locked
Explorer.exe randomly crashs Windows 7 64bit RRS feed

  • Question

  • You can find the dump file here

    http://dl.dropbox.com/u/116150/explorer.exe.1872.dmp

     

    Please advise me if you require any additional information relating to this matter

     

    Thank you

    Friday, July 15, 2011 5:30 PM

Answers

All replies

  • FAULTING_IP: 
    ntdll!RtlUnhandledExceptionFilter+2d2
    00000000`76f740f2 eb00            jmp     ntdll!RtlUnhandledExceptionFilter+0x2d4 (00000000`76f740f4)
    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 0000000076f740f2 (ntdll!RtlUnhandledExceptionFilter+0x00000000000002d2)
       ExceptionCode: c0000374
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 0000000076feb450
    DEFAULT_BUCKET_ID:  HEAP_CORRUPTION
    PROCESS_NAME:  explorer.exe
    FAULTING_MODULE: 0000000076eb0000 ntdll
    DEBUG_FLR_IMAGE_TIMESTAMP:  0
    ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
    EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
    EXCEPTION_PARAMETER1:  0000000076feb450
    MOD_LIST: <ANALYSIS/>
    ADDITIONAL_DEBUG_TEXT:  
    Use '!findthebuild' command to search for the target build information.
    If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. ; Enable Pageheap/AutoVerifer
    FAULTING_THREAD:  0000000000001644
    PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION
    BUGCHECK_STR:  APPLICATION_FAULT_HEAP_CORRUPTION_WRONG_SYMBOLS
    LAST_CONTROL_TRANSFER:  from 0000000076f74736 to 0000000076f740f2
    STACK_TEXT:  
    00000000`07dfef40 00000000`76f74736 : 00000000`00000002 00000000`00000023 ffffffff`80000001 00000000`00000003 : ntdll!RtlUnhandledExceptionFilter+0x2d2
    00000000`07dff010 00000000`76f75942 : 00000000`00000000 00000000`08255990 00000000`00000000 000007fe`fddb4981 : ntdll!EtwEnumerateProcessRegGuids+0x216
    00000000`07dff040 00000000`76f775f4 : 00000000`00260000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlQueryProcessLockInformation+0x972
    00000000`07dff070 00000000`76f1dc8f : 00000000`02b57200 00000000`00260000 00000000`02b57210 000007fe`fddb4981 : ntdll!RtlLogStackBackTrace+0x444
    00000000`07dff0a0 000007fe`fd161582 : 00000000`00000000 00000000`02b57210 00000000`08255a38 00000000`08251660 : ntdll!RtlIsDosDeviceName_U+0x1420f
    00000000`07dff120 000007fe`fdda7a72 : 00000000`02b57210 00000000`08251660 00000000`08251660 00000000`76db307a : KERNELBASE!LocalFree+0x32
    00000000`07dff160 000007fe`fdda7b9e : 000007fe`fd5908c0 000007fe`fdda9cee 000007fe`fdda7ea0 000007fe`fb6e0b75 : shell32!SHChangeNotification_Unlock+0x802
    00000000`07dff190 000007fe`fddaa1e5 : 00000000`00000000 000007fe`fdda9de7 000007fe`fdda7ea0 000007fe`fddb6909 : shell32!SHChangeNotification_Unlock+0x92e
    00000000`07dff1c0 000007fe`fd552d2f : 00000000`082257e8 00000000`08225760 00000000`081e8c80 000007fe`fdda7e92 : shell32!ILFree+0x2a5
    00000000`07dff1f0 000007fe`fd551bb3 : 00000000`07dff290 00000000`07dff860 00000000`081e8c80 000007fe`fdda9d64 : shlwapi!StrCmpCW+0x2f
    00000000`07dff220 000007fe`fdeb21fc : 00000000`00000001 00000000`07dff860 00000000`00000000 000007fe`fd551c19 : shlwapi!Ordinal268+0x23
    00000000`07dff250 000007fe`fddaa1e5 : 00000000`00000000 00000000`00000001 00000000`08251680 000042de`c66016b3 : shell32!SHSetTemporaryPropertyForItem+0x35bc
    00000000`07dff280 000007fe`fde6245b : 00000000`00000000 00000000`08251600 00000000`08251410 00000000`08251438 : shell32!ILFree+0x2a5
    00000000`07dff2b0 000007fe`fdd98f95 : 00000000`00000d98 00000000`07dff860 00000000`08251438 000007fe`fe1655b6 : shell32!Ordinal870+0x6ab
    00000000`07dff2e0 000007fe`fdd47398 : 00000000`00000002 00000000`081595c0 00000000`07dff860 00000000`08251438 : shell32!SHCLSIDFromString+0x15a5
    00000000`07dff760 000007fe`f0bec770 : 00000000`081d2680 00000000`76ca62b2 80010000`02010000 00000000`00000000 : shell32!SHCreateShellFolderView+0xfa8
    00000000`07dff7d0 000007fe`f0bbbe50 : 00000000`082dd300 00000000`08306110 00000000`00000000 00000000`00000000 : EXPLORERFRAME!DllCanUnloadNow+0x31660
    00000000`07dff900 000007fe`fddaf0eb : 80000000`01000000 00000000`07dff990 00000000`082dd300 00000000`0000000a : EXPLORERFRAME!DllCanUnloadNow+0xd40
    00000000`07dff930 000007fe`fddb2c8a : 00000000`082dd300 00000000`00000000 00000000`082dd300 00000000`00000002 : shell32!Ordinal767+0x63b
    00000000`07dff960 000007fe`fddb2de2 : 00000000`081b41c0 00000000`081b41c0 00000000`00000000 00000000`002af918 : shell32!SHGetPropertyStoreForWindow+0x160a
    00000000`07dffa00 000007fe`fd553843 : 000007ff`fff8a000 00000000`002f1350 00000000`002a5710 00000000`002af918 : shell32!SHGetPropertyStoreForWindow+0x1762
    00000000`07dffa30 00000000`76ed15ab : 00000000`0821eae0 00000000`0821eae0 00000000`00000000 00000000`00000006 : shlwapi!IUnknown_GetWindow+0x68f
    00000000`07dffa60 00000000`76ed0c26 : 00000000`00000000 00000000`081b4220 00000000`002a5710 00000000`0821ea88 : ntdll!TpCallbackMayRunLong+0x32b
    00000000`07dffb40 00000000`76da652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlRealSuccessor+0x136
    00000000`07dffe40 00000000`76edc521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
    00000000`07dffe70 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
    SYMBOL_NAME:  heap_corruption!heap_corruption
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: heap_corruption
    IMAGE_NAME:  heap_corruption
    STACK_COMMAND:  ~29s; .ecxr ; kb
    FAILURE_BUCKET_ID:  HEAP_CORRUPTION_c0000374_heap_corruption!heap_corruption
    BUCKET_ID:  X64_APPLICATION_FAULT_HEAP_CORRUPTION_WRONG_SYMBOLS_heap_corruption!heap_corruption
    WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17567/4d672ee4/ntdll_dll/6_1_7601_17514/4ce7c8f9/c0000374/000c40f2.htm?Retriage=1
    Followup: MachineOwner
    ---------
    0:029> lmvm ntdll
    start             end                 module name
    00000000`76eb0000 00000000`77059000   ntdll      (export symbols)       ntdll.dll
        Loaded symbol image file: ntdll.dll
        Image path: C:\Windows\System32\ntdll.dll
        Image name: ntdll.dll
        Timestamp:        Sat Nov 20 14:11:21 2010 (4CE7C8F9)
        CheckSum:         001B55EA
        ImageSize:        001A9000
        File version:     6.1.7601.17514
        Product version:  6.1.7601.17514
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        2.0 Dll
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     ntdll.dll
        OriginalFilename: ntdll.dll
        ProductVersion:   6.1.7601.17514
        FileVersion:      6.1.7601.17514 (win7sp1_rtm.101119-1850)
        FileDescription:  NT Layer DLL
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
    -------------------------------------------------------------------------------------------------------------------------------------------------------
    There is a problem with ntdll.dll. Run sfc /scannow and check if this solve your problem. If not, perform a repair install of your OS.

