Case of the SMSSWD.exe Crash

A colleague advised me on first logon only a component of SCCM, smsswd.exe would always crash – but would never crash on any subsequent logons.

Not only that, they had a crash dump file. (they’re learning!) In this case it was a User Mini Dump File (.hdmp) generated by Windows Error Reporting on Windows XP…but a good place to start.

So I first run !analyze -v in WinDbg:

This dump file has an exception of interest stored in it.

The stored exception information can be accessed via .ecxr.

(7f8.474): Access violation – code c0000005 (first/second chance not available)

eax=00000000 ebx=80070000 ecx=00350650 edx=00274c80 esi=0000060c edi=00000000

eip=7c90e4f4 esp=0006981c ebp=00069880 iopl=0 nv up ei ng nz ac pe cy

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297


7c90e4f4 c3 ret

0:000> !analyze -v


* *

* Exception Analysis *

* *


*** WARNING: Unable to verify timestamp for TSCore.dll

*** ERROR: Module load completed but symbols could not be loaded for TSCore.dll

*** WARNING: Unable to verify timestamp for smsswd.exe

*** ERROR: Module load completed but symbols could not be loaded for smsswd.exe

GetUrlPageData2 (WinHttp) failed: 12002.



7c809e7a 8a08 mov cl,byte ptr [eax]

EXCEPTION_RECORD: ffffffff — (.exr 0xffffffffffffffff)

ExceptionAddress: 7c809e7a (kernel32!MultiByteToWideChar+0x00000240)

ExceptionCode: c0000005 (Access violation)

ExceptionFlags: 00000000

NumberParameters: 2

Parameter[0]: 00000000

Parameter[1]: 006cb000

Attempt to read from address 006cb000


PROCESS_NAME: smsswd.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 – The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 – The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.



READ_ADDRESS: 006cb000



274a46e4 ?? ???



APP: smsswd.exe




LAST_CONTROL_TRANSFER: from 274a46e4 to 7c809e7a


0006f4c8 274a46e4 00000000 00000000 006cac70 kernel32!MultiByteToWideChar+0x240

WARNING: Stack unwind information not available. Following frames may be wrong.

0006f50c 274a582f 006cac70 ffffffff 0006f6a4 ccmcore+0x246e4

0006f520 274a58a8 006cac70 2aa9306d 00000002 ccmcore+0x2582f

0006f54c 28d8236d 006cac70 2aa918ab 274ada55 ccmcore+0x258a8

0006f7ec 28d84875 2aa9177f 00000001 28d2b750 TSCore+0x8236d

0006f838 28d992d6 0006f87c 0006f88c 2aa9178b TSCore+0x84875

0006f8cc 28d99c5d ffffffff 005c88fa 00000042 TSCore+0x992d6

0006fab8 28d9a670 006c33ea 28d2e9c4 0006fb54 TSCore+0x99c5d

0006fbc8 28d9ab9f 006c33ea 0006fad4 00000000 TSCore+0x9a670

0006fcd4 28d9af53 006c33ea 0006fe00 00000000 TSCore+0x9ab9f

0006fd1c 0040d5d4 006c33ea 0006fe00 00000000 TSCore+0x9af53

0006fd7c 0041130b 006c33ea 00000001 2aa91814 smsswd+0xd5d4

0006fe58 0040cd18 006c33ea 006c34d2 2aa91930 smsswd+0x1130b

0006ff7c 00418b86 00000005 00274468 00274d08 smsswd+0xcd18

0006ffc0 7c817067 00000000 00000000 7ffd5000 smsswd+0x18b86

0006fff0 00000000 00418cc4 00000000 00000000 kernel32!BaseProcessStart+0x23

STACK_COMMAND: ~0s; .ecxr ; kb


SYMBOL_NAME: ccmcore+246e4


MODULE_NAME: ccmcore

IMAGE_NAME: ccmcore.dll


FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_ccmcore.dll!Unknown



Followup: MachineOwner

I noticed error message:

GetUrlPageData2 (WinHttp) failed: 12002.

Which is the WinInet error code for “The Operation Timed Out” (

Dumping the second parameter at the top of the stack trace

0006f50c 274a582f 006cac70 ffffffff 0006f6a4 ccmcore+0x246e4

I retrieved what appeared to be the HTTP response and gave us the likely SCCM package at the time of crash

0:000> da 006cac70 (006cac70+512)
006cac70  “<?xml version=”1.0″ encoding=”ut”
006cac90  “f-8″?><D:multistatus xmlns:D=”DA”
006cacb0  “V:”><D:response><D:href>
006cacd0  “”
006cacf0  “/SMS_DP_SMSPKGD%24/P0000101/</D:”
006cad10  “href><D:propstat><D:status>HTTP/”
006cad30  “1.1 200 OK</D:status><D:prop><D:”
006cad50  “getcontentlength>0</D:getcontent”
006cad70  “length><D:iscollection>1</D:isco”
006cad90  “llection></D:prop></D:propstat><“
006cadb0  “/D:response><D:response><D:href>”
006cadd0  “”
006cadf0  “”
006cae10  “101/650/</D:href><D:propstat><D:”
006cae30  “status>HTTP/1.1 200 OK</D:status”
006cae50  “><D:prop><D:getcontentlength>0</”
006cae70  “D:getcontentlength><D:iscollecti”
006cae90  “on>1</D:iscollection></D:prop></”
006caeb0  “D:propstat></D:response><D:respo”
006caed0  “nse><D:href>”
006caef0  “”
006caf10  “KGD%24/P0000101/650/clientsync.i”
006caf30  “ni</D:href><D:propstat><D:status”
006caf50  “>HTTP/1.1 200 OK</D:status><D:pr”
006caf70  “op><D:getcontentlength>903</D:ge”
006caf90  “tcontentlength><D:iscollection>0”
006cafb0  “</D:iscollection></D:prop></D:pr”
006cafd0  “opstat></D:response></D:multista”
006caff0  “tus>o…LA~..S..????????????????”

However at the end of the day that was not relevant as when I looked at the crash dump date, it was months ago:

Windows XP Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Sat Mar 16 08:51:32.000 2013 (UTC + 10:00)
System Uptime: not available

(This “crash” was happening in August 2013)

I then asked for more visual description of the crash…and it was not the application crashing, it was the Dr Watson Error Reporting coming up…

From a crash that occurred just before the image had been last sysprep’ed…in March.

The fix was to mount the WIM of the Windows XP image and remove the following files:



You may also need to delete these folders under each user profile if they exist:

  • Application Data\Microsoft\Dr Watson
  • Local Settings\Application Data\Microsoft\Dr Watson

More info on Microsoft Error Reporting in XP : (This is not to be confused with Windows Error Reporting on Vista and later)

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Debugging, SCCM, Troubleshooting, WinDbg, Windows XP and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s