Explorer Crash on RMB

Joe

Unable to produce a full report as the path (New step5) are not compatable, as I do not have a C:\winnt directory, is there an easy way to produce an error report?

Paul

 

Paul - try putting in Windows every place the script has Winnt.

 

Tried that but C:\windows\minidump - does not have the file mini071304-04.dmp so it fails?????

Paul

 

Feel free to show some initiative in interpeting that command line.

kd
-y SRV*c:\symbols*http://msdl.microsoft.com/download/symbols static, leave this alone
-i c:\winnt;c:\winnt\system32;c:\winnt\system32\drivers This is the path to your %systemroot%, the directory you have windows installed in and a few subdirectories.
-z c:\winnt\minidump\Mini071304-04.dmp This is your dump file. I dont know where you put it or what its named, but it probably looks similar to the above.

 

Joe

Hopefully this what you require:

http://myweb.tiscali.co.uk/paulbristow/debug.htm

Could not paste directly into forum as warned to many characters for a post

Paul

 

Ok. i know it was a lot of effort, once more round and we are done. Now we know whats happening on your machine. A DLL has loaded itself, registered itself as a shell extension, then unloaded without removing itself from the list of things to be called when someone right clicks.

The next step is to determine who it is that loads within the range of 01a12eec. In order to do this, we need to cause some drama on your machine. We are going to attach a debugger to the explorer process from initialization, and then see if we can catch it loading and unloading.

Here is the proceedure. Open a command prompt, and do steps 1,2 and 3 of the dump analysis. Then, open task manager, go to the Processes Tab, and End Process on explorer. This will nuke your shell, and it should not auto-restart.

type this:

Code:

cdb -logo c:\debug2.txt -c  "sxn ld;sxn ud;g" explorer

It will run some spew, let it settle down (10-15 seconds), then reproduce the crash with right clicking. It will drop back to a 0:012> looking prompt. Type

Code:

[B].logclose;q[/B]  

and your done. Post up the debug2.txt log file, and we will know who's dll is misbehaving.





Some interesting reading for those of you following along..
http://www.codeproject.com/shell/shellextguide7.asp?tid=129584&forumid=1226&select=129584

Code:

eax=0331b1c8 ebx=00000003 ecx=01a12eec edx=00000003 esi=00000000 edi=01b2c930
eip=77416983 esp=0093edf8 ebp=0093ee14 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
shell32!HDXA_GetCommandString+0x6e:
77416983 8b11             mov     edx,[ecx]         ds:0023:[B][U]01a12eec[/U][/B]=????????
ChildEBP RetAddr  Args to Child
0093ee14 77416931 00000000 00000005 00000004 shell32!HDXA_GetCommandString+0x6e(FPO: [Non-Fpo])
0093ee40 77416733 01bce298 0000002b 00000004 shell32!CDefFolderMenu::GetCommandString+0x133 (FPO: [Non-Fpo])
0093ee98 77416867 020900e1 0000000a 0000003e shell32!CDefFolderMenu::_GetMenuVerb+0x6b (FPO: [Non-Fpo])
0093efcc 77415e7d 00000001 0000000a 0000003e shell32!CDefFolderMenu::_UnduplicateVerbs+0x75 (FPO: [3,66,3])
0093f038 7177d1ae 00000000 020900e1 01bb23a8 shell32!CDefFolderMenu::QueryContextMenu+0x3c7 (FPO: [Non-Fpo])
0093f094 7177e9ea 01bce298 01b2fba8 000d2d6c SHDOCVW!CNscTree::_CreateContextMenu+0x3b (FPO: [Non-Fpo])
0093f0d8 71743d87 0138012c 00000138 00165ea8 SHDOCVW!CNscTree::_OnContextMenu+0x148 (FPO: [Non-Fpo])

 

Joe

Results of debug2.txt:

http://myweb.tiscali.co.uk/paulbristow/debug.htm

Paul

 

Bah! another dll threw an exception and messed up our debug. We will have to bypass that activty.Once more into the breech my friend!

Code:

Folder createdModLoad: 01570000 015e2000   C:\WINDOWS\System32\cfssvradmin.dll
[U][B](f1c.f64): Invalid handle - code c0000008 (first chance)[/B][/U]
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c0000008 ebx=00000000 ecx=014ecb90 edx=77f75df8 esi=014ecbb4 edi=00020019
eip=77f75e2f esp=014ecb3c ebp=014ecb8c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
ntdll!KiRaiseUserExceptionDispatcher+0x37:
77f75e2f 8b0424           mov     eax,[esp]         ss:0023:014ecb3c=c0000008
0:010> 

See the bolded line.. This will say (blah.blah) Access Violation - code c0000005 (second chance) when its about to crash. If it drops to a prompt before it says that just hit G and press enter.

Since we know its going to throw this one, change your command line to be the following, that should bypass the invalid handle exception.

Code:

cdb -logo c:\debug2.txt -c  "sxn ld;sxn ud;sxd ch;g" explorer

Boy isnt this fun! We're gonna have to write a nasty letter to the guy who wrote the bad software

 

Joe

Results of debug3.txt:

http://myweb.tiscali.co.uk/paulbristow/debug.htm

Hope we are getting close my head is hurting I will think I will stick to web development work.

Paul

 

ModLoad:02bd0000 02bec000 C:\PROGRA~1\Webroot\SPYSWE~1\Language.dll

You need to remove the following shell extension which is a naughty little program.

"Webroot Spy Sweeper Context Menu Integration" C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
Based on some googling, it will probably be under CLSID: {7C9D5882-CB4A-4090-96C8-430BFE8B795B}

Check out the following web pages for how to yank out that shell extension without disturbing the rest of your Spy Sweeper install..
(manual method) http://www.mvps.org/sramesh2k/slowrightclick.htm
(a nice gui) http://www.snapfiles.com/get/shellexview.html

Ultimatly, you could contact the vendor and complain.. You have some nice dumps to show them Sorry it was such a pain to isolate this one..

IN_a_Rut: you should see if you have the same software, and follow the same process for removal as above if you do..

 

aaah indeed i do have the same software...i will have to try all of this

 

well that seemed to fix my problem. deleted the extension using http://www.snapfiles.com/get/shellexview.html
then everything went back to normal, even after rebooting =). thank you!

 

Joe

Thanks for your patience and time on this one all is back to normal, I managed to remove the dll from loading by going into the program and unticking the "Add Sweep for Spyware to Windows Explorer Context Menu" although I have downloaded the "shellexview" program which may come in handy if I ever need to do this again.

I have also removed Ad-Aware6 by the same method (but I hasten to say this program DID not cause any problems) as I never use them this way I always launch the program. My rule is now not to have have programs from the context menu (Panic Mode)........

Thanks again
Paul

 

great, glad to hear it from both of you guys. A nasty problem to diagnose.

 

I had exactly the same symptoms.

I do have SpySweeper installed, but I went through all the debugging steps as well, just in case some other context menu item was causing the trouble.

Nope, it was SpySweeper. But, the analysis method is awesome. Well done, and thank you very much for such comprehensive and accurate info. Outstanding advice! I am quite impressed. I have heard of others with similar symptoms, I'll direct them here post haste.

Thank you again.