Traversing folder structure crashes EXPLORER.EXE in SHELL32.DLL

I have a brand new Lenovo ThinkPad X1 Carbon 20A7 with Windows 8.1 Professional. I can cause a crash of EXPLORER.EXE at will by performing a sequence of steps. It doesn't matter whether the system is freshly imaged back to its factory settings or updated with the latest Windows patches. I believe I have found a bug in Windows itself.

Open up what, in Windows 7, I would call the File Explorer. Navigate to a nice, complex, deep folder structure like C:\Program Files or C:\Windows. Press Enter to display a list of files in the top level of that structure. Now press the Down Arrow, Enter, Right Arrow in sequence, over and over and over for about a minute. Doing this will traverse every level of the folder structure, displaying the contents of each folder as you go.

Obscure? Perhaps. But this is something that I need to do on a regular basis for my work. I am about to return this system unless I can get someone, ANYONE to pay attention. Lenovo isn't interested.

I can reproduce this EXPLORER.EXE crash at will. I have uninstalled everything and it still happens. I have updated everything and it still happens. I have restored to factory, and it still happens. Otherwise, the machine is functional, so I feel strongly that this is in Windows itself, not in the hardware.

I have uploaded a minidump to:

https://drive.google.com/file/d/0B6rGZlHtOqk7LW94Z

This is am example of analyzing one of the minidumps using WinDbg:

||0:0:067> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP:
shell32!Microsoft::WRL::ComPtr<ISyncStatusCacheEntry>::As<IUnknown>+22
00007ffb`535771d2 488b01          mov     rax,qword ptr [rcx]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffb535771d2 (shell32!Microsoft::WRL::ComPtr<ISyncStatusCacheEntry>::As<IUnknown>+0x0000000000000022)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
rax=00000000139b0000 rbx=0000000000000003 rcx=00000000139b0000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000003
rip=00007ffb54586b2a rsp=00000000194fbd58 rbp=00000000194ffa90
 r8=0000000000001000  r9=0000000000000000 r10=0000000000000040
r11=0000000000000286 r12=0000000000000010 r13=00000000194fc128
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtWaitForMultipleObjects+0xa:
00007ffb`54586b2a c3              ret

PROCESS_NAME:  explorer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000000

READ_ADDRESS:  0000000000000000

FOLLOWUP_IP:
shell32!Microsoft::WRL::ComPtr<ISyncStatusCacheEntry>::As<IUnknown>+22
00007ffb`535771d2 488b01          mov     rax,qword ptr [rcx]

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  explorer.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

