KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles

View on GitHub

Q189612: Access Violation Occurs in Windows NT Explorer (Explorer.exe)

Article: Q189612
Product(s): Microsoft Windows NT
Version(s): WinNT:4.0
Operating System(s): 
Keyword(s): kbWinNT400sp4fix
Last Modified: 09-AUG-2001

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows NT Server version 4.0 
- Microsoft Windows NT Workstation version 4.0 
- Microsoft Windows NT Server, Enterprise Edition version 4.0 
- Microsoft Windows NT Server version 4.0, Terminal Server Edition 
-------------------------------------------------------------------------------


SYMPTOMS
========

An access violation occurs in Windows NT Explorer (Explorer.exe), which
generates a Dr. Watson log similar to the following:

State Dump for Thread Id 0xd1

eax=00000004 ebx=00000000 ecx=001745a0 edx=00188c44 esi=00140000
edi=fffffffc
eip=77f64b53 esp=0103fa2c ebp=0103fa44 iopl=0         nv up ei pl zr na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
efl=00000246

function: RtlFreeHeap
       77f64b32 53               push    ebx
       77f64b33 56               push    esi
       77f64b34 57               push    edi
       77f64b35 0f84d7010000     je      RtlFreeHeap+0x1ec (77f64d12)
       77f64b3b 8b7508           mov     esi,[ebp+0x8]
ss:0239e44a=????????
       77f64b3e 8b5d0c           mov     ebx,[ebp+0xc]
ss:0239e44a=????????
       77f64b41 0b5e10           or      ebx,[esi+0x10]
ds:0149ea06=00000000
       77f64b44 f7c3600f036f     test    ebx,0x6f030f60
       77f64b4a 0f85b8010000     jne     RtlFreeHeap+0x1e2 (77f64d08)
       77f64b50 8d78f8           lea     edi,[eax-0x8]
ds:0135ea0a=890c8d92

FAULT ->77f64b53 f6470501         test    byte ptr [edi+0x5],0x1
ds:0135ea02=89
       77f64b57 0f8485010000     je      RtlFreeHeap+0x1bc (77f64ce2)
       77f64b5d a807             test    al,0x7
       77f64b5f 0f857d010000     jne     RtlFreeHeap+0x1bc (77f64ce2)
       77f64b65 807f0410         cmp     byte ptr [edi+0x4],0x10
ds:0135ea02=89
       77f64b69 0f8373010000     jnb     RtlFreeHeap+0x1bc (77f64ce2)
       77f64b6f 83e301           and     ebx,0x1
       77f64b72 750b             jnz     RtlFreeHeap+0x59 (77f64b7f)
       77f64b74 ffb6b8040000     push    dword ptr [esi+0x4b8]
ds:001404b8=00140548
       77f64b7a e891280000       call    RtlEnterCriticalSection
(77f67410)
       77f64b7f f6470508         test    byte ptr [edi+0x5],0x8
ds:0135ea02=89
       77f64b83 0f85f8000000     jne     RtlFreeHeap+0x15b (77f64c81)

*----> Stack Back Trace <----*

FramePtr ReturnAd Function Name
0103fa44 77e11012 ntdll!RtlFreeHeap
0103fa54 77e11489 rpcrt4!operator delete
0103fa64 77e1bc32 rpcrt4!CLIENT_AUTH_INFO::~CLIENT_AUTH_INFO [omap]
0103fa78 77e15903 rpcrt4!WMSG_CASSOCIATION::~WMSG_CASSOCIATION [omap]
0103fa8c 77e1b9e1 rpcrt4!WMSG_CASSOCIATION::RemoveReference [omap]
0103faa0 77e1ba42 rpcrt4!WMSG_BINDING_HANDLE::~WMSG_BINDING_HANDLE [omap]
0103faa8 77e1ba8e rpcrt4!WMSG_BINDING_HANDLE::`scalar deleting destructor'
[omap]
0103fab8 77e16705 rpcrt4!WMSG_BINDING_HANDLE::BindingFree [omap]
0103fac8 77ba82e5 rpcrt4!RpcBindingFree [omap]
0103fad4 77ba808a ole32!CRpcChannelBuffer::~CRpcChannelBuffer [omap]
0103fae0 77b455cb ole32!CErrorObject::`vftable' [omap]
0103fb3c 77b252ea ole32!CStdMarshal::DisconnectCliIPIDs [omap]
0103fb48 77b25520 ole32!CStdMarshal::Disconnect [omap]
00157f28 77bb0ce8 ole32!CStdIdentity::Disconnect [omap]
77bb0d10 77b2110d ole32!IProxyManager::`vftable' [omap]
77bb0d28 77b77862 ole32!CStdIdentity::CInternalUnk::Release [omap]
77b77836 0824448b ole32!CStdIdentity::CreateServerWithHandler [omap]

