Windows explorer crashes randomly
I have a user on windows 10 that is having windows explorer crash at seemingly random times. It does not look like it always shows up in the EventLog but here are two times I have seen it:
Faulting application name: explorer.exe, version: 10.0.14393.479, time stamp: 0x58258a90
Faulting module name: verifier.dll, version: 10.0.14393.0, time stamp: 0x57899a0f
Exception code: 0x80000003
Fault offset: 0x00000000000067ea
Faulting process id: 0x25fc
Faulting application start time: 0x01d2a268dd411f2e
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\System32\verifier.dll
Report Id: abed9bed-5ee2-400a-b02b-e9ca156152e3
Faulting package full name:
Faulting package-relative application ID:
Faulting application name: explorer.exe, version: 10.0.14393.479, time stamp: 0x58258a90
Faulting module name: ntdll.dll, version: 10.0.14393.479, time stamp: 0x5825887f
Exception code: 0xc0000374
Fault offset: 0x00000000000f8283
Faulting process id: 0x1e70
Faulting application start time: 0x01d29f6e3e1544fd
Faulting application path: C:\Windows\explorer.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: ec2775c1-336e-4d5f-bd96-d41b76e515e6
Faulting package full name:
Faulting package-relative application ID:
Here are links to two dumps I have collected. Unfortunately, I do not have any experience with dumps so I am hoping someone might be able use them.
Link1
Link2
Any help would be greatly appreciated!
The dumps are BREAKPOINT dumps ( STATUS_BREAKPOINT - (NTSTATUS) 0x80000003
because App Verifier is enabled. In the callstack I see telemetry related calls that trigger the crash:
ntdll!NtWaitForMultipleObjects
ntdll!WerpWaitForCrashReporting
ntdll!RtlReportExceptionHelper
ntdll!RtlReportException
verifier!AVrfpVectoredExceptionHandler
ntdll!RtlpCallVectoredHandlers
ntdll!RtlDispatchException
ntdll!KiUserExceptionDispatch
verifier!VerifierStopMessageEx
verifier!AVrfpHandleSanityChecks
verifier!AVrfpNtQueryInformationProcess
windows_storage!DefaultAssocTelemetry::UtilGetProcessTelemetryAppSessionGuid
windows_storage!DefaultAssocTelemetry::CreateAssociatedProcess_
windows_storage!DefaultAssocTelemetry::CreateAssociatedProcess<enum ShellExecuteDdeStages & __ptr64,long & __ptr64,long & __ptr64,_PROCESS_INFORMATION & __ptr64,unsigned long & __ptr64,IUnknown * __ptr64 & __ptr64>
windows_storage!CInvokeCreateProcessVerb::Launch
windows_storage!CInvokeCreateProcessVerb::Execute
windows_storage!CBindAndInvokeStaticVerb::_DoCommand
windows_storage!CBindAndInvokeStaticVerb::_TryCreateProcessDdeHandler
windows_storage!CBindAndInvokeStaticVerb::Execute
windows_storage!CRegDataDrivenCommand::_TryInvokeAssociation
windows_storage!CRegDataDrivenCommand::_Invoke
shell32!CRegistryVerbsContextMenu::_Execute
shell32!CRegistryVerbsContextMenu::InvokeCommand
shell32!HDXA_LetHandlerProcessCommandEx
shell32!CDefFolderMenu::InvokeCommand
shell32!SHInvokeCommandOnContextMenu2
shell32!s_DoInvokeVerb
SHCore!Microsoft::WRL::Details::RuntimeClass<Microsoft::WRL::Details::InterfaceList<CRandomAccessStreamBase,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IRandomAccessStreamWithContentType,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IContentTypeProvider,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::Implements<Microsoft::WRL::RuntimeClassFlags<3>,Microsoft::WRL::CloakedIid<IRandomAccessStreamMode>,Microsoft::WRL::CloakedIid<IRandomAccessStreamFileAccessMode>,Microsoft::WRL::CloakedIid<IObjectWithDeferredInvoke>,Microsoft::WRL::CloakedIid<IObjectWithFileHandle>,Microsoft::WRL::CloakedIid<IUnbufferedFileHandleProvider>,Microsoft::WRL::CloakedIid<IRandomAccessStreamPrivate>,Microsoft::WRL::CloakedIid<ITransactedModeOverride>,Microsoft::WRL::CloakedIid<CFTMCrossProcServer>,Microsoft::WRL::Details::Nil>,Microsoft::WRL::Details::Nil> > > >,Microsoft::WRL::RuntimeClassFlags<3>,1,1,0>::~RuntimeClass<Microsoft::WRL::Details::InterfaceList<CRandomAccessStreamBase,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IRandomAccessStreamWithContentType,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IContentTypeProvider,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::Implements<Microsoft::WRL::RuntimeClassFlags<3>,Microsoft::WRL::CloakedIid<IRandomAccessStreamMode>,Microsoft::WRL::CloakedIid<IRandomAccessStreamFileAccessMode>,Microsoft::WRL::CloakedIid<IObjectWithDeferredInvoke>,Microsoft::WRL::CloakedIid<IObjectWithFileHandle>,Microsoft::WRL::CloakedIid<IUnbufferedFileHandleProvider>,Microsoft::WRL::CloakedIid<IRandomAccessStreamPrivate>,Microsoft::WRL::CloakedIid<ITransactedModeOverride>,Microsoft::WRL::CloakedIid<CFTMCrossProcServer>,Microsoft::WRL::Details::Nil>,Microsoft::WRL::Details::Nil> > > >,Microsoft::WRL::RuntimeClassFlags<3>,1,1,0>
verifier!AVrfpStandardThreadFunction
kernel32!BaseThreadInitThunk
ntdll!RtlUserThreadStart
Here an invalid handle (that is NULL) is used by Windows.
APPLICATION_VERIFIER_HANDLES_NULL_HANDLE (303)
NULL handle passed as parameter. A valid handle must be used.
This stop is generated if the function on the top of the stack passed a
NULL handle to system routines.
Import this .reg file to disable to disable app verifier and dump creation. this should lower the amount of crashes.
I also see that the GROOVEEX.dll is loaded:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for GROOVEEX.DLL -
Use ShellExView to disable Office Groove entries and look if this fixes it.
Also, have you used tools that try to disable Windows 10 telemetry? if yes, undo those changes.