none
Windows 8.1 x64 Werfault.exe leaves crash process in suspended mode with no running threads, unable to end process ! RRS feed

  • Question

  • We religiously track Windows Application fault events in our environment.

    Recently we have noticed that when, Word 2013 x86 version (15.0.4823.1000, 15.0.4805.1001) running on Windows 8.1 x64,  crashes due to corrupted heap, we find suspended winword process that have no running threads.  the ccorrupt heap crashes are of the type  exception c0000374 in Ntdll.dll at offset 0x000e6054.  We have two different situations in which we can trigger a crash that will produce the corrupted heap.

    The problem is after the App crash the Windows Error Reporting service, attaches the WerFault.exe to the crashed process and saves the WER Dump file.  The problem is after this process is finished we are left with Winword.exe process that are in suspended state.  They are not visible in the TaskManager but they show-up in Procexp,  these process have no running threads and the End task or end task tree have no impact.  The only way to exit the suspended process is to log off the user session. 

    The suspended Winword.exe process cause problems when we re-launch a clean word, we have an add-in that detect's the suspended Winword and will not run.

    On a test machine we disabled the WER service and of course we no longer see suspended threads, this is not an option for use because stopping the WER service stops logging of all Application Fault event ID 1000 and Application hang 1001 entries from the Application log.

    We also tried to exclude Winword from the WER service by using  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ExcludedApplications.  The result is WER does not save any dumps for the crashing Winword process but it still attaches the crashing process.

    Any thoughts ?

    Wednesday, May 18, 2016 1:02 PM

Answers

All replies