Jump to content

Explorer.exe keeps craching


moo2004

Recommended Posts

Whenever I access a network drive the explorer.exe crash.

It crashes when I access to the sixth or seventh folder in the network drive.

Here are some crach's logs:

Application popup: explorer.exe - Application Error : The instruction at "0x7c91888f" referenced memory at "0x072ba098". The memory could not be "read".

Application popup: Explorer.EXE - Application Error : The instruction at "0x7c9106c3" referenced memory at "0x0056005a". The memory could not be "written".

Application popup: explorer.exe - Application Error : The instruction at "0x7c9111de" referenced memory at "0x0065004c". The memory could not be "read".

Application popup: Explorer.EXE - Application Error : The exception unknown software exception (0xc000001e) occurred in the application at location 0x02920289.

Application popup: Explorer.EXE - Application Error : The instruction at "0x7c9111de" referenced memory at "0x0065004c". The memory could not be "read".

Application popup: Explorer.EXE - Application Error : The instruction at "0x7c9ecad2" referenced memory at "0x00660069". The memory could not be "read".

Application popup: explorer.exe - Application Error : The instruction at "0x76eb1d8f" referenced memory at "0x00000000". The memory could not be "written".

I have done a scan with; SPYboot S&D, Ad-aware,SPY boot doctor and Hijackthis but it haven't fixed it.

I also checked the RAM with Memtest and there were no errors.

I checked my C drive "Chkdsk /f" and it didn't help.

I changed the size of my Paging file but ot also didn't help

Please assist...

Link to comment
Share on other sites


Whenever I access a network drive the explorer.exe crash.

It crashes when I access to the sixth or seventh folder in the network drive.

Here are some crach's logs:

Application popup: explorer.exe - Application Error : The instruction at "0x7c91888f" referenced memory at "0x072ba098". The memory could not be "read".

Application popup: Explorer.EXE - Application Error : The instruction at "0x7c9106c3" referenced memory at "0x0056005a". The memory could not be "written".

Application popup: explorer.exe - Application Error : The instruction at "0x7c9111de" referenced memory at "0x0065004c". The memory could not be "read".

Application popup: Explorer.EXE - Application Error : The exception unknown software exception (0xc000001e) occurred in the application at location 0x02920289.

Application popup: Explorer.EXE - Application Error : The instruction at "0x7c9111de" referenced memory at "0x0065004c". The memory could not be "read".

Application popup: Explorer.EXE - Application Error : The instruction at "0x7c9ecad2" referenced memory at "0x00660069". The memory could not be "read".

Application popup: explorer.exe - Application Error : The instruction at "0x76eb1d8f" referenced memory at "0x00000000". The memory could not be "written".

I have done a scan with; SPYboot S&D, Ad-aware,SPY boot doctor and Hijackthis but it haven't fixed it.

I also checked the RAM with Memtest and there were no errors.

I checked my C drive "Chkdsk /f" and it didn't help.

I changed the size of my Paging file but ot also didn't help

Please assist...

i think the main problem is related to your networking. Pls. provide more information about your networking environment including routers/hubs/ethernet card

Link to comment
Share on other sites

On that machine, run "drwtsn32 -i" and see if Dr Watson catches the next crash - upload the zipped version here for analysis, if you aren't comfortable with that. If Dr. Watson doesn't work, there are other ways of making explorer.exe talk :).

Link to comment
Share on other sites

  • 2 weeks later...

Here's what is happening, according to the dr watson dump you attached:

This thread has created a critical section to do whatever the TDSHELL binary requests here (can't tell, as there's no symbols or export functions in the .dll):

0:003> kn
# ChildEBP RetAddr
00 00ffe98c 7c90e9c0 ntdll!KiFastSystemCallRet
01 00ffe990 7c8025cb ntdll!ZwWaitForSingleObject+0xc
02 00ffe9f4 7c802532 kernel32!WaitForSingleObjectEx+0xa8
03 00ffea08 00cca3b7 kernel32!WaitForSingleObject+0x12
04 00fff714 7e41f84a TDSHELL+0x3a3b7
05 00fff730 7e4563be user32!DispatchHookW+0x31
06 00fff75c 7e41b50c user32!fnHkINLPCWPRETSTRUCTW+0x5e
07 00fff784 7c90eae3 user32!__fnDWORD+0x24
08 00fff7a8 7e4194be ntdll!KiUserCallbackDispatcher+0x13
09 00fff7e4 7e41b903 user32!NtUserMessageCall+0xc
0a 00fff804 0100761e user32!SendMessageW+0x7f
0b 00fff83c 010075d9 explorer!CTrayItemManager::GetItemData+0x3c
0c 00fff850 010075a7 explorer!CTrayItemManager::GetItemDataByIndex+0x12
0d 00fff864 0100785f explorer!CTrayItemManager::FindItemAssociatedWithHwndUid+0x1e
0e 00fff88c 01007808 explorer!CTrayNotify::_TrayNotifyIcon+0x6b
0f 00fff89c 010077bc explorer!CTrayNotify::TrayNotify+0x33
10 00fff960 01001b5e explorer!CTray::v_WndProc+0x510
11 00fff984 7e418734 explorer!CImpWndProc::s_WndProc+0x65
12 00fff9b0 7e418816 user32!InternalCallWinProc+0x28
13 00fffa18 7e41b4c0 user32!UserCallWinProcCheckWow+0x150
14 00fffa6c 7e42e3b4 user32!DispatchClientMessage+0xa3
15 00fffa9c 7c90eae3 user32!__fnCOPYDATA+0x41
16 00fffea8 7e4193e9 ntdll!KiUserCallbackDispatcher+0x13
17 00fffed4 7e419402 user32!NtUserPeekMessage+0xc
18 00ffff00 010019c1 user32!PeekMessageW+0xbc
19 00ffff44 01011e8b explorer!CTray::_MessageLoop+0x24
1a 00ffff50 77f7429a explorer!CTray::MainThreadProc+0x29
1b 00ffffb4 7c80b683 shlwapi!WrapperThreadProc+0x94
1c 00ffffec 00000000 kernel32!BaseThreadStart+0x37


