This is planned for publication after Windows® Crash Dump Analysis book. Preliminary information is:
(*) subject to change
- Dmitry Vostokov @ DumpAnalysis.org -
Microsoft is looking for 5 Windows Internals SME to help them with their special project. Details can be found on CPR Team blog:
Wanted: Windows Internals subject matter experts
- Dmitry Vostokov @ DumpAnalysis.org -
Although the first volume has not been published yet (scheduled for 15th of April, 2008) the planning for the second volume has already begun. Preliminary information is:
Hardcover version is also planned. PDF version will be available for download too.
(*) subject to change
- Dmitry Vostokov @ DumpAnalysis.org -
There is a good Microsoft white paper about !ndiskd commands to interrogate kernel dumps:
Applying !ndiskd.protocols command we can see that there are more protocols added to Vista:
Windows Server 2003 SP2:
kd> !ndiskd.protocols
Protocol 862db330: NDISUIO
Open 86420650 - Miniport: 862e2ab0 AMD PCNET Family PCI Ethernet Adapter
Protocol 86324780: TCPIP_WANARP
Open 86324008 - Miniport: 863a2130 WAN Miniport (IP)
Protocol 86318790: TCPIP
Open 8637c008 - Miniport: 862e2ab0 AMD PCNET Family PCI Ethernet Adapter
Protocol 863e3c28: NDPROXY
Open 8639e0d0 - Miniport: 86361530 Direct Parallel
Open 8639bb48 - Miniport: 86361530 Direct Parallel
Open 863e48b0 - Miniport: 863e3130 WAN Miniport (L2TP)
Open 86404008 - Miniport: 863e3130 WAN Miniport (L2TP)
Protocol 863a9d80: RASPPPOE
Protocol 863a9008: NDISWAN
Open 863e3ab0 - Miniport: 86361530 Direct Parallel
Open 86398c30 - Miniport: 862c4530 WAN Miniport (PPTP)
Open 864618f8 - Miniport: 8637a870 WAN Miniport (PPPOE)
Open 86468a28 - Miniport: 863e3130 WAN Miniport (L2TP)
Vista:
1: kd> !ndiskd.protocols
Protocol fffffa8004569580: RSPNDR
Open fffffa8004566a20 - Miniport: fffffa80039711a0 Broadcom NetXtreme 57xx Gigabit Controller
Protocol fffffa80043a4900: LLTDIO
Open fffffa800428a1d0 - Miniport: fffffa80039711a0 Broadcom NetXtreme 57xx Gigabit Controller
Protocol fffffa8003f6c820: WANARPV6
Open fffffa8003f1c010 - Miniport: fffffa800399f1a0 WAN Miniport (IPv6)
Protocol fffffa8003f6cd20: WANARP
Open fffffa8003f1c670 - Miniport: fffffa80039d61a0 WAN Miniport (IP)
Protocol fffffa8003eedb10: TCPIP6TUNNEL
Open fffffa8003f33010 - Miniport: fffffa800396c1a0 isatap.company.com
Open fffffa8003f0f010 - Miniport: fffffa80038f21a0 Teredo Tunneling Pseudo-Interface
Protocol fffffa8003eeb580: TCPIPTUNNEL
Protocol fffffa8003eeb010: TCPIP6
Open fffffa8003f452e0 - Miniport: fffffa80039711a0 Broadcom NetXtreme 57xx Gigabit Controller
Protocol fffffa8003ee90d0: TCPIP
Open fffffa8003ffc480 - Miniport: fffffa80039711a0 Broadcom NetXtreme 57xx Gigabit Controller
Protocol fffffa8003c56010: NDPROXY
Open fffffa8003d41450 - Miniport: fffffa800399d1a0 WAN Miniport (L2TP)
Open fffffa8003d41a30 - Miniport: fffffa800399d1a0 WAN Miniport (L2TP)
Protocol fffffa80039ad790: RASPPPOE
Protocol fffffa80039af4e0: NDISWAN
Open fffffa8004737a10 - Miniport: fffffa8004a321a0 RAS Async Adapter
Open fffffa8003bf8ac0 - Miniport: fffffa80039c21a0 WAN Miniport (PPTP)
Open fffffa8003c5cac0 - Miniport: fffffa80039c01a0 WAN Miniport (PPPOE)
Open fffffa8003c565a0 - Miniport: fffffa800399d1a0 WAN Miniport (L2TP)
I noticed this extension when I got a bugcheck from the 3rd-party custom protocol driver:
SYSTEM_PTE_MISUSE (da)
The stack trace identifies the guilty driver.
Arguments:
Arg1: 00000400, Type of error.
Arg2: f7a9a413
Arg3: 00000001
Arg4: 00000000
0: kd> kL
ChildEBP RetAddr
f5c68a68 8083b6e1 nt!KeBugCheckEx+0x1b
f5c68a90 8083d478 nt!MiRemoveIoSpaceMap+0x5d
f5c68b38 f5b6ebea nt!MmUnmapIoSpace+0x10c
WARNING: Stack unwind information not available. Following frames may be wrong.
f5c68b90 f5b69abe protocol!foo2+0x28ac
f5c68bf4 f70fd4be protocol!foo+0x1aa0
f5c68c90 f70fd2fc NDIS!ndisInitializeBinding+0x189
f5c68d18 f70fce48 NDIS!ndisCheckAdapterBindings+0xd9
f5c68d98 f70fca66 NDIS!ndisCheckProtocolBindings+0xd2
f5c68dac 80949b7c NDIS!ndisWorkerThread+0x74
f5c68ddc 8088e062 nt!PspSystemThreadStartup+0x2e
00000000 00000000 nt!KiThreadStartup+0x16
Arg1 0×400 one tells us this (from WinDbg help):
| 0×400 | The base address of the I/O space mapping | The number of pages to be freed | 0 | (Windows XP and later only) The caller is trying to free an I/O space mapping that the system is unaware of. |
PTE looks unknown indeed:
0: kd> !pte f7a9a413
VA f7a9a413
PDE at 00000000C0603DE8 PTE at 00000000C07BD4D0
contains 0000000000A87863 contains 0000000000000000
pfn a87 —DA–KWEV
We can see this protocol in the list:
0: kd> !ndiskd.protocols
Protocol 89df10a0: CustomProtocol
Open 89b4e6d8 - Miniport: 8a59d290 Broadcom BCM5708S NetXtreme II GigE (NDIS VBD Client)
Protocol 8918f248: NDISUIO
Protocol 89dd8008: TCPIP_WANARP
Open 8a4da6f0 - Miniport: 8a50a9e8 WAN Miniport (IP)
Protocol 89b4ec88: TCPIP
Protocol 8a4cd5a0: NDPROXY
Open 8a59b128 - Miniport: 8a58eab0 Direct Parallel
Open 8a59b328 - Miniport: 8a58eab0 Direct Parallel
Open 8a4f1580 - Miniport: 8a58a328 WAN Miniport (L2TP)
Open 8a507008 - Miniport: 8a58a328 WAN Miniport (L2TP)
Protocol 8a4e7008: RASPPPOE
Protocol 8a5cb490: NDISWAN
Open 8a59b988 - Miniport: 8a58eab0 Direct Parallel
Open 8a5976c0 - Miniport: 8a591628 WAN Miniport (PPTP)
Open 8a594468 - Miniport: 8a4e93f0 WAN Miniport (PPPOE)
Open 8a4d3580 - Miniport: 8a58a328 WAN Miniport (L2TP)
- Dmitry Vostokov @ DumpAnalysis.org -