Corrupt profile after interrupted hibernation

icey_kitsune

So I have a laptop about 3 years old, Windows 10 Pro, generally up to date; drivers are hit or miss due to the OEM not bothering (Clevo/Sager model). I was playing a game and needed to move to another room, unplugged, and got to the other room when an alert sounded (I figure it was low battery and attempting to hibernate), and then it turned off before it could hibernate. Upon rebooting, the screen was dim as if it was on battery, but a replug-in fixed that. After logging in, Explorer entered what I can best describe as a crash loop: it would load the desktop and taskbar and then crash with no error messages.


If I am quick enough to end the active Explorer task before it crashes then it will stay crashed, however it's hard to do anything. I was able to get to Task Manager and PowerShell to try a few fixes, which I will list below. I also at the time tried to launch the Windows settings with run ms-settings: which only gave an error message of "file system error (###########)" (numbers I don't remember). I rebooted to see if that worked and then tried safe mode, where I got a message on login from explorer.exe - system error "the system detected an overrun of a stack-based buffer in this application. this overrun could potentially allow a malicious user to gain control of this application". If I clicked the OK button it would restart Explorer and the window would pop up again each time. While in safe mode I was able to load the Settings app but still did not get the Windows Update page to load.

I tried to reset power options, figuring it might be something there, but it didn't change anything. Checking Event Viewer gave me little help, showing:

Faulting application name: explorer.exe, version: 10.0.18362.387, time stamp: 0x0e377b6c
Faulting module name: SHELL32.dll, version: 10.0.18362.387, time stamp: 0xdeca38c3
Exception code: 0xc0000409
Fault offset: 0x0000000000138cf6
Faulting process id: 0x4a38
Faulting application start time: 0x01d598b7351e9346
Faulting application path: C:\WINDOWS\explorer.exe
Faulting module path: C:\WINDOWS\System32\SHELL32.dll
Report Id: b0eeae59-e03a-4f14-bf84-435aa296dc4f
Faulting package full name:
Faulting package-relative application ID:


After trying a few other things such as:

clearing icon/thumbnail cache

changing account types

moving to local account

running DISM commands (scan/restore)

sfc /scannow, did find errors but a few reboots and tries now says everything is fine

clean boots

scanning with Malwarebytes (clean)


I did an in-place upgrade install. After the install, logging in still showed the same problem. I did find some information out there that mentioned someone with a crash loop of Explorer, but rather than the faulting module being shell32 it was sihost. They mentioned they got the crash loop to stop by disabling Windows Error Reporting, which did work in the sense that it doesn't keep looping but brings up the same error as in safe mode, which now shows up on the login screen. At this point I did try making another user account to see if it was Windows or profile based, and the other profile works fine, and if this new profile was the last selected the error message doesn't show up on the login screen until you select my real profile.


With my profile somewhat stable I was able to run Windows Update and gain access to the settings menu, but nothing seemed to help there. After more searching I found mentions of getting a crash dump from specific programs via the registry, which I did and then ran through WinDbg, which showed:



Microsoft (R) Windows Debugger Version 10.0.19494.1001 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\rashDumps\explorer.exe.6728.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available


************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Version 18362 MP (8 procs) Free x64
Product: WinNt, suite: SingleUserTS
18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Debug session time: Sun Nov 10 12:09:38.000 2019 (UTC - 8:00)
System Uptime: not available
Process Uptime: 0 days 0:00:03.000
................................................................
................................................................
................................................................
...........................................
Loading unloaded module list
......
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1a48.1db4): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT
For analysis of this file, run !analyze -v
KERNELBASE!RaiseFailFastException+0xaf:
00007fff`091bf10f 0f1f440000 nop dword ptr [rax+rax]
0:068> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

DEBUG_FLR_EXCEPTION_CODE(8000ffff) and the ".exr -1" ExceptionCode(c0000409) don't match

KEY_VALUES_STRING: 1

Key : Analysis.CPU.Sec
Value: 8

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on LAPTOP

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.Sec
Value: 257

Key : Analysis.Memory.CommitPeak.Mb
Value: 383

Key : Analysis.System
Value: CreateObject

Key : Timeline.Process.Start.DeltaSec
Value: 3


NTGLOBALFLAG: 0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS: 0

CONTEXT: (.ecxr)
rax=000000001a56d750 rbx=000000001a56dcc0 rcx=000000001a56d750
rdx=0000000000000000 rsi=0000000000000000 rdi=000000001a56d750
rip=00007fff091bf10f rsp=000000001a56d670 rbp=ffffffffffffffff
r8=0000000000000000 r9=0000000000000000 r10=00000fffe1237e0d
r11=0000000000002000 r12=0000000009ab42f0 r13=000000000000001f
r14=0000000000000000 r15=000000001a56f3d0
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000244
KERNELBASE!RaiseFailFastException+0xaf:
00007fff`091bf10f 0f1f440000 nop dword ptr [rax+rax]
Resetting default scope

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007fff0a558cf6 (shell32!wil::make_unique_string_nothrow<wil::unique_any_t<wil::details::unique_storage<wil::details::resource_policy<unsigned short *,void (__cdecl*)(void *),&CoTaskMemFree,wistd::integral_constant<unsigned __int64,0>,unsigned short *,unsigned short *,0,std::nullptr_t> > > >+0x00000000000cbb06)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 3
Parameter[0]: 0000000000000007
Parameter[1]: ffffffff8000ffff
Parameter[2]: 0000000000000c76
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT

PROCESS_NAME: explorer.exe

EXCEPTION_CODE_STR: 8000ffff

STACK_TEXT:
00000000`1a56d670 00007fff`0a5b8145 : 00000000`00000000 00007fff`091bf060 00000000`00000000 00000000`1a56dcc0 : KERNELBASE!RaiseFailFastException+0xaf
00000000`1a56dc40 00007fff`0a5b8210 : 00000000`1a56ddf0 00000000`00000000 00000000`1a56de80 00000000`1a56ddf0 : shell32!wil::details::WilDynamicLoadRaiseFailFastException+0x55
00000000`1a56dc70 00007fff`0a5b81ef : 00000000`00000000 00000000`00000003 00000000`00000000 00007fff`0a4cb620 : shell32!wil::details::WilRaiseFailFastException+0x18
00000000`1a56dca0 00007fff`0a4c33d8 : 00007fff`0a971e17 00000000`00000003 ffffffff`ffffffff 00000000`00000000 : shell32!wil::details::WilFailFast+0x93
00000000`1a56dd70 00007fff`0a4c32f8 : 00000000`00000000 00000000`1a56f3e0 00000000`00000083 00007fff`0a49f5e0 : shell32!wil::details::ReportFailure+0xd4
00000000`1a56f2b0 00007fff`0a5b7618 : 00000000`00000000 00000000`1a56f5c0 00000000`1a56f3e0 00000000`1a56f5c0 : shell32!wil::details::ReportFailure_Hr+0x44
00000000`1a56f310 00007fff`0a558cf6 : 00007fff`00000000 0000d93b`6d4de25a 00000000`00000000 00000000`08f38400 : shell32!wil::details::in1diag3::FailFast_Unexpected+0x2c
00000000`1a56f360 00007fff`0a971e17 : 00000000`00000000 00000000`08f38400 00000000`00000000 00000000`1a56f4d0 : shell32!wil::make_unique_string_nothrow<wil::unique_any_t<wil::details::unique_storage<wil::details::resource_policy<unsigned short *,void (__cdecl*)(void *),&CoTaskMemFree,wistd::integral_constant<unsigned __int64,0>,unsigned short *,unsigned short *,0,std::nullptr_t> > > >+0xcbb06
00000000`1a56f3a0 00007fff`0a58bb6b : 00000000`08f38400 00000000`08f38400 00000000`00000000 00000000`00000000 : shell32!Microsoft::Windows::FileExplorer::Banners::BannerData::GetFolderScope+0x27
00000000`1a56f3d0 00007fff`0a4cac52 : 00000000`09b5d4a0 00000000`09b5d4a0 00000000`00000000 00000000`00000000 : shell32!Microsoft::Windows::FileExplorer::Banners::BannerDataModel::LoadSchema+0xc11bb
00000000`1a56fa50 00007fff`0b077bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : shell32!<lambda_07579e966cc2827f70049d382fdfee89>::operator()+0x52
00000000`1a56fbe0 00007fff`0b8eced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
00000000`1a56fc10 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME: shell32!wil::make_unique_string_nothrow<wil::unique_any_t<wil::details::unique_storage<wil::details::resource_policy<unsigned short *,void (__cdecl*)+cbb06

MODULE_NAME: shell32

IMAGE_NAME: shell32.dll

STACK_COMMAND: ~68s ; .ecxr ; kb

FAILURE_BUCKET_ID: FAIL_FAST_FATAL_APP_EXIT_8000ffff_shell32.dll!wil::make_unique_string_nothrow_wil::unique_any_t_wil::details::unique_storage_wil::details::resource_policy_unsigned_short_*,void_

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {08c993ff-b0b1-6fc8-db8f-8ff76719e694}

Followup: MachineOwner
---------


I tried to look up any information about the errors reported but was unable to find any useful information that helped.

I also attempted to use WinDbg to debug an active copy of Explorer, and the only thing that I saw come up at some point was

internal\sdk\inc\wil\opensource\wil\resource.h(3190)\SHELL32.dll!00007FFBFDBF8CF6: (caller: 00007FFBFE011E17) FailFast(1) tid(2b18) 8000FFFF Catastrophic failure
CallContext:[\Initialization\DataModelLoad]


which didn't seem to lead anywhere.


I know I have already gone very long on this, but I am trying to give as much information as possible so I don't get the usual "run sfc/dism/reinstall". I am trying to find if someone can lead me in some direction to get a fix for my user profile if possible. I have a feeling it is something in the user registry that was being written to at the time, and on being loaded it is not finding the end of that data block. I tried seeing if I could figure out what Explorer is loading around the time of the crash with Process Monitor, but even narrowing down I see lots of buffer overflow, name not found, name collision, fast io disallowed and other things that I don't know for sure are the root cause.



If you need any more information I will try to respond promptly, and I hope someone will have some insight on this issue.
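
Added example, not part of the original post and not Microsoft's code: a small Python triage of a WinDbg `.exr -1` record that separates a real stack-cookie failure from the deliberate fail-fast abort seen in this dump, since both are reported as c0000409. The subcode table is a subset of the FAST_FAIL_* values in winnt.h; the grouping into "mitigation hits" and the reading of Parameter[1] and Parameter[2] as HRESULT and source line are assumptions, the latter inferred from this dump, where they match the 8000ffff and resource.h(3190) shown in the post.

```python
import re

STATUS_STACK_BUFFER_OVERRUN = 0xC0000409  # also raised by every __fastfail
# Subset of the FAST_FAIL_* subcodes defined in winnt.h.
FAST_FAIL = {
    0: "LEGACY_GS_VIOLATION", 1: "VTABLE_GUARD_FAILURE",
    2: "STACK_COOKIE_CHECK_FAILURE", 3: "CORRUPT_LIST_ENTRY",
    4: "INCORRECT_STACK", 5: "INVALID_ARG", 6: "GS_COOKIE_INIT",
    7: "FATAL_APP_EXIT", 8: "RANGE_CHECK_FAILURE",
    9: "UNSAFE_REGISTRY_ACCESS", 10: "GUARD_ICALL_CHECK_FAILURE",
}
# Grouping chosen for this example (an assumption): subcodes raised by a
# memory-safety mitigation rather than by a deliberate abort.
MITIGATION_HITS = {0, 1, 2, 3, 4, 8, 10}

# Lines copied from the .exr -1 record in the post.
POST_RECORD = """\
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
NumberParameters: 3
Parameter[0]: 0000000000000007
Parameter[1]: ffffffff8000ffff
Parameter[2]: 0000000000000c76
"""
# Constructed record for contrast: a /GS stack-cookie failure.
CONSTRUCTED_GS_RECORD = """\
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
NumberParameters: 1
Parameter[0]: 0000000000000002
"""

def triage(exr_text):
    """Classify an .exr -1 record; returns a dict describing the fail-fast."""
    m = re.search(r"ExceptionCode:\s*([0-9a-fA-F]+)", exr_text)
    params = [int(v, 16) for v in
              re.findall(r"Parameter\[\d+\]:\s*([0-9a-fA-F]+)", exr_text)]
    if not m or int(m.group(1), 16) != STATUS_STACK_BUFFER_OVERRUN or not params:
        return {"fastfail": False}
    sub = params[0]  # Parameter[0] carries the fast-fail subcode
    result = {"fastfail": True,
              "subcode": "FAST_FAIL_" + FAST_FAIL.get(sub, "UNKNOWN_%d" % sub),
              "memory_corruption_suspected": sub in MITIGATION_HITS}
    if sub == 7 and len(params) >= 3:
        # Assumption inferred from this dump: HRESULT and source line number.
        result["hresult"] = "%08x" % (params[1] & 0xFFFFFFFF)
        result["source_line"] = params[2]
    return result

if __name__ == "__main__":
    print(triage(POST_RECORD))
    print(triage(CONSTRUCTED_GS_RECORD))
```
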
