Everything posted by cluberti
-
Need assistance analyzing an Explorer Application Error Minidump
cluberti replied to zan2828's topic in Windows XP
I agree with that person as well, and that's why I asked you to disable DEP - it can mask virus issues.
-
Well, you've got 2 PTE corruption dumps in ConanPatcher.exe and AgeOfConan.exe, an NTFS LCB teardown corruption dump accessing pool in a third from the kernel, and the fourth is an actual nonpaged pool corruption dump directly. Since all of these point back to kernel pool memory, and memory corruption, this is one of the few times I'm going to strongly suggest doing a thorough RAM check to make sure that it's not a bad stick. However, these all track back to pool corruption, so it very well may be a kernel mode filter driver causing this as well, that's always a possibility. A complete dump would be more helpful.
-
Yes, when you installed the tool from the link above it did install a Windows Performance Analyzer tool in your start menu to open the .etl file.
-
Need assistance analyzing an Explorer Application Error Minidump
cluberti replied to zan2828's topic in Windows XP
Yes, this is the culprit thread:

    # 1 Id: 76c.784 Suspend: -1 Teb: 7ffdb000 Unfrozen
    ChildEBP RetAddr Args to Child
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0150fa74 7599840c 00000000 039764d0 0150fad0 0x4a3c530
    0150fa90 75993a2f 00000002 010464f8 00000000 msgina!CDimmedWindow::Create+0x12
    0150faa4 7ca78a05 0150fac0 0150fad0 010460f8 msgina!_ShellDimScreen+0x67
    0150fcd8 7ca78cca 0001009c 00000002 0150fcfc shell32!CloseWindowsDialog+0x51
    0150fce8 010341ff 0001009c 000001fa 010460f8 shell32!ExitWindowsDialog+0x2a
    0150fcfc 01026668 0001009c 00000000 00000111 explorer!CTray::_DoExitWindows+0x86
    0150fd30 0101c43e 000001fa 00000111 010460f8 explorer!CTray::_Command+0x2da
    0150fde8 01001b5c 00030048 00000111 000001fa explorer!CTray::v_WndProc+0x981
    0150fe0c 7e418734 00030048 00000111 000001fa explorer!CImpWndProc::s_WndProc+0x65
    0150fe38 7e418816 01001b1d 00030048 00000111 user32!InternalCallWinProc+0x28
    0150fea0 7e4189cd 000a04d8 01001b1d 00030048 user32!UserCallWinProcCheckWow+0x150
    0150ff00 7e418a10 0150ff28 00000000 0150ff44 user32!DispatchMessageWorker+0x306
    0150ff10 01001a35 0150ff28 00000000 010460f8 user32!DispatchMessageW+0xf
    0150ff44 0100ffd1 00000000 0150ffb4 77f76f42 explorer!CTray::_MessageLoop+0xd9
    0150ff50 77f76f42 010460f8 0000005c 00000000 explorer!CTray::MainThreadProc+0x29
    0150ffb4 7c80b713 00000000 0000005c 00000000 shlwapi!WrapperThreadProc+0x94
    0150ffec 00000000 77f76ed3 0007fdbc 00000000 kernel32!BaseThreadStart+0x37

However, there's literally nothing at all even close to loaded in that memory range, and it also looks like msgina is doing a debugger check:

    0:001> ub 7599840c
    msgina!CDimmedWindow::Create+0x3:
    759983fd 8bec mov ebp,esp
    759983ff 51 push ecx
    75998400 51 push ecx
    75998401 53 push ebx
    75998402 56 push esi
    75998403 57 push edi
    75998404 8bf1 mov esi,ecx
    75998406 ff1528139775 call dword ptr [msgina!_imp__IsDebuggerPresent (75971328)]
    0:001> u 75971328
    msgina!_imp__IsDebuggerPresent:
    75971328 2331 and esi,dword ptr [ecx]
    7597132a 817cc4a8827c0031 cmp dword ptr [esp+eax*8-58h],31007C82h
    75971332 817c6eac807ce605 cmp dword ptr [esi+ebp*2-54h],5E67C80h
    7597133a 837cdbae80 cmp dword ptr [ebx+ebx*8-52h],0FFFFFF80h
    7597133f 7cd4 jl msgina!_imp__EnterCriticalSection+0x1 (75971315)
    75971341 25837c64a1 and eax,0A1647C83h
    75971346 807c8ede80 cmp byte ptr [esi+ecx*4-22h],80h
    7597134b 7ccb jl msgina!_imp__LeaveCriticalSection (75971318)

