Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

I need help analyzing why this crash keeps happening (PLEASE HELP)

justdaniel55justdaniel55 Member Posts: 1

  • *
  • Bugcheck Analysis *
  • *

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common BugCheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffff80000003, The exception code that was not handled
Arg2: fffff80312e04d2c, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000fffff80312d5, Parameter 1 of the exception

Debugging Details:

*** WARNING: Unable to verify checksum for win32k.sys

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 3593

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 6754

Key  : Analysis.Init.CPU.mSec
Value: 358

Key  : Analysis.Init.Elapsed.mSec
Value: 6850

Key  : Analysis.Memory.CommitPeak.Mb
Value: 82

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

BUGCHECK_CODE: 1e

BUGCHECK_P1: ffffffff80000003

BUGCHECK_P2: fffff80312e04d2c

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80312d5

EXCEPTION_PARAMETER2: 0000fffff80312d5

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

TRAP_FRAME: fffff80316643690 -- (.trap 0xfffff80316643690)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff803140ff610 rbx=0000000000000000 rcx=fffff8030d1af764
rdx=0000000000000080 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80292dffac0 rsp=fffff80316643828 rbp=fffff80316643960
r8=0000000000000000 r9=0000000000000000 r10=0000fffff80312d5
r11=00000008e1779328 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
fffff802`92dffac0 ?? ???
Resetting default scope

STACK_TEXT:
fffff80316658158 fffff80312ef53ee : 000000000000001e ffffffff80000003 fffff80312e04d2c 0000000000000000 : nt!KeBugCheckEx
fffff80316658160 fffff80312dffde2 : fffff80312ef53cc 0000000000000000 0000000000000000 0000000000000000 : nt!HvlpVtlCallExceptionHandler+0x22
fffff803166581a0 fffff80312ce6e07 : fffff80316658710 0000000000000000 fffff80316643c60 fffff80312dfaa8e : nt!RtlpExecuteHandlerForException+0x12
fffff803166581d0 fffff80312ce59f6 : fffff80316643458 fffff80316658e20 fffff80316643458 fffff8030d1af760 : nt!RtlDispatchException+0x297
fffff803166588f0 fffff80312df7db2 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDispatchException+0x186
fffff80316658fb0 fffff80312df7d80 : fffff80312e08fa5 fffff80312d62f90 fffff80312d23c44 000000000000fffe : nt!KxExceptionDispatchOnExceptionStack+0x12
fffff80316643318 fffff80312e08fa5 : fffff80312d62f90 fffff80312d23c44 000000000000fffe 0000000000000000 : nt!KiExceptionDispatchOnExceptionStackContinue
fffff80316643320 fffff80312e02916 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiExceptionDispatch+0x125
fffff80316643500 fffff80312e04d2d : 0000000000000004 0000000000000000 0000000000000002 ffff9181e449f180 : nt!KiBreakpointTrap+0x316
fffff80316643690 fffff80292dffac0 : fffff80312d5161d 0000000000000000 0000000000000000 0000000000000000 : nt!KiPageFault+0x2d
fffff80316643828 fffff80312d5161d : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xfffff80292dffac0 fffff80316643830 fffff80312c9a3be : fffff8030d1aa240 fffff80316643b10 fffff8030d1a7180 ffffb888e50a7080 : nt!KiEntropyDpcRoutine+0x3d fffff80316643860 fffff80312c996a4 : 0000000000000000 0000000000000000 000000000000002a 00000000001e316d : nt!KiExecuteAllDpcs+0x30e fffff803166439d0 fffff80312dfaa8e : 0000000000000000 fffff8030d1a7180 fffff80313726a00 ffffb888e12dc080 : nt!KiRetireDpcList+0x1f4 fffff80316643c60 0000000000000000 : fffff80316644000 fffff8031663e000 0000000000000000 00000000`00000000 : nt!KiIdleLoop+0x9e

SYMBOL_NAME: nt!KiPageFault+2c

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.19041.1110

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 2c

FAILURE_BUCKET_ID: 0x1E_80000003_nt!KiPageFault

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {dd972cec-b3fc-7856-8a36-888ca66e1181}

Followup: MachineOwner

Comments

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 14,093

    Do you have a driver on this machine? It seems to be showing a page fault jumping to empty memory while handling a DPC. That can mean that you forgot to unregister a callback when your driver unloaded, or that you're trying to call a DPC in a segment marked as "paged" or "init". How your stack dump get corrupted?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Internals & Software Drivers 15 November 2021 Live, Online
Writing WDF Drivers TBD Live, Online
Developing Minifilters 7 February 2022 Live, Online
Kernel Debugging 21 March 2022 Live, Online