Crash dump retrieved from a different OS points to message loop. How to get to the fault location from there? (TeamViewer crashes my process.)

Question

One of the customers of our software complained that it was crashing on his Windows XP machine. I asked him to download ProcDump and run our process through it as such:

procdump -e -ma -w myproc.exe

For which the user emailed me collected crash dump .dmp file.

I then placed that .dmp file into the same folder as the original .exe image file for the process, as well as the .pdb file, and ran the .dmp file through Visual Studio 2010:

Then when I clicked "Debug with native only" VS showed the source code for the MFC 's message loop function with the pointer location after DispatchMessage call (see green arrow):

The call stack didn't help much either:

and when I jumped to the reported fault address, I got nothing:

The app was compiled in VS 2008 as a dialog-based C++/MFC application.

So I'm checking the size of the .dmp file and it is 26.6 MB. There's data in it. The question I have is how can I get more useful info out of it to help pinpoint the location of the fault in the source code?

PS. As an afterthought, I see that the crash happened on Windows XP while I'm running this crash dump .dmp file on Windows 8.1. Is that the reason why I'm getting garbage in the stack trace?

EDIT: Here's what I get in disassembler if I try to see parameters in MSG struct that DispatchMessage was called with:

Also when I try to watch values in pState I get symbol not found .

EDIT 2: Concerning modules and the module loaded into the fault EIP address. The memory slot for 0x1963AB50 appears not be occupied by any module:

EDIT 3: Sorry, it's getting too long. I eventually opened up the crash dump in WinDbg and did !analyze -v command on it. Here's the output. It seems like the DLL that was missing/unloaded is tv_w32.dll :

Microsoft (R) Windows Debugger Version 10.0.10586.567 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\User\Desktop\Myproc\Release\Myproc.exe_160708_141237.dmp]
User Mini Dump File with Full Memory: Only application data is available

Comment: '
*** procdump -e -ma -w Myproc.exe
*** Unhandled exception: C0000005.ACCESS_VIOLATION'

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\MyServerSymbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\MyServerSymbols*https://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Fri Jul  8 05:12:39.000 2016 (UTC - 7:00)
System Uptime: 9 days 6:05:50.960
Process Uptime: 3 days 5:08:52.000
.....................................
Loading unloaded module list
..
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(ba4.4a4): Access violation - code c0000005 (first/second chance not available)
eax=00000001 ebx=00000002 ecx=7c92741c edx=7c98e174 esi=1963ab50 edi=1963ab50
eip=19608536 esp=0012ee3c ebp=0012ee5c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
<Unloaded_tv_w32.dll>+0x8536:
19608536 ??              ???
0:000> .bugcheck
               ^ Syntax error in '.bugcheck'
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


DUMP_CLASS: 2

DUMP_QUALIFIER: 400

CONTEXT:  (.ecxr)
eax=00000001 ebx=00000002 ecx=7c92741c edx=7c98e174 esi=1963ab50 edi=1963ab50
eip=19608536 esp=0012ee3c ebp=0012ee5c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
<Unloaded_tv_w32.dll>+0x8536:
19608536 ??              ???
Resetting default scope

FAULTING_IP: 
tv_w32!unloaded+8536
19608536 ??              ???

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 19608536 (<Unloaded_tv_w32.dll>+0x00008536)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 19608536
Attempt to read from address 19608536

DEFAULT_BUCKET_ID:  BAD_INSTRUCTION_PTR

PROCESS_NAME:  Myproc.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  19608536

READ_ADDRESS:  19608536 

FOLLOWUP_IP: 
tv_w32!unloaded+8536
19608536 ??              ???

FAILED_INSTRUCTION_ADDRESS: 
tv_w32!unloaded+8536
19608536 ??              ???

