I am having a hell of a time trying to figure this one out! I enabled explorer.exe local dumps to my C drive and I was able to analyze the dumps below. I have disabled all third-party context menus using ShellExView and these are still occurring. I see they all originate from one user's account, based on file ownership. I rebuilt that user's profile and now I get two others from another user who has never logged a crash after a week of logging. This is a Windows Server 2008 R2 Enterprise server running as a Terminal Server. The event log always references ntdll.dll as the culprit. Below is what I got when I could actually get WinDbg to work for me.
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\LocalDumps\explorer.exe.25072.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Symbol search path is: SRV*c:\symbols*hxxp://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: Server, suite: Enterprise TerminalServer
Machine Name:
Debug session time: Fri Aug 30 11:25:18.000 2013 (UTC - 7:00)
System Uptime: not available
Process Uptime: 0 days 0:11:03.000
................................................................
................................................................
......................
Loading unloaded module list
..........................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(61f0.63a0): Access violation - code c0000005 (first/second chance not available)
ntdll!NtWaitForMultipleObjects+0xa:
00000000`76ec186a c3              ret
0:018> !analyze -v
GetPageUrlData failed, server returned HTTP status 404 URL requested: hxxp://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17567/4d672ee4/ntdll_dll/6_1_7601_18205/51dba4e7/c0000005/00053290.htm?Retriage=1
FAULTING_IP:
ntdll!RtlFreeHeap+d0
00000000`76ec3290 4c8b6308        mov     r12,qword ptr [rbx+8]
EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000076ec3290 (ntdll!RtlFreeHeap+0x00000000000000d0)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 000006b18dc02968
Attempt to read from address 000006b18dc02968
PROCESS_NAME: explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000006b18dc02968
READ_ADDRESS: 000006b18dc02968
FOLLOWUP_IP:
ntdll!RtlFreeHeap+d0
00000000`76ec3290 4c8b6308        mov     r12,qword ptr [rbx+8]
MOD_LIST:
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer
FAULTING_THREAD: 00000000000063a0
DEFAULT_BUCKET_ID: HEAP_CORRUPTION
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_FILL_PATTERN_ffffffff
LAST_CONTROL_TRANSFER: from 00000000768b300a to 0000000076ec3290
STACK_TEXT:
00000000`0773f5d0 00000000`768b300a : 00000000`0676d9b0 00000000`00000000 00000000`00000002 00000000`00000000 : ntdll!RtlFreeHeap+0xd0
00000000`0773f650 000007fe`fbd40b50 : 00000000`0676d9b0 000007fe`feb696b5 00000000`066aa090 000007fe`fe7b8a17 : kernel32!HeapFree+0xa
00000000`0773f680 000007fe`f051b9d0 : 00000000`065b2320 00000000`00000000 00000000`03e4b050 0000a596`24af0ec9 : comctl32!DSA_Destroy+0x34
00000000`0773f6b0 000007fe`f057cb52 : 00000000`03932450 00000000`03932450 00000000`07fcb090 000007fe`fd39557a : EXPLORERFRAME!DSA_Destroy+0x38
00000000`0773f6e0 000007fe`f057c9fc : 00000000`00000001 00000000`00000000 00000000`00000002 00000000`00000000 : EXPLORERFRAME!CExplorerFrame::~CExplorerFrame+0x181
00000000`0773f710 000007fe`f057bf2a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : EXPLORERFRAME!CExplorerFrame::`scalar deleting destructor'+0x14
00000000`0773f740 000007fe`f0524995 : 00000000`80000000 00000000`00000000 00000000`03932450 000006e2`000c000b : EXPLORERFRAME!CExplorerFrame::Release+0x29
00000000`0773f770 000007fe`f052509b : 00000000`068e2758 00000000`03ed0480 00000000`00000000 00000000`00000000 : EXPLORERFRAME!BrowserThreadProc+0x1f0
00000000`0773f7f0 000007fe`f0525032 : 1431217f`00000001 00000000`0657f6f0 00000000`7fffffff 000007fe`fd389f40 : EXPLORERFRAME!BrowserNewThreadProc+0x53
00000000`0773f820 000007fe`f051be50 : 00000000`0657f810 00000000`03938880 00000000`00000000 000007fe`fd81f280 : EXPLORERFRAME!CExplorerTask::InternalResumeRT+0x12
00000000`0773f850 000007fe`fd81f1cf : 80000000`01000000 00000000`0773f8e0 00000000`0657f810 00000000`00000008 : EXPLORERFRAME!CRunnableTask::Run+0xda
00000000`0773f880 000007fe`fd822d6e : 00000000`0657f810 00000000`00000000 00000000`0657f810 00000000`00000002 : shell32!CShellTask::TT_Run+0x124
00000000`0773f8b0 000007fe`fd822eba : 00000000`003ddc00 00000000`003ddc00 00000000`00000000 00000000`00000010 : shell32!CShellTaskThread::ThreadProc+0x1d2
00000000`0773f950 000007fe`fe7bc71e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : shell32!CShellTaskThread::s_ThreadProc+0x22
00000000`0773f980 00000000`768a652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : shlwapi!WrapperThreadProc+0x19b
00000000`0773fa80 00000000`76e9c541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0773fab0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
SYMBOL_NAME: heap_corruption!heap_corruption
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ~18s; .ecxr ; kb
FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
BUCKET_ID: X64_APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_READ_FILL_PATTERN_ffffffff_heap_corruption!heap_corruption
WATSON_STAGEONE_URL: hxxp://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17567/4d672ee4/ntdll_dll/6_1_7601_18205/51dba4e7/c0000005/00053290.htm?Retriage=1
0:018> lmvm shlwapi
start end module name
000007fe`fe7b0000 000007fe`fe821000   shlwapi    (pdb symbols)          c:\symbols\shlwapi.pdb\0820A0750C1A4E2597E17DEA57D049542\shlwapi.pdb
Loaded symbol image file: shlwapi.dll
Mapped memory image file: c:\symbols\shlwapi.dll\4CE7C9AB71000\shlwapi.dll
Image path: C:\Windows\System32\shlwapi.dll
Image name: shlwapi.dll
Timestamp: Sat Nov 20 05:14:19 2010 (4CE7C9AB)
CheckSum: 0007CD14
ImageSize: 00071000
File version: 6.1.7601.17514
Product version: 6.1.7601.17514
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: SHLWAPI
OriginalFilename: SHLWAPI.DLL
ProductVersion: 6.1.7601.17514
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
FileDescription: Shell Light-weight Utility Library
LegalCopyright: © Microsoft Corporation. All rights reserved.
0:018> lmvm kernel32
start end module name
00000000`76890000 00000000`769af000   kernel32   (pdb symbols)          c:\symbols\kernel32.pdb\C4312728BA1F4691955E99B2E026FAFC2\kernel32.pdb
Loaded symbol image file: kernel32.dll
Mapped memory image file: c:\symbols\kernel32.dll\50B8479A11f000\kernel32.dll
Image path: C:\Windows\System32\kernel32.dll
Image name: kernel32.dll
Timestamp: Thu Nov 29 21:43:54 2012 (50B8479A)
CheckSum: 00123FEF
ImageSize: 0011F000
File version: 6.1.7601.18015
Product version: 6.1.7601.18015
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: kernel32
OriginalFilename: kernel32
ProductVersion: 6.1.7601.18015
FileVersion: 6.1.7601.18015 (win7sp1_gdr.121129-1432)
FileDescription: Windows NT BASE API Client DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.
Here is a second one.
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\LocalDumps\explorer.exe.13372.dmp]
User Mini Dump File with Full Memory: Only application data is available

Symbol search path is: SRV*C:\symbols*hxxp://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: Server, suite: Enterprise TerminalServer
Machine Name:
Debug session time: Thu Sep 5 12:04:15.000 2013 (UTC - 7:00)
System Uptime: 0 days 11:38:22.995
Process Uptime: 0 days 4:09:49.000
................................................................
................................................................
.........
Loading unloaded module list
............................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(343c.5744): Unknown exception - code c0000374 (first/second chance not available)
ntdll!ZwWaitForSingleObject+0xa:
00000000`770812fa c3              ret
0:019> !analyze -v
GetPageUrlData failed, server returned HTTP status 404 URL requested: http://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17567/4d672ee4/ntdll_dll/6_1_7601_18205/51dba4e7/c0000374/000c4102.htm?Retriage=1
FAULTING_IP:
ntdll!RtlReportCriticalFailure+62
00000000`770f4102 eb00            jmp     ntdll!RtlReportCriticalFailure+0x64 (00000000`770f4104)
EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000770f4102 (ntdll!RtlReportCriticalFailure+0x0000000000000062)
   ExceptionCode: c0000374
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 000000007716b4b0
DEFAULT_BUCKET_ID: STATUS_HEAP_CORRUPTION
PROCESS_NAME: explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
EXCEPTION_PARAMETER1: 000000007716b4b0
MOD_LIST:
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 0000000000005744
PRIMARY_PROBLEM_CLASS: STATUS_HEAP_CORRUPTION
BUGCHECK_STR: APPLICATION_FAULT_STATUS_HEAP_CORRUPTION
LAST_CONTROL_TRANSFER: from 00000000770f4746 to 00000000770f4102
STACK_TEXT:
00000000`04adee50 00000000`770f4746 : 00000000`00000002 00000000`00000023 00000000`00000000 00000000`00000003 : ntdll!RtlReportCriticalFailure+0x62
00000000`04adef20 00000000`770f5952 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlpReportHeapFailure+0x26
00000000`04adef50 00000000`770f7604 : 00000000`00330000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlpHeapHandleError+0x12
00000000`04adef80 00000000`770a4616 : 00000000`03563560 00000000`00330000 00000000`03563550 00000000`00000000 : ntdll!RtlpLogHeapFailure+0xa4
00000000`04adefb0 000007fe`fbf0173d : 00000000`00000020 00000000`0355a1a0 00000000`003b0d40 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x1c750
00000000`04adf0c0 000007fe`fbf00d39 : 00000000`00000000 000007fe`fdf7ad76 000007fe`fe340770 000007fe`fdf79dae : comctl32!CCv6s_HeapReallocArray<void>+0x51
00000000`04adf100 000007fe`fbf00e33 : 00000000`0355b3b0 00000000`00000000 00000000`04adf200 00000000`00000000 : comctl32!DSA_Preallocate+0x85
00000000`04adf150 000007fe`fdf62433 : 00000000`04adf200 00000000`0355a1a0 00000000`04adf2a8 00000000`003d7db0 : comctl32!DSA_InsertItem+0x2f
00000000`04adf180 000007fe`fdf26b53 : 00000000`00000000 00000000`00000038 00000000`03597bf0 00000000`04adf2a8 : shell32!DSA_InsertItem+0x4b
00000000`04adf1b0 000007fe`fdf03dbc : 00000000`ffffffff 000007fe`fdc93981 00000000`0037b5b0 000007fe`fdc93c99 : shell32!CCollectionLock::GetSingleQueueItem+0x261
00000000`04adf270 000007fe`fdf4c6bc : 00000000`003c82d0 00000000`035586c0 00000000`00000000 00000000`00000000 : shell32!CChangeNotifyTask::InternalResumeRT+0x6f
00000000`04adf2d0 000007fe`fdf7f1cf : 80000000`01000000 00000000`04adf360 00000000`003c82d0 00000000`0000000a : shell32!CRunnableTask::Run+0xda
00000000`04adf300 000007fe`fdf82d6e : 00000000`003c82d0 00000000`00000000 00000000`003c82d0 00000000`00000002 : shell32!CShellTask::TT_Run+0x124
00000000`04adf330 000007fe`fdf82eba : 00000000`034976a0 00000000`034976a0 00000000`00000000 00000000`0037fd78 : shell32!CShellTaskThread::ThreadProc+0x1d2
00000000`04adf3d0 000007fe`fdac3843 : 000007ff`fffd9000 00000000`00421800 00000000`00372ff0 00000000`0037fd78 : shell32!CShellTaskThread::s_ThreadProc+0x22
00000000`04adf400 00000000`770515db : 00000000`03548400 00000000`03548400 0000aa51`bbd1c4b8 00000000`00000001 : shlwapi!ExecuteWorkItemThreadProc+0xf
00000000`04adf430 00000000`77050c56 : 00000000`00000000 00000000`03497780 00000000`00372ff0 00000000`03554a88 : ntdll!RtlpTpWorkCallback+0x16b
00000000`04adf510 00000000`76ab652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x5ff
00000000`04adf810 00000000`7705c541 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`04adf840 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
FOLLOWUP_IP:
shell32!DSA_InsertItem+4b
000007fe`fdf62433 eb00            jmp     shell32!DSA_InsertItem+0x50 (000007fe`fdf62435)
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: shell32!DSA_InsertItem+4b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: shell32
IMAGE_NAME: shell32.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 512d9f39
STACK_COMMAND: ~19s; .ecxr ; kb
FAILURE_BUCKET_ID: STATUS_HEAP_CORRUPTION_c0000374_shell32.dll!DSA_InsertItem
BUCKET_ID: X64_APPLICATION_FAULT_STATUS_HEAP_CORRUPTION_shell32!DSA_InsertItem+4b
WATSON_STAGEONE_URL: hxxp://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17567/4d672ee4/ntdll_dll/6_1_7601_18205/51dba4e7/c0000374/000c4102.htm?Retriage=1
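Both dumps are taken after the heap is already damaged: the first faults in RtlFreeHeap walking a freed DSA block, the second is ntdll's own consistency check (0xc0000374) firing inside DSA_InsertItem, and the first analysis explicitly says "Enable Pageheap/AutoVerifier". The script below is an added example, not part of the original post and not the poster's own: it sets the WER LocalDumps policy for explorer.exe (full dumps, like the second one above), enables full page heap for explorer.exe with gflags so the next crash lands on the code that actually overruns the block, and summarises the existing dumps by file owner, which is how the post attributes crashes to users. The LocalDumps key and value names are the documented WER settings; the dump folder, the gflags.exe install path and the dump-name pattern are assumptions, and the code is written to run on the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Assumptions: dump folder C:\LocalDumps (as in the post), gflags.exe from the
# x64 Debugging Tools for Windows in its default location.

$DumpFolder = 'C:\LocalDumps'
$Process    = 'explorer.exe'

function Set-LocalDumpPolicy {
    param(
        [Parameter(Mandatory=$true)][string]$ProcessName,
        [Parameter(Mandatory=$true)][string]$Folder,
        [ValidateSet(0, 1, 2)][int]$DumpType = 2,   # 1 = minidump, 2 = full memory (the second dump above)
        [int]$DumpCount = 10                         # WER keeps at most this many dumps for the image
    )
    # Documented per-image WER LocalDumps key; a value here overrides the global LocalDumps settings
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\$ProcessName"
    if (-not (Test-Path -LiteralPath $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    if (-not (Test-Path -LiteralPath $key))    { New-Item -Path $key -Force | Out-Null }
    # DumpFolder is REG_EXPAND_SZ; DumpType and DumpCount are REG_DWORD
    New-ItemProperty -Path $key -Name DumpFolder -Value $Folder    -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpType   -Value $DumpType  -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpCount  -Value $DumpCount -PropertyType DWord        -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object DumpFolder, DumpType, DumpCount
}

function Enable-FullPageHeap {
    param(
        [Parameter(Mandatory=$true)][string]$ProcessName,
        # assumed install location of Debugging Tools for Windows (x64)
        [string]$GflagsPath = "$env:ProgramFiles\Debugging Tools for Windows (x64)\gflags.exe"
    )
    if (-not (Test-Path -LiteralPath $GflagsPath)) { throw "gflags.exe not found at $GflagsPath" }
    # Full page heap puts every allocation against a guard page, so an overrun faults
    # in the code that writes out of bounds rather than later in RtlFreeHeap or
    # RtlpReportHeapFailure, which is where both dumps in the post were taken.
    & $GflagsPath /p /enable $ProcessName /full
    & $GflagsPath /p   # lists images with page heap enabled, to confirm the setting took
    # Caveat: the flag lives under Image File Execution Options and applies to every
    # new explorer.exe, i.e. every session on the terminal server, and full page heap
    # roughly doubles the process's memory use. Turn it off again afterwards with:
    #   & $GflagsPath /p /disable $ProcessName
}

function Get-DumpOwnerSummary {
    param(
        [Parameter(Mandatory=$true)][string]$Folder,
        [string]$Filter = 'explorer.exe.*.dmp'   # assumed: WER names dumps <image>.<pid>.dmp
    )
    Get-ChildItem -LiteralPath $Folder -Filter $Filter |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Dump   = $_.Name
                Time   = $_.LastWriteTime
                SizeMB = [math]::Round($_.Length / 1MB, 1)
                # WerFault writes the dump in the crashing user's context, so the file
                # owner identifies whose explorer.exe died (the post's own heuristic)
                Owner  = (Get-Acl -LiteralPath $_.FullName).Owner
            }
        } |
        Group-Object Owner |
        ForEach-Object {
            New-Object PSObject -Property @{
                Owner  = $_.Name
                Dumps  = $_.Count
                First  = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
                Latest = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            }
        } |
        Sort-Object Dumps -Descending
}

Set-LocalDumpPolicy -ProcessName $Process -Folder $DumpFolder
Get-DumpOwnerSummary -Folder $DumpFolder | Format-Table Owner, Dumps, First, Latest -AutoSize
# Enable page heap only once full dumps are being collected and you can tolerate the
# memory cost on every session:
# Enable-FullPageHeap -ProcessName $Process
```

With full page heap on, the next explorer.exe dump should fault at the instruction that writes past the DSA block rather than in ntdll's heap code, and `!heap -p -a <address>` in WinDbg will then show the allocation stack for the block involved. Disable page heap with `gflags /p /disable explorer.exe` as soon as a useful dump has been captured.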
User contributions licensed under CC BY-SA 3.0