Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Can anyone help analyze a crash dump of explorer.exe
Hi experts,
My explorer.exe always crash occasionally whenever I try to rename /new a file or folder. I tried to use WINDBG to do run the "!analyze -v" command but it always give a blank output. Can anyone help to analyze the attached dump file and help me to locate where the issue is ?
thanks
Han
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Writing WDF Drivers | 12 September 2022 | Live, Online |
| Internals & Software Drivers | 23 October 2022 | Live, Online |
| Kernel Debugging | 14 November 2022 | Live, Online |
| Developing Minifilters | 5 December 2022 | Live, Online |
Comments
Hi
The crash is due to ShellExtension_x64.dll.
I don't have symbols for this dll.
Try removing this shell extension dll.
To know further provide me pdb of this dll.
0:024> !analyze -v
*** WARNING: Unable to verify timestamp for FileSyncShell64.dll
*** ERROR: Module load completed but symbols could not be loaded for FileSyncShell64.dll
DUMP_CLASS: 2
DUMP_QUALIFIER: 400
CONTEXT: (.ecxr)
rax=00007ffad523afc0 rbx=0000000000000000 rcx=00000000090f4170
rdx=0000000000000044 rsi=00000000000910aa rdi=0000000000000044
rip=00007ffaa99030a0 rsp=000000001e55e638 rbp=000000001e55e6d0
r8=00000000947aab5f r9=00000000090f4160 r10=00000fff5aa475f8
r11=0100000040001000 r12=000000001e55ed50 r13=000000001e55ed50
r14=000000000930da58 r15=0000000009430950
iopl=0 nv up ei pl zr na po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010247
<Unloaded_wpdshext.dll>+0x1130a0:
00007ffa`a99030a0 ?? ???
Resetting default scope
FAULTING_IP:
wpdshext!unloaded+1130a0
00007ffa`a99030a0 ?? ???
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffaa99030a0 (<Unloaded_wpdshext.dll>+0x00000000001130a0)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000008
Parameter[1]: 00007ffaa99030a0
Attempt to execute non-executable address 00007ffaa99030a0
DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR
PROCESS_NAME: explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000008
EXCEPTION_PARAMETER2: 00007ffaa99030a0
WRITE_ADDRESS: 00007ffaa99030a0
FOLLOWUP_IP:
windows_storage!SHCreateFileOperation+61
00007ffa`d5283355 8bd8 mov ebx,eax
FAILED_INSTRUCTION_ADDRESS:
wpdshext!unloaded+1130a0
00007ffa`a99030a0 ?? ???
WATSON_BKT_PROCSTAMP: b4a88dff
WATSON_BKT_PROCVER: 10.0.17134.677
PROCESS_VER_PRODUCT: Microsoft® Windows® Operating System
WATSON_BKT_MODULE: unknown
WATSON_BKT_MODVER: 0.0.0.0
WATSON_BKT_MODOFFSET: a99030a0
BUILD_VERSION_STRING: 10.0.17134.753 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: c942d13804215539838e394c7bc8a3e9c382943e
MODLIST_SHA1_HASH: 43088930a88aa5969f0f88ae7c3ade208c31e6cc
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
DUMP_FLAGS: 94
DUMP_TYPE: 1
APP: explorer.exe
ANALYSIS_SESSION_HOST: INENTRIPAR5L1C
ANALYSIS_SESSION_TIME: 07-15-2019 15:32:49.0799
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
THREAD_ATTRIBUTES:
OS_LOCALE: CHS
PROBLEM_CLASSES:
BAD_INSTRUCTION_PTR
Tid [0x21e0]
Frame [0x00]: wpdshext!unloaded
SOFTWARE_NX_FAULT
Tid [0x21e0]
Frame [0x00]: wpdshext!unloaded
BUGCHECK_STR: BAD_INSTRUCTION_PTR_SOFTWARE_NX_FAULT
LAST_CONTROL_TRANSFER: from 00007ffad5283355 to 00007ffaa99030a0
STACK_TEXT:
00000000
1e55e638 00007ffad5283355 : 0000000000000000 0000000009430950 000000001e55e6d0 00007ffad57687f8 : <Unloaded_wpdshext.dll>+0x1130a000000000
1e55e640 00007ffad564bf03 : 0000000000000000 000000001e55e720 0000000000000000 00007ffad4e17a1c : windows_storage!SHCreateFileOperation+0x6100000000
1e55e6a0 00007ffad564bd55 : 00000000094cd910 00000000094cd910 000000001e55ef60 00000000000910aa : windows_storage!RenameWithOperationsEngine+0xaf00000000
1e55e760 00007ffad55a5953 : 0000000000000000 000000001e55e940 000000001e55e940 0000000080070057 : windows_storage!RenameItemHelper+0x2ad00000000
1e55e840 00007ffad7006123 : 0000000004b61450 0000000006e447b0 00000000092f56b0 00000000092f5770 : windows_storage!CFSFolder::SetNameOf+0x3c300000000
1e55f1c0 00007ffad6ffbb94 : 0000000009253320 00007ffaad68ebb0 000000000929a1e8 00007ffad82e4abf : shell32!CDefView::_ExecuteRename+0x1bb00000000
1e55f270 00007ffaad7e339c : 0000000000003045 000000000000000d 000000000000000d 0000000009430a98 : shell32!CDefView::OnEndLabelEdit+0xb400000000
1e55f300 00007ffaad7e2e0d : 0000000000000000 0000000004b61450 0000000000000000 000000001e55f968 : explorerframe!CInplaceRename::_EndEdit+0x32c00000000
