Comments on: Crash Dump Analysis Patterns (Part 8b) https://www.dumpanalysis.org/blog/index.php/2012/08/30/crash-dump-analysis-patterns-part-8b/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Sat, 06 Jun 2026 23:07:22 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2012/08/30/crash-dump-analysis-patterns-part-8b/#comment-741711 Dmitry Vostokov Fri, 09 Sep 2016 13:19:47 +0000 https://www.dumpanalysis.org/blog/index.php/2012/08/30/crash-dump-analysis-patterns-part-8b/#comment-741711 Another example: 0: kd> k # ChildEBP RetAddr 00 8078aefc 8281db8c hal!READ_PORT_USHORT+0x8 01 8078af0c 8281dcf5 hal!HalpCheckPowerButton+0x2e 02 8078af10 8292cdde hal!HaliHaltSystem+0x7 03 8078af5c 8292dc79 nt!KiBugCheckDebugBreak+0x73 04 8078b320 8292cc24 nt!KeBugCheck2+0xa7f 05 8078b340 82a5a49b nt!KeBugCheckEx+0x1e 06 8078bc90 828fe9c9 nt!PspSystemThreadStartup+0xde 07 00000000 00000000 nt!KiThreadStartup+0x19 <p align="left">0: kd> !thread THREAD 863475f8 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0 Not impersonating DeviceMap 8d6080c0 Owning Process 863478d0 Image: System Attached Process N/A Image: N/A Wait Start TickCount 2624 Ticks: 7 (0:00:00:00.109) Context Switch Count 1025 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:03.962 Win32 Start Address nt!Phase1Initialization (0x829dd53b) Stack Init 8078bed0 Current 8078b890 Base 8078c000 Limit 80789000 Call 0 Priority 31 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 ChildEBP RetAddr Args to Child 8078aefc 8281db8c 00001000 00000000 8078af5c hal!READ_PORT_USHORT+0x8 (FPO: [1,0,0]) 8078af0c 8281dcf5 8292cdde 2b2952aa 807c960c hal!HalpCheckPowerButton+0x2e (FPO: [Non-Fpo]) 8078af10 8292cdde 2b2952aa 807c960c 00000000 hal!HaliHaltSystem+0x7 (FPO: [0,0,0]) 8078af5c 8292dc79 00000004 00000000 00000000 nt!KiBugCheckDebugBreak+0x73 8078b320 8292cc24 0000007e c0000005 8cc14540 nt!KeBugCheck2+0xa7f 8078b340 82a5a49b 0000007e c0000005 8cc14540 nt!KeBugCheckEx+0x1e 8078bc90 828fe9c9 829dd53b 80806cb0 00000000 nt!PspSystemThreadStartup+0xde 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19</p> 0: kd> dps 80789000 8078c000 80789000 00000000 80789004 00000000 80789008 00000000 8078900c 00000000 ... 8078b46c 00000000 8078b470 8078b880 8078b474 82902277 nt!KiDispatchException+0x17c 8078b478 8078b89c 8078b47c 8078b480 8078b480 00010017 8078b484 00000000 8078b488 00000000 8078b48c 00000000 8078b490 00000000 ... <p align="left">0: kd> .cxr 8078b480 eax=00000000 ebx=87428554 ecx=8078b998 edx=00000000 esi=871121d0 edi=0000008c eip=8cc11340 esp=8078b964 ebp=8078ba28 iopl=0 nv up ei ng nz ac po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210292 Driver+0x1340: 8cc11340 ff5000 call dword ptr [eax] ds:0023:00000000=????????</p> Another example:

0: kd> k
# ChildEBP RetAddr
00 8078aefc 8281db8c hal!READ_PORT_USHORT+0×8
01 8078af0c 8281dcf5 hal!HalpCheckPowerButton+0×2e
02 8078af10 8292cdde hal!HaliHaltSystem+0×7
03 8078af5c 8292dc79 nt!KiBugCheckDebugBreak+0×73
04 8078b320 8292cc24 nt!KeBugCheck2+0xa7f
05 8078b340 82a5a49b nt!KeBugCheckEx+0×1e
06 8078bc90 828fe9c9 nt!PspSystemThreadStartup+0xde
07 00000000 00000000 nt!KiThreadStartup+0×19

0: kd> !thread
THREAD 863475f8 Cid 0004.0008 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
DeviceMap 8d6080c0
Owning Process 863478d0 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 2624 Ticks: 7 (0:00:00:00.109)
Context Switch Count 1025 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:03.962
Win32 Start Address nt!Phase1Initialization (0×829dd53b)
Stack Init 8078bed0 Current 8078b890 Base 8078c000 Limit 80789000 Call 0
Priority 31 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr Args to Child
8078aefc 8281db8c 00001000 00000000 8078af5c hal!READ_PORT_USHORT+0×8 (FPO: [1,0,0])
8078af0c 8281dcf5 8292cdde 2b2952aa 807c960c hal!HalpCheckPowerButton+0×2e (FPO: [Non-Fpo])
8078af10 8292cdde 2b2952aa 807c960c 00000000 hal!HaliHaltSystem+0×7 (FPO: [0,0,0])
8078af5c 8292dc79 00000004 00000000 00000000 nt!KiBugCheckDebugBreak+0×73
8078b320 8292cc24 0000007e c0000005 8cc14540 nt!KeBugCheck2+0xa7f
8078b340 82a5a49b 0000007e c0000005 8cc14540 nt!KeBugCheckEx+0×1e
8078bc90 828fe9c9 829dd53b 80806cb0 00000000 nt!PspSystemThreadStartup+0xde
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0×19

0: kd> dps 80789000 8078c000
80789000 00000000
80789004 00000000
80789008 00000000
8078900c 00000000

8078b46c 00000000
8078b470 8078b880
8078b474 82902277 nt!KiDispatchException+0×17c
8078b478 8078b89c
8078b47c 8078b480
8078b480 00010017
8078b484 00000000
8078b488 00000000
8078b48c 00000000
8078b490 00000000

0: kd> .cxr 8078b480
eax=00000000 ebx=87428554 ecx=8078b998 edx=00000000 esi=871121d0 edi=0000008c
eip=8cc11340 esp=8078b964 ebp=8078ba28 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210292
Driver+0×1340:
8cc11340 ff5000 call dword ptr [eax] ds:0023:00000000=????????

]]>