Mar 18, 2009
A few days ago I began experiencing an odd behavior on my Vista box: every time I opened the start menu and typed something into the search box, explorer.exe crashed. Further investigation discovered that this was also happening when typing anything into the Run command, into a window address bar and even when typing anything into a New Shortcut address.
NOTE: If you just want to know the solution, go to the end of the post.
Using the great tools provided by Sysinternals and by Microsoft, I launched my comprehensive investigation of the problem.
First of all, I set WinDBG to be the default JIT debugger for crashed applications by running windbg.exe -I.
Next, I caused explorer.exe to crash (which was easy) and analyzed the dump using !analyze -v.
Studying the dump I didn't find any interesting clues except that the call stack of the faulting thread showed that some ole32 and urlmonitor extensions of explorer were there.
So, using Autoruns (by Sysinternals) I first disabled 3rd party extensions like FileZilla shell extension and WinRAR shell extension. Crashed explorer, it restarted and the problem persisted. Next, I disabled all OLE32 and URLMON related extensions, but still explorer was crashing.
Well, if at first you don't succeed - USE MORE EXPLOSIVES!!!
Next, I disabled everything in the Explorer tab of Autoruns hoping that it wouldn't break anything and stop explorer from crashing but to no avail.
Now I got pissed. I launched Process Monitor and Process Explorer, and started crashing the hell out of explorer while comparing the dumps, call stacks, thread IDs, thread methods, files accessed by explorer prior to the crash and registry keys accessed by explorer prior to the crash.
Well, the thread causing the crash was running SHLWAPI.DLL!PathIsRootW and by examining the output of Process Monitor I could see that it was looking for whatever I typed into the address box in PATH folders, favorites and search locations.
Finally, I decided to become BFF with the WinDBG help and find out what else the !analyze extension could offer. Apparently, besides the (very useful) -v switch it also provides the -f and -hang switches that give you more information.
Using these I found that the problem was caused by urlmon.dll, specifically by the ~CUri destructor. From the call stack I could see that ntdll!RtlFreeHeap was the last method to be called, and it was called by the ~CUri destructor and caused a Heap Corruption Exception.
Anyway, since I was really annoyed by this problem for two days by now and in an hour I had to be at a wedding, I did something that I regret: I used the first solution that came to mind.
!!! SOLUTION !!!
I deleted the Internet Explorer browsing history (address history).
It solved the problem which probably was caused by some address (and could be a bug in urlmon.dll) but now I can't further investigate to find what was the exact address in the history that caused the crash.
I apologize for the long story but I feel the need to pass the knowledge to others.
There might be some holes in the plot, but that is probably the best I can do at 3:30 AM after a long day....