locked
Windows 8.1 x64 Werfault.exe leaves crash process in suspended mode with no running threads, unable to end process ! RRS feed

  • Question

  • We religiously track Windows Application fault events in our environment.

    Recently we have noticed that when, Word 2013 x86 version (15.0.4823.1000, 15.0.4805.1001) running on Windows 8.1 x64,  crashes due to corrupted heap, we find suspended winword process that have no running threads.  the ccorrupt heap crashes are of the type  exception c0000374 in Ntdll.dll at offset 0x000e6054.  We have two different situations in which we can trigger a crash that will produce the corrupted heap.

    The problem is after the App crash the Windows Error Reporting service, attaches the WerFault.exe to the crashed process and saves the WER Dump file.  The problem is after this process is finished we are left with Winword.exe process that are in suspended state.  They are not visible in the TaskManager but they show-up in Procexp,  these process have no running threads and the End task or end task tree have no impact.  The only way to exit the suspended process is to log off the user session. 

    The suspended Winword.exe process cause problems when we re-launch a clean word, we have an add-in that detect's the suspended Winword and will not run.

    On a test machine we disabled the WER service and of course we no longer see suspended threads, this is not an option for use because stopping the WER service stops logging of all Application Fault event ID 1000 and Application hang 1001 entries from the Application log.

    We also tried to exclude Winword from the WER service by using  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ExcludedApplications.  The result is WER does not save any dumps for the crashing Winword process but it still attaches the crashing process.

    Any thoughts ?

    Wednesday, May 18, 2016 1:02 PM

Answers

All replies

  • Hi naimco,

     

    Based on your description, I suggest that we may try process monitor to check the result.

    https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx?f=255&MSPPError=-2147217396

     

    Best Regards,

    Tao


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Saturday, May 21, 2016 7:54 AM
  • Hi Tao - I am finding that on my windows 10 install every time an application crashes I get the same behaviour.  It gets stuck as a suspended process and can't be cleared via proc explorer - you must restart your session.

    Any more info would be great.  Can you point me at detailed information on how WER is managed by windows?

    DR

    Wednesday, July 6, 2016 11:05 PM