RE: Data Execution Prevention vs svchost

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

Since there has been no response, FWIW, here is an update.

I had run across what appeared to be the cause of the problem - HP 7310
All-in-One PSC on the network. Apparently, HP's drivers can trigger this
problem, although it is not clear from any of the postings whether or not any
of HP's dlls show up in the accompat.txt associated with svchhost. In my
customer's case, only MS dlls are referenced.

HP has a critical update to the driver, but the problem persisted, and
continued to occur after uninstalling the printer software. I then disabled
everything in the startup portion of msconfig, and this got rid of the
problem. After iteratively enabling all that had been enabled, and the
problem still did not reappear.

I then reinstalled the HP PSC s/w, installed the update, and the problem
still has not recurred, at least over the past 24 hours.

Since the problem went away after disabling everything in msconfig/startup,
this indicates some kind of poisoned interaction between the implicated MS
dlls and something in the startup group, since no dlls are being directly
invoked from msconfig/startup. Since the DEP is implicating MS dlls, this
would still tend to appear to be an MS bug, unless it is the case that the
dll that is triggering the exception is not being recorded..


"wyocowboy" wrote:

> [I had previously piggybacked this on another post, but since no response,
> here it is as its own thread]
>
> One of our customers is getting a Data Execution Error on a particular
> instance of svchost.exe. It comes back no matter how many times you click on
> send or don't send the error report to Microsoft. The OS is XP Home SP2
> (OEM) with all the latest updates. It had been running for months without a
> problem. We tried a system restore to a date prior to when the problem
> surfaced, with no success.
>
> The only way the customer can get any work done is to drag the DEP message
> box off the side. Although I can understand this happening if a non-MS module
> loads under svchost.exe, that is not the case in this instance.
>
> Looking at the appcompat.txt file that is part of the error report shows
> that all dlls running under this particular instance of svchost are all WinXP
> dlls. All are identified in the appcompat.txt file as Microsoft files. Here
> is the list of the files running under this particular instance of
> svchost.exe and their versions:
>
> advapi32.dll 5.1.2600.2180
> gdi32.dll 5.1.2600.2180
> kernel32.dll 5.1.2600.2180
> ntdll.dll 5.1.2600.2180
> ole32.dll 5.1.2600.2595
> oleaut32.dll 5.1.2600.2180
> shell32.dll 6.0.2900.2578
> user32.dll 5.1.2600.2180
> wininet.dll 6.0.2900.2577
> winsock.dll 3.10.0.103
>
> These match the versions on my trusted bench machine, except for ntdll.dll ,
> which on my machine is version 5.1.2600.1106. Since my version is older,
> might this be causing the problem? Not sure why my machine has an older
> version of this file, but it was upgraded from SP1 to SP2 using the
> downloaded SP2 package, and has all of the available Windows updates (as of
> 4/6/05), whereas the customer's shipped with SP2 (OEM)
>
> Is it the case that the DEP could be triggered by interaction of one of the
> valid MS dlls with something else running in the system? Norton says no
> viruses or adware found. A cursory look reveals no adware (I remove it for a
> living, so I know what to look for. If the answer to #1 is yes, I will give
> it a throrough adware removal process, but I have to charge the customer
> field rates, and don't want to do that if it is not going to cure the problem.
>
> I can provide the appcompat.txt, the WER hexdumps
> and the system and application event logs in text format, on request.
>
> Jerry
.

Relevant Pages

  • Data Execution Prevention vs svchost
    ... The OS is XP Home SP2 ... The only way the customer can get any work done is to drag the DEP message ... that all dlls running under this particular instance of svchost are all WinXP ... viruses or adware found. ...
    (microsoft.public.windowsxp.general)
  • Re: System-wide hooking, VB+ASM
    ... > How else do I handle a response that seems to completely ignore every one ... > you know anything about VB, you surely are aware that VB can create DLLs. ... > why answer with a terse remark about system-wide hooks needing to be in a ... Prev by Date: ...
    (microsoft.public.vb.winapi)
  • Re: Deployment via stsadm fails, but via Central Administration works fine
    ... Thanks for your response, ... error message in that case. ... The package deploys 3 dlls to the GAC, ... All 3 dlls have strong names and there are no missing dependencies. ...
    (microsoft.public.sharepoint.portalserver.development)
  • Re: skurriler Fehler mit VFP9 SP1
    ... Aber vermutlich war das die erste Beta von SP2 und ich hab die dummerweise per SETUP einer VFP-Applikation auch auf die anderen Rechner übertragen. ... Ich hatte das zwar damals sorgsam rückgängig gemacht, aber nach einer Rechner-Neuinstallation dummerweise eine Installations-CD einer VFP-Applikation verwendet, die mit der Beta erstellt wurde. ... Die hat sich dann von hier, man kann fast sagen Viren-artig, auf alle anderen ausgebreitet, da der Wise-Installer die installierten DLLs verwendet. ...
    (microsoft.public.de.fox)
  • Re: Class not registered error
    ... This is strange that it is happening related to to SP2. ... if for some reason the relevant DLLs get hijacked by some other tool. ... The above DLL is used for DV AVI capture. ... > 'Class not registered' message occurrs when attempting 'capture part of ...
    (microsoft.public.windowsxp.moviemaker)