Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

Can anyone help analyze a crash dump of explorer.exe

keyeokeyeo Member Posts: 1
in WINDBG

Hi experts,
My explorer.exe always crash occasionally whenever I try to rename /new a file or folder. I tried to use WINDBG to do run the "!analyze -v" command but it always give a blank output. Can anyone help to analyze the attached dump file and help me to locate where the issue is ?

thanks
Han

Comments

  • ashish_kohliashish_kohli Member - All Emails Posts: 60

    Hi

    The crash is due to ShellExtension_x64.dll.
    I don't have symbols for this dll.

    Try removing this shell extension dll.

    To know further provide me pdb of this dll.

  • NtDev_GeekNtDev_Geek Member - All Emails Posts: 102

    0:024> !analyze -v

    • *
    • Exception Analysis *
    • *

    *** WARNING: Unable to verify timestamp for FileSyncShell64.dll
    *** ERROR: Module load completed but symbols could not be loaded for FileSyncShell64.dll

    DUMP_CLASS: 2

    DUMP_QUALIFIER: 400

    CONTEXT: (.ecxr)
    rax=00007ffad523afc0 rbx=0000000000000000 rcx=00000000090f4170
    rdx=0000000000000044 rsi=00000000000910aa rdi=0000000000000044
    rip=00007ffaa99030a0 rsp=000000001e55e638 rbp=000000001e55e6d0
    r8=00000000947aab5f r9=00000000090f4160 r10=00000fff5aa475f8
    r11=0100000040001000 r12=000000001e55ed50 r13=000000001e55ed50
    r14=000000000930da58 r15=0000000009430950
    iopl=0 nv up ei pl zr na po cy
    cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010247
    <Unloaded_wpdshext.dll>+0x1130a0:
    00007ffa`a99030a0 ?? ???
    Resetting default scope

    FAULTING_IP:
    wpdshext!unloaded+1130a0
    00007ffa`a99030a0 ?? ???

    EXCEPTION_RECORD: (.exr -1)
    ExceptionAddress: 00007ffaa99030a0 (<Unloaded_wpdshext.dll>+0x00000000001130a0)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 0000000000000008
    Parameter[1]: 00007ffaa99030a0
    Attempt to execute non-executable address 00007ffaa99030a0

    DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR

    PROCESS_NAME: explorer.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE_STR: c0000005

    EXCEPTION_PARAMETER1: 0000000000000008

    EXCEPTION_PARAMETER2: 00007ffaa99030a0

    WRITE_ADDRESS: 00007ffaa99030a0

    FOLLOWUP_IP:
    windows_storage!SHCreateFileOperation+61
    00007ffa`d5283355 8bd8 mov ebx,eax

    FAILED_INSTRUCTION_ADDRESS:
    wpdshext!unloaded+1130a0
    00007ffa`a99030a0 ?? ???

    WATSON_BKT_PROCSTAMP: b4a88dff

    WATSON_BKT_PROCVER: 10.0.17134.677

    PROCESS_VER_PRODUCT: Microsoft® Windows® Operating System

    WATSON_BKT_MODULE: unknown

    WATSON_BKT_MODVER: 0.0.0.0

    WATSON_BKT_MODOFFSET: a99030a0

    BUILD_VERSION_STRING: 10.0.17134.753 (WinBuild.160101.0800)

    MODLIST_WITH_TSCHKSUM_HASH: c942d13804215539838e394c7bc8a3e9c382943e

    MODLIST_SHA1_HASH: 43088930a88aa5969f0f88ae7c3ade208c31e6cc

    NTGLOBALFLAG: 0

    APPLICATION_VERIFIER_FLAGS: 0

    DUMP_FLAGS: 94

    DUMP_TYPE: 1

    APP: explorer.exe

    ANALYSIS_SESSION_HOST: INENTRIPAR5L1C

    ANALYSIS_SESSION_TIME: 07-15-2019 15:32:49.0799

    ANALYSIS_VERSION: 10.0.10586.567 amd64fre

    THREAD_ATTRIBUTES:
    OS_LOCALE: CHS

    PROBLEM_CLASSES:

