Application Error: 0xc0000096 at location 0x7c8edf9e

[Mant]

Hallo MSFN !!

Don't know what corrupt causes this annoying error messages.

---------------------------------------------------------------------------------

Application Error : The exception Privileged instruction.

(0xc0000096) occurred in the application at location 0x7c8edf9e.

Click on OK to terminate the program.

---------------------------------------------------------------------------------

Tested with memtest86+, nothing wrong with hardware/memory.

Error message does NOT occur in F8 safe mode, but System Restore still can NOT fix.

Chkdsk /f /r result report clean.

I find several affected files, all most *.exe based, NO virus found.

Error occured when starting/closing this app:

imapi.exe

notepad.exe

rundll32.exe

cmd.exe

nero.exe

wmiprvse.exe

mmc.exe

wuauclt.exe

acrobat_sl.exe

userinit.exe

feedback.exe

logonui.exe

taskmgr.exe

and most others *.exe app

note: control panel/explorer.exe is not affected

app runs normally, occur ex: when logon windows starting imapi service or closing notepad.exe.

detail:

Windows XP 2600.xpsp_sp2_gdr.050301-1519 SP2, .netFX 2.0,

and some IE 7 beta 3, KIS 6.0, Outpost Firewall 4.0, AcronisTI 9.1, SocketShield 1.1, YahooMsgr 8.0, Nero 7.0, CfosSpeed 3.1 nothing startup run, maybe just Alcohol 120% and Acronis drivers.

Edited September 14, 2006 by Mant

[cluberti]

If the error doesn't happen in safe mode, this means that it's a driver or running application (background or service) causing this. Use msconfig or autoruns (from sysinternals) to disable all non-Microsoft startup items and services, and reboot. See if the problem recurs then - if not, use trial and error to see which service or startup application causes the issue when re-enabled. If you've got all non-Microsoft services and startup items disabled and the issue still occurs, then it's a driver or Data Execution Prevention causing the error.

Edited September 13, 2006 by cluberti

[Mant]

Thanks fast reply.

I have disable DEP via boot.ini, it says: "AlwaysOff"

[boot loader]

timeout=10

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Clean XP Professional" /noexecute=optin /fastdetect

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Mant XP" /noexecute=AlwaysOff /fastdetect

ps: cases is in "Mant XP" Windows.

I use msconfig, set Startup Selection to Diagnostic Startup -mode load basic device and services only.

Then some little panic action -uninstalling Alcohol 120%, this will remove stpd.sys upon loading.

After reboot and starting windows in Diagnostic Startup mode, the error message is still recurs

but it was changed to:

--------------------------------------------------------------------------------------------------------------------------

The instruction at "0x7c8edff3" referenced memory at "0xffffffff" the memory could not be "read".

click on OK to terminate the program.

--------------------------------------------------------------------------------------------------------------------------

Edited September 14, 2006 by Mant

[cluberti]

Here are the instructions for configuring userdump to gather information on the notepad.exe process, since you did state the error occurs when starting notepad:

1. Download the userdump executable, located here:

http://www.microsoft.com/downloads/details...;DisplayLang=en

2. Double-click the downloaded .exe file to extract the userdump installation files. By default, these will extract to C:\kktools\userdump8.0. Please click "Yes", then "Unzip" to extract the files.

3. Double-click the "setup.exe" file located in C:\kktools\userdump8.0\x86 to install the userdump utility. Please select the defaults when possible, and make certain to select the "Enable dump on process termination" feature when prompted.

You may need to reboot the machine at this point for the installation to complete successfully.

