Explorer crashing constantly, dump file from WinDBG included


  1. Posts : 3
    Windows 7 64-bit
       #1

    Explorer crashing


    Explorer.exe has started crashing recently (not randomly, it's always when doing certain things, fully reproducible). It's the infamous one with exception code 0xc000041d. I followed the steps in this thread and now have the dump file at hand (down there). If someone could tell me what causes the crash, I'd be real happy and all. If you want more information, I've got lots to give. :) I've got Win7 64-bit.
    Last edited by Morgion; 16 Aug 2010 at 16:17.


  2. Posts : 4,772
    Windows 7 Ultimate - 64-bit | Windows 8 Pro - 64-bit
       #2

    Morgion said:
    Explorer.exe has started crashing recently (not randomly, it's always when doing certain things, fully reproducible). It's the infamous one with exception code 0xc000041d. I followed the steps in this thread and now have the dump file at hand (down there). If someone could tell me what causes the crash, I'd be real happy and all. If you want more information, I've got lots to give. :) I've got Win7 64-bit.
    Hello! Welcome to SF!

    You said it's reproducible, so what are you doing when Explorer crashes? Please mention the steps. Meanwhile I'll look at the dump files.

    - Captain


  3. Posts : 4,772
    Windows 7 Ultimate - 64-bit | Windows 8 Pro - 64-bit
       #3

    Hello,

    You get an INVALID_POINTER_READ, which causes Explorer to crash. But from the call stack I can't see the cause.

    Download ShellExView, an excellent tool to view and manage all installed shell extensions. The rule is to disable non-Microsoft context menu handlers *one-by-one* and verify if the problem is solved. If disabling one does not solve the problem, undo the disabled item and disable the next non-Microsoft handler. Do the same until the problem is solved and finally identify the culprit. Scroll right to see the Company Name column in ShellExView.

    Hope this helps,
    Captain


  4. Posts : 3
    Windows 7 64-bit
    Thread Starter
       #4

    Thanks for the quick reply!
    I've got two ways to reproduce the issue:
    I. Playing any music or video file with BS.Player or changing the file being played (if there are multiple files in the playlist) crashes explorer. The player keeps on playing just fine, but explorer crashes in the background. VLC player and Windows Media Player don't crash explorer, probably because neither of them uses codecs, while BS.Player does. However, it's not the codices' (sp?) fault (at least I highly doubt it), because I haven't updated or touched the codices in any way for half a year or so (and I have no program that updates them on its own) and the crashes started a week or so ago. So I blame explorer, not the codices.
    II. By disconnecting a memory stick or other flash drive via the bottom bar (by clicking the little arrow pointing upwards and then selecting the disconnecting-button-thing). The device disconnects just fine but explorer crashes. I reproduced this issue and made a dump via WinDBG. It's down there.


  5. Posts : 4,772
    Windows 7 Ultimate - 64-bit | Windows 8 Pro - 64-bit
       #5

    Hello,

    Run this registry file, and when explorer.exe crashes, go to C:\Localdump and upload the files; they would have more information than the one we generate.

    Attachment 91585

    Also follow the steps I have mentioned before. It's also worth running SFC /SCANNOW because the dump is pointing to comctl32.dll.

    Hope this helps,
    Captain


  6. Posts : 2,528
    Windows 10 Pro x64
       #6

    A chkimg check of explorer.exe comes up with an image that doesn't checksum, because the VA in the process space has been corrupted (which is causing the failure):
    Code:
    0:005> !chkimg -lo 50 -d !explorer
    ff41cbb0-ff41cbb2 3 bytes - explorer!CTrayNotify::_CanShowBalloon
    [ ff f3 48:60 8b ec ]
    ff41cbb4-ff41cbb9 6 bytes - explorer!CTrayNotify::_CanShowBalloon+4 (+0x04)
    [ ec 20 83 b9 68 04:c4 f0 64 8b 1d 30 ]
    ff41cbbd-ff41cbd1 21 bytes - explorer!CTrayNotify::_CanShowBalloon+d (+0x09)
    [ 48 8b da 0f 84 1b 35 03:8b 43 0c 8b 40 14 8b 00 ]
    ff41cbd3-ff41cbd7 5 bytes - explorer!CTrayNotify::_CanShowBalloon+1b (+0x16)
    [ 83 b9 5c 04 00:00 68 00 00 01 ]
    ff41cbd9-ff41cbdb 3 bytes - explorer!CTrayNotify::_CanShowBalloon+21 (+0x06)
    [ 00 0f 85:6a 00 05 ]
    ff41cbdd-ff41cbde 2 bytes - explorer!CTrayNotify::_CanShowBalloon+25 (+0x04)
    [ 35 03:18 01 ]
    ff41cbe0-ff41cbe5 6 bytes - explorer!CTrayNotify::_CanShowBalloon+24 (+0x03)
    [ 48 8d 0d 99 ba 0b:ff d0 89 45 fc e8 ]
    ff41cbe7-ff41cbf1 11 bytes - explorer!CTrayNotify::_CanShowBalloon+2b (+0x07)
    [ e8 04 01 00 00 b9 01 00:00 00 00 5b 89 5d f0 81 ]
    ff41cbf3-ff41cc00 14 bytes - explorer!CTrayNotify::_CanShowBalloon+37 (+0x0c)
    [ 0f 84 e5 34 03 00 83 f8:02 00 81 eb fa 67 2a 00 ]
    ff41cc02-ff41cc1d 28 bytes - explorer!CTrayNotify::_CanShowBalloon+3e (+0x0f)
    [ 83 f8 03 0f 84 ce 34 03:50 b8 7e 68 2a 00 03 c3 ]
    ff41cc1f-ff41cc56 56 bytes - explorer!CTrayNotify::_CanShowBalloon+65 (+0x1d)
    [ 8b c1 48 83 c4 20 5b c3:00 8b 4d fc 81 c1 00 10 ]
    ff41cc58-ff41cc75 30 bytes - explorer!CTrayNotify::_ShowInfoTip+1a7 (+0x39)
    [ 45 85 e4 0f 84 ce 59 ff:00 8b 55 f4 81 c2 ec 34 ]
    185 errors : !explorer (ff41cbb0-ff41cc75)
    Further, the base pointer address (stored in rbp), which tells the process where this thread's start info is, has been corrupted (note it's 0x0 - impossible):
    Code:
    0:005> r
    rax=0000000007b14750 rbx=0000000000000000 rcx=0000000076d6a08a
    rdx=0000000000000000 rsi=0000000007b14750 rdi=00000000ff4d8738
    rip=00000000ff41cc2b rsp=00000000023beca0 rbp=0000000000000000
     r8=00000000023beb68  r9=00000000003106b4 r10=0000000000000000
    r11=0000000000000206 r12=0000000000000001 r13=0000000000000001
    r14=0000000000000000 r15=00000000ff4d8a60
    Capt. Jack is probably right when he suggests you disable all of the non-Microsoft add-on extensions loaded in explorer and see if it reproduces at that point. Here are the extensions you have loaded according to your dump:
    Code:
    0:005> lmivm RarExt
    start             end                 module name
    000007fe`f7a60000 000007fe`f7a93000   RarExt     (deferred)             
        Symbol file: RarExt.dll
        Image path: C:\Program Files\WinRAR\RarExt.dll
        Image name: RarExt.dll
        Timestamp:        Sat Dec 12 05:12:02 2009 (4B236C72)
        CheckSum:         0002C711
        ImageSize:        00033000
        File version:     3.91.0.0
        Product version:  3.91.0.0
        File flags:       0 (Mask 0)
        File OS:          4 Unknown Win32
        File type:        1.0 App
        File date:        00000000.00000000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
     
    0:005> lmivm shlext64
    start             end                 module name
    00000001`80000000 00000001`80055000   shlext64   (deferred)             
        Symbol file: shlext64.dll
        Image path: C:\Program Files (x86)\Avira\AntiVir Desktop\shlext64.dll
        Image name: shlext64.dll
        Timestamp:        Mon Feb 01 09:43:15 2010 (4B66E883)
        CheckSum:         00050844
        ImageSize:        00055000
        File version:     10.0.0.3
        Product version:  10.0.0.3
        File flags:       28 (Mask 3F) Private Special
        File OS:          4 Unknown Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
     
    0:005> lmivm 7_zip
    start             end                 module name
    00000000`10000000 00000000`1001c000   7_zip      (deferred)             
        Symbol file: 7-zip.dll
        Image path: C:\Program Files\7-Zip\7-zip.dll
        Image name: 7-zip.dll
        Timestamp:        Tue Feb 03 02:10:19 2009 (4987EDDB)
        CheckSum:         00000000
        ImageSize:        0001C000
        File version:     4.65.0.0
        Product version:  4.65.0.0
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
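
The cross-check below is an added example, not part of cluberti's post: it parses the `!chkimg -d` range lines shown in post #6, confirms they add up to the reported error count, and tests whether the faulting `rip` from the register dump lies inside a mismatched range. The names `summarize`, `addr`, `CHKIMG` and `RIP` are made up for this example.

```python
import re

# Range lines and footer copied from the !chkimg output in post #6. Only the
# first "[ expected:in-memory ]" byte line is kept; the parser skips those.
CHKIMG = """\
ff41cbb0-ff41cbb2 3 bytes - explorer!CTrayNotify::_CanShowBalloon
[ ff f3 48:60 8b ec ]
ff41cbb4-ff41cbb9 6 bytes - explorer!CTrayNotify::_CanShowBalloon+4 (+0x04)
ff41cbbd-ff41cbd1 21 bytes - explorer!CTrayNotify::_CanShowBalloon+d (+0x09)
ff41cbd3-ff41cbd7 5 bytes - explorer!CTrayNotify::_CanShowBalloon+1b (+0x16)
ff41cbd9-ff41cbdb 3 bytes - explorer!CTrayNotify::_CanShowBalloon+21 (+0x06)
ff41cbdd-ff41cbde 2 bytes - explorer!CTrayNotify::_CanShowBalloon+25 (+0x04)
ff41cbe0-ff41cbe5 6 bytes - explorer!CTrayNotify::_CanShowBalloon+24 (+0x03)
ff41cbe7-ff41cbf1 11 bytes - explorer!CTrayNotify::_CanShowBalloon+2b (+0x07)
ff41cbf3-ff41cc00 14 bytes - explorer!CTrayNotify::_CanShowBalloon+37 (+0x0c)
ff41cc02-ff41cc1d 28 bytes - explorer!CTrayNotify::_CanShowBalloon+3e (+0x0f)
ff41cc1f-ff41cc56 56 bytes - explorer!CTrayNotify::_CanShowBalloon+65 (+0x1d)
ff41cc58-ff41cc75 30 bytes - explorer!CTrayNotify::_ShowInfoTip+1a7 (+0x39)
185 errors : !explorer (ff41cbb0-ff41cc75)
"""
RIP = 0xFF41CC2B  # rip from the `r` register dump in the same post

RANGE = re.compile(r"\s*([0-9a-f`]+)-([0-9a-f`]+)\s+(\d+) bytes? - (\S+)")
FOOTER = re.compile(r"\s*(\d+) errors : !\S+ \(([0-9a-f`]+)-([0-9a-f`]+)\)")

def addr(text):
    """Parse a WinDbg address, with or without the ` separator."""
    return int(text.replace("`", ""), 16)

def summarize(chkimg_text, ip):
    """Cross-check the mismatch ranges and locate ip among them."""
    ranges, footer = [], None
    for line in chkimg_text.splitlines():
        if m := RANGE.match(line):
            start, end = addr(m[1]), addr(m[2])
            if end - start + 1 != int(m[3]):
                raise ValueError(f"byte count disagrees with range: {line!r}")
            ranges.append((start, end, m[4]))
        elif m := FOOTER.match(line):
            footer = (int(m[1]), addr(m[2]), addr(m[3]))
    changed = sum(end - start + 1 for start, end, _ in ranges)
    lo, hi = min(r[0] for r in ranges), max(r[1] for r in ranges)
    return {"changed": changed, "span": hi - lo + 1,
            "footer_ok": footer == (changed, lo, hi),
            "ip_in": next((s for a, b, s in ranges if a <= ip <= b), None)}

if __name__ == "__main__":
    print(summarize(CHKIMG, RIP))
```

On this dump it reports 185 changed bytes within a 198-byte span, and `rip` lands in the range labelled `explorer!CTrayNotify::_CanShowBalloon+65`.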


  7. Posts : 3
    Windows 7 64-bit
    Thread Starter
       #7

    Capt.Jack Sparrow said:
    Run this registry file, and when explorer.exe crashes, go to C:\Localdump and upload the files; they would have more information than the one we generate.
    The LocalDumps.zip contains three dump files generated after your .reg file, hopefully they are of use :) Two of them are the result of the BS.Player crash and the third of the flash drive disconnecting crash.

    @cluberti Thanks for all the info, I'm not surprised to find out that there is something corrupted in the workings. However, forgive my ignorance, but could you explain the following in layman's terms?
    A chkimg check of explorer.exe comes up with an image that doesn't checksum, because the VA in the process space has been corrupted (which is causing the failure)

    EDIT: The ShellExView trick didn't work, I'll do the SFC /SCANNOW now.

    EDIT #2: I did the SFC scan, rebooted and try as I might, I can't reproduce the crash anymore. Everything seems okay for now, so I guess I should thank you two for your help. Unless the crashes come back, you probably won't hear from me anymore.

    So a big THANK YOU to you two fellas!
    Last edited by Morgion; 17 Aug 2010 at 18:48.


  8. Posts : 2,528
    Windows 10 Pro x64
       #8

    No worries - it was one or the other. It did appear explorer.exe was corrupted in memory, so it was either a shell extension causing it, or the file itself was corrupt (seems like it was the latter).


 