Here's a thought - if you disable DEP entirely (add /noexecute=alwaysoff in your boot.ini), does the problem go away?
-
1, upgrade to the RC1 bits if you can. 2, did you install the hyper-v integration components into the VM?
-
The request never left the browser, because the new window (actually, it looks like it's a tab) was never opened:

    // The UI thread, which is trying to create a new browser window (ieframe!BrowserNewThreadProc),
    // and it's waiting on multiple objects (events, in this case) before it can continue. Since this is the UI
    // thread, it will "hang" IE's UI completely until these events clear...
    . 0 Id: 1f04.1fa4 Suspend: 1 Teb: 7efdd000 Unfrozen
    ChildEBP RetAddr Args to Child
    003be5d4 7636edb5 00000002 003be624 00000001 ntdll!NtWaitForMultipleObjects+0x15
    003be670 7623944c 003be624 003be698 00000000 kernel32!WaitForMultipleObjectsEx+0x11d
    003be6c4 7135605c 00000048 003be6f8 ffffffff user32!RealMsgWaitForMultipleObjectsEx+0x14d
    003be6e4 7135634e 000004ff ffffffff 00000000 ieui!CoreSC::Wait+0x49
    003be70c 71356178 000004ff 00000000 730199b5 ieui!CoreSC::WaitMessage+0x54
    003be718 730199b5 00473698 00451f50 00000000 ieui!WaitMessageEx+0x33
    003be748 7300ac3c 004738d0 003be778 7300bcab ieframe!CBrowserFrame::FrameMessagePump+0x199
    003be754 7300bcab 00000000 00000000 00473698 ieframe!BrowserThreadProc+0x3f
    003be778 7300bbf9 15310008 00473698 00000000 ieframe!BrowserNewThreadProc+0x7b
    003bf7e8 7300baa9 00473698 759d6bc1 00000000 ieframe!SHOpenFolderWindow+0x188
    003bfa18 00a7147c 0046ee88 00000001 00a80070 ieframe!IEWinMain+0x2d9
    003bfe5c 00a71317 00a70000 00000000 00451070 iexplore!wWinMain+0x2c1
    003bfef0 763d19f1 7efde000 003bff3c 7774d109 iexplore!__wmainCRTStartup+0x150
    003bfefc 7774d109 7efde000 003b010d 00000000 kernel32!BaseThreadInitThunk+0xe
    003bff3c 00000000 00a72e45 7efde000 00000000 ntdll!_RtlUserThreadStart+0x23

    // The worker thread spawned to create a new window via the C runtimes and ieui. It's also waiting
    // on multiple event objects in another thread...
    1 Id: 1f04.1d58 Suspend: 1 Teb: 7efda000 Unfrozen
    ChildEBP RetAddr Args to Child
    02aafb68 7636edb5 00000002 02aafbb8 00000001 ntdll!NtWaitForMultipleObjects+0x15
    02aafc04 7623944c 02aafbb8 02aafc2c 00000000 kernel32!WaitForMultipleObjectsEx+0x11d
    02aafc58 7135605c 0000013c 02aafc8c ffffffff user32!RealMsgWaitForMultipleObjectsEx+0x14d
    02aafc78 71359441 000004ff ffffffff 00000001 ieui!CoreSC::Wait+0x49
    02aafcac 71359982 02aafcec 00000000 00000000 ieui!CoreSC::xwProcessNL+0xa4
    02aafccc 713598e0 02aafcec 00000000 00000000 ieui!GetMessageExA+0x44
    02aafd20 760662b6 00000000 0f0ef223 00000000 ieui!ResourceManager::SharedThreadProc+0xb6
    02aafd58 760663de 02aafd6c 763d19f1 00f64648 msvcrt!_callthreadstartex+0x1b
    02aafd60 763d19f1 00f64648 02aafdac 7774d109 msvcrt!_threadstartex+0x5f
    02aafd6c 7774d109 00f64648 02aa039d 00000000 kernel32!BaseThreadInitThunk+0xe
    02aafdac 00000000 7606639b 00f64648 00000000 ntdll!_RtlUserThreadStart+0x23

