Debugging Faulting Application w3wp.exe Crashes
Posted on May 31, 2011 by Paul WhiteIf your websites are going down, due to your application pool failing, or being automatically shut down after a few application errors, then you have a major problem on your hands. In my case the symptom was A process serving the application pool suffered a fatal communication error with the Windows Process Activation Service, in my system logs. If you have each website running in its own application pool then you know which website is going down, but the errors being displayed give you no hints as to the cause. I recently had a website that was randomly going down. Sometimes it would go down every few days, and other times it would only crash once a month. So I finally did some digging for the cause, and found it. If you don't know where to start in debugging your crashed application pools, this might help.
Why Does W3WP.exe Crash?
In my experience crashing happens for only a few reasons. The first is an unhandled Exception which was serious enough to crash the Application Pool which is rare but does happen. The second is a recursive function or a set of functions that continue to pass the ball to one another with nothing stopping them. In my case this was the case. I had two functions that got caught in a loop and continued to run out of control until the server bottle necked due to CPU or memory usage.How do you know when your Application Pool Crashed?
Easy check your event viewer Application Logs under Windows Logs
The Red Exclamation points are telling you there was an Application Error
But the details of the error don't help us very much. See Below
Faulting application name: w3wp.exe, version: 7.5.7601.17514, time stamp: 0x4ce7afa2
Faulting module name: KERNELBASE.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c78c
Exception code: 0xe053534f
Fault offset: 0x000000000000a49d
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
These errors are followed by a application log from Windows Error Reporting
The details of this message tell us where the system dump was stored. Take note of this, as this will help you find the dump files you need.
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: w3wp.exe
P2: 7.5.7601.17514
P3: 4ce7afa2
P4: KERNELBASE.dll
P5: 6.1.7601.17514
P6: 4ce7c78c
P7: e053534f
P8: 000000000000a49d
P9:
P10:
Attached files:
These files may be available here:
C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe_624e5315e1074e44338812efe102157b47f6ca8_70c6df40
Analysis symbol:
Rechecking for solution: 0
Report Id: 215432e8-8bba-11e0-8d49-0030482e5b77
Report Status: 4
Check your System Logs
Next we go to our system errors on the event viewer. If you are running websites on your server then your system logs are likely to be very numerous. Every time a Application Pool starts or shuts down it will make an entry in your system logs. This is nothing to be concerned about. Many websites are set to shutdown the application pools after a website hasn't had any visitors for more than 20 minutes. This frees up the memory for other sites that do have traffic.But if you see any entries with the Yellow Warning this is not good.
In my case it was telling which website was throwing the error and gave me the following message
A process serving application pool 'yourwebsite.com' suffered a fatal communication error with the Windows Process Activation Service. The process id was '10452'. The data field contains the error number.
Retrieving the W3WP.exe Dump Files
The one you want is the biggest one.
WinDbg Download
First if you don't have WinDbg on your system then you need it.This program will take your dump files and give you the stack trace, which can shed some light on where the problem lies.
Unfortunately Microsoft has recently decided to put WinDbg into some huge 600MB+ ISO package. Forcing you to install the entire package to get just one little program. So after some hard searching I found the raw installers.
Windows WinDbg x86 installer
Windows WinDbg x64 installer
Huge Thanks to RXWEN for keeping these files available
Running WinDbg
In my case since I am running Windows Server 2008 R2 ( only comes in 64 bit ), I installed the 64 bit version of the WinDbg. After you install it, you will find it under Debugging Tools for Windows (x64). Also take note that I am running WinDbg off my production server. You would also download your Dump files to your local machine and try to debug them from there, but to keep things easy in case I ever needed to do some debugging on a Remote Desktop Connection using my cell phone I figured running them off my Production Server was ideal.
After you open the program you will click
File > Open Crash Dump
You will select the dump file which in my case found in the following directory
C:ProgramDataMicrosoftWindowsWERReportQueueAppCrash_w3wp.exe_624e5315e1074e44338812efe102157b47f6ca8_70c6df40
Now you should see a screen like this
In the command line at the bottom of the screen you will type
.loadby sos mscorwks
and press enter. The result should look similar to this
Next we do this
Type the following into the command line
!clrstack
and press enter. You should get something like this showing you the stack trace
What you are looking for is either a single function being called over and over, or maybe 2 or 3 functions that are running in a loop. At the top of the stack I don't see anything so I scroll down a bit.
and the cause is right before our eyes. In my case I have two custom functions that seem to be passing control back and forth with no end in sight. The first is fixquotes, and the second is blacklistVisitor.
fixquotes is a function that just cleans up strings before they are added to MySQL queries, and blacklistVisitor is a function that I setup to blacklist IPs that were attempting something bad ( like SQL Injection, or Denial of Service Attacks ).
Unfortunately until I had a hacker attempt something bad, I had no idea that these two functions were stuck in a loop. Of course just a single instance wouldn't cause the site to go down. But if the same hacker tried over and over again this could create multiple errors and at this point IIS would assume something is wrong and shut the site down.
Conclusion to finding errors in Crashed Application Pools
Most likely you have a recursive function that is calling itself over and over, or you have several functions that are stuck in a loop. Hoping the steps I went through will help others find errors in their code.Debugging Faulting Application w3wp.exe Crashes Categories
Discussion
Paul | Jun 27, 2011 10:35 PM
Neo,
You might need to install .NET 4.0 to get that command to run correctly. I recall running into the same problem and installing .NET 4.0 framework with all updates fixed the issue.
Neo,
You might need to install .NET 4.0 to get that command to run correctly. I recall running into the same problem and installing .NET 4.0 framework with all updates fixed the issue.
Corey | Jul 18, 2011 11:29 AM
Actually neo, if you get that LoadLibrary error you will need to install and run the 32bit version of WinDbg instead.
