spoolsv.exe crash on ntdll.dll module

longlongDC

Hi, all

I don't know why spoolsv crashes on ntdll (it almost points to heap corruption), and this happens many times. Need help!!!



Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\user\Documents\spoolsv.exe.3356.dmp]
User Mini Dump File with Full Memory: Only application data is available


************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
DBGHELP: Symbol Search Path: cache*;SRV*Symbol information
Symbol search path is: srv*
Executable search path is:
Windows 7 Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Fri Jan 29 14:50:14.000 2021 (UTC + 8:00)
System Uptime: 0 days 6:18:35.842
Process Uptime: 0 days 0:01:38.000
................................................................
........................
Loading unloaded module list
....................................
DBGHELP: Symbol Search Path: cache*;SRV*Symbol information
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(d1c.f08): Access violation - code c0000005 (first/second chance not available)
For analysis of this file, run !analyze -v
SYMSRV: BYINDEX: 0x1
C:\ProgramData\Dbg\sym
ntdll.pdb
6192BFDB9F04442995FFCB0BE95172E12
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntdll.pdb\6192BFDB9F04442995FFCB0BE95172E12\ntdll.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: ntdll - public symbols
C:\ProgramData\Dbg\sym\ntdll.pdb\6192BFDB9F04442995FFCB0BE95172E12\ntdll.pdb
SYMSRV: BYINDEX: 0x2
C:\ProgramData\Dbg\sym
kernelbase.pdb
FF31C2F3216C4621A7F009584AC0D68F2
SYMSRV: PATH: C:\ProgramData\Dbg\sym\kernelbase.pdb\FF31C2F3216C4621A7F009584AC0D68F2\kernelbase.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: KERNELBASE - public symbols
C:\ProgramData\Dbg\sym\kernelbase.pdb\FF31C2F3216C4621A7F009584AC0D68F2\kernelbase.pdb
ntdll!ZwWaitForMultipleObjects+0xa:
00000000`76d818ca c3 ret

Loading Dump File [C:\Users\user\Documents\spoolsv.exe.3356.dmp]
User Mini Dump File with Full Memory: Only application data is available

Can't set dump file contexts
MachineInfo::SetContext failed - Thread: 000001B2403FEBC0 Handle: 14 Id: f08 - Error == 0x8000FFFF

||2:2:059> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

SYMSRV: BYINDEX: 0x20
Symbol information
ntdll.dll
4CE7C8F91a9000
SYMSRV: BYINDEX: 0x20
Symbol information
ntdll.dll
4CE7C8F91a9000
SYMSRV: BYINDEX: 0x20
Symbol information
ntdll.dll
4CE7C8F91a9000
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntdll.dll\4CE7C8F91a9000\ntdll.dll
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntdll.dll\4CE7C8F91a9000\ntdll.dll
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntdll.dll\4CE7C8F91a9000\ntdll.dll
SYMSRV: RESULT: 0x00000000
SYMSRV: RESULT: 0x00000000
SYMSRV: RESULT: 0x00000000
DBGHELP: C:\ProgramData\Dbg\sym\ntdll.dll\4CE7C8F91a9000\ntdll.dll - OK
DBGHELP: C:\ProgramData\Dbg\sym\ntdll.dll\4CE7C8F91a9000\ntdll.dll - OK
DBGHELP: C:\ProgramData\Dbg\sym\ntdll.dll\4CE7C8F91a9000\ntdll.dll - OK
SYMSRV: BYINDEX: 0x21
C:\ProgramData\Dbg\sym
user32.pdb
953B04792B8A48B2883930E36FD22A6A2
SYMSRV: PATH: C:\ProgramData\Dbg\sym\user32.pdb\953B04792B8A48B2883930E36FD22A6A2\user32.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: user32 - public symbols
C:\ProgramData\Dbg\sym\user32.pdb\953B04792B8A48B2883930E36FD22A6A2\user32.pdb
SYMSRV: BYINDEX: 0x22
C:\ProgramData\Dbg\sym
ole32.pdb
EE489189724F4D47AECCFDB5534824352
SYMSRV: UNC: C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\ole32.pdb - file not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\ole32.pd_ - file not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\file.ptr - file not found
SYMSRV: RESULT: 0x80070002
SYMSRV: BYINDEX: 0x23
C:\ProgramData\Dbg\sym*Symbol information
ole32.pdb
EE489189724F4D47AECCFDB5534824352
SYMSRV: UNC: C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\ole32.pdb - file not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\ole32.pd_ - file not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\file.ptr - file not found
SYMSRV: HTTPGET: /download/symbols/ole32.pdb/EE489189724F4D47AECCFDB5534824352/ole32.pdb
SYMSRV: HttpQueryInfo: 801900c8 - HTTP_STATUS_OK
SYMSRV: ole32.pdb from Symbol information: 17681408 bytes - copied
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\ole32.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\ole32.pdb cached to C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\ole32.pdb
DBGHELP: ole32 - private symbols & lines
C:\ProgramData\Dbg\sym\ole32.pdb\EE489189724F4D47AECCFDB5534824352\ole32.pdb
SYMSRV: BYINDEX: 0x24
C:\ProgramData\Dbg\sym
ws2_32.pdb
348BE7D22346495B841B7FA203996BD02
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ws2_32.pdb\348BE7D22346495B841B7FA203996BD02\ws2_32.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: ws2_32 - public symbols
C:\ProgramData\Dbg\sym\ws2_32.pdb\348BE7D22346495B841B7FA203996BD02\ws2_32.pdb
SYMSRV: BYINDEX: 0x25
C:\ProgramData\Dbg\sym
msxml6.pdb
8EF4A994F018436F8083CD5C89BF8EB72
SYMSRV: UNC: C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\msxml6.pdb - file not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\msxml6.pd_ - file not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\file.ptr - file not found
SYMSRV: RESULT: 0x80070002
SYMSRV: BYINDEX: 0x26
C:\ProgramData\Dbg\sym*Symbol information
msxml6.pdb
8EF4A994F018436F8083CD5C89BF8EB72
SYMSRV: UNC: C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\msxml6.pdb - file not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\msxml6.pd_ - file not found
SYMSRV: UNC: C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\file.ptr - file not found
SYMSRV: HTTPGET: /download/symbols/msxml6.pdb/8EF4A994F018436F8083CD5C89BF8EB72/msxml6.pdb
SYMSRV: HttpQueryInfo: 801900c8 - HTTP_STATUS_OK
SYMSRV: msxml6.pdb from Symbol information: 14502912 bytes - copied
SYMSRV: PATH: C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\msxml6.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\msxml6.pdb cached to C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\msxml6.pdb
DBGHELP: msxml6 - private symbols & lines
C:\ProgramData\Dbg\sym\msxml6.pdb\8EF4A994F018436F8083CD5C89BF8EB72\msxml6.pdb
DEBUG_FLR_EXCEPTION_CODE(c0000374) and the ".exr -1" ExceptionCode(c0000005) don't match

KEY_VALUES_STRING: 1

Key : AV.Fault
Value: Write

Key : Analysis.CPU.mSec
Value: 1609

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-T63AU6S

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.mSec
Value: 406948

Key : Analysis.Memory.CommitPeak.Mb
Value: 134

Key : Analysis.System
Value: CreateObject

Key : Timeline.OS.Boot.DeltaSec
Value: 22715

Key : Timeline.Process.Start.DeltaSec
Value: 98

Key : WER.OS.Branch
Value: win7sp1_rtm

Key : WER.OS.Timestamp
Value: 2010-11-19T18:50:00Z

Key : WER.OS.Version
Value: 6.1.7601.17514

Key : WER.Process.Version
Value: 6.1.7601.17514


ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

CONTEXT: (.ecxr)
rax=000007fef5690030 rbx=00000000000fa020 rcx=000000ffffffffff
rdx=00000000003568d0 rsi=00000000000f0000 rdi=00000000003568e0
rip=0000000076d83332 rsp=000000000317eae0 rbp=0000000000000001
r8=000007fef569004c r9=ff8017ffc689004d r10=0000000076e67c50
r11=0000000003a31930 r12=000007fef5690040 r13=0000000100000001
r14=ffffffff00007fff r15=00000000ffff0000
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
ntdll!RtlFreeHeap+0x132:
00000000`76d83332 488918 mov qword ptr [rax],rbx ds:000007fe`f5690030=90909090900000c2
Resetting default scope

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0000000076d83332 (ntdll!RtlFreeHeap+0x0000000000000132)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000007fef5690030
Attempt to write to address 000007fef5690030

PROCESS_NAME: spoolsv.exe

WRITE_ADDRESS: 000007fef5690030

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p 0x%p %s

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000001

EXCEPTION_PARAMETER2: 000007fef5690030

ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer ; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

FAULTING_THREAD: 00000f08

STACK_TEXT:
00000000`00000000 00000000`00000000 heap_corruption!spoolsv.exe+0x0


SYMBOL_NAME: heap_corruption!spoolsv.exe

MODULE_NAME: heap_corruption

IMAGE_NAME: heap_corruption

STACK_COMMAND: ** Pseudo Context ** ManagedPseudo ** Value: 1b242ed6040 ** ; kb

FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!spoolsv.exe

OS_VERSION: 6.1.7601.17514

BUILDLAB_STR: win7sp1_rtm

OSPLATFORM_TYPE: x64

OSNAME: Windows 7

FAILURE_ID_HASH: {9c155293-d0a8-1d2b-f461-1f0a2f636e4e}

Followup: MachineOwner
---------