
Crash Dump Analysis Patterns (Part 26b)

Sunday, November 16th, 2025

On Windows 11 ARM64, x64 and x86 programs run on top of ARM64EC system binaries and Compiled Hybrid Portable Executable (CHPE) binaries respectively. When we capture memory dumps of such processes and examine the corresponding Stack Trace Collection, we see ARM64EC and CHPE frames interleaved with the emulated AMD64 or x86 frames. This is similar to our earlier Virtualized Process (WOW64) analysis pattern, except that WinDbg shows frames of different architectures in the same stack trace; selecting a frame with .frame /c switches the register view (x0-x28 for ARM64EC/CHPE frames, rax-r15 or eax-edi for the emulated frames) and the prompt (0:000:ARM64EC>, 0:000:CHPE>). Below are two examples of the NULL Pointer (Data) analysis pattern. In both, the faulting instruction is a write of zero through a pointer register holding 4 (mov dword ptr [rax],0 with rax=4; mov dword ptr [eax],0 with eax=4), i.e. a NULL structure pointer plus a small field offset. In the x86 full dump the frame 0 IP is outside any loaded module, so the faulting context is recovered from the KiUserExceptionDispatcher frame: the stack at 02aff354 holds what appear to be its two arguments, a pointer to the EXCEPTION_RECORD at 02aff36c (code c0000005, exception address pointers_c!main+0x3da, two parameters: 1 = write access, 4 = faulting address) and a pointer to the CONTEXT at 02aff3bc, which .cxr 02aff3bc then applies to get the real stack trace.

* x64 process minidump

0:000> ~*kL

. 0 Id: 8030.677c Suspend: 0 Teb: 000000e0`5d015000 Unfrozen
# Arch Child-SP RetAddr Call Site
00 ARM64EC 000000e0`5d2fdf30 00007ff8`02901d6c ntdll!#NtWaitForMultipleObjects+0x14
01 ARM64EC 000000e0`5d2fdf40 00007ff8`046735e0 KERNELBASE!#WaitForMultipleObjectsEx+0xfc
02 ARM64EC 000000e0`5d2fe220 00007ff8`046730e0 kernel32!#WerpReportFaultInternal+0x4c0
03 ARM64EC 000000e0`5d2fe390 00007ff8`0463d3e4 kernel32!#WerpReportFault+0xe0
04 ARM64EC 000000e0`5d2fe3f0 00007ff8`02a047e8 kernel32!#BasepReportFault+0x24
05 ARM64EC 000000e0`5d2fe410 00007ff8`0754f7c4 KERNELBASE!#UnhandledExceptionFilter+0x308
06 ARM64EC 000000e0`5d2fe500 00007ff8`07547148 ntdll!RtlUserThreadStart$filt$0+0x64
07 ARM64EC 000000e0`5d2fe510 00007ff8`0749a304 ntdll!#__C_ExecuteExceptionFilter+0x38
08 ARM64EC 000000e0`5d2fe570 00007ff8`07547068 ntdll!#__C_specific_handler+0xf4
09 ARM64EC 000000e0`5d2fe5f0 00007ff8`07440820 ntdll!#RtlpExecuteHandlerForException+0x28
0a ARM64EC 000000e0`5d2fe610 00007ff8`07546e50 ntdll!#RtlDispatchException+0x298
0b ARM64EC 000000e0`5d2fed90 00007ff7`128d1ccc ntdll!KiUserExceptionDispatcher_DetourReturn+0x10
0c AMD64 000000e0`5d2ff8e0 00007ff7`128d2ac9 pointers_c!main+0x41c
0d AMD64 000000e0`5d2ffdb0 00007ff7`128d2972 pointers_c!invoke_main+0x39
0e AMD64 000000e0`5d2ffe00 00007ff7`128d282e pointers_c!__scrt_common_main_seh+0x132
0f AMD64 000000e0`5d2ffe70 00007ff7`128d2b5e pointers_c!__scrt_common_main+0xe
10 AMD64 000000e0`5d2ffea0 00007ff8`046917ac pointers_c!mainCRTStartup+0xe
11 ARM64EC 000000e0`5d2ffed0 00007ff8`046115e8 kernel32!$iexit_thunk$cdecl$i8$i8+0x1c
12 ARM64EC 000000e0`5d2fff00 00007ff8`0748c120 kernel32!#BaseThreadInitThunk+0x48
13 ARM64EC 000000e0`5d2fff10 00000000`00000000 ntdll!#RtlUserThreadStart+0x70

1 Id: 8030.7a64 Suspend: 0 Teb: 000000e0`5d017000 Unfrozen
# Arch Child-SP RetAddr Call Site
00 ARM64EC 000000e0`5d3ff820 00007ff8`07470084 ntdll!#NtWaitForWorkViaWorkerFactory+0x14
01 ARM64EC 000000e0`5d3ff830 00007ff8`046115e8 ntdll!#TppWorkerThread+0x5a4
02 ARM64EC 000000e0`5d3ffaf0 00007ff8`0748c120 kernel32!#BaseThreadInitThunk+0x48
03 ARM64EC 000000e0`5d3ffb00 00000000`00000000 ntdll!#RtlUserThreadStart+0x70

2 Id: 8030.119c Suspend: 0 Teb: 000000e0`5d019000 Unfrozen
# Arch Child-SP RetAddr Call Site
00 ARM64EC 000000e0`5d4ff980 00007ff8`07470084 ntdll!#NtWaitForWorkViaWorkerFactory+0x14
01 ARM64EC 000000e0`5d4ff990 00007ff8`046115e8 ntdll!#TppWorkerThread+0x5a4
02 ARM64EC 000000e0`5d4ffc50 00007ff8`0748c120 kernel32!#BaseThreadInitThunk+0x48
03 ARM64EC 000000e0`5d4ffc60 00000000`00000000 ntdll!#RtlUserThreadStart+0x70

3 Id: 8030.70f0 Suspend: 0 Teb: 000000e0`5d01b000 Unfrozen
# Arch Child-SP RetAddr Call Site
00 ARM64EC 000000e0`5d5ff810 00007ff8`07470084 ntdll!#NtWaitForWorkViaWorkerFactory+0x14
01 ARM64EC 000000e0`5d5ff820 00007ff8`046115e8 ntdll!#TppWorkerThread+0x5a4
02 ARM64EC 000000e0`5d5ffae0 00007ff8`0748c120 kernel32!#BaseThreadInitThunk+0x48
03 ARM64EC 000000e0`5d5ffaf0 00000000`00000000 ntdll!#RtlUserThreadStart+0x70

4 Id: 8030.4720 Suspend: 0 Teb: 000000e0`5d01d000 Unfrozen
# Arch Child-SP RetAddr Call Site
00 ARM64EC 000000e0`5d6ff740 00007ff8`0487ec00 ntdll!#NtWaitForSingleObject+0x14
01 ARM64EC 000000e0`5d6ff750 00007ff8`0487e2b0 xtajit64!BeginSimulation+0x12eb0
02 ARM64EC 000000e0`5d6ff7a0 00007ff8`0748c0f0 xtajit64!BeginSimulation+0x12560
03 ARM64EC 000000e0`5d6ff7d0 00000000`00000000 ntdll!#RtlUserThreadStart+0x40

0:000> .frame /c 4
04 000000e0`5d2fe3f0 00007ff8`02a047e8 kernel32!#BasepReportFault+0x24
x0=0000000000000003 x1=000000e05d2fe2e0 x2=0000000000000001 x3=0000000000000000
x4=0000000000000000 x5=0000000000000000 x6=0000000000000000 x7=0000000000000000
x8=000000000000012c x9=0000000000000000 x10=0000000000000000 x11=0000000000000000
x12=0000000000000000 x13=0000000000000000 x14=0000000000000000 x15=0000000000000000
x16=0000bbd3fe198401 x17=0000bbd3fe198401 x18=0000000000000000 x19=000000e05d2fe5a0
x20=0000000000000000 x21=000000e05d2fe5a0 x22=00007ff8045a0000 x23=0000000000000000
x24=0000000000000000 x25=0000000000000000 x26=000000e05d2fe410 x27=0000000000000001
x28=0000000000000000 fp=000000e05d2fe3f0 lr=00007ff80463d3e4 sp=000000e05d2fe3f0
pc=00007ff80463d3e4 psr=60000000 -ZC- EL0
kernel32!#BasepReportFault+0x24:
00007ff8`0463d3e4 14000002 b kernel32!#BasepReportFault+0x2c (00007ff8`0463d3ec)

0:000:ARM64EC> .frame /c c
0c 000000e0`5d2ff8e0 00007ff7`128d2ac9 pointers_c!main+0x41c [C:\ACPPWD\pointers_c\pointers_c.c @ 133]
rax=0000000000000004 rbx=0000000000000000 rcx=9ff2ebf5ac870000
rdx=00007ff7128dabc0 rsi=0000000000000000 rdi=000000e05d2ffc18
rip=00007ff7128d1ccc rsp=000000e05d2ff8e0 rbp=000000e05d2ff930
r8=00000000fffffffe r9=0000000000000000 r10=0000000000000001
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=3 nv up ei pl zr na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00003240
pointers_c!main+0x41c:
00007ff7`128d1ccc c70000000000 mov dword ptr [rax],0 ds:00000000`00000004=????????

