What makes NTDLL!_KiUserApcDispatcher jump to an address which doesn't belong to a module in a process?


I'm debugging a crash dump which gets an Access Violation exception (0xC0000005). The AVE comes from jumping to an address that doesn't belong to any of the 2 loaded modules in the process:

Call stack of Access Violation exception Loaded modules in crashing process

What would cause this so early in the process?

It appears that the process is mapping memory (_ZwCreateSection) to load a module... did the module fail to load in some way which LoadLibrary succeeds but the module isn't actually loaded?

asked on Stack Overflow Mar 13, 2015 by codekaizen • edited Mar 13, 2015 by codekaizen

1 Answer


The cause for this behavior was an anti-virus software (Norton) hijacking the DLL load. Running GFlags to debug LoadLibrary showed that the mscorlib.dll library was being prevented from loading.

answered on Stack Overflow Nov 16, 2019 by codekaizen

User contributions licensed under CC BY-SA 3.0