Data Execution Prevention vs svchost

Guest

[I had previously piggybacked this on another post, but since no response,
here it is as its own thread]

One of our customers is getting a Data Execution Error on a particular
instance of svchost.exe. It comes back no matter how many times you click on
send or don't send the error report to Microsoft. The OS is XP Home SP2
(OEM) with all the latest updates. It had been running for months without a
problem. We tried a system restore to a date prior to when the problem
surfaced, with no success.

The only way the customer can get any work done is to drag the DEP message
box off the side. Although I can understand this happening if a non-MS module
loads under svchost.exe, that is not the case in this instance.

Looking at the appcompat.txt file that is part of the error report shows
that all dlls running under this particular instance of svchost are all WinXP
dlls. All are identified in the appcompat.txt file as Microsoft files. Here
is the list of the files running under this particular instance of
svchost.exe and their versions:

advapi32.dll 5.1.2600.2180
gdi32.dll 5.1.2600.2180
kernel32.dll 5.1.2600.2180
ntdll.dll 5.1.2600.2180
ole32.dll 5.1.2600.2595
oleaut32.dll 5.1.2600.2180
shell32.dll 6.0.2900.2578
user32.dll 5.1.2600.2180
wininet.dll 6.0.2900.2577
winsock.dll 3.10.0.103

These match the versions on my trusted bench machine, except for ntdll.dll,
which on my machine is version 5.1.2600.1106. Since my version is older,
might this be causing the problem? Not sure why my machine has an older
version of this file, but it was upgraded from SP1 to SP2 using the
downloaded SP2 package, and has all of the available Windows updates (as of
4/6/05), whereas the customer's shipped with SP2 (OEM).

Is it the case that the DEP could be triggered by interaction of one of the
valid MS dlls with something else running in the system? Norton says no
viruses or adware found. A cursory look reveals no adware (I remove it for a
living, so I know what to look for). If the answer to #1 is yes, I will give
it a thorough adware removal process, but I have to charge the customer
field rates, and don't want to do that if it is not going to cure the problem.

I can provide the appcompat.txt, the WER hexdumps
and the system and application event logs in text format, on request.

Jerry
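
The module-version comparison described in the post above, as an added example that is not part of the original thread. The function names and the bench list are assumptions: the bench list is constructed from the post's statement that only ntdll.dll differs.

```python
# Added example (not from the thread): diff a module list against a baseline.
# CUSTOMER is the list as posted; all names below are hypothetical.
CUSTOMER = """\
advapi32.dll 5.1.2600.2180
gdi32.dll 5.1.2600.2180
kernel32.dll 5.1.2600.2180
ntdll.dll 5.1.2600.2180
ole32.dll 5.1.2600.2595
oleaut32.dll 5.1.2600.2180
shell32.dll 6.0.2900.2578
user32.dll 5.1.2600.2180
wininet.dll 6.0.2900.2577
winsock.dll 3.10.0.103
"""
# Constructed bench list: identical except ntdll.dll, as the post states.
BENCH = CUSTOMER.replace("ntdll.dll 5.1.2600.2180", "ntdll.dll 5.1.2600.1106")


def parse_modules(text):
    """Parse 'name version' lines into {lowercased name: tuple of ints}."""
    modules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        name, version = parts
        modules[name.lower()] = tuple(int(p) for p in version.split("."))
    return modules


def diff_modules(suspect, baseline):
    """Return {name: status} for each module that differs from the baseline."""
    findings = {}
    for name in sorted(set(suspect) | set(baseline)):
        s, b = suspect.get(name), baseline.get(name)
        if s is None:
            findings[name] = "missing on suspect"
        elif b is None:
            findings[name] = "not in baseline"
        elif s != b:
            # Tuples compare field by field as numbers, so 3.10 > 3.9.
            findings[name] = "newer than baseline" if s > b else "older than baseline"
    return findings


if __name__ == "__main__":
    for name, status in diff_modules(parse_modules(CUSTOMER), parse_modules(BENCH)).items():
        print(f"{name}: {status}")
```

A matching version string does not prove a file is unmodified; the comparison only narrows which modules deserve a closer look.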
 
Guest

Check this link, the patch is here for those of us who have HP all-in-one
printers. Worked fine.

ftp://ftp.hp.com/pub/softlib/software5/COL9797/oj-27722-1/hp_gr_scan_update.exe

http://h10025.www1.hp.com/ewfrf/wc/...product=420428&dlc=en&softwareitem=oj-27722-1

Cheers,

Raphael
wyocowboy said:
Since there has been no response, FWIW, here is an update.

I had run across what appeared to be the cause of the problem - HP 7310
All-in-One PSC on the network. Apparently, HP's drivers can trigger this
problem, although it is not clear from any of the postings whether or not any
of HP's dlls show up in the appcompat.txt associated with svchost. In my
customer's case, only MS dlls are referenced.

HP has a critical update to the driver, but the problem persisted, and
continued to occur after uninstalling the printer software. I then disabled
everything in the startup portion of msconfig, and this got rid of the
problem. After iteratively enabling all that had been enabled, the
problem still did not reappear.

I then reinstalled the HP PSC s/w, installed the update, and the problem
still has not recurred, at least over the past 24 hours.

Since the problem went away after disabling everything in msconfig/startup,
this indicates some kind of poisoned interaction between the implicated MS
dlls and something in the startup group, since no dlls are being directly
invoked from msconfig/startup. Since the DEP is implicating MS dlls, this
would still tend to appear to be an MS bug, unless it is the case that the
dll that is triggering the exception is not being recorded.