    // ...and this thread is actually responsible for tracking the window creating, but it failed to create
    // the event proxy, and the new window has stalled/failed):
    2 Id: 1f04.1da0 Suspend: 1 Teb: 7efac000 Unfrozen
    ChildEBP RetAddr Args to Child
    0368f78c 72fff38c 00000000 00000000 004d7b78 user32!NtUserWaitMessage+0x15
    0368f7f0 763d19f1 004e4478 0368f83c 7774d109 ieframe!CTabWindow::_TabWindowThreadProc+0x2d0
    0368f7fc 7774d109 004d7b78 0368060d 00000000 kernel32!BaseThreadInitThunk+0xe
    0368f83c 00000000 72ffe48c 004d7b78 00000000 ntdll!_RtlUserThreadStart+0x23

The HRESULT for this (the return value that CTabWindow::_TabWindowThreadProc actually returns) was 2147483655, which translates to OPERATION_ABORTED. I think what's actually happening is the navigation abort is probably a timing issue in IE7, and the abort is happening early or somesuch and IE gets stuck because the other events are not signaled causing the hang up. If possible, check your PM.
-
Need assistance analyzing an Explorer Application Error Minidump
cluberti replied to zan2828's topic in Windows XP
No, that's incorrect. Whatever was loaded at 0x4d2c530 is the culprit. But because this is a minidump, and because symbols aren't configured, !analyze -v is guessing. Need an actual .dmp file - can it be uploaded somewhere?
-
Trust me, those instructions are easy. Just do what it says, and you'll be OK. Have faith in yourself!
-
How Do I replace shell32 on windows 98 se?
cluberti replied to slangdriver4's topic in Windows 9x/ME
No, MSDN specifically says it was introduced in version 5.0 of shell32. Doesn't matter the year, those are version 4.x, so it's not gonna be in there.
-
Follow the instructions here for gathering a memory dump of the entire system. That can then be analyzed to see what's happening.
-
The OEM / sysprep problem with AMD machines stems from the OEM using a sysprep image created on an Intel machine and placing this image on an AMD box. The Intel power management driver, after SP3, causes the BSODs (because the AMD processor doesn't understand what the Intel driver is saying, in layman's terms, and the box bugchecks). Fresh SP3 installs on an AMD machine should not be a problem.
-
That is my personal opinion on what I debugged, yes. I don't think the bad RAM caused the BSODs, but it would have caused some eventually. However, most bad RAM problems end up in lots of random memory corruption BSODs, not IRQL level issues like this. Those do happen, but they're *really* rare - it's almost always a driver in this case. Glad you found the bad RAM stick before it got ya though.
-
Hardware to replace Xbox Media Center
cluberti replied to tain's topic in Hard Drive and Removable Media
LOL on one of those quotes: "Yes, Apple has done very well attracting those who don't understand technology."
-
That's the tool. Can you post the contents that the tool put into C:\TEMP somewhere for us to take a look at, perhaps?
-
Maybe, but I'd need to see the .dmp file myself.
-
How Do I replace shell32 on windows 98 se?
cluberti replied to slangdriver4's topic in Windows 9x/ME
Looks like you've asked this on multiple boards, but I'll bite. It's saying that their .dll file, exl.dll, is attempting to use an API that is exported by shell32.dll (SHCreateDirectoryExW) and that the .dll doesn't seem to have this export. According to the MSDN page for this API, it seems this wasn't introduced until Windows ME and Windows 2000. So their claim of Win98 support is bogus, because the API they call was not introduced in Windows 98 (as a matter of fact, most "wide" functions, ending in W, were not as per this KB article).
-
Can you put that somewhere? It appears thread 0 (the UI thread) is in a wait on something else in process.
-
One problem (major) - you used a 64bit debugger to dump a 32bit process (wow64). You really should download/install the x86 version of the debugging tools, open a command prompt, and run adplus against the iexplore.exe process (instructions here).
-
Page faulting in nonpaged pool means a driver is attempting to read from memory (RAM) that doesn't have valid data - this will cause a page fault. However, memory in nonpaged pool cannot be paged out (hence the name "nonpaged" pool). This causes the bugcheck you see. As to the dump file, because it's a minidump, the pool information is unavailable. Can you change the dump type to a complete dump, and make sure you have your pagefile set to RAM+50MB for both the MIN and MAX numbers? I know for sure it's a RAW (USB or PS2) device, though, because win32k is in the process of reading the system threads responsible for RAW input:

    0: kd> kb
    ChildEBP RetAddr Args to Child
    ba9a7ac8 bf89fc88 00000000 f000e2c3 00000000 win32k!xxxSwitchDesktop+0x2c
    ba9a7d30 bf884705 ba967490 00000002 ba9a7d54 win32k!RawInputThread+0x4c6
    ba9a7d40 bf80110a ba967490 ba9a7d64 006efff4 win32k!xxxCreateSystemThreads+0x60
    ba9a7d54 8054161c 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23
    ba9a7d54 7c90e4f4 00000000 00000022 00000000 nt!KiFastCallEntry+0xfc
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00000000 00000000 00000000 00000000 00000000 0x7c90e4f4

See if you can get a better (complete) dump.
-
I looked - when you're connecting by name, you're using Kerberos over SMB and your session is set up within 2 hundredths of a second. However, when you connect by IP, the client and server do the same negotiate protocol handshake, the client chooses NTLMSSP_NEGOTIATE, the netapp sends an NTLMSSP_CHALLENGE request, the client sends the netapp its credentials (AONIN1\netsoladm), the netapp ACKs the cred packet, but doesn't respond with the Session Setup AndX Response packet for 16 seconds. The problem is likely on the netapp. The client shows no delays, but the netapp appears to be having trouble with NTLM. Were you able to get the netapp folks to gather a trace from the netapp when you were using the IP to connect? There's nothing client-side here that is at fault, so you'll have to get them to show you what happened on the netapp during those 16 seconds.
-
Why IE only got scrollbar on right, and not left as well?
cluberti replied to JayScore's topic in Windows XP
Yes, left-to-right languages will give you a scrollbar on the left of the screen (text on the right to left). Not sure why this is the de-facto standard, but honestly it makes sense to have the mouse cursor/pointer AWAY from the text (it does take up screen real-estate) to scroll, rather than over it (which it would be, given its right-to-left lean on most cursor patterns). Scroll wheels on mice and keyboards work great for this too, but that's probably not your question.
-
Indeed this is enabled. What is that service used for specifically? When I installed DNS, it turned that on as well, or perhaps it was already running before the machine was given to me for testing... Routing and remote access should only be enabled if you're running a VPN, DHCP Relay agent, or making Windows run as a router.
-
I've only ever seen this before when RRAS was running on the same box (and thus fighting for UDP port 67).
-
open program as "High Priority" from some places
cluberti replied to Eliasrd's topic in Customizing Windows
Why exactly do you want to do this? High priority processes can consume almost all CPU time for their duration, and that can cause... interesting side effects for other applications that might want to do something during this time.