what causes "Exception code: C0000005 ACCESS_VIOLATION"

Hi,
"Exception code: C0000005 ACCESS_VIOLATION" seems to be a common experience. It appears that many people believe that it is related to the program which happen to cause the error, but there seem to be an awful lot of different programs causing it, thus it must be a more generic problem.

I cannot find a definition of WHEN and WHY would Windows respond with this message, this seems to be important to understand where the common thread is, as so different programs cause the same message.

I believe now that
- it is NOT related to any program per se
- it is related to how windows handles certain features
- it appears to happen more frequently when a MS-based file is imported or copy/pasted to a non-MS application


Anyhow, I am interested if someone has come across an explanation or even solution.

best
Werner

 

Your deductive reasoning has brought you very close to the answer. I'm going to answer your question in detail, and then at the bottom ask the question i think you came here to get addressed.

Computers have limits, they cannot divide a number by zero, nor read memory that isnt there, (and lots of other things).

They use a generic mechanism called Exceptions, to signal the software that it cannot do the operation it was requested to do, and some information as to why not.

Straight out of section 3.1.9, table 3-2 of Intel Processor Instruction Manual
0 #DE—Divide Error DIV and IDIV instructions.
13 #GP—General Protection Any memory reference andother protection checks.

Peruse this excerpt from the IA-32 Intel® Architecture Software Developer's Manual, Volume 3: System Programming Guide (bear with me, it gets better)

a #GP is a general protection fault. That means the program tried to access memory that is 'protected', it could not, and as you read above is handed to the fault handler.

Now.. If you've been in the game since Win98, you may have seen a GP_FAULT once or twice. Same thing, only now in NT/XP we get DrWatson complaing about an ACCESS_VIOLATION. This begs the question, what did it try to access that was a violation of normal runtime?

The operating system knows that programmers make mistakes, and make a special DMZ/No mans land at address 00000000 through address 0000FFFF, so that programs who try to reference NULL (a C programming way of saying Zero or Empty) will fail, rather than corrupt themselves and die horribly after corrupting your data.

Prove it, you say?? Can do.. i fire up my trusty debugger and examine this memory

Code:

0:000> !vadump          [I]***Note this command inspects the memory properties[/I]
BaseAddress:       00000000
RegionSize:        00010000
State:             00010000  MEM_FREE
[U]Protect:           00000001 [B] PAGE_NOACCESS[/B][/U]

BaseAddress:       00010000
RegionSize:        00001000
State:             00001000  MEM_COMMIT
Protect:           00000004  PAGE_READWRITE
Type:              00020000  MEM_PRIVATE

[I]***Here is no mans land***[/I]
0:000> dc 00000000   [I]***Note this command displays the contents of memory[/I]
00000000  ???????? ???????? ???????? ????????  ????????????????
00000010  ???????? ???????? ???????? ????????  ????????????????
00000020  ???????? ???????? ???????? ????????  ????????????????
00000030  ???????? ???????? ???????? ????????  ????????????????
00000040  ???????? ???????? ???????? ????????  ????????????????

[I]****as you can see here, the end of no mans land, and the beginning of real memory****[/I]
0:000> dc 00010000-30
0000ffd0  ???????? ???????? ???????? ????????  ????????????????
0000ffe0  ???????? ???????? ???????? ????????  ????????????????
0000fff0  ???????? ???????? ???????? ????????  ????????????????
00010000  0043003d 003d003a 003a0043 0044005c  =.C.:.=.C.:.\.D.
00010010  0063006f 006d0075 006e0065 00730074  o.c.u.m.e.n.t.s.
00010020  00610020 0064006e 00530020 00740065   .a.n.d. .S.e.t.
00010030  00690074 0067006e 005c0073 006f006a  t.i.n.g.s.\.j.o.

So, what is an access violation, a C0000005? This is the translated #GP code the fault handler raises, which the operating system displays as an 'Access Violation', whos numerical form is c thousand 5. Its the operating system telling you that a program has malfunctioned and tried to reference no mans land. It has nothing specific to do with any particular program, or a brand of software, this is straight from the CPU and kernel of the operating system.


NOW. On to your real question, you are probably seeing a lot of these on your machine, which made you come here in search of answers. You now need to determine which program is throwing the exception. It may be several, thats certainly possible. Use Start->Run Drwtsn32 and see whats in the exception handler log. Use the event viewer, if you prefer. Once you've identified the application that is faulting, the next time it crashes on you, note where it stuck the dump (probably \windows\minidump\3279272.dmp or in C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp) and run it through the dump data analysis tool in my signature, and ill tell you why it blew up, and try to recommend what to do to fix it.

