From: Kerem Gümrükcü on
Hi Bob,

i am pretty sure you will fix it and please do
not forget to post what exactly the problem
was and what ShellExt did crash it,...

Thanks in advance,...

Regards

Kerem

--
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Latest Project: http://www.pro-it-education.de/software/deviceremover
Latest Open-Source Projects: http://entwicklung.junetz.de
-----------------------
"This reply is provided as is, without warranty express or implied."

From: Bob Altman on
Hello,

I managed to get a crash dump (actually, two of them, one for the "first
chance exception" and one for the "second chance exception"). PSEXEC
requires that all of the downstream commands and files be fully specified,
so I needed to put the following command into a batch file so that I can run
the batch file as administrator:

psexec -s C:\Windows\System32\CScript C:\DebuggingTools\adplus.vbs -crash -pn explorer.exe -o C:\dumps

I opened the crash dump in WinDbg, but the automagic analysis was less than
completely helpful. Apparently, by the time the exception occurs, the
instruction pointer is off in space somewhere:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File
[C:\dumps\Crash_Mode__Date_10-05-2009__Time_07-53-46AM\PID-544__EXPLORER.EXE__1st_chance_AccessViolation__mini_1f90_2009-10-05_08-10-10-215_0220.dmp]
User Mini Dump File: Only registers, stack and portions of memory are
available

Comment:
'1st_chance_AccessViolation_exception_in_EXPLORER.EXE_running_on_ALTMAN01'
Symbol search path is:
symsrv*symsrv.dll*E:\DbgSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Version 6002 (Service Pack 2) MP (2 procs)
Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Mon Oct 5 08:10:12.000 2009 (GMT-7)
System Uptime: not available
Process Uptime: 0 days 0:16:54.000
.................................................................
.................................................................
.....................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(220.1d08): Access violation - code c0000005 (first/second chance not
available)
eax=00000000 ebx=00010044 ecx=75c9fe61 edx=00000030 esi=00000000
edi=00000002
eip=66903f88 esp=02e9fb18 ebp=00000113 iopl=0 nv up ei pl zr na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
66903f88 ?? ???

0:001> !analyze -v
*******************************************************************************
*
*
* Exception Analysis
*
*
*
*******************************************************************************

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************

FAULTING_IP:
+23
66903f88 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 66903f88
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 66903f88
Attempt to read from address 66903f88

DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 66903f88

READ_ADDRESS: 66903f88

FOLLOWUP_IP:
user32!InternalCallWinProc+23
75c9fd72 648025ca0f0000fe and byte ptr fs:[0FCAh],0FEh

FAILED_INSTRUCTION_ADDRESS:
+6408952f01c4ddb8
66903f88 ?? ???

APPLICATION_VERIFIER_FLAGS: 0

IP_ON_HEAP: 66903f88
The fault address in not in any loaded module, please check your build's
rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which
may
contain the address if it were loaded.

FAULTING_THREAD: 00001d08

PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR

BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ

IP_ON_STACK:
+6408952f01c4ddb8
02e9fba0 9d popfd

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER: from 02e9fba0 to 66903f88

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
02e9fb14 02e9fba0 00000113 02e9fb50 00000000 0x66903f88
02e9fb24 75c9fd72 00010044 00000113 00000002 0x2e9fba0
00000000 00000000 00000000 00000000 00000000 user32!InternalCallWinProc+0x23


STACK_COMMAND: ~1s; .ecxr ; kb

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: user32!InternalCallWinProc+23

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: user32

IMAGE_NAME: user32.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 49e0380e

FAILURE_BUCKET_ID:
BAD_INSTRUCTION_PTR_c0000005_user32.dll!InternalCallWinProc

BUCKET_ID:
APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_user32!InternalCallWinProc+23

WATSON_STAGEONE_URL:
http://watson.microsoft.com/StageOne/explorer_exe/6_0_6002_18005/49e01da5/unknown/0_0_0_0/bbbbbbb4/c0000005/66903f88.htm?Retriage=1

Followup: MachineOwner
---------


From: "Jialiang Ge [MSFT]" on
Hello

According to the output of windbg,
eip=66903f88 esp=02e9fb18 ebp=00000113

Both eip and ebp are corrupted. Esp=02e9fb18 seems still right. Please
verify the value of esp by checking whether its value is in the range of
Stack Base and Stack Limit:

!teb
TEB at 7FFD8000
ExceptionList: 15bfa58
Stack Base: XXXXX
Stack Limit: YYYYY

If it is in the range, then we can say that the esp value is right. Then we
can possibly fix the stack trace based on esp:

kvn = 02e9fb18

Please let me know whether this helps.

Regards,
Jialiang Ge
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg(a)microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================


From: Bob Altman on
Hi,

Just want to let you know that I'll get back to this issue next week. My
wife and I are off to Las Vegas for a weekend getaway. (We live in Orange
County, a pleasant 5-hour drive from Vegas.)

Bob

From: Bob Altman on
Ok, I got a fresh dump file from the crash this morning. It looks similar
to the one I looked at last week: esp looks ok, but eip and ebp are
corrupted. I used the kv command to display the stack, which doesn't get me
much more than I got from !analyze -v. I assume that this probably means
that something corrupted the stack and sent the instruction pointer off to
an invalid address via a subroutine return.

-----------------------------

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File
[C:\Users\RDA\Desktop\Crash_Mode__Date_10-11-2009__Time_08-33-45AM\PID-8136__EXPLORER.EXE__2nd_chance_AccessViolation__full_114c_2009-10-11_08-52-28-750_1fc8.dmp]
User Mini Dump File with Full Memory: Only application data is available

Comment:
'2nd_chance_AccessViolation_exception_in_EXPLORER.EXE_running_on_ALTMAN01'
Symbol search path is:
symsrv*symsrv.dll*E:\DbgSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Version 6002 (Service Pack 2) MP (2 procs)
Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Sun Oct 11 08:52:29.000 2009 (GMT-7)
System Uptime: 5 days 1:03:11.941
Process Uptime: 0 days 0:19:14.000
................................
Loading unloaded module list
...............
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1fc8.c6c): Access violation - code c0000005 (first/second chance not
available)
eax=00000000 ebx=00010048 ecx=7671fe61 edx=00000030 esi=00000000
edi=00000002
eip=66903f88 esp=01d6f918 ebp=00000113 iopl=0 nv up ei pl zr na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
66903f88 ?? ???

0:001> !analyze -v
<snip>
FAULTING_IP:
+23
66903f88 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 66903f88
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 66903f88
Attempt to read from address 66903f88

DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 66903f88

READ_ADDRESS: 66903f88

FOLLOWUP_IP:
user32!InternalCallWinProc+23
7671fd72 648025ca0f0000fe and byte ptr fs:[0FCAh],0FEh

FAILED_INSTRUCTION_ADDRESS:
+61b2952f0217dd40
66903f88 ?? ???

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

IP_ON_HEAP: 66903f88
The fault address in not in any loaded module, please check your build's
rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which
may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 66903f88

FAULTING_THREAD: 00000c6c

PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR

BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ

IP_ON_STACK:
+61b2952f0217dd40
01d6f9a0 3cfb cmp al,0FBh

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER: from 01d6f9a0 to 66903f88

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
01d6f914 01d6f9a0 00000113 01d6f950 00000000 0x66903f88
01d6f924 7671fd72 00010048 00000113 00000002 0x1d6f9a0
00000000 00000000 00000000 00000000 00000000 user32!InternalCallWinProc+0x23


STACK_COMMAND: ~1s; .ecxr ; kb

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: user32!InternalCallWinProc+23

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: user32

IMAGE_NAME: user32.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 49e0380e

FAILURE_BUCKET_ID:
BAD_INSTRUCTION_PTR_c0000005_user32.dll!InternalCallWinProc

BUCKET_ID:
APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_user32!InternalCallWinProc+23

WATSON_STAGEONE_URL:
http://watson.microsoft.com/StageOne/explorer_exe/6_0_6002_18005/49e01da5/unknown/0_0_0_0/bbbbbbb4/c0000005/66903f88.htm?Retriage=1

Followup: MachineOwner
---------

0:001> !teb
TEB at 7ffdb000
ExceptionList: 01d6f9b8
StackBase: 01d70000
StackLimit: 01d5b000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffdb000
EnvironmentPointer: 00000000
ClientId: 00001fc8 . 00000c6c
RpcHandle: 00000000
Tls Storage: 7ffdb02c
PEB Address: 7ffd5000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks: 0
HardErrorMode: 0

0:001> kvn=01d6f918
# ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 01d6f914 01d6f9a0 00000113 01d6f950 00000000 0x66903f88
01 01d6f924 7671fd72 00010048 00000113 00000002 0x1d6f9a0
02 01d6f9c8 7672018d 00000000 66903f20 00010048
user32!InternalCallWinProc+0x23
03 01d6fb3c 778899f9 19fedb07 00000000 01d6fb64
user32!DispatchMessageWorker+0x322 (FPO: [SEH])
04 01d6fb4c 778c198e 779ec224 0006f3e8 00000000
ntdll!RtlQueryInformationAcl+0x8b
05 01d6fb64 00000000 779ec224 0006f3e8 00000000
ntdll!_RtlUserThreadStart+0x1b (FPO: [2,2,0])
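The esp/ebp sanity check Jialiang describes, applied to the register line and !teb output Bob posted for the second dump, as an added example (not code from the thread). It parses the two snippets, tests each register against [StackLimit, StackBase), and reports which pointers can still be trusted; the input values are copied from the posts above.

```python
import re

# Constructed from the values posted in the thread: the register line from the
# second dump and the !teb output that follows it.
REGISTER_LINE = "eip=66903f88 esp=01d6f918 ebp=00000113 iopl=0 nv up ei pl zr na pe nc"
TEB_OUTPUT = """TEB at 7ffdb000
ExceptionList: 01d6f9b8
StackBase: 01d70000
StackLimit: 01d5b000
SubSystemTib: 00000000"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")

def parse_registers(line):
    """Return {name: int} for the 32-bit registers in a WinDbg 'r' line."""
    return {name: int(value, 16) for name, value in REG_RE.findall(line)}

def parse_stack_bounds(teb_text):
    """Return (stack_limit, stack_base) parsed from !teb output."""
    bounds = {}
    for key in ("StackBase", "StackLimit"):
        m = re.search(rf"{key}:\s*([0-9a-fA-F]{{8}})", teb_text)
        if not m:
            raise ValueError(f"{key} missing from !teb output")
        bounds[key] = int(m.group(1), 16)
    return bounds["StackLimit"], bounds["StackBase"]

def in_stack(value, limit, base):
    """The committed user-mode stack occupies [StackLimit, StackBase):
    StackLimit is the lowest address, StackBase the highest (stacks grow down)."""
    return limit <= value < base

def triage(register_line, teb_text):
    """Classify esp and ebp against the thread's stack bounds. eip is checked
    too: a code pointer that lands on the stack is a further sign of corruption."""
    regs = parse_registers(register_line)
    limit, base = parse_stack_bounds(teb_text)
    return {
        "esp_ok": in_stack(regs["esp"], limit, base),
        "ebp_ok": in_stack(regs["ebp"], limit, base),
        "eip_on_stack": in_stack(regs["eip"], limit, base),
    }

if __name__ == "__main__":
    # For the posted dump: esp is inside the stack, ebp (0x113) is not,
    # and eip (0x66903f88) is neither on the stack nor in a loaded module.
    print(triage(REGISTER_LINE, TEB_OUTPUT))
```

When esp_ok is true and ebp_ok is false, as here, the frame-pointer chain is unusable but the raw stack is not, which is exactly the situation in which `kvn=<esp>` (or `dps esp`) can still recover the callers.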