
Unexplained crashes related to ntdll.dll

I have an application that I've written that crashes intermittently, but I'm unable to capture an exception at the application layer. I always get an entry in the event log, but it doesn't give me much info:

Faulting application name: BCS-UI.exe, version: 1.0.11.0, time stamp: 0x5c0edcbd
Faulting module name: ntdll.dll, version: 10.0.17134.376, time stamp: 0x4358e406
Exception code: 0xc0000374
Fault offset: 0x000d8829
Faulting process id: 0x39b0
Faulting application start time: 0x01d49161c80079a0
Faulting application path: C:\Gogs Local\SMR_Windows_UI\BCS-UI\BCS-UI\bin\Release\BCS-UI.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 1fbc4761-d256-44b0-99b0-4d9d758e4fe0
Faulting package full name: 
Faulting package-relative application ID: 

- System
  - Provider
     [ Name]  Application Error
  - EventID 1000
     [ Qualifiers]  0
    Level 2
    Task 100
    Keywords 0x80000000000000
  - TimeCreated
     [ SystemTime]  2018-12-11T15:12:28.109191000Z
    EventRecordID 23318
    Channel Application
    Computer Leviathan
    Security
- EventData
    BCS-UI.exe
    1.0.11.0
    5c0edcbd
    ntdll.dll
    10.0.17134.376
    4358e406
    c0000374
    000d8829
    39b0
    01d49161c80079a0
    C:\Gogs Local\SMR_Windows_UI\BCS-UI\BCS-UI\bin\Release\BCS-UI.exe
    C:\WINDOWS\SYSTEM32\ntdll.dll
    1fbc4761-d256-44b0-99b0-4d9d758e4fe0

As you can see, I get this:

Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll.

I'm not sure what that is or how it relates to the crashes, but I've been able to reproduce it on multiple machines and I'm at a loss on how to determine the cause or prevent it from happening.

Update: I've gotten to a point where the application crashes on startup with the above reason. It gets to the end of the MainWindow constructor (it is a WPF application), sits there for about 10 seconds on a white screen and then dies. I've rolled back to older versions of the software and reproduced this behavior. I have also moved it to another machine and did NOT see this behavior, so my current theory is in agreement with what was said in the comments - that something corrupted the heap and it only gets cleared up on a reboot.

Update 2: I'm able to produce this error message when running outside of the debugger, although when running in the debugger, I'm not able to get it to stop on an exception:

a generic error occurred in GDI+

So that's what I'll be hunting today. Interestingly and disturbingly enough, the app crashes every time on startup, even after rebooting. The same behavior does not occur on other machines at this time.

Comments

To debug these kinds of system internal issues, I suggest you try Process Monitor.

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.

Basically you need to look out for the "NAME NOT FOUND" errors, which mean missing DLLs or registry keys, or any other suspicious errors in the monitor screen.

The last time I had a similar crash in my app that pointed to ntdll.dll as the faulting module, the reality was that my own code had a memory leak. I did a strcpy on a string that was not allocated memory. Something like,

char * str;
strcpy(str, "Hello");

I found this after a strenuous walkthrough of my code.

Check your code for leaks.
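Added example, not part of the original posts: exception code 0xc0000374 is STATUS_HEAP_CORRUPTION, and the Windows heap manager lives in ntdll.dll, so a stray write in application code is reported from ntdll at a later heap operation rather than at the write itself. The sketch below generalizes the `strcpy` case above to any write outside the allocated bytes and reproduces that deferred detection with a guard word; `guarded_alloc`, `guarded_free`, `safe_copy` and the guard value are hypothetical names and constants, not a Windows API.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define GUARD 0xFDFDFDFDu   /* constructed guard pattern */
typedef struct { size_t size; } hdr_t;   /* remembers the usable size */

/* Allocate `size` usable bytes with a guard word right behind them. */
void *guarded_alloc(size_t size) {
    hdr_t *h = malloc(sizeof *h + size + sizeof(uint32_t));
    uint32_t g = GUARD;
    if (!h) return NULL;
    h->size = size;
    memcpy((char *)(h + 1) + size, &g, sizeof g);
    return h + 1;
}

/* Verify the guard, then release: 0 if intact, -1 if it was overwritten. */
int guarded_free(void *p) {
    hdr_t *h = (hdr_t *)p - 1;
    uint32_t g;
    memcpy(&g, (char *)p + h->size, sizeof g);
    free(h);
    return g == GUARD ? 0 : -1;
}

/* Bounded copy: rejects input that does not fit instead of overrunning. */
int safe_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n >= cap) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Unchecked copy of 6 bytes into 4: the write itself raises nothing. */
int demo_unchecked(void) {
    char *buf = guarded_alloc(4);
    if (!buf) return 1;
    strcpy(buf, "Hello");
    return guarded_free(buf);   /* the damage is noticed only here */
}

/* Same input through the bounded copy: rejected, guard stays intact. */
int demo_bounded(void) {
    char *buf = guarded_alloc(4);
    if (!buf) return 1;
    int rejected = safe_copy(buf, 4, "Hello");
    int guard = guarded_free(buf);
    return (rejected == -1 && guard == 0) ? 0 : -1;
}
```

The overrun stays inside the block returned by `malloc`, so the demonstration is safe to run; in a real process the same write would land in the heap's own bookkeeping or in a neighbouring allocation.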