 

I'm probably breaking a posting rule of some sort since I'm not contributing anything meaningful, but thanks for taking time to put together that amazing post. My head is still aching a bit from it.

 

thanks for the leads.
I also did the goggle search, with 1600+ hits, but after reading a bunch, did not get further. I would guess that among the 1600 there are some useful leads. Decided to enter this BBS and I am happy that I feel like I am on the track now. I could just live with every-5 min.-backups and constant crashes, a reboot works, but I do not like things when they do not behave right.

This does not have too much to do with my job in wildlife biology, but neither does my water turbine which creates the necessary electrons to send to you, but there are limits to self-teaching/doing.

I have kept some track of these misshapps, I also found these huge dump files which I regularly erased, as I could not deal with them. I downloaded the suggested programs and will investigate the next crashes.

best

Werner

Here a list of previous cases:

DrWtsn32
Application exception occurred:
App: (pid=696)
Exception number: c0000005 (access violation)
*----> Task List <----*
0 Idle.exe
8 System.exe
132 smss.exe
160 csrss.exe
156 winlogon.exe
208 services.exe
220 lsass.exe
376 svchost.exe
404 spoolsv.exe
448 svchost.exe
492 regsvc.exe
508 MSTask.exe
572 WinMgmt.exe
712 Explorer.exe
800 NewsUpd.exe
280 WINCMD32.exe
696 Stats50.exe
872 drwtsn32.exe
0 _Total.exe

Application exception occurred:
App: (pid=428)
Exception number: c0000005 (access violation)
428 CTSvcCDA.exe
Application exception occurred:
App: explorer.exe (pid=1076)
Exception number: c0000005 (access violation)
Application exception occurred:
App: (pid=300)
Exception number: c0000005 (access violation)
300 WPWIN8.exe
Application exception occurred:
App: (pid=756)
Exception number: c0000005 (access violation)
756 Pp70.exe
Application exception occurred:
App: (pid=592)
Exception number: c0000005 (access violation)
592 Mail.exe
Application exception occurred:
App: svchost.exe (pid=476)
Exception number: c0000005 (access violation)
476 svchost.exe
Application exception occurred:
App: (pid=604)
Exception number: c0000005 (access violation)
604 cvpnd.exe
Application exception occurred:
App: (pid=1284)
Exception number: c0000005 (access violation)
1284 Eudora.exe
Application exception occurred:
App: svchost.exe (pid=616)
Exception number: c0000005 (access violation)
616 svchost.exe
Application exception occurred:
App: (pid=1024)
Exception number: c0000005 (access violation)
1024 arccatalog.exe
Application exception occurred:
App: (pid=1512)
Exception number: c0000005 (access violation)
1512 SigOffline..exe

 

a first analysis of user.dmp from Access Violation

Hi Joe,

I installed these programs and still had 2 user.dmp files in recycling bin, I have the results. One observation: the message Your debugger is not using the correct symbols makes me believe that possibly the analysis did not work correctly?

I tried to include these debuglog files in message, but it will not take it, maybe due to size limitation? Let me know how I can get the file to you, thanks.

best Werner

 

you may have to split the output into two posts, or trim off the drivers list at the bottom with all those DLLs listed.
If it couldnt find symbols, that means it was trying to find them for a file that is not a microsoft file, or you were not connected to the internet, or you have some software firewall that prevented access like zonealarm or something. The debugger (cdb.exe) needs access to the internet via winsock in order to retrieve the correct symbols.
Go ahead and post one, and lets see whatcha got.

 

result part 1

I was not connected to internet while running initial analysis, so I repeated it now while connected. It took much longer to get final result:

Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\All Users.WINNT\Documents\DrWatson\user1.dmp]
User Dump File: Only application data is available

Windows 2000 Version 2195 UP Free x86 compatible
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINNT;C:\WINNT\system32;C:\WINNT\system32\drivers
.....................................................................................
(590.5d4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=001dffff ecx=0012f40d edx=00130608 esi=00143984 edi=00174314
eip=66506b56 esp=0012e508 ebp=0012e530 iopl=0 nv up ei pl zr ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256
*** WARNING: Unable to verify checksum for Paige32.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Paige32.dll -
Paige32!pgParBoundaryProc+0x6f:
66506b56 380b cmp [ebx],cl ds:0023:001dffff=??
0:000> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
Exception Analysis
*******************************************************************************
***
*** Your debugger is not using the correct symbols ***

*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***

*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***

*** Type referenced: ntdll!_PEB ***

*************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Eudora.exe -

FAULTING_IP:
Paige32!pgParBoundaryProc+6f
66506b56 380b cmp [ebx],cl

EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
.exr ffffffffffffffff
ExceptionAddress: 66506b56 (Paige32!pgParBoundaryProc+0x0000006f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 001dffff
Attempt to read from address 001dffff

FAULTING_THREAD: 000005d4

DEFAULT_BUCKET_ID: APPLICATION_FAULT

PROCESS_NAME: Eudora.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

READ_ADDRESS: 001dffff

BUGCHECK_STR: ACCESS_VIOLATION

THREAD_ATTRIBUTES:
LAST_CONTROL_TRANSFER: from 66507782 to 66506b56

 

results part 2

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e530 66507782 0d174314 0012e540 ffffffff Paige32!pgParBoundaryProc+0x6f
0012e548 66509df0 00167520 ffffffff 001a85ec Paige32!pgFindPar+0x1e
0012e570 665088e7 00000001 001672c4 000002e4 Paige32!pgFindParExclusionRun+0x126
0012e590 6651b8c5 001672c4 0012f440 00000001 Paige32!pgSetupOffsetRun+0x1cd
0012e5f8 6651b1c2 00167520 0012f440 00000000 Paige32!pgClearSpecialTabFlags+0x124
0012e61c 004a80f1 00167520 0012f440 00000000 Paige32!pgGetParInfo+0x1b
0012ec04 004a7214 0012f440 00000003 0012f5f8 Eudora!MemMgrSerializedRegionMT:perator=+0x81b9e
0012f454 004a70a9 00174314 0012f5f8 00000001 Eudora!MemMgrSerializedRegionMT:perator=+0x80cc1
0012f498 6650df38 00174314 0012f5f8 00000001 Eudora!MemMgrSerializedRegionMT:perator=+0x80b56
0012f5b4 6650bd88 00174314 00143984 001e006c Paige32!pgDeleteRawData+0x2a35
0012fa68 6650aaab 00000003 00000000 00000000 Paige32!pgDeleteRawData+0x885
0012fb58 6650a996 00167520 0012fb7c 00000000 Paige32!pgDoDisplay+0xcb
0012fb84 004aed23 00167520 00000000 001672bc Paige32!pgDisplay+0x28
0012fbf0 6c3c37a8 0012fc00 00000000 6c41369c Eudora!MemMgrSerializedRegionMT:perator=+0x887d0
0012fc60 6c3b9d0a 028a5220 028a5220 00134e70 MFC42!CView::OnPaint+0x3b
0012fcd8 6c3b99d5 0000000f 00000000 6c414158 MFC42!CWnd::OnWndMsg+0x313
0012fcf8 0049aff8 0000000f 00000000 00000000 MFC42!CWnd::WindowProc+0x22
0012fd14 6c3b88ee 0000000f 00000000 00000000 Eudora!MemMgrSerializedRegionMT:perator=+0x74aa5
0012fd74 6c3b8afb 00000000 001802f2 0000000f MFC42!AfxCallWndProc+0x90
0012fd94 6c3e13a8 001802f2 0000000f 00000000 MFC42!AfxWndProc+0x34
0012fdc0 77e12ca8 001802f2 0000000f 00000000 MFC42!AfxWndProcBase+0x39
0012fde0 77e14764 6c3e136f 001802f2 0000000f USER32!UserCallWinProc+0x18
0012fdfc 77e14720 00740980 0000000f 00000000 USER32!DispatchClientMessage+0x4b
0012fe24 77fa15ef 0012fe34 00000018 00740980 USER32!__fnDWORD+0x22
0012fe48 77e12ecf 00a718c4 00a718c4 00a71890 ntdll!KiUserCallbackDispatcher+0x13
0012fec4 77e1577d 00a718c4 00000001 6c3be710 USER32!DispatchMessageWorker+0x37f
0012fed0 6c3be710 00a718c4 00000001 00a71890 USER32!DispatchMessageA+0xb
0012fee0 6c3be1e6 00a71890 00a71890 0012ffc0 MFC42!CWinThread:umpMessage+0x3a
0012fef8 6c3be73c 00a71890 6c3bbdd3 00000000 MFC42!CWinThread::Run+0x47
0012ff00 6c3bbdd3 00000000 00134269 00000000 MFC42!CWinApp::Run+0x20
0012ff10 005da1e1 00400000 00000000 00134269 MFC42!AfxWinMain+0x67
0012ffc0 7c4e87f5 00000000 00000000 7ffdf000 Eudora!MemMgrSerializedRegionMT:perator=+0x1b3c8e
0012fff0 00000000 005d9fbc 00000000 000000c8 KERNEL32!BaseProcessStart+0x3d

