Crash Dump Analysis Patterns (Part 69c)

This is a variant of the Self-Diagnosis (kernel mode) pattern for the system configuration database (registry). Sometimes it is possible to see which part of it (a hive) caused the problem: the bugcheck arguments may carry a hive pointer, which can be matched against the loaded hive list and then dumped to reveal the backing file. Here is an example involving possibly corrupt user profiles:

REGISTRY_ERROR (51)
Something has gone badly wrong with the registry.  If a kernel debugger is available, get a stack trace. It can also indicate that the registry got an I/O error while trying to read one of its files, so it can be caused by hardware problems or filesystem corruption. It may occur due to a failure in a refresh operation, which is used only in by the security system, and then only when resource limits are encountered.
Arguments:
Arg1: 00000003, (reserved)
Arg2: 00000004, (reserved)
Arg3: e82372f8, depends on where Windows bugchecked, may be pointer to hive
Arg4: 00000000, depends on where Windows bugchecked, may be return code of HvCheckHive if the hive is corrupt.

0: kd> !reg hivelist

-------------------------------------------------------------------------------------------------------------
| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName
-------------------------------------------------------------------------------------------------------------
| e1008a68 |      13000  | e1008ac8 |       1000    |  e1008c04  |        0  |        0  |     0| e1015000  | <NONAME>
| e101a4e0 |     901000  | e1023000 |      40000    |  e101a67c  |      202  |        0  |     0| e101e000  | SYSTEM
| e1938188 |       d000  | e19381e8 |       4000    |  e1938324  |        0  |        0  |     0| e193a000  | <NONAME>
| e1968290 |       8000  | e19682f0 |          0    |  00000000  |        3  |        0  |     0| e1d39000  | \SystemRoot\System32\Config\SAM
| e1cab270 |      3d000  | e1cab2d0 |       1000    |  e1cab40c  |       16  |        0  |     0| e1d32000  | emRoot\System32\Config\SECURITY
| e1c9f448 |    3f70000  | e1e37000 |       1000    |  e1c9f5e4  |      256  |        0  |     0| e1d71000  | temRoot\System32\Config\DEFAULT
| e1d75a80 |    7d5d000  | e1ee3000 |      23000    |  e1d75c1c  |      254  |       12  |     0| e1d37000  | emRoot\System32\Config\SOFTWARE
| e1ba30d0 |      37000  | e1ba3130 |       1000    |  e1ba326c  |       17  |        0  |     0| e1b9e000  | tings\NetworkService\ntuser.dat
| e1ba8060 |       1000  | e1ba80c0 |          0    |  00000000  |        1  |        0  |     0| e1b8e000  | \Microsoft\Windows\UsrClass.dat
| e1afc068 |      3b000  | e1afc0c8 |       1000    |  e1afc204  |       17  |        0  |     0| e1b3d000  | ettings\LocalService\ntuser.dat
| e1d6e2a0 |       1000  | e1d6e300 |          0    |  00000000  |        1  |        0  |     0| e1b39000  | \Microsoft\Windows\UsrClass.dat
[...]
| e82372f8 |     106000  | e8237358 |          0    |  00000000  |       55  |        4  |     0| e514c000  | ings\User123\NTUSER.DAT
[...]
-------------------------------------------------------------------------------------------------------------

0: kd> dt _CMHIVE e82372f8
nt!_CMHIVE
   +0x000 Hive             : _HHIVE
   +0x2d0 FileHandles      : [3] 0x80002234 Void
   +0x2dc NotifyList       : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x2e4 HiveList         : _LIST_ENTRY [ 0xe7a38d64 - 0xe4d9fc9c ]
   +0x2ec HiveLock         : _EX_PUSH_LOCK
   +0x2f0 ViewLock         : 0x877b0120 _KGUARDED_MUTEX
   +0x2f4 WriterLock       : _EX_PUSH_LOCK
   +0x2f8 FlusherLock      : _EX_PUSH_LOCK
   +0x2fc SecurityLock     : _EX_PUSH_LOCK
   +0x300 LRUViewListHead  : _LIST_ENTRY [ 0xe6160170 - 0xe3d71978 ]
   +0x308 PinViewListHead  : _LIST_ENTRY [ 0xe2714fe0 - 0xe108d9e0 ]
   +0x310 FileObject       : 0x89ecf310 _FILE_OBJECT
   +0x314 FileFullPath     : _UNICODE_STRING "\Device\HarddiskVolumeX\Documents and Settings\User123\NTUSER.DAT"
   +0x31c FileUserName     : _UNICODE_STRING "\??\E:\Documents and Settings\User123\NTUSER.DAT"
   +0x324 MappedViews      : 0x37
   +0x326 PinnedViews      : 4
   +0x328 UseCount         : 0
   +0x32c SecurityCount    : 9
   +0x330 SecurityCacheSize : 9
   +0x334 SecurityHitHint  : 0n0
   +0x338 SecurityCache    : 0xe74d5008 _CM_KEY_SECURITY_CACHE_ENTRY
   +0x33c SecurityHash     : [64] _LIST_ENTRY [ 0xe3f80228 - 0xe5901ef0 ]
   +0x53c UnloadEvent      : (null)
   +0x540 RootKcb          : (null)
   +0x544 Frozen           : 0 ''
   +0x548 UnloadWorkItem   : (null)
   +0x54c GrowOnlyMode     : 0 ''
   +0x550 GrowOffset       : 0
   +0x554 KcbConvertListHead : _LIST_ENTRY [ 0xe823784c - 0xe823784c ]
   +0x55c KnodeConvertListHead : _LIST_ENTRY [ 0xe8237854 - 0xe8237854 ]
   +0x564 CellRemapArray   : (null)
   +0x568 Flags            : 1
   +0x56c TrustClassEntry  : _LIST_ENTRY [ 0xe8237864 - 0xe8237864 ]
   +0x574 FlushCount       : 0
   +0x578 CreatorOwner     : (null)
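The manual steps above (take Arg3 from the bugcheck, find its row in `!reg hivelist`, then dump `_CMHIVE` to read the untruncated file path) can be automated over saved debugger output when the same pattern recurs across many dumps. The script below is an added example and is not part of the original post or of any WinDbg extension; it works on constructed excerpts of the two listings shown on this page. One detail worth checking in real output: `!reg hivelist` prints addresses and lengths in hex, but its MappedViews/PinnedViews columns are decimal (the dt output shows `0x37` where the table shows `55`), so the parser treats the two groups differently.

```python
"""Resolve a REGISTRY_ERROR (0x51) Arg3 hive pointer against `!reg hivelist`
and `dt _CMHIVE` output saved from a kernel debugger session."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an excerpt of `!reg hivelist` output in the page's layout.
HIVELIST_SAMPLE = r"""
-------------------------------------------------------------------------------------------------------------
| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName
-------------------------------------------------------------------------------------------------------------
| e1008a68 |      13000  | e1008ac8 |       1000    |  e1008c04  |        0  |        0  |     0| e1015000  | <NONAME>
| e101a4e0 |     901000  | e1023000 |      40000    |  e101a67c  |      202  |        0  |     0| e101e000  | SYSTEM
| e1968290 |       8000  | e19682f0 |          0    |  00000000  |        3  |        0  |     0| e1d39000  | \SystemRoot\System32\Config\SAM
| e1cab270 |      3d000  | e1cab2d0 |       1000    |  e1cab40c  |       16  |        0  |     0| e1d32000  | emRoot\System32\Config\SECURITY
[...]
| e82372f8 |     106000  | e8237358 |          0    |  00000000  |       55  |        4  |     0| e514c000  | ings\User123\NTUSER.DAT
"""

# Constructed sample: the relevant lines of `dt _CMHIVE <addr>` output.
CMHIVE_SAMPLE = r"""
nt!_CMHIVE
   +0x000 Hive             : _HHIVE
   +0x314 FileFullPath     : _UNICODE_STRING "\Device\HarddiskVolumeX\Documents and Settings\User123\NTUSER.DAT"
   +0x31c FileUserName     : _UNICODE_STRING "\??\E:\Documents and Settings\User123\NTUSER.DAT"
   +0x324 MappedViews      : 0x37
   +0x326 PinnedViews      : 4
"""


@dataclass
class HiveRow:
    hive_addr: int
    stable_length: int
    volatile_length: int
    mapped_views: int
    pinned_views: int
    base_block: int
    file_name: str

    @property
    def name_truncated(self) -> bool:
        # The FileName column is cut from the left for long paths: a fragment
        # that contains a separator but has no leading '\' is a truncated path.
        return "\\" in self.file_name and not self.file_name.startswith("\\")


def parse_hivelist(text: str) -> List[HiveRow]:
    """Parse the pipe-delimited rows of `!reg hivelist`; dashes, elisions
    ([...]) and the header row are skipped."""
    rows: List[HiveRow] = []
    for line in text.splitlines():
        if not line.startswith("|") or "HiveAddr" in line:
            continue
        cells = [c.strip() for c in line.split("|")[1:]]
        if len(cells) < 10:
            continue  # malformed or wrapped row; ignore rather than guess
        rows.append(HiveRow(
            hive_addr=int(cells[0], 16),       # hex
            stable_length=int(cells[1], 16),   # hex, multiple of the 0x1000 bin size
            volatile_length=int(cells[3], 16), # hex
            mapped_views=int(cells[5]),        # decimal (0x37 in dt == 55 here)
            pinned_views=int(cells[6]),        # decimal
            base_block=int(cells[8], 16),      # hex
            file_name=cells[9],
        ))
    return rows


def resolve_hive(arg3: int, rows: List[HiveRow]) -> Optional[HiveRow]:
    """Arg3 is only *possibly* a hive pointer (it depends on where the bugcheck
    fired), so a miss is a valid answer and must not be forced to a match."""
    return next((r for r in rows if r.hive_addr == arg3), None)


_UNICODE_FIELD = re.compile(
    r'^\s*\+0x[0-9a-fA-F]+\s+(FileFullPath|FileUserName)\s*:\s*_UNICODE_STRING\s+"([^"]*)"',
    re.MULTILINE,
)


def parse_cmhive_paths(dt_output: str) -> Dict[str, str]:
    """Pull the two _UNICODE_STRING path fields out of `dt _CMHIVE` output."""
    return {m.group(1): m.group(2) for m in _UNICODE_FIELD.finditer(dt_output)}


def diagnose(arg3: int, hivelist_text: str, dt_text: Optional[str] = None) -> dict:
    """Combine both listings into one record: which hive Arg3 names, whether
    the table's file name is truncated, and the full path from dt if given."""
    row = resolve_hive(arg3, parse_hivelist(hivelist_text))
    if row is None:
        return {"matched": False}
    report = {
        "matched": True,
        "file_name": row.file_name,
        "truncated": row.name_truncated,
        "pinned_views": row.pinned_views,
        "full_path": None,
    }
    if dt_text:
        report["full_path"] = parse_cmhive_paths(dt_text).get("FileFullPath")
    return report


if __name__ == "__main__":
    print(diagnose(0xE82372F8, HIVELIST_SAMPLE, CMHIVE_SAMPLE))
```

With the page's values, `diagnose(0xE82372F8, ...)` maps Arg3 to the truncated row `ings\User123\NTUSER.DAT` and recovers the full `\Device\HarddiskVolumeX\...\User123\NTUSER.DAT` path from the dt output, which is exactly the per-user hive the post points at.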

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