4. Create a folder called C:\userdump.

5. Once installed, you will find a new icon in your control panel called "Process Dump". Please open this utility.

6. When the userdump window opens, please click the "New" button.

7. Please enter notepad.exe in the "Application name:" dialog box, and click "OK".

8. Click on the new listing for "notepad.exe", and click the "Rules" button.

9. Select the "Use custom rules" radio button.

10. Type "C:\userdump" (minus the quotes) in the "Dump file folder" dialog box.

11. Click the "All Exceptions" box.

12. Please click the "Dump on Process Termination" box.

13. Click the "OK" button.

14. Click the "Apply" button, then click "OK".

The next time notepad (notepad.exe) crashes, you will now have a .dmp file (or series of .dmp files) in C:\userdump. This will help us determine what caused the process to crash.

[Mant]

Hello,

This is what i got for debugging NOTEPAD.EXE:

Microsoft ® Windows Debugger Version 6.6.0007.5

Copyright © Microsoft Corporation. All rights reserved.

Loading Dump File [Desktop\userdump\notepad_END1366.dmp]

User Mini Dump File with Full Memory: Only application data is available

Comment: 'Userdump generated complete user-mode minidump with Exit Monitor function on »«'

Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible

Product: WinNt, suite: SingleUserTS

Debug session time: Fri Sep 15 01:39:11.000 2006 (GMT+7)

System Uptime: 0 days 10:21:31.392

Process Uptime: 0 days 0:00:04.000

Symbol search path is: set _NT_SYMBOL_PATH=srv*DownstreamStore*http://msdl.microsoft.com/download/symbols

Executable search path is: %SystemRoot%\system32\NOTEPAD.EXE

............................

Loading unloaded module list

.

eax=000900c4 ebx=00000000 ecx=7ffdc000 edx=7ffdf000 esi=7c90e88e edi=c0000096

eip=7c90eb94 esp=0007fde8 ebp=0007fee4 iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

ntdll!KiFastSystemCallRet:

7c90eb94 c3 ret

Edited September 16, 2006 by Mant

[cluberti]

If you would please, run "~*kb" with the dump loaded, and post the output.

[Mant]

hello mr. cluberty

I have finished uploading notepad_END1336.dmp into your ftp at Sep 16 2006, 09:06 AM.

please help.

best regards.

[LLXX]

Have you checked the processor temperature?

[cluberti]

I'm still working on it, but it appears so far that the process is in an actual graceful exit routine, meaning something told the process to exit (and it's already gone off of the stack) - I'm wondering if there is any software on the machine, other than DEP, that is checking or regulating the launching of applications. There are LOTS of 3rd party .dll's loaded in the process I have dumped (notepad) which strikes me that one or more could be a potential issue, but so far it appears the application that called the exit routine (it wasn't notepad) has already closed (or it's being called by a hook into the process by another process, which is actually highly likely here).

Edited September 25, 2006 by cluberti

[Mant]

RESOLVED !!!

hello MSFN !!! special thanks to my friends mr. cluberti

for your hardwork for help me day after day and stay with me.

you don't have to work with it (notepad dmp code) anymore.

after a month i confused about this, now i've resolve the problem.

first, i read carefully from your last post. said that i have something another DEP.

then i make assesment list:

something self-defense/proactive-defense/anti-leak component is like my kaspersky 6.0 or outpost firewall 4.0.

something risk-of-corrupt component is like my o&o defrag (idle/screensaver defrag).

step by step i go into safe mode, uninstalling my outpost firewall 4.0.916.570 (beta/RC)

yes it is, resolved after entering normal windows. so the posibility result is:

1. the outpost firewall 4.0.916.570 itself (beta/RC -with anti leak component)

2. the riskware that came from the outpost firewall 4.0.916.570 setup (kaspersky detected)

3. the confilct driver between outpost firewall 4.0.916.570 with socketshield 1.1.0 0013

i still respect to the agnitum outpost firewall, it was a great firewall.

ps: i suggest don't download outpost firewall 4.0.916.570 from not-officially site like softpedia. kaspersky detected a riskware: trojan generic at temp folder used to setup outpost firewall 4.0.916.570 (this is out of topic so don't make any judgement). i still can't tell exactly the problem came from but the last word "RESOLVED" is make me VERY HAPPY !!

best regards.

Edited September 26, 2006 by Mant