Solved Explorer crashing constantly, dump file from WinDBG included

[Morgion]

Explorer crashing

Explorer.exe has started crashing recently (not randomly, it's always when doing certain things, fully reproduceable). It's the infamous one with exception code 0xc000041d. I followed the steps in this thread and now have the dump file at hand (down there ). If someone could tell me what causes the crash, I'd be real happy and all. If you want more information, I've got lots to give. I've got Win7 64-bit.

 

[Capt.Jack Sparrow]

Explorer.exe has started crashing recently (not randomly, it's always when doing certain things, fully reproduceable). It's the infamous one with exception code 0xc000041d. I followed the steps in this thread and now have the dump file at hand (down there ). If someone could tell me what causes the crash, I'd be real happy and all. If you want more information, I've got lots to give. I've got Win7 64-bit.

Hello ! Welcome to SF !

You said it's reproducible so while doing what the Explorer crashes. Please mention the steps. Meanwhile i'll look at the Dump files

- Captain

 

[Capt.Jack Sparrow]

Hello,

You get a INVALID_POINTER_READ which casues the Explorer to crash. But from the callstack I can't see the cause.

Download the ShellExView is an excellent tool to view and manage all installed shell extensions. The rule is to disable non-Microsoft context menu handlers *one-by-one* and verify if the problem is solved. If disabling one does not solve the problem, undo the disabled item and disable the next non-Microsoft handler. Do the same until the problem is solved and finally identify the culprit. Scroll right to see the Company Name column in ShellExView.

Hope this helps,
Captain

 

[Morgion]

Thanks for the quick reply!
I've got two ways to reproduce the issue:
I. Playing any music or video file with BS.Player or changing the file being played (if there are multiple files in the playlist) crashes explorer. The player keeps on playing just fine, but explorer crashes in the background. VLC player and Windows Media Player don't crash explorer, probably because neither of them uses codecs, while BS.Player does. However, it's not the codices' (sp?) fault (at least I highly doubt it), because I haven't updated or touched the codices in any way for half a year or so (and I have no program that updates them on it's own) and the crashes started a week or so ago. So I blame explorer, not the codices.
II. By disconnecting a memory stick or other flash drive via the bottom bar (by clicking the little arrow pointing upwards and then selecting the disconnecting-button-thing). The device disconnects just fine but explorer crashes. I reproduced this issue and made a dump via WinDBG. It's down there.

 

[Capt.Jack Sparrow]

Hello,

Run this Registry File and when the explorer.exe crashes go to C:\Localdump and upload the Files it would have more information than the one we generate.

View attachment 91585

Also follow the steps i have mentioned before. Also it's worth running SFC/ SCANNOW because the Dump is pointing to comctl32.dll

Hope this helps,
Captain

 

[cluberti]

A chkimg check of explorer.exe comes up with an image that doesn't checksum, because the VA in the process space has been corrupted (which is causing the failure):

0:005> !chkimg -lo 50 -d !explorer
ff41cbb0-ff41cbb2 3 bytes - explorer!CTrayNotify::_CanShowBalloon
[ ff f3 48:60 8b ec ]
ff41cbb4-ff41cbb9 6 bytes - explorer!CTrayNotify::_CanShowBalloon+4 (+0x04)
[ ec 20 83 b9 68 04:c4 f0 64 8b 1d 30 ]
ff41cbbd-ff41cbd1 21 bytes - explorer!CTrayNotify::_CanShowBalloon+d (+0x09)
[ 48 8b da 0f 84 1b 35 03:8b 43 0c 8b 40 14 8b 00 ]
ff41cbd3-ff41cbd7 5 bytes - explorer!CTrayNotify::_CanShowBalloon+1b (+0x16)
[ 83 b9 5c 04 00:00 68 00 00 01 ]
ff41cbd9-ff41cbdb 3 bytes - explorer!CTrayNotify::_CanShowBalloon+21 (+0x06)
[ 00 0f 85:6a 00 05 ]
ff41cbdd-ff41cbde 2 bytes - explorer!CTrayNotify::_CanShowBalloon+25 (+0x04)
[ 35 03:18 01 ]
ff41cbe0-ff41cbe5 6 bytes - explorer!CTrayNotify::_CanShowBalloon+24 (+0x03)
[ 48 8d 0d 99 ba 0b:ff d0 89 45 fc e8 ]
ff41cbe7-ff41cbf1 11 bytes - explorer!CTrayNotify::_CanShowBalloon+2b (+0x07)
[ e8 04 01 00 00 b9 01 00:00 00 00 5b 89 5d f0 81 ]
ff41cbf3-ff41cc00 14 bytes - explorer!CTrayNotify::_CanShowBalloon+37 (+0x0c)
[ 0f 84 e5 34 03 00 83 f8:02 00 81 eb fa 67 2a 00 ]
ff41cc02-ff41cc1d 28 bytes - explorer!CTrayNotify::_CanShowBalloon+3e (+0x0f)
[ 83 f8 03 0f 84 ce 34 03:50 b8 7e 68 2a 00 03 c3 ]
ff41cc1f-ff41cc56 56 bytes - explorer!CTrayNotify::_CanShowBalloon+65 (+0x1d)
[ 8b c1 48 83 c4 20 5b c3:00 8b 4d fc 81 c1 00 10 ]
ff41cc58-ff41cc75 30 bytes - explorer!CTrayNotify::_ShowInfoTip+1a7 (+0x39)
[ 45 85 e4 0f 84 ce 59 ff:00 8b 55 f4 81 c2 ec 34 ]
185 errors : !explorer (ff41cbb0-ff41cc75)

Further, the base pointer address (stored in rbp), which tells the process where this thread's start info is, has been corrupted (note it's 0x0 - impossible):

0:005> r
rax=0000000007b14750 rbx=0000000000000000 rcx=0000000076d6a08a
rdx=0000000000000000 rsi=0000000007b14750 rdi=00000000ff4d8738
rip=00000000ff41cc2b rsp=00000000023beca0 rbp=0000000000000000
 r8=00000000023beb68  r9=00000000003106b4 r10=0000000000000000
r11=0000000000000206 r12=0000000000000001 r13=0000000000000001
r14=0000000000000000 r15=00000000ff4d8a60

Capt. Jack is probably right when he suggests you disable all of the non-Microsoft add-on extensions loaded in explorer and see if it reproduces at that point. Here are the extensions you have loaded according to your dump:

0:005> lmivm RarExt
start             end                 module name
000007fe`f7a60000 000007fe`f7a93000   RarExt     (deferred)             
    Symbol file: RarExt.dll
    Image path: C:\Program Files\WinRAR\RarExt.dll
    Image name: RarExt.dll
    Timestamp:        Sat Dec 12 05:12:02 2009 (4B236C72)
    CheckSum:         0002C711
    ImageSize:        00033000
    File version:     3.91.0.0
    Product version:  3.91.0.0
    File flags:       0 (Mask 0)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
 
0:005> lmivm shlext64
start             end                 module name
00000001`80000000 00000001`80055000   shlext64   (deferred)             
    Symbol file: shlext64.dll
    Image path: C:\Program Files (x86)\Avira\AntiVir Desktop\shlext64.dll
    Image name: shlext64.dll
    Timestamp:        Mon Feb 01 09:43:15 2010 (4B66E883)
    CheckSum:         00050844
    ImageSize:        00055000
    File version:     10.0.0.3
    Product version:  10.0.0.3
    File flags:       28 (Mask 3F) Private Special
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
 
0:005> lmivm 7_zip
start             end                 module name
00000000`10000000 00000000`1001c000   7_zip      (deferred)             
    Symbol file: 7-zip.dll
    Image path: C:\Program Files\7-Zip\7-zip.dll
    Image name: 7-zip.dll
    Timestamp:        Tue Feb 03 02:10:19 2009 (4987EDDB)
    CheckSum:         00000000
    ImageSize:        0001C000
    File version:     4.65.0.0
    Product version:  4.65.0.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

 

[Morgion]

Run this Registry File and when the explorer.exe crashes go to C:\Localdump and upload the Files it would have more information than the one we generate.

The LocalDumps.zip contains three dump files generated after your .reg file, hopefully they are of use Two of them are the result of the BS.Player crash and the third of the flash drive disconnecting crash.

@cluberti Thanks for all the info, I'm not surprised to find out that there is something corrupted in the workings. However, forgive my ignorance, but could you explain the following in layman's terms?

A chkimg check of explorer.exe comes up with an image that doesn't checksum, because the VA in the process space has been corrupted (which is causing the failure)

EDIT: The ShellExView trick didn't work, I'll do the SFC /SCANNOW now.

EDIT #2: I did the SFC scan, rebooted and try as I might, I can't reproduce the crash anymore. Everything seems okay for now, so I guess I should thank you two for your help. Unless the crashes come back, you probably wont hear from me anymore.

So a big THANK YOU for you two fellas!

 

[cluberti]

No worries - it was one or the other. It did appear explorer.exe was corrupted in memory, so it was either a shell extension causing it, or the file itself was corrupt (seems like it was the latter).