This chapter covers troubleshooting application crashes and hangs, a critical skill for the CompTIA A+ Core 2 (220-1102) exam, particularly under Objective 3.4: Software Troubleshooting. Application failures are among the most common issues faced by IT support technicians, and exam questions frequently test your ability to diagnose and resolve these problems. Approximately 10-15% of the Software Troubleshooting domain questions relate to application crashes, hangs, or general failures, so mastering this topic is essential for exam success.
Jump to a section
Imagine an office assembly line where each worker completes a specific task on a document before passing it to the next station. The process is well-defined: Worker A receives raw data, formats it, and sends it to Worker B, who checks for errors and passes it to Worker C for final approval. The system works smoothly until one day, Worker B's computer freezes while checking a spreadsheet. Worker B is stuck, unable to finish the task or pass the document along. Meanwhile, Worker A, having completed their task, tries to hand off the next document but finds Worker B's inbox full. Worker A's document sits in a queue, and eventually, Worker A's own desk becomes cluttered, slowing down their work. The bottleneck at Worker B causes a cascade of delays upstream. In a computer, an application hang is like Worker B freezing: the application is still open (the worker is at their desk) but not processing any new input or advancing its own tasks. The operating system (the office manager) notices the hang and may offer to terminate the process (fire the worker) or wait. If the hang is severe, the OS can forcibly close the application, freeing up memory and CPU resources (clearing the bottleneck). Crashes, on the other hand, are like Worker B suddenly quitting without notice – the process terminates abruptly, often leaving behind a core dump (a detailed exit interview) that developers can analyze to determine why the worker left.
What Are Application Crashes and Hangs?
Application crashes and hangs are two distinct types of software failures that IT professionals encounter daily. A crash is an abrupt termination of an application, often accompanied by an error dialog or the application simply disappearing from the screen. A hang occurs when an application stops responding to user input but remains visible on the screen; the window may show a 'Not Responding' title bar in Windows, or the spinning cursor (beach ball) on macOS. Both conditions prevent the user from completing tasks and can lead to data loss.
From the operating system's perspective, a crash is typically caused by an unhandled exception – an error condition that the application code did not anticipate or manage. Common exceptions include access violations (trying to read or write memory the process does not own), division by zero, stack overflow, or invalid instruction. When such an exception occurs, the OS's exception handler terminates the process and may generate a crash dump (memory dump) for debugging.
A hang, on the other hand, is usually caused by a thread deadlock, infinite loop, or waiting on a resource that never becomes available. The process is still alive (its threads exist), but one or more threads are stuck. The OS can detect hangs through watchdog timers or by monitoring window messages; if a window fails to respond to a 'ping' message within a timeout (typically 5 seconds on Windows), the OS marks it as 'Not Responding'.
How Crashes and Hangs Work Internally
When an application starts, the OS creates a process with its own virtual address space, handle table, and at least one thread. The thread executes the application code. If the code attempts an invalid operation – for example, dereferencing a null pointer – the CPU raises an exception (e.g., access violation on x86/x64). The OS's exception dispatcher checks if the application has registered a structured exception handler (SEH) for that exception. If not, the OS invokes the final handler, which terminates the process and displays an error to the user (e.g., 'Application has stopped working').
For hangs, the mechanism often involves the Windows Message Pump. In GUI applications, a thread runs a message loop that retrieves and dispatches messages (keyboard, mouse, timer, etc.) from the thread's message queue. If the thread enters an infinite loop or is waiting on a synchronization object (mutex, semaphore, event) that is never signaled, it stops processing messages. The OS's Hung Window Detection component periodically sends a WM_NULL message to the window; if the window does not respond within a timeout (default 5 seconds), Windows marks the window as 'Not Responding' and offers the user the option to force close the application.
Key Components, Values, and Defaults
Windows Error Reporting (WER): When a crash occurs, WER collects diagnostic information (crash dump, exception code, stack trace) and optionally sends it to Microsoft. The crash dump is typically saved to %LOCALAPPDATA%\CrashDumps or %TEMP%\WER*.
Exception Codes: Common exception codes include 0xC0000005 (Access Violation), 0xC0000094 (Integer Division by Zero), 0xC00000FD (Stack Overflow), and 0xC0000008 (Invalid Handle).
