# spoolsv.exe and ntdll.dll



## soccer5232

Here is the Windows Log. I am getting it on all Windows 7 SP1 desktops. Any ideas?

Faulting application name: spoolsv.exe, version: 6.1.7601.17514, time stamp: 0x4ce7aa85
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b96e
Exception code: 0xc0000374
Fault offset: 0x000c37b7
Faulting process id: 0x10d8
Faulting application start time: 0x01cc2f8aad6d33e2
Faulting application path: C:\Windows\System32\spoolsv.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: f91e0c2c-9b7d-11e0-b203-0019b932c70c


----------



## usasma

No clue about the error report, it blames common Windows components (which aren't usually to blame). Just FYI, if common components such as ntdll.dll are causing issues - I'd expect to see many more problems than just some app crashes. Also, these files are protected by Windows File Protection, so it's less likely that they'd be a problem than a 3rd party program.

How many systems is this happening on? Are they all networked together? Have you scanned for malware?

Please provide this info (even though you're not having BSOD's): http://www.techsupportforum.com/for...-instructions-windows-7-and-vista-452654.html


----------



## soccer5232

Yes, they are all linked together, connected to the same print server. It is everyone's computer that we have upgraded to Windows 7.


----------



## soccer5232

They all have AVG installed and report no viruses/malware.


----------



## usasma

Still will need the info (that I requested) from at least one of the systems.
What are you using for a print server? Have you checked it for any problems?


----------



## soccer5232

We are using Windows 2003. All but 1 of our printers are HP. All of the Windows XP Pro SP3 computers are working. The attached file below is the file.


----------



## soccer5232

Oops. Now the file is there.


----------



## usasma

The biggest problem here is that we're working with one system - not the entire network.
So documentation is a big part of this (so you can backtrack to see what's common between the systems).
So, I'll be including a lot of stuff here - just to be sure we catch everything.

I'm running late for work, so this post is only partial info. But I've found 2 things that relate to printing that may be issues:
- An HIPS driver that's missing/not installed from CA Antivirus/Internet Security. An incomplete removal could have left components of the firewall blocking stuff to/from the print server.
- Brother printer drivers from 2006. Would probably cause Windows 7 to throw a few fits - and I wonder about its impact on the networking stuff (associated with the communications to the print server).

Here's the details (more after work today):

First is a missing driver in the perfmon report for your HIPS (Host Intrusion Protection System) from CA. But I see no evidence of CA products on your system. Can you search for KmxFilter.sys (probably in C:\Windows\System32\drivers), right click on it and select Properties, then select the Details tab to find out more about it?

This system only has 1.5 GB of RAM - and only 324 MB is available. That's a sure way to slow the system down - and if there are other issues, it's likely to cause problems also (the spoolsv errors report NTSTATUS 0xc0000005 - memory access error).
From the systeminfo report:


> Total Physical Memory: 1,536 MB
> Available Physical Memory: 324 MB


Plenty of older drivers on this system - and enough are storage drivers of different types to lead me to think that this is an HP system (HP DV4 Drivers). I mention this because the older drivers aren't all necessary, but HP loads them anyway (and I don't know what their impact is on the system).

Here's a stack of Brother drivers from *2006* - maybe they're causing issues? I've seen problems with them on occasion.


> BrFiltLo Brother USB Mass-Stora Brother USB Mass-Stora Kernel Manual Stopped OK FALSE FALSE 0 8,576 0 8/6/2006 5:33:45 PM C:\Windows\system32\DRIVERS\BrFiltLo.sys 1,024
> 
> BrFiltUp Brother USB Mass-Stora Brother USB Mass-Stora Kernel Manual Stopped OK FALSE FALSE 0 1,792 0 8/6/2006 5:33:45 PM C:\Windows\system32\DRIVERS\BrFiltUp.sys 640
> 
> Brserid Brother MFC Serial Por Brother MFC Serial Por Kernel Manual Stopped OK FALSE FALSE 34,432 18,688 0 8/6/2006 5:33:50 PM C:\Windows\system32\Drivers\Brserid.sys 4,096
> 
> BrSerWdm Brother WDM Serial dri Brother WDM Serial dri Kernel Manual Stopped OK FALSE FALSE 30,208 25,472 0 8/6/2006 5:33:44 PM C:\Windows\system32\Drivers\BrSerWdm.sys 1,792
> 
> BrUsbMdm Brother MFC USB Fax On Brother MFC USB Fax On Kernel Manual Stopped OK FALSE FALSE 0 7,680 0 8/6/2006 5:33:43 PM C:\Windows\system32\Drivers\BrUsbMdm.sys 1,280
> 
> BrUsbSer Brother MFC USB Serial Brother MFC USB Serial Kernel Manual Stopped OK FALSE FALSE 0 7,552 0 8/9/2006 8:02:02 AM C:\Windows\system32\Drivers\BrUsbSer.sys 1,152


----------



## usasma

Outdated versions of Google Update have had issues in the past - I'd suggest ensuring that all systems have the latest version.

This warning logs in just before each of the Print Spooler crashes:


> The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.


Any recent changes to Group Policy that may have started this?

This error points at Heap Corruption (the code listed at P7):


> Event[0]:
> Log Name: Application
> Source: Windows Error Reporting
> Date: 2011-06-21T10:11:39.000
> Event ID: 1001
> Task: N/A
> Level: Information
> Opcode: Info
> Keyword: Classic
> User: N/A
> User Name: N/A
> Computer: I REMOVED THIS INFO
> Description:
> Fault bucket , type 0
> Event Name: APPCRASH
> Response: Not available
> Cab Id: 0
> 
> Problem signature:
> P1: spoolsv.exe
> P2: 6.1.7601.17514
> P3: 4ce7aa85
> P4: StackHash_ec0f
> P5: 6.1.7601.17514
> P6: 4ce7b96e
> P7: c0000374
> P8: 000c37b7
> P9:
> P10:
> 
> Attached files:
> 
> These files may be available here:
> C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_spoolsv.exe_156b13df9e6120bd119dbaa77f788822d9b551_12fa3523
> 
> Analysis symbol:
> Rechecking for solution: 0
> Report Id: 5f61a89c-9c10-11e0-ae68-000c29f092b2
> Report Status: 0


Please see if you can zip up and upload the reports from here: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Also search the system for files ending in .dmp and .mdmp (other than the C:\Windows\Minidump folder) and zip them up and upload them also.

That's about all I can extract from these reports.
Please upload the requested reports - or let us know if you can't find them.


----------



## soccer5232

Yes, I know about the GP problems. I am rebuilding a new set of GP to fix the errors, but those have been in the logs for over a month now. The only thing that really changed was we changed an OU name from Users Test to Users.

On the server, I am working on removing any old printer drivers and updating them to the most current ones. I am also trying to delete any printer drivers which are not in use. 

Attached are the files requested. There are no dumps found.


----------



## usasma

Found a .mdmp file in the first WER report for spoolsv.exe crashing.
First thing of note is es4d5cUI.dll - a file that's associated with TOSHIBA TEC CORPORATION PART e-STUDIO Series Printer Driver.

I'd also replace the hpcdmc32.DLL (HP LaserJet driver) simply because it's mentioned in the report.

Since it's relatively near the site of the crash (in the stack text), I'd have to wonder if it's causing the issues that you're experiencing (but I don't work with Application crashes, so I'm not real sure about the analysis). I've found other .mdmp files and the Toshiba print driver is in the same location on the stack text with them.


> Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
> Copyright (c) Microsoft Corporation. All rights reserved.
> 
> 
> Loading Dump File [C:\Users\FUBAR\_jcgriff2_\dbug\__Kernel__\WER14BB.tmp.mdmp]
> User Mini Dump File: Only registers, stack and portions of memory are available
> 
> Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
> Executable search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
> Windows 7 Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
> Product: WinNt, suite: SingleUserTS
> Machine Name:
> Debug session time: Fri Apr 29 11:13:26.000 2011 (UTC - 4:00)
> System Uptime: 0 days 0:21:56.273
> Process Uptime: 0 days 0:20:51.000
> ................................................................
> ................................................................
> ...
> Loading unloaded module list
> ................................................................
> This dump file has an exception of interest stored in it.
> The stored exception information can be accessed via .ecxr.
> (5f0.b58): Access violation - code c0000005 (first/second chance not available)
> eax=00000000 ebx=02efeb20 ecx=00000400 edx=00000000 esi=00000002 edi=00000000
> eip=774970b4 esp=02efead0 ebp=02efeb6c iopl=0 nv up ei pl zr na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
> ntdll!KiFastSystemCallRet:
> 774970b4 c3 ret
> 0:016> !analyze -v
> *******************************************************************************
> * *
> * Exception Analysis *
> * *
> *******************************************************************************
> 
> Unable to load image C:\Windows\System32\spool\drivers\w32x86\3\es4dxlui.dll, Win32 error 0n2
> *** WARNING: Unable to verify timestamp for es4dxlui.dll
> *** ERROR: Module load completed but symbols could not be loaded for es4dxlui.dll
> Unable to load image C:\Windows\System32\spool\drivers\w32x86\3\hpcdmc32.DLL, Win32 error 0n2
> *** WARNING: Unable to verify timestamp for hpcdmc32.DLL
> *** ERROR: Module load completed but symbols could not be loaded for hpcdmc32.DLL
> 
> FAULTING_IP:
> ntdll!RtlpLowFragHeapFree+c5
> 774a2d94 8930 mov dword ptr [eax],esi
> 
> EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
> ExceptionAddress: 774a2d94 (ntdll!RtlpLowFragHeapFree+0x000000c5)
> ExceptionCode: c0000005 (Access violation)
> ExceptionFlags: 00000000
> NumberParameters: 2
> Parameter[0]: 00000001
> Parameter[1]: 00000000
> Attempt to write to address 00000000
> 
> PROCESS_NAME: spoolsv.exe
> 
> ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
> 
> EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
> 
> EXCEPTION_PARAMETER1: 00000001
> 
> EXCEPTION_PARAMETER2: 00000000
> 
> WRITE_ADDRESS: 00000000
> 
> FOLLOWUP_IP:
> ntdll!RtlpLowFragHeapFree+c5
> 774a2d94 8930 mov dword ptr [eax],esi
> 
> MOD_LIST: <ANALYSIS/>
> 
> NTGLOBALFLAG: 0
> 
> APPLICATION_VERIFIER_FLAGS: 0
> 
> ADDITIONAL_DEBUG_TEXT: Enable Pageheap/AutoVerifer
> 
> FAULTING_THREAD: 00000b58
> 
> DEFAULT_BUCKET_ID: HEAP_CORRUPTION
> 
> PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
> 
> BUGCHECK_STR: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_WRITE_NULL_POINTER_WRITE
> 
> LAST_CONTROL_TRANSFER: from 774a2ce8 to 774a2d94
> 
> STACK_TEXT:
> 02eff184 774a2ce8 0018f264 02d58870 0018f264 ntdll!RtlpLowFragHeapFree+0xc5
> 02eff19c 7535bbe4 00150000 00000000 02d58870 ntdll!RtlFreeHeap+0x105
> 02eff1b0 036d45fc 00150000 00000000 02d58870 kernel32!HeapFree+0x14
> WARNING: Stack unwind information not available. Following frames may be wrong.
> 02eff638 703c334d 02d58870 00000004 00000001 *es4dxlui*+0x645fc
> 02eff6a0 6fe7b67c 01e420cc 02d58870 00000004 PrintIsolationProxy!sandbox::PrintSandboxObject::SandboxDriverEvent+0x101
> 02eff6cc 6fe7a645 01e420ec 02d58870 00000004 localspl!sandbox::SandboxObserver::SandboxDriverEvent+0x27
> 02eff704 6fe3baba 01e41548 02d58870 00000004 localspl!sandbox::SandboxPrinterDriverEvent+0xa8
> 02eff738 6fe3bbbd 02d58870 00000004 00000000 localspl!SplDriverEvent+0x47
> 02eff764 6fe1e400 00000001 00000004 00000000 localspl!PrinterDriverEvent+0xa2
> 02eff78c 6fe1f3d5 02d383b8 00000000 00000000 localspl!InternalDeletePrinter+0xdb
> 02eff7a8 6fb23d12 02890020 00000000 02eff7e0 localspl!SplDeletePrinterWithJobs+0x126
> 02eff7bc 6fafd280 00000000 02eff7e0 01e4de6c win32spl!NCSRCommon::TLocalPrinter::Delete+0x13
> 02eff7e8 6fafe86a 01eb4ee8 02d696f0 00000000 win32spl!TPrintOpen::InternalDeletePrinterConnection+0x78
> 02eff888 0083a849 02d696f0 80070002 02eff900 win32spl!TPrintOpen:pDeletePrinterConnection+0x16f
> 02eff898 0083bace 01985270 02d696f0 00000000 spoolsv!CallDeletePrinterConnection+0x12
> 02eff900 0083e8bb 00442ff0 00000001 02eff924 spoolsv!InternalAddPrinterConnection2+0xcb
> 02eff93c 0083da42 00000001 00000000 01e73190 spoolsv!TConnection::Add+0xa8
> 02eff98c 0081f5e5 00443028 00040000 00000000 spoolsv!TSpoolerPerMachineConnections::AddConnection+0x4f
> 02eff9b8 0081012f 00000000 01e85360 00849104 spoolsv!TSpoolerPerMachineConnections::ProcessConnectionList+0x96
> 02eff9e4 008117d1 01e5439c 01e54338 77480efc spoolsv!TSpoolerPerMachineConnections::MigrateAllConnectionsToUserWorker+0xb3
> 02effa00 00811754 00000000 01e54338 0080f040 spoolsv!TSpoolerPerMachineConnections::MigrateAllConnectionsToUser+0x66
> 02effa0c 0080f040 02effa34 0080f827 01e850d0 spoolsv!TSpoolerPerMachineConnections::Run+0x2a
> 02effa14 0080f827 01e850d0 7747fca0 01e54338 spoolsv!TPrinterConnectionConsumer::DataReady+0x21
> 02effa34 0080e839 001f2880 00447818 02effa6c spoolsv!NThreadingLibrary::TProducerConsumerManager<TPrinterConnectionEvent,NCoreLibrary::TFifoQueue<TPrinterConnectionEvent *> >::Run+0x84
> 02effa44 77480ed2 02effaa8 00447818 001f2880 spoolsv!NThreadingLibrary::TWorkCrew::tpWaitCallback+0x5a
> 02effa6c 77480842 02effaa8 001f28e0 75bd77ea ntdll!TppWaitpExecuteCallback+0x11b
> 02effbcc 75363c45 00172b48 02effc18 774b37f5 ntdll!TppWorkerThread+0x572
> 02effbd8 774b37f5 00172b48 75bd703e 00000000 kernel32!BaseThreadInitThunk+0xe
> 02effc18 774b37c8 774803e7 00172b48 00000000 ntdll!__RtlUserThreadStart+0x70
> 02effc30 00000000 774803e7 00172b48 00000000 ntdll!_RtlUserThreadStart+0x1b
> 
> 
> SYMBOL_NAME: heap_corruption!heap_corruption
> 
> FOLLOWUP_NAME: MachineOwner
> 
> MODULE_NAME: heap_corruption
> 
> IMAGE_NAME: heap_corruption
> 
> DEBUG_FLR_IMAGE_TIMESTAMP: 0
> 
> STACK_COMMAND: ~16s; .ecxr ; kb
> 
> FAILURE_BUCKET_ID: HEAP_CORRUPTION_c0000005_heap_corruption!heap_corruption
> 
> BUCKET_ID: APPLICATION_FAULT_HEAP_CORRUPTION_INVALID_POINTER_WRITE_NULL_POINTER_WRITE_heap_corruption!heap_corruption
> 
> WATSON_IBUCKET: -2020968184
> 
> WATSON_IBUCKETTABLE: 1
> 
> WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOn...514/4ce7b96e/c0000005/00052d94.htm?Retriage=1
> 
> Followup: MachineOwner
> ---------


----------
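Added example (not part of the thread, and not any poster's code): the manual read of STACK_TEXT described in the post above, scripted in Python so it can be repeated across the other .mdmp files. It reports whether the fault is inside a heap-free routine and which non-Windows modules sit on the stack; the `OS_MODULES` allowlist and the function names are assumptions made for this example.

```python
import re

# Frames copied (abridged) from the STACK_TEXT quoted in the post above.
STACK_TEXT = """\
02eff184 774a2ce8 0018f264 02d58870 0018f264 ntdll!RtlpLowFragHeapFree+0xc5
02eff19c 7535bbe4 00150000 00000000 02d58870 ntdll!RtlFreeHeap+0x105
02eff1b0 036d45fc 00150000 00000000 02d58870 kernel32!HeapFree+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
02eff638 703c334d 02d58870 00000004 00000001 *es4dxlui*+0x645fc
02eff6cc 6fe7a645 01e420ec 02d58870 00000004 localspl!sandbox::SandboxObserver::SandboxDriverEvent+0x27
02eff738 6fe3bbbd 02d58870 00000004 00000000 localspl!SplDriverEvent+0x47
02eff898 0083bace 01985270 02d696f0 00000000 spoolsv!CallDeletePrinterConnection+0x12
"""

# Assumption for this example: the Microsoft modules named in the trace are
# treated as Windows components. Confirm the vendor of anything else in WinDbg.
OS_MODULES = {"ntdll", "kernel32", "localspl", "win32spl", "spoolsv",
              "printisolationproxy"}

# ChildEBP, RetAddr, three argument words, then the symbol text.
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S.*)$")

def parse_frames(stack_text):
    """Return one dict per frame: depth, module, symbol text, reliability."""
    frames, reliable = [], True
    for line in stack_text.splitlines():
        if "Stack unwind information not available" in line:
            reliable = False  # the debugger is guessing from this point down
            continue
        m = FRAME.match(line.strip())
        if m:
            sym = m.group(1)
            has_symbols = "!" in sym
            module = sym.split("!", 1)[0] if has_symbols else sym.rsplit("+", 1)[0]
            frames.append({"depth": len(frames), "symbol": sym,
                           "module": module.strip("*").lower(),
                           "has_symbols": has_symbols, "reliable": reliable})
    return frames

def triage(stack_text):
    """Summarise where the fault hit and which non-OS modules are on the stack."""
    frames = parse_frames(stack_text)
    in_free = any("FreeHeap" in f["symbol"] or "HeapFree" in f["symbol"]
                  for f in frames[:3])
    suspects = [f for f in frames if f["module"] not in OS_MODULES]
    return {"fault_in_heap_free": in_free,
            "first_suspect": suspects[0] if suspects else None,
            "suspect_modules": sorted({f["module"] for f in suspects})}
```

Heap corruption surfaces at a later heap call rather than at the write that caused it, so the module found calling `HeapFree` is a lead to test (here, by replacing the driver), and the dump's own `ADDITIONAL_DEBUG_TEXT` line points to page heap for confirmation.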



## soccer5232

Sorry for the late response. That driver was the issue; I removed the driver from the computer and spoolsv.exe started. Updated the driver from 1.3 to like 4.4 or something absurd like that and everything is happy, except color does not work on the Toshiba from Windows 7 (just got to check all the settings when I have 4 seconds).


Thanks so much again. I will be hopefully using and contributing to this forum after my good experience here.


----------



## usasma

I'm glad to hear that it's fixed.
Thanks for letting us know!


----------

