From: Kerem Gümrükcü on 24 Sep 2009 12:06

Hi Bob,

I am pretty sure you will fix it and please do not forget to post what exactly the problem was and what ShellExt did crash it,...

Thanks in advance,...

Regards

Kerem

--
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Latest Project: http://www.pro-it-education.de/software/deviceremover
Latest Open-Source Projects: http://entwicklung.junetz.de
-----------------------
"This reply is provided as is, without warranty express or implied."

From: Bob Altman on 5 Oct 2009 11:49

Hello,

I managed to get a crash dump (actually, two of them, one for the "first chance exception" and one for the "second chance exception"). PSEXEC requires that all of the downstream commands and files be fully specified, so I needed to put the following command into a batch file so that I can run the batch file as administrator:

psexec -s C:\Windows\System32\CScript C:\DebuggingTools\adplus.vbs -crash -pn explorer.exe -o C:\dumps

I opened the crash dump in WinDbg, but the automagic analysis was less than completely helpful. Apparently, by the time the exception occurs, the instruction pointer is off in space somewhere:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\dumps\Crash_Mode__Date_10-05-2009__Time_07-53-46AM\PID-544__EXPLORER.EXE__1st_chance_AccessViolation__mini_1f90_2009-10-05_08-10-10-215_0220.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Comment: '1st_chance_AccessViolation_exception_in_EXPLORER.EXE_running_on_ALTMAN01'
Symbol search path is: symsrv*symsrv.dll*E:\DbgSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Version 6002 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Mon Oct 5 08:10:12.000 2009 (GMT-7)
System Uptime: not available
Process Uptime: 0 days 0:16:54.000
.................................................................
.................................................................
.....................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(220.1d08): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00010044 ecx=75c9fe61 edx=00000030 esi=00000000 edi=00000002
eip=66903f88 esp=02e9fb18 ebp=00000113 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
66903f88 ?? ???
0:001> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

FAULTING_IP:
+23
66903f88 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 66903f88
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 66903f88
Attempt to read from address 66903f88

DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 66903f88

READ_ADDRESS: 66903f88

FOLLOWUP_IP:
user32!InternalCallWinProc+23
75c9fd72 648025ca0f0000fe and byte ptr fs:[0FCAh],0FEh

FAILED_INSTRUCTION_ADDRESS:
+6408952f01c4ddb8
66903f88 ?? ???

APPLICATION_VERIFIER_FLAGS: 0

IP_ON_HEAP: 66903f88
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

FAULTING_THREAD: 00001d08

PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR

BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ

IP_ON_STACK:
+6408952f01c4ddb8
02e9fba0 9d popfd

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER: from 02e9fba0 to 66903f88

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
02e9fb14 02e9fba0 00000113 02e9fb50 00000000 0x66903f88
02e9fb24 75c9fd72 00010044 00000113 00000002 0x2e9fba0
00000000 00000000 00000000 00000000 00000000 user32!InternalCallWinProc+0x23

STACK_COMMAND: ~1s; .ecxr ; kb

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: user32!InternalCallWinProc+23

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: user32

IMAGE_NAME: user32.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 49e0380e

FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_user32.dll!InternalCallWinProc

BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_user32!InternalCallWinProc+23

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/explorer_exe/6_0_6002_18005/49e01da5/unknown/0_0_0_0/bbbbbbb4/c0000005/66903f88.htm?Retriage=1

Followup: MachineOwner
---------

From: "Jialiang Ge [MSFT]" on 6 Oct 2009 02:48

Hello

According to the output of windbg,

eip=66903f88 esp=02e9fb18 ebp=00000113

Both eip and ebp are corrupted. Esp=02e9fb18 seems still right. Please verify the value of esp by checking whether its value is in the range of Stack Base and Stack Limit:

!teb
TEB at 7FFD8000
ExceptionList: 15bfa58
Stack Base: XXXXX
Stack Limit: YYYYY

If it is in the range, then we can say that the esp value is right. Then we can possibly fix the stack trace based on esp:

kvn = 02e9fb18

Please let me know whether this helps.

Regards,
Jialiang Ge
Microsoft Online Community Support

=================================================
Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msdnmg(a)microsoft.com.

This posting is provided "AS IS" with no warranties, and confers no rights.
=================================================

From: Bob Altman on 8 Oct 2009 10:52

Hi,

Just want to let you know that I'll get back to this issue next week. My wife and I are off to Las Vegas for a weekend getaway. (We live in Orange County, a pleasant 5-hour drive from Vegas.)

Bob

From: Bob Altman on 11 Oct 2009 12:26

Ok, I got a fresh dump file from the crash this morning. It looks similar to the one I looked at last week: esp looks ok, but eip and ebp are corrupted. I used the kv command to display the stack, which doesn't get me much more than I got from !analyze -v. I assume that this probably means that something corrupted the stack and sent the instruction pointer off to an invalid address via a subroutine return.

-----------------------------

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\RDA\Desktop\Crash_Mode__Date_10-11-2009__Time_08-33-45AM\PID-8136__EXPLORER.EXE__2nd_chance_AccessViolation__full_114c_2009-10-11_08-52-28-750_1fc8.dmp]
User Mini Dump File with Full Memory: Only application data is available

Comment: '2nd_chance_AccessViolation_exception_in_EXPLORER.EXE_running_on_ALTMAN01'
Symbol search path is: symsrv*symsrv.dll*E:\DbgSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Version 6002 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Sun Oct 11 08:52:29.000 2009 (GMT-7)
System Uptime: 5 days 1:03:11.941
Process Uptime: 0 days 0:19:14.000
................................
Loading unloaded module list
...............
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1fc8.c6c): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00010048 ecx=7671fe61 edx=00000030 esi=00000000 edi=00000002
eip=66903f88 esp=01d6f918 ebp=00000113 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
66903f88 ?? ???
0:001> !analyze -v

<snip>

FAULTING_IP:
+23
66903f88 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 66903f88
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 66903f88
Attempt to read from address 66903f88

DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 66903f88

READ_ADDRESS: 66903f88

FOLLOWUP_IP:
user32!InternalCallWinProc+23
7671fd72 648025ca0f0000fe and byte ptr fs:[0FCAh],0FEh

FAILED_INSTRUCTION_ADDRESS:
+61b2952f0217dd40
66903f88 ?? ???

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

IP_ON_HEAP: 66903f88
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 66903f88

FAULTING_THREAD: 00000c6c

PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR

BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ

IP_ON_STACK:
+61b2952f0217dd40
01d6f9a0 3cfb cmp al,0FBh

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER: from 01d6f9a0 to 66903f88

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
01d6f914 01d6f9a0 00000113 01d6f950 00000000 0x66903f88
01d6f924 7671fd72 00010048 00000113 00000002 0x1d6f9a0
00000000 00000000 00000000 00000000 00000000 user32!InternalCallWinProc+0x23

STACK_COMMAND: ~1s; .ecxr ; kb

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: user32!InternalCallWinProc+23

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: user32

IMAGE_NAME: user32.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 49e0380e

FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_user32.dll!InternalCallWinProc

BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_user32!InternalCallWinProc+23

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/explorer_exe/6_0_6002_18005/49e01da5/unknown/0_0_0_0/bbbbbbb4/c0000005/66903f88.htm?Retriage=1

Followup: MachineOwner
---------

0:001> !teb
TEB at 7ffdb000
ExceptionList: 01d6f9b8
StackBase: 01d70000
StackLimit: 01d5b000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffdb000
EnvironmentPointer: 00000000
ClientId: 00001fc8 . 00000c6c
RpcHandle: 00000000
Tls Storage: 7ffdb02c
PEB Address: 7ffd5000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks: 0
HardErrorMode: 0
0:001> kvn=01d6f918
# ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 01d6f914 01d6f9a0 00000113 01d6f950 00000000 0x66903f88
01 01d6f924 7671fd72 00010048 00000113 00000002 0x1d6f9a0
02 01d6f9c8 7672018d 00000000 66903f20 00010048 user32!InternalCallWinProc+0x23
03 01d6fb3c 778899f9 19fedb07 00000000 01d6fb64 user32!DispatchMessageWorker+0x322 (FPO: [SEH])
04 01d6fb4c 778c198e 779ec224 0006f3e8 00000000 ntdll!RtlQueryInformationAcl+0x8b
05 01d6fb64 00000000 779ec224 0006f3e8 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [2,2,0])

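The check suggested in the 6 Oct reply (is esp between StackLimit and StackBase?) applied to the values in the 11 Oct dump, as an added example that is not part of any post in this thread. It also classifies where each kvn frame was executing; the function name `triage` and the trimmed sample text are assumptions of this example.

```python
import re

# Sample input: register line, !teb stack bounds and kvn frames copied from the
# 11 Oct 2009 dump quoted in the thread, trimmed to the fields this check reads.
SAMPLE = """\
eip=66903f88 esp=01d6f918 ebp=00000113 iopl=0 nv up ei pl zr na pe nc
StackBase: 01d70000
StackLimit: 01d5b000
00 01d6f914 01d6f9a0 00000113 01d6f950 00000000 0x66903f88
01 01d6f924 7671fd72 00010048 00000113 00000002 0x1d6f9a0
02 01d6f9c8 7672018d 00000000 66903f20 00010048 user32!InternalCallWinProc+0x23
03 01d6fb3c 778899f9 19fedb07 00000000 01d6fb64 user32!DispatchMessageWorker+0x322
"""

# kvn frame: number, ChildEBP, RetAddr, three argument dwords, frame location.
FRAME = re.compile(
    r"^([0-9a-f]{2}) ([0-9a-f]{8}) [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)", re.M)


def triage(text):
    """Validate esp/ebp against the TEB stack range and classify frame IPs."""
    regs = {name: int(val, 16)
            for name, val in re.findall(r"\b(eip|esp|ebp)=([0-9a-f]{8})", text)}
    base = int(re.search(r"Stack ?Base:\s*([0-9a-f]+)", text).group(1), 16)
    limit = int(re.search(r"Stack ?Limit:\s*([0-9a-f]+)", text).group(1), 16)

    def on_stack(addr):
        # The stack grows down from StackBase (exclusive) to StackLimit.
        return limit <= addr < base

    frames = []
    for num, child_ebp, where in FRAME.findall(text):
        if "!" in where:
            kind = "module"        # debugger resolved it to module!symbol
        elif on_stack(int(where, 16)):
            kind = "stack"         # frame location is an address on this stack
        else:
            kind = "unresolved"    # raw address, neither symbolized nor stack
        frames.append((int(num, 16), where, kind, on_stack(int(child_ebp, 16))))
    return {"esp_ok": on_stack(regs["esp"]), "ebp_ok": on_stack(regs["ebp"]),
            "frames": frames}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For this dump it reports esp inside the stack range, ebp outside it, frame 00 unresolved and frame 01 at a stack address, which agrees with the IP_ON_STACK and LAST_CONTROL_TRANSFER lines in the !analyze -v output.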