Hung Window Timeout: Configurable via registry key HKEY_CURRENT_USER\Control Panel\Desktop\HungAppTimeout (default 5000 milliseconds = 5 seconds).
WaitToKillAppTimeout: Registry key HKEY_CURRENT_USER\Control Panel\Desktop\WaitToKillAppTimeout (default 20000 ms = 20 seconds) determines how long the OS waits for a hanging app to close gracefully before force-terminating.
Event Logs: Application crashes are logged in Windows Logs > Application with Event ID 1000 (Application Error) or 1001 (Windows Error Reporting). Hangs may be logged with Event ID 1002 (Application Hang).
Configuration and Verification Commands
Event Viewer: eventvwr.msc – Navigate to Windows Logs > Application to view crash and hang events.
Task Manager: taskmgr.exe – Shows 'Not Responding' status for hung applications. You can right-click and 'End Task' to terminate.
Resource Monitor: resmon.exe – Provides detailed CPU, memory, disk, and network usage per process; useful for identifying resource contention causing hangs.
Process Explorer (Sysinternals): procexp.exe – View thread stacks to identify deadlocked threads. A deadlocked thread will show a stack frame waiting on WaitForSingleObject or WaitForMultipleObjects.
Debugging Tools: Use WinDbg to analyze crash dumps. Command: windbg -z <dumpfile.dmp> then !analyze -v to get automated analysis.
Application Compatibility Toolkit: For older applications that crash on newer OS versions, use the Compatibility Administrator to apply fixes (shims).
How Crashes/Hangs Interact with Related Technologies
Virtual Memory: A crash can occur if the application tries to access memory beyond its allocated virtual address space (access violation). Insufficient virtual memory (paging file too small) can cause 'Out of Memory' crashes.
Drivers: Faulty device drivers can corrupt memory or cause IRQL_NOT_LESS_OR_EQUAL crashes (blue screen). Application crashes can be triggered by driver bugs.
Antivirus: Real-time scanning can cause application hangs if the antivirus locks a file the application needs. Some antivirus software injects DLLs into processes, potentially causing instability.
.NET Framework: Managed applications rely on the Common Language Runtime (CLR). Crashes can occur from unhandled CLR exceptions (e.g., NullReferenceException). Hangs may result from garbage collection pauses or finalizer thread deadlocks.
Java: Java applications run in a Java Virtual Machine (JVM). Crashes can be due to native code bugs (JNI) or out-of-memory errors. Hangs often stem from thread contention or infinite loops.
Specific Troubleshooting Steps
When an application crashes or hangs, follow a structured approach:
Identify the symptom: Note whether it's a crash (application closes) or a hang (application freezes but stays open). Check Event Viewer for error logs.
Check for updates: Ensure the application and OS are fully patched. Many crashes are fixed in service packs or updates.
Test in Safe Mode: Boot into Safe Mode to rule out third-party drivers or startup programs. If the issue disappears, a driver or startup item is likely the cause.
Use Clean Boot: Perform a clean boot (disable all non-Microsoft services and startup items) to isolate the conflicting software.
Check resource usage: Use Task Manager to see if the application is consuming excessive CPU, memory, or disk I/O. A memory leak can cause gradual slowdown and eventual crash.
Reinstall the application: Corrupted installation files can cause crashes. Uninstall and reinstall using the latest version.
Run as administrator: Some applications require elevated privileges. Right-click and select 'Run as administrator'.
Check compatibility: For older applications, run the Program Compatibility Troubleshooter or manually set compatibility mode (e.g., Windows 7, XP SP3).
Disable add-ons: Browser crashes often result from extensions. Disable all add-ons and re-enable one by one.
Analyze crash dumps: If available, use WinDbg or Visual Studio to analyze dump files for the exact line of code causing the crash.
Common Causes and Their Solutions
Insufficient memory: Close other applications, increase virtual memory (paging file size), or install more RAM.
Corrupted system files: Run System File Checker (sfc /scannow) and DISM (DISM /Online /Cleanup-Image /RestoreHealth).
