[tc9.12rc4 64bit] crashes on startup windows 10 in ntdll.dll

The behaviour described in the bug report is either by design, or would be far too complex/time-consuming to be changed

svha
Junior Member
Posts: 3
Joined: 2017-11-21, 06:45 UTC
Location: Dresden

[tc9.12rc4 64bit] crashes on startup windows 10 in ntdll.dll

Post by *svha »

Total Commander 64bit crashes. This happens with tc9.12rc4 and also with TC 9.10. The 32bit versions are running fine.

System event viewer:
Name der fehlerhaften Anwendung: TOTALCMD64.EXE, Version: 9.1.2.0, Zeitstempel: 0x00000000
Name des fehlerhaften Moduls: ntdll.dll, Version: 10.0.15063.608, Zeitstempel: 0x8274fd8b
Ausnahmecode: 0xc0000005
Fehleroffset: 0x0000000000025432
ID des fehlerhaften Prozesses: 0x23fc
Startzeit der fehlerhaften Anwendung: 0x01d362936c45af6c
Pfad der fehlerhaften Anwendung: C:\MyPrograms\totalcmd\TOTALCMD64.EXE
Pfad des fehlerhaften Moduls: C:\Windows\SYSTEM32\ntdll.dll
Berichtskennung: 75e0bd49-1990-47f7-98c4-01d7c8336d89
Vollständiger Name des fehlerhaften Pakets:
Anwendungs-ID, die relativ zum fehlerhaften Paket ist:
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Unfortunately this doesn't help me because the crash is in a Windows library, not in Total Commander itself.

I need some kind of stack trace. Could you use the tool Procdump to create
one for me, please:
https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

1. Create new directory c:\dumps
2. Create a lnk file of procdump.exe or procdump64.exe (for 64-bit Windows)
with Ctrl+Shift+F5, e.g. procdump.lnk
3. Change the lnk file with alt+Enter
4. Change the command from c:\path\procdump.exe to
c:\path\procdump.exe -ma -i c:\dumps
5. Important: Click on "Advanced" and check option "As administrator"
6. Run procdump with this link file
7. Wait until the crash occurs.

The resulting crash dump is usually HUGE, but you can easily analyze it yourself with Windbg.

Windbg is made by Microsoft:
https://developer.microsoft.com/en-us/windows/hardware/download-windbg

Usage:
1. Create new directory c:\Symbols
2. Run Windbg
3. File - Symbol search path, add the following:
srv*C:\SYMBOLS*http://msdl.microsoft.com/download/symbols
4. File - Open crash dump - choose the dmp file
5. Enter the following in the command line:
!analyze -v
(including the exclamation mark!) and press ENTER.
6. Wait
7. When the result is there, select all, press Ctrl+C and paste
the result to the email body or to this forum.
Author of Total Commander
https://www.ghisler.com
svha
Junior Member
Posts: 3
Joined: 2017-11-21, 06:45 UTC
Location: Dresden

windbg output

Post by *svha »

Hello, here is the WinDbg trace you have asked for. I hope this will help a bit. If you need more information please feel free to ask me for that.

Because of the crash in RtlUnicodeToMultiByteN: maybe a useful hint is that I use a German Windows 10 installation but Total Commander is set to English language.

Kind regards.


Microsoft (R) Windows Debugger Version 10.0.15063.468 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\box\procdumps\TOTALCMD64.EXE_171121_230024.dmp]
User Mini Dump File with Full Memory: Only application data is available

Comment: '
*** "C:\MyPrograms\Process Utilities\procdump64.exe" -accepteula -ma -j "c:\box\procdumps" 6856 340 0000000010050000
*** Just-In-Time debugger. PID: 6856 Event Handle: 340 JIT Context: .jdinfo 0x10050000'

************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred srv*C:\box
Executable search path is:
Windows 10 Version 15063 MP (2 procs) Free x64
Product: WinNt, suite: SingleUserTS
15063.0.amd64fre.rs2_release.170317-1834
Machine Name:
Debug session time: Tue Nov 21 23:00:25.000 2017 (UTC + 1:00)
System Uptime: 0 days 15:56:07.208
Process Uptime: 0 days 0:00:07.000
................................................................
.......
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1ac8.2078): Access violation - code c0000005 (first/second chance not available)
ntdll!RtlUnicodeToMultiByteN+0x132:
00007ffa`4be25432 884a0c mov byte ptr [rdx+0Ch],cl ds:00007ffa`3bbf0000=4d
0:010> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

*** WARNING: Unable to verify timestamp for TOTALCMD64.EXE
*** ERROR: Module load completed but symbols could not be loaded for TOTALCMD64.EXE
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SHNDLERS64.DLL -
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 400

CONTEXT: (.ecxr)
rax=0000000000005a4d rbx=00007ffa3bbf0000 rcx=00007ffa3bbf003f
rdx=00007ffa3bbefff4 rsi=0000000000000000 rdi=000000001401f290
rip=00007ffa4be25432 rsp=000000001401f1f8 rbp=0000000000000002
r8=00007ffa3bbeffe8 r9=00007ff5fffd0222 r10=0000000000000003
r11=0000000000000003 r12=0000000000000000 r13=0000000000000000
r14=00007ffa45782100 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010244
ntdll!RtlUnicodeToMultiByteN+0x132:
00007ffa`4be25432 884a0c mov byte ptr [rdx+0Ch],cl ds:00007ffa`3bbf0000=4d
Resetting default scope

FAULTING_IP:
ntdll!RtlUnicodeToMultiByteN+132
00007ffa`4be25432 884a0c mov byte ptr [rdx+0Ch],cl

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffa4be25432 (ntdll!RtlUnicodeToMultiByteN+0x0000000000000132)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 00007ffa3bbf0000
Attempt to write to address 00007ffa3bbf0000

DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE

PROCESS_NAME: TOTALCMD64.EXE

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgeführt werden.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgeführt werden.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000001

EXCEPTION_PARAMETER2: 00007ffa3bbf0000

FOLLOWUP_IP:
TOTALCMD64+1c4dc9
00000000`005c4dc9 8945e0 mov dword ptr [rbp-20h],eax

WRITE_ADDRESS: 00007ffa3bbf0000

WATSON_BKT_PROCSTAMP: 0

WATSON_BKT_PROCVER: 9.1.2.0

PROCESS_VER_PRODUCT: Total Commander

WATSON_BKT_MODULE: ntdll.dll

WATSON_BKT_MODSTAMP: 8274fd8b

WATSON_BKT_MODOFFSET: 25432

WATSON_BKT_MODVER: 6.2.15063.608

MODULE_VER_PRODUCT: Microsoft® Windows® Operating System

BUILD_VERSION_STRING: 10.0.15063.296 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH: cca86dd1c1515873b4ae7c6c0e111f2fde519fd1

MODLIST_SHA1_HASH: 6af2b3eefdc6ec796cdab561c124404a98ed4eb4

NTGLOBALFLAG: 0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS: 0

PRODUCT_TYPE: 1

SUITE_MASK: 272

DUMP_FLAGS: 8000c07

DUMP_TYPE: 3

ANALYSIS_SESSION_HOST: SVEN3A

ANALYSIS_SESSION_TIME: 11-21-2017 23:19:03.0726

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

THREAD_ATTRIBUTES:
OS_LOCALE: DEU

PROBLEM_CLASSES:

ID: [0n292]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x2078]
Frame: [0] : ntdll!RtlUnicodeToMultiByteN

ID: [0n265]
Type: [INVALID_POINTER_WRITE]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x2078]
Frame: [0] : ntdll!RtlUnicodeToMultiByteN

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE

PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT

LAST_CONTROL_TRANSFER: from 00007ffa4be252ab to 00007ffa4be25432

STACK_TEXT:
00000000`1401f1f8 00007ffa`4be252ab : 00000000`1401f2a0 00000000`00000000 00000000`1401f290 00000000`00000000 : ntdll!RtlUnicodeToMultiByteN+0x132
00000000`1401f200 00007ffa`4577c10e : 00000000`1401f2a0 00000000`00000000 00000000`00000000 00000000`00000003 : ntdll!RtlUnicodeStringToAnsiString+0x8b
00000000`1401f270 00007ffa`4577c809 : 00000000`0fcbaf60 00000000`1401fd88 00000000`1401f870 00000000`1401fd80 : mpr!OutputStringToAnsiInPlace+0x42
00000000`1401f2c0 00000000`005c4dc9 : 00000000`00000001 00000000`1401fdc0 00000000`00000000 00000000`0921c020 : mpr!WNetEnumResourceA+0x49
00000000`1401f300 00000000`00000001 : 00000000`1401fdc0 00000000`00000000 00000000`0921c020 00000000`1401f428 : TOTALCMD64+0x1c4dc9
00000000`1401f308 00000000`1401fdc0 : 00000000`00000000 00000000`0921c020 00000000`1401f428 00000000`0000001f : 0x1
00000000`1401f310 00000000`00000000 : 00000000`0921c020 00000000`1401f428 00000000`0000001f 00000000`00000000 : 0x1401fdc0


THREAD_SHA1_HASH_MOD_FUNC: d883866e54e88456713897d4010449475e911614

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: a7a745841c6ccb5b7410ec839a250ebaf84649f5

THREAD_SHA1_HASH_MOD: 9de416d9916a0a758982924d5fd2160f70a5e87d

FAULT_INSTR_CODE: 8be04589

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: totalcmd64+1c4dc9

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: TOTALCMD64

IMAGE_NAME: TOTALCMD64.EXE

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: .ecxr ; kb

FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_TOTALCMD64.EXE!Unknown

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_totalcmd64+1c4dc9

FAILURE_EXCEPTION_CODE: c0000005

FAILURE_IMAGE_NAME: TOTALCMD64.EXE

BUCKET_ID_IMAGE_STR: TOTALCMD64.EXE

FAILURE_MODULE_NAME: TOTALCMD64

BUCKET_ID_MODULE_STR: TOTALCMD64

FAILURE_FUNCTION_NAME: Unknown

BUCKET_ID_FUNCTION_STR: Unknown

BUCKET_ID_OFFSET: 1c4dc9

BUCKET_ID_MODTIMEDATESTAMP: 0

BUCKET_ID_MODCHECKSUM: 87ffc8

BUCKET_ID_MODVER_STR: 9.1.2.0

BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_

FAILURE_PROBLEM_CLASS: APPLICATION_FAULT

FAILURE_SYMBOL_NAME: TOTALCMD64.EXE!Unknown

TARGET_TIME: 2017-11-21T22:00:25.000Z

OSBUILD: 15063

OSSERVICEPACK: 296

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt SingleUserTS

USER_LCID: 0

OSBUILD_TIMESTAMP: unknown_date

BUILDDATESTAMP_STR: 160101.0800

BUILDLAB_STR: WinBuild

BUILDOSVER_STR: 10.0.15063.296

ANALYSIS_SESSION_ELAPSED_TIME: a028

ANALYSIS_SOURCE: UM

FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_totalcmd64.exe!unknown

FAILURE_ID_HASH: {b3979966-ddf0-f938-85a5-7e21b4146d29}

Followup: MachineOwner
---------
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Thanks for the stack trace. The crash is happening in the Windows function WNetEnumResource which Total Commander calls for server name "\\tsclient" when it detects that it runs in a remote desktop connection.

This is done to get the list of drives of the local PC from which the user connects. Apparently there is something wrong with your network settings.

You can disable this function:

Please add the following string under section [Configuration] to the file wincmd.ini:
tsclient=

The empty string disables the function. Alternatively, you can specify a different server name in the form
tsclient=\\servername
Author of Total Commander
https://www.ghisler.com
svha
Junior Member
Posts: 3
Joined: 2017-11-21, 06:45 UTC
Location: Dresden

Confirm solution

Post by *svha »

Hello,

Perfect! Your workaround solves the problem. Thanks a lot.

Kind regards
MarcinW
Power Member
Posts: 852
Joined: 2012-01-23, 15:58 UTC
Location: Poland

Post by *MarcinW »

The stack trace shows that TC calls WNetEnumResourceA, i.e. the ANSI version of WNetEnumResource. According to the stack trace, the problem arises during conversion from Unicode to ANSI, when preparing the result for the WNetEnumResourceA call. Maybe some network resource uses a name with Unicode characters, which, for some unknown reason, can't be converted to ANSI?

Since the crash report is from 64-bit TC, WNetEnumResourceW could be used for sure. Maybe using it instead of WNetEnumResourceA would solve the problem? Even 32-bit TC could use WNetEnumResourceW when launched on NT systems.

It would also be interesting to know whether 32-bit TC also crashes in a similar manner.

The problematic resource name could probably be obtained from the dump file.

Regards
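
The reading of the stack trace discussed in the posts above, as an added example (not code from the thread or from Total Commander): it parses the STACK_TEXT frames copied from the posted dump, finds the first frame outside the OS modules, flags ANSI-suffixed API frames, and computes the faulting write address from rdx. The OS_MODULES set, the "A"-suffix heuristic and all function names are assumptions made for this example.

```python
import re

# First six frames copied from the STACK_TEXT section of the dump posted in this thread.
STACK_TEXT = """\
00000000`1401f1f8 00007ffa`4be252ab : 00000000`1401f2a0 00000000`00000000 00000000`1401f290 00000000`00000000 : ntdll!RtlUnicodeToMultiByteN+0x132
00000000`1401f200 00007ffa`4577c10e : 00000000`1401f2a0 00000000`00000000 00000000`00000000 00000000`00000003 : ntdll!RtlUnicodeStringToAnsiString+0x8b
00000000`1401f270 00007ffa`4577c809 : 00000000`0fcbaf60 00000000`1401fd88 00000000`1401f870 00000000`1401fd80 : mpr!OutputStringToAnsiInPlace+0x42
00000000`1401f2c0 00000000`005c4dc9 : 00000000`00000001 00000000`1401fdc0 00000000`00000000 00000000`0921c020 : mpr!WNetEnumResourceA+0x49
00000000`1401f300 00000000`00000001 : 00000000`1401fdc0 00000000`00000000 00000000`0921c020 00000000`1401f428 : TOTALCMD64+0x1c4dc9
00000000`1401f308 00000000`1401fdc0 : 00000000`00000000 00000000`0921c020 00000000`1401f428 00000000`0000001f : 0x1
"""

OS_MODULES = {"ntdll", "mpr"}  # assumption: modules treated as OS code for this triage
SYM_RE = re.compile(r"^(?P<mod>\w+)(?:!(?P<func>\w+))?\+0x(?P<off>[0-9a-f]+)$")


def parse_frames(text):
    """Return one dict per frame; module/func/offset are None for unresolved addresses."""
    frames = []
    for idx, line in enumerate(ln for ln in text.splitlines() if ln.strip()):
        m = SYM_RE.match(line.rsplit(" : ", 1)[-1].strip())
        mod, func, off = m.group("mod", "func", "off") if m else (None, None, None)
        frames.append({"index": idx, "module": mod, "func": func,
                       "offset": int(off, 16) if off else None})
    return frames


def first_app_frame(frames):
    """First resolved frame outside OS_MODULES: the call site the vendor has to look at."""
    for f in frames:
        if f["module"] and f["module"].lower() not in OS_MODULES:
            return f
    return None


def ansi_entry_points(frames):
    """Heuristic: OS functions carrying the Win32 'A' (ANSI) suffix, e.g. FooA."""
    return [f["func"] for f in frames
            if f["func"] and f["module"].lower() in OS_MODULES and re.search(r"[a-z]A$", f["func"])]


def fault_address(rdx, displacement=0x0C):
    """Effective address of `mov byte ptr [rdx+0Ch],cl` and its offset inside a 4 KiB page."""
    addr = rdx + displacement
    return addr, addr % 0x1000


if __name__ == "__main__":
    print(first_app_frame(parse_frames(STACK_TEXT)), fault_address(0x00007FFA3BBEFFF4))
```

The first application frame is index 4 (TOTALCMD64+0x1c4dc9), the same frame WinDbg reports as SYMBOL_STACK_INDEX, and the computed write address 00007ffa3bbf0000 is the first byte of a 4 KiB page.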
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

2MarcinW
That's a good idea, I will change it. According to the thread starter, the 32-bit version does not crash...
Author of Total Commander
https://www.ghisler.com
MarcinW
Power Member
Posts: 852
Joined: 2012-01-23, 15:58 UTC
Location: Poland

Post by *MarcinW »

I looked at Totalcmd64.exe's imports from mpr.dll, and there are more WNetXXX ANSI functions used. You may also want to take a look at them:

WNetAddConnection3A
WNetCancelConnectionA
WNetEnumResourceA
WNetGetConnectionA
WNetGetUserA
WNetOpenEnumA

According to this thread, I also created another thread here.

Regards