I’ve been bugging with an explorer crash which recently appears in my Windows XP machine.
Problem : Explorer crashes on closing last remaining explorer window)
I can’t totally figure out what’s really happening inside. My vial guess was towards some problematic explorer plug-in or perhaps my machine might be infect by some malware. The chance for the latter is rare as I believe I’m running with the very latest updates of Norton Antivirus (I’m not saying Norton is completely risk free).
Anyway I decided for a postmortem debugging and installed Dr.Watson as my default application debugger (Run-> drwtsn32 –I). But what really happened was, on crashing explorer window, Dr.Watson was getting hang and not dumping the explorer process. Again the default application debugger changed to WinDBG (Run->($Debugging-Tools-path)\WinDBG.exe –I ).
then I reproduced the problem again and WinDBG caught the exception. When I checked the problematic thread’s call stack, I could see that, the issues are happening with a thread which is trying to unload
[sourcecode language='cpp']
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0436ffa8 001e02ba 000047c4 0436ffec 7c80b713
0436ffb4 7c80b713 02c7ee5c 00000000 00000000 0x1e02ba
0436ffec 00000000 03151685 02c7ee5c 00000000 kernel32!BaseThreadStart+0×37
[/sourcecode]
Also, when I checked using “lm” command, it has given the loaded and unloaded modules’ list. In the unloaded modules list, iefdm2.dll was there. It was quite sure that the problematic DLL was a plug-in DLL named iefdm2.dll which solely belongs to “Free Download Manager”. FDM ver 2.5 was installed in my system. My Internet Explorer version was IE 8 – Beta and recently updated to RC1.
Solution: The latest version (ver 3.0) is working fine without any problems in my machine. If you’re not ready for an upgrade, the best thing can do is to disable particular add-on and sacrifice the FDM-IE integrated services. Disable add-on from Tools->Options->Programs(Tab)->Manage Addon, See the figure below.
If you’re much interested in further debugging analysis, see the below output from “analyze –v” command
[sourcecode language='cpp']
FAULTING_IP:
iefdm2+16ce
02f516ce ?? ???
EXCEPTION_RECORD: ffffffff — (.exr 0xffffffffffffffff)
ExceptionAddress: 02f516ce (
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 02f516ce
Attempt to read from address 02f516ce
FAULTING_THREAD: 00001f40
DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR
PROCESS_NAME: explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
READ_ADDRESS: 02f516ce
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
IP_MODULE_UNLOADED:
iefdm2+16ce
02f516ce ?? ???
LAST_CONTROL_TRANSFER: from 000e0908 to 02f516ce
PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR
IP_ON_HEAP: 000e0908
FRAME_ONE_INVALID: 1
STACK_TEXT:
02f516ce iefdm2
FAILED_INSTRUCTION_ADDRESS:
iefdm2+16ce
02f516ce ?? ???
FOLLOWUP_IP:
iefdm2+16ce
02f516ce ?? ???
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: iefdm2+16ce
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: iefdm2
IMAGE_NAME: iefdm2.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 48588784
STACK_COMMAND: dds 2f516ce ; kb
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_iefdm2.dll!Unloaded
BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_BAD_IP_iefdm2+16ce
Followup: MachineOwner
———
[/sourcecode]