Old 19th October 2005   #1
fulgenfj
Access violation - code c0000005 (!!! second chance !!!) + winlogon

Well. I'm using my own GINA to validate users in W2000 SP4 through a smart card. That's why I wrote it.

But I'm experiencing some winlogon crashes on my system. These are:

1.-
Sas window: Winlogon.exe: The instruction at "0x784ad989" referenced memory at "0x04550306". The
memory could not be "written".

2.-
Dialog: Winlogon.exe: The instruction at "0x784ab333" referenced memory at "0x0054004e". The
memory could not be "written".

I have debugged both with WinDbg; the first through a winlogon.dmp and the second through user.dmp and drwtsn32.log.

I'm writing the results at the end of this post.
But I do think it is something about the ntdll.dll library.

I have found this link to solve this issue, but I do have SP4 installed right now, and I'm not sure about it because I've found this information.

So what should I do to solve this issue: should I update to SP4 or not, or should I debug my own GINA according to this link?

Thanks a lot for your replies, and
these are the results:

1.-
Microsoft (R) Windows Debugger Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\WINLOGON168.dmp]
User Dump File: Only application data is available

Windows 2000 Version 2195 UP Free x86 compatible
Product: WinNt
Debug session time: Sun Oct 16 14:14:33.015 2005 (GMT+2)
System Uptime: 0 days 0:38:18.687
Process Uptime: not available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:

(c0.a8): Access violation - code c0000005 (!!! second chance !!!)
eax=0f301131 ebx=00070000 ecx=04550306 edx=00137e18 esi=00137df8 edi=00137e18
eip=784ad989 esp=0006fc4c ebp=0006fc58 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010216
ntdll!RtlpCoalesceFreeBlocks+0x2fb:
784ad989 8901 mov [ecx],eax ds:0023:04550306=????????
0:000> .reload



2.-
Microsoft (R) Windows Debugger Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\user.dmp]
User Dump File: Only application data is available

Windows 2000 Version 2195 UP Free x86 compatible
Product: WinNt
Debug session time: Mon Oct 17 19:28:32.500 2005 (GMT+2)
System Uptime: 0 days 1:16:28.167
Process Uptime: not available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:

(c0.a8): Access violation - code c0000005 (!!! second chance !!!)
eax=004e0049 ebx=00000396 ecx=0054004e edx=00072178 esi=00070000 edi=000704c8
eip=784ab333 esp=0006f7e8 ebp=0006f9b4 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000287
ntdll!RtlAllocateHeap+0x649:
784ab333 8901 mov [ecx],eax ds:0023:0054004e=????????
0:000> .reload


Drwtsn32.log (Spanish written)


Excepción de aplicación ocurrida:

Aplicación: winlogon.exe (pid=192)

Fecha y hora: 17/10/2005 a las 19:28:32.000

Número de excepción: c0000005 (infracción de acceso)



*----> Información del sistema <----*

Nombre de equipo: FPKRL1J

Nombre de usuario: SYSTEM

Número de procesadores: 1

Tipo de procesador: x86 Family 15 Model 4 Stepping 1

Versión de Windows 2000 : 5.0

Versión actual: 2195

Service Pack: 4

Tipo actual: Uniprocessor Free

Organización registrada: UC

Propietario registrado: BUC



*----> Lista de tareas <----*

0 Idle.exe

8 System.exe

144 smss.exe

172 csrss.exe

192 WINLOGON.exe

220 SERVICES.exe

232 LSASS.exe

352 scardsvr.exe

420 svchost.exe

448 spoolsv.exe

484 client32.exe

520 svchost.exe

608 Srvany.exe

628 inflocal.exe

636 MDM.exe

708 regsvc.exe

744 rtmservice.exe

756 mstask.exe

808 stisvc.exe

868 userdump.exe

888 winmgmt.exe

900 svchost.exe

120 drwtsn32.exe

0 _Total.exe



Muestra de estado para identificador de subproceso 0xa8

eax=004e0049 ebx=00000396 ecx=0054004e edx=00072178 esi=00070000 edi=000704c8
eip=784ab333 esp=0006f7e8 ebp=0006f9b4 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000287

función: RtlAllocateHeap
784ab30f 884705 mov [edi+0x5],al ds:00b3a3ae=??
784ab312 ff75d0 push dword ptr [ebp+0xd0] ss:00b3989a=????????
784ab315 8b75a4 mov esi,[ebp+0xa4] ss:00b3989a=????????
784ab318 56 push esi
784ab319 e8d120fdff call RtlIsValidIndexHandle+0x182f (7847d3ef)
784ab31e 8b4dd0 mov ecx,[ebp+0xd0] ss:00b3989a=????????
784ab321 8b4108 mov eax,[ecx+0x8] ds:01009f34=8ad2335c
784ab324 8985d4feffff mov [ebp+0xfffffed4],eax ss:0006f888=004e0049
784ab32a 8b490c mov ecx,[ecx+0xc] ds:01009f34=8ad2335c
784ab32d 898dd0feffff mov [ebp+0xfffffed0],ecx ss:0006f884=0054004e
ERROR -> 784ab333 8901 mov [ecx],eax ds:0054004e=????????
784ab335 894804 mov [eax+0x4],ecx ds:00fa9f2f=????????
784ab338 3bc1 cmp eax,ecx
784ab33a 7531 jnz 784b3e6d
784ab33c 8b45d0 mov eax,[ebp+0xd0] ss:00b3989a=????????
784ab33f 668b00 mov ax,[eax] ds:004e0049=????
784ab342 663d8000 cmp ax,0x80
784ab346 7325 jnb RtlAddRange+0x1e9 (784ac26d)
784ab348 0fb7c8 movzx ecx,ax
784ab34b 8bc1 mov eax,ecx
784ab34d c1e803 shr eax,0x3
784ab350 8985c8feffff mov [ebp+0xfffffec8],eax ss:0006f87c=0006f8ec
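The two dumps above can be triaged mechanically; the following is an added example, not code from the original post. In the second dump the faulting write is mov [ecx],eax in RtlAllocateHeap, and ecx and eax were just loaded from a free block's link fields ([ecx+0xc] and [ecx+0x8]): their values 0054004e and 004e0049 are the UTF-16LE strings "NT" and "IN" (the raw stack dump shows the same bytes as N.T.I.N. at 0006f884, where RtlAllocateHeap saved them), which is the signature of a wide-character string copied past the end of an adjacent heap buffer. The script assumes the WinDbg output format shown above and uses the register lines copied from the two dumps.

```python
"""Heap-corruption triage for the WinDbg register dumps in the post above.

Added example (not from the original post). Two heuristics are applied to
the destination of the faulting "mov [reg],src" write:
  1. the pointer decodes as printable UTF-16LE text, meaning string data was
     copied over a heap free-list link (wide-string overflow of a neighbour);
  2. the pointer is not 8-byte aligned, which a Win32 heap never hands out,
     so the link itself has been overwritten.
Run the module directly to print the verdict for both dumps.
"""
import re

# Register lines and faulting instruction copied from the two dumps above.
DUMP_1 = """(c0.a8): Access violation - code c0000005 (!!! second chance !!!)
eax=0f301131 ebx=00070000 ecx=04550306 edx=00137e18 esi=00137df8 edi=00137e18
eip=784ad989 esp=0006fc4c ebp=0006fc58 iopl=0 nv up ei pl nz ac po nc
ntdll!RtlpCoalesceFreeBlocks+0x2fb:
784ad989 8901 mov [ecx],eax ds:0023:04550306=????????"""

DUMP_2 = """(c0.a8): Access violation - code c0000005 (!!! second chance !!!)
eax=004e0049 ebx=00000396 ecx=0054004e edx=00072178 esi=00070000 edi=000704c8
eip=784ab333 esp=0006f7e8 ebp=0006f9b4 iopl=0 nv up ei ng nz na po cy
ntdll!RtlAllocateHeap+0x649:
784ab333 8901 mov [ecx],eax ds:0023:0054004e=????????"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
# Destination register of a "mov [reg],src" write, e.g. "mov [ecx],eax".
MEM_WRITE_RE = re.compile(r"mov\s+\[(e[abcd]x|e[sd]i|ebp)\]\s*,\s*(\w+)")

HEAP_GRANULARITY = 8  # Win32 heap blocks are allocated in 8-byte units


def parse_registers(text):
    """Return {name: int} for every 32-bit register in a WinDbg dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def as_utf16le(value):
    """Decode a 32-bit value (little-endian) as two UTF-16LE code units.

    Returns the text when both units are printable ASCII, else None.
    """
    text = value.to_bytes(4, "little").decode("utf-16-le", errors="replace")
    if all(0x20 <= ord(ch) < 0x7F for ch in text):
        return text
    return None


def misaligned_heap_pointer(value):
    """True when value cannot be the address of a heap block or free link."""
    return value % HEAP_GRANULARITY != 0


def triage(dump_text):
    """Classify the faulting write in a dump and return the evidence."""
    regs = parse_registers(dump_text)
    m = MEM_WRITE_RE.search(dump_text)
    if not m:
        return {"verdict": "no memory-write instruction found"}
    dst, src = m.group(1), m.group(2)
    if dst not in regs:
        return {"verdict": "destination register %s not in dump" % dst}
    dst_val = regs[dst]
    src_val = regs.get(src)
    result = {
        "dst": dst,
        "dst_value": dst_val,
        "dst_text": as_utf16le(dst_val),
        "src": src,
        "src_text": as_utf16le(src_val) if src_val is not None else None,
        "dst_misaligned": misaligned_heap_pointer(dst_val),
    }
    if result["dst_text"] is not None:
        result["verdict"] = ("free-list link overwritten by UTF-16 text: "
                             "wide-string overflow of an adjacent heap buffer")
    elif result["dst_misaligned"]:
        result["verdict"] = ("free-list link is not a plausible block address: "
                             "heap metadata corrupted")
    else:
        result["verdict"] = "pointer looks plausible; inspect the block with !heap"
    return result


if __name__ == "__main__":
    for name, dump in (("dump 1", DUMP_1), ("dump 2", DUMP_2)):
        r = triage(dump)
        print("%s: [%s]=%08x -> %s" % (name, r["dst"], r["dst_value"], r["verdict"]))
```

Because the GINA runs inside winlogon, enabling full page heap for that image (gflags /p /enable winlogon.exe /full) makes the overflowing write fault at the instruction that performs it instead of at the next heap operation, which is what both dumps show.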
Old 19th October 2005   #2
fulgenfj
drwtsn32.log about the post

That's the second part (Spanish written)


*----> Seguimiento regresivo de pila <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función
0006F9B4 77E2C774 00070000 00000000 00000108 77E6D1E0 ntdll!RtlAllocateHeap
0006F9E8 77E34F0B 003F3B80 00000081 00000000 0006FAB0 user32!GetDesktopWindow
0006FA0C 77E4158F 00040062 00000081 00000000 0006FAB0 user32!EditWndProc
0006FA2C 77E3C19D 77E34EB8 00040062 00000081 00000000 user32!GetTopWindow
0006FA48 77E322C5 003F3B80 00000081 00000000 0006FAB0 user32!DefWindowProcW
0006FA78 78471BAF 0006FA88 00000060 00000060 00000000 user32!LockWindowUpdate
0006FBBC 77E340BB 10000000 00000006 00000000 003F1EA0 ntdll!KiUserCallbackDispatcher
0006FBEC 77E3410F 10000000 1003DF18 00000000 01002230 user32!DestroyWindow
0006FC0C 77E291C6 10000000 1003DF18 00000000 01002230 user32!DialogBoxIndirectParamAorW
0006FC30 0100404E 10000000 0000009C 00000000 01002230 user32!DialogBoxParamW
0006FC6C 0100400E 00075EB8 10000000 0000009C 00000000 winlogon!<nosymbols>
0006FCA4 10014DB5 00075EB8 10000000 0000009C 00000000 winlogon!<nosymbols>
0006FCEC 77E4158F 00180050 00000111 00000408 001D0110 !<nosymbols>
0006FD0C 77E3279C 01002230 00180050 00000111 00000408 user32!GetTopWindow
0006FD48 77E32BC8 00180050 00000111 00000408 001D0110 user32!SetWindowLongW
0006FD78 77E3B811 003F1798 00000111 00000408 001D0110 user32!IsDialogMessageW
0006FD98 77E24A58 00180050 00000111 00000408 001D0110 user32!SendMessageW
0006FDC8 77E32E67 00180050 003F1D68 00000000 00000000 user32!EnumDesktopWindows
0006FE04 77E340CE 00180050 00000000 00000001 00000000 user32!IsDialogMessageW
0006FE28 77E3410F 10000000 1003BCE8 00000000 01002230 user32!DestroyWindow
0006FE48 77E291C6 10000000 1003BCE8 00000000 01002230 user32!DialogBoxIndirectParamAorW
0006FE6C 0100404E 10000000 00000067 00000000 01002230 user32!DialogBoxParamW
0006FEA8 0100400E 00075EB8 10000000 00000067 00000000 winlogon!<nosymbols>
0006FEE0 100013F0 00075EB8 10000000 00000067 00000000 winlogon!<nosymbols>
0006FF20 01007E8C 00075EB8 00000005 0007360C 00000001 !<nosymbols>
0006FF58 0100AF70 00071FC8 00000000 0007360C 0000000A winlogon!<nosymbols>
0006FFF4 00000000 7FFDF000 000000C8 00000100 EEFFEEFF winlogon!<nosymbols>



*----> Muestra de pilas sin procesar <----*
0006f7e8 e0 d1 e6 77 00 00 00 00 - e0 d3 e6 77 54 72 61 63 ...w.......wTrac
0006f7f8 65 2b 3a 3d 44 45 47 55 - 47 3e 28 44 69 73 70 6c e+:=DEGUG>(Displ
0006f808 61 79 53 41 53 4e 6f 74 - 69 63 65 44 6c 67 50 72 aySASNoticeDlgPr
0006f818 6f 63 29 49 44 43 5f 52 - 45 53 45 52 56 41 53 0d oc)IDC_RESERVAS.
0006f828 0a 00 32 00 35 00 00 00 - 01 00 00 00 80 b0 f7 77 ..2.5..........w
0006f838 38 95 14 00 08 fa 06 00 - 00 00 00 00 00 00 00 00 8...............
0006f848 e0 c7 11 00 d0 88 14 00 - 98 fb 06 00 08 fa 06 00 ................
0006f858 4a df 03 10 9d 6f f4 77 - 64 f8 06 00 f5 ff ff ff J....o.wd.......
0006f868 80 b0 f7 77 70 05 3a 00 - 08 fa 06 00 00 00 00 00 ...wp.:.........
0006f878 19 06 0a c7 ec f8 06 00 - b6 73 f4 77 4e 00 54 00 .........s.wN.T.
0006f888 49 00 4e 00 9d 03 01 c6 - 08 fa 06 00 d3 73 f4 77 I.N..........s.w
0006f898 80 b0 f7 77 9d 03 01 c6 - 50 4b f4 77 a0 e7 12 00 ...w....PK.w....
0006f8a8 d2 fe ff ff ff ff df ff - 01 00 00 00 68 d4 e2 77 ............h..w
0006f8b8 d0 f8 06 00 ff ff ff ff - 00 00 00 00 ff ff df ff ................
0006f8c8 00 00 00 00 a0 e7 12 00 - 01 00 00 00 00 00 00 00 ................
0006f8d8 28 79 f4 77 77 00 00 00 - 01 00 00 00 c0 03 07 00 (y.ww...........
0006f8e8 c0 03 07 00 e4 f9 06 00 - 4a d7 e2 77 9d 03 01 c6 ........J..w....
0006f8f8 08 fa 06 00 3c e8 12 00 - 00 00 00 00 4c 01 18 00 ....<.......L...
0006f908 10 00 00 00 0d 00 00 00 - 03 00 00 00 03 00 00 00 ................
0006f918 00 00 00 00 07 00 00 00 - 0e 00 00 00 bc 02 00 00 ................



Muestra de estado para identificador de subproceso 0xd0



eax=000000c0 ebx=0006fe60 ecx=00000101 edx=00000000 esi=00000000 edi=00000000

eip=784683a3 esp=0078ffa0 ebp=0078ffb4 iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246





función: NtDelayExecution

78468398 b832000000 mov eax,0x32

7846839d 8d542404 lea edx,[esp+0x4] ss:01259e87=????????

784683a1 cd2e int 2e

784683a3 c20800 ret 0x8

784683a6 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

0078FFB4 7945B388 0006FE60 00000000 00000000 0006FE60 ntdll!NtDelayExecution

0078FFEC 00000000 78482348 0006FE60 00000000 00000000 kernel32!lstrcmpiW



*----> Muestra de pilas sin procesar <----*




Muestra de estado para identificador de subproceso 0xd4



eax=00000000 ebx=00007530 ecx=0013efc4 edx=00000000 esi=0007b208 edi=00007530

eip=78468af7 esp=007dfebc ebp=007dfee4 iopl=0 nv up ei ng nz ac po cy

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000297





función: NtRemoveIoCompletion

78468aec b8a8000000 mov eax,0xa8

78468af1 8d542404 lea edx,[esp+0x4] ss:012a9da3=????????

78468af5 cd2e int 2e

78468af7 c21400 ret 0x14

78468afa 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

007DFEE4 7713FA03 0000009C 007DFF1C 007DFF0C 007DFF14 ntdll!NtRemoveIoCompletion

007DFF20 7713F964 00007530 007DFF60 007DFF5C 007DFF70 rpcrt4!PerformRpcInitialization

007DFF74 77133DD7 7713E003 0007B208 0006FA82 78466775 rpcrt4!PerformRpcInitialization

007DFFA8 7713AF16 0007BB18 007DFFEC 7945B388 000799D0 rpcrt4!RpcBindingSetOption

007DFFB4 7945B388 000799D0 0006FA82 78466775 000799D0 rpcrt4!RpcMgmtSetCancelTimeout

007DFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0xe0



eax=000000c0 ebx=0000003f ecx=00147684 edx=00000000 esi=0081ebfc edi=00000001

eip=78468f03 esp=0081ebe4 ebp=0081ffb4 iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246





función: NtWaitForMultipleObjects

78468ef8 b8e9000000 mov eax,0xe9

78468efd 8d542404 lea edx,[esp+0x4] ss:012e8acb=????????

78468f01 cd2e int 2e

78468f03 c21400 ret 0x14

78468f06 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

0081FFB4 7945B388 0006FE08 00000000 00000000 0006FE08 ntdll!NtWaitForMultipleObjects

0081FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



*----> Muestra de pilas sin procesar <----*




Muestra de estado para identificador de subproceso 0x110



eax=00000219 ebx=0000014c ecx=00410c38 edx=00000000 esi=00dbff98 edi=77e41ebb

eip=77e41eb3 esp=00dbff34 ebp=00dbff4c iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





función: DispatchMessageW

77e41e99 e8349dffff call GetFocus+0x50 (77e3bbd2)

77e41e9e e93effffff jmp GetWindowLongW+0x681 (77e41de1)

77e41ea3 90 nop

77e41ea4 90 nop

77e41ea5 90 nop

77e41ea6 90 nop

77e41ea7 90 nop

77e41ea8 b89a110000 mov eax,0x119a

77e41ead 8d542404 lea edx,[esp+0x4] ss:01889e1b=????????

77e41eb1 cd2e int 2e

77e41eb3 c21000 ret 0x10

77e41eb6 90 nop

77e41eb7 90 nop

77e41eb8 90 nop

77e41eb9 90 nop

77e41eba 90 nop



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

00DBFF4C 77551435 00DBFF98 00000000 00000000 00000000 user32!DispatchMessageW

00DBFFB4 7945B388 00000000 00000000 00000000 00000000 winmm!<nosymbols>

00DBFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x1dc



eax=00000000 ebx=00000103 ecx=00000000 edx=00000000 esi=003c3788 edi=0000015c

eip=78468a87 esp=00dffd54 ebp=00dffdc4 iopl=0 nv up ei pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206





función: NtReadFile

78468a7c b8a1000000 mov eax,0xa1

78468a81 8d542404 lea edx,[esp+0x4] ss:018c9c3b=????????

78468a85 cd2e int 2e

78468a87 c22400 ret 0x24

78468a8a 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

00DFFDC4 7693B45D 0000015C 00DFFE20 00000008 00DFFDFC ntdll!NtReadFile

00DFFE04 7693B587 00DFFE20 00000008 003C3718 00000000 winscard!<nosymbols>

00DFFE2C 769368D8 003C3770 00000000 7693143C 003C3718 winscard!<nosymbols>

00DFFEBC 769359F6 000840B8 00084040 00000002 FFFFFFFF winscard!<nosymbols>

00DFFEF4 76934E05 003C8B88 00084040 00000002 FFFFFFFF winscard!<nosymbols>

00DFFF40 0101C1A8 003C36C0 FFFFFFFF 00084040 00000002 winscard!SCardGetStatusChangeW

00DFFFB4 7945B388 00081D60 0006FAEC 00000200 00081D60 winlogon!<nosymbols>

00DFFFEC 00000000 0101C00B 00081D60 00000000 000000C1 kernel32!lstrcmpiW



*----> Muestra de pilas sin procesar <----*




Muestra de estado para identificador de subproceso 0x1ec



eax=00000102 ebx=80020000 ecx=80020000 edx=00000000 esi=0007c2d8 edi=0007c318

eip=78468b37 esp=00e8fe28 ebp=00e8ff74 iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202





función: ZwReplyWaitReceivePortEx

78468b2c b8ac000000 mov eax,0xac

78468b31 8d542404 lea edx,[esp+0x4] ss:01959d0f=????????

78468b35 cd2e int 2e

78468b37 c21400 ret 0x14

78468b3a 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

00E8FF74 7713E0C0 7713E003 0007C2D8 7713F701 00070000 ntdll!ZwReplyWaitReceivePortEx

00E8FFA8 7713AF16 00089A38 00E8FFEC 7945B388 00089D78 rpcrt4!UuidCreate

00E8FFB4 7945B388 00089D78 7713F701 00070000 00089D78 rpcrt4!RpcMgmtSetCancelTimeout

00E8FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x1f4



eax=00000001 ebx=00000004 ecx=00000101 edx=00000000 esi=78468ef8 edi=00000004

eip=78468f03 esp=0157fd24 ebp=0157fd70 iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





función: NtWaitForMultipleObjects

78468ef8 b8e9000000 mov eax,0xe9

78468efd 8d542404 lea edx,[esp+0x4] ss:02049c0b=????????

78468f01 cd2e int 2e

78468f03 c21400 ret 0x14

78468f06 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

0157FD70 7947A10E 0157FD48 00000001 00000000 00000000 ntdll!NtWaitForMultipleObjects

0157FFB4 7945B388 00000005 000B000A 790480D0 000B53F8 kernel32!WaitForMultipleObjects

0157FFEC 00000000 778321FE 000B53F8 00000000 00000000 kernel32!lstrcmpiW



*----> Muestra de pilas sin procesar <----*




Muestra de estado para identificador de subproceso 0x2dc



eax=78df6a2c ebx=00000003 ecx=00168548 edx=00000000 esi=78468ef8 edi=00000003

eip=78468f03 esp=01e0ff20 ebp=01e0ff6c iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





third part comes now....

Old 19th October 2005   #3
fulgenfj
Third part about drwtsn32.log

Here it comes (Spanish written):

función: NtWaitForMultipleObjects

78468ef8 b8e9000000 mov eax,0xe9

78468efd 8d542404 lea edx,[esp+0x4] ss:028d9e07=????????

78468f01 cd2e int 2e

78468f03 c21400 ret 0x14

78468f06 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

01E0FF6C 7947A10E 01E0FF44 00000001 00000000 00000000 ntdll!NtWaitForMultipleObjects

00000000 00000000 00000000 00000000 00000000 00000000 kernel32!WaitForMultipleObjects



*----> Muestra de pilas sin procesar <----*




Muestra de estado para identificador de subproceso 0x3a8



eax=78df9fdb ebx=00000003 ecx=78df1513 edx=00000000 esi=78468ef8 edi=00000003

eip=78468f03 esp=01f9fefc ebp=01f9ff48 iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





función: NtWaitForMultipleObjects

78468ef8 b8e9000000 mov eax,0xe9

78468efd 8d542404 lea edx,[esp+0x4] ss:02a69de3=????????

78468f01 cd2e int 2e

78468f03 c21400 ret 0x14

78468f06 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

01F9FF48 7947A10E 01F9FF20 00000001 00000000 00000000 ntdll!NtWaitForMultipleObjects

01F9FFB4 7945B388 01E16830 01F5FA5C 78DF1513 01E16830 kernel32!WaitForMultipleObjects

01F9FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x34c



eax=000005f0 ebx=00000004 ecx=01010101 edx=00000000 esi=78468ef8 edi=00000004

eip=78468f03 esp=01fdfe7c ebp=01fdfec8 iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





función: NtWaitForMultipleObjects

78468ef8 b8e9000000 mov eax,0xe9

78468efd 8d542404 lea edx,[esp+0x4] ss:02aa9d63=????????

78468f01 cd2e int 2e

78468f03 c21400 ret 0x14

78468f06 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

01FDFEC8 7947A10E 01FDFEA0 00000001 00000000 01FDFEC0 ntdll!NtWaitForMultipleObjects

01FDFF38 770A6CA8 0049ECCE 0049ECCE 00000000 0049ECCE kernel32!WaitForMultipleObjects

01FDFFB4 7945B388 001068C0 00000000 00000000 001068C0 cscdll!MprServiceProc

01FDFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x3b4



eax=01e94000 ebx=0009eea4 ecx=0201fc8c edx=00000000 esi=00000000 edi=00096e74

eip=78468f03 esp=0201ff6c ebp=0201ffb4 iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





función: NtWaitForMultipleObjects

78468ef8 b8e9000000 mov eax,0xe9

78468efd 8d542404 lea edx,[esp+0x4] ss:02ae9e53=????????

78468f01 cd2e int 2e

78468f03 c21400 ret 0x14

78468f06 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

0201FFB4 7945B388 00000000 00000000 0000005A 00000000 ntdll!NtWaitForMultipleObjects

0201FFEC 00000000 7695423E 00000000 00000000 000000C8 kernel32!lstrcmpiW



*----> Muestra de pilas sin procesar <----*




Muestra de estado para identificador de subproceso 0x3c0



eax=00000000 ebx=0209ff80 ecx=00000000 edx=00000000 esi=78468f08 edi=00000634

eip=78468f13 esp=0209ff64 ebp=0209ff88 iopl=0 nv up ei ng nz ac po cy

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000297





función: ZwWaitForSingleObject

78468f08 b8ea000000 mov eax,0xea

78468f0d 8d542404 lea edx,[esp+0x4] ss:02b69e4b=????????

78468f11 cd2e int 2e

78468f13 c20c00 ret 0xc

78468f16 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

0209FF88 7945B3DB 00000634 0000EA60 00000000 770A2FCF ntdll!ZwWaitForSingleObject

004558DE 00000000 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject



Muestra de estado para identificador de subproceso 0x3c4



eax=01e3e208 ebx=0009ee98 ecx=125e8983 edx=00000000 esi=01e94028 edi=00000029

eip=78468f03 esp=020dff6c ebp=020dffb4 iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202





función: NtWaitForMultipleObjects

78468ef8 b8e9000000 mov eax,0xe9

78468efd 8d542404 lea edx,[esp+0x4] ss:02ba9e53=????????

78468f01 cd2e int 2e

78468f03 c21400 ret 0x14

78468f06 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

020DFFB4 7945B388 0009EE98 00000000 00000000 0009EE98 ntdll!NtWaitForMultipleObjects

020DFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x3c8



eax=00d00008 ebx=000000b4 ecx=00000007 edx=00000000 esi=0211ff98 edi=77e2793f

eip=77e41eb3 esp=0211ff58 ebp=0211ff78 iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





función: DispatchMessageW

77e41e99 e8349dffff call GetFocus+0x50 (77e3bbd2)

77e41e9e e93effffff jmp GetWindowLongW+0x681 (77e41de1)

77e41ea3 90 nop

77e41ea4 90 nop

77e41ea5 90 nop

77e41ea6 90 nop

77e41ea7 90 nop

77e41ea8 b89a110000 mov eax,0x119a

77e41ead 8d542404 lea edx,[esp+0x4] ss:02be9e3f=????????

77e41eb1 cd2e int 2e

77e41eb3 c21000 ret 0x10

77e41eb6 90 nop

77e41eb7 90 nop

77e41eb8 90 nop

77e41eb9 90 nop

77e41eba 90 nop



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

0211FF78 77555C36 0211FF98 00000000 00000000 00000000 user32!DispatchMessageW

0211FFB4 7945B388 000000B4 77575428 0006F048 000000B4 winmm!midiOutGetNumDevs

0211FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x3bc



eax=77542bda ebx=00000002 ecx=0016d280 edx=00000000 esi=78468ef8 edi=00000002

eip=78468f03 esp=023eff24 ebp=023eff70 iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





función: NtWaitForMultipleObjects

78468ef8 b8e9000000 mov eax,0xe9

78468efd 8d542404 lea edx,[esp+0x4] ss:02eb9e0b=????????

78468f01 cd2e int 2e

78468f03 c21400 ret 0x14

78468f06 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

023EFF70 7947A10E 023EFF48 00000001 00000000 00000000 ntdll!NtWaitForMultipleObjects

023EFFB4 7945B388 00000000 00000019 00000000 00000000 kernel32!WaitForMultipleObjects

023EFFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x3f4



eax=00000000 ebx=00000102 ecx=7cf52e10 edx=00000000 esi=78468398 edi=02e9ff74

eip=784683a3 esp=02e9ff60 ebp=02e9ff7c iopl=0 nv up ei pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000206





función: NtDelayExecution

78468398 b832000000 mov eax,0x32

7846839d 8d542404 lea edx,[esp+0x4] ss:03969e47=????????

784683a1 cd2e int 2e

784683a3 c20800 ret 0x8

784683a6 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

02E9FF7C 7947A25A 0000EA60 00000000 7CEB5D45 0000EA60 ntdll!NtDelayExecution

00007530 00000000 00000000 00000000 00000000 00000000 kernel32!Sleep



Muestra de estado para identificador de subproceso 0x538



eax=74f86311 ebx=01e18c60 ecx=00070748 edx=00000000 esi=74f9a3a0 edi=00000000

eip=78468af7 esp=02f2ff84 ebp=02f2ffb4 iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202





función: NtRemoveIoCompletion

78468aec b8a8000000 mov eax,0xa8

78468af1 8d542404 lea edx,[esp+0x4] ss:039f9e6b=????????

78468af5 cd2e int 2e

78468af7 c21400 ret 0x14

78468afa 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

02F2FFB4 7945B388 74F89048 78463148 FFFFFFFF 01E18C60 ntdll!NtRemoveIoCompletion

02F2FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x12c



eax=00000000 ebx=00013880 ecx=00167b10 edx=00000000 esi=00000000 edi=00000000

eip=78468af7 esp=0324ff24 ebp=0324ffb4 iopl=0 nv up ei ng nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286





función: NtRemoveIoCompletion

78468aec b8a8000000 mov eax,0xa8

78468af1 8d542404 lea edx,[esp+0x4] ss:03d19e0b=????????

78468af5 cd2e int 2e

78468af7 c21400 ret 0x14

78468afa 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

0324FFB4 7945B388 031FFEF4 00000002 00000001 031FFEF4 ntdll!NtRemoveIoCompletion

0324FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x234



eax=00000102 ebx=00007530 ecx=00000102 edx=00000000 esi=0007b208 edi=00007530

eip=78468af7 esp=0334febc ebp=0334fee4 iopl=0 nv up ei ng nz ac po cy

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000297





función: NtRemoveIoCompletion

78468aec b8a8000000 mov eax,0xa8

78468af1 8d542404 lea edx,[esp+0x4] ss:03e19da3=????????

78468af5 cd2e int 2e

78468af7 c21400 ret 0x14

78468afa 8bff mov edi,edi



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

0334FEE4 7713FA03 000000A0 0334FF1C 0334FF0C 0334FF14 ntdll!NtRemoveIoCompletion

0334FF20 7713F964 00007530 0334FF60 0334FF5C 0334FF70 rpcrt4!PerformRpcInitialization

0334FF74 77133DD7 7713E003 0007B208 782D7591 007DFCA4 rpcrt4!PerformRpcInitialization

0334FFA8 7713AF16 00167E70 0334FFEC 7945B388 00083330 rpcrt4!RpcBindingSetOption

0334FFB4 7945B388 00083330 782D7591 007DFCA4 00083330 rpcrt4!RpcMgmtSetCancelTimeout

0334FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!lstrcmpiW



Muestra de estado para identificador de subproceso 0x41c



eax=01ebbc68 ebx=00075eb8 ecx=0012c540 edx=00000000 esi=0338ff98 edi=77e41ebb

eip=77e41eb3 esp=0338fe60 ebp=0338fe78 iopl=0 nv up ei pl zr na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246





función: DispatchMessageW

77e41e99 e8349dffff call GetFocus+0x50 (77e3bbd2)

77e41e9e e93effffff jmp GetWindowLongW+0x681 (77e41de1)

77e41ea3 90 nop

77e41ea4 90 nop

77e41ea5 90 nop

77e41ea6 90 nop

77e41ea7 90 nop

77e41ea8 b89a110000 mov eax,0x119a

77e41ead 8d542404 lea edx,[esp+0x4] ss:03e59d47=????????

77e41eb1 cd2e int 2e

77e41eb3 c21000 ret 0x10

77e41eb6 90 nop

77e41eb7 90 nop

77e41eb8 90 nop

77e41eb9 90 nop

77e41eba 90 nop



*----> Seguimiento regresivo de pila <----*



FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función

0338FE78 010021C7 0338FF98 00000000 00000000 00000000 user32!DispatchMessageW

0338FFB4 7945B388 00075EB8 100170E4 10033638 00075EB8 winlogon!<nosymbols>

0338FFEC 00000000 010020F3 00075EB8 00000000 000A00D5 kernel32!lstrcmpiW



*----> Muestra de pilas sin procesar <----*

0338fe60 e4 1e e4 77 98 ff 38 03 - 00 00 00 00 00 00 00 00 ...w..8.........

0338fe70 00 00 00 00 00 00 00 00 - b4 ff 38 03 c7 21 00 01 ..........8..!..

0338fe80 98 ff 38 03 00 00 00 00 - 00 00 00 00 00 00 00 00 ..8.............

0338fe90 e4 70 01 10 38 36 03 10 - 00 00 00 00 00 00 00 00 .p..86..........

0338fea0 00 f0 fa 7f a8 c6 b5 81 - 01 77 d0 81 00 00 00 00 .........w......

0338feb0 bc fe 1f c0 00 00 00 00 - 56 06 00 00 e7 02 00 00 ........V.......

0338fec0 00 00 00 00 00 00 00 00 - 01 00 00 00 80 0c 1f b7 ................

0338fed0 ed cb 44 80 1c 00 30 c0 - 00 70 00 c0 00 00 00 00 ..D...0..p......

0338fee0 20 76 d0 81 00 00 00 00 - 00 00 00 00 00 f0 fa 7f v..............

0338fef0 ff ff c3 01 01 83 b6 81 - 00 00 00 00 20 c0 af 81 ............ ...

0338ff00 01 00 00 00 90 6a d7 81 - 60 bc d7 81 aa 4b 45 80 .....j..`....KE.

0338ff10 38 60 d5 e2 20 76 d0 81 - 00 00 00 82 00 00 00 02 8`.. v..........

0338ff20 60 0c 1f b7 40 f1 48 80 - 88 3d 0a 82 38 60 d5 e2 `...@.H..=..8`..

0338ff30 60 cd d6 81 c0 47 a9 81 - 00 00 00 00 50 49 a9 81 `....G......PI..

0338ff40 60 0c 1f b7 63 c3 42 80 - 6b c3 42 80 c0 47 a9 81 `...c.B.k.B..G..

0338ff50 20 49 a9 81 d4 4b 06 80 - a5 8d 46 80 6c 0c 1f b7 I...K....F.l...

0338ff60 00 00 00 00 20 c0 af 81 - 00 00 00 00 b0 0c 1f b7 .... ...........

0338ff70 00 00 00 00 50 49 a9 81 - 05 00 00 00 00 00 00 00 ....PI..........

0338ff80 00 00 00 00 00 00 00 00 - 51 f6 42 80 00 00 00 00 ........Q.B.....

0338ff90 00 00 00 00 fc f6 42 80 - 60 cd d6 81 c0 47 a9 81 ......B.`....G..

26th October 2005   #4
cpc2004
Join Date: Jul 2005
Location: HK
Posts: 367
Computer Experience: Experienced
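Dr. Watson thread dumps like the ones above are easier to triage once they are parsed: almost every thread in a winlogon dump is parked in a kernel wait service, and the thread worth reading first is the one that is not. The script below is an added example written for this page, not code from the original post or from Dr. Watson itself. It parses thread-state blocks in the (Spanish-localized) drwtsn32 layout shown above, records the routine each thread is sitting in and its backtrace, and labels a thread "blocked" when that routine is one of an assumed list of wait services and "active" otherwise. The sample log embedded in it is constructed from two of the blocks above; the header strings it accepts and the wait-service list are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two thread-state blocks in the layout drwtsn32
# writes, with the Spanish-localized headers of the log posted above.
# Register values, addresses and symbols are copied from that log.
SAMPLE_LOG = """\
Muestra de estado para identificador de subproceso 0x3c0
eip=78468f13 esp=0209ff64 ebp=0209ff88 iopl=0 nv up ei ng nz ac po cy
función: ZwWaitForSingleObject
78468f13 c20c00 ret 0xc
*----> Seguimiento regresivo de pila <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función
0209FF88 7945B3DB 00000634 0000EA60 00000000 770A2FCF ntdll!ZwWaitForSingleObject
004558DE 00000000 00000000 00000000 00000000 00000000 kernel32!WaitForSingleObject
Muestra de estado para identificador de subproceso 0x41c
eip=77e41eb3 esp=0338fe60 ebp=0338fe78 iopl=0 nv up ei pl zr na po nc
función: DispatchMessageW
77e41eb3 c21000 ret 0x10
*----> Seguimiento regresivo de pila <----*
FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Nombre función
0338FE78 010021C7 0338FF98 00000000 00000000 00000000 user32!DispatchMessageW
0338FFB4 7945B388 00075EB8 100170E4 10033638 00075EB8 winlogon!<nosymbols>
0338FFEC 00000000 010020F3 00075EB8 00000000 000A00D5 kernel32!lstrcmpiW
*----> Muestra de pilas sin procesar <----*
0338fe60 e4 1e e4 77 98 ff 38 03 - 00 00 00 00 00 00 00 00 ...w..8.........
"""

# Header strings are assumed from the Spanish log above plus the English form.
THREAD_HDR = re.compile(
    r"^(?:Muestra de estado para identificador de subproceso|State Dump for Thread Id)\s+(0x[0-9a-fA-F]+)")
FUNC_LINE = re.compile(r"^(?:función|function):\s+(\S+)")
EIP = re.compile(r"\beip=([0-9a-fA-F]{8})")
FRAME = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(?:[0-9A-Fa-f]{8}\s+){4}(\S+)$")
BACKTRACE_MARKS = ("Seguimiento regresivo de pila", "Stack Back Trace")
RAWSTACK_MARKS = ("Muestra de pilas sin procesar", "Raw Stack Dump")

# Assumed list of kernel services an idle thread parks in. A thread whose
# current routine is one of these is waiting, not running code of its own.
WAIT_SERVICES = {
    "NtWaitForSingleObject", "ZwWaitForSingleObject",
    "NtWaitForMultipleObjects", "ZwWaitForMultipleObjects",
    "NtDelayExecution", "ZwDelayExecution",
    "NtRemoveIoCompletion", "ZwRemoveIoCompletion",
}

@dataclass
class Frame:
    frame_ptr: str
    return_addr: str
    symbol: str  # "module!routine", e.g. "ntdll!ZwWaitForSingleObject"

    @property
    def module(self) -> str:
        return self.symbol.split("!", 1)[0]

@dataclass
class ThreadState:
    tid: str
    eip: str = ""
    function: str = ""  # routine named on the "función:" line
    frames: list = field(default_factory=list)

def parse_drwatson(text: str) -> list:
    """Split a drwtsn32 log into per-thread states with their backtraces."""
    threads, current, in_backtrace = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = THREAD_HDR.match(line)
        if m:
            current = ThreadState(tid=m.group(1).lower())
            threads.append(current)
            in_backtrace = False
            continue
        if current is None:
            continue
        if any(mark in line for mark in BACKTRACE_MARKS):
            in_backtrace = True
        elif any(mark in line for mark in RAWSTACK_MARKS):
            in_backtrace = False  # raw stack bytes follow; stop collecting frames
        elif EIP.search(line):
            current.eip = EIP.search(line).group(1).lower()
        elif FUNC_LINE.match(line):
            current.function = FUNC_LINE.match(line).group(1)
        elif in_backtrace and FRAME.match(line):
            fp, ret, sym = FRAME.match(line).groups()
            current.frames.append(Frame(fp.upper(), ret.upper(), sym))
    return threads

def classify(thread: ThreadState) -> str:
    """'blocked' when parked in a wait service, otherwise 'active'."""
    return "blocked" if thread.function in WAIT_SERVICES else "active"

def active_threads(text: str) -> list:
    """Thread ids to inspect first: the ones not sitting in a wait."""
    return [t.tid for t in parse_drwatson(text) if classify(t) == "active"]

if __name__ == "__main__":
    for t in parse_drwatson(SAMPLE_LOG):
        print(f"thread {t.tid}: eip={t.eip} in {t.function} -> {classify(t)}")
        for f in t.frames:
            print(f"    {f.frame_ptr} {f.return_addr} {f.symbol}")
```

Run against a full drwtsn32.log, the active list is usually short: the thread that raised the exception plus any thread currently dispatching a window message. Frames reported as `<nosymbols>` (here `winlogon!<nosymbols>`) mean Dr. Watson had no symbols for that module, so the module name is the only clue to whose code is on the stack; checking the backtrace of the faulting thread for the GINA DLL's module name is the quickest way to tell whether the crash happens inside the custom code or while a system component is using heap memory that custom code could have corrupted.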


Hi,

It crashes at routine RtlAllocateHeap. Probably it is faulty RAM. Run memtest to stress test the RAM.

cpc2004