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

    Friday, July 15, 2011 6:42 PM
  • I had this problem once when i had Explorer shell extensions like winrar/notepad++ when they were not complaint with x64 platform

    install autoruns, go to explorer and check what extensions you have, try to disable them one by one , restart and check 

     

     

    Saturday, July 16, 2011 8:04 AM
  • Thanks for the input Mr X and George.

    I'll give both suggestions a try and let you know if it helps.

    Monday, July 18, 2011 11:25 AM
  • Have you installed any Shell Extensions (things that augment the functionality of Explorer)?  So many packages add Shell Extensions that a faulty one (or a conflict between two) might be responsible for the fault you're seeing.

    There are some good free tools for checking to see what's installed.  Specifically for Shell Extensions I'd recommend ShellExView.

    I like that package because it will show you non-Microsoft software highlighted in red, making it easy to see what 3rd party software you have installed.  It can also be used to disable specific shell extensions as I recall.

    It would also be a good idea to check your Windows logs (e.g., System, Application) to see if you're getting errors logged that might help point you in the right direction.

    -Noel

    Tuesday, July 19, 2011 12:08 AM
  • The third-party modules loaded were:

    Autodesk, Inc.  C:\Windows\System32\AcSignIcon.dll
    Autodesk, Inc.  C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll
    LogMeIn, Inc.   C:\Windows\System32\LMIRfsClientNP.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mytilus3_worker.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mytilus3.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\Res0900\McShield.DLL

    Given that it is heap corruption, and page heap was not enabled for Explorer.exe before it crashed, there isn't enough there to point a finger at what caused the heap corruption. So it's not that NTDLL.DLL is bad necessarily, but that we commonly fail in NTDLL.DLL when there is heap corruption.

