Two different Svchost.exe Crashes

Multiple calls to ExecNotificationQuery at startup

If the ExecNotificationQuery function is called by more than one thread during OS startup, the svchost.exe process might crash. For example, this can happen when the WMI IWbemServices::ExecNotificationQuery function is called in 2 threads.

This may be the result of a race condition caused when one thread tries to free the heap while another thread tries to realloc (extend) the heap. This issue is in WMI code inherited from XP Pro SP3.

To avoid this condition, insert a sleep function between the ExecNotificationQuery calls; the crash should not occur if the sleep Tick Count is greater than 2 min. You can also call multiple IWbemServices::ExecNotificationQuery functions in the same thread, as that will not result in a race condition.

After installation of MS09-041, KB971657

Stopping wkssvc may cause an AV and svchost to crash on Embedded runtimes built with the MS09-041 security update applied. This can occur both in runtimes with the DQI runtime update installed, or on a runtime built from a component database with the database update containing MS09-041 applied. This issue is inherited from XP Pro.

This crash only occurs during workstation service shutdown. The crash happens toward the end of the service shutting down, and should have no adverse impact. The workstation service can be restarted without error.

To mitigate impact on other services using svchost, isolate the lanmanworkstation service into a separate instance of svchost.exe:

     sc config lanmanworkstation type= own
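
The isolation step above as a repeatable check, written as an added example that is not part of the original post: the script applies the change only when needed and confirms the result with `sc qc`. It assumes sc.exe and find.exe are present in the runtime and that it runs from an administrator command prompt.

```batch
@echo off
rem Added example: isolate the Workstation service and verify the change.
setlocal
set SVC=lanmanworkstation

rem Confirm that the service exists before changing anything.
sc query %SVC% >nul 2>&1
if errorlevel 1 (
    echo %SVC% is not installed in this runtime.
    exit /b 1
)

rem sc qc reports WIN32_OWN_PROCESS when the service has its own host process
rem and WIN32_SHARE_PROCESS when it shares svchost.exe with other services.
sc qc %SVC% | find "WIN32_OWN_PROCESS" >nul
if not errorlevel 1 (
    echo %SVC% already runs in its own svchost.exe instance.
    exit /b 0
)

rem sc.exe expects a space between "type=" and the value.
sc config %SVC% type= own
if errorlevel 1 (
    echo sc config failed for %SVC%.
    exit /b 1
)

rem Re-read the stored configuration to verify the new service type.
sc qc %SVC% | find "WIN32_OWN_PROCESS" >nul
if errorlevel 1 (
    echo Service type of %SVC% was not changed.
    exit /b 1
)

echo %SVC% will use a separate svchost.exe the next time the service starts.
exit /b 0
```

The new service type applies when the service is next started, for example after a reboot of the runtime.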

Another potential solution is to install the DQI runtime update on Embedded runtimes using the GDR branch rather than the default QFE branch of the update package. For information on how to extract the contents of the update package, in order to install from the GDR branch, see this KB article.

- Gina and Lynda

Comments (4)
  1. lpcarignan says:


    We have been experiencing a svchost.exe crash at shutdown on our Windows XP Embedded image and we were quite glad to find your post as it gives us a couple of leads to investigate this issue.

    Would it be possible to give us some precision about your post as it would help us resolve this issue?

    First of all, when you talk about the ExecNotificationQuery function, you say "the svchost.exe process might crash". Can it crash at anytime during the execution of XPe or only at a precise moment? Our svchost.exe crashes only at shutdown and we were wondering if this first cause only crashes svchost.exe at shutdown. Would it be possible to have some clarification on when it crashes?

    In the second cause, you say "Stopping wkssvc may cause an AV…". Do you mean the Workstation service when you refer to wkssvc? Googling the word 'wkssvc' has directed me to pages where they state it as being a virus. Would it be possible to confirm to which application you are referring when you talk about wkssvc?

    Does the acronym AV mean anti-virus? What about DQI? What does that stand for?

    Finally, you seem to point towards the GDR branch to update packages and components instead of the QFEs branch. Does that mean we could get a different MS09-041 security update from the GDR branch which would not cause the bug?

    Thanks for your help.

  2. Hi,

    For your first question, the ExecNotificationQuery condition was only found on embedded runtimes during OS startup, so I am not sure if it could also be occurring on shutdown. You might still want to try to troubleshoot with the same steps, assuming that your crash is also caused by a race condition.

    For your second question, yes, we are referring to the Workstation Service (as detailed in the link MS09-041, KB971657 referred to in the blog). Installing this KB may cause an access violation (AV). KB940648 was a non-security fix that was rolled up into the MS09-041 security update for XP Pro, and that is where this bug was introduced. If the GDR branch is installed, the KB940648 fix isn't included, and the crash does not occur (but all security updates are still applied). DQI (Desktop QFE Installer) updates provided on the OEM secure ECE site can be applied directly to embedded runtimes (as opposed to the embedded database from which runtimes are built), provided the runtime image has the required dependencies to support the Windows update installer - for more info on these dependencies see this article: …/ee832774.aspx.


  3. lpcarignan says:

    Thanks for the prompt reply. We tried the GDR branch and the problem is not occurring anymore.

  4. M.P says:


    In order to solve svchost crash on Xpe sp3.

    I typed this command : Sc config lanmanworkstation type= own

    This solution has solved the problem.

    Thx for this article.
