
Event ID 1000, Application Error - svchost.exe_DiagTrack, ntdll.dll


9 replies to this topic

#1 eq_eldar

eq_eldar

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:50 AM

Posted 06 June 2015 - 04:22 PM

Hey all,

I am having trouble finding information online about the following error in Event Viewer:


Log Name: Application
Source: Application Error
Event ID: 1000
Level: Error


General Description

Faulting application name: svchost.exe_DiagTrack, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7601.18839, time stamp: 0x553e8bfa
Exception code: 0xc000000d
Fault offset: 0x000000000006ec12
Faulting process id: 0x8a4
Faulting application start time: 0x01d08a5f336e38da
Faulting application path: C:\Windows\System32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 8684482e-f65a-11e4-b0e4-7824afc062a2


I am not suffering any noticeable PC performance issues as a result of this error, but nonetheless, it exists in event viewer and has got me concerned.

Could anybody with troubleshooting experience please offer me some insight into this error? (particularly the meaning of svchost.exe_DiagTrack & ntdll.dll)

Thanks in advance,
Eldar




#2 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 24,819 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:05:50 AM

Posted 06 June 2015 - 05:07 PM

How often does this appear in Event Viewer?

My view on these errors is "no harm = no foul"

In other words, if it's not causing you a problem - then it's not worth looking into.

 

BUT, this is an error with 2 Windows files - so that (to me) is a concern.

The Exception Code of 0xc000000d is "An invalid parameter was passed to a service or function."

I wonder if it's ntdll.dll passing an invalid parameter to svchost.exe - or is there a 3rd party program involved in this somewhere further down the chain?

 

svchost.exe is a program that hosts other programs running in the OS.

ntdll.dll is NT Layer DLL - the exact definition of this eludes me, but what it is is a core Windows file

 

As such, it's protected by several different functions in the operating system and is likely not the problem.

This means (to me) that a 3rd party program is most likely involved here.

 

Now, let's just confuse things with a caveat here....

I'm a kernel specialist.  That means that I work with system level stuff, and tend to avoid the application level stuff (which this is a part of).
As such I'm not all that familiar with it - but I do know enough to cause a bit of trouble.

 

Finally, how I troubleshoot these sort of errors is by looking at Windows reports and trying to find patterns - or things that just don't fit quite right (such as older drivers, or unfamiliar programs).  Then I experiment with them (mostly by uninstalling and reinstalling them) to see what impact that has on the errors.

But, as I said in the beginning, if it's not causing you problems then I wouldn't worry about it now.

Good luck!


Edited by usasma, 06 June 2015 - 05:08 PM.

- John  (my website: http://www.carrona.org/ )
**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message.

 

My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017)
FYI - I am completely blind in the right eye and ~30% blind in the left eye.

If the eye problems get worse suddenly, I may not be able to respond.
If that's the case and help is needed, please PM a staff member for assistance.
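
A small decoder for the Event ID 1000 description from post #1, added here as an illustration and not code posted by anyone in this thread: it turns the hex fields (exception code, process id, FILETIME start time, PE time stamps) into readable values. The function names and the short NTSTATUS table are this example's own, and reading the suffix after `svchost.exe_` as the hosted service name is an assumption labelled in the code.

```python
import re
from datetime import datetime, timedelta, timezone

# Event description copied from post #1 of this thread.
SAMPLE_EVENT = """\
Faulting application name: svchost.exe_DiagTrack, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7601.18839, time stamp: 0x553e8bfa
Exception code: 0xc000000d
Fault offset: 0x000000000006ec12
Faulting process id: 0x8a4
Faulting application start time: 0x01d08a5f336e38da
Faulting application path: C:\\Windows\\System32\\svchost.exe
Faulting module path: C:\\Windows\\SYSTEM32\\ntdll.dll
Report Id: 8684482e-f65a-11e4-b0e4-7824afc062a2
"""

# A few well-known NTSTATUS values; anything else is reported as "unknown".
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000000D: "STATUS_INVALID_PARAMETER",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}
SEVERITY = ("success", "informational", "warning", "error")  # top two bits of an NTSTATUS

NAME_RE = re.compile(
    r"^(?P<name>.+), version: (?P<version>[\d.]+), time stamp: (?P<ts>0x[0-9a-fA-F]+)$"
)


def filetime_to_utc(filetime):
    """A FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def pe_timestamp_to_utc(stamp):
    """PE header time stamp: seconds since 1970-01-01 UTC on binaries of this era
    (newer reproducible builds may store a hash in this field instead)."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def parse_fields(text):
    """Split 'Key: value' lines; the path lines survive because 'C:\\' has no ': '."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_event_1000(text):
    fields = parse_fields(text)
    try:
        app = NAME_RE.match(fields["Faulting application name"])
        mod = NAME_RE.match(fields["Faulting module name"])
        code = int(fields["Exception code"], 16)
        pid = int(fields["Faulting process id"], 16)
        started = int(fields["Faulting application start time"], 16)
    except KeyError as missing:
        raise ValueError(f"missing field: {missing}") from None
    if not app or not mod:
        raise ValueError("not an Event ID 1000 description")
    image, service = app["name"], None
    # Assumption: for svchost.exe the suffix after '_' names the hosted service.
    if image.lower().startswith("svchost.exe_"):
        image, _, service = image.partition("_")
    return {
        "image": image,
        "service": service,
        "module": mod["name"],
        "exception_name": NTSTATUS_NAMES.get(code, "unknown"),
        "severity": SEVERITY[code >> 30],
        "pid": pid,
        "process_started": filetime_to_utc(started),
        "app_built": pe_timestamp_to_utc(int(app["ts"], 16)),
        "module_built": pe_timestamp_to_utc(int(mod["ts"], 16)),
    }
```

The decoded start time falls inside the 6th May - 11th May 2015 window that the topic starter reports in post #3.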


#3 eq_eldar


Posted 06 June 2015 - 07:01 PM

Hi Usasma,

 

Thanks for your reply.  Here is some more information on the issue.  At the very end I will post some 'side questions' that are indirectly related to this issue, but I feel I need clearing up, because I'm pretty new to this event viewer troubleshooting.

> How often does this appear in Event Viewer?
>
> My view on these errors is "no harm = no foul"
>
> In other words, if it's not causing you a problem - then it's not worth looking into.

 

After looking at the dates when this error appears I noticed that it only appeared for a brief period of time during the early stages of computer setup (installing windows 7 and drivers).  In fact, it happened daily between 6th May - 11th May 2015.  It has not occurred since.  Having looked into 'programs and features' I can see that these dates coincide with installing win7, drivers, and I also installed 'acronis true image 2010' which I have later uninstalled.  This leads me to the theory that it could well have been relating to 'acronis true image 2010', as this issue hasn't happened since 11th May (I approximate that this was around the time when I uninstalled acronis 2010).

 

If I have not seen this issue since, should I have any reason to investigate or try and go back in time and 'fix' it?

 

 

> BUT, this is an error with 2 Windows files - so that (to me) is a concern.
>
> The Exception Code of 0xc000000d is "An invalid parameter was passed to a service or function."
>
> I wonder if it's ntdll.dll passing an invalid parameter to svchost.exe - or is there a 3rd party program involved in this somewhere further down the chain?
>
> svchost.exe is a program that hosts other programs running in the OS.
>
> ntdll.dll is NT Layer DLL - the exact definition of this eludes me, but what it is is a core Windows file
>
> As such, it's protected by several different functions in the operating system and is likely not the problem.
>
> This means (to me) that a 3rd party program is most likely involved here.

 

Should I run 'system file checker' from command line?

 

Also, is there any evidence so far to suggest this could be a hardware issue?  (my instincts say it's unlikely, as it's all new hardware)

 

 

> svchost.exe is a program that hosts other programs running in the OS.
>
> ntdll.dll is NT Layer DLL - the exact definition of this eludes me, but what it is is a core Windows file
>
> As such, it's protected by several different functions in the operating system and is likely not the problem.
>
> This means (to me) that a 3rd party program is most likely involved here.

 

Excuse me for being a newbie, but when you say '3rd party program' do you mean something such as, for example, 'vlc media player' or 'mozilla firefox'?

 

Also, what are the chances that svchost.exe and ntdll.dll are damaged?  Is there a way I can verify this?

 

 

Finally, here are my 'side questions':

 

Q1.  Am I correct in thinking that troubleshooting in event viewer should only be done if the user experiences issues with real world PC performance?  Can any argument be made for weeding out all the errors just to be 'safe'?

 

Q2.  If a PC is healthy, then is it normal to see some errors and warnings in event viewer?  Would it be unrealistic to expect to see 0 errors, 0 warnings?

 

Q3.  I see 926 events under:  Event Viewer ----> Custom Views ----> Administrative Events.  Most of these are errors or warnings.  Can you give me a sanity check by checking how many you are seeing? 

 

Q4.  In a previous build I stumbled across 'kernelbase.dll' errors (note that this is not the current build).  Would you be able to elaborate on what they are?

 

I know this is a long one, but any help would be most appreciated.

 

Thanks in advance,

Eldar
 



#4 usasma


Posted 07 June 2015 - 04:55 AM

First, it's not causing you any problems and hasn't even been seen for a while (in almost a month).  Leave it alone.

Windows collects data and labels it a Warning or an Error depending on collection criteria - which isn't necessarily related to it causing problems for you.

 

As for running SFC (system file checker), there's no need - but it wouldn't hurt if you did it.

But then you'd possibly open yourself up to a whole new bunch of errors.

Again, as it's not currently spitting errors into event viewer and it's not causing you any problems - leave it alone.

 

As for hardware problems, what sort of hardware causes an error and then stops for almost a month?

I have seen nothing to indicate that it might be a hardware problem.

 

3rd party programs is a term used to refer to non-Windows programs.  It gets a bit confusing when talking about Microsoft mouse and keyboard hardware - but the point is that it's a program that the Windows folks didn't include in the distribution of the OS.  Things like Skype and hardware updates through Windows Update confuse it even more - but most of the 3rd party programs are just programs that didn't come with Windows.

 

So, yes, that means VLC and Firefox

 

The chances that svchost.exe and ntdll.dll are damaged isn't likely.  As they are core Windows files, I'd expect many more problems if they were damaged.

Additionally, Windows has many methods to protect and repair these files - so again, it's unlikely.

Finally, you can "repair" them in several ways (replacing it directly, using sfc.exe, or doing a repair install) - but as this isn't causing you problems - leave it alone.

 

Q1 - Event viewer is a very complicated tool.  In most cases you don't need to even look at it unless you're experiencing problems.  As you learn more about how Windows Internals work, you may delve into it.  As for me, I use it primarily to look for problems - after someone has reported problems with their computer.  The only time I look at my own Event Viewer is either to cite examples, or if I'm having an issue.

 

Q2 - Yes, it is unrealistic to expect to see 0 errors and warnings in the Application/System/Admin log files.  I've never seen a system without them (unless the owner has turned the reporting mechanism off) - and I've been doing this intensively for many years.

 

Q3 - I can't tell you how many you have unless you zip up and upload the Admin log file for me to have a look at.  But 926 isn't very many.  Mine (I'm running Windows 10) has 709 over the last week (I must've cleared it out back then).  FYI - the Admin log is just a collection of different reports - it's not meant to be a complete reference.  For that you'll have to look at the Windows logs (and others).  The most common ones that we use here are the Application and System log files.

 

Q4 - I'm not up to speed on kernelbase.dll.  It's the Windows NT BASE API Client DLL.  In short, it's another core component of Windows.

As such, it's protected by the different mechanisms I discussed in the paragraph just before Q1.

 

Also, as it's not likely that these are the actual cause, that's where we start suspecting the 3rd party programs.

For that I sometimes use the Admin log to see if I can spot a pattern of errors (such as another error that always comes before the kernelbase.dll error).

 

Here's an example scenario from my BSOD research.  Remember that I'm a kernel specialist, so this'll be from that perspective (in other words, rules may be a bit different for user mode stuff).

Suppose a 3rd party driver writes to a memory address owned by a Windows driver.

Nothing may happen for a while if the Windows driver doesn't look at that memory address.

In the meantime the 3rd party driver can exit and we're left with no evidence of it.

Then, eventually, the Windows driver looks into the memory address that the 3rd party driver wrote to.

It doesn't see what it expects to see there - and it panics!

And when it panics, it quickly crashes in order to preserve the system.

 

At this point we're called in and we try to reconstruct things in order to find out what happened.

But the 3rd party program had already exited - so our job is made much, much harder :(




#5 eq_eldar


Posted 07 June 2015 - 05:56 AM

Thanks for the speedy reply Usasma.  Can't thank you enough for the help here :)

> As for running SFC (system file checker), there's no need - but it wouldn't hurt if you did it.
>
> But then you'd possibly open yourself up to a whole new bunch of errors.
>
> Again, as it's not currently spitting errors into event viewer and it's not causing you any problems - leave it alone.

 

I think to err on the side of extreme caution, I will give system file checker a run.

 

 

> As for hardware problems, what sort of hardware causes an error and then stops for almost a month?
>
> I have seen nothing to indicate that it might be a hardware problem.

 

That is good to know.  My suspicion about potential hardware problems was seeded into my mind by a 'support technician' from the games company EA, who took a look at my msinfo32 file and I believe made the sweeping generalisation that the ntdll.dll error could be hardware related.  (long story short, I was contacting EA support for a game related issue I was having, which has since been resolved as a software glitch in the game).

 

 

> Q1 - Event viewer is a very complicated tool.  In most cases you don't need to even look at it unless you're experiencing problems.  As you learn more about how Windows Internals work, you may delve into it.  As for me, I use it primarily to look for problems - after someone has reported problems with their computer.  The only time I look at my own Event Viewer is either to cite examples, or if I'm having an issue.
>
> Q2 - Yes, it is unrealistic to expect to see 0 errors and warnings in the Application/System/Admin log files.  I've never seen a system without them (unless the owner has turned the reporting mechanism off) - and I've been doing this intensively for many years.

 

So, as I understand it, you are saying that it is perfectly normal to see errors and warnings in event viewer, and that no attention should be paid to them, unless the user is experiencing a 'real world' PC problem?

 

 

> Q3 - I can't tell you how many you have unless you zip up and upload the Admin log file for me to have a look at.  But 926 isn't very many.  Mine (I'm running Windows 10) has 709 over the last week (I must've cleared it out back then).  FYI - the Admin log is just a collection of different reports - it's not meant to be a complete reference.  For that you'll have to look at the Windows logs (and others).  The most common ones that we use here are the Application and System log files.

 

Ah yes, Sorry.  When I said sanity check I meant comparison of how many events I have listed, to how many you have listed, to see if I am way off track from an advanced user (I realise this test is extremely flawed, because no two systems are the same).  As I can see from your number, I am not far off the beaten track, which is good to know.

 

 

> Q4 - I'm not up to speed on kernelbase.dll.  It's the Windows NT BASE API Client DLL.  In short, it's another core component of Windows.
>
> As such, it's protected by the different mechanisms I discussed in the paragraph just before Q1.
>
> Also, as it's not likely that these are the actual cause, that's where we start suspecting the 3rd party programs.
>
> For that I sometimes use the Admin log to see if I can spot a pattern of errors (such as another error that always comes before the kernelbase.dll error).
>
> Here's an example scenario from my BSOD research.  Remember that I'm a kernel specialist, so this'll be from that perspective (in other words, rules may be a bit different for user mode stuff).
>
> Suppose a 3rd party driver writes to a memory address owned by a Windows driver.
>
> Nothing may happen for a while if the Windows driver doesn't look at that memory address.
>
> In the meantime the 3rd party driver can exit and we're left with no evidence of it.
>
> Then, eventually, the Windows driver looks into the memory address that the 3rd party driver wrote to.
>
> It doesn't see what it expects to see there - and it panics!
>
> And when it panics, it quickly crashes in order to preserve the system.
>
> At this point we're called in and we try to reconstruct things in order to find out what happened.
>
> But the 3rd party program had already exited - so our job is made much, much harder :(

 

It is quite a skill to be able to reconstruct such things.  I can see by your forum profile, you have been doing this many years.  I am glad there are good people like you around to help out newbies like myself.  It is most appreciated.

 

I am currently digging through a number of these 'error' events in event viewer and if google doesn't turn up any answers, I shall be posting back here to investigate further.  Thanks for all the help so far!



#6 usasma


Posted 07 June 2015 - 04:13 PM

Yes, don't worry about the event viewer unless you're having problems.

Don't even look at it - as it will cause you to worry.

The same goes for the results of SFC.EXE - don't worry about the errors.

If you're using Windows 8/8.1 you can also use DISM to do system repairs - and then there's a whole new set of errors to worry about :0)

 

Leave these errors alone.  You will drive yourself crazy trying to ferret each one out (and won't even fix very many of them).

"If it ain't broke, don't fix it!"




#7 eq_eldar


Posted 11 June 2015 - 02:33 PM

Hello Usasma,

 

I hope you are well.  I am wondering if you could help me to understand a little more about windows system files and what causes them to become corrupt or broken etc.  So far my understanding of a system file, is a file that resides on the hard disk, which is fundamental or essential to the correct running of the operating system.  I also understand that these files are located in 'protected' folders which are not easy to modify or edit.

 

> Yes, don't worry about the event viewer unless you're having problems.
>
> Don't even look at it - as it will cause you to worry.
>
> The same goes for the results of SFC.EXE - don't worry about the errors.
>
> If you're using Windows 8/8.1 you can also use DISM to do system repairs - and then there's a whole new set of errors to worry about :0)
>
> Leave these errors alone.  You will drive yourself crazy trying to ferret each one out (and won't even fix very many of them).
>
> "If it ain't broke, don't fix it!"

 

I ended up running sfc /scannow, from an elevated command prompt, and just as you so rightly said, it returned the 'windows has detected some corrupt files and was unable to fix some of them' report.  Now, I am aware that I should not be worrying about these errors, but I guess you could say the 'nerd' inside of me is dying to find out in more detail what type of things typically would cause the 'corrupt files' report by SFC.

 

Would you be able to elaborate further on SFC and sanity check my understanding that a healthy system will see some errors in the report?

 

I realise I'm hard work, so thanks again for your patience in helping me.

 

Kind Regards,

Eldar



#8 eq_eldar


Posted 11 June 2015 - 06:45 PM

a quick update to previous post...

 

I am no longer having the report 'windows found corrupt files and could not fix some of them'.  Turns out SFC was broken in a recent microsoft update and has since been fixed in a new microsoft update.  Here is the link if you were curious.

 

http://www.infoworld.com/article/2926179/microsoft-windows/microsoft-confirms-patch-kb-3022345-breaks-sfc-scannow.html

 

Also, I'm still intrigued about system files and the questions from previous post if you get time.

 

Thanks again :)



#9 usasma


Posted 12 June 2015 - 04:12 PM

I don't mind answering questions - that's what I do when I don't know something.

 

There are many different reasons for things getting corrupted.
I recall a discussion among a bunch of techs a while back where we considered the impact of cosmic rays on errors.

A bit far-fetched, but still a possibility.

 

As I read the article that you posted, it appears that the sfc.exe patch is still reporting 2 files as broken - and Microsoft is telling us not to worry about it as they'll release a patch to it later on.

Thanks for the link - as I hadn't noticed that problem.

 

As for the procedure, sfc.exe checks a long, long list of files (I last found reference to it back in the XP days where it was said it checked over 2,000 files).

If corrupted, it tries to fix them using backup copies on the system.

When it can't fix it with backup copies, then it flags them as "Windows found corrupt files and could not fix some of them"

Then it's a matter of fixing them yourself.  Unfortunately, I do not do this.  There is a tool made by niemiro called SFCFix.exe that will repair some things.  But often the only fix is to manually source the corrupted files and reinsert them into the operating system.  This is an advanced technique, and the experts at it are very, very popular (and busy)!  If interested, you can apply to the Windows Update Barneskole located here:  http://www.sysnative.com/forums/windows-update-barneskole/

 

There aren't answers for every question that you may have.  As you learn more about Windows and how it was built, you'll see that there's plenty of room for errors that don't impact anything and that they are not even noticed by the programmers.  I'd strongly suggest that you start out by reading Windows Internals.  I've read each of the books from the first version to the latest (version 6).  Although there's a lot that I still don't understand, each time that I read a copy I learn a bit more about Windows and how it works.




#10 eq_eldar


Posted 13 June 2015 - 05:14 PM

I will have a look into those books that you mentioned, and having researched the universe a few years ago, albeit just documentary watching level, I do not doubt the possibility of cosmic rays causing all sorts of interference on planet earth.  I know that solar flares that get ejected from the sun are particularly worrying for power station companies and that there is some pretty convincing evidence to suggest that if a solar flare was big enough, it could reduce mankind to the middle ages by taking our power grids down.  Of course such things, we will never know until someday it happens.

 

With regards to that link...Microsoft have done a 'copy paste' job for the description to the most recent update on this.

 

https://support.microsoft.com/en-us/kb/3068708

 

In this fixed update (released June 8th), they have still included that there are some problems with SFC, however, over at windows 7 forums I got some members to field test this and they have all reported (including myself) that SFC now works perfectly after the above update.

 

Thanks again for your informative answers.


Edited by eq_eldar, 13 June 2015 - 05:15 PM.