1e55f3c0 00007ffaad7e476f : 00000000001c0001 00000000002f106c 0000000000000100 00007ffad5e87649 : explorerframe!CInplaceRename::_EditSubclassProc+0x14500000000
1e55f410 00007ffac614d9c7 : 000000001e55f760 00000000001c0001 0000000000000000 0000000000000001 : explorerframe!CInplaceRename::s_EditSubclassProc+0x4f00000000
1e55f460 00007ffac614d737 : 00000000001c0001 00000000002f106c 00000000001c0001 0000000000000001 : comctl32!CallNextSubclassProc+0x11700000000
1e55f540 00007ffad6ef2ed2 : 00000000001c0001 00000000002f106c 0000000000000100 000000000f719da0 : comctl32!DefSubclassProc+0x7700000000
1e55f590 00007ffad70b29ca : 00000000060637e0 00000000001c0001 00000000002f106c 0000000000000000 : shell32!DefSubclassProc+0x4600000000
1e55f5d0 00007ffac614d9c7 : 0000000003c10288 00000000001c0001 0000000000000001 0000000000000000 : shell32!CInputLimiter::SubclassProc+0xca00000000
1e55f630 00007ffac614d802 : 0000000000000000 00000000002f106c 000000000000000d 0000000000000058 : comctl32!CallNextSubclassProc+0x11700000000
1e55f710 00007ffad82d6d41 : 000000008000a811 00007ffa9df4c940 00007ffad871a850 00000000002f106c : comctl32!MasterSubclassProc+0xa200000000
1e55f7b0 00007ffad82d6713 : 0000000006cc64e0 00007ffac614d760 00000000002f106c 00007ffa00000100 : user32!UserCallWinProcCheckWow+0x2c100000000
1e55f940 00007ffad6f94d20 : 000000001e55fb20 00007ffa00000000 00000000000910aa 00007ffad82d344a : user32!DispatchMessageWorker+0x1c300000000
1e55f9d0 00007ffaad7a4feb : 00000000091a1740 00000000091a1740 00000298f148d814 00007ffad6138ea2 : shell32!CDefView::TranslateAcceleratorW+0xa983000000000
1e55fa00 00007ffaad7a4e61 : 0000000080004005 000000000033093a 0000000000000001 000000001e55fb20 : explorerframe!CShellBrowser::_MayTranslateAcceleratorNoMenuband+0xf300000000
1e55fa30 00007ffaad7602ad : 00000000092566f0 00007ffad8343070 0000000000000001 000000001e55fb20 : explorerframe!CShellBrowser::_MayTranslateAccelerator+0xdd00000000
1e55fa60 00007ffaad7727c3 : 00000000092566f0 000000001e55fb20 0000000000000000 0000000001b64790 : explorerframe!CBrowserHost::TranslateAcceleratorIO+0x1d00000000
1e55fa90 00007ffaad76cca3 : 000000001e55fb20 00000000092566e0 0000000000000001 000000001e55fd80 : explorerframe!CInputObjectContainer::TranslateAcceleratorIO+0x6300000000
1e55fac0 00007ffaad722776 : 00000000ffffffff 00000000092566e0 00000000ffffffff 0000000000000002 : explorerframe!CExplorerFrame::TranslateAcceleratorIO+0x3300000000
1e55faf0 00007ffaad68d02e : 00000000092566e0 000000001e55fcb9 0000000000000039 0000000000000000 : explorerframe!CExplorerFrame::FrameMessagePump+0xa2ac600000000
1e55fb80 00007ffaad68d26e : 00000000092566e0 000000000942a940 0000000009497170 0000000000000000 : explorerframe!BrowserThreadProc+0x7600000000
1e55fbd0 00007ffaad68d1b2 : 1a9365dc00000001 00000000061ce030 000000001e55fd28 00007ffad5bb0fa5 : explorerframe!BrowserNewThreadProc+0x3a00000000
1e55fc00 00007ffaad6e3d05 : 0000000000000000 0000000000000001 000000000000ea60 00007ffad532d0f9 : explorerframe!CExplorerTask::InternalResumeRT+0x1200000000
1e55fc30 00007ffad532e1b4 : 0000000000000ca8 00000000000021e0 00000000000000ff 0000000000000009 : explorerframe!CRunnableTask::Run+0x8b500000000
1e55fd20 00007ffad532ce63 : fffffffffffffffe 0000000000000000 fffffffffffffffe 000000001e55fea9 : windows_storage!CShellTask::TT_Run+0x4c00000000
1e55fd50 00007ffad532cb6f : 000000000605ad20 000000000605ad20 000000001e55fea9 0000000000000000 : windows_storage!CShellTaskThread::ThreadProc+0xcb00000000
1e55fe00 00007ffad6503fb5 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : windows_storage!CShellTaskThread::s_ThreadProc+0x2f00000000
1e55fe30 00007ffad61a4034 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : SHCore!_WrapperThreadProc+0xf500000000
1e55ff10 00007ffad86f3691 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x1400000000
1e55ff40 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21THREAD_SHA1_HASH_MOD_FUNC: cf8443bd73c9bd3014499df69e34cdbcfad0da92
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 91e261c7fc74cbeab836f00f83e03bc59e122fca
THREAD_SHA1_HASH_MOD: 8e24cff2d454c1834861dc555d37c759992b97bb
FAULT_INSTR_CODE: c085d88b
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: windows_storage!SHCreateFileOperation+61
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: windows_storage
IMAGE_NAME: windows.storage.dll