Explorer.exe crashing randomly a lot

[Dave-H]

Even easier, download and use this -
http://www.nirsoft.net/utils/shexview.html
This utility will display all of the Shell Extensions on the system and allow you to easily disable some or all of them.
HTH.

[kuja killer]

I mentioned already in one of my earlier replies in feburary that i checked with that shellex program before and didnt have anything at all that would be suspect. so that didnt help at all.

 

[Dave-H]

Ah, sorry I had forgotten!
Editing the registry wouldn't do anything different to what the ShellExView program does, so I guess it isn't a shell extension causing the problem this time (normally that would be the number one suspect).

[kuja killer]

yea.. well,i just went ahead and uploaded that crash dump file to mediafire. i dont know why it has to be such a ridiculously huge size like this. I dont know anything about coding and all that stuff so all i ever knew what to try was "analyze -v" ..and getting stupid question marks as i showed in that screenshot earlier. 

http://www.mediafire.com/file/ygwvkqu3ekgok6w/explorer+crash.dmp/file

Edited November 3, 2020 by kuja killer

[Dave-H]

Well here's what I managed to pull out of it, FWIW -

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [E:\Dump Folder\explorer crash.dmp]
User Mini Dump File with Full Memory: Only application data is available

Comment: '2nd_chance_AccessViolation_exception_in_EXPLORER.EXE_running_on_YOUR-7D8859AF69'
Symbol search path is: srv*d:\programf\microsof\windowss.1\debuggin\symbols*http://msdl.microsoft.com/download/symbols;symsrv*symsrv.dll*d:\win-nt\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Wed Jul  8 10:02:31.000 2020 (UTC + 0:00)
System Uptime: 11 days 13:04:15.434
Process Uptime: 4 days 5:46:39.000
................................................................
................................................................
.................................
Loading unloaded module list
..............
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(f4c.454): Access violation - code c0000005 (first/second chance not available)
eax=0174fc9c ebx=00000000 ecx=00000000 edx=00000000 esi=077444f6 edi=04d069f0
eip=077444f6 esp=0174fc84 ebp=0174fccc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
077444f6 ??              ???
0:003> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP: 
+73
077444f6 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 077444f6
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 077444f6
Attempt to read from address 077444f6

DEFAULT_BUCKET_ID:  BAD_INSTRUCTION_PTR

PROCESS_NAME:  explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  077444f6

READ_ADDRESS:  077444f6 

FOLLOWUP_IP: 
ntdll!RtlpWaitOrTimerCallout+73
7c927d39 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh

FAILED_INSTRUCTION_ADDRESS: 
+1e22faf00fddf58
077444f6 ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  077444f6

IP_IN_FREE_BLOCK: 77444f6

FAULTING_THREAD:  00000454

PRIMARY_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR

BUGCHECK_STR:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 7c927d39 to 077444f6

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
0174fc80 7c927d39 04d069f0 00000000 0014e800 0x77444f6
0174fccc 7c92a600 077444f6 04d069f0 00000000 ntdll!RtlpWaitOrTimerCallout+0x73
0174fcf8 7c92a54e 0014e800 00000004 00000020 ntdll!RtlpProcessWaitCompletion+0x112
0174ffb4 7c80b729 00000000 00000020 00f4fce4 ntdll!RtlpWaitThread+0x277
0174ffec 00000000 7c92a3f3 00000000 00000000 kernel32!BaseThreadStart+0x37


STACK_COMMAND:  ~3s; .ecxr ; kb

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  ntdll!RtlpWaitOrTimerCallout+73

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ntdll

IMAGE_NAME:  ntdll.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4d00f27d

FAILURE_BUCKET_ID:  BAD_INSTRUCTION_PTR_c0000005_ntdll.dll!RtlpWaitOrTimerCallout

BUCKET_ID:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_ntdll!RtlpWaitOrTimerCallout+73

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/explorer_exe/6_0_2900_5512/48025c30/unknown/0_0_0_0/bbbbbbb4/c0000005/077444f6.htm?Retriage=1

Followup: MachineOwner
---------

Hope this helps.
You could try searching on some of the entries. Nothing stood out to me as identifying the culprit here, but I'm not expert at interpreting debug logs either!

[kuja killer]

yea theres those worthless question marks. but i mean, it cant possibly be ntdll right ? cause that's not ever been touched since i've had this computer around 2010. it wasnt ever modified or anything like that.

https://i.imgur.com/Uq4Eyb9.png

i also tried searching for like ID 454, but there was no such thing in all the running exe's at the time, explorer was process ID 3916 it said, in the "process list" text file.

Edited November 3, 2020 by kuja killer

[Dave-H]

I'm intrigued by this entry -

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP: 
+73
077444f6 ??              ???

