Applications hanging on random files

1

I experience application freezes every day, several times a day, for a few days now, on my Windows 7 system. This system has been stable for 4 years, so something new is happening.

The main symptom was that Thunderbird froze at startup, and became unusable. I have thought that it was a problem with Thunderbird, and eventually created a new profile because my profile is more than 10 years old.

Why did I think of the profile? Because I found out that I could not delete some .msf files without a reboot. Trying to do so froze Explorer that had to be restarted.
With a new profile, Thunderbird continued to freeze, but less frequently, so I was able to read mail and to compose a quick answer.

Yesterday I was editing an .html file with gvim, and, at the same time, I was loading it into Firefox to look at the result.
After an hour of work, it froze again. Any process trying to manipulate the .html file was frozen. Killing both Firefox and gvim did not help.

Using process explorer (NOT launched as administrator) could not show the .html file with its handle search function. Handle.exe couldn't either. Rebooting unlocks the file which is not damaged. I have chkdsk /B my two devices (C: is a SSD, D: is a HDD), as the .msf file was on D: and the .html was on C:.

I suspected Windows search, and cleared its database.
I tried deactivating Windows search, my antivirus (Avast), and two sync/backup tools working as a service.

Did not release any lock.

I have found this interesting windbg use : Hung process in Windows: Is there any way to see why?

I've attached Thunderbird process, currently freezing, and I now see this :

FAULTING_IP: 
ntdll!DbgBreakPoint+0
00000000`7772cc90 cc              int     3

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000007772cc90 (ntdll!DbgBreakPoint)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 0000000000000000

FAULTING_THREAD:  0000000000000000

BUGCHECK_STR:  HANG

PROCESS_NAME:  thunderbird.exe

ERROR_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code text>

EXCEPTION_PARAMETER1:  0000000000000000

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

DERIVED_WAIT_CHAIN:  

Dl Eid Cid     WaitType
-- --- ------- --------------------------
   56  74c.1a04 Speculated (Triage)    -->
   0   74c.12b4 File IO                

WAIT_CHAIN_COMMAND:  ~56s;k;;~0s;k;;

BLOCKING_THREAD:  00000000000012b4

DEFAULT_BUCKET_ID:  APPLICATION_HANG_BlockedOn_FileIO

PRIMARY_PROBLEM_CLASS:  APPLICATION_HANG_BlockedOn_FileIO

LAST_CONTROL_TRANSFER:  from 00000000751dc1ff to 000000007772df0a

STACK_TEXT:  
00000000`0024ddd8 00000000`751dc1ff : 00000000`003becdc 00000000`003becf4 00000000`005847e0 000000ba`00340201 : ntdll!ZwCreateFile+0xa
00000000`0024dde0 00000000`751cd18f : 00000000`003becdc 00000000`00000000 00000000`00000000 00000000`00000060 : wow64!whNtCreateFile+0x10f
00000000`0024deb0 00000000`75152776 : 00000000`77360745 00000000`751c0023 00000000`00000246 00000000`003bf2f8 : wow64!Wow64SystemServiceEx+0xd7
00000000`0024e770 00000000`751cd286 : 00000000`00000000 00000000`75151920 ffffffff`fc5f0000 00000000`7770dfc1 : wow64cpu!TurboDispatchJumpAddressEnd+0x2d
00000000`0024e830 00000000`751cc69e : 00000000`00000000 00000000`00000000 00000000`751c4b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`0024e880 00000000`777216a6 : 00000000`00584330 00000000`00000000 00000000`7780e670 00000000`777e1950 : wow64!Wow64LdrpInitialize+0x42a
00000000`0024edd0 00000000`7777d150 : 00000000`00000000 00000000`77720db1 00000000`0024f380 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
00000000`0024f2c0 00000000`7770b63e : 00000000`0024f380 00000000`00000000 00000000`fffdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x25b20
00000000`0024f330 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe


FOLLOWUP_IP: 
wow64!whNtCreateFile+10f
00000000`751dc1ff 448bd8          mov     r11d,eax

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  wow64!whNtCreateFile+10f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: wow64

IMAGE_NAME:  wow64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  562593aa

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  X64_HANG_wow64!whNtCreateFile+10f

FAILURE_BUCKET_ID:  APPLICATION_HANG_BlockedOn_FileIO_cfffffff_wow64.dll!whNtCreateFile

WATSON_STAGEONE_URL:  http://watson.microsoft.com/0004cc90.htm?Retriage=1

Followup: MachineOwner
---------

So, OK, I was quite convinced that Thunderbird was blocking on an IO, and now, it's confirmed. According to the API documentation, this call can be the opening of an existing file. I tried to dump the argument giving the filename (as far as I understand) playing randomly with this command : "dt ntdll!_OBJECT_ATTRIBUTES 00000000`005847e0", but I'm not familiar with windbg and calling conventions, so I failed so far to dig into the structure.

So what can I do next ?

EDIT:
After changing my WinDbg to x86 version as suggested, my dumps became analyzable.
Freezes went out, as it always happens when you concentrate on a problem : it disappears briefly to avoid being solved, until this night, when Canon DPP froze during a batch processing of RAW files.
Here is the trace :

FAULTING_IP: 
ntdll!DbgBreakPoint+0
7736000c cc              int     3

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7736000c (ntdll!DbgBreakPoint)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 00000000

FAULTING_THREAD:  00000000

BUGCHECK_STR:  HANG

PROCESS_NAME:  DPPBatch.exe

ERROR_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code text>

EXCEPTION_PARAMETER1:  00000000

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

DERIVED_WAIT_CHAIN:  

Dl Eid Cid     WaitType
-- --- ------- --------------------------
   1   1b88.1ff4 Speculated (Triage)    -->
   0   1b88.1948 File IO                

WAIT_CHAIN_COMMAND:  ~1s;k;;~0s;k;;

BLOCKING_THREAD:  00001948

DEFAULT_BUCKET_ID:  APPLICATION_HANG_BlockedOn_FileIO

PRIMARY_PROBLEM_CLASS:  APPLICATION_HANG_BlockedOn_FileIO

LAST_CONTROL_TRANSFER:  from 74e8c5fd to 77370106

STACK_TEXT:  
0018ed8c 74e8c5fd 0018ee28 80100080 0018edcc ntdll!ZwCreateFile+0x12
0018ee30 76e53f56 00000060 80100080 00000001 KERNELBASE!CreateFileW+0x35e
0018ee5c 76e553b4 0058e300 80000000 00000001 kernel32!CreateFileWImplementation+0x69
0018ee8c 100dbf8e 01f4ed98 80000000 00000001 kernel32!CreateFileA+0x37
WARNING: Stack unwind information not available. Following frames may be wrong.
0018eeb8 10002275 01f40000 00000000 10002294 DPPDLL!GNZ_getFilenameFromScriptFile+0x3e
0018eef8 0018ef7c 01f4ed98 00000000 0018ef7c DPPDLL!UCSCloseProfile+0xea5
0018eefc 01f4ed98 00000000 0018ef7c 01f4fc20 0x18ef7c
0018ef7c 00000000 00000000 00000000 00000000 0x1f4ed98
FOLLOWUP_IP: 
DPPDLL!GNZ_getFilenameFromScriptFile+3e
100dbf8e 8bf8            mov     edi,eax

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  dppdll!GNZ_getFilenameFromScriptFile+3e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: DPPDLL

IMAGE_NAME:  DPPDLL.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  52251a6c

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  HANG_dppdll!GNZ_getFilenameFromScriptFile+3e

FAILURE_BUCKET_ID:  APPLICATION_HANG_BlockedOn_FileIO_cfffffff_DPPDLL.dll!GNZ_getFilenameFromScriptFile

WATSON_STAGEONE_URL:  http://watson.microsoft.com/0001000c.htm?Retriage=1

Followup: MachineOwner
---------

I easily tracked down the corresponding file to be on my D: drive : D:\Sauvegarde\Tirages\photos\20151214 - totale D70\\GNZC0E116282C365.vbf. It hung the process after 2 hours of work. I was using the PC at this time. It definitely looks like a file system corruption or device driver bug, so I'll run chkdsk again.
In the meantime, I've tried to launch ProcessExplorer to look for processes IO waiting on the file, it worked. But I remembered it should be launched as admin, so I closed it and right clicked on the icon and... it took about say, 5 minutes to pop up (I wasn't expecting it to pop up, it surprised me). Once again, according to Process Explorer, no handle is associated with the blocking file (I looked for "vbf").

Well, I think my question about the debugger is answered (existence of 2 versions of WinDbg), and my problem still needs to be solved, but I'm not sure it's the right place to get help on it.

SR_

Posted 2015-12-11T11:11:26.720

Reputation: 111

Sounds like a malware problem. Did you scan for malware? – LPChip – 2015-12-11T11:18:25.480

@LPChip what makes you think so ? I usually do not run 3rd party scanners as I do not trust them and it may harm my PC. But let's have a try : I've run HijackThis just now and the report does not help me. Avast finds nothing. sfc /scannow is not happy but wasn't before as well. – SR_ – 2015-12-11T14:04:06.443

wow64 shows that this is a 64bit dump of a 32bit process. Use ProcessExplorer or the 32Bit taskmgr to create a dump. Point to the thunderbird symbols server (srv*D:\symbols*http://symbols.mozilla.org/thunderbird) and run !analyze -v -hang in windbg (x86 version)

– magicandre1981 – 2015-12-11T16:49:05.277
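
The check described in the comment above can be scripted when several hang dumps have to be compared. This is an added example, not part of the original thread: a Python parser that reads saved !analyze -v -hang text, reports the blocking thread, its wait type and the top stack frame, and flags wow64 frames. The function name triage is an assumption, and SAMPLE is abridged from the first dump in the question.

```python
import re

# Abridged from the first !analyze output in the question (stack frames
# joined onto one line each); used here as sample input.
SAMPLE = """\
PROCESS_NAME:  thunderbird.exe
DERIVED_WAIT_CHAIN:
Dl Eid Cid     WaitType
-- --- ------- --------------------------
   56  74c.1a04 Speculated (Triage)    -->
   0   74c.12b4 File IO
BLOCKING_THREAD:  00000000000012b4
STACK_TEXT:
00000000`0024ddd8 00000000`751dc1ff : 00000000`003becdc 00000000`003becf4 00000000`005847e0 000000ba`00340201 : ntdll!ZwCreateFile+0xa
00000000`0024dde0 00000000`751cd18f : 00000000`003becdc 00000000`00000000 00000000`00000000 00000000`00000060 : wow64!whNtCreateFile+0x10f
FOLLOWUP_IP:
"""

FIELD = re.compile(r"^([A-Z_0-9]+):\s*(.*)$")          # e.g. "PROCESS_NAME:  x.exe"
CHAIN = re.compile(r"^\s*(\d+)\s+([0-9a-f]+)\.([0-9a-f]+)\s+(.*?)\s*(-->)?\s*$")
SYMBOL = re.compile(r"([\w.]+)!(\S.*?)\+0x[0-9a-f]+\s*$")  # module!function+0xNN

def triage(text):
    """Summarise a saved '!analyze -v -hang' report (hypothetical helper)."""
    fields, chain, frames, section = {}, [], [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) != "WARNING":   # "WARNING:" lines sit inside STACK_TEXT
            section = m.group(1)
            fields[section] = m.group(2).strip()
            continue
        if section == "DERIVED_WAIT_CHAIN":
            c = CHAIN.match(line)
            if c:  # Cid is pid.tid in hex
                chain.append({"tid": int(c.group(3), 16), "wait": c.group(4)})
        elif section == "STACK_TEXT":
            s = SYMBOL.search(line)
            if s:
                frames.append((s.group(1), s.group(2)))
    blocker = int(fields.get("BLOCKING_THREAD", "0"), 16)
    return {
        "process": fields.get("PROCESS_NAME"),
        "blocking_tid": blocker,
        "wait": next((c["wait"] for c in chain if c["tid"] == blocker), None),
        "top_frame": "!".join(frames[0]) if frames else None,
        # wow64 frames mean a 64-bit view of a 32-bit process: redo with x86 WinDbg
        "wow64_frames": any(mod.startswith("wow64") for mod, _ in frames),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```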

@magicandre1981 Thanks a lot ! I now can dig into the stack and find my bits... yes ! This time, the file is one of my INBOX.msf. Hum, a right click on it in explorer. Boom, it hangs explorer. I run Process Explorer as admin, find handles and... not in the list, damn :( – SR_ – 2015-12-12T00:22:35.997

run chkdsk /f, maybe you have NTFS file system issues – magicandre1981 – 2015-12-12T08:26:18.133

@magicandre1981 chkdsk /B implies /F (through /R) – SR_ – 2015-12-12T10:07:51.033

have you tried chkdsk? Does it detect NTFS issues? – magicandre1981 – 2015-12-12T16:27:48.460

@magicandre1981 Yes I did chkdsk : "I have chkdsk /B my two devices". It detected nothing wrong. – SR_ – 2015-12-12T21:20:34.177

ok, capture a new (this time 32Bit) dump and analyze it – magicandre1981 – 2015-12-13T07:14:38.957

@magicandre1981 Edited the message accordingly. Even if I still face the problem, I'm not sure superuser.com is the right place to continue this discussion, the original question has been answered. – SR_ – 2015-12-15T08:46:08.450

Hum, another lead. After reboot, DPPBatch failed with the error (translated here) "insufficient disk space". I remember Thunderbird reporting the exact same error when compacting IMAP folders. I have a lot of free space. So that's not the problem. Maybe should I ask what it could be related to in a new question ? Reading NTFS documentation gives me a lot of information that I don't know what to do with. – SR_ – 2015-12-15T11:50:52.320

It might be worth creating a dump of the process with Procdump using the switches: procdump -ma -mk processname This will create you both the user-mode and kernel mode stacks. See: https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-178-Sysinternals-ProcDump-v90 on how to work with this. Otherwise the output of fltmc.exe in an admin command prompt might be of interest to see what other file system filters are installed.

– HelpingHand – 2017-08-17T13:36:04.497

No answers