Free Stack Traces
By analogy with the free verse and the anthropologist John Tedlock’s written narratives of Native American Zuni where different font size was used for different levels I tried today the similar technique with a raw stack data from the previous case study of registry corruption:
[...]
f690a3dc f7a21a06 BOOTVID!ReadWriteMode+0×42
f690a3e0 f7a219a7 BOOTVID!__outpw+0×17
f690a3ec f7a21a76 BOOTVID!SetPixel+0×6a
f690a404 f7a21c1b BOOTVID!DisplayCharacter+0×47
f690a420 b42e14db dump_iaStor+0×3a4db
f690a468 b4364080 dump_iaStor+0xbd080
f690a480 f6249983 ati2mtag+0×1b6983
f690a488 804f2ee6 nt!IopWritePageToDisk+0xe4
f690a4e0 804f2fb6 nt!IopWriteSummaryDump+0×7e
f690a4e4 b42e12d8 dump_iaStor+0×3a2d8
f690a50c 804f3c8d nt!IoWriteCrashDump+0×42d
f690a514 b42e12d8 dump_iaStor+0×3a2d8
f690a584 804f8fa7 nt!KiDumpParameterImages+0×5f
f690a594 f74764bb sptd+0×664bb
f690a598 f74764a0 sptd+0×664a0
f690a59c b42e162a dump_iaStor+0×3a62a
f690a5a8 f7a22394 BOOTVID!PreserveRow+0×7c
f690a5c0 b42e12d8 dump_iaStor+0×3a2d8
f690a5cc 804f9ecd nt!KeBugCheck2+0xa4d
f690a6e0 804f9f43 nt!KeBugCheckEx+0×1b
f690a950 80545d00 nt!KiSwapProcess+0×60
f690a9a0 80522d45 nt!MiDecrementReferenceCount+0×65
f690a9ac 805067ea nt!MiDeferredUnlockPages+0×1c8
f690a9c8 804f9f43 nt!KeBugCheckEx+0×1b
f690a9e8 80548c2d nt!MiFreePoolPages+0×8b
f690aa04 80564d20 nt!NonPagedPoolDescriptor
f690aa28 8054b49a nt!ExFreePoolWithTag+0×1ba
f690aa3c 8062bc17 nt!CmpPinCmView+0xab
f690aa5c 80637e13 nt!HvpDelistBinFreeCells+0xad
f690aa68 8063bf19 nt!CmpFree+0×17
f690aa78 8063eb20 nt!HvpRecoverData+0×3ec
f690aad4 8063ef05 nt!HvMapHive+0×133
f690ab10 80539ac0 nt!_except_handler3
f690ab14 804e0e38 nt!`string’+0×258
f690ab20 8063087e nt!HvInitializeHive+0×416
f690ab38 806383a9 nt!CmpInitializeHive+0×26d
f690ab54 8063bf02 nt!CmpFree
f690ab58 8063b918 nt!CmpFileSetSize
f690ab5c 8063c466 nt!CmpFileWrite
f690ab60 8063c33e nt!CmpFileRead
f690ab64 8063c1fc nt!CmpFileFlush
f690aba4 80625bf9 nt!CmpInitHiveFromFile+0xa3
f690abfc 8062ad8b nt!CmpCmdHiveOpen+0×21
f690ac24 80631f24 nt!CmLoadKey+0×90
f690ac98 80622053 nt!CmConvertHandleToKernelHandle+0×55
f690acb0 806257b4 nt!NtLoadKey2+0×1fc
f690acc8 806259ac nt!NtLoadKey
f690acd8 805bc33f nt!ObpCloseHandleTableEntry+0×14d
f690ad24 805bc401 nt!ObpCloseHandle+0xab
f690ad34 80539ac0 nt!_except_handler3
f690ad38 804e0bd0 nt!`string’+0×364
f690ad44 806259be nt!NtLoadKey+0×12
f690ad58 8054162c nt!KiFastCallEntry+0xfc
f690ade0 805460ee nt!KiThreadStartup+0×16
f690ade4 80626dee nt!CmpLoadHiveThread
f690aec0 bf875fb4 win32k!WatchdogDrvStretchBlt+0×92
f690aee4 bf988527 win32k!_except_handler3
f690aee8 bf995f40 win32k!`string’+0×124
f690aef0 bf875fb4 win32k!WatchdogDrvStretchBlt+0×92
f690aef4 bf873ec2 win32k!EngStretchBltROP+0×3a9
where the larger font size indicates the stack trace from kv command and the smaller font size indicates symbolic information found between call frames that may or may not correspond to partial stack traces left from intermediate nested function calls of the current call sequence or past stack traces and their frames.
- Dmitry Vostokov @ DumpAnalysis.org -