OSR Online Lists > ntdev
  Message 1 of 7  
01 Dec 17 07:37
Sergey Pisarev
xxxxxx@gmail.com
Join Date: 21 May 2017
Posts To This List: 72
BSOD on processing destroyed timer

Hello. From the dump it looks like Windows tries to process an already destroyed object. Can I somehow discover who created that timer?

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: fffff8a00031d158, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80003497b20, address which referenced memory

STACK_TEXT:
fffff880`043ff1c8 fffff800`0348b3a9 : 00000000`0000000a fffff8a0`0031d158 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`043ff1d0 fffff800`0348a020 : fffffa80`0d310b00 fffffa80`036d3768 fffffa80`036d3768 fffffa80`03f17808 : nt!KiBugCheckDispatch+0x69
fffff880`043ff310 fffff800`03497b20 : fffffa80`0d7e5120 fffffa80`107b6748 fffffa80`107b6748 fffffa80`03f177a0 : nt!KiPageFault+0x260
fffff880`043ff4a0 fffff800`034979be : 00000006`1e5904a0 fffff880`043ffb18 00000000`00029205 fffff880`043d9628 : nt!KiProcessExpiredTimerList+0x110
fffff880`043ffaf0 fffff800`034977a7 : 00000001`ba9cbfc5 00000001`00029205 00000001`ba9cbf45 00000000`00000005 : nt!KiTimerExpiration+0x1be
fffff880`043ffb90 fffff800`03483b0a : fffff880`043d7180 fffff880`043e1fc0 00000000`00000001 fffff880`00000000 : nt!KiRetireDpcList+0x277
fffff880`043ffc40 00000000`00000000 : fffff880`04400000 fffff880`043fa000 fffff880`043ffc00 00000000`00000000 : nt!KiIdleLoop+0x5a

.trap 0xfffff880043ff310
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=17e499c76c1c0000
rdx=fffff88004369700 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80003497b20 rsp=fffff880043ff4a0 rbp=fffffa8003f17808
 r8=fffffa80107b66e0  r9=0000000000000008 r10=fffff8000341b000
r11=fffff880043ff470 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac po cy
nt!KiProcessExpiredTimerList+0x110:
fffff800`03497b20 f00fba2f07      lock bts dword ptr [rdi],7 ds:00000000`00000000=????????

!pte fffff8a00031d158
                                           VA fffff8a00031d158
PXE at FFFFF6FB7DBEDF88    PPE at FFFFF6FB7DBF1400    PDE at FFFFF6FB7E280008    PTE at FFFFF6FC500018E8
contains 0000000116204863  contains 000000000488C863  contains 000000004881B863  contains AEB00000AA538882
pfn 116204    ---DA--KWEV  pfn 488c      ---DA--KWEV  pfn 4881b     ---DA--KWEV  not valid
                                                                                  Transition: aa538
                                                                                  Protect: 4 - ReadWrite
  Message 2 of 7  
01 Dec 17 10:06
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 10106
BSOD on processing destroyed timer

Does it consistently repro? DV will catch a driver freeing memory that it still currently enqueued in the timer or dpc list

Bent from my phone
  Message 3 of 7  
01 Dec 17 10:22
Sergey Pisarev
xxxxxx@gmail.com
Join Date: 21 May 2017
Posts To This List: 72
BSOD on processing destroyed timer

Thank you for reply Doron! It reproduces about once per day! I'll try to get access to this machine next week, for now I only have dumps

On Fri, 1 Dec 2017 at 18:07, xxxxx@microsoft.com <xxxxx@lists.osr.com> wrote:
> Does it consistently repro? DV will catch a driver freeing memory that it
> still currently enqueued in the timer or dpc list
>
> Bent from my phone
<...excess quoted lines suppressed...>
  Message 4 of 7  
01 Dec 17 10:29
Scott Noone
xxxxxx@osr.com
Join Date:
Posts To This List: 1341
List Moderator
BSOD on processing destroyed timer

Does !pool fffff8a00031d158 say anything?

-scott
OSR
@OSRDrivers
  Message 5 of 7  
01 Dec 17 10:47
Sergey Pisarev
xxxxxx@gmail.com
Join Date: 21 May 2017
Posts To This List: 72
BSOD on processing destroyed timer

Thank you Scott!

!pool fffff8a00031d158
Pool page fffff8a00031d158 region is Paged pool
*fffff8a00031d000 size:  1d0 previous size:    0  (Allocated) *ComP
        Owning component : Unknown (update pooltag.txt)
 fffff8a00031d1d0 size:   40 previous size:  1d0  (Allocated)  MmSm
 fffff8a00031d210 size:   20 previous size:   40  (Allocated)  Pp
 fffff8a00031d230 size:   50 previous size:   20  (Allocated)  ObNm
 fffff8a00031d280 size:   80 previous size:   50  (Allocated)  RngS
 fffff8a00031d300 size:   20 previous size:   80  (Allocated)  ObNm
 fffff8a00031d320 size:   80 previous size:   20  (Allocated)  Sect (Protected)
 fffff8a00031d3a0 size:  190 previous size:   80  (Allocated)  Txsa
 fffff8a00031d530 size:   50 previous size:  190  (Allocated)  Ntfo
 fffff8a00031d580 size:   50 previous size:   50  (Allocated)  IoNm
 fffff8a00031d5d0 size:   30 previous size:   50  (Allocated)  ObDi
 fffff8a00031d600 size:   20 previous size:   30  (Allocated)  ObNm
 fffff8a00031d620 size:   30 previous size:   20  (Allocated)  ObDi
 fffff8a00031d650 size:   20 previous size:   30  (Allocated)  ObNm
 fffff8a00031d670 size:   30 previous size:   20  (Allocated)  ObDi
 fffff8a00031d6a0 size:   60 previous size:   30  (Allocated)  KLna
 fffff8a00031d700 size:  190 previous size:   60  (Allocated)  Txsa
 fffff8a00031d890 size:   20 previous size:  190  (Allocated)  ABFD
 fffff8a00031d8b0 size:   20 previous size:   20  (Allocated)  ABFD
 fffff8a00031d8d0 size:   20 previous size:   20  (Allocated)  ABFD
 fffff8a00031d8f0 size:   20 previous size:   20  (Allocated)  ABFD
 fffff8a00031d910 size:   20 previous size:   20  (Allocated)  ABFD
 fffff8a00031d930 size:   a0 previous size:   20  (Allocated)  Key  (Protected)
 fffff8a00031d9d0 size:   a0 previous size:   a0  (Allocated)  Key  (Protected)
 fffff8a00031da70 size:   a0 previous size:   a0  (Allocated)  Key  (Protected)
 fffff8a00031db10 size:   10 previous size:   a0  (Free)       Io
 fffff8a00031db20 size:   30 previous size:   10  (Allocated)  ObDi
 fffff8a00031db50 size:   20 previous size:   30  (Allocated)  ObNm
 fffff8a00031db70 size:   40 previous size:   20  (Allocated)  NtFs
 fffff8a00031dbb0 size:  150 previous size:   40  (Allocated)  NtFs
 fffff8a00031dd00 size:   30 previous size:  150  (Allocated)  ObNm
 fffff8a00031dd30 size:   10 previous size:   30  (Free)       Key
 fffff8a00031dd40 size:   30 previous size:   10  (Allocated)  ObNm
 fffff8a00031dd70 size:   30 previous size:   30  (Allocated)  ObDi
 fffff8a00031dda0 size:   20 previous size:   30  (Allocated)  ObNm
 fffff8a00031ddc0 size:   30 previous size:   20  (Allocated)  ObNm
 fffff8a00031ddf0 size:   30 previous size:   30  (Allocated)  ObDi
 fffff8a00031de20 size:   40 previous size:   30  (Allocated)  Symt
 fffff8a00031de60 size:   80 previous size:   40  (Allocated)  SeSd
 fffff8a00031dee0 size:   10 previous size:   80  (Free)       NtFs
 fffff8a00031def0 size:   30 previous size:   10  (Allocated)  Ntf0
 fffff8a00031df20 size:   30 previous size:   30  (Allocated)  ObDi
 fffff8a00031df50 size:   20 previous size:   30  (Allocated)  ObNm
 fffff8a00031df70 size:   30 previous size:   20  (Allocated)  ObDi
 fffff8a00031dfa0 size:   20 previous size:   30  (Allocated)  ObNm
 fffff8a00031dfc0 size:   40 previous size:   20  (Allocated)  MmSm

On Fri, Dec 1, 2017 at 6:29 PM, Scott Noone <xxxxx@osr.com> <xxxxx@lists.osr.com> wrote:
> Does !pool fffff8a00031d158 say anything?
>
> -scott
> OSR
> @OSRDrivers
<...excess quoted lines suppressed...>
  Message 6 of 7  
01 Dec 17 10:52
Scott Noone
xxxxxx@osr.com
Join Date:
Posts To This List: 1341
List Moderator
BSOD on processing destroyed timer

<QUOTE>
!pool fffff8a00031d158
Pool page fffff8a00031d158 region is Paged pool
*fffff8a00031d000 size: 1d0 previous size: 0 (Allocated) *ComP
</QUOTE>

Looks like someone allocated a timer out of paged pool (which would be a bad thing).

Try this and see if you can find the tag in any of the loaded modules:

!for_each_module "s -a ${@#Base} ${@#End} \"ComP\""

Any weird third party COM port software loaded? That's just a guess based on "ComP" possibly being "ComPort"...

-scott
OSR
@OSRDrivers
  Message 7 of 7  
01 Dec 17 11:39
Sergey Pisarev
xxxxxx@gmail.com
Join Date: 21 May 2017
Posts To This List: 72
BSOD on processing destroyed timer

Thank you very much Scott!! You are the god of Windbg! It turns out memory for our communication port was allocated from paged pool. I didn't know that it should be allocated from non paged pool since FltCreateCommunicationPort documentation says nothing of this sort. Thank you again Scott! Your help was invaluable!

On Fri, Dec 1, 2017 at 6:52 PM, Scott Noone <xxxxx@osr.com> <xxxxx@lists.osr.com> wrote:
> <QUOTE>
> !pool fffff8a00031d158
> Pool page fffff8a00031d158 region is Paged pool
> *fffff8a00031d000 size: 1d0 previous size: 0 (Allocated) *ComP
> </QUOTE>
>
> Looks like someone allocated a timer out of paged pool (which would be a
> bad thing).
>
> Try this and see if you can find the tag in any of the loaded modules:
<...excess quoted lines suppressed...>
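
An added example, not part of the original thread or any poster's code: a small Python helper that repeats the triage from messages 4 to 6 on saved debugger text, finding the pool block that contains the bugcheck's Arg1 and checking whether pageable memory was touched at DISPATCH_LEVEL or above. The function names are hypothetical, and the embedded sample is constructed from the first entries of the !pool output in message 5.

```python
import re

# Constructed sample: the first entries of the !pool output posted in message 5.
POOL_OUTPUT = """\
Pool page fffff8a00031d158 region is Paged pool
*fffff8a00031d000 size:  1d0 previous size:    0  (Allocated) *ComP
        Owning component : Unknown (update pooltag.txt)
 fffff8a00031d1d0 size:   40 previous size:  1d0  (Allocated)  MmSm
 fffff8a00031d210 size:   20 previous size:   40  (Allocated)  Pp
"""

DISPATCH_LEVEL = 2  # paged memory must not be touched at or above this IRQL

HEADER = re.compile(r"Pool page\s+[0-9a-f`]+\s+region is\s+(.+)", re.I)
ENTRY = re.compile(
    r"\*?\s*([0-9a-f`]+)\s+size:\s*([0-9a-f]+)\s+previous size:\s*[0-9a-f]+"
    r"\s+\((Allocated|Free)\s*\)\s*\*?(\S+)", re.I)


def find_owner(pool_text, fault_addr):
    """Return the pool block that contains fault_addr, or None if none does."""
    region = None
    for line in pool_text.splitlines():
        header = HEADER.search(line)
        if header:
            region = header.group(1).strip()
            continue
        entry = ENTRY.match(line.strip())
        if not entry:
            continue  # e.g. the "Owning component" continuation line
        start = int(entry.group(1).replace("`", ""), 16)
        size = int(entry.group(2), 16)
        if start <= fault_addr < start + size:
            return {"region": region, "tag": entry.group(4),
                    "state": entry.group(3), "offset": fault_addr - start}
    return None


def pageable_at_high_irql(pool_text, fault_addr, irql):
    """True when the faulting block is in paged pool and IRQL >= DISPATCH_LEVEL."""
    owner = find_owner(pool_text, fault_addr)
    if owner is None or owner["region"] is None:
        return False
    return owner["region"].lower().startswith("paged") and irql >= DISPATCH_LEVEL


if __name__ == "__main__":
    arg1, arg2 = 0xFFFFF8A00031D158, 2  # Arg1 and Arg2 from the bugcheck in message 1
    print(find_owner(POOL_OUTPUT, arg1), pageable_at_high_irql(POOL_OUTPUT, arg1, arg2))
```

The tag it reports is the string to search for in the loaded modules, as in message 6.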
All times are GMT -5.