Explorer Crashing Issue - Help need to analyse .dmp file


  1. Posts : 14
    Windows 7
       #1

    Explorer Crashing Issue - Help need to analyse .dmp file


    We have a lot of issues with Windows 7 computers at our business. To date we are unsure what is causing the issue as there is no way to replicate it and it seems to be happening randomly.

    Most of the time Explorer doesn't crash, as there is no error log in Event Viewer in relation to Explorer or any other error I can see. Most issues are with desktop views not updating or responding correctly, also the PC not shutting down as the explorer process is hanging at 50%.

    Ending explorer and restarting the process fixes the issue even though there is no crash log.

    I have added registry logging as per Collecting User-Mode Dumps so if explorer properly crashes (you get the not responding/restart process window and an event in Event Viewer) it will log the crash into a user .dmp file.

    These dump files are very large, about 300 MB in size. I have tried to open them in WinDbg but I don't really get enough info. I think I need some help to open these correctly and get some information on what can be causing the Explorer crashes and issue.

    Is there anyone out there who has had experience opening and analysing these types of files, as I'm having a lot of trouble and getting nowhere?

    See below the info when I go to open the crash dump via WinDbg. (This is all I get; I would expect to get more info seeing the .dmp files are so large.)


    _____________________________________________________________________

    Microsoft (R) Windows Debugger Version 6.2.8400.0 X86
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [C:\Users\5109\Desktop\explorer.exe.2960.dmp]
    User Mini Dump File with Full Memory: Only application data is available
    Symbol search path is: D:\Symbols
    Executable search path is: C:\Users\5109\Desktop
    Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: SingleUserTS
    Machine Name:
    Debug session time: Mon Jun 18 17:08:06.000 2012 (UTC + 1:00)
    System Uptime: 0 days 13:21:54.028
    Process Uptime: 0 days 7:41:25.000
    ................................................................
    ................................................................
    ................................................................
    .......
    Loading unloaded module list
    ................................................
    This dump file has an exception of interest stored in it.
    The stored exception information can be accessed via .ecxr.
    (b90.17bc): Access violation - code c0000005 (first/second chance not available)
    eax=00000000 ebx=01d5f3ec ecx=00000400 edx=00000000 esi=00000002 edi=00000000
    eip=777d70b4 esp=01d5f39c ebp=01d5f438 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
    ntdll!KiFastSystemCallRet:
    777d70b4 c3 ret


  2. Posts : 5,705
    Win7 x64 + x86
       #2

    Start by typing

    !analyze -v

    Into the bottom of the debugger - there's a small window there for typing commands.

    Try zipping up the logs and uploading a few of them to a free file-hosting site.
    Then post a link here so we can download and look at them.

    Just FYI - I'm not real experienced with user mode dump files, but sometimes can muddle through them enough to get some ideas!


  3. Posts : 14
    Windows 7
    Thread Starter
       #3

    Thanks, that gave more info but nothing that I can see that stood out.

    I have posted the .dmp @ https://skydrive.live.com/redir?resi...A3665DD0EE!154

    Thanks


  4. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #4

    Sometimes running sfc /scannow 3 times, booting after each, will repair Explorer so it won't crash. It doesn't always solve the problem but it can't hurt.


  5. Posts : 14
    Windows 7
    Thread Starter
       #5

    @layback bear. I have done this on one a while back but it did change anything; also this is a very widespread issue, so not really a great thing to do being in a business environment and the amount of machines this is happening to.


  6. Posts : 5,705
    Win7 x64 + x86
       #6

    It's a memory access issue, and it's blaming core Windows files. So, it's most likely a 3rd party program that's doing bad things to core Windows files somehow.

    I'm going to ask a friend to have a look at this.

    Also, I'd suggest posting the reports from the jcgriff2 pinned topic here (even though you're not having BSOD's): https://www.sevenforums.com/crashes-d...tructions.html My primary concern there will be the perfmon report, the systeminfo.txt file, the MSINFO32.nfo file and the event viewer logfiles (both application and system).

    Posted the !analyze -v along with clicking on the links in the debug output:
    Code:
    Microsoft (R) Windows Debugger Version 6.2.8400.0 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\John\Downloads\explorer.exe.2960\explorer.exe.2960.dmp]
    User Mini Dump File with Full Memory: Only application data is available
    
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: SingleUserTS
    Machine Name:
    Debug session time: Mon Jun 18 12:08:06.000 2012 (UTC - 4:00)
    System Uptime: 0 days 13:21:54.028
    Process Uptime: 0 days 7:41:25.000
    ................................................................
    ................................................................
    ................................................................
    .......
    Loading unloaded module list
    ................................................
    This dump file has an exception of interest stored in it.
    The stored exception information can be accessed via .ecxr.
    (b90.17bc): Access violation - code c0000005 (first/second chance not available)
    eax=00000000 ebx=01d5f3ec ecx=00000400 edx=00000000 esi=00000002 edi=00000000
    eip=777d70b4 esp=01d5f39c ebp=01d5f438 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    ntdll!KiFastSystemCallRet:
    777d70b4 c3              ret
    0:001> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    *** ERROR: Module load completed but symbols could not be loaded for sxwmon32.dll
    
    FAULTING_IP: 
    ntdll!TppWaiterpDoTransitions+d0
    777b80e9 8b08            mov     ecx,dword ptr [eax]
    
    EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 777b80e9 (ntdll!TppWaiterpDoTransitions+0x000000d0)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: d3fcb1e4
    Attempt to read from address d3fcb1e4
    
    DEFAULT_BUCKET_ID:  INVALID_POINTER_READ
    
    PROCESS_NAME:  explorer.exe
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    EXCEPTION_PARAMETER1:  00000000
    
    EXCEPTION_PARAMETER2:  d3fcb1e4
    
    READ_ADDRESS:  d3fcb1e4 
    
    FOLLOWUP_IP: 
    ntdll!TppWaiterpDoTransitions+d0
    777b80e9 8b08            mov     ecx,dword ptr [eax]
    
    NTGLOBALFLAG:  0
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APP:  explorer.exe
    
    FAULTING_THREAD:  000017bc
    
    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ
    
    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ
    
    LAST_CONTROL_TRANSFER:  from 777bfd61 to 777b80e9
    
    STACK_TEXT:  
    01d5fa38 777bfd61 000bc898 776406cf 00000000 ntdll!TppWaiterpDoTransitions+0xd0
    01d5fbbc 76a2ed6c 00000000 01d5fc08 777f37f5 ntdll!TppWaiterpThread+0x9e
    01d5fbc8 777f37f5 000bc898 7764017b 00000000 kernel32!BaseThreadInitThunk+0xe
    01d5fc08 777f37c8 777bfd0f 000bc898 00000000 ntdll!__RtlUserThreadStart+0x70
    01d5fc20 00000000 777bfd0f 000bc898 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~1s; .ecxr ; kb
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  ntdll!TppWaiterpDoTransitions+d0
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: ntdll
    
    IMAGE_NAME:  ntdll.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7b96e
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_ntdll.dll!TppWaiterpDoTransitions
    
    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_ntdll!TppWaiterpDoTransitions+d0
    
    WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17514/4ce796f3/ntdll_dll/6_1_7601_17514/4ce7b96e/c0000005/000280e9.htm?Retriage=1
    
    Followup: MachineOwner
    ---------
    
    0:001> .exr 0xffffffffffffffff
    ExceptionAddress: 777b80e9 (ntdll!TppWaiterpDoTransitions+0x000000d0)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: d3fcb1e4
    Attempt to read from address d3fcb1e4
    0:001> lmvm ntdll
    start    end        module name
    77790000 778cc000   ntdll      (pdb symbols)          c:\symbols\ntdll.pdb\120028FA453F4CD5A6A404EC37396A582\ntdll.pdb
        Loaded symbol image file: ntdll.dll
        Image path: C:\Windows\System32\ntdll.dll
        Image name: ntdll.dll
        Timestamp:        Sat Nov 20 07:05:02 2010 (4CE7B96E)
        CheckSum:         001490D9
        ImageSize:        0013C000
        File version:     6.1.7601.17514
        Product version:  6.1.7601.17514
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     ntdll.dll
        OriginalFilename: ntdll.dll
        ProductVersion:   6.1.7601.17514
        FileVersion:      6.1.7601.17514 (win7sp1_rtm.101119-1850)
        FileDescription:  NT Layer DLL
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
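Added example (not part of the thread and not any poster's code): because the crashes are reported across many machines, a small Python script can reduce each saved `!analyze -v` output to its failure bucket, the modules on the faulting stack and any modules the debugger could not load symbols for, so dumps can be compared across the fleet. The function names are hypothetical, the sample text is trimmed from the output quoted above, and the frame regex assumes the 32-bit `kb` column layout shown there.

```python
import re
from collections import Counter

# Constructed sample: trimmed from the `!analyze -v` text quoted in the post above.
SAMPLE = """\
*** ERROR: Module load completed but symbols could not be loaded for sxwmon32.dll

PROCESS_NAME:  explorer.exe

STACK_TEXT:
01d5fa38 777bfd61 000bc898 776406cf 00000000 ntdll!TppWaiterpDoTransitions+0xd0
01d5fbbc 76a2ed6c 00000000 01d5fc08 777f37f5 ntdll!TppWaiterpThread+0x9e
01d5fbc8 777f37f5 000bc898 7764017b 00000000 kernel32!BaseThreadInitThunk+0xe

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_ntdll.dll!TppWaiterpDoTransitions
"""

FIELD = re.compile(r"^([A-Z][A-Z0-9_]+):\s*(.*)$")
NO_SYMBOLS = re.compile(r"symbols could not be loaded for (\S+)")
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\w+)!")  # assumption: 32-bit `kb` layout

def parse_analyze(text):
    """Split `!analyze -v` text into {FIELD: [value lines]} plus unsymbolized modules."""
    fields, unsymbolized, key = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NO_SYMBOLS.search(line)):
            unsymbolized.append(m.group(1))
        elif (m := FIELD.match(line)):
            key = m.group(1)
            fields[key] = [m.group(2)] if m.group(2) else []
        elif line and key:
            fields[key].append(line)   # continuation of a multi-line field
        else:
            key = None                 # blank line closes the current field
    return fields, unsymbolized

def triage(text):
    """Reduce one dump's analysis to the facts worth comparing across machines."""
    fields, unsymbolized = parse_analyze(text)
    first = lambda k: (fields.get(k) or [None])[0]
    frames = fields.get("STACK_TEXT", [])
    # Modules on the faulting stack, de-duplicated in call order.
    modules = list(dict.fromkeys(m.group(1) for f in frames if (m := FRAME.match(f))))
    return {"process": first("PROCESS_NAME"), "bucket": first("FAILURE_BUCKET_ID"),
            "stack_modules": modules, "unsymbolized": unsymbolized}

def bucket_counts(outputs):  # dumps per bucket: does the fleet share one fault?
    return Counter(triage(o)["bucket"] for o in outputs)
```

Modules listed under `unsymbolized` are the ones to inspect further with `lmvm`, as was done for ntdll in the output above.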


  7. Posts : 14
    Windows 7
    Thread Starter
       #7

    Hi USAMSA,
    Did you manage to get your friend to have a look?
    I ran the Resource/Performance Monitor and the Diagnostic results all passed. I don't really want to publish the report as it has a lot of network info that I don't really want public, if you know what I mean.


  8. Posts : 5,705
    Win7 x64 + x86
       #8

    He's suspicious of the "3rd party corporate A/V", but hasn't been able to find anything in particular. I'd uninstall the antivirus and use one of the free removal tools to get rid of its remnants: Antivirus Uninstallers

    Then use a free Antivirus for testing purposes: Free AntiVirus
    When finished testing feel free to install a fresh copy of your usual antivirus (if so desired).

    Subtract out the info that you don't want to post and see what we've got. I don't know how much you'll provide, but I'll do my best with what I've got.


 