0:000> .cxr
Resetting default scope

0:000:ARM64EC>

* x86 process full dump

0:000> ~*kL

. 0 Id: 1a68.8a54 Suspend: 0 Teb: 0295d000 Unfrozen
# Arch ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 x86 02afe454 779dd5dc 0x2730002
01 x86 02afe458 75eb2f10 ntdll!NtWaitForMultipleObjects+0xc
02 CHPE 02afe460 75eb2f10 KERNELBASE!$push_thunk$stdcall$u$uuuuu+0x60
03 CHPE 02afe4e0 75d30840 KERNELBASE!#WaitForMultipleObjectsEx+0x194
04 CHPE 02afe680 7712bc70 KERNELBASE!#WaitForMultipleObjects+0x20
05 CHPE 02afe690 7712b690 kernel32!#WerpReportFaultInternal+0x598
06 CHPE 02afe790 770e7fe4 kernel32!#WerpReportFault+0x118
07 CHPE 02afe800 75e90da8 kernel32!#BasepReportFault+0x24
08 CHPE 02afe820 779141b4 KERNELBASE!#UnhandledExceptionFilter+0x378
09 CHPE 02afe8f0 77910ef8 ntdll!strrchr+0x1eb4
0a CHPE 02afe910 778cf388 ntdll!#__C_ExecuteExceptionFilter+0x38
0b CHPE 02afe970 77861554 ntdll!#__C_specific_handler+0xf8
0c CHPE 02afe9e0 779b7154 ntdll!RtlpExecuteHandlerForExceptionCHPE+0x14
0d x86 02afeee0 779b7154 ntdll!RtlDispatchExceptionCHPE+0x2de
0e x86 02aff2bc 779e08d2 ntdll!RtlpProcessPushThunkForException+0x7b
0f x86 02aff354 779e0e5f ntdll!RtlDispatchException+0×1ee
10 x86 02aff360 02aff36c ntdll!KiUserExceptionDispatcher+0xf
11 x86 02aff88c 00712a03 0×2aff36c
12 x86 02aff8ac 0071284a pointers_c!invoke_main+0×33
13 x86 02aff908 007126dd pointers_c!__scrt_common_main_seh+0×15a
14 x86 02aff910 00712a88 pointers_c!__scrt_common_main+0xd
15 x86 02aff918 771487a8 pointers_c!mainCRTStartup+0×8
16 CHPE 02aff920 771487a8 kernel32!$push_thunk$cdecl$u$u+0×58
17 CHPE 02aff990 778bfc8c kernel32!BaseThreadInitThunk+0×2c
18 CHPE 02aff9a0 778bfbe8 ntdll!#__RtlUserThreadStart+0×3c
19 CHPE 02aff9f0 7799988c ntdll!#_RtlUserThreadStart+0×28

1 Id: 1a68.8194 Suspend: 0 Teb: 02961000 Unfrozen
# Arch ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 x86 086ff5a4 779dee8c 0x2730002
01 x86 086ff5a8 779ab648 ntdll!NtWaitForWorkViaWorkerFactory+0xc
02 CHPE 086ff5b0 779ab648 ntdll!#NtWaitForWorkViaWorkerFactory$push_thunk+0x68
03 CHPE 086ff630 7709e81c ntdll!#TppWorkerThread+0x238
04 CHPE 086ff810 778bfc8c kernel32!BaseThreadInitThunk+0x2c
05 CHPE 086ff820 778bfbe8 ntdll!#__RtlUserThreadStart+0x3c
06 CHPE 086ff870 7799988c ntdll!#_RtlUserThreadStart+0x28

2 Id: 1a68.499c Suspend: 0 Teb: 02965000 Unfrozen
# Arch ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 x86 087ffcc4 779dee8c 0x2730002
01 x86 087ffcc8 779ab648 ntdll!NtWaitForWorkViaWorkerFactory+0xc
02 CHPE 087ffcd0 779ab648 ntdll!#NtWaitForWorkViaWorkerFactory$push_thunk+0x68
03 CHPE 087ffd50 7709e81c ntdll!#TppWorkerThread+0x238
04 CHPE 087fff30 778bfc8c kernel32!BaseThreadInitThunk+0x2c
05 CHPE 087fff40 778bfbe8 ntdll!#__RtlUserThreadStart+0x3c
06 CHPE 087fff90 7799988c ntdll!#_RtlUserThreadStart+0x28

