Robert Hensing's Blog

Software Security . . . and stuff.

Strange DLLHost crashes on Vista

Strange DLLHost crashes on Vista

  • Comments 1
  • Likes

EDITED: 7/22/2007
I have traced the problem to Urge . . . I buy music from MTV Urge and it installs some components that appear to be responsible for the crash.  Moreover I discovered that there are two dllhosts on a 64bit version of Windows - there is a 64bit version and a 32bit version . . . the 32bit version of DLLHost is needed to run 32bit binaries (makes sense) and the Image File Execution Options that I was setting originally were only taking effect in the 64bit DLLHost which wasn't crashing!  Doh!  To get the debugger attached to the 64bit DLLHost I had to use this registry script (this also enabled pageheap so I could catch the heap corruption as it occurred):

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe]

 "debugger"="c:\\debuggers\\windbg.exe -g -G"



 I have shared the memory dump with some folks internally who in turn should be able to get it shared with the Urge folks.


So for a while now I've been experiencing a strange heisenbug on Vista.  Every now and then I get a pop-up notifying me that a COM surrogate has crashed on my home machine.  It's pretty much the ONLY crash I ever get on my home machine. 

The 'Problem Reports and Solutions' tool offers me the following solution to the problem:

Follow these steps to troubleshoot problems with Haali Media Splitter


This problem was caused by Haali Media Splitter. Haali Media Splitter was created by Haali Media.


Haali Media Splitter is a codec. A codec is software that is used to compress or decompress a digital media file, such as a song or video. Media players and other programs use codecs to play and create digital media files.








To try to solve this problem, follow these steps. Each of the steps might solve your problem. If following a step doesn't fix your problem, then go on to the next step.


Disable thumbnail view in Windows Explorer


Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.

Click the View tab, and then select the Always show icons, never thumbnails check box.

Click Apply, and then click OK.


So apparently we've seen these crash dumps before.  The problem is I don't have the component mentioned installed on my box.  I COULD try the workaround mentioned about turning off thumbnail view but I'd rather know what's going on.  So here's what I'm doing.  First I figured out that it was a dllhost.exe that was crashing from the problem reports.  So I went into the registry and added this:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe] "debugger"="c:\\debuggers\\windbg.exe -g -G"


This basically attaches WinDBG to every new instance of dllhost.exe that spawns.  It resumes the process as soon as it attaches and it avoids the breakpoint that happens when a process exits naturally.  I started clicking around the file system and was pretty surprised to see WinDBG pop-up every time I clicked on a file or folder . . . this feature is busy!  In the debugger I see the command line being used to launch the DLLHost.exe is this:

CommandLine: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

And the following DLL's seem to be loading - no 3rd party stuff that I can see:

ModLoad: 00000000`ff880000 00000000`ff887000   dllhost.exe

ModLoad: 00000000`76fb0000 00000000`7712a000   ntdll.dll

ModLoad: 00000000`76da0000 00000000`76ed1000 C:\Windows\system32\kernel32.dll

ModLoad: 000007fe`fe190000 000007fe`fe231000 C:\Windows\system32\msvcrt.dll

ModLoad: 000007fe`fd720000 000007fe`fd900000   C:\Windows\system32\ole32.dll

ModLoad: 000007fe`fdf70000 000007fe`fdfd1000   C:\Windows\system32\GDI32.dll

ModLoad: 00000000`76ee0000 00000000`76faa000 C:\Windows\system32\USER32.dll

ModLoad: 000007fe`fde70000 000007fe`fdf6f000 C:\Windows\system32\ADVAPI32.dll

ModLoad: 000007fe`fd9e0000 000007fe`fdb19000 C:\Windows\system32\RPCRT4.dll

ModLoad: 000007fe`fee80000 000007fe`feea8000   C:\Windows\system32\IMM32.DLL

ModLoad: 000007fe`fe080000 000007fe`fe184000   C:\Windows\system32\MSCTF.dll

ModLoad: 000007fe`fdc00000 000007fe`fdc0c000   C:\Windows\system32\LPK.DLL

ModLoad: 000007fe`ff210000 000007fe`ff2aa000   C:\Windows\system32\USP10.dll

ModLoad: 000007fe`fdfe0000 000007fe`fe07c000 C:\Windows\system32\CLBCatQ.DLL

ModLoad: 000007fe`fdb20000 000007fe`fdbf8000 C:\Windows\system32\OLEAUT32.dll

ModLoad: 000007fe`fc840000 000007fe`fc883000 C:\Windows\system32\rsaenh.dll

ModLoad: 000007fe`fb260000 000007fe`fb2b2000 C:\Windows\system32\uxtheme.dll

ModLoad: 000007fe`f2640000 000007fe`f2658000 C:\Windows\system32\thumbcache.dll

ModLoad: 000007fe`fd960000 000007fe`fd9d1000 C:\Windows\system32\SHLWAPI.dll

ModLoad: 000007fe`fe240000 000007fe`fee74000 C:\Windows\system32\SHELL32.dll

ModLoad: 000007fe`fc050000 000007fe`fc240000



ModLoad: 000007fe`fbb20000 000007fe`fbc02000 C:\Windows\system32\propsys.dll


After about 5 seconds - the DLLHost.exe exits . . . this happens for each file / folder where a thumbnail needs to be generated - which is to say a lot.

So I believe that the workaround returned by our online crash analysis thing will work - I'd rather figure out what's going on since and maybe help out the affected component team by giving them a good usable memory dump.

I'll post more here if I find a solution . . . for now I get to live with WinDBG popping up pretty frequently. :) 




  • <p>PingBack from <a rel="nofollow" target="_new" href=""></a></p>

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment