karliwatson
Guest
Hi,
I'm having a problem where every second time I reboot, explorer.exe enters a crashloop rendering my PC unusable. The only way I can restart is via the PC reset button (restarting via Ctrl+Alt+Del starts a restart that never finishes).
I've tried several things that I've seen elsewhere, for example the extensive list here: Desktop and Taskbar crashing/refreshing when signed into Microsoft account, but so far nothing has worked. The solution on that page (to delete the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BannerStore registry key) doesn't work as I get an error when I try to delete it (even after taking ownership of the key). However, I think my error may be different anyway. I've attached a WinDbg analysis of an explorer.exe .dmp file below - the error is thrown in ucrtbase, but appears to originate in windows_immersiveshell_serviceprovider (judging by the name of the thread - the stack doesn't seem to include this info).
I'm very much at the limit of my knowledge here and am unsure how to proceed. I have a hunch (from that thread name) that it could be a failing shell plugin, but I'm not sure how to identify which. Can anyone offer any help or advice?
Thanks,
Karli
------------------------------------ WinDbg analysis -----------------------------------
Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\karli\AppData\Local\CrashDumps\explorer.exe.2300.dmp]
User Mini Dump File with Full Memory: Only application data is available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Version 19042 MP (32 procs) Free x64
Product: WinNt, suite: SingleUserTS Personal
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Debug session time: Wed Nov 18 22:49:04.000 2020 (UTC + 0:00)
System Uptime: 0 days 0:01:03.796
Process Uptime: 0 days 0:00:01.000
................................................................
.................................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(8fc.3358): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT
For analysis of this file, run !analyze -v
ucrtbase!abort+0x4e:
00007ffa`4b0c287e cd29 int 29h
0:021> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 1686
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on KRONOS
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 61082
Key : Analysis.Memory.CommitPeak.Mb
Value: 260
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 63
Key : Timeline.Process.Start.DeltaSec
Value: 1
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
Key : WER.Process.Version
Value: 10.0.19041.610
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
CONTEXT: (.ecxr)
rax=0000000000000001 rbx=00000000069fdde0 rcx=0000000000000007
rdx=000000000000000f rsi=00000000069fd450 rdi=0000000000000000
rip=00007ffa4b0c287e rsp=00000000069fcb20 rbp=00000000069fcc80
r8=0000000000000001 r9=00000000069fcac8 r10=0000000000000012
r11=0088000002002080 r12=0000000000000001 r13=00007ffa3f326500
r14=00000000069fce30 r15=00000000069fcc70
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ucrtbase!abort+0x4e:
00007ffa`4b0c287e cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffa4b0c287e (ucrtbase!abort+0x000000000000004e)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000007
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT
PROCESS_NAME: explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000007
STACK_TEXT:
00000000`069fcb20 00007ffa`4b0c1faf : 00000000`00000003 00000000`00000003 00000000`069fd610 00000000`069fce30 : ucrtbase!abort+0x4e
00000000`069fcb50 00007ffa`4b08e5d6 : 00000000`069fdde0 00000000`069fcc80 00000000`069fd450 00000000`00000000 : ucrtbase!terminate+0x1f
00000000`069fcb80 00007ffa`4b08f254 : 00000000`00000000 00007ffa`4b4083cb 00000000`00000001 00000000`069fdde0 : ucrtbase!FindHandler<__FrameHandler4>+0x50a
00000000`069fcd50 00007ffa`4b08d0c0 : 00007ffa`3f2d0000 00000000`069fdde0 00000000`069fd610 00000000`069fd450 : ucrtbase!__InternalCxxFrameHandler<__FrameHandler4>+0x278
00000000`069fcdf0 00007ffa`10913f34 : 00000000`069ff530 00007ffa`10db1b68 00000000`069fdde0 00000000`069ff530 : ucrtbase!_CxxFrameHandler4+0xa0
00000000`069fce60 00007ffa`4d8d10ff : 00000000`00000000 00000000`069fd400 00000000`069fdde0 00000000`00000001 : twinui_pcshell!DllCanUnloadNow+0x42184
00000000`069fce90 00000000`00000000 : 00000000`069fd400 00000000`069fdde0 00000000`00000001 00000000`069fd450 : ntdll!RtlpExecuteHandlerForException+0xf
SYMBOL_NAME: ucrtbase!abort+4e
MODULE_NAME: ucrtbase
IMAGE_NAME: ucrtbase.dll
STACK_COMMAND: ~21s ; .ecxr ; kb
FAILURE_BUCKET_ID: FAIL_FAST_FATAL_APP_EXIT_c0000409_ucrtbase.dll!abort
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 10.0.19041.546
FAILURE_ID_HASH: {e31753ac-c98a-8055-3663-47e707543d20}
Followup: MachineOwner
---------
0:021> ~# kP 25
# Child-SP RetAddr Call Site
00 00000000`069fcb20 00007ffa`4b0c1faf ucrtbase!abort+0x4e
01 00000000`069fcb50 00007ffa`4b08e5d6 ucrtbase!terminate+0x1f
02 00000000`069fcb80 00007ffa`4b08f254 ucrtbase!FindHandler<__FrameHandler4>+0x50a
03 00000000`069fcd50 00007ffa`4b08d0c0 ucrtbase!__InternalCxxFrameHandler<__FrameHandler4>+0x278
04 00000000`069fcdf0 00007ffa`10913f34 ucrtbase!_CxxFrameHandler4+0xa0
05 00000000`069fce60 00007ffa`4d8d10ff twinui_pcshell!DllCanUnloadNow+0x42184
06 00000000`069fce90 00000000`00000000 ntdll!RtlpExecuteHandlerForException+0xf
0:021> dx Debugger.Sessions[0].Processes[2300].Threads[13144].Stack.Frames[6].SwitchTo();dv /t /v
Debugger.Sessions[0].Processes[2300].Threads[13144].Stack.Frames[6].SwitchTo()
Unable to enumerate locals, Win32 error 0n87
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.
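Added example, not part of the original post: a small triage script for the debugger output above. It reads the fast-fail subcode behind `c0000409` and reports the first stack frame outside the C runtime and exception dispatcher. The subcode values come from `winnt.h`; the `RUNTIME` module list and the `MAX_TRUSTED_OFFSET` threshold are assumptions made for this example.

```python
import re

STATUS_STACK_BUFFER_OVERRUN = 0xC0000409  # also the code raised by every __fastfail()

# Subset of FAST_FAIL_* subcodes from winnt.h -> (name, indicates memory corruption?)
FAST_FAIL = {
    0x0: ("FAST_FAIL_LEGACY_GS_VIOLATION", True),
    0x2: ("FAST_FAIL_STACK_COOKIE_CHECK_FAILURE", True),
    0x3: ("FAST_FAIL_CORRUPT_LIST_ENTRY", True),
    0x5: ("FAST_FAIL_INVALID_ARG", False),
    0x7: ("FAST_FAIL_FATAL_APP_EXIT", False),  # abort()/terminate()
    0xA: ("FAST_FAIL_GUARD_ICALL_CHECK_FAILURE", True),
}
# Assumption: modules that only report or dispatch the failure.
RUNTIME = {"ucrtbase", "ntdll", "kernelbase", "vcruntime140"}
# Assumption: an offset this large means the name is just the nearest export.
MAX_TRUSTED_OFFSET = 0x1000

# Lines copied from the .exr and kP output in the post above.
SAMPLE = """\
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
Parameter[0]: 0000000000000007
00 00000000`069fcb20 00007ffa`4b0c1faf ucrtbase!abort+0x4e
01 00000000`069fcb50 00007ffa`4b08e5d6 ucrtbase!terminate+0x1f
04 00000000`069fcdf0 00007ffa`10913f34 ucrtbase!_CxxFrameHandler4+0xa0
05 00000000`069fce60 00007ffa`4d8d10ff twinui_pcshell!DllCanUnloadNow+0x42184
06 00000000`069fce90 00000000`00000000 ntdll!RtlpExecuteHandlerForException+0xf
"""

FRAME = re.compile(r"^[0-9a-f]{2} +\S+ +\S+ +(\w+)!(\S+?)(?:\+0x([0-9a-f]+))?$", re.M)

def triage(text):
    code = int(re.search(r"ExceptionCode:\s*([0-9a-f]+)", text, re.I).group(1), 16)
    sub = int(re.search(r"Parameter\[0\]:\s*([0-9a-f]+)", text, re.I).group(1), 16)
    name, corrupt = FAST_FAIL.get(sub, ("unknown", None))
    result = {"fast_fail": code == STATUS_STACK_BUFFER_OVERRUN,
              "subcode": name, "memory_corruption": corrupt,
              "first_non_runtime_module": None, "symbol_trusted": None}
    for module, _symbol, offset in FRAME.findall(text):
        if module.lower() not in RUNTIME:
            result["first_non_runtime_module"] = module
            result["symbol_trusted"] = int(offset or "0", 16) < MAX_TRUSTED_OFFSET
            break
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For this dump the script reports subcode `FAST_FAIL_FATAL_APP_EXIT` with no memory-corruption indication, and `twinui_pcshell` as the first non-runtime module with an untrusted symbol name, since `DllCanUnloadNow+0x42184` is only the nearest export.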