This thread is working on that critical section, and access violates writing to a particular virtual memory address:

0:005> kn
# ChildEBP RetAddr
00 0117fe7c 7c90104b ntdll!RtlpWaitForCriticalSection+0x8c
01 0117fe84 75f81ba7 ntdll!RtlEnterCriticalSection+0x46
02 0117fee0 77f69498 browseui!CShellTaskScheduler_ThreadProc+0x11e
03 0117fef8 7c927545 shlwapi!ExecuteWorkItem+0x1d
04 0117ff40 7c927583 ntdll!RtlpWorkerCallout+0x70
05 0117ff60 7c927645 ntdll!RtlpExecuteWorkerRequest+0x1a
06 0117ff74 7c92761c ntdll!RtlpApcCallout+0x11
07 0117ffb4 7c80b683 ntdll!RtlpWorkerThread+0x87
08 0117ffec 00000000 kernel32!BaseThreadStart+0x37

The eip register for this thread points to 7c918fea, which happens to be the critical section we've started waiting on.
The critical section we're waiting on looks like this (it's bogus, btw, it shouldn't look like this):

0:005> !critsec 7c918fea

DebugInfo for CritSec at 7c918fea could not be read
Probably NOT an initialized critical section.

CritSec ntdll!RtlpWaitForCriticalSection+8c at 7c918fea
LockCount -528221115
RecursionCount -398096127
OwningThread 40ff068b
*** Locked

The exception record for this thread looks like this:

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c918fea (ntdll!RtlpWaitForCriticalSection+0x0000008c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 0065005c

Parameter 1 is most important, because it's the memory address we failed to write to - in this case 0065005c.
You'll notice that's the ds register for the critsec thread as well, but that it is also likely invalid:

0:003> ~5s
eax=0065004c ebx=00000000 ecx=00000000 edx=01d45d3c esi=01d45d3c edi=00000000
eip=7c918fea esp=0117fe08 ebp=0117fe7c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
ntdll!RtlpWaitForCriticalSection+0x8c:
7c918fea ff4010 inc dword ptr [eax+10h] ds:0023:0065005c=????????

I don't know for sure what is causing this, but it looks like one of three things - tdshell.dll, deskbar.dll, and possibly browseui or shlwapi.dll.


The tdshell.dll binary looks like this:

0:005> lmvm tdshell
start end module name
00c90000 00dfd000 TDSHELL
Loaded symbol image file: TDSHELL.DLL
Image path: C:\WINDOWS\system32\TDSHELL.DLL
Image name: TDSHELL.DLL
Timestamp: Thu Jul 27 08:41:03 2006 (44C8B45F)
CheckSum: 00000000
ImageSize: 0016D000
File version: 4.4.82.17
Product version: 4.4.82.17
File flags: 28 (Mask 3F) Private Special
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

I'm not sure who owns this .dll, but I believe it's from TeamStream, which is a voice application vendor for gamers.


The deskbar.dll looks like this:

0:005> lmvm deskbar
start end module name
01420000 014b2000 deskbar
Loaded symbol image file: deskbar.dll
Image path: C:\Program Files\Windows Desktop Search\deskbar.dll
Image name: deskbar.dll
Timestamp: Mon Feb 05 18:40:31 2007 (45C7C06F)
CheckSum: 000912C8
ImageSize: 00092000
File version: 6.0.6000.16431
Product version: 6.0.6000.16431
File flags: 8 (Mask 3F) Private
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

This is of course the Windows desktop search .dll, which loads the "search" option in the taskbar.


Browseui and Shlwapi look like this:

0:005> lmvm browseui
start end module name
75f80000 7607d000 browseui
Loaded symbol image file: browseui.dll
Image path: C:\WINDOWS\system32\browseui.dll
Image name: browseui.dll
Timestamp: Tue Feb 20 04:48:02 2007 (45DAC3D2)
CheckSum: 000FD3A7
ImageSize: 000FD000
File version: 6.0.2900.3086
Product version: 6.0.2900.3086
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

0:005> lmvm shlwapi
start end module name
77f60000 77fd6000 shlwapi
Loaded symbol image file: shlwapi.dll
Image path: C:\WINDOWS\system32\shlwapi.dll
Image name: shlwapi.dll
Timestamp: Tue Feb 20 04:48:10 2007 (45DAC3DA)
CheckSum: 00080FD2
ImageSize: 00076000
File version: 6.0.2900.3086
Product version: 6.0.2900.3086
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

It looks like you have the February cumulative update for IE installed (MS07-027) - did you install the QFE build for this update, perhaps? I'd say the next step is to remove desktop search and the TeamStream software, if possible, and see what happens - someone or something is causing corruption in the stack, which ultimately corrupts the registers stored, and causes the access violation. I'm sure that ds value should have been something valid, but it's not anymore due to corruption somewhere along the line; the eip register was probably meant to point to something valid as well, but currently does not point to a valid critical section address. I can't say with 100% certainty that it's one of those .dlls I've mentioned, but it looks like they're involved.

Link to comment
Share on other sites

  • 4 weeks later...

Sorry for the delay, but I was not at work for a long time.

I have removed Windows Desktop Messenger and stoped at startup the following DLL files:

*browseui.dll

*TDSHELL.DLL

That didn't fix the issue.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...