Guest
[I had previously piggybacked this on another post, but since no response,
here it is as its own thread]
One of our customers is getting a Data Execution Error on a particular
instance of svchost.exe. It comes back no matter how many times you click on
send or don't send the error report to Microsoft. The OS is XP Home SP2
(OEM) with all the latest updates. It had been running for months without a
problem. We tried a system restore to a date prior to when the problem
surfaced, with no success.
The only way the customer can get any work done is to drag the DEP message
box off the side. Although I can understand this happening if a non-MS module
loads under svchost.exe, that is not the case in this instance.
Looking at the appcompat.txt file that is part of the error report shows
that all dlls running under this particular instance of svchost are all WinXP
dlls. All are identified in the appcompat.txt file as Microsoft files. Here
is the list of the files running under this particular instance of
svchost.exe and their versions:
advapi32.dll 5.1.2600.2180
gdi32.dll 5.1.2600.2180
kernel32.dll 5.1.2600.2180
ntdll.dll 5.1.2600.2180
ole32.dll 5.1.2600.2595
oleaut32.dll 5.1.2600.2180
shell32.dll 6.0.2900.2578
user32.dll 5.1.2600.2180
wininet.dll 6.0.2900.2577
winsock.dll 3.10.0.103
These match the versions on my trusted bench machine, except for ntdll.dll,
which on my machine is version 5.1.2600.1106. Since my version is older,
might this be causing the problem? Not sure why my machine has an older
version of this file, but it was upgraded from SP1 to SP2 using the
downloaded SP2 package, and has all of the available Windows updates (as of
4/6/05), whereas the customer's shipped with SP2 (OEM).
Is it the case that the DEP could be triggered by interaction of one of the
valid MS dlls with something else running in the system? Norton says no
viruses or adware found. A cursory look reveals no adware (I remove it for a
living, so I know what to look for). If the answer to #1 is yes, I will give
it a thorough adware removal process, but I have to charge the customer
field rates, and don't want to do that if it is not going to cure the problem.
I can provide the appcompat.txt, the WER hexdumps
and the system and application event logs in text format, on request.
Jerry