zan2828 (Member; Posts: 25; Donations: 0.00 USD; Country: United States)

Everything posted by zan2828

  1. When I press Start and type a file name into the search field, both the initial result and "Search Everywhere" are highlighted, so that when I press enter, Advanced Search results open. How can I change this behavior so that only the search result is highlighted, and when I press enter, the file opens? When programs are searched, only the search result is highlighted. Seems like this annoyance only occurs for files.
  2. How would I go about setting a breakpoint so that the debugging breaks when the module unloads?
  3. Impressive. I think I can manage from here. I am very grateful for all your help, and I have learned a lot as well from your methodical and detailed posts. If you don't mind me asking, do you do this sort of work for a living, or is it simply a hobby?
  4. I found it. Debugger attached to explorer, prior to viewing folder:

     0:016> u kernel32!isdebuggerpresent
     kernel32!IsDebuggerPresent:
     7c813123 64a118000000    mov     eax,dword ptr fs:[00000018h]
     7c813129 8b4030          mov     eax,dword ptr [eax+30h]
     7c81312c 0fb64002        movzx   eax,byte ptr [eax+2]
     7c813130 c3              ret
     7c813131 90              nop
     7c813132 90              nop
     7c813133 90              nop
     7c813134 90              nop
     0:016> !chkimg kernel32 -d
     0 errors : kernel32

     I then input "g" to let the debuggee run, proceed to view the folder, then Ctrl+Break.

     0:016> !chkimg kernel32
     6 errors : kernel32 (7c813123-7c813128)
     0:016> u kernel32!isdebuggerpresent
     kernel32!IsDebuggerPresent:
     *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Combined Community Codec Pack\Filters\Mpeg2DecFilter.ax -
     7c813123 e90894ea86      jmp     Mpeg2DecFilter!DllUnregisterServer+0x40 (036bc530)   // here it is!
     7c813128 cc              int     3
     7c813129 8b4030          mov     eax,dword ptr [eax+30h]
     7c81312c 0fb64002        movzx   eax,byte ptr [eax+2]
     7c813130 c3              ret
     7c813131 90              nop
     7c813132 90              nop
     7c813133 90              nop

     However, start/shutdown does not crash explorer immediately upon viewing of the folder. This is what I am confused about. Any ideas?
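     The comparison the poster did by hand above (a clean "u" listing, then a second listing after the folder was browsed, plus "!chkimg") can be automated. The following is an added example, not code from the thread or from any of the tools it mentions: it parses the two WinDbg listings quoted in the post, byte-compares them the way !chkimg does, and flags the entry point as inline-hooked when the first instruction has become a rel32 jmp into a different module. The listings are constructed from the post's own text; the module name matching on the jmp operand is an assumption about WinDbg's symbol format.

```python
import re

# Constructed sample: the two "u kernel32!IsDebuggerPresent" listings quoted
# in the post above, before and after browsing the folder.
BEFORE = """kernel32!IsDebuggerPresent:
7c813123 64a118000000    mov     eax,dword ptr fs:[00000018h]
7c813129 8b4030          mov     eax,dword ptr [eax+30h]
7c81312c 0fb64002        movzx   eax,byte ptr [eax+2]
7c813130 c3              ret
7c813131 90              nop
"""

AFTER = """kernel32!IsDebuggerPresent:
7c813123 e90894ea86      jmp     Mpeg2DecFilter!DllUnregisterServer+0x40 (036bc530)
7c813128 cc              int     3
7c813129 8b4030          mov     eax,dword ptr [eax+30h]
7c81312c 0fb64002        movzx   eax,byte ptr [eax+2]
7c813130 c3              ret
7c813131 90              nop
"""

# One disassembly row: address, opcode bytes, mnemonic, operands.
ROW_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\S+)\s*(.*)$")


def parse_listing(text):
    """Parse WinDbg 'u' output into (addr, bytes, mnemonic, operands) rows."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2)),
                         m.group(3), m.group(4)))
    return rows


def changed_ranges(before_rows, after_rows):
    """Byte-compare the two listings like !chkimg does and return the
    patched address ranges as (first, last) tuples."""
    b = b"".join(r[1] for r in before_rows)
    a = b"".join(r[1] for r in after_rows)
    base = before_rows[0][0]
    n = min(len(a), len(b))
    ranges, start = [], None
    for i in range(n):
        if a[i] != b[i] and start is None:
            start = i
        elif a[i] == b[i] and start is not None:
            ranges.append((base + start, base + i - 1))
            start = None
    if start is not None:
        ranges.append((base + start, base + n - 1))
    return ranges


def detect_inline_hook(before_text, after_text, own_module="kernel32"):
    """Report whether the function entry was overwritten with a jmp that
    leaves its own module, the classic shape of an inline hook."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    result = {"hooked": False, "patched": changed_ranges(before, after),
              "target": None, "target_module": None}
    addr, code, mnem, ops = after[0]
    if mnem == "jmp" and len(code) == 5 and code[0] == 0xE9:
        # rel32 jmp: target = address of next instruction + signed displacement
        disp = int.from_bytes(code[1:5], "little", signed=True)
        result["target"] = (addr + 5 + disp) & 0xFFFFFFFF
        m = re.match(r"(\w+)!", ops)          # module name from "mod!symbol"
        result["target_module"] = m.group(1) if m else None
        result["hooked"] = result["target_module"] != own_module
    return result


if __name__ == "__main__":
    r = detect_inline_hook(BEFORE, AFTER)
    print("hooked:", r["hooked"], "target: %08x" % r["target"],
          "patched:", ["%08x-%08x" % p for p in r["patched"]])
```

     Run on the post's listings this reproduces the "6 errors (7c813123-7c813128)" range that !chkimg reported and resolves the jmp to 036bc530 inside Mpeg2DecFilter, which is the evidence that the entry point was redirected out of kernel32. The same comparison is worth scripting over every exported function of a module rather than one, since a hook that hides from one check rarely hides from a full-image byte compare.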
  5. Finally, we may have found the culprit. http://www.adrive.com/public/e62af6a25841d...454a4990ba.html Dump generated after explorer hangs with the "ba w1 kernel32!isdebuggerpresent" breakpoint. This happened as explorer was generating thumbnails for a video folder. It appears to be consistent too: after explorer reloads and I have the debugger set up again, I can cause a hang by browsing through the same folder again. I noticed that explorer was not able to generate a thumbnail for a certain file. Isolating that file in its own folder, I can induce a hang just by accessing that folder. However, running with the debugger off, I access the folder and then shut down, but the error does not occur. So it is still a mystery to me. I await your findings. Thank you.
  6. Doesn't work. However: would this be useful? Only those two addresses would be accepted by the debugger.
  7. 0:016> x kernel32!IsDebuggerPresent
     7c813123 kernel32!IsDebuggerPresent = <no type information>

     "ba w4 7c813123" also returns a syntax error. However, inputting "ba w4 7599840c" (the return address of the function) is accepted by the debugger. Is this correct?
  8. Which command should I be entering? The 1st one returns "syntax error: data breakpoint must be aligned" and the 2nd just returns "syntax error". A quick Google search shows that the correct syntax should be ba w4 <target address>. How would I go about finding the target address for "kernel32!IsDebuggerPresent"? Thanks.
  9. 3 dump folders, rar'd: hang1crash, hang1nocrash, crash. http://www.adrive.com/public/bcb90437c39b9...59ef35a457.html
  10. The most frustrating thing about this problem is that I cannot easily reproduce it. It does not happen every time I try to shut down. The exact sequence of events: 1. Start, Shut Down. 2. A bit of hard disk activity/busy mouse pointer is present. 3. Error message: "Windows explorer has encountered a problem and needs to close. Click OK", etc. The shutdown option menu does not load. It will stop, allowing me to click OK. When I do, explorer crashes and reloads. I am then able to shut down normally. I will have the crash dump uploaded within the next day.
  11. http://www.adrive.com/public/a37998f403844...948224434f.html (try copying and pasting the link if it doesn't connect) Complete dump (no crash) and 2 DLLs. I have the explorer crash dump ready to upload if you need it. Thanks.
  12. I feel stupid. I know why the dump is corrupt. I would press reset right after seeing the blue screen, assuming the dump was complete as soon as the screen popped up. I now know to let the memory dump timer finish before rebooting. Would you still prefer a complete memory dump or will a kernel dump suffice?
  13. http://www6.sendthisfile.com/d.jsp?t=Y0Bu3...yG9yvITNqwHsYtG Alright, I have the complete memory dump along with 2 DLLs uploaded. Thank you once again for your help.
  14. Well, I'm back because the problem is back. I have the complete system dump and 2 DLLs ready; the problem is finding a suitable place to upload this beast of a file (the RAR is 1.3 GB). Any suggestions?
  15. I seemed to have finally solved the problem, although it may just be hiding itself momentarily, like problems seem to do. I re-installed my Nvidia drivers to fix a completely unrelated problem, and explorer.exe has not crashed on shutdown for two days now. This goes perfectly with what you mentioned about the display setting function being hooked by something. In addition, the error messages that appear in the event viewer are nearly identical to the ones mentioned in this thread: http://forums.nvidia.com/lofiversion/index.php?t61227.html If I do not post back, it means that my problem has indeed been fixed. Thank you all very much for your help.
  16. HKLM\SECURITY\Policy\Secrets\SAC*                                                                       5/28/2008 7:34 PM   0 bytes    Key name contains embedded nulls (*)
      HKLM\SECURITY\Policy\Secrets\SAI*                                                                       5/28/2008 7:34 PM   0 bytes    Key name contains embedded nulls (*)
      C:\Documents and Settings\Billy Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\g34fzsyr.default\Cache\C6935067d01   6/7/2008 8:09 PM   50.26 KB   Hidden from Windows API.
      C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb                                                  6/7/2008 8:05 PM    64.00 KB   Visible in Windows API, but not in MFT or directory index.

      Output of rootkit scan. Does anything look suspicious?
  17. As you requested:

      Volume in drive C is Stuff
      Volume Serial Number is E8A6-DB4E

      Directory of C:\WINDOWS\system32

      12/20/1999  01:16 PM            15,360 asfsipc.dll
                     1 File(s)         15,360 bytes

          Total Files Listed:
                     1 File(s)         15,360 bytes
                     0 Dir(s)  50,379,988,992 bytes free

      uxtheme.dll is the only system DLL I have replaced, and I can confirm that the crashes existed prior to my replacing it. I have two other systems with a modified uxtheme.dll and the problem does not occur. As for game emulation or cracks, I don't have anything of the sort installed. I'll try out your suggestions. Thank you so much, though, for narrowing it down. Just wondering: from which dump were you able to extract all this information?
  18. ADplus 1st and 2nd chance memory dump, WinDbg output:

      0:000> !analyze -v
      *******************************************************************************
      *                        Exception Analysis                                   *
      *******************************************************************************
      *** Your debugger is not using the correct symbols
      *** In order for this command to work properly, your symbol path
      *** must point to .pdb files that have full type information.
      *** Certain .pdb files (such as the public OS symbols) do not
      *** contain the required information. Contact the group that
      *** provided you with these symbols if you need this command to
      *** work.
      *** Type referenced: kernel32!pNlsUserInfo

      FAULTING_IP:
      +0
      00000000 ??              ???

      EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
      ExceptionAddress: 00000000
         ExceptionCode: 80000003 (Break instruction exception)
        ExceptionFlags: 00000000
      NumberParameters: 0

      FAULTING_THREAD:  00000adc
      DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT
      PROCESS_NAME:  explorer.exe
      ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.
      NTGLOBALFLAG:  0
      APPLICATION_VERIFIER_FLAGS:  0
      PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT
      BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT
      LAST_CONTROL_TRANSFER:  from 7c90da8c to 7c90e4f4

      STACK_TEXT:
      01a8fe14 7c90da8c 77e765e3 000001b0 01a8ff74 ntdll!KiFastSystemCallRet
      01a8fe18 77e765e3 000001b0 01a8ff74 00000000 ntdll!ZwReplyWaitReceivePortEx+0xc
      01a8ff80 77e76caf 01a8ffa8 77e76ad1 000ba6b0 rpcrt4!LRPC_ADDRESS::ReceiveLotsaCalls+0x12a
      01a8ff88 77e76ad1 000ba6b0 0145f9bc 020a7f88 rpcrt4!RecvLotsaCallsWrapper+0xd
      01a8ffa8 77e76c97 000ba568 01a8ffec 7c80b713 rpcrt4!BaseCachedThreadRoutine+0x79
      01a8ffb4 7c80b713 020c12e0 0145f9bc 020a7f88 rpcrt4!ThreadStartRoutine+0x1a
      01a8ffec 00000000 77e76c7d 020c12e0 00000000 kernel32!BaseThreadStart+0x37

      STACK_COMMAND:  ~0s; .ecxr ; kb
      FOLLOWUP_IP:
      rpcrt4!LRPC_ADDRESS::ReceiveLotsaCalls+12a
      77e765e3 8b7df4          mov     edi,dword ptr [ebp-0Ch]
      SYMBOL_STACK_INDEX:  2
      SYMBOL_NAME:  rpcrt4!LRPC_ADDRESS::ReceiveLotsaCalls+12a
      FOLLOWUP_NAME:  MachineOwner
      MODULE_NAME: rpcrt4
      IMAGE_NAME:  rpcrt4.dll
      DEBUG_FLR_IMAGE_TIMESTAMP:  4802a106
      FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_rpcrt4.dll!LRPC_ADDRESS::ReceiveLotsaCalls
      BUCKET_ID:  APPLICATION_FAULT_STATUS_BREAKPOINT_rpcrt4!LRPC_ADDRESS::ReceiveLotsaCalls+12a
      Followup: MachineOwner
      ---------

      0:001> !analyze -v
      *******************************************************************************
      *                        Exception Analysis                                   *
      *******************************************************************************
      *** Your debugger is not using the correct symbols
      *** In order for this command to work properly, your symbol path
      *** must point to .pdb files that have full type information.
      *** Certain .pdb files (such as the public OS symbols) do not
      *** contain the required information. Contact the group that
      *** provided you with these symbols if you need this command to
      *** work.
      *** Type referenced: kernel32!pNlsUserInfo

      FAULTING_IP:
      +3e6c530
      03e6c530 ??              ???

      EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
      ExceptionAddress: 03e6c530
         ExceptionCode: c0000005 (Access violation)
        ExceptionFlags: 00000000
      NumberParameters: 2
         Parameter[0]: 00000000
         Parameter[1]: 03e6c530
      Attempt to read from address 03e6c530

      DEFAULT_BUCKET_ID:  NULL_INSTRUCTION_PTR
      PROCESS_NAME:  explorer.exe
      ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
      READ_ADDRESS:  03e6c530
      FAILED_INSTRUCTION_ADDRESS:
      +3e6c530
      03e6c530 ??              ???
      NTGLOBALFLAG:  0
      APPLICATION_VERIFIER_FLAGS:  0
      IP_ON_HEAP:  03e6c530
      IP_IN_FREE_BLOCK: 3e6c530
      FAULTING_THREAD:  00000748
      PRIMARY_PROBLEM_CLASS:  NULL_INSTRUCTION_PTR
      BUGCHECK_STR:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR
      LAST_CONTROL_TRANSFER:  from 7599840c to 03e6c530

      STACK_TEXT:
      WARNING: Frame IP not in any known module. Following frames may be wrong.
      0149fa74 7599840c 00000000 02e6acb0 0149fad0 0x3e6c530
      0149fa90 75993a2f 00000002 010464f8 00000000 msgina!CDimmedWindow::Create+0x12
      0149faa4 7ca78a05 0149fac0 0149fad0 010460f8 msgina!_ShellDimScreen+0x67
      0149fcd8 7ca78cca 0001009c 00000002 0149fcfc shell32!CloseWindowsDialog+0x51
      0149fce8 010341ff 0001009c 000001fa 010460f8 shell32!ExitWindowsDialog+0x2a
      0149fcfc 01026668 0001009c 00000000 00000111 explorer!CTray::_DoExitWindows+0x86
      0149fd30 0101c43e 000001fa 00000111 010460f8 explorer!CTray::_Command+0x2da
      0149fde8 01001b5c 00040038 00000111 000001fa explorer!CTray::v_WndProc+0x981
      0149fe0c 7e418734 00040038 00000111 000001fa explorer!CImpWndProc::s_WndProc+0x65
      0149fe38 7e418816 01001b1d 00040038 00000111 user32!InternalCallWinProc+0x28
      0149fea0 7e4189cd 000a04a0 01001b1d 00040038 user32!UserCallWinProcCheckWow+0x150
      0149ff00 7e418a10 0149ff28 00000000 0149ff44 user32!DispatchMessageWorker+0x306
      0149ff10 01001a35 0149ff28 00000000 010460f8 user32!DispatchMessageW+0xf
      0149ff44 0100ffd1 00000000 0149ffb4 77f76f42 explorer!CTray::_MessageLoop+0xd9
      0149ff50 77f76f42 010460f8 0000005c 00000000 explorer!CTray::MainThreadProc+0x29
      0149ffb4 7c80b713 00000000 0000005c 00000000 shlwapi!WrapperThreadProc+0x94
      0149ffec 00000000 77f76ed3 0007fdbc 00000000 kernel32!BaseThreadStart+0x37

      STACK_COMMAND:  ~1s; .ecxr ; kb
      FOLLOWUP_IP:
      msgina!CDimmedWindow::Create+12
      7599840c 8b3d78169775    mov     edi,dword ptr [msgina!_imp__GetSystemMetrics (75971678)]
      SYMBOL_STACK_INDEX:  1
      SYMBOL_NAME:  msgina!CDimmedWindow::Create+12
      FOLLOWUP_NAME:  MachineOwner
      MODULE_NAME: msgina
      IMAGE_NAME:  msgina.dll
      DEBUG_FLR_IMAGE_TIMESTAMP:  4802a149
      FAILURE_BUCKET_ID:  NULL_INSTRUCTION_PTR_c0000005_msgina.dll!CDimmedWindow::Create
      BUCKET_ID:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR_BAD_IP_msgina!CDimmedWindow::Create+12
      Followup: MachineOwner
      ---------

      Here are dumps. http://rapidshare.com/files/120695269/Cras...1-17PM.rar.html
  19. It crashed again, this time with DEP turned off. The dump is exactly the same as last time. I'm really at a loss as to what is going on. As I mentioned in my first post, formatting the system did nothing to fix the problem. I am going to attach the relevant portion of the Dr. Watson log, if it helps any. I also was able to make another log by following these instructions: http://www.msfn.org/board/Creating-memory-dumps-t90244.html Again, thank you for your efforts. Attachments: log.txt, PID_1840__EXPLORER.EXE__Date_06_06_2008__Time_18_41_17PM.rar, user.rar
  20. Crashed again; here is another dump file. I will try the boot.ini edit like you suggested. Also, is there a process by which I can make more meaningful dumps? Just now, I set Dr. Watson to generate full instead of mini dumps, and I noticed that the application errors were tagged with <nosymbols>. Where can I get appropriate symbols? Attachment: user.rar
  21. I haven't tried disabling DEP entirely or via the boot.ini method, but I have disabled it for explorer through the System Properties menu. Now, instead of getting DEP error messages, I just get a generic Application Error message when explorer crashes. However, my antivirus caught something new (a variant of Win32/Injector.AU) with yesterday's definition update, so this problem MAY be due to an infiltration that was lurking around undetected. A Microsoft employee on a WinDbg Google Group browsing the minidump output believes it is a virus too. I haven't crashed since then. I'll keep you posted. Here is the link to the other discussion, BTW. http://groups.google.com/group/microsoft.p...b941315d717753c
  22. Yes, I will upload a dump. Attachment: user.rar
  23. Hello, I am using Windows XP Professional SP3, and for the past few weeks explorer.exe has been crashing when I attempt to shut down the system. Instead of displaying the shutdown dialog with the usual options, there is a momentary stall and explorer.exe crashes with an Application Error. I have since checked the RAM with Memtest, reformatted the system, and checked for spyware/malware, but the issue persists. Perhaps one of you will be able to help me in analyzing the minidump. The last three digits in the faulting address (530) are consistent across all the dumps, and the named faulting module, msgina.dll, is also consistent, which leads me to believe that this is not the result of faulty hardware. Below is the output of a recent minidump, generated by WinDbg.

      0:001> !analyze -v
      *******************************************************************************
      *                        Exception Analysis                                   *
      *******************************************************************************
      *** Your debugger is not using the correct symbols
      *** In order for this command to work properly, your symbol path
      *** must point to .pdb files that have full type information.
      *** Certain .pdb files (such as the public OS symbols) do not
      *** contain the required information. Contact the group that
      *** provided you with these symbols if you need this command to
      *** work.
      *** Type referenced: kernel32!pNlsUserInfo

      FAULTING_IP:
      +4d2c530
      04d2c530 ??              ???

      EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
      ExceptionAddress: 04d2c530
         ExceptionCode: c0000005 (Access violation)
        ExceptionFlags: 00000000
      NumberParameters: 2
         Parameter[0]: 00000000
         Parameter[1]: 04d2c530
      Attempt to read from address 04d2c530

      DEFAULT_BUCKET_ID:  NULL_INSTRUCTION_PTR
      PROCESS_NAME:  explorer.exe
      ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
      READ_ADDRESS:  04d2c530
      FAILED_INSTRUCTION_ADDRESS:
      +4d2c530
      04d2c530 ??              ???
      IP_ON_HEAP:  04d2c530
      FAULTING_THREAD:  00000780
      PRIMARY_PROBLEM_CLASS:  NULL_INSTRUCTION_PTR
      BUGCHECK_STR:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR
      LAST_CONTROL_TRANSFER:  from 7599840c to 04d2c530

      STACK_TEXT:
      WARNING: Frame IP not in any known module. Following frames may be wrong.
      0150fa74 7599840c 00000000 01aee468 0150fad0 0x4d2c530
      0150fa90 75993a2f 00000002 010464f8 00000000 msgina!CDimmedWindow::Create+0x12
      0150faa4 7ca78a05 0150fac0 0150fad0 010460f8 msgina!_ShellDimScreen+0x67
      0150fcd8 7ca78cca 0001009c 00000002 0150fcfc shell32!CloseWindowsDialog+0x51
      0150fce8 010341ff 0001009c 000001fa 010460f8 shell32!ExitWindowsDialog+0x2a
      0150fcfc 01026668 0001009c 00000000 00000111 explorer!CTray::_DoExitWindows+0x86
      0150fd30 0101c43e 000001fa 00000111 010460f8 explorer!CTray::_Command+0x2da
      0150fde8 01001b5c 0003004e 00000111 000001fa explorer!CTray::v_WndProc+0x981
      0150fe0c 7e418734 0003004e 00000111 000001fa explorer!CImpWndProc::s_WndProc+0x65
      0150fe38 7e418816 01001b1d 0003004e 00000111 user32!InternalCallWinProc+0x28
      0150fea0 7e4189cd 000a04d8 01001b1d 0003004e user32!UserCallWinProcCheckWow+0x150
      0150ff00 7e418a10 0150ff28 00000000 0150ff44 user32!DispatchMessageWorker+0x306
      0150ff10 01001a35 0150ff28 00000000 010460f8 user32!DispatchMessageW+0xf
      0150ff44 0100ffd1 00000000 0150ffb4 77f76f42 explorer!CTray::_MessageLoop+0xd9
      0150ff50 77f76f42 010460f8 0000005c 00000000 explorer!CTray::MainThreadProc+0x29
      0150ffb4 7c80b713 00000000 0000005c 00000000 shlwapi!WrapperThreadProc+0x94
      0150ffec 00000000 77f76ed3 0007fdbc 00000000 kernel32!BaseThreadStart+0x37

      STACK_COMMAND:  ~1s; .ecxr ; kb
      FOLLOWUP_IP:
      msgina!CDimmedWindow::Create+12
      7599840c 8b3d78169775    mov     edi,dword ptr [msgina!_imp__GetSystemMetrics (75971678)]
      SYMBOL_STACK_INDEX:  1
      SYMBOL_NAME:  msgina!CDimmedWindow::Create+12
      FOLLOWUP_NAME:  MachineOwner
      MODULE_NAME: msgina
      IMAGE_NAME:  msgina.dll
      DEBUG_FLR_IMAGE_TIMESTAMP:  4802a149
      FAILURE_BUCKET_ID:  NULL_INSTRUCTION_PTR_c0000005_msgina.dll!CDimmedWindow::Create
      BUCKET_ID:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR_BAD_IP_msgina!CDimmedWindow::Create+12
      Followup: MachineOwner
      ---------

      I would be very grateful for any assistance you may be able to provide. Thank you. P.S. How do I post a non-scrolling codebox?
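     The !analyze output quoted in this post (and the near-identical ones earlier in the thread) carries the whole story in a handful of fields: an access violation at an address that is on the heap, a "Frame IP not in any known module" warning, and a first symbolised caller in msgina.dll. The following is an added example, not code from the thread or from WinDbg: it parses an abridged copy of the post's output into those fields and turns them into a triage verdict that separates "crash inside a loaded module" from "control was transferred into non-image memory", the pattern that in this thread turned out to be a hooked function. The sample text is constructed from the post; the field names are WinDbg's own.

```python
import re

# Constructed sample: an abridged copy of the "!analyze -v" output quoted in
# the post above (symbol warnings and some fields omitted for brevity).
SAMPLE = """FAULTING_IP:
+4d2c530
04d2c530 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 04d2c530
   ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
PROCESS_NAME:  explorer.exe
IP_ON_HEAP:  04d2c530
LAST_CONTROL_TRANSFER:  from 7599840c to 04d2c530

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0150fa74 7599840c 00000000 01aee468 0150fad0 0x4d2c530
0150fa90 75993a2f 00000002 010464f8 00000000 msgina!CDimmedWindow::Create+0x12
0150faa4 7ca78a05 0150fac0 0150fad0 010460f8 msgina!_ShellDimScreen+0x67
0150fcd8 7ca78cca 0001009c 00000002 0150fcfc shell32!CloseWindowsDialog+0x51

MODULE_NAME: msgina
IMAGE_NAME:  msgina.dll
"""

# One "kb" frame: child-ebp, return address, three args, symbol.
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")


def parse_analyze(text):
    """Pull the triage-relevant fields out of !analyze -v output."""
    info = {"exception_code": None, "faulting_ip": None, "process": None,
            "module": None, "ip_on_heap": False, "unknown_frame": False,
            "frames": []}
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ExceptionCode:"):
            info["exception_code"] = int(line.split()[1], 16)
        elif line.startswith("ExceptionAddress:"):
            info["faulting_ip"] = int(line.split()[1], 16)
        elif line.startswith("PROCESS_NAME:"):
            info["process"] = line.split()[1]
        elif line.startswith("MODULE_NAME:"):
            info["module"] = line.split()[1]
        elif line.startswith("IP_ON_HEAP:"):
            info["ip_on_heap"] = True
        elif line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            if "Frame IP not in any known module" in line:
                info["unknown_frame"] = True
                continue
            m = FRAME_RE.match(line)
            if m:
                info["frames"].append(m.group(3))
            elif line:               # first non-frame, non-blank line ends the stack
                in_stack = False
    return info


def triage(info):
    """Decide whether the fault is a plain crash in a module or a transfer of
    control into memory that is not backed by any loaded image."""
    symbolised = [f for f in info["frames"] if "!" in f]
    caller = symbolised[0] if symbolised else None
    suspicious = (info["exception_code"] == 0xC0000005
                  and info["ip_on_heap"] and info["unknown_frame"])
    if suspicious:
        verdict = ("execution transferred to non-image (heap) memory; the call "
                   "made from %s is worth checking for a hook or patched import"
                   % caller)
    else:
        verdict = "fault inside a loaded module; ordinary crash analysis applies"
    return {"suspicious": suspicious, "caller": caller,
            "faulting_ip": info["faulting_ip"], "verdict": verdict}


if __name__ == "__main__":
    summary = triage(parse_analyze(SAMPLE))
    print("%08x" % summary["faulting_ip"], summary["verdict"])
```

     On the post's data this flags the fault as a transfer into heap memory made from msgina!CDimmedWindow::Create+0x12, the instruction shown under FOLLOWUP_IP that reads the GetSystemMetrics import pointer. That is exactly the thread's eventual diagnosis (a display-related function hooked by a third-party module), and it is the check to run first whenever the faulting IP changes between dumps while the caller does not.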