Generic Host Process for Win32 Services

[tubui]

I got this error randomly.. What is it, and how can I prevent it.

I recently opened a port for Warcraft 3 FT... I never got this before until then.

[ringfinger]

Are you completely up to date with all the SPs and hotfixes from M$? I've seen this before and a hotfix did the trick for me..

[cluberti]

That means that one of the svchost.exe "service hosts" on your machine is crashing. I'd say making sure your machine was clean would be a good idea, but assuming that your machine is clean, do the following to gather a dump of it the next time it crashes with userdump:

1. Download Userdump.

2. Double-click the downloaded file to extract the userdump installation files. By default, these will extract to C:\kktools\userdump8.1. Please click "Yes", then "Unzip" to extract the files.

3. Double-click the "setup.exe" file located in C:\kktools\userdump8.1\x86 to install the userdump utility. Please select the defaults when possible, and make certain to select the "Enable dump on process termination" feature when prompted.

NOTE: You may need to reboot the machine at this point for the installation to complete successfully.

4. Create a folder called C:\userdump.

5. Once installed, you will find a new icon in your control panel called "Process Dump". Please open this utility.

6. When the userdump window opens, please click the "New" button.

7. Please enter "svchost.exe" in the "Application name:" dialog box, and click "OK".

8. Click on the new listing for "svchost.exe", and click the "Rules" button.

9. Select the "Use custom rules" radio button.

10. Type "C:\userdump" in the "Dump file folder" dialog box.

11. Click the "All Exceptions" box.

12. Click the "OK" button.

13. Click the "Apply" button, then click "OK".

You should have a .dmp file (or series of .dmp files) in C:\userdump the next time it crashes. These memory dump files will help us in determining what caused the process to crash.

[tubui]

I tried this http://www.microsoft.com/downloads/details...;displaylang=en hotfix but it still happens. It usually occurs after I host a game in Warcraft III - Frozen Throne.. Heres more info..

[cluberti]

I would again recommend following my post above, because that hotfix isn't going to resolve your issue (if you had the issue that hotfix mentioned, you'd know it - the service would crash constantly, not just a few times a day).

[tubui]

Okay, I will try tomorrow but listen, this usually happens while I am playing a game in Warcraft III - The Frozen Throne. (I recently open my ports, etc, to allow to host games in W3, then I get this error)

Also, after getting this error, my sounds get messed up, they don't work anymore, say I play CS after W3, my sound doesn't work.

[cluberti]

Hopefully a dump will point us to the culprit, then, and you can go about getting everything working again .

[tubui]

kk, I did all that, tomorrow when this error pops up again, please let me know what to do. Thanks!

[cluberti]

If it's set up, the next time the error occurs you should have a dump file (or series of dump files) in C:\userdump. PM me when you've got them.

[tubui]

cluberti, some good news and some bad news.

Good news is that, I installed it, and got 2 dmp files.. (PMed to you)

Bad news is that, after I installed this, shut it down, the next day (today) I turned on my computer, it would always freeze when my startup programs load up, so after figuring out that this program might of caused this, I went into Safe Mode and uninstalled it. And now I can play my computer, BUT I didn't get a chance for the error to pop up... But seeing how I got 2 .dmp files, it might be something...

[cluberti]

According to the second dump, an event was written to the log (doesn't indicate which) by a WMI xsink at approximately 11:45.19 US Eastern Time - would you happen to have that event? Also, the actual error appears to have come from the wiaserv service, or the Windows Image Acquisition service, during a PNP Unregister Notification event. Was any PNP device disconnected from the machine at the time of the error?

From the first svchost.exe dump, the imgsvc svchost.exe process:

ChildEBP RetAddr  Args to Child			  
0007f808 77ea38d3 000006b5 00000001 00000000 kernel32!RaiseException+0x53
0007f820 77e91357 000006b5 77926a70 0007fc2c rpcrt4!RpcpRaiseException+0x24
0007f834 77ef3675 0007f87c 000a13fc 00000000 rpcrt4!NdrSendReceive+0x35
0007fc10 7792f318 77926a70 77929ecc 0007fc2c rpcrt4!NdrClientCall2+0x222
0007fc24 7792f2a9 000b4770 000e2444 77d664ef setupapi!PNP_UnregisterNotification+0x1b
0007fc64 77d66534 000e2440 77d664ef 75aea3d8 setupapi!CMP_UnregisterNotification+0x4a
0007fca4 75ac83db 000e2440 00000000 00000005 user32!UnregisterDeviceNotification+0x45
0007fcc8 75ac8575 0009ba88 75ac8520 00000000 wiaservc!StiServiceStop+0x80
0007fcdc 77deb603 00000005 00000000 00000000 wiaservc!StiServiceCtrlHandler+0x55
0007fd50 77deb568 00000074 0007fd7c 00000216 advapi32!ScDispatcherLoop+0x266
0007ffb0 01002585 00098278 7c910738 ffffffff advapi32!StartServiceCtrlDispatcherW+0xe3
0007ffc0 7c816d4f 7c910738 ffffffff 7ffd9000 svchost!_wmainCRTStartup+0x77
0007fff0 00000000 01002509 00000000 78746341 kernel32!BaseProcessStart+0x23