    BAD_INSTRUCTION_PTR
    Tid [0x21e0]
    Frame [0x00]: wpdshext!unloaded

    SOFTWARE_NX_FAULT
    Tid [0x21e0]
    Frame [0x00]: wpdshext!unloaded

    BUGCHECK_STR: BAD_INSTRUCTION_PTR_SOFTWARE_NX_FAULT

    LAST_CONTROL_TRANSFER: from 00007ffad5283355 to 00007ffaa99030a0

    STACK_TEXT:
    000000001e55e638 00007ffad5283355 : 0000000000000000 0000000009430950 000000001e55e6d0 00007ffad57687f8 : <Unloaded_wpdshext.dll>+0x1130a0
    000000001e55e640 00007ffad564bf03 : 0000000000000000 000000001e55e720 0000000000000000 00007ffad4e17a1c : windows_storage!SHCreateFileOperation+0x61
    000000001e55e6a0 00007ffad564bd55 : 00000000094cd910 00000000094cd910 000000001e55ef60 00000000000910aa : windows_storage!RenameWithOperationsEngine+0xaf
    000000001e55e760 00007ffad55a5953 : 0000000000000000 000000001e55e940 000000001e55e940 0000000080070057 : windows_storage!RenameItemHelper+0x2ad
    000000001e55e840 00007ffad7006123 : 0000000004b61450 0000000006e447b0 00000000092f56b0 00000000092f5770 : windows_storage!CFSFolder::SetNameOf+0x3c3
    000000001e55f1c0 00007ffad6ffbb94 : 0000000009253320 00007ffaad68ebb0 000000000929a1e8 00007ffad82e4abf : shell32!CDefView::_ExecuteRename+0x1bb
    000000001e55f270 00007ffaad7e339c : 0000000000003045 000000000000000d 000000000000000d 0000000009430a98 : shell32!CDefView::OnEndLabelEdit+0xb4
    000000001e55f300 00007ffaad7e2e0d : 0000000000000000 0000000004b61450 0000000000000000 000000001e55f968 : explorerframe!CInplaceRename::_EndEdit+0x32c
    000000001e55f3c0 00007ffaad7e476f : 00000000001c0001 00000000002f106c 0000000000000100 00007ffad5e87649 : explorerframe!CInplaceRename::_EditSubclassProc+0x145
    000000001e55f410 00007ffac614d9c7 : 000000001e55f760 00000000001c0001 0000000000000000 0000000000000001 : explorerframe!CInplaceRename::s_EditSubclassProc+0x4f
    000000001e55f460 00007ffac614d737 : 00000000001c0001 00000000002f106c 00000000001c0001 0000000000000001 : comctl32!CallNextSubclassProc+0x117
    000000001e55f540 00007ffad6ef2ed2 : 00000000001c0001 00000000002f106c 0000000000000100 000000000f719da0 : comctl32!DefSubclassProc+0x77
    000000001e55f590 00007ffad70b29ca : 00000000060637e0 00000000001c0001 00000000002f106c 0000000000000000 : shell32!DefSubclassProc+0x46
    000000001e55f5d0 00007ffac614d9c7 : 0000000003c10288 00000000001c0001 0000000000000001 0000000000000000 : shell32!CInputLimiter::SubclassProc+0xca
    000000001e55f630 00007ffac614d802 : 0000000000000000 00000000002f106c 000000000000000d 0000000000000058 : comctl32!CallNextSubclassProc+0x117
    000000001e55f710 00007ffad82d6d41 : 000000008000a811 00007ffa9df4c940 00007ffad871a850 00000000002f106c : comctl32!MasterSubclassProc+0xa2
    000000001e55f7b0 00007ffad82d6713 : 0000000006cc64e0 00007ffac614d760 00000000002f106c 00007ffa00000100 : user32!UserCallWinProcCheckWow+0x2c1
    000000001e55f940 00007ffad6f94d20 : 000000001e55fb20 00007ffa00000000 00000000000910aa 00007ffad82d344a : user32!DispatchMessageWorker+0x1c3
