ProcessExplorer 16.26 on Win10Pro 64bit system-power-state-change bug

  • Question

  • Where should I report a bug for the process explorer tool?

    What details are needed from my system to get this bug addressed?

    procexp64.exe always crashes when I unplug the power cable from my laptop.

    When I plug the cable back in, so returning from battery to outlet power, the crash does not occur.

    Wednesday, July 24, 2019 7:57 PM

All replies

  • This is really interesting. Generally, a power event that crashes an app may be generated in the kernel, and so probably from the driver that Process Explorer installs in the kernel. In a case like this I would expect a blue screen from the OS.

    In this case instead, if the only thing that crashes (but we are not sure) is the app, attach ProcDump to Process Explorer and capture a dump when the crash happens and share it with MarkC at syssite@microsoft.com.

    procdump64 -ma -e procexp64.exe c:\temp\dump\procexp.dmp


    Wednesday, July 24, 2019 9:16 PM
  • Yes would be very interested in seeing a dump file for this. If Windows Error Reporting generated one for you, it should be in %LOCALAPPDATA%\CrashDumps by default. If WER is not enabled could you enable it by creating a DWORD registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps and setting this to 2 (Full dump). More detailed instructions are available at https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps.

    Alternatively, as Mario suggested, you could use procdump. Either way, if you ping me offline at syssite@microsoft.com I will provide you with a location to upload it.

    Also are you seeing an application crash event (Event ID 1000) in the application event log? And what version of Windows are you using?


    Thursday, July 25, 2019 11:59 AM
  • Procdump only produces this output (cmd.exe run as administrator).

    No dump is generated when the app crashes when I pull the power plug.

    C:\WINDOWS\system32>C:\Data\Apps\Procdump\procdump64.exe -ma -e procexp64.exe C:\Data\Apps\Procdump\procexp.dmp
    ProcDump v9.0 - Sysinternals process dump utility
    Copyright (C) 2009-2017 Mark Russinovich and Andrew Richards
    Sysinternals - www.sysinternals.com
    Process:               procexp64.exe (10896)
    Process image:         C:\Data\Apps\ProcessExplorer\procexp64.exe
    CPU threshold:         n/a
    Performance counter:   n/a
    Commit threshold:      n/a
    Threshold seconds:     n/a
    Hung window check:     Disabled
    Log debug strings:     Disabled
    Exception monitor:     Unhandled
    Exception filter:      [Includes]
    Terminate monitor:     Disabled
    Cloning type:          Disabled
    Concurrent limit:      n/a
    Avoid outage:          n/a
    Number of dumps:       1
    Dump folder:           C:\Data\Apps\Procdump\
    Dump filename/mask:    procexp
    Queue to WER:          Disabled
    Kill after dump:       Disabled
    Press Ctrl-C to end monitoring without terminating the process.
    [17:27:14] Exception: C0000005.ACCESS_VIOLATION
    [17:27:14] Exception: C0000005.ACCESS_VIOLATION
    [17:27:14] Exception: C0000005.ACCESS_VIOLATION
    [17:27:14] Exception: C0000005.ACCESS_VIOLATION
    [17:27:20] Exception: C0000005.ACCESS_VIOLATION
    [17:27:20] Exception: C0000005.ACCESS_VIOLATION
    [17:27:24] Exception: C0000005.ACCESS_VIOLATION
    [17:27:24] Exception: C0000005.ACCESS_VIOLATION
    [17:27:25] The process has exited.
    [17:27:25] Dump count not reached.

    Friday, July 26, 2019 3:39 PM
  • WER is enabled (there are WERs from svchost.exe available, but not from around times when procexp64 crashes) but no WER procexp64 report is generated.

    Nothing to be found in the "ReportArchive", nor in the "ReportQueue", nor in the "WER\Temp" dir.

    Friday, July 26, 2019 3:42 PM
  • That's even more strange. You can try adding the -t switch to get a dump when procexp terminates, but I think it will show nothing as the process seems to terminate cleanly. Probably MarkC can have a look at the source code and see if there is a path where procexp terminates if the kernel driver gets unloaded. I suspect that your power event in some way corrupts the kernel driver of procexp. Procexp eventually handles the situation, closing itself cleanly. And you don't get a BSOD just by chance. Lucky guy😉



    • Edited by mariora_ Friday, July 26, 2019 4:22 PM
    Friday, July 26, 2019 4:21 PM
  • With -t it shows this:

    [22:00:29] Exception: C0000005.ACCESS_VIOLATION
    [22:00:30] Exception: C0000005.ACCESS_VIOLATION
    [22:00:31] Dump 1 initiated: C:\Data\Apps\Procdump\procexp.dmp
    [22:00:32] Dump 1 writing: Estimated dump file size is 172 MB.
    [22:00:35] Dump 1 complete: 172 MB written in 3.8 seconds
    [22:00:35] The process has exited.
    [22:00:36] Dump count reached.

    The .dmp is 53MB after using 7zip.

    Friday, July 26, 2019 8:10 PM
  • Send an email to Mark Cook at syssite@microsoft.com and agree with him how to send in the dump.

    Let's see if Mark can spot something.


    Friday, July 26, 2019 8:31 PM
  • It's uploaded.

    Extra info: this issue has existed for many years and in all the procexp versions and various laptops I've used in all these years. I only decided to report the issue now because I am so surprised that after so many years/versions the issue still exists... Probably because nobody took the time/effort/patience to report it.

    So I'd guess the issue will be somewhere in old code which has not changed for a long long time...

    • Edited by fun29 Friday, July 26, 2019 10:00 PM incomplete sentence
    Friday, July 26, 2019 9:10 PM
  • Thanks for taking the time to upload the dump file. Unfortunately the process has terminated cleanly so there is nothing in there to indicate why you are seeing this.

    I've not come across this issue before and I just tried on both of my two laptops and don't see it so I'm wondering if this only occurs when a specific option is enabled. Would you export the registry key at \HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer and either email it to me or upload to the same location as the dump.

    Also do you see this both when you run as admin and non-admin or just one of these (both should be OK but they take different code paths so it may help narrow down where the problem lies).

    And finally I note that you didn't see any WER activity for this crash, which is odd, but did you see an Application Event ID 1000 in the Application Event Log?

    MarkC (MSFT)

    Monday, July 29, 2019 10:35 AM
  • Registry exported and uploaded.

    But... EUREKA!

    I found something interesting, I didn't realise this when reporting this initially.

    Process explorer is started via the logon event in a task scheduler task.

    To allow you to troubleshoot if the issue was perhaps in that configuration somewhere I exported the task scheduler task to xml and was also curious if I could find the root cause in that xml.

    And I did find it!

    In the task scheduler task export I noticed this line:


    And because the "DisallowStartIfOnBatteries" was disabled, the "StopIfGoingOnBatteries" was grayed out => BUT STILL ACTIVE. I always assumed that "StopIfGoingOnBatteries" was also NOT active.

    After I enabled "DisallowStartIfOnBatteries" I was able to disable "StopIfGoingOnBatteries" and then I also disabled "DisallowStartIfOnBatteries" again and now the problem is resolved. Process Explorer does not stop ("crash") anymore.

    • Edited by fun29 Tuesday, July 30, 2019 7:28 PM incomplete sentence
    Tuesday, July 30, 2019 7:26 PM
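
The check the poster did by eye on the exported task can be scripted. The following is an added example, not part of the original thread or of any Sysinternals tooling: it parses Task Scheduler XML exports and flags tasks where "StopIfGoingOnBatteries" is effectively on while "DisallowStartIfOnBatteries" is off, including the case where the element is absent and the schema default applies. The sample exports and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
BATTERY_KEYS = ("DisallowStartIfOnBatteries", "StopIfGoingOnBatteries")

def battery_settings(task_xml):
    """Effective battery settings of one exported task (str or bytes).

    For a real export, pass the file's bytes so the parser honours the
    encoding named in its XML declaration.
    """
    settings = ET.fromstring(task_xml).find("t:Settings", NS)
    effective = {}
    for key in BATTERY_KEYS:
        node = settings.find(f"t:{key}", NS) if settings is not None else None
        if node is None or node.text is None:
            effective[key] = True  # task schema default when the element is absent
        else:
            effective[key] = node.text.strip().lower() in ("true", "1")
    return effective

def stops_on_battery_unseen(task_xml):
    """True for the combination from the thread: stop-on-battery on, start restriction off."""
    s = battery_settings(task_xml)
    return s["StopIfGoingOnBatteries"] and not s["DisallowStartIfOnBatteries"]

def make_task(settings_body):
    """Constructed sample export (not the poster's file)."""
    return (
        '<Task version="1.2" '
        'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        f"<Settings>{settings_body}</Settings>"
        "<Actions><Exec><Command>C:\\Data\\Apps\\ProcessExplorer\\procexp64.exe"
        "</Command></Exec></Actions></Task>"
    )

def flag(name, value):
    return f"<{name}>{value}</{name}>"

SAMPLES = {  # constructed inputs covering the states discussed in the thread
    "as reported": make_task(flag(BATTERY_KEYS[0], "false") + flag(BATTERY_KEYS[1], "true")),
    "element omitted": make_task(flag(BATTERY_KEYS[0], "false")),
    "after the fix": make_task(flag(BATTERY_KEYS[0], "false") + flag(BATTERY_KEYS[1], "false")),
    "both enabled": make_task(flag(BATTERY_KEYS[0], "true") + flag(BATTERY_KEYS[1], "true")),
}

def audit(exports):
    """Names of exports whose task will be stopped when AC power is removed."""
    return sorted(n for n, x in exports.items() if stops_on_battery_unseen(x))

if __name__ == "__main__":
    print(audit(SAMPLES))
```

The same audit is worth running over any monitoring or security tooling launched from a scheduled task, since a task in this state is terminated on the switch to battery without producing a crash report.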
  • Great work. Awesome job tracking that down.

    I'll go ahead and close the issue but feel free to get back to me if you experience any further difficulties.

    MarkC (MSFT)

    Wednesday, July 31, 2019 2:30 PM