  Message 1 of 4  
14 Jul 17 12:28
Sivaller
xxxxxx@gmail.com
Join Date: 13 Jul 2017
Posts To This List: 5
Need help

I'm on a driver file system and I have a BSOD on createfile on my volume. Can you help please?

Microsoft (R) Windows Debugger Version 10.0.15063.468 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\sys\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.16384.amd64fre.th1.150709-1700
Machine Name:
Kernel base = 0xfffff803`6e079000 PsLoadedModuleList = 0xfffff803`6e39df30
Debug session time: Fri Jul 14 18:20:17.259 2017 (UTC + 2:00)
System Uptime: 0 days 0:09:34.605
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols
...............................................................
.....................................................Page c71f not present in the dump file. Type ".hh dbgerr004" for details
.Page 4442 not present in the dump file. Type ".hh dbgerr004" for details
..........
.........................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7e7ef018). Type ".hh dbgerr001" for details

************* Symbol Loading Error Summary **************
Module name            Error
ntkrnlmp               The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {4c, 2, 1, fffff8036e13f7d4}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol       ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that     ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
Probably caused by : ntoskrnl.wrong.symbols.exe ( nt_wrong_symbols!559F3C1A852000 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000000000004c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8036e13f7d4, address which referenced memory

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 10240.16384.amd64fre.th1.150709-1700
SYSTEM_MANUFACTURER: innotek GmbH
VIRTUAL_MACHINE: VirtualBox
SYSTEM_PRODUCT_NAME: VirtualBox
SYSTEM_VERSION: 1.2
BIOS_VENDOR: innotek GmbH
BIOS_VERSION: VirtualBox
BIOS_DATE: 12/01/2006
BASEBOARD_MANUFACTURER: Oracle Corporation
BASEBOARD_PRODUCT: VirtualBox
BASEBOARD_VERSION: 1.2
ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.
WRONG_SYMBOLS_TIMESTAMP: 559f3c1a
WRONG_SYMBOLS_SIZE: 852000
FAULTING_MODULE: fffff8036e079000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 559f3c1a
DUMP_TYPE: 1
BUGCHECK_P1: 4c
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: fffff8036e13f7d4
WRITE_ADDRESS:
Unable to get size of nt!_MMPTE - probably bad symbols
 000000000000004c
CURRENT_IRQL: 0
FAULTING_IP:
nt!RtlCompressBuffer+cf8
fffff803`6e13f7d4 88514c mov byte ptr [rcx+4Ch],dl
CPU_COUNT: 2
CPU_MHZ: fa0
CPU_VENDOR: AuthenticAMD
CPU_FAMILY: 15
CPU_MODEL: 2
CPU_STEPPING: 0
ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N
ANALYSIS_SESSION_TIME: 07-14-2017 18:21:32.0901
ANALYSIS_VERSION: 10.0.15063.468 amd64fre
LAST_CONTROL_TRANSFER: from fffff8036e1d05a9 to fffff8036e1c5c20
STACK_TEXT:
ffffd000`5a962ea8 fffff803`6e1d05a9 : 00000000`0000000a 00000000`0000004c 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffd000`5a962eb0 fffff803`6e1cedc8 : 00000000`00000000 ffffe000`c6e2ada0 ffffe000`c872d780 fffff800`b732f34b : nt!setjmpex+0x3b19
ffffd000`5a962ff0 fffff803`6e13f7d4 : ffffe000`c820e5f0 00000000`00000000 ffffe000`c700d000 ffffe000`c700d070 : nt!setjmpex+0x2338
ffffd000`5a963180 fffff803`6e55cbf3 : fffff803`6e3b8440 00000000`00000000 ffffe000`c6efb340 ffffe000`c700d000 : nt!RtlCompressBuffer+0xcf8
ffffd000`5a9631b0 fffff803`6e13f974 : ffffe000`c700d070 ffffe000`c948eb10 ffffe000`c700d070 fffff803`6e51ba66 : nt!MmGetPhysicalMemoryRanges+0x48c7
ffffd000`5a963430 fffff803`6e4a5367 : 00000000`00000025 00000000`00000000 ffffd000`5a963790 00000000`00000000 : nt!RtlCompressBuffer+0xe98
ffffd000`5a963480 fffff803`6e4a09d1 : ffffc000`8b22a638 ffffc000`8b22a638 ffffd000`5a963790 ffffe000`c700d040 : nt!NtSetEvent+0xf57
ffffd000`5a963690 fffff803`6e4ff38c : ffffe000`c7d36001 ffffd000`5a9638b8 ffffe000`00000040 ffffe000`c66a2f20 : nt!ObReferenceObjectByHandleWithTag+0x2d01
ffffd000`5a963830 fffff803`6e4fb69c : 08090a0b`00000001 ffffe000`c948eb10 00000000`006be990 00000000`006be0e0 : nt!ObOpenObjectByName+0x1ec
ffffd000`5a963960 fffff803`6e4fb2e9 : 00000000`006be0c8 00000000`00000000 00000000`006be990 00000000`006be0e0 : nt!NtCreateFile+0x42c
ffffd000`5a963a00 fffff803`6e1d0263 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x79
ffffd000`5a963a90 00007ffa`93233a9a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x37d3
00000000`006be058 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`93233a9a

STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: 354994796ebabcea95158de413e9fe959ee04a0d
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 8ca9079c6090e66caa0852c99e03b54762c6d4e3
THREAD_SHA1_HASH_MOD: dc844b1b94baa204d070855e43bbbd27eee98b94
FOLLOWUP_IP:
nt!RtlCompressBuffer+cf8
fffff803`6e13f7d4 88514c mov byte ptr [rcx+4Ch],dl
FAULT_INSTR_CODE: 484c5188
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt_wrong_symbols!559F3C1A852000
FOLLOWUP_NAME: MachineOwner
BUGCHECK_STR: 559F3C1A
EXCEPTION_CODE: (NTSTATUS) 0x559f3c1a - <Unable to get error code text>
EXCEPTION_CODE_STR: 559F3C1A
EXCEPTION_STR: WRONG_SYMBOLS
PROCESS_NAME: ntoskrnl.wrong.symbols.exe
IMAGE_NAME: ntoskrnl.wrong.symbols.exe
MODULE_NAME: nt_wrong_symbols
BUCKET_ID: WRONG_SYMBOLS_X64_10240.16384.amd64fre.th1.150709-1700_TIMESTAMP_150710-032930
DEFAULT_BUCKET_ID: WRONG_SYMBOLS_X64_10240.16384.amd64fre.th1.150709-1700_TIMESTAMP_150710-032930
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
FAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_10240.16384.amd64fre.th1.150709-1700_TIMESTAMP_150710-032930_559F3C1A_nt_wrong_symbols!559F3C1A852000
TARGET_TIME: 2017-07-14T16:20:17.000Z
OSBUILD: 10240
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2015-07-10 05:29:30
BUILDDATESTAMP_STR: 150709-1700
BUILDLAB_STR: th1
BUILDOSVER_STR: 10.0.10240.16384.amd64fre.th1.150709-1700
ANALYSIS_SESSION_ELAPSED_TIME: 4f
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:wrong_symbols_x64_10240.16384.amd64fre.th1.150709-1700_timestamp_150710-032930_559f3c1a_nt_wrong_symbols!559f3c1a852000
FAILURE_ID_HASH: {eb71b7c5-5d3e-8b28-668b-123d807c7ae7}

Followup: MachineOwner
---------

0: kd>

Thank You
  Message 2 of 4  
14 Jul 17 15:17
Slava Imameev
xxxxxx@hotmail.com
Join Date: 13 Sep 2013
Posts To This List: 207
Need help

> ***** Kernel symbols are WRONG. Please fix symbols to do analysis.

To fix the symbols enter the following commands in WinDBG

.sympath srv*
.reload

More about this
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode-

Then provide the call stack with correct symbols.
  Message 3 of 4  
17 Jul 17 13:51
Sivaller
xxxxxx@gmail.com
Join Date: 13 Jul 2017
Posts To This List: 5
Need help

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000000000004c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff801becd07d4, address which referenced memory

Debugging Details:
------------------

DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 10240.16384.amd64fre.th1.150709-1700
SYSTEM_MANUFACTURER: innotek GmbH
VIRTUAL_MACHINE: VirtualBox
SYSTEM_PRODUCT_NAME: VirtualBox
SYSTEM_VERSION: 1.2
BIOS_VENDOR: innotek GmbH
BIOS_VERSION: VirtualBox
BIOS_DATE: 12/01/2006
BASEBOARD_MANUFACTURER: Oracle Corporation
BASEBOARD_PRODUCT: VirtualBox
BASEBOARD_VERSION: 1.2
DUMP_TYPE: 1
BUGCHECK_P1: 4c
BUGCHECK_P2: 2
BUGCHECK_P3: 1
BUGCHECK_P4: fffff801becd07d4
WRITE_ADDRESS: 000000000000004c
CURRENT_IRQL: 2
FAULTING_IP:
nt!IopMountInitializeVpb+54
fffff801`becd07d4 88514c mov byte ptr [rcx+4Ch],dl
CPU_COUNT: 2
CPU_MHZ: fa0
CPU_VENDOR: AuthenticAMD
CPU_FAMILY: 15
CPU_MODEL: 2
CPU_STEPPING: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: samplefatfilesystem.exe
ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N
ANALYSIS_SESSION_TIME: 07-17-2017 19:49:26.0617
ANALYSIS_VERSION: 10.0.15063.468 amd64fre
TRAP_FRAME: ffffd00140995ff0 -- (.trap 0xffffd00140995ff0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000002 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801becd07d4 rsp=ffffd00140996180 rbp=ffffe000722a2070
 r8=0000000000000000  r9=fffff801bef6d880 r10=fffff801f0c15b80
r11=ffffd00140996180 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!IopMountInitializeVpb+0x54:
fffff801`becd07d4 88514c mov byte ptr [rcx+4Ch],dl ds:00000000`0000004c=??
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff801bed615a9 to fffff801bed56c20
STACK_TEXT:
ffffd001`40995ea8 fffff801`bed615a9 : 00000000`0000000a 00000000`0000004c 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
ffffd001`40995eb0 fffff801`bed5fdc8 : 00000000`00000000 ffffe000`7131ddf0 ffffe000`710e9780 fffff801`f0c1f34b : nt!KiBugCheckDispatch+0x69
ffffd001`40995ff0 fffff801`becd07d4 : ffffe000`70deb3f0 00000000`00000000 ffffe000`722a2000 ffffe000`722a2070 : nt!KiPageFault+0x248
ffffd001`40996180 fffff801`bf0edbf3 : fffff801`bef49440 00000000`00000000 ffffe000`71254840 ffffe000`722a2000 : nt!IopMountInitializeVpb+0x54
ffffd001`409961b0 fffff801`becd0974 : ffffe000`722a2070 ffffe000`6fd90b10 ffffe000`722a2070 fffff801`bf0aca66 : nt!IopMountVolume+0x46b
ffffd001`40996430 fffff801`bf036367 : 00000000`00000025 00000000`00000000 ffffd001`40996790 00000000`00000000 : nt!IopCheckVpbMounted+0x154
ffffd001`40996480 fffff801`bf0319d1 : ffffc000`d4a2a638 ffffc000`d4a2a638 ffffd001`40996790 ffffe000`722a2040 : nt!IopParseDevice+0x4a7
ffffd001`40996690 fffff801`bf09038c : ffffe000`70b15b01 ffffd001`409968b8 ffffe000`00000040 ffffe000`6f46ff20 : nt!ObpLookupObjectName+0x711
ffffd001`40996830 fffff801`bf08c69c : ffffe000`00000001 ffffe000`6fd90b10 00000000`0075eb80 00000000`0075e2d0 : nt!ObOpenObjectByName+0x1ec
ffffd001`40996960 fffff801`bf08c2e9 : 00000000`0075e2b8 00000000`00000000 00000000`0075eb80 00000000`0075e2d0 : nt!IopCreateFile+0x38c
ffffd001`40996a00 fffff801`bed61263 : fffff6fb`40001b00 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x79
ffffd001`40996a90 00007ff9`55663a9a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0075e248 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`55663a9a

STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: b137d77bc1f8deefd04b4562dfe551e52af3da5a
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 27ae7d2d2794d88ca82b2572a447cec3b99430b0
THREAD_SHA1_HASH_MOD: dc844b1b94baa204d070855e43bbbd27eee98b94
FOLLOWUP_IP:
nt!IopMountInitializeVpb+54
fffff801`becd07d4 88514c mov byte ptr [rcx+4Ch],dl
FAULT_INSTR_CODE: 484c5188
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!IopMountInitializeVpb+54
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 559f3c1a
BUCKET_ID_FUNC_OFFSET: 54
FAILURE_BUCKET_ID: AV_nt!IopMountInitializeVpb
BUCKET_ID: AV_nt!IopMountInitializeVpb
PRIMARY_PROBLEM_CLASS: AV_nt!IopMountInitializeVpb
TARGET_TIME: 2017-07-17T17:40:39.000Z
OSBUILD: 10240
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2015-07-10 05:29:30
BUILDDATESTAMP_STR: 150709-1700
BUILDLAB_STR: th1
BUILDOSVER_STR: 10.0.10240.16384.amd64fre.th1.150709-1700
ANALYSIS_SESSION_ELAPSED_TIME: be5
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_nt!iopmountinitializevpb
FAILURE_ID_HASH: {b00a9f3a-eb89-6a85-c75f-b86adbc50a6f}

Followup: MachineOwner
  Message 4 of 4  
18 Jul 17 03:11
Tim Roberts
xxxxxx@probo.com
Join Date: 28 Jan 2005
Posts To This List: 11656
Need help

On Jul 17, 2017, at 10:51 AM, xxxxx@gmail.com xxxxx@lists.osr.com wrote:
>
> IRQL_NOT_LESS_OR_EQUAL (a)
> An attempt was made to access a pageable (or completely invalid) address at an
> interrupt request level (IRQL) that is too high. This is usually
> caused by drivers using improper addresses.
> If a kernel debugger is available get the stack backtrace.
> Arguments:
> Arg1: 000000000000004c, memory referenced
> Arg2: 0000000000000002, IRQL
<...excess quoted lines suppressed...>

This is a null pointer dereference. The likely cause here is that you have supplied a null pointer in a structure field or parameter where you are not allowed to supply a null pointer.

— Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
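
How the null-pointer diagnosis in message 4 can be read from the !analyze -v fields, as an added example that is not part of the original thread: the script checks that the faulting operand [rcx+4Ch] reproduces Arg1 with a zero base register, and falls back to a weaker verdict when symbols are wrong and no trap frame is available (the situation in message 1). The function names, verdict strings and the 64 KB threshold are assumptions of this example; the sample text is constructed from values posted above.

```python
import re

# Constructed sample: fields copied from the second !analyze -v output (message 3).
GOOD_SYMBOLS = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 000000000000004c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
Arg4: fffff801becd07d4, address which referenced memory
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000002 rsi=0000000000000000 rdi=0000000000000000
nt!IopMountInitializeVpb+0x54:
fffff801`becd07d4 88514c mov byte ptr [rcx+4Ch],dl ds:00000000`0000004c=??
"""

# Constructed sample: fields from message 1, where symbols were wrong and
# the output contained no trap frame registers.
WRONG_SYMBOLS = """\
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Arg1: 000000000000004c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
Arg4: fffff8036e13f7d4, address which referenced memory
nt!RtlCompressBuffer+cf8
fffff803`6e13f7d4 88514c mov byte ptr [rcx+4Ch],dl
"""

# Volatile registers are saved in an x64 trap frame; the others may read as
# zero (the debugger's "does not contain all registers" note), so a zero in
# a non-volatile register proves nothing.
VOLATILE = {"rax", "rcx", "rdx", "r8", "r9", "r10", "r11"}
NULL_GUARD = 0x10000  # assumption: treat addresses in the lowest 64 KB as NULL + offset


def parse(text):
    """Extract bugcheck arguments, register values and the memory operand."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"Arg(\d): ([0-9a-fA-F]+)", text)}
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-fA-F]{16})", text)}
    # WinDbg prints the displacement with a trailing 'h', e.g. [rcx+4Ch].
    m = re.search(r"\[(\w+)\+([0-9A-Fa-f]+)h\]", text)
    operand = (m.group(1), int(m.group(2), 16)) if m else None
    return args, regs, operand


def triage(text):
    """Classify a bugcheck 0xA report from its !analyze -v text."""
    args, regs, operand = parse(text)
    result = {
        "symbols_ok": "Kernel symbols are WRONG" not in text,
        "access": "write" if args[3] & 1 else "read",  # Arg3 bit 0
        "irql": args[2],
        "address": args[1],
        "field_offset": None,
        "verdict": "unclassified",
    }
    if operand is None:
        return result
    base, disp = operand
    if base in regs and base in VOLATILE:
        # Trustworthy register value: base + displacement must equal Arg1.
        if regs[base] == 0 and regs[base] + disp == args[1]:
            result["field_offset"] = disp
            result["verdict"] = "null-pointer-dereference"
    elif args[1] == disp and args[1] < NULL_GUARD:
        # No register dump: Arg1 equal to the displacement implies a zero
        # base, but the call stack is unreliable until symbols are fixed.
        result["field_offset"] = disp
        result["verdict"] = "probable-null-pointer-dereference"
    return result


if __name__ == "__main__":
    for name, text in (("message 3", GOOD_SYMBOLS), ("message 1", WRONG_SYMBOLS)):
        print(name, triage(text))
```

The field offset (0x4c here) identifies which member of the NULL structure was being written, which is the starting point for finding the pointer the driver left unset.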