Wednesday, May 23, 2012

Windows 7 Explorer Crash

Finally, got the annoying "Windows Explorer stopped working" problem resolved!

Prior to that, I saw the following message box appearing from time to time:



Checking the Event Viewer didn't shed much light on it:
Log Name:      Application
Source:        Application Error
Date:          4/8/2012 9:32:57 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      PC
Description:
Faulting application name: explorer.exe, version: 6.1.7601.17514, time stamp: 0x4ce796f3
Faulting module name: unknown, Version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0413fc5c
Faulting process id: 0x1324
Faulting application start time: 0x01cd38a8fc8fbf3a
Faulting application path: C:\Windows\explorer.exe
Faulting module path: unknown
Event Xml:
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-05-23T06:00:09.000000000Z" />
    <EventRecordID>2169</EventRecordID>
    <Channel>Application</Channel>
    <Computer>PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>explorer.exe</Data>
    <Data>6.1.7601.17514</Data>
    <Data>4ce796f3</Data>
    <Data>unknown</Data>
    <Data>0.0.0.0</Data>
    <Data>00000000</Data>
    <Data>c0000005</Data>
    <Data>0413fc5c</Data>
    <Data>1324</Data>
    <Data>01cd38a8fc8fbf3a</Data>
    <Data>C:\Windows\explorer.exe</Data>
    <Data>unknown</Data>
  </EventData>
</Event>

So I decided to enable "Windows Error Reporting" to generate a dump file during the next crash.
This was done by setting the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\Explorer.exe]
"DumpFolder"=hex(2):43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,00,00
"DumpType"=dword:00000002
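
To read the two values above without importing them, here is a small decoder for this .reg fragment. It is an added example, not part of the original post; the function names are made up for illustration.

```python
import re

# The .reg fragment from the post, reproduced as sample input.
REG_FRAGMENT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\Explorer.exe]
"DumpFolder"=hex(2):43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,00,00
"DumpType"=dword:00000002
'''

# Documented meanings of the WER LocalDumps "DumpType" value.
DUMP_TYPES = {0: "custom dump", 1: "mini dump", 2: "full dump"}

def parse_reg(text):
    """Return (key_path, {value_name: decoded_value}) for a one-key .reg fragment."""
    key, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=(.+)$', line)
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith("hex(2):"):
            # REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string
            data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(","))
            values[name] = data.decode("utf-16-le").rstrip("\x00")
        elif raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        else:
            values[name] = raw.strip('"')
    return key, values

def summarize(text):
    """One-line description of what the LocalDumps key will make WER do."""
    key, values = parse_reg(text)
    app = key.rsplit("\\", 1)[-1]
    kind = DUMP_TYPES.get(values.get("DumpType"), "unknown")
    return f"{app}: {kind} written to {values.get('DumpFolder')}"

if __name__ == "__main__":
    print(summarize(REG_FRAGMENT))
```

A full dump holds the complete user-mode memory of the crashed process, so the dump folder should be a directory with restricted permissions, and the key can be removed once the crash has been captured.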

Using "WinDbg" from the "Debugging Tools for Windows", I started analysing the dump file:
0:011> !analyze -v
*****************************************************
*                                                   *
*                 Exception Analysis                *
*                                                   *
*****************************************************

FAULTING_IP:
+21
0413fc5c 0cfe            or      al,0FEh

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0413fc5c
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 0413fc5c
Attempt to execute non-executable address 0413fc5c

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT
PROCESS_NAME:  explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.
EXCEPTION_PARAMETER1:  00000008
EXCEPTION_PARAMETER2:  0413fc5c
WRITE_ADDRESS:  0413fc5c
FOLLOWUP_IP:
ole32!COIDTable::ThreadCleanup+0
76c89103 8bff            mov     edi,edi

FAILED_INSTRUCTION_ADDRESS:
+677f2faf03c8dbec
0413fc5c 0cfe            or      al,0FEh

MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
LAST_CONTROL_TRANSFER:  from 76c55d3f to 0413fc5c
ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
FAULTING_THREAD:  ffffffff
PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT
BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT
IP_ON_STACK:
+677f2faf03c8dbec
0413fc5c 0cfe            or      al,0FEh

STACK_TEXT: 
0413fc4c 0413fc5c unknown!unknown+0x0
0413fc64 76c55d3f ole32!COIDTable::ThreadCleanup+0xcb
0413fe14 76c88f82 ole32!FinishShutdown+0x9d
0413fe58 76c88ec3 ole32!ApartmentUninitialize+0x96
0413fe78 76c7bac3 ole32!wCoUninitialize+0x153
0413fe90 76c888e8 ole32!CoUninitialize+0x72
0413feac 73b3314a networkitemfactory!FDBackgroundThreadHandler+0x21
0413feb4 771f43c0 shlwapi!WrapperThreadProc+0x1b5
0413ff3c 7702ed6c kernel32!BaseThreadInitThunk+0xe
0413ff48 773e377b ntdll!__RtlUserThreadStart+0x70
0413ff88 773e374e ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0413F968 ; kb ; dds 413fc4c ; kb
SYMBOL_NAME:  ole32!COIDTable::ThreadCleanup+0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: ole32
IMAGE_NAME:  ole32.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7b96f
FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_c0000005_ole32.dll!COIDTable::ThreadCleanup
BUCKET_ID:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_BAD_IP_ole32!COIDTable::ThreadCleanup+0
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/explorer_exe/6_1_7601_17514/4ce796f3/unknown/0_0_0_0/bbbbbbb4/c0000005/0413fc5c.htm?Retriage=1
Followup: MachineOwner
---------
"Networkitemfactory"? Sounds strange...
A quick search on the web led me directly to the Microsoft Knowledge Base Article ID: 2494427



Installed the hotfix, and the problem was solved!
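
The WinDbg output above can be triaged mechanically. The script below is an added example, not part of the original post: it reads the exception record and STACK_TEXT lines copied from the dump analysis and reports why WinDbg bucketed the crash as SOFTWARE_NX_FAULT. The function names are illustrative, and the stack-range check is a heuristic based only on the frame addresses listed.

```python
import re

# Lines copied from the !analyze -v output shown in the post.
ANALYZE_OUTPUT = """\
ExceptionAddress: 0413fc5c
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 00000008
   Parameter[1]: 0413fc5c
STACK_TEXT:
0413fc4c 0413fc5c unknown!unknown+0x0
0413fc64 76c55d3f ole32!COIDTable::ThreadCleanup+0xcb
0413fe14 76c88f82 ole32!FinishShutdown+0x9d
0413fe58 76c88ec3 ole32!ApartmentUninitialize+0x96
0413fe78 76c7bac3 ole32!wCoUninitialize+0x153
0413fe90 76c888e8 ole32!CoUninitialize+0x72
0413feac 73b3314a networkitemfactory!FDBackgroundThreadHandler+0x21
0413feb4 771f43c0 shlwapi!WrapperThreadProc+0x1b5
0413ff3c 7702ed6c kernel32!BaseThreadInitThunk+0xe
0413ff48 773e377b ntdll!__RtlUserThreadStart+0x70
0413ff88 773e374e ntdll!_RtlUserThreadStart+0x1b
"""

# For access violations, Parameter[0] is the access type and Parameter[1] the address.
ACCESS = {0: "read", 1: "write", 8: "execute (DEP/NX)"}
FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)$", re.M)

def field(text, label):
    """Return the hex value that follows 'label:' as an int."""
    m = re.search(rf"{re.escape(label)}:\s*([0-9a-f]+)", text)
    return int(m.group(1), 16)

def triage(text):
    frames = [(int(sp, 16), int(ret, 16), sym) for sp, ret, sym in FRAME.findall(text)]
    ip = field(text, "ExceptionAddress")
    # Heuristic: the frame addresses bound the part of the stack the debugger walked.
    lo, hi = min(f[0] for f in frames), max(f[0] for f in frames)
    named = [sym for _, _, sym in frames if not sym.startswith("unknown!")]
    return {
        "code": field(text, "ExceptionCode"),
        "access": ACCESS.get(field(text, "Parameter[0]"), "unknown"),
        "ip_is_fault_target": ip == field(text, "Parameter[1]"),
        "ip_inside_stack_frames": lo <= ip <= hi,
        "first_named_frame": named[0] if named else None,
    }

if __name__ == "__main__":
    for k, v in triage(ANALYZE_OUTPUT).items():
        print(f"{k}: {v}")
```

An execute fault whose instruction pointer lies inside the thread's own stack is the pattern DEP exists to stop, and the first named frame shows the control transfer happening during COM apartment teardown on a networkitemfactory background thread.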