*----> Stack Back Trace <----*

FramePtr ReturnAd Function Name
0103fa44 77e11012 ntdll!RtlFreeHeap
0103fa54 77e11489 rpcrt4!operator delete
0103fa64 77e1bc32 rpcrt4!CLIENT_AUTH_INFO::~CLIENT_AUTH_INFO [omap]
0103fa78 77e15903 rpcrt4!WMSG_CASSOCIATION::~WMSG_CASSOCIATION [omap]
0103fa8c 77e1b9e1 rpcrt4!WMSG_CASSOCIATION::RemoveReference [omap]
0103faa0 77e1ba42 rpcrt4!WMSG_BINDING_HANDLE::~WMSG_BINDING_HANDLE [omap]
0103faa8 77e1ba8e rpcrt4!WMSG_BINDING_HANDLE::`scalar deleting destructor'
[omap]
0103fab8 77e16705 rpcrt4!WMSG_BINDING_HANDLE::BindingFree [omap]
0103fac8 77ba82e5 rpcrt4!RpcBindingFree [omap]
0103fad4 77ba808a ole32!CRpcChannelBuffer::~CRpcChannelBuffer [omap]
0103fae0 77b455cb ole32!CErrorObject::`vftable' [omap]
0103fb3c 77b252ea ole32!CStdMarshal::DisconnectCliIPIDs [omap]
0103fb48 77b25520 ole32!CStdMarshal::Disconnect [omap]
00157f28 77bb0ce8 ole32!CStdIdentity::Disconnect [omap]
77bb0d10 77b2110d ole32!IProxyManager::`vftable' [omap]
77bb0d28 77b77862 ole32!CStdIdentity::CInternalUnk::Release [omap]
77b77836 0824448b ole32!CStdIdentity::CreateServerWithHandler [omap]

CAUSE
=====

This problem is caused by a problem in Rpcrt.dll, which generates a message with
an invalid memory address that results in the above access violation. This
problem has been seen most often when running Microsoft Transaction Server
(MTS), but can occur in other situations and can cause problems in applications
other than Windows NT Explorer.

RESOLUTION
==========

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or
Windows NT Server 4.0, Terminal Server Edition. For additional information,
please see the following article in the Microsoft Knowledge Base:

  Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack


This fix is also included in a rollup of fixes for Microsoft Exchange 5.5 and
Microsoft Internet Information Server 4.0, which is available on the Microsoft
FTP Site. For more information on this rollup, please see the following article
in the Microsoft Knowledge Base:

  ARTICLE-ID: Q147222
  TITLE : Group of Hotfixes for Exchange 5.5 and IIS 4.0

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT 4.0 and Windows NT
Server 4.0, Terminal Server Edition. This problem was first corrected in Windows
NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition
Service Pack 4.

======================================================================
Keywords          : kbWinNT400sp4fix 
Technology        : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTSEntSearch kbWinNTSEnt400 kbWinNTS400search kbWinNTS400 kbNTTermServ400 kbNTTermServSearch
Version           : WinNT:4.0
Hardware          : ALPHA x86
Issue type        : kbbug
Solution Type     : kbfix

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.