zan2828


  1. When I press Start and type a file name into the search field, both the initial result and "Search Everywhere" are highlighted, so that when I press enter, Advanced Search results open. How can I change this behavior so that only the search result is highlighted, and when I press enter, the file opens? When programs are searched, only the search result is highlighted. Seems like this annoyance only occurs for files.
  2. How would I go about setting a breakpoint so that the debugging breaks when the module unloads?
  3. Impressive. I think I can manage from here. I am very grateful for all your help, and I have learned a lot as well from your methodical and detailed posts. If you don't mind me asking, do you do this sort of work for a living, or is it simply a hobby?
  4. I found it. Debugger attached to explorer, prior to viewing folder:

         0:016> u kernel32!isdebuggerpresent
         kernel32!IsDebuggerPresent:
         7c813123 64a118000000 mov eax,dword ptr fs:[00000018h]
         7c813129 8b4030 mov eax,dword ptr [eax+30h]
         7c81312c 0fb64002 movzx eax,byte ptr [eax+2]
         7c813130 c3 ret
         7c813131 90 nop
         7c813132 90 nop
         7c813133 90 nop
         7c813134 90 nop
         0:016> !chkimg kernel32 -d
         0 errors : kernel32

     I then input "g" to let the debuggee run, and proceed to view the folder, then Ctrl+Break.

         0:016> !chkimg kernel32
         6 errors : kernel32 (7c813123-7c813128)
         0:016> u kernel32!isdebuggerpresent
         kernel32!IsDebuggerPresent:
         *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Combined Community Codec Pack\Filters\Mpeg2DecFilter.ax -
         7c813123 e90894ea86 jmp Mpeg2DecFilter!DllUnregisterServer+0x40 (036bc530) // here it is!
         7c813128 cc int 3
         7c813129 8b4030 mov eax,dword ptr [eax+30h]
         7c81312c 0fb64002 movzx eax,byte ptr [eax+2]
         7c813130 c3 ret
         7c813131 90 nop
         7c813132 90 nop
         7c813133 90 nop

     However, start/shutdown does not crash explorer immediately upon viewing of the folder though. This is what I am confused about. Any ideas?
  5. Finally, we may have found the culprit. http://www.adrive.com/public/e62af6a25841d...454a4990ba.html Dump generated after explorer hangs with "ba w1 kernel32!isdebuggerpresent" breakpoint. This happened as explorer was generating thumbnails for a video folder. Appears to be consistent too. After explorer reloads and I have the debugger set up again, I can cause a hang browsing through the same folder again. I noticed that explorer was not able to generate a thumbnail for a certain file. Isolating the particular file in its own folder, I can induce a hang just by accessing that folder. However, running with the debugger off, I access the folder, and then shut down, but the error does not occur. So it is still a mystery to me. I await your findings. Thank you.
  6. Doesn't work. However: would this be useful? Only those two addresses would be accepted by the debugger.
  7. Output of the symbol lookup:

         0:016> x kernel32!IsDebuggerPresent
         7c813123 kernel32!IsDebuggerPresent = <no type information>

     "ba w4 7c813123" also returns a syntax error. However, inputting "ba w4 7599840c (return address of the function)" is accepted by the debugger. Is this correct?
  8. Which command should I be entering? 1st one returns a "syntax error: data breakpoint must be aligned" and 2nd just returns a "syntax error". A quick Google search shows that correct syntax should be ba w4 <target address>. How would I go about finding the target address for "kernel32!IsDebuggerPresent"? Thanks.
  9. 3 dump folders, rar'd: hang1crash, hang1nocrash, crash http://www.adrive.com/public/bcb90437c39b9...59ef35a457.html
  10. The most frustrating thing about this problem is that I cannot easily reproduce it. It does not happen every time I try to shut down. The exact sequence of events: 1. Start, shutdown. 2. A bit of hard disk activity/busy mouse pointer is present. 3. Error msg: Windows explorer has encountered a problem and needs to close. Click OK, etc. The shutdown option menu does not load. It will stop, allowing me to click OK. When I do, explorer crashes and reloads. I am then able to shut down normally. I will have the crashed dump uploaded within the next day.
  11. http://www.adrive.com/public/a37998f403844...948224434f.html (try copying and pasting the link if it doesn't connect) Complete dump (no crash) and 2 DLLs. I have the explorer crashed dump ready to upload if you need it. Thanks.
  12. I feel stupid. I know why the dump is corrupt. I would press reset right after seeing the blue screen, assuming the dump was complete as soon as the screen popped up. I now know to let the memory dump timer finish before rebooting. Would you still prefer a complete memory dump or will a kernel dump suffice?
  13. http://www6.sendthisfile.com/d.jsp?t=Y0Bu3...yG9yvITNqwHsYtG Alright, I have the complete memory dump along with 2 DLLs uploaded. Thank you once again for your help.
  14. Well I'm back because the problem is back. I have the complete system dump and 2 dll's ready, problem is finding a suitable place to upload this beast of a file (rar is 1.3 gig). Any suggestions?
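
Added example (not part of the original posts): the two kernel32!IsDebuggerPresent listings from item 4, compared byte for byte to reproduce the range `!chkimg` reports and to decode where the patched `jmp` lands. The function names are illustrative, and `ba_sizes` assumes the x86 rule that a data breakpoint address must be aligned to its size.

```python
# Added example: byte values are copied from the two WinDbg listings in item 4.
BASE = 0x7C813123  # kernel32!IsDebuggerPresent as shown in the posts

# First 14 bytes before the folder was viewed (clean listing).
CLEAN = bytes.fromhex("64a118000000" "8b4030" "0fb64002" "c3")
# Same range after the folder was viewed (listing that starts with the jmp).
PATCHED = bytes.fromhex("e90894ea86" "cc" "8b4030" "0fb64002" "c3")


def modified_range(clean, patched, base):
    """Return (first_addr, last_addr, count) of differing bytes, or None."""
    diffs = [i for i, (a, b) in enumerate(zip(clean, patched)) if a != b]
    if not diffs:
        return None
    return base + diffs[0], base + diffs[-1], len(diffs)


def decode_jmp_rel32(code, addr):
    """Decode a 5-byte E9 near jump located at addr; return target or None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    # The displacement is relative to the next instruction (addr + 5).
    return (addr + 5 + rel) & 0xFFFFFFFF


def ba_sizes(addr):
    """Data-breakpoint sizes (in bytes) whose alignment rule addr satisfies."""
    return [size for size in (1, 2, 4) if addr % size == 0]


if __name__ == "__main__":
    first, last, count = modified_range(CLEAN, PATCHED, BASE)
    print(f"{count} modified bytes: {first:08x}-{last:08x}")
    print(f"jmp target: {decode_jmp_rel32(PATCHED, BASE):08x}")
    print(f"aligned ba sizes at {BASE:08x}: {ba_sizes(BASE)}")
```

The six differing bytes and the decoded target agree with the `!chkimg` range and the `(036bc530)` operand in the listing, and the alignment check is consistent with `ba w1` being accepted at this address while `ba w4` is rejected.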