
Windows Explorer crashing and restarting


RYU81



If you can get your box to work in safe mode, consider running ShellExView and Autoruns to disable all non-Microsoft shell extensions and startup items, then reboot regularly and see if that fixes it (almost always does). Then, if you need something you disabled, re-enable things one at a time or in small bunches until the problem returns, and you can then pinpoint what you enabled that caused the problem.


I disable all non-Microsoft shell extensions and startup items and it still shows me the same error. Also I disable all Microsoft shell extensions, only "shell rebar bandsite", but my Explorer.exe is not working.


...you did check for viruses and bad bugs ?? yes?

Yes, nothing there.

A dump of explorer.exe crashing would be nice too - also, if it worked in safe mode but not regularly, something else is amiss :).

How to do it?

Try with disabling Dr. Watson. I know that while running XP I had problem with it.

I disabled Dr. Watson but the error still shows.

Cheers ;)


Well, I hate to sound ornery, but you didn't accomplish disabling shell extensions or startup items as previously suggested. Your explorer "crashed" (and I use this lightly, because it wasn't actually a crash!) due to something using the FindAtom function to find a string, and then calling ExitProcess to kill explorer.exe after it failed - note that this is NOT a call to TerminateProcess, which would forcefully tear it down, but ExitProcess, a graceful exit (similar to clicking the X on a running window to close it - a graceful process shutdown). Something on your machine is actually calling explorer.exe to crash.

I looked at the loaded module list, and found that you have quite a few non-Microsoft modules loaded that I would consider unnecessary for operation, and should be disabled. I did find it very interesting that part of the crash is indeed an exception in a binary (not explorer.exe, though) right before the crash. The eax register shows us this (eax is used as the register to store the return of a call to some function), and it looks like we're hitting an except block in something:

// The registers at the time of the crash, some of which are very important:
0:000> r
eax=77c280e4 ebx=00000000 ecx=77c112b0 edx=77c61a70 esi=7c90e88e edi=c0000005
eip=7c90eb94 esp=0119fea4 ebp=0119ffa0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret

// Not good to see us doing this:
0:000> u 77c280e4
msvcrt!__CxxRestoreUnhandledExceptionFilter:
77c280e4 ff35fc17c677 push dword ptr [msvcrt!UnDecorator::fGetTemplateArgumentList+0x3 (77c617fc)]
77c280ea ff15b810c177 call dword ptr [msvcrt!_imp__SetUnhandledExceptionFilter (77c110b8)]
77c280f0 c3 ret
77c280f1 cc int 3
77c280f2 cc int 3
77c280f3 cc int 3
77c280f4 cc int 3
77c280f5 cc int 3

// This is definitely coming from the C runtimes, so we know someone linked this:
0:000> !object 77c280e4
No export object found
0:000> !address 77c280e4
77c10000 : 77c11000 - 0004c000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\WINDOWS\system32\msvcrt.dll

// We can see the exit itself in edx:
0:000> u 77c61a70
msvcrt!_C_Exit_Done+0x1c:
77c61a70 e0c8 loopne msvcrt!__initenv+0x2 (77c61a3a)
77c61a72 97 xchg eax,edi
77c61a73 7cff jl msvcrt!_C_Exit_Done+0x20 (77c61a74)
...

// esi should point to the NtTerminateProcess function, which it does:
0:000> u 7c90e88e
ntdll!NtTerminateProcess:
7c90e88e b801010000 mov eax,101h
7c90e893 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c90e898 ff12 call dword ptr [edx]
7c90e89a c20800 ret 8
...

// edi should have the error code, c0000005:
0:000> !error c0000005
Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

So we know the FindAtomW function that was called by something inside explorer.exe tried to read the string from an invalid location (and thus excepted, causing explorer to crash) - but we still don't know who caused this; however, we do now know why.

// Looking at the stack pointer (esp), we can get an idea of what happened,
// hopefully - there's the call, btw, and likely populated eax (the exception):
0:000> u 0119fea4
0119fea4 9ae8907c5eca81 call 81CA:5E7C90E8
0119feab 7cff jl 0119feac
0119fead ff ???
0119feae ff ???
0119feaf ff050000c000 inc dword ptr ds:[0C00000h]
0119feb5 0000 add byte ptr [eax],al
0119feb7 0000 add byte ptr [eax],al
0119feb9 0000 add byte ptr [eax],al

// Looking at the memory structure of the stack, it looks like this wasn't
// explorer.exe; rpc and remote threads usually mean something else is amiss:

// stack pointer:
0:000> dds 0119fea4
0119fea4 7c90e89a ntdll!ZwTerminateProcess+0xc
0119fea8 7c81ca5e kernel32!_ExitProcess+0x62
0119feac ffffffff
0119feb0 c0000005
0119feb4 00000000
0119feb8 00000000
0119febc 00000000
0119fec0 00000000
0119fec4 00300014
0119fec8 00000002
0119fecc 00000a64
0119fed0 00000f84
0119fed4 0008088a
0119fed8 00000000
0119fedc 00000000
0119fee0 00010003
0119fee4 00000000
0119fee8 000d8590
0119feec c0000005
0119fef0 77f6952b shlwapi!ExecuteWorkItem
0119fef4 00000000
0119fef8 0119ff40
0119fefc 7c927545 ntdll!RtlpWorkerCallout+0x70
0119ff00 000dd0d0
0119ff04 7c97c3a0 ntdll!NumExecutingWorkerThreads
0119ff08 000dd0e8
0119ff0c 00000000
0119ff10 00000014
0119ff14 00000001
0119ff18 00000000
0119ff1c 00000000
0119ff20 00000010

// base pointer:
0:000> dds 0119ffa0
0119ffa0 0119ffb4
0119ffa4 7c81cab6 kernel32!ExitProcess+0x14
0119ffa8 c0000005
0119ffac 77e8f3b0 rpcrt4!SECURITY_CONTEXT::InitializeThirdLeg+0x18f
0119ffb0 ffffffff
0119ffb4 0119ffec
0119ffb8 7c83aa89 kernel32!CreateRemoteThread+0x56
0119ffbc c0000005
0119ffc0 00f8fce4
0119ffc4 00f8fce8
0119ffc8 00000000
0119ffcc 7ffd9000
0119ffd0 c0000005
0119ffd4 0119ffc0
0119ffd8 0119ef3c
0119ffdc ffffffff
0119ffe0 7c8399f3 kernel32!_except_handler3
0119ffe4 7c80b518 kernel32!`string'+0x88
0119ffe8 ffffffff
0119ffec 00000000
0119fff0 00000000
0119fff4 7c910760 ntdll!RtlpWorkerThread
0119fff8 00000000
0119fffc 00000000
011a0000 ????????
011a0004 ????????
011a0008 ????????
011a000c ????????
011a0010 ????????
011a0014 ????????
011a0018 ????????
011a001c ????????


So it's not obvious what's going on, other than it looks like something outside of explorer.exe's code doing it. Here are the non-Microsoft modules loaded or unloaded at the time of the dump:

0:000> lm
module name
RarExt.dll
TRshell.dll
JetFlExt.dll
Jccatch.dll
pdfshell.dll
NeroDigitalExt.dll
WZSHLSTB.DLL
NavShExt.dll
ccL60U.dll
ccVrTrst.dll

Unloaded modules:
WZCAB3.DLL
wzshlex1.dll

0:000> lmvm rarext
start end module name
018a0000 018cb000 RarExt (export symbols) RarExt.dll
Loaded symbol image file: RarExt.dll
Image path: C:\Program Files\WinRAR\RarExt.dll
Image name: RarExt.dll
Timestamp: Sun Dec 26 10:34:37 2004 (41CEDA0D)
CheckSum: 00021AC9
ImageSize: 0002B000
File version: 0.0.0.0
Product version: 0.0.0.0
File flags: 0 (Mask 0)
File OS: 0 Unknown Base
File type: 0.0 Unknown
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

0:000> lmvm trshell
start end module name
01cd0000 01cf8000 TRshell (export symbols) TRshell.dll
Loaded symbol image file: TRshell.dll
Image path: C:\Program Files\TagRename\TRshell.dll
Image name: TRshell.dll
Timestamp: Fri Jun 19 18:22:17 1992 (2A425E19)
CheckSum: 0002D0CA
ImageSize: 00028000
File version: 3.5.7.19
Product version: 3.5.7.19
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04e4
CompanyName: Softpointer Inc
ProductName:
InternalName: TRShell.dll
OriginalFilename:
ProductVersion:
FileVersion: 3.5.7.19
FileDescription: Tag&Rename shell extension
LegalCopyright:
LegalTrademarks:
Comments:

0:000> lmvm JetFlExt
start end module name
01f00000 01f29000 JetFlExt C (export symbols) JetFlExt.dll
Loaded symbol image file: JetFlExt.dll
Image path: C:\Program Files\JetAudio\JetFlExt.dll
Image name: JetFlExt.dll
Timestamp: Wed May 09 15:52:42 2007 (4642268A)
CheckSum: 00000000
ImageSize: 00029000
File version: 6.0.0.9751
Product version: 6.0.0.0
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: COWON America
ProductName: JetFlExt Module
InternalName: JetFlExt
OriginalFilename: JetFlExt.DLL
ProductVersion: 6, 0, 0, 0
FileVersion: 6, 0, 0, 9751
PrivateBuild: 6, 0, 0, 9751
SpecialBuild: 6, 0, 0, 9751
FileDescription: Shell Extension for jetAudio
LegalCopyright: Copyright 2005-2006, All rights reserved.
LegalTrademarks: Copyright 2005-2006, All rights reserved.
Comments: Copyright 2005-2006, All rights reserved.

0:000> lmvm jccatch
start end module name
02630000 02645000 Jccatch C (export symbols) Jccatch.dll
Loaded symbol image file: Jccatch.dll
Image path: C:\Program Files\FlashGet\Jccatch.dll
Image name: Jccatch.dll
Timestamp: Tue May 16 03:19:40 2006 (44697D0C)
CheckSum: 00000000
ImageSize: 00015000
File version: 1.1.5.0
Product version: 1.1.5.0
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: FlashGet
ProductName: jccatch Module
InternalName: jccatch
OriginalFilename: jccatch.DLL
ProductVersion: 1, 1, 5, 0
FileVersion: 1, 1, 5, 0
PrivateBuild: 1, 1, 5, 0
SpecialBuild: 1, 1, 5, 0
FileDescription: jccatch Module
LegalCopyright: Copyright 1999 by FlashGet
LegalTrademarks: Copyright 1999 by FlashGet
Comments: Copyright 1999 by FlashGet

0:000> lmvm pdfshell
start end module name
03060000 030bb000 pdfshell (export symbols) pdfshell.dll
Loaded symbol image file: pdfshell.dll
Image path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\pdfshell.dll
Image name: pdfshell.dll
Timestamp: Mon Oct 23 03:28:04 2006 (453C6F04)
CheckSum: 0005D45D
ImageSize: 0005B000
File version: 8.0.0.0
Product version: 8.0.0.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Adobe Systems, Inc.
ProductName: Adobe PDF Shell Extension
InternalName: PDFShell
OriginalFilename: PDFShell.dll
ProductVersion: 8.0.0.0
FileVersion: 8.0.0.0
FileDescription: PDF Shell Extension
LegalCopyright: Copyright 2000-2006 Adobe Systems, Inc.

0:000> lmvm NeroDigitalExt
start end module name
030f0000 032a8000 NeroDigitalExt (export symbols) NeroDigitalExt.dll
Loaded symbol image file: NeroDigitalExt.dll
Image path: C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll
Image name: NeroDigitalExt.dll
Timestamp: Fri Jul 20 05:26:38 2007 (46A07FCE)
CheckSum: 001C3D6D
ImageSize: 001B8000
File version: 3.1.0.8
Product version: 3.1.0.8
File flags: 0 (Mask 1F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
CompanyName: Nero AG
ProductName: Nero Digital Tools
InternalName: NeroDigitalExt.dll
OriginalFilename: NeroDigitalExt.dll
ProductVersion: 3, 1, 0, 8
FileVersion: 3, 1, 0, 8
FileDescription: Nero Digital Shell Extension
LegalCopyright: Copyright (c) 1995-2005 Nero AG and its licensors.

0:000> lmvm WZSHLSTB
start end module name
16200000 16206000 WZSHLSTB C (export symbols) WZSHLSTB.DLL
Loaded symbol image file: WZSHLSTB.DLL
Image path: C:\Program Files\WinZip\WZSHLSTB.DLL
Image name: WZSHLSTB.DLL
Timestamp: Fri Nov 10 00:49:26 2006 (455412E6)
CheckSum: 00000000
ImageSize: 00006000
File version: 4.1.0.0
Product version: 11.0.0.0
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
CompanyName: WinZip Computing LP
ProductName: WinZip
InternalName: WZSTUBSE.DLL
OriginalFilename: WZSTUBSE.DLL
ProductVersion: 11.0 (6595)
FileVersion: 4.1 (32-bit)
FileDescription: WinZip Shell Extension DLL
LegalCopyright: Copyright (c) WinZip International LLC 1991-2006 - All Rights Reserved
LegalTrademarks: WinZip is a registered trademark of WinZip International LLC
Comments: StringFileInfo: U.S. English

0:000> lmvm NavShExt
start end module name
6a090000 6a0b9000 NavShExt (export symbols) NavShExt.dll
Loaded symbol image file: NavShExt.dll
Image path: C:\Program Files\Norton AntiVirus\NavShExt.dll
Image name: NavShExt.dll
Timestamp: Sun Jan 14 04:08:04 2007 (45A9F2F4)
CheckSum: 0002D7B5
ImageSize: 00029000
File version: 14.2.0.29
Product version: 14.2.0.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Norton AntiVirus
InternalName: NavShExt
OriginalFilename: NavShExt.dll
ProductVersion: 14.2.0
FileVersion: 14.2.0.29
FileDescription: Norton AntiVirus Shell Extension Module
LegalCopyright: Copyright © 2006 Symantec Corporation. All rights reserved.

0:000> lmvm ccL60U
start end module name
6ae80000 6af05000 ccL60U (export symbols) ccL60U.dll
Loaded symbol image file: ccL60U.dll
Image path: C:\Program Files\Common Files\Symantec Shared\ccL60U.dll
Image name: ccL60U.dll
Timestamp: Wed Jan 10 00:56:27 2007 (45A4800B)
CheckSum: 00089671
ImageSize: 00085000
File version: 106.2.0.21
Product version: 106.2.0.21
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccLib
OriginalFilename: ccL60.dll
ProductVersion: 106.2.0.21
FileVersion: 106.2.0.21
FileDescription: Symantec Library
LegalCopyright: Copyright (c) 2000-2006 Symantec Corporation. All rights reserved.

0:000> lmvm ccVrTrst
start end module name
6b790000 6b7af000 ccVrTrst (export symbols) ccVrTrst.dll
Loaded symbol image file: ccVrTrst.dll
Image path: C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll
Image name: ccVrTrst.dll
Timestamp: Wed Jan 10 00:56:52 2007 (45A48024)
CheckSum: 0002A0D1
ImageSize: 0001F000
File version: 106.2.0.21
Product version: 106.2.0.21
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccVrTrst
OriginalFilename: ccVrTrst.dll
ProductVersion: 106.2.0.21
FileVersion: 106.2.0.21
FileDescription: Symantec Trust Validation Engine
LegalCopyright: Copyright (c) 2000-2006 Symantec Corporation. All rights reserved.

I also noticed you had Windows Media, DRM, and Messenger .dll files in the unloaded modules list as well. Seems odd, if explorer is just starting, to have Windows Media indexer and DRM files loaded. What exactly did you do just before this started? I see what you were running, and I do suspect something multimedia-related or MSN messenger related:

0 32 0 System Process
Command Line:
0 32 4 System
Command Line:
0 32 444 smss.exe
Command Line: \SystemRoot\System32\smss.exe
0 32 508 csrss.exe Title:
Command Line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
0 32 532 winlogon.exe
Command Line: winlogon.exe
0 32 576 services.exe Svcs: Eventlog,PlugPlay
Command Line: C:\WINDOWS\system32\services.exe
0 32 588 lsass.exe Svcs: ProtectedStorage,SamSs
Command Line: C:\WINDOWS\system32\lsass.exe
0 32 740 svchost.exe Svcs: DcomLaunch,TermService
Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch
0 32 788 svchost.exe Svcs: RpcSs
Command Line: C:\WINDOWS\system32\svchost -k rpcss
0 32 856 svchost.exe Svcs: AudioSrv,CryptSvc,Dhcp,dmserver,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanworkstation,Netman,Nla,RasMan,Schedule,ShellHWDetection,TapiSrv,Themes,TrkWks,winmgmt,WZCSVC
Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs
0 32 908 svchost.exe Svcs: Dnscache
Command Line: C:\WINDOWS\system32\svchost.exe -k NetworkService
0 32 1040 ccSvcHst.exe Svcs: ccEvtMgr,ccSetMgr,LiveUpdate Notice Ex
Command Line: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
0 32 1172 AppSvc32.exe Svcs: SymAppCore
Command Line: "C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"
0 32 1444 svchost.exe Svcs: Alerter,WebClient
Command Line: C:\WINDOWS\system32\svchost.exe -k LocalService
0 32 1524 AluSchedulerSvc.exe Svcs: Automatic LiveUpdate Scheduler
Command Line: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
0 32 1900 ccSvcHst.exe Svcs: CLTNetCnService
Command Line: "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon
0 32 360 AHQTbU.exe Title:
Command Line: "C:\Program Files\Creative\SBLive\AudioHQ\AHQTBU.EXE"
0 32 368 zlclient.exe Title: ZoneAlarm Security Alert
Command Line: "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
0 32 376 ccApp.exe Title:
Command Line: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
0 32 976 iemaximizer.exe Title: IE New Window Maximizer
Command Line: "C:\Program Files\IE New Window Maximizer\iemaximizer.exe"
0 32 1044 USBSafelyRemove.exe Title:
Command Line: "C:\Program Files\USB Safely Remove\USBSafelyRemove.exe" /startup
0 32 1108 MsnMsgr.Exe Title: Le MoNsTrE HuSsAiNoOoOoO - Conversation
Command Line: "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
0 32 1204 ctfmon.exe Title:
Command Line: "C:\WINDOWS\system32\ctfmon.exe"
0 32 1240 vsmon.exe Title:
Command Line: vsmon.exe -status
0 32 2784 winamp.exe Title: 1. Keith Power - Dark Sector Theme - Winamp [Stopped]
Command Line: "C:\Program Files\Winamp\winamp.exe"
0 32 928 symlcsvc.exe Svcs: Symantec Core LC
Command Line: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
0 32 4004 FIREFOX.EXE Title: Where is tlist.exe in Windows XP? - Mozilla Firefox
Command Line: "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE" -requestPending -osint -url "http://www.youtube.com/watch?v=QWs9EvZhrwU"
0 32 3100 cmd.exe Title: C:\WINDOWS\system32\cmd.exe - cscript adplus.vbs -crash -pn explorer.exe -quiet -o c:\adplus
Command Line: "C:\WINDOWS\system32\cmd.exe"
0 32 2064 dllhost.exe Svcs: COMSysApp Mts: System Application
Command Line: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
0 32 3584 rsvp.exe Svcs: RSVP
Command Line: C:\WINDOWS\system32\rsvp.exe
0 32 2660 Explorer.EXE Title: Program Manager
Command Line: C:\WINDOWS\explorer.exe
0 32 2556 dwwin.exe Title: OfficeWatson
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 896
0 32 3232 cscript.exe Title:
Command Line: cscript adplus.vbs -crash -pn explorer.exe -quiet -o c:\adplus
0 32 1368 cmd.exe Title: C:\WINDOWS\system32\cmd.exe
Command Line: "C:\WINDOWS\system32\cmd.exe" /c tlist.exe -v >"c:\adplus\Crash_Mode__Date_03-10-2008__Time_03-05-47AM\Process_List.txt"
0 32 2484 tlist.exe
Command Line: tlist.exe -v

Ultimately, I need you to disable things with ShellExView and Autoruns if you don't see anything obvious here that jogs your memory. Oh:

Title: Where is tlist.exe in Windows XP? - Mozilla Firefox
Try tasklist.exe -v. ;)
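Added example (not part of the original posts, and not the poster's own tooling): a Python script that reads `lmvm` output like the listing quoted above and returns the non-Microsoft modules loaded in explorer.exe, least-identified first, as candidates for the disable-and-re-enable step. The function names are hypothetical, the sample is trimmed from the output in the thread, and the shell32 record is constructed for contrast.

```python
import re

# Trimmed from the lmvm output quoted in the thread; the shell32 record is
# constructed for contrast.
SAMPLE = """
0:000> lmvm rarext
Timestamp: Sun Dec 26 10:34:37 2004 (41CEDA0D)
CheckSum: 00021AC9
0:000> lmvm trshell
Timestamp: Fri Jun 19 18:22:17 1992 (2A425E19)
CheckSum: 0002D0CA
CompanyName: Softpointer Inc
0:000> lmvm jccatch
Timestamp: Tue May 16 03:19:40 2006 (44697D0C)
CheckSum: 00000000
CompanyName: FlashGet
0:000> lmvm shell32
Timestamp: Wed Aug 04 07:55:52 2004 (41109688)
CheckSum: 0081B5A0
CompanyName: Microsoft Corporation
"""

MICROSOFT = re.compile(r"\bmicrosoft\b", re.I)
DELPHI_STAMP = 0x2A425E19  # fixed link time written by older Borland/Delphi linkers

def parse_lmvm(text):
    """Split debugger output into one dict of 'Key: value' fields per module."""
    records = []
    for line in text.splitlines():
        m = re.match(r"\d+:\d+>\s*lmvm\s+(\S+)", line)
        if m:                               # a new "0:000> lmvm <name>" command
            records.append({"module": m.group(1)})
        elif records and ":" in line:       # field line belonging to that module
            key, _, value = line.partition(":")
            records[-1][key.strip()] = value.strip()
    return records

def triage(text):
    """Return (module, vendor, notes) for each non-Microsoft module."""
    rows = []
    for rec in parse_lmvm(text):
        vendor = rec.get("CompanyName", "")
        if MICROSOFT.search(vendor):
            continue
        notes = []
        if not vendor:
            notes.append("no CompanyName in version resource")
        if rec.get("CheckSum") == "00000000":
            notes.append("PE checksum not set")
        stamp = re.search(r"\(([0-9A-Fa-f]{8})\)", rec.get("Timestamp", ""))
        if stamp and int(stamp.group(1), 16) == DELPHI_STAMP:
            notes.append("link timestamp is the fixed 1992 Delphi value, not a build date")
        rows.append((rec["module"], vendor or "(unknown)", notes))
    # Modules with no declared vendor first, then those with the most notes.
    rows.sort(key=lambda r: (r[1] != "(unknown)", -len(r[2])))
    return rows

if __name__ == "__main__":
    for module, vendor, notes in triage(SAMPLE):
        print(f"{module:10} {vendor:18} {'; '.join(notes) or '-'}")
```

CompanyName is a self-declared version string, so the Microsoft filter narrows the list for triage and is not proof of origin; confirm with the file's signature before trusting a module.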

No, I tried to disable all non-Microsoft shell extensions and startup items but nothing changed. I'll try again.

About tlist.exe: I saw it in the log file when I made the dump. Then I tried to find what it is on Google.