And from the second svchost.exe dump, the netsvcs svchost.exe process:

ChildEBP RetAddr  Args to Child			  
0189f718 77ea38d3 000006b5 00000001 00000000 kernel32!RaiseException+0x53
0189f730 77e91357 000006b5 77ddf110 0189fb3c rpcrt4!RpcpRaiseException+0x24
0189f744 77ef3675 0189f78c 001076a0 000da5c8 rpcrt4!NdrSendReceive+0x35
0189fb20 77de766c 77ddf110 77de644c 0189fb3c rpcrt4!NdrClientCall2+0x222
0189fb34 77de762f 000a53e8 45b4415b 00000004 advapi32!ElfrReportEventW+0x1b
0189fbac 77de7570 000a53e8 00000004 00000000 advapi32!ElfReportEventW+0x5a
0189fc18 73d35673 000a53e8 00000004 00000000 advapi32!ReportEventW+0xce
0189fcec 5981d2b7 005ba860 00d7c6c0 00000006 wbemcons!CEventLogSink::XSink::IndicateToConsumer+0x495
0189fd48 598206da 00000000 00d7c6c0 00000006 wmiprvsd!CInterceptor_IWbemSyncUnboundObjectSink::InternalEx_IndicateToConsumer+0x6d
0189fd60 59815bf8 000b7af0 00d7c6c0 00000006 wmiprvsd!CInterceptor_IWbemSyncUnboundObjectSink::IndicateToConsumer+0x18
0189fdbc 753ac47b 000b7af0 00d7c6c0 00000006 wmiprvsd!CInterceptor_IWbemUnboundObjectSink::IndicateToConsumer+0xba
0189fdf4 753ad40f 000bad38 00d7c6c0 00000006 wbemess!CPermanentConsumer::Indicate+0x28
0189fe3c 7539912d 00000006 0189fe74 00000000 wbemess!CPermanentConsumer::ActuallyDeliver+0xd3
0189fe60 75399648 00000000 00000006 0189fe74 wbemess!CQueueingEventSink::DeliverEvents+0x3a
0189ff04 753998a7 00db5e90 00d598e8 00d15e98 wbemess!CQueueingEventSink::DeliverSome+0x24f
0189ff38 7529f0a7 00db5e90 00d15e98 7c9010ed wbemess!CQueueingEventSink::DeliverAll+0x56
0189ff4c 7529eda9 00db5e90 756a0195 00db5e90 wbemcomn!CExecQueue::Execute+0x17
0189ff7c 753ac2da 00002ee0 756a0195 0120f3bc wbemcomn!CExecQueue::ThreadMain+0x11f
0189ffa8 7529edc2 00db5e90 0189ffec 7c80b50b wbemess!CEventQueue::ThreadMain+0x22
0189ffb4 7c80b50b 00db5e90 756a0195 0120f3bc wbemcomn!CExecQueue::_ThreadEntry+0xf

This smacks of a driver issue, but I can't figure out what from the current crop of data - some kernel-mode driver is calling up into the imgsvc svchost.exe process, which usually hosts scanners, cameras, etc. However, at the same time (which is why you have two dumps), the WMI event consumer is dumping an event to the event log for a permanent event consumer from the event queue, which indicates a WMI provider indicating either a problem or a warning on a WMI interface. I'd say it's a bad PNP device driver from what can be seen here, but I cannot say with 100% certainty that this is the case.

Perhaps making sure all of your drivers are 100% up to the latest versions (especially your network interface driver), and also trying to run with no 3rd party startup items and services (via autoruns from sysinternals) to see if this clears up. Also checking for any events in any event log, at around that time (Jan 21, 11:45PM ET) may help as well.

[tubui]

Well remember, this started happening when I opened some ports to run Battle.net games on Warcraft III - The Frozen Throne.. I also added the ports to my Windows Firewall..

And the error only pops up while I play a game in Warcraft. So what could it be for the driver?

[cluberti]

Honestly, I don't know from the data uploaded, as it's only giving me a WMI event sink due to a plug-and-play event. I'm not sure how warcraft works with the hardware, so you might want to send a quick email to support for that product on this - it could be some code in their network portion of the product has caused this when you allow it access to the 'net. Again, not sure, but from what I've got it looks like a PNP event raising an exception - it's either a buggy driver, or buggy software (or both ).

[tubui]

What driver/software should I be looking at?