crash - Windows Rundll32 (child process of DllHost) is crashing. How can I even identify it? - Super User


Windows 10 Home / "x64-based PC" / Dell XPS 13 9360

In Reliability Monitor, I have many "app failures" every day. They go all the way back to 2017-12-04 without variation (the details below are identical), which is when I believe the machine was first used. The problem is marked as having been reported (apart from the problem instances in the past few minutes).

@magicandre1981 suggested that I open a public problem in the Windows app Feedback Hub for this reason.

My question is: how can I identify this? What causes the crashes? Can it be resolved somehow?

Problem details

  • faulting application path: c:\windows\system32\rundll32.exe
  • problem event name: appcrash
  • fault module name: windows.ui.immersive.dll
  • fault module version: 10.0.16299.125
  • exception offset: 00000000000ac885
  • exception code: c0000005
  • os version: 10.0.16299.2.0.0.768.101
  • bucket id: ab5106f0b0020ee0d7e0c2d4f71642fb (1720589277589816059)

"Anti-virus" is installed (McAfee VirusSafe) and running, with no alerts, no quarantined items, and no significant logs that I can find. sfc /scannow gives the system a clean bill of health.

Triggering the problem manually

It seems possible to trigger the crash by logging in. This isn't what has been causing it in the past, because the machine doesn't have a user logging in and out (or turning the machine on and off).

Process Monitor allows me to trace process creation and exit. Running it as a second user, I was able to see the crashing process:

  • command line: "c:\windows\system32\rundll32.exe" -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617.

It's not clear what this UUID is. The -localserver option does not appear to be documented. Google finds a question, where the answer claims "the process is a profiling performance analysis program (Windows performance counter program)". Admittedly, I can see profapi.dll and powrprof.dll loaded in the process.

  • parent process: dllhost.exe ("com surrogate").

This is described as "I don't feel good about this code, so I'm going to ask COM to host it in another process. That way, if it crashes, it's the COM Surrogate sacrificial process that crashes instead of me".

  • command line: c:\windows\system32\dllhost.exe /processid:{133eac4f-5891-4d04-bada-d84870380a80}

This UUID in the parent's command line can be found in the registry. It is associated with the name "shell create object task server". Using registry tracking in Process Monitor, I see that dllhost loads shell32.dll (located via hkcr\clsid\{133eac...}\inprocserver32).

=> I think I can identify the parent process as shell32.dll / "shell create object task server", and as part of the OS.

Both processes run as user NT AUTHORITY\SYSTEM. This seems a possible avenue of investigation. What privileged part of the GUI software is it doing, that needs to run in a separate process?

Crash backtrace

After running procdump -ma -i c:\dumps, I was able to capture crash dumps. (procdump -u to stop capturing). The analyzer DebugDiag was able to open them and run CrashHangAnalysis:

in rundll32.exe_171225_165805.dmp assembly instruction @ windows_ui_immersive!cusertilevalidator::_setreadonlycapability+1d in c:\windows\system32\windows.ui.immersive.dll microsoft corporation has caused access violation exception (0xc0000005) when trying read memory location 0x00000000 on thread 0.

the following threads in rundll32.exe_171225_165805.dmp processing inbound rpc call on lrpc ole54bfb094974a828ace9fbfe5a353 endpoint:

( 0 )

thread 0 - system id 4332

  • entry point rundll32!wwinmaincrtstartup
  • create time 25/12/2017 16:58:04
  • time spent in user mode 0 days 00:00:00.000
  • time spent in kernel mode 0 days 00:00:00.000

    ntdll!ntwaitformultipleobjects+14
    ntdll!werpwaitforcrashreporting+a8
    ntdll!rtlreportexceptionhelper+33e
    ntdll!rtlreportexception+9d
    combase!serverexceptionfilter+71
    combase!appinvokeexceptionfilterwithmethodaddress+62
    combase!`objectmethodexceptionhandlingaction<<lambda_76d9e92c799d246a4afbe64a2bf5673d> >'::`1'::filt$0+77
    ucrtbase!_c_specific_handler+a0
    ntdll!rtlpexecutehandlerforexception+d
    ntdll!rtldispatchexception+358
    ntdll!kiuserexceptiondispatch+2e
    windows_ui_immersive!cusertilevalidator::_setreadonlycapability+1d
    windows_ui_immersive!cusertilevalidator::_generatelargefromdynamicandreset+23
    windows_ui_immersive!cusertilevalidator::validateusertile+141
    rpcrt4!invoke+73
    rpcrt4!ndrstubcall2+3a5
    rpcrt4!ndrstubcall3+e3
    combase!cstdstubbuffer_invoke+62
    rpcrt4!cstdstubbuffer_invoke+3b
    combase!objectmethodexceptionhandlingaction<<lambda_76d9e92c799d246a4afbe64a2bf5673d> >+53
    combase!defaultstubinvoke+2d2
    combase!servercall::contextinvoke+492
    combase!appinvoke+99e
    combase!cominvokewithlockandipid+55b
    combase!cominvoke+210
    combase!threaddispatch+d4
    combase!threadwndproc+e8
    user32!usercallwinproccheckwow+2ad
    user32!dispatchmessageworker+19f
    rundll32!_invokelocalserver+1b9
    rundll32!wwinmain+168
    rundll32!operator delete+2eb
    kernel32!basethreadinitthunk+14
    ntdll!rtluserthreadstart+21

inbound rpc call:

  • protocol sequence: ncalrpc
  • endpoint: ole54bfb094974a828ace9fbfe5a353
  • source process id: 1160
  • source thread id: 2624

PID 1160 is the svchost.exe instance for "RPC" and "RPC Endpoint Mapper", according to Process Explorer.

What causes the crashes? Can it be resolved somehow?

Apparently, the crashes are caused by validating the usertile of a specific user.

I believe this refers to the picture shown when you log in. After setting the user's picture to an arbitrary image file taken from pictures/, the crash is no longer triggered when I go to switch users and log in as the specific user.

How can I identify this?

It looks like the "exception offset" is the code offset inside the dll/exe (i.e. avoiding the effect of relocation / address randomization). The crash location can be identified by the "exception offset" + the specific dll/exe contents -

  • fault module name: windows.ui.immersive.dll
  • fault module version: 10.0.16299.125
  • "x64-based pc" (the 64-bit version of the dll, not the 32-bit "x86").

If you have debugging symbols for the dll/exe, you may be able to take the effort to find the location. Use procdump as described to capture a crash dump. Open the dump in a debugger that supports the Microsoft symbol service, if the dll/exe is from Microsoft. The names of symbols are less likely to change over time (or on different hardware platforms) than numeric addresses. The debugger will show the full trace of nested function calls leading to the crash.

  • symbolic location: windows_ui_immersive!cusertilevalidator::_setreadonlycapability+1d etc.
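
As an added example (not part of the original post), the sketch below picks the faulting frame out of a DebugDiag stack line like the one above and checks that it lies in the module Reliability Monitor reported. The function names are hypothetical, and the sample stack is a shortened copy of the frames in the post.

```python
import re

# Thread 0 frames copied from the DebugDiag output in the post (shortened,
# innermost frame first, two spaces between frames as DebugDiag printed them).
STACK = (
    "ntdll!ntwaitformultipleobjects+14  ntdll!werpwaitforcrashreporting+a8  "
    "ntdll!rtlreportexception+9d  combase!serverexceptionfilter+71  "
    "ucrtbase!_c_specific_handler+a0  ntdll!rtldispatchexception+358  "
    "ntdll!kiuserexceptiondispatch+2e  "
    "windows_ui_immersive!cusertilevalidator::_setreadonlycapability+1d  "
    "windows_ui_immersive!cusertilevalidator::validateusertile+141  "
    "rpcrt4!invoke+73  combase!cominvoke+210  rundll32!wwinmain+168"
)
# "Fault module name" from the Reliability Monitor problem details in the post.
WER_FAULT_MODULE = "windows.ui.immersive.dll"

FRAME = re.compile(r"^(?P<module>[^!]+)!(?P<symbol>.+)\+(?P<off>[0-9a-f]+)$", re.I)

def parse_frames(stack):
    """Split a DebugDiag stack line into (module, symbol, offset) tuples."""
    frames = []
    for text in re.split(r"\s{2,}", stack.strip()):
        m = FRAME.match(text)
        if m:
            frames.append((m["module"].lower(), m["symbol"], int(m["off"], 16)))
    return frames

def faulting_frame(frames):
    """Frames above ntdll!KiUserExceptionDispatch* are exception dispatch and
    crash reporting; the frame right after it is where the fault was raised."""
    for i, (module, symbol, _) in enumerate(frames[:-1]):
        if module == "ntdll" and symbol.lower().startswith("kiuserexceptiondispatch"):
            return frames[i + 1]
    return frames[0] if frames else None

def debugger_module_name(file_name):
    """WinDbg-style debuggers drop the extension and replace dots with
    underscores: windows.ui.immersive.dll -> windows_ui_immersive."""
    stem = file_name.lower().rsplit(".", 1)[0]
    return stem.replace(".", "_")

def dump_matches_report(stack, wer_module):
    """True when the dump's faulting frame is in the module WER reported."""
    frame = faulting_frame(parse_frames(stack))
    return frame is not None and frame[0] == debugger_module_name(wer_module)

if __name__ == "__main__":
    module, symbol, off = faulting_frame(parse_frames(STACK))
    print(f"{module}!{symbol}+0x{off:x}", dump_matches_report(STACK, WER_FAULT_MODULE))
```

The "+1d" in the faulting frame is an offset from the start of the function, while the "exception offset" in the problem details is an offset from the start of the module, so the two numbers can only be tied together with symbols for that exact module version.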
