General discussion

Locked

error - referenced memory can't be read

By SciFiMan ·
I have a W2K Pro ThinkPad user that upon logging in this morning gets the following error after domain authentication but just before the desktop comes up:
Explorer.exe - Application error "The instruction at "0x100179f9" referenced memory at "0x00000030". The memory could not be 'read'.

He uses his Domain id and is in "Admin" class of user. If I log in as domain Administrator the desktop comes up normal. Can Explorer.exe be "cut and pasted" back in to replace it, assuming it has the problem? He swears, don't they all ;-) that it worked fine Friday and he didn't do anything over the weekend.

Anyone have any ideas before I do anything drastic?

Thanks,
David

This conversation is currently closed to new comments.

3 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

error - referenced memory can't be read

by Aaron_Wurthmann In reply to error - referenced memory ...

A couple of things come to mind, one yes you can copy another working explorer.exe in to place, you might have to do it from NTFSDOS, http://winternals.com. But before you do that I would do a bit of exploring yourself. Do a search for explorer.exe on the all hard drives. How many show up? There should only be three or four, one in c:\winnt another in c:\i386, one in C:\WINNT\$NtServicePackUninstall$, maybe one in C:\WINNT\ServicePackFiles\i386, and perhaps C:\WINNT\system32\dllcache (that is if those directory exists, if not no biggie) If any others show up, especially in c:\winnt\system32, compare the file size of them to the one in c:\winnt or the one you want to import.

In the past I have seen some pretty cool/dangerous viruses pretending to be explorer.exe, but listed in the users path before c:\winnt. You might as well double check while you are on the users machine. Another method would be to install whereis have the user logon open a command prompt and type whereis explorer, only C:\WINNT/explorer.exe should return.

In addition I noticed that you said that you logged on to the users machine as a domain admin. I would make a policy to never to do that. Logon passwords can be captured by users and or Trojan viruses. Agood policy is to use the local administrator account to login, as most password capturing tools had to be install by someone with admin rights so this doesn?t divulge any new information, then use your account, not the domain administrator account,to get to network shares and what not. Your account?s password should expire like everyone else?s, so even if someone was able to capture the keystrokes of your password they only have a few days to use it. All of this is suggested by Microsoft in fact I originally read it from the NSA book on implementing Windows NT.

Collapse -

error - referenced memory can't be read

by SciFiMan In reply to error - referenced memory ...

Poster rated this answer

Collapse -

error - referenced memory can't be read

by SciFiMan In reply to error - referenced memory ...

This question was closed by the author

Back to Windows Forum
3 total posts (Page 1 of 1)  

Related Discussions

Related Forums