What exactly is that?
The last part looks like a mobile phone number.
The +73 code is for Kazakhstan.
Could that be something from a piece of malware?

Edited November 3, 2020 by Dave-H
Typo

[kuja killer]

Doesn't seem like it cause that number is at the end of the ntdll line as a "hex" value like the other lines.

0174fccc 7c92a600 077444f6 04d069f0 00000000 ntdll!RtlpWaitOrTimerCallout+0x73

I have MalwareBytes AntiMalware and i've scanned with that several times this year with the latest defintion update(s) since this first started, and i've always come up clean (0 detections) everytime. :|

Edited November 3, 2020 by kuja killer

[Dave-H]

InternetOpenUrl looks like a call which goes to an internet address.
https://docs.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopenurla
That might be worth investigating.

[kuja killer]

I wondered about that "internet open url" but how am i supposed to even know what caused it ? Like i said it couldnt have been the ntdll.dll cause that's not ever been touched... and that article you linked i dont understand anything about it since it's all "coding" related ...not talking about any issues or problems or crashes...so i dont have a clue what i'm supposed to look for then.

Does that windbg have any other more advanced commands for seeing exactly what file or whatever those question marks were referring to ?? i dont know anything about debugging stuff besides just the "analyze -v" thing which wasnt useful at all ...cause of question marks.

And as i've mentioned before, these goddamn crashes are purely no way to predict when it will happen.. maybe after a week, month... I dont have any idea how to reproduce it, cause this time it took 4 months for it just happen out of a blue while just casually doing anything like viewing images or videos in my folders, or notepad text's, or any other kinds of programs like playing games, etc etc. 

Edited November 5, 2020 by kuja killer

[Dave-H]

Unfortunately very intermittent faults which cannot be triggered at will are always extremely difficult to pin down.
I agree that ntdll.dll is extremely unlikely to be the culprit, it's recorded as having been involved in the crash, but it probably wouldn't have actually caused it.
I think the only thing you can do is to uninstall the K-Lite Codec Pack and see if the problem goes away, as it seemed to appear after you installed it.
I realise this isn't ideal, as it could be months before you can prove whether the problem has actually gone away or not!

Incidentally, you said you installed K-Lite version 13.8.5.
My understanding is that the last XP compatible version is 13.8.2, which is an update to the last compatible full version which is 13.8.0.
It is just possible that 13.8.5 does in fact contain something which isn't actually XP compatible, and is causing the problem.
I have had 13.8.2 installed for several years, and it has caused no problems, so perhaps trying that version might be an idea.

[UCyborg]

I suggest verifying if hardware is actually functioning properly. Run Prime95's stress test for several hours. Scroll down to find XP compatible version. Also, if CPU isn't fed sufficient voltage, it can't be expected to operate 100% properly.

[jumper]

The question marks indicate that no memory is mapped at that address or it is otherwise not readable.

ntdll!RtlpWaitOrTimerCallout+0x73

0x73 bytes into this function is the next instruction after a CALL instruction. Its address is the return address pushed onto the stack by the CALL.

IP = instruction pointer

077444f6 seems to be the callback address of the executable code for an event handler.  It was probably in a DLL that was prematurely unloaded.

[kuja killer]

Ucyborg - I doubt any hardware is causing it, this is a laptop by the way. I've never had any sort of "hard lock" or freeze's where the system would be completely frozen and forced holding power button to turn off for example. "not" talking about BSOD.

And speaking of that, i never have had any "unexpected" BSOD's before for as long as i can remember, only if it's something i know would make it happen like a PC game i cant play cause of this having a "integrated" intel graphics when i'd need nvidia/amd - which is impossible to have for this laptop. But otherwise I don't get any BSOD for reasons that im unaware of or "out of the blue"

Cpu has always been fine. I still doubt that's a cause. It's a "intel core 2 duo T 7600" not like that detail matters. :|

I always look at Event Viewer => System like once everyday or so and dont ever see any errors. only usually just "windows time didnt sync" once in awhile. but it usually always works the next day or whatever (the clock in taskbar)

Dave-H - i had the version 13.8.5 because this page is what it said...is it actually wrong ??

https://codecguide.com/download_kl_old.htm

Edited November 5, 2020 by kuja killer

[Dave-H]

I doubt that page is wrong, as it's the official download page from the K-Lite developers of course, but I'm sure that when 13.8.2 came out, they said that was the last XP version, because I labelled the installation file as such.
It is of course possible that they then changed their mind and produced a further XP version!
All I know is that 13.8.2 has worked for me for several years now with no problems.
It might still be worth trying it if you can find a copy, I doubt that 13.8.5 is very different.

 

Edited November 5, 2020 by Dave-H
Amendment