Actually neo, if you get that LoadLibrary error you will need to install and run the 32bit version of WinDbg instead.
neo | Jul 20, 2011 9:31 PM
hello to all,
i just run the windbg 32 bit on my windows 7 with framework 4.0 upon loading on the memory dump files with a size of 2 gigz its prompt some error its says again. Could not find the I:Installerwindebug x64 and x86 win 2008 r2 IIS crush dump files checkerappcrushdumpappcrushdumpmemory.dump Dump file, Win32 error On87 the parameter is in correct.
what is the problem with this.
hello to all,
i just run the windbg 32 bit on my windows 7 with framework 4.0 upon loading on the memory dump files with a size of 2 gigz its prompt some error its says again. Could not find the I:Installerwindebug x64 and x86 win 2008 r2 IIS crush dump files checkerappcrushdumpappcrushdumpmemory.dump Dump file, Win32 error On87 the parameter is in correct.
what is the problem with this.
Fabio | Jan 9, 2012 10:07 AM
What if I don't hacve a dump file in my directory ? I have only a WER file, but no big ones! Do I have to enable the dumping somewhere? Thanks
What if I don't hacve a dump file in my directory ? I have only a WER file, but no big ones! Do I have to enable the dumping somewhere? Thanks
Paul | Jan 9, 2012 11:00 AM
@ Fabio
You need to install DebugDiag that will allow you create a rule that will generate a dump file when one of your application pools crash. I had actually done that before I figured out I needed the WinDbg to actually process my dump files. I am going to try to update this article with details on installing DebugDiag and setting up the system to generate the dumps.
@ Fabio
You need to install DebugDiag that will allow you create a rule that will generate a dump file when one of your application pools crash. I had actually done that before I figured out I needed the WinDbg to actually process my dump files. I am going to try to update this article with details on installing DebugDiag and setting up the system to generate the dumps.
Paul | Jan 9, 2012 11:04 AM
If you need to manually create a dump file, for instances where your Applications are just consuming lots of CPU or Memory, but not crashing, you can do this by opening task manager, and then right click on the process in question and select "Create Dump File". However if this is to debug a application that is crashing then you will still need to install and setup DebugDiag to capture the dump files when the process crashes.
If you need to manually create a dump file, for instances where your Applications are just consuming lots of CPU or Memory, but not crashing, you can do this by opening task manager, and then right click on the process in question and select "Create Dump File". However if this is to debug a application that is crashing then you will still need to install and setup DebugDiag to capture the dump files when the process crashes.
Fabio | Jan 9, 2012 3:17 PM
Thank you, I'll give it a try!
Thank you, I'll give it a try!
Puneet | Jan 10, 2012 8:19 AM
Thank you so much for this article. It was very helpful. Regards,
Thank you so much for this article. It was very helpful. Regards,
Puneet | Jan 10, 2012 4:36 PM
Also, !clrstack -p showed the parameters and their values passed in the methods.
Regards,
Also, !clrstack -p showed the parameters and their values passed in the methods.
Regards,
Alex | Mar 29, 2012 3:06 PM
for .net 4 read the following to properly .loadby
for .net 4 read the following to properly .loadby
http://stackoverflow.com/questions/4373683/unable-to-load-sos-in-windbg
Andreas | Apr 3, 2012 8:54 AM
Thank you!
Thank you!
This helped me to find our problem! I was lost before I found this post!
Our issue was a home made url re-writer that at some point got stuck in a loop!
Best regards Andreas
John | Apr 23, 2012 12:06 PM
You have no idea how helpful this post is to me. Thank You!!!!!
-John
You have no idea how helpful this post is to me. Thank You!!!!!
-John
Michal | May 10, 2012 5:49 AM
Hello,
Hello,
We have a very similar problem with an application pool serving a web application on our WS2008 R2 SP1 Server.
A process serving application pool 'EHK' suffered a fatal communication error with the Windows Process Activation Service. The process id was '1164'. The data field contains the error number.
However no dump is created when this error occurs, because the process doesn´t crash, nor DebugDiag catches anything.
This is the only evidence of this error. Nothing else in Application nor System Logs
Any idea how to diagnose and debug this kind of error, please?
Regards,
Paul | May 10, 2012 9:56 AM
@Michal
Windows Server 2008 R2 doesn't create dump files on its own. You have to configure it to do so. I learned this the hard way : )
Visit this page
How to use Debug Diag
This page will show you how to install Debug Diagostics Tools, and how to set them up to force the system to capture a dump file. After you have the dump file come back to this blog for info on how to open and read it.
@Michal
Windows Server 2008 R2 doesn't create dump files on its own. You have to configure it to do so. I learned this the hard way : )
Visit this page
How to use Debug Diag
This page will show you how to install Debug Diagostics Tools, and how to set them up to force the system to capture a dump file. After you have the dump file come back to this blog for info on how to open and read it.
Michal | May 11, 2012 7:45 AM
@Paul:
@Paul:
Thanks for reply,
This is exactly what I have tried, but still no success :-/ The W3WP process doesn´t crash, so no dump is generated via DebugDiag, and setting performance rule and generating the dump manually doesn´t work either, because the problematic W3WP process doesn´t hang forever - it causes 100% CPU usage for 60s and then dies Trying manual dump didn't bring anything interesting at all.
Simon | May 14, 2012 9:03 AM
Thanks for posting this - Very useful!
Thanks for posting this - Very useful!
hello to the author,
i been using the windgb tools x64 on our production server, cause were looking for an answer why the w3wp is crashing, and when i tried to load the 2 gbz file of the memory dump files..the tools says the cannot loadlibary(c:.....net frameworksosfailed..)..what is the problem with this..anyway our production server is windows server 2008 r2 installed with a framework 2.0..