Hello All,
We are encountering a hang problem here:
In our application, two threads were trying to call OutputDebugString(...), and both were waiting for a kernel-level mutex
which was held by ngtray.exe (C:\program files\symantec\ghost\ngtray.exe).
After we killed ngtray.exe, our application recovered from the hang.
Our two waiting threads are:
THREAD 88511da8 Cid 0460.045c Teb: 7ffdf000 Win32Thread: e7154008 WAIT: (UserRequest) UserMode Non-Alertable
889fdd68 Mutant - owning thread 889a5308
and
THREAD 88437020 Cid 0460.16f8 Teb: 7ff9b000 Win32Thread: e82424f8 WAIT: (UserRequest) UserMode Non-Alertable
889fdd68 Mutant - owning thread 889a5308
lkd> !process 0 2 ngtray.exe
PROCESS 889a5788 SessionId: 0 Cid: 01c4 Peb: 7ffdd000 ParentCid: 072c
DirBase: 0a4c0280 ObjectTable: e115c828 HandleCount: 54.
Image: ngtray.exe
THREAD 889a5308 Cid 01c4.01c8 Teb: 7ffdf000 Win32Thread: e1136ca0 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
889a54a4 Semaphore Limit 0x2
THREAD 8899eda8 Cid 01c4.01e0 Teb: 7ffde000 Win32Thread: e1337870 WAIT: (UserRequest) UserMode Non-Alertable
889fdd68 Mutant - owning thread 889a5308
We captured a dump file for ngtray.exe and got the following call stack messages:
0:000> ~* kb ffff
. 0 Id: 1c4.1c8 Suspend: 0 Teb: 7ffdf000 Unfrozen
Memory ChildEBP RetAddr Args to Child
0012fa88 7c90df5a 7c8025db 00000044 00000000 ntdll!KiFastSystemCallRet
4 0012fa8c 7c8025db 00000044 00000000 00000000 ntdll!ZwWaitForSingleObject+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
64 0012faf0 7c802542 00000044 ffffffff 00000000 kernel32!WaitForSingleObjectEx+0x8b
14 0012fb04 7c85ae03 00000044 ffffffff 00939620 kernel32!WaitForSingleObject+0x12
260 0012fd64 7c85b440 00159148 00910804 014e014c kernel32!OutputDebugStringA+0xb7
20 0012fd84 0041a207 0093b11c 00910804 00000001 kernel32!OutputDebugStringW+0x3b
00000000 00000000 00000000 00000000 00000000 ngtray+0x1a207
1 Id: 1c4.1e0 Suspend: 0 Teb: 7ffde000 Unfrozen
Memory ChildEBP RetAddr Args to Child
00b0f850 7c90df5a 7c8025db 00000044 00000000 ntdll!KiFastSystemCallRet
4 00b0f854 7c8025db 00000044 00000000 00000000 ntdll!ZwWaitForSingleObject+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
64 00b0f8b8 7c802542 00000044 ffffffff 00000000 kernel32!WaitForSingleObjectEx+0x8b
14 00b0f8cc 7c85ae03 00000044 ffffffff 000006e7 kernel32!WaitForSingleObject+0x12
260 00b0fb2c 004076cf 0093a42c 00000040 0091078c kernel32!OutputDebugStringA+0xb7
2c 00b0fb58 00407196 00000040 0091078c 00b0fc28 ngtray+0x76cf
1c 00b0fb74 00407997 00939d20 00b0fbb0 00000010 ngtray+0x7196
20 00b0fb94 004079e4 004079ed 009105cc 00000005 ngtray+0x7997
4 00b0fb98 004079ed 009105cc 00000005 00939ae0 ngtray+0x79e4
10 00b0fba8 00407baa 00420240 00939cf0 004272a8 ngtray+0x79ed
18 00b0fbc0 00407ed3 00407ee5 0091070c 00b0feb4 ngtray+0x7baa
4 00b0fbc4 00407ee5 0091070c 00b0feb4 00912060 ngtray+0x7ed3
20 00b0fbe4 004082b5 00000000 00939cf0 0091073c ngtray+0x7ee5
18 00b0fbfc 00407738 00000040 00000040 0091078c ngtray+0x82b5
18 00b0fc14 100011d3 100011ea 10003014 00406cf3 ngtray+0x7738
70 00b0fc84 00411588 00000040 00910a64 00b0feb4 THREAD!suspendThreads+0x43
18 00b0fc9c 00407b6a 0000000a 00407d79 0000000a ngtray+0x11588
8 00b0fca4 00407d79 0000000a 00b0feb4 00911fe0 ngtray+0x7b6a
20 00b0fcc4 004082b5 00911fe0 00939ae0 0091073c ngtray+0x7d79
28 00b0fcec 004029d3 00910a64 00939aa0 00000000 ngtray+0x82b5
68 00b0fd54 004079e4 004079ed 00405bb1 00000033 ngtray+0x29d3
4 00b0fd58 004079ed 00405bb1 00000033 00b0fdb4 ngtray+0x79e4
4 00b0fd5c 00405bb1 00000033 00b0fdb4 0040e47a ngtray+0x79ed
c 00b0fd68 0040e47a 00911f10 0091078c 00b0fdbc ngtray+0x5bb1
4c 00b0fdb4 0040250b 00b0feb4 00000000 00b0feb4 ngtray+0xe47a
18 00b0fdcc 00402a9f 00910a64 00939a90 00000000 ngtray+0x250b
c8 00b0fe94 00402d59 00b0feb4 00000000 009109fc ngtray+0x2a9f
64 00b0fef8 004013f4 00910db4 00000001 00910df8 ngtray+0x2d59
10 00b0ff08 004107d8 00910db4 009109fc 00000001 ngtray+0x13f4
10 00b0ff18 004106fd 00410940 0093a3ec 00000000 ngtray+0x107d8
10 00b0ff28 00410953 0093a3ec 00000004 0040390a ngtray+0x106fd
00000000 00000000 00000000 00000000 00000000 ngtray+0x10953
0:000> !handle 44 f
Handle 44
Type Mutant
Attributes 0
GrantedAccess 0x1f0001:
Delete,ReadControl,WriteDac,WriteOwner,Synch
QueryState
HandleCount 24
PointerCount 33
Name \BaseNamedObjects\DBWinMutex
Also, what is ngtray.exe used for? I found that in our system not all PCs have this "ghost" folder (C:\program files\symantec\ghost); usually there is just the folder "Liveupdate" and several other files under "C:\program files\symantec". Are our problem computers using a very old version of it?
Does anyone have any suggestions about how to avoid this issue or fix it?
Thanks
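The triage done by hand in the post can be scripted. The following is an added example, not part of the original post and not code from any vendor: it parses `!process`-style thread listings, links each waiter to the owner of the mutant it waits on, and reports owners whose wait reason is Suspended. The sample input reuses the thread lines shown in the post; the function names are hypothetical.

```python
import re

# Sample input: thread lines in the shape shown in the post
# (one "owning thread" value is wrapped onto its own line, as in the post).
SAMPLE = """\
THREAD 88511da8 Cid 0460.045c Teb: 7ffdf000 Win32Thread: e7154008 WAIT: (UserRequest) UserMode Non-Alertable
889fdd68 Mutant - owning thread
889a5308
THREAD 88437020 Cid 0460.16f8 Teb: 7ff9b000 Win32Thread: e82424f8 WAIT: (UserRequest) UserMode Non-Alertable
889fdd68 Mutant - owning thread 889a5308
THREAD 889a5308 Cid 01c4.01c8 Teb: 7ffdf000 Win32Thread: e1136ca0 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
889a54a4 Semaphore Limit 0x2
THREAD 8899eda8 Cid 01c4.01e0 Teb: 7ffde000 Win32Thread: e1337870 WAIT: (UserRequest) UserMode Non-Alertable
889fdd68 Mutant - owning thread 889a5308
"""

# Either a THREAD header (address, Cid, wait reason) or a mutant wait entry.
TOKEN = re.compile(
    r"THREAD\s+(?P<thread>[0-9a-f]{8})\s+Cid\s+(?P<cid>[0-9a-f]+\.[0-9a-f]+)"
    r".*?WAIT:\s+\((?P<reason>\w+)\)"
    r"|(?P<mutant>[0-9a-f]{8})\s+Mutant - owning thread\s+(?P<owner>[0-9a-f]{8})"
)

def parse(text):
    """Return ({thread: {cid, reason}}, [(waiter, mutant, owner), ...])."""
    threads, waits, current = {}, [], None
    for m in TOKEN.finditer(text):
        if m.group("thread"):
            current = m.group("thread")
            threads[current] = {"cid": m.group("cid"), "reason": m.group("reason")}
        elif current:
            waits.append((current, m.group("mutant"), m.group("owner")))
    return threads, waits

def blocked_on_suspended_owner(text):
    """Map (mutant, owner thread, owner Cid) -> Cids of threads stuck behind it."""
    threads, waits = parse(text)
    findings = {}
    for waiter, mutant, owner in waits:
        info = threads.get(owner)
        if info and info["reason"] == "Suspended" and waiter != owner:
            key = (mutant, owner, info["cid"])
            findings.setdefault(key, []).append(threads[waiter]["cid"])
    return findings

if __name__ == "__main__":
    for (mutant, owner, cid), waiters in blocked_on_suspended_owner(SAMPLE).items():
        print(f"mutant {mutant}: owner {owner} (Cid {cid}) is suspended; waiters: {', '.join(waiters)}")
```

The owner must appear in the same listing for its wait reason to be known, so feed the script the thread lines of every process involved.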