FAULTING_THREAD:  00000000000007fc

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_BEFORE_CALL

PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ_BEFORE_CALL

DEFAULT_BUCKET_ID:  NULL_POINTER_READ_BEFORE_CALL

LAST_CONTROL_TRANSFER:  from 00007ffb5313d131 to 00007ffb535771d2

STACK_TEXT: 
00000000`194fd630 00007ffb`5313d131 : 00000000`00000000 00007ffb`52ec9ce7 00000000`14a36180 00000000`00000000 : shell32!Microsoft::WRL::ComPtr<ISyncStatusCacheEntry>::As<IUnknown>+0x22
00000000`194fd660 00007ffb`5313c71a : 00000000`00000000 00000000`00000000 00000000`194fd700 00000000`194fd700 : shell32!`Microsoft::WRL::Module<1,Microsoft::WRL::Details::DefaultModule<5> >::Create'::`2'::`dynamic atexit destructor for 'module''+0x95b3d
00000000`194fd6a0 00007ffb`5301e455 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`2446ea40 : shell32!`Microsoft::WRL::Module<1,Microsoft::WRL::Details::DefaultModule<5> >::Create'::`2'::`dynamic atexit destructor for 'module''+0x9510b
00000000`194fd740 00007ffb`53020174 : 00000000`00000001 00000000`241e5998 00000000`241e5998 00000000`00000000 : shell32!CSyncIntegrationManager::_GetValueAndStateFromCache+0x85
00000000`194fd7e0 00007ffb`53018930 : 00000000`00000000 00000000`194ff680 00000000`00000000 00000000`00000000 : shell32!CSyncIntegrationManager::GetSyncStatusByIdList+0x88
00000000`194fd8b0 00007ffb`5301d0dc : 00000000`00000000 00000000`087e18d0 00000000`00000000 00000000`00000000 : shell32!CSyncStatusHandler::GetValue+0x70
00000000`194fd910 00007ffb`52d42a12 : 00000000`194ff698 00000000`00000000 00000000`00000000 00007ffb`52ec338d : shell32!CFSFolder::_GetSyncStatusProperties+0xc8
00000000`194fd990 00007ffb`4cea6656 : 00000000`14d82000 00007ffb`4cea2930 00000000`194ff690 00007ffb`4cea2930 : shell32!CFSFolderPropertyStore::GetValue+0x5e8
00000000`194fef10 00007ffb`4cea6656 : 00000000`14d82000 00000000`00000001 00000000`00000001 00007ffb`4cea2930 : propsys!CMultiplexPropertyStore::GetValue+0x186
00000000`194ff190 00007ffb`4cea32ff : 00007ffb`52f0b4f0 00000000`00514b80 00000000`24519398 00000000`194ff680 : propsys!CMultiplexPropertyStore::GetValue+0x186
00000000`194ff410 00007ffb`4cea56ca : 00000000`00000000 00000000`194ff680 00000000`194ff680 00000000`00000000 : propsys!PSGetValueAndPath+0x5f
00000000`194ff490 00007ffb`5301ca14 : 00000000`00000000 00000000`04e30000 00007ffb`53048050 00000000`194ff680 : propsys!CPropertyProvider::GetValue+0xca
00000000`194ff630 00007ffb`5301b7a5 : 00000000`00000000 00000000`242823e0 00000000`80004005 00007ffb`52fd93eb : shell32!CStatusBarPropertyStore::GetValue+0x78
00000000`194ff660 00007ffb`5301b623 : 00000000`242823e0 00000000`00000003 00000000`194ff720 00000000`1271cab0 : shell32!CGetPropertiesWorkItem::_CacheProperty+0x55
00000000`194ff6e0 00007ffb`530215d2 : 00000000`00000000 00007ff6`b23b9000 00000000`242823e0 00000000`00000002 : shell32!CGetPropertiesWorkItem::_CachePropertyList+0x77
00000000`194ff750 00007ffb`52fd90c7 : 00000000`12645b30 00000000`243122c0 00000000`00000000 00000000`087e0e30 : shell32!CGetPropertiesWorkItem::DoWork+0x8e
00000000`194ff7a0 00007ffb`52ebb565 : 00000000`00000ca0 00000000`243122c0 00000000`0000000f 00000000`0000000b : shell32!CFrameTask::InternalResumeRT+0x17
00000000`194ff7d0 00007ffb`52efe6b0 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00200000 : shell32!CRunnableTask::Run+0x95
00000000`194ff800 00007ffb`52efe887 : 00000000`2444ef80 00000000`2444ef80 00000000`00424270 00000000`00486d48 : shell32!CShellTaskThread::ThreadProc+0x284
00000000`194ff950 00007ffb`4e041637 : 00007ff6`b223c000 00000000`00000000 0000f3e1`90eaa829 00000000`00000000 : shell32!CShellTaskThread::s_ThreadProc+0x2b
00000000`194ff980 00007ffb`5451a122 : 00000000`14cb0750 00000000`00486d48 00000000`00000000 00000000`00000017 : SHCore!ExecuteWorkItemThreadProc+0xf
00000000`194ff9b0 00007ffb`5452bddb : 00000001`00010004 00000000`1664ea50 00000000`00486d48 00000000`00424270 : ntdll!RtlpTpWorkCallback+0x11e
00000000`194ffa90 00007ffb`52bf15cd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x81b
00000000`194ffe80 00007ffb`545643d1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`194ffeb0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  shell32!Microsoft::WRL::ComPtr<ISyncStatusCacheEntry>::As<IUnknown>+22

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: shell32

IMAGE_NAME:  shell32.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5279002b

STACK_COMMAND:  ~67s; .ecxr ; kb

FAILURE_BUCKET_ID:  NULL_POINTER_READ_BEFORE_CALL_c0000005_shell32.dll!Microsoft::WRL::ComPtr_ISyncStatusCacheEntry_::As_IUnknown_

BUCKET_ID:  APPLICATION_FAULT_NULL_POINTER_READ_BEFORE_CALL_shell32!Microsoft::WRL::ComPtr_ISyncStatusCacheEntry_::As_IUnknown_+22

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:null_pointer_read_before_call_c0000005_shell32.dll!microsoft::wrl::comptr_isyncstatuscacheentry_::as_iunknown_

FAILURE_ID_HASH:  {4b7ac51a-a918-f7d6-8b9f-6758c5666bf4}

Followup: MachineOwner
---------

 

Question Info


Last updated March 12, 2019 Views 1,084 Applies to:
Answer
Answer
Hi Dennis,
Thank you for posting your query in Microsoft community.

Please post this query in TechNet forum, they could provide a better
assistance as Anil Kumar B  mentioned in the above reply.

Thank you for choosing  Microsoft.

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.

Answer
Answer

Thank you for the response. I would suggest you to post your query in TechNet forums for better assistance on this issue.

 

http://social.technet.microsoft.com/Forums/en-US/home?category=w8itpro&filter=alltypes&sort=lastpostdesc

 

Hope it helps.

Regards,
Anil

Did this solve your problem?

Sorry this didn't help.

Great! Thanks for marking this as the answer.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this response?

Thanks for your feedback.