BSOD in WOW64, Win8.1

Hi All,

I started having this problem while using Office 2010 on Win8.1: Windows BSODs when Office 2010 is starting. My driver works fine on XP and Win7… but not on Win8.1. I have no idea about this issue. Could anybody help? Any help will be appreciated.

STACK_TEXT:
nt!MiCreateSection+0xa78
nt!NtCreateSection+0x1a2
nt!KiSystemServiceCopyEnd+0x13
ntdll!NtCreateSection+0xa
wow64!whNtCreateSection+0x7b
wow64!Wow64SystemServiceEx+0xd4
wow64cpu!ServiceNoTurbo+0xb
wow64!RunCpuSimulation+0xa
wow64!Wow64LdrpInitialize+0x172
ntdll!_LdrpInitialize+0xd8
ntdll!LdrInitializeThunk+0xe

Post the full !analyze -v output. What kind of driver is this?

-scott
OSR
@OSRDrivers

Thanks for your help.
My driver is a file system driver.
The OS is Win8.1 x64. CPU: Intel. Mem: 1.4 GB. Running in VMware.
The BSOD information from “!analyze -v”, “kv” and “.cxr” is here.

kd> !analyze -v
ERROR: FindPlugIns 8007007b
ERROR: Some plugins may not be available [8007007b]
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80388c25dc8, Address of the instruction which caused the bugcheck
Arg3: ffffd00021414de0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

“KERNEL32.DLL” was not found in the image list.
Debugger will attempt to load “KERNEL32.DLL” at given base 00000000`00000000.

Please provide the full image name, including the extension (i.e. kernel32.dll)
for more reliable results. Base address and size overrides can be given as
.reload <image.ext>=<base>,<size>.
Unable to add module at 0000000000000000

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

FAULTING_IP:
nt!MiCreateSection+a78
fffff80388c25dc8 f0410fba342400 lock btr dword ptr [r12],0

CONTEXT: ffffd00021414de0 – (.cxr 0xffffd00021414de0)
rax=ffffe000027585c0 rbx=ffffe000027585c0 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000008000000 rdi=0000000000000000
rip=fffff80388c25dc8 rsp=ffffd00021415810 rbp=ffffd00021415910
r8=0000000000000000 r9=0000000000000001 r10=0000000000000000
r11=ffffd00021415520 r12=0000000000000000 r13=ffffe00000546010
r14=ffffe00002758240 r15=ffffe000026b2dd0
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
nt!MiCreateSection+0xa78:
fffff80388c25dc8 f0410fba342400 lock btr dword ptr [r12],0 ds:002b:0000000000000000=???
Resetting default scope

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: WINWORD.EXE

CURRENT_IRQL: 1

LAST_CONTROL_TRANSFER: from fffff80388c2525e to fffff80388c25dc8

STACK_TEXT:
ffffd00021415810 fffff80388c2525e : ffffd00021415a60 0000000000000000 fffff80000000000 ffffd00021415a58 : nt!MiCreateSection+0xa78
ffffd00021415a00 fffff803889c84b3 : ffffe00002758240 000000000067e008 ffffd00021415aa8 000000007e8dc000 : nt!NtCreateSection+0x1a2
ffffd00021415a90 00007ffffa5f6a1a : 0000000077dcb00b 000000000077cb7c 000000000067fdb0 000000000067e088 : nt!KiSystemServiceCopyEnd+0x13
000000000067dfe8 0000000077dcb00b : 000000000077cb7c 000000000067fdb0 000000000067e088 000000007e8dc000 : ntdll!NtCreateSection+0xa
000000000067dff0 0000000077dcbb64 : 0000000000000000 0000000000000000 0000000000000000 000000000077cc64 : wow64!whNtCreateSection+0x7b
000000000067e080 0000000077d421e5 : 0000002377e4bd8c 0000000000000023 00000000ffffffff 000000000077cd94 : wow64!Wow64SystemServiceEx+0xd4
000000000067e930 0000000077dd323a : 0000000000000000 0000000077d41503 0000000000000000 0000000077dd3420 : wow64cpu!ServiceNoTurbo+0xb
000000000067e9e0 0000000077dd317e : 0000000000000000 0000000000000000 000000000067fd30 000000000067f350 : wow64!RunCpuSimulation+0xa
000000000067ea30 00007ffffa629763 : 000000002fb90100 0000000000000000 0000000000000010 000000007e8d7000 : wow64!Wow64LdrpInitialize+0x172
000000000067ef70 00007ffffa60c0e4 : 00007ffffa560000 0000000000000000 0000000000000000 000000007e8d7000 : ntdll!LdrpInitializeProcess+0x157b
000000000067f290 00007ffffa586eda : 000000000067f350 0000000000000000 0000000000000000 000000007e8d7000 : ntdll!_LdrpInitialize+0x851b8
000000000067f300 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!LdrInitializeThunk+0xe

FOLLOWUP_IP:
nt!MiCreateSection+a78
fffff80388c25dc8 f0410fba342400 lock btr dword ptr [r12],0

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!MiCreateSection+a78

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 52341cf4

STACK_COMMAND: .cxr 0xffffd00021414de0 ; kb

IMAGE_NAME: memory_corruption

BUCKET_ID_FUNC_OFFSET: a78

FAILURE_BUCKET_ID: 0x3B_nt!MiCreateSection

BUCKET_ID: 0x3B_nt!MiCreateSection

Followup: MachineOwner

kd> kv
Child-SP RetAddr : Args to Child : Call Site
ffffd00021413d48 fffff80388a4509a : 0000000000000000 0000000000000000 ffffd00021413eb0 fffff8038896b6d0 : nt!DbgBreakPointWithStatus
ffffd00021413d50 fffff80388a449ab : 0000000000000003 00000000c0000005 fffff803889cac70 000000000000003b : nt!KiBugCheckDebugBreak+0x12
ffffd00021413db0 fffff803889bcda4 : 0000000000000000 ffffc00003c24078 ffffe0000295e180 fffff80000b44837 : nt!KeBugCheck2+0x8ab
ffffd000214144c0 fffff803889c87e9 : 000000000000003b 00000000c0000005 fffff80388c25dc8 ffffd00021414de0 : nt!KeBugCheckEx+0x104
ffffd00021414500 fffff803889c80fc : ffffd000214155d8 ffffd00021414de0 fffff80388c2525e ffffd00021414c80 : nt!KiBugCheckDispatch+0x69
ffffd00021414640 fffff803889c41ed : fffff80388b72000 fffff8038886f000 0003ed6c00781000 0000000000000004 : nt!KiSystemServiceHandler+0x7c
ffffd00021414680 fffff8038894f9a5 : 0000000000000000 ffffd000214147b0 ffffd000214155d8 ffffe00002758240 : nt!RtlpExecuteHandlerForException+0xd
ffffd000214146b0 fffff8038895086b : ffffd000214155d8 ffffd00021415680 ffffd000214155d8 0000000000000000 : nt!RtlDispatchException+0x455
ffffd00021414db0 fffff803889c88c2 : 6d742e7d00000000 ffffe00002d61900 0000000000a73a3e 000000000041df38 : nt!KiDispatchException+0x61f
ffffd000214154a0 fffff803889c7014 : 0000000000000001 ffffe000027585c0 ffffd00021415600 ffffd00021415680 : nt!KiExceptionDispatch+0xc2
ffffd00021415680 fffff80388c25dc8 : ffffd00021415910 0000000000000000 ffffe00002758240 0000000000000000 : nt!KiPageFault+0x214 (TrapFrame @ ffffd00021415680)
ffffd00021415810 fffff80388c2525e : ffffd00021415a60 0000000000000000 fffff80000000000 ffffd00021415a58 : nt!MiCreateSection+0xa78
ffffd00021415a00 fffff803889c84b3 : ffffe00002758240 000000000067e008 ffffd00021415aa8 000000007e8dc000 : nt!NtCreateSection+0x1a2
ffffd00021415a90 00007ffffa5f6a1a : 0000000077dcb00b 000000000077cb7c 000000000067fdb0 000000000067e088 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd00021415b00)
000000000067dfe8 0000000077dcb00b : 000000000077cb7c 000000000067fdb0 000000000067e088 000000007e8dc000 : ntdll!NtCreateSection+0xa
000000000067dff0 0000000077dcbb64 : 0000000000000000 0000000000000000 0000000000000000 000000000077cc64 : wow64!whNtCreateSection+0x7b
000000000067e080 0000000077d421e5 : 0000002377e4bd8c 0000000000000023 00000000ffffffff 000000000077cd94 : wow64!Wow64SystemServiceEx+0xd4
000000000067e930 0000000077dd323a : 0000000000000000 0000000077d41503 0000000000000000 0000000077dd3420 : wow64cpu!ServiceNoTurbo+0xb
000000000067e9e0 0000000077dd317e : 0000000000000000 0000000000000000 000000000067fd30 000000000067f350 : wow64!RunCpuSimulation+0xa
000000000067ea30 00007ffffa629763 : 000000002fb90100 0000000000000000 0000000000000010 000000007e8d7000 : wow64!Wow64LdrpInitialize+0x172
000000000067ef70 00007ffffa60c0e4 : 00007ffffa560000 0000000000000000 0000000000000000 000000007e8d7000 : ntdll!LdrpInitializeProcess+0x157b
000000000067f290 00007ffffa586eda : 000000000067f350 0000000000000000 0000000000000000 000000007e8d7000 : ntdll!_LdrpInitialize+0x851b8
000000000067f300 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!LdrInitializeThunk+0xe

kd> .cxr 0xffffd00021414de0
rax=ffffe000027585c0 rbx=ffffe000027585c0 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000008000000 rdi=0000000000000000
rip=fffff80388c25dc8 rsp=ffffd00021415810 rbp=ffffd00021415910
r8=0000000000000000 r9=0000000000000001 r10=0000000000000000
r11=ffffd00021415520 r12=0000000000000000 r13=ffffe00000546010
r14=ffffe00002758240 r15=ffffe000026b2dd0
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
nt!MiCreateSection+0xa78:
fffff80388c25dc8 f0410fba342400 lock btr dword ptr [r12],0 ds:002b:00000000`00000000=???

Hi Scott Noone, did you find out anything from my stack?
I have tried my best on this issue for a week.

Something is wrong with the FCB header for the file object backing the
section.

I took a working system and set a breakpoint on the lines leading up to the
crashing instruction:

2: kd> u @rip fffff8021d039da6
nt!MiCreateSection+0xa96:
fffff802`1d039d7a mov r12,qword ptr [r13+30h]

fffff802`1d039d9f lock btr dword ptr [r12],0

So, R12 comes from R13+0x30. Running !pool on R13 shows that it’s an FCB
header:

2: kd> !pool @r13 2
Pool page ffffc00160ccc140 region is Paged pool
*ffffc00160ccc000 size: 510 previous size: 0 (Allocated) *Ntff
Pooltag Ntff : FCB_DATA, Binary : ntfs.sys

And that makes offset 0x30 the Advanced FCB Header’s Fast Mutex:

2: kd> dt nt!_fsrtl_advanced_fcb_header @r13

+0x030 FastMutex : 0xffffe000`0c697ea8 _FAST_MUTEX

Your crash is a NULL pointer dereference, so the FastMutex in this case is
NULL. Presumably this is your file system’s FCB header, so I would inspect
it in the debugger and try to determine why it’s corrupted.

-scott
OSR
@OSRDrivers

Thanks very much!! The problem was solved!
I used the wrong FCB header: FSRTL_COMMON_FCB_HEADER.
Now I use FSRTL_ADVANCED_FCB_HEADER, and it is OK!

Thank you Scott!
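An added example that is not code from the thread or from the poster's driver: a user-mode C model of the mistake Scott's analysis and the fix above describe. The memory manager does not know which header type a driver embedded at the start of its FCB; it loads the quadword at FsContext+0x30 (r12 = [r13+30h]) and takes it to be the FSRTL_ADVANCED_FCB_HEADER FastMutex pointer. A driver that embeds the shorter FSRTL_COMMON_FCB_HEADER (exactly 0x30 bytes on x64) therefore hands the kernel whatever its own first field holds, which after the usual zeroing is NULL. The two header layouts below are a replica of the x64 WDK definitions written for this example (fields after the ones shown are omitted), the node type and the mutex address are made up, and `kernel_fetch_fcb_fast_mutex()` stands in for the load that preceded `lock btr [r12],0` in the crash.

```c
/*
 * Added example (not from the thread): why an FCB built on
 * FSRTL_COMMON_FCB_HEADER instead of FSRTL_ADVANCED_FCB_HEADER gives the
 * memory manager a NULL fast mutex.  Layouts replicate the x64 WDK
 * definitions for this example only; node type and mutex address are fake.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x64 layout of FSRTL_COMMON_FCB_HEADER: 0x30 bytes. */
typedef struct {
    uint16_t NodeTypeCode;      /* +0x00 */
    uint16_t NodeByteSize;      /* +0x02 */
    uint8_t  Flags;             /* +0x04 */
    uint8_t  IsFastIoPossible;  /* +0x05 */
    uint8_t  Flags2;            /* +0x06 */
    uint8_t  Version;           /* +0x07  Version:4 / Reserved:4 in the WDK */
    uint64_t Resource;          /* +0x08  PERESOURCE */
    uint64_t PagingIoResource;  /* +0x10  PERESOURCE */
    int64_t  AllocationSize;    /* +0x18 */
    int64_t  FileSize;          /* +0x20 */
    int64_t  ValidDataLength;   /* +0x28 */
} COMMON_FCB_HEADER;

/* x64 layout of FSRTL_ADVANCED_FCB_HEADER, up to the field that matters here. */
typedef struct {
    COMMON_FCB_HEADER Common;   /* +0x00 .. +0x2f */
    uint64_t FastMutex;         /* +0x30  PFAST_MUTEX; this is what the kernel loads */
    uint64_t FilterContexts[2]; /* +0x38  LIST_ENTRY (remaining fields omitted) */
} ADVANCED_FCB_HEADER;

/* Hypothetical driver FCBs.  FileObject->FsContext points at Header. */
typedef struct {
    COMMON_FCB_HEADER Header;   /* wrong: +0x30 is now the driver's own field */
    uint64_t DriverPrivate;     /* zero after the usual RtlZeroMemory */
} WRONG_FCB;

typedef struct {
    ADVANCED_FCB_HEADER Header; /* right: +0x30 is FastMutex */
    uint64_t DriverPrivate;
} RIGHT_FCB;

/* Made-up non-paged-pool address standing in for an initialised FAST_MUTEX. */
#define FAKE_FAST_MUTEX 0xffffe0000c697ea8ull

/* Kernel side of the model: the memory manager does not know which header the
 * driver used; it simply loads the quadword at FsContext+0x30. */
static uint64_t kernel_fetch_fcb_fast_mutex(const void *fs_context)
{
    uint64_t mutex;
    memcpy(&mutex,
           (const uint8_t *)fs_context + offsetof(ADVANCED_FCB_HEADER, FastMutex),
           sizeof mutex);
    return mutex;   /* 0 here is the NULL that became lock btr [r12],0 -> bugcheck 0x3B */
}

/* Driver side, wrong way: only the common header exists and is initialised. */
static void init_wrong_fcb(WRONG_FCB *fcb)
{
    memset(fcb, 0, sizeof *fcb);
    fcb->Header.NodeTypeCode = 0x0705;              /* hypothetical node type */
    fcb->Header.NodeByteSize = (uint16_t)sizeof *fcb;
    /* There is no FastMutex member to set; DriverPrivate sits at +0x30. */
}

/* Driver side, right way.  In a real driver this is FsRtlSetupAdvancedHeader()
 * on the advanced header plus ExInitializeFastMutex() on a FAST_MUTEX allocated
 * from non-paged pool; the fake address models that allocation. */
static void init_right_fcb(RIGHT_FCB *fcb)
{
    memset(fcb, 0, sizeof *fcb);
    fcb->Header.Common.NodeTypeCode = 0x0705;
    fcb->Header.Common.NodeByteSize = (uint16_t)sizeof *fcb;
    fcb->Header.FastMutex = FAKE_FAST_MUTEX;
}

/* Run each scenario end to end and return what the kernel would load. */
uint64_t mutex_seen_with_common_header(void)
{
    WRONG_FCB fcb;
    init_wrong_fcb(&fcb);
    return kernel_fetch_fcb_fast_mutex(&fcb);
}

uint64_t mutex_seen_with_advanced_header(void)
{
    RIGHT_FCB fcb;
    init_right_fcb(&fcb);
    return kernel_fetch_fcb_fast_mutex(&fcb);
}

int main(void)
{
    printf("sizeof(COMMON_FCB_HEADER)               = 0x%zx\n", sizeof(COMMON_FCB_HEADER));
    printf("offsetof(ADVANCED_FCB_HEADER, FastMutex) = 0x%zx\n",
           offsetof(ADVANCED_FCB_HEADER, FastMutex));
    printf("common header FCB:   kernel loads FastMutex = %#llx\n",
           (unsigned long long)mutex_seen_with_common_header());
    printf("advanced header FCB: kernel loads FastMutex = %#llx\n",
           (unsigned long long)mutex_seen_with_advanced_header());
    return 0;
}
```

The check that settles this on a real system is the one Scott used: `dt nt!_FSRTL_ADVANCED_FCB_HEADER <FsContext>` on the file object's FsContext and confirm that FastMutex is a non-NULL non-paged-pool address; a zero (or a value that looks like one of your own fields) at +0x030 means the FCB was not laid out with the advanced header.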