Explorer crashes caused by ntdll.dll?

  • Question

  • Hi,

    At work, I have six Windows 8.1 x64 machines that regularly suffer from explorer crashes. Of course, I've done standard troubleshooting things but this did not fix the problem. Before we installed 8.1 on the machines they were using Windows 7, where these issues were also present.

    I have a log file of one of the computers below, which was made with WinDBG. From what I understand from reading the file, ntdll.dll has something to do with the explorer crash. I now want to know what is causing it. Is it one of the third-party applications running on the machine? Help is very much appreciated!

    Log file:

    ************* Symbol Path validation summary **************
    Response Time (ms) Location
    Deferred srv*C:\DbgSymbols*http://msdl.microsoft.com/download/symbols
    Deferred srv*http://msdl.microsoft.com/download/symbols

    Microsoft (R) Windows Debugger Version 10.0.15063.468 X86
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [C:\Temp\PURA0G014PC\explorer.exe.6856.dmp]
    User Mini Dump File with Full Memory: Only application data is available

    ************* Symbol Path validation summary **************
    Response Time (ms) Location
    Deferred srv*C:\DbgSymbols*http://msdl.microsoft.com/download/symbols
    Deferred srv*http://msdl.microsoft.com/download/symbols
    Symbol search path is: srv*C:\DbgSymbols*http://msdl.microsoft.com/download/symbols;srv*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 8.1 Version 9600 MP (8 procs) Free x64
    Product: WinNt, suite: SingleUserTS
    6.3.9600.17031 (winblue_gdr.140221-1952)
    Machine Name:
    Debug session time: Tue Oct 24 09:36:03.000 2017 (UTC + 1:00)
    System Uptime: 0 days 22:50:34.110
    Process Uptime: 0 days 2:22:45.000
    ................................................................
    ................................................................
    ................................................................
    ................................................................
    .....................
    Loading unloaded module list
    ................................................................
    This dump file has an exception of interest stored in it.
    The stored exception information can be accessed via .ecxr.
    (1ac8.1cf0): Unknown exception - code c0000374 (first/second chance not available)
    ntdll!NtWaitForMultipleObjects+0xa:
    00007ffc`f6ff0c6a c3 ret
    0:119> !analyze -v
    *******************************************************************************
    * *
    * Exception Analysis *
    * *
    *******************************************************************************

    *** ERROR: Symbol file could not be found. Defaulted to export symbols for FujiWebU.dll -
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for FujiFldL.dll -
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for sppc.dll -
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for ClassicStartMenuDLL.dll -
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for DBCmds.dll -
    *** WARNING: Unable to verify checksum for b8idxx64.dll
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for b8idxx64.dll -
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for PowerScribeIntegration.dll -
    GetUrlPageData2 (WinHttp) failed: 12002.

    DUMP_CLASS: 2

    DUMP_QUALIFIER: 400

    CONTEXT: (.ecxr)
    rax=0000000004cb99a8 rbx=00000000c0000374 rcx=00007ffce2c0d000
    rdx=0000000000000000 rsi=0000000000000000 rdi=00007ffcf708ed40
    rip=00007ffcf7051b70 rsp=0000000004cb9e40 rbp=0000000000000000
    r8=0000000000000003 r9=00007ffcf708eda8 r10=00007ffcf6fb3dc7
    r11=0000000000000000 r12=0000000021b6f158 r13=0000000000000000
    r14=0000000000000008 r15=0000000021996d80
    iopl=0 nv up ei pl nz na po nc
    cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
    ntdll!RtlReportCriticalFailure+0x8c:
    00007ffc`f7051b70 eb00 jmp ntdll!RtlReportCriticalFailure+0x8e (00007ffc`f7051b72)
    Resetting default scope

    FAULTING_IP:
    ntdll!RtlReportCriticalFailure+8c
    00007ffc`f7051b70 eb00 jmp ntdll!RtlReportCriticalFailure+0x8e (00007ffc`f7051b72)

    EXCEPTION_RECORD: (.exr -1)
    ExceptionAddress: 00007ffcf7051b70 (ntdll!RtlReportCriticalFailure+0x000000000000008c)
    ExceptionCode: c0000374
    ExceptionFlags: 00000001
    NumberParameters: 1
    Parameter[0]: 00007ffcf708ed40

    PROCESS_NAME: explorer.exe

    ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

    EXCEPTION_CODE_STR: c0000374

    EXCEPTION_PARAMETER1: 00007ffcf708ed40

    WATSON_BKT_PROCSTAMP: 54503a3a

    WATSON_BKT_PROCVER: 6.3.9600.17415

    PROCESS_VER_PRODUCT: Microsoft® Windows® Operating System

    WATSON_BKT_MODULE: ntdll.dll

    WATSON_BKT_MODSTAMP: 57ae642e

    WATSON_BKT_MODOFFSET: f1b70

    WATSON_BKT_MODVER: 6.3.9600.18438

    MODULE_VER_PRODUCT: Microsoft® Windows® Operating System

    BUILD_VERSION_STRING: 6.3.9600.17415 (winblue_r4.141028-1500)

    MODLIST_WITH_TSCHKSUM_HASH: f6b9895c58fb47a2e979e4c9388b51dcb1d0ee6d

    MODLIST_SHA1_HASH: a50e7063b3001fc697f238039620e4d45392e17f

    NTGLOBALFLAG: 0

    APPLICATION_VERIFIER_FLAGS: 0

    PRODUCT_TYPE: 1

    SUITE_MASK: 272

    DUMP_FLAGS: 8000c07

    DUMP_TYPE: 3

    ANALYSIS_SESSION_HOST: PC000954

    ANALYSIS_SESSION_TIME: 10-30-2017 13:11:05.0161

    ANALYSIS_VERSION: 10.0.15063.468 x86fre

    THREAD_ATTRIBUTES:
    LAST_CONTROL_TRANSFER: from 00007ffcf7054db2 to 00007ffcf7051b70

    FAULTING_THREAD: ffffffff

    THREAD_SHA1_HASH_MOD_FUNC: aa60ecb2e1c423aa16a6d3806ffdbb107148d46b

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: c1d1dd89a05c2e94c3501fe3b9024d9069e43352

    OS_LOCALE: NLD

    PROBLEM_CLASSES:

    ID: [0n244]
    Type: [ACTIONABLE]
    Class: Addendum
    Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
    BUCKET_ID
    Name: Add
    Data: Add
    String: [BlockNotBusy]
    PID: [0x1ac8]
    TID: [0x1cf0]
    Frame: [2] : ntdll!RtlpLogHeapFailure

    ID: [0n245]
    Type: [HEAP_CORRUPTION]
    Class: Primary
    Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
    BUCKET_ID
    Name: Add
    Data: Omit
    PID: [Unspecified]
    TID: [0x1cf0]
    Frame: [0] : ntdll!RtlReportCriticalFailure

    ID: [0n243]
    Type: [DOUBLE_FREE]
    Class: Addendum
    Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
    BUCKET_ID
    Name: Add
    Data: Omit
    PID: [0x1ac8]
    TID: [0x1cf0]
    Frame: [2] : ntdll!RtlpLogHeapFailure

    BUGCHECK_STR: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE

    DEFAULT_BUCKET_ID: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE

    PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION

    STACK_TEXT:
    00007ffc`f708eda8 00007ffc`f700a56f ntdll!RtlFreeHeap+0x74eff
    00007ffc`f708edb0 00007ffc`f4cc1085 shell32!operator delete+0x21
    00007ffc`f708edb8 00007ffc`f527a9fd shell32!CMarshalByValue::`vector deleting destructor'+0x1d
    00007ffc`f708edc0 00007ffc`f50df141 shell32!`Microsoft::WRL::Module<1,Microsoft::WRL::Details::DefaultModule<5> >::Create'::`2'::`dynamic atexit destructor for 'module''+0x42a8d
    00007ffc`f708edc8 00007ffc`e2a72b8f explorerframe!CShellBrowser::_SaveTopView+0x4f
    00007ffc`f708edd0 00007ffc`e2ad06c9 explorerframe!CShellBrowser::OnNavigationResult+0xd9
    00007ffc`f708edd8 00007ffc`e2ad05d0 explorerframe!CPendingNavigation::OnConnectionCreated+0x90
    00007ffc`f708ede0 00007ffc`e2ad04f5 explorerframe!CShellViewFactory::BeginCreateConnection+0x85
    00007ffc`f708ede8 00007ffc`e2ad0393 explorerframe!CShellBrowser::_CreateConnectionForItem+0x243
    00007ffc`f708edf0 00007ffc`e2ad0106 explorerframe!CShellBrowser::_CreateNewConnection+0x92
    00007ffc`f708edf8 00007ffc`e2aceb7f explorerframe!CShellBrowser::_NavigateToPidl+0x123
    00007ffc`f708ee00 00007ffc`e2aa6865 explorerframe!CShellBrowser::_OnGoto+0xb5
    00007ffc`f708ee08 00007ffc`e2aa6778 explorerframe!CShellBrowser::WndProcBS+0x7e6
    00007ffc`f708ee10 00007ffc`e2a64749 explorerframe!IEFrameWndProc+0x85
    00007ffc`f708ee18 00007ffc`f6ad24fd user32!UserCallWinProcCheckWow+0x149
    00007ffc`f708ee20 00007ffc`f6ad2357 user32!DispatchMessageWorker+0x1a7
    00007ffc`f708ee28 00007ffc`f6b05c83 user32!DialogBox2+0x22d
    00007ffc`f708ee30 00007ffc`f6b076e2 user32!InternalDialogBox+0x132
    00007ffc`f708ee38 00007ffc`f6b077a6 user32!DialogBoxIndirectParamAorW+0x56
    00007ffc`f708ee40 00007ffc`f6b077e8 user32!DialogBoxIndirectParamW+0x18
    00007ffc`f708ee48 00000000`1b5d5207 FujiWebU!DllUnregisterServer+0x10367
    00007ffc`f708ee50 00000000`1b5e03ee FujiWebU!DllUnregisterServer+0x1b54e
    00007ffc`f708ee58 00000001`80237829 FujiFldL!DllUninstallServer+0x99799
    00007ffc`f708ee60 00000001`80237a49 FujiFldL!DllUninstallServer+0x999b9
    00007ffc`f708ee68 00000001`80237c3e FujiFldL!DllUninstallServer+0x99bae
    00007ffc`f708ee70 00000001`802380fa FujiFldL!DllUninstallServer+0x9a06a
    00007ffc`f708ee78 00000001`80250173 FujiFldL!DllUninstallServer+0xb20e3
    00007ffc`f708ee80 00000001`8025034a FujiFldL!DllUninstallServer+0xb22ba
    00007ffc`f708ee88 00000001`80250048 FujiFldL!DllUninstallServer+0xb1fb8
    00007ffc`f708ee90 00007ffc`e2aa0033 explorerframe!CShellBrowser::_SaveViewState+0x3f
    00007ffc`f708ee98 00007ffc`e2aa6053 explorerframe!CShellBrowser::_CreateNewConnection+0xee
    00007ffc`f708eea0 00007ffc`e2aceb7f explorerframe!CShellBrowser::_NavigateToPidl+0x123

    STACK_COMMAND: dps 7ffcf708eda8 ; kb

    THREAD_SHA1_HASH_MOD: c22bb30e168bd58b6ccf6b8ec2a703e2ee160958

    FOLLOWUP_IP:
    shell32!CMarshalByValue::`vector deleting destructor'+1d
    00007ffc`f527a9fd 488bc3 mov rax,rbx

    FAULT_INSTR_CODE: 48c38b48

    SYMBOL_STACK_INDEX: 2

    SYMBOL_NAME: shell32!CMarshalByValue::`vector deleting destructor'+1d

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: shell32

    IMAGE_NAME: shell32.dll

    DEBUG_FLR_IMAGE_TIMESTAMP: 57bf5a3b

    BUCKET_ID: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_shell32!CMarshalByValue::_vector_deleting_destructor_+1d

    FAILURE_EXCEPTION_CODE: c0000374

    FAILURE_IMAGE_NAME: shell32.dll

    BUCKET_ID_IMAGE_STR: shell32.dll

    FAILURE_MODULE_NAME: shell32

    BUCKET_ID_MODULE_STR: shell32

    FAILURE_FUNCTION_NAME: CMarshalByValue::_vector_deleting_destructor_

    BUCKET_ID_FUNCTION_STR: CMarshalByValue::_vector_deleting_destructor_

    BUCKET_ID_OFFSET: 1d

    BUCKET_ID_MODTIMEDATESTAMP: 57bf5a3b

    BUCKET_ID_MODCHECKSUM: 15534dd

    BUCKET_ID_MODVER_STR: 6.3.9600.18458

    BUCKET_ID_PREFIX_STR: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_

    FAILURE_PROBLEM_CLASS: HEAP_CORRUPTION

    FAILURE_SYMBOL_NAME: shell32.dll!CMarshalByValue::_vector_deleting_destructor_

    FAILURE_BUCKET_ID: HEAP_CORRUPTION_ACTIONABLE_BlockNotBusy_DOUBLE_FREE_c0000374_shell32.dll!CMarshalByValue::_vector_deleting_destructor_

    WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/explorer.exe/6.3.9600.17415/54503a3a/ntdll.dll/6.3.9600.18438/57ae642e/c0000374/000f1b70.htm?Retriage=1

    TARGET_TIME: 2017-10-24T08:36:03.000Z

    OSBUILD: 9600

    OSSERVICEPACK: 17415

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 8.1

    OSEDITION: Windows 8.1 WinNt SingleUserTS

    USER_LCID: 0

    OSBUILD_TIMESTAMP: 2014-10-29 03:45:30

    BUILDDATESTAMP_STR: 141028-1500

    BUILDLAB_STR: winblue_r4

    BUILDOSVER_STR: 6.3.9600.17415

    ANALYSIS_SESSION_ELAPSED_TIME: 4d128

    ANALYSIS_SOURCE: UM

    FAILURE_ID_HASH_STRING: um:heap_corruption_actionable_blocknotbusy_double_free_c0000374_shell32.dll!cmarshalbyvalue::_vector_deleting_destructor_

    FAILURE_ID_HASH: {bca875be-d403-b405-a7da-5e5e304b8606}

    Followup: MachineOwner
    ---------
    Thursday, November 9, 2017 1:27 PM

All replies

  • Hi,

    Does Windows Explorer crash when you do some specific operation?

    Is there any event created in Event Viewer?

    Please try to run the System File Checker tool (SFC.exe) to check system files and recover corrupted files. Here are the steps:

    1. Open Command Prompt (as administrator).

    2. Type sfc /scannow, and then press Enter.

    Or you could also run DISM /online /cleanup-image /restorehealth in Command Prompt (as administrator).

     

    Please use a clean boot to check if it is caused by a third-party application. Here is a link.

    How to perform a clean boot in Windows:

    https://support.microsoft.com/en-in/help/929135/how-to-perform-a-clean-boot-in-windows

     




    • Proposed as answer by Vera Hu Monday, November 13, 2017 1:29 AM
    Friday, November 10, 2017 2:50 AM
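
An added example, not part of the original thread: a short Python triage helper that reads `!analyze -v` output like the log in the question and lists the modules that are both on the faulting stack and missing symbol files, which gives a shortlist to test with the clean boot suggested in the reply. The function names are hypothetical, the sample is a subset of lines taken from the posted log, and treating "no symbol file" as a hint for a third-party module is an assumption (sppc.dll also appears in that list without being on the stack).

```python
import re

# Constructed sample: a subset of lines copied from the !analyze -v log in the question.
SAMPLE = r"""
*** ERROR: Symbol file could not be found. Defaulted to export symbols for FujiWebU.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for FujiFldL.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for sppc.dll -
STACK_TEXT:
00007ffc`f708eda8 00007ffc`f700a56f ntdll!RtlFreeHeap+0x74eff
00007ffc`f708edb8 00007ffc`f527a9fd shell32!CMarshalByValue::`vector deleting destructor'+0x1d
00007ffc`f708ee40 00007ffc`f6b077e8 user32!DialogBoxIndirectParamW+0x18
00007ffc`f708ee48 00000000`1b5d5207 FujiWebU!DllUnregisterServer+0x10367
00007ffc`f708ee50 00000000`1b5e03ee FujiWebU!DllUnregisterServer+0x1b54e
00007ffc`f708ee58 00000001`80237829 FujiFldL!DllUninstallServer+0x99799
00007ffc`f708ee90 00007ffc`e2aa0033 explorerframe!CShellBrowser::_SaveViewState+0x3f
"""

NOSYM_RE = re.compile(r"Defaulted to export symbols for (\S+) -")
ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME_RE = re.compile(rf"^\s*{ADDR}\s+{ADDR}\s+([^!\s]+)!(.+?)(?:\+0x[0-9a-f]+)?\s*$", re.I)

def modules_without_symbols(text):
    """Module names WinDbg fell back to export symbols for (extension stripped)."""
    return {name.rsplit(".", 1)[0].lower() for name in NOSYM_RE.findall(text)}

def stack_frames(text):
    """(index, module, symbol) for each frame listed under STACK_TEXT."""
    _, _, body = text.partition("STACK_TEXT:")
    frames = []
    for line in body.lstrip().splitlines():
        m = FRAME_RE.match(line)
        if not m:
            break  # a blank line or the next field ends the stack listing
        frames.append((len(frames), m.group(1), m.group(2)))
    return frames

def unsymbolized_on_stack(text):
    """Map module -> frame indices for stack modules that lack symbol files."""
    nosym = modules_without_symbols(text)
    hits = {}
    for idx, module, _symbol in stack_frames(text):
        if module.lower() in nosym:
            hits.setdefault(module, []).append(idx)
    return hits

if __name__ == "__main__":
    for module, idxs in unsymbolized_on_stack(SAMPLE).items():
        print(f"{module}: frames {idxs}")
```

For modules resolved through export symbols, the name before the offset is only the nearest exported function, so `DllUnregisterServer+0x10367` identifies the module but not the routine that was actually running.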