girmrad Posted May 28, 2023
I've been struggling to figure out the source of a frequent CTD issue. As far as I can tell, it is somehow connected to face geometry during random NPC spawning (e.g. bandits), but I can't track down what mod or combination of mods is causing the problem. I'm fairly sure that I have all mod dependencies set up correctly and I've sorted the load order using LOOT. I've attached a few crash logs from .NET Script Framework. I've noticed that all of the possibly related items are HDPT records, but they come from multiple different mods. Any help / insight would be greatly appreciated.
Crash_2023_5_27_20-55-44.txt Crash_2023_5_27_21-1-41.txt Crash_2023_5_27_21-13-5.txt

traison Posted May 28, 2023
Yeah seems head mesh related; potentially a facegen mesh. I'd start by going through all facegen meshes looking for one with a shape named "0Paula_Elf". Most likely belonging to an elf called "Paula". You can limit your search significantly if you know which mod that may be coming from.
Edit: Set Notepad++ to search for the shape name in all *.nif files if you don't want to do it by hand.
Once the mesh/mod is located, I'd rebuild the face mesh for the affected actor in the Creation Kit. If this changes nothing, then the issue may be something more obscure. Mods with dlls can change any byte in the game's memory, so those would be my target #2.
Edited May 28, 2023 by traison

girmrad (Author) Posted May 28, 2023
The "0Paula_Elf" turns out to be a hair from KS Hairdos. I've gotten some crashes from "FemaleBrowsHuman07" which comes from Skyrim.esm, Apachii Divine Elegance Store, and Aurlyn Dawnstone, and crashes from "FemaleBrowsHuman01" which comes from Skyrim.esm, The Demonic Trio, and Elven Priscilla Follower. Some crashes come from eye textures such as "FemaleEyesHumanGreenHazel" and "MaleEyesHumanIceBlue" which are both from Improved Eyes Skyrim. So, it doesn't seem to be only one mod with bad facegen or something.
I do have some mods that affect many faces such as Botox, but I don't know if they could be responsible for these crashes. I do have some NPC mods with high poly heads, but I do NOT have the High Poly Head mod installed only because none of those mods stated that they required the High Poly Head mod.

traison Posted May 28, 2023
The KS Hairdo's mesh would be built into the facegen mesh of an npc, if it was set to use that hairstyle in the CK. I think you're still looking for a bad facegen mesh.
As for reading the crash log: I doubt FemaleBrowsHuman07 specifically caused any crash, unless you have a mod that alters things related to that. You'd see a lot more crashes if it was some specific eyebrow style that was doing it. The thing that caused your crashes is SkyrimSE.exe+3D8C67, conveniently translated to BSFaceGenNiNode::unk_3D8980+2E7 by the crash logger. The hint is in the class name: BSFaceGenNiNode -> Bethesda Softworks FaceGen NiNode (perhaps). NiNode is a term used in nif files, or meshes (armors, hats, bodies, eyeballs, hair, ...).
Edited May 28, 2023 by traison

girmrad (Author) Posted May 28, 2023
OK. How do I go searching through facegen to locate the issue? Do I look in CK or SSEdit? I have no experience with facegen.
Edit: sorry, just remembered you mentioned to search with Notepad++. I'll try to dig around.
Edited May 28, 2023 by girmrad

traison Posted May 28, 2023
If PowerShell is more your thing, this looks like it could do the job as well.
dir .\* -I *.nif -R | Select-String 0Paula_Elf
This should be executed in meshes\actors\character\facegendata\facegeom. Remember to run ps through mo2 if you're using that. Not tested.
Edited May 28, 2023 by traison

girmrad (Author) Posted May 28, 2023
I ended up using grepWin to search. I get tons of results for the brows, but weirdly nothing shows for "0Paula_Elf". It's only found in KSHairdo's.esp.

traison Posted May 28, 2023
Hm, you appear to be correct.
[01] KS Hairdo's.esm (2DF9E084) \ Head Part \ 0107A1DF <0Paula_Elf>
KS Hairdo's\Elves\Paula.nif
Mesh contains a BSDynamicTriShape named "group_1". PowerShell finds nothing for me either, despite having KS installed. Going to have to take another look at those logs...

girmrad (Author) Posted May 28, 2023
Something else that's strange is that I can now consistently reproduce the crash while in the Alternate Start cell by running my MCM Recorder recording. Randomly at some point during the MCM Recorder recording playback the game will crash with the same logs as above. If I go to Breezehome and run the same recording, the game doesn't crash. I know that ghosts spawn in the Alternate Start location, but if I toggle clipping off and wander out there to get the ghosts to spawn (before running the MCM Recorder recording) the game spawns the ghosts fine.

traison Posted May 28, 2023
Pretty sure the ghosts are all male and probably wouldn't have the 0Paula_Elf hairstyle. I'm not familiar with the MCM Recorder mod.
What I'd do next is run through all plugins and find the ones with a reference to KS Hairdo's.esm:
dir .\* -I *.es* | Select-String "KS Hairdo's.esm" | % {$_.filename}
One of them is bound to be the problem. If that's not it either then the only thing that remains is mods with dlls. For instance, do you have the SMP version of KS? If so, your problem may be in SMP/FSMP.
Edited May 28, 2023 by traison

girmrad (Author) Posted May 28, 2023
I do have both the standard and SMP versions of KS Hairdo's installed. So, your PowerShell command returned the following:
Damsels The Caged Rose.esp
Enemy Variations V4 - Items.esp
Enemy Variations V4 - NPCs.esp
Enemy Variations V4 - Wild Add-on.esp
EVW - Weapons Add-on - Enchantments - VAN - SUM.esp
EVW - Weapons Add-on - Enchantments.esp
EVW - Weapons Add-on - NA (WACCF).esp
Full Random NPC Pack.esp
Immersive Wenches -KS hairs- Patch.esp
KS Hairdo's.esp
KS Hairdo's.esp
KS Hairdo's.esp
Spoils of War.esp
The Queens Cure.esp
Removing Immersive Wenches (and thus Deadly Wenches and Enemy Variations) seems to resolve the crash at least within the Alternate Start cell. I tried removing only Enemy Variations, but that didn't fix the crash, so it seems to be Immersive Wenches causing the issue at least in part.
Edited May 28, 2023 by girmrad
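
An added example, not from the thread or from any tool mentioned in it: the text search above matches the string anywhere in a plugin and prints the file once per matching line, which is why KS Hairdo's.esp is listed three times. This Python sketch instead reads the MAST entries of each plugin's TES4 header, assuming the usual Skyrim SE layout (24-byte record header, subrecords with a 4-byte tag and 2-byte length); `read_masters`, `depends_on` and `build_sample` are hypothetical names and the sample plugins are constructed.

```python
import struct

def read_masters(data):
    """Return the master file names listed in a plugin's TES4 header record."""
    if data[:4] != b"TES4":
        raise ValueError("first record is not TES4")
    # Assumed SSE record header: tag, data size, flags, form ID, VC info,
    # form version, unknown = 24 bytes; the size field covers the subrecords.
    (size,) = struct.unpack_from("<I", data, 4)
    body = data[24:24 + size]
    masters, pos = [], 0
    while pos + 6 <= len(body):
        tag, length = struct.unpack_from("<4sH", body, pos)
        pos += 6
        if tag == b"MAST":  # zero-terminated file name
            masters.append(body[pos:pos + length].split(b"\0")[0].decode("cp1252"))
        pos += length
    return masters

def depends_on(data, master):
    """True only if `master` is a declared master (file names are case-insensitive)."""
    return master.lower() in [m.lower() for m in read_masters(data)]

def build_sample(masters, description=b""):
    """Constructed plugin header for the demo; not taken from any real mod."""
    def sub(tag, payload):
        return tag + struct.pack("<H", len(payload)) + payload
    body = sub(b"HEDR", struct.pack("<fiI", 1.7, 0, 0x800))
    if description:
        body += sub(b"SNAM", description + b"\0")
    for name in masters:
        body += sub(b"MAST", name.encode("cp1252") + b"\0") + sub(b"DATA", bytes(8))
    return b"TES4" + struct.pack("<IIIIHH", len(body), 0, 0, 0, 44, 0) + body

if __name__ == "__main__":
    patch = build_sample(["Skyrim.esm", "KS Hairdo's.esm"])
    mention = build_sample(["Skyrim.esm"], b"No longer requires KS Hairdo's.esm")
    for label, blob in (("patch", patch), ("mention", mention)):
        hit = b"KS Hairdo's.esm" in blob  # what a plain text search sees
        print(label, "text match:", hit, "declared master:",
              depends_on(blob, "KS Hairdo's.esm"), read_masters(blob))
```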

traison Posted May 28, 2023
One of those may only be a trigger. It could be a combination of things. But one thing is for certain, you're on to something now.

girmrad (Author) Posted May 28, 2023
OK, so removing the Yuriana Wench mod specifically prevented the crash during Alternate Start. However, running around the world eventually caused the same crash to happen.
Crash_2023_5_28_13-25-28.txt

girmrad (Author) Posted May 29, 2023
I have tried disabling all the mods referencing "0Paula_Elf" as discussed above to no avail. So, at this point I'm guessing it must be due to a DLL mod? Are there any methods or tools I can use to track down which mod it could be?
Edited May 29, 2023 by girmrad

traison Posted May 29, 2023
A debugger with bypassers for the anti-tamper and DRM present in SkyrimSE.exe. So, rewording your question a bit: "Is there a practical way to track down...?", no, not really.
I'd start with SMP/FSMP, if the Paula style is SMP enabled. Other than that, kinda dry on ideas here.
Edit: The best I can do here without putting in hours of effort is a snapshot of the function where the crash occurred. The main issues with this snapshot however will be: 1) it's in assembly and 2) RIP will be somewhere else, meaning it will be a bit like getting woken up in class by your professor and asked to answer a question. You sort of know what's going on but the context and details are missing.
Edited May 29, 2023 by traison

girmrad (Author) Posted May 29, 2023
Unfortunately, the Paula hair is not SMP and disabling FSMP didn't help. I think the snapshot is going to be my only clue. How do I take such a snapshot?

traison Posted May 29, 2023
2 hours ago, girmrad said: How do I take such a snapshot?
6 hours ago, traison said: A debugger with bypassers for the anti-tamper and DRM present in SkyrimSE.exe. So, rewording your question a bit: "Is there a practical way to track down...?", no, not really.
x64dbg
The rest is most likely banned here so not even going to attempt.
Edit: I had a look at that offset (SkyrimSE.exe+3D8C67) and for me that lands me in the middle of an instruction. Our executables are different, despite us both having 1.5.97.0. Meaning: I can't do it from here. And even if I could, I'd only see what the function looks like on my end. If yours was modified, that wouldn't be visible anyways.
Edit again: 3d9868 does seem to line up though, and the call instruction before that takes me to the function that contains 3d8c67 (faulting offset). Here's the snapshot of the function as it appears for me. Yours is most likely modified but there's no way for me to know where and what. Oh and, ignore column 4, that's used for speculation and since RIP is elsewhere it's meaningless in this context.
Edit again: Since your next question might be "what am I looking at": Focus on the call instructions. Some of them got translated names like BSDynamicTriShape::sub_1403DA210. Code execution goes from top to bottom as usual. The crash occurs at line 175 in the dump, however like I said for me that's in the middle of an instruction (not valid). The instruction it crashes at for you is different.
SkyrimSE.exe+3d8c67.txt
Edited May 29, 2023 by traison

girmrad (Author) Posted May 30, 2023
I use MO2, so I started x64dbg in MO2 and opened the SkyrimSE.exe. I went to the file offset "3D8C67". The call instructions above that line didn't have translated names. I've put a chunk of the "CPU" window in the attached file. The last line in the file is the "3D8C67" offset.
x64dbg out.txt

traison Posted May 30, 2023
That is way too different to be the same function. See the messages I sent you yesterday. There's a video of me doing the same thing.

girmrad (Author) Posted May 30, 2023
Unfortunately, I'm not familiar enough with assembly and debugging to follow your messages. I would have to do a lot of studying and learning about assembly / x64dbg before I could attempt to track the issue down. Thank you for all your help, though. I do appreciate it.

traison Posted May 30, 2023
It seemed like you were so close though? I think all you may have done wrong is how you wrote the offset. Instead of just 3D8C67, do this (Ctrl+G):
"skyrimse.0+3D8C67"
From there scroll up until you see a bunch of int3 instructions, select the first non-int3 and scroll down to the next int3 block. That's your function. Copy-paste and done.

girmrad (Author) Posted May 30, 2023
The new search does put me at a different location. Does there have to be many "int3" or just a single "int3"? I see places with single "int3" instructions but I have yet to see somewhere with "a bunch" of "int3".

traison Posted May 30, 2023
My snapshot has no int3's at all, sounds like you're still in a different location. Is your exe cracked or something like that?
Edit: Try skyrimse.0+3d9868 and go up one instruction. It should be a call instruction to the function where your game is crashing. Follow that call instruction and it should put you at the start of the function you want a snapshot of.
Edited May 30, 2023 by traison

girmrad (Author) Posted May 30, 2023
My exe is Steam legit, however I did downgrade back to 1.5.97 after Steam automatically updated it to AE. I am running x64dbg through MO2 so that any mods affecting the SkyrimSE.exe would be reflected. Should I just run x64dbg normally (outside of MO2) and look at the unmodded SkyrimSE.exe? The instruction above skyrim.0+3d9868 for me is "sbb esp,esi".
Edit: running x64dbg outside of MO2 yields the same result. Does the downgrade tool use a cracked exe or something?
Edited May 30, 2023 by girmrad

traison Posted May 30, 2023
Running x64dbg through MO2 only injects the usvfs into x64dbg, nothing else. I wouldn't do that.
I get the feeling you're opening SkyrimSE.exe as-is instead of attaching to the running process. SkyrimSE.exe has a compression, encoding or encryption of some kind in it so you will never see the actual executing code without attaching it to an already running process.
You should check out the things I sent you in my message. The video shows it all and the readme file has the steps in text form.
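
An added example, not from the thread: apart from the packing traison describes, a module-relative offset such as SkyrimSE.exe+3D8C67 from the crash log is a different coordinate from byte 3D8C67 of the file on disk, which is where "file offset 3D8C67" led earlier in the thread. This Python sketch maps one to the other through the PE section table; the header bytes are constructed, the section values are assumptions and not SkyrimSE.exe's real layout, and the function names are hypothetical.

```python
import struct

def section_table(pe):
    """Yield (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (count,) = struct.unpack_from("<H", pe, e_lfanew + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    for i in range(count):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii"), vaddr, vsize, rptr, rsize

def rva_to_file_offset(pe, rva):
    """Map a module-relative offset (RVA) to an offset in the file on disk.

    Returns None when no section holds file bytes for the RVA, e.g. the
    zero-filled tail of a section that only exists once the image is loaded.
    """
    for _name, vaddr, vsize, rptr, rsize in section_table(pe):
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            return rptr + delta if delta < rsize else None
    return None

def build_sample_headers():
    """Constructed PE headers; the section values are NOT SkyrimSE.exe's."""
    pe = bytearray(0x400)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)        # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x8664, 2)  # Machine, NumberOfSections
    struct.pack_into("<H", pe, 0x80 + 20, 0xF0)   # SizeOfOptionalHeader
    table = 0x80 + 24 + 0xF0
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", pe, table, b".text",
                     0x1500000, 0x1000, 0x1500000, 0x400)
    struct.pack_into("<8sIIII", pe, table + 40, b".data",
                     0x200000, 0x1501000, 0x1000, 0x1500400)
    return bytes(pe)

if __name__ == "__main__":
    off = rva_to_file_offset(build_sample_headers(), 0x3D8C67)
    print("module+3D8C67 is file offset", hex(off))
```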