    000000001e55f9d0 00007ffaad7a4feb : 00000000091a1740 00000000091a1740 00000298f148d814 00007ffad6138ea2 : shell32!CDefView::TranslateAcceleratorW+0xa9830
    000000001e55fa00 00007ffaad7a4e61 : 0000000080004005 000000000033093a 0000000000000001 000000001e55fb20 : explorerframe!CShellBrowser::_MayTranslateAcceleratorNoMenuband+0xf3
    000000001e55fa30 00007ffaad7602ad : 00000000092566f0 00007ffad8343070 0000000000000001 000000001e55fb20 : explorerframe!CShellBrowser::_MayTranslateAccelerator+0xdd
    000000001e55fa60 00007ffaad7727c3 : 00000000092566f0 000000001e55fb20 0000000000000000 0000000001b64790 : explorerframe!CBrowserHost::TranslateAcceleratorIO+0x1d
    000000001e55fa90 00007ffaad76cca3 : 000000001e55fb20 00000000092566e0 0000000000000001 000000001e55fd80 : explorerframe!CInputObjectContainer::TranslateAcceleratorIO+0x63
    000000001e55fac0 00007ffaad722776 : 00000000ffffffff 00000000092566e0 00000000ffffffff 0000000000000002 : explorerframe!CExplorerFrame::TranslateAcceleratorIO+0x33
    000000001e55faf0 00007ffaad68d02e : 00000000092566e0 000000001e55fcb9 0000000000000039 0000000000000000 : explorerframe!CExplorerFrame::FrameMessagePump+0xa2ac6
    000000001e55fb80 00007ffaad68d26e : 00000000092566e0 000000000942a940 0000000009497170 0000000000000000 : explorerframe!BrowserThreadProc+0x76
    000000001e55fbd0 00007ffaad68d1b2 : 1a9365dc00000001 00000000061ce030 000000001e55fd28 00007ffad5bb0fa5 : explorerframe!BrowserNewThreadProc+0x3a
    000000001e55fc00 00007ffaad6e3d05 : 0000000000000000 0000000000000001 000000000000ea60 00007ffad532d0f9 : explorerframe!CExplorerTask::InternalResumeRT+0x12
    000000001e55fc30 00007ffad532e1b4 : 0000000000000ca8 00000000000021e0 00000000000000ff 0000000000000009 : explorerframe!CRunnableTask::Run+0x8b5
    000000001e55fd20 00007ffad532ce63 : fffffffffffffffe 0000000000000000 fffffffffffffffe 000000001e55fea9 : windows_storage!CShellTask::TT_Run+0x4c
    000000001e55fd50 00007ffad532cb6f : 000000000605ad20 000000000605ad20 000000001e55fea9 0000000000000000 : windows_storage!CShellTaskThread::ThreadProc+0xcb
    000000001e55fe00 00007ffad6503fb5 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : windows_storage!CShellTaskThread::s_ThreadProc+0x2f
    000000001e55fe30 00007ffad61a4034 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : SHCore!_WrapperThreadProc+0xf5
    000000001e55ff10 00007ffad86f3691 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : kernel32!BaseThreadInitThunk+0x14
    000000001e55ff40 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21

    THREAD_SHA1_HASH_MOD_FUNC: cf8443bd73c9bd3014499df69e34cdbcfad0da92

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 91e261c7fc74cbeab836f00f83e03bc59e122fca

    THREAD_SHA1_HASH_MOD: 8e24cff2d454c1834861dc555d37c759992b97bb

    FAULT_INSTR_CODE: c085d88b

    SYMBOL_STACK_INDEX: 1

    SYMBOL_NAME: windows_storage!SHCreateFileOperation+61

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: windows_storage

    IMAGE_NAME: windows.storage.dll

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA

Categories