Windows "Explorer" randomly crashes

Big Dawg

My computer's Windows "Explorer" started randomly crashing about a month ago. It doesn't seem to happen more than 1 or 2 times a week. The computer doesn't "Blue Screen" but Explorer stops working. When it does you must restart "Explorer" to get computer functions back.
I saved one of the mini dumps as well as ran an !analyze -v log on the latest crash dump.
By the way this crash dump file is saved in C:\user\my computer\appdata\local\crashdumps
Anyone know where I can get these dump files looked at to see what is causing this issue?
Windows 7 Ultimate 64bit.
Thanks for the help.
BD
 
jcgriff2:
Thanks for the reply but are you saying that getting the crash dump file read wouldn't give me a more direct clue as to what's causing the random Explorer crash?
 
Hi. . .

There is no crash dump from Windows Explorer -- at least not a kernel, post-mortem dump. There may be a user-mode dump lying around, but they all give the same answer - that a "break" occurred - and are of little/no use to us.

Have you received a BSOD as the result of an Explorer crash?

If so, by all means run - https://www.sysnative.com/forums/bs...ng-instructions-windows-10-8-1-8-7-vista.html

Explorer crashes are almost always the result of a bad shell extension. That's what the Nirsoft software can help identify. System Restore would be even better because the bad shell generally comes from an installed app.

Regards. . .

John

EDIT: Another cause of Explorer crashes can be Internet Security Suites like Norton, McAfee, KIS, etc...

Also, just for info - the Explorer crashes you are describing have the following traits (??) - blue circle spinning; white background fades; "Not Responding" message appears on the screen; Explorer restarts itself. Is this generally true?
 
John:
When Explorer crashes, it does leave a dmp file (C:\user\my computer\appdata\local\crashdumps\explorer.exe.#####.dmp {where # is a set of numbers}). I can open it in the Windows Debugging tool for Windows 64bit.
I just don't know how to read and interpret it.
When Explorer crashes there is no BSOD. The only thing that happens is a message pops up saying something about Explorer has crashed with options to check online for solutions or restart Explorer. The computer is not usable until I click restart Explorer, in the same way as if you were to go into Task Manager and kill Explorer and then reload it. The screen that you are on, when the crash occurs, is still there as are most of the system tray icons, and they quickly become usable again once Explorer is restarted.

In addition the Event log will show, after each crash, the following:
Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: msutb.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdfba
Exception code: 0xc0000005
Fault offset: 0x0000000000008067
Faulting process id: 0x5cc
Faulting application start time: 0x01d14c70d2ff657a
Faulting application path: C:\Windows\Explorer.EXE
Faulting module path: C:\Windows\system32\msutb.dll
Report Id: 165047dd-b8da-11e5-89dc-f46d04484749

Note: the faulting module stated isn't always the same, so I'm not sure it really is the module causing the problem.

As far as the Nirsoft software...I installed both the Shellmenu and the Shellview but have no understanding how these two programs can help tell me which shell is the offending party. All they do is show me lists. I don't see anything that would indicate the offending party. If uploading the dmp file is not going to help, then how do I use these programs to pinpoint the offender?
BD
 
Hi BD. . .

If you wish to upload the dump (be sure to zip it), I'll be glad to take a look at it, but fear it is a user-mode dump and will contain information like:
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(115cd0.115f20): Access violation - code c0000005

In fact, the info you provided from your last post does contain a 0xc5 exception code (which translates to "memory access violation") -
Code:
Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
 Faulting module name: msutb.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdfba
 Exception code: 0xc0000005
The faulting module named - msutb.dll has a version number of 6.1.7600 on it, which tells us that it is a Windows 7 Microsoft driver. The chances that something is wrong with this module are next to zero.

You can also look in "WER" - Windows Error Reporting for crash info, located -
- C:\Users\<username>\AppData\Local\Microsoft\Windows\WER\ReportArchive
- C:\ProgramData\Microsoft\Windows\WER\ReportArchive

Look for folders that contain the word "Explorer"; then files named "Report.wer"

Here is a "Report.wer" for an Explorer crash on my system -
Code:
Version=1
EventType=APPCRASH
EventTime=130556688343609523
ReportType=2
Consent=1
UploadTime=130826993058447713
ReportFlags=524288
ReportIdentifier=05238ec1-4091-11e4-8272-a01d48c2bd4c
IntegratorReportIdentifier=05238ec0-4091-11e4-8272-a01d48c2bd4c
NsAppName=Explorer.EXE
Response.BucketId=1bd5447ef5b399740a9f41edaf77f212
Response.BucketTable=4
Response.LegacyBucketId=85956908666
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=Explorer.EXE
Sig[1].Name=Application Version
Sig[1].Value=6.3.9600.17284
Sig[2].Name=Application Timestamp
Sig[2].Value=53f816dc
Sig[3].Name=Fault Module Name
Sig[3].Value=SHELL32.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.3.9600.17238
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=53d0c68a
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000070dc5
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.3.9600.2.0.0.768.101
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=3e17
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=3e179755734daace86fa3c8a1f47dbd1
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=43db
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=43dbcfdf8ba64123edc76bb3d6888be7
UI[2]=C:\Windows\Explorer.EXE
LoadedModule[0]=C:\Windows\Explorer.EXE
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\system32\KERNEL32.DLL
LoadedModule[3]=C:\Windows\system32\KERNELBASE.dll
LoadedModule[4]=C:\Windows\system32\apphelp.dll
LoadedModule[5]=C:\Windows\system32\msvcrt.dll
LoadedModule[6]=C:\Windows\system32\OLEAUT32.dll
LoadedModule[7]=C:\Windows\SYSTEM32\combase.dll
LoadedModule[8]=C:\Windows\SYSTEM32\powrprof.dll
LoadedModule[9]=C:\Windows\SYSTEM32\advapi32.dll
LoadedModule[10]=C:\Windows\system32\USER32.dll
LoadedModule[11]=C:\Windows\system32\GDI32.dll
LoadedModule[12]=C:\Windows\SYSTEM32\SHCORE.dll
LoadedModule[13]=C:\Windows\system32\SHLWAPI.dll
LoadedModule[14]=C:\Windows\system32\SHELL32.dll
LoadedModule[15]=C:\Windows\SYSTEM32\UxTheme.dll
LoadedModule[16]=C:\Windows\SYSTEM32\dwmapi.dll
LoadedModule[17]=C:\Windows\SYSTEM32\TWINAPI.dll
LoadedModule[18]=C:\Windows\SYSTEM32\d3d11.dll
LoadedModule[19]=C:\Windows\SYSTEM32\dcomp.dll
LoadedModule[20]=C:\Windows\SYSTEM32\SspiCli.dll
LoadedModule[21]=C:\Windows\SYSTEM32\sechost.dll
LoadedModule[22]=C:\Windows\SYSTEM32\USERENV.dll
LoadedModule[23]=C:\Windows\SYSTEM32\PROPSYS.dll
LoadedModule[24]=C:\Windows\system32\RPCRT4.dll
LoadedModule[25]=C:\Windows\SYSTEM32\SLC.dll
LoadedModule[26]=C:\Windows\SYSTEM32\profapi.dll
LoadedModule[27]=C:\Windows\SYSTEM32\dxgi.dll
LoadedModule[28]=C:\Windows\SYSTEM32\sppc.dll
LoadedModule[29]=C:\Windows\system32\IMM32.DLL
LoadedModule[30]=C:\Windows\system32\MSCTF.dll
LoadedModule[31]=C:\Windows\SYSTEM32\kernel.appcore.dll
LoadedModule[32]=C:\Windows\SYSTEM32\CRYPTBASE.dll
LoadedModule[33]=C:\Windows\SYSTEM32\bcryptPrimitives.dll
LoadedModule[34]=C:\Windows\system32\ole32.dll
LoadedModule[35]=C:\Windows\SYSTEM32\clbcatq.dll
LoadedModule[36]=C:\Windows\SYSTEM32\WINSTA.dll
LoadedModule[37]=C:\Windows\SYSTEM32\Bcp47Langs.dll
LoadedModule[38]=C:\Windows\System32\IDStore.dll
LoadedModule[39]=C:\Windows\System32\SAMLIB.dll
LoadedModule[40]=C:\Windows\SYSTEM32\SETTINGSYNCPOLICY.dll
LoadedModule[41]=C:\Windows\SYSTEM32\DUI70.dll
LoadedModule[42]=C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1\Comctl32.dll
LoadedModule[43]=C:\Windows\SYSTEM32\DUser.dll
LoadedModule[44]=C:\Windows\SYSTEM32\SndVolSSO.DLL
LoadedModule[45]=C:\Windows\SYSTEM32\HID.DLL
LoadedModule[46]=C:\Windows\System32\MMDevApi.dll
LoadedModule[47]=C:\Windows\System32\DEVOBJ.dll
LoadedModule[48]=C:\Windows\SYSTEM32\cfgmgr32.dll
LoadedModule[49]=C:\Windows\SYSTEM32\OLEACC.dll
LoadedModule[50]=C:\Windows\SYSTEM32\D3D10Warp.dll
LoadedModule[51]=C:\Windows\system32\twinui.dll
LoadedModule[52]=C:\Windows\SYSTEM32\twinapi.appcore.dll
LoadedModule[53]=C:\Windows\system32\XmlLite.dll
LoadedModule[54]=C:\Windows\system32\Windows.UI.Immersive.dll
LoadedModule[55]=C:\Windows\SYSTEM32\ntmarta.dll
LoadedModule[56]=C:\Windows\SYSTEM32\CRYPTSP.dll
LoadedModule[57]=C:\Windows\system32\rsaenh.dll
LoadedModule[58]=C:\Windows\SYSTEM32\bcrypt.dll
LoadedModule[59]=C:\Windows\System32\actxprxy.dll
LoadedModule[60]=C:\Windows\system32\windowscodecs.dll
LoadedModule[61]=C:\Windows\system32\explorerframe.dll
LoadedModule[62]=C:\Windows\SYSTEM32\tabbtn.dll
LoadedModule[63]=C:\Windows\System32\TabBtnEx.dll
LoadedModule[64]=C:\Windows\System32\windows.immersiveshell.serviceprovider.dll
LoadedModule[65]=C:\Program Files\Common Files\microsoft shared\ink\TipBand.dll
LoadedModule[66]=C:\Windows\SYSTEM32\WLDP.DLL
LoadedModule[67]=C:\Windows\SYSTEM32\WTSAPI32.dll
LoadedModule[68]=C:\Windows\System32\twinui.appcore.dll
LoadedModule[69]=C:\Windows\System32\wpncore.dll
LoadedModule[70]=C:\Windows\system32\dwrite.dll
LoadedModule[71]=C:\Windows\System32\UIAnimation.dll
LoadedModule[72]=C:\Windows\SYSTEM32\igd10iumd64.dll
LoadedModule[73]=C:\Windows\SYSTEM32\ncrypt.dll
LoadedModule[74]=C:\Windows\SYSTEM32\NTASN1.dll
LoadedModule[75]=C:\Windows\SYSTEM32\igdusc64.dll
LoadedModule[76]=C:\Windows\System32\wlidprov.dll
LoadedModule[77]=C:\Windows\System32\thumbcache.dll
LoadedModule[78]=C:\Windows\System32\Windows.Networking.Connectivity.dll
LoadedModule[79]=C:\Windows\System32\InputSwitch.dll
LoadedModule[80]=C:\Windows\system32\stobject.dll
LoadedModule[81]=C:\Windows\system32\BatMeter.dll
LoadedModule[82]=C:\Windows\SYSTEM32\sxs.dll
LoadedModule[83]=C:\Windows\system32\SETUPAPI.dll
LoadedModule[84]=C:\Windows\system32\WINTRUST.dll
LoadedModule[85]=C:\Windows\system32\CRYPT32.dll
LoadedModule[86]=C:\Windows\system32\MSASN1.dll
LoadedModule[87]=C:\Windows\System32\WININET.dll
LoadedModule[88]=C:\Windows\System32\iertutil.dll
LoadedModule[89]=C:\Windows\SYSTEM32\Secur32.dll
LoadedModule[90]=C:\Windows\system32\es.dll
LoadedModule[91]=C:\Windows\system32\prnfldr.dll
LoadedModule[92]=C:\Windows\system32\WINSPOOL.DRV
LoadedModule[93]=C:\Windows\system32\wevtapi.dll
LoadedModule[94]=C:\Windows\system32\dxp.dll
LoadedModule[95]=C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.9600.17227_none_932c0e57474f5080\gdiplus.dll
LoadedModule[96]=C:\Windows\system32\SHDOCVW.dll
LoadedModule[97]=C:\Windows\System32\Actioncenter.dll
LoadedModule[98]=C:\Windows\SYSTEM32\ntshrui.dll
LoadedModule[99]=C:\Windows\SYSTEM32\srvcli.dll
LoadedModule[100]=C:\Windows\system32\Syncreg.dll
LoadedModule[101]=C:\Windows\SYSTEM32\cscapi.dll
LoadedModule[102]=C:\Windows\SYSTEM32\netutils.dll
LoadedModule[103]=C:\Windows\SYSTEM32\LINKINFO.dll
LoadedModule[104]=C:\Windows\System32\npmproxy.dll
LoadedModule[105]=C:\Windows\System32\IPHLPAPI.DLL
LoadedModule[106]=C:\Windows\system32\NSI.dll
LoadedModule[107]=C:\Windows\System32\WINNSI.DLL
LoadedModule[108]=C:\Windows\system32\IconCodecService.dll
LoadedModule[109]=C:\Windows\SYSTEM32\wlanapi.dll
LoadedModule[110]=C:\Windows\System32\WinTypes.dll
LoadedModule[111]=C:\Windows\System32\wcmapi.dll
LoadedModule[112]=C:\Windows\system32\wpdshserviceobj.dll
LoadedModule[113]=C:\Windows\System32\PortableDeviceTypes.dll
LoadedModule[114]=C:\Windows\System32\PortableDeviceApi.dll
LoadedModule[115]=C:\Windows\system32\SettingMonitor.dll
LoadedModule[116]=C:\Program Files\Windows Portable Devices\SqmApi.dll
LoadedModule[117]=C:\Windows\System32\srchadmin.dll
LoadedModule[118]=C:\Windows\system32\mssprxy.dll
LoadedModule[119]=C:\Windows\System32\SyncCenter.dll
LoadedModule[120]=C:\Windows\System32\imapi2.dll
LoadedModule[121]=C:\Windows\System32\ieframe.dll
LoadedModule[122]=C:\Windows\SYSTEM32\AUDIOSES.DLL
LoadedModule[123]=C:\Windows\system32\authui.dll
LoadedModule[124]=C:\Windows\SYSTEM32\urlmon.dll
LoadedModule[125]=C:\Windows\System32\AltTab.dll
LoadedModule[126]=C:\Windows\system32\Windows.UI.Search.dll
LoadedModule[127]=C:\Windows\system32\wincorlib.DLL
LoadedModule[128]=C:\Windows\system32\WSClient.dll
LoadedModule[129]=C:\Windows\system32\UIAutomationCore.DLL
LoadedModule[130]=C:\Windows\system32\WSShared.dll
LoadedModule[131]=C:\Windows\system32\WSSync.dll
LoadedModule[132]=C:\Windows\system32\wer.dll
LoadedModule[133]=C:\Windows\system32\elscore.dll
LoadedModule[134]=C:\Windows\system32\NetworkExplorer.dll
LoadedModule[135]=C:\Windows\System32\pnidui.dll
LoadedModule[136]=C:\Windows\system32\NetworkStatus.dll
LoadedModule[137]=C:\Windows\System32\MrmCoreR.dll
LoadedModule[138]=C:\Windows\System32\Windows.UI.dll
LoadedModule[139]=C:\Windows\System32\NInput.dll
LoadedModule[140]=C:\Windows\System32\netprofm.dll
LoadedModule[141]=C:\Windows\system32\WS2_32.dll
LoadedModule[142]=C:\Program Files\a3b4\utils\salextx64.dll
LoadedModule[143]=C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
LoadedModule[144]=C:\Windows\System32\Windows.UI.Xaml.dll
LoadedModule[145]=C:\Windows\SYSTEM32\winhttp.dll
LoadedModule[146]=C:\Program Files\a3\utils\salextx64.dll
LoadedModule[147]=C:\Windows\system32\mswsock.dll
LoadedModule[148]=C:\Program Files\a3.2\utils\salextx64.dll
LoadedModule[149]=C:\Windows\SYSTEM32\DNSAPI.dll
LoadedModule[150]=C:\Windows\System32\rasadhlp.dll
LoadedModule[151]=C:\Windows\System32\bthprops.cpl
LoadedModule[152]=C:\Windows\System32\BluetoothApis.dll
LoadedModule[153]=C:\Windows\system32\searchfolder.dll
LoadedModule[154]=C:\Windows\SYSTEM32\d2d1.dll
LoadedModule[155]=C:\Windows\System32\StructuredQuery.dll
LoadedModule[156]=C:\Windows\System32\dhcpcsvc6.DLL
LoadedModule[157]=C:\Windows\System32\dhcpcsvc.DLL
LoadedModule[158]=C:\Windows\System32\msxml6.dll
LoadedModule[159]=C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
LoadedModule[160]=C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\MSVCR100.dll
LoadedModule[161]=C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\MSVCP100.dll
LoadedModule[162]=C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\ATL100.DLL
LoadedModule[163]=C:\Windows\System32\fwpuclnt.dll
LoadedModule[164]=C:\Windows\SYSTEM32\msi.dll
LoadedModule[165]=C:\Windows\SYSTEM32\MLANG.dll
LoadedModule[166]=C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
LoadedModule[167]=C:\Windows\System32\EhStorShell.dll
LoadedModule[168]=C:\Windows\SYSTEM32\MsftEdit.dll
LoadedModule[169]=C:\Windows\SYSTEM32\MSIMG32.dll
LoadedModule[170]=C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
LoadedModule[171]=C:\Windows\System32\shacct.dll
LoadedModule[172]=C:\Windows\System32\samcli.dll
LoadedModule[173]=C:\Windows\system32\wkscli.dll
LoadedModule[174]=C:\Windows\System32\hgcpl.dll
LoadedModule[175]=C:\Windows\System32\provsvc.dll
LoadedModule[176]=C:\Windows\SYSTEM32\apprepapi.dll
LoadedModule[177]=C:\Windows\SYSTEM32\tbs.dll
LoadedModule[178]=C:\Windows\SYSTEM32\pcacli.dll
LoadedModule[179]=C:\Windows\SYSTEM32\MPR.dll
LoadedModule[180]=C:\Windows\System32\sfc_os.dll
LoadedModule[181]=C:\Program Files\Internet Explorer\ieproxy.dll
LoadedModule[182]=C:\Windows\SYSTEM32\msiltcfg.dll
LoadedModule[183]=C:\Windows\SYSTEM32\VERSION.dll
LoadedModule[184]=C:\Windows\system32\DEVRTL.dll
LoadedModule[185]=C:\Windows\SYSTEM32\WINMM.dll
LoadedModule[186]=C:\Windows\SYSTEM32\WINMMBASE.dll
LoadedModule[187]=C:\Windows\SYSTEM32\wdmaud.drv
LoadedModule[188]=C:\Windows\SYSTEM32\ksuser.dll
LoadedModule[189]=C:\Windows\SYSTEM32\AVRT.dll
LoadedModule[190]=C:\Windows\SYSTEM32\msacm32.drv
LoadedModule[191]=C:\Windows\SYSTEM32\MSACM32.dll
LoadedModule[192]=C:\Program Files (x86)\TechSmith\Snagit 12\SnagItShellExtRes.dll
LoadedModule[193]=C:\Windows\System32\wscinterop.dll
LoadedModule[194]=C:\Windows\System32\WSCAPI.dll
LoadedModule[195]=C:\Windows\System32\wscui.cpl
LoadedModule[196]=C:\Windows\System32\werconcpl.dll
LoadedModule[197]=C:\Windows\System32\framedynos.dll
LoadedModule[198]=C:\Windows\System32\wercplsupport.dll
LoadedModule[199]=C:\Windows\System32\hcproviders.dll
LoadedModule[200]=C:\Windows\System32\van.dll
LoadedModule[201]=C:\Windows\system32\wshbth.dll
LoadedModule[202]=C:\Windows\SYSTEM32\datusage.dll
LoadedModule[203]=C:\Windows\SYSTEM32\SrumAPI.dll
LoadedModule[204]=C:\Windows\system32\windows.globalization.fontgroups.dll
LoadedModule[205]=C:\Windows\System32\Windows.Web.dll
LoadedModule[206]=C:\Windows\System32\wpc.dll
LoadedModule[207]=C:\Windows\System32\NETAPI32.dll
LoadedModule[208]=C:\Windows\system32\Normaliz.dll
LoadedModule[209]=C:\Windows\System32\Windows.Devices.Geolocation.dll
LoadedModule[210]=C:\Windows\System32\MSWB7.dll
LoadedModule[211]=C:\Windows\System32\threadpoolwinrt.dll
LoadedModule[212]=C:\Windows\system32\ElsLad.dll
LoadedModule[213]=C:\Windows\SYSTEM32\PhotoMetadataHandler.dll
LoadedModule[214]=C:\Windows\system32\timedate.cpl
LoadedModule[215]=C:\Windows\system32\ATL.DLL
LoadedModule[216]=C:\Windows\System32\qmgrprxy.dll
LoadedModule[217]=C:\Windows\System32\WorkfoldersShell.dll
LoadedModule[218]=C:\Windows\SYSTEM32\UIRibbonRes.dll
LoadedModule[219]=C:\Windows\System32\SkydriveShell.dll
LoadedModule[220]=C:\Windows\System32\dlnashext.dll
LoadedModule[221]=C:\Windows\System32\DevDispItemProvider.dll
LoadedModule[222]=C:\Windows\system32\imagehlp.dll
LoadedModule[223]=C:\Windows\System32\comsvcs.dll
LoadedModule[224]=C:\Windows\SYSTEM32\VirtDisk.dll
LoadedModule[225]=C:\Windows\SYSTEM32\FLTLIB.DLL
LoadedModule[226]=C:\Windows\SYSTEM32\netjoin.dll
LoadedModule[227]=C:\Windows\system32\igfxrENU.lrc
LoadedModule[228]=C:\Windows\system32\windowscodecsext.dll
LoadedModule[229]=C:\Windows\SYSTEM32\mscms.dll
LoadedModule[230]=C:\Windows\System32\msxml3.dll
LoadedModule[231]=C:\Program Files (x86)\CyberLink\YouCam\CLCredProv\x64\CLCredProv.dll
LoadedModule[232]=C:\Windows\system32\themeui.dll
LoadedModule[233]=C:\Windows\SYSTEM32\webservices.dll
LoadedModule[234]=C:\Windows\system32\DeviceCenter.dll
LoadedModule[235]=C:\Windows\SYSTEM32\printui.dll
LoadedModule[236]=C:\Windows\SYSTEM32\puiapi.dll
LoadedModule[237]=C:\Windows\System32\nlaapi.dll
LoadedModule[238]=C:\Windows\system32\zipfldr.dll
LoadedModule[239]=C:\Windows\system32\UIRibbon.dll
LoadedModule[240]=C:\Windows\system32\wpdshext.dll
LoadedModule[241]=C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
LoadedModule[242]=C:\Windows\system32\syncui.dll
LoadedModule[243]=C:\Windows\system32\SYNCENG.dll
LoadedModule[244]=C:\Windows\system32\twext.dll
LoadedModule[245]=C:\Program Files (x86)\TechSmith\Snagit 12\DLLx64\SnagitShellExt64.dll
LoadedModule[246]=C:\Windows\system32\COMDLG32.dll
LoadedModule[247]=C:\Program Files\7-Zip\7-zip.dll
LoadedModule[248]=C:\Windows\SYSTEM32\CHARTV.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Windows Explorer
AppPath=C:\Windows\Explorer.EXE
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=346CB44573137696C511B752A176C0D0

Again, it being a user-mode crash v. kernel-mode (post-mortem), there is little that I can do with it.

As for the Nirsoft apps - shexview.exe - ShellExView - go down the list and start disabling non-Microsoft shells. You can tell which are Microsoft by the version number - 6.1.7600 or 6.1.7601. It is likely that a 3rd party shell is at the root of your problem.

Any luck with System Restore? Do you have restore points that are ~1 month old to bring the system back to a point prior to the start of the Explorer crashes?

Regards. . .

John

EDIT: I would also recommend that you run sfc /scannow - type or paste it into an Admin CMD screen.
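
An added example (not part of the original posts, and not the forum's own tooling): a small Python parser for the `Report.wer` layout quoted above that pulls the fault signature and lists loaded modules living outside the Windows directory, the usual starting set when hunting a third-party shell extension. The sample report is constructed (fault values taken from the post, Program Files paths partly invented), and the UTF-16 handling in `decode_wer` is an assumption about how the file is stored on disk.

```python
import ntpath
import re

# Constructed sample in the Report.wer layout quoted in the post above.
# Signature values are taken from that post; the ExampleVendor paths are invented.
SAMPLE_WER = r"""Version=1
EventType=APPCRASH
NsAppName=Explorer.EXE
Sig[3].Name=Fault Module Name
Sig[3].Value=SHELL32.dll
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000070dc5
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.3.9600.2.0.0.768.101
LoadedModule[0]=C:\Windows\Explorer.EXE
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\WinSxS\amd64_example\Comctl32.dll
LoadedModule[3]=C:\Program Files\ExampleVendor\ExampleShellExt64.dll
LoadedModule[4]=C:\Program Files (x86)\ExampleVendor\ExampleRes.dll
LoadedModule[5]=C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
AppPath=C:\Windows\Explorer.EXE
"""

SIG_RE = re.compile(r"^(Sig|DynamicSig)\[(\d+)\]\.(Name|Value)$")
MODULE_RE = re.compile(r"^LoadedModule\[(\d+)\]$")


def decode_wer(raw):
    """Decode the bytes of a Report.wer file.

    Assumption: the file is UTF-16 with a byte-order mark; otherwise try UTF-8.
    """
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_wer(text):
    """Split key=value lines into plain fields, the signature, and the module list."""
    fields, names, values, modules = {}, {}, {}, {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        key, value = key.strip(), value.strip()
        sig = SIG_RE.match(key)
        mod = MODULE_RE.match(key)
        if sig:
            # Sig[n] and DynamicSig[n] reuse indices, so key on both parts.
            slot = (sig.group(1), int(sig.group(2)))
            (names if sig.group(3) == "Name" else values)[slot] = value
        elif mod:
            modules[int(mod.group(1))] = value
        else:
            fields[key] = value
    signature = {names[slot]: values.get(slot, "") for slot in sorted(names)}
    ordered = [modules[i] for i in sorted(modules)]
    return {"fields": fields, "signature": signature, "modules": ordered}


def modules_outside_windows(modules, windir=r"C:\Windows"):
    """Return modules not located under windir (case-insensitive path test).

    This is a path heuristic only: Microsoft components installed under
    Program Files still appear and have to be ruled out by hand.
    """
    root = ntpath.normcase(ntpath.normpath(windir)).rstrip("\\") + "\\"
    return [m for m in modules
            if not ntpath.normcase(ntpath.normpath(m)).startswith(root)]


def triage(raw):
    """Summarise one report: what faulted, and which modules to review first."""
    report = parse_wer(decode_wer(raw))
    sig = report["signature"]
    return {
        "app": report["fields"].get("NsAppName", ""),
        "fault_module": sig.get("Fault Module Name", ""),
        "exception_code": sig.get("Exception Code", ""),
        "exception_offset": sig.get("Exception Offset", ""),
        "candidates": modules_outside_windows(report["modules"]),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_WER.encode("utf-16"))
    print(result["app"], result["fault_module"], result["exception_code"])
    for path in result["candidates"]:
        print("review:", path)
```

Running `triage` over every `Report.wer` in the two ReportArchive folders and counting which candidate paths recur across crashes narrows the list faster than disabling extensions one at a time.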
 
Thanks John:
If I understand you...my crash dump file will not provide any usable clues to what is causing the crashes. Kinda makes you wonder why a dump file is generated if it's not going to provide anything useful. So unless you tell me otherwise, I guess I'll abandon the crash dump reading idea.
As far as restore point, I do not use Windows Restore point since it is of little value, instead I do a complete image backup each day but only keep a rolling 7 days. Besides, I wouldn't want to re-image a backup from over a month ago at this point...too much has changed on the Hard Drive.
I guess the only thing I have left to do is uncheck, one at a time, all the non Microsoft shells and just wait. Since the crash happens sometimes only 1 per week or maybe even every couple of weeks, this process of trying to find out which one is the culprit, will be a very long process.
Thanks for the advice.
Oh and yea I already tried the scannow fix.
 
Thanks John:
If I understand you...my crash dump file will not provide any usable clues to what is causing the crashes. Kinda makes you wonder why a dump file is generated if it's not going to provide anything useful. So unless you tell me otherwise, I guess I'll abandon the crash dump reading idea.
Those user-mode dumps are often transmitted to Microsoft where there are experts that know exactly what to do with them (read them). Microsoft also has access to symbol files and source code, which I do not.

Apologies if I have not been clear enough, but I know how to read kernel-mode post-mortem BSOD dumps, but do not know how to read user-mode dumps. They may look the same to an outsider, but the information contained in them differs significantly. So the reason the user-mode dumps are generated is primarily for the use of Microsoft. Again - sorry if I didn't make my position clear enough.

As far as restore point, I do not use Windows Restore point since it is of little value, instead I do a complete image backup each day but only keep a rolling 7 days. Besides, I wouldn't want to re-image a backup from over a month ago at this point...too much has changed on the Hard Drive.
Why do you feel that Windows System Restore is a waste? System Restore has saved my bacon many times. System Restore may have had little-to-no value during the days of Windows XP, but starting with Vista, Microsoft really got on the ball. I would really suggest that you turn System Restore ON and allocate ~15% of hard drive space to it. System Restore certainly would have helped in this case, IMO.

I do understand why you don't want to re-image using a month+ old image.

I guess the only thing I have left to do is uncheck, one at a time, all the non Microsoft shells and just wait. Since the crash happens sometimes only 1 per week or maybe even every couple of weeks, this process of trying to find out which one is the culprit, will be a very long process.
Thanks for the advice.
Oh and yea I already tried the scannow fix.

What was the outcome of SFC? Was all clear?

Regards. . .

John

EDIT: As I mentioned in my prior post, feel free to zip up the dump and attach it to your next post. Who knows -- maybe there will be something in it that my user-mode untrained eyes will spot!
 
Hi BD. . .

You're missing symbol files for Windbg.

Open Windbg, then before loading a dump press CTRL-S; paste this exact line in:
Code:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Then click on OK; click on "File"; click "Save Workspace".

Doing so should retain the symbol file info.

What will now happen is that when running Windbg, the needed symbol files for that particular dump will be downloaded from the Microsoft MSDN MSDL Symbol site and will be stored in c:\symbols. It will grow in size as you run various dumps. Mine is currently 4.3 GB. You can delete them anytime you wish.

Having symbols will get rid of those large asterisk boxes telling you that symbols could not be loaded/are missing.

You should also register Windbg for dump file extensions so that you can just run Windbg by double-clicking on a dump file. Be sure to change Windbg shortcut's "Properties" to run Windbg "As Administrator".

https://www.sysnative.com/forums/bs...ster-windbg-dump-files-file-associations.html

These are the initial commands that I use (paste in on the kd> command line) -
Code:
!analyze -v;r;kv;lmtn;lmtsmn;.bugcheck;!sysinfo cpuinfo;!sysinfo machineid; !sysinfo cpuspeed; !sysinfo smbios

I got your message about using .ecxr - it displays the exception record, which in your case was 0xc0000005 (0xc5 for short), which translates to "memory access violation"; a/k/a "Access Denied".

Regards. . .

John
 
It's not that it isn't hard to read user mode dumps.
In fact, they're significantly easier as you have access to all of their functions and memory addresses. It's that if the problem extends from a bug, for example, there is little to be done. We don't have access to modify explorer.exe.

Similarly with post mortem kernel dumps, we can find the cause of the crash, why it happened, who did it, etc. But we still can't modify a driver to fix the bug, it is something the developers will need to do.

The good news with user dumps, especially for Windows applications, is that 99% of the time, the crash is influenced by another 3rd party program.

Can you upload any new dumps?
 
Jared:
Thanks for the help.
It's interesting that since starting this post, I haven't had a crash (I probably shouldn't have said that).
So until one happens, I am sort of on hold.
If and when it does occur again, do you want me to run !analyze -v before zipping up the crash dump or just leave it in its native state?
 
It's not that it isn't hard to read user mode dumps.
In fact, they're significantly easier...

Not to me!

I prefer working with kernel mode dumps and find a post-mortem dump far easier to process/analyze than user mode dumps.

To each his own! :)

I'll be interested to see what exactly you get out of an Explorer.exe user mode dump.
 
User-mode are no harder than kernel dumps - I wouldn't say they are easier, but they're not harder. Code is code.

If there's an explorer user dump, it'd be useful to see it, as Explorer.exe hitting a breakpoint would indicate code inside of it has caused a debug break. Retail-compiled code should NEVER debug break (breaks indicate debug code, and unless this is a beta or insider build of Windows, none of the code that ships in it should be running debug), which at least gives us a likely indication it's not coming from Windows itself. Given Explorer.exe is basically a shell for other code to hook into, a user-mode dump would be pretty beneficial if the problem happens with some regularity. I noticed that the spew from one of the uploaded .doc files indicated a crash in code that appeared to be an offset into the mfc90 dll, and that ships with the VS2008 SP1 redist, not Windows itself. That's another clue this is not Explorer crashing, but likely an extension built with dependencies on the VS runtimes.
 
User-mode are no harder than kernel dumps - I wouldn't say they are easier, but they're not harder. Code is code.

If there's an explorer user dump, it'd be useful to see it, as Explorer.exe hitting a breakpoint would indicate code inside of it has caused a debug break. Retail-compiled code should NEVER debug break (breaks indicate debug code, and unless this is a beta or insider build of Windows, none of the code that ships in it should be running debug), which at least gives us a likely indication it's not coming from Windows itself. Given Explorer.exe is basically a shell for other code to hook into, a user-mode dump would be pretty beneficial if the problem happens with some regularity. I noticed that the spew from one of the uploaded .doc files indicated a crash in code that appeared to be an offset into the mfc90 dll, and that ships with the VS2008 SP1 redist, not Windows itself. That's another clue this is not Explorer crashing, but likely an extension built with dependencies on the VS runtimes.

The OP sent me the download link for the dump.
https://www.mediafire.com/?7q91a1uf3ixikmk
 
Do you run Noscripts or have an ad blocker?
When I open the link, it loads a code (Captcha) that must be filled in before you can download it.
 
Looks like whatever caused the issue has already unloaded - here's the crash, showing the MSUTB binary trying to clean up its thread local storage usage and crashing because the location no longer exists:
Code:
//Thread showing the crash:
0:034> k
 # Child-SP          RetAddr           Call Site
00 00000000`07e4e758 000007fe`fd481430 ntdll!NtWaitForMultipleObjects+0xa
01 00000000`07e4e760 00000000`771e1893 KERNELBASE!WaitForMultipleObjectsEx+0xe8
02 00000000`07e4e860 00000000`7725b675 kernel32!WaitForMultipleObjectsExImplementation+0xb3
03 00000000`07e4e8f0 00000000`7725b7f7 kernel32!WerpReportFaultInternal+0x215
04 00000000`07e4e990 00000000`7725b84f kernel32!WerpReportFault+0x77
05 00000000`07e4e9c0 00000000`7725ba6c kernel32!BasepReportFault+0x1f
06 00000000`07e4e9f0 00000000`7746a0b8 kernel32!UnhandledExceptionFilter+0x1fc
07 00000000`07e4ead0 00000000`773f8008 ntdll! ?? ::FNODOBFM::`string'+0x2335
08 00000000`07e4eb00 00000000`7740905d ntdll!_C_specific_handler+0x8c
09 00000000`07e4eb70 00000000`773f8c0f ntdll!RtlpExecuteHandlerForException+0xd
0a 00000000`07e4eba0 00000000`7742d948 ntdll!RtlDispatchException+0x45a
0b 00000000`07e4f280 000007fe`fa1c8067 ntdll!KiUserExceptionDispatcher+0x2e
0c 00000000`07e4f980 000007fe`fa1c1bb6 msutb!CTipbarTLS::DestroyTLS+0x59
0d 00000000`07e4f9b0 000007fe`fa1c1c9e msutb!DllMain+0x46
0e 00000000`07e4f9e0 00000000`77423728 msutb!CRT_INIT+0x2af
0f 00000000`07e4fb40 00000000`77423668 ntdll!LdrShutdownThread+0x155
10 00000000`07e4fc40 000007fe`fd488757 ntdll!RtlExitUserThread+0x38
11 00000000`07e4fc80 00000000`771c4ef9 KERNELBASE!FreeLibraryAndExitThread+0x47
12 00000000`07e4fcb0 000007fe`fde7c791 kernel32!FreeLibraryAndExitThreadStub+0x9
13 00000000`07e4fce0 00000000`771d59ed shlwapi!WrapperThreadProc+0x259
14 00000000`07e4fde0 00000000`7740b831 kernel32!BaseThreadInitThunk+0xd
15 00000000`07e4fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

//Thread context:
0:034> .ecxr
rax=0000000600000000 rbx=0000000000000000 rcx=000000000a3555a0
rdx=0000000000000003 rsi=0000000002ae9530 rdi=0000000002ae9540
rip=000007fefa1c8067 rsp=0000000007e4f980 rbp=000007fefa1c0000
 r8=0000000000000000  r9=000000000a3b1ed0 r10=000000000000002d
r11=0000000004b45780 r12=000007fffffd8000 r13=0000000004b423c0
r14=000007fffffa4000 r15=000000007750e670
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
msutb!CTipbarTLS::DestroyTLS+0x59:
000007fe`fa1c8067 ff5010          call    qword ptr [rax+10h] ds:00000006`00000010=????????????????

//Disassembly showing the call is indeed coming from msutb:
0:034> u
msutb!CTipbarTLS::DestroyTLS+0x59:
000007fe`fa1c8067 ff5010          call    qword ptr [rax+10h]
000007fe`fa1c806a 90              nop
000007fe`fa1c806b e97af1ffff      jmp     msutb!CTipbarTLS::DestroyTLS+0x5c (000007fe`fa1c71ea)
000007fe`fa1c8070 488b01          mov     rax,qword ptr [rcx]
000007fe`fa1c8073 ff5010          call    qword ptr [rax+10h]
000007fe`fa1c8076 90              nop
000007fe`fa1c8077 e97ef1ffff      jmp     msutb!CTipbarTLS::DestroyTLS+0x6e (000007fe`fa1c71fa)
000007fe`fa1c807c 488bcd          mov     rcx,rbp

Given the binary crashing (msutb) is responsible for language interface items and toolbars in the shell, and you're running ClassicShell (and a whole host of other Explorer add-ins to modify Explorer and the shell), can you reproduce this without something installed that modifies the very thing msutb is designed to create/draw/manage?

Code:
slc                    The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
IDSyncIntIcon64        The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
ClassicExplorer64      The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
ClassicStartMenuDLL    The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
FXSRESM                No data is available : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
WRusr                  The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
dkticnsr               The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
atiacm64               No data is available : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
atiamenu               No data is available : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
RarExt64               No data is available : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
Eraser.Shell           The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
MFC90ENU               No data is available : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
UnlockerCOM            No data is available : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
StartMenuHelper64      The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
JetFlExt64             No data is available : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
shellExt               The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
RecuvaShell64          The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
misosh64               The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
UninstallMenuRight     The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
IDContextMenu          No data is available : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
RContextMenu           The system cannot find the file specified : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
ASCExtMenu_64          No data is available : srv*e:\symbols*http://msdl.microsoft.com/download/symbols
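
An added example (not part of the original post): Python that cross-checks the Application event log record quoted earlier in the thread against the `k` output above. It skips the error-reporting and exception-dispatch frames to find the frame that raised the exception, then checks that subtracting the event's fault offset from the faulting address gives a 64 KB-aligned module base. The input text is copied from the thread; the function names are this example's own.

```python
import re

# Copied from the thread: part of the event log record and part of the `k` output.
EVENT_TEXT = """\
Faulting module name: msutb.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdfba
Exception code: 0xc0000005
Fault offset: 0x0000000000008067
"""

STACK_TEXT = """\
 # Child-SP          RetAddr           Call Site
06 00000000`07e4e9f0 00000000`7746a0b8 kernel32!UnhandledExceptionFilter+0x1fc
07 00000000`07e4ead0 00000000`773f8008 ntdll! ?? ::FNODOBFM::`string'+0x2335
0a 00000000`07e4eba0 00000000`7742d948 ntdll!RtlDispatchException+0x45a
0b 00000000`07e4f280 000007fe`fa1c8067 ntdll!KiUserExceptionDispatcher+0x2e
0c 00000000`07e4f980 000007fe`fa1c1bb6 msutb!CTipbarTLS::DestroyTLS+0x59
0d 00000000`07e4f9b0 000007fe`fa1c1c9e msutb!DllMain+0x46
"""

FRAME_RE = re.compile(
    r"^\s*([0-9a-f]{2,})\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s+([^!\s]+)!\s*(.+?)\s*$",
    re.IGNORECASE,
)


def parse_event(text):
    """Pull module name, exception code and fault offset from the event text."""
    module = re.search(r"Faulting module name:\s*([^,\r\n]+)", text)
    code = re.search(r"Exception code:\s*(0x[0-9a-fA-F]+)", text)
    offset = re.search(r"Fault offset:\s*(0x[0-9a-fA-F]+)", text)
    if not (module and code and offset):
        raise ValueError("event text is missing a required field")
    return {
        "module": module.group(1).strip(),
        "code": int(code.group(1), 16),
        "offset": int(offset.group(1), 16),
    }


def parse_stack(text):
    """Parse `k` output lines into frames; header and blank lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "index": int(m.group(1), 16),
                "ret_addr": int(m.group(3).replace("`", ""), 16),
                "module": m.group(4),
                "symbol": m.group(5),
            })
    return frames


def faulting_frame(frames):
    """Return (frame, address) for the frame below KiUserExceptionDispatcher.

    The dispatcher frame's RetAddr column holds the address of the instruction
    that raised the exception. Returns (None, None) if no such frame exists,
    for example in a dump taken from a hung rather than crashed process.
    """
    for i, frame in enumerate(frames[:-1]):
        if frame["symbol"].startswith("KiUserExceptionDispatcher"):
            return frames[i + 1], frame["ret_addr"]
    return None, None


def correlate(event, frames):
    """Check that the event record and the dump describe the same fault."""
    frame, address = faulting_frame(frames)
    if frame is None:
        return None
    event_module = event["module"].rsplit(".", 1)[0].lower()
    implied_base = address - event["offset"]
    return {
        "frame": f"{frame['module']}!{frame['symbol']}",
        "same_module": frame["module"].lower() == event_module,
        "implied_base": implied_base,
        # Windows maps images on 64 KB boundaries, so a mismatch here means
        # the event and the dump are not from the same crash.
        "base_aligned": implied_base % 0x10000 == 0,
    }


if __name__ == "__main__":
    print(correlate(parse_event(EVENT_TEXT), parse_stack(STACK_TEXT)))
```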
 