    I would just try disabling the Autodesk and LogMeIn DLLs first to see if the crashes go away.

    Tuesday, July 19, 2011 1:02 AM
  • The third-party modules loaded were:

    Autodesk, Inc.  C:\Windows\System32\AcSignIcon.dll
    Autodesk, Inc.  C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll
    LogMeIn, Inc.   C:\Windows\System32\LMIRfsClientNP.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mytilus3_worker.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mytilus3.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\Res0900\McShield.DLL

    Given that it is heap corruption, and page heap was not enabled for Explorer.exe before it crashed, there isn't enough there to point a finger at what caused the heap corruption. So it's not that NTDLL.DLL is bad necessarily, but that we commonly fail in NTDLL.DLL when there is heap corruption.

    I would just try disabling the Autodesk and LogMeIn DLLs first to see if the crashes go away.

    What's the best way to disable them?

    I tried regsvr32 /u C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll but received the error message:

    "The module "C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll" was loaded by the entry-point DLLUnregisterServer was not found. Make sure that "C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll " is a calid DLL or OCX file and then try again.

     

    I can rename them but I feel there is a better way.

    Tuesday, July 19, 2011 4:09 PM
  • I mentioned one way:  Download and run ShellExView

    Right-click on the item you want to disable and choose (you guessed it) "Disable Selected Items".

    -Noel

    Tuesday, July 19, 2011 5:42 PM
    1. Launch the Autoruns Sysinternals tool.

      http://technet.microsoft.com/en-us/sysinternals/bb963902

    2. On the Options menu select Hide Microsoft and Windows entries.

    3. On the File menu click Refresh (or just hit F5).

    4. Look at the Explorer tab for things that are loading under Explorer.exe.

    • Marked as answer by Niki Han Wednesday, July 27, 2011 10:07 AM
    Tuesday, July 19, 2011 6:08 PM

  • The third-party modules loaded were:

    Autodesk, Inc.  C:\Windows\System32\AcSignIcon.dll
    Autodesk, Inc.  C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll
    LogMeIn, Inc.   C:\Windows\System32\LMIRfsClientNP.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mytilus3_worker.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scriptsn.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\mytilus3.dll
    McAfee, Inc.   C:\Program Files (x86)\McAfee\VirusScan Enterprise\Res0900\McShield.DLL

    Given that it is heap corruption, and page heap was not enabled for Explorer.exe before it crashed, there isn't enough there to point a finger at what caused the heap corruption. So it's not that NTDLL.DLL is bad necessarily, but that we commonly fail in NTDLL.DLL when there is heap corruption.

    I would just try disabling the Autodesk and LogMeIn DLLs first to see if the crashes go away.

    What's the best way to disable them?

    I tried regsvr32 /u C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll but received the error message:

     

    "The module "C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll" was loaded by the entry-point DLLUnregisterServer was not found. Make sure that "C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll " is a calid DLL or OCX file and then try again.

     

     

    I can rename them but I feel there is a better way.

    *thumbs up* log-me-in and Autodesk
    Tuesday, July 19, 2011 9:22 PM
  • I've disabled Autodesk and will wait before disabling LogMeIn, I'll keeo you updated.

     

    Thanks for the help thus far.

    Wednesday, July 20, 2011 1:33 PM
  • I've disabled everything under autoruns and it still will randomly crash. Any other ideas?

    The next thing I'm going to try it re-installing SP1.

    • Proposed as answer by webspinner Thursday, July 12, 2012 4:28 AM
    • Unproposed as answer by webspinner Thursday, July 12, 2012 4:29 AM
    Wednesday, August 3, 2011 7:30 PM
  • You might try the following.  I had almost any program I would try to open apparently crashing Explorer.

    Open Control Panel and review installed programs.  If you see ad software such as Conduit, uninstall it.  In my case I have not had a single Explorer crash since I removed Conduit.  The fact that there have been  no crashes since I uninstalled Conduit seems to confirm it was a problem.  Conduit and other ad serving software may be on your computer without your knowledge.  Conduit came bundled with one of the nicer programs I use.  I just did not spot it when I was installing the program.  

    I stress that this was my experience.  I have no interests or relationship with any business such as or similar to Conduit, nor do I work or campaign for anyone who may have reason/desire to give them a bad name.  Your mileage in trying what I did may vary.  You might also contact the vendor of any program that you suspect to be causing the crashes, they may be able to offer a fix of their own.  

    One Last Item:  BEFORE you uninstall, and IF you know the program the ad ware came with, check to make sure that removal does not render the program useless or subject you to a fee if ad support is removed.

    Thursday, July 12, 2012 4:44 AM