Faulting App 'explorer.exe', Faulting Module 'ntdll.dll'

[Guest]

Hey,

I'm struglling with this one:

I've a client who has a problem on his system in that when trying to browse
"My Computer", either by way of 'double-click' or 'right-click' the 'shell'
crashes with an application error.

The machine runs on XP Pro SP2, Office 2003 Pro. Is fully 'windowsupdated'.
I have run a barrage of malware checks on it, removed some errant software,
all withoutjoy.

What this machine has got (much to my horror), is Norton SystemWorks (with
GoBack). I suspect that this may have something to do with it. It certainly
is limiting me from deleting explorer.exe* (which would automatically be
recreated), it comes up "access denied".

*Deleting explorer.exe has assisted me on previous occasions when I've
encountered this.

A Hijackthis log is available for anyone who'd like to review it. As is the
'Application' Event Log.

The following lines do appear in the latter log, when the problem occurs:
1. "Faulting application explorer.exe, version 6.0.2900.2180, faulting
module ntdll.dll, version 5.1.2600.2180, fault address 0x000118d0."
2. "Fault bucket 128898581."
3. "The shell stopped unexpectedly and Explorer.exe was restarted."

Strangely the client can browse his "My Documents" folder without issue.
Similarly the "Desktop", but the moment "My Computer" is selected in the
'tree'/folder list, explorer crashes.

All office apps, Outlook and Internet Explorer work fine.


Any clues would be great. My 2nd last resort will be to remove Norton (oh
joy) and if that fails, re-install Windows (even more joy).


P.

 

[Gerry Cornell]

Paul

Bits of Error Reports aren't helpful as they start a guessing game!


Please check Event Viewer for Warning / Error Reports in the System and
Application logs for the last boot and post copies.

You can access Event Viewer by selecting Start, Administrative Tools,
and Event Viewer. When researching the meaning of the error, information
regarding Event ID, Source and Description are important.

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308427&sd=tech

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window, which appears is a
button
resembling two pages. Click the button and close Event Viewer. Now
start your message (email) and do a paste into the body of the message.
This will paste the info from the Event Viewer Error Report into the
message. Make sure this is the first paste after exiting from Event
Viewer.


--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 

[Guest]

Hey Gerry,

Thanks for your response. after having gone through the Event Viewer and
discovering nothing out of the ordinary in the System log, I took a copy of
the Application log only.

The earliest problems of note started last Tuesday with the following:

Warning:
"Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1015
Date: 12/12/2006
Time: 2:25:25 p.m.
User: S-1-5-21-299502267-507921405-725345543-1004
Computer: BRIANS-PC
Description:
Failed to connect to server. Error: 0x800401F0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp."

This was repeated on about 50 lines. It coincides with a network issue at
the time. The DHCP server in the router was dishing out an oddball subnet :
255.255.0.0. Once that was solved Symantec LiveUpdate kicked in which is
shown as follows:

Info:
Event Type: Information
Event Source: Automatic LiveUpdate Scheduler
Event Category: (1)
Event ID: 101
Date: 12/12/2006
Time: 2:30:33 p.m.
User: NT AUTHORITY\SYSTEM
Computer: BRIANS-PC
Description:
The description for Event ID ( 101 ) in Source ( Automatic LiveUpdate
Scheduler ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: success, Scheduler launched Automatic LiveUpdate.

Followed by :
Error:
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 12/12/2006
Time: 2:31:12 p.m.
User: N/A
Computer: BRIANS-PC
Description:
Hanging application AutoPlay.exe, version 1.0.0.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 41 75 74 6f 50 6c AutoPl
0018: 61 79 2e 65 78 65 20 31 ay.exe 1
0020: 2e 30 2e 30 2e 31 20 69 .0.0.1 i
0028: 6e 20 68 75 6e 67 61 70 n hungap
0030: 70 20 30 2e 30 2e 30 2e p 0.0.0.
0038: 30 20 61 74 20 6f 66 66 0 at off
0040: 73 65 74 20 30 30 30 30 set 0000
0048: 30 30 30 30 0000

and then Hey Presto! the originally suggested errors start:

Error:
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/12/2006
Time: 2:32:03 p.m.
User: N/A
Computer: BRIANS-PC
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module
ntdll.dll, version 5.1.2600.2180, fault address 0x000118d0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180
0030: 69 6e 20 6e 74 64 6c 6c in ntdll
0038: 2e 64 6c 6c 20 35 2e 31 .dll 5.1
0040: 2e 32 36 30 30 2e 32 31 .2600.21
0048: 38 30 20 61 74 20 6f 66 80 at of
0050: 66 73 65 74 20 30 30 30 fset 000
0058: 31 31 38 64 30 0d 0a 118d0..