Faulty hardware: Run memory diagnostics (Windows Memory Diagnostic) or check hard drive for errors (CHKDSK).
Outdated drivers: Update drivers, especially graphics and chipset drivers.
Conflicting software: Use Clean Boot to identify conflicting services or startup programs.
Malware: Run a full antivirus scan. Some malware causes application instability.
Registry issues: Use a registry cleaner cautiously; better to use System Restore to revert recent changes.
Advanced: Using Process Monitor (ProcMon)
Process Monitor from Sysinternals logs file system, registry, and process/thread activity in real time. To troubleshoot a crash or hang: 1. Start ProcMon with filtering for the application's process name. 2. Reproduce the crash/hang. 3. Stop capture and look for 'ACCESS DENIED' errors, 'NOT FOUND' file operations, or repeated registry queries that indicate a loop. 4. This can reveal missing DLLs, permission issues, or infinite file access attempts.
Check Event Viewer for Errors
Open Event Viewer (eventvwr.msc) and navigate to Windows Logs > Application. Look for Error events with Event ID 1000 (Application Error) or 1002 (Application Hang). Note the faulting module name, exception code, and fault offset. This provides the first clue about what caused the crash – for example, 'faulting module: ntdll.dll' suggests a low-level OS interaction issue, while 'faulting module: myapp.exe' indicates a bug in the application itself.
Identify Hang vs Crash Symptoms
Determine whether the application is hung (not responding) or crashed (closed). For a hang, the application window remains visible but cannot be interacted with; Task Manager shows 'Not Responding'. For a crash, the application disappears, often with an error dialog. This distinction matters because hangs often require forcing termination (End Task), while crashes may leave behind a dump file for analysis.
Force Close Hung Application
Press Ctrl+Shift+Esc to open Task Manager. Locate the hung application under the Processes tab. Right-click and select 'End Task'. Windows will attempt to close the application gracefully; if it doesn't respond within the WaitToKillAppTimeout (default 20 seconds), the OS forcefully terminates the process. This may cause data loss, so warn the user first.
Check Resource Usage in Task Manager
In Task Manager, click the Performance tab to see overall CPU, memory, disk, and network usage. Then switch to the Processes tab and sort by CPU or Memory to see if the problematic application is consuming excessive resources. A memory leak will show steadily increasing memory usage over time. High CPU (near 100%) often indicates an infinite loop causing a hang.
Run Application in Safe Mode
Restart the computer and press F8 (or use Shift + Restart on Windows 10/11) to boot into Safe Mode. In Safe Mode, only essential drivers and services load. Launch the application. If it works correctly in Safe Mode, the issue is likely caused by a third-party driver, service, or startup program. Use Clean Boot to isolate the culprit.
Perform Clean Boot to Isolate Conflicts
Run msconfig and select 'Selective startup', then uncheck 'Load startup items'. Go to the Services tab, check 'Hide all Microsoft services', and click 'Disable all'. Reboot. If the application works, re-enable services and startup items in groups until the problem reappears. This identifies the conflicting software (e.g., antivirus, shell extensions).
Reinstall or Repair the Application
If the application is corrupted, uninstall it from Programs and Features. Download the latest version from the official source and reinstall. Some applications offer a Repair option in the installer (found in Programs and Features > right-click > Change). Repair replaces missing or corrupted files without removing user data.
Check for Windows and Driver Updates
Go to Settings > Update & Security > Windows Update and check for updates. Also update device drivers, especially graphics drivers, from the manufacturer's website. Outdated or buggy drivers are a common cause of application crashes (e.g., graphics-intensive apps crashing due to GPU driver issues).
Analyze Crash Dump with Debugger
If a crash dump was created (typically in %LOCALAPPDATA%\CrashDumps), install Windows Debugging Tools (WinDbg) from the Windows SDK. Open the dump file and run the command '!analyze -v'. WinDbg will display the exception code, stack trace, and likely cause. For example, an access violation at address 0x00000000 indicates a null pointer dereference.
Test with Application Compatibility Settings
Right-click the application executable, select Properties, go to the Compatibility tab. Check 'Run this program in compatibility mode for' and select an older OS (e.g., Windows 7). Also check 'Run as administrator'. Apply and test. This resolves many crashes caused by legacy applications expecting older OS behavior.
