Guest crtombes@yahoo.se
Posted October 18, 2007

I recently downloaded the KB933729 update for Windows XP home edition. After installing this patch for the RPC vulnerability I have had several services crash (one at a time) due to a file that is part of the RPC update, rpcrt4.dll. The services crashing have been random. Uninstalling the update makes everything work as normal but I figure this patch is important to have installed and would appreciate feedback for a solution.

I should add that I have reinstalled the patch twice with AV and other active software disabled.

Below is the dump file debugged with rpcrt4.dll version information, perhaps someone with more knowledge can understand more of this, thanks.

******
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(9b8.b8c): Access violation - code c0000005 (first/second chance not available)
eax=89abcdef ebx=001879a8 ecx=0125fe18 edx=7c90eb94 esi=0017d4a0 edi=00000000
eip=77ef65e1 esp=0125fe30 ebp=0125ff80 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000282
rpcrt4!CStdAsyncStubBuffer2_Release+0x2b:
77ef65e1 8b08            mov     ecx,dword ptr [eax]  ds:0023:89abcdef=????????
0:002> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for SiteAdv.dll -

FAULTING_IP:
rpcrt4!CStdAsyncStubBuffer2_Release+2b
77ef65e1 8b08            mov     ecx,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 77ef65e1 (rpcrt4!CStdAsyncStubBuffer2_Release+0x0000002b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 89abcdef
Attempt to read from address 89abcdef

DEFAULT_BUCKET_ID:  BAD_PTR_DEREFERENCE

PROCESS_NAME:  SiteAdv.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instruktionen på "0x%08lx" refererade till minnet på "0x%08lx". Det gick inte att utföra en minnesåtgärd. Följande fel returnerades: The memory could not be "%s".

READ_ADDRESS:  89abcdef

BUGCHECK_STR:  ACCESS_VIOLATION

LAST_CONTROL_TRANSFER:  from 77e76c9f to 77ef65e1

STACK_TEXT:
0125ff80 77e76c9f 0125ffa8 77e76ac1 0017d4a0 rpcrt4!CStdAsyncStubBuffer2_Release+0x2b
0125ff88 77e76ac1 0017d4a0 00000000 00d0e92c rpcrt4!RecvLotsaCallsWrapper+0xd
0125ffa8 77e76c87 001855c8 0125ffec 7c80b683 rpcrt4!BaseCachedThreadRoutine+0x79
0125ffb4 7c80b683 00187ac0 00000000 00d0e92c rpcrt4!ThreadStartRoutine+0x1a
0125ffec 00000000 77e76c6d 00187ac0 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND:  ~2s; .ecxr ; kb

FAULTING_THREAD:  00000b8c

PRIMARY_PROBLEM_CLASS:  BAD_PTR_DEREFERENCE

FOLLOWUP_IP:
rpcrt4!CStdAsyncStubBuffer2_Release+2b
77ef65e1 8b08            mov     ecx,dword ptr [eax]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  rpcrt4!CStdAsyncStubBuffer2_Release+2b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: rpcrt4

IMAGE_NAME:  rpcrt4.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  46923632

FAILURE_BUCKET_ID:  ACCESS_VIOLATION_rpcrt4!CStdAsyncStubBuffer2_Release+2b

BUCKET_ID:  ACCESS_VIOLATION_rpcrt4!CStdAsyncStubBuffer2_Release+2b

Followup: MachineOwner
---------

0:002> lmvm rpcrt4
start    end        module name
77e70000 77f01000   rpcrt4     (pdb symbols)          I:\symbols\rpcrt4.pdb\436F11D9044249B8AB818CAD4D9079E72\rpcrt4.pdb
    Loaded symbol image file: rpcrt4.dll
    Mapped memory image file: I:\symbols\rpcrt4.dll\4692363291000\rpcrt4.dll
    Image path: I:\WINDOWS\system32\rpcrt4.dll
    Image name: rpcrt4.dll
    Timestamp:        Mon Jul 09 15:20:50 2007 (46923632)
    CheckSum:         0009B60A
    ImageSize:        00091000
    File version:     5.1.2600.3173
    Product version:  5.1.2600.3173
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     rpcrt4.dll
    OriginalFilename: rpcrt4.dll
    ProductVersion:   5.1.2600.3173
    FileVersion:      5.1.2600.3173 (xpsp_sp2_qfe.070709-0052)
    FileDescription:  Remote Procedure Call Runtime
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
******

Guest MowGreen
Posted October 18, 2007

> PROCESS_NAME: SiteAdv.exe

The issue appears to be a conflict between Site Adviser and the update to RPC. Recommend that you contact McAfee and MS to report this. Since this is a Security update:

> Support
> • Customers in the U.S. and Canada can receive technical support from Microsoft Product
> Support Services at 1-866-PCSAFETY. There is no charge for support calls that are
> associated with security updates.
> • International customers can receive support from their local Microsoft subsidiaries.
> There is no charge for support that is associated with security updates. For more
> information about how to contact Microsoft for support issues, visit the International
> Support Web site.

Not sure how to go about contacting McAfee. Let's check the Site Adviser site. Try here:
http://www.siteadvisor.com/feedback.html

Use the drop down window and choose 'General McAfee Product Support'. Hopefully, you'll receive a response.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============

Guest Robert Aldwinckle
Posted October 18, 2007

<crtombes@yahoo.se> wrote in message news:1192644900.393662.231800@i38g2000prf.googlegroups.com
....
> Below is the dump file debugged with rpcrt4.dll version information,

> Translations: 0409.04b0

This is the same version that I have (EN-US). However, noticing your E-mail address I wonder if that is the version that you would want? E.g. are you running an SE version of Windows and is there an SE version of the patch?

> FileVersion: 5.1.2600.3173 (xpsp_sp2_qfe.070709-0052)

I'm surprised to see that I have the QFE version too. I have no idea when that would have happened.

Do you still have a QFE version after you uninstalled this one? What are its properties? Hint: use filever.exe /v (in the XP Pro Support Tools. I don't know if XP Home users get the same tools or not.)

BTW you might get a better perspective of the other modules in the stack for the crash event by using ProcMon. That might give you some other clues too from other records for the crashing task just before the one for the crash.

HTH

Robert Aldwinckle
---

Guest crtombes@yahoo.se
Posted October 19, 2007

Thanks for the feedback, much appreciated.

I will add that the services crashing are different, alg.exe, lssas.exe, vmplayer.exe etc and at random intervals. The debugged dump in my first post is only one example but all the other dumps look exactly the same except another service being affected.

The following log message is the same for all services crashing except the name of the service.

"Faulty/wrong program lsass.exe, version 5.1.2600.2180, faulty/wrong modul rpcrt4.dll, version 5.1.2600.3173, faulty/wrong adress 0x000865e1."

As for the file versions I checked both the downloaded KB933729 and the one available at MS download homepage, naturally I checked the SE versions and both contain English versions of the files.

It seems the failure is when the below is processed but as I'm no programmer I can't make out what kind of operation it is doing and what might be the cause.

"FAILURE_BUCKET_ID: ACCESS_VIOLATION_rpcrt4!CStdAsyncStubBuffer2_Release+2b"

So far the only solution has been to uninstall the KB933729 update. The dmp/log have been sent to MS every time a service has crashed due to rpcrt4.dll (RPC component).

Other maybe relevant information is that I use a dual-core CPU (AMD) with AMD optimizer to sync the cores. Additionally, disabling all the services being affected (so far except critical services) has yielded no success.

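Added example, not part of any post in this thread: a Python triage helper that reduces the debugger output and the event-log line quoted above to one fault site (module, version, module-relative offset). It shows that the dump's faulting address 77ef65e1 minus the rpcrt4 base 77e70000 is the same 0x865e1 the event log reports for a different process. The function names and the event-log regex are assumptions for illustration; the sample inputs are constructed from the text quoted in the posts.

```python
import re
from collections import defaultdict

# Constructed sample: fields copied from the !analyze -v / lmvm output in the first post.
SAMPLE_DUMP = """\
PROCESS_NAME: SiteAdv.exe
FAULTING_IP:
rpcrt4!CStdAsyncStubBuffer2_Release+2b
77ef65e1 8b08 mov ecx,dword ptr [eax]
0:002> lmvm rpcrt4
start    end      module name
77e70000 77f01000 rpcrt4 (pdb symbols)
    File version: 5.1.2600.3173
"""
# Event-log text as quoted in the post above (the poster's own wording and spelling).
SAMPLE_EVENT = ("Faulty/wrong program lsass.exe, version 5.1.2600.2180, faulty/wrong modul "
                "rpcrt4.dll, version 5.1.2600.3173, faulty/wrong adress 0x000865e1.")

def dump_fault(text):
    """Return (process, (module, version, module-relative offset)) from debugger output."""
    proc = re.search(r"PROCESS_NAME:\s*(\S+)", text).group(1)
    mod, ip = re.search(r"FAULTING_IP:\s*(\w+)!\w+\+[0-9a-f]+\s+([0-9a-f]{8})\b", text).groups()
    rng = re.search(rf"^([0-9a-f]{{8}})\s+([0-9a-f]{{8}})\s+{re.escape(mod)}\b", text, re.M)
    base, end, addr = int(rng.group(1), 16), int(rng.group(2), 16), int(ip, 16)
    if not base <= addr < end:
        raise ValueError("faulting IP lies outside the module range reported by lmvm")
    ver = re.search(r"File version:\s*([\d.]+)", text).group(1)
    return proc, (mod.lower(), ver, addr - base)

def event_fault(line):
    """Same tuple from an event-log line; the field wording is assumed from the post."""
    m = re.search(r"program ([^,\s]+), version [\d.]+, .*?modul\w* ([^,\s]+), "
                  r"version ([\d.]+), .*?(0x[0-9a-fA-F]+)", line)
    proc, mod, ver, off = m.groups()
    return proc, (re.sub(r"\.dll$", "", mod.lower()), ver, int(off, 16))

def bucket(records):
    """Group crashing processes by fault site (module, version, offset)."""
    sites = defaultdict(set)
    for proc, site in records:
        sites[site].add(proc)
    return dict(sites)

if __name__ == "__main__":
    records = [dump_fault(SAMPLE_DUMP), event_fault(SAMPLE_EVENT)]
    for (mod, ver, off), procs in bucket(records).items():
        print(f"{mod} {ver} +0x{off:x}: {sorted(procs)}")
```

Feeding every collected dump and event-log entry through bucket() shows at a glance whether the crashes share one fault site or several.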
Guest Ottmar Freudenberger
Posted October 20, 2007

<crtombes@yahoo.se> wrote:

> I will add that the services crashing are different, alg.exe,
> lssas.exe, vmplayer.exe etc and at random interval.

Have you tried installing KB933729 *without* *any* McAfee and other applications running in the background? Even in Safe Mode of Windows XP?

Bye,
Freudi