MS Toaster sample driver blue-screens on me ..

Greetings,

I’m having some Windows driver BSOD issues and I’m looking for suggestions.
I’m working on a Windows 7 (64 bit) PC. I’m using VS2015 and WDK-10.
I used VS2015 to write a very minimal driver (debug - x64): it basically is just a “DriverEntry” and a “DriverUnload” function, only doing some DbgPrints. I built it (test signed it, and running Windows 7 in Test Mode), I used OSRLOAD to register and load it, and everything works fine. I can load and unload it at will, and I see my DbgPrints in DebugView.
So far so good.

Then I wanted to add some more functionality and found the famous WDK ‘Toaster’ driver sample source.
So, I decided to first build that, and then study it.
I used the provided solution file, and I built the project wdfSimple.
I used the same set-up as above, the ONLY things I changed were a) I added test-signing certificate data to the properties, and changed the default setting from debug-x32 to debug-x64.
It built fine! But when I use OSRLOAD to load it (after registering it), it bluescreens.
Since I’m not yet on a 2 machine develop-test set-up (I just wanted to do some quick tests), and thus can’t debug it well, I simply started trimming it down to see what caused the bluescreen (I know, not a very professional procedure).
It kept dying on me. So at last I simply commented ALL code out in my toaster.c and pasted the code, that worked just fine in my own minimal driver. Built it, signed it, loaded … and it bluescreens as well! Same code!

I have been comparing project properties and nothing jumps out to me as being different between the projects. The generated .sys files have both the exact same number of bytes (in their ‘data’ section).

I uploaded the minidump to OSR’s analyzer and it tells me the following, basically suggesting there’s a break point being set.

"
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.
"

I have no breakpoints set, VS2015 has ‘delete all breakpoints’ grayed out, and the address of where the violation occurs (602d) is way outside the memory used by my driver, based on the link map I had it generate for this purpose.
So it really looks like my code is stomping on something it shouldn’t be accessing.

I’m out of ideas … and I’m also wondering: Why can’t I build and run the ‘toaster’ sample driver, as is, out of the box? It must, surely, have been built by tens of thousands of people! Can’t find anything with Google on a blue-screening toaster sample driver either!

It MUST be something in the build procedure/project properties, because the source code is now identical between ‘my’ toaster.c and my little minimal driver that works just fine.

Somehow this feels like it’s something simple, but I can’t think of anything.
Any ideas will be very very welcome.

~ Paul Claessen

The toaster sample drivers are all plug and play which OSRLOADER does not
support. You are going to have to use the INF file with either device
manager or devcon to load the driver.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@claessen.com
xxxxx@lists.osr.com
Sent: Tuesday, August 22, 2017 3:59 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] MS Toaster sample driver blue-screens on me …


Don,

Thanks for your response.
Which triggers 2 more questions :wink:

  1. Is the PnP nature of the driver reflected somewhere in the project’s properties? (And can I change that?). After all, the code, right now, has been reduced to a simple DriverEntry and DriverUnload … copied from a driver that DOES work just fine (when loaded with OSRLOAD)

  2. Doesn’t the blue screen indicate that OSR actually DID manage to load it?

~ Paul

xxxxx@claessen.com xxxxx@lists.osr.com wrote:

  1. Is the PnP nature of the driver reflected somewhere in the project’s properties? (And can I change that?). After all, the code, right now, has been reduced to a simple DriverEntry and DriverUnload … copied from a driver that DOES work just fine (when loaded with OSRLOAD)

No, there’s no external property about this.  Essentially, a non-PnP
driver creates its device object within DriverEntry.  A PnP driver
registers an AddDevice handler and creates its device objects within
AddDevice.  The AddDevice handler gets called when a hardware ID match
is found within an INF file.

 

  2. Doesn’t the blue screen indicate that OSR actually DID manage to load it?

Yes, although a mismatch between “thought i was PnP” and “not really
PnP” can cause it.  You might post the entire dump analysis.

By the way, you can configure your test machine to create a full dump
(“memory.dmp”) during a BSOD, then analyze that with “windbg -z”.  In
many cases, that’s almost as productive as live kernel debugging.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Tim,

Your “a mismatch between ‘thought i was PnP’ and ‘not really PnP’ can cause it” … sounds promising … but where does this mismatch come from, if not from the source?

All my driver does is this:

"
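#include <ntddk.h>

/* Unload routine: only logs, so the driver can be stopped and reloaded at will. */
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    /* %p prints the full pointer; 0x%X would truncate it on x64. */
    DbgPrint("drpaul: Driver unloading. [%p]\n", pDriverObject);
}

/* Entry point: registers the unload routine and creates no device object. */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("drpaul: Driver started. %wZ\n", RegistryPath);

    return STATUS_SUCCESS;
}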
"

Also, and this is what makes it such a mystery: it works fine when built in one VS2015 project, but not when I build this with the MS provided toaster project, when I replace their code with the code above: it STILL blue-screens.

As for posting the entire analysis … I see that I “may not” post attachments here: what can I do to get that permission? (Posting the analysis in a reply is probably a bit much).

Thanks for your reply!

~ Paul

Post the output of !analyze -v of the crash.

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@claessen.com xxxxx@lists.osr.com
Sent: Wednesday, August 23, 2017 5:33 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] MS Toaster sample driver blue-screens on me …


Okay, here goes (didn’t expand the raw stack, since that would make the post too big for posting here):

Instant Online Crash Analysis, brought to you by OSR Open Systems Resources, Inc.


Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.23807.amd64fre.win7sp1_ldr.170512-0600
Machine Name:
Kernel base = 0xfffff80002e61000 PsLoadedModuleList = 0xfffff800030a3750
Debug session time: Tue Aug 22 12:02:17.631 2017 (UTC - 4:00)
System Uptime: 0 days 2:11:11.631
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffff80000003, The exception code that was not handled
Arg2: fffff8800dca602d, The address that the exception occurred at
Arg3: fffff880033a1728, Exception Record Address
Arg4: fffff880033a0f90, Context Record Address

Debugging Details:

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

FAULTING_IP:
wdfsimple+602d
fffff880`0dca602d cc int 3

EXCEPTION_RECORD: fffff880033a1728 – (.exr 0xfffff880033a1728)
ExceptionAddress: fffff8800dca602d (wdfsimple+0x000000000000602d)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 1
Parameter[0]: 0000000000000000

CONTEXT: fffff880033a0f90 – (.cxr 0xfffff880033a0f90)
rax=00002b992ddfa232 rbx=fffffa80199ce000 rcx=0000000000000006
rdx=fffffa80199ce000 rsi=fffffa80199ce000 rdi=fffffa8015d70370
rip=fffff8800dca602d rsp=fffff880033a1968 rbp=0000000000000000
r8=fffffa8013041000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000001 r13=ffffffff800013f4
r14=fffffa8017e38be0 r15=000000000000001c
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000246
wdfsimple+0x602d:
fffff880`0dca602d cc int 3
Resetting default scope

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x7E

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.

EXCEPTION_PARAMETER1: 0000000000000000

LAST_CONTROL_TRANSFER: from fffff8800dca10ad to fffff8800dca602d

STACK_TEXT:
fffff880033a1968 fffff8800dca10ad : 0000000000000000 0000000000000000 0000000000000002 fffff880033a1b00 : wdfsimple+0x602d
fffff880033a1970 0000000000000000 : 0000000000000000 0000000000000002 fffff880033a1b00 000000000000000e : wdfsimple+0x10ad

FOLLOWUP_IP:
wdfsimple+602d
fffff880`0dca602d cc int 3

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: wdfsimple+602d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: wdfsimple

IMAGE_NAME: wdfsimple.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 599c5533

STACK_COMMAND: .cxr 0xfffff880033a0f90 ; kb

FAILURE_BUCKET_ID: X64_0x7E_wdfsimple+602d

BUCKET_ID: X64_0x7E_wdfsimple+602d

Followup: MachineOwner


Unloaded modules:
fffff8800cc68000 fffff8800ccd9000 spsys.sys
fffff8800dc49000 fffff8800dc57000 MpKsla7533af
fffff8800dc8a000 fffff8800dc92000 drpaul.sys
fffff8800dc82000 fffff8800dc8a000 drpaul.sys
fffff8800cc68000 fffff8800ccd9000 spsys.sys
fffff88001aa7000 fffff88001ab5000 crashdmp.sys
fffff880042a5000 fffff880043f9000 dump_iaStor.
fffff88004200000 fffff88004213000 dump_dumpfve

\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\hdlpflt.sys
\SystemRoot\system32\drivers\hdlpevnt.sys
\SystemRoot\system32\drivers\hdlpctrl.sys
\SystemRoot\system32\DRIVERS\CyProtectDrv64.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\dwvkbd64.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\VBoxNetLwf.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\VBoxUSBMon.sys
\SystemRoot\system32\DRIVERS\VBoxDrv.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
??\C:\WINDOWS\system32\drivers\cbk7.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\drivers\usbuhci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\hdlpdbk.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\DRIVERS\b57nd60a.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\DamewareMini.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\VBoxNetAdp6.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\drivers\dwdscard.sys
\SystemRoot\system32\drivers\SMCLIB.SYS
\SystemRoot\system32\DRIVERS\vmnetadapter.sys
\SystemRoot\system32\DRIVERS\VMNET.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\nvhda64v.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\drivers\ADIHdAud.sys
\SystemRoot\system32\drivers\mfeaack.sys
\SystemRoot\system32\drivers\mfeavfk.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\dc3d.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\point64.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\vmnetbridge.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\vmnetuserif.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\vmx86.sys
\SystemRoot\system32\DRIVERS\hcmon.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\vmparport.sys
\SystemRoot\SysWOW64\drivers\vstor2-mntapi20-shared.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\mfesmfk.sys
\SystemRoot\system32\drivers\hdlphook.sys
??\C:\WINDOWS\system32\drivers\cbstream.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
??\C:\Program Files (x86)\Dell SecureWorks\Red Cloak\cyclorama64.sys
\SystemRoot\System32\Class
WDFLDR.SYS
*** wdfsimple.sys - Address FFFFF8800DCA602D base at FFFFF8800DCA0000, DateStamp 599c5533
\Device\HarddiskVolume2\Windows\System32\wow64win.dll
\Device\HarddiskVolume2\Windows\System32\wow64.dll
\Device\HarddiskVolume2\Windows\System32\wow64cpu.dll
\Device\HarddiskVolume2\Windows\SysWOW64\cryptbase.dll
\Device\HarddiskVolume2\Windows\SysWOW64\sspicli.dll
\Device\HarddiskVolume2\Windows\SysWOW64\advapi32.dll
\Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll
\Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll
\Device\HarddiskVolume2\Windows\SysWOW64\msvcrt.dll
\Device\HarddiskVolume2\Windows\SysWOW64\profapi.dll
\Device\HarddiskVolume2\Windows\SysWOW64\userenv.dll
\Device\HarddiskVolume2\Windows\SysWOW64\sechost.dll
\Device\HarddiskVolume2\Windows\SysWOW64\rpcrt4.dll
\Device\HarddiskVolume2\Windows\System32\ntdll.dll
\Device\HarddiskVolume2\Windows\SysWOW64\ntdll.dll
session_win.exe
“C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00050741974-complete\session_win.exe” --slWaitForCompletion “C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access-00050741974-complete\elev_win.exe” --mouselocation
??\C:\Projects\Drivers\toaster\toastDrv\kmdf\func\simple\x64\Debug\wdfsimple.sys
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wdfsimple
angsau.ttf
TRGDDumpBlob
EDID-Detailed:1920x1080x60.000Hz
EDID-Detailed:1280x1024x60.020Hz
Dell Inc.
12/29/2011
Dell Inc.
Precision WorkStation T3500

Dell Inc.
09KPNV

Dell Inc.

PARALLEL
SERIAL1
SERIAL2
LINE-OUT
LINE-IN
HP-OUT
SLOT1
SLOT2
SLOT3
SLOT4
SLOT5
SLOT6

Intel Pro 1000 MT Network Connection
Intel(R) High Definition Audio Controller
www.dell.com
en|US|iso8859-1
DIMM 1
80CE000080CE

M391B5273CH0-YH9

DIMM 2
80CE000080CE

M391B5273CH0-YH9

DIMM 3
80CE000080CE

M391B5273CH0-YH9

DIMM 4
80CE000080CE

M391B5273CH0-YH9

DIMM 5
80CE000080CE

M391B5273CH0-YH9

DIMM 6
80CE000080CE

M391B5273CH0-YH9

20120322
20120405
Component Information
Configuration Data
Identifier
Intel64 Family 6 Model 26 Stepping 5
ProcessorNameString
Intel(R) Xeon(R) CPU W3565 @ 3.20GHz
Update Signature
Update Status
VendorIdentifier
GenuineIntel
GenuntelineI
GenuntelineI
Intel(R) Xeon(R)Intel(R) Xeon(R)
CPU W CPU W
3565 @ 3.20GHz
3565 @ 3.20GHz
BDELL B10K
DELL B10K
DELL B10K
DELL B10K
JDELL B10K
_DELL B10K
DELL B10K
|DELL B10K
DELL B10K
(9w?`7
Wdf01000
m V6 Callout
msisadrv
vdrvroot
storflt
intelppm
HDAudBus
CompositeBus
monitor
Point64
PEAUTH

You should learn to setup a test machine for kernel debugging and attach a debugger. Use a virtual machine if you don’t have two physical machines. Start here:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-kernel-mode-debugging-in-windbg--cdb--or-ntsd

Are you sure you are building a Windows 7 compatible binary? Open the project’s property page, then in ‘Driver Settings’, make sure the ‘Target OS Version’ property is set to ‘Windows 7’ and the ‘Target Platform’ property is set to ‘Desktop’. You should copy the current configuration to a new one. For instance, copy the ‘Debug’ configuration to a new one named ‘Win7 Debug’, select this new configuration and then set the properties cited above to the correct value.

You are hitting a breakpoint without a kernel debugger attached. Probably hitting it because the state of the driver is incorrect according to WDF.

xxxxx@claessen.com xxxxx@lists.osr.com wrote:

> Your “a mismatch between ‘thought i was PnP’ and ‘not really PnP’ can cause it” … sounds promising … but where does this mismatch come from, if not from the source?
>
> All my driver does is this:
>
> "
> #include <ntddk.h>
>
> void DriverUnload(PDRIVER_OBJECT pDriverObject)
> {
>     DbgPrint("drpaul: Driver unloading. [0x%p]\n", pDriverObject);
> }
>
> NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
> {
>     DriverObject->DriverUnload = DriverUnload;
>     DbgPrint("drpaul: Driver started. %wZ\n", RegistryPath);
>
>     return STATUS_SUCCESS;
> }
> "
>
> Also, and this is what makes it such a mystery: it works fine when built in one VS2015 project, but not when I build this with the MS provided toaster project, when I replace their code with the code above: it STILL blue-screens.

But in the second case, you’ve installed this with an INF file that has
a PnP ID, right? So, the I/O manager is going to try to call your
AddDevice handler, and you don’t have one.

> As for posting the entire analysis … I see that I “may not” post attachments here: what can I do that get that permission? (Posting the analysis in a reply is probably a bit much).

Not at all. Most of us love digging through a dump analysis looking for
a smoking gun.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim,

So far I have exclusively used osrload to load and unload these drivers.
I assumed that no .inf files were involved in that. Am I wrong?

So, what makes a driver a PnP driver, when I only have the two simple functions (DriverEntry and DriverUnload) in my driver?

Besides, for an ‘on demand’ driver, other than osrload or ‘net start’ I wouldn’t know how to load a driver, supposedly through an .inf file. Any hints there?

One more observation, if I move the original toaster source from my failing project, to the project that worked just fine with the two above mentioned functions, it builds fine, but now osrload gives me the error “The service cannot be started, either because it is disabled or it has no enabled devices associated with it”

So,
a. Why is this?
and
b. and what could possibly be the difference between the 2 projects/builds, where one won’t load the driver, and the other will, but blue-screens?

What am I missing?

Isn’t osrload the proper way to get this driver loaded?

I even did this: In VS2015, I started a new solution: picked as template: Driver, KMDF.
Only changed the solution from 32 to 64 bit, target OS = Windows 7, and added my certificate for signing. Then build all the VS2015 generated code … didn’t do anything to the code.
When I load it with osrload, I get that same error “The service cannot be started, either because it is disabled or it has no enabled devices associated with it” … Again, this is just standard generated code. Out of the box … didn’t touch it. Why doesn’t that work?

Any suggestions are VERY welcome. :wink:

xxxxx@claessen.com xxxxx@lists.osr.com wrote:

> So far I have exclusively used osrload to load and unload these drivers.
> I assumed that no .inf files were involved in that. Am I wrong?

If you built the “toaster” sample, that driver has an INF file, because
it is PnP. You can’t use osrload to load and unload it. It expects to
be loaded by the PnP system in response to its hardware ID appearing.

> So, what makes a driver a PnP driver, when I only have the two simple functions (DriverEntry and DriverUnload) in my driver?

Nothing, but the registry plays a huge part here. There is an entry in
HKLM\System\CurrentControlSet\Services that describes this driver.
“osrload” creates that key (using CreateService) if it does not already
exist. But if the system has ever seen the INF file for the “toaster”
version, then it also has an entry in HKLM\System\CurrentControlSet\Enum
that names the hardware ID from the INF file, and that is the basis for
triggering the load of a PnP device. If that key still exists, it could
be causing your driver to get loaded as a PnP driver.

> Besides, for an ‘on demand’ driver, other than osrload or ‘net start’ I wouldn’t know how to load a driver, supposedly through an .inf file. Any hints there?

“osrload” and “net start” and “sc start” all load legacy drivers, which
are managed and loaded via the Service Manager. Most drivers today are
PnP drivers, which are loaded through their INF file, after the driver
package (INF plus SYS) is pre-installed in the driver store, or loaded
through Device Manager.

> One more observation, if I move the original toaster source from my failing project, to the project that worked just fine with the two above mentioned functions, it builds fine, but now osrload gives me the error “The service cannot be started, either because it is disabled or it has no enabled devices associated with it”
>
> So,
> a. Why is this?
> and
> b. and what could possibly be the difference between the 2 projects/builds, where one won’t load the driver, and the other will, but blue-screens?

Check “link /dump /imports”. See if the second project is adding a
reference to a driver that isn’t loaded.

I suppose you could send me the directories, and I’ll see which of the
settings are weird.

> Isn’t osrload the proper way to get this driver loaded?

If it is a legacy driver, “osrload” is fine. Osrload does both the
“install” and “load” process. Once it is installed (by copying into
\windows\system32\drivers and creating the Services entry), it can be
loaded through “net start”.

> I even did this: In VS2015, I started a new solution: picked as template: Driver, KMDF.
> Only changed the solution from 32 to 64 bit, target OS = Windows 7, and added my certificate for signing. Then build all the VS2015 generated code … didn’t do anything to the code.
> When I load it with osrload, I get that same error “The service cannot be started, either because it is disabled or it has no enabled devices associated with it” … Again, this is just standard generated code. Out of the box … didn’t touch it. Why doesn’t that work?

You’re asking for KMDF here, even though you aren’t using KMDF. What
operating system are you loading on? If you’re running Windows 7 but
building for Windows 10, it could be that the wrong version of KMDF is
in place.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I don’t know if you can set the DRIVER_OBJECT unload routine with a KMDF driver. To me this field is reserved for KMDF.

You have to create a WDF driver object with WdfDriverCreate and set the WDF unload routine with the WDF_DRIVER_CONFIG structure. You don’t want PNP so you could probably call WDF_DRIVER_CONFIG_INIT with a NULL EvtDriverDeviceAdd routine as this parameter is optional.

I would use VS 2015 provided KMDF Driver Template. You would have a PNP driver that would install very easily with the command (admin):

DEVCON.EXE install MyTestDriver.inf ROOT\MyTestDriver

xxxxx@claessen.com xxxxx@lists.osr.com wrote:

> So,
> a. Why is this?
> and
> b. and what could possibly be the difference between the 2 projects/builds, where one won’t load the driver, and the other will, but blue-screens?
>
> What am I missing?

There’s another possibility. You are building your bare minimum code
with a “KMDF” project. The KMDF project sets the initial starting
address to gDriverEntry inside of KMDF, and then KMDF redirects things
to your DriverEntry. Your DriverEntry is returning without calling
WdfDriverCreate, and the framework is probably throwing up at that.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim,

Thanks for your generous and extensive comments.
I’ll have quite a few things to try now … and somehow I get the feeling that this whole PnP thing is what’s causing me problems.

But just one more question about loading a driver: You mention that some, non-legacy, drivers can’t be loaded by osrload (net start, etc). And you mention using the .inf file and device manager.

The problem is that my drivers don’t have any hardware associated with them. They’re just software drivers. How do I load those?

I guess the answer is probably going to be: if they don’t ‘drive’ hardware, they don’t need to be PnP, and thus they will be legacy drivers, so you CAN load it with osrload.

But apparently my drivers ARE somehow PnP. I have no control over that. As soon as WDF functions are called, or even linked in, apparently, things go sideways.

Here’s a simple scenario (which is probably easy and quick to follow if you happen to have VS2015 (maybe earlier versions do the same) and WDK 10 installed).

  • Open a New -> Project
  • Select: Installed->Templates->Other Languages->Visual C++->Windows Driver->WDF and select Kernel Mode Driver
  • Let VS generate all the code. Select the proper cpu setting, and if you need a test-signed driver add your certificate info to the project file
  • Build it. You have a nice driver, built okay, based on Microsoft generated code.

Now my question is … HOW do I load this driver? osrload won’t do it (after registering), and there are no devices involved.

There are no HARDWARE devices to enumerate, that’s true.

So, what the example does instead, is create a WDFDEVICE in response to a “root-enumerated pseudo-device” being discovered.

The INF file tells the system what device (real or otherwise) your driver supports. The sample KMDF project INF has a line:

%KMDFDriver1.DeviceDesc%=KMDFDriver1_Device, Root\KMDFDriver1 ; TODO: edit hw-id

This tells Windows “When the Root enumerator finds a device named KMDFDriver1, then load my driver”.

To kick-off the creation of a device named “KMDFDriver1” by the Root enumerator, use the DEVCON utility, as follows:

DEVCON.EXE install KMDFDriver1.inf ROOT\KMDFDriver1

This instructs DEVCON to instruct the system to enumerate a device named ROOT\KMDFDriver1 and then load the driver as instructed by KMDFDriver1.Inf.

May I suggest you take a driver seminar… you’ll learn all this stuff there, you know, and save yourself a ton of time.

Peter
OSR
@OSRDrivers
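
The relationship described in the post above (the INF names a hardware ID, and a `Root\...` ID is what DEVCON asks the root enumerator to create) can be checked before choosing a loader. This is an added Python example, not part of the original thread: the two INF texts are constructed samples, the function names and the `pnp-root` / `pnp-hardware` / `legacy` labels are this example's own, and the parser treats everything after `;` as a comment, even inside a quoted string.

```python
import re

# Constructed sample modelled on the KMDF template INF line quoted in the thread.
PNP_INF = r"""
[Version]
Signature="$WINDOWS NT$"

[Manufacturer]
%ManufacturerName%=Standard,NTamd64

[Standard.NTamd64]
%KMDFDriver1.DeviceDesc%=KMDFDriver1_Device, Root\KMDFDriver1 ; TODO: edit hw-id
"""

# Constructed sample: no [Manufacturer] section, so no hardware ID to match.
NO_MODELS_INF = r"""
[Version]
Signature="$WINDOWS NT$"

[DefaultInstall.NTamd64]
CopyFiles=Drivers_Dir
"""


def parse_sections(inf_text):
    """Map lower-cased section name -> list of entries, comments stripped."""
    sections, current = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections


def hardware_ids(inf_text):
    """Hardware/compatible IDs from the models sections named in [Manufacturer]."""
    sections, ids = parse_sections(inf_text), []
    for entry in sections.get("manufacturer", []):
        name, _, rhs = entry.partition("=")
        parts = [p.strip() for p in (rhs or name).split(",")]
        # "Standard,NTamd64" names [Standard] and [Standard.NTamd64]
        models = [parts[0]] + [f"{parts[0]}.{d}" for d in parts[1:] if d]
        for section in models:
            for model in sections.get(section.lower(), []):
                fields = [f.strip() for f in model.partition("=")[2].split(",")]
                for hw_id in fields[1:]:      # fields[0] is the install section
                    if hw_id and hw_id not in ids:
                        ids.append(hw_id)
    return ids


def load_plan(inf_text, inf_name):
    """Return (kind, command) for how the package expects to be loaded."""
    ids = hardware_ids(inf_text)
    root_ids = [i for i in ids if i.lower().startswith("root\\")]
    if root_ids:   # software-only device: ask the root enumerator to create it
        return "pnp-root", f"devcon.exe install {inf_name} {root_ids[0]}"
    if ids:        # real hardware: PnP loads the driver when the ID appears
        return "pnp-hardware", None
    return "legacy", None  # nothing for PnP to match: osrload / sc start / net start


if __name__ == "__main__":
    print(load_plan(PNP_INF, "KMDFDriver1.inf"))
```
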

Peter,

Excellent! That was the information I was looking for! (For this ‘loading’ part)

As for taking your guys’ driver seminar … What? Are you suggesting that reading your excellent book wasn’t enough? Okay, just kidding, besides, I read it some 18 years ago, and I MAY have forgotten a few details here and there after I quickly (after reading the book) moved to firmware development, plus another few details about Windows drivers have changed a bit too, I’m now finding out. :wink:

And I would LOVE to take your seminars. If only my boss would let me (time and money wise!).
(And I know … those seminars are, in the end, money saving investments … how do I convince upper management of that, I don’t know).

~ Paul C