Tuts 4 You
ntdll exception C0000374 problems!

LCF-AT

Hi guys,

today I studied my system log a little about crashes I got in the past and always found this exception above, created by VLC player and some of my own apps. I tried to find out why I get this error, also because it seems to happen randomly anyhow.

The error and offset are always the same...

Name der fehlerhaften Anwendung: vlc.exe
Version: 2.2.6.0
Name des fehlerhaften Moduls: ntdll.dll
Version: 6.1.7601.24388
Ausnahmecode: 0xc0000374  <--
Fehleroffset: 0x000c3bd3  <--

or this...

Problemsignatur:
  Problemereignisname:	APPCRASH
  Anwendungsname:	bones.exe
  Anwendungsversion:	1.0.0.0
  Fehlermodulname:	StackHash_f283
  Fehlermodulversion:	6.1.7601.24388
  Ausnahmecode:	c0000374     <--
  Ausnahmeoffset:	000c3bd3 <--
  Betriebsystemversion:	6.1.7601.2.1.0.768.3

...now, if I check the ntdll module at this offset / RVA then I see this... module base = 77840000 in this case...

$-9      77903BCA      8D45 98                 LEA EAX,DWORD PTR SS:[EBP-0x68]
$-6      77903BCD      50                      PUSH EAX   
$-5      77903BCE      E8 4530F8FF             CALL 77886C18                                  ; ntdll.RtlRaiseException
$ ==>    77903BD3      EB 12                   JMP SHORT 77903BE7                             ; 000c3bd3
$+2      77903BD5      8B45 EC                 MOV EAX,DWORD PTR SS:[EBP-0x14]
$+5      77903BD8      8B08                    MOV ECX,DWORD PTR DS:[EAX]
$+7      77903BDA      8B09                    MOV ECX,DWORD PTR DS:[ECX]

...a short jump command!? Right after RtlRaiseException. I don't check this, so why does it log this address with this c0000374 exception?

I also tried to catch possible exceptions and added my exception logger into my own app to get some results back.....

Exception: C0000374 (Unknown exception)

regEax 0006EF40
regEcx 7FFFFFFF
regEdx 00000000
regEbx 00000000
regEsp 0006EF30
regEbp 0006EFA8
regEsi 001A0000
regEdi 00241310
regEip 77B23BD3 Exception Address

C:\.......\bones.exe

BaseAddress:    00415000
AllocationBase: 00400000


BaseAddress:    77B23000
AllocationBase: 77A60000

Exception occurs into module: ntdll.dll

API address and name at or before Exception: 77B2215B RtlpNtMakeTemporaryKey

Stack: 77B23BD3
------------------------------
00000000 | 0006EF30 | 7689B9D2 RPCRT4.dll
00000004 | 0006EF34 | 00241310 
00000008 | 0006EF38 | 001A0000 
0000000C | 0006EF3C | 00000000 
00000010 | 0006EF40 | C0000374 
00000014 | 0006EF44 | 00000001 
00000018 | 0006EF48 | 00000000 
0000001C | 0006EF4C | 77B23BD3 ntdll.dll
00000020 | 0006EF50 | 00000001 
00000024 | 0006EF54 | 77B3EDD8 ntdll.dll
00000028 | 0006EF58 | 7689B9F6 RPCRT4.dll
0000002C | 0006EF5C | 00000020 
00000030 | 0006EF60 | 00000002 
00000034 | 0006EF64 | 77B3EE10 ntdll.dll
00000038 | 0006EF68 | 0006EF8C 
0000003C | 0006EF6C | 0006EF8C 
00000040 | 0006EF70 | 00000022 
00000044 | 0006EF74 | 0006EF58 
00000048 | 0006EF78 | 00000000 
0000004C | 0006EF7C | 0006EFDC 
00000050 | 0006EF80 | 77A7E355 ntdll.dll
00000054 | 0006EF84 | 00000000 
00000058 | 0006EF88 | 77AC70D3 ntdll.dll
0000005C | 0006EF8C | 19DBA606 
00000060 | 0006EF90 | 0006EF30 
00000064 | 0006EF94 | 7FFFFFFF 
00000068 | 0006EF98 | 0006EFDC 
0000006C | 0006EF9C | 77A7E355 ntdll.dll
00000070 | 0006EFA0 | 01244E82 
00000074 | 0006EFA4 | 00000000 
00000078 | 0006EFA8 | 0006EFB8 
0000007C | 0006EFAC | 77B24B03 ntdll.dll
00000080 | 0006EFB0 | C0000374 
00000084 | 0006EFB4 | 77B3EDD8 ntdll.dll
00000088 | 0006EFB8 | 0006EFEC 
0000008C | 0006EFBC | 77B24BE3 ntdll.dll
00000090 | 0006EFC0 | 00000002 
00000094 | 0006EFC4 | 7689B996 RPCRT4.dll
00000098 | 0006EFC8 | 00000000 
0000009C | 0006EFCC | 001A0000 
000000A0 | 0006EFD0 | 00241318 
000000A4 | 0006EFD4 | 0006EFC4 
000000A8 | 0006EFD8 | 00897D4C 
000000AC | 0006EFDC | 0006F054 
000000B0 | 0006EFE0 | 77A7E355 ntdll.dll
000000B4 | 0006EFE4 | 01244F62 
000000B8 | 0006EFE8 | FFFFFFFE 
000000BC | 0006EFEC | 0006F01C 
000000C0 | 0006EFF0 | 77ADD7DF ntdll.dll
000000C4 | 0006EFF4 | 00000008 
000000C8 | 0006EFF8 | 001A0000 
000000CC | 0006EFFC | 00241310 
000000D0 | 0006F000 | 00000000 
000000D4 | 0006F004 | 00000000 
000000D8 | 0006F008 | 00000000 
000000DC | 0006F00C | 00000000 
000000E0 | 0006F010 | 0006F298 
000000E4 | 0006F014 | 00000000 
000000E8 | 0006F018 | 00000000 
000000EC | 0006F01C | 0006F064 
000000F0 | 0006F020 | 7583761C KERNELBASE.dll
000000F4 | 0006F024 | 001A0000 
000000F8 | 0006F028 | 00000000 
000000FC | 0006F02C | 00241318 
00000100 | 0006F030 | 3C0335BD 
00000104 | 0006F034 | 0006F298 
00000108 | 0006F038 | 00000000 
0000010C | 0006F03C | 00000000 
00000110 | 0006F040 | 00000000 
00000114 | 0006F044 | 00000111 
00000118 | 0006F048 | 0006F060 
0000011C | 0006F04C | 0006F030 
00000120 | 0006F050 | 0013055C 
00000124 | 0006F054 | 0006F2B4 
00000128 | 0006F058 | 758506BD KERNELBASE.dll
0000012C | 0006F05C | 4986B3E1 
00000130 | 0006F060 | 00000000 
00000134 | 0006F064 | 0006F21C 
00000138 | 0006F068 | 00407970 bones.exe
0000013C | 0006F06C | 00241318 
00000140 | 0006F070 | 000B059C 
00000144 | 0006F074 | 008E6BB0 
00000148 | 0006F078 | 00000024 
0000014C | 0006F07C | 774943BA user32.dll
00000150 | 0006F080 | 7749440D user32.dll
00000154 | 0006F084 | 000B059C 
00000158 | 0006F088 | 00000000 
0000015C | 0006F08C | 00000020 
00000160 | 0006F090 | 00000001 
00000164 | 0006F094 | 0006F414 
00000168 | 0006F098 | 00000000 
0000016C | 0006F09C | FFFFFFF4 
00000170 | 0006F0A0 | 0006F0B8 
00000174 | 0006F0A4 | 77488B78 user32.dll
00000178 | 0006F0A8 | 000B059C 
0000017C | 0006F0AC | 00000000 
00000180 | 0006F0B0 | 00000020 
00000184 | 0006F0B4 | 00000001 
00000188 | 0006F0B8 | 0006F1D4 
0000018C | 0006F0BC | 0040EA94 bones.exe


77B23BD3   JMP 77B23BE7H
77B23BD5   MOV EAX , DWORD PTR [EBP-14H]
77B23BD8   MOV ECX , DWORD PTR [EAX]
77B23BDA   MOV ECX , DWORD PTR [ECX]
77B23BDC   PUSH EAX
77B23BDD   PUSH ECX
77B23BDE   CALL 77B23B52H
77B23BE3   RET 
77B23BE4   MOV ESP , DWORD PTR [EBP-18H]
77B23BE7   MOV DWORD PTR [EBP-04H] , FFFFFFFEH

....so the exception happens at this 77B23BD3 address, which is the small jump command as I told before. The code is the same = was not changed or something, and I don't see any reason for an exception there. Now if I check the stack log where the exception happens, then I can find 2 addresses of my app called bones.exe.

00000138 | 0006F068 | 00407970 bones.exe
0000018C | 0006F0BC | 0040EA94 bones.exe

Now I checked where it was called from in my app....

$-6      0040796A     50                      PUSH EAX     
$-5      0040796B     E8 E0780000             CALL 0040F250    ; <JMP.&kernel32.GlobalFree>
$ ==>    00407970     56                      PUSH ESI
  

$-10     0040EA84     B8 20000000             MOV EAX,0x20
$-B      0040EA89     50                      PUSH EAX            
$-A      0040EA8A     6A 00                   PUSH 0x0
$-8      0040EA8C     FF75 08                 PUSH DWORD PTR SS:[EBP+0x8]
$-5      0040EA8F     E8 66090000             CALL 0040F3FA    ; <JMP.&user32.SetWindowLongA>
$ ==>    0040EA94     C9                      LEAVE

....here I see the last call from my app before the exception happens was to the function GlobalFree. I thought maybe this function is the problem, but I don't think so. Anyhow, I can't find out what the reason is for this exception, which seems to happen randomly. I would just like to ask whether any of you has some ideas what it could be and how to handle this problem to get it fixed. Thanks.

greetz

deepzero

That exception code seems to be STATUS_HEAP_CORRUPTION. So the corruption of the heap might occur long before you get the crash.

  • Like 1
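
An added example, not part of the thread and not any poster's code: a short Python triage of the crash data from the first post. It names the exception code, rebases the logged fault offset for both ntdll load addresses quoted there, and walks an excerpt of the stack log out to the first bones.exe slot. The function names and the small NTSTATUS table are assumptions of this example, and module-annotated stack slots are only candidate return addresses.

```python
import re

# Subset of NTSTATUS codes useful for crash triage (names as in ntstatus.h).
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
# Excerpt of the stack log from the first post: offset | slot address | value [module]
STACK_LOG = """\
00000010 | 0006EF40 | C0000374
0000001C | 0006EF4C | 77B23BD3 ntdll.dll
0000007C | 0006EFAC | 77B24B03 ntdll.dll
000000C0 | 0006EFF0 | 77ADD7DF ntdll.dll
000000F0 | 0006F020 | 7583761C KERNELBASE.dll
00000138 | 0006F068 | 00407970 bones.exe
0000018C | 0006F0BC | 0040EA94 bones.exe
"""

SLOT = re.compile(r"^([0-9A-F]{8}) \| ([0-9A-F]{8}) \| ([0-9A-F]{8})\s*(\S+)?\s*$")

def rebase(module_base, rva):
    """Virtual address of an event-log fault offset for one particular load of the module."""
    return module_base + rva

def annotated_slots(stack_log):
    """Yield (slot_address, value, module) for slots whose value lies inside a module.
    These are candidate return addresses only; stale stack data can look the same."""
    for line in stack_log.splitlines():
        m = SLOT.match(line.strip())
        if m and m.group(4):
            yield int(m.group(2), 16), int(m.group(3), 16), m.group(4)

def triage(code, stack_log, app_module):
    """Name the exception and walk outwards from the faulting frame to the application."""
    chain, app_frame = [], None
    for _slot, value, module in annotated_slots(stack_log):
        if not chain or chain[-1] != module:
            chain.append(module)          # collapse consecutive frames of one module
        if module.lower() == app_module.lower():
            app_frame = value             # first slot pointing back into the app
            break
    return NTSTATUS.get(code, "unknown NTSTATUS 0x%08X" % code), chain, app_frame

if __name__ == "__main__":
    name, chain, frame = triage(0xC0000374, STACK_LOG, "bones.exe")
    print(name, " <- ".join(chain), "first app return address: %08X" % frame)
    for base in (0x77840000, 0x77A60000):   # the two ntdll bases seen in the post
        print("ntdll base %08X -> fault at %08X" % (base, rebase(base, 0xC3BD3)))
```

The chain only shows which call tripped the heap's consistency check; the write that damaged the heap can be much earlier in the run.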

LCF-AT

Hi deep,

and what does it mean exactly? Something broken / damaged in memory etc., hardware? I have no idea about that.

The problem with this exception has been happening from the beginning (2017) in the error log. Just sometimes. Every few days more or less etc.; like I said, it's random anyhow. No clue how to handle this problem.

greetz

fearless

Could be a number of things. Using GlobalFree on a memory location that has already been freed previously but the variable still holds the old reference location and another GlobalFree was called on it. Or could be stack issues or buffer overflows. Hard to chase down those sorts of bugs. But at a guess it's probably GlobalFree or accessing heap memory that was allocated and freed (allocated via GlobalAlloc, GlobalRealloc or VirtualAlloc etc.).

  • Like 1

LCF-AT

Hi again,

Hmm. So in my own apps I am using GetProcessHeap / HeapAlloc / HeapFree too.

Ok, I found another strange thing. So if I start my CMD console outside of the system32 folder (I have some same copies of CMD.exe in different app folders too) then I now always get this message....

Das System hat keinen Meldungstext für die Meldungsnummer 0x2350 in der Meldungsdatei Application gefunden.

Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
Für diesen Befehl ist nicht genügend Speicher verfügbar.

C:\Neuer Ordner>

...some text number 2350 not found and not enough memory there for this command! It just happens when starting CMD from outside. If I start it from the Windows button / enter cmd then it starts normally...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\MeHere>

...why this?

greetz

LCF-AT

Hi guys,

I removed the older VLC version and since then I haven't got this exception error C0000374 anymore yet. Not sure whether it happens again.

About the other problem with the CMD window starting outside of the system32 folder..... still not fixed yet, nor found out what the reason for this is.

1.) Starting CMD from the Windows button on the left side of the taskbar is working, also via double-click from the system32 folder. In the CMD bar I see Administrator c:\windows\...etc

2.) Starting CMD via right mouse + shift + choosing CMD is also working from any folder where I do this.

3.) Copy CMD.exe into any folder and double-click = Error info I posted in my last post.

4.) Copy CMD.exe into any folder, selecting + right mouse and choosing execute as Admin is also not working = Error from above.

So what is that? Why isn't it working anymore, starting CMD outside of the system32 folder? Are there any rights changed or something? I remember I made a Windows update a few days ago and I think after this the problem started with CMD. I think so.

I tried to debug CMD.exe from system32 and one time from another folder, and the differences I see are in calling the FormatMessage function, which fails if I run CMD outside of the system32 folder. Inside, at the RtlFindMessage function, I get error values back in eax.

C00B0006 and C00B0001 and C0000109 and one time 00000000 = Ok and LastError is ERROR_MR_MID_NOT_FOUND (0000013D)

In the CMD from system32 I just get 0 back in eax and also no ERROR_MR_MID_NOT_FOUND (0000013D) error.

What's the difference when starting CMD outside? Is it no longer allowed or something? No idea how to fix this now. :( Does anyone have some ideas maybe?

Thank you and greetz

deepzero

There is no reason to copy cmd.exe outside the windows directory, and I very much doubt this is supported or even something Microsoft ever considered. Maybe you can get rid of the error by setting its current-working-directory to c:\windows\system32, but the real solution here is to not copy cmd.exe outside the system folder.

  • Like 2

LCF-AT

Hi,

so you know that people use different handling and methods. Mine was to copy CMD into any folder I want, to avoid using shift+right mouse to execute CMD in this location. Yes, it was working before without getting those messages, but now no more. Ok, everything of course also works with these messages, so I don't see any problem or so. It's just something I recognized. That's why I wondered, you know. All in all I think the last update should be the reason for this. Before I posted about that exception error C0000374, CMD was working the same starting it from any xy folder. After this I thought I should try to update Windows, and after this I saw the CMD issue. I checked the update KB values now and found this info about KB4503292

Security updates to Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Windows Shell, Windows Server, Windows Authentication, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Virtualization, Internet Information Services, and the Microsoft JET Database Engine.

Maybe this was what changed the CMD access rights or whatever, you know. So you can believe me, executing CMD.exe from any xy folder was working without those error messages before. The only thing that was never working was to copy calc.exe anywhere else and start it. So that failed but CMD was ok.

greetz

deepzero

I don't have access to a win10 right now, but can't you create hard-links or soft-links to the version in system32?

I am not sure I understand your use case for copying it, if you explain it we can probably find a suitable workaround...

Good night. :)

  • Like 1

kao
On 7/2/2019 at 9:35 PM, LCF-AT said:

I have some same copies of CMD.exe in different app folders too

Which is a bloody stupid idea in the first place. Just don't do it.

To answer the question - the cause of your problem is MUI files that were introduced in Windows Vista. They enable you to have Windows UI in your own (non-English) language. If you copy some of the Windows built-in executables, you also need to copy the corresponding MUI file to the correct subfolder, otherwise it won't be able to load the correct resources and you'll see the error you mentioned.

Further reading:
https://docs.microsoft.com/en-us/windows/win32/intl/mui-fundamental-concepts-explained
https://afana.me/archive/2016/06/27/restoring-classic-calculator-in-windows-10.aspx/
https://ntcore.com/?p=266

  • Like 3

LCF-AT

Hi,

thanks for this info kao. I have tested it and it works now like you said. Ok, now it's no longer so nice to copy CMD + cmd.exe.mui with subfolder anywhere. Ok, all clear now so far. No more copying CMD, just starting it via shift+right mouse or via shortcut. Just need to change my behavior for this. :)

Thanks again

  • Like 1
