Wednesday, November 25, 2015

Windows Errors - what's that 0xC0000005 ???

Whenever you catch something like an hex errorcode without knowing what it is for. Then this may help you a lot.

Windows Errors on MSDN 

Here you may find the answer (Based on errors coming from WinError.h which is the source for Base OS errors).
Please keep in mind whenever you are looking for an error here you have to remove the leading zeros (00000...) (e.g. dont lookup for 0xc0000005  just look for 5)
Here you see the example:
5 (0x5)
Access is denied.

Windows Errors with Error Lookup Tool (Err.exe)

When you are looking for more than just errors coming from WinError.h then you get more possible error codes and also error sources when using the "Exchange Server Error Lookup Tool."
Exchange is in this case somehow missleading. Actually its about the Windows error code ressources.
Simply download it and extract the err.exe file. You can simply execute it with the errorcode.
err.exe 0xc0000005 which reveals what OS header files include a description of this error code. That might be more as just the (WinError.h or ntstatus.h)

"Usage: err <value> [value] [value]…
where <value> must be of one of the following forms:
  • Decorated hex (0x54f)
  • Implicit hex (54f)
  • Ambiguous (1359)
  • Exact string (=ERROR_INTERNAL_ERROR)
  • Substring (:INTERNAL_ERROR)
All values on the command line as well as any associated information, will be in internal tables in Exchange Windows OS Server (see following example). If available, informational data associated with the value or values will also be displayed. By default, this tool searches all tables, but you can restrict the output to those tables you deem appropriate by adding "/<tablename>" to the beginning of the command line."
And don't think it is old. Most of the error codes existing for a very long time. The dump was extracted from Windows source code in 2003. And believe it or not but an access denied is still the same error code.
This tool may not help with all the brand new fancy features where the error is very specific. But also these fancy features still rely on the good old Windows basics. Like file access is denied to use this feature.
Give it a trial. It may help you to look into the right direction.
And in doubt use ProcMon from Mark Russinovich