Dave-H Posted November 3, 2020

Even easier, download and use this - http://www.nirsoft.net/utils/shexview.html

This utility will display all of the Shell Extensions on the system and allow you to easily disable some or all of them. HTH.

kuja killer (Author) Posted November 3, 2020

I mentioned already in one of my earlier replies in February that I checked with that shellex program before and didn't have anything at all that would be suspect. So that didn't help at all.

Dave-H Posted November 3, 2020

Ah, sorry I had forgotten! Editing the registry wouldn't do anything different to what the ShellExView program does, so I guess it isn't a shell extension causing the problem this time (normally that would be the number one suspect).

kuja killer (Author) Posted November 3, 2020

Yea.. well, I just went ahead and uploaded that crash dump file to mediafire. I don't know why it has to be such a ridiculously huge size like this. I don't know anything about coding and all that stuff so all I ever knew what to try was "analyze -v" ..and getting stupid question marks as I showed in that screenshot earlier.

http://www.mediafire.com/file/ygwvkqu3ekgok6w/explorer+crash.dmp/file

Edited November 3, 2020 by kuja killer

Dave-H Posted November 3, 2020

Well here's what I managed to pull out of it, FWIW -

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [E:\Dump Folder\explorer crash.dmp]
User Mini Dump File with Full Memory: Only application data is available

Comment: '2nd_chance_AccessViolation_exception_in_EXPLORER.EXE_running_on_YOUR-7D8859AF69'
Symbol search path is: srv*d:\programf\microsof\windowss.1\debuggin\symbols*http://msdl.microsoft.com/download/symbols;symsrv*symsrv.dll*d:\win-nt\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Wed Jul 8 10:02:31.000 2020 (UTC + 0:00)
System Uptime: 11 days 13:04:15.434
Process Uptime: 4 days 5:46:39.000
................................................................
................................................................
.................................
Loading unloaded module list
..............
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(f4c.454): Access violation - code c0000005 (first/second chance not available)
eax=0174fc9c ebx=00000000 ecx=00000000 edx=00000000 esi=077444f6 edi=04d069f0
eip=077444f6 esp=0174fc84 ebp=0174fccc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
077444f6 ?? ???
0:003> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
+73
077444f6 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 077444f6
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 077444f6
Attempt to read from address 077444f6

DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 077444f6

READ_ADDRESS: 077444f6

FOLLOWUP_IP:
ntdll!RtlpWaitOrTimerCallout+73
7c927d39 834dfcff or dword ptr [ebp-4],0FFFFFFFFh

FAILED_INSTRUCTION_ADDRESS:
+1e22faf00fddf58
077444f6 ?? ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

IP_ON_HEAP: 077444f6

IP_IN_FREE_BLOCK: 77444f6

FAULTING_THREAD: 00000454

PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR

BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER: from 7c927d39 to 077444f6

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0174fc80 7c927d39 04d069f0 00000000 0014e800 0x77444f6
0174fccc 7c92a600 077444f6 04d069f0 00000000 ntdll!RtlpWaitOrTimerCallout+0x73
0174fcf8 7c92a54e 0014e800 00000004 00000020 ntdll!RtlpProcessWaitCompletion+0x112
0174ffb4 7c80b729 00000000 00000020 00f4fce4 ntdll!RtlpWaitThread+0x277
0174ffec 00000000 7c92a3f3 00000000 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND: ~3s; .ecxr ; kb

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: ntdll!RtlpWaitOrTimerCallout+73

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ntdll

IMAGE_NAME: ntdll.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4d00f27d

FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_ntdll.dll!RtlpWaitOrTimerCallout

BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_ntdll!RtlpWaitOrTimerCallout+73

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/explorer_exe/6_0_2900_5512/48025c30/unknown/0_0_0_0/bbbbbbb4/c0000005/077444f6.htm?Retriage=1

Followup: MachineOwner
---------

Hope this helps. You could try searching on some of the entries. Nothing stood out to me as identifying the culprit here, but I'm not expert at interpreting debug logs either!

kuja killer (Author) Posted November 3, 2020

Yea, there's those worthless question marks. But I mean, it can't possibly be ntdll, right? Cause that's not ever been touched since I've had this computer around 2010. It wasn't ever modified or anything like that.

https://i.imgur.com/Uq4Eyb9.png

I also tried searching for like ID 454, but there was no such thing in all the running exe's at the time, explorer was process ID 3916 it said, in the "process list" text file.

Edited November 3, 2020 by kuja killer

Dave-H Posted November 3, 2020

I'm intrigued by this entry -

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
+73
077444f6 ?? ???

What exactly is that? The last part looks like a mobile phone number. The +73 code is for Kazakhstan. Could that be something from a piece of malware?

Edited November 3, 2020 by Dave-H (Typo)

kuja killer (Author) Posted November 3, 2020

Doesn't seem like it cause that number is at the end of the ntdll line as a "hex" value like the other lines.

0174fccc 7c92a600 077444f6 04d069f0 00000000 ntdll!RtlpWaitOrTimerCallout+0x73

I have MalwareBytes AntiMalware and I've scanned with that several times this year with the latest definition update(s) since this first started, and I've always come up clean (0 detections) every time. :|

Edited November 3, 2020 by kuja killer

Dave-H Posted November 4, 2020

InternetOpenUrl looks like a call which goes to an internet address.

https://docs.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopenurla

That might be worth investigating.

kuja killer (Author) Posted November 5, 2020

I wondered about that "internet open url" but how am I supposed to even know what caused it? Like I said it couldn't have been the ntdll.dll cause that's not ever been touched... and that article you linked I don't understand anything about it since it's all "coding" related ...not talking about any issues or problems or crashes...so I don't have a clue what I'm supposed to look for then.

Does that windbg have any other more advanced commands for seeing exactly what file or whatever those question marks were referring to?? I don't know anything about debugging stuff besides just the "analyze -v" thing which wasn't useful at all ...cause of question marks.

And as I've mentioned before, these goddamn crashes are purely no way to predict when it will happen.. maybe after a week, month... I don't have any idea how to reproduce it, cause this time it took 4 months for it to just happen out of the blue while just casually doing anything like viewing images or videos in my folders, or notepad texts, or any other kinds of programs like playing games, etc etc.

Edited November 5, 2020 by kuja killer

Dave-H Posted November 5, 2020

Unfortunately very intermittent faults which cannot be triggered at will are always extremely difficult to pin down. I agree that ntdll.dll is extremely unlikely to be the culprit, it's recorded as having been involved in the crash, but it probably wouldn't have actually caused it.

I think the only thing you can do is to uninstall the K-Lite Codec Pack and see if the problem goes away, as it seemed to appear after you installed it. I realise this isn't ideal, as it could be months before you can prove whether the problem has actually gone away or not!

Incidentally, you said you installed K-Lite version 13.8.5. My understanding is that the last XP compatible version is 13.8.2, which is an update to the last compatible full version which is 13.8.0. It is just possible that 13.8.5 does in fact contain something which isn't actually XP compatible, and is causing the problem. I have had 13.8.2 installed for several years, and it has caused no problems, so perhaps trying that version might be an idea.

UCyborg Posted November 5, 2020

I suggest verifying if hardware is actually functioning properly. Run Prime95's stress test for several hours. Scroll down to find XP compatible version. Also, if CPU isn't fed sufficient voltage, it can't be expected to operate 100% properly.

jumper Posted November 5, 2020

The question marks indicate that no memory is mapped at that address or it is otherwise not readable.

ntdll!RtlpWaitOrTimerCallout+0x73

0x73 bytes into this function is the next instruction after a CALL instruction. Its address is the return address pushed onto the stack by the CALL.

IP = instruction pointer

077444f6 seems to be the callback address of the executable code for an event handler. It was probably in a DLL that was prematurely unloaded.

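Added example (editorial, not part of any post in this thread): one way to test the unloaded-DLL explanation above is to compare the faulting IP against the module ranges that WinDbg's `lm` command prints, which ends with an "Unloaded modules:" section. The listing below is constructed sample text, and the names example_ext.dll and other_ext.dll and all address ranges are made up; only the two addresses checked come from the dump output posted earlier.

```python
import re

# Constructed sample in the layout of WinDbg's `lm` listing. The ranges and the
# names example_ext.dll / other_ext.dll are invented, not taken from the dump.
SAMPLE_LM = """\
start    end        module name
01000000 010ff000   explorer   (deferred)
7c800000 7c8f6000   kernel32   (deferred)
7c900000 7c9b2000   ntdll      (pdb symbols)

Unloaded modules:
07740000 07750000   example_ext.dll
10000000 10012000   other_ext.dll
"""

ROW = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)")

def parse_lm(text):
    """Return (loaded, unloaded) lists of (start, end, name) tuples."""
    loaded, unloaded = [], []
    target = loaded
    for line in text.splitlines():
        if line.strip().lower().startswith("unloaded modules"):
            target = unloaded  # every later row belongs to the unloaded list
            continue
        m = ROW.match(line.strip())
        if m:  # the column header and blank lines do not match and are skipped
            target.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return loaded, unloaded

def classify(addr, loaded, unloaded):
    """Say which module range, if any, contains addr (end treated as exclusive)."""
    for state, mods in (("loaded", loaded), ("unloaded", unloaded)):
        for start, end, name in mods:
            if start <= addr < end:
                return state, name, addr - start
    return "unmapped", None, None

def describe(addr, lm_text):
    """One-line summary of where addr falls in an `lm` listing."""
    state, name, off = classify(addr, *parse_lm(lm_text))
    if state == "unmapped":
        return f"{addr:08x}: not inside any listed module"
    return f"{addr:08x}: {name}+0x{off:x} ({state})"

if __name__ == "__main__":
    # Faulting IP and the ntdll return address quoted in the thread.
    for a in (0x077444F6, 0x7C927D39):
        print(describe(a, SAMPLE_LM))
```

Against a real dump, paste the actual `lm` output in place of SAMPLE_LM; an "unloaded" result for the faulting IP names the DLL whose callback outlived it, while "not inside any listed module" leaves that explanation unconfirmed.
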
kuja killer (Author) Posted November 5, 2020

UCyborg - I doubt any hardware is causing it, this is a laptop by the way. I've never had any sort of "hard lock" or freezes where the system would be completely frozen and forced holding power button to turn off for example. "Not" talking about BSOD.

And speaking of that, I never have had any "unexpected" BSODs before for as long as I can remember, only if it's something I know would make it happen like a PC game I can't play cause of this having an "integrated" Intel graphics when I'd need nvidia/amd - which is impossible to have for this laptop. But otherwise I don't get any BSOD for reasons that I'm unaware of or "out of the blue".

CPU has always been fine. I still doubt that's a cause. It's an "intel core 2 duo T 7600", not like that detail matters. :|

I always look at Event Viewer => System like once every day or so and don't ever see any errors. Only usually just "windows time didnt sync" once in a while, but it usually always works the next day or whatever (the clock in taskbar).

Dave-H - I had the version 13.8.5 because this page is what it said...is it actually wrong?? https://codecguide.com/download_kl_old.htm

Edited November 5, 2020 by kuja killer

Dave-H Posted November 5, 2020

I doubt that page is wrong, as it's the official download page from the K-Lite developers of course, but I'm sure that when 13.8.2 came out, they said that was the last XP version, because I labelled the installation file as such. It is of course possible that they then changed their mind and produced a further XP version! All I know is that 13.8.2 has worked for me for several years now with no problems. It might still be worth trying it if you can find a copy, I doubt that 13.8.5 is very different.

Edited November 5, 2020 by Dave-H (Amendment)