FOLLOWUP_IP:
Paige32!pgParBoundaryProc+6f
66506b56 380b cmp [ebx],cl

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: Paige32!pgParBoundaryProc+6f

MODULE_NAME: Paige32

IMAGE_NAME: Paige32.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 417828e4

STACK_COMMAND: ~0s ; kb

FAILURE_BUCKET_ID: ACCESS_VIOLATION_Paige32!pgParBoundaryProc+6f

BUCKET_ID: ACCESS_VIOLATION_Paige32!pgParBoundaryProc+6f

 

results part 3

Followup: MachineOwner
---------

eax=00000000 ebx=001dffff ecx=0012f40d edx=00130608 esi=00143984 edi=00174314
eip=66506b56 esp=0012e508 ebp=0012e530 iopl=0 nv up ei pl zr ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000256
Paige32!pgParBoundaryProc+0x6f:
66506b56 380b cmp [ebx],cl ds:0023:001dffff=??
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e530 66507782 0d174314 0012e540 ffffffff Paige32!pgParBoundaryProc+0x6f
0012e548 66509df0 00167520 ffffffff 001a85ec Paige32!pgFindPar+0x1e
0012e570 665088e7 00000001 001672c4 000002e4 Paige32!pgFindParExclusionRun+0x126
0012e590 6651b8c5 001672c4 0012f440 00000001 Paige32!pgSetupOffsetRun+0x1cd
0012e5f8 6651b1c2 00167520 0012f440 00000000 Paige32!pgClearSpecialTabFlags+0x124
0012e61c 004a80f1 00167520 0012f440 00000000 Paige32!pgGetParInfo+0x1b
0012ec04 004a7214 0012f440 00000003 0012f5f8 Eudora!MemMgrSerializedRegionMT operator=+0x81b9e
0012f454 004a70a9 00174314 0012f5f8 00000001 Eudora!MemMgrSerializedRegionMT operator=+0x80cc1
0012f498 6650df38 00174314 0012f5f8 00000001 Eudora!MemMgrSerializedRegionMT operator=+0x80b56
0012f5b4 6650bd88 00174314 00143984 001e006c Paige32!pgDeleteRawData+0x2a35
0012fa68 6650aaab 00000003 00000000 00000000 Paige32!pgDeleteRawData+0x885
0012fb58 6650a996 00167520 0012fb7c 00000000 Paige32!pgDoDisplay+0xcb
0012fb84 004aed23 00167520 00000000 001672bc Paige32!pgDisplay+0x28
0012fbf0 6c3c37a8 0012fc00 00000000 6c41369c Eudora!MemMgrSerializedRegionMT operator=+0x887d0
0012fc60 6c3b9d0a 028a5220 028a5220 00134e70 MFC42!CView::OnPaint+0x3b
0012fcd8 6c3b99d5 0000000f 00000000 6c414158 MFC42!CWnd::OnWndMsg+0x313
0012fcf8 0049aff8 0000000f 00000000 00000000 MFC42!CWnd::WindowProc+0x22
0012fd14 6c3b88ee 0000000f 00000000 00000000 Eudora!MemMgrSerializedRegionMT operator=+0x74aa5
0012fd74 6c3b8afb 00000000 001802f2 0000000f MFC42!AfxCallWndProc+0x90
0012fd94 6c3e13a8 001802f2 0000000f 00000000 MFC42!AfxWndProc+0x34
start end module name
00400000 006ac000 Eudora Eudora.exe Mon Nov 08 20:10:12 2004 (418FFCD4)
etc

 

This is eudora crashing as a result of a bug in Paige32.DLL, which is the DLL that renders the word processor looking window in email. You need to make sure you have the latest versions of eudora and paige32.dll

 

Werner - did Joe's last suggestion get you fixed?