then :

Info:
Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1002
Date: 12/12/2006
Time: 2:32:10 p.m.
User: N/A
Computer: BRIANS-PC
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Info:
Event Type: Information
Event Source: Automatic LiveUpdate Scheduler
Event Category: (1)
Event ID: 101
Date: 12/12/2006
Time: 2:33:30 p.m.
User: NT AUTHORITY\SYSTEM
Computer: BRIANS-PC
Description:
The description for Event ID ( 101 ) in Source ( Automatic LiveUpdate
Scheduler ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: success, Automatic LiveUpdate has terminated..

Info:
Event Type: Information
Event Source: Automatic LiveUpdate Scheduler
Event Category: (1)
Event ID: 101
Date: 12/12/2006
Time: 2:33:30 p.m.
User: NT AUTHORITY\SYSTEM
Computer: BRIANS-PC
Description:
The description for Event ID ( 101 ) in Source ( Automatic LiveUpdate
Scheduler ) cannot be found. The local computer may not have the necessary
registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following information is
part of the event: success, The next run has been scheduled to occur at
approximately 6:03 PM..


The following sequence of messages occur everytime an attempt is made to
browse "My Computer" (or what actually triggered this thread), essentially on
demand. I've only taken a snapshot the last three entries in the specific log
for this:

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 14/12/2006
Time: 1:47:52 p.m.
User: N/A
Computer: BRIANS-PC
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting module
ntdll.dll, version 5.1.2600.2180, fault address 0x000118d0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180
0030: 69 6e 20 6e 74 64 6c 6c in ntdll
0038: 2e 64 6c 6c 20 35 2e 31 .dll 5.1
0040: 2e 32 36 30 30 2e 32 31 .2600.21
0048: 38 30 20 61 74 20 6f 66 80 at of
0050: 66 73 65 74 20 30 30 30 fset 000
0058: 31 31 38 64 30 0d 0a 118d0..

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 14/12/2006
Time: 1:50:33 p.m.
User: N/A
Computer: BRIANS-PC
Description:
Fault bucket 128898581.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 31 32 38 38 39 38 35 38 12889858
0010: 31 0d 0a 1..

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1002
Date: 14/12/2006
Time: 1:52:41 p.m.
User: N/A
Computer: BRIANS-PC
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


If you want more than this, give me an email address and I send the file to
you. A 512k EVT log file is not an easy one to cut and paste all the content
from.

P.

 

[Gerry Cornell]

Paul

Replies inline

Hey Gerry,

Thanks for your response. after having gone through the Event Viewer
and
discovering nothing out of the ordinary in the System log, I took a
copy of
the Application log only.

The earliest problems of note started last Tuesday with the following:

Warning:
"Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1015
Date: 12/12/2006
Time: 2:25:25 p.m.
User: S-1-5-21-299502267-507921405-725345543-1004
Computer: BRIANS-PC
Description:
Failed to connect to server. Error: 0x800401F0

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp."

Event ID 1015 is logged in the Application log when you use the
OHotFix program to install Office updates
http://support.microsoft.com/default.aspx/kb/907341

This was repeated on about 50 lines. It coincides with a network issue
at
the time. The DHCP server in the router was dishing out an oddball
subnet :
255.255.0.0. Once that was solved Symantec LiveUpdate kicked in which
is
shown as follows:

Info:
Event Type: Information
Event Source: Automatic LiveUpdate Scheduler
Event Category: (1)
Event ID: 101
Date: 12/12/2006
Time: 2:30:33 p.m.
User: NT AUTHORITY\SYSTEM
Computer: BRIANS-PC
Description:
The description for Event ID ( 101 ) in Source ( Automatic LiveUpdate
Scheduler ) cannot be found. The local computer may not have the
necessary
registry information or message DLL files to display messages from a
remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following
information is
part of the event: success, Scheduler launched Automatic LiveUpdate.

What version of Norton System Works? The delay be because you need to
update the installed version of Live Update. What version of Live Update
is installed?

