 

How to interpret Windows APPCRASH mysterious log?

How should I interpret these logs to identify the cause of the appcrash?

Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: InsightAnalysisEngine.exe
P2: 1.0.0.0
P3: 4f4dee84
P4: KERNELBASE.dll
P5: 6.1.7600.16850
P6: 4e211485
P7: c03d0000
P8: 0000b9bc
P9: 
P10: 

Attached files:
C:\Users\devservice\AppData\Local\Temp\WER44D1.tmp.appcompat.txt
C:\Users\devservice\AppData\Local\Temp\WER461A.tmp.WERInternalMetadata.xml
C:\Users\devservice\AppData\Local\Temp\WER462A.tmp.hdmp
C:\Users\devservice\AppData\Local\Temp\WER48E9.tmp.mdmp

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_InsightAnalysisE_857bf71fb86d6845394e6281199ee78ad305d_cab_1cc34a1e

Analysis symbol: 
Rechecking for solution: 0
Report Id: 8a13d73c-62b8-11e1-ab53-0050ba3279b5
Report Status: 4

Yet another which is equally mysterious:

Faulting application name: Engine.exe, version: 1.0.0.0, time stamp: 0x4f4dee84
Faulting module name: KERNELBASE.dll, version: 6.1.7600.16850, time stamp: 0x4e211485
Exception code: 0xc03d0000
Fault offset: 0x0000b9bc
Faulting process id: 0x1414
Faulting application start time: 0x01ccf6c528f9f803
Faulting application path:C:\projects\AnalysisEngine\Debug\Engine.exe
Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
Report Id: 8a13fe4c-62b8-11e1-ab53-0050ba3279b5

More specifically, what is the Fault offset? In what ways is this information helpful?

Nawaz asked Feb 29 '12 10:02


1 Answer

The fault parameter values are as follows:

  • P1: Process name
  • P2: Process version
  • P3: Process timestamp
  • P4: Module name
  • P5: Module version
  • P6: Module timestamp
  • P7: Exception code
  • P8: Exception offset from the start of the module
  • P9: Unused
  • P10: Unused

The exception offset can then be used with a map and/or a cod file to determine at what point it crashed. A debugger attached to a running process will also allow you to see what is at that offset.

Note that the parameter values are very similar to the values reported for .NET runtime crashes.

Deanna answered Oct 01 '22 03:10
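The P1 to P8 mapping from the answer, applied to the problem signature in the question, as an added example that is not part of the original question or answer. It assumes the two timestamps are PE header TimeDateStamp values, and the symbol table is constructed with hypothetical names; a real table would come from the module's map file or debug symbols.

```python
import bisect
import re
from datetime import datetime, timezone

# Field names follow the P1..P8 list in the answer; P9 and P10 are unused.
FIELDS = ["process_name", "process_version", "process_timestamp", "module_name",
          "module_version", "module_timestamp", "exception_code", "exception_offset"]
HEX_FIELDS = {3, 6, 7, 8}  # these parameters are reported in hexadecimal

# Problem signature copied from the question.
REPORT = """\
P1: InsightAnalysisEngine.exe
P2: 1.0.0.0
P3: 4f4dee84
P4: KERNELBASE.dll
P5: 6.1.7600.16850
P6: 4e211485
P7: c03d0000
P8: 0000b9bc
P9: 
P10: 
"""

# Constructed (RVA, name) table with hypothetical names, sorted by RVA.
SYMBOLS = [(0x1000, "func_a"), (0xB900, "func_b"), (0xC200, "func_c")]

def parse_signature(text):
    """Map 'Pn: value' lines to named fields; hex fields become ints."""
    sig = {}
    for line in text.splitlines():
        m = re.match(r"\s*P(\d+):\s*(.*?)\s*$", line)
        if not m or not m.group(2) or not 1 <= int(m.group(1)) <= len(FIELDS):
            continue  # not a signature line, empty value, or unused P9/P10
        num, value = int(m.group(1)), m.group(2)
        sig[FIELDS[num - 1]] = int(value, 16) if num in HEX_FIELDS else value
    return sig

def build_time(stamp):
    """Assumption: stamp is a PE TimeDateStamp (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(stamp, timezone.utc).isoformat()

def resolve(offset, symbols):
    """Return (name, displacement) of the last symbol at or before offset."""
    i = bisect.bisect_right([rva for rva, _ in symbols], offset) - 1
    return (symbols[i][1], offset - symbols[i][0]) if i >= 0 else None

if __name__ == "__main__":
    sig = parse_signature(REPORT)
    print(sig, build_time(sig["process_timestamp"]), resolve(sig["exception_offset"], SYMBOLS))
```

Adding the offset to the module's load address in a debugger session or dump gives the faulting address in that process.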