IronsideSecurity
asked on
WMI Crashes - Server 2003
Hello all,
Specs: Windows Server 2003 for Small Business SP2
3 GB RAM
Intel Xeon E5420 @ 2.5
Problem: wmiprvse.exe crashes every day 2-3 times a day.
Event ID: 1004 is logged repeatedly, which I know is a generic error and not very helpful, but here it is anyways:
Reporting queued error: faulting application wmiprvse.exe, version 5.2.3790.4455, faulting module msvcrt.dll, version 7.0.3790.3959, fault address 0x00038efa
Loaded Mdump into WinDbg, loaded symbols, etc.
WinDbg shows the following, and I hope someone can be so kind as to review it and let me know what is causing this.
: FAULTING_IP:
msvcrt!wcslen+8
77bd8efa 668b08 mov cx,word ptr [eax]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77bd8efa (msvcrt!wcslen+0x00000008)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 006e3000
Attempt to read from address 006e3000
CONTEXT: 00000000 -- (.cxr 0x0;r)
eax=00000000 ebx=80070000 ecx=c0000005 edx=00000000 esi=00000208 edi=00000000
eip=7c82845c esp=00cc99d4 ebp=00cc9a44 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
ntdll!KiFastSystemCallRet:
7c82845c c3 ret
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: wmiprvse.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 006e3000
READ_ADDRESS: 006e3000
FOLLOWUP_IP:
msvcrt!wcslen+8
77bd8efa 668b08 mov cx,word ptr [eax]
NTGLOBALFLAG: 0
APP: wmiprvse.exe
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
LAST_CONTROL_TRANSFER: from 7d0e40f1 to 77bd8efa
FAULTING_THREAD: 00001f90
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
STACK_TEXT:
00ccf3d0 77bd8efa msvcrt!wcslen+0x8
00ccf3d8 7d0e40f1 oleaut32!SysAllocString+0x18
00ccf3e4 5b7ac834 stdprov!GetStr+0x7b
00ccf424 5b7ad48d stdprov!CImpReg::MethodAsync+0x4f3
00ccf4ac 5b7a6f25 stdprov!CImpDyn::ExecMethodAsync+0x22
00ccf4cc 01019e6d wmiprvse!CInterceptor_IWbemSyncProvider::Helper_ExecMethodAsync+0x16e
00ccf518 0101a002 wmiprvse!CInterceptor_IWbemSyncProvider::ExecMethodAsync+0x72
00ccf560 77c80365 rpcrt4!Invoke+0x30
00ccf590 77ce43e1 rpcrt4!NdrStubCall2+0x299
00ccf998 77ce3ed5 rpcrt4!CStdStubBuffer_Invoke+0xc6
00ccf9f0 7557e67e fastprox!CBaseStublet::Invoke+0x22
00ccfa04 7778d01b ole32!SyncStubInvoke+0x37
00ccfa48 7778cfc8 ole32!StubInvoke+0xa7
00ccfa90 776c121b ole32!CCtxComChnl::ContextInvoke+0xec
00ccfb6c 776c0c05 ole32!MTAInvoke+0x1a
00ccfb88 7778d2a7 ole32!AppInvoke+0xa3
00ccfbb8 7778cd66 ole32!ComInvokeWithLockAndIPID+0x2c5
00ccfc8c 7778d2c6 ole32!ThreadInvoke+0x2e3
00ccfcd8 77c8014a rpcrt4!DispatchToStubInCNoAvrf+0x38
00ccfd0c 77c805ff rpcrt4!RPC_INTERFACE::DispatchToStubWorker+0x11f
00ccfd60 77c80525 rpcrt4!RPC_INTERFACE::DispatchToStub+0xa3
00ccfd84 77c7e294 rpcrt4!RPC_INTERFACE::DispatchToStubWithObject+0xc0
00ccfdc4 77c7e240 rpcrt4!LRPC_SCALL::DealWithRequestMessage+0x41e
00ccfe04 77c814c2 rpcrt4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
00ccfe28 77c88858 rpcrt4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
00ccff8c 77c88972 rpcrt4!RecvLotsaCallsWrapper+0xd
00ccff94 77c8890d rpcrt4!BaseCachedThreadRoutine+0x9d
00ccffb4 77c7b2ab rpcrt4!ThreadStartRoutine+0x1b
00ccffc0 77e6482f kernel32!BaseThreadStart+0x34
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: msvcrt!wcslen+8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msvcrt
IMAGE_NAME: msvcrt.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 45d70b06
STACK_COMMAND: .ecxr ; kb ; dps ccf3d0 ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_msvcrt.dll!wcslen
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_msvcrt!wcslen+8
WATSON_IBUCKET: 1231062341
WATSON_IBUCKETTABLE: 1
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_msvcrt.dll!wcslen
FAILURE_ID_HASH: {4c9a3dd7-6f5e-c94c-e77d-a4d2646a6117}
Followup: MachineOwner
---------
Thanks
Ironside.