In a typical enterprise environment, application crashes and hangs are a daily occurrence. Consider a financial trading firm where a proprietary trading application hangs during peak market hours. The application is multithreaded and uses a custom in-memory database. A deadlock occurs when two threads both hold a lock needed by the other. The application stops responding, and traders lose ability to execute trades. The IT team uses Process Explorer to identify threads waiting on WaitForSingleObject. They capture a dump and analyze it with WinDbg, revealing the deadlock. The developers then fix the lock ordering. In production, such issues are mitigated by implementing watchdog timers that automatically restart hung processes, and by using high-availability clusters with failover.
Another scenario: a large hospital uses an electronic health records (EHR) application that crashes when printing patient summaries. The crash is intermittent and occurs only on certain workstations. The support team discovers that the crash is caused by a missing printer driver – the application attempts to call a printer API that returns an error, leading to an unhandled exception. The solution is to ensure all workstations have the correct printer drivers installed and to update the application to handle the error gracefully. This highlights the importance of testing with all supported peripherals.
A third example: a cloud-based CRM application hangs for users when they upload large CSV files. The hang occurs because the application's UI thread is blocked waiting for the file upload to complete. The developers should have used asynchronous I/O. The temporary workaround is to instruct users to split files into smaller chunks. The permanent fix involves rewriting the upload logic to use background threads. In production, monitoring tools like Application Insights can detect hangs by tracking response times and alerting when a page takes longer than 10 seconds to load.
The 220-1102 exam tests troubleshooting of application crashes and hangs under Objective 3.4 (Given a scenario, troubleshoot common Windows, macOS, and Linux issues). Specifically, you must know how to identify and resolve application failures using tools like Task Manager, Event Viewer, and System Configuration. The exam expects you to differentiate between a crash and a hang and apply appropriate steps.
Common Wrong Answers: 1. 'Reinstall the operating system' – This is almost never the correct first step. The exam emphasizes targeted troubleshooting before resorting to OS reinstallation. 2. 'Run a disk defragmentation' – Defragmentation does not fix application crashes; it only optimizes disk layout. Candidates confuse disk issues with application issues. 3. 'Update the BIOS' – While a BIOS update can fix some stability issues, it is rarely the direct cause of an application crash. The exam wants you to check simpler solutions first. 4. 'Increase the paging file size' – While insufficient virtual memory can cause crashes, it's not a universal fix. The exam often presents this as a distractor when the real issue is a corrupted DLL.
Key Numbers and Terms: - Exception code 0xC0000005 (Access Violation) appears frequently. - HungAppTimeout default: 5000 ms (5 seconds). - WaitToKillAppTimeout default: 20000 ms (20 seconds). - Event ID 1000 for application errors, 1002 for hangs. - Tools: Task Manager (taskmgr.exe), Event Viewer (eventvwr.msc), System Configuration (msconfig), Performance Monitor (perfmon).
Edge Cases: - A 32-bit application running on 64-bit Windows may crash due to registry redirection (Wow6432Node). The exam may test awareness of file system and registry virtualization. - A hang caused by a network drive that is unreachable. The application tries to access a file on a mapped drive that is disconnected, causing the UI thread to block indefinitely. - A crash that only occurs when the application is run as a standard user, but works as administrator. This points to permission issues (e.g., writing to Program Files).
Elimination Strategy: When eliminating wrong answers, focus on the symptom. If the problem is a hang, answers that involve reinstalling or patching are unlikely to be the immediate solution – the first step is to end the task. For crashes, check Event Viewer first. If the crash is linked to a specific DLL, the answer might involve re-registering the DLL (regsvr32) or replacing it.
A crash is an abrupt termination; a hang is an unresponsive process that remains open.
Use Event Viewer (eventvwr.msc) to find Event ID 1000 (crash) or 1002 (hang).
Task Manager shows 'Not Responding' for hung apps; use 'End Task' to force close.
Common exception code: 0xC0000005 (Access Violation).
HungAppTimeout default: 5000 ms (5 seconds); WaitToKillAppTimeout default: 20000 ms (20 seconds).
Safe Mode loads only essential drivers and services – use to isolate third-party conflicts.
Clean Boot (msconfig) disables non-Microsoft services to identify conflicting software.
Reinstall or repair the application if corruption is suspected.
Analyze crash dumps with WinDbg using '!analyze -v' command.
Always check for Windows and driver updates before deeper troubleshooting.
These come up on the exam all the time. Here's how to tell them apart.
Crash
Process terminates abruptly.
Often generates an error dialog or crash dump.
Caused by unhandled exceptions (e.g., access violation).
Event ID 1000 logged in Application event log.
User sees application close unexpectedly.
Hang
Process remains running but unresponsive.
Window shows 'Not Responding' (Windows) or spinning cursor (macOS).
Caused by deadlocks, infinite loops, or resource waits.
Event ID 1002 logged in Application event log.
User can attempt to close via Task Manager 'End Task'.
Mistake
A 'Not Responding' window means the application has crashed.
Correct
A 'Not Responding' window indicates a hang, not a crash. The process is still running but not processing messages. A crash would terminate the process entirely.
Mistake
Increasing virtual memory always fixes application crashes.
Correct
Increasing virtual memory only helps if the crash is due to insufficient memory (out-of-memory error). Many crashes are caused by software bugs, corrupted files, or driver issues, not memory.
Mistake
Ending a task in Task Manager immediately closes the application without data loss.
Correct
Ending a task sends a termination signal. The application may have unsaved data, and if it doesn't handle the signal gracefully, data loss occurs. The OS waits for WaitToKillAppTimeout before force-killing.
Mistake
Event ID 1000 always indicates an application crash.
Correct
Event ID 1000 is for application errors, which often but not always correspond to crashes. Some errors may be recoverable. Event ID 1002 specifically indicates an application hang.
Mistake
Safe Mode loads all drivers and services.
Correct
Safe Mode loads only essential drivers and services (e.g., basic display, mouse, keyboard). Third-party drivers and startup programs are not loaded, which helps isolate conflicts.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Press Ctrl+Shift+Esc to open Task Manager. Under the Processes tab, locate the hung application (it will show 'Not Responding' under Status). Right-click it and select 'End Task'. Windows will attempt to close it gracefully; if it doesn't respond within 20 seconds (default WaitToKillAppTimeout), the OS forcefully terminates the process. This may cause data loss.
Event ID 1000 is logged in the Application event log when an application crashes. It includes details like the faulting application name, faulting module, exception code, and fault offset. For example, exception code 0xC0000005 indicates an access violation. Use this information to pinpoint the cause of the crash.
Check Event Viewer for the faulting module. If it's a driver file (e.g., nvlddmkm.sys for NVIDIA graphics), the crash is likely driver-related. Also, if the crash occurs only when using specific hardware (e.g., a printer), update that driver. Boot into Safe Mode – if the crash stops, a third-party driver is probably the culprit.
A crash is when an application terminates unexpectedly due to an unhandled exception. The process ends, and the application disappears from the screen. A hang is when the application remains open but stops responding to input – the window may show 'Not Responding'. Hangs are often caused by deadlocks or infinite loops.
Install Windows Debugging Tools (WinDbg) from the Windows SDK. Open the dump file (usually in %LOCALAPPDATA%\CrashDumps) with WinDbg. Run the command '!analyze -v' to get an automated analysis. This will show the exception code, stack trace, and likely cause, such as a null pointer dereference.
Clean Boot starts Windows with a minimal set of drivers and startup programs. To perform it, run msconfig, select 'Selective startup', uncheck 'Load startup items', and disable all non-Microsoft services. If the application works in Clean Boot, re-enable services in groups until the crash reappears to identify the conflicting software.
Yes, if the system runs out of physical memory, the OS may terminate applications to free memory, or the application may fail to allocate memory (resulting in an exception). However, crashes due to insufficient memory are less common than software bugs. Use Task Manager to monitor memory usage; if it's consistently high, consider adding more RAM.
You've just covered Troubleshoot: Application Crashes and Hangs — now see how well it sticks with free 220-1102 practice questions. Full explanations included, no account needed.
Done with this chapter?