
Need assistance analyzing an Explorer Application Error Minidump


BL

Jun 3, 2008, 7:21:52 AM
Hello,

I am using Windows XP Professional SP3, and for the past few weeks
explorer.exe has been crashing when I attempt to shut down the system.
Instead of displaying the shutdown dialog with the usual options,
there is a momentary stall and explorer.exe crashes with an
Application Error.

I have since checked the RAM with Memtest and reformatted the system,
but the issue persists. Perhaps one of you will be able to help me in
analyzing the minidump. The last three digits in the faulting address
(530) are consistent across all the dumps, and the named faulting
module, msgina.dll, is also consistent, which leads me to believe that
this is not the result of faulty hardware.

Exception Analysis Output:
---------------------------------------------------------------------------------------
0:001> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*************************************************************************
***                                                                   ***
***   Your debugger is not using the correct symbols                  ***
***                                                                   ***
***   In order for this command to work properly, your symbol path    ***
***   must point to .pdb files that have full type information.       ***
***                                                                   ***
***   Certain .pdb files (such as the public OS symbols) do not       ***
***   contain the required information. Contact the group that        ***
***   provided you with these symbols if you need this command to     ***
***   work.                                                           ***
***                                                                   ***
***   Type referenced: kernel32!pNlsUserInfo                          ***
***                                                                   ***
*************************************************************************

FAULTING_IP:
+4d2c530
04d2c530 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 04d2c530
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 04d2c530
Attempt to read from address 04d2c530

DEFAULT_BUCKET_ID: NULL_INSTRUCTION_PTR

PROCESS_NAME: explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 04d2c530

FAILED_INSTRUCTION_ADDRESS:
+4d2c530
04d2c530 ?? ???

IP_ON_HEAP: 04d2c530

FAULTING_THREAD: 00000780

PRIMARY_PROBLEM_CLASS: NULL_INSTRUCTION_PTR

BUGCHECK_STR: APPLICATION_FAULT_NULL_INSTRUCTION_PTR

LAST_CONTROL_TRANSFER: from 7599840c to 04d2c530

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0150fa74 7599840c 00000000 01aee468 0150fad0 0x4d2c530
0150fa90 75993a2f 00000002 010464f8 00000000 msgina!CDimmedWindow::Create+0x12
0150faa4 7ca78a05 0150fac0 0150fad0 010460f8 msgina!_ShellDimScreen+0x67
0150fcd8 7ca78cca 0001009c 00000002 0150fcfc shell32!CloseWindowsDialog+0x51
0150fce8 010341ff 0001009c 000001fa 010460f8 shell32!ExitWindowsDialog+0x2a
0150fcfc 01026668 0001009c 00000000 00000111 explorer!CTray::_DoExitWindows+0x86
0150fd30 0101c43e 000001fa 00000111 010460f8 explorer!CTray::_Command+0x2da
0150fde8 01001b5c 0003004e 00000111 000001fa explorer!CTray::v_WndProc+0x981
0150fe0c 7e418734 0003004e 00000111 000001fa explorer!CImpWndProc::s_WndProc+0x65
0150fe38 7e418816 01001b1d 0003004e 00000111 user32!InternalCallWinProc+0x28
0150fea0 7e4189cd 000a04d8 01001b1d 0003004e user32!UserCallWinProcCheckWow+0x150
0150ff00 7e418a10 0150ff28 00000000 0150ff44 user32!DispatchMessageWorker+0x306
0150ff10 01001a35 0150ff28 00000000 010460f8 user32!DispatchMessageW+0xf
0150ff44 0100ffd1 00000000 0150ffb4 77f76f42 explorer!CTray::_MessageLoop+0xd9
0150ff50 77f76f42 010460f8 0000005c 00000000 explorer!CTray::MainThreadProc+0x29
0150ffb4 7c80b713 00000000 0000005c 00000000 shlwapi!WrapperThreadProc+0x94
0150ffec 00000000 77f76ed3 0007fdbc 00000000 kernel32!BaseThreadStart+0x37


STACK_COMMAND: ~1s; .ecxr ; kb

FOLLOWUP_IP:
msgina!CDimmedWindow::Create+12
7599840c 8b3d78169775    mov     edi,dword ptr [msgina!_imp__GetSystemMetrics (75971678)]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: msgina!CDimmedWindow::Create+12

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: msgina

IMAGE_NAME: msgina.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4802a149

FAILURE_BUCKET_ID: NULL_INSTRUCTION_PTR_c0000005_msgina.dll!CDimmedWindow::Create

BUCKET_ID: APPLICATION_FAULT_NULL_INSTRUCTION_PTR_BAD_IP_msgina!CDimmedWindow::Create+12

Followup: MachineOwner
----------------------------------------------------------------

I would be very grateful for any assistance you may be able to
provide. Thank you.

Ivan Brugiolo [MSFT]

Jun 4, 2008, 8:44:37 AM
Assuming the information reported by !analyze is to be trusted,
and without having inspected the dump, there are a few possibilities.
My first take:
- you have some kind of hook installed that replaced the
  import of `GetSystemMetrics` in msgina.dll
- the hook has trampoline code in the heap, the heap is marked
  as non-executable (because you have an NX-capable CPU) and
  the Execution Protection feature in the OS prevents execution of arbitrary
  code

The fact that msgina.dll has been hooked is quite worrisome.
Normally msgina is hosted in WinLogon.exe, and that means
that you might have a virus or a password monitor/stealing system.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


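One way to turn the hypothesis in the reply above into a check, as an added example that is not code from anyone in this thread: take the module list in WinDbg `lm` layout (start, end, name), read the address each IAT slot of msgina.dll resolves to (for the one named in the dump, `dps msgina!_imp__GetSystemMetrics L1`), and classify every entry as clean, redirected into a module other than the one that should export it, pointing back into the importing module, or pointing outside every loaded image. The last verdict is the pattern the reply describes: a trampoline in heap or private memory, which DEP will refuse to execute, and which `!address 04d2c530` would report as non-image memory. The module ranges and all IAT values other than 04d2c530 are constructed for the example; the LAST_CONTROL_TRANSFER line is the one from the posted output, and the script maps its two addresses onto modules the same way the debugger did when it warned that the frame IP is in no known module.

```python
"""IAT-hook triage over a WinDbg module list and an IAT snapshot.

Added example for the thread above; not code from the original posts.
All embedded data is constructed except where a comment says otherwise.
"""
import re
from dataclasses import dataclass

# Module map in WinDbg `lm` layout (start end name). The bases are typical
# XP SP3 values chosen so that the return addresses in the posted stack
# land inside them; they are constructed, not read from the poster's dump.
MODULE_LIST = """\
01000000 010ff000   explorer
75970000 759a4000   msgina
77f40000 77fb6000   shlwapi
7c800000 7c8f6000   kernel32
7c9c0000 7d1d7000   shell32
7e410000 7e4a1000   user32
"""

# Constructed IAT snapshot for msgina.dll: (import name, module that should
# export it, address found in the IAT slot). Only the GetSystemMetrics
# value, 04d2c530, is taken from the posted !analyze output.
IAT_SNAPSHOT = [
    ("GetSystemMetrics", "user32", 0x04D2C530),   # the faulting address
    ("GetDC", "user32", 0x7E418FC4),
    ("LoadLibraryW", "kernel32", 0x7C80AEEB),
    ("SetWindowsHookExW", "user32", 0x75991234),  # resolves into msgina itself
]

# This line is copied from the posted analysis.
CONTROL_TRANSFER = "LAST_CONTROL_TRANSFER: from 7599840c to 04d2c530"


@dataclass(frozen=True)
class Module:
    name: str
    start: int
    end: int  # exclusive

    def contains(self, addr):
        return self.start <= addr < self.end


def parse_lm(text):
    """Parse `lm` lines of the form '<start> <end> <name>' into Module objects."""
    mods = []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)", line)
        if m:
            mods.append(Module(m.group(3).lower(), int(m.group(1), 16), int(m.group(2), 16)))
    return mods


def find_module(mods, addr):
    """Return the Module whose range contains addr, or None if no image maps it."""
    return next((m for m in mods if m.contains(addr)), None)


def classify_import(mods, owner, expected, addr):
    """Verdict for one IAT slot of module `owner` that should resolve into `expected`."""
    mod = find_module(mods, addr)
    if mod is None:
        # No loaded image covers the address: a heap or private-memory
        # trampoline, which NX/DEP will refuse to execute.
        return "HOOKED: target outside every loaded image"
    if mod.name == owner:
        return "SUSPICIOUS: import resolves back into the importing module"
    if mod.name != expected:
        return "REDIRECTED: expected %s, resolves into %s" % (expected, mod.name)
    return "ok"


def triage_iat(mods, owner, snapshot):
    """Run classify_import over every (name, expected, addr) tuple of a snapshot."""
    return {name: classify_import(mods, owner, expected, addr)
            for name, expected, addr in snapshot}


def triage_control_transfer(mods, line):
    """Map the two addresses of a LAST_CONTROL_TRANSFER line onto modules."""
    m = re.search(r"from\s+([0-9a-fA-F]+)\s+to\s+([0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("not a LAST_CONTROL_TRANSFER line: %r" % line)
    src = find_module(mods, int(m.group(1), 16))
    dst = find_module(mods, int(m.group(2), 16))
    return {
        "from": src.name if src else None,
        "to": dst.name if dst else None,
        "jumped_outside_images": dst is None,
    }


if __name__ == "__main__":
    mods = parse_lm(MODULE_LIST)
    for name, verdict in triage_iat(mods, "msgina", IAT_SNAPSHOT).items():
        print("%-20s %s" % (name, verdict))
    print(triage_control_transfer(mods, CONTROL_TRANSFER))
```

Run against a real dump, the module list comes from `lm` and the snapshot from `dps` over the IAT; a "REDIRECTED" verdict is how an in-image hooking DLL shows up, while "HOOKED" is the unmapped-trampoline case the reply attributes to this crash. The call site in the control-transfer line (7599840c, inside msgina) paired with a target no image covers is exactly what produced the NULL_INSTRUCTION_PTR/IP_ON_HEAP bucket.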

BL

Jun 4, 2008, 9:09:11 PM
On Jun 4, 5:44 am, "Ivan Brugiolo [MSFT]" <ivanb...@online.microsoft.com> wrote:
> Assuming the information reported by !analyze is to be trusted,
> and without having inspected the dump, there are a few possibilities.
> My first take:
> - you have some kind of hook installed that replaced the
>   import of `GetSystemMetrics` in msgina.dll
> - the hook has trampoline code in the heap, the heap is marked
>   as non-executable (because you have an NX-capable CPU) and
>   the Execution Protection feature in the OS prevents execution of arbitrary
>   code
>
> The fact that msgina.dll has been hooked is quite worrisome.
> Normally msgina is hosted in WinLogon.exe, and that means
> that you might have a virus or a password monitor/stealing system.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of any included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm

I have dumps that I can attach, would that help in your analysis?

BL

Jun 4, 2008, 9:11:51 PM

BL

Jun 7, 2008, 12:42:14 AM