Crash Dump Analysis Patterns (Part 74)

Sometimes a dump file looks normal inside: no exception, and no suspicious past activity that we can see. However, as often happens, the dump was saved manually in response to some failure. Here the Last Error Collection pattern might help in finding further troubleshooting suggestions: every thread's TEB holds the last Win32 error (LastErrorValue) and the last NTSTATUS (LastStatusValue) recorded for that thread. Note that these values are only overwritten, never reset, so a non-zero value records the last failing call on that thread, which is not necessarily related to the reason the dump was taken. If we have a process memory dump we can get all errors and NTSTATUS values at once using the !gle command with the -all parameter:

0:000> !gle -all
Last error for thread 0:
LastErrorValue: (Win32) 0x3e5 (997) - Overlapped I/O operation is in progress.
LastStatusValue: (NTSTATUS) 0x103 - The operation that was requested is pending completion.

Last error for thread 1:
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

Last error for thread 2:
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

Last error for thread 3:
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

[...]

Last error for thread 28:
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

Last error for thread 29:
LastErrorValue: (Win32) 0x6ba (1722) - The RPC server is unavailable.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

Last error for thread 2a:
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

Last error for thread 2b:
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

[...]

For complete memory dumps we can iterate over all threads with !for_each_thread, switching the implicit thread and process to each one (.thread /r /p) and skipping threads that have no TEB, such as system threads, with the following command or similar to it:

!for_each_thread ".thread /r /p @#Thread; .if (@$teb != 0) { !teb; !gle; }"

0: kd> !for_each_thread ".thread /r /p @#Thread; .if (@$teb != 0) { !teb; !gle; }"

[...]

Implicit thread is now 8941eb40
Implicit process is now 8a4ac498
Loading User Symbols
TEB at 7ff3e000
    ExceptionList:        0280ffa8
    StackBase:            02810000
    StackLimit:           0280b000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ff3e000
    EnvironmentPointer:   00000000
    ClientId:             00001034 . 000012b0
    RpcHandle:            00000000
    Tls Storage:          00000000
    PEB Address:          7ffde000
    LastErrorValue:       0
    LastStatusValue:      c00000a3
    Count Owned Locks:    0
    HardErrorMode:        0
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc00000a3 - {Drive Not Ready}  The drive is not ready for use; its door may be open.  Please check drive %hs and make sure that a disk is inserted and that the drive door is closed.

[...]
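With dozens or hundreds of threads, reading the collection by eye is error-prone. The following script is an added example, not code from the original post: it parses the text printed by !gle -all in a process dump, or by the !for_each_thread loop above in a complete memory dump, and reports only the threads whose last Win32 error or NTSTATUS is a real failure. The sample output it parses is constructed to mirror the formats shown above; the BENIGN_WIN32 list (ERROR_IO_PENDING, 997) is an assumption about what counts as noise and is meant to be tuned per case.

```python
"""Triage a WinDbg Last Error Collection.

Added example (not code from the original post): parses the text printed
by "!gle -all" in a process dump, or by the "!for_each_thread ... !teb; !gle"
loop in a complete memory dump, and reports only threads whose last Win32
error or NTSTATUS is not a success code.  Sample output below is
constructed to mirror the formats shown in the post.
"""
import re
from collections import Counter

# "Last error for thread 29:"  (debugger thread index from !gle -all, hex)
GLE_ALL_HEADER = re.compile(r"^Last error for thread ([0-9a-fA-F]+):")
# "ClientId: 00001034 . 000012b0"  (!teb: process id . thread id)
TEB_CLIENTID = re.compile(r"^\s*ClientId:\s+([0-9a-fA-F]+)\s*\.\s*([0-9a-fA-F]+)")
# "LastErrorValue: (Win32) 0x6ba (1722) - The RPC server is unavailable."
GLE_WIN32 = re.compile(r"^\s*LastErrorValue:\s+\(Win32\)\s+\S+\s+\((\d+)\)\s+-\s+(.*)$")
# "LastStatusValue: (NTSTATUS) 0xc00000a3 - {Drive Not Ready} ..."
GLE_STATUS = re.compile(r"^\s*LastStatusValue:\s+\(NTSTATUS\)\s+(0x[0-9a-fA-F]+|0)\s+-\s+(.*)$")

# Assumption: ERROR_IO_PENDING (997) / STATUS_PENDING (0x103) is normal for a
# thread with an outstanding overlapped I/O and is not a failure by itself.
BENIGN_WIN32 = frozenset({997})


def ntstatus_severity(status):
    """Top two bits of an NTSTATUS: 0 success, 1 informational, 2 warning, 3 error."""
    return (status >> 30) & 3


def parse_last_errors(text):
    """Return one dict per thread, in the order the debugger printed them."""
    records, current = [], None
    for line in text.splitlines():
        m = GLE_ALL_HEADER.match(line)
        if m:
            current = {"thread": m.group(1), "win32": 0, "ntstatus": 0}
            records.append(current)
            continue
        m = TEB_CLIENTID.match(line)
        if m:  # kernel loop: the thread is identified by its !teb ClientId
            pid, tid = (int(x, 16) for x in m.groups())
            current = {"thread": f"{pid:x}.{tid:x}", "win32": 0, "ntstatus": 0}
            records.append(current)
            continue
        if current is None:
            continue
        m = GLE_WIN32.match(line)
        if m:  # the !teb "LastErrorValue: 0" line has no "(Win32)" and is skipped
            current["win32"] = int(m.group(1))
            current["win32_text"] = m.group(2)
            continue
        m = GLE_STATUS.match(line)
        if m:
            current["ntstatus"] = int(m.group(1), 16)
            current["ntstatus_text"] = m.group(2)
    return records


def flag_failures(records, ignore_win32=BENIGN_WIN32):
    """Threads whose last error is a real failure: a non-zero Win32 error not
    on the ignore list, or an NTSTATUS with warning or error severity."""
    return [r for r in records
            if (r["win32"] and r["win32"] not in ignore_win32)
            or ntstatus_severity(r["ntstatus"]) >= 2]


def summarise(records):
    """Count (win32, ntstatus) pairs among flagged threads: many threads
    stopped on the same code point at one shared failure."""
    return Counter((r["win32"], r["ntstatus"]) for r in flag_failures(records))


# Constructed sample in the "!gle -all" format (process dump).
SAMPLE_GLE_ALL = """\
Last error for thread 0:
LastErrorValue: (Win32) 0x3e5 (997) - Overlapped I/O operation is in progress.
LastStatusValue: (NTSTATUS) 0x103 - The operation that was requested is pending completion.

Last error for thread 1:
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

Last error for thread 29:
LastErrorValue: (Win32) 0x6ba (1722) - The RPC server is unavailable.
LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0
"""

# Constructed sample in the "!for_each_thread ... !teb; !gle" format (complete dump).
SAMPLE_KD_LOOP = """\
Implicit thread is now 8941eb40
Implicit process is now 8a4ac498
TEB at 7ff3e000
    ClientId:             00001034 . 000012b0
    LastErrorValue:       0
    LastStatusValue:      c00000a3
LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
LastStatusValue: (NTSTATUS) 0xc00000a3 - {Drive Not Ready}  The drive is not ready for use.
"""

if __name__ == "__main__":
    for name, text in (("!gle -all", SAMPLE_GLE_ALL), ("kd loop", SAMPLE_KD_LOOP)):
        recs = parse_last_errors(text)
        for r in flag_failures(recs):
            print(f"{name}: thread {r['thread']}: win32={r['win32']} "
                  f"ntstatus=0x{r['ntstatus']:x} {r.get('ntstatus_text', '')}")
```

Run it on a saved log of the debugger session (the script only needs the text, not the dump). Threads whose Win32 error is on the ignore list are dropped even though the value is non-zero, so pass ignore_win32=frozenset() to see every thread that recorded anything at all.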

 - Dmitry Vostokov @ DumpAnalysis.org -

2 Responses to “Crash Dump Analysis Patterns (Part 74)”

  1. Crash Dump Analysis » Blog Archive » Heap and early crash dump: pattern cooperation Says:

    […] one of last error values was access violation (Last Error Collection […]

  2. Dmitry Vostokov Says:

    In the case of Virtualized Processes !gle may show Win32 last error and status values incorrectly:

    0:000:x86> !gle
    LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
    LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0
    Wow64 TEB status:
    LastErrorValue: (Win32) 0 (0) - The operation completed successfully.
    LastStatusValue: (NTSTATUS) 0 - STATUS_WAIT_0

    0:000:x86> !teb
    Wow64 TEB32 at 00000000fffde000
    ExceptionList: 00000000002fb108
    StackBase: 0000000000390000
    StackLimit: 0000000000255000
    SubSystemTib: 0000000000000000
    FiberData: 0000000000001e00
    ArbitraryUserPointer: 0000000000000000
    Self: 00000000fffde000
    EnvironmentPointer: 0000000000000000
    ClientId: 00000000000016d8 . 00000000000011e0
    RpcHandle: 0000000000000000
    Tls Storage: 0000000000e12978
    PEB Address: 00000000fffdf000
    LastErrorValue: 38
    LastStatusValue: c0000011
    Count Owned Locks: 0
    HardErrorMode: 0

    Wow64 TEB at 00000000fffdc000
    ExceptionList: 00000000fffde000
    StackBase: 000000000008fd30
    StackLimit: 0000000000083000
    SubSystemTib: 0000000000000000
    FiberData: 0000000000001e00
    ArbitraryUserPointer: 0000000000000000
    Self: 00000000fffdc000
    EnvironmentPointer: 0000000000000000
    ClientId: 00000000000016d8 . 00000000000011e0
    RpcHandle: 0000000000000000
    Tls Storage: 0000000000000000
    PEB Address: 00000000fffd6000
    LastErrorValue: 0
    LastStatusValue: 0
    Count Owned Locks: 0
    HardErrorMode: 0
