Server 2008R2 Terminal Server explorer.exe crashes ntdll.dll fault

-1

I am having a hell of a time trying to figure this one out! I enabled explorer.exe local dumps to my C drive and I was able to analyze these dumps below. I have disabled any 3rd party Context Menu's using ShellExView and these are still occurring. I see all originate from one users account based off of file ownership. I rebuilt that users profile and now I get 2 others from another user who has never logged a crash after a week of logging. This is a Windows 2008R2 Enterprise Server running as a Terminal Server. The event log always references ntdll.dll as the culprit. Below is when I could actually get my windbg to work for me.

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\LocalDumps\explorer.exe.25072.dmp] User Mini Dump File: Only registers, stack and portions of memory are available

Symbol search path is: SRVc:\symbolshxxp://msdl.microsoft.com/download/symbols Executable search path is: Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x64 Product: Server, suite: Enterprise TerminalServer Machine Name: Debug session time: Fri Aug 30 11:25:18.000 2013 (UTC - 7:00) System Uptime: not available Process Uptime: 0 days 0:11:03.000 ................................................................ ................................................................ ...................... Loading unloaded module list .......................... This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. (61f0.63a0): Access violation - code c0000005 (first/second chance not available) ntdll!NtWaitForMultipleObjects+0xa: 00000000`76ec186a c3 ret 0:018> !analyze -v

  • *
  • Exception Analysis *
  • *

GetPageUrlData failed, server returned HTTP status 404 URL requested: hxxp://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17567/4d672ee4/ntdll_dll/6_1_7601_18205/51dba4e7/c0000005/00053290.htm?Retriage=1

FAULTING_IP: ntdll!RtlFreeHeap+d0 00000000`76ec3290 4c8b6308 mov r12,qword ptr [rbx+8]

EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0000000076ec3290 (ntdll!RtlFreeHeap+0x00000000000000d0) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000000 Parameter[1]: 000006b18dc02968 Attempt to read from address 000006b18dc02968

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 000006b18dc02968

READ_ADDRESS: 000006b18dc02968

FOLLOWUP_IP: ntdll!RtlFreeHeap+d0 00000000`76ec3290 4c8b6308 mov r12,qword ptr [rbx+8]

MOD_LIST:

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer

FAULTING_THREAD: 00000000000063a0

DEFAULT_BUCKET_ID: HEAP_CORRUPTION

PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION

BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_FILL_PATTERN_ffffffff

LAST_CONTROL_TRANSFER: from 00000000768b300a to 0000000076ec3290

STACK_TEXT:
000000000773f5d0 00000000768b300a : 000000000676d9b0 0000000000000000 0000000000000002 0000000000000000 : ntdll!RtlFreeHeap+0xd0 000000000773f650 000007fefbd40b50 : 000000000676d9b0 000007fefeb696b5 00000000066aa090 000007fefe7b8a17 : kernel32!HeapFree+0xa 000000000773f680 000007fef051b9d0 : 00000000065b2320 0000000000000000 0000000003e4b050 0000a59624af0ec9 : comctl32!DSA_Destroy+0x34 000000000773f6b0 000007fef057cb52 : 0000000003932450 0000000003932450 0000000007fcb090 000007fefd39557a : EXPLORERFRAME!DSA_Destroy+0x38 000000000773f6e0 000007fef057c9fc : 0000000000000001 0000000000000000 0000000000000002 0000000000000000 : EXPLORERFRAME!CExplorerFrame::~CExplorerFrame+0x181 000000000773f710 000007fef057bf2a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : EXPLORERFRAME!CExplorerFrame::scalar deleting destructor'+0x14 000000000773f740 000007fef0524995 : 0000000080000000 0000000000000000 0000000003932450 000006e2000c000b : EXPLORERFRAME!CExplorerFrame::Release+0x29 000000000773f770 000007fef052509b : 00000000068e2758 0000000003ed0480 0000000000000000 0000000000000000 : EXPLORERFRAME!BrowserThreadProc+0x1f0 000000000773f7f0 000007fef0525032 : 1431217f00000001 000000000657f6f0 000000007fffffff 000007fefd389f40 : EXPLORERFRAME!BrowserNewThreadProc+0x53 000000000773f820 000007fef051be50 : 000000000657f810 0000000003938880 0000000000000000 000007fefd81f280 : EXPLORERFRAME!CExplorerTask::InternalResumeRT+0x12 000000000773f850 000007fefd81f1cf : 8000000001000000 000000000773f8e0 000000000657f810 0000000000000008 : EXPLORERFRAME!CRunnableTask::Run+0xda 000000000773f880 000007fefd822d6e : 000000000657f810 0000000000000000 000000000657f810 0000000000000002 : shell32!CShellTask::TT_Run+0x124 000000000773f8b0 000007fefd822eba : 00000000003ddc00 00000000003ddc00 0000000000000000 0000000000000010 : shell32!CShellTaskThread::ThreadProc+0x1d2 000000000773f950 000007fefe7bc71e : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : shell32!CShellTaskThread::s_ThreadProc+0x22 000000000773f980 00000000768a652d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : shlwapi!WrapperThreadProc+0x19b 000000000773fa80 0000000076e9c541 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd 000000000773fab0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