3 Id: 1a68.63f4 Suspend: 0 Teb: 02969000 Unfrozen
# Arch ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 x86 08b5f854 779dee8c 0x2730002
01 x86 08b5f858 779ab648 ntdll!NtWaitForWorkViaWorkerFactory+0xc
02 CHPE 08b5f860 779ab648 ntdll!#NtWaitForWorkViaWorkerFactory$push_thunk+0x68
03 CHPE 08b5f8e0 7709e81c ntdll!#TppWorkerThread+0x238
04 CHPE 08b5fac0 778bfc8c kernel32!BaseThreadInitThunk+0x2c
05 CHPE 08b5fad0 778bfbe8 ntdll!#__RtlUserThreadStart+0x3c
06 CHPE 08b5fb20 7799988c ntdll!#_RtlUserThreadStart+0x28

0:000> r
eax=001d005b ebx=00000180 ecx=00000003 edx=779ea670 esi=00000000 edi=00000003
eip=02730002 esp=02afe458 ebp=02afe480 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0023 efl=00000293
02730002 c3 ret

0:000> .frame /c 7
07 02afe800 75e90da8 kernel32!#BasepReportFault+0x24
x0=0000000000000000 x1=0000000000000000 x2=0000000000000000 x3=0000000000000000
x4=0000000000000000 x5=0000000000000000 x6=0000000000000000 x7=0000000000000000
x8=0000000000000000 x9=0000000000000000 x10=0000000000000000 x11=0000000000000000
x12=0000000000000000 x13=0000000000000000 x14=0000000000000000 x15=0000000000000000
x16=0000000000000000 x17=0000000000000000 x18=0000000000000000 x19=0000000002afe990
x20=0000000002afe990 x21=0000000077090000 x22=0000000000000004 x23=0000000000000000
x24=0000000000000001 x25=0000000075f1e000 x26=0000000000000000 x27=0000000002afe830
x28=0000000002affa38 fp=0000000002afe800 lr=00000000770e7fe4 sp=0000000002afe800
pc=00000000770e7fe4 psr=00000000 ---- EL0
kernel32!#BasepReportFault+0x24:
770e7fe4 2a0003e0 mov w0,w0

0:000:CHPE> .cxr
Resetting default scope

0:000> dps 02aff354
02aff354 02aff88c
02aff358 779e0e5f ntdll!KiUserExceptionDispatcher+0xf
02aff35c 02aff36c
02aff360 02aff3bc
02aff364 02aff36c
02aff368 02aff3bc
02aff36c c0000005
02aff370 00000000
02aff374 00000000
02aff378 00711c6a pointers_c!main+0x3da
02aff37c 00000002
02aff380 00000001
02aff384 00000004
02aff388 00000000
02aff38c 00000000
02aff390 00000000
02aff394 00000000
02aff398 00000000
02aff39c 00000000
02aff3a0 00000000
02aff3a4 00000000
02aff3a8 00000000
02aff3ac 00000000
02aff3b0 00000000
02aff3b4 00000000
02aff3b8 00000000
02aff3bc 0001003f
02aff3c0 00000000
02aff3c4 00000000
02aff3c8 00000000
02aff3cc 00000000
02aff3d0 ffff0ff0

0:000> .cxr 02aff3bc
eax=00000004 ebx=0295a000 ecx=02aff4a0 edx=00000000 esi=02aff6a8 edi=02aff88c
eip=00711c6a esp=02aff6a8 ebp=02aff88c iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0023 efl=00010212
pointers_c!main+0x3da:
00711c6a c70000000000 mov dword ptr [eax],0 ds:0023:00000004=????????

0:000> kL
*** Stack trace for last set context - .thread/.cxr resets it
# Arch ChildEBP RetAddr
00 x86 02aff88c 00712a03 pointers_c!main+0x3da
01 x86 02aff8ac 0071284a pointers_c!invoke_main+0x33
02 x86 02aff908 007126dd pointers_c!__scrt_common_main_seh+0x15a
03 x86 02aff910 00712a88 pointers_c!__scrt_common_main+0xd
04 x86 02aff918 771487a8 pointers_c!mainCRTStartup+0x8
05 CHPE 02aff920 771487a8 kernel32!$push_thunk$cdecl$u$u+0x58
06 CHPE 02aff990 778bfc8c kernel32!BaseThreadInitThunk+0x2c
07 CHPE 02aff9a0 778bfbe8 ntdll!#__RtlUserThreadStart+0x3c
08 CHPE 02aff9f0 7799988c ntdll!#_RtlUserThreadStart+0x28

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -