# Application Error -- Faulting application svchost.exe_SysMain



## VictorZ

I'm getting consistent/regular application errors involving "svchost.exe_SysMain" failures. A typical event message looks like the following:

-----------------------------------------------------------------------
Faulting application svchost.exe_SysMain, version 6.0.6001.18000, time stamp 0x47919291, faulting module sysmain.dll, version 6.0.6001.18000, time stamp 0x4791adbd, exception code 0xc0000005, fault offset 0x0000000000027bc4, process id 0x9b0, application start time 0x01c9c9b411570516.
-----------------------------------------------------------------------


This is followed (in the event log) by a cascade of errors from the "Service Control Manager Eventlog Provider" such as the following:

-----------------------------------------------------------------------
The ReadyBoost service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
-----------------------------------------------------------------------

The cascade of service/driver errors occurs within 3 to 6 seconds of the initial svchost.exe_SysMain failure and hits a dozen or so other services including but not limited to ... 

Windows Audio Endpoint Builder 
Offline Files service 
ReadyBoost service 
Human Interface Device Access service 
Network Connections service 
Program Compatibility Assistant Service 
Superfetch service 
Tablet PC Input Service 
Desktop Window Manager Session Manager service 
Diagnostic System Host service 
Portable Device Enumerator Service service 
Windows Driver Foundation - User-mode Driver Framework service 

The above being the list from the most recent event, but it's typical.

As an aside, I posted the following message earlier today, looking to track down another bogey ... the fact that the "busy" cursor starts flashing periodically for no apparent reason after the system has been running a while:

http://www.techsupportforum.com/mic...ursor-flashes-intermittently.html#post2110820 <--- click to view previous post.

I "think" that the above problem occurs as a result of the service failure cascade. From what little I've found on the cursor problem, it might be related to a service trying to restart. I haven't dug deep into what is running to see if something brought down by the svchost issue might be at the root of this problem ... I do offer it as an additional clue perhaps. In any case, I had set up a trigger on the svchost problem to pop up an error message ... which it just did ... and I notice that the cursor flashing issue is now visible whereas I did not notice it before. As noted in the above message, restarting clears the cursor problem and at least for a while, all services are running normally.

I don't notice any loss of functionality due to the svchost issue, at least, nothing obvious ... but clearly something is amiss.

Your help is GREATLY appreciated!

Thanks in advance ...
Victor


----------



## jcgriff2

SYSMAIN is Superfetch.

I see exception code = 0xc0000005. What anti-virus product(s) do you have installed? If "Internet Security" package w/ personal firewall like NIS, KIS, McAfee, etc... - IT is the likely cause and s/b removed.

Regards. . .

jcgriff2

.


----------



## VictorZ

jcgriff2 said:


> SYSMAIN is Superfetch.
> 
> I see exception code = 0xc0000005. What anti-virus product(s) do you have installed? If "Internet Security" package w/ personal firewall like NIS, KIS, McAfee, etc... - IT is the likely cause and s/b removed.
> 
> Regards. . .
> 
> jcgriff2
> 
> .


jcgriff2,

Thanks for the prompt reply. Superfetch, eh? Interesting. I used to get "superfetch has stopped working" (or some such) popups a lot, but haven't seen one in some time. I guess they're just not "popped" anymore but just buried in the event log.

I run ESET NOD32 antivirus. I'm not running a security "suite" or any other items. The built-in firewall is reasonable, I've got hardware security on the inbound and I'm pretty particular about what runs on the box so outbound threats aren't a worry to me. Spamware is the default Windows Defender which, too, is reasonable and again, safe computing goes a long way.

Anything else I might look at? I suppose I could disable superfetch for a bit and see if the problems disappear to pin that cause down.

In case I didn't mention ... (was listed in the other message) ... I'm running Vista 64 Ultimate on a box with 8Gb RAM. NVidia 8800 GTS video. Intel QuadCore @ 3 GHz. All patches, etc. up to date.

I also run VMWare Workstation to support a copy of my old XP Pro box setup for a few programs that don't play nice with Vista and for general software testing, fooling around with untested free/shareware stuff, etc. etc...

I should also note that I've run Memtest86 as well as the memory tester built into Vista and no errors have popped up. When the superfetch errors were popping up, I tried easing up on memory speed, timings, etc. to see if anything would help to no avail. Voltage looks ok, but I'm not ready to rule out PSU if necessary however it feels unlikely.

There's a lot I like about Vista ... and high hopes for Win7 ... but these nagging little issues are a nuisance. 

Again, thanks for your help in this matter.
Victor


----------



## jcgriff2

Hi - 

I too initially had trouble with Superfetch (*sysmain*) and also "Distributed Link Tracking Client" (*TrkWks*) and simply disabled both. Later on I did look into the problem and jumped through hoops to fix it. A subsequent re-install of Vista cleared both up.

Are you sure your system did not come with an Internet Security suite installed - like Norton? I ask b/c all of my systems did and found that even if I chose not to accept the trial offer, NIS would still partially install. This then left me with something worse than NIS itself - a corrupted NIS partial installation.

I have the exact same set-up on this Vista x64 system - Windows Firewall, Windows Defender and ESET NOD32 anti-virus.

What does the Event Viewer say about these crashes? WERCON?

E/V - START | *eventvwr.msc* | - Custom Views - Admin log -- 2x-click on an entry for add'l info

WERCON - START | *wercon* | View Problem History - 2x-click... per above

It is the 0xc0000005 exception that bothers me as I find them caused mostly by a 3rd party firewall.

Regards. . .

jcgriff2

.


----------



## jenae

Hi, you have plenty of memory; have you at any stage used a flash drive to test "readyboost"?


----------



## VictorZ

jcgriff2 said:


> Hi -
> 
> I too initially had trouble with Superfetch (*sysmain*) and also "Distributed Link Tracking Client" (*TrkWks*) and simply disabled both. Later on I did look into the problem and jumped through hoops to fix it. A subsequent re-install of Vista cleared both up.
> 
> Are you sure your system did not come with an Internet Security suite installed - like Norton?
> 
> --- snip ---
> 
> 
> 
> What does the Event Viewer say about these crashes? WERCON?
> 
> E/V - START | *eventvwr.msc* | - Custom Views - Admin log -- 2x-click on an entry for add'l info
> 
> WERCON - START | *wercon* | View Problem History - 2x-click... per above
> 
> It is the 0xc0000005 exception that bothers me as I find them caused mostly by a 3rd party firewall.
> 
> .



Quite sure. System is home brew. OS was installed clean from a Vista64 SP1 DVD, so nothing beyond what Microsoft provided. There is no 3rd party firewall. I have used Online Armor on my XP boxes, but they don't have a 64bit edition for Vista. Has never been installed in this OS. I toyed around a few weeks ago with the most recent Comodo firewall as they _do_ have a 64bit version but I couldn't be sure it wasn't causing other issues so I trashed it and restored a clean Vista64 installation partition image from my backups. So, no, the short answer, no 3rd party firewall and no oddball suites installed in this system. Incidentally, the error had already occurred several times when the image was made but I was not as savvy with Vista yet at that time. Office, a few other items installed. Pretty much a clean backstop, disaster recovery partition image. Not far from squeaky just installed Vista clean in any case.

Full disclosure ... Spybot and SpywareBlaster are run periodically to immunize IE settings, etc. These do make changes to setups, host files and such, but do not involve any running programs, libraries, services, etc.

====================================

The eventviewer logs don't say much beyond what I've already posted at the top of the thread. What you see there is all there is and all it says. The main svchost failure (that triggers the others) ... faulting application is almost always sysmain.dll ... I did find one instance (out of quite a lot of'em) where it was w32time.dll ... but in any case, the exception code remains the same, 0xc0000005

====================================

As to Wercon ... There's a stack of superfetch errors ... here's a copy of what the most recent one says:

Problem signature
Problem Event Name:	APPCRASH
Application Name:	svchost.exe_SysMain
Application Version:	6.0.6001.18000
Application Timestamp:	47919291
Fault Module Name:	sysmain.dll
Fault Module Version:	6.0.6001.18000
Fault Module Timestamp:	4791adbd
Exception Code:	c0000005
Exception Offset:	000000000000c143
OS Version:	6.0.6001.2.1.0.256.1
Locale ID:	1033
Additional Information 1:	570e
Additional Information 2:	f87d907f6c95b3755cbb4bbb0beffc03
Additional Information 3:	1443
Additional Information 4:	47ae5a9cb4407b24bb761c6827b546be

Files that help describe the problem
Version.txt
AppCompat.txt
memory.hdmp
minidump.mdmp


Not sure it adds anything but it's greek to me. Any other fault you want listed? Or copies of dump files? If it helps solve the problem, just say the word.

Again, thanks ...
Victor


----------



## VictorZ

jenae said:


> Hi, you have plenty of memory; have you at any stage used a flash drive to test "readyboost"?


Jenae,

I did at one time try putting a fast USB stick in, 8Gb I believe, to see what it would do. If I recall, it wasn't all sweetness and light.  There were several cases of superfetch and readyboost coughing up hairballs and error messages ... But then again, the superfetch issues were there before trying readyboost and, in any case, the current installation is a restored partition image (see above) that has never run readyboost.

Thanks for your reply...
Victor


----------



## jcgriff2

Let me take a look at a few system files - maybe I'll find something to help alleviate this problem. Please follow the instructions found in this post -

http://www.techsupportforum.com/1871981-post2.html

Attach resulting zip files to your next post.

Regards. . .

jcgriff2

.


----------



## VictorZ

JCGriff ...

Files attached as requested. I do apologize as I have a bit of egg on my face from when I said no internet security suite was on this system. Scanning through the logs, I noticed a couple of "Comodo" references, and sure enough there is a Comodo folder in the "Program Files" folder as well. It does not appear in the "Programs and Features" uninstall list. Apparently I only did a system restore after loading, trying, and tossing the software back almost immediately rather than restoring a partition image as I stated earlier. The Comodo program folder is still there and hasn't been deleted. Don't know if that has any bearing on the current issue although I can honestly say that SuperFetch issues go back long before Comodo. My bad. :-| Well, they do say that memory is the second thing to go. :-0

It's odd that the System Health report stated no spam or virus programs. Security center correctly identifies that NOD32 and Windows Defender are functional. Likewise that it reports the drive the system is loaded on (Disk2) as running quite a bit slower. All physical drives are SATA300. Motherboard is an ASUS P5K-E. I wonder if there might be a hardware issue with the system drive?

Note that any discontinuities in the logs between early Feb and late April represent time passed between the date the partition image was created and when it was restored. System stability had gotten pretty bad but I currently have the time (and interest) to go back to an earlier place and try to troubleshoot system issues.


Once again, thanks for your continued help.
Victor


----------



## VictorZ

JCGriff2 ...

The above post from this AM contains reports/dumps run after a system reboot, i.e. when things were running smoothly.

As I stated earlier, I set up a trigger to pop up a message when the svchost failure event occurs ... which it just did. I re-ran the reports/dumps and have attached them here as a comparison might be helpful? Same culprits and exception codes.

Also ... I believe I can confirm that the "blinking busy cursor" appears after the svchost and subsequent cascade of service failures and restarts.

Thanks,
Victor


----------



## VictorZ

JCGriff,

More grist for the mill ... BSOD about an hour ago, 'puter was just sitting idle, no programs running at the time, probably not even a screensaver as it blanks out the screen after a bit. Don't recall seeing this one before.

Thanks,
Victor


----------



## jcgriff2

Hi - 

The bugcheck on the dump is *0xa* - kernel mode driver tried to access pageable (or bad) memory at a time it should not have.

Comodo we'll get to, I assure you. Please get the dump file - c:\windows\minidump - copy out the file(s) in it to documents or other folder, then zip up and attach to next post.

There is more failing than just sysmain (a.k.a. Superfetch) - all at the same time (expected b/c they run under svchost)


Code:


```
Date: 2009-04-30 T 20:44:07.000
The Windows Driver Foundation - User-mode Driver Framework service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
The Portable Device Enumerator Service service terminated unexpectedly.  It has done this 3 time(s).
The Diagnostic System Host service terminated unexpectedly.  It has done this 3 time(s).
The Desktop Window Manager Session Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
The Tablet PC Input Service service terminated unexpectedly.  It has done this 3 time(s).
The Superfetch service terminated unexpectedly.  It has done this 3 time(s).
The Program Compatibility Assistant Service service terminated unexpectedly.  It has done this 3 time(s).
The Network Connections service terminated unexpectedly.  It has done this 3 time(s).
The Human Interface Device Access service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
The ReadyBoost service terminated unexpectedly.  It has done this 3 time(s).
The Offline Files service terminated unexpectedly.  It has done this 3 time(s).
The Windows Audio Endpoint Builder service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
```


This is the Service Host (svchost.exe) that this group runs under - Process ID (PID) = 1132 (this may change each logon session) -


Code:


```
svchost.exe                   1132 AudioEndpointBuilder, CscService, EMDMgmt,
                                   hidserv, Netman, PcaSvc, SysMain,
                                   TabletInputService, UxSms, WdiSystemHost,
                                   WPDBusEnum, wudfsvc
```


Notice the "3" that most have. See the screenshot for details -



So... it is actually svchost.exe that appears to be failing since all the services fail at the same exact time. My problem was different - only sysmain would fail - the rest would keep running. Bring up TaskManager, click on Processes, click on the lower-left "all users", click on View, Select Columns, check the PID box.

Click on the "Services" tab, click on the Image Name to sort, look for sysmain, right-click on sysmain, select Go to process. Keep an eye on it if you can. Task Manager will stay over all screens, so shape it where it is visible & out of the way. When it fails - what are you doing?

Regards. . .

jcgriff2

.


----------



## VictorZ

svchost just failed a few minutes ago ... the details ...

Faulting application svchost.exe_SysMain, version 6.0.6001.18000, time stamp 0x47919291, faulting module sysmain.dll, version 6.0.6001.18000, time stamp 0x4791adbd, exception code 0xc0000005, fault offset 0x00000000000442b3, process id 0x4d0, application start time 0x01c9d31e366bf251.

This was followed (six seconds later) by a string of service failures as has been the pattern.

Since you asked me to keep an eye on what I was doing at the time ... this one was easy. I was in the shower. :smile: 

I'd just gotten back from a run, took a peek to see whether there was any email waiting for me, closed all open programs and then went to get cleaned up. There were no programs left running (aside from background processes) at the time. I believe the screen saver had kicked in by the time I got dried off and back to my desk; I seem to recall that the desktop was not visible. When I jiggled the mouse to restore the desktop, there was a message box onscreen informing me that SuperFetch had stopped working. A review of the Administrative Event log revealed the above ... which pretty much is what I've seen all along. This tends to happen as frequently when the computer is idle as any other time. I don't believe there's a pattern to it, or at least, not that I can find.

Thanks,
Victor


----------
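The fields in the two "Faulting application" messages and the Service Control Manager lines quoted in this thread can be decoded mechanically. The Python below is an added example, not part of any poster's message; it treats the module "time stamp" as the PE link time in Unix seconds and "application start time" as a Windows FILETIME, and its function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone

NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}  # the only code seen in the thread
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version [\d.]+, time stamp 0x[0-9a-f]+, "
    r"faulting module (?P<mod>\S+), version (?P<ver>[\d.]+), "
    r"time stamp 0x(?P<built>[0-9a-f]+), exception code 0x(?P<code>[0-9a-f]+), "
    r"fault offset 0x(?P<off>[0-9a-f]+), process id 0x(?P<pid>[0-9a-f]+), "
    r"application start time 0x(?P<start>[0-9a-f]+)", re.I)
SCM_RE = re.compile(
    r"The (?P<svc>.+?) service terminated unexpectedly\.\s+"
    r"It has done this (?P<n>\d+) time\(s\)\."
    r"(?:\s+The following corrective action will be taken in (?P<ms>\d+) milliseconds)?")

# Both fault messages are copied from the posts above; they share this prefix.
_COMMON = ("Faulting application svchost.exe_SysMain, version 6.0.6001.18000, "
           "time stamp 0x47919291, faulting module sysmain.dll, version "
           "6.0.6001.18000, time stamp 0x4791adbd, exception code 0xc0000005, ")
FAULTS = [
    _COMMON + "fault offset 0x0000000000027bc4, process id 0x9b0, "
              "application start time 0x01c9c9b411570516.",
    _COMMON + "fault offset 0x00000000000442b3, process id 0x4d0, "
              "application start time 0x01c9d31e366bf251.",
]
# Three lines copied from the quoted System log, forum markup removed.
CASCADE = [
    "The Windows Driver Foundation - User-mode Driver Framework service terminated "
    "unexpectedly.  It has done this 1 time(s).  The following corrective action "
    "will be taken in 120000 milliseconds: Restart the service.",
    "The Tablet PC Input Service service terminated unexpectedly.  It has done this 3 time(s).",
    "The Superfetch service terminated unexpectedly.  It has done this 3 time(s).",
]

def filetime_to_utc(ticks):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_fault(msg):
    m = FAULT_RE.search(msg)
    if m is None:
        return None  # not an Application Error message
    code = int(m["code"], 16)
    return {"module": m["mod"], "version": m["ver"],
            "built": datetime.fromtimestamp(int(m["built"], 16), tz=timezone.utc),
            "exception": NTSTATUS.get(code, hex(code)),
            "offset": int(m["off"], 16), "pid": int(m["pid"], 16),
            "started": filetime_to_utc(int(m["start"], 16))}

def parse_cascade(lines):
    """Return (service, failure count, restart delay in ms or None) per SCM line."""
    matches = (SCM_RE.search(line) for line in lines)
    return [(m["svc"], int(m["n"]), int(m["ms"]) if m["ms"] else None)
            for m in matches if m]

def offsets_by_build(faults):
    """Group fault offsets by (module, version, link time) to compare crash sites."""
    groups = {}
    for f in faults:
        groups.setdefault((f["module"], f["version"], f["built"]), set()).add(f["offset"])
    return groups

if __name__ == "__main__":
    parsed = [parse_fault(msg) for msg in FAULTS]
    for f in parsed:
        print(f["exception"], f["module"], hex(f["offset"]), "pid", f["pid"],
              "host started", f["started"].isoformat(timespec="seconds"))
    for key, offs in offsets_by_build(parsed).items():
        print(key[0], key[1], "distinct offsets:", sorted(map(hex, offs)))
    print(parse_cascade(CASCADE))
```

Run on the two messages from this thread, both crashes resolve to the same sysmain.dll build with different fault offsets and different host process IDs.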



## usasma

Do you have this update on your system?: http://support.microsoft.com/kb/941649

The svchost.exe process failed in module sysmain.dll. These are core Windows components, so it's most likely that something was accessing them in a way that caused them to crash. While a corruption of Windows is possible, it's less likely than the other possibilities (and you'd probably see more errors if Windows was corrupted).

Since this svchost.exe file was working the services above, it can be almost anything:
- audio drivers
- network drivers/protocols
- input devices
- Windows Updates
- etc

I wouldn't suspect memory as an issue as memory errors tend to be more dramatic and have more wide-ranging issues.

I'd check for the Minidump files that jcgriff2 mentioned. If they're not there, check the Windows directory for a file named memory.dmp. Let us know what size it is if you find it - as it may be too large to post (or, as another option, we can tell you how to reset the system to make smaller memory dump files).

Also, search your hard drive for files ending in .mdmp That should be the user mode crash of svchost.exe that you described in your last post. We can also analyze that, so zip it up and submit it with your next post.


----------



## VictorZ

John,

Thanks for your reply.

>> Do you have this update on your system?: KB941649

I don't believe so. I don't find it on the "installed updates" list. If there's a different way to check, point that out and I'll do so.

I agree with you that it's probably not memory. The chips have been checked and rechecked and pass muster with flying colors and zero errors. There is 8Gb on the system, 4x2Gb 1066 DDR2 Corsair Dominators. I mentioned to jcgriff (in PM) that since this thread was started, I've replaced the motherboard (now running a Gigabyte EP45-UD3P) because the built-in NIC failed on the prior one and I didn't want to have to figure in (or rule out) any other lurking issues it may have had as problems. While at it, I also replaced the power supply (now running an Antec 750W) and reinstalled Vista64 on a new hard drive. Same video card (NVidia 8800 GTS) from before, but I don't think that's the problem. All drivers are updated, all windows updates offered (that make sense) have been installed. And frankly, there's very little software loaded on the system at the moment. Office 2007 and a few other items, but it's about as clean and lean as possible. I'm really at a loss as to why this problem persists even after clean install and the above noted hardware changes. Maybe Vista doesn't like me! :grin:

There is no minidump file in the Windows directory at present. The system is set to create a small memory dump (128kb) in the systemroot, but there hasn't been a BSOD recently, only error messages in the administrative log.

I can certainly try that update if you think it prudent. No biggie to create an image of the partition to recover from if necessary.

Thanks again for your help,
Victor


----------



## usasma

I would try the update. It probably won't hurt anything and it may help (or it may refuse to install).

Have you had a chance to search for the .mdmp files? They may give us a clue as to the reason svchost.exe is crashing.


----------



## VictorZ

John,

Re. the update ... "It probably won't hurt anything..." Now *there's* an unequivocal endorsement. :grin: Based on the KB, that update is pretty old. As noted above, I haven't found it to be installed, but wouldn't it have been rolled up within SP1? Ah well, as soon as I get a chance to image the partition I will see if, as you also say, it even installs.

As far as .mdmp files ... the only thing I can find on the system is contained within a report.cab file buried under the WER directory. You'll find the file attached. There is/are no other minidump file(s) on the system at this time. There hasn't been a BSOD as a result of these failures ... yet.

And FYI ... Faulting application svchost.exe_SysMain, faulting module sysmain.dll ... occurred again yesterday afternoon, again while the computer was, for all intents, sitting idle.

Thanks for taking a look,
Victor


----------

