
USER_MODE_HEALTH_MONITOR bugcheck due to my filter driver threads.

Kunal Member - All Emails Posts: 21
Hi,

I received a dump from the customer with USER_MODE_HEALTH_MONITOR bugcheck. Upon dump analysis, I saw several threads of my filter driver in "WAIT: (Suspended)" state for around 20 mins. Below is one of the callstacks:

-------------------------------------
0: kd> !thread fffffa8012f0e5e0
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
SuspendCount 1
fffffa8012f0e8b8 Semaphore Limit 0x2
IRP List:
fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
Not impersonating
DeviceMap fffff8a002fcddd0
Owning Process fffffa800f65b060 Image: DxDmService.exe
Attached Process N/A Image: N/A
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
Context Switch Count 3126429 IdealProcessor: 0
UserTime 00:01:37.625
KernelTime 00:13:13.250
Win32 Start Address 0x0000000010376284
Stack Init fffff8800b183db0 Current fffff8800b182340
Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`0b182380 fffff800`01ec4142 : fffffa80`0f65b001 fffffa80`12f0e5e0 fffff800`0203ce80 fffff880`00000008 : nt!KiSwapContext+0x7a
fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 fffffa80`00000005 fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200 fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
fffff880`0b182740 fffff880`05b233c1 : fffffa80`12438000 fffff880`00000000 fffff880`0b182800 fffff880`0b182a00 : nt!KeWaitForSingleObject+0x19f
:
:
-----------------------------------------------------------------------------------

I am calling KeWaitForSingleObject() from my filter driver and I have specified timeout value of 45 seconds.
What can be the reason for 25 mins wait even though I have specified timeout of 45 seconds?
Also what does KiDeliverApc() mean in this context?

Appreciate any help on this.

Thanks,
Kunal

Comments

  • Kunal Member - All Emails Posts: 21
    I could also see another thread with my driver in the callstack with a Trap frame as follows:

    ------------------------------------
    0: kd> !thread fffffa800c40f7f0
    THREAD fffffa800c40f7f0 Cid 1df0.027c Teb: 000007ffffec8000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
    SuspendCount 1
    fffffa800c40fac8 Semaphore Limit 0x2
    IRP List:
    fffffa80170346c0: (0006,0358) Flags: 00000884 Mdl: 00000000
    Not impersonating
    DeviceMap fffff8a002fcddd0
    Owning Process fffffa800f65b060 Image: DxDmService.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153051154 Ticks: 98636 (0:00:25:41.187)
    Context Switch Count 2688470 IdealProcessor: 1
    UserTime 00:01:20.812
    KernelTime 00:13:51.890
    Win32 Start Address 0x0000000010376284
    Stack Init fffff88005c27db0 Current fffff88005c265c0
    Base fffff88005c28000 Limit fffff88005c22000 Call 0000000000000000
    Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5

    Child-SP RetAddr : Args to Child : Call Site
    fffff880`05c26600 fffff800`01ec4142 : 00000000`00000000 fffffa80`0c40f7f0 00000000`00000000 fffff800`021aba78 : nt!KiSwapContext+0x7a
    fffff880`05c26740 fffff800`01ec696f : fffffa80`0d002de0 fffff880`05c26b50 fffffa80`00000000 fffffa80`119320e4 : nt!KiCommitThreadWait+0x1d2
    fffff880`05c267d0 fffff800`01eb1ee0 : fffff880`05c26800 fffff880`00000005 fffffa80`0c40f700 fffff800`01ebe000 : nt!KeWaitForSingleObject+0x19f
    fffff880`05c26870 fffff800`01eb2b7d : fffffa80`0c40f7f0 fffff880`05c26930 54d338c3`00010000 00000000`00000000 : nt!KiSuspendThread+0x54
    fffff880`05c268b0 fffff800`01eb2df7 : 00000000`09e97285 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
    fffff880`05c26930 fffff880`05b50a61 : 4f73e71d`f28b33f1 acf85ec3`08e49586 93804e29`b007765f aaf994a9`20b19db4 : nt!KiApcInterrupt+0xd7 (TrapFrame @ fffff880`05c26930)
    fffff880`05c26ac0 4f73e71d`f28b33f1 : acf85ec3`08e49586 93804e29`b007765f aaf994a9`20b19db4 36d4a682`d2d94433 : <mydriver>!sha1_block_data_order+0xfa1
    :
    :

    -----------------------------------------------

    How can I proceed to find the root cause?

    Thanks,
    Kunal
  • taehwa_lee Member - All Emails Posts: 16
    Could we see all of the threads in DxDmService.exe?
    Usually, there might be Wer to handle an exception if threads are suspended.

    Best regards
    Taehwa

    On Fri, Aug 11, 2017 at 2:09 AM, [email protected] <
    [email protected]> wrote:

    > I could also see another thread with my driver in the callstack with a
    > Trap frame as follows:
    >
  • Kunal Member - All Emails Posts: 21
    There are 12 threads in DxDmService.exe with my driver in callstack. Also, all of them have KiDeliverApc() in the callstack. Here are 2 unique threads from DxDmService. There are multiple instances of these threads.


    0: kd> !thread fffffa800c40f7f0
    THREAD fffffa800c40f7f0 Cid 1df0.027c Teb: 000007ffffec8000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
    SuspendCount 1
    fffffa800c40fac8 Semaphore Limit 0x2
    IRP List:
    fffffa80170346c0: (0006,0358) Flags: 00000884 Mdl: 00000000
    Not impersonating
    DeviceMap fffff8a002fcddd0
    Owning Process fffffa800f65b060 Image: DxDmService.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153051154 Ticks: 98636 (0:00:25:41.187)
    Context Switch Count 2688470 IdealProcessor: 1
    UserTime 00:01:20.812
    KernelTime 00:13:51.890
    Win32 Start Address 0x0000000010376284
    Stack Init fffff88005c27db0 Current fffff88005c265c0
    Base fffff88005c28000 Limit fffff88005c22000 Call 0000000000000000
    Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5

    Child-SP RetAddr : Args to Child : Call Site
    fffff880`05c26600 fffff800`01ec4142 : 00000000`00000000 fffffa80`0c40f7f0 00000000`00000000 fffff800`021aba78 : nt!KiSwapContext+0x7a
    fffff880`05c26740 fffff800`01ec696f : fffffa80`0d002de0 fffff880`05c26b50 fffffa80`00000000 fffffa80`119320e4 : nt!KiCommitThreadWait+0x1d2
    fffff880`05c267d0 fffff800`01eb1ee0 : fffff880`05c26800 fffff880`00000005 fffffa80`0c40f700 fffff800`01ebe000 : nt!KeWaitForSingleObject+0x19f
    fffff880`05c26870 fffff800`01eb2b7d : fffffa80`0c40f7f0 fffff880`05c26930 54d338c3`00010000 00000000`00000000 : nt!KiSuspendThread+0x54
    fffff880`05c268b0 fffff800`01eb2df7 : 00000000`09e97285 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
    fffff880`05c26930 fffff880`05b50a61 : 4f73e71d`f28b33f1 acf85ec3`08e49586 93804e29`b007765f aaf994a9`20b19db4 : nt!KiApcInterrupt+0xd7 (TrapFrame @ fffff880`05c26930)
    fffff880`05c26ac0 4f73e71d`f28b33f1 : acf85ec3`08e49586 93804e29`b007765f aaf994a9`20b19db4 36d4a682`d2d94433 : <mydriver>!sha1_block_data_order+0xfa1
    fffff880`05c26ac8 acf85ec3`08e49586 : 93804e29`b007765f aaf994a9`20b19db4 36d4a682`d2d94433 375b9d91`2ab7b9f6 : 0x4f73e71d`f28b33f1
    fffff880`05c26ad0 93804e29`b007765f : aaf994a9`20b19db4 36d4a682`d2d94433 375b9d91`2ab7b9f6 64bf0ad8`2e7e99fb : 0xacf85ec3`08e49586
    fffff880`05c26ad8 aaf994a9`20b19db4 : 36d4a682`d2d94433 375b9d91`2ab7b9f6 64bf0ad8`2e7e99fb 43011eb3`e6e49515 : 0x93804e29`b007765f
    fffff880`05c26ae0 36d4a682`d2d94433 : 375b9d91`2ab7b9f6 64bf0ad8`2e7e99fb 43011eb3`e6e49515 fffff880`05c26b20 : 0xaaf994a9`20b19db4
    fffff880`05c26ae8 375b9d91`2ab7b9f6 : 64bf0ad8`2e7e99fb 43011eb3`e6e49515 fffff880`05c26b20 fffff880`05b0921e : 0x36d4a682`d2d94433
    fffff880`05c26af0 64bf0ad8`2e7e99fb : 43011eb3`e6e49515 fffff880`05c26b20 fffff880`05b0921e fffff880`00000000 : 0x375b9d91`2ab7b9f6
    fffff880`05c26af8 43011eb3`e6e49515 : fffff880`05c26b20 fffff880`05b0921e fffff880`00000000 00000000`00000000 : 0x64bf0ad8`2e7e99fb
    fffff880`05c26b00 fffff880`05c26b20 : fffff880`05b0921e fffff880`00000000 00000000`00000000 fffffa80`170346c0 : 0x43011eb3`e6e49515
    fffff880`05c26b08 fffff880`05b0921e : fffff880`00000000 00000000`00000000 fffffa80`170346c0 00000000`00000000 : 0xfffff880`05c26b20
    fffff880`05c26b10 fffff880`05b45e9e : fffff8a0`21047470 fffff8a0`15eb2000 00000000`00010000 fffff880`05c26bb0 : <mydriver>!qfile_read+0x14e [d:\build_692379\<build>\common\qlib\qfile_winnt_kern.c @ 263]
    fffff880`05c26b90 fffff880`05b45a22 : fffff880`05c26f80 fffff8a0`23625250 fffff880`05c2711a 00000000`00000000 : <mydriver>!qcksum_sha1_file+0x1ce [d:\build_692379\<build>\common\qlib\qcksum.c @ 323]
    fffff880`05c26c00 fffff880`05b2840b : fffff880`00000002 fffff880`05c26f80 fffff8a0`23625250 fffff880`05c27118 : <mydriver>!qcksum_compute_file+0xf2 [d:\build_692379\<build>\common\qlib\qcksum.c @ 541]
    fffff880`05c26c50 fffff880`05b35629 : fffff880`05c26f80 fffff8a0`23625250 fffff880`05c27118 00000000`000d477a : <mydriver>!scan_calculate_checksum_file+0x4b [d:\build_692379\<build>\optimizer\scan\scan.c @ 233]
    fffff880`05c26ca0 fffff880`05b12865 : fffff880`05c270e0 fffff880`05c26fc0 fffff880`05c27088 00000000`00000028 : <mydriver>!scan_check_access_perm+0x8e9 [d:\build_692379\<build>\optimizer\scan\scan.c @ 4524]
    fffff880`05c26f00 fffff880`05b10157 : fffffa80`1a1a38d0 fffff880`05c27448 fffff880`05c273d8 fffff880`014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
    fffff880`05c273b0 fffff880`01273288 : fffffa80`1a1a38d0 fffff880`05c27448 00000000`00000000 00000000`00000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
    fffff880`05c27400 fffff880`01271d1b : fffffa80`1ff0d4c0 fffffa80`1a1a3970 fffffa80`14b11010 fffffa80`14b11230 : fltmgr!FltpPerformPostCallbacks+0x368
    fffff880`05c274d0 fffff880`012912b9 : fffffa80`170346c0 fffffa80`1265b800 fffffa80`17034600 fffffa80`0d002de0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    fffff880`05c27560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`05c27610 fffff880`012912b9 : fffffa80`170346c0 fffffa80`0b42a800 fffffa80`17034600 fffffa80`0ee64de0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    fffff880`05c276a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`09446d10 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`05c27750 fffff800`021bedde : fffffa80`0c1167e0 00000000`00000000 fffffa80`19841530 00000000`00000701 : nt!IopParseDevice+0x14e2
    fffff880`05c278b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`05c27a30 fffff8a0`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
    fffff880`05c279b0 fffff800`021c16bc : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByName+0x306
    fffff880`05c27a80 fffff800`021ccd34 : 00000000`2820a5e8 fffff800`c0110098 00000000`2820a638 00000000`2820a5f8 : nt!IopCreateFile+0x2bc
    fffff880`05c27b20 fffff800`01ebe0d3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`2820c9e0 : nt!NtCreateFile+0x78
    fffff880`05c27bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`05c27c20)
    00000000`2820a568 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a


    0: kd> !thread fffffa8012f0e5e0
    THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
    SuspendCount 1
    fffffa8012f0e8b8 Semaphore Limit 0x2
    IRP List:
    fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
    Not impersonating
    DeviceMap fffff8a002fcddd0
    Owning Process fffffa800f65b060 Image: DxDmService.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
    Context Switch Count 3126429 IdealProcessor: 0
    UserTime 00:01:37.625
    KernelTime 00:13:13.250
    Win32 Start Address 0x0000000010376284
    Stack Init fffff8800b183db0 Current fffff8800b182340
    Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`0b182380 fffff800`01ec4142 : fffffa80`0f65b001 fffffa80`12f0e5e0 fffff800`0203ce80 fffff880`00000008 : nt!KiSwapContext+0x7a
    fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
    fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 fffffa80`00000005 fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
    fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
    fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
    fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200 fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
    fffff880`0b182740 fffff880`05b233c1 : fffffa80`12438000 fffff880`00000000 fffff880`0b182800 fffff880`0b182a00 : nt!KeWaitForSingleObject+0x19f
    fffff880`0b1827e0 fffff880`05b1dd93 : fffffa80`0f5d9530 fffff8a0`00f45300 00000000`0000005a fffff8a0`00000000 : <mydriver>!ivmc_wsk_recv_data+0x211 [d:\build_692379\<build>\optimizer\ivmc\ivmc_ksocket.c @ 435]
    fffff880`0b182870 fffff880`05b2f27e : fffff880`05bc9c28 fffff8a0`00f45300 fffff880`0000005a fffff880`00000000 : <mydriver>!ivmc_read_all+0x93 [d:\build_692379\<build>\optimizer\ivmc\ivmc.c @ 426]
    fffff880`0b1828e0 fffff880`05b30ca0 : fffff880`05bc9c28 fffff880`0b182fc0 fffff880`0b182a48 fffff8a0`1fdf65e0 : <mydriver>!scan_process_response+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 2562]
    fffff880`0b1829c0 fffff880`05b3227b : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`00000001 fffff880`0b183148 : <mydriver>!scan_process_file_scan_response+0xb0 [d:\build_692379\<build>\optimizer\scan\scan.c @ 3028]
    fffff880`0b182a90 fffff880`05b35b56 : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`69435351 00000000`000007ff : <mydriver>!scan_file_with_file_transfer+0x99b [d:\build_692379\<build>\optimizer\scan\scan.c @ 3416]
    fffff880`0b182ca0 fffff880`05b12865 : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`0b183088 00000000`00000028 : <mydriver>!scan_check_access_perm+0xe16 [d:\build_692379\<build>\optimizer\scan\scan.c @ 4617]
    fffff880`0b182f00 fffff880`05b10157 : fffffa80`08bd9380 fffff880`0b183448 fffff880`0b1833d8 fffff880`014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
    fffff880`0b1833b0 fffff880`01273288 : fffffa80`08bd9380 fffff880`0b183448 00000000`00000000 00000000`00000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
    fffff880`0b183400 fffff880`01271d1b : fffffa80`0ff123f0 fffffa80`08bd9420 fffffa80`099182f0 fffffa80`09918510 : fltmgr!FltpPerformPostCallbacks+0x368
    fffff880`0b1834d0 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`0b4a0250 fffffa80`0b83e400 fffffa80`0a658890 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    fffff880`0b183560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`0b183610 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`1bd1b6b0 fffffa80`0b83e400 fffffa80`0e966040 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    fffff880`0b1836a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`0de7b590 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`0b183750 fffff800`021bedde : fffffa80`0ff27b80 00000000`00000000 fffffa80`108e9530 fffffa80`0e966001 : nt!IopParseDevice+0x14e2
    fffff880`0b1838b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`0b183a30 fffff8a0`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
    fffff880`0b1839b0 fffff800`021c16bc : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByName+0x306
    fffff880`0b183a80 fffff800`021ccd34 : 00000000`28e0a5e8 fffff800`c0110098 00000000`28e0a638 00000000`28e0a5f8 : nt!IopCreateFile+0x2bc
    fffff880`0b183b20 fffff800`01ebe0d3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`28e0c9e0 : nt!NtCreateFile+0x78
    fffff880`0b183bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0b183c20)
    00000000`28e0a568 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a
    ----------------------------------------------------------------------


    I could also see my driver in a WerFault.exe thread.

    0: kd> !thread fffffa800788d540
    THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread: fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
    fffff88005bc9bc0 SynchronizationEvent
    IRP List:
    fffffa8025703010: (0006,0358) Flags: 00000884 Mdl: 00000000
    Not impersonating
    DeviceMap fffff8a002fcddd0
    Owning Process fffffa80118e1790 Image: WerFault.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
    Context Switch Count 13433 IdealProcessor: 0 LargeStack
    UserTime 00:00:00.109
    KernelTime 00:00:01.906
    Win32 Start Address 0x00000000ffbe4920
    Stack Init fffff88008f55db0 Current fffff88008f549a0
    Base fffff88008f56000 Limit fffff88008f4d000 Call 0000000000000000
    Priority 7 BasePriority 7 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`08f549e0 fffff800`01ec4142 : fffff880`08f54b38 fffffa80`0788d540 fffffa80`00000000 fffff880`05b0280d : nt!KiSwapContext+0x7a
    fffff880`08f54b20 fffff800`01ec696f : 00000000`0000000e 00000000`001a7100 fffff8a0`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
    fffff880`08f54bb0 fffff880`05b34b6e : fffff880`05bc7a00 fffff880`00000000 fffff8a0`1667f000 fffff880`08f55100 : nt!KeWaitForSingleObject+0x19f
    fffff880`08f54c50 fffff880`05b357eb : fffff880`08f54d64 fffff880`08f54d18 fffff880`08f55118 00000000`001a7100 : <mydriver>!scan_open_connection+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 4266]
    fffff880`08f54ca0 fffff880`05b12865 : fffff880`08f550e0 fffff880`08f54fc0 fffff880`08f55088 00000000`00000028 : <mydriver>!scan_check_access_perm+0xaab [d:\build_692379\<build>\optimizer\scan\scan.c @ 4559]
    fffff880`08f54f00 fffff880`05b10157 : fffffa80`1260c740 fffff880`08f55448 fffff880`08f553d8 fffff880`014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
    fffff880`08f553b0 fffff880`01273288 : fffffa80`1260c740 fffff880`08f55448 00000000`00000000 00000000`00000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
    fffff880`08f55400 fffff880`01271d1b : fffffa80`079fc180 fffffa80`1260c7e0 fffffa80`08a95970 fffffa80`08a95b90 : fltmgr!FltpPerformPostCallbacks+0x368
    fffff880`08f554d0 fffff880`012912b9 : fffffa80`25703010 fffffa80`07412010 fffffa80`25703000 fffffa80`07406360 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    fffff880`08f55560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`08f55610 fffff880`012912b9 : fffffa80`25703010 fffffa80`09001010 fffffa80`25703000 fffffa80`0906e680 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    fffff880`08f556a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`0c2619b0 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`08f55750 fffff800`021bedde : fffffa80`073c7cd0 00000000`00000000 fffffa80`11431530 fffff880`08f55a01 : nt!IopParseDevice+0x14e2
    fffff880`08f558b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`08f55a30 fffff680`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
    fffff880`08f559b0 fffff800`021c16bc : 00000000`00000110 00000000`00000000 fffffa80`0788d501 ffffffff`ffffffff : nt!ObOpenObjectByName+0x306
    fffff880`08f55a80 fffff800`021ccd34 : 00000000`000fa758 00000000`80100080 00000000`000fa7a8 00000000`000fa768 : nt!IopCreateFile+0x2bc
    fffff880`08f55b20 fffff800`01ebe0d3 : ffffffff`ffffffff 0000007f`ffffffff 00000000`000fa7f0 00000980`00000000 : nt!NtCreateFile+0x78
    fffff880`08f55bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`08f55c20)
    00000000`000fa6d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a



    I also observed an error (Application error) in Event Logs:

    Faulting application name: DxDmService.exe. version: 6.50.0.480. time stamp: 0x5135c463
    Faulting module name: Xms.dll. version: 6.50.0.480. time stamp: 0x5135c556
    Exception code: 0xc0000417 Fault offset: 0x00000000000ea91c Faulting process id: 0x1df0
    Faulting application start time: 0xDxDmService.exe0 Faulting application path: DxDmService.exe1
    Faulting module path: DxDmService.exe2 Report Id: DxDmService.exe3



    Thanks,
    Kunal
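A triage helper for `!thread` output like the dumps posted above, as an added example (not code from any poster or from OSR): it finds threads parked by `nt!KiSuspendThread` and reports which frame outside `nt` the suspend APC arrived in, and whether that frame was itself inside a kernel wait. The sample input is constructed by abbreviating the posted stacks, and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three threads abbreviated from the !thread output posted
# in this thread (argument columns zeroed, most frames dropped).
SAMPLE = r"""
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
Owning Process fffffa800f65b060 Image: DxDmService.exe
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1825f0 fffff800`01eb2b7d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSuspendThread+0x54
fffff880`0b182630 fffff800`01ec434d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`0b1826b0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
fffff880`0b182740 fffff880`05b233c1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1827e0 fffff880`05b1dd93 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : <mydriver>!ivmc_wsk_recv_data+0x211 [d:\build_692379\<build>\optimizer\ivmc\ivmc_ksocket.c @ 435]
THREAD fffffa800c40f7f0 Cid 1df0.027c Teb: 000007ffffec8000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
Owning Process fffffa800f65b060 Image: DxDmService.exe
Wait Start TickCount 153051154 Ticks: 98636 (0:00:25:41.187)
fffff880`05c26740 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`05c267d0 fffff800`01eb1ee0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`05c26870 fffff800`01eb2b7d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSuspendThread+0x54
fffff880`05c268b0 fffff800`01eb2df7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`05c26930 fffff880`05b50a61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiApcInterrupt+0xd7 (TrapFrame @ fffff880`05c26930)
fffff880`05c26ac0 4f73e71d`f28b33f1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : <mydriver>!sha1_block_data_order+0xfa1
THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread: fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
Owning Process fffffa80118e1790 Image: WerFault.exe
Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
fffff880`08f54b20 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff880`08f54bb0 fffff880`05b34b6e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
fffff880`08f54c50 fffff880`05b357eb : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : <mydriver>!scan_open_connection+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 4266]
"""

IMAGE_RE = re.compile(r"Owning Process\s+\S+\s+Image:\s+(\S+)")
TICKS_RE = re.compile(r"Ticks:\s+\d+\s+\((\d+):(\d+):(\d+):(\d+)\.(\d+)\)")  # d:hh:mm:ss.ms
FRAME_RE = re.compile(r"[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]{8}`[0-9a-f]{8}\s+:")
WAIT_APIS = ("nt!KeWaitForSingleObject", "nt!KeWaitForMultipleObjects",
             "nt!KeDelayExecutionThread")


@dataclass
class Thread:
    addr: str
    wait_reason: str
    image: str = ""
    wait_seconds: float = 0.0
    frames: list = field(default_factory=list)  # call sites, innermost first


def parse_threads(text):
    """Split pasted !thread output into Thread records."""
    threads = []
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := re.match(r"THREAD\s+([0-9a-f]+)", line)):
            reason = re.search(r"WAIT:\s+\((\w+)\)", line)
            threads.append(Thread(m.group(1), reason.group(1) if reason else "not waiting"))
        elif not threads:
            continue
        elif (m := IMAGE_RE.match(line)):
            threads[-1].image = m.group(1)
        elif (m := TICKS_RE.search(line)):
            d, h, mi, s, ms = (int(g) for g in m.groups())
            threads[-1].wait_seconds = ((d * 24 + h) * 60 + mi) * 60 + s + ms / 1000
        elif FRAME_RE.match(line):
            # The call site is the last " : "-separated column; keep the symbol only.
            threads[-1].frames.append(line.rsplit(" : ", 1)[1].split()[0])
    return threads


def suspended_in(thread):
    """Return (frame, was_waiting) for a thread parked by nt!KiSuspendThread.

    The wait at the top of such a stack is the one issued by KiSuspendThread,
    so the Ticks value measures that wait, not a timed wait further down.
    """
    idx = next((i for i, f in enumerate(thread.frames)
                if f.startswith("nt!KiSuspendThread")), None)
    if idx is None:
        return None
    below = thread.frames[idx + 1:]
    for i, sym in enumerate(below):
        if "!" in sym and not sym.startswith("nt!"):
            was_waiting = any(f.startswith(WAIT_APIS) for f in below[:i])
            return sym.split("+")[0], was_waiting
    return None


def triage(text):
    """One row per suspended thread: (addr, image, seconds, frame, was_waiting)."""
    rows = []
    for t in parse_threads(text):
        hit = suspended_in(t)
        if hit:
            rows.append((t.addr, t.image, round(t.wait_seconds), hit[0], hit[1]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Feed it the text of `!process <addr> 7` or several `!thread` commands saved from the debugger; a `was_waiting` value of True marks threads whose own kernel wait is on the stack beneath the suspend APC.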
  • taehwa_lee Member - All Emails Posts: 16
    You need to check the entire call stack with something like !k L100 to see the exception.

    Could you run the command below and show me the result?

    !process 0 7 services.exe

    Best regards
    Taehwa.


    On Fri, Aug 11, 2017 at 1:38 PM, [email protected] <
    [email protected]> wrote:

    > There are 12 threads in DxDmService.exe with my driver in callstack. Also,
    > all of them have KiDeliverApc() in the callstack. Here are 2 unique threads
    > from DxDmService. There are multiple instances of these threads.
    >
    >
    > fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
    > fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000
    > 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
    > fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000
    > fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
    > fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200
    > fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
    > fffff880`0b182740 fffff880`05b233c1 : fffffa80`12438000 fffff880`00000000
    > fffff880`0b182800 fffff880`0b182a00 : nt!KeWaitForSingleObject+0x19f
    > fffff880`0b1827e0 fffff880`05b1dd93 : fffffa80`0f5d9530 fffff8a0`00f45300
    > 00000000`0000005a fffff8a0`00000000 : !ivmc_wsk_recv_data+0x211
    > [d:\build_692379\\optimizer\ivmc\ivmc_ksocket.c @ 435]
    > fffff880`0b182870 fffff880`05b2f27e : fffff880`05bc9c28 fffff8a0`00f45300
    > fffff880`0000005a fffff880`00000000 : !ivmc_read_all+0x93
    > [d:\build_692379\\optimizer\ivmc\ivmc.c @ 426]
    > fffff880`0b1828e0 fffff880`05b30ca0 : fffff880`05bc9c28 fffff880`0b182fc0
    > fffff880`0b182a48 fffff8a0`1fdf65e0 : !scan_process_response+0x10e
    > [d:\build_692379\\optimizer\scan\scan.c @ 2562]
    > fffff880`0b1829c0 fffff880`05b3227b : fffff880`0b1830e0 fffff880`0b182fc0
    > fffff880`00000001 fffff880`0b183148 : !scan_process_file_scan_response+0xb0
    > [d:\build_692379\\optimizer\scan\scan.c @ 3028]
    > fffff880`0b182a90 fffff880`05b35b56 : fffff880`0b1830e0 fffff880`0b182fc0
    > fffff880`69435351 00000000`000007ff : !scan_file_with_file_transfer+0x99b
    > [d:\build_692379\\optimizer\scan\scan.c @ 3416]
    > fffff880`0b182ca0 fffff880`05b12865 : fffff880`0b1830e0 fffff880`0b182fc0
    > fffff880`0b183088 00000000`00000028 : !scan_check_access_perm+0xe16
    > [d:\build_692379\\optimizer\scan\scan.c @ 4617]
    > fffff880`0b182f00 fffff880`05b10157 : fffffa80`08bd9380 fffff880`0b183448
    > fffff880`0b1833d8 fffff880`014d9882 : !fsh_scan_file+0xe55
    > [d:\build_692379\\optimizer\fsh\fsh_hooks.c @ 1387]
    > fffff880`0b1833b0 fffff880`01273288 : fffffa80`08bd9380 fffff880`0b183448
    > 00000000`00000000 00000000`00000000 : !fsh_create_hook_cmpl+0x57
    > [d:\build_692379\\optimizer\fsh\fsh_hooks.c @ 290]
    > fffff880`0b183400 fffff880`01271d1b : fffffa80`0ff123f0 fffffa80`08bd9420
    > fffffa80`099182f0 fffffa80`09918510 : fltmgr!
    > FltpPerformPostCallbacks+0x368
    > fffff880`0b1834d0 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`0b4a0250
    > fffffa80`0b83e400 fffffa80`0a658890 : fltmgr!
    > FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    > fffff880`0b183560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0
    > 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    > fffff880`0b183610 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`1bd1b6b0
    > fffffa80`0b83e400 fffffa80`0e966040 : fltmgr!
    > FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    > fffff880`0b1836a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040
    > fffffa80`0de7b590 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    > fffff880`0b183750 fffff800`021bedde : fffffa80`0ff27b80 00000000`00000000
    > fffffa80`108e9530 fffffa80`0e966001 : nt!IopParseDevice+0x14e2
    > fffff880`0b1838b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`0b183a30
    > fffff8a0`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
    > fffff880`0b1839b0 fffff800`021c16bc : 00000000`00000000 00000000`00000000
    > 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByName+0x306
    > fffff880`0b183a80 fffff800`021ccd34 : 00000000`28e0a5e8 fffff800`c0110098
    > 00000000`28e0a638 00000000`28e0a5f8 : nt!IopCreateFile+0x2bc
    > fffff880`0b183b20 fffff800`01ebe0d3 : 00000000`00000000 00000000`00000000
    > 00000000`00000000 00000000`28e0c9e0 : nt!NtCreateFile+0x78
    > fffff880`0b183bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000
    > 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    > (TrapFrame @ fffff880`0b183c20)
    > 00000000`28e0a568 00000000`00000000 : 00000000`00000000 00000000`00000000
    > 00000000`00000000 00000000`00000000 : 0x779cc28a
    > ----------------------------------------------------------------------
    >
    >
    > I could also see my driver in a WerFault.exe thread.
    >
    > 0: kd> !thread fffffa800788d540
    > THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread:
    > fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
    > fffff88005bc9bc0 SynchronizationEvent
    > IRP List:
    > fffffa8025703010: (0006,0358) Flags: 00000884 Mdl: 00000000
    > Not impersonating
    > DeviceMap fffff8a002fcddd0
    > Owning Process fffffa80118e1790 Image:
    > WerFault.exe
    > Attached Process N/A Image: N/A
    > Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
    > Context Switch Count 13433 IdealProcessor: 0
    > LargeStack
    > UserTime 00:00:00.109
    > KernelTime 00:00:01.906
    > Win32 Start Address 0x00000000ffbe4920
    > Stack Init fffff88008f55db0 Current fffff88008f549a0
    > Base fffff88008f56000 Limit fffff88008f4d000 Call 0000000000000000
    > Priority 7 BasePriority 7 PriorityDecrement 0 IoPriority 2 PagePriority 5
    > Child-SP RetAddr : Args to Child
    > : Call Site
    > fffff880`08f549e0 fffff800`01ec4142 : fffff880`08f54b38 fffffa80`0788d540
    > fffffa80`00000000 fffff880`05b0280d : nt!KiSwapContext+0x7a
    > fffff880`08f54b20 fffff800`01ec696f : 00000000`0000000e 00000000`001a7100
    > fffff8a0`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
    > fffff880`08f54bb0 fffff880`05b34b6e : fffff880`05bc7a00 fffff880`00000000
    > fffff8a0`1667f000 fffff880`08f55100 : nt!KeWaitForSingleObject+0x19f
    > fffff880`08f54c50 fffff880`05b357eb : fffff880`08f54d64 fffff880`08f54d18
    > fffff880`08f55118 00000000`001a7100 : !scan_open_connection+0x10e
    > [d:\build_692379\\optimizer\scan\scan.c @ 4266]
    > fffff880`08f54ca0 fffff880`05b12865 : fffff880`08f550e0 fffff880`08f54fc0
    > fffff880`08f55088 00000000`00000028 : !scan_check_access_perm+0xaab
    > [d:\build_692379\\optimizer\scan\scan.c @ 4559]
    > fffff880`08f54f00 fffff880`05b10157 : fffffa80`1260c740 fffff880`08f55448
    > fffff880`08f553d8 fffff880`014d9882 : !fsh_scan_file+0xe55
    > [d:\build_692379\\optimizer\fsh\fsh_hooks.c @ 1387]
    > fffff880`08f553b0 fffff880`01273288 : fffffa80`1260c740 fffff880`08f55448
    > 00000000`00000000 00000000`00000000 : !fsh_create_hook_cmpl+0x57
    > [d:\build_692379\\optimizer\fsh\fsh_hooks.c @ 290]
    > fffff880`08f55400 fffff880`01271d1b : fffffa80`079fc180 fffffa80`1260c7e0
    > fffffa80`08a95970 fffffa80`08a95b90 : fltmgr!
    > FltpPerformPostCallbacks+0x368
    > fffff880`08f554d0 fffff880`012912b9 : fffffa80`25703010 fffffa80`07412010
    > fffffa80`25703000 fffffa80`07406360 : fltmgr!
    > FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    > fffff880`08f55560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0
    > 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    > fffff880`08f55610 fffff880`012912b9 : fffffa80`25703010 fffffa80`09001010
    > fffffa80`25703000 fffffa80`0906e680 : fltmgr!
    > FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    > fffff880`08f556a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040
    > fffffa80`0c2619b0 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    > fffff880`08f55750 fffff800`021bedde : fffffa80`073c7cd0 00000000`00000000
    > fffffa80`11431530 fffff880`08f55a01 : nt!IopParseDevice+0x14e2
    > fffff880`08f558b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`08f55a30
    > fffff680`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
    > fffff880`08f559b0 fffff800`021c16bc : 00000000`00000110 00000000`00000000
    > fffffa80`0788d501 ffffffff`ffffffff : nt!ObOpenObjectByName+0x306
    > fffff880`08f55a80 fffff800`021ccd34 : 00000000`000fa758 00000000`80100080
    > 00000000`000fa7a8 00000000`000fa768 : nt!IopCreateFile+0x2bc
    > fffff880`08f55b20 fffff800`01ebe0d3 : ffffffff`ffffffff 0000007f`ffffffff
    > 00000000`000fa7f0 00000980`00000000 : nt!NtCreateFile+0x78
    > fffff880`08f55bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000
    > 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    > (TrapFrame @ fffff880`08f55c20)
    > 00000000`000fa6d8 00000000`00000000 : 00000000`00000000 00000000`00000000
    > 00000000`00000000 00000000`00000000 : 0x779cc28a
    >
    >
    >
    > I also observed an error (Application error) in Event Logs:
    >
    > Faulting application name: DxDmService.exe. version: 6.50.0.480. time
    > stamp: 0x5135c463
    > Faulting module name: Xms.dll. version: 6.50.0.480. time stamp: 0x5135c556
    > Exception code: 0xc0000417 Fault offset: 0x00000000000ea91c Faulting
    > process id: 0x1df0
    > Faulting application start time: 0xDxDmService.exe0 Faulting application
    > path: DxDmService.exe1
    > Faulting module path: DxDmService.exe2 Report Id: DxDmService.exe3
    >
    >
    >
    > Thanks,
    > Kunal
    >
  • KunalKunal Member - All Emails Posts: 21
    WinDbg does not recognize the !k command. I guess you meant 'k'. But I am not getting the complete callstack using 'k L100'. I think it's because the dump is a kernel dump and has only kernel information.

    Here is the output for !process 0 7 services.exe:
    -----------------------------------------------------
    0: kd> !process 0 7 services.exe
    PROCESS fffffa8007b12b10
    SessionId: 0 Cid: 0220 Peb: 7fffffdf000 ParentCid: 01b8
    DirBase: 20ca7d000 ObjectTable: fffff8a0020ed010 HandleCount: 628.
    Image: services.exe
    VadRoot fffffa8007b1d830 Vads 146 Clone 0 Private 2233. Modified 4900541. Locked 35.
    DeviceMap fffff8a000008820
    Token fffff8a0020dd060
    ElapsedTime 27 Days 16:41:03.120
    UserTime 00:46:49.468
    KernelTime 01:46:07.671
    QuotaPoolUsage[PagedPool] 124296
    QuotaPoolUsage[NonPagedPool] 38792
    Working Set Sizes (now,min,max) (2196, 50, 345) (8784KB, 200KB, 1380KB)
    PeakWorkingSetSize 4765
    VirtualSize 72 Mb
    PeakVirtualSize 209 Mb
    PageFaultCount 5210240
    MemoryPriority BACKGROUND
    BasePriority 9
    CommitCharge 2866

    THREAD fffffa800720a2c0 Cid 0220.0270 Teb: 000007fffffdb000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
    fffffa800720a7d0 SynchronizationTimer
    fffffa8007b84ad0 SynchronizationTimer
    fffffa8007470b10 ProcessObject
    fffffa80074ad060 ProcessObject
    fffffa8008205b10 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa800823ab10 ProcessObject
    fffffa800824eb10 ProcessObject
    fffffa800826fb10 ProcessObject
    fffffa80082898e0 ProcessObject
    fffffa8007a0b060 ProcessObject
    fffffa8007b2e320 ProcessObject
    fffffa8007bd1320 ProcessObject
    fffffa80083046a0 ProcessObject
    fffffa8008763060 ProcessObject
    fffffa8008869060 ProcessObject
    fffffa800889c060 ProcessObject
    fffffa80088c9730 ProcessObject
    fffffa80089a7b10 ProcessObject
    fffffa8008a27b10 ProcessObject
    fffffa8008a16b10 ProcessObject
    fffffa80089c6060 ProcessObject
    fffffa80089f8b10 ProcessObject
    fffffa8008c0ab10 ProcessObject
    fffffa8008c3a530 ProcessObject
    fffffa8008c79b10 ProcessObject
    fffffa8008d6cb10 ProcessObject
    fffffa8008c36b10 ProcessObject
    fffffa8008e38cc0 SynchronizationEvent
    fffffa8008d804a0 SynchronizationTimer
    fffffa8008228380 ProcessObject
    fffffa800824eb10 ProcessObject
    fffffa80089f8b10 ProcessObject
    fffffa800826fb10 ProcessObject
    fffffa800826fb10 ProcessObject
    fffffa800823ab10 ProcessObject
    fffffa800826fb10 ProcessObject
    fffffa8008c3a530 ProcessObject
    fffffa80089c6060 ProcessObject
    fffffa8008d6cb10 ProcessObject
    fffffa8007b2e320 ProcessObject
    fffffa8008a16b10 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa80074ad060 ProcessObject
    fffffa80074ad060 ProcessObject
    fffffa8008a27b10 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8007470b10 ProcessObject
    fffffa8008c79b10 ProcessObject
    fffffa8007470b10 ProcessObject
    fffffa80089a7b10 ProcessObject
    fffffa8008fd8060 ProcessObject
    fffffa800824eb10 ProcessObject
    fffffa801ac86060 ProcessObject
    fffffa800bab55d0 ProcessObject
    fffffa800f65b060 ProcessObject
    fffffa800ebcfb10 ProcessObject
    fffffa8007a332a0 SynchronizationTimer
    fffffa80082afe30 SynchronizationTimer
    fffffa8008ec9990 SynchronizationTimer
    fffffa800720bef0 SynchronizationTimer
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153148235 Ticks: 1555 (0:00:00:24.296)
    Context Switch Count 127463 IdealProcessor: 0
    UserTime 00:00:00.000
    KernelTime 00:00:00.218
    Win32 Start Address 0x000000007799a280
    Stack Init fffff88003d76db0 Current fffff88003d75fc0
    Base fffff88003d77000 Limit fffff88003d71000 Call 0000000000000000
    Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`03d76000 fffff800`01ec4142 : fffffa80`0720a380 fffffa80`0720a2c0 fffff880`03d76320 fffff800`00000006 : nt!KiSwapContext+0x7a
    fffff880`03d76140 fffff800`01ec365a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
    fffff880`03d761d0 fffff800`021b9c2f : fffff880`00000040 fffff880`03d76520 00000000`00000001 00000000`00000006 : nt!KeWaitForMultipleObjects+0x272
    fffff880`03d76490 fffff800`021b9fa6 : fffffa80`07208701 fffff800`01ec1a73 00000000`00000001 00000000`00000001 : nt!ObpWaitForMultipleObjects+0x294
    fffff880`03d76960 fffff800`01ebe0d3 : fffffa80`0720a2c0 00000000`00b7fad8 fffff880`03d76bc8 fffff880`03d76c00 : nt!NtWaitForMultipleObjects+0xe5
    fffff880`03d76bb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03d76c20)
    00000000`00b7fab8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea

    THREAD fffffa800746aa00 Cid 0220.028c Teb: 000007fffffac000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
    fffffa8008bf9670 SynchronizationEvent
    fffffa800746e530 SynchronizationEvent
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153051456 Ticks: 98334 (0:00:25:36.468)
    Context Switch Count 11294 IdealProcessor: 0
    UserTime 00:00:00.015
    KernelTime 00:00:00.093
    Win32 Start Address 0x000007fefccd04fc
    Stack Init fffff88003dd9db0 Current fffff88003dd8fc0
    Base fffff88003dda000 Limit fffff88003dd4000 Call 0000000000000000
    Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Kernel stack not resident.
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`03dd9000 fffff800`01ec4142 : fffffa80`0746aac0 fffffa80`0746aa00 00000000`00000000 fffffa80`00000009 : nt!KiSwapContext+0x7a
    fffff880`03dd9140 fffff800`01ec365a : 00000000`0000007b 00000000`000000ff 00000000`00000000 fffffa80`05815470 : nt!KiCommitThreadWait+0x1d2
    fffff880`03dd91d0 fffff800`021b9c2f : fffff880`00000002 fffff880`03dd9520 00000000`00000001 fffff880`00000006 : nt!KeWaitForMultipleObjects+0x272
    fffff880`03dd9490 fffff800`021b9fa6 : 00000000`00169501 00000000`00000003 fffff800`00000001 ffffffff`ffffff00 : nt!ObpWaitForMultipleObjects+0x294
    fffff880`03dd9960 fffff800`01ebe0d3 : fffffa80`0746aa00 00000000`00eff488 fffff880`03dd9bc8 fffff880`03dd9c28 : nt!NtWaitForMultipleObjects+0xe5
    fffff880`03dd9bb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`03dd9c20)
    00000000`00eff468 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea

    THREAD fffffa80074af6f0 Cid 0220.02c4 Teb: 000007fffffaa000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
    fffffa8007480a40 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153147012 Ticks: 2778 (0:00:00:43.406)
    Context Switch Count 46385 IdealProcessor: 1
    UserTime 00:00:00.000
    KernelTime 00:00:00.031
    Win32 Start Address 0x000000007799f6f0
    Stack Init fffff880047b6db0 Current fffff880047b67c0
    Base fffff880047b7000 Limit fffff880047b1000 Call 0000000000000000
    Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`047b6800 fffff800`01ec4142 : fffffa80`074af7b0 fffffa80`074af6f0 00000000`00000000 fffffa80`00000008 : nt!KiSwapContext+0x7a
    fffff880`047b6940 fffff800`01ec71a3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000040 : nt!KiCommitThreadWait+0x1d2
    fffff880`047b69d0 fffff800`021aa217 : fffffa80`078b1500 fffff800`01ec1a01 fffff880`047b6c01 fffff800`00000000 : nt!KeRemoveQueueEx+0x323
    fffff880`047b6a90 fffff800`01eab3a6 : 00000000`00000000 fffff880`047b6ba8 fffff880`047b6bc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47
    fffff880`047b6b20 fffff800`01ebe0d3 : fffffa80`074af6f0 00000000`77a7f5c0 00000000`00000000 00000000`00000000 : nt!NtWaitForWorkViaWorkerFactory+0x285
    fffff880`047b6c20 00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`047b6c20)
    00000000`00a4f5c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a

    THREAD fffffa8008e54060 Cid 0220.0c98 Teb: 000007fffff54000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
    fffffa8008e40c50 SynchronizationEvent
    fffffa8008e5ffe0 SynchronizationEvent
    fffffa80071b4110 SynchronizationEvent
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
    Context Switch Count 9737 IdealProcessor: 1
    UserTime 00:00:00.000
    KernelTime 00:00:00.046
    Win32 Start Address 0x000000018005a33c
    Stack Init fffff880065e7db0 Current fffff880065e6fc0
    Base fffff880065e8000 Limit fffff880065e2000 Call 0000000000000000
    Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Kernel stack not resident.
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`065e7000 fffff800`01ec4142 : fffffa80`08e54120 fffffa80`08e54060 00000000`00000000 fffffa80`00000008 : nt!KiSwapContext+0x7a
    fffff880`065e7140 fffff800`01ec365a : 00000000`0000023f 00000000`00000000 00000000`00000000 00000000`00001f80 : nt!KiCommitThreadWait+0x1d2
    fffff880`065e71d0 fffff800`021b9c2f : fffff880`00000003 fffff880`065e7520 00000000`00000001 00000000`00000006 : nt!KeWaitForMultipleObjects+0x272
    fffff880`065e7490 fffff800`021b9fa6 : fffff880`065e7901 fffff800`021ac35a fffffa80`00000001 fffffa80`08298c00 : nt!ObpWaitForMultipleObjects+0x294
    fffff880`065e7960 fffff800`01ebe0d3 : fffffa80`08e54060 00000000`03aff348 fffff880`065e7bc8 00000000`00000000 : nt!NtWaitForMultipleObjects+0xe5
    fffff880`065e7bb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`065e7c20)
    00000000`03aff328 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea

    THREAD fffffa8008e3c5b0 Cid 0220.0c9c Teb: 000007fffff52000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
    fffffa8008defe40 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
    Context Switch Count 9295 IdealProcessor: 0
    UserTime 00:00:00.000
    KernelTime 00:00:00.078
    Win32 Start Address 0x000000018005a33c
    Stack Init fffff88006ccedb0 Current fffff88006cce7a0
    Base fffff88006ccf000 Limit fffff88006cc9000 Call 0000000000000000
    Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Kernel stack not resident.
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`06cce7e0 fffff800`01ec4142 : fffffa80`08e3c670 fffffa80`08e3c5b0 00000000`00000000 fffffa80`0000000a : nt!KiSwapContext+0x7a
    fffff880`06cce920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2
    fffff880`06cce9b0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KeRemoveQueueEx+0x323
    fffff880`06ccea70 fffff800`0217c0a5 : 00000000`00000000 fffff880`06cceb68 fffff880`06cceb60 fffff800`0203ce01 : nt!IoRemoveIoCompletion+0x47
    fffff880`06cceb00 fffff800`01ebe0d3 : fffffa80`08e3c5b0 00000000`03bbf9f8 fffff880`06ccebc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145
    fffff880`06ccebb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06ccec20)
    00000000`03bbf9d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca

    THREAD fffffa800904cb50 Cid 0220.0ca0 Teb: 000007fffff4e000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
    fffffa8008defe40 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
    Context Switch Count 9539 IdealProcessor: 1
    UserTime 00:00:00.000
    KernelTime 00:00:00.046
    Win32 Start Address 0x000000018005a33c
    Stack Init fffff88007078db0 Current fffff880070787a0
    Base fffff88007079000 Limit fffff88007073000 Call 0000000000000000
    Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Kernel stack not resident.
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`070787e0 fffff800`01ec4142 : fffffa80`0904cc10 fffffa80`0904cb50 00000000`00000000 fffffa80`00000008 : nt!KiSwapContext+0x7a
    fffff880`07078920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2
    fffff880`070789b0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KeRemoveQueueEx+0x323
    fffff880`07078a70 fffff800`0217c0a5 : 00000000`00000000 fffff880`07078b68 fffff880`07078b60 fffff800`0203ce01 : nt!IoRemoveIoCompletion+0x47
    fffff880`07078b00 fffff800`01ebe0d3 : fffffa80`0904cb50 00000000`03defab8 fffff880`07078bc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145
    fffff880`07078bb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07078c20)
    00000000`03defa98 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca

    THREAD fffffa8008f60b50 Cid 0220.0ca4 Teb: 000007fffff4c000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
    fffffa8008defe40 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
    Context Switch Count 9219 IdealProcessor: 0
    UserTime 00:00:00.000
    KernelTime 00:00:00.031
    Win32 Start Address 0x000000018005a33c
    Stack Init fffff8800707fdb0 Current fffff8800707f7a0
    Base fffff88007080000 Limit fffff8800707a000 Call 0000000000000000
    Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Kernel stack not resident.
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`0707f7e0 fffff800`01ec4142 : fffffa80`08f60c10 fffffa80`08f60b50 00000000`00000000 fffffa80`0000000a : nt!KiSwapContext+0x7a
    fffff880`0707f920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2
    fffff880`0707f9b0 fffff800`021aa217 : 00000000`026df500 00000000`00000001 00000000`00000000 fffff880`0707fc20 : nt!KeRemoveQueueEx+0x323
    fffff880`0707fa70 fffff800`0217c0a5 : 00000000`00000000 fffff880`0707fb68 fffff880`0707fb60 ffffd6ee`ce01d101 : nt!IoRemoveIoCompletion+0x47
    fffff880`0707fb00 fffff800`01ebe0d3 : fffffa80`08f60b50 00000000`026df838 fffff880`0707fbc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145
    fffff880`0707fbb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0707fc20)
    00000000`026df818 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca

    THREAD fffffa8008f64060 Cid 0220.0ca8 Teb: 000007fffff4a000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
    fffffa8008defe40 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
    Context Switch Count 9572 IdealProcessor: 1
    UserTime 00:00:00.000
    KernelTime 00:00:00.015
    Win32 Start Address 0x000000018005a33c
    Stack Init fffff88007086db0 Current fffff880070867a0
    Base fffff88007087000 Limit fffff88007081000 Call 0000000000000000
    Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Kernel stack not resident.
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`070867e0 fffff800`01ec4142 : fffffa80`08f64120 fffffa80`08f64060 00000000`00000000 fffffa80`00000008 : nt!KiSwapContext+0x7a
    fffff880`07086920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2
    fffff880`070869b0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KeRemoveQueueEx+0x323
    fffff880`07086a70 fffff800`0217c0a5 : 00000000`00000000 fffff880`07086b68 fffff880`07086b60 fffff800`0203ce01 : nt!IoRemoveIoCompletion+0x47
    fffff880`07086b00 fffff800`01ebe0d3 : fffffa80`08f64060 00000000`03f0f9b8 fffff880`07086bc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145
    fffff880`07086bb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07086c20)
    00000000`03f0f998 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca

    THREAD fffffa8008f647d0 Cid 0220.0cac Teb: 000007fffff48000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Non-Alertable
    fffffa8008defe40 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153044980 Ticks: 104810 (0:00:27:17.656)
    Context Switch Count 9162 IdealProcessor: 0
    UserTime 00:00:00.000
    KernelTime 00:00:00.078
    Win32 Start Address 0x000000018005a33c
    Stack Init fffff8800708ddb0 Current fffff8800708d7a0
    Base fffff8800708e000 Limit fffff88007088000 Call 0000000000000000
    Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Kernel stack not resident.
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`0708d7e0 fffff800`01ec4142 : fffffa80`08f64890 fffffa80`08f647d0 00000000`00000000 fffffa80`0000000b : nt!KiSwapContext+0x7a
    fffff880`0708d920 fffff800`01ec71a3 : 00000000`00000002 fffffa80`07b12ea8 fffff880`00000000 fffff800`01ecf91e : nt!KiCommitThreadWait+0x1d2
    fffff880`0708d9b0 fffff800`021aa217 : 00000000`0382f500 00000000`00000001 00000000`00000000 fffff880`0708dc20 : nt!KeRemoveQueueEx+0x323
    fffff880`0708da70 fffff800`0217c0a5 : 00000000`00000000 fffff880`0708db68 fffff880`0708db60 ffffd6ee`ce0ef101 : nt!IoRemoveIoCompletion+0x47
    fffff880`0708db00 fffff800`01ebe0d3 : fffffa80`08f647d0 00000000`0382f8f8 fffff880`0708dbc8 00000000`00000000 : nt!NtRemoveIoCompletion+0x145
    fffff880`0708dbb0 00000000`779cbdca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0708dc20)
    00000000`0382f8d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cbdca

    THREAD fffffa8008f6db50 Cid 0220.0cc4 Teb: 000007fffff56000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Alertable
    fffffa8008e11580 SynchronizationTimer
    fffffa800824eb10 ProcessObject
    fffffa80088c9730 ProcessObject
    fffffa80082898e0 ProcessObject
    fffffa800824eb10 ProcessObject
    fffffa8008c0ab10 ProcessObject
    fffffa8007a0b060 ProcessObject
    fffffa800889c060 ProcessObject
    fffffa8008869060 ProcessObject
    fffffa8008c36b10 ProcessObject
    fffffa8008763060 ProcessObject
    fffffa80083046a0 ProcessObject
    fffffa8008205b10 ProcessObject
    fffffa80082898e0 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa800824eb10 ProcessObject
    fffffa8008205b10 ProcessObject
    fffffa80082898e0 ProcessObject
    fffffa8007bd1320 ProcessObject
    fffffa8008205b10 ProcessObject
    fffffa8007470b10 ProcessObject
    fffffa80082898e0 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa8007a0b060 ProcessObject
    fffffa8008f6cb10 ProcessObject
    fffffa8008f6cb10 ProcessObject
    fffffa8007b51be0 NotificationEvent
    fffffa8008228380 ProcessObject
    fffffa80092cf790 ProcessObject
    fffffa80092cf790 ProcessObject
    fffffa800938c350 ProcessObject
    fffffa800938c350 ProcessObject
    fffffa8007a0b060 ProcessObject
    fffffa80092039c0 ProcessObject
    fffffa80092039c0 ProcessObject
    fffffa80094c2b10 ProcessObject
    fffffa800826fb10 ProcessObject
    fffffa80094c2b10 ProcessObject
    fffffa80082898e0 ProcessObject
    fffffa8008228380 ProcessObject
    fffffa800bab55d0 ProcessObject
    fffffa80152c5060 ProcessObject
    fffffa80105f1060 ProcessObject
    fffffa80105f1060 ProcessObject
    fffffa800f65b060 ProcessObject
    fffffa800ebcfb10 ProcessObject
    fffffa80178a2060 ProcessObject
    fffffa80178a2060 ProcessObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153056886 Ticks: 92904 (0:00:24:11.625)
    Context Switch Count 57235 IdealProcessor: 0
    UserTime 00:00:00.109
    KernelTime 00:00:01.109
    Win32 Start Address 0x000000007799a280
    Stack Init fffff880065eedb0 Current fffff880065edfc0
    Base fffff880065ef000 Limit fffff880065e9000 Call 0000000000000000
    Priority 11 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Kernel stack not resident.
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`065ee000 fffff800`01ec4142 : fffffa80`08f6db50 fffffa80`08f6db50 00000000`00000000 fffffa80`0000000a : nt!KiSwapContext+0x7a
    fffff880`065ee140 fffff800`01ec365a : 00000000`00000014 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
    fffff880`065ee1d0 fffff800`021b9c2f : fffff880`00000033 fffff880`065ee520 00000000`00000001 00000000`00000006 : nt!KeWaitForMultipleObjects+0x272
    fffff880`065ee490 fffff800`021b9fa6 : 00000000`00000001 00000000`00000000 00000000`00000001 00000000`00000001 : nt!ObpWaitForMultipleObjects+0x294
    fffff880`065ee960 fffff800`01ebe0d3 : fffffa80`08f6db50 00000000`0370fad8 fffff880`065eebc8 fffff8a0`022a0330 : nt!NtWaitForMultipleObjects+0xe5
    fffff880`065eebb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`065eec20)
    00000000`0370fab8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea

    THREAD fffffa8009691340 Cid 0220.17b4 Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
    fffffa80071e3cc0 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153141990 Ticks: 7800 (0:00:02:01.875)
    Context Switch Count 14 IdealProcessor: 1
    UserTime 00:00:00.000
    KernelTime 00:00:00.000
    Win32 Start Address 0x000000007799f6f0
    Stack Init fffff8800b0badb0 Current fffff8800b0ba7c0
    Base fffff8800b0bb000 Limit fffff8800b0b5000 Call 0000000000000000
    Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`0b0ba800 fffff800`01ec4142 : 00000000`00000000 fffffa80`09691340 fffffa80`0faa3620 00000000`00000008 : nt!KiSwapContext+0x7a
    fffff880`0b0ba940 fffff800`01ec71a3 : fffffa80`09691340 00000000`00000000 ffffffff`00000000 fffff8a0`00000030 : nt!KiCommitThreadWait+0x1d2
    fffff880`0b0ba9d0 fffff800`021aa217 : fffffa80`078a2700 fffff800`01eb3501 fffff880`0b0bac01 fffffa80`071e3e18 : nt!KeRemoveQueueEx+0x323
    fffff880`0b0baa90 fffff800`01eab3a6 : 00000000`00000000 fffff880`0b0baba8 fffff880`0b0babc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47
    fffff880`0b0bab20 fffff800`01ebe0d3 : fffffa80`09691340 00000000`77a7f5c0 00000000`00000000 00000000`00000001 : nt!NtWaitForWorkViaWorkerFactory+0x285
    fffff880`0b0bac20 00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0b0bac20)
    00000000`00c7f918 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a

    THREAD fffffa800ec603d0 Cid 0220.19c8 Teb: 000007fffffa6000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
    fffffa800821c660 SynchronizationEvent
    fffffa8008228380 ProcessObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153148354 Ticks: 1436 (0:00:00:22.437)
    Context Switch Count 376 IdealProcessor: 1
    UserTime 00:00:00.000
    KernelTime 00:00:00.000
    Win32 Start Address 0x000000007799f6f0
    Stack Init fffff8800ad4fdb0 Current fffff8800ad4efc0
    Base fffff8800ad50000 Limit fffff8800ad4a000 Call 0000000000000000
    Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`0ad4f000 fffff800`01ec4142 : fffffa80`0ec603d0 fffffa80`0ec603d0 00000000`00000000 00000000`00000008 : nt!KiSwapContext+0x7a
    fffff880`0ad4f140 fffff800`01ec365a : fffff8a0`28606568 fffffa80`10399000 00000000`00000042 fffff8a0`28606578 : nt!KiCommitThreadWait+0x1d2
    fffff880`0ad4f1d0 fffff800`021b9c2f : fffff8a0`00000002 fffff880`0ad4f520 00000000`00000001 00000000`00000006 : nt!KeWaitForMultipleObjects+0x272
    fffff880`0ad4f490 fffff800`021b9fa6 : fffff8a0`1c059001 00000000`00000654 00000000`00000001 fffff800`02175200 : nt!ObpWaitForMultipleObjects+0x294
    fffff880`0ad4f960 fffff800`01ebe0d3 : fffffa80`0ec603d0 00000000`010ae798 fffff880`0ad4fbc8 fffffa80`00000000 : nt!NtWaitForMultipleObjects+0xe5
    fffff880`0ad4fbb0 00000000`779cc2ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0ad4fc20)
    00000000`010ae778 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc2ea

    THREAD fffffa801152b2c0 Cid 0220.1cbc Teb: 000007fffffd3000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
    fffffa8007208700 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153146327 Ticks: 3463 (0:00:00:54.109)
    Context Switch Count 3855 IdealProcessor: 1
    UserTime 00:00:00.062
    KernelTime 00:00:00.031
    Win32 Start Address 0x000000007799f6f0
    Stack Init fffff88007d70db0 Current fffff88007d707c0
    Base fffff88007d71000 Limit fffff88007d6b000 Call 0000000000000000
    Priority 10 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`07d70800 fffff800`01ec4142 : fffffa80`1152b2c0 fffffa80`1152b2c0 fffff880`07d70b58 00000000`00000009 : nt!KiSwapContext+0x7a
    fffff880`07d70940 fffff800`01ec71a3 : fffff8a0`13737d00 00000000`000008c4 00000000`00000097 fffff800`021d2312 : nt!KiCommitThreadWait+0x1d2
    fffff880`07d709d0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000000 : nt!KeRemoveQueueEx+0x323
    fffff880`07d70a90 fffff800`01eab3a6 : 000007fe`ff5aee00 fffff880`07d70ba8 fffff880`07d70bc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47
    fffff880`07d70b20 fffff800`01ebe0d3 : fffffa80`1152b2c0 00000000`77a7f5c0 00000000`00000000 00000000`015eed40 : nt!NtWaitForWorkViaWorkerFactory+0x285
    fffff880`07d70c20 00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07d70c20)
    00000000`015efbf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a

    THREAD fffffa80121bbb50 Cid 0220.25e8 Teb: 000007fffffae000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
    fffffa8007208700 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153148994 Ticks: 796 (0:00:00:12.437)
    Context Switch Count 3807 IdealProcessor: 1
    UserTime 00:00:00.062
    KernelTime 00:00:00.078
    Win32 Start Address 0x000000007799f6f0
    Stack Init fffff8800a73bdb0 Current fffff8800a73b7c0
    Base fffff8800a73c000 Limit fffff8800a736000 Call 0000000000000000
    Priority 10 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`0a73b800 fffff800`01ec4142 : fffffa80`121bbb50 fffffa80`121bbb50 fffff880`0a73bb58 00000000`00000009 : nt!KiSwapContext+0x7a
    fffff880`0a73b940 fffff800`01ec71a3 : fffff8a0`1c269d00 00000000`0000037c 00000000`00000002 fffff800`021d2312 : nt!KiCommitThreadWait+0x1d2
    fffff880`0a73b9d0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000000 : nt!KeRemoveQueueEx+0x323
    fffff880`0a73ba90 fffff800`01eab3a6 : 000007fe`ff5aee00 fffff880`0a73bba8 fffff880`0a73bbc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47
    fffff880`0a73bb20 fffff800`01ebe0d3 : fffffa80`121bbb50 00000000`77a7f5c0 00000000`00000000 00000000`00000000 : nt!NtWaitForWorkViaWorkerFactory+0x285
    fffff880`0a73bc20 00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0a73bc20)
    00000000`0172f6f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a

    THREAD fffffa800e3e4060 Cid 0220.0d5c Teb: 000007fffffdd000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
    fffffa8007208700 QueueObject
    Not impersonating
    DeviceMap fffff8a000008820
    Owning Process fffffa8007b12b10 Image: services.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153149787 Ticks: 3 (0:00:00:00.046)
    Context Switch Count 496 IdealProcessor: 0
    UserTime 00:00:00.000
    KernelTime 00:00:00.000
    Win32 Start Address 0x000000007799f6f0
    Stack Init fffff88007e64db0 Current fffff88007e647c0
    Base fffff88007e65000 Limit fffff88007e5f000 Call 0000000000000000
    Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`07e64800 fffff800`01ec4142 : fffffa80`0e3e4060 fffffa80`0e3e4060 fffff880`07e64b58 00000000`00000009 : nt!KiSwapContext+0x7a
    fffff880`07e64940 fffff800`01ec71a3 : fffff8a0`4e181030 00000000`00000524 00000000`0000001b fffff800`021d2312 : nt!KiCommitThreadWait+0x1d2
    fffff880`07e649d0 fffff800`021aa217 : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000000 : nt!KeRemoveQueueEx+0x323
    fffff880`07e64a90 fffff800`01eab3a6 : 000007fe`ff5aee00 fffff880`07e64ba8 fffff880`07e64bc8 00000000`00000001 : nt!IoRemoveIoCompletion+0x47
    fffff880`07e64b20 fffff800`01ebe0d3 : fffffa80`0e3e4060 00000000`77a7f5c0 00000000`00000000 00000000`00000000 : nt!NtWaitForWorkViaWorkerFactory+0x285
    fffff880`07e64c20 00000000`779cd63a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`07e64c20)
    00000000`0112f508 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cd63a



    Thanks,
    Kunal
  • KunalKunal Member - All Emails Posts: 21
    To give more info, I am using KeWaitForSingleObject() with the following parameters:

    status = KeWaitForSingleObject( &event, Executive, KernelMode, FALSE, p_timeout );
    //where event is KEVENT.

    Thanks
    Kunal
  • taehwa_leetaehwa_lee Member - All Emails Posts: 16
    What did your driver do in werfault's stack?

    I think that as below
    1. DxDmService got exception
    2. exception handler call werfault
    3. werfault suspend DxDmService to make dump
    4. werfault open a file and then filter it and wait for more than 20 min
    5. bugcheck.




    0: kd> !thread fffffa800788d540
    THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread: fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
    fffff88005bc9bc0 SynchronizationEvent
    IRP List:
    fffffa8025703010: (0006,0358) Flags: 00000884 Mdl: 00000000
    Not impersonating
    DeviceMap fffff8a002fcddd0
    Owning Process fffffa80118e1790 Image: WerFault.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
    Context Switch Count 13433 IdealProcessor: 0
    LargeStack
    UserTime 00:00:00.109
    KernelTime 00:00:01.906
    Win32 Start Address 0x00000000ffbe4920
    Stack Init fffff88008f55db0 Current fffff88008f549a0
    Base fffff88008f56000 Limit fffff88008f4d000 Call 0000000000000000
    Priority 7 BasePriority 7 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`08f549e0 fffff800`01ec4142 : fffff880`08f54b38 fffffa80`0788d540 fffffa80`00000000 fffff880`05b0280d : nt!KiSwapContext+0x7a
    fffff880`08f54b20 fffff800`01ec696f : 00000000`0000000e 00000000`001a7100 fffff8a0`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
    fffff880`08f54bb0 fffff880`05b34b6e : fffff880`05bc7a00 fffff880`00000000 fffff8a0`1667f000 fffff880`08f55100 : nt!KeWaitForSingleObject+0x19f
    fffff880`08f54c50 fffff880`05b357eb : fffff880`08f54d64 fffff880`08f54d18 fffff880`08f55118 00000000`001a7100 : !scan_open_connection+0x10e [d:\build_692379\\optimizer\scan\scan.c @ 4266]
    fffff880`08f54ca0 fffff880`05b12865 : fffff880`08f550e0 fffff880`08f54fc0 fffff880`08f55088 00000000`00000028 : !scan_check_access_perm+0xaab [d:\build_692379\\optimizer\scan\scan.c @ 4559]
    fffff880`08f54f00 fffff880`05b10157 : fffffa80`1260c740 fffff880`08f55448 fffff880`08f553d8 fffff880`014d9882 : !fsh_scan_file+0xe55 [d:\build_692379\\optimizer\fsh\fsh_hooks.c @ 1387]
    fffff880`08f553b0 fffff880`01273288 : fffffa80`1260c740 fffff880`08f55448 00000000`00000000 00000000`00000000 : !fsh_create_hook_cmpl+0x57 [d:\build_692379\\optimizer\fsh\fsh_hooks.c @ 290]
    fffff880`08f55400 fffff880`01271d1b : fffffa80`079fc180 fffffa80`1260c7e0 fffffa80`08a95970 fffffa80`08a95b90 : fltmgr!FltpPerformPostCallbacks+0x368
    fffff880`08f554d0 fffff880`012912b9 : fffffa80`25703010 fffffa80`07412010 fffffa80`25703000 fffffa80`07406360 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    fffff880`08f55560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`08f55610 fffff880`012912b9 : fffffa80`25703010 fffffa80`09001010 fffffa80`25703000 fffffa80`0906e680 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    fffff880`08f556a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`0c2619b0 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`08f55750 fffff800`021bedde : fffffa80`073c7cd0 00000000`00000000 fffffa80`11431530 fffff880`08f55a01 : nt!IopParseDevice+0x14e2
    fffff880`08f558b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`08f55a30 fffff680`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
    fffff880`08f559b0 fffff800`021c16bc : 00000000`00000110 00000000`00000000 fffffa80`0788d501 ffffffff`ffffffff : nt!ObOpenObjectByName+0x306
    fffff880`08f55a80 fffff800`021ccd34 : 00000000`000fa758 00000000`80100080 00000000`000fa7a8 00000000`000fa768 : nt!IopCreateFile+0x2bc
    fffff880`08f55b20 fffff800`01ebe0d3 : ffffffff`ffffffff 0000007f`ffffffff 00000000`000fa7f0 00000980`00000000 : nt!NtCreateFile+0x78
    fffff880`08f55bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`08f55c20)
    00000000`000fa6d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a

    On Fri, Aug 11, 2017 at 3:16 PM, [email protected] <
    [email protected]> wrote:

    > To give more info, I am using KeWaitForSingleObject() with following
    > parameters:
    >
    > status = KeWaitForSingleObject( &event, Executive, KernelMode, FALSE,
    > p_timeout );
    > //where event is KEVENT.
    >
    > Thanks
    > Kunal
    >
  • KunalKunal Member - All Emails Posts: 21
    Thanks for your responses.

    In the werfault stack, my driver tries to open a connection to my scan-server to send the file for scanning.
    To give a brief overview, whenever a user tries to create/open a file, my filter driver sends it to a scan-server. I maintain an array of 5 elements which control sending of files for scan. Whenever a new thread is spawned for scanning, it marks one of the elements in the array as in-use. After the scan is complete, the thread marks it as unused. So, at any time there can be only 5 threads with an open connection to the scan-server.

    I can see 5 threads in the dump in wait state. One such thread is shown below. I have given a timeout value of 45 seconds in KeWaitForSingleObject(). But why is this thread not coming out of wait state?


    0: kd> !thread fffffa8012f0e5e0
    THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
    SuspendCount 1
    fffffa8012f0e8b8 Semaphore Limit 0x2
    IRP List:
    fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
    Not impersonating
    DeviceMap fffff8a002fcddd0
    Owning Process fffffa800f65b060 Image: DxDmService.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
    Context Switch Count 3126429 IdealProcessor: 0
    UserTime 00:01:37.625
    KernelTime 00:13:13.250
    Win32 Start Address 0x0000000010376284
    Stack Init fffff8800b183db0 Current fffff8800b182340
    Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`0b182380 fffff800`01ec4142 : fffffa80`0f65b001 fffffa80`12f0e5e0 fffff800`0203ce80 fffff880`00000008 : nt!KiSwapContext+0x7a
    fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
    fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 fffffa80`00000005 fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
    fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
    fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
    fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200 fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
    fffff880`0b182740 fffff880`05b233c1 : fffffa80`12438000 fffff880`00000000 fffff880`0b182800 fffff880`0b182a00 : nt!KeWaitForSingleObject+0x19f
    fffff880`0b1827e0 fffff880`05b1dd93 : fffffa80`0f5d9530 fffff8a0`00f45300 00000000`0000005a fffff8a0`00000000 : <mydriver>!ivmc_wsk_recv_data+0x211 [d:\build_692379\<build>\optimizer\ivmc\ivmc_ksocket.c @ 435]
    fffff880`0b182870 fffff880`05b2f27e : fffff880`05bc9c28 fffff8a0`00f45300 fffff880`0000005a fffff880`00000000 : <mydriver>!ivmc_read_all+0x93 [d:\build_692379\<build>\optimizer\ivmc\ivmc.c @ 426]
    fffff880`0b1828e0 fffff880`05b30ca0 : fffff880`05bc9c28 fffff880`0b182fc0 fffff880`0b182a48 fffff8a0`1fdf65e0 : <mydriver>!scan_process_response+0x10e [d:\build_692379\<build>\optimizer\scan\scan.c @ 2562]
    fffff880`0b1829c0 fffff880`05b3227b : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`00000001 fffff880`0b183148 : <mydriver>!scan_process_file_scan_response+0xb0 [d:\build_692379\<build>\optimizer\scan\scan.c @ 3028]
    fffff880`0b182a90 fffff880`05b35b56 : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`69435351 00000000`000007ff : <mydriver>!scan_file_with_file_transfer+0x99b [d:\build_692379\<build>\optimizer\scan\scan.c @ 3416]
    fffff880`0b182ca0 fffff880`05b12865 : fffff880`0b1830e0 fffff880`0b182fc0 fffff880`0b183088 00000000`00000028 : <mydriver>!scan_check_access_perm+0xe16 [d:\build_692379\<build>\optimizer\scan\scan.c @ 4617]
    fffff880`0b182f00 fffff880`05b10157 : fffffa80`08bd9380 fffff880`0b183448 fffff880`0b1833d8 fffff880`014d9882 : <mydriver>!fsh_scan_file+0xe55 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 1387]
    fffff880`0b1833b0 fffff880`01273288 : fffffa80`08bd9380 fffff880`0b183448 00000000`00000000 00000000`00000000 : <mydriver>!fsh_create_hook_cmpl+0x57 [d:\build_692379\<build>\optimizer\fsh\fsh_hooks.c @ 290]
    fffff880`0b183400 fffff880`01271d1b : fffffa80`0ff123f0 fffffa80`08bd9420 fffffa80`099182f0 fffffa80`09918510 : fltmgr!FltpPerformPostCallbacks+0x368
    fffff880`0b1834d0 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`0b4a0250 fffffa80`0b83e400 fffffa80`0a658890 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    fffff880`0b183560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`0b183610 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`1bd1b6b0 fffffa80`0b83e400 fffffa80`0e966040 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    fffff880`0b1836a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040 fffffa80`0de7b590 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    fffff880`0b183750 fffff800`021bedde : fffffa80`0ff27b80 00000000`00000000 fffffa80`108e9530 fffffa80`0e966001 : nt!IopParseDevice+0x14e2
    fffff880`0b1838b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`0b183a30 fffff8a0`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
    fffff880`0b1839b0 fffff800`021c16bc : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByName+0x306
    fffff880`0b183a80 fffff800`021ccd34 : 00000000`28e0a5e8 fffff800`c0110098 00000000`28e0a638 00000000`28e0a5f8 : nt!IopCreateFile+0x2bc
    fffff880`0b183b20 fffff800`01ebe0d3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`28e0c9e0 : nt!NtCreateFile+0x78
    fffff880`0b183bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0b183c20)
    00000000`28e0a568 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779cc28a
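
A triage sketch for dumps like the ones posted in this thread, added here as an example and not code from any of the posters: it parses `!thread` text and lists threads that have been blocked for a long time inside a third-party driver frame called from a Filter Manager callback, marking the ones whose innermost wait was issued by `nt!KiSuspendThread` rather than by the driver. The sample input is constructed and abridged from the stacks above, and `mydriver` is a placeholder module name.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three threads abridged from the `!thread` output quoted in
# this thread. "mydriver" is a placeholder module name and the argument columns
# are zeroed, since the triage below does not read them.
SAMPLE = """\
THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
Owning Process fffffa800f65b060 Image: DxDmService.exe
Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
fffff880`0b182550 fffff800`01eb1ee0 : 0 0 0 0 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1825f0 fffff800`01eb2b7d : 0 0 0 0 : nt!KiSuspendThread+0x54
fffff880`0b182630 fffff800`01ec434d : 0 0 0 0 : nt!KiDeliverApc+0x21d
fffff880`0b1826b0 fffff800`01ec696f : 0 0 0 0 : nt!KiCommitThreadWait+0x3dd
fffff880`0b182740 fffff880`05b233c1 : 0 0 0 0 : nt!KeWaitForSingleObject+0x19f
fffff880`0b1827e0 fffff880`05b1dd93 : 0 0 0 0 : mydriver!ivmc_wsk_recv_data+0x211 [ivmc_ksocket.c @ 435]
fffff880`0b183400 fffff880`01271d1b : 0 0 0 0 : fltmgr!FltpPerformPostCallbacks+0x368
fffff880`0b183b20 fffff800`01ebe0d3 : 0 0 0 0 : nt!NtCreateFile+0x78

THREAD fffffa800788d540 Cid 1128.11b8 Teb: 000007fffffde000 Win32Thread: fffff900c1eb9010 WAIT: (Executive) KernelMode Non-Alertable
Owning Process fffffa80118e1790 Image: WerFault.exe
Wait Start TickCount 153056522 Ticks: 93268 (0:00:24:17.312)
fffff880`08f54b20 fffff800`01ec696f : 0 0 0 0 : nt!KiCommitThreadWait+0x1d2
fffff880`08f54bb0 fffff880`05b34b6e : 0 0 0 0 : nt!KeWaitForSingleObject+0x19f
fffff880`08f54c50 fffff880`05b357eb : 0 0 0 0 : mydriver!scan_open_connection+0x10e [scan.c @ 4266]
fffff880`08f55400 fffff880`01271d1b : 0 0 0 0 : fltmgr!FltpPerformPostCallbacks+0x368
fffff880`08f55b20 fffff800`01ebe0d3 : 0 0 0 0 : nt!NtCreateFile+0x78

THREAD fffffa8009691340 Cid 0220.17b4 Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
Owning Process fffffa8007b12b10 Image: services.exe
Wait Start TickCount 153141990 Ticks: 7800 (0:00:02:01.875)
fffff880`0b0ba9d0 fffff800`021aa217 : 0 0 0 0 : nt!KeRemoveQueueEx+0x323
fffff880`0b0bab20 fffff800`01ebe0d3 : 0 0 0 0 : nt!NtWaitForWorkViaWorkerFactory+0x285
00000000`00c7f918 00000000`00000000 : 0 0 0 0 : 0x779cd63a
"""

HEADER = re.compile(r"THREAD ([0-9a-f]+)\b(?:.*WAIT: \((\w+)\))?")
IMAGE = re.compile(r"Owning Process\s+[0-9a-f]+\s+Image:\s+(\S+)")
TICKS = re.compile(r"Ticks: \d+ \((\d+):(\d+):(\d+):(\d+\.\d+)\)")  # d:hh:mm:ss.ms
FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : ")
KERNEL = {"nt", "fltmgr"}  # modules not counted as third-party driver code


@dataclass
class Thread:
    addr: str
    reason: str
    image: str = "?"
    waited: float = 0.0                          # seconds since wait start
    frames: list = field(default_factory=list)   # (module, function), innermost first


def parse_threads(text):
    """Split unwrapped `!thread` output into Thread records."""
    threads = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            threads.append(Thread(m.group(1), m.group(2) or "NotWaiting"))
        elif not threads:
            continue
        elif (m := IMAGE.search(line)):
            threads[-1].image = m.group(1)
        elif (m := TICKS.search(line)):
            d, h, mi, s = m.groups()
            threads[-1].waited = int(d) * 86400 + int(h) * 3600 + int(mi) * 60 + float(s)
        elif FRAME.match(line):
            # The call site is the last " : " field; drop any [file @ line] suffix.
            site = line.rsplit(" : ", 1)[-1].split()[0]
            module, _, func = site.partition("!")
            threads[-1].frames.append((module, func.split("+")[0]) if func else (None, site))
    return threads


def triage(threads, min_wait=60.0):
    """Report threads blocked at least min_wait seconds in a driver frame under fltmgr."""
    findings = []
    for t in threads:
        mods = [m for m, _ in t.frames]
        drv = next((i for i, m in enumerate(mods) if m and m not in KERNEL), None)
        # Keep only stacks where a third-party frame was called from Filter Manager.
        if drv is None or "fltmgr" not in mods[drv:] or t.waited < min_wait:
            continue
        # If KiSuspendThread sits above the driver frame, the wait the thread is
        # currently in is the suspend wait, not the one the driver issued.
        suspended = ("nt", "KiSuspendThread") in t.frames[:drv]
        kind = "suspended-inside-driver-wait" if suspended else "long-driver-wait"
        findings.append((t.addr, t.image, kind, t.frames[drv][1], round(t.waited)))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_threads(SAMPLE)):
        print(finding)
```

The parser expects one frame per line, so e-mail-wrapped copies of a stack need to be unwrapped before they are fed in.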
  • taehwa_leetaehwa_lee Member - All Emails Posts: 16
    I could not see the full user-mode stack in DxDmService.exe, which is needed to clear up what state DxDmService is in.

    Thread fffffa8012f0e5e0 is suspended by KiSuspendThread, which was delivered by APC. I think that werfault suspended all of the threads in DxDmService.
    The thread below was suspended 25 minutes before the crash.


    0: kd> !thread fffffa8012f0e5e0
    THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread: 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
    SuspendCount 1
    fffffa8012f0e8b8 Semaphore Limit 0x2
    IRP List:
    fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
    Not impersonating
    DeviceMap fffff8a002fcddd0
    Owning Process fffffa800f65b060 Image: DxDmService.exe
    Attached Process N/A Image: N/A
    Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
    Context Switch Count 3126429 IdealProcessor: 0
    UserTime 00:01:37.625
    KernelTime 00:13:13.250
    Win32 Start Address 0x0000000010376284
    Stack Init fffff8800b183db0 Current fffff8800b182340
    Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
    Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    Child-SP RetAddr : Args to Child : Call Site
    fffff880`0b182380 fffff800`01ec4142 : fffffa80`0f65b001 fffffa80`12f0e5e0 fffff800`0203ce80 fffff880`00000008 : nt!KiSwapContext+0x7a
    fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
    fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 fffffa80`00000005 fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
    fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
    fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000 fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
    fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200 fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd

    best regards
    Taehwa.

    On Fri, Aug 11, 2017 at 5:38 PM, [email protected] <
    [email protected]> wrote:

    > Thanks for your responses.
    >
    > In werfault stack, my driver tries to open a connection to my scan-server
    > to send the file for scanning.
    > To give a brief overview, whenever a user tries to create/open a file, my
    > filter driver sends it to a scan-server. I maintain an array of 5 elements
    > which control sending of files for scan. Whenever a new thread is spawned
    > for scanning,
    > it marks one of the elements in the array as in-use. After scan is
    > complete, the thread marks it as unused. So, at a time there can be only 5
    > threads with open connection to scan-server.
    >
    > I can see 5 threads in the dump in wait state. One of such thread is as
    > below. I have given a timeout value of 45 seconds in
    > KeWaitForSingleObject(). But why is this thread not coming out of wait
    > state?
    >
    >
    > 0: kd> !thread fffffa8012f0e5e0
    > THREAD fffffa8012f0e5e0 Cid 1df0.1d60 Teb: 000007ffffeb0000 Win32Thread:
    > 0000000000000000 WAIT: (Suspended) KernelMode Non-Alertable
    > SuspendCount 1
    > fffffa8012f0e8b8 Semaphore Limit 0x2
    > IRP List:
    > fffffa800b83e490: (0006,0358) Flags: 00000884 Mdl: 00000000
    > Not impersonating
    > DeviceMap fffff8a002fcddd0
    > Owning Process fffffa800f65b060 Image:
    > DxDmService.exe
    > Attached Process N/A Image: N/A
    > Wait Start TickCount 153051155 Ticks: 98635 (0:00:25:41.171)
    > Context Switch Count 3126429 IdealProcessor: 0
    > UserTime 00:01:37.625
    > KernelTime 00:13:13.250
    > Win32 Start Address 0x0000000010376284
    > Stack Init fffff8800b183db0 Current fffff8800b182340
    > Base fffff8800b184000 Limit fffff8800b17e000 Call 0000000000000000
    > Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
    > Child-SP RetAddr : Args to Child
    > : Call Site
    > fffff880`0b182380 fffff800`01ec4142 : fffffa80`0f65b001 fffffa80`12f0e5e0
    > fffff800`0203ce80 fffff880`00000008 : nt!KiSwapContext+0x7a
    > fffff880`0b1824c0 fffff800`01ec696f : 00000000`00000000 00000000`00000000
    > 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x1d2
    > fffff880`0b182550 fffff800`01eb1ee0 : 00000000`00000000 fffffa80`00000005
    > fffffa80`0f65b000 00000000`00000000 : nt!KeWaitForSingleObject+0x19f
    > fffff880`0b1825f0 fffff800`01eb2b7d : fffffa80`12f0e5e0 00000000`00000000
    > 00000000`00000000 fffffa80`00000000 : nt!KiSuspendThread+0x54
    > fffff880`0b182630 fffff800`01ec434d : fffffa80`12f0e6a0 00000000`00000000
    > fffff800`01eb1e8c 00000000`00000000 : nt!KiDeliverApc+0x21d
    > fffff880`0b1826b0 fffff800`01ec696f : fffffa80`0b83e490 fffffa80`08bd9200
    > fffff880`0000004f 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
    > fffff880`0b182740 fffff880`05b233c1 : fffffa80`12438000 fffff880`00000000
    > fffff880`0b182800 fffff880`0b182a00 : nt!KeWaitForSingleObject+0x19f
    > fffff880`0b1827e0 fffff880`05b1dd93 : fffffa80`0f5d9530 fffff8a0`00f45300
    > 00000000`0000005a fffff8a0`00000000 : !ivmc_wsk_recv_data+0x211
    > [d:\build_692379\\optimizer\ivmc\ivmc_ksocket.c @ 435]
    > fffff880`0b182870 fffff880`05b2f27e : fffff880`05bc9c28 fffff8a0`00f45300
    > fffff880`0000005a fffff880`00000000 : !ivmc_read_all+0x93
    > [d:\build_692379\\optimizer\ivmc\ivmc.c @ 426]
    > fffff880`0b1828e0 fffff880`05b30ca0 : fffff880`05bc9c28 fffff880`0b182fc0
    > fffff880`0b182a48 fffff8a0`1fdf65e0 : !scan_process_response+0x10e
    > [d:\build_692379\\optimizer\scan\scan.c @ 2562]
    > fffff880`0b1829c0 fffff880`05b3227b : fffff880`0b1830e0 fffff880`0b182fc0
    > fffff880`00000001 fffff880`0b183148 : !scan_process_file_scan_response+0xb0
    > [d:\build_692379\\optimizer\scan\scan.c @ 3028]
    > fffff880`0b182a90 fffff880`05b35b56 : fffff880`0b1830e0 fffff880`0b182fc0
    > fffff880`69435351 00000000`000007ff : !scan_file_with_file_transfer+0x99b
    > [d:\build_692379\\optimizer\scan\scan.c @ 3416]
    > fffff880`0b182ca0 fffff880`05b12865 : fffff880`0b1830e0 fffff880`0b182fc0
    > fffff880`0b183088 00000000`00000028 : !scan_check_access_perm+0xe16
    > [d:\build_692379\\optimizer\scan\scan.c @ 4617]
    > fffff880`0b182f00 fffff880`05b10157 : fffffa80`08bd9380 fffff880`0b183448
    > fffff880`0b1833d8 fffff880`014d9882 : !fsh_scan_file+0xe55
    > [d:\build_692379\\optimizer\fsh\fsh_hooks.c @ 1387]
    > fffff880`0b1833b0 fffff880`01273288 : fffffa80`08bd9380 fffff880`0b183448
    > 00000000`00000000 00000000`00000000 : !fsh_create_hook_cmpl+0x57
    > [d:\build_692379\\optimizer\fsh\fsh_hooks.c @ 290]
    > fffff880`0b183400 fffff880`01271d1b : fffffa80`0ff123f0 fffffa80`08bd9420
    > fffffa80`099182f0 fffffa80`09918510 : fltmgr!
    > FltpPerformPostCallbacks+0x368
    > fffff880`0b1834d0 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`0b4a0250
    > fffffa80`0b83e400 fffffa80`0a658890 : fltmgr!
    > FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
    > fffff880`0b183560 fffff880`01271bcf : 00000000`00000000 fffffa80`06d0a9f0
    > 00000000`00000000 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    > fffff880`0b183610 fffff880`012912b9 : fffffa80`0b83e490 fffffa80`1bd1b6b0
    > fffffa80`0b83e400 fffffa80`0e966040 : fltmgr!
    > FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    > fffff880`0b1836a0 fffff800`021c32bb : 00000000`00000005 00000000`00000040
    > fffffa80`0de7b590 00000000`00000000 : fltmgr!FltpCreate+0x2a9
    > fffff880`0b183750 fffff800`021bedde : fffffa80`0ff27b80 00000000`00000000
    > fffffa80`108e9530 fffffa80`0e966001 : nt!IopParseDevice+0x14e2
    > fffff880`0b1838b0 fffff800`021bf8c6 : 00000000`00000000 fffff880`0b183a30
    > fffff8a0`00000040 fffffa80`06d0a9f0 : nt!ObpLookupObjectName+0x784
    > fffff880`0b1839b0 fffff800`021c16bc : 00000000`00000000 00000000`00000000
    > 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByName+0x306
    > fffff880`0b183a80 fffff800`021ccd34 : 00000000`28e0a5e8 fffff800`c0110098
    > 00000000`28e0a638 00000000`28e0a5f8 : nt!IopCreateFile+0x2bc
    > fffff880`0b183b20 fffff800`01ebe0d3 : 00000000`00000000 00000000`00000000
    > 00000000`00000000 00000000`28e0c9e0 : nt!NtCreateFile+0x78
    > fffff880`0b183bb0 00000000`779cc28a : 00000000`00000000 00000000`00000000
    > 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    > (TrapFrame @ fffff880`0b183c20)
    > 00000000`28e0a568 00000000`00000000 : 00000000`00000000 00000000`00000000
    > 00000000`00000000 00000000`00000000 : 0x779cc28a
    >
    >
  • KunalKunal Member - All Emails Posts: 21
    This is a kernel dump, so I don't think usermode data will be present. I tried to switch to process "DxDmService" but got the error below:

    0: kd> .process fffffa80`0f65b060
    Process fffffa80`0f65b060 has invalid page directories

    Thanks,
    Kunal
  • KunalKunal Member - All Emails Posts: 21
    Hi Taehwa,

    Could you provide some details as to why all 5 of my scanning threads are not coming out of WAIT state even though I have given 45 secs timeout in KeWaitForSingleObject()?
    I can see in the callstack of thread "fffffa8012f0e5e0" that after I call KeWaitForSingleObject(), there is a call to KiDeliverApc() after which the thread is suspended and there is another KeWaitForSingleObject().
    I could not understand what is happening here. Does suspending a thread change the behavior of KeWaitForSingleObject()?

    Thanks,
    Kunal
  • taehwa_leetaehwa_lee Member - All Emails Posts: 16
    Hello

    I've already explained this, as below. Unfortunately, we could not see the user-mode stack because it is a kernel dump. We would need to find the exception record if we could see the user stack.


    1. DxDmService might get an exception (but we couldn't see it due to kernel stack)
    2. The exception handler calls werfault (you could see the dump file name through the handle information of werfault)
    3. werfault suspends all threads of DxDmService to make the dump
    4. werfault opens a file and then filter it and wait for more than 20 min (I'm not sure why it didn't wake up for 20 mins)
    I think you need to check wait condition of in werfault context.
    5. bugcheck.

    It is a hard job to understand the situation without the dump.

    best regards
    Taehwa.

    On Mon, Aug 14, 2017 at 4:23 PM, [email protected] <
    [email protected]> wrote:

    > Hi Taehwa,
    >
    > Could you provide some details as to why all 5 of my scanning threads are
    > not coming out of WAIT state even though I have given 45 secs timeout in
    > KeWaitForSingleObject()?
    > I can see in the callstack of thread "fffffa8012f0e5e0" that after I call
    > KeWaitForSingleObject(), there is a call to KiDeliverApc() after which the
    > thread is suspended and there is another KeWaitForSingleObject().
    > I could not understand what is happening here. Does suspending a thread
    > change the behavior of KeWaitForSingleObject()?
    >
    > Thanks,
    > Kunal
    >