WATSON_BKT_PROCSTAMP:  576c0d97

WATSON_BKT_PROCVER:  1.5.16.0

PROCESS_VER_PRODUCT:  Myproc Name

WATSON_BKT_MODULE:  unknown

WATSON_BKT_MODVER:  0.0.0.0

WATSON_BKT_MODOFFSET:  19608536

MODLIST_WITH_TSCHKSUM_HASH:  8b7920bcb3af2eb1b97366fd0663a3798ab285ea

MODLIST_SHA1_HASH:  b5acbaed45de37ad3c73ee4478c8f6678e94eaa6

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_FLAGS:  3

DUMP_TYPE:  0

APP:  Myproc.exe

ANALYSIS_SESSION_HOST:  DESKTOP-ABC

ANALYSIS_SESSION_TIME:  07-08-2016 22:18:58.0444

ANALYSIS_VERSION: 10.0.10586.567 x86fre

IP_MODULE_UNLOADED: 
tv_w32!unloaded+8536
19608536 ??              ???

THREAD_ATTRIBUTES: 
OS_LOCALE:  DEU

PROBLEM_CLASSES: 



BAD_INSTRUCTION_PTR
    Tid    [0x4a4]
    Frame  [0x00]: tv_w32!unloaded



INVALID_POINTER_READ
    Tid    [0x4a4]
    Frame  [0x00]: tv_w32!unloaded


BUGCHECK_STR:  BAD_INSTRUCTION_PTR_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 00000000 to 19608536

STACK_TEXT:  
0012ee38 00000000 19608648 ffff071b 00000000 <Unloaded_tv_w32.dll>+0x8536


THREAD_SHA1_HASH_MOD_FUNC:  0959aaead905d5402017a9de12facac3929f71c3

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  52f8c4ddebdd2e855f90e79f96f6fc29a470ad1d

THREAD_SHA1_HASH_MOD:  2e69fc2d39893b6d7d9991dcc4967479dbafb5c5

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  tv_w32!unloaded+8536

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: tv_w32

IMAGE_NAME:  tv_w32.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  573435d6

STACK_COMMAND:  .ecxr ; kb

FAILURE_BUCKET_ID:  BAD_INSTRUCTION_PTR_c0000005_tv_w32.dll!unloaded

BUCKET_ID:  BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_UNLOADED_IP_tv_w32!unloaded+8536

PRIMARY_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_UNLOADED_IP_tv_w32!unloaded+8536

BUCKET_ID_OFFSET:  8536

BUCKET_ID_MODULE_STR:  tv_w32

BUCKET_ID_MODTIMEDATESTAMP:  573435d6

BUCKET_ID_MODCHECKSUM:  45ff9

BUCKET_ID_MODVER_STR:  0.0.0.0

BUCKET_ID_PREFIX_STR:  BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_UNLOADED_IP_

FAILURE_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  tv_w32.dll

FAILURE_FUNCTION_NAME:  unloaded

BUCKET_ID_FUNCTION_STR:  unloaded

FAILURE_SYMBOL_NAME:  tv_w32.dll!unloaded

TARGET_TIME:  2016-07-08T12:12:39.000Z

OSBUILD:  2600

OSSERVICEPACK:  6532

SERVICEPACK_NUMBER: 6

OS_REVISION: 0

OSPLATFORM_TYPE:  x86

OSNAME:  Windows XP

OSEDITION:  Windows XP WinNt (Service Pack 3) SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  2014-03-12 03:48:40

ANALYSIS_SESSION_ELAPSED_TIME: e0a

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:bad_instruction_ptr_c0000005_tv_w32.dll!unloaded

FAILURE_ID_HASH:  {7c7c5a5b-462a-0301-1674-660f1336c576}

Followup:     MachineOwner
---------

Answer 1

Just want to post it here for whoever else runs into this issue. After several hours of digging through the crash dump file, eventually WinDbg was able to pinpoint the culprit (read my postings in the question itself.)

The bottom line is that our customer was using TeamViewer with their Quick Connect option that basically injects third-party UI elements into running programs. This in combination with apparent memory leak (see my OP above and discussion of the use of the xpsp2res.dll module) caused the crash.

The actual crash happened in tv_w32.dll that was unloaded before the dump was generated. And since I don't have source files for TeamViewer, nor that it is in any way related to our software, that's pretty much all I can do at this point.

PS. As a bottom line, having analyzed the dump, I would strongly advise people against using TeamViewer as a go-to remote desktop solution. It seems to be very buggy and causes memory leaks.