Skip to content

Instantly share code, notes, and snippets.

@poqdavid

poqdavid/explorer.exe.14740.txt Secret

Created April 4, 2022 14:01
Show Gist options
  • Save poqdavid/e4dc16afa8cf5a01ae686e82189a62e9 to your computer and use it in GitHub Desktop.
Save poqdavid/e4dc16afa8cf5a01ae686e82189a62e9 to your computer and use it in GitHub Desktop.
Download ZIP
Windows 11 ucrtbase.dll explorer crash 0xc0000409
Raw
explorer.exe.14740.txt
Microsoft (R) Windows Debugger Version 10.0.22549.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\CrashDumps\explorer.exe.14740.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Version 22000 MP (12 procs) Free x64
Product: WinNt, suite: SingleUserTS
Edition build lab: 22000.1.amd64fre.co_release.210604-1628
Machine Name:
Debug session time: Mon Apr 4 07:14:26.000 2022 (UTC - 4:00)
System Uptime: not available
Process Uptime: 0 days 1:28:10.000
................................................................
................................................................
................................................................
................................................................
..............................................
Loading unloaded module list
.............................................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(3994.1d44): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT
For analysis of this file, run !analyze -v
ucrtbase!abort+0x4e:
00007fff`0507dd7e cd29 int 29h
0:053> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 8828
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 13702
Key : Analysis.Init.CPU.mSec
Value: 765
Key : Analysis.Init.Elapsed.mSec
Value: 3717
Key : Analysis.Memory.CommitPeak.Mb
Value: 562
Key : FailFast.Name
Value: FATAL_APP_EXIT
Key : FailFast.Type
Value: 7
Key : Timeline.Process.Start.DeltaSec
Value: 5290
Key : WER.OS.Branch
Value: co_release
Key : WER.OS.Timestamp
Value: 2021-06-04T16:28:00Z
Key : WER.OS.Version
Value: 10.0.22000.1
Key : WER.Process.Version
Value: 10.0.22000.527
FILE_IN_CAB: explorer.exe.14740.dmp
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
CONTEXT: (.ecxr)
rax=0000000000000001 rbx=000000001027bfd8 rcx=0000000000000007
rdx=000000000000000f rsi=000000001027bfd8 rdi=0000000010c1f5b0
rip=00007fff0507dd7e rsp=0000000002e9f5b0 rbp=0000000002e9f679
r8=0000000000000001 r9=0000000002e9f558 r10=0000000000000012
r11=00007ffec1cc1579 r12=0000000000000000 r13=000000001023fba0
r14=000000001023fbd8 r15=00007ffec5854f30
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ucrtbase!abort+0x4e:
00007fff`0507dd7e cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007fff0507dd7e (ucrtbase!abort+0x000000000000004e)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000007
Subcode: 0x7 FAST_FAIL_FATAL_APP_EXIT
PROCESS_NAME: explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000007
FAULTING_THREAD: 00001d44
STACK_TEXT:
00000000`02e9f5b0 00007fff`0507d499 : 00000000`00000003 00000000`00000003 00000000`00000000 0000e166`4a63b2a2 : ucrtbase!abort+0x4e
00000000`02e9f5e0 00007ffe`b121a5d4 : 00007ffe`b15590a0 00000000`00000002 00000000`134f35ec 00000000`00000068 : ucrtbase!terminate+0x29
00000000`02e9f610 00007ffe`b1472373 : 00000000`00000000 00000000`134f2fd0 00000000`00000000 00000000`10392410 : ExplorerExtensions!winrt::hstring::~hstring+0x64
00000000`02e9f640 00007ffe`b141525b : 00000000`00000000 00000000`10392410 00000000`10392420 00000000`10392418 : ExplorerExtensions!winrt::SystemTray::implementation::MicrophoneSystemTrayIconDataModel::OnCapabilityUsagechanged+0xd3
00000000`02e9f6e0 00007ffe`c5938298 : 00000000`00000000 00000000`00000000 00000000`00000000 00007fff`076bb680 : ExplorerExtensions!winrt::impl::delegate<winrt::Windows::Foundation::EventHandler<winrt::Windows::Foundation::IInspectable>,<lambda_3863875ba69e35d0218a25b15afef9eb> >::Invoke+0x3b
00000000`02e9f730 00007ffe`c593806d : 00000000`005f0c50 00000000`00000000 00000000`00000000 00000000`00000000 : windowsudk_shellcommon!winrt::Windows::Foundation::TypedEventHandler<winrt::WindowsUdk::Security::Authorization::AppCapabilityAccess::CapabilityUsageInfo,winrt::Windows::Foundation::IInspectable>::operator()+0x24
00000000`02e9f760 00007ffe`c5937e9d : 00000000`00000000 00000000`1023fbb0 00000000`00000000 00000000`00000000 : windowsudk_shellcommon!winrt::impl::invoke<winrt::Windows::Foundation::TypedEventHandler<winrt::WindowsUdk::Security::Authorization::AppCapabilityAccess::CapabilityUsageInfo,winrt::Windows::Foundation::IInspectable>,winrt::WindowsUdk::Security::Authorization::AppCapabilityAccess::implementation::CapabilityUsageInfo,std::nullptr_t>+0x25
00000000`02e9f790 00007ffe`c5855034 : 00000000`1023fbc0 00000000`0c68f6e0 00000000`10392410 00007fff`076c250d : windowsudk_shellcommon!winrt::event<winrt::Windows::Foundation::TypedEventHandler<winrt::WindowsUdk::Security::Authorization::AppCapabilityAccess::CapabilityUsageInfo,winrt::Windows::Foundation::IInspectable> >::operator()<winrt::WindowsUdk::Security::Authorization::AppCapabilityAccess::implementation::CapabilityUsageInfo,std::nullptr_t>+0x71
00000000`02e9f7d0 00007fff`076fa8cb : 00000000`00000000 02821b2c`a3bc4075 00000000`0c68ff90 00000000`10245df8 : windowsudk_shellcommon!winrt::WindowsUdk::Security::Authorization::AppCapabilityAccess::implementation::CapabilityUsageInfo::HandleAudioAssistantWNF+0x104
00000000`02e9f850 00007fff`076fa58a : 00000000`00000000 00000000`0c68f6a0 00000000`00000000 00000000`00000000 : ntdll!RtlpWnfWalkUserSubscriptionList+0x257
00000000`02e9f930 00007fff`076fa3e0 : 00000000`006c78d0 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlpWnfProcessCurrentDescriptor+0x10e
00000000`02e9f980 00007fff`076bfe52 : 00000000`00612000 00000000`00612188 00000000`7ffe0386 00007fff`076bfd5e : ntdll!RtlpWnfNotificationThread+0x80
00000000`02e9f9e0 00007fff`076b6d98 : 00000000`00612188 00000000`133a4380 00000000`00000000 00000000`1037dce0 : ntdll!TppExecuteWaitCallback+0xae
00000000`02e9fa30 00007fff`067554e0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x448
00000000`02e9fd20 00007fff`076a485b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x10
00000000`02e9fd50 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2b
SYMBOL_NAME: ucrtbase!abort+4e
MODULE_NAME: ucrtbase
IMAGE_NAME: ucrtbase.dll
STACK_COMMAND: ~53s ; .cxr ; kb
FAILURE_BUCKET_ID: FAIL_FAST_FATAL_APP_EXIT_c0000409_ucrtbase.dll!abort
OS_VERSION: 10.0.22000.1
BUILDLAB_STR: co_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
IMAGE_VERSION: 10.0.22000.1
FAILURE_ID_HASH: {e31753ac-c98a-8055-3663-47e707543d20}
Followup: MachineOwner
---------
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment