zan2828 (Author) Posted June 8, 2008

HKLM\SECURITY\Policy\Secrets\SAC* 5/28/2008 7:34 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 5/28/2008 7:34 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Billy Lau\Local Settings\Application Data\Mozilla\Firefox\Profiles\g34fzsyr.default\Cache\C6935067d01 6/7/2008 8:09 PM 50.26 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 6/7/2008 8:05 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

Output of rootkit scan. Does anything look suspicious?
Mr Snrub Posted June 8, 2008

Looks okay to me - first 2 are a couple of seed/secret related keys, last one is the log file used by Windows Update. Not sure why something in a Firefox profile would be hidden from the Windows API, but hopefully nothing executable cached in there anyway.

Time to take a complete memory dump so we can take a look in the kernel:
http://www.msfn.org/board/Creating-memory-dumps-t90244.html

If you zip up the MEMORY.DMP file produced manually, plus your copies of KERNEL32.DLL and USER32.DLL we should be able to see if the binaries on disk have been modified or if something in memory is hooking them at load time.
cluberti Posted June 8, 2008

Amen. Took the weekend off, and look what happens.
zan2828 (Author) Posted June 10, 2008

I seem to have finally solved the problem, although it may just be hiding itself momentarily, like problems seem to do.

I re-installed my Nvidia drivers to fix a completely unrelated problem, and explorer.exe has not crashed on shutdown for two days now. This goes perfectly with what you mentioned about the display setting function being hooked by something.

In addition, the error messages that appear in the event viewer are nearly identical to the ones mentioned in this thread: http://forums.nvidia.com/lofiversion/index.php?t61227.html

If I do not post back, it means that my problem has indeed been fixed. Thank you all very much for your help.
zan2828 (Author) Posted June 12, 2008

Well I'm back because the problem is back. I have the complete system dump and 2 DLLs ready; problem is finding a suitable place to upload this beast of a file (rar is 1.3 gig). Any suggestions?
zan2828 (Author) Posted June 16, 2008

bump
TranceEnergy Posted June 16, 2008

bump. Do you run with a custom modified Windows login?
zan2828 (Author) Posted June 18, 2008 (edited)

"If you zip up the MEMORY.DMP file produced manually, plus your copies of KERNEL32.DLL and USER32.DLL we should be able to see if the binaries on disk have been modified or if something in memory is hooking them at load time."

http://www6.sendthisfile.com/d.jsp?t=Y0Bu3...yG9yvITNqwHsYtG

Alright, I have the complete memory dump along with 2 DLLs uploaded. Thank you once again for your help.

Edited June 18, 2008 by zan2828
Mr Snrub Posted June 18, 2008

The dump is corrupt :/

Kernel Complete Dump File: Full address space is available
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_01fe012d
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_01fe012d
Debugger can not determine kernel base address
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu Jun 12 12:46:47.616 2008 (GMT+2)
System Uptime: 0 days 14:33:48.212
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_01fe012d
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_01fe012d
Debugger can not determine kernel base address
Loading Kernel Symbols
Missing image name, possible paged-out or corrupt data.
.Unable to read KLDR_DATA_TABLE_ENTRY at 01f0012d - NTSTATUS 0xC0000147

0: kd> lmft
start    end        module name
01fe012d 0399025c   Unknown_Module_01fe012d Unknown_Module_01fe012d unavailable (FFFFFFFE)

Not much of the data is going to be reliable or usable... we don't even have the base address for the kernel, but we can try to hack it in...

0: kd> .reload nt=0x804d7000
0: kd> lmft
start    end        module name
01fe012d 0399025c   Unknown_Module_01fe012d Unknown_Module_01fe012d unavailable (FFFFFFFE)
804d7000 806e4000   nt         ntkrpamp.exe Sun Apr 13 20:31:06 2008 (4802516A)

0: kd> lmvm nt
start    end        module name
804d7000 806e4000   nt
    Loaded symbol image file: ntkrpamp.exe
    Image path: ntkrpamp.exe
    Image name: ntkrpamp.exe
    Timestamp: Sun Apr 13 20:31:06 2008 (4802516A)
    CheckSum: 001F442E
    ImageSize: 0020D000
    File version: 5.1.2600.5512
    Product version: 5.1.2600.5512
    File flags: 0 (Mask 3F)
    File OS: 40004 NT Win32
    File type: 1.0 App
    File date: 00000000.00000000
    Translations: 0409.04b0
    CompanyName: Microsoft Corporation
    ProductName: Microsoft® Windows® Operating System
    InternalName: ntkrpamp.exe
    OriginalFilename: ntkrpamp.exe
    ProductVersion: 5.1.2600.5512
    FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
    FileDescription: NT Kernel & System
    LegalCopyright: © Microsoft Corporation. All rights reserved.

0: kd> !vm
*** Virtual Memory Usage ***
    Physical Memory: 523883 ( 2095532 Kb)
    No Name for Paging File
    Current: 0 Kb Free Space: 0 Kb
    Minimum: 0 Kb Maximum: 0 Kb
    Available Pages: 359915 ( 1439660 Kb)
    ResAvail Pages: 431405 ( 1725620 Kb)
    Locked IO Pages: 397 ( 1588 Kb)
    Free System PTEs: 170367 ( 681468 Kb)
    Free NP PTEs: 32766 ( 131064 Kb)
    Free Special NP: 0 ( 0 Kb)
    Modified Pages: 172 ( 688 Kb)
    Modified PF Pages: 147 ( 588 Kb)
    NonPagedPool Usage: 9053 ( 36212 Kb)
    NonPagedPool Max: 65536 ( 262144 Kb)
    PagedPool 0 Usage: 1843320276 (7373281104 Kb)
    PagedPool 1 Usage: 68158125 ( 272632500 Kb)
    PagedPool 2 Usage: -740835438 (14216527432 Kb)
    PagedPool 3 Usage: 225447192 ( 901788768 Kb)
    PagedPool 4 Usage: 0 ( 0 Kb)
    PagedPool Usage: 1396090155 (5584360620 Kb)
    PagedPool Maximum: 92160 ( 368640 Kb)
    Shared Commit: 11105 ( 44420 Kb)
    Special Pool: 0 ( 0 Kb)
    Shared Process: 2891 ( 11564 Kb)
    PagedPool Commit: 33709 ( 134836 Kb)
    Driver Commit: 3669 ( 14676 Kb)
    Committed pages: 122721 ( 490884 Kb)
    Commit limit: 1021773 ( 4087092 Kb)
Unable to read _EPROCESS at ffffff78
ProcessCommitUsage could not be calculated

The paged pool stats are complete garbage, let's see if we can figure out the module list...

0: kd> dd nt!PsLoadedModuleList nt!PsLoadedModuleList
8055d720 89e81398
0: kd> dc 89e81398
89e81398 01f0012d 01f1012d 01f6012d 01f8012d -...-...-...-...
89e813a8 01fb012d 01fd012d 01fe012d 019b012e -...-...-.......
89e813b8 019b012f 01e10130 01ef0131 01e90132 /...0...1...2...
89e813c8 019b0133 01f70133 01fa0133 01fc0134 3...3...3...4...
89e813d8 01b90135 019f0136 01c90136 00000000 5...6...6.......
89e813e8 00000001 2b745058 00000292 66666600 ....XPt+.....fff
89e813f8 08666666 66086666 08666666 66086666 fff.ff.ffff.ff.f
89e81408 66666608 01016666 01010101 01010101 .fffff..........
89e81418 01010101 01010101 01010101 01010101 ................
89e81428 01010101 01010101 01010101 01010101 ................

The alleged location of the module list contains garbage - we can see where the debugger got the name "Unknown_Module_01fe012d", the garbage size and checksum from...

0: kd> lmvm unk*
start    end        module name
01fe012d 0399025c   Unknown_Module_01fe012d T (no symbols)
    Loaded symbol image file: Unknown_Module_01fe012d
    Image path: Unknown_Module_01fe012d
    Image name: Unknown_Module_01fe012d
    Timestamp: unavailable (FFFFFFFE)
    CheckSum: missing
    ImageSize: 019B012F
0: kd> dc 89e81398
89e81398 01f0012d 01f1012d 01f6012d 01f8012d -...-...-...-...
89e813a8 01fb012d 01fd012d 01fe012d 019b012e -...-...-.......
89e813b8 019b012f 01e10130 01ef0131 01e90132 /...0...1...2...
89e813c8 019b0133 01f70133 01fa0133 01fc0134 3...3...3...4...
0: kd> ? 01fe012d + 019b012f
Evaluate expression: 60359260 = 0399025c

Unfortunately none of the values around that address (89e81398) are even in the kernel address space, so I can't even begin to guess where the module list is/was.

Could you try setting the dump type to Kernel and produce another when you have the explorer.exe error message on the screen (without clicking OK)?
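As an added example (not code from the thread or its posters), a small Python script that performs the plausibility check Mr Snrub applies above: it parses the quoted `dd`/`dc` output and tests whether the PsLoadedModuleList links point into x86 kernel address space, and reproduces the bogus module-end arithmetic. The 0x80000000 kernel-space boundary and the nt image range are assumptions taken from the thread's own output (x86 XP without /3GB).

```python
import re

# Assumption: x86 Windows XP without /3GB, so kernel-mode virtual addresses start here.
KERNEL_SPACE_START = 0x80000000
# Range of ntkrpamp.exe taken from the thread's `lmvm nt` output.
NT_BASE, NT_END = 0x804D7000, 0x806E4000

# Constructed sample: the `dd nt!PsLoadedModuleList` and `dc 89e81398` lines quoted above.
SAMPLE = """\
8055d720 89e81398
89e81398 01f0012d 01f1012d 01f6012d 01f8012d -...-...-...-...
89e813a8 01fb012d 01fd012d 01fe012d 019b012e -...-...-.......
89e813b8 019b012f 01e10130 01ef0131 01e90132 /...0...1...2...
89e813c8 019b0133 01f70133 01fa0133 01fc0134 3...3...3...4...
"""

def parse_windbg_dwords(text):
    """Map address -> 32-bit value for every DWORD in WinDbg `dd`/`dc` output."""
    words = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{8}){1,4})", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(tok, 16)
    return words

def classify(value):
    """Where a 32-bit value would point if interpreted as a virtual address."""
    if NT_BASE <= value < NT_END:
        return "nt-image"
    return "kernel" if value >= KERNEL_SPACE_START else "user"

def check_list_head(words, head):
    """Sanity-check the LIST_ENTRY at `head`: in a healthy dump both Flink and
    Blink of PsLoadedModuleList must point into kernel space, never user space."""
    flink, blink = words[head], words[head + 4]
    plausible = classify(flink) != "user" and classify(blink) != "user"
    return {"flink": flink, "blink": blink, "plausible": plausible}

def module_end(base, size):
    """End address WinDbg derives from a (here bogus) DllBase/SizeOfImage pair."""
    return (base + size) & 0xFFFFFFFF

if __name__ == "__main__":
    words = parse_windbg_dwords(SAMPLE)
    head = words[0x8055D720]                       # value of nt!PsLoadedModuleList
    print(check_list_head(words, head))            # plausible: False
    print(hex(module_end(0x01FE012D, 0x019B012F))) # 0x399025c, as in the thread's `?`
```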
zan2828 (Author) Posted June 18, 2008 (edited)

I feel stupid. I know why the dump is corrupt. I would press reset right after seeing the blue screen, assuming the dump was complete as soon as the screen popped up. I now know to let the memory dump timer finish before rebooting.

Would you still prefer a complete memory dump or will a kernel dump suffice?

Edited June 18, 2008 by zan2828
Mr Snrub Posted June 19, 2008

Ahhhh, that explains it.

Complete dump is preferable for this issue, as we could do with seeing in kernel and user-mode space.

Make a dump when the system is running normally, but with as few apps as possible running (including in the system tray) to keep the size and complexity down.

(If we get a dump when explorer.exe has crashed during shutdown and presented a popup message then we might miss something that has already been unloaded - however we might need that next.)
zan2828 (Author) Posted June 21, 2008 (edited)

http://www.adrive.com/public/a37998f403844...948224434f.html
(try copying and pasting the link if it doesn't connect)

Complete dump (no crash) and 2 DLLs. I have the explorer crashed dump ready to upload if you need it. Thanks.

Edited June 21, 2008 by zan2828
Mr Snrub Posted June 21, 2008

Good news is I didn't find anything suspicious in the kernel.
Bad news is that means we are back to a user-mode dump of explorer.exe being the best way forward...

What is the exact error message displayed, and when does it appear?
(i.e. when you click on Shut Down and the list of shutdown options appears, or when you select one of the options)

Does it stop waiting for you to click OK?
If so, what happens when you do, and can you shut Windows down gracefully at all?

When you have the explorer.exe has crashed error on screen and the disk activity has stopped, produce another complete memory dump at that point if you would.
zan2828 (Author) Posted June 22, 2008 (edited)

The most frustrating thing about this problem is that I cannot easily reproduce it. It does not happen every time I try to shut down.

The exact sequence of events:
1. Start, Shut Down
2. A bit of hard disk activity/busy mouse pointer is present
3. Error msg: Windows Explorer has encountered a problem and needs to close. Click OK, etc.

The shutdown option menu does not load. It will stop, allowing me to click OK. When I do, explorer crashes and reloads. I am then able to shut down normally.

I will have the crashed dump uploaded within the next day.

Edited June 22, 2008 by zan2828
Mr Snrub Posted June 22, 2008

Hmm, given what you have described and the explorer dump we have already seen, it sounds like a module that msgina.dll is supposed to call into has been unloaded "sometimes" when it comes to dim the screen when presenting the shutdown/restart/sleep options...

Without resorting to time travel debugging, what we need are 3 dumps:
- ADPlus hang mode dump of explorer before Start / Shut Down is clicked and the error does NOT occur
- ADPlus hang mode dump of explorer before Start / Shut Down is clicked and the error DOES occur
- ADPlus crash mode dump of explorer when it has the error

1. Make sure no applications or Explorer windows are running.

2. Open a command prompt and enter the commands:
cd \progr*
cd debug*
(This should put you at the "C:\Program Files\Debugging Tools for Windows (x86)" prompt.)

3. Then enter this command:
adplus -hang -ctcf -o c:\dumps -pn explorer.exe
(This should produce a hang-mode dump of all explorer.exe processes and put them into a unique folder in c:\dumps; wait for the procedure to complete.)

4. Now enter the command:
adplus -crash -ctcf -o c:\dumps -pn explorer.exe
(Now there is a debugger attached to explorer.exe and it will generate a dump if the process raises an exception.)

Following this command, click Start / Shut Down:
- if the process does not crash, hit ESC on the dimmed window and rename the hang mode dump folder from step 3 to "Hang1NoCrash"
- if the process does crash we should get a crash mode dump created and now there are 2 folders in c:\dumps - rename the first to "Hang1Crash" and "Crash"

Repeat the procedure until you have hang mode dumps of the process when it did and did not crash, and the crash dump.

By observing the difference in the 2 hang mode dumps, and the address of the exception in the crash dump, we may be able to figure out what is going on.