Crash

Alexey_Logachyov Member Posts: 476
I'm getting the following error on NT4 SP6:

A fatal system error has occurred.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {c0000005, 801ae46e, 0, 220}

Probably caused by : ntoskrnl ( nt!HvpDoWriteHive+1e )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8012ff7c cc int 3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
An exception code of 0x80000002 (STATUS_DATATYPE_MISALIGNMENT) indicates
that an unaligned data reference was encountered. The trap frame will
supply additional information.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 801ae46e, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00000220, Parameter 1 of the exception

Debugging Details:
------------------


EXCEPTION_CODE: c0000005

FAULTING_IP:
nt!HvpDoWriteHive+1e
801ae46e 8b7e20 mov edi,[esi+0x20]

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000220

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmPoolCodeStart
00000220 Unknown

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 1E

EXCEPTION_RECORD: f9c33e2c -- (.exr fffffffff9c33e2c)
ExceptionAddress: 801ae46e (nt!HvpDoWriteHive+0x0000001e)
ExceptionCode: c0000005
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000220
Attempt to read from address 00000220

CONTEXT: f9c33c68 -- (.cxr fffffffff9c33c68)
eax=00000001 ebx=00000001 ecx=00009b01 edx=f9c33f6c esi=00000200 edi=00000000
eip=801ae46e esp=f9c33ef4 ebp=f9c33f14 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!HvpDoWriteHive+1e:
801ae46e 8b7e20 mov edi,[esi+0x20]
Resetting default context

LAST_CONTROL_TRANSFER: from 801ae41a to 801ae46e

STACK_TEXT:
f9c33f14 801ae41a e1005be8 00000000 e1005d4c nt!HvpDoWriteHive+0x1e
f9c33f24 801ab978 e1005be8 00000001 801abe96 nt!HvSyncHive+0x40
f9c33f30 801abe96 8010b0a7 00000000 f9c33f7c nt!CmpDoFlushAll+0x2a
f9c33f34 8010b0a7 00000000 f9c33f7c 00000000 nt!CmpLazyFlushWorker+0x1a
f9c33f4c 801375f8 00000001 00000000 00000000 nt!ExpWorkerThread+0x73
f9c33f7c 801428f6 8010b034 00000001 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
nt!HvpDoWriteHive+1e
801ae46e 8b7e20 mov edi,[esi+0x20]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!HvpDoWriteHive+1e

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl

STACK_COMMAND: .cxr fffffffff9c33c68 ; kb

BUCKET_ID: 0x1E_nt!HvpDoWriteHive+1e

Followup: MachineOwner
---------

This happens only if AUTOCHK was run during boot. Windows is on
autologon. It bugchecks when desktop is loading before icons appear. My
filter was based on sfilter, completely redesigned later. Can anyone
suggest an explanation to the problem? What is parameter 2 of exception
(Arg4 of bugcheck)?

Comments

  • Nathan_Nesbit Member Posts: 194
    The last 2 bugcheck params are the 2 exception params. The first means
    Read. The second is the address which could not be read. Look in MSDN
    under WaitForDebugEvent for more info about exception parameters.

    EXCEPTION_RECORD: f9c33e2c -- (.exr fffffffff9c33e2c)
    <snip>
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 00000220
    Attempt to read from address 00000220


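
The parameter decoding described in the reply above, applied to the values from the question. This is an added example, not part of the original thread; the function name `decode_bugcheck_1e` and the "bad base pointer" heuristic are assumptions made for illustration.

```python
import re

# Constructed sample: three lines copied from the !analyze -v output in the question.
SAMPLE = """\
BugCheck 1E, {c0000005, 801ae46e, 0, 220}
eax=00000001 ebx=00000001 ecx=00009b01 edx=f9c33f6c esi=00000200 edi=00000000
801ae46e 8b7e20 mov edi,[esi+0x20]
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}  # exception Parameter[0]
HEX = r"([0-9a-fA-F]+)"


def decode_bugcheck_1e(text):
    """Decode a bugcheck 0x1E line and cross-check it against the register context."""
    m = re.search(r"BugCheck 1E, \{%s, %s, %s, %s\}" % (HEX, HEX, HEX, HEX), text)
    if not m:
        raise ValueError("no BugCheck 1E line found")
    code, fault_ip, p0, p1 = (int(x, 16) for x in m.groups())
    result = {"exception_code": code, "fault_ip": fault_ip}
    if code != STATUS_ACCESS_VIOLATION:
        return result  # Arg3/Arg4 only have the meaning below for c0000005
    result["access"] = ACCESS_KIND.get(p0, "unknown")
    result["address"] = p1

    # Registers as printed by .cxr, e.g. "esi=00000200".
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(e[a-z]{2})=([0-9a-fA-F]{8})\b", text)}
    # Memory operand of the faulting instruction: [reg] or [reg+0xNN].
    op = re.search(r"\[(e[a-z]{2})(?:\+0x%s)?\]" % HEX, text)
    if op and op.group(1) in regs:
        base, disp = regs[op.group(1)], int(op.group(2) or "0", 16)
        result.update(base_reg=op.group(1), base=base, disp=disp)
        # The operand address should reproduce Arg4 exactly.
        result["operand_matches"] = ((base + disp) & 0xFFFFFFFF) == p1
        # Assumed heuristic: x86 NT kernel pointers are at or above 0x80000000, so a
        # small base means the structure pointer itself is bad, not the field.
        result["bad_base_pointer"] = base < 0x80000000
    return result


if __name__ == "__main__":
    for key, value in decode_bugcheck_1e(SAMPLE).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

For this dump the result is a read of 0x220 produced by `esi` (0x200) plus displacement 0x20, so the value to trace back up the stack is the pointer loaded into `esi`, not the field at offset 0x20.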