
Dep Cuts In And Shuts Down Generic Host Process For Win32 Services



#1 joemiller


Posted 02 March 2007 - 01:23 AM

I have a Toshiba satellite laptop model 1955, running Windows XP Home with sp2 and all the updates. Whenever I start up Windows I get the message "Generic Host Process for Win32 Services encountered a problem and needed to close."

The error signature is:

EventType : BEX P1 : svchost.exe P2 : 5.1.2600.2180 P3 : 41107ed6
P4 : unknown P5 : 0.0.0.0 P6 : 00000000 P7 : 00aa96bc
P8 : c0000005 P9 : 00000008

Files included in the error report to Microsoft (which never answers) are:

C:\DOCUME~1\ELEANO~1\LOCALS~1\Temp\WERc87e.dir00\svchost.exe.mdmp
C:\DOCUME~1\ELEANO~1\LOCALS~1\Temp\WERc87e.dir00\appcompat.txt

I keep getting this message unless I kill the dumprep routine in Task Manager.

I have Norton Antivirus running all the time and it says I am virus-free. I also have their Internet Security package and use their firewall. I have run Spybot Search and Destroy as well as Ad-Aware and seem to have no spyware that can be detected by those programs. I also periodically run Norton SystemWorks and their one button checkup. I generally run CrapCleaner every day. I have recently run the disk optimizer in Norton, and am quite defragmented.

This problem has been going on for months. The main thing I notice is a general slowing of applications, the MS search routine, the little flashlight that comes on when you want to leave the default folder for the desktop or something.

Event viewer seems to see the same problem. It says under System:

The following boot-start or system-start driver(s) failed to load:
PptIRDA

The source is Service Control Manager and the event ID is 7026.

There is also an Application error under event viewer, Category 100, event ID 1004 with the following text:

Faulting application svchost.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x00aa96bc.

Data under Bytes looks like this:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 35 2e 31 2e 32 36 30 5.1.260
0028: 30 2e 32 31 38 30 20 69 0.2180 i
0030: 6e 20 75 6e 6b 6e 6f 77 n unknow
0038: 6e 20 30 2e 30 2e 30 2e n 0.0.0.
0040: 30 20 61 74 20 6f 66 66 0 at off
0048: 73 65 74 20 30 30 61 61 set 00aa
0050: 39 36 62 63 96bc

I have a HijackThis log I can send, but I did not see anything obvious in it. I have also googled the various error messages. One other person had 0x00aa96bc fault address, but I could not contact her and her help forum did not respond either.

All I can figure is that svchost is calling some dll or something that the Windows DEP really does not like!
Any help would be appreciated.
Joe Miller
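The error signature from post #1, decoded as an added example (not part of the original thread). The P1 to P9 field names follow the usual WER layout for BEX events and are an assumption here, as is reading P9 = 00000008 as the execute (DEP) access type; `parse_signature` and `triage` are illustrative names.

```python
import re

# Constructed input: the error signature exactly as quoted in post #1.
SIGNATURE = """EventType : BEX P1 : svchost.exe P2 : 5.1.2600.2180 P3 : 41107ed6
P4 : unknown P5 : 0.0.0.0 P6 : 00000000 P7 : 00aa96bc
P8 : c0000005 P9 : 00000008"""

# Assumed BEX bucket layout (the usual WER meaning of P1..P9).
BEX_FIELDS = {
    "P1": "app_name", "P2": "app_version", "P3": "app_timestamp",
    "P4": "module_name", "P5": "module_version", "P6": "module_timestamp",
    "P7": "exception_offset", "P8": "exception_code", "P9": "exception_data",
}

# First ExceptionInformation value of an access violation (0xC0000005).
ACCESS_TYPES = {0: "read", 1: "write", 8: "execute (DEP)"}


def parse_signature(text):
    """Split 'Key : value' pairs, several of which may share a line."""
    pairs = re.findall(r"\b(EventType|P\d)\s*:\s*(\S+)", text)
    return {BEX_FIELDS.get(key, "event_type"): value for key, value in pairs}


def triage(sig):
    """Return plain-language findings for a parsed BEX signature."""
    findings = []
    code = int(sig["exception_code"], 16)
    data = int(sig["exception_data"], 16)
    if sig["event_type"] == "BEX" and code == 0xC0000005:
        kind = ACCESS_TYPES.get(data, "unknown")
        findings.append(f"access violation, type: {kind}")
    # "unknown" with version 0.0.0.0 means WER could not name a module.
    unbacked = (sig["module_name"].lower() == "unknown"
                and sig["module_version"] == "0.0.0.0")
    if unbacked:
        findings.append(f"fault at 0x{sig['exception_offset']} is not inside "
                        "any module WER could name")
    if unbacked and data == 8:
        findings.append("DEP blocked execution from non-module memory: review "
                        "the DLLs and services hosted by " + sig["app_name"])
    return findings


if __name__ == "__main__":
    for line in triage(parse_signature(SIGNATURE)):
        print(line)
```
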

#2 fozzie


Posted 02 March 2007 - 03:21 AM



Please do the following:
First, does this happen when booting in Safe Mode? - tap the F8 key from a restart.

If not, go into msconfig and uncheck all your startups - do this not connected to the net - pull the plug on the modem, and bootup.

Start > run > type msconfig > ok > startup tab.

If OK, then:

Go into msconfig and re check the startups one by one and reboot after each one.

You can't keep the startups, especially for AV/Firewall off. The point is to narrow down which of the startups is causing the problem.

#3 joemiller


Posted 03 March 2007 - 04:00 PM

Thanks, Fozzie,

I got rid of a great deal of unneeded stuff from the Startup folder, with a little help from BleepingComputer's very good list. That solved the main problem.

However, I still get this error message from Event Viewer under System about the boot start or system start driver PptIRDA. I have tried BleepingComputer for that as well as googling and can't seem to find any info at all.

Any idea what this is or if it is important? I get this message at startup every time in the Event Viewer under Administrative Services.

joemiller

#4 joemiller


Posted 08 March 2007 - 11:12 PM

I tried Fozzie's suggestion, got my startup folder down to the ezSP installer, two Symantec security files, a Spybot S&D file, and the dumprep routine that contacts Microsoft with the error message. This worked for about two days through maybe four startups. But now the same problem is back, for no apparent reason. So I disabled everything in Startup except dumprep and the error still occurred. I have looked at the services and they seem pretty normal. I do have a HijackThis file if anyone wants to look at it.

I'm completely baffled!

#5 TheTerrorist_75


Posted 09 March 2007 - 03:21 PM

Read this: Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer

Then post a Hijack This log at this section of the forums: HijackThis Logs and Analysis

#6 usasma


Posted 10 March 2007 - 08:08 AM

I'd first suggest a free, online scan to ensure that something hasn't gotten past your Norton: http://safety.live.com/ (using IE).

Then, I'd try and capture that .mdmp file (it's usually deleted after you send the report) and analyze it using this reference: http://forums.majorgeeks.com/showthread.php?t=35246

Then copy and paste the results to your next post.

FWIW - Microsoft only responds if there's a known fix for the specific problem that's reported - otherwise you won't get anything back from them. The event code is very obscure in this case, so there won't be much feedback about it. The only "fix" that I saw in my searching was to do a System Restore to before the problem occurred.

#7 joemiller


Posted 11 March 2007 - 09:41 PM

Thanks, John.
I tried that one care program you recommended. I'm not a big fan of MS but I was amazed! It found a number of things that were never found by Norton Internet Security, Spybot S&D, or Ad-Aware, with all the latest updates.

In case anyone is interested it found Webnexus, Trojan downloader small.abd, Surf SideKic, zstart, and Remotely Anywhere. So I killed all that stuff.

Sad to say I still get the svchost.exe error. My next project will be to use the debugger as you suggested.
Best,
joemiller

#8 joemiller


Posted 14 March 2007 - 12:17 AM

John,
I tried the Windows debugger and found some .mdmp files, although they were not in the minidump folder. For some reason the symbols did not load. Following is what I got. The first is the latest from a whole dated series for today and yesterday. The second is a single .mdmp file from a local settings/temp/WERF folder, but from several days ago, so possibly irrelevant.

Any idea why the symbols did not load or what any of this means?

Loading Dump File [C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\svchost.exe.20070314-042915-00.mdmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS Personal
Debug session time: Tue Mar 13 21:29:20.000 2007 (GMT-7)
System Uptime: not available
Process Uptime: 0 days 0:00:20.000
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
........................................................
Loading unloaded module list
................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(d40.d3c): Access violation - code c0000005 (first/second chance not available)
eax=00002000 ebx=80070000 ecx=00002000 edx=00000000 esi=000001d4 edi=00000000
eip=7c90eb94 esp=00758874 ebp=007588d8 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret

Loading Dump File [C:\Documents and Settings\Eleanore Miller\Local Settings\Temp\WERf56c.dir00\svchost.exe.mdmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS Personal
Debug session time: Sat Mar 10 18:01:53.000 2007 (GMT-7)
System Uptime: not available
Process Uptime: 0 days 0:00:42.000
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
.......................................................
Loading unloaded module list
................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(db0.ca0): Access violation - code c0000005 (first/second chance not available)
eax=00002000 ebx=80070000 ecx=00002000 edx=00000000 esi=000001d4 edi=00000000
eip=7c90eb94 esp=00758874 ebp=007588d8 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret

#9 joemiller


Posted 14 March 2007 - 09:39 PM

John and anyone else still reading this,
I got the symbols loaded properly, I think. At least no error message now. Here is what the debugger program produced.

Microsoft ® Windows Debugger Version 6.6.0007.5
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\svchost.exe.20070311-010329-00.mdmp]
User Mini Dump File: Only registers, stack and portions of memory are available

Windows XP Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS Personal
Debug session time: Sat Mar 10 18:03:29.000 2007 (GMT-7)
System Uptime: not available
Process Uptime: 0 days 0:00:17.000
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
.......................................................
Loading unloaded module list
................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(820.824): Access violation - code c0000005 (first/second chance not available)
eax=00002000 ebx=80070000 ecx=00002000 edx=00000000 esi=000001d4 edi=00000000
eip=7c90eb94 esp=00758874 ebp=007588d8 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret


I have no idea what this means!
joemiller
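An added example, not part of the original posts, that checks the debugger output from posts #8 and #9 against the fault address in the Event Viewer entry from post #1. It assumes every dump captures the same recurring crash; the function names are illustrative, and the listed WinDbg commands are the usual follow-up once the stored exception context is selected.

```python
import re

# Constructed input: lines copied from the debugger output in post #9.
WINDBG_OUTPUT = """This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(820.824): Access violation - code c0000005 (first/second chance not available)
eax=00002000 ebx=80070000 ecx=00002000 edx=00000000 esi=000001d4 edi=00000000
eip=7c90eb94 esp=00758874 ebp=007588d8 iopl=0 nv up ei ng nz ac pe cy
ntdll!KiFastSystemCallRet:
7c90eb94 c3 ret"""

# Fault address from the Event Viewer entry in post #1.
EVENT_FAULT_ADDRESS = 0x00AA96BC


def parse_context(text):
    """Extract pid.tid, exception code, registers and the current symbol."""
    ctx = {"registers": {}}
    m = re.search(r"\(([0-9a-f]+)\.([0-9a-f]+)\): .*? - code ([0-9a-f]{8})", text)
    if m:
        ctx["pid"], ctx["tid"] = int(m.group(1), 16), int(m.group(2), 16)
        ctx["code"] = int(m.group(3), 16)
    for name, value in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text):
        ctx["registers"][name] = int(value, 16)
    sym = re.search(r"^(\S+!\S+):$", text, re.MULTILINE)
    ctx["symbol"] = sym.group(1) if sym else None
    ctx["has_stored_exception"] = ".ecxr" in text
    return ctx


def next_steps(ctx, fault_address):
    """Report whether the registers shown are the faulting context."""
    eip = ctx["registers"].get("eip")
    if eip == fault_address:
        return ["eip matches the fault address: this is the faulting context"]
    steps = [f"eip=0x{eip:08x} ({ctx['symbol']}) is not the fault address "
             f"0x{fault_address:08x}"]
    if ctx["has_stored_exception"]:
        # Switch to the stored exception record, then inspect stack and memory.
        steps += [".ecxr", "kb", f"!address {fault_address:08x}", "lm"]
    return steps


if __name__ == "__main__":
    for step in next_steps(parse_context(WINDBG_OUTPUT), EVENT_FAULT_ADDRESS):
        print(step)
```
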

#10 KBC


Posted 20 November 2008 - 02:20 AM

Hi guys! I'm just here to tell how to clear out the Dump GHP WIN32 Services creates for sending the error report to Microsoft. Of course, I'm talking about clearing the ".DIR00" Folders.

First,

http://www.firewallleaktester.com/wwdc.htm

Download the "Windows worm cleaner" which does via porting.

It's clearly understandable and stops the Generic Host process errors, first. And Reboot The system for the changes to take place.

Now, do this in order to get rid of the "Undeleteable" .DIR00 folders.

First thing first, Restart your PC and click F8 Repeatedly as it's an easy way, and DOS brings up a command in which choose "Safe mode".

Now,

You see An account called "Administrator", there, you need to go into it.

Then,

Open My Computer, go to the temp folder in your local settings, i.e.:

C:\Documents and Settings\Your Name\Local settings(In case if hidden, unhide it by going to folder options)\Temp

Now, as you're there, Right-click anywhere in the temp folder, not on the sub-folders present in-side it and now, you can see you have three tabs.

|General|Security|Customize|

Now, go to Security Tab, There you can see below "Permissions For Everyone" Box

Which has "allow" and "deny" to various controllable functions such as "Move", "Create", etc;

So, just tick "Allow" to every function there. And hit "Apply".

TADA!! Finish! You can "SHIFT" + "DELETE" the .dir00 folders now, Your temp folder will be as clean as it used to be earlier.



-KBC.