SYMBOL_NAME: heap_corruption!heap_corruption

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: heap_corruption

IMAGE_NAME: heap_corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: ~18s; .ecxr ; kb

FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption

BUCKET_ID: X64_APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_FILL_PATTERN_ffffffff_heap_corruption!heap_corruption

WATSON_STAGEONE_URL: hxxp://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17567/4d672ee4/ntdll_dll/6_1_7601_18205/51dba4e7/c0000005/00053290.htm?Retriage=1

Followup: MachineOwner

0:018> lmvm shlwapi start end module name 000007fefe7b0000 000007fefe821000 shlwapi (pdb symbols) c:\symbols\shlwapi.pdb\0820A0750C1A4E2597E17DEA57D049542\shlwapi.pdb Loaded symbol image file: shlwapi.dll Mapped memory image file: c:\symbols\shlwapi.dll\4CE7C9AB71000\shlwapi.dll Image path: C:\Windows\System32\shlwapi.dll Image name: shlwapi.dll Timestamp: Sat Nov 20 05:14:19 2010 (4CE7C9AB) CheckSum: 0007CD14 ImageSize: 00071000 File version: 6.1.7601.17514 Product version: 6.1.7601.17514 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Microsoft Corporation ProductName: Microsoft® Windows® Operating System InternalName: SHLWAPI OriginalFilename: SHLWAPI.DLL ProductVersion: 6.1.7601.17514 FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850) FileDescription: Shell Light-weight Utility Library LegalCopyright: © Microsoft Corporation. All rights reserved. 0:018> lmvm kernel32 start end module name 0000000076890000 00000000769af000 kernel32 (pdb symbols) c:\symbols\kernel32.pdb\C4312728BA1F4691955E99B2E026FAFC2\kernel32.pdb Loaded symbol image file: kernel32.dll Mapped memory image file: c:\symbols\kernel32.dll\50B8479A11f000\kernel32.dll Image path: C:\Windows\System32\kernel32.dll Image name: kernel32.dll Timestamp: Thu Nov 29 21:43:54 2012 (50B8479A) CheckSum: 00123FEF ImageSize: 0011F000 File version: 6.1.7601.18015 Product version: 6.1.7601.18015 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Microsoft Corporation ProductName: Microsoft® Windows® Operating System InternalName: kernel32 OriginalFilename: kernel32 ProductVersion: 6.1.7601.18015 FileVersion: 6.1.7601.18015 (win7sp1_gdr.121129-1432) FileDescription: Windows NT BASE API Client DLL LegalCopyright: © Microsoft Corporation. All rights reserved.

Here is a 2nd one

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\LocalDumps\explorer.exe.13372.dmp] User Mini Dump File with Full Memory: Only application data is available

Symbol search path is: SRVC:\symbolshxxp://msdl.microsoft.com/download/symbols Executable search path is: Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x64 Product: Server, suite: Enterprise TerminalServer Machine Name: Debug session time: Thu Sep 5 12:04:15.000 2013 (UTC - 7:00) System Uptime: 0 days 11:38:22.995 Process Uptime: 0 days 4:09:49.000 ................................................................ ................................................................ ......... Loading unloaded module list ............................ This dump file has an exception of interest stored in it. The stored exception information can be accessed via .ecxr. (343c.5744): Unknown exception - code c0000374 (first/second chance not available) ntdll!ZwWaitForSingleObject+0xa: 00000000`770812fa c3 ret 0:019> !analyze -v

  • *
  • Exception Analysis *
  • *

GetPageUrlData failed, server returned HTTP status 404 URL requested: http://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17567/4d672ee4/ntdll_dll/6_1_7601_18205/51dba4e7/c0000374/000c4102.htm?Retriage=1

FAULTING_IP: ntdll!RtlReportCriticalFailure+62 00000000770f4102 eb00 jmp ntdll!RtlReportCriticalFailure+0x64 (00000000770f4104)

EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 00000000770f4102 (ntdll!RtlReportCriticalFailure+0x0000000000000062) ExceptionCode: c0000374 ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 000000007716b4b0

DEFAULT_BUCKET_ID: STATUS_HEAP_CORRUPTION

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_PARAMETER1: 000000007716b4b0

MOD_LIST:

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAULTING_THREAD: 0000000000005744

PRIMARY_PROBLEM_CLASS: STATUS_HEAP_CORRUPTION

BUGCHECK_STR: APPLICATION_FAULT_STATUS_HEAP_CORRUPTION

LAST_CONTROL_TRANSFER: from 00000000770f4746 to 00000000770f4102

STACK_TEXT:
0000000004adee50 00000000770f4746 : 0000000000000002 0000000000000023 0000000000000000 0000000000000003 : ntdll!RtlReportCriticalFailure+0x62 0000000004adef20 00000000770f5952 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlpReportHeapFailure+0x26 0000000004adef50 00000000770f7604 : 0000000000330000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlpHeapHandleError+0x12 0000000004adef80 00000000770a4616 : 0000000003563560 0000000000330000 0000000003563550 0000000000000000 : ntdll!RtlpLogHeapFailure+0xa4 0000000004adefb0 000007fefbf0173d : 0000000000000020 000000000355a1a0 00000000003b0d40 0000000000000000 : ntdll! ?? ::FNODOBFM::string'+0x1c750 0000000004adf0c0 000007fefbf00d39 : 0000000000000000 000007fefdf7ad76 000007fefe340770 000007fefdf79dae : comctl32!CCv6s_HeapReallocArray<void>+0x51 0000000004adf100 000007fefbf00e33 : 000000000355b3b0 0000000000000000 0000000004adf200 0000000000000000 : comctl32!DSA_Preallocate+0x85 0000000004adf150 000007fefdf62433 : 0000000004adf200 000000000355a1a0 0000000004adf2a8 00000000003d7db0 : comctl32!DSA_InsertItem+0x2f 0000000004adf180 000007fefdf26b53 : 0000000000000000 0000000000000038 0000000003597bf0 0000000004adf2a8 : shell32!DSA_InsertItem+0x4b 0000000004adf1b0 000007fefdf03dbc : 00000000ffffffff 000007fefdc93981 000000000037b5b0 000007fefdc93c99 : shell32!CCollectionLock::GetSingleQueueItem+0x261 0000000004adf270 000007fefdf4c6bc : 00000000003c82d0 00000000035586c0 0000000000000000 0000000000000000 : shell32!CChangeNotifyTask::InternalResumeRT+0x6f 0000000004adf2d0 000007fefdf7f1cf : 8000000001000000 0000000004adf360 00000000003c82d0 000000000000000a : shell32!CRunnableTask::Run+0xda 0000000004adf300 000007fefdf82d6e : 00000000003c82d0 0000000000000000 00000000003c82d0 0000000000000002 : shell32!CShellTask::TT_Run+0x124 0000000004adf330 000007fefdf82eba : 00000000034976a0 00000000034976a0 0000000000000000 000000000037fd78 : shell32!CShellTaskThread::ThreadProc+0x1d2 0000000004adf3d0 000007fefdac3843 : 000007fffffd9000 0000000000421800 0000000000372ff0 000000000037fd78 : shell32!CShellTaskThread::s_ThreadProc+0x22 0000000004adf400 00000000770515db : 0000000003548400 0000000003548400 0000aa51bbd1c4b8 0000000000000001 : shlwapi!ExecuteWorkItemThreadProc+0xf 0000000004adf430 0000000077050c56 : 0000000000000000 0000000003497780 0000000000372ff0 0000000003554a88 : ntdll!RtlpTpWorkCallback+0x16b 0000000004adf510 0000000076ab652d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x5ff 0000000004adf810 000000007705c541 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0xd 0000000004adf840 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

FOLLOWUP_IP: shell32!DSA_InsertItem+4b 000007fefdf62433 eb00 jmp shell32!DSA_InsertItem+0x50 (000007fefdf62435)

SYMBOL_STACK_INDEX: 8

SYMBOL_NAME: shell32!DSA_InsertItem+4b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: shell32

IMAGE_NAME: shell32.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 512d9f39

STACK_COMMAND: ~19s; .ecxr ; kb

FAILURE_BUCKET_ID: STATUS_HEAP_CORRUPTION_c0000374_shell32.dll!DSA_InsertItem

BUCKET_ID: X64_APPLICATION_FAULT_STATUS_HEAP_CORRUPTION_shell32!DSA_InsertItem+4b

WATSON_STAGEONE_URL: hxxp://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17567/4d672ee4/ntdll_dll/6_1_7601_18205/51dba4e7/c0000374/000c4102.htm?Retriage=1

Followup: MachineOwner

windows-server-2008-r2
windows-terminal-services
asked on Server Fault Sep 6, 2013 by user188938

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0