  Message 1 of 13  
10 Aug 17 12:56
Kunal
xxxxxx@hotmail.com
Join Date: 13 Jun 2017
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

Hi,

I received a dump from the customer with USER_MODE_HEALTH_MONITOR bugcheck. Upon dump analysis, I saw several threads of my filter driver in "WAIT: (Suspended)" state for around 20 mins. Below is one of the callstacks:

-------------------------------------
0: kd> !thread fffffa8012f0e5e0
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
    fffffa8012f0e8b8 Semaphore Limit 0x2
IRP List:
    fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Context Switch Count 3126429 IdealProcessor: 0
UserTime 00:01:37.625
KernelTime 00:13:13.250
Win32 Start Address 0x0000000010376284
Stack Init fffff8800b183db0 Current fffff8800b182340
Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`0b182380 fffff800`01ec4142 : fffffa80`0f65b001 fffffa80`12f0e5e0 fffff800`0203ce80 fffff880`00000008 : nt!KiSwapContext+0x7a
fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 fffffa80`00000005 fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200 fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
fffff880`0b182740 fffff880`05b233c1 : fffffa80`12438000 fffff880`00000000 fffff880`0b182800 fffff880`0b182a00 : nt!KeWaitForSingleObject+0x19f
:
:
-----------------------------------------------------------------------------------

I am calling KeWaitForSingleObject() from my filter driver and I have specified timeout value of 45 seconds.

What can be the reason for 25 mins wait even though I have specified timeout of 45 seconds? Also what does KiDeliverApc() mean in this context?

Appreciate any help on this.

Thanks,
Kunal
  Message 2 of 13  
10 Aug 17 13:11
Kunal
xxxxxx@hotmail.com
Join Date: 13 Jun 2017
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

I could also see another thread with my driver in the callstack with a Trap frame as follows:

------------------------------------
0: kd> !thread fffffa800c40f7f0
THREAD fffffa800c40f7f0 Cid 1df0.027c Teb: 000007ffffec8000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
    fffffa800c40fac8 Semaphore Limit 0x2
IRP List:
    fffffa80170346c0: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051154 Ticks: 98636 (0:00:25:41.187)
Context Switch Count 2688470 IdealProcessor: 1
UserTime 00:01:20.812
KernelTime 00:13:51.890
Win32 Start Address 0x0000000010376284
Stack Init fffff88005c27db0 Current fffff88005c265c0
Base fffff88005c28000 Limit fffff88005c22000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`05c26600 fffff800`01ec4142 : 00000000`00000000 fffffa80`0c40f7f0 00000000`00000000 fffff800`021aba78 : nt!KiSwapContext+0x7a
fffff880`05c26740 fffff800`01ec696f : fffffa80`0d002de0 fffff880`05c26b50 fffffa80`00000000 fffffa80`119320e4 : nt!KiCommitThreadWait+0x1d2
fffff880`05c267d0 fffff800`01eb1ee0 : fffff880`05c26800 fffff880`00000005 fffffa80`0c40f700 fffff800`01ebe000 : nt!KeWaitForSingleObject+0x19f
fffff880`05c26870 fffff800`01eb2b7d : fffffa80`0c40f7f0 fffff880`05c26930 54d338c3`00010000 00000000`00000000 : nt!KiSuspendThread+0x54
fffff880`05c268b0 fffff800`01eb2df7 : 00000000`09e97285 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`05c26930 fffff880`05b50a61 : 4f73e71d`f28b33f1 acf85ec3`08e49586 93804e29`b007765f aaf994a9`20b19db4 : nt!KiApcInterrupt+0xd7 (TrapFrame @ fffff880`05c26930)
fffff880`05c26ac0 4f73e71d`f28b33f1 : acf85ec3`08e49586 93804e29`b007765f aaf994a9`20b19db4 36d4a682`d2d94433 : <mydriver>!sha1_block_data_order+0xfa1
:
:
-----------------------------------------------

How can I proceed to find the root cause?

Thanks,
Kunal
  Message 3 of 13  
10 Aug 17 17:47
taehwa lee
xxxxxx@gmail.com
Join Date: 26 Jun 2006
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

Could we see all of the threads in DxDmService.exe?
Usually, there might be Wer to handle an exception if threads are suspended.

Best regards
Taehwa

On Fri, Aug 11, 2017 at 2:09 AM, xxxxx@hotmail.com <xxxxx@lists.osr.com> wrote:

> I could also see another thread with my driver in the callstack with a
> Trap frame as follows:
>
> ------------------------------------
> 0: kd> !thread fffffa800c40f7f0
> THREAD fffffa800c40f7f0 Cid 1df0.027c Teb: 000007ffffec8000 Win32Thread:
> 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
> SuspendCount 1
> fffffa800c40fac8 Semaphore Limit 0x2
> IRP List:
<...excess quoted lines suppressed...>
  Message 4 of 13  
11 Aug 17 00:40
Kunal
xxxxxx@hotmail.com
Join Date: 13 Jun 2017
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

There are 12 threads in DxDmService.exe with my driver in callstack. Also, all of them have KiDeliverApc() in the callstack. Here are 2 unique threads from DxDmService. There are multiple instances of these threads.

0: kd> !thread fffffa800c40f7f0
THREAD fffffa800c40f7f0 Cid 1df0.027c Teb: 000007ffffec8000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
    fffffa800c40fac8 Semaphore Limit 0x2
IRP List:
    fffffa80170346c0: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051154 Ticks: 98636 (0:00:25:41.187)
Context Switch Count 2688470 IdealProcessor: 1
UserTime 00:01:20.812
KernelTime 00:13:51.890
Win32 Start Address 0x0000000010376284
Stack Init fffff88005c27db0 Current fffff88005c265c0
Base fffff88005c28000 Limit fffff88005c22000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`05c26600 fffff800`01ec4142 : 00000000`00000000 fffffa80`0c40f7f0 00000000`00000000 fffff800`021aba78 : nt!KiSwapContext+0x7a
fffff880`05c26740 fffff800`01ec696f : fffffa80`0d002de0 fffff880`05c26b50 fffffa80`00000000 fffffa80`119320e4 : nt!KiCommitThreadWait+0x1d2
fffff880`05c267d0 fffff800`01eb1ee0 : fffff880`05c26800 fffff880`00000005 fffffa80`0c40f700 fffff800`01ebe000 : nt!KeWaitForSingleObject+0x19f
fffff880`05c26870 fffff800`01eb2b7d : fffffa80`0c40f7f0 fffff880`05c26930 54d338c3`00010000 00000000`00000000 : nt!KiSuspendThread+0x54
fffff880`05c268b0 fffff800`01eb2df7 : 00000000`09e97285 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`05c26930 fffff880`05b50a61 : 4f73e71d`f28b33f1 acf85ec3`08e49586 93804e29`b007765f aaf994a9`20b19db4 : nt!KiApcInterrupt+0xd7 (TrapFrame @ fffff880`05c26930)
fffff880`05c26ac0 4f73e71d`f28b33f1 : acf85ec3`08e49586 93804e29`b007765f aaf994a9`20b19db4 36d4a682`d2d94433 : <mydriver>!sha1_block_data_order+0xfa1
fffff880`05c26ac8 acf85ec3`08e49586 : 93804e29`b007765f aaf994a9`20b19db4 36d4a682`d2d94433 375b9d91`2ab7b9f6 : 0x4f73e71d`f28b33f1
fffff880`05c26ad0 93804e29`b007765f : aaf994a9`20b19db4 36d4a682`d2d94433 375b9d91`2ab7b9f6 64bf0ad8`2e7e99fb : 0xacf85ec3`08e49586
fffff880`05c26ad8 aaf994a9`20b19db4 : 36d4a682`d2d94433 375b9d91`2ab7b9f6 64bf0ad8`2e7e99fb 43011eb3`e6e49515 : 0x93804e29`b007765f
fffff880`05c26ae0 36d4a682`d2d94433 : 375b9d91`2ab7b9f6 64bf0ad8`2e7e99fb 43011eb3`e6e49515 fffff880`05c26b20 : 0xaaf994a9`20b19db4
fffff880`05c26ae8 375b9d91`2ab7b9f6 : 64bf0ad8`2e7e99fb 43011eb3`e6e49515 fffff880`05c26b20 fffff880`05b0921e : 0x36d4a682`d2d94433
fffff880`05c26af0 64bf0ad8`2e7e99fb : 43011eb3`e6e49515 fffff880`05c26b20 fffff880`05b0921e fffff880`00000000 : 0x375b9d91`2ab7b9f6
fffff880`05c26af8 43011eb3`e6e49515 : fffff880`05c26b20 fffff880`05b0921e fffff880`00000000 00000000`00000000 : 0x64bf0ad8`2e7e99fb
fffff880`05c26b00 fffff880`05c26b20 : fffff880`05b0921e fffff880`00000000 00000000`00000000 fffffa80`170346c0 : 0x43011eb3`e6e49515
fffff880`05c26b08 fffff880`05b0921e : fffff880`00000000 00000000`00000000 fffffa80`170346c0 00000000`00000000 : 0xfffff880`05c26b20
fffff880`05c26b10 fffff880`05b45e9e : fffff8a0`21047470 fffff8a0`15eb2000 00000000`00010000 fffff880`05c26bb0 : <mydriver>!qfile_read+0x14e [d:\build_692379\<build>\common\qlib\qfile_winnt_kern.c @ 263]
fffff880`05c26b90 fffff880`05b45a22 : fffff880`05c26f80 fffff8a0`23625250 fffff880`05c2711a 00000000`00000000 : <mydriver>!qcksum_sha1_file+0x1ce [d:\build_692379\<build>\common\qlib\qcksum.c @ 323]
fffff880`05c26c00 fffff880`05b2840b : fffff880`00000002 fffff880`05c26f80 fffff8a0`23625250 fffff880`05c27118 : <mydriver>!qcksum_compute_file+0xf2 [d:\build_692379\<build>\common\qlib\qcksum.c @ 541]
fffff880`05c26c50 fffff880`05b35629 : fffff880`05c26f80 fffff8a0`23625250 fffff880`05c27118 00000000`000d477a : <mydriver>!scan_calculate_checksum_file+0x4b [d:\build_692379\<build>\optimizer\scan\scan.c @ 233]
fffff880`05c26ca0 fffff880`05b12865 : fffff880`05c270e0 fffff880`05c26fc0 fffff880`05c27088 00000000`00000028 : <mydriver>!scan_check_access_perm+0x8e9 [d:\build_692379\<build>\optimizer\scan\scan.c @ 4524]
fffff880`05c26f00 fffff880`05b10157 : fffffa80`1a1a38d0 fffff880`05c27448 fffff880`05c273d8 fffff880`014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff880`05c273b0 fffff880`01273288 : fffffa80`1a1a38d0 fffff880`05c27448 00000000`00000000 00000000`00000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff880`05c27400 fffff880`01271d1b : fffffa80`1ff0d4c0 fffffa80`1a1a3970 fffffa80`14b11010 fffffa80`14b11230 : fltmgr!FltpPerformPostCallbacks+0x368
fffff880`05c274d0 fffff880`012912b9 : fffffa80`170346c0 fffffa80`1265b800 fffffa80`17034600 fffffa80`0d002de0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff880`05c27560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`05c27610 fffff880`012912b9 : fffffa80`170346c0 fffffa80`0b42a800 fffffa80`17034600 fffffa80`0ee64de0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`05c276a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`09446d10 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`05c27750 fffff800`021bedde : fffffa80`0c1167e0 00000000`00000000 fffffa80`19841530 00000000`00000701 : nt!IopParseDevice+0x14e2
fffff880`05c278b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`05c27a30 fffff8a0`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
fffff880`05c279b0 fffff800`021c16bc : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByName+0x306
fffff880`05c27a80 fffff800`021ccd34 : 00000000`2820a5e8 fffff800`c0110098 00000000`2820a638 00000000`2820a5f8 : nt!IopCreateFile+0x2bc
fffff880`05c27b20 fffff800`01ebe0d3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`2820c9e0 : nt!NtCreateFile+0x78
fffff880`05c27bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05c27c20)
00000000`2820a568 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a

0: kd> !thread fffffa8012f0e5e0
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
    fffffa8012f0e8b8 Semaphore Limit 0x2
IRP List:
    fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Context Switch Count 3126429 IdealProcessor: 0
UserTime 00:01:37.625
KernelTime 00:13:13.250
Win32 Start Address 0x0000000010376284
Stack Init fffff8800b183db0 Current fffff8800b182340
Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`0b182380 fffff800`01ec4142 : fffffa80`0f65b001 fffffa80`12f0e5e0 fffff800`0203ce80 fffff880`00000008 : nt!KiSwapContext+0x7a
fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 fffffa80`00000005 fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200 fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
fffff880`0b182740 fffff880`05b233c1 : fffffa80`12438000 fffff880`00000000 fffff880`0b182800 fffff880`0b182a00 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1827e0 fffff880`05b1dd93 : fffffa80`0f5d9530 fffff8a0`00f45300 00000000`0000005a fffff8a0`00000000 : <mydriver>!ivmc_wsk_recv_data+0x211 [d:\build_692379\<build>\optimizer\ivmc\ivmc_ksocket.c @ 435]
fffff880`0b182870 fffff880`05b2f27e : fffff880`05bc9c28 fffff8a0`00f45300 fffff880`0000005a fffff880`00000000 : <mydriver>!ivmc_read_all+0x93 [d:\build_692379\<build>\optimizer\ivmc\ivmc.c @ 426]
fffff880`0b1828e0 fffff880`05b30ca0 : fffff880`05bc9c28 fffff880`0b182fc0 fffff880`0b182a48 fffff8a0`1fdf65e0 : <mydriver>!scan_process_response+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 2562]
fffff880`0b1829c0 fffff880`05b3227b : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`00000001 fffff880`0b183148 : <mydriver>!scan_process_file_scan_response+0xb0 [d:\build_692379\<build>\optimizer\scan\scan.c @ 3028]
fffff880`0b182a90 fffff880`05b35b56 : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`69435351 00000000`000007ff : <mydriver>!scan_file_with_file_transfer+0x99b [d:\build_692379\<build>\optimizer\scan\scan.c @ 3416]
fffff880`0b182ca0 fffff880`05b12865 : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`0b183088 00000000`00000028 : <mydriver>!scan_check_access_perm+0xe16 [d:\build_692379\<build>\optimizer\scan\scan.c @ 4617]
fffff880`0b182f00 fffff880`05b10157 : fffffa80`08bd9380 fffff880`0b183448 fffff880`0b1833d8 fffff880`014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff880`0b1833b0 fffff880`01273288 : fffffa80`08bd9380 fffff880`0b183448 00000000`00000000 00000000`00000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff880`0b183400 fffff880`01271d1b : fffffa80`0ff123f0 fffffa80`08bd9420 fffffa80`099182f0 fffffa80`09918510 : fltmgr!FltpPerformPostCallbacks+0x368
fffff880`0b1834d0 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`0b4a0250 fffffa80`0b83e400 fffffa80`0a658890 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff880`0b183560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`0b183610 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`1bd1b6b0 fffffa80`0b83e400 fffffa80`0e966040 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`0b1836a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`0de7b590 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`0b183750 fffff800`021bedde : fffffa80`0ff27b80 00000000`00000000 fffffa80`108e9530 fffffa80`0e966001 : nt!IopParseDevice+0x14e2
fffff880`0b1838b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`0b183a30 fffff8a0`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
fffff880`0b1839b0 fffff800`021c16bc : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByName+0x306
fffff880`0b183a80 fffff800`021ccd34 : 00000000`28e0a5e8 fffff800`c0110098 00000000`28e0a638 00000000`28e0a5f8 : nt!IopCreateFile+0x2bc
fffff880`0b183b20 fffff800`01ebe0d3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`28e0c9e0 : nt!NtCreateFile+0x78
fffff880`0b183bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0b183c20)
00000000`28e0a568 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a
----------------------------------------------------------------------

I could also see my driver in a WerFault.exe thread.

0: kd> !thread fffffa800788d540
THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread: fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
    fffff88005bc9bc0 SynchronizationEvent
IRP List:
    fffffa8025703010: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa80118e1790 Image: WerFault.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
Context Switch Count 13433 IdealProcessor: 0 LargeStack
UserTime 00:00:00.109
KernelTime 00:00:01.906
Win32 Start Address 0x00000000ffbe4920
Stack Init fffff88008f55db0 Current fffff88008f549a0
Base fffff88008f56000 Limit fffff88008f4d000 Call 0000000000000000
Priority 7 BasePriority 7 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`08f549e0 fffff800`01ec4142 : fffff880`08f54b38 fffffa80`0788d540 fffffa80`00000000 fffff880`05b0280d : nt!KiSwapContext+0x7a
fffff880`08f54b20 fffff800`01ec696f : 00000000`0000000e 00000000`001a7100 fffff8a0`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`08f54bb0 fffff880`05b34b6e : fffff880`05bc7a00 fffff880`00000000 fffff8a0`1667f000 fffff880`08f55100 : nt!KeWaitForSingleObject+0x19f
fffff880`08f54c50 fffff880`05b357eb : fffff880`08f54d64 fffff880`08f54d18 fffff880`08f55118 00000000`001a7100 : <mydriver>!scan_open_connection+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 4266]
fffff880`08f54ca0 fffff880`05b12865 : fffff880`08f550e0 fffff880`08f54fc0 fffff880`08f55088 00000000`00000028 : <mydriver>!scan_check_access_perm+0xaab [d:\build_692379\<build>\optimizer\scan\scan.c @ 4559]
fffff880`08f54f00 fffff880`05b10157 : fffffa80`1260c740 fffff880`08f55448 fffff880`08f553d8 fffff880`014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff880`08f553b0 fffff880`01273288 : fffffa80`1260c740 fffff880`08f55448 00000000`00000000 00000000`00000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff880`08f55400 fffff880`01271d1b : fffffa80`079fc180 fffffa80`1260c7e0 fffffa80`08a95970 fffffa80`08a95b90 : fltmgr!FltpPerformPostCallbacks+0x368
fffff880`08f554d0 fffff880`012912b9 : fffffa80`25703010 fffffa80`07412010 fffffa80`25703000 fffffa80`07406360 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff880`08f55560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`08f55610 fffff880`012912b9 : fffffa80`25703010 fffffa80`09001010 fffffa80`25703000 fffffa80`0906e680 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`08f556a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`0c2619b0 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`08f55750 fffff800`021bedde : fffffa80`073c7cd0 00000000`00000000 fffffa80`11431530 fffff880`08f55a01 : nt!IopParseDevice+0x14e2
fffff880`08f558b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`08f55a30 fffff680`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
fffff880`08f559b0 fffff800`021c16bc : 00000000`00000110 00000000`00000000 fffffa80`0788d501 ffffffff`ffffffff : nt!ObOpenObjectByName+0x306
fffff880`08f55a80 fffff800`021ccd34 : 00000000`000fa758 00000000`80100080 00000000`000fa7a8 00000000`000fa768 : nt!IopCreateFile+0x2bc
fffff880`08f55b20 fffff800`01ebe0d3 : ffffffff`ffffffff 0000007f`ffffffff 00000000`000fa7f0 00000980`00000000 : nt!NtCreateFile+0x78
fffff880`08f55bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`08f55c20)
00000000`000fa6d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a

I also observed an error (Application error) in Event Logs:

Faulting application name: DxDmService.exe. version: 6.50.0.480. time stamp: 0x5135c463
Faulting module name: Xms.dll. version: 6.50.0.480. time stamp: 0x5135c556
Exception code: 0xc0000417
Fault offset: 0x00000000000ea91c
Faulting process id: 0x1df0
Faulting application start time: 0xDxDmService.exe0
Faulting application path: DxDmService.exe1
Faulting module path: DxDmService.exe2
Report Id: DxDmService.exe3

Thanks,
Kunal
  Message 5 of 13  
11 Aug 17 01:53
taehwa lee
xxxxxx@gmail.com
Join Date: 26 Jun 2006
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

You need to check the entire call stack with something like !k L100 to see the exception.

Could you run the command below and show me the result?

!process 0 7 services.exe

Best regards
Taehwa.

On Fri, Aug 11, 2017 at 1:38 PM, xxxxx@hotmail.com <xxxxx@lists.osr.com> wrote:

> There are 12 threads in DxDmService.exe with my driver in callstack. Also,
> all of them have KiDeliverApc() in the callstack. Here are 2 unique threads
> from DxDmService. There are multiple instances of these threads.
>
>
> 0: kd> !thread fffffa800c40f7f0
> THREAD fffffa800c40f7f0 Cid 1df0.027c Teb: 000007ffffec8000 Win32Thread:
> 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
> SuspendCount 1
> fffffa800c40fac8 Semaphore Limit 0x2
<...excess quoted lines suppressed...>
  Message 6 of 13  
11 Aug 17 02:11
Kunal
xxxxxx@hotmail.com
Join Date: 13 Jun 2017
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

Windbg does not recognize !k command. I guess you meant 'k'. But I am not getting the complete callstack using 'k L100'. I think it's because the dump is a kernel dump and has only kernel information.

Here is the output for !process 0 7 services.exe:

-----------------------------------------------------
0: kd> !process 0 7 services.exe
PROCESS fffffa8007b12b10
    SessionId: 0 Cid: 0220 Peb: 7fffffdf000 ParentCid: 01b8
    DirBase: 20ca7d000 ObjectTable: fffff8a0020ed010 HandleCount: 628.
    Image: services.exe
    VadRoot fffffa8007b1d830 Vads 146 Clone 0 Private 2233. Modified 4900541. Locked 35.
    DeviceMap fffff8a000008820
    Token fffff8a0020dd060
    ElapsedTime 27 Days 16:41:03.120
    UserTime 00:46:49.468
    KernelTime 01:46:07.671
    QuotaPoolUsage[PagedPool] 124296
    QuotaPoolUsage[NonPagedPool] 38792
    Working Set Sizes (now,min,max) (2196, 50, 345) (8784KB, 200KB, 1380KB)
    PeakWorkingSetSize 4765
    VirtualSize 72 Mb
    PeakVirtualSize 209 Mb
    PageFaultCount 5210240
    MemoryPriority BACKGROUND
    BasePriority 9
    CommitCharge 2866

THREAD fffffa800720a2c0 Cid 0220.0270 Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
    fffffa800720a7d0 SynchronizationTimer
    fffffa8007b84ad0 SynchronizationTimer
    fffffa8007470b10 ProcessObject
    fffffa80074ad060 ProcessObject
    fffffa8008205b10 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa800823ab10 ProcessObject
    fffffa800824eb10 ProcessObject
    fffffa800826fb10 ProcessObject
    fffffa80082898e0 ProcessObject
    fffffa8007a0b060 ProcessObject
    fffffa8007b2e320 ProcessObject
    fffffa8007bd1320 ProcessObject
    fffffa80083046a0 ProcessObject
    fffffa8008763060 ProcessObject
    fffffa8008869060 ProcessObject
    fffffa800889c060 ProcessObject
    fffffa80088c9730 ProcessObject
    fffffa80089a7b10 ProcessObject
    fffffa8008a27b10 ProcessObject
    fffffa8008a16b10 ProcessObject
    fffffa80089c6060 ProcessObject
    fffffa80089f8b10 ProcessObject
    fffffa8008c0ab10 ProcessObject
    fffffa8008c3a530 ProcessObject
    fffffa8008c79b10 ProcessObject
    fffffa8008d6cb10 ProcessObject
    fffffa8008c36b10 ProcessObject
    fffffa8008e38cc0 SynchronizationEvent
    fffffa8008d804a0 SynchronizationTimer
    fffffa8008228380 ProcessObject
    fffffa800824eb10 ProcessObject
    fffffa80089f8b10 ProcessObject
    fffffa800826fb10 ProcessObject
    fffffa800826fb10 ProcessObject
    fffffa800823ab10 ProcessObject
    fffffa800826fb10 ProcessObject
    fffffa8008c3a530 ProcessObject
    fffffa80089c6060 ProcessObject
    fffffa8008d6cb10 ProcessObject
    fffffa8007b2e320 ProcessObject
    fffffa8008a16b10 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa80074ad060 ProcessObject
    fffffa80074ad060 ProcessObject
    fffffa8008a27b10 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8007470b10 ProcessObject
    fffffa8008c79b10 ProcessObject
    fffffa8007470b10 ProcessObject
    fffffa80089a7b10 ProcessObject
    fffffa8008fd8060 ProcessObject
    fffffa800824eb10 ProcessObject
    fffffa801ac86060 ProcessObject
    fffffa800bab55d0 ProcessObject
    fffffa800f65b060 ProcessObject
    fffffa800ebcfb10 ProcessObject
    fffffa8007a332a0 SynchronizationTimer
    fffffa80082afe30 SynchronizationTimer
    fffffa8008ec9990 SynchronizationTimer
    fffffa800720bef0 SynchronizationTimer
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153148235 Ticks: 1555 (0:00:00:24.296)
Context Switch Count 127463 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.218
Win32 Start Address 0x000000007799a280
Stack Init fffff88003d76db0 Current fffff88003d75fc0
Base fffff88003d77000 Limit fffff88003d71000 Call 0000000000000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`03d76000 fffff800`01ec4142 : fffffa80`0720a380 fffffa80`0720a2c0 fffff880`03d76320 fffff800`00000006 : nt!KiSwapContext+0x7a
fffff880`03d76140 fffff800`01ec365a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`03d761d0 fffff800`021b9c2f : fffff880`00000040 fffff880`03d76520 00000000`00000001 00000000`00000006 : nt!KeWaitForMultipleObjects+0x272
fffff880`03d76490 fffff800`021b9fa6 : fffffa80`07208701 fffff800`01ec1a73 00000000`00000001 00000000`00000001 : nt!ObpWaitForMultipleObjects+0x294
fffff880`03d76960 fffff800`01ebe0d3 : fffffa80`0720a2c0 00000000`00b7fad8 fffff880`03d76bc8 fffff880`03d76c00 : nt!NtWaitForMultipleObjects+0xe5
fffff880`03d76bb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03d76c20)
00000000`00b7fab8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea

THREAD fffffa800746aa00 Cid 0220.028c Teb: 000007fffffac000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
    fffffa8008bf9670 SynchronizationEvent
    fffffa800746e530 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051456 Ticks: 98334 (0:00:25:36.468)
Context Switch Count 11294 IdealProcessor: 0
UserTime 00:00:00.015
KernelTime 00:00:00.093
Win32 Start Address 0x000007fefccd04fc
Stack Init fffff88003dd9db0 Current fffff88003dd8fc0
Base fffff88003dda000 Limit fffff88003dd4000 Call 0000000000000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff880`03dd9000 fffff800`01ec4142 : fffffa80`0746aac0 fffffa80`0746aa00 00000000`00000000 fffffa80`00000009 : nt!KiSwapContext+0x7a
fffff880`03dd9140 fffff800`01ec365a : 00000000`0000007b 00000000`000000ff 00000000`00000000 fffffa80`05815470 : nt!KiCommitThreadWait+0x1d2
fffff880`03dd91d0 fffff800`021b9c2f : fffff880`00000002 fffff880`03dd9520 00000000`00000001 fffff880`00000006 : nt!KeWaitForMultipleObjects+0x272
fffff880`03dd9490 fffff800`021b9fa6 : 00000000`00169501 00000000`00000003 fffff800`00000001 ffffffff`ffffff00 : nt!ObpWaitForMultipleObjects+0x294
fffff880`03dd9960 fffff800`01ebe0d3 : fffffa80`0746aa00 00000000`00eff488 fffff880`03dd9bc8 fffff880`03dd9c28 : nt!NtWaitForMultipleObjects+0xe5
fffff880`03dd9bb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03dd9c20)
00000000`00eff468 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea

THREAD fffffa80074af6f0 Cid 0220.02c4 Teb: 000007fffffaa000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
    fffffa8007480a40 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153147012 Ticks: 2778 (0:00:00:43.406)
Context Switch Count 46385 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address 0x000000007799f6f0
Stack Init fffff880047b6db0 Current fffff880047b67c0
Base fffff880047b7000 Limit fffff880047b1000 Call 0000000000000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`047b6800 fffff800`01ec4142 : fffffa80`074af7b0 fffffa80`074af6f0 00000000`00000000 fffffa80`00000008 : nt!KiSwapContext+0x7a
fffff880`047b6940 fffff800`01ec71a3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000040 : nt!KiCommitThreadWait+0x1d2
fffff880`047b69d0 fffff800`021aa217 : fffffa80`078b1500 fffff800`01ec1a01 fffff880`047b6c01 fffff800`00000000 : nt!KeRemoveQueueEx+0x323
fffff880`047b6a90 fffff800`01eab3a6 : 00000000`00000000 fffff880`047b6ba8 fffff880`047b6bc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47
fffff880`047b6b20 fffff800`01ebe0d3 : fffffa80`074af6f0 00000000`77a7f5c0 00000000`00000000 00000000`00000000 : nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880`047b6c20 00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`047b6c20)
00000000`00a4f5c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a

THREAD fffffa8008e54060 Cid 0220.0c98 Teb: 000007fffff54000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
    fffffa8008e40c50 SynchronizationEvent
    fffffa8008e5ffe0 SynchronizationEvent
    fffffa80071b4110 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
Context Switch Count 9737 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.046
Win32 Start Address 0x000000018005a33c
Stack Init fffff880065e7db0 Current fffff880065e6fc0
Base fffff880065e8000 Limit fffff880065e2000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff880`065e7000 fffff800`01ec4142 : fffffa80`08e54120 fffffa80`08e54060 00000000`00000000 fffffa80`00000008 : nt!KiSwapContext+0x7a
fffff880`065e7140 fffff800`01ec365a : 00000000`0000023f 00000000`00000000 00000000`00000000 00000000`00001f80 : nt!KiCommitThreadWait+0x1d2
fffff880`065e71d0 fffff800`021b9c2f : fffff880`00000003 fffff880`065e7520 00000000`00000001 00000000`00000006 : nt!KeWaitForMultipleObjects+0x272
fffff880`065e7490 fffff800`021b9fa6 : fffff880`065e7901 fffff800`021ac35a fffffa80`00000001 fffffa80`08298c00 : nt!ObpWaitForMultipleObjects+0x294
fffff880`065e7960 fffff800`01ebe0d3 : fffffa80`08e54060 00000000`03aff348 fffff880`065e7bc8 00000000`00000000 : nt!NtWaitForMultipleObjects+0xe5
fffff880`065e7bb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`065e7c20)
00000000`03aff328 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea

THREAD fffffa8008e3c5b0 Cid 0220.0c9c Teb: 000007fffff52000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
    fffffa8008defe40 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
Context Switch Count 9295 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.078
Win32 Start Address 0x000000018005a33c
Stack Init fffff88006ccedb0 Current fffff88006cce7a0
Base fffff88006ccf000 Limit fffff88006cc9000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff880`06cce7e0 fffff800`01ec4142 : fffffa80`08e3c670 fffffa80`08e3c5b0 00000000`00000000 fffffa80`0000000a : nt!KiSwapContext+0x7a
fffff880`06cce920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2
fffff880`06cce9b0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KeRemoveQueueEx+0x323
fffff880`06ccea70 fffff800`0217c0a5 : 00000000`00000000 fffff880`06cceb68 fffff880`06cceb60 fffff800`0203ce01 : nt!IoRemoveIoCompletion+0x47
fffff880`06cceb00 fffff800`01ebe0d3 : fffffa80`08e3c5b0 00000000`03bbf9f8 fffff880`06ccebc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145
fffff880`06ccebb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06ccec20)
00000000`03bbf9d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca

THREAD fffffa800904cb50 Cid 0220.0ca0 Teb: 000007fffff4e000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
    fffffa8008defe40 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
Context Switch Count 9539 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.046
Win32 Start Address 0x000000018005a33c
Stack Init fffff88007078db0 Current fffff880070787a0
Base fffff88007079000 Limit fffff88007073000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site fffff880`070787e0 fffff800`01ec4142 : fffffa80`0904cc10 fffffa80`0904cb50 00000000`00000000 fffffa80`00000008 : nt!KiSwapContext+0x7a fffff880`07078920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2 fffff880`070789b0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KeRemoveQueueEx+0x323 fffff880`07078a70 fffff800`0217c0a5 : 00000000`00000000 fffff880`07078b68 fffff880`07078b60 fffff800`0203ce01 : nt!IoRemoveIoCompletion+0x47 fffff880`07078b00 fffff800`01ebe0d3 : fffffa80`0904cb50 00000000`03defab8 fffff880`07078bc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145 fffff880`07078bb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07078c20) 00000000`03defa98 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca THREAD fffffa8008f60b50 Cid 0220.0ca4 Teb: 000007fffff4c000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable fffffa8008defe40 QueueObject Not impersonating DeviceMap fffff8a000008820 Owning Process fffffa8007b12b10 Image: services.exe Attached Process N/A Image: N/A Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656) Context Switch Count 9219 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.031 Win32 Start Address 0x000000018005a33c Stack Init fffff8800707fdb0 Current fffff8800707f7a0 Base fffff88007080000 Limit fffff8800707a000 Call 0000000000000000 Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. 
Child-SP RetAddr : Args to Child : Call Site fffff880`0707f7e0 fffff800`01ec4142 : fffffa80`08f60c10 fffffa80`08f60b50 00000000`00000000 fffffa80`0000000a : nt!KiSwapContext+0x7a fffff880`0707f920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2 fffff880`0707f9b0 fffff800`021aa217 : 00000000`026df500 00000000`00000001 00000000`00000000 fffff880`0707fc20 : nt!KeRemoveQueueEx+0x323 fffff880`0707fa70 fffff800`0217c0a5 : 00000000`00000000 fffff880`0707fb68 fffff880`0707fb60 ffffd6ee`ce01d101 : nt!IoRemoveIoCompletion+0x47 fffff880`0707fb00 fffff800`01ebe0d3 : fffffa80`08f60b50 00000000`026df838 fffff880`0707fbc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145 fffff880`0707fbb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0707fc20) 00000000`026df818 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca THREAD fffffa8008f64060 Cid 0220.0ca8 Teb: 000007fffff4a000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable fffffa8008defe40 QueueObject Not impersonating DeviceMap fffff8a000008820 Owning Process fffffa8007b12b10 Image: services.exe Attached Process N/A Image: N/A Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656) Context Switch Count 9572 IdealProcessor: 1 UserTime 00:00:00.000 KernelTime 00:00:00.015 Win32 Start Address 0x000000018005a33c Stack Init fffff88007086db0 Current fffff880070867a0 Base fffff88007087000 Limit fffff88007081000 Call 0000000000000000 Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. 
Child-SP RetAddr : Args to Child : Call Site fffff880`070867e0 fffff800`01ec4142 : fffffa80`08f64120 fffffa80`08f64060 00000000`00000000 fffffa80`00000008 : nt!KiSwapContext+0x7a fffff880`07086920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2 fffff880`070869b0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KeRemoveQueueEx+0x323 fffff880`07086a70 fffff800`0217c0a5 : 00000000`00000000 fffff880`07086b68 fffff880`07086b60 fffff800`0203ce01 : nt!IoRemoveIoCompletion+0x47 fffff880`07086b00 fffff800`01ebe0d3 : fffffa80`08f64060 00000000`03f0f9b8 fffff880`07086bc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145 fffff880`07086bb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07086c20) 00000000`03f0f998 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca THREAD fffffa8008f647d0 Cid 0220.0cac Teb: 000007fffff48000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable fffffa8008defe40 QueueObject Not impersonating DeviceMap fffff8a000008820 Owning Process fffffa8007b12b10 Image: services.exe Attached Process N/A Image: N/A Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656) Context Switch Count 9162 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.078 Win32 Start Address 0x000000018005a33c Stack Init fffff8800708ddb0 Current fffff8800708d7a0 Base fffff8800708e000 Limit fffff88007088000 Call 0000000000000000 Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. 
Child-SP RetAddr : Args to Child : Call Site fffff880`0708d7e0 fffff800`01ec4142 : fffffa80`08f64890 fffffa80`08f647d0 00000000`00000000 fffffa80`0000000b : nt!KiSwapContext+0x7a fffff880`0708d920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2 fffff880`0708d9b0 fffff800`021aa217 : 00000000`0382f500 00000000`00000001 00000000`00000000 fffff880`0708dc20 : nt!KeRemoveQueueEx+0x323 fffff880`0708da70 fffff800`0217c0a5 : 00000000`00000000 fffff880`0708db68 fffff880`0708db60 ffffd6ee`ce0ef101 : nt!IoRemoveIoCompletion+0x47 fffff880`0708db00 fffff800`01ebe0d3 : fffffa80`08f647d0 00000000`0382f8f8 fffff880`0708dbc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145 fffff880`0708dbb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0708dc20) 00000000`0382f8d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca THREAD fffffa8008f6db50 Cid 0220.0cc4 Teb: 000007fffff56000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable fffffa8008e11580 SynchronizationTimer fffffa800824eb10 ProcessObject fffffa80088c9730 ProcessObject fffffa80082898e0 ProcessObject fffffa800824eb10 ProcessObject fffffa8008c0ab10 ProcessObject fffffa8007a0b060 ProcessObject fffffa800889c060 ProcessObject fffffa8008869060 ProcessObject fffffa8008c36b10 ProcessObject fffffa8008763060 ProcessObject fffffa80083046a0 ProcessObject fffffa8008205b10 ProcessObject fffffa80082898e0 ProcessObject fffffa8008228380 ProcessObject fffffa8008228380 ProcessObject fffffa8008228380 ProcessObject fffffa8008228380 ProcessObject fffffa800824eb10 ProcessObject fffffa8008205b10 ProcessObject fffffa80082898e0 ProcessObject fffffa8007bd1320 ProcessObject fffffa8008205b10 ProcessObject fffffa8007470b10 ProcessObject fffffa80082898e0 ProcessObject fffffa8008228380 ProcessObject fffffa8007a0b060 
ProcessObject fffffa8008f6cb10 ProcessObject fffffa8008f6cb10 ProcessObject fffffa8007b51be0 NotificationEvent fffffa8008228380 ProcessObject fffffa80092cf790 ProcessObject fffffa80092cf790 ProcessObject fffffa800938c350 ProcessObject fffffa800938c350 ProcessObject fffffa8007a0b060 ProcessObject fffffa80092039c0 ProcessObject fffffa80092039c0 ProcessObject fffffa80094c2b10 ProcessObject fffffa800826fb10 ProcessObject fffffa80094c2b10 ProcessObject fffffa80082898e0 ProcessObject fffffa8008228380 ProcessObject fffffa800bab55d0 ProcessObject fffffa80152c5060 ProcessObject fffffa80105f1060 ProcessObject fffffa80105f1060 ProcessObject fffffa800f65b060 ProcessObject fffffa800ebcfb10 ProcessObject fffffa80178a2060 ProcessObject fffffa80178a2060 ProcessObject Not impersonating DeviceMap fffff8a000008820 Owning Process fffffa8007b12b10 Image: services.exe Attached Process N/A Image: N/A Wait Start TickCount 153056886 Ticks: 92904 (0:00:24:11.625) Context Switch Count 57235 IdealProcessor: 0 UserTime 00:00:00.109 KernelTime 00:00:01.109 Win32 Start Address 0x000000007799a280 Stack Init fffff880065eedb0 Current fffff880065edfc0 Base fffff880065ef000 Limit fffff880065e9000 Call 0000000000000000 Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5 Kernel stack not resident. 
Child-SP RetAddr : Args to Child : Call Site fffff880`065ee000 fffff800`01ec4142 : fffffa80`08f6db50 fffffa80`08f6db50 00000000`00000000 fffffa80`0000000a : nt!KiSwapContext+0x7a fffff880`065ee140 fffff800`01ec365a : 00000000`00000014 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2 fffff880`065ee1d0 fffff800`021b9c2f : fffff880`00000033 fffff880`065ee520 00000000`00000001 00000000`00000006 : nt!KeWaitForMultipleObjects+0x272 fffff880`065ee490 fffff800`021b9fa6 : 00000000`00000001 00000000`00000000 00000000`00000001 00000000`00000001 : nt!ObpWaitForMultipleObjects+0x294 fffff880`065ee960 fffff800`01ebe0d3 : fffffa80`08f6db50 00000000`0370fad8 fffff880`065eebc8 fffff8a0`022a0330 : nt!NtWaitForMultipleObjects+0xe5 fffff880`065eebb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`065eec20) 00000000`0370fab8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea THREAD fffffa8009691340 Cid 0220.17b4 Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa80071e3cc0 QueueObject Not impersonating DeviceMap fffff8a000008820 Owning Process fffffa8007b12b10 Image: services.exe Attached Process N/A Image: N/A Wait Start TickCount 153141990 Ticks: 7800 (0:00:02:01.875) Context Switch Count 14 IdealProcessor: 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x000000007799f6f0 Stack Init fffff8800b0badb0 Current fffff8800b0ba7c0 Base fffff8800b0bb000 Limit fffff8800b0b5000 Call 0000000000000000 Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site fffff880`0b0ba800 fffff800`01ec4142 : 00000000`00000000 fffffa80`09691340 fffffa80`0faa3620 00000000`00000008 : nt!KiSwapContext+0x7a fffff880`0b0ba940 fffff800`01ec71a3 : fffffa80`09691340 00000000`00000000 ffffffff`00000000 
fffff8a0`00000030 : nt!KiCommitThreadWait+0x1d2 fffff880`0b0ba9d0 fffff800`021aa217 : fffffa80`078a2700 fffff800`01eb3501 fffff880`0b0bac01 fffffa80`071e3e18 : nt!KeRemoveQueueEx+0x323 fffff880`0b0baa90 fffff800`01eab3a6 : 00000000`00000000 fffff880`0b0baba8 fffff880`0b0babc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47 fffff880`0b0bab20 fffff800`01ebe0d3 : fffffa80`09691340 00000000`77a7f5c0 00000000`00000000 00000000`00000001 : nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0b0bac20 00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0b0bac20) 00000000`00c7f918 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a THREAD fffffa800ec603d0 Cid 0220.19c8 Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable fffffa800821c660 SynchronizationEvent fffffa8008228380 ProcessObject Not impersonating DeviceMap fffff8a000008820 Owning Process fffffa8007b12b10 Image: services.exe Attached Process N/A Image: N/A Wait Start TickCount 153148354 Ticks: 1436 (0:00:00:22.437) Context Switch Count 376 IdealProcessor: 1 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x000000007799f6f0 Stack Init fffff8800ad4fdb0 Current fffff8800ad4efc0 Base fffff8800ad50000 Limit fffff8800ad4a000 Call 0000000000000000 Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site fffff880`0ad4f000 fffff800`01ec4142 : fffffa80`0ec603d0 fffffa80`0ec603d0 00000000`00000000 00000000`00000008 : nt!KiSwapContext+0x7a fffff880`0ad4f140 fffff800`01ec365a : fffff8a0`28606568 fffffa80`10399000 00000000`00000042 fffff8a0`28606578 : nt!KiCommitThreadWait+0x1d2 fffff880`0ad4f1d0 fffff800`021b9c2f : fffff8a0`00000002 fffff880`0ad4f520 00000000`00000001 00000000`00000006 : nt!KeWaitForMultipleObjects+0x272 fffff880`0ad4f490 fffff800`021b9fa6 : 
fffff8a0`1c059001 00000000`00000654 00000000`00000001 fffff800`02175200 : nt!ObpWaitForMultipleObjects+0x294 fffff880`0ad4f960 fffff800`01ebe0d3 : fffffa80`0ec603d0 00000000`010ae798 fffff880`0ad4fbc8 fffffa80`00000000 : nt!NtWaitForMultipleObjects+0xe5 fffff880`0ad4fbb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0ad4fc20) 00000000`010ae778 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea THREAD fffffa801152b2c0 Cid 0220.1cbc Teb: 000007fffffd3000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8007208700 QueueObject Not impersonating DeviceMap fffff8a000008820 Owning Process fffffa8007b12b10 Image: services.exe Attached Process N/A Image: N/A Wait Start TickCount 153146327 Ticks: 3463 (0:00:00:54.109) Context Switch Count 3855 IdealProcessor: 1 UserTime 00:00:00.062 KernelTime 00:00:00.031 Win32 Start Address 0x000000007799f6f0 Stack Init fffff88007d70db0 Current fffff88007d707c0 Base fffff88007d71000 Limit fffff88007d6b000 Call 0000000000000000 Priority 10 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site fffff880`07d70800 fffff800`01ec4142 : fffffa80`1152b2c0 fffffa80`1152b2c0 fffff880`07d70b58 00000000`00000009 : nt!KiSwapContext+0x7a fffff880`07d70940 fffff800`01ec71a3 : fffff8a0`13737d00 00000000`000008c4 00000000`00000097 fffff800`021d2312 : nt!KiCommitThreadWait+0x1d2 fffff880`07d709d0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000000 : nt!KeRemoveQueueEx+0x323 fffff880`07d70a90 fffff800`01eab3a6 : 000007fe`ff5aee00 fffff880`07d70ba8 fffff880`07d70bc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47 fffff880`07d70b20 fffff800`01ebe0d3 : fffffa80`1152b2c0 00000000`77a7f5c0 00000000`00000000 00000000`015eed40 : nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`07d70c20 
00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07d70c20) 00000000`015efbf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a THREAD fffffa80121bbb50 Cid 0220.25e8 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8007208700 QueueObject Not impersonating DeviceMap fffff8a000008820 Owning Process fffffa8007b12b10 Image: services.exe Attached Process N/A Image: N/A Wait Start TickCount 153148994 Ticks: 796 (0:00:00:12.437) Context Switch Count 3807 IdealProcessor: 1 UserTime 00:00:00.062 KernelTime 00:00:00.078 Win32 Start Address 0x000000007799f6f0 Stack Init fffff8800a73bdb0 Current fffff8800a73b7c0 Base fffff8800a73c000 Limit fffff8800a736000 Call 0000000000000000 Priority 10 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site fffff880`0a73b800 fffff800`01ec4142 : fffffa80`121bbb50 fffffa80`121bbb50 fffff880`0a73bb58 00000000`00000009 : nt!KiSwapContext+0x7a fffff880`0a73b940 fffff800`01ec71a3 : fffff8a0`1c269d00 00000000`0000037c 00000000`00000002 fffff800`021d2312 : nt!KiCommitThreadWait+0x1d2 fffff880`0a73b9d0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000000 : nt!KeRemoveQueueEx+0x323 fffff880`0a73ba90 fffff800`01eab3a6 : 000007fe`ff5aee00 fffff880`0a73bba8 fffff880`0a73bbc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47 fffff880`0a73bb20 fffff800`01ebe0d3 : fffffa80`121bbb50 00000000`77a7f5c0 00000000`00000000 00000000`00000000 : nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`0a73bc20 00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0a73bc20) 00000000`0172f6f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a THREAD 
fffffa800e3e4060 Cid 0220.0d5c Teb: 000007fffffdd000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable fffffa8007208700 QueueObject Not impersonating DeviceMap fffff8a000008820 Owning Process fffffa8007b12b10 Image: services.exe Attached Process N/A Image: N/A Wait Start TickCount 153149787 Ticks: 3 (0:00:00:00.046) Context Switch Count 496 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x000000007799f6f0 Stack Init fffff88007e64db0 Current fffff88007e647c0 Base fffff88007e65000 Limit fffff88007e5f000 Call 0000000000000000 Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site fffff880`07e64800 fffff800`01ec4142 : fffffa80`0e3e4060 fffffa80`0e3e4060 fffff880`07e64b58 00000000`00000009 : nt!KiSwapContext+0x7a fffff880`07e64940 fffff800`01ec71a3 : fffff8a0`4e181030 00000000`00000524 00000000`0000001b fffff800`021d2312 : nt!KiCommitThreadWait+0x1d2 fffff880`07e649d0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000000 : nt!KeRemoveQueueEx+0x323 fffff880`07e64a90 fffff800`01eab3a6 : 000007fe`ff5aee00 fffff880`07e64ba8 fffff880`07e64bc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47 fffff880`07e64b20 fffff800`01ebe0d3 : fffffa80`0e3e4060 00000000`77a7f5c0 00000000`00000000 00000000`00000000 : nt!NtWaitForWorkViaWorkerFactory+0x285 fffff880`07e64c20 00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07e64c20) 00000000`0112f508 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a Thanks, Kunal
  Message 7 of 13  
11 Aug 17 02:18
Kunal
xxxxxx@hotmail.com

To give more info, I am using KeWaitForSingleObject() with the following parameters:

    status = KeWaitForSingleObject( &event, Executive, KernelMode, FALSE, p_timeout ); // where event is a KEVENT.

Thanks
Kunal
  Message 8 of 13  
11 Aug 17 02:47
taehwa lee
xxxxxx@gmail.com

What did your driver do in werfault's stack? I think it went as below:

1. DxDmService got an exception
2. The exception handler calls werfault
3. werfault suspends DxDmService to make a dump
4. werfault opens a file, and then <mydriver> filters it and waits for more than 20 min
5. bugcheck.

0: kd> !thread fffffa800788d540
THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread: fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
    fffff88005bc9bc0 SynchronizationEvent
IRP List:
    fffffa8025703010: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa80118e1790 Image: WerFault.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
Context Switch Count 13433 IdealProcessor: 0 LargeStack
UserTime 00:00:00.109
KernelTime 00:00:01.906
Win32 Start Address 0x00000000ffbe4920
Stack Init fffff88008f55db0 Current fffff88008f549a0
Base fffff88008f56000 Limit fffff88008f4d000 Call 0000000000000000
Priority 7 BasePriority 7 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`08f549e0 fffff800`01ec4142 : fffff880`08f54b38 fffffa80`0788d540 fffffa80`00000000 fffff880`05b0280d : nt!KiSwapContext+0x7a
fffff880`08f54b20 fffff800`01ec696f : 00000000`0000000e 00000000`001a7100 fffff8a0`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`08f54bb0 fffff880`05b34b6e : fffff880`05bc7a00 fffff880`00000000 fffff8a0`1667f000 fffff880`08f55100 : nt!KeWaitForSingleObject+0x19f
fffff880`08f54c50 fffff880`05b357eb : fffff880`08f54d64 fffff880`08f54d18 fffff880`08f55118 00000000`001a7100 : <mydriver>!scan_open_connection+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 4266]
fffff880`08f54ca0 fffff880`05b12865 : fffff880`08f550e0 fffff880`08f54fc0 fffff880`08f55088 00000000`00000028 : <mydriver>!scan_check_access_perm+0xaab [d:\build_692379\<build>\optimizer\scan\scan.c @ 4559]
fffff880`08f54f00 fffff880`05b10157 : fffffa80`1260c740 fffff880`08f55448 fffff880`08f553d8 fffff880`014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff880`08f553b0 fffff880`01273288 : fffffa80`1260c740 fffff880`08f55448 00000000`00000000 00000000`00000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff880`08f55400 fffff880`01271d1b : fffffa80`079fc180 fffffa80`1260c7e0 fffffa80`08a95970 fffffa80`08a95b90 : fltmgr!FltpPerformPostCallbacks+0x368
fffff880`08f554d0 fffff880`012912b9 : fffffa80`25703010 fffffa80`07412010 fffffa80`25703000 fffffa80`07406360 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff880`08f55560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`08f55610 fffff880`012912b9 : fffffa80`25703010 fffffa80`09001010 fffffa80`25703000 fffffa80`0906e680 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`08f556a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`0c2619b0 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`08f55750 fffff800`021bedde : fffffa80`073c7cd0 00000000`00000000 fffffa80`11431530 fffff880`08f55a01 : nt!IopParseDevice+0x14e2
fffff880`08f558b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`08f55a30 fffff680`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
fffff880`08f559b0 fffff800`021c16bc : 00000000`00000110 00000000`00000000 fffffa80`0788d501 ffffffff`ffffffff : nt!ObOpenObjectByName+0x306
fffff880`08f55a80 fffff800`021ccd34 : 00000000`000fa758 00000000`80100080 00000000`000fa7a8 00000000`000fa768 : nt!IopCreateFile+0x2bc
fffff880`08f55b20 fffff800`01ebe0d3 : ffffffff`ffffffff 0000007f`ffffffff 00000000`000fa7f0 00000980`00000000 : nt!NtCreateFile+0x78
fffff880`08f55bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`08f55c20)
00000000`000fa6d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a

On Fri, Aug 11, 2017 at 3:16 PM, xxxxx@hotmail.com <xxxxx@lists.osr.com> wrote:

> To give more info, I am using KeWaitForSingleObject() with following
> parameters:
>
> status = KeWaitForSingleObject( &event, Executive, KernelMode, FALSE,
> p_timeout );
> //where event is KEVENT.
>
> Thanks
> Kunal
>
<...excess quoted lines suppressed...>
  Message 9 of 13  
11 Aug 17 04:40
Kunal
xxxxxx@hotmail.com

Thanks for your responses. In the werfault stack, my driver tries to open a connection to my scan-server to send the file for scanning.

To give a brief overview, whenever a user tries to create/open a file, my filter driver sends it to a scan-server. I maintain an array of 5 elements which controls the sending of files for scanning. Whenever a new thread is spawned for scanning, it marks one of the elements in the array as in-use. After the scan is complete, the thread marks it as unused. So, at any time there can be only 5 threads with an open connection to the scan-server.

I can see 5 threads in the dump in wait state. One such thread is shown below. I have given a timeout value of 45 seconds in KeWaitForSingleObject(). But why is this thread not coming out of wait state?

0: kd> !thread fffffa8012f0e5e0
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
    fffffa8012f0e8b8 Semaphore Limit 0x2
IRP List:
    fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Context Switch Count 3126429 IdealProcessor: 0
UserTime 00:01:37.625
KernelTime 00:13:13.250
Win32 Start Address 0x0000000010376284
Stack Init fffff8800b183db0 Current fffff8800b182340
Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`0b182380 fffff800`01ec4142 : fffffa80`0f65b001 fffffa80`12f0e5e0 fffff800`0203ce80 fffff880`00000008 : nt!KiSwapContext+0x7a
fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 fffffa80`00000005 fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200 fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
fffff880`0b182740 fffff880`05b233c1 : fffffa80`12438000 fffff880`00000000 fffff880`0b182800 fffff880`0b182a00 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1827e0 fffff880`05b1dd93 : fffffa80`0f5d9530 fffff8a0`00f45300 00000000`0000005a fffff8a0`00000000 : <mydriver>!ivmc_wsk_recv_data+0x211 [d:\build_692379\<build>\optimizer\ivmc\ivmc_ksocket.c @ 435]
fffff880`0b182870 fffff880`05b2f27e : fffff880`05bc9c28 fffff8a0`00f45300 fffff880`0000005a fffff880`00000000 : <mydriver>!ivmc_read_all+0x93 [d:\build_692379\<build>\optimizer\ivmc\ivmc.c @ 426]
fffff880`0b1828e0 fffff880`05b30ca0 : fffff880`05bc9c28 fffff880`0b182fc0 fffff880`0b182a48 fffff8a0`1fdf65e0 : <mydriver>!scan_process_response+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 2562]
fffff880`0b1829c0 fffff880`05b3227b : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`00000001 fffff880`0b183148 : <mydriver>!scan_process_file_scan_response+0xb0 [d:\build_692379\<build>\optimizer\scan\scan.c @ 3028]
fffff880`0b182a90 fffff880`05b35b56 : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`69435351 00000000`000007ff : <mydriver>!scan_file_with_file_transfer+0x99b [d:\build_692379\<build>\optimizer\scan\scan.c @ 3416]
fffff880`0b182ca0 fffff880`05b12865 : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`0b183088 00000000`00000028 : <mydriver>!scan_check_access_perm+0xe16 [d:\build_692379\<build>\optimizer\scan\scan.c @ 4617]
fffff880`0b182f00 fffff880`05b10157 : fffffa80`08bd9380 fffff880`0b183448 fffff880`0b1833d8 fffff880`014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff880`0b1833b0 fffff880`01273288 : fffffa80`08bd9380 fffff880`0b183448 00000000`00000000 00000000`00000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff880`0b183400 fffff880`01271d1b : fffffa80`0ff123f0 fffffa80`08bd9420 fffffa80`099182f0 fffffa80`09918510 : fltmgr!FltpPerformPostCallbacks+0x368
fffff880`0b1834d0 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`0b4a0250 fffffa80`0b83e400 fffffa80`0a658890 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff880`0b183560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`0b183610 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`1bd1b6b0 fffffa80`0b83e400 fffffa80`0e966040 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`0b1836a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`0de7b590 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`0b183750 fffff800`021bedde : fffffa80`0ff27b80 00000000`00000000 fffffa80`108e9530 fffffa80`0e966001 : nt!IopParseDevice+0x14e2
fffff880`0b1838b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`0b183a30 fffff8a0`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
fffff880`0b1839b0 fffff800`021c16bc : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByName+0x306
fffff880`0b183a80 fffff800`021ccd34 : 00000000`28e0a5e8 fffff800`c0110098 00000000`28e0a638 00000000`28e0a5f8 : nt!IopCreateFile+0x2bc
fffff880`0b183b20 fffff800`01ebe0d3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`28e0c9e0 : nt!NtCreateFile+0x78
fffff880`0b183bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0b183c20)
00000000`28e0a568 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a
  Message 10 of 13  
11 Aug 17 05:05
taehwa lee
xxxxxx@gmail.com
Join Date: 26 Jun 2006
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

I could not see all of the user-mode stack in DxDmService.exe, which is needed to make clear what the DxDmService state is. Thread fffffa8012f0e5e0 is suspended by KiSuspendThread, which was delivered by an APC. I think that werfault suspended all of the threads in DxDmService.

The thread below was suspended 25 minutes before the crash:

0: kd> !thread fffffa8012f0e5e0
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
fffffa8012f0e8b8 Semaphore Limit 0x2
IRP List:
fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Context Switch Count 3126429 IdealProcessor: 0
UserTime 00:01:37.625
KernelTime 00:13:13.250
Win32 Start Address 0x0000000010376284
Stack Init fffff8800b183db0 Current fffff8800b182340
Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`0b182380 fffff800`01ec4142 : fffffa80`0f65b001 fffffa80`12f0e5e0 fffff800`0203ce80 fffff880`00000008 : nt!KiSwapContext+0x7a
fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 fffffa80`00000005 fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200 fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd

best regards
Taehwa.
On Fri, Aug 11, 2017 at 5:38 PM, xxxxx@hotmail.com <xxxxx@lists.osr.com> wrote:
> Thanks for your responses.
>
> In werfault stack, my driver tries to open a connection to my scan-server
> to send the file for scanning.
> To give a brief overview, whenever a user tries to create/open a file, my
> filter driver sends it to a scan-server. I maintain an array of 5 elements
> which control sending of files for scan. Whenever a new thread is spawned
> for scanning,
> it marks one of the elements in the array as in-use. After scan is
> complete, the thread marks it as unused. So, at a time there can be only 5
<...excess quoted lines suppressed...>
--
  Message 11 of 13  
11 Aug 17 06:53
Kunal
xxxxxx@hotmail.com
Join Date: 13 Jun 2017
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

This is a kernel dump, so I don't think user-mode data will be present. I tried to switch to process "DxDmService" but got the error below:

0: kd> .process fffffa80`0f65b060
Process fffffa80`0f65b060 has invalid page directories

Thanks,
Kunal
  Message 12 of 13  
14 Aug 17 03:24
Kunal
xxxxxx@hotmail.com
Join Date: 13 Jun 2017
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

Hi Taehwa,

Could you provide some details as to why all 5 of my scanning threads are not coming out of WAIT state even though I have given 45 secs timeout in KeWaitForSingleObject()?

I can see in the callstack of thread "fffffa8012f0e5e0" that after I call KeWaitForSingleObject(), there is a call to KiDeliverApc() after which the thread is suspended and there is another KeWaitForSingleObject(). I could not understand what is happening here. Does suspending a thread change the behavior of KeWaitForSingleObject()?

Thanks,
Kunal
  Message 13 of 13  
15 Aug 17 04:10
taehwa lee
xxxxxx@gmail.com
Join Date: 26 Jun 2006
Posts To This List: 10
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

Hello,

I've already explained, as below. Unfortunately, we could not see the user-mode stack because it is a kernel dump. We need to find the exception record if we could see the user stack.

1. DxDmService might get an exception (but we couldn't see it due to kernel stack)
2. The exception handler calls werfault (you could see the dump file name through the handle information of werfault)
3. werfault suspends all threads of DxDmService to make the dump
4. werfault opens a file and then <mydriver> filters it and waits for more than 20 min (I'm not sure why <mydriver> didn't wake up for 20 mins). I think you need to check the wait condition of <mydriver> in the werfault context.
5. bugcheck.

It is a hard job to understand the situation without the dump.

best regards
Taehwa.

On Mon, Aug 14, 2017 at 4:23 PM, xxxxx@hotmail.com <xxxxx@lists.osr.com> wrote:
> Hi Taehwa,
>
> Could you provide some details as to why all 5 of my scanning threads are
> not coming out of WAIT state even though I have given 45 secs timeout in
> KeWaitForSingleObject()?
> I can see in the callstack of thread "fffffa8012f0e5e0" that after I call
> KeWaitForSingleObject(), there is a call to KiDeliverApc() after which the
> thread is suspended and there is another KeWaitForSingleObject().
> I could not understand what is happening here. Does suspending a thread
> change the behavior of KeWaitForSingleObject()?
<...excess quoted lines suppressed...>
--
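The stack shape discussed in this thread (nt!KiSuspendThread reached through nt!KiDeliverApc while a driver routine was already inside a wait) can be checked mechanically when triaging many threads from a dump. The following Python is an added example, not code from any poster or from OSR; the function names and the choice of `nt` and `fltmgr` as OS modules are assumptions, and the sample is abridged from the !thread output posted in the thread.

```python
import re

ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
# One WinDbg stack frame: Child-SP RetAddr : four args : Call Site
FRAME_RE = re.compile(rf"{ADDR} {ADDR} : (?:{ADDR} ){{4}}: (\S+)")
# "Ticks: 98635 (0:00:25:41.171)" is days:hours:minutes:seconds.ms in the current wait
TICKS_RE = re.compile(r"Ticks: \d+ \((\d+):(\d+):(\d+):(\d+)\.\d+\)")

def call_sites(text):
    """Call sites innermost-first, offsets stripped; tolerates flattened output."""
    return [site.split("+")[0] for site in FRAME_RE.findall(text)]

def suspended_in_driver_wait(text, os_modules=("nt", "fltmgr")):
    """Report a thread suspended by an APC delivered inside a driver's wait.

    Returns None unless the stack shows nt!KiSuspendThread called from
    nt!KiDeliverApc with a non-OS module frame further down the stack.
    """
    sites = call_sites(text)
    if "nt!KiSuspendThread" not in sites:
        return None
    below = sites[sites.index("nt!KiSuspendThread") + 1:]
    if not below or below[0] != "nt!KiDeliverApc":
        return None
    for depth, site in enumerate(below):
        module, bang, _ = site.partition("!")
        if bang and module not in os_modules:
            ticks = TICKS_RE.search(text)
            waited = None
            if ticks:
                d, h, m, s = map(int, ticks.groups())
                waited = ((d * 24 + h) * 60 + m) * 60 + s
            return {"waiter": site, "wait_api": below[depth - 1],
                    "suspended_seconds": waited}
    return None

# Abridged from the !thread output posted in this thread (flattened, as extracted).
SAMPLE = (
    "WAIT: (Suspended) KernelMode Non-Alertable SuspendCount 1 "
    "Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171) "
    "fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54 "
    "fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d "
    "fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200 fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd "
    "fffff880`0b182740 fffff880`05b233c1 : fffffa80`12438000 fffff880`00000000 fffff880`0b182800 fffff880`0b182a00 : nt!KeWaitForSingleObject+0x19f "
    "fffff880`0b1827e0 fffff880`05b1dd93 : fffffa80`0f5d9530 fffff8a0`00f45300 00000000`0000005a fffff8a0`00000000 : <mydriver>!ivmc_wsk_recv_data+0x211"
)
```

Feeding each thread's !thread text to `suspended_in_driver_wait` lists which driver routine and wait API every suspended thread is parked in, and for how long.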
All times are GMT -5.