Bugchecks: KERNEL_MODE_EXCEPTION_NOT_HANDLED
Here is the next depicted bugcheck: 0×8E. It is very common in kernel crash dumps and it means that:
-
If access violation exception happened the read or write address was in user space
-
Frame-based exception handling was allowed, kernel debugger (if any) didn’t handle the exception (first chance), then no exception handlers were willing to process the exception and at last kernel debugger (if any) didn’t handle the exception (second chance)
-
Frame-based exception handling wasn’t allowed and kernel debugger (if any) didn’t handle the exception
The second option is depicted on the following UML sequence diagram:
Note: if you have an access violation and read or write address is in kernel space you get a different bugcheck as explained in Invalid Pointer Pattern
I assumed that you know about structured and frame based exception handling (SEH). If you don’t know how it is implemented please read Matt Pietrek’s article: A Crash Course on the Depths of Win32 Structured Exception Handling
References used:
- “Windows NT/2000 Native API Reference” book by Gary Nebbett
- Local kernel debugging on Windows XP to check that the flow on the diagram above is correct
- Dmitry Vostokov -