inc. 
    Description: LawManager.Pro 
    Product: LawManager.Pro 
    Version: 2.4 Service Pack 1 (204) 
    File version: 2.4 Service Pack 1 (204) 
    Strong Name: Unsigned 
    Original Name: lm2000.exe 
    Internal Name: lm2000.exe 
    Copyright: Copyright ⌐ Law Manager, Inc 1985-2002 
    Comments: leader in premier practice management software for large corporate legal departments, government agencies and multi-office law firms

The Diagnosis
After installing Law Manager (with administrative rights), I ran Law Manager from the Start menu as a standard user. It displayed a terse error message and then exited when the dialog was dismissed:
It turns out that this kind of error message is typical of runtime failures from Borland Delphi applications. As far as I can tell, when a Delphi app triggers an otherwise-unhandled exception, the outermost Delphi runtime code captures the exception, displays an error message like the one shown with an error code and a memory address, then exits. In Pascal and Delphi, error code 204 means “invalid pointer operation”. In addition to the Borland-style UI elements in a working version of Law Manager, I confirmed my suspicion that Law Manager is a Delphi application with the Sysinternals Strings utility:
strings -q lm2000.exe | findstr /i delp 
SOFTWARE\Borland\Delphi\RTL 
Software\Borland\Delphi\Locales 
Delphi Picture 
Delphi Component 
Delphi%.8X 
Software\Developer Express\Delphi\Design Forms\ 
Software\Developer Express\Delphi\Design Forms\ 
   | Compilation Flags: Win32, Production, TimerView, Delphi 6.0

To figure out what the app could be doing that would lead to failure, I turned to Sysinternals Process Monitor, a.k.a. Procmon, the best troubleshooting tool in the universe (well, at least for that part of the universe that runs Microsoft Windows).
Here is a troubleshooting pattern I use all the time. I started Procmon, which began capturing details about all file system and registry events as well as many types of process and network events. When the error message appeared, I stopped the Procmon trace and dragged the crosshairs “Include Process From Window” icon from the Procmon toolbar to the error message. This feature applies a filter to the results so that Procmon displays only those events associated with the process that owns the window; in this case lm2000.exe, process ID 3600. The events of interest are then usually near the end of the trace, so I went to the end of the trace and worked back. One thing to note is that displaying an error dialog usually involves a number of registry accesses. If the Procmon trace has clues, they usually show up right before the events involved in the error message display.
It took some digging, but the evidence turned up and can be seen in the following screenshot. The first event shown in the screenshot is a registry value read that appears to be related to COM component invocation. The retrieved value is a REG_EXPAND_SZ – a text string that can contain environment variables that need to be expanded before use: “%SystemRoot%\System32\hhctrl.ocx”. Two events later is an attempt to open a file system folder with the name “C:\Program Files\Law Manager, Inc\LawManager.Pro\%SystemRoot%\System32\”, which of course fails with “PATH NOT FOUND”. Evidently the program failed to expand the environment variable before calling a file system API with the returned data. The program probably also expected the API to succeed because the error and exit followed very quickly.

7701.ProcmonMainScreen_5F00_thumb.png