Need assistance analyzing an Explorer Application Error Minidump

zan2828

HKLM\SECURITY\Policy\Secrets\SAC* 5/28/2008 7:34 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 5/28/2008 7:34 PM 0 bytes Key name contains embedded nulls (*)

C:\Documents and Settings\Billy Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\g34fzsyr.default\Cache\C6935067d01 6/7/2008 8:09 PM 50.26 KB Hidden from Windows API.

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 6/7/2008 8:05 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

Output of rootkit scan. Does anything look suspicious?



Looks okay to me - first 2 are a couple of seed/secret related keys, last one is the log file used by Windows Update.

Not sure why something in a Firefox profile would be hidden from the Windows API, but hopefully nothing executable cached in there anyway.

Time to take a complete memory dump so we can take a look in the kernel:

http://www.msfn.org/board/Creating-memory-dumps-t90244.html

If you zip up the MEMORY.DMP file produced manually, plus your copies of KERNEL32.DLL and USER32.DLL we should be able to see if the binaries on disk have been modified or if something in memory is hooking them at load time.


I seem to have finally solved the problem, although it may just be hiding itself momentarily, like problems seem to do.

I re-installed my Nvidia drivers to fix a completely unrelated problem, and explorer.exe has not crashed on shutdown for two days now. This goes perfectly with what you mentioned about the display setting function being hooked by something.

In addition, the error messages that appear in the event viewer are nearly identical to the ones mentioned in this thread: http://forums.nvidia.com/lofiversion/index.php?t61227.html

If I do not post back, it means that my problem has indeed been fixed. Thank you all very much for your help.


Well I'm back because the problem is back.

I have the complete system dump and 2 dll's ready, problem is finding a suitable place to upload this beast of a file (rar is 1.3 gig). Any suggestions?


If you zip up the MEMORY.DMP file produced manually, plus your copies of KERNEL32.DLL and USER32.DLL we should be able to see if the binaries on disk have been modified or if something in memory is hooking them at load time.
http://www6.sendthisfile.com/d.jsp?t=Y0Bu3...yG9yvITNqwHsYtG

Alright, I have the complete memory dump along with the 2 dll's uploaded. Thank you once again for your help.

Edited by zan2828

The dump is corrupt :/

Kernel Complete Dump File: Full address space is available
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_01fe012d
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_01fe012d
Debugger can not determine kernel base address
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu Jun 12 12:46:47.616 2008 (GMT+2)
System Uptime: 0 days 14:33:48.212
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_01fe012d
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_01fe012d
Debugger can not determine kernel base address
Loading Kernel Symbols
Missing image name, possible paged-out or corrupt data.
.Unable to read KLDR_DATA_TABLE_ENTRY at 01f0012d - NTSTATUS 0xC0000147

0: kd> lmft
start end module name
01fe012d 0399025c Unknown_Module_01fe012d Unknown_Module_01fe012d unavailable (FFFFFFFE)

Not much of the data is going to be reliable or usable... we don't even have the base address for the kernel, but we can try to hack it in...

0: kd> .reload nt=0x804d7000
0: kd> lmft
start end module name
01fe012d 0399025c Unknown_Module_01fe012d Unknown_Module_01fe012d unavailable (FFFFFFFE)
804d7000 806e4000 nt ntkrpamp.exe Sun Apr 13 20:31:06 2008 (4802516A)

0: kd> lmvm nt
start end module name
804d7000 806e4000 nt
Loaded symbol image file: ntkrpamp.exe
Image path: ntkrpamp.exe
Image name: ntkrpamp.exe
Timestamp: Sun Apr 13 20:31:06 2008 (4802516A)
CheckSum: 001F442E
ImageSize: 0020D000
File version: 5.1.2600.5512
Product version: 5.1.2600.5512
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrpamp.exe
OriginalFilename: ntkrpamp.exe
ProductVersion: 5.1.2600.5512
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.

0: kd> !vm
*** Virtual Memory Usage ***
Physical Memory: 523883 ( 2095532 Kb)
No Name for Paging File
Current: 0 Kb Free Space: 0 Kb
Minimum: 0 Kb Maximum: 0 Kb
Available Pages: 359915 ( 1439660 Kb)
ResAvail Pages: 431405 ( 1725620 Kb)
Locked IO Pages: 397 ( 1588 Kb)
Free System PTEs: 170367 ( 681468 Kb)
Free NP PTEs: 32766 ( 131064 Kb)
Free Special NP: 0 ( 0 Kb)
Modified Pages: 172 ( 688 Kb)
Modified PF Pages: 147 ( 588 Kb)
NonPagedPool Usage: 9053 ( 36212 Kb)
NonPagedPool Max: 65536 ( 262144 Kb)
PagedPool 0 Usage: 1843320276 (7373281104 Kb)
PagedPool 1 Usage: 68158125 ( 272632500 Kb)
PagedPool 2 Usage: -740835438 (14216527432 Kb)
PagedPool 3 Usage: 225447192 ( 901788768 Kb)
PagedPool 4 Usage: 0 ( 0 Kb)
PagedPool Usage: 1396090155 (5584360620 Kb)
PagedPool Maximum: 92160 ( 368640 Kb)
Shared Commit: 11105 ( 44420 Kb)
Special Pool: 0 ( 0 Kb)
Shared Process: 2891 ( 11564 Kb)
PagedPool Commit: 33709 ( 134836 Kb)
Driver Commit: 3669 ( 14676 Kb)
Committed pages: 122721 ( 490884 Kb)
Commit limit: 1021773 ( 4087092 Kb)

Unable to read _EPROCESS at ffffff78
ProcessCommitUsage could not be calculated

The paged pool stats are complete garbage, let's see if we can figure out the module list...

0: kd> dd nt!PsLoadedModuleList nt!PsLoadedModuleList
8055d720 89e81398

0: kd> dc 89e81398
89e81398 01f0012d 01f1012d 01f6012d 01f8012d -...-...-...-...
89e813a8 01fb012d 01fd012d 01fe012d 019b012e -...-...-.......
89e813b8 019b012f 01e10130 01ef0131 01e90132 /...0...1...2...
89e813c8 019b0133 01f70133 01fa0133 01fc0134 3...3...3...4...
89e813d8 01b90135 019f0136 01c90136 00000000 5...6...6.......
89e813e8 00000001 2b745058 00000292 66666600 ....XPt+.....fff
89e813f8 08666666 66086666 08666666 66086666 fff.ff.ffff.ff.f
89e81408 66666608 01016666 01010101 01010101 .fffff..........
89e81418 01010101 01010101 01010101 01010101 ................
89e81428 01010101 01010101 01010101 01010101 ................

The alleged location of the module list contains garbage - we can see where the debugger got the name "Unknown_Module_01fe012d", the garbage size and checksum from...

0: kd> lmvm unk*
start end module name
01fe012d 0399025c Unknown_Module_01fe012d T (no symbols)
Loaded symbol image file: Unknown_Module_01fe012d
Image path: Unknown_Module_01fe012d
Image name: Unknown_Module_01fe012d
Timestamp: unavailable (FFFFFFFE)
CheckSum: missing
ImageSize: 019B012F

0: kd> dc 89e81398
89e81398 01f0012d 01f1012d 01f6012d 01f8012d -...-...-...-...
89e813a8 01fb012d 01fd012d 01fe012d 019b012e -...-...-.......
89e813b8 019b012f 01e10130 01ef0131 01e90132 /...0...1...2...
89e813c8 019b0133 01f70133 01fa0133 01fc0134 3...3...3...4...

0: kd> ? 01fe012d + 019b012f
Evaluate expression: 60359260 = 0399025c

Unfortunately none of the values around that address (89e81398) are even in the kernel address space, so I can't even begin to guess where the module list is/was :(

Could you try setting the dump type to Kernel and produce another when you have the explorer.exe error message on the screen (without clicking OK)?
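As an added illustration (not code from the thread or from the poster), here is a small Python triage script that applies the same sanity checks to the `dc 89e81398` output above: it reassembles the dwords, reads the entry the way the debugger did (DllBase at +0x18 and SizeOfImage at +0x20, which the page's own values confirm), derives the same 0x0399025c end address, and reports why the entry cannot be a real kernel module list entry. The contrasting healthy entry for nt is constructed from the base and ImageSize shown by `lmvm nt`; its link pointers are made-up values.

```python
import struct
from collections import namedtuple
# Constructed from the thread's "dc 89e81398" output: the memory the debugger
# believed was the head of nt!PsLoadedModuleList.
DC_OUTPUT = """\
89e81398 01f0012d 01f1012d 01f6012d 01f8012d -...-...-...-...
89e813a8 01fb012d 01fd012d 01fe012d 019b012e -...-...-.......
89e813b8 019b012f 01e10130 01ef0131 01e90132 /...0...1...2...
"""
KERNEL_VA_START = 0x80000000  # XP x86 with the default 2 GB user / 2 GB kernel split
LdrEntry = namedtuple("LdrEntry", "flink blink dll_base size_of_image")

def parse_dc(text):
    """Reassemble WinDbg 'dc' lines (address, four dwords, ASCII) into raw bytes."""
    data = bytearray()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 5:
            data += b"".join(struct.pack("<I", int(w, 16)) for w in tok[1:5])
    return bytes(data)

def read_ldr_entry(blob):
    """XP x86 _LDR_DATA_TABLE_ENTRY offsets the thread's own output confirms:
    InLoadOrderLinks at +0x00, DllBase at +0x18, SizeOfImage at +0x20."""
    flink, blink = struct.unpack_from("<II", blob, 0x00)
    dll_base = struct.unpack_from("<I", blob, 0x18)[0]
    size = struct.unpack_from("<I", blob, 0x20)[0]
    return LdrEntry(flink, blink, dll_base, size)

def make_entry(flink, blink, dll_base, size):
    """Build a minimal 0x24-byte entry (used for a constructed healthy example)."""
    blob = bytearray(0x24)
    struct.pack_into("<II", blob, 0x00, flink, blink)
    struct.pack_into("<II", blob, 0x18, dll_base, 0)   # DllBase, EntryPoint
    struct.pack_into("<I", blob, 0x20, size)
    return bytes(blob)

def image_end(e):
    return e.dll_base + e.size_of_image   # the 'end' column lmft derived

def check_entry(e):
    """Plausibility checks a triage script applies before trusting the list."""
    problems = []
    for name, v in (("Flink", e.flink), ("Blink", e.blink), ("DllBase", e.dll_base)):
        if v < KERNEL_VA_START:
            problems.append(f"{name}=0x{v:08x} is not a kernel-mode address")
    if e.dll_base & 0xFFF:
        problems.append("DllBase is not page-aligned")
    if e.size_of_image == 0 or image_end(e) > 0x1_0000_0000:
        problems.append("SizeOfImage is implausible")
    return problems
```

Running `check_entry(read_ldr_entry(parse_dc(DC_OUTPUT)))` lists every reason the thread's entry fails, while the constructed nt entry passes cleanly.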


I feel stupid. I know why the dump is corrupt. I would press reset right after seeing the blue screen, assuming the dump was complete as soon as the screen popped up.

I now know to let the memory dump timer finish before rebooting.

Would you still prefer a complete memory dump or will a kernel dump suffice?

Edited by zan2828

Ahhhh, that explains it :)

Complete dump is preferable for this issue, as we could do with seeing both kernel and user-mode space.

Make a dump when the system is running normally, but with as few apps as possible running (including in the system tray) to keep the size and complexity down.

(If we get a dump when explorer.exe has crashed during shutdown and presented a popup message then we might miss something that has already been unloaded - however we might need that next.)


Good news is I didn't find anything suspicious in the kernel.

Bad news is that means we are back to a user-mode dump of explorer.exe being the best way forward...

What is the exact error message displayed, and when does it appear?

(i.e. when you click on Shut Down and the list of shutdown options appears, or when you select one of the options)

Does it stop waiting for you to click OK?

If so, what happens when you do, and can you shut Windows down gracefully at all?

When you have the explorer.exe has crashed error on screen and the disk activity has stopped, produce another complete memory dump at that point if you would.


The most frustrating thing about this problem is that I cannot easily reproduce it. It does not happen every time I try to shut down.

The exact sequence of events:

1. start, shutdown

2. a bit of hard disk activity/busy mouse pointer is present

3. error msg: Windows explorer has encountered a problem and needs to close. Click OK, etc.

The shutdown option menu does not load. It will stop, allowing me to click OK. When I do, explorer crashes and reloads. I am then able to shut down normally.

I will have the crashed dump uploaded within the next day.

Edited by zan2828

Hmm, given what you have described and the explorer dump we have already seen, it sounds like a module that msgina.dll is supposed to call into has been unloaded "sometimes" when it comes to dim the screen when presenting the shutdown/restart/sleep options...

Without resorting to time travel debugging, what we need are 3 dumps:

- ADPlus hang mode dump of explorer before Start / Shut Down is clicked and the error does NOT occur

- ADPlus hang mode dump of explorer before Start / Shut Down is clicked and the error DOES occur

- ADPlus crash mode dump of explorer when it has the error

1. Make sure no applications or Explorer windows are running.

2. Open a command prompt and enter the commands:

cd \progr*

cd debug*

(This should put you at the "C:\Program Files\Debugging Tools for Windows (x86)" prompt.)

3. Then enter this command:

adplus -hang -ctcf -o c:\dumps -pn explorer.exe

(This should produce a hang-mode dump of all explorer.exe processes and put them into a unique folder in c:\dumps, wait for the procedure to complete.)

4. Now enter the command:

adplus -crash -ctcf -o c:\dumps -pn explorer.exe

(Now there is a debugger attached to explorer.exe and it will generate a dump if the process raises an exception.)

Following this command, click Start / Shut Down:

- if the process does not crash, hit ESC on the dimmed window and rename the hang mode dump folder from step 3 to "Hang1NoCrash"

- if the process does crash we should get a crash mode dump created and now there are 2 folders in c:\dumps - rename the first to "Hang1Crash" and "Crash"

Repeat the procedure until you have hang mode dumps of the process when it did and did not crash, and the crash dump.

By observing the difference in the 2 hang mode dumps, and the address of the exception in the crash dump, we may be able to figure out what is going on.
