USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

Hi,

I received a dump from the customer with USER_MODE_HEALTH_MONITOR bugcheck. Upon dump analysis, I saw several threads of my filter driver in “WAIT: (Suspended)” state for around 20 mins. Below is one of the callstacks:


0: kd> !thread fffffa8012f0e5e0
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
fffffa8012f0e8b8 Semaphore Limit 0x2
IRP List:
fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Context Switch Count 3126429 IdealProcessor: 0
UserTime 00:01:37.625
KernelTime 00:13:13.250
Win32 Start Address 0x0000000010376284
Stack Init fffff8800b183db0 Current fffff8800b182340
Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff8800b182380 fffff80001ec4142 : fffffa800f65b001 fffffa8012f0e5e0 fffff8000203ce80 fffff88000000008 : nt!KiSwapContext+0x7a
fffff8800b1824c0 fffff80001ec696f : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
fffff8800b182550 fffff80001eb1ee0 : 0000000000000000 fffffa8000000005 fffffa800f65b000 0000000000000000 : nt!KeWaitForSingleObject+0x19f
fffff8800b1825f0 fffff80001eb2b7d : fffffa8012f0e5e0 0000000000000000 0000000000000000 fffffa8000000000 : nt!KiSuspendThread+0x54
fffff8800b182630 fffff80001ec434d : fffffa8012f0e6a0 0000000000000000 fffff80001eb1e8c 0000000000000000 : nt!KiDeliverApc+0x21d
fffff8800b1826b0 fffff80001ec696f : fffffa800b83e490 fffffa8008bd9200 fffff8800000004f 0000000000000000 : nt!KiCommitThreadWait+0x3dd
fffff8800b182740 fffff88005b233c1 : fffffa8012438000 fffff88000000000 fffff8800b182800 fffff8800b182a00 : nt!KeWaitForSingleObject+0x19f
:
:

I am calling KeWaitForSingleObject() from my filter driver and I have specified timeout value of 45 seconds.
What can be the reason for 25 mins wait even though I have specified timeout of 45 seconds?
Also what does KiDeliverApc() mean in this context?

Appreciate any help on this.

Thanks,
Kunal

I could also see another thread with my driver in the callstack with a Trap frame as follows:


0: kd> !thread fffffa800c40f7f0
THREAD fffffa800c40f7f0 Cid 1df0.027c Teb: 000007ffffec8000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
fffffa800c40fac8 Semaphore Limit 0x2
IRP List:
fffffa80170346c0: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051154 Ticks: 98636 (0:00:25:41.187)
Context Switch Count 2688470 IdealProcessor: 1
UserTime 00:01:20.812
KernelTime 00:13:51.890
Win32 Start Address 0x0000000010376284
Stack Init fffff88005c27db0 Current fffff88005c265c0
Base fffff88005c28000 Limit fffff88005c22000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5

Child-SP RetAddr : Args to Child : Call Site
fffff88005c26600 fffff80001ec4142 : 0000000000000000 fffffa800c40f7f0 0000000000000000 fffff800021aba78 : nt!KiSwapContext+0x7a
fffff88005c26740 fffff80001ec696f : fffffa800d002de0 fffff88005c26b50 fffffa8000000000 fffffa80119320e4 : nt!KiCommitThreadWait+0x1d2
fffff88005c267d0 fffff80001eb1ee0 : fffff88005c26800 fffff88000000005 fffffa800c40f700 fffff80001ebe000 : nt!KeWaitForSingleObject+0x19f
fffff88005c26870 fffff80001eb2b7d : fffffa800c40f7f0 fffff88005c26930 54d338c300010000 0000000000000000 : nt!KiSuspendThread+0x54
fffff88005c268b0 fffff80001eb2df7 : 0000000009e97285 0000000000000000 fffff80001eb1e8c 0000000000000000 : nt!KiDeliverApc+0x21d
fffff88005c26930 fffff88005b50a61 : 4f73e71df28b33f1 acf85ec308e49586 93804e29b007765f aaf994a920b19db4 : nt!KiApcInterrupt+0xd7 (TrapFrame @ fffff88005c26930)
fffff88005c26ac0 4f73e71df28b33f1 : acf85ec308e49586 93804e29b007765f aaf994a920b19db4 36d4a682d2d94433 : <mydriver>!sha1_block_data_order+0xfa1
:
:

-----------------------------------------------

How can I proceed to find the root cause?

Thanks,
Kunal

Could we see all of the threads in DxDmService.exe?
Usually, there might be Wer to handle an exception if threads are suspended.

Best regards
Taehwa

On Fri, Aug 11, 2017 at 2:09 AM, xxxxx@hotmail.com <
xxxxx@lists.osr.com> wrote:

> I could also see another thread with my driver in the callstack with a
> Trap frame as follows:

There are 12 threads in DxDmService.exe with my driver in callstack. Also, all of them have KiDeliverApc() in the callstack. Here are 2 unique threads from DxDmService. There are multiple instances of these threads.

0: kd> !thread fffffa800c40f7f0
THREAD fffffa800c40f7f0 Cid 1df0.027c Teb: 000007ffffec8000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
fffffa800c40fac8 Semaphore Limit 0x2
IRP List:
fffffa80170346c0: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051154 Ticks: 98636 (0:00:25:41.187)
Context Switch Count 2688470 IdealProcessor: 1
UserTime 00:01:20.812
KernelTime 00:13:51.890
Win32 Start Address 0x0000000010376284
Stack Init fffff88005c27db0 Current fffff88005c265c0
Base fffff88005c28000 Limit fffff88005c22000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5

Child-SP RetAddr : Args to Child : Call Site
fffff88005c26600 fffff80001ec4142 : 0000000000000000 fffffa800c40f7f0 0000000000000000 fffff800021aba78 : nt!KiSwapContext+0x7a
fffff88005c26740 fffff80001ec696f : fffffa800d002de0 fffff88005c26b50 fffffa8000000000 fffffa80119320e4 : nt!KiCommitThreadWait+0x1d2
fffff88005c267d0 fffff80001eb1ee0 : fffff88005c26800 fffff88000000005 fffffa800c40f700 fffff80001ebe000 : nt!KeWaitForSingleObject+0x19f
fffff88005c26870 fffff80001eb2b7d : fffffa800c40f7f0 fffff88005c26930 54d338c300010000 0000000000000000 : nt!KiSuspendThread+0x54
fffff88005c268b0 fffff80001eb2df7 : 0000000009e97285 0000000000000000 fffff80001eb1e8c 0000000000000000 : nt!KiDeliverApc+0x21d
fffff88005c26930 fffff88005b50a61 : 4f73e71df28b33f1 acf85ec308e49586 93804e29b007765f aaf994a920b19db4 : nt!KiApcInterrupt+0xd7 (TrapFrame @ fffff88005c26930)
fffff88005c26ac0 4f73e71df28b33f1 : acf85ec308e49586 93804e29b007765f aaf994a920b19db4 36d4a682d2d94433 : <mydriver>!sha1_block_data_order+0xfa1
fffff88005c26ac8 acf85ec308e49586 : 93804e29b007765f aaf994a920b19db4 36d4a682d2d94433 375b9d912ab7b9f6 : 0x4f73e71df28b33f1
fffff88005c26ad0 93804e29b007765f : aaf994a920b19db4 36d4a682d2d94433 375b9d912ab7b9f6 64bf0ad82e7e99fb : 0xacf85ec308e49586
fffff88005c26ad8 aaf994a920b19db4 : 36d4a682d2d94433 375b9d912ab7b9f6 64bf0ad82e7e99fb 43011eb3e6e49515 : 0x93804e29b007765f
fffff88005c26ae0 36d4a682d2d94433 : 375b9d912ab7b9f6 64bf0ad82e7e99fb 43011eb3e6e49515 fffff88005c26b20 : 0xaaf994a920b19db4
fffff88005c26ae8 375b9d912ab7b9f6 : 64bf0ad82e7e99fb 43011eb3e6e49515 fffff88005c26b20 fffff88005b0921e : 0x36d4a682d2d94433
fffff88005c26af0 64bf0ad82e7e99fb : 43011eb3e6e49515 fffff88005c26b20 fffff88005b0921e fffff88000000000 : 0x375b9d912ab7b9f6
fffff88005c26af8 43011eb3e6e49515 : fffff88005c26b20 fffff88005b0921e fffff88000000000 0000000000000000 : 0x64bf0ad82e7e99fb
fffff88005c26b00 fffff88005c26b20 : fffff88005b0921e fffff88000000000 0000000000000000 fffffa80170346c0 : 0x43011eb3e6e49515
fffff88005c26b08 fffff88005b0921e : fffff88000000000 0000000000000000 fffffa80170346c0 0000000000000000 : 0xfffff88005c26b20
fffff88005c26b10 fffff88005b45e9e : fffff8a021047470 fffff8a015eb2000 0000000000010000 fffff88005c26bb0 : <mydriver>!qfile_read+0x14e [d:\build_692379\<build>\common\qlib\qfile_winnt_kern.c @ 263]
fffff88005c26b90 fffff88005b45a22 : fffff88005c26f80 fffff8a023625250 fffff88005c2711a 0000000000000000 : <mydriver>!qcksum_sha1_file+0x1ce [d:\build_692379\<build>\common\qlib\qcksum.c @ 323]
fffff88005c26c00 fffff88005b2840b : fffff88000000002 fffff88005c26f80 fffff8a023625250 fffff88005c27118 : <mydriver>!qcksum_compute_file+0xf2 [d:\build_692379\<build>\common\qlib\qcksum.c @ 541]
fffff88005c26c50 fffff88005b35629 : fffff88005c26f80 fffff8a023625250 fffff88005c27118 00000000000d477a : <mydriver>!scan_calculate_checksum_file+0x4b [d:\build_692379\<build>\optimizer\scan\scan.c @ 233]
fffff88005c26ca0 fffff88005b12865 : fffff88005c270e0 fffff88005c26fc0 fffff88005c27088 0000000000000028 : <mydriver>!scan_check_access_perm+0x8e9 [d:\build_692379\<build>\optimizer\scan\scan.c @ 4524]
fffff88005c26f00 fffff88005b10157 : fffffa801a1a38d0 fffff88005c27448 fffff88005c273d8 fffff880014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff88005c273b0 fffff88001273288 : fffffa801a1a38d0 fffff88005c27448 0000000000000000 0000000000000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff88005c27400 fffff88001271d1b : fffffa801ff0d4c0 fffffa801a1a3970 fffffa8014b11010 fffffa8014b11230 : fltmgr!FltpPerformPostCallbacks+0x368
fffff88005c274d0 fffff880012912b9 : fffffa80170346c0 fffffa801265b800 fffffa8017034600 fffffa800d002de0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff88005c27560 fffff88001271bcf : 0000000000000000 fffffa8006d0a9f0 0000000000000000 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff88005c27610 fffff880012912b9 : fffffa80170346c0 fffffa800b42a800 fffffa8017034600 fffffa800ee64de0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff88005c276a0 fffff800021c32bb : 0000000000000005 0000000000000040 fffffa8009446d10 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff88005c27750 fffff800021bedde : fffffa800c1167e0 0000000000000000 fffffa8019841530 0000000000000701 : nt!IopParseDevice+0x14e2
fffff88005c278b0 fffff800021bf8c6 : 0000000000000000 fffff88005c27a30 fffff8a000000040 fffffa8006d0a9f0 : nt!ObpLookupObjectName+0x784
fffff88005c279b0 fffff800021c16bc : 0000000000000000 0000000000000000 0000000000000001 0000000000000000 : nt!ObOpenObjectByName+0x306
fffff88005c27a80 fffff800021ccd34 : 000000002820a5e8 fffff800c0110098 000000002820a638 000000002820a5f8 : nt!IopCreateFile+0x2bc
fffff88005c27b20 fffff80001ebe0d3 : 0000000000000000 0000000000000000 0000000000000000 000000002820c9e0 : nt!NtCreateFile+0x78
fffff88005c27bb0 00000000779cc28a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88005c27c20)
000000002820a568 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc28a

0: kd> !thread fffffa8012f0e5e0
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
fffffa8012f0e8b8 Semaphore Limit 0x2
IRP List:
fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Context Switch Count 3126429 IdealProcessor: 0
UserTime 00:01:37.625
KernelTime 00:13:13.250
Win32 Start Address 0x0000000010376284
Stack Init fffff8800b183db0 Current fffff8800b182340
Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff8800b182380 fffff80001ec4142 : fffffa800f65b001 fffffa8012f0e5e0 fffff8000203ce80 fffff88000000008 : nt!KiSwapContext+0x7a
fffff8800b1824c0 fffff80001ec696f : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
fffff8800b182550 fffff80001eb1ee0 : 0000000000000000 fffffa8000000005 fffffa800f65b000 0000000000000000 : nt!KeWaitForSingleObject+0x19f
fffff8800b1825f0 fffff80001eb2b7d : fffffa8012f0e5e0 0000000000000000 0000000000000000 fffffa8000000000 : nt!KiSuspendThread+0x54
fffff8800b182630 fffff80001ec434d : fffffa8012f0e6a0 0000000000000000 fffff80001eb1e8c 0000000000000000 : nt!KiDeliverApc+0x21d
fffff8800b1826b0 fffff80001ec696f : fffffa800b83e490 fffffa8008bd9200 fffff8800000004f 0000000000000000 : nt!KiCommitThreadWait+0x3dd
fffff8800b182740 fffff88005b233c1 : fffffa8012438000 fffff88000000000 fffff8800b182800 fffff8800b182a00 : nt!KeWaitForSingleObject+0x19f
fffff8800b1827e0 fffff88005b1dd93 : fffffa800f5d9530 fffff8a000f45300 000000000000005a fffff8a000000000 : <mydriver>!ivmc_wsk_recv_data+0x211 [d:\build_692379\<build>\optimizer\ivmc\ivmc_ksocket.c @ 435]
fffff8800b182870 fffff88005b2f27e : fffff88005bc9c28 fffff8a000f45300 fffff8800000005a fffff88000000000 : <mydriver>!ivmc_read_all+0x93 [d:\build_692379\<build>\optimizer\ivmc\ivmc.c @ 426]
fffff8800b1828e0 fffff88005b30ca0 : fffff88005bc9c28 fffff8800b182fc0 fffff8800b182a48 fffff8a01fdf65e0 : <mydriver>!scan_process_response+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 2562]
fffff8800b1829c0 fffff88005b3227b : fffff8800b1830e0 fffff8800b182fc0 fffff88000000001 fffff8800b183148 : <mydriver>!scan_process_file_scan_response+0xb0 [d:\build_692379\<build>\optimizer\scan\scan.c @ 3028]
fffff8800b182a90 fffff88005b35b56 : fffff8800b1830e0 fffff8800b182fc0 fffff88069435351 00000000000007ff : <mydriver>!scan_file_with_file_transfer+0x99b [d:\build_692379\<build>\optimizer\scan\scan.c @ 3416]
fffff8800b182ca0 fffff88005b12865 : fffff8800b1830e0 fffff8800b182fc0 fffff8800b183088 0000000000000028 : <mydriver>!scan_check_access_perm+0xe16 [d:\build_692379\<build>\optimizer\scan\scan.c @ 4617]
fffff8800b182f00 fffff88005b10157 : fffffa8008bd9380 fffff8800b183448 fffff8800b1833d8 fffff880014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff8800b1833b0 fffff88001273288 : fffffa8008bd9380 fffff8800b183448 0000000000000000 0000000000000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff8800b183400 fffff88001271d1b : fffffa800ff123f0 fffffa8008bd9420 fffffa80099182f0 fffffa8009918510 : fltmgr!FltpPerformPostCallbacks+0x368
fffff8800b1834d0 fffff880012912b9 : fffffa800b83e490 fffffa800b4a0250 fffffa800b83e400 fffffa800a658890 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff8800b183560 fffff88001271bcf : 0000000000000000 fffffa8006d0a9f0 0000000000000000 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff8800b183610 fffff880012912b9 : fffffa800b83e490 fffffa801bd1b6b0 fffffa800b83e400 fffffa800e966040 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff8800b1836a0 fffff800021c32bb : 0000000000000005 0000000000000040 fffffa800de7b590 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff8800b183750 fffff800021bedde : fffffa800ff27b80 0000000000000000 fffffa80108e9530 fffffa800e966001 : nt!IopParseDevice+0x14e2
fffff8800b1838b0 fffff800021bf8c6 : 0000000000000000 fffff8800b183a30 fffff8a000000040 fffffa8006d0a9f0 : nt!ObpLookupObjectName+0x784
fffff8800b1839b0 fffff800021c16bc : 0000000000000000 0000000000000000 0000000000000001 0000000000000000 : nt!ObOpenObjectByName+0x306
fffff8800b183a80 fffff800021ccd34 : 0000000028e0a5e8 fffff800c0110098 0000000028e0a638 0000000028e0a5f8 : nt!IopCreateFile+0x2bc
fffff8800b183b20 fffff80001ebe0d3 : 0000000000000000 0000000000000000 0000000000000000 0000000028e0c9e0 : nt!NtCreateFile+0x78
fffff8800b183bb0 00000000779cc28a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff8800b183c20)
0000000028e0a568 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc28a
----------------------------------------------------------------------

I could also see my driver in a WerFault.exe thread.

0: kd> !thread fffffa800788d540
THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread: fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
fffff88005bc9bc0 SynchronizationEvent
IRP List:
fffffa8025703010: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa80118e1790 Image: WerFault.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
Context Switch Count 13433 IdealProcessor: 0 LargeStack
UserTime 00:00:00.109
KernelTime 00:00:01.906
Win32 Start Address 0x00000000ffbe4920
Stack Init fffff88008f55db0 Current fffff88008f549a0
Base fffff88008f56000 Limit fffff88008f4d000 Call 0000000000000000
Priority 7 BasePriority 7 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff88008f549e0 fffff80001ec4142 : fffff88008f54b38 fffffa800788d540 fffffa8000000000 fffff88005b0280d : nt!KiSwapContext+0x7a
fffff88008f54b20 fffff80001ec696f : 000000000000000e 00000000001a7100 fffff8a000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
fffff88008f54bb0 fffff88005b34b6e : fffff88005bc7a00 fffff88000000000 fffff8a01667f000 fffff88008f55100 : nt!KeWaitForSingleObject+0x19f
fffff88008f54c50 fffff88005b357eb : fffff88008f54d64 fffff88008f54d18 fffff88008f55118 00000000001a7100 : <mydriver>!scan_open_connection+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 4266]
fffff88008f54ca0 fffff88005b12865 : fffff88008f550e0 fffff88008f54fc0 fffff88008f55088 0000000000000028 : <mydriver>!scan_check_access_perm+0xaab [d:\build_692379\<build>\optimizer\scan\scan.c @ 4559]
fffff88008f54f00 fffff88005b10157 : fffffa801260c740 fffff88008f55448 fffff88008f553d8 fffff880014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff88008f553b0 fffff88001273288 : fffffa801260c740 fffff88008f55448 0000000000000000 0000000000000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff88008f55400 fffff88001271d1b : fffffa80079fc180 fffffa801260c7e0 fffffa8008a95970 fffffa8008a95b90 : fltmgr!FltpPerformPostCallbacks+0x368
fffff88008f554d0 fffff880012912b9 : fffffa8025703010 fffffa8007412010 fffffa8025703000 fffffa8007406360 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff88008f55560 fffff88001271bcf : 0000000000000000 fffffa8006d0a9f0 0000000000000000 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff88008f55610 fffff880012912b9 : fffffa8025703010 fffffa8009001010 fffffa8025703000 fffffa800906e680 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff88008f556a0 fffff800021c32bb : 0000000000000005 0000000000000040 fffffa800c2619b0 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff88008f55750 fffff800021bedde : fffffa80073c7cd0 0000000000000000 fffffa8011431530 fffff88008f55a01 : nt!IopParseDevice+0x14e2
fffff88008f558b0 fffff800021bf8c6 : 0000000000000000 fffff88008f55a30 fffff68000000040 fffffa8006d0a9f0 : nt!ObpLookupObjectName+0x784
fffff88008f559b0 fffff800021c16bc : 0000000000000110 0000000000000000 fffffa800788d501 ffffffffffffffff : nt!ObOpenObjectByName+0x306
fffff88008f55a80 fffff800021ccd34 : 00000000000fa758 0000000080100080 00000000000fa7a8 00000000000fa768 : nt!IopCreateFile+0x2bc
fffff88008f55b20 fffff80001ebe0d3 : ffffffffffffffff 0000007fffffffff 00000000000fa7f0 0000098000000000 : nt!NtCreateFile+0x78
fffff88008f55bb0 00000000779cc28a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88008f55c20)
00000000000fa6d8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc28a

I also observed an error (Application error) in Event Logs:

Faulting application name: DxDmService.exe. version: 6.50.0.480. time stamp: 0x5135c463
Faulting module name: Xms.dll. version: 6.50.0.480. time stamp: 0x5135c556
Exception code: 0xc0000417 Fault offset: 0x00000000000ea91c Faulting process id: 0x1df0
Faulting application start time: 0xDxDmService.exe0 Faulting application path: DxDmService.exe1
Faulting module path: DxDmService.exe2 Report Id: DxDmService.exe3

Thanks,
Kunal
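
The by-hand comparison in the posts above (which threads are suspended, for how long, and what each was doing when it was suspended) can be scripted over saved `!thread` or `!process 0 7` text. This is an added example, not code from any poster in this thread. Assumptions: the module name `mydriver` stands in for the `<mydriver>` placeholder, the sample dump text is constructed, and the 45-second threshold is taken from the timeout mentioned in the first post.

```python
import re

# Constructed sample in the layout of the `!thread` output quoted in this thread.
# Argument columns are abbreviated, addresses are made up, "mydriver" is a placeholder.
SAMPLE = """\
THREAD fffffa8000000010 Cid 0aaa.0001 Teb: 0 Win32Thread: 0 WAIT: (Suspended) KernelMode Non-Alertable
Owning Process fffffa8000000100 Image: DxDmService.exe
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Child-SP RetAddr : Args to Child : Call Site
fffff88000001000 fffff80000000001 : 0 0 0 0 : nt!KiSwapContext+0x7a
fffff88000001010 fffff80000000002 : 0 0 0 0 : nt!KiCommitThreadWait+0x1d2
fffff88000001020 fffff80000000003 : 0 0 0 0 : nt!KeWaitForSingleObject+0x19f
fffff88000001030 fffff80000000004 : 0 0 0 0 : nt!KiSuspendThread+0x54
fffff88000001040 fffff80000000005 : 0 0 0 0 : nt!KiDeliverApc+0x21d
fffff88000001050 fffff80000000006 : 0 0 0 0 : nt!KiCommitThreadWait+0x3dd
fffff88000001060 fffff88000000007 : 0 0 0 0 : nt!KeWaitForSingleObject+0x19f
fffff88000001070 fffff88000000008 : 0 0 0 0 : mydriver!ivmc_wsk_recv_data+0x211

THREAD fffffa8000000020 Cid 0aaa.0002 Teb: 0 Win32Thread: 0 WAIT: (Suspended) KernelMode Non-Alertable
Owning Process fffffa8000000100 Image: DxDmService.exe
Wait Start TickCount 153051154 Ticks: 98636 (0:00:25:41.187)
fffff88000002000 fffff80000000001 : 0 0 0 0 : nt!KiSwapContext+0x7a
fffff88000002010 fffff80000000002 : 0 0 0 0 : nt!KiCommitThreadWait+0x1d2
fffff88000002020 fffff80000000003 : 0 0 0 0 : nt!KeWaitForSingleObject+0x19f
fffff88000002030 fffff80000000004 : 0 0 0 0 : nt!KiSuspendThread+0x54
fffff88000002040 fffff80000000005 : 0 0 0 0 : nt!KiDeliverApc+0x21d
fffff88000002050 fffff88000000009 : 0 0 0 0 : nt!KiApcInterrupt+0xd7 (TrapFrame @ fffff88000002050)
fffff88000002060 fffff8800000000a : 0 0 0 0 : mydriver!sha1_block_data_order+0xfa1

THREAD fffffa8000000030 Cid 0bbb.0001 Teb: 0 Win32Thread: 0 WAIT: (Executive) KernelMode Non-Alertable
Owning Process fffffa8000000200 Image: WerFault.exe
Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
fffff88000003000 fffff80000000001 : 0 0 0 0 : nt!KiSwapContext+0x7a
fffff88000003010 fffff80000000002 : 0 0 0 0 : nt!KiCommitThreadWait+0x1d2
fffff88000003020 fffff8800000000b : 0 0 0 0 : nt!KeWaitForSingleObject+0x19f
fffff88000003030 fffff8800000000c : 0 0 0 0 : mydriver!scan_open_connection+0x10e

THREAD fffffa8000000040 Cid 0004.0001 Teb: 0 Win32Thread: 0 WAIT: (WrQueue) KernelMode Non-Alertable
Owning Process fffffa8000000300 Image: System
Wait Start TickCount 153149000 Ticks: 790 (0:00:00:12.343)
fffff88000004000 fffff80000000001 : 0 0 0 0 : nt!KiSwapContext+0x7a
"""

THREAD_RE = re.compile(r"^THREAD\s+(\S+)\s+Cid\s+(\S+)")
STATE_RE = re.compile(r"WAIT:\s+\((\w+)\)")
IMAGE_RE = re.compile(r"Owning Process\s+\S+\s+Image:\s+(\S+)")
TICKS_RE = re.compile(r"Ticks:\s+\d+\s+\((\d+):(\d+):(\d+):(\d+\.\d+)\)")  # d:hh:mm:ss.mmm
FRAME_RE = re.compile(r"^[0-9a-f`]{8,}\s+[0-9a-f`]{8,}\s+:.*\s:\s+(\S+)")

def parse_threads(text):
    """Split debugger text into threads; frames are call sites, innermost first."""
    threads, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := THREAD_RE.match(line):
            state = STATE_RE.search(line)
            cur = {"cid": m.group(2), "state": state.group(1) if state else "NotWaiting",
                   "image": "", "wait": 0.0, "frames": []}
            threads.append(cur)
        elif cur is None:
            continue
        elif m := IMAGE_RE.search(line):
            cur["image"] = m.group(1)
        elif m := TICKS_RE.search(line):
            d, h, mi, s = m.groups()
            cur["wait"] = int(d) * 86400 + int(h) * 3600 + int(mi) * 60 + float(s)
        elif m := FRAME_RE.match(line):
            cur["frames"].append(m.group(1).split("+")[0])  # drop the +0xNN offset
    return threads

def classify(thread, driver):
    """Return (verdict, innermost driver frame) for one parsed thread."""
    f = thread["frames"]
    drv = next((x for x in f if x.startswith(driver + "!")), None)
    if drv is None:
        return "no-driver-frame", None
    if thread["state"] == "Suspended" and "nt!KiSuspendThread" in f and "nt!KiDeliverApc" in f:
        # KiSuspendThread runs as a kernel APC. The frame under KiDeliverApc shows
        # what the APC interrupted: a wait in progress or running code.
        i = f.index("nt!KiDeliverApc") + 1
        under = f[i] if i < len(f) else ""
        kinds = {"nt!KiCommitThreadWait": "suspended-during-wait",
                 "nt!KiApcInterrupt": "suspended-while-running"}
        return kinds.get(under, "suspended"), drv
    i = f.index(drv)
    if i > 0 and f[i - 1].startswith("nt!KeWaitFor"):
        return "waiting-in-driver", drv
    return "driver-on-stack", drv

def triage(text, driver, min_wait=45.0):
    """List threads with `driver` on the stack that have waited at least min_wait seconds."""
    rows = []
    for t in parse_threads(text):
        verdict, frame = classify(t, driver)
        if frame and t["wait"] >= min_wait:
            rows.append((t["cid"], t["image"], verdict, frame, round(t["wait"])))
    return rows
```

Calling `triage(text, "mydriver")` on the full debugger output gives one row per thread of interest, which separates threads parked by the suspend APC from threads that are still waiting inside the driver.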

You need to check the entire call stack with something like !k L100 to see the exception.

Could you run the command below and show me the result?

!process 0 7 services.exe

Best regards
Taehwa.

On Fri, Aug 11, 2017 at 1:38 PM, xxxxx@hotmail.com <
xxxxx@lists.osr.com> wrote:

> There are 12 threads in DxDmService.exe with my driver in callstack. Also,
> all of them have KiDeliverApc() in the callstack. Here are 2 unique threads
> from DxDmService. There are multiple instances of these threads.
>
>
> I could also see my driver in a WerFault.exe thread.
>
> 0: kd> !thread fffffa800788d540
> THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread:
> fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
> fffff88005bc9bc0 SynchronizationEvent
> IRP List:
> fffffa8025703010: (0006,0358) Flags: 00000884 Mdl: 00000000
> Not impersonating
> DeviceMap fffff8a002fcddd0
> Owning Process fffffa80118e1790 Image:
> WerFault.exe
> Attached Process N/A Image: N/A
> Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
> Context Switch Count 13433 IdealProcessor: 0
> LargeStack
> UserTime 00:00:00.109
> KernelTime 00:00:01.906
> Win32 Start Address 0x00000000ffbe4920
> Stack Init fffff88008f55db0 Current fffff88008f549a0
> Base fffff88008f56000 Limit fffff88008f4d000 Call 0000000000000000
> Priority 7 BasePriority 7 PriorityDecrement 0 IoPriority 2 PagePriority 5
> Child-SP RetAddr : Args to Child
> : Call Site
> fffff88008f549e0 fffff80001ec4142 : fffff88008f54b38 fffffa800788d540
> fffffa8000000000 fffff88005b0280d : nt!KiSwapContext+0x7a
> fffff88008f54b20 fffff80001ec696f : 000000000000000e 00000000001a7100
> fffff8a000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
> fffff88008f54bb0 fffff88005b34b6e : fffff88005bc7a00 fffff88000000000
> fffff8a01667f000 fffff88008f55100 : nt!KeWaitForSingleObject+0x19f
> fffff88008f54c50 fffff88005b357eb : fffff88008f54d64 fffff88008f54d18
> fffff88008f55118 00000000001a7100 : <mydriver>!scan_open_connection+0x10e
> [d:\build_692379\<build>\optimizer\scan\scan.c @ 4266]
> fffff88008f54ca0 fffff88005b12865 : fffff88008f550e0 fffff88008f54fc0
> fffff88008f55088 0000000000000028 : <mydriver>!scan_check_access_perm+0xaab
> [d:\build_692379\<build>\optimizer\scan\scan.c @ 4559]
> fffff88008f54f00 fffff88005b10157 : fffffa801260c740 fffff88008f55448
> fffff88008f553d8 fffff880014d9882 : <mydriver>!fsh_scan_file+0xe55
> [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
> fffff88008f553b0 fffff88001273288 : fffffa801260c740 fffff88008f55448
> 0000000000000000 0000000000000000 : <mydriver>!fsh_create_hook_cmpl+0x57
> [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
> fffff88008f55400 fffff88001271d1b : fffffa80079fc180 fffffa801260c7e0
> fffffa8008a95970 fffffa8008a95b90 : fltmgr!
> FltpPerformPostCallbacks+0x368
> fffff88008f554d0 fffff880012912b9 : fffffa8025703010 fffffa8007412010
> fffffa8025703000 fffffa8007406360 : fltmgr!
> FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
> fffff88008f55560 fffff88001271bcf : 0000000000000000 fffffa8006d0a9f0
> 0000000000000000 0000000000000000 : fltmgr!FltpCreate+0x2a9
> fffff88008f55610 fffff880012912b9 : fffffa8025703010 fffffa8009001010
> fffffa8025703000 fffffa800906e680 : fltmgr!
> FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
> fffff88008f556a0 fffff800021c32bb : 0000000000000005 0000000000000040
> fffffa800c2619b0 0000000000000000 : fltmgr!FltpCreate+0x2a9
> fffff88008f55750 fffff800021bedde : fffffa80073c7cd0 0000000000000000
> fffffa8011431530 fffff88008f55a01 : nt!IopParseDevice+0x14e2
> fffff88008f558b0 fffff800021bf8c6 : 0000000000000000 fffff88008f55a30
> fffff68000000040 fffffa8006d0a9f0 : nt!ObpLookupObjectName+0x784
> fffff88008f559b0 fffff800021c16bc : 0000000000000110 0000000000000000
> fffffa800788d501 ffffffffffffffff : nt!ObOpenObjectByName+0x306
> fffff88008f55a80 fffff800021ccd34 : 00000000000fa758 0000000080100080
> 00000000000fa7a8 00000000000fa768 : nt!IopCreateFile+0x2bc
> fffff88008f55b20 fffff80001ebe0d3 : ffffffffffffffff 0000007fffffffff
> 00000000000fa7f0 0000098000000000 : nt!NtCreateFile+0x78
> fffff88008f55bb0 00000000779cc28a : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
> (TrapFrame @ fffff88008f55c20)
> 00000000000fa6d8 0000000000000000 : 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000 : 0x779cc28a
>
>
>
> I also observed an error (Application error) in Event Logs:
>
> Faulting application name: DxDmService.exe. version: 6.50.0.480. time
> stamp: 0x5135c463
> Faulting module name: Xms.dll. version: 6.50.0.480. time stamp: 0x5135c556
> Exception code: 0xc0000417 Fault offset: 0x00000000000ea91c Faulting
> process id: 0x1df0
> Faulting application start time: 0xDxDmService.exe0 Faulting application
> path: DxDmService.exe1
> Faulting module path: DxDmService.exe2 Report Id: DxDmService.exe3
>
>
>
> Thanks,
> Kunal
>

WinDbg does not recognize !k command. I guess you meant ‘k’. But I am not getting the complete callstack using ‘k L100’. I think it's because the dump is a kernel dump and has only kernel information.

Here is the output for !process 0 7 services.exe:

0: kd> !process 0 7 services.exe
PROCESS fffffa8007b12b10
SessionId: 0 Cid: 0220 Peb: 7fffffdf000 ParentCid: 01b8
DirBase: 20ca7d000 ObjectTable: fffff8a0020ed010 HandleCount: 628.
Image: services.exe
VadRoot fffffa8007b1d830 Vads 146 Clone 0 Private 2233. Modified 4900541. Locked 35.
DeviceMap fffff8a000008820
Token fffff8a0020dd060
ElapsedTime 27 Days 16:41:03.120
UserTime 00:46:49.468
KernelTime 01:46:07.671
QuotaPoolUsage[PagedPool] 124296
QuotaPoolUsage[NonPagedPool] 38792
Working Set Sizes (now,min,max) (2196, 50, 345) (8784KB, 200KB, 1380KB)
PeakWorkingSetSize 4765
VirtualSize 72 Mb
PeakVirtualSize 209 Mb
PageFaultCount 5210240
MemoryPriority BACKGROUND
BasePriority 9
CommitCharge 2866

THREAD fffffa800720a2c0 Cid 0220.0270 Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa800720a7d0 SynchronizationTimer
fffffa8007b84ad0 SynchronizationTimer
fffffa8007470b10 ProcessObject
fffffa80074ad060 ProcessObject
fffffa8008205b10 ProcessObject
fffffa8008228380 ProcessObject
fffffa800823ab10 ProcessObject
fffffa800824eb10 ProcessObject
fffffa800826fb10 ProcessObject
fffffa80082898e0 ProcessObject
fffffa8007a0b060 ProcessObject
fffffa8007b2e320 ProcessObject
fffffa8007bd1320 ProcessObject
fffffa80083046a0 ProcessObject
fffffa8008763060 ProcessObject
fffffa8008869060 ProcessObject
fffffa800889c060 ProcessObject
fffffa80088c9730 ProcessObject
fffffa80089a7b10 ProcessObject
fffffa8008a27b10 ProcessObject
fffffa8008a16b10 ProcessObject
fffffa80089c6060 ProcessObject
fffffa80089f8b10 ProcessObject
fffffa8008c0ab10 ProcessObject
fffffa8008c3a530 ProcessObject
fffffa8008c79b10 ProcessObject
fffffa8008d6cb10 ProcessObject
fffffa8008c36b10 ProcessObject
fffffa8008e38cc0 SynchronizationEvent
fffffa8008d804a0 SynchronizationTimer
fffffa8008228380 ProcessObject
fffffa800824eb10 ProcessObject
fffffa80089f8b10 ProcessObject
fffffa800826fb10 ProcessObject
fffffa800826fb10 ProcessObject
fffffa800823ab10 ProcessObject
fffffa800826fb10 ProcessObject
fffffa8008c3a530 ProcessObject
fffffa80089c6060 ProcessObject
fffffa8008d6cb10 ProcessObject
fffffa8007b2e320 ProcessObject
fffffa8008a16b10 ProcessObject
fffffa8008228380 ProcessObject
fffffa8008228380 ProcessObject
fffffa8008228380 ProcessObject
fffffa8008228380 ProcessObject
fffffa80074ad060 ProcessObject
fffffa80074ad060 ProcessObject
fffffa8008a27b10 ProcessObject
fffffa8008228380 ProcessObject
fffffa8007470b10 ProcessObject
fffffa8008c79b10 ProcessObject
fffffa8007470b10 ProcessObject
fffffa80089a7b10 ProcessObject
fffffa8008fd8060 ProcessObject
fffffa800824eb10 ProcessObject
fffffa801ac86060 ProcessObject
fffffa800bab55d0 ProcessObject
fffffa800f65b060 ProcessObject
fffffa800ebcfb10 ProcessObject
fffffa8007a332a0 SynchronizationTimer
fffffa80082afe30 SynchronizationTimer
fffffa8008ec9990 SynchronizationTimer
fffffa800720bef0 SynchronizationTimer
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153148235 Ticks: 1555 (0:00:00:24.296)
Context Switch Count 127463 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.218
Win32 Start Address 0x000000007799a280
Stack Init fffff88003d76db0 Current fffff88003d75fc0
Base fffff88003d77000 Limit fffff88003d71000 Call 0000000000000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff88003d76000 fffff80001ec4142 : fffffa800720a380 fffffa800720a2c0 fffff88003d76320 fffff80000000006 : nt!KiSwapContext+0x7a
fffff88003d76140 fffff80001ec365a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
fffff88003d761d0 fffff800021b9c2f : fffff88000000040 fffff88003d76520 0000000000000001 0000000000000006 : nt!KeWaitForMultipleObjects+0x272
fffff88003d76490 fffff800021b9fa6 : fffffa8007208701 fffff80001ec1a73 0000000000000001 0000000000000001 : nt!ObpWaitForMultipleObjects+0x294
fffff88003d76960 fffff80001ebe0d3 : fffffa800720a2c0 0000000000b7fad8 fffff88003d76bc8 fffff88003d76c00 : nt!NtWaitForMultipleObjects+0xe5
fffff88003d76bb0 00000000779cc2ea : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88003d76c20)
0000000000b7fab8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc2ea

THREAD fffffa800746aa00 Cid 0220.028c Teb: 000007fffffac000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8008bf9670 SynchronizationEvent
fffffa800746e530 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051456 Ticks: 98334 (0:00:25:36.468)
Context Switch Count 11294 IdealProcessor: 0
UserTime 00:00:00.015
KernelTime 00:00:00.093
Win32 Start Address 0x000007fefccd04fc
Stack Init fffff88003dd9db0 Current fffff88003dd8fc0
Base fffff88003dda000 Limit fffff88003dd4000 Call 0000000000000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff88003dd9000 fffff80001ec4142 : fffffa800746aac0 fffffa800746aa00 0000000000000000 fffffa8000000009 : nt!KiSwapContext+0x7a
fffff88003dd9140 fffff80001ec365a : 000000000000007b 00000000000000ff 0000000000000000 fffffa8005815470 : nt!KiCommitThreadWait+0x1d2
fffff88003dd91d0 fffff800021b9c2f : fffff88000000002 fffff88003dd9520 0000000000000001 fffff88000000006 : nt!KeWaitForMultipleObjects+0x272
fffff88003dd9490 fffff800021b9fa6 : 0000000000169501 0000000000000003 fffff80000000001 ffffffffffffff00 : nt!ObpWaitForMultipleObjects+0x294
fffff88003dd9960 fffff80001ebe0d3 : fffffa800746aa00 0000000000eff488 fffff88003dd9bc8 fffff88003dd9c28 : nt!NtWaitForMultipleObjects+0xe5
fffff88003dd9bb0 00000000779cc2ea : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88003dd9c20)
0000000000eff468 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc2ea

THREAD fffffa80074af6f0 Cid 0220.02c4 Teb: 000007fffffaa000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8007480a40 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153147012 Ticks: 2778 (0:00:00:43.406)
Context Switch Count 46385 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address 0x000000007799f6f0
Stack Init fffff880047b6db0 Current fffff880047b67c0
Base fffff880047b7000 Limit fffff880047b1000 Call 0000000000000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880047b6800 fffff80001ec4142 : fffffa80074af7b0 fffffa80074af6f0 0000000000000000 fffffa8000000008 : nt!KiSwapContext+0x7a
fffff880047b6940 fffff80001ec71a3 : 0000000000000000 0000000000000000 0000000000000000 0000000000000040 : nt!KiCommitThreadWait+0x1d2
fffff880047b69d0 fffff800021aa217 : fffffa80078b1500 fffff80001ec1a01 fffff880047b6c01 fffff80000000000 : nt!KeRemoveQueueEx+0x323
fffff880047b6a90 fffff80001eab3a6 : 0000000000000000 fffff880047b6ba8 fffff880047b6bc8 0000000000000001 : nt!IoRemoveIoCompletion+0x47
fffff880047b6b20 fffff80001ebe0d3 : fffffa80074af6f0 0000000077a7f5c0 0000000000000000 0000000000000000 : nt!NtWaitForWorkViaWorkerFactory+0x285
fffff880047b6c20 00000000779cd63a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880047b6c20)
0000000000a4f5c8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cd63a

THREAD fffffa8008e54060 Cid 0220.0c98 Teb: 000007fffff54000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa8008e40c50 SynchronizationEvent
fffffa8008e5ffe0 SynchronizationEvent
fffffa80071b4110 SynchronizationEvent
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
Context Switch Count 9737 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.046
Win32 Start Address 0x000000018005a33c
Stack Init fffff880065e7db0 Current fffff880065e6fc0
Base fffff880065e8000 Limit fffff880065e2000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff880065e7000 fffff80001ec4142 : fffffa8008e54120 fffffa8008e54060 0000000000000000 fffffa8000000008 : nt!KiSwapContext+0x7a
fffff880065e7140 fffff80001ec365a : 000000000000023f 0000000000000000 0000000000000000 0000000000001f80 : nt!KiCommitThreadWait+0x1d2
fffff880065e71d0 fffff800021b9c2f : fffff88000000003 fffff880065e7520 0000000000000001 0000000000000006 : nt!KeWaitForMultipleObjects+0x272
fffff880065e7490 fffff800021b9fa6 : fffff880065e7901 fffff800021ac35a fffffa8000000001 fffffa8008298c00 : nt!ObpWaitForMultipleObjects+0x294
fffff880065e7960 fffff80001ebe0d3 : fffffa8008e54060 0000000003aff348 fffff880065e7bc8 0000000000000000 : nt!NtWaitForMultipleObjects+0xe5
fffff880065e7bb0 00000000779cc2ea : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880065e7c20)
0000000003aff328 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc2ea

THREAD fffffa8008e3c5b0 Cid 0220.0c9c Teb: 000007fffff52000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffffa8008defe40 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
Context Switch Count 9295 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.078
Win32 Start Address 0x000000018005a33c
Stack Init fffff88006ccedb0 Current fffff88006cce7a0
Base fffff88006ccf000 Limit fffff88006cc9000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff88006cce7e0 fffff80001ec4142 : fffffa8008e3c670 fffffa8008e3c5b0 0000000000000000 fffffa800000000a : nt!KiSwapContext+0x7a
fffff88006cce920 fffff80001ec71a3 : 0000000000000002 fffffa8007b12ea8 fffff88000000000 fffff80001ecf91e : nt!KiCommitThreadWait+0x1d2
fffff88006cce9b0 fffff800021aa217 : 0000000000000000 0000000000000001 0000000000000000 0000000000000000 : nt!KeRemoveQueueEx+0x323
fffff88006ccea70 fffff8000217c0a5 : 0000000000000000 fffff88006cceb68 fffff88006cceb60 fffff8000203ce01 : nt!IoRemoveIoCompletion+0x47
fffff88006cceb00 fffff80001ebe0d3 : fffffa8008e3c5b0 0000000003bbf9f8 fffff88006ccebc8 0000000000000000 : nt!NtRemoveIoCompletion+0x145
fffff88006ccebb0 00000000779cbdca : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88006ccec20)
0000000003bbf9d8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cbdca

THREAD fffffa800904cb50 Cid 0220.0ca0 Teb: 000007fffff4e000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffffa8008defe40 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
Context Switch Count 9539 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.046
Win32 Start Address 0x000000018005a33c
Stack Init fffff88007078db0 Current fffff880070787a0
Base fffff88007079000 Limit fffff88007073000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff880070787e0 fffff80001ec4142 : fffffa800904cc10 fffffa800904cb50 0000000000000000 fffffa8000000008 : nt!KiSwapContext+0x7a
fffff88007078920 fffff80001ec71a3 : 0000000000000002 fffffa8007b12ea8 fffff88000000000 fffff80001ecf91e : nt!KiCommitThreadWait+0x1d2
fffff880070789b0 fffff800021aa217 : 0000000000000000 0000000000000001 0000000000000000 0000000000000000 : nt!KeRemoveQueueEx+0x323
fffff88007078a70 fffff8000217c0a5 : 0000000000000000 fffff88007078b68 fffff88007078b60 fffff8000203ce01 : nt!IoRemoveIoCompletion+0x47
fffff88007078b00 fffff80001ebe0d3 : fffffa800904cb50 0000000003defab8 fffff88007078bc8 0000000000000000 : nt!NtRemoveIoCompletion+0x145
fffff88007078bb0 00000000779cbdca : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88007078c20)
0000000003defa98 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cbdca

THREAD fffffa8008f60b50 Cid 0220.0ca4 Teb: 000007fffff4c000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffffa8008defe40 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
Context Switch Count 9219 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address 0x000000018005a33c
Stack Init fffff8800707fdb0 Current fffff8800707f7a0
Base fffff88007080000 Limit fffff8800707a000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff8800707f7e0 fffff80001ec4142 : fffffa8008f60c10 fffffa8008f60b50 0000000000000000 fffffa800000000a : nt!KiSwapContext+0x7a
fffff8800707f920 fffff80001ec71a3 : 0000000000000002 fffffa8007b12ea8 fffff88000000000 fffff80001ecf91e : nt!KiCommitThreadWait+0x1d2
fffff8800707f9b0 fffff800021aa217 : 00000000026df500 0000000000000001 0000000000000000 fffff8800707fc20 : nt!KeRemoveQueueEx+0x323
fffff8800707fa70 fffff8000217c0a5 : 0000000000000000 fffff8800707fb68 fffff8800707fb60 ffffd6eece01d101 : nt!IoRemoveIoCompletion+0x47
fffff8800707fb00 fffff80001ebe0d3 : fffffa8008f60b50 00000000026df838 fffff8800707fbc8 0000000000000000 : nt!NtRemoveIoCompletion+0x145
fffff8800707fbb0 00000000779cbdca : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff8800707fc20)
00000000026df818 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cbdca

THREAD fffffa8008f64060 Cid 0220.0ca8 Teb: 000007fffff4a000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffffa8008defe40 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
Context Switch Count 9572 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address 0x000000018005a33c
Stack Init fffff88007086db0 Current fffff880070867a0
Base fffff88007087000 Limit fffff88007081000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff880070867e0 fffff80001ec4142 : fffffa8008f64120 fffffa8008f64060 0000000000000000 fffffa8000000008 : nt!KiSwapContext+0x7a
fffff88007086920 fffff80001ec71a3 : 0000000000000002 fffffa8007b12ea8 fffff88000000000 fffff80001ecf91e : nt!KiCommitThreadWait+0x1d2
fffff880070869b0 fffff800021aa217 : 0000000000000000 0000000000000001 0000000000000000 0000000000000000 : nt!KeRemoveQueueEx+0x323
fffff88007086a70 fffff8000217c0a5 : 0000000000000000 fffff88007086b68 fffff88007086b60 fffff8000203ce01 : nt!IoRemoveIoCompletion+0x47
fffff88007086b00 fffff80001ebe0d3 : fffffa8008f64060 0000000003f0f9b8 fffff88007086bc8 0000000000000000 : nt!NtRemoveIoCompletion+0x145
fffff88007086bb0 00000000779cbdca : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88007086c20)
0000000003f0f998 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cbdca

THREAD fffffa8008f647d0 Cid 0220.0cac Teb: 000007fffff48000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
fffffa8008defe40 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
Context Switch Count 9162 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.078
Win32 Start Address 0x000000018005a33c
Stack Init fffff8800708ddb0 Current fffff8800708d7a0
Base fffff8800708e000 Limit fffff88007088000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff8800708d7e0 fffff80001ec4142 : fffffa8008f64890 fffffa8008f647d0 0000000000000000 fffffa800000000b : nt!KiSwapContext+0x7a
fffff8800708d920 fffff80001ec71a3 : 0000000000000002 fffffa8007b12ea8 fffff88000000000 fffff80001ecf91e : nt!KiCommitThreadWait+0x1d2
fffff8800708d9b0 fffff800021aa217 : 000000000382f500 0000000000000001 0000000000000000 fffff8800708dc20 : nt!KeRemoveQueueEx+0x323
fffff8800708da70 fffff8000217c0a5 : 0000000000000000 fffff8800708db68 fffff8800708db60 ffffd6eece0ef101 : nt!IoRemoveIoCompletion+0x47
fffff8800708db00 fffff80001ebe0d3 : fffffa8008f647d0 000000000382f8f8 fffff8800708dbc8 0000000000000000 : nt!NtRemoveIoCompletion+0x145
fffff8800708dbb0 00000000779cbdca : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff8800708dc20)
000000000382f8d8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cbdca

THREAD fffffa8008f6db50 Cid 0220.0cc4 Teb: 000007fffff56000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
fffffa8008e11580 SynchronizationTimer
fffffa800824eb10 ProcessObject
fffffa80088c9730 ProcessObject
fffffa80082898e0 ProcessObject
fffffa800824eb10 ProcessObject
fffffa8008c0ab10 ProcessObject
fffffa8007a0b060 ProcessObject
fffffa800889c060 ProcessObject
fffffa8008869060 ProcessObject
fffffa8008c36b10 ProcessObject
fffffa8008763060 ProcessObject
fffffa80083046a0 ProcessObject
fffffa8008205b10 ProcessObject
fffffa80082898e0 ProcessObject
fffffa8008228380 ProcessObject
fffffa8008228380 ProcessObject
fffffa8008228380 ProcessObject
fffffa8008228380 ProcessObject
fffffa800824eb10 ProcessObject
fffffa8008205b10 ProcessObject
fffffa80082898e0 ProcessObject
fffffa8007bd1320 ProcessObject
fffffa8008205b10 ProcessObject
fffffa8007470b10 ProcessObject
fffffa80082898e0 ProcessObject
fffffa8008228380 ProcessObject
fffffa8007a0b060 ProcessObject
fffffa8008f6cb10 ProcessObject
fffffa8008f6cb10 ProcessObject
fffffa8007b51be0 NotificationEvent
fffffa8008228380 ProcessObject
fffffa80092cf790 ProcessObject
fffffa80092cf790 ProcessObject
fffffa800938c350 ProcessObject
fffffa800938c350 ProcessObject
fffffa8007a0b060 ProcessObject
fffffa80092039c0 ProcessObject
fffffa80092039c0 ProcessObject
fffffa80094c2b10 ProcessObject
fffffa800826fb10 ProcessObject
fffffa80094c2b10 ProcessObject
fffffa80082898e0 ProcessObject
fffffa8008228380 ProcessObject
fffffa800bab55d0 ProcessObject
fffffa80152c5060 ProcessObject
fffffa80105f1060 ProcessObject
fffffa80105f1060 ProcessObject
fffffa800f65b060 ProcessObject
fffffa800ebcfb10 ProcessObject
fffffa80178a2060 ProcessObject
fffffa80178a2060 ProcessObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153056886 Ticks: 92904 (0:00:24:11.625)
Context Switch Count 57235 IdealProcessor: 0
UserTime 00:00:00.109
KernelTime 00:00:01.109
Win32 Start Address 0x000000007799a280
Stack Init fffff880065eedb0 Current fffff880065edfc0
Base fffff880065ef000 Limit fffff880065e9000 Call 0000000000000000
Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP RetAddr : Args to Child : Call Site
fffff880065ee000 fffff80001ec4142 : fffffa8008f6db50 fffffa8008f6db50 0000000000000000 fffffa800000000a : nt!KiSwapContext+0x7a
fffff880065ee140 fffff80001ec365a : 0000000000000014 0000000000000000 0000000000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
fffff880065ee1d0 fffff800021b9c2f : fffff88000000033 fffff880065ee520 0000000000000001 0000000000000006 : nt!KeWaitForMultipleObjects+0x272
fffff880065ee490 fffff800021b9fa6 : 0000000000000001 0000000000000000 0000000000000001 0000000000000001 : nt!ObpWaitForMultipleObjects+0x294
fffff880065ee960 fffff80001ebe0d3 : fffffa8008f6db50 000000000370fad8 fffff880065eebc8 fffff8a0022a0330 : nt!NtWaitForMultipleObjects+0xe5
fffff880065eebb0 00000000779cc2ea : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880065eec20)
000000000370fab8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc2ea

THREAD fffffa8009691340 Cid 0220.17b4 Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa80071e3cc0 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153141990 Ticks: 7800 (0:00:02:01.875)
Context Switch Count 14 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x000000007799f6f0
Stack Init fffff8800b0badb0 Current fffff8800b0ba7c0
Base fffff8800b0bb000 Limit fffff8800b0b5000 Call 0000000000000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff8800b0ba800 fffff80001ec4142 : 0000000000000000 fffffa8009691340 fffffa800faa3620 0000000000000008 : nt!KiSwapContext+0x7a
fffff8800b0ba940 fffff80001ec71a3 : fffffa8009691340 0000000000000000 ffffffff00000000 fffff8a000000030 : nt!KiCommitThreadWait+0x1d2
fffff8800b0ba9d0 fffff800021aa217 : fffffa80078a2700 fffff80001eb3501 fffff8800b0bac01 fffffa80071e3e18 : nt!KeRemoveQueueEx+0x323
fffff8800b0baa90 fffff80001eab3a6 : 0000000000000000 fffff8800b0baba8 fffff8800b0babc8 0000000000000001 : nt!IoRemoveIoCompletion+0x47
fffff8800b0bab20 fffff80001ebe0d3 : fffffa8009691340 0000000077a7f5c0 0000000000000000 0000000000000001 : nt!NtWaitForWorkViaWorkerFactory+0x285
fffff8800b0bac20 00000000779cd63a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff8800b0bac20)
0000000000c7f918 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cd63a

THREAD fffffa800ec603d0 Cid 0220.19c8 Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800821c660 SynchronizationEvent
fffffa8008228380 ProcessObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153148354 Ticks: 1436 (0:00:00:22.437)
Context Switch Count 376 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x000000007799f6f0
Stack Init fffff8800ad4fdb0 Current fffff8800ad4efc0
Base fffff8800ad50000 Limit fffff8800ad4a000 Call 0000000000000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff8800ad4f000 fffff80001ec4142 : fffffa800ec603d0 fffffa800ec603d0 0000000000000000 0000000000000008 : nt!KiSwapContext+0x7a
fffff8800ad4f140 fffff80001ec365a : fffff8a028606568 fffffa8010399000 0000000000000042 fffff8a028606578 : nt!KiCommitThreadWait+0x1d2
fffff8800ad4f1d0 fffff800021b9c2f : fffff8a000000002 fffff8800ad4f520 0000000000000001 0000000000000006 : nt!KeWaitForMultipleObjects+0x272
fffff8800ad4f490 fffff800021b9fa6 : fffff8a01c059001 0000000000000654 0000000000000001 fffff80002175200 : nt!ObpWaitForMultipleObjects+0x294
fffff8800ad4f960 fffff80001ebe0d3 : fffffa800ec603d0 00000000010ae798 fffff8800ad4fbc8 fffffa8000000000 : nt!NtWaitForMultipleObjects+0xe5
fffff8800ad4fbb0 00000000779cc2ea : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff8800ad4fc20)
00000000010ae778 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc2ea

THREAD fffffa801152b2c0 Cid 0220.1cbc Teb: 000007fffffd3000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8007208700 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153146327 Ticks: 3463 (0:00:00:54.109)
Context Switch Count 3855 IdealProcessor: 1
UserTime 00:00:00.062
KernelTime 00:00:00.031
Win32 Start Address 0x000000007799f6f0
Stack Init fffff88007d70db0 Current fffff88007d707c0
Base fffff88007d71000 Limit fffff88007d6b000 Call 0000000000000000
Priority 10 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff88007d70800 fffff80001ec4142 : fffffa801152b2c0 fffffa801152b2c0 fffff88007d70b58 0000000000000009 : nt!KiSwapContext+0x7a
fffff88007d70940 fffff80001ec71a3 : fffff8a013737d00 00000000000008c4 0000000000000097 fffff800021d2312 : nt!KiCommitThreadWait+0x1d2
fffff88007d709d0 fffff800021aa217 : 0000000000000000 0000000000000001 0000000000000001 0000000000000000 : nt!KeRemoveQueueEx+0x323
fffff88007d70a90 fffff80001eab3a6 : 000007feff5aee00 fffff88007d70ba8 fffff88007d70bc8 0000000000000001 : nt!IoRemoveIoCompletion+0x47
fffff88007d70b20 fffff80001ebe0d3 : fffffa801152b2c0 0000000077a7f5c0 0000000000000000 00000000015eed40 : nt!NtWaitForWorkViaWorkerFactory+0x285
fffff88007d70c20 00000000779cd63a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88007d70c20)
00000000015efbf8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cd63a

THREAD fffffa80121bbb50 Cid 0220.25e8 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8007208700 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153148994 Ticks: 796 (0:00:00:12.437)
Context Switch Count 3807 IdealProcessor: 1
UserTime 00:00:00.062
KernelTime 00:00:00.078
Win32 Start Address 0x000000007799f6f0
Stack Init fffff8800a73bdb0 Current fffff8800a73b7c0
Base fffff8800a73c000 Limit fffff8800a736000 Call 0000000000000000
Priority 10 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff8800a73b800 fffff80001ec4142 : fffffa80121bbb50 fffffa80121bbb50 fffff8800a73bb58 0000000000000009 : nt!KiSwapContext+0x7a
fffff8800a73b940 fffff80001ec71a3 : fffff8a01c269d00 000000000000037c 0000000000000002 fffff800021d2312 : nt!KiCommitThreadWait+0x1d2
fffff8800a73b9d0 fffff800021aa217 : 0000000000000000 0000000000000001 0000000000000001 0000000000000000 : nt!KeRemoveQueueEx+0x323
fffff8800a73ba90 fffff80001eab3a6 : 000007feff5aee00 fffff8800a73bba8 fffff8800a73bbc8 0000000000000001 : nt!IoRemoveIoCompletion+0x47
fffff8800a73bb20 fffff80001ebe0d3 : fffffa80121bbb50 0000000077a7f5c0 0000000000000000 0000000000000000 : nt!NtWaitForWorkViaWorkerFactory+0x285
fffff8800a73bc20 00000000779cd63a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff8800a73bc20)
000000000172f6f8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cd63a

THREAD fffffa800e3e4060 Cid 0220.0d5c Teb: 000007fffffdd000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
fffffa8007208700 QueueObject
Not impersonating
DeviceMap fffff8a000008820
Owning Process fffffa8007b12b10 Image: services.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153149787 Ticks: 3 (0:00:00:00.046)
Context Switch Count 496 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x000000007799f6f0
Stack Init fffff88007e64db0 Current fffff88007e647c0
Base fffff88007e65000 Limit fffff88007e5f000 Call 0000000000000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff88007e64800 fffff80001ec4142 : fffffa800e3e4060 fffffa800e3e4060 fffff88007e64b58 0000000000000009 : nt!KiSwapContext+0x7a
fffff88007e64940 fffff80001ec71a3 : fffff8a04e181030 0000000000000524 000000000000001b fffff800021d2312 : nt!KiCommitThreadWait+0x1d2
fffff88007e649d0 fffff800021aa217 : 0000000000000000 0000000000000001 0000000000000001 0000000000000000 : nt!KeRemoveQueueEx+0x323
fffff88007e64a90 fffff80001eab3a6 : 000007feff5aee00 fffff88007e64ba8 fffff88007e64bc8 0000000000000001 : nt!IoRemoveIoCompletion+0x47
fffff88007e64b20 fffff80001ebe0d3 : fffffa800e3e4060 0000000077a7f5c0 0000000000000000 0000000000000000 : nt!NtWaitForWorkViaWorkerFactory+0x285
fffff88007e64c20 00000000779cd63a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88007e64c20)
000000000112f508 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cd63a

Thanks,
Kunal

To give more info, I am using KeWaitForSingleObject() with following parameters:

status = KeWaitForSingleObject( &event, Executive, KernelMode, FALSE, p_timeout );
//where event is KEVENT.

Thanks
Kunal

What did your driver do in werfault’s stack?

I think it is as below:

  1. DxDmService got an exception
  2. the exception handler calls werfault
  3. werfault suspends DxDmService to make a dump
  4. werfault opens a file and then filters it and waits for more than 20 min
  5. bugcheck.

0: kd> !thread fffffa800788d540
THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread: fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
fffff88005bc9bc0 SynchronizationEvent
IRP List:
fffffa8025703010: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa80118e1790 Image: WerFault.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
Context Switch Count 13433 IdealProcessor: 0
LargeStack
UserTime 00:00:00.109
KernelTime 00:00:01.906
Win32 Start Address 0x00000000ffbe4920
Stack Init fffff88008f55db0 Current fffff88008f549a0
Base fffff88008f56000 Limit fffff88008f4d000 Call 0000000000000000
Priority 7 BasePriority 7 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff88008f549e0 fffff80001ec4142 : fffff88008f54b38 fffffa800788d540 fffffa8000000000 fffff88005b0280d : nt!KiSwapContext+0x7a
fffff88008f54b20 fffff80001ec696f : 000000000000000e 00000000001a7100 fffff8a000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
fffff88008f54bb0 fffff88005b34b6e : fffff88005bc7a00 fffff88000000000 fffff8a01667f000 fffff88008f55100 : nt!KeWaitForSingleObject+0x19f
fffff88008f54c50 fffff88005b357eb : fffff88008f54d64 fffff88008f54d18 fffff88008f55118 00000000001a7100 : !scan_open_connection+0x10e [d:\build_692379<build>\optimizer\scan\scan.c @ 4266]
fffff88008f54ca0 fffff88005b12865 : fffff88008f550e0 fffff88008f54fc0 fffff88008f55088 0000000000000028 : !scan_check_access_perm+0xaab [d:\build_692379<build>\optimizer\scan\scan.c @ 4559]
fffff88008f54f00 fffff88005b10157 : fffffa801260c740 fffff88008f55448 fffff88008f553d8 fffff880014d9882 : !fsh_scan_file+0xe55 [d:\build_692379<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff88008f553b0 fffff88001273288 : fffffa801260c740 fffff88008f55448 0000000000000000 0000000000000000 : !fsh_create_hook_cmpl+0x57 [d:\build_692379<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff88008f55400 fffff88001271d1b : fffffa80079fc180 fffffa801260c7e0 fffffa8008a95970 fffffa8008a95b90 : fltmgr!FltpPerformPostCallbacks+0x368
fffff88008f554d0 fffff880012912b9 : fffffa8025703010 fffffa8007412010 fffffa8025703000 fffffa8007406360 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff88008f55560 fffff88001271bcf : 0000000000000000 fffffa8006d0a9f0 0000000000000000 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff88008f55610 fffff880012912b9 : fffffa8025703010 fffffa8009001010 fffffa8025703000 fffffa800906e680 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff88008f556a0 fffff800021c32bb : 0000000000000005 0000000000000040 fffffa800c2619b0 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff88008f55750 fffff800021bedde : fffffa80073c7cd0 0000000000000000 fffffa8011431530 fffff88008f55a01 : nt!IopParseDevice+0x14e2
fffff88008f558b0 fffff800021bf8c6 : 0000000000000000 fffff88008f55a30 fffff68000000040 fffffa8006d0a9f0 : nt!ObpLookupObjectName+0x784
fffff88008f559b0 fffff800021c16bc : 0000000000000110 0000000000000000 fffffa800788d501 ffffffffffffffff : nt!ObOpenObjectByName+0x306
fffff88008f55a80 fffff800021ccd34 : 00000000000fa758 0000000080100080 00000000000fa7a8 00000000000fa768 : nt!IopCreateFile+0x2bc
fffff88008f55b20 fffff80001ebe0d3 : ffffffffffffffff 0000007fffffffff 00000000000fa7f0 0000098000000000 : nt!NtCreateFile+0x78
fffff88008f55bb0 00000000779cc28a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88008f55c20)
00000000000fa6d8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc28a

On Fri, Aug 11, 2017 at 3:16 PM, xxxxx@hotmail.com <xxxxx@lists.osr.com> wrote:

> To give more info, I am using KeWaitForSingleObject() with following
> parameters:
>
> status = KeWaitForSingleObject( &event, Executive, KernelMode, FALSE, p_timeout );
> //where event is KEVENT.
>
> Thanks
> Kunal

Thanks for your responses.

In werfault stack, my driver tries to open a connection to my scan-server to send the file for scanning.
To give a brief overview, whenever a user tries to create/open a file, my filter driver sends it to a scan-server. I maintain an array of 5 elements which control sending of files for scan. Whenever a new thread is spawned for scanning, it marks one of the elements in the array as in-use. After scan is complete, the thread marks it as unused. So, at a time there can be only 5 threads with open connection to scan-server.

I can see 5 threads in the dump in wait state. One of such thread is as below. I have given a timeout value of 45 seconds in KeWaitForSingleObject(). But why is this thread not coming out of wait state?

0: kd> !thread fffffa8012f0e5e0
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
fffffa8012f0e8b8 Semaphore Limit 0x2
IRP List:
fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Context Switch Count 3126429 IdealProcessor: 0
UserTime 00:01:37.625
KernelTime 00:13:13.250
Win32 Start Address 0x0000000010376284
Stack Init fffff8800b183db0 Current fffff8800b182340
Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff8800b182380 fffff80001ec4142 : fffffa800f65b001 fffffa8012f0e5e0 fffff8000203ce80 fffff88000000008 : nt!KiSwapContext+0x7a
fffff8800b1824c0 fffff80001ec696f : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
fffff8800b182550 fffff80001eb1ee0 : 0000000000000000 fffffa8000000005 fffffa800f65b000 0000000000000000 : nt!KeWaitForSingleObject+0x19f
fffff8800b1825f0 fffff80001eb2b7d : fffffa8012f0e5e0 0000000000000000 0000000000000000 fffffa8000000000 : nt!KiSuspendThread+0x54
fffff8800b182630 fffff80001ec434d : fffffa8012f0e6a0 0000000000000000 fffff80001eb1e8c 0000000000000000 : nt!KiDeliverApc+0x21d
fffff8800b1826b0 fffff80001ec696f : fffffa800b83e490 fffffa8008bd9200 fffff8800000004f 0000000000000000 : nt!KiCommitThreadWait+0x3dd
fffff8800b182740 fffff88005b233c1 : fffffa8012438000 fffff88000000000 fffff8800b182800 fffff8800b182a00 : nt!KeWaitForSingleObject+0x19f
fffff8800b1827e0 fffff88005b1dd93 : fffffa800f5d9530 fffff8a000f45300 000000000000005a fffff8a000000000 : !ivmc_wsk_recv_data+0x211 [d:\build_692379<build>\optimizer\ivmc\ivmc_ksocket.c @ 435]
fffff8800b182870 fffff88005b2f27e : fffff88005bc9c28 fffff8a000f45300 fffff8800000005a fffff88000000000 : !ivmc_read_all+0x93 [d:\build_692379<build>\optimizer\ivmc\ivmc.c @ 426]
fffff8800b1828e0 fffff88005b30ca0 : fffff88005bc9c28 fffff8800b182fc0 fffff8800b182a48 fffff8a01fdf65e0 : !scan_process_response+0x10e [d:\build_692379<build>\optimizer\scan\scan.c @ 2562]
fffff8800b1829c0 fffff88005b3227b : fffff8800b1830e0 fffff8800b182fc0 fffff88000000001 fffff8800b183148 : !scan_process_file_scan_response+0xb0 [d:\build_692379<build>\optimizer\scan\scan.c @ 3028]
fffff8800b182a90 fffff88005b35b56 : fffff8800b1830e0 fffff8800b182fc0 fffff88069435351 00000000000007ff : !scan_file_with_file_transfer+0x99b [d:\build_692379<build>\optimizer\scan\scan.c @ 3416]
fffff8800b182ca0 fffff88005b12865 : fffff8800b1830e0 fffff8800b182fc0 fffff8800b183088 0000000000000028 : !scan_check_access_perm+0xe16 [d:\build_692379<build>\optimizer\scan\scan.c @ 4617]
fffff8800b182f00 fffff88005b10157 : fffffa8008bd9380 fffff8800b183448 fffff8800b1833d8 fffff880014d9882 : !fsh_scan_file+0xe55 [d:\build_692379<build>\optimizer\fsh\fsh_hooks.c @ 1387]
fffff8800b1833b0 fffff88001273288 : fffffa8008bd9380 fffff8800b183448 0000000000000000 0000000000000000 : !fsh_create_hook_cmpl+0x57 [d:\build_692379<build>\optimizer\fsh\fsh_hooks.c @ 290]
fffff8800b183400 fffff88001271d1b : fffffa800ff123f0 fffffa8008bd9420 fffffa80099182f0 fffffa8009918510 : fltmgr!FltpPerformPostCallbacks+0x368
fffff8800b1834d0 fffff880012912b9 : fffffa800b83e490 fffffa800b4a0250 fffffa800b83e400 fffffa800a658890 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff8800b183560 fffff88001271bcf : 0000000000000000 fffffa8006d0a9f0 0000000000000000 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff8800b183610 fffff880012912b9 : fffffa800b83e490 fffffa801bd1b6b0 fffffa800b83e400 fffffa800e966040 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff8800b1836a0 fffff800021c32bb : 0000000000000005 0000000000000040 fffffa800de7b590 0000000000000000 : fltmgr!FltpCreate+0x2a9
fffff8800b183750 fffff800021bedde : fffffa800ff27b80 0000000000000000 fffffa80108e9530 fffffa800e966001 : nt!IopParseDevice+0x14e2
fffff8800b1838b0 fffff800021bf8c6 : 0000000000000000 fffff8800b183a30 fffff8a000000040 fffffa8006d0a9f0 : nt!ObpLookupObjectName+0x784
fffff8800b1839b0 fffff800021c16bc : 0000000000000000 0000000000000000 0000000000000001 0000000000000000 : nt!ObOpenObjectByName+0x306
fffff8800b183a80 fffff800021ccd34 : 0000000028e0a5e8 fffff800c0110098 0000000028e0a638 0000000028e0a5f8 : nt!IopCreateFile+0x2bc
fffff8800b183b20 fffff80001ebe0d3 : 0000000000000000 0000000000000000 0000000000000000 0000000028e0c9e0 : nt!NtCreateFile+0x78
fffff8800b183bb0 00000000779cc28a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff8800b183c20)
0000000028e0a568 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x779cc28a
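
A triage pass over `!thread` output like the listings posted above, as an added example that is not part of the original thread: it lists threads that have waited longer than a threshold while sitting under a frame outside the OS modules, together with their suspend count. The sample input is constructed by abbreviating the output in this thread; `OS_MODULES`, the 60-second default and the function names are assumptions.

```python
import re

# Constructed sample: three threads abbreviated from the `!thread` output in this
# thread (argument columns replaced by "...", source paths shortened).
SAMPLE = """\
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
Owning Process fffffa800f65b060 Image: DxDmService.exe
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Child-SP RetAddr : Args to Child : Call Site
fffff8800b1825f0 fffff80001eb2b7d : ... : nt!KiSuspendThread+0x54
fffff8800b182740 fffff88005b233c1 : ... : nt!KeWaitForSingleObject+0x19f
fffff8800b1827e0 fffff88005b1dd93 : ... : !ivmc_wsk_recv_data+0x211 [ivmc_ksocket.c @ 435]
fffff8800b183400 fffff88001271d1b : ... : fltmgr!FltpPerformPostCallbacks+0x368

THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread: fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
Owning Process fffffa80118e1790 Image: WerFault.exe
Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
Child-SP RetAddr : Args to Child : Call Site
fffff88008f54bb0 fffff88005b34b6e : ... : nt!KeWaitForSingleObject+0x19f
fffff88008f54c50 fffff88005b357eb : ... : !scan_open_connection+0x10e [scan.c @ 4266]
fffff88008f55400 fffff88001271d1b : ... : fltmgr!FltpPerformPostCallbacks+0x368

THREAD fffffa801152b2c0 Cid 0220.1cbc Teb: 000007fffffd3000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
Owning Process fffffa8007b12b10 Image: services.exe
Wait Start TickCount 153146327 Ticks: 3463 (0:00:00:54.109)
Child-SP RetAddr : Args to Child : Call Site
fffff88007d709d0 fffff800021aa217 : ... : nt!KeRemoveQueueEx+0x323
fffff88007d70c20 00000000779cd63a : ... : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88007d70c20)
"""

THREAD_RE = re.compile(r"^THREAD\s+([0-9a-f]+)\s+Cid\s+(\S+).*WAIT:\s+\((\w+)\)\s+(\w+)", re.I)
IMAGE_RE = re.compile(r"^Owning Process\s+[0-9a-f]+\s+Image:\s+(\S+)", re.I)
TICKS_RE = re.compile(r"Ticks:\s+\d+\s+\((\d+):(\d+):(\d+):(\d+\.\d+)\)")
FRAME_RE = re.compile(r"^[0-9a-f]{16}\s+[0-9a-f]{16}\s+:.*:\s+(\S*!\S+)", re.I)
OS_MODULES = {"nt", "fltmgr"}  # assumption: modules treated as OS code; extend as needed


def parse_threads(text):
    """Split `!thread` output into one dict per THREAD block."""
    threads, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = THREAD_RE.match(line)
        if m:
            cur = {"addr": m.group(1), "cid": m.group(2), "reason": m.group(3),
                   "mode": m.group(4), "image": None, "suspend_count": 0,
                   "wait_seconds": 0.0, "frames": []}
            threads.append(cur)
        elif cur is None:
            continue
        elif line.startswith("SuspendCount"):
            cur["suspend_count"] = int(line.split()[1])
        elif IMAGE_RE.match(line):
            cur["image"] = IMAGE_RE.match(line).group(1)
        elif TICKS_RE.search(line):
            # The wait time is printed as days:hours:minutes:seconds.milliseconds.
            d, h, mi, s = TICKS_RE.search(line).groups()
            cur["wait_seconds"] = int(d) * 86400 + int(h) * 3600 + int(mi) * 60 + float(s)
        elif FRAME_RE.match(line):
            cur["frames"].append(FRAME_RE.match(line).group(1))
    return threads


def first_driver_frame(thread):
    """First call site, from the top of the stack, outside OS_MODULES (None if all OS)."""
    for site in thread["frames"]:
        # An empty module name (as in the pasted stacks) also counts as non-OS.
        if site.split("!", 1)[0].lower() not in OS_MODULES:
            return site
    return None


def triage(text, min_wait_seconds=60.0):
    """Long waiters that sit under a non-OS frame, longest wait first."""
    hits = [(t["addr"], t["image"], t["reason"], t["suspend_count"],
             round(t["wait_seconds"], 3), first_driver_frame(t))
            for t in parse_threads(text)
            if t["wait_seconds"] >= min_wait_seconds and first_driver_frame(t)]
    return sorted(hits, key=lambda h: h[4], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```
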

I could not see the whole user-mode stack in DxDmService.exe, which is needed to clear up what the DxDmService state is.

Thread fffffa8012f0e5e0 is suspended by KiSuspendThread, which was delivered by APC. I think that werfault suspended all of the threads in DxDmService.
The thread below was suspended 25 minutes before the crash.

0: kd> !thread fffffa8012f0e5e0
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
fffffa8012f0e8b8 Semaphore Limit 0x2
IRP List:
fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Context Switch Count 3126429 IdealProcessor: 0
UserTime 00:01:37.625
KernelTime 00:13:13.250
Win32 Start Address 0x0000000010376284
Stack Init fffff8800b183db0 Current fffff8800b182340
Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff8800b182380 fffff80001ec4142 : fffffa800f65b001 fffffa8012f0e5e0 fffff8000203ce80 fffff88000000008 : nt!KiSwapContext+0x7a
fffff8800b1824c0 fffff80001ec696f : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
fffff8800b182550 fffff80001eb1ee0 : 0000000000000000 fffffa8000000005 fffffa800f65b000 0000000000000000 : nt!KeWaitForSingleObject+0x19f
fffff8800b1825f0 fffff80001eb2b7d : fffffa8012f0e5e0 0000000000000000 0000000000000000 fffffa8000000000 : nt!KiSuspendThread+0x54
fffff8800b182630 fffff80001ec434d : fffffa8012f0e6a0 0000000000000000 fffff80001eb1e8c 0000000000000000 : nt!KiDeliverApc+0x21d
fffff8800b1826b0 fffff80001ec696f : fffffa800b83e490 fffffa8008bd9200 fffff8800000004f 0000000000000000 : nt!KiCommitThreadWait+0x3dd

best regards
Taehwa.

On Fri, Aug 11, 2017 at 5:38 PM, xxxxx@hotmail.com <xxxxx@lists.osr.com> wrote:

> Thanks for your responses.
>
> In werfault stack, my driver tries to open a connection to my scan-server
> to send the file for scanning.
> To give a brief overview, whenever a user tries to create/open a file, my
> filter driver sends it to a scan-server. I maintain an array of 5 elements
> which control sending of files for scan. Whenever a new thread is spawned
> for scanning,
> it marks one of the elements in the array as in-use. After scan is
> complete, the thread marks it as unused. So, at a time there can be only 5
> threads with open connection to scan-server.
>
> I can see 5 threads in the dump in wait state. One of such thread is as
> below. I have given a timeout value of 45 seconds in
> KeWaitForSingleObject(). But why is this thread not coming out of wait
> state?


This is a kernel dump, so I don’t think usermode data will be present. I tried to switch to process “DxDmService” but got the error as below:

0: kd> .process fffffa800f65b060
Process fffffa800f65b060 has invalid page directories

Thanks,
Kunal

Hi Taehwa,

Could you provide some details as to why all 5 of my scanning threads are not coming out of WAIT state even though I have given 45 secs timeout in KeWaitForSingleObject()?
I can see in the callstack of thread “fffffa8012f0e5e0” that after I call KeWaitForSingleObject(), there is a call to KiDeliverApc() after which the thread is suspended and there is another KeWaitForSingleObject().
I could not understand what is happening here. Does suspending a thread change the behavior of KeWaitForSingleObject()?

Thanks,
Kunal

Hello

I’ve already explained, as below. Unfortunately, we could not see the user-mode
stack because it is a kernel dump. We would need to find the exception record if we
could see the user stack.

  1. DxDmService might have gotten an exception (but we couldn’t see it due to the kernel stack)
  2. the exception handler calls werfault (you could see the dump file name through the handle information of werfault)
  3. werfault suspends all threads of DxDmService to make a dump
  4. werfault opens a file and then filters it and waits for more than 20 min (I’m not sure why it didn’t wake up for 20 mins). I think you need to check the wait condition in the werfault context.
  5. bugcheck.

It is a hard job to understand the situation without the dump.

best regards
Taehwa.

On Mon, Aug 14, 2017 at 4:23 PM, xxxxx@hotmail.com <xxxxx@lists.osr.com> wrote:

> Hi Taehwa,
>
> Could you provide some details as to why all 5 of my scanning threads are
> not coming out of WAIT state even though I have given 45 secs timeout in
> KeWaitForSingleObject()?
> I can see in the callstack of thread “fffffa8012f0e5e0” that after I call
> KeWaitForSingleObject(), there is a call to KiDeliverApc() after which the
> thread is suspended and there is another KeWaitForSingleObject().
> I could not understand what is happening here. Does suspending a thread
> change the behavior of KeWaitForSingleObject()?
>
> Thanks,
> Kunal