Archive for the ‘Bugchecks Depicted’ Category

Forthcoming 2nd edition of Memory Dump Analysis Anthology, Volume 1

Sunday, April 15th, 2012

After 4 years in print this bestselling title needs an update to address minor changes, include extra examples and reference additional research published in Volumes 2, 3, 4, 5 and 6.

  • Title: Memory Dump Analysis Anthology, Volume 1
  • Author: Dmitry Vostokov
  • Publisher: OpenTask (Summer 2012)
  • Language: English
  • Product Dimensions: 22.86 x 15.24
  • Paperback: 800 pages
  • ISBN-13: 978-1-908043-35-1
  • Hardcover: 800 pages
  • ISBN-13: 978-1-908043-36-8

The cover for both paperback and hardcover titles will also have a matte finish. We used A Memory Window artwork for the back cover.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 69c)

Sunday, December 4th, 2011

This is a variant of the Self-Diagnosis (kernel mode) pattern for the system configuration database (registry). Sometimes it is possible to see which part of it (hive) caused the problem. Here’s an example involving possibly corrupt user profiles:

REGISTRY_ERROR (51)
Something has gone badly wrong with the registry.  If a kernel debugger is available, get a stack trace. It can also indicate that the registry got an I/O error while trying to read one of its files, so it can be caused by hardware problems or filesystem corruption. It may occur due to a failure in a refresh operation, which is used only in by the security system, and then only when resource limits are encountered.
Arguments:
Arg1: 00000003, (reserved)
Arg2: 00000004, (reserved)
Arg3: e82372f8, depends on where Windows bugchecked, may be pointer to hive
Arg4: 00000000, depends on where Windows bugchecked, may be return code of HvCheckHive if the hive is corrupt.

0: kd> !reg hivelist

-------------------------------------------------------------------------------------------------------------
| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName
-------------------------------------------------------------------------------------------------------------
| e1008a68 |      13000  | e1008ac8 |       1000    |  e1008c04  |        0  |        0  |     0| e1015000  | <NONAME>
| e101a4e0 |     901000  | e1023000 |      40000    |  e101a67c  |      202  |        0  |     0| e101e000  | SYSTEM
| e1938188 |       d000  | e19381e8 |       4000    |  e1938324  |        0  |        0  |     0| e193a000  | <NONAME>
| e1968290 |       8000  | e19682f0 |          0    |  00000000  |        3  |        0  |     0| e1d39000  | \SystemRoot\System32\Config\SAM
| e1cab270 |      3d000  | e1cab2d0 |       1000    |  e1cab40c  |       16  |        0  |     0| e1d32000  | emRoot\System32\Config\SECURITY
| e1c9f448 |    3f70000  | e1e37000 |       1000    |  e1c9f5e4  |      256  |        0  |     0| e1d71000  | temRoot\System32\Config\DEFAULT
| e1d75a80 |    7d5d000  | e1ee3000 |      23000    |  e1d75c1c  |      254  |       12  |     0| e1d37000  | emRoot\System32\Config\SOFTWARE
| e1ba30d0 |      37000  | e1ba3130 |       1000    |  e1ba326c  |       17  |        0  |     0| e1b9e000  | tings\NetworkService\ntuser.dat
| e1ba8060 |       1000  | e1ba80c0 |          0    |  00000000  |        1  |        0  |     0| e1b8e000  | \Microsoft\Windows\UsrClass.dat
| e1afc068 |      3b000  | e1afc0c8 |       1000    |  e1afc204  |       17  |        0  |     0| e1b3d000  | ettings\LocalService\ntuser.dat
| e1d6e2a0 |       1000  | e1d6e300 |          0    |  00000000  |        1  |        0  |     0| e1b39000  | \Microsoft\Windows\UsrClass.dat
[...]
| e82372f8 |     106000  | e8237358 |          0    |  00000000  |       55  |        4  |     0| e514c000  | ings\User123\NTUSER.DAT
[…]
-------------------------------------------------------------------------------------------------------------

0: kd> dt _CMHIVE e82372f8
nt!_CMHIVE
   +0x000 Hive             : _HHIVE
   +0x2d0 FileHandles      : [3] 0x80002234 Void
   +0x2dc NotifyList       : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x2e4 HiveList         : _LIST_ENTRY [ 0xe7a38d64 - 0xe4d9fc9c ]
   +0x2ec HiveLock         : _EX_PUSH_LOCK
   +0x2f0 ViewLock         : 0x877b0120 _KGUARDED_MUTEX
   +0x2f4 WriterLock       : _EX_PUSH_LOCK
   +0x2f8 FlusherLock      : _EX_PUSH_LOCK
   +0x2fc SecurityLock     : _EX_PUSH_LOCK
   +0x300 LRUViewListHead  : _LIST_ENTRY [ 0xe6160170 - 0xe3d71978 ]
   +0x308 PinViewListHead  : _LIST_ENTRY [ 0xe2714fe0 - 0xe108d9e0 ]
   +0x310 FileObject       : 0x89ecf310 _FILE_OBJECT
   +0x314 FileFullPath     : _UNICODE_STRING "\Device\HarddiskVolumeX\Documents and Settings\User123\NTUSER.DAT"
   +0x31c FileUserName     : _UNICODE_STRING "\??\E:\Documents and Settings\User123\NTUSER.DAT"
   +0x324 MappedViews      : 0x37
   +0x326 PinnedViews      : 4
   +0x328 UseCount         : 0
   +0x32c SecurityCount    : 9
   +0x330 SecurityCacheSize : 9
   +0x334 SecurityHitHint  : 0n0
   +0x338 SecurityCache    : 0xe74d5008 _CM_KEY_SECURITY_CACHE_ENTRY
   +0x33c SecurityHash     : [64] _LIST_ENTRY [ 0xe3f80228 - 0xe5901ef0 ]
   +0x53c UnloadEvent      : (null)
   +0x540 RootKcb          : (null)
   +0x544 Frozen           : 0 ''
   +0x548 UnloadWorkItem   : (null)
   +0x54c GrowOnlyMode     : 0 ''
   +0x550 GrowOffset       : 0
   +0x554 KcbConvertListHead : _LIST_ENTRY [ 0xe823784c - 0xe823784c ]
   +0x55c KnodeConvertListHead : _LIST_ENTRY [ 0xe8237854 - 0xe8237854 ]
   +0x564 CellRemapArray   : (null)
   +0x568 Flags            : 1
   +0x56c TrustClassEntry  : _LIST_ENTRY [ 0xe8237864 - 0xe8237864 ]
   +0x574 FlushCount       : 0
   +0x578 CreatorOwner     : (null)

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

From Bugchecks to Patterns

Tuesday, May 24th, 2011

One of the questions asked during Introduction to Pattern-Driven Software Problem Solving Webinar was how to map bugcheck codes to crash dump analysis patterns. I’m starting this post to provide a few initial mappings and plan to extend it later.

BAD_POOL_CALLER (c2)

BAD_POOL_HEADER (19)

Dynamic Memory Corruption (kernel pool)

Self-Diagnosis (kernel mode)

UNEXPECTED_KERNEL_MODE_TRAP (7f)
Arg1: 00000000, EXCEPTION_DIVIDED_BY_ZERO

Divide by Zero (kernel mode)

NO_MORE_IRP_STACK_LOCATIONS (35)

Stack Overflow (software implementation)

MANUALLY_INITIATED_CRASH (e2)

NMI_HARDWARE_FAILURE (80)

CRITICAL_OBJECT_TERMINATION (f4)

KMODE_EXCEPTION_NOT_HANDLED (1e)
Arg2: 000000000000f001, The address that the exception occurred at

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg4: 0000f001, address which referenced memory

Manual Dump (kernel)

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Modern Memory Dump and Software Trace Analysis: Volumes 1-3

Sunday, April 18th, 2010

OpenTask to offer first 3 volumes of Memory Dump Analysis Anthology in one set:

The set is available exclusively from OpenTask e-Commerce web site starting from June. Individual volumes are also available from Amazon, Barnes & Noble and other bookstores worldwide.

Product information:

  • Title: Modern Memory Dump and Software Trace Analysis: Volumes 1-3
  • Author: Dmitry Vostokov
  • Language: English
  • Product Dimensions: 22.86 x 15.24
  • Paperback: 1600 pages
  • Publisher: Opentask (31 May 2010)
  • ISBN-13: 978-1-906717-99-5

Information about individual volumes:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Memory Dump and Software Trace Analysis Training and Seminars

Friday, April 9th, 2010

Plan to start providing training and seminars in my free time. If you are interested please answer these questions (you can either respond here in comments or use this form for private communication http://www.dumpanalysis.org/contact):

  • Are you interested in on-site training, prefer traveling or attending webinars?
  • Are you interested in software trace analysis as well?
  • What specific topics are you interested in?
  • What training level (beginner, intermediate, advanced) are you interested in? (please provide an example, if possible)

Additional topics of expertise that can be integrated into training include Source Code Reading and Analysis, Debugging, Windows Architecture, Device Drivers, Troubleshooting Tools Design and Implementation, Multithreading, Deep Down C and C++, x86 and x64 Assembly Language Reading.

Looking forward to your responses. Any suggestions are welcome.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Bugtation No.114

Tuesday, February 16th, 2010

Reinterpreting Mr. Sherlock Holmes’ words (as heard by Dr. Watson) in this zero-paradigmatic (no word substitution) semantic suffixal bugtation:

“Stop, driver, stop!” Did he forget a stop code?

Sherlock Holmes, A Study in Scarlet, Part 1, 3: The Lauriston Gardens Mystery

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Debugged! Magazine

Tuesday, November 25th, 2008

As one of the new initiatives for the Year of Debugging, DumpAnalysis Portal will publish a bimonthly full-color 16-page publication called:

Debugged! MZ/PE: MagaZine for/from Practicing Engineers
The only serial publication dedicated entirely to Windows® debugging

The first issue is planned for March, 2009 and will have ISBN-13: 978-1-906717-38-4. If it goes well I’m planning to have ISSN number assigned to it too. More details will be announced soon.

- Dmitry Vostokov @ DumpAnalysis.org

MDAA Volume 2 is available on Amazon and B&N

Saturday, October 18th, 2008

Paperback edition of Memory Dump Analysis Anthology, Volume 2 is finally available on Amazon and Barnes & Noble. Search Inside is also available on Amazon. In addition, I updated the list of recommended books:

Listmania! Crash Dump Analysis and Debugging

Hardcover edition will be available on Amazon and B&N in 2-3 weeks.

- Dmitry Vostokov @ DumpAnalysis.org -

Tales before the dawn of virtualization

Wednesday, October 15th, 2008

Before the advent of virtual machines to Wintel platforms people had to take pictures of bluescreens or even write all data down by hand to fax it:

 

How easy it is today! You just do Print Screen.

- Dmitry Vostokov @ DumpAnalysis.org -

I’m Windows Internals certified!

Saturday, October 11th, 2008

Seems railroad to it was a success: just got this message in my e-mail:

Congratulations on passing your recent Microsoft Certification exam, inspiring confidence for your employer, your peers, and yourself with a widely-recognized validation of your skills on Microsoft technology.

Because I haven’t done any exam since Windows Internals beta I assumed that I passed it and I was right! After registering at Microsoft certification site as MCP I was able to build my logo:

Here is the link to Exam 70-660 information and required skills:

http://www.microsoft.com/learning/en/us/Exams/70-660.aspx

- Dmitry Vostokov @ DumpAnalysis.org -

Memory Dump Analysis Anthology, Volume 2

Friday, October 3rd, 2008

“Everything is memory dump.”

I’m very excited to announce that Volume 2 is available in paperback, hardcover and digital editions:

Memory Dump Analysis Anthology, Volume 2

In one or two weeks paperback edition should also appear on Amazon and other bookstores. Amazon hardcover edition is planned to be available by the end of October.

I’m often asked when Volume 3 is available and I currently plan to release it in October - November, 2009. In the meantime I’m planning to concentrate on other publishing projects.

- Dmitry Vostokov @ DumpAnalysis.org -

MDAA Volume 2: Table of Contents

Wednesday, October 1st, 2008

The book is nearly finished and here is the final TOC:

Memory Dump Analysis Anthology, Volume 2: Table of Contents

- Dmitry Vostokov @ DumpAnalysis.org -

MDAA Volume One Goes Digital

Friday, April 25th, 2008

Due to demand from people that prefer ebooks I published Memory Dump Analysis Anthology, Volume 1 in a digital format that can be purchased in Crash Dump Analysis Store. This format has color pictures inside.

- Dmitry Vostokov @ DumpAnalysis.org -

Bugcheck Callbacks

Wednesday, April 23rd, 2008

There are some improvements in Vista and Windows Server 2008 regarding various WER callbacks to write user-defined data in the case of application crashes and hangs. See MSDN documentation:

What’s New in WER

However, I have found that many engineers are not aware that a similar mechanism has existed in the kernel for many years:

Writing a Bug Check Callback Routine

You can check this data using !bugdump and .enumtag WinDbg commands:

0: kd> !bugdump
**** Dump of Bug Check Data ****
8526ba7c: Bug check callback record could not be read

We get the “could not be read” message probably because, on systems newer than Windows XP SP1, the !bugdump command shows callback data that is written to memory after the crash dump has been saved, so it is useful for live debugging only. However, we can see that bugcheck callbacks form a linked list:

0: kd> dps 8526ba7c
8526ba7c  849eca7c
8526ba80  81b36ce0 nt!KeBugCheckCallbackListHead
8526ba84  858a7dea ndis!ndisBugcheckHandler
8526ba88  8526b438
8526ba8c  00000b28
8526ba90  8594dd76 ndis! ?? ::LNCPHCLB::`string'
8526ba94  90461ac0
8526ba98  00000001
8526ba9c  85936767 ndis!ndisMDispatchReceiveNetBufferLists
8526baa0  85936767 ndis!ndisMDispatchReceiveNetBufferLists
8526baa4  85969274 ndis!ethFilterDprIndicateReceivePacket
8526baa8  8de66c5c bthpan!MpReturnPacket
8526baac  8526ea80
8526bab0  859495ef ndis!ndisSynchReturnPacketsForTranslation
8526bab4  8526b438
8526bab8  00000000

0: kd> !list -x "dps @$extret l10" 81b36ce0
81b36ce0  8526ba7c
81b36ce4  81ddbe40 hal!HalpCallbackRecord
81b36ce8  00000000
81b36cec  00000001
81b36cf0  00000000
81b36cf4  00000000
81b36cf8  00000101
81b36cfc  00000001
81b36d00  00000000
81b36d04  00000000
81b36d08  00000000
81b36d0c  00000000
81b36d10  00000000
81b36d14  00000000
81b36d18  00000000
81b36d1c  00000000

8526ba7c  849eca7c
8526ba80  81b36ce0 nt!KeBugCheckCallbackListHead
8526ba84  858a7dea ndis!ndisBugcheckHandler
8526ba88  8526b438
8526ba8c  00000b28
8526ba90  8594dd76 ndis! ?? ::LNCPHCLB::`string'
8526ba94  90461ac0
8526ba98  00000001
8526ba9c  85936767 ndis!ndisMDispatchReceiveNetBufferLists
8526baa0  85936767 ndis!ndisMDispatchReceiveNetBufferLists
8526baa4  85969274 ndis!ethFilterDprIndicateReceivePacket
8526baa8  8de66c5c bthpan!MpReturnPacket
8526baac  8526ea80
8526bab0  859495ef ndis!ndisSynchReturnPacketsForTranslation
8526bab4  8526b438
8526bab8  00000000

849eca7c  849ea72c
849eca80  8526ba7c
849eca84  858a7dea ndis!ndisBugcheckHandler
849eca88  849ec438
849eca8c  00000b28
849eca90  8594dd76 ndis! ?? ::LNCPHCLB::`string'
849eca94  8fbe2ac0
849eca98  00000001
849eca9c  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849ecaa0  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849ecaa4  859432ca ndis!ndisMIndicatePacket
849ecaa8  00000000
849ecaac  00000000
849ecab0  859495ef ndis!ndisSynchReturnPacketsForTranslation
849ecab4  849ec438
849ecab8  00000000

849ea72c  849c272c
849ea730  849eca7c
849ea734  858a7dea ndis!ndisBugcheckHandler
849ea738  849ea0e8
849ea73c  00000b28
849ea740  8594dd76 ndis! ?? ::LNCPHCLB::`string'
849ea744  8fbe0770
849ea748  00000001
849ea74c  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849ea750  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849ea754  85969274 ndis!ethFilterDprIndicateReceivePacket
849ea758  00000000
849ea75c  00000000
849ea760  859495ef ndis!ndisSynchReturnPacketsForTranslation
849ea764  849ea0e8
849ea768  00000000

849c272c  849c172c
849c2730  849ea72c
849c2734  858a7dea ndis!ndisBugcheckHandler
849c2738  849c20e8
849c273c  00000b28
849c2740  8594dd76 ndis! ?? ::LNCPHCLB::`string'
849c2744  8fbb8770
849c2748  00000001
849c274c  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849c2750  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849c2754  85969274 ndis!ethFilterDprIndicateReceivePacket
849c2758  85df579a tunmp!TunMpReturnPacket
849c275c  84a45538
849c2760  859495ef ndis!ndisSynchReturnPacketsForTranslation
849c2764  849c20e8
849c2768  00000000

849c172c  849a072c
849c1730  849c272c
849c1734  858a7dea ndis!ndisBugcheckHandler
849c1738  849c10e8
849c173c  00000b28
849c1740  8594dd76 ndis! ?? ::LNCPHCLB::`string'
849c1744  8fbb7770
849c1748  00000001
849c174c  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849c1750  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849c1754  859432ca ndis!ndisMIndicatePacket
849c1758  00000000
849c175c  00000000
849c1760  859495ef ndis!ndisSynchReturnPacketsForTranslation
849c1764  849c10e8
849c1768  00000000

849a072c  8499d72c
849a0730  849c172c
849a0734  858a7dea ndis!ndisBugcheckHandler
849a0738  849a00e8
849a073c  00000b28
849a0740  8594dd76 ndis! ?? ::LNCPHCLB::`string'
849a0744  8fb96770
849a0748  00000001
849a074c  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849a0750  85936767 ndis!ndisMDispatchReceiveNetBufferLists
849a0754  859432ca ndis!ndisMIndicatePacket
849a0758  00000000
849a075c  00000000
849a0760  859495ef ndis!ndisSynchReturnPacketsForTranslation
849a0764  849a00e8
849a0768  00000000

8499d72c  8499f72c
8499d730  849a072c
8499d734  858a7dea ndis!ndisBugcheckHandler
8499d738  8499d0e8
8499d73c  00000b28
8499d740  8594dd76 ndis! ?? ::LNCPHCLB::`string'
8499d744  8fb93770
8499d748  00000001
8499d74c  85936767 ndis!ndisMDispatchReceiveNetBufferLists
8499d750  85936767 ndis!ndisMDispatchReceiveNetBufferLists
8499d754  859432ca ndis!ndisMIndicatePacket
8499d758  00000000
8499d75c  00000000
8499d760  859495ef ndis!ndisSynchReturnPacketsForTranslation
8499d764  8499d0e8
8499d768  00000000

8499f72c  81ddbe40 hal!HalpCallbackRecord
8499f730  8499d72c
8499f734  858a7dea ndis!ndisBugcheckHandler
8499f738  8499f0e8
8499f73c  00000b28
8499f740  8594dd76 ndis! ?? ::LNCPHCLB::`string'
8499f744  8fb95770
8499f748  00000001
8499f74c  85936767 ndis!ndisMDispatchReceiveNetBufferLists
8499f750  85936767 ndis!ndisMDispatchReceiveNetBufferLists
8499f754  859432ca ndis!ndisMIndicatePacket
8499f758  00000000
8499f75c  00000000
8499f760  859495ef ndis!ndisSynchReturnPacketsForTranslation
8499f764  8499f0e8
8499f768  00000000

81ddbe40  81b36ce0 nt!KeBugCheckCallbackListHead
81ddbe44  8499f72c
81ddbe48  81dcebdc hal!HalpBugCheckCallback
81ddbe4c  00000000
81ddbe50  00000000
81ddbe54  81dc2550 hal!HalName
81ddbe58  03b9112c
81ddbe5c  00000001
81ddbe60  00000000
81ddbe64  00000000
81ddbe68  00000000
81ddbe6c  00000000
81ddbe70  6d46da80
81ddbe74  00000000
81ddbe78  00000000
81ddbe7c  00000000
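
The list walk shown above can also be done offline from saved `dps` text. The following is an added example, not code from the original post: it decodes each entry as a KBUGCHECK_CALLBACK_RECORD and checks that every Blink points back at the previous entry. It assumes 32-bit pointers as in this dump, and the names `parse_dps`, `read_record` and `walk_callbacks` are hypothetical.

```python
import re
from collections import namedtuple

# Constructed sample: abridged from the dps output above. The middle ndis
# records are dropped and the links adjusted so the short list stays consistent.
SAMPLE_DPS = """\
81b36ce0  8526ba7c
81b36ce4  81ddbe40 hal!HalpCallbackRecord
8526ba7c  8499f72c
8526ba80  81b36ce0 nt!KeBugCheckCallbackListHead
8526ba84  858a7dea ndis!ndisBugcheckHandler
8526ba88  8526b438
8526ba8c  00000b28
8526ba90  8594dd76 ndis! ?? ::LNCPHCLB::`string'
8526ba94  90461ac0
8526ba98  00000001
8499f72c  81ddbe40 hal!HalpCallbackRecord
8499f730  8526ba7c
8499f734  858a7dea ndis!ndisBugcheckHandler
8499f738  8499f0e8
8499f73c  00000b28
8499f740  8594dd76 ndis! ?? ::LNCPHCLB::`string'
8499f744  8fb95770
8499f748  00000001
81ddbe40  81b36ce0 nt!KeBugCheckCallbackListHead
81ddbe44  8499f72c
81ddbe48  81dcebdc hal!HalpBugCheckCallback
81ddbe4c  00000000
81ddbe50  00000000
81ddbe54  81dc2550 hal!HalName
81ddbe58  03b9112c
81ddbe5c  00000001
"""

# KBUGCHECK_CALLBACK_RECORD field offsets with 32-bit pointers (x86, as in the
# dump): LIST_ENTRY Entry, CallbackRoutine, Buffer, Length, Component, Checksum, State.
OFFSETS = {"flink": 0x00, "blink": 0x04, "routine": 0x08, "buffer": 0x0C,
           "length": 0x10, "component": 0x14, "checksum": 0x18, "state": 0x1C}
STATES = {0: "BufferEmpty", 1: "BufferInserted", 2: "BufferStarted",
          3: "BufferFinished", 4: "BufferIncomplete"}
LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(.*))?$", re.I)
CallbackRecord = namedtuple(
    "CallbackRecord", "address flink blink routine buffer length component state")


def parse_dps(text):
    """Map address -> (dword value, symbol text) for every dps line."""
    mem = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mem[int(m.group(1), 16)] = (int(m.group(2), 16), m.group(3) or "")
    return mem


def read_record(mem, addr):
    """Decode one record; KeyError means a field is missing from the output."""
    fld = {name: mem[addr + off] for name, off in OFFSETS.items()}
    state = fld["state"][0] & 0xFF  # State is a UCHAR; upper bytes are padding
    return CallbackRecord(
        addr, fld["flink"][0], fld["blink"][0],
        fld["routine"][1] or f"{fld['routine'][0]:08x}", fld["buffer"][0],
        fld["length"][0], fld["component"][1] or f"{fld['component'][0]:08x}",
        STATES.get(state, f"unknown({state})"))


def walk_callbacks(mem, head):
    """Follow Flink from the list head; return (records, problems found)."""
    if head not in mem or head + 4 not in mem:
        return [], [f"list head {head:08x} not in supplied output"]
    records, problems, seen = [], [], set()
    prev, cur = head, mem[head][0]
    while cur != head:
        if cur in seen:
            problems.append(f"cycle: {cur:08x} visited twice")
            break
        seen.add(cur)
        try:
            rec = read_record(mem, cur)
        except KeyError:
            problems.append(f"record {cur:08x} not readable in supplied output")
            break
        if rec.blink != prev:
            problems.append(f"{cur:08x}: Blink {rec.blink:08x} != previous {prev:08x}")
        records.append(rec)
        prev, cur = cur, rec.flink
    else:  # reached the head again without breaking out
        if mem[head + 4][0] != prev:
            problems.append("head Blink does not point at the last record")
    return records, problems


if __name__ == "__main__":
    recs, issues = walk_callbacks(parse_dps(SAMPLE_DPS), 0x81B36CE0)
    for r in recs:
        print(f"{r.address:08x} {r.routine:<26} len={r.length:#x} {r.state}")
    print(issues or "list links are consistent")
```
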

Another WinDbg command, .enumtag, shows data written before a crash dump is saved and is therefore useful for postmortem crash dump analysis (binary output is removed for visual clarity):

0: kd> .enumtag
{BC5C008F-1E3A-44D7-988D86F6884C6758} - 0x5cd bytes
  ...$............
  ................
  Apple Inc..    M
  M21.88Z.009A.B00
  .0706281359.06/2
  8/07............
  ................
  .Apple Inc..Macm
  ini2,1.1.0.    
        .System SK
  UNumber.Napa Mac
  ................
  ..Apple Inc..Mac
  -F4208EAA.PVT. .
  .Part Compon
  ent.............
  ..........Apple
  Inc..Mac-F4208EA
  A.           . 
  ............J6H1
  :1-X CMOS CLEAR(
  default); J8H1:1
  -X BIOS RECOVERY
  ...........None.
  Ethernet........
  ...None.DVI.....
  ......None.USB0.
  ..........None.U
  SB1...........No
  ne.USB2.........
  ..None.USB3.....
  ....!.None.FireW
  ire0...........N
  one.Audio Line I
  n...........None
  .Audio Line Out.
  ..............Ai
  rPort........Int
  egrated Graphics
  Controller ....
  ....Yukon Ethern
  et Controller...
  .....Azalia Audi
  o Codec........S
  ATA........PATA.
  ..........#.....
  .............&.&
  .A..........Inte
  l(R) Core(TM)2 C
  PU         T.Int
  el(R) Corporatio
  n.U2E1.       ..
[...]
  .......Intel(R)
  Core(TM)2 CPU  
       T.Intel(R)
  Corporation.U2E
  1.       .......
[...]
  ...........DIMM0
  .BANK 0.0x2C0000
  0000000000.    
      .       .0x
  3848544636343634
  4844592D36363744
  3320....!.......
  .. .$........"..
  ...@.@..........
  ......DIMM1.BANK
  1.0x2C000000000
  00000.         
  .       .0x38485
  4463634363448445
  92D363637443320.
[...]
{6C7AC389-4313-47DC-9F34A8800A0FB56C} - 0x266 bytes
  ....~.M.H.z.....
  ......)...,...C.
  o.m.p.o.n.e.n.t.
  .I.n.f.o.r.m.a.
  t.i.o.n.........
  ..&...C.o.n.f.i.
  g.u.r.a.t.i.o.n.
  .D.a.t.a.......
  ........I.d.e.n.
  t.i.f.i.e.r.....
  ..B...x.8.6. .F.
  a.m.i.l.y. .6. .
  M.o.d.e.l. .1.5.
  .S.t.e.p.p.i.n.
  g. .2...(...P.r.
  o.c.e.s.s.o.r.N.
  a.m.e.S.t.r.i.n.
  g.......`...I.n.
  t.e.l.(.R.). .C.
  o.r.e.(.T.M.).2.
  .C.P.U. . . . .
  . . . . .T.5.6.
  0.0. . .@. .1...
  8.3.G.H.z..."...
  U.p.d.a.t.e. .S.
  i.g.n.a.t.u.r.e.
  ..............W.
  ......U.p.d.a.t.
  e. .S.t.a.t.u.s.
  ..............".
  ..V.e.n.d.o.r.I.
  d.e.n.t.i.f.i.e.
  r...........G.e.
  n.u.i.n.e.I.n.t.
  e.l.......M.S.R.
[...]
{D03DC06F-D88E-44C5-BA2AFAE035172D19} - 0x438 bytes
  ............Genu
  ntelineI....Genu
  ntelineI........
[...]
  ........Intel(R)
  Core(TMIntel(R)
  Core(TM........
  )2 CPU         T
  )2 CPU         T
  ........5600  @
  1.83GHz.5600  @
  1.83GHz.........
[...]
{E83B40D2-B0A0-4842-ABEA71C9E3463DD1} - 0x184 bytes
  APICh.....APPLE
  Apple00.....Loki
  _.......FACP....
  .aAPPLE Apple00.
  ....Loki_......>
  HPET8.....APPLE
  Apple00.....Loki
  _.......MCFG<...
  ..APPLE Apple00.
  ....Loki_.......
  ASF!.... .APPLE
  Apple00.....Loki
  _.......SBST0...
  ..APPLE Apple00.
  ....Loki_.......
  ECDTS....9APPLE
  Apple00.....Loki
  _.......SSDTO...
  .>APPLE SataPri.
  ....INTL... SSDT
  O....>APPLE Sata
  Pri.....INTL...
  SSDTO....>APPLE
  SataPri.....INTL
{270A33FD-3DA6-460D-BA893C1BAE21E39B} - 0xfc8 bytes
  ........H.......
  H.......H.......
[...]

Of course, this is much more useful if your drivers save additional data for troubleshooting and you have written a WinDbg extension to interpret it.

- Dmitry Vostokov @ DumpAnalysis.org -

Bugchecks: SYSTEM_SERVICE_EXCEPTION

Tuesday, April 22nd, 2008

Bugcheck 0x3B is forced on x64 Windows platforms when an exception happens during a system service and the unwind leads to a transition from kernel mode to user mode. Let’s see this in a complete memory dump:

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80001048a1d, Address of the exception record for the exception that caused the bugcheck
Arg3: fffffade643f6870, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

CONTEXT: fffffade643f6870 -- (.cxr 0xfffffade643f6870)
rax=005300450053005c rbx=0000000000000048 rcx=0000000000000020
rdx=fffffa8007c9da20 rsi=0000000000000048 rdi=fffffade643f71d0
rip=fffff80001048a1d rsp=fffffade643f7088 rbp=0000000000000000
 r8=0000000000000048 r9=0000000000000002 r10=00490046002d0054
r11=0000000000000000 r12=fffffadf19744010 r13=fffffade643f7a78
r14=0000000000000800 r15=fffffadf1da71ee8
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
nt!memmove+0xbd:
fffff800`01048a1d 488941e0 mov qword ptr [rcx-20h],rax ds:002b:00000000`00000000=????????????????

0: kd> kL
Child-SP RetAddr Call Site
fffffade`643f5eb8 fffff800`0104e834 nt!KeBugCheckEx
fffffade`643f5ec0 fffff800`0104e2fb nt!KiBugCheckDispatch+0x74
fffffade`643f6040 fffff800`0105c09d nt!KiSystemServiceHandler+0x7b
fffffade`643f6080 fffff800`01031561 nt!RtlpExecuteHandlerForException+0xd
fffffade`643f60b0 fffff800`010174fa nt!RtlDispatchException+0x2c0
fffffade`643f6770 fffff800`0104e92f nt!KiDispatchException+0xd9
fffffade`643f6d70 fffff800`0104d7e1 nt!KiExceptionExit
fffffade`643f6ef0 fffff800`01048a1d nt!KiPageFault+0x1e1
fffffade`643f7088 fffff800`01025977 nt!memmove+0xbd
fffffade`643f7090 fffffadf`101f858d nt!RtlAppendUnicodeStringToString+0x67
fffffade`643f70c0 fffffadf`101f8a1d driver+0x558d
fffffade`643f7a20 fffff800`012c3b21 driver+0x5a1d
fffffade`643f7a70 fffff800`012c3bd6 nt!IopXxxControlFile+0xa6b
fffffade`643f7b90 fffff800`0104e5fd nt!NtDeviceIoControlFile+0x56
fffffade`643f7c00 00000000`77ef12ca nt!KiSystemServiceCopyEnd+0x3
00000000`00e6ba08 00000000`77d67963 ntdll!ZwDeviceIoControlFile+0xa
00000000`00e6ba10 00000000`6340239f kernel32!DeviceIoControl+0x237
00000000`00e6bbf0 00000000`0000000e application!DllUnregisterServer+0x40f
[…]

On x64 Windows platforms KiSystemServiceCopyEnd has a purpose similar to that of KiFastSystemCallRet on x86 platforms.

We see that the chain of exception handlers spans the protection boundary, where KiSystemServiceCopyEnd has KiSystemServiceHandler as its exception handler:

0: kd> !exchain
100 stack frames, scanning for handlers...
Frame 0x03: nt!RtlpExecuteHandlerForException+0xd (fffff800`0105c09d)
  ehandler nt!RtlpExceptionHandler (fffff800`0105c060)
Frame 0x05: nt!KiDispatchException+0xd9 (fffff800`010174fa)
  ehandler nt!_C_specific_handler (fffff800`010356e0)
Frame 0x0a: driver+0x558d (fffffadf`101f858d)
  ehandler driver+0x1242 (fffffadf`101f4242)
Frame 0x0c: nt!IopXxxControlFile+0xa6b (fffff800`012c3b21)
  ehandler nt!_C_specific_handler (fffff800`010356e0)
Frame 0x0e: nt!KiSystemServiceCopyEnd+0x3 (fffff800`0104e5fd)
  ehandler nt!KiSystemServiceHandler (fffff800`0104e280)

Frame 0x10: kernel32!DeviceIoControl+0x237 (00000000`77d67963)
  ehandler kernel32!_C_specific_handler (00000000`77d92200)
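
The boundary visible in this listing can be located mechanically. The following is an added example, not code from the original post: it parses saved `!exchain` text and reports the last kernel-mode frame, with its handler, before the chain continues into user space. It assumes x64 addresses; `parse_exchain` and `mode_boundary` are hypothetical names.

```python
import re

# Constructed sample: the !exchain output above, retyped with plain ASCII "0x".
SAMPLE_EXCHAIN = """\
100 stack frames, scanning for handlers...
Frame 0x03: nt!RtlpExecuteHandlerForException+0xd (fffff800`0105c09d)
  ehandler nt!RtlpExceptionHandler (fffff800`0105c060)
Frame 0x05: nt!KiDispatchException+0xd9 (fffff800`010174fa)
  ehandler nt!_C_specific_handler (fffff800`010356e0)
Frame 0x0a: driver+0x558d (fffffadf`101f858d)
  ehandler driver+0x1242 (fffffadf`101f4242)
Frame 0x0c: nt!IopXxxControlFile+0xa6b (fffff800`012c3b21)
  ehandler nt!_C_specific_handler (fffff800`010356e0)
Frame 0x0e: nt!KiSystemServiceCopyEnd+0x3 (fffff800`0104e5fd)
  ehandler nt!KiSystemServiceHandler (fffff800`0104e280)

Frame 0x10: kernel32!DeviceIoControl+0x237 (00000000`77d67963)
  ehandler kernel32!_C_specific_handler (00000000`77d92200)
"""

KERNEL_BASE = 0xFFFF800000000000  # start of the upper canonical half on x64
FRAME_RE = re.compile(r"^Frame 0x([0-9a-f]+): (.+) \(([0-9a-f`]+)\)$", re.I)
HANDLER_RE = re.compile(r"^ehandler (.+) \(([0-9a-f`]+)\)$", re.I)


def to_int(addr):
    """Convert WinDbg's 64-bit notation (fffff800`0104e5fd) to an integer."""
    return int(addr.replace("`", ""), 16)


def parse_exchain(text):
    """Return one dict per 'Frame' line, with the handlers listed under it."""
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FRAME_RE.match(line)
        if m:
            frames.append({"index": int(m.group(1), 16), "site": m.group(2),
                           "address": to_int(m.group(3)), "handlers": []})
            continue
        m = HANDLER_RE.match(line)
        if m and frames:  # a handler line belongs to the frame printed before it
            frames[-1]["handlers"].append(m.group(1))
    return frames


def mode_boundary(frames):
    """Return (last kernel frame, first user frame) where the chain leaves
    kernel space, or None if all listed frames are on one side."""
    for inner, outer in zip(frames, frames[1:]):
        if inner["address"] >= KERNEL_BASE > outer["address"]:
            return inner, outer
    return None


if __name__ == "__main__":
    found = mode_boundary(parse_exchain(SAMPLE_EXCHAIN))
    if found:
        kernel, user = found
        print(f"frame {kernel['index']:#04x} {kernel['site']} "
              f"handler={kernel['handlers']} -> user frame {user['site']}")
    else:
        print("no kernel/user transition in the listed frames")
```
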

If we disassemble KiSystemServiceHandler we get this code with the bugcheck 3B branch:

kd> uf nt!KiSystemServiceHandler
nt!KiSystemServiceHandler:
[...]
fffff800`01040ddc cmp     byte ptr [rax+153h],0
fffff800`01040de3 je      nt!KiSystemServiceHandler+0x7b (fffff800`01040dfb)

nt!KiSystemServiceHandler+0x65:
fffff800`01040de5 xor     r10,r10
fffff800`01040de8 mov     r9,r8
fffff800`01040deb mov     r8,qword ptr [rcx+10h]
fffff800`01040def mov     edx,dword ptr [rcx]
fffff800`01040df1 mov     ecx,3Bh
fffff800`01040df6 call    nt!KiBugCheckDispatch (fffff800`01041300)

nt!KiSystemServiceHandler+0x7b:
fffff800`01040dfb mov     eax,1
fffff800`01040e00 add     rsp,38h
fffff800`01040e04 ret
[...]

Here we see that the code checks whether the previous mode for the thread was UserMode and, if so, bugchecks the system, because transitioning back to user space during exception unwind would have had disastrous consequences. The system wants to save a controlled crash dump for later problem analysis:

kd> dt _KTHREAD
ntdll!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 MutantListHead   : _LIST_ENTRY
   +0x028 InitialStack     : Ptr64 Void
   +0x030 StackLimit       : Ptr64 Void
   +0x038 KernelStack      : Ptr64 Void
[...]
   +0x153 PreviousMode     : Char
[…]

Note that _KTHREAD.PreviousMode should not be confused with _KTRAP_FRAME.PreviousMode. The latter has the KernelMode value if an exception happened while the CPU was in kernel mode, whereas the former shows the previous CPU mode of a thread; for example, it has the UserMode value if a user space thread called a system service.

kd> dt _KTRAP_FRAME
ntdll!_KTRAP_FRAME
  +0x000 P1Home : Uint8B
  +0x008 P2Home : Uint8B
  +0x010 P3Home : Uint8B
  +0x018 P4Home : Uint8B
  +0x020 P5 : Uint8B
  +0x028 PreviousMode : Char
  +0x029 PreviousIrql : UChar
  +0x02a FaultIndicator : UChar
[…]

I put all of this on a colored sequence UML diagram:

 

- Dmitry Vostokov @ DumpAnalysis.org -

The First Windows® Memory Dump Analysis Book!

Tuesday, April 15th, 2008

I’m very proud to announce that it is finally available in both paperback and hardback. Why have I made available both editions? Because I personally prefer hardcover books. You can order the book today and it will be printed in 3-5 days (paperback) or 5-10 days (hardcover) and sent to you:

Memory Dump Analysis Anthology, Volume 1

Note: although listed on Amazon and other online bookstores it is not immediately available at these stores at the moment due to the late submission. I apologize for this. However, I expect that in a few weeks pre-orders taken there will be eventually fulfilled. In the meantime, if you want the book now, you can use the link above.

- Dmitry Vostokov @ DumpAnalysis.org -

Crash Dump Analysis Patterns (Part 57)

Thursday, April 3rd, 2008

Another pattern that occurs frequently is Hardware Error. This can be an internal CPU malfunction due to overheating, or a RAM or hard disk I/O problem. It usually results in the appropriate bugcheck, and the most frequent one is the 6th from the top of Bug Check Frequency Table:

  • BugCheck 9C: MACHINE_CHECK_EXCEPTION

Other relevant bugchecks include:

  • BugCheck 7B: INACCESSIBLE_BOOT_DEVICE

  • BugCheck 77: KERNEL_STACK_INPAGE_ERROR

  • BugCheck 7A: KERNEL_DATA_INPAGE_ERROR

Another bugcheck from this category can also be triggered on purpose to get a crash dump of a hanging or slow system:

Please also note that other popular bugchecks like

  • BugCheck 7F: UNEXPECTED_KERNEL_MODE_TRAP

  • BugCheck 50: PAGE_FAULT_IN_NONPAGED_AREA

can result from RAM problems but we should try to find a software cause first.

Sometimes bugchecks like

  • BugCheck 7E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

report EXCEPTION_DOESNOT_MATCH_CODE, where the read or write address doesn’t correspond to the faulting instruction at EIP:

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf802671, The address that the exception occurred at
Arg3: f10b8c74, Exception Record Address
Arg4: f10b88c4, Context Record Address

FAULTING_IP:
driver!AcquireSemaphoreShared+4
bf802671 90 nop

EXCEPTION_RECORD: f10b8c74 -- (.exr fffffffff10b8c74)
ExceptionAddress: bf802671 (driver!AcquireSemaphoreShared+0x00000004)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 0000000c
Attempt to write to address 0000000c

CONTEXT: f10b88c4 -- (.cxr fffffffff10b88c4)
eax=884d2d01 ebx=0000000c ecx=00000000 edx=80010031 esi=8851ef60 edi=bc3846d4
eip=bf802671 esp=f10b8d3c ebp=f10b8d70 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
driver!AcquireSemaphoreShared+0x4:
bf802671 90 nop
Resetting default scope

WRITE_ADDRESS: 0000000c

EXCEPTION_DOESNOT_MATCH_CODE: This indicates a hardware error.
Instruction at bf802671 does not read/write to 0000000c

Code mismatch can also happen in user mode but from my experience it usually results from improper Hooked Function or similar corruption: 

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c848768 (ntdll!_LdrpInitialize+0x00000184)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000001
NumberParameters: 0

DEFAULT_BUCKET_ID: CODE_ADDRESS_MISMATCH

WRITE_ADDRESS: f774f120

FAULTING_IP:
ntdll!_LdrpInitialize+184
7c848768 cc int 3

EXCEPTION_DOESNOT_MATCH_CODE: This indicates a hardware error.
Instruction at 7c848768 does not read/write to f774f120

STACK_TEXT:
0012fd14 7c8284c5 0012fd28 7c800000 00000000 ntdll!_LdrpInitialize+0x184
00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x25

In such cases EIP might point to the middle of the expected instruction (Wild Code):

FAULTING_IP:
+59c3659
059c3659 86990508f09b xchg bl,byte ptr [ecx-640FF7FBh]

Here is an example of a real hardware error (note the concatenated error code for bugcheck 0x9C):

MACHINE_CHECK_EXCEPTION (9c)
A fatal Machine Check Exception has occurred.
KeBugCheckEx parameters;
    x86 Processors
        If the processor has ONLY MCE feature available (For example Intel
        Pentium), the parameters are:
        1 - Low  32 bits of P5_MC_TYPE MSR
        2 - Address of MCA_EXCEPTION structure
        3 - High 32 bits of P5_MC_ADDR MSR
        4 - Low  32 bits of P5_MC_ADDR MSR
        If the processor also has MCA feature available (For example Intel
        Pentium Pro), the parameters are:
        1 - Bank number
        2 - Address of MCA_EXCEPTION structure
        3 - High 32 bits of MCi_STATUS MSR for the MCA bank that had the error
        4 - Low  32 bits of MCi_STATUS MSR for the MCA bank that had the error
    IA64 Processors
        1 - Bugcheck Type
            1 - MCA_ASSERT
            2 - MCA_GET_STATEINFO
                SAL returned an error for SAL_GET_STATEINFO while processing MCA.
            3 - MCA_CLEAR_STATEINFO
                SAL returned an error for SAL_CLEAR_STATEINFO while processing MCA.
            4 - MCA_FATAL
                FW reported a fatal MCA.
            5 - MCA_NONFATAL
                SAL reported a recoverable MCA and we don't support currently
                support recovery or SAL generated an MCA and then couldn't
                produce an error record.
            0xB - INIT_ASSERT
            0xC - INIT_GET_STATEINFO
                  SAL returned an error for SAL_GET_STATEINFO while processing INIT event.
            0xD - INIT_CLEAR_STATEINFO
                  SAL returned an error for SAL_CLEAR_STATEINFO while processing INIT event.
            0xE - INIT_FATAL
                  Not used.
        2 - Address of log
        3 - Size of log
        4 - Error code in the case of x_GET_STATEINFO or x_CLEAR_STATEINFO
    AMD64 Processors
        1 - Bank number
        2 - Address of MCA_EXCEPTION structure
        3 - High 32 bits of MCi_STATUS MSR for the MCA bank that had the error
        4 - Low  32 bits of MCi_STATUS MSR for the MCA bank that had the error
Arguments:
Arg1: 00000000
Arg2: 808a07a0
Arg3: be000300
Arg4: 1008081f

Debugging Details:
------------------

   NOTE:  This is a hardware error.  This error was reported by the CPU
   via Interrupt 18.  This analysis will provide more information about
   the specific error.  Please contact the manufacturer for additional
   information about this error and troubleshooting assistance.

   This error is documented in the following publication:

      - IA-32 Intel(r) Architecture Software Developer's Manual
        Volume 3: System Programming Guide

   Bit Mask:

    MA                           Model Specific       MCA
 O  ID      Other Information      Error Code     Error Code
VV  SDP ___________|____________ _______|_______ _______|______
AEUECRC|                        |               |             
LRCNVVC|                        |               |             
^^^^^^^|                        |               |              
   6         5         4         3         2         1
3210987654321098765432109876543210987654321098765432109876543210
----------------------------------------------------------------
1011111000000000000000110000000000010000000010000000100000011111 

VAL   - MCi_STATUS register is valid
        Indicates that the information contained within the IA32_MCi_STATUS
        register is valid.  When this flag is set, the processor follows the
        rules given for the OVER flag in the IA32_MCi_STATUS register when
        overwriting previously valid entries.  The processor sets the VAL
        flag and software is responsible for clearing it.

UC    - Error Uncorrected
        Indicates that the processor did not or was not able to correct the
        error condition.  When clear, this flag indicates that the processor
        was able to correct the error condition.

EN    - Error Enabled
        Indicates that the error was enabled by the associated EEj bit of the
        IA32_MCi_CTL register.

MISCV - IA32_MCi_MISC Register Valid
        Indicates that the IA32_MCi_MISC register contains additional
        information regarding the error.  When clear, this flag indicates
        that the IA32_MCi_MISC register is either not implemented or does
        not contain additional information regarding the error.

ADDRV - IA32_MCi_ADDR register valid
        Indicates that the IA32_MCi_ADDR register contains the address where
        the error occurred.

PCC   - Processor Context Corrupt
        Indicates that the state of the processor might have been corrupted
        by the error condition detected and that reliable restarting of the
        processor may not be possible.

BUSCONNERR - Bus and Interconnect Error   BUS{LL}_{PP}_{RRRR}_{II}_{T}_err
        These errors match the format 0000 1PPT RRRR IILL

   Concatenated Error Code:
   --------------------------
   _VAL_UC_EN_MISCV_ADDRV_PCC_BUSCONNERR_1F

   This error code can be reported back to the manufacturer.
   They may be able to provide additional information based upon
   this error.  All questions regarding STOP 0x9C should be
   directed to the hardware manufacturer.

BUGCHECK_STR:  0x9C_IA32_GenuineIntel

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  Idle

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from 80a7fbd8 to 8087b6be

STACK_TEXT: 
f773d280 80a7fbd8 0000009c 00000000 f773d2b0 nt!KeBugCheckEx+0x1b
f773d3b4 80a7786f f7737fe0 00000000 00000000 hal!HalpMcaExceptionHandler+0x11e
f773d3b4 f75a9ca2 f7737fe0 00000000 00000000 hal!HalpMcaExceptionHandlerWrapper+0x77
f78c6d50 8083abf2 00000000 0000000e 00000000 intelppm!AcpiC1Idle+0x12
f78c6d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa
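
The bit mask that !analyze prints above can be rebuilt by hand from Arg3 (high 32 bits of MCi_STATUS) and Arg4 (low 32 bits). The Python sketch below is an added example, not part of the original post or of WinDbg; the function and table names are made up for illustration, and the field mnemonics follow the Intel SDM encodings for the 0000 1PPT RRRR IILL format quoted in the output.

```python
# Flag bits of IA32_MCi_STATUS, highest bit first (the columns of the bit mask).
STATUS_FLAGS = [(63, "VAL"), (62, "OVER"), (61, "UC"), (60, "EN"),
                (59, "MISCV"), (58, "ADDRV"), (57, "PCC")]

# Field encodings of the bus/interconnect compound code 0000 1PPT RRRR IILL.
PARTICIPATION = {0: "SRC", 1: "RES", 2: "OBS", 3: "generic"}
REQUEST = {0: "ERR", 1: "RD", 2: "WR", 3: "DRD", 4: "DWR",
           5: "IRD", 6: "PREFETCH", 7: "EVICT", 8: "SNOOP"}
MEM_IO = {0: "M", 1: "reserved", 2: "IO", 3: "other"}
LEVEL = {0: "L0", 1: "L1", 2: "L2", 3: "LG"}


def decode_mci_status(high32, low32):
    """Decode MCi_STATUS from bugcheck 0x9C Arg3 (high) and Arg4 (low)."""
    status = ((high32 & 0xFFFFFFFF) << 32) | (low32 & 0xFFFFFFFF)
    mca_code = status & 0xFFFF
    decoded = {
        "status": status,
        "bits": format(status, "064b"),          # same layout as the bit mask
        "flags": [name for bit, name in STATUS_FLAGS if (status >> bit) & 1],
        "other_info": (status >> 32) & 0x1FFFFFF,      # bits 56..32
        "model_specific_code": (status >> 16) & 0xFFFF,  # bits 31..16
        "mca_error_code": mca_code,                      # bits 15..0
        "bus": None,
    }
    # A bus and interconnect error has bit 11 set and bits 15..12 clear.
    if (mca_code & 0xF800) == 0x0800:
        decoded["bus"] = {
            "participation": PARTICIPATION[(mca_code >> 9) & 0x3],   # PP
            "timeout": bool((mca_code >> 8) & 0x1),                  # T
            "request": REQUEST.get((mca_code >> 4) & 0xF, "reserved"),  # RRRR
            "mem_io": MEM_IO[(mca_code >> 2) & 0x3],                 # II
            "level": LEVEL[mca_code & 0x3],                          # LL
        }
    return decoded


if __name__ == "__main__":
    # Arg3 and Arg4 from the MACHINE_CHECK_EXCEPTION output above.
    result = decode_mci_status(0xBE000300, 0x1008081F)
    print(result["bits"])
    print("_" + "_".join(result["flags"]))
    print(hex(result["mca_error_code"]), result["bus"])
```

OVER (bit 62) is clear in this dump, which is why it is absent from the concatenated error code.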

- Dmitry Vostokov @ DumpAnalysis.org -

Memory Dump Analysis Anthology, Volume 2

Tuesday, March 25th, 2008

Although the first volume has not been published yet (scheduled for 15th of April, 2008), the planning for the second volume has already begun. Preliminary information is:

  • Title: Memory Dump Analysis Anthology, Volume 2
  • Paperback: 512 pages (*)
  • ISBN-13: 978-0-9558328-7-1
  • Author: Dmitry Vostokov
  • Publisher: Opentask (01 Oct 2008)
  • Language: English
  • Product Dimensions: 22.86 x 15.24

A hardcover version is also planned. A PDF version will be available for download too.

(*) subject to change

- Dmitry Vostokov @ DumpAnalysis.org -

Crash Dump Analysis Patterns (Part 2b)

Thursday, March 13th, 2008

Here is an additional kernel space example for my old Dynamic Memory Corruption pattern. If kernel pools are corrupt, then calls that allocate or free memory result in bugchecks C2 or 19 and in other, less frequent bugchecks (from Google stats):

BugCheck C2: BAD_POOL_CALLER - 1600
BugCheck 19: BAD_POOL_HEADER - 434
BugCheck C5: DRIVER_CORRUPTED_EXPOOL - 207
BugCheck DE: POOL_CORRUPTION_IN_FILE_AREA - 106
BugCheck D0: DRIVER_CORRUPTED_MMPOOL - 8
BugCheck D6: DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION - 3
BugCheck CD: PAGE_FAULT_BEYOND_END_OF_ALLOCATION - 2
BugCheck C6: DRIVER_CAUGHT_MODIFYING_FREED_POOL - 0

Bugchecks 0xC2 and 0x19 carry arguments that indicate the type of detected pool corruption. Refer to WinDbg help for details or use the variant of the !analyze command that accepts optional bugcheck arguments:

1: kd> !analyze -show c2
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000000, The caller is requesting a zero byte pool allocation.
Arg2: 00000000, zero.
Arg3: 00000000, the pool type being allocated.
Arg4: 00000000, the pool tag being used.

1: kd> !analyze -show 19 2 1 1 1
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000002, the verifier pool pattern check failed.  The owner has likely corrupted the pool block
Arg2: 00000001, the pool entry being checked.
Arg3: 00000001, size of the block.
Arg4: 00000001, 0.

If we enable special pool on suspected drivers we might get these bugchecks too with the following Google frequency:

BugCheck C1: SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION - 59
BugCheck D5: DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL - 5
BugCheck CC: PAGE_FAULT_IN_FREED_SPECIAL_POOL - 1

Here is one example of nonpaged pool corruption detected during a free operation, with the following !analyze -v output:

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: a34583b8, The pool entry we were looking for within the page.
Arg3: a34584f0, The next pool entry.
Arg4: 0a270001, (reserved)

POOL_ADDRESS:  a34583b8 Nonpaged pool

PROCESS_NAME:  process.exe

CURRENT_IRQL:  2

STACK_TEXT: 
b80a60cc 808927bb nt!KeBugCheckEx+0x1b
b80a6134 80892b6f nt!ExFreePoolWithTag+0x477
b80a6144 b9591400 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
b80a615c b957b954 driver+0x38400
b80a617c b957d482 driver+0x22954
b80a61c0 b957abf4 driver+0x24482
b80a6260 b957ccef driver+0x21bf4
b80a62a8 8081df65 driver+0x23cef
b80a62bc f721ac45 nt!IofCallDriver+0x45
b80a62e4 8081df65 fltMgr!FltpDispatch+0x6f
b80a62f8 b99de70b nt!IofCallDriver+0x45
b80a6308 b99da6ee filter!Dispatch+0xfb
b80a6318 8081df65 filter!dispatch+0x6e
b80a632c b9bdebfe nt!IofCallDriver+0x45
b80a6334 8081df65 2ndfilter!Redirect+0x7ea
b80a6348 b9bd1756 nt!IofCallDriver+0x45
b80a6374 b9bd1860 3rdfilter!PassThrough+0x136
b80a6384 8081df65 3rdfilter!Dispatch+0x80
b80a6398 808f5437 nt!IofCallDriver+0x45
b80a63ac 808ef963 nt!IopSynchronousServiceTail+0x10b
b80a63d0 8088978c nt!NtQueryDirectoryFile+0x5d
b80a63d0 7c8285ec nt!KiFastCallEntry+0xfc
00139524 7c8274eb ntdll!KiFastSystemCallRet
00139528 77e6ba40 ntdll!NtQueryDirectoryFile+0xc
00139830 77e6bb5f kernel32!FindFirstFileExW+0x3d5
00139850 6002665e kernel32!FindFirstFileW+0x16
00139e74 60026363 process+0x2665e
0013a328 60027852 process+0x26363
0013a33c 60035b58 process+0x27852
0013b104 600385ff process+0x35b58
0013b224 612cb643 process+0x385ff
0013b988 612cc109 dll!FileDialog+0xc53
0013bba0 612cb47b dll!FileDialog+0x1719
0013c2c0 7739b6e3 dll!FileDialog+0xa8b
0013c2ec 77395f82 USER32!InternalCallWinProc+0x28
0013c368 77395e22 USER32!UserCallDlgProcCheckWow+0x147
0013c3b0 7739c9c6 USER32!DefDlgProcWorker+0xa8
0013c3d8 7c828536 USER32!__fnDWORD+0x24
0013c3d8 808308f4 ntdll!KiUserCallbackDispatcher+0x2e
b80a66b8 8091d6d1 nt!KiCallUserMode+0x4
b80a6710 bf8a2622 nt!KeUserModeCallback+0x8f
b80a6794 bf8a2517 win32k!SfnDWORD+0xb4
b80a67dc bf8a13d9 win32k!xxxSendMessageToClient+0x133
b80a6828 bf85ae67 win32k!xxxSendMessageTimeout+0x1a6
b80a684c bf8847a1 win32k!xxxWrapSendMessage+0x1b
b80a6868 bf8c1459 win32k!NtUserfnNCDESTROY+0x27
b80a68a0 8088978c win32k!NtUserMessageCall+0xc0
b80a68a0 7c8285ec nt!KiFastCallEntry+0xfc
0013c3d8 7c828536 ntdll!KiFastSystemCallRet
0013c3d8 808308f4 ntdll!KiUserCallbackDispatcher+0x2e
b80a6b7c 8091d6d1 nt!KiCallUserMode+0x4
b80a6bd4 bf8a2622 nt!KeUserModeCallback+0x8f
b80a6c58 bf8a23a0 win32k!SfnDWORD+0xb4
b80a6ca0 bf8a13d9 win32k!xxxSendMessageToClient+0x118
b80a6cec bf85ae67 win32k!xxxSendMessageTimeout+0x1a6
b80a6d10 bf8c148c win32k!xxxWrapSendMessage+0x1b
b80a6d40 8088978c win32k!NtUserMessageCall+0x9d
b80a6d40 7c8285ec nt!KiFastCallEntry+0xfc
0013f474 7c828536 ntdll!KiFastSystemCallRet
0013f4a0 7739d1ec ntdll!KiUserCallbackDispatcher+0x2e
0013f4dc 7738cf29 USER32!NtUserMessageCall+0xc
0013f4fc 612d3276 USER32!SendMessageA+0x7f
0013f63c 611add41 dll!SubWindow+0x3dc6
0013f658 7739b6e3 dll!SetWindowText+0x37a1
0013f684 7739b874 USER32!InternalCallWinProc+0x28
0013f6fc 7739ba92 USER32!UserCallWinProcCheckWow+0x151
0013f764 7739bad0 USER32!DispatchMessageWorker+0x327
0013f774 61221ca8 USER32!DispatchMessageW+0xf
0013f7e0 0040156d dll!MainLoop+0x2c8
0013ff24 00401dfa process+0x156d
0013ffc0 77e6f23b process+0x1dfa
0013fff0 00000000 kernel32!BaseProcessStart+0x23

MODULE_NAME: driver

IMAGE_NAME:  driver.sys

We see that WinDbg pointed to driver.sys by using a procedure described in one of my old minidump analysis posts: BugCheck C2 Minidump Analysis

However, any OS component could corrupt the pool prior to detection, as the bugcheck description says: “The pool is already corrupt at the time of the current request.” What other evidence can reinforce our belief in driver.sys? Let’s look at our pool entry tag first:

1: kd> !pool a34583b8
Pool page a34583b8 region is Nonpaged pool
 a3458000 size:  270 previous size:    0  (Allocated)  Thre (Protected)
 a3458270 size:   10 previous size:  270  (Free)       RxIr
 a3458280 size:   40 previous size:   10  (Allocated)  Vadl
 a34582c0 size:   98 previous size:   40  (Allocated)  File (Protected)
 a3458358 size:    8 previous size:   98  (Free)       Vadl
 a3458360 size:   50 previous size:    8  (Allocated)  Gsem
 a34583b0 size:    8 previous size:   50  (Free)       CcSc
*a34583b8 size:  138 previous size:    8  (Allocated) *DRIV
  Owning component : Unknown (update pooltag.txt)
a34584f0 is not a valid large pool allocation, checking large session pool...
a34584f0 is freed (or corrupt) pool
Bad allocation size @a34584f0, zero is invalid

***
*** An error (or corruption) in the pool was detected;
*** Attempting to diagnose the problem.
***
*** Use !poolval a3458000 for more details.
***

Pool page [ a3458000 ] is __inVALID.

Analyzing linked list...
[ a34583b8 --> a34583d8 (size = 0x20 bytes)]: Corrupt region
[ a34583f8 --> a34585e8 (size = 0x1f0 bytes)]: Corrupt region

Scanning for single bit errors...

None found

We see that the tag is DRIV and we know either from association or from similar problems in the past that it belongs to driver.sys. Let’s dump our pool entry contents to see if there are any symbolic hints in it:

1: kd> dps a34583b8
a34583b8 0a270001
a34583bc 5346574e
a34583c0 00000000
a34583c4 00000000
a34583c8 b958f532 driver+0x36532
a34583cc a3471010
a34583d0 0000012e
a34583d4 00000001
a34583d8 00041457
a34583dc 05af0026
a34583e0 00068002
a34583e4 7b9ec6f5
a34583e8 ffffff00
a34583ec 73650cff
a34583f0 7461445c
a34583f4 97a10061
a34583f8 ff340004
a34583fc c437862a
a3458400 6a000394
a3458404 00000038
a3458408 00000000
a345840c bf000000
a3458410 bf0741b5
a3458414 f70741b5
a3458418 00000000
a345841c 00000000
a3458420 00000000
a3458424 00000000
a3458428 05000000
a345842c 34303220
a3458430 31323332
a3458434 ff322d36

Indeed we see the possible code pointer driver+0x36532 and the code around this address looks normal:

3: kd> .asm no_code_bytes
Assembly options: no_code_bytes

3: kd> u b958f532
driver+0x36532:
b958f532 push    2Ch
b958f534 push    offset driver+0x68d08 (b95c1d08)
b958f539 call    driver+0x65c50 (b95bec50)
b958f53e mov     byte ptr [ebp-19h],0
b958f542 and     dword ptr [ebp-24h],0
b958f546 call    dword ptr [driver+0x65f5c (b95bef5c)]
b958f54c mov     ecx,dword ptr [ebp+0Ch]
b958f54f cmp     eax,ecx

3: kd> ub b958f532
driver+0x36528:
b958f528 leave
b958f529 ret     18h
b958f52c int     3
b958f52d int     3
b958f52e int     3
b958f52f int     3
b958f530 int     3
b958f531 int     3
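
The numbers in the bugcheck arguments and in the !pool listing above can be cross-checked by hand: every entry must start where the previous one ends, and the first dword of the pool entry (also reported as Arg4) encodes the sizes that lead to the next entry in Arg3. The Python sketch below is an added example, not code from the original post; it assumes the 32-bit pool header layout (9-bit PreviousSize, 7-bit PoolIndex, 9-bit BlockSize, 7-bit PoolType, sizes in 8-byte units), its function names are made up, and the header value used for a34584f0 is constructed, since the page shows only the "zero is invalid" message for it.

```python
import re

GRANULARITY = 8  # assumption: 32-bit pool blocks are sized in 8-byte units

# Entries copied from the "!pool a34583b8" output above.
POOL_LISTING = """\
 a3458000 size:  270 previous size:    0  (Allocated)  Thre (Protected)
 a3458270 size:   10 previous size:  270  (Free)       RxIr
 a3458280 size:   40 previous size:   10  (Allocated)  Vadl
 a34582c0 size:   98 previous size:   40  (Allocated)  File (Protected)
 a3458358 size:    8 previous size:   98  (Free)       Vadl
 a3458360 size:   50 previous size:    8  (Allocated)  Gsem
 a34583b0 size:    8 previous size:   50  (Free)       CcSc
*a34583b8 size:  138 previous size:    8  (Allocated) *DRIV
"""

ENTRY_RE = re.compile(
    r"^\*?\s*([0-9a-f]{8})\s+size:\s*([0-9a-f]+)\s+previous size:\s*([0-9a-f]+)"
    r"\s+\((\w+)\)\s+\*?(\S+)")


def parse_pool_listing(text):
    """Turn !pool entry lines into dicts; all numbers in the listing are hex."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            addr, size, prev = (int(x, 16) for x in m.group(1, 2, 3))
            entries.append({"addr": addr, "size": size, "prev_size": prev,
                            "state": m.group(4), "tag": m.group(5)})
    return entries


def check_chain(entries):
    """Report neighbours whose addresses or sizes do not agree."""
    problems = []
    for cur, nxt in zip(entries, entries[1:]):
        if cur["addr"] + cur["size"] != nxt["addr"]:
            problems.append("%08x does not end at %08x" % (cur["addr"], nxt["addr"]))
        if nxt["prev_size"] != cur["size"]:
            problems.append("%08x has wrong previous size" % nxt["addr"])
    return problems


def decode_pool_header(dword):
    """Split the first dword of a 32-bit pool header into its bit fields."""
    return {"prev_size": (dword & 0x1FF) * GRANULARITY,
            "pool_index": (dword >> 9) & 0x7F,
            "block_size": ((dword >> 16) & 0x1FF) * GRANULARITY,
            "pool_type": (dword >> 25) & 0x7F}


def check_forward_link(header, next_header):
    """Compare a block's header with the header found right after the block."""
    cur, nxt = decode_pool_header(header), decode_pool_header(next_header)
    problems = []
    if nxt["block_size"] == 0:
        problems.append("next block size is zero")
    if nxt["prev_size"] != cur["block_size"]:
        problems.append("next block previous size %x != block size %x"
                        % (nxt["prev_size"], cur["block_size"]))
    return problems


if __name__ == "__main__":
    entries = parse_pool_listing(POOL_LISTING)
    print(check_chain(entries))                  # entries up to a34583b8 agree
    header = decode_pool_header(0x0A270001)      # Arg4 / first dword at a34583b8
    print(hex(0xA34583B8 + header["block_size"]))  # address of the next entry
    # Constructed header for a34584f0 (not shown on the page): all zero.
    print(check_forward_link(0x0A270001, 0x00000000))
```

The chain is consistent up to and including a34583b8, so the damage lies at or beyond the end of that block, which agrees with the first corrupt region reported by the linked list analysis starting at a34583b8.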

- Dmitry Vostokov @ DumpAnalysis.org -

Bug Check Frequencies

Wednesday, March 12th, 2008

259 bugchecks are documented in WinDbg help. I did a Google search for every one, and here is the distribution graph of their search results, cut off for data with fewer than 10 matches:

Of course, there is some noise, and matches do not always correspond to WinDbg bugcheck analysis output, but we can get a rough idea of bugcheck frequency. For example, unhandled exceptions in kernel mode, IRQL contract violations, pool corruption and hardware failures are the most frequent. Here is the full table:

BugCheck 1000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M - 3440
BugCheck A: IRQL_NOT_LESS_OR_EQUAL - 2890
BugCheck D1: DRIVER_IRQL_NOT_LESS_OR_EQUAL - 2840
BugCheck 50: PAGE_FAULT_IN_NONPAGED_AREA - 2040
BugCheck C2: BAD_POOL_CALLER - 1600
BugCheck 9C: MACHINE_CHECK_EXCEPTION - 1150
BugCheck 1000007F: UNEXPECTED_KERNEL_MODE_TRAP_M - 1070
BugCheck 7E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED - 998
BugCheck 1000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M - 917
BugCheck 7F: UNEXPECTED_KERNEL_MODE_TRAP - 834
BugCheck 4E: PFN_LIST_CORRUPT - 799
BugCheck 24: NTFS_FILE_SYSTEM - 697
BugCheck 8E: KERNEL_MODE_EXCEPTION_NOT_HANDLED - 686
BugCheck 1E: KMODE_EXCEPTION_NOT_HANDLED - 571
BugCheck 100000EA: THREAD_STUCK_IN_DEVICE_DRIVER_M - 450
BugCheck EA: THREAD_STUCK_IN_DEVICE_DRIVER - 446
BugCheck 19: BAD_POOL_HEADER - 434
BugCheck F4: CRITICAL_OBJECT_TERMINATION - 397
BugCheck 1A: MEMORY_MANAGEMENT - 373
BugCheck C4: DRIVER_VERIFIER_DETECTED_VIOLATION - 360
BugCheck 7B: INACCESSIBLE_BOOT_DEVICE - 347
BugCheck 1: APC_INDEX_MISMATCH - 242
BugCheck 77: KERNEL_STACK_INPAGE_ERROR - 240
BugCheck FE: BUGCODE_USB_DRIVER - 239
BugCheck 44: MULTIPLE_IRP_COMPLETE_REQUESTS - 216
BugCheck C5: DRIVER_CORRUPTED_EXPOOL - 207
BugCheck 124: WHEA_UNCORRECTABLE_ERROR - 204
BugCheck C000021A: STATUS_SYSTEM_PROCESS_TERMINATED - 187
BugCheck 20: KERNEL_APC_PENDING_DURING_EXIT - 168
BugCheck B8: ATTEMPTED_SWITCH_FROM_DPC - 124
BugCheck 5: INVALID_PROCESS_ATTACH_ATTEMPT - 123
BugCheck C: MAXIMUM_WAIT_OBJECTS_EXCEEDED - 110
BugCheck 7A: KERNEL_DATA_INPAGE_ERROR - 110
BugCheck DE: POOL_CORRUPTION_IN_FILE_AREA - 106
BugCheck A0: INTERNAL_POWER_ERROR - 104
BugCheck FC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY - 101
BugCheck 9F: DRIVER_POWER_STATE_FAILURE - 98
BugCheck E2: MANUALLY_INITIATED_CRASH - 98
BugCheck 2: DEVICE_QUEUE_NOT_BUSY - 97
BugCheck AB: SESSION_HAS_VALID_POOL_ON_EXIT - 86
BugCheck 93: INVALID_KERNEL_HANDLE - 83
BugCheck 51: REGISTRY_ERROR - 73
BugCheck 3: INVALID_AFFINITY_SET - 71
BugCheck 35: NO_MORE_IRP_STACK_LOCATIONS - 71
BugCheck 3B: SYSTEM_SERVICE_EXCEPTION - 70
BugCheck CE: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS - 65
BugCheck C1: SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION - 59
BugCheck E3: RESOURCE_NOT_OWNED - 43
BugCheck 109: CRITICAL_STRUCTURE_CORRUPTION - 33
BugCheck E: NO_USER_MODE_CONTEXT - 32
BugCheck D: MUTEX_LEVEL_NUMBER_VIOLATION - 23
BugCheck 12: TRAP_CAUSE_UNKNOWN - 14
BugCheck 23: FAT_FILE_SYSTEM - 10
BugCheck 116: VIDEO_TDR_ERROR - 10
BugCheck 9: IRQL_NOT_GREATER_OR_EQUAL - 9
BugCheck 10D: WDF_VIOLATION - 9
BugCheck 4: INVALID_DATA_ACCESS_TRAP - 8
BugCheck 6: INVALID_PROCESS_DETACH_ATTEMPT - 8
BugCheck 3F: NO_MORE_SYSTEM_PTES - 8
BugCheck C9: DRIVER_VERIFIER_IOMANAGER_VIOLATION - 8
BugCheck D0: DRIVER_CORRUPTED_MMPOOL - 8
BugCheck 117: VIDEO_TDR_TIMEOUT_DETECTED - 8
BugCheck F: SPIN_LOCK_ALREADY_OWNED - 7
BugCheck 11: THREAD_NOT_MUTEX_OWNER - 6
BugCheck 6B: PROCESS1_INITIALIZATION_FAILED - 6
BugCheck BE: ATTEMPTED_WRITE_TO_READONLY_MEMORY - 6
BugCheck B: NO_EXCEPTION_HANDLING_SUPPORT - 5
BugCheck 27: RDR_FILE_SYSTEM - 5
BugCheck 41: MUST_SUCCEED_POOL_EMPTY - 5
BugCheck 96: INVALID_WORK_QUEUE_ITEM - 5
BugCheck D5: DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL - 5
BugCheck DA: SYSTEM_PTE_MISUSE - 5
BugCheck E1: WORKER_THREAD_RETURNED_AT_BAD_IRQL - 5
BugCheck E6: DRIVER_VERIFIER_DMA_VIOLATION - 5
BugCheck 10E: VIDEO_MEMORY_MANAGEMENT_INTERNAL - 5
BugCheck 8: IRQL_NOT_DISPATCH_LEVEL - 4
BugCheck 18: REFERENCE_BY_POINTER - 4
BugCheck 34: CACHE_MANAGER - 4
BugCheck 76: PROCESS_HAS_LOCKED_PAGES - 4
BugCheck CA: PNP_DETECTED_FATAL_ERROR - 4
BugCheck CB: DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS - 4
BugCheck D2: BUGCODE_ID_DRIVER - 4
BugCheck D4: SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD - 4
BugCheck D9: LOCKED_PAGES_TRACKER_CORRUPTION - 4
BugCheck F7: DRIVER_OVERRAN_STACK_BUFFER - 4
BugCheck 101: CLOCK_WATCHDOG_TIMEOUT - 4
BugCheck C0000218: STATUS_CANNOT_LOAD_REGISTRY_FILE - 4
BugCheck 7: INVALID_SOFTWARE_INTERRUPT - 3
BugCheck 13: EMPTY_THREAD_REAPER_LIST - 3
BugCheck 14: CREATE_DELETE_LOCK_NOT_LOCKED - 3
BugCheck 22: FILE_SYSTEM - 3
BugCheck 29: SECURITY_SYSTEM - 3
BugCheck 39: SYSTEM_EXIT_OWNED_MUTEX - 3
BugCheck 46: DEREF_UNKNOWN_LOGON_SESSION - 3
BugCheck 4D: NO_PAGES_AVAILABLE - 3
BugCheck 9E: USER_MODE_HEALTH_MONITOR - 3
BugCheck BA: SESSION_HAS_VALID_VIEWS_ON_EXIT - 3
BugCheck D3: DRIVER_PORTION_MUST_BE_NONPAGED - 3
BugCheck D6: DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION - 3
BugCheck E7: INVALID_FLOATING_POINT_STATE - 3
BugCheck 100: LOADER_BLOCK_MISMATCH - 3
BugCheck 106: AGP_ILLEGALLY_REPROGRAMMED - 3
BugCheck DEADDEAD: MANUALLY_INITIATED_CRASH1 - 3
BugCheck 10: SPIN_LOCK_NOT_OWNED - 2
BugCheck 21: QUOTA_UNDERFLOW - 2
BugCheck 26: CDFS_FILE_SYSTEM - 2
BugCheck 30: SET_OF_INVALID_CONTEXT - 2
BugCheck 33: UNEXPECTED_INITIALIZATION_CALL - 2
BugCheck 36: DEVICE_REFERENCE_COUNT_NOT_ZERO - 2
BugCheck 37: FLOPPY_INTERNAL_ERROR - 2
BugCheck 40: TARGET_MDL_TOO_SMALL - 2
BugCheck 42: ATDISK_DRIVER_INTERNAL - 2
BugCheck 4A: IRQL_GT_ZERO_AT_SYSTEM_SERVICE - 2
BugCheck 72: ASSIGN_DRIVE_LETTERS_FAILED - 2
BugCheck 73: CONFIG_LIST_FAILED - 2
BugCheck CD: PAGE_FAULT_BEYOND_END_OF_ALLOCATION - 2
BugCheck CF: TERMINAL_SERVER_DRIVER_MADE_INCORRECT_MEMORY_REFERENCE - 2
BugCheck E4: WORKER_INVALID - 2
BugCheck 104: AGP_INVALID_ACCESS - 2
BugCheck 15: LAST_CHANCE_CALLED_FROM_KMODE - 1
BugCheck 16: CID_HANDLE_CREATION - 1
BugCheck 17: CID_HANDLE_DELETION - 1
BugCheck 28: CORRUPT_ACCESS_TOKEN - 1
BugCheck 38: SERIAL_DRIVER_INTERNAL - 1
BugCheck 43: NO_SUCH_PARTITION - 1
BugCheck 45: INSUFFICIENT_SYSTEM_MAP_REGS - 1
BugCheck 48: CANCEL_STATE_IN_COMPLETED_IRP - 1
BugCheck 49: PAGE_FAULT_WITH_INTERRUPTS_OFF - 1
BugCheck 57: XNS_INTERNAL_ERROR - 1
BugCheck 58: FTDISK_INTERNAL_ERROR - 1
BugCheck 5C: HAL_INITIALIZATION_FAILED - 1
BugCheck 60: PROCESS_INITIALIZATION_FAILED - 1
BugCheck 62: OBJECT1_INITIALIZATION_FAILED - 1
BugCheck 63: SECURITY1_INITIALIZATION_FAILED - 1
BugCheck 64: SYMBOLIC_INITIALIZATION_FAILED - 1
BugCheck 67: CONFIG_INITIALIZATION_FAILED - 1
BugCheck 68: FILE_INITIALIZATION_FAILED - 1
BugCheck 70: SESSION4_INITIALIZATION_FAILED - 1
BugCheck 74: BAD_SYSTEM_CONFIG_INFO - 1
BugCheck 75: CANNOT_WRITE_CONFIGURATION - 1
BugCheck 79: MISMATCHED_HAL - 1
BugCheck 7D: INSTALL_MORE_MEMORY - 1
BugCheck 80: NMI_HARDWARE_FAILURE - 1
BugCheck 82: DFS_FILE_SYSTEM - 1
BugCheck 85: SETUP_FAILURE - 1
BugCheck 99: INVALID_REGION_OR_SEGMENT - 1
BugCheck A1: PCI_BUS_DRIVER_INTERNAL - 1
BugCheck BF: MUTEX_ALREADY_OWNED - 1
BugCheck CC: PAGE_FAULT_IN_FREED_SPECIAL_POOL - 1
BugCheck DB: DRIVER_CORRUPTED_SYSPTES - 1
BugCheck E8: INVALID_CANCEL_OF_FILE_OPEN - 1
BugCheck ED: UNMOUNTABLE_BOOT_VOLUME - 1
BugCheck FD: DIRTY_NOWRITE_PAGES_CONGESTION - 1
BugCheck 108: THIRD_PARTY_FILE_SYSTEM_FAILURE - 1
BugCheck 111: RECURSIVE_NMI - 1
BugCheck 121: DRIVER_VIOLATION - 1
BugCheck 122: WHEA_INTERNAL_ERROR - 1
BugCheck 1B: PFN_SHARE_COUNT - 0
BugCheck 1C: PFN_REFERENCE_COUNT - 0
BugCheck 1D: NO_SPIN_LOCK_AVAILABLE - 0
BugCheck 1F: SHARED_RESOURCE_CONV_ERROR - 0
BugCheck 25: NPFS_FILE_SYSTEM - 0
BugCheck 2A: INCONSISTENT_IRP - 0
BugCheck 2B: PANIC_STACK_SWITCH - 0
BugCheck 2C: PORT_DRIVER_INTERNAL - 0
BugCheck 2D: SCSI_DISK_DRIVER_INTERNAL - 0
BugCheck 2E: DATA_BUS_ERROR - 0
BugCheck 2F: INSTRUCTION_BUS_ERROR - 0
BugCheck 31: PHASE0_INITIALIZATION_FAILED - 0
BugCheck 32: PHASE1_INITIALIZATION_FAILED - 0
BugCheck 3A: SYSTEM_UNWIND_PREVIOUS_USER - 0
BugCheck 3C: INTERRUPT_UNWIND_ATTEMPTED - 0
BugCheck 3D: INTERRUPT_EXCEPTION_NOT_HANDLED - 0
BugCheck 3E: MULTIPROCESSOR_CONFIGURATION_NOT_SUPPORTED - 0
BugCheck 47: REF_UNKNOWN_LOGON_SESSION - 0
BugCheck 4B: STREAMS_INTERNAL_ERROR - 0
BugCheck 4C: FATAL_UNHANDLED_HARD_ERROR - 0
BugCheck 4F: NDIS_INTERNAL_ERROR - 0
BugCheck 52: MAILSLOT_FILE_SYSTEM - 0
BugCheck 53: NO_BOOT_DEVICE - 0
BugCheck 54: LM_SERVER_INTERNAL_ERROR - 0
BugCheck 55: DATA_COHERENCY_EXCEPTION - 0
BugCheck 56: INSTRUCTION_COHERENCY_EXCEPTION - 0
BugCheck 59: PINBALL_FILE_SYSTEM - 0
BugCheck 5A: CRITICAL_SERVICE_FAILED - 0
BugCheck 5B: SET_ENV_VAR_FAILED - 0
BugCheck 5D: UNSUPPORTED_PROCESSOR - 0
BugCheck 5E: OBJECT_INITIALIZATION_FAILED - 0
BugCheck 5F: SECURITY_INITIALIZATION_FAILED - 0
BugCheck 61: HAL1_INITIALIZATION_FAILED - 0
BugCheck 65: MEMORY1_INITIALIZATION_FAILED - 0
BugCheck 66: CACHE_INITIALIZATION_FAILED - 0
BugCheck 69: IO1_INITIALIZATION_FAILED - 0
BugCheck 6A: LPC_INITIALIZATION_FAILED - 0
BugCheck 6C: REFMON_INITIALIZATION_FAILED - 0
BugCheck 6D: SESSION1_INITIALIZATION_FAILED - 0
BugCheck 6E: SESSION2_INITIALIZATION_FAILED - 0
BugCheck 6F: SESSION3_INITIALIZATION_FAILED - 0
BugCheck 71: SESSION5_INITIALIZATION_FAILED - 0
BugCheck 78: PHASE0_EXCEPTION - 0
BugCheck 7C: BUGCODE_NDIS_DRIVER - 0
BugCheck 81: SPIN_LOCK_INIT_FAILURE - 0
BugCheck 8B: MBR_CHECKSUM_MISMATCH - 0
BugCheck 8F: PP0_INITIALIZATION_FAILED - 0
BugCheck 90: PP1_INITIALIZATION_FAILED - 0
BugCheck 92: UP_DRIVER_ON_MP_SYSTEM - 0
BugCheck 94: KERNEL_STACK_LOCKED_AT_EXIT - 0
BugCheck 97: BOUND_IMAGE_UNSUPPORTED - 0
BugCheck 98: END_OF_NT_EVALUATION_PERIOD - 0
BugCheck 9A: SYSTEM_LICENSE_VIOLATION - 0
BugCheck 9B: UDFS_FILE_SYSTEM - 0
BugCheck A2: MEMORY_IMAGE_CORRUPT - 0
BugCheck A3: ACPI_DRIVER_INTERNAL - 0
BugCheck A4: CNSS_FILE_SYSTEM_FILTER - 0
BugCheck A5: ACPI_BIOS_ERROR - 0
BugCheck A7: BAD_EXHANDLE - 0
BugCheck AC: HAL_MEMORY_ALLOCATION - 0
BugCheck AD: VIDEO_DRIVER_DEBUG_REPORT_REQUEST - 0
BugCheck B4: VIDEO_DRIVER_INIT_FAILURE - 0
BugCheck B9: CHIPSET_DETECTED_ERROR - 0
BugCheck BB: NETWORK_BOOT_INITIALIZATION_FAILED - 0
BugCheck BC: NETWORK_BOOT_DUPLICATE_ADDRESS - 0
BugCheck C6: DRIVER_CAUGHT_MODIFYING_FREED_POOL - 0
BugCheck C7: TIMER_OR_DPC_INVALID - 0
BugCheck C8: IRQL_UNEXPECTED_VALUE - 0
BugCheck D7: DRIVER_UNMAPPING_INVALID_VIEW - 0
BugCheck D8: DRIVER_USED_EXCESSIVE_PTES - 0
BugCheck DC: DRIVER_INVALID_STACK_ACCESS - 0
BugCheck DF: IMPERSONATING_WORKER_THREAD - 0
BugCheck E0: ACPI_BIOS_FATAL_ERROR - 0
BugCheck E9: ACTIVE_EX_WORKER_THREAD_TERMINATION - 0
BugCheck EB: DIRTY_MAPPED_PAGES_CONGESTION - 0
BugCheck EC: SESSION_HAS_VALID_SPECIAL_POOL_ON_EXIT - 0
BugCheck EF: CRITICAL_PROCESS_DIED - 0
BugCheck F1: SCSI_VERIFIER_DETECTED_VIOLATION - 0
BugCheck F3: DISORDERLY_SHUTDOWN - 0
BugCheck F5: FLTMGR_FILE_SYSTEM - 0
BugCheck F6: PCI_VERIFIER_DETECTED_VIOLATION - 0
BugCheck F8: RAMDISK_BOOT_INITIALIZATION_FAILED - 0
BugCheck F9: DRIVER_RETURNED_STATUS_REPARSE_FOR_VOLUME_OPEN - 0
BugCheck FA: HTTP_DRIVER_CORRUPTED - 0
BugCheck FF: RESERVE_QUEUE_OVERFLOW - 0
BugCheck 105: AGP_GART_CORRUPTION - 0
BugCheck 10A: APP_TAGGING_INITIALIZATION_FAILED - 0
BugCheck 10C: FSRTL_EXTRA_CREATE_PARAMETER_VIOLATION - 0
BugCheck 10F: RESOURCE_MANAGER_EXCEPTION_NOT_HANDLED - 0
BugCheck 112: MSRPC_STATE_VIOLATION - 0
BugCheck 113: VIDEO_DXGKRNL_FATAL_ERROR - 0
BugCheck 114: VIDEO_SHADOW_DRIVER_FATAL_ERROR - 0
BugCheck 115: AGP_INTERNAL - 0
BugCheck 119: VIDEO_SCHEDULER_INTERNAL_ERROR - 0
BugCheck 11A: EM_INITIALIZATION_FAILURE - 0
BugCheck 11B: DRIVER_RETURNED_HOLDING_CANCEL_LOCK - 0
BugCheck 11C: ATTEMPTED_WRITE_TO_CM_PROTECTED_STORAGE - 0
BugCheck 11D: EVENT_TRACING_FATAL_ERROR - 0
BugCheck 127: PAGE_NOT_ZERO - 0
BugCheck 12B: FAULTY_HARDWARE_CORRUPTED_PAGE - 0
BugCheck 12C: EXFAT_FILE_SYSTEM - 0
BugCheck C0000221: STATUS_IMAGE_CHECKSUM_MISMATCH - 0

- Dmitry Vostokov @ DumpAnalysis.org -