Windows process 'explorer.exe' random crash

Gova_Gimer Member - All Emails Posts: 43

Hello,

In my disk file system driver I have a random problem: no BSOD, but explorer.exe randomly crashes (exception).

Explorer.exe exits and restarts when I handle my file hosted in my virtual disk file system, because there is an exception.

How do I solve it?

Thanks.

Faulting application name: explorer.exe, version: 10.0.10240.17319, time stamp: 0x58ba458b
Faulting module name: ntdll.dll, version: 10.0.10240.17184, time stamp: 0x580ee916
Exception code: 0xc0000005
Fault offset: 0x000000000007007a
Faulting process id: 0x12b8
Faulting application start time: 0x01d5af931a491317
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 364058fe-0903-410e-8c64-f0a05fd60879
Faulting package full name:
Faulting package-relative application ID:

Faulting application name: explorer.exe, version: 10.0.10240.17319, time stamp: 0x58ba458b
Faulting module name: ntmarta.dll, version: 10.0.10240.16384, time stamp: 0x559f3990
Exception code: 0xc0000005
Fault offset: 0x0000000000005c70
Faulting process id: 0x1c14
Faulting application start time: 0x01d5af93285c501a
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\SYSTEM32\ntmarta.dll
Report Id: d2ace8b7-c103-4f3b-b9c3-1f7219e163d0
Faulting package full name:
Faulting package-relative application ID:

Faulting application name: explorer.exe, version: 10.0.10240.17319, time stamp: 0x58ba458b
Faulting module name: ntdll.dll, version: 10.0.10240.17184, time stamp: 0x580ee916
Exception code: 0xc0000005
Fault offset: 0x000000000007007a
Faulting process id: 0x184
Faulting application start time: 0x01d5af934a61d078
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: caec26e5-9d0f-42a1-a61a-45ca727b8cae
Faulting package full name:
Faulting package-relative application ID:

Comments

  • rod_widdowson Member - All Emails Posts: 1,090

    I’d grab a Procrun trace and see what explorer had asked for just before the crash.

    But I would probably have run ifstest over my file system first and fixed the egregious bugs.

  • Gova_Gimer Member - All Emails Posts: 43
    edited December 2019

    Sorry, but I can't find the link to download the 'ifstest' utility.
    I can't find procrun.

  • rod_widdowson Member - All Emails Posts: 1,090

    Sorry, procrun is something else. I meant procmon. IFSTEST is currently part of the WLKs or the HCKs or whatever they are called this week.

    https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/14b230f3-7eee-437e-ab2f-375b200de6f3

  • Gova_Gimer Member - All Emails Posts: 43
    edited December 2019

    I have tested procmon and it works well, but now I had a BSOD with the old version.
    I updated to the latest version, so now I don't know.

    Microsoft (R) Windows Debugger Version 10.0.15063.468 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

    Symbol search path is: srv*
    Executable search path is:
    Windows 10 Kernel Version 10240 MP (2 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 10240.17443.amd64fre.th1.170602-2340
    Machine Name:
    Kernel base = 0xfffff800f9c18000 PsLoadedModuleList = 0xfffff800f9f3c070
    Debug session time: Wed Dec 11 18:01:48.806 2019 (UTC + 1:00)
    System Uptime: 0 days 7:56:13.148
    Loading Kernel Symbols
    ...............................................................
    .....Page 1b44a not present in the dump file. Type ".hh dbgerr004" for details
    .......Page 1016fe not present in the dump file. Type ".hh dbgerr004" for details
    ...............................................Page 14044b not present in the dump file. Type ".hh dbgerr004" for details
    .Page 15bc56 not present in the dump file. Type ".hh dbgerr004" for details
    ....
    ..Page c1dad not present in the dump file. Type ".hh dbgerr004" for details
    ..............................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 00007ff6`53b98018). Type ".hh dbgerr001" for details

    Use !analyze -v to get detailed debugging information.

    BugCheck CC, {ffffcf8034142d77, 0, fffff800f9cf0cd9, 0}

    *** ERROR: Module load completed but symbols could not be loaded for FSpy.sys
    Probably caused by : fileinfo.sys ( fileinfo!FIPostCreateCallback+153 )

    Followup: MachineOwner

    1: kd> !analyze -v

    PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
    Memory was referenced after it was freed.
    This cannot be protected by try-except.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: ffffcf8034142d77, memory referenced
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg3: fffff800f9cf0cd9, if non-zero, the address which referenced memory.
    Arg4: 0000000000000000, Mm internal code.

    Debugging Details:

    DUMP_CLASS: 1

    DUMP_QUALIFIER: 401

    BUILD_VERSION_STRING: 10240.17443.amd64fre.th1.170602-2340

    SYSTEM_MANUFACTURER: innotek GmbH

    VIRTUAL_MACHINE: VirtualBox

    SYSTEM_PRODUCT_NAME: VirtualBox

    SYSTEM_VERSION: 1.2

    BIOS_VENDOR: innotek GmbH

    BIOS_VERSION: VirtualBox

    BIOS_DATE: 12/01/2006

    BASEBOARD_MANUFACTURER: Oracle Corporation

    BASEBOARD_PRODUCT: VirtualBox

    BASEBOARD_VERSION: 1.2

    DUMP_TYPE: 1

    BUGCHECK_P1: ffffcf8034142d77

    BUGCHECK_P2: 0

    BUGCHECK_P3: fffff800f9cf0cd9

    BUGCHECK_P4: 0

    READ_ADDRESS: ffffcf8034142d77 Special pool

    FAULTING_IP:
    nt!FsRtlLookupReservedPerStreamContext+9
    fffff800`f9cf0cd9 0fb64107 movzx eax,byte ptr [rcx+7]

    MM_INTERNAL_CODE: 0

    CPU_COUNT: 2

    CPU_MHZ: fa0

    CPU_VENDOR: AuthenticAMD

    CPU_FAMILY: 15

    CPU_MODEL: 2

    CPU_STEPPING: 0

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    BUGCHECK_STR: 0xCC

    PROCESS_NAME: explorer.exe

    CURRENT_IRQL: 2

    ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N

    ANALYSIS_SESSION_TIME: 12-11-2019 18:54:06.0651

    ANALYSIS_VERSION: 10.0.15063.468 amd64fre

    TRAP_FRAME: ffffd00133469ba0 -- (.trap 0xffffd00133469ba0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=fffff800f9f20448 rbx=0000000000000000 rcx=ffffcf8034142d70
    rdx=ffffe0011dbd6280 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800f9cf0cd9 rsp=ffffd00133469d30 rbp=ffffd00133469e88
    r8=0000000000000000 r9=ffffd00133469e10 r10=fffff80031900000
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei ng nz na pe nc
    nt!FsRtlLookupReservedPerStreamContext+0x9:
    fffff800f9cf0cd9 0fb64107 movzx eax,byte ptr [rcx+7] ds:ffffcf8034142d77=??
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff800f9daf714 to fffff800f9d675f0

    STACK_TEXT:
    ffffd00133469958 fffff800f9daf714 : 0000000000000050 ffffcf8034142d77 0000000000000000 ffffd00133469ba0 : nt!KeBugCheckEx
    ffffd00133469960 fffff800f9c4ceb6 : 0000000000000000 0000000000000000 ffffd00133469ba0 fffff6fc001910d8 : nt! ?? ::FNODOBFM::string'+0x39514
    ffffd00133469a50 fffff800f9d706bd : ffffe0011e510080 0000000000000010 fffff8003221bb60 fffff800f9f59cf0 : nt!MmAccessFault+0x696
    ffffd00133469ba0 fffff800f9cf0cd9 : ffffcf8034180dc0 fffff80000000000 ffffe00100000000 00001f80010864e9 : nt!KiPageFault+0x13d
    ffffd00133469d30 fffff8003190701d : ffffd00133469f08 0000000000000000 0000000000000000 fffff80031900000 : nt!FsRtlLookupReservedPerStreamContext+0x9
    ffffd00133469d60 fffff80031906f51 : ffffe0011dbd6280 0000000000000000 0000000000000000 0000000000000000 : FLTMGR!FltpGetStreamListCtrl+0x4d
    ffffd00133469dd0 fffff8003221bcb3 : 0000000000000000 0000000000000000 ffffe0011dd65d40 0000000000000000 : FLTMGR!FltGetStreamContext+0x21
    ffffd00133469e10 fffff80031903652 : 0000000000000000 fffff80031a4c0ed ffffe0011dd65d40 ffffd00133469fd0 : fileinfo!FIPostCreateCallback+0x153
    ffffd00133469ec0 fffff80031903086 : ffffe0011f30c300 ffffe0011f30c400 ffffcf8034180dc0 0000000000000000 : FLTMGR!FltpPerformPostCallbacks+0x2b2
    ffffd00133469f90 fffff8003190525a : ffffe0011f30c408 ffffe0011f30c3f0 ffffcf8034180dc0 ffffcf8034180f20 : FLTMGR!FltpPassThroughCompletionWorker+0x76
    ffffd00133469fd0 fffff8003193383a : ffffe0011dde48f0 fffff800fa352009 ffffe00100000103 ffffe001205f21c8 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x33a
    ffffd0013346a050 fffff800fa343044 : ffffcf8034180d00 ffffcf8034180dc0 ffffe00100000000 ffffe001205f2010 : FLTMGR!FltpCreate+0x34a
    ffffd0013346a100 fffff800f9c2ad42 : ffffe0011e59dd20 0000000000000000 0000000000000000 ffffe0011fe3f1b0 : nt!IovCallDriver+0x3d8
    ffffd0013346a160 fffff800344f10f5 : ffffe001a0000000 fffff80031904ec2 fffff80031924000 ffffd0013346a1d8 : nt!IofCallDriver+0x72
    ffffd0013346a1a0 fffff800344f1333 : ffffcf8034180dc0 ffffe0011e59dd20 0000000000000002 ffffe0011f5c4dc0 : FSpy+0x10f5
    ffffd0013346a210 fffff800fa343044 : ffffcf8034180dc0 0000000000000002 ffffd0013346a264 ffffe001205f2240 : FSpy+0x1333
    ffffd0013346a240 fffff800f9c2ad42 : ffffe0011ff29900 0000000000000000 ffffcf8034180dc0 ffffe0011f5c4dc0 : nt!IovCallDriver+0x3d8
    ffffd0013346a2a0 fffff800319051c4 : ffffd0013346a3a9 ffffcf8034180dc0 ffffe0011f191610 ffffe0011f191668 : nt!IofCallDriver+0x72
    ffffd0013346a2e0 fffff8003193383a : ffffe0011fe0cdf0 ffffe001202f3010 0000000000000001 fffff80000000000 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2a4
    ffffd0013346a360 fffff800fa343044 : ffffcf8034180d00 ffffcf8034180dc0 6d4e6f4900000005 0000000000000000 : FLTMGR!FltpCreate+0x34a
    ffffd0013346a410 fffff800f9c2ad42 : 0000000000000085 ffffd0013346a7c0 ffffe0011f191610 ffffe0011fed9790 : nt!IovCallDriver+0x3d8
    ffffd0013346a470 fffff800fa031245 : 0000000000000085 ffffd0013346a7c0 ffffe0011f191610 ffffe00100000000 : nt!IofCallDriver+0x72
    ffffd0013346a4b0 fffff800fa0365d0 : fffff800f9c18000 fffff800f9c18000 0000000000000000 fffff800fa02f860 : nt!IopParseDevice+0x19e5
    ffffd0013346a6c0 fffff800fa03440c : ffffe00120aa6b00 ffffd0013346a8b8 0000000000000040 ffffe00119576f20 : nt!ObpLookupObjectName+0x9f0
    ffffd0013346a830 fffff800fa099e5c : 0000000000000001 ffffe001202f3010 0000000006dfc570 0000000006dfc560 : nt!ObOpenObjectByName+0x1ec
    ffffd0013346a960 fffff800fa099a2c : 00000000184e3698 ffffe0011fde0300 0000000006dfc570 0000000006dfc560 : nt!IopCreateFile+0x38c
    ffffd0013346aa00 fffff800f9d71c63 : ffffe0011d1c0840 0000000006dfc088 ffffd0013346aaa8 0000000006dfc5d0 : nt!NtOpenFile+0x58
    ffffd0013346aa90 00007ffd114e3b5a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
    0000000006dfc518 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffd114e3b5a

    STACK_COMMAND: kb

    THREAD_SHA1_HASH_MOD_FUNC: 0279078ba70937b635d7d9340f54873408376cdb

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: f8e42bf6d000efcb4795bdc022f912f7d0c8427a

    THREAD_SHA1_HASH_MOD: 3ece0f0830f3e25e4e89407f7e0e049e2312afa9

    FOLLOWUP_IP:
    fileinfo!FIPostCreateCallback+153
    fffff800`3221bcb3 448be0 mov r12d,eax

    FAULT_INSTR_CODE: 85e08b44

    SYMBOL_STACK_INDEX: 7

    SYMBOL_NAME: fileinfo!FIPostCreateCallback+153

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: fileinfo

    IMAGE_NAME: fileinfo.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 559f38b1

    BUCKET_ID_FUNC_OFFSET: 153

    FAILURE_BUCKET_ID: 0xCC_VRF_R_INVALID_fileinfo!FIPostCreateCallback

    BUCKET_ID: 0xCC_VRF_R_INVALID_fileinfo!FIPostCreateCallback

    PRIMARY_PROBLEM_CLASS: 0xCC_VRF_R_INVALID_fileinfo!FIPostCreateCallback

    TARGET_TIME: 2019-12-11T17:01:48.000Z

    OSBUILD: 10240

    OSSERVICEPACK: 0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK: 272

    PRODUCT_TYPE: 1

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

    OS_LOCALE:

    USER_LCID: 0

    OSBUILD_TIMESTAMP: 2017-06-03 13:24:02

    BUILDDATESTAMP_STR: 170602-2340

    BUILDLAB_STR: th1

    BUILDOSVER_STR: 10.0.10240.17443.amd64fre.th1.170602-2340

    ANALYSIS_SESSION_ELAPSED_TIME: 918

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:0xcc_vrf_r_invalid_fileinfo!fipostcreatecallback

    FAILURE_ID_HASH: {f457b6e3-30f6-5237-081a-8fb50b58947b}

    Followup: MachineOwner
