Hi, I got a IRQL_NOT_LESS_OR_EQUAL and I cant figure out the exact root cause of the crash. This crash occurs while Ctls+S is pressed twice while saving Word files.
Here are the details:
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804fef20, address which referenced memory
Debugging Details:
READ_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!KiDeliverApc+142
804fef20 391b cmp dword ptr [ebx],ebx
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: svchost.exe
TRAP_FRAME: a8eddab8 – (.trap ffffffffa8eddab8)
ErrCode = 00000000
eax=a8eddb38 ebx=00000000 ecx=89a2184a edx=00000000 esi=89a21760 edi=89bf6cb8
eip=804fef20 esp=a8eddb2c ebp=a8eddb60 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
nt!KiDeliverApc+0x142:
804fef20 391b cmp dword ptr [ebx],ebx ds:0023:00000000=???
Resetting default scope
LAST_CONTROL_TRANSFER: from 804fef20 to 80543a70
STACK_TEXT:
a8eddab8 804fef20 badb0d00 00000000 89bf6cb8 nt!KiTrap0E+0x238
a8eddb60 806e5ef2 00000000 00000000 a8eddb78 nt!KiDeliverApc+0x142
a8eddb60 806e591a 00000000 00000000 a8eddb78 hal!HalpApcInterrupt+0xc6
a8eddbe8 a8ebcb47 00000000 891ec320 a8ebcc14 hal!KfReleaseSpinLock+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
a8eddc78 a8eb5527 891ec268 89b66d40 a8eb5590 abcd+0xdb47
a8eddcb8 80578fb3 891ec268 89b66d40 8798fd50 abcd+0x6527
a8eddd38 805409ac 00000db4 000007ec 00000000 nt!NtNotifyChangeDirectoryFile+0x227
a8eddd38 7c91eb94 00000db4 000007ec 00000000 nt!KiFastCallEntry+0xfc
0071fb58 7c91dc8b 7c83168b 00000db4 000007ec ntdll!KiFastSystemCallRet
0071fb5c 7c83168b 00000db4 000007ec 00000000 ntdll!NtNotifyChangeDirectoryFile+0xc
0071fba4 74ff173e 00000db4 0035f718 00000868 kernel32!ReadDirectoryChangesW+0x92
0071fbd4 74ff16c0 0035f6e4 74ff14d4 00000000 trkwks!CObjIdIndexChangeNotifier::StartListening+0x45
0071fc48 74ff1512 0035f6e4 74ff14d4 00000000 trkwks!CObjIdIndexChangeNotifier::DoWork+0xff
0071fc80 7c937911 0035f6e4 00000000 000ead68 trkwks!ThreadPoolCallbackFunction+0x52
0071fccc 7c93a1bb 74ff14d4 0035f6e4 00000000 ntdll!RtlpWaitOrTimerCallout+0x73
0071fcf8 7c93a109 000ead68 0071fee4 00000000 ntdll!RtlpProcessWaitCompletion+0x112
0071ffb4 7c80b683 00000000 00000000 7c812a5b ntdll!RtlpWaitThread+0x277
0071ffec 00000000 7c939fae 00000000 00000000 kernel32!BaseThreadStart+0x37
STACK_COMMAND: kb
FOLLOWUP_IP:
ofant+db47
a8ebcb47 5e pop esi
SYMBOL_STACK_INDEX: 4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: abcd
IMAGE_NAME: abcd.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45cb74bf
SYMBOL_NAME: abcd+db47
FAILURE_BUCKET_ID: 0xA_abcd+db47
BUCKET_ID: 0xA_abcd+db47
Followup: MachineOwner
From the disassembly of KiDeliverAPC:
804fee07 64a124010000 mov eax,fs:[00000124] <----- eax pointing to the currently executing thread.
804fee0d 8bf0 mov esi,eax <---- esi is now pointing to currently executing thread.
804fee0f 8b8634010000 mov eax,[esi+0x134]
804fee15 8945e4 mov [ebp-0x1c],eax
804fee18 8b4644 mov eax,[esi+0x44]
804fee1b 898e34010000 mov [esi+0x134],ecx
804fee21 8d8ee8000000 lea ecx,[esi+0xe8]
804fee27 8d55d8 lea edx,[ebp-0x28]
804fee2a 8945e8 mov [ebp-0x18],eax
804fee2d ff1510814d80 call dword ptr [nt!_imp_KeAcquireInStackQueuedSpinLock (804d8110)]
804fee33 c6464900 mov byte ptr [esi+0x49],0x0
804fee37 8d5e34 lea ebx,[esi+0x34] <------ Storing the current thread ApcState in ebx.
804fee3a e9e1000000 jmp nt!KiDeliverApc+0x142 (804fef20)
-Next we jump to the following instruction where we encounter an exception and bug check.
804fef20 391b cmp [ebx],ebx
1: kd> .trap a8eddab8
ErrCode = 00000000
eax=a8eddb38 ebx=00000000 ecx=89a2184a edx=00000000 esi=89a21760 edi=89bf6cb8
eip=804fef20 esp=a8eddb2c ebp=a8eddb60 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
nt!KiDeliverApc+0x142:
804fef20 391b cmp [ebx],ebx ds:0023:00000000=??? <------------ (Exception)ApcState is not valid hence the bug check.
1: kd> dt nt!_kthread 89a21760 -b
nt!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x000 Type : 0x6 ‘’
+0x001 Absolute : 0 ‘’
+0x002 Size : 0x70 ‘p’
+0x003 Inserted : 0 ‘’
+0x004 SignalState : 0
+0x008 WaitListHead : _LIST_ENTRY [0x89a21768 - 0x89a21768]
+0x000 Flink : 0x89a21768
+0x004 Blink : 0x89a21768
+0x010 MutantListHead : _LIST_ENTRY [0x89a21770 - 0x89a21770]
+0x000 Flink : 0x89a21770
+0x004 Blink : 0x89a21770
+0x018 InitialStack : 0xa8ede000
+0x01c StackLimit : 0xa8edb000
+0x020 Teb : 0x7ffdb000
+0x024 TlsArray : (null)
+0x028 KernelStack : 0xa8eddb5c
+0x02c DebugActive : 0 ‘’
+0x02d State : 0x2 ‘’
+0x02e Alerted : “”
[00] 0 ‘’
[01] 0 ‘’
+0x030 Iopl : 0 ‘’
+0x031 NpxState : 0xa ‘’
+0x032 Saturation : 0 ‘’
+0x033 Priority : 8 ‘’
+0x034 ApcState : _KAPC_STATE <------------ APC state in our thread is valid.
+0x000 ApcListHead :
[00] _LIST_ENTRY [0x89a21794 - 0x89a21794]
+0x000 Flink : 0x89a21794
+0x004 Blink : 0x89a21794
[01] [0x89a2179c - 0x89a2179c]
+0x000 Flink : 0x89a2179c
+0x004 Blink : 0x89a2179c
+0x010 Process : 0x891a9a30
+0x014 KernelApcInProgress : 0 ‘’
+0x015 KernelApcPending : 0 ‘’
+0x016 UserApcPending : 0 ‘’
I reffered the details listed on http://www.osronline.com/showThread.cfm?link=36233.
We need to figure out - how did ebx get zeroed? It was loaded once at the top
of the KiDeliverApc function. There is no other function call within this code path, and as per the above link KiDeliverApc function itself never touches ebx after loading it.