Monday, June 16, 2014

Using WinDbg to find root cause of application crash

Below are the steps taken to resolve random application crashes occurring on a machine.
Symptoms:
After a Windows update, Microsoft Word, Excel and a number of third-party applications started to crash on the machine, with the following error message being displayed.



Common troubleshooting techniques such as booting into safe mode, running antivirus and running "sfc /scannow" did not yield any results. Rolling back the Windows patches did not revert the behavior either.

Resolution
1. Obtain a memory dump for the failing process (winword.exe in this case). Follow this article to enable memory dump generation. (http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181(v=vs.85).aspx)
2. Load the generated dump in WinDbg and issue the "lmv" command. This command lists the modules loaded into the process at the time of the crash. Look for anything that is not signed, has no version information, or looks out of place. It was pretty obvious in my case: in the listing below, FastAndSafe.dll is loaded from c:\ProgramData and reports file version 0.0.0.0.
74b00000 74b80000   uxtheme    (deferred)            
    Image path: C:\Windows\System32\uxtheme.dll
    Image name: uxtheme.dll
    Timestamp:        Mon Jul 13 20:11:24 2009 (4A5BDB3C)
    CheckSum:         000479E1
    ImageSize:        00080000
    File version:     6.1.7600.16385
    Product version:  6.1.7600.16385
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     UxTheme.dll
    OriginalFilename: UxTheme.dll
    ProductVersion:   6.1.7600.16385
    FileVersion:      6.1.7600.16385 (win7_rtm.090713-1255)
    FileDescription:  Microsoft UxTheme Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
74d40000 75156000   FastAndSafe   (deferred)            
    Image path: c:\ProgramData\Fast And Safe\FastAndSafe.dll
    Image name: FastAndSafe.dll

    Timestamp:        Wed May 21 09:33:53 2014 (537CB951)
    CheckSum:         003FEFF5
    ImageSize:        00416000
    File version:     0.0.0.0
    Product version:  0.0.0.0
    File flags:       0 (Mask 0)
    File OS:          0 Unknown Base
    File type:        0.0 Unknown
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
75160000 75169000   version    (deferred)            
    Image path: C:\Windows\System32\version.dll
    Image name: version.dll
    Timestamp:        Mon Jul 13 20:11:07 2009 (4A5BDB2B)
    CheckSum:         000138C1
    ImageSize:        00009000
    File version:     6.1.7600.16385
    Product version:  6.1.7600.16385
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
3. Find out how this module got loaded into the executable by using Sysinternals autoruns.exe. That utility also provides the solution to the problem.
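
The review of "lmv" output in step 2 can be scripted when a dump lists hundreds of modules. The following Python script is an added example, not part of the original post; the sample listing is constructed from the output above, and the directory list and flag rules are assumptions.

```python
import re

# Constructed sample: abbreviated "lmv" output modelled on the listing in the post.
SAMPLE_LMV = r"""74b00000 74b80000   uxtheme    (deferred)
    Image path: C:\Windows\System32\uxtheme.dll
    File version:     6.1.7600.16385
    File type:        2.0 Dll
    CompanyName:      Microsoft Corporation
74d40000 75156000   FastAndSafe   (deferred)
    Image path: c:\ProgramData\Fast And Safe\FastAndSafe.dll
    File version:     0.0.0.0
    File type:        0.0 Unknown
"""

HEADER = re.compile(r"^([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)", re.I)  # start end name
FIELD = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*)$")                   # indented "Key: value"
# Assumption: locations a standard user can usually write to.
USER_WRITABLE = (r"c:\programdata", r"c:\users", r"c:\temp")

def parse_lmv(text):
    """Split lmv output into one dict per module, keyed by field name."""
    modules = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            modules.append({"start": head.group(1), "end": head.group(2),
                            "module": head.group(3)})
        elif modules and (field := FIELD.match(line)):
            modules[-1].setdefault(field.group(1).strip(), field.group(2).strip())
    return modules

def triage(module):
    """Return the reasons a module looks out of place (empty list: nothing flagged)."""
    reasons = []
    if module.get("Image path", "").lower().startswith(USER_WRITABLE):
        reasons.append("loaded from a user-writable directory")
    if module.get("File version", "0.0.0.0") == "0.0.0.0":
        reasons.append("no file version")
    if "unknown" in module.get("File type", "unknown").lower():
        reasons.append("unknown file type")
    if not module.get("CompanyName"):
        reasons.append("no CompanyName in version resource")
    return reasons

def suspicious_modules(text):
    """Map module name to its list of reasons, for flagged modules only."""
    return {m["module"]: r for m in parse_lmv(text) if (r := triage(m))}

if __name__ == "__main__":
    for name, reasons in suspicious_modules(SAMPLE_LMV).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The flags are triage hints only: "lmv" does not report signature status, so check a flagged file's signature separately, for example with Sysinternals sigcheck.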