Followed by :
Error:
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 12/12/2006
Time: 2:31:12 p.m.
User: N/A
Computer: BRIANS-PC
Description:
Hanging application AutoPlay.exe, version 1.0.0.1, hang module
hungapp,
version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 41 75 74 6f 50 6c AutoPl
0018: 61 79 2e 65 78 65 20 31 ay.exe 1
0020: 2e 30 2e 30 2e 31 20 69 .0.0.1 i
0028: 6e 20 68 75 6e 67 61 70 n hungap
0030: 70 20 30 2e 30 2e 30 2e p 0.0.0.
0038: 30 20 61 74 20 6f 66 66 0 at off
0040: 73 65 74 20 30 30 30 30 set 0000
0048: 30 30 30 30 0000

Is there a matching Event ID: 1001? Has this error occurred more than
once? I could be copy protection kicking in.

and then Hey Presto! the originally suggested errors start:

Error:
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 12/12/2006
Time: 2:32:03 p.m.
User: N/A
Computer: BRIANS-PC
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting
module
ntdll.dll, version 5.1.2600.2180, fault address 0x000118d0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180
0030: 69 6e 20 6e 74 64 6c 6c in ntdll
0038: 2e 64 6c 6c 20 35 2e 31 .dll 5.1
0040: 2e 32 36 30 30 2e 32 31 .2600.21
0048: 38 30 20 61 74 20 6f 66 80 at of
0050: 66 73 65 74 20 30 30 30 fset 000
0058: 31 31 38 64 30 0d 0a 118d0..

This one is difficult.

Wondering this is worth trying:
http://windowsxp.mvps.org/slowrightclick.htm

What do you do to cause the error?

then :

Info:
Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1002
Date: 12/12/2006
Time: 2:32:10 p.m.
User: N/A
Computer: BRIANS-PC
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Info:
Event Type: Information
Event Source: Automatic LiveUpdate Scheduler
Event Category: (1)
Event ID: 101
Date: 12/12/2006
Time: 2:33:30 p.m.
User: NT AUTHORITY\SYSTEM
Computer: BRIANS-PC
Description:
The description for Event ID ( 101 ) in Source ( Automatic LiveUpdate
Scheduler ) cannot be found. The local computer may not have the
necessary
registry information or message DLL files to display messages from a
remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following
information is
part of the event: success, Automatic LiveUpdate has terminated..

Info:
Event Type: Information
Event Source: Automatic LiveUpdate Scheduler
Event Category: (1)
Event ID: 101
Date: 12/12/2006
Time: 2:33:30 p.m.
User: NT AUTHORITY\SYSTEM
Computer: BRIANS-PC
Description:
The description for Event ID ( 101 ) in Source ( Automatic LiveUpdate
Scheduler ) cannot be found. The local computer may not have the
necessary
registry information or message DLL files to display messages from a
remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following
information is
part of the event: success, The next run has been scheduled to occur
at
approximately 6:03 PM..


The following sequence of messages occur everytime an attempt is made
to
browse "My Computer" (or what actually triggered this thread),
essentially on
demand. I've only taken a snapshot the last three entries in the
specific log
for this:

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 14/12/2006
Time: 1:47:52 p.m.
User: N/A
Computer: BRIANS-PC
Description:
Faulting application explorer.exe, version 6.0.2900.2180, faulting
module
ntdll.dll, version 5.1.2600.2180, fault address 0x000118d0.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 65 78 70 ure exp
0018: 6c 6f 72 65 72 2e 65 78 lorer.ex
0020: 65 20 36 2e 30 2e 32 39 e 6.0.29
0028: 30 30 2e 32 31 38 30 20 00.2180
0030: 69 6e 20 6e 74 64 6c 6c in ntdll
0038: 2e 64 6c 6c 20 35 2e 31 .dll 5.1
0040: 2e 32 36 30 30 2e 32 31 .2600.21
0048: 38 30 20 61 74 20 6f 66 80 at of
0050: 66 73 65 74 20 30 30 30 fset 000
0058: 31 31 38 64 30 0d 0a 118d0..

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 14/12/2006
Time: 1:50:33 p.m.
User: N/A
Computer: BRIANS-PC
Description:
Fault bucket 128898581.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 31 32 38 38 39 38 35 38 12889858
0010: 31 0d 0a 1..

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1002
Date: 14/12/2006
Time: 1:52:41 p.m.
User: N/A
Computer: BRIANS-PC
Description:
The shell stopped unexpectedly and Explorer.exe was restarted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


If you want more than this, give me an email address and I send the
file to
you. A 512k EVT log file is not an easy one to cut and paste all the
content
from.

P.

You can email me a copy of the Event Log and the HijackThis Report to
(e-mail address removed) but you need to reverse my initials.


--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~