BSOD on processing destroyed timer

Hello.
From the dump it looks like Windows tries to process an already destroyed
object. Can I somehow discover who created that timer?

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: fffff8a00031d158, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80003497b20, address which referenced memory

STACK_TEXT:
fffff880043ff1c8 fffff8000348b3a9 : 000000000000000a fffff8a00031d158 0000000000000002 0000000000000001 : nt!KeBugCheckEx
fffff880043ff1d0 fffff8000348a020 : fffffa800d310b00 fffffa80036d3768 fffffa80036d3768 fffffa8003f17808 : nt!KiBugCheckDispatch+0x69
fffff880043ff310 fffff80003497b20 : fffffa800d7e5120 fffffa80107b6748 fffffa80107b6748 fffffa8003f177a0 : nt!KiPageFault+0x260
fffff880043ff4a0 fffff800034979be : 000000061e5904a0 fffff880043ffb18 0000000000029205 fffff880043d9628 : nt!KiProcessExpiredTimerList+0x110
fffff880043ffaf0 fffff800034977a7 : 00000001ba9cbfc5 0000000100029205 00000001ba9cbf45 0000000000000005 : nt!KiTimerExpiration+0x1be
fffff880043ffb90 fffff80003483b0a : fffff880043d7180 fffff880043e1fc0 0000000000000001 fffff88000000000 : nt!KiRetireDpcList+0x277
fffff880043ffc40 0000000000000000 : fffff88004400000 fffff880043fa000 fffff880043ffc00 0000000000000000 : nt!KiIdleLoop+0x5a

.trap 0xfffff880043ff310
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=17e499c76c1c0000
rdx=fffff88004369700 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80003497b20 rsp=fffff880043ff4a0 rbp=fffffa8003f17808
r8=fffffa80107b66e0 r9=0000000000000008 r10=fffff8000341b000
r11=fffff880043ff470 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
nt!KiProcessExpiredTimerList+0x110:
fffff80003497b20 f00fba2f07 lock bts dword ptr [rdi],7 ds:0000000000000000=???

!pte fffff8a00031d158
VA fffff8a00031d158
PXE at FFFFF6FB7DBEDF88    PPE at FFFFF6FB7DBF1400    PDE at FFFFF6FB7E280008    PTE at FFFFF6FC500018E8
contains 0000000116204863  contains 000000000488C863  contains 000000004881B863  contains AEB00000AA538882
pfn 116204    ---DA--KWEV  pfn 488c      ---DA--KWEV  pfn 4881b     ---DA--KWEV  not valid
                                                                                 Transition: aa538
                                                                                 Protect: 4 - ReadWrite

Does it consistently repro? DV will catch a driver freeing memory that is still currently enqueued in the timer or DPC list

Bent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@gmail.com
Sent: Friday, December 1, 2017 4:36:38 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] BSOD on processing destroyed timer

--
NTDEV is sponsored by OSR

Visit the list online at: http://www.osronline.com/showlists.cfm?list=ntdev

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Thank you for the reply, Doron!
It reproduces about once per day! I'll try to get access to this machine
next week; for now I only have dumps.

On Fri, 1 Dec 2017 at 18:07, xxxxx@microsoft.com wrote:

> Does it consistently repro? DV will catch a driver freeing memory that is
> still currently enqueued in the timer or DPC list
>
> Bent from my phone

Does !pool fffff8a00031d158 say anything?

-scott
OSR
@OSRDrivers

Thank you, Scott!

!pool fffff8a00031d158
Pool page fffff8a00031d158 region is Paged pool
*fffff8a00031d000 size: 1d0 previous size: 0 (Allocated) *ComP
Owning component : Unknown (update pooltag.txt)
fffff8a00031d1d0 size: 40 previous size: 1d0 (Allocated) MmSm
fffff8a00031d210 size: 20 previous size: 40 (Allocated) Pp
fffff8a00031d230 size: 50 previous size: 20 (Allocated) ObNm
fffff8a00031d280 size: 80 previous size: 50 (Allocated) RngS
fffff8a00031d300 size: 20 previous size: 80 (Allocated) ObNm
fffff8a00031d320 size: 80 previous size: 20 (Allocated) Sect (Protected)
fffff8a00031d3a0 size: 190 previous size: 80 (Allocated) Txsa
fffff8a00031d530 size: 50 previous size: 190 (Allocated) Ntfo
fffff8a00031d580 size: 50 previous size: 50 (Allocated) IoNm
fffff8a00031d5d0 size: 30 previous size: 50 (Allocated) ObDi
fffff8a00031d600 size: 20 previous size: 30 (Allocated) ObNm
fffff8a00031d620 size: 30 previous size: 20 (Allocated) ObDi
fffff8a00031d650 size: 20 previous size: 30 (Allocated) ObNm
fffff8a00031d670 size: 30 previous size: 20 (Allocated) ObDi
fffff8a00031d6a0 size: 60 previous size: 30 (Allocated) KLna
fffff8a00031d700 size: 190 previous size: 60 (Allocated) Txsa
fffff8a00031d890 size: 20 previous size: 190 (Allocated) ABFD
fffff8a00031d8b0 size: 20 previous size: 20 (Allocated) ABFD
fffff8a00031d8d0 size: 20 previous size: 20 (Allocated) ABFD
fffff8a00031d8f0 size: 20 previous size: 20 (Allocated) ABFD
fffff8a00031d910 size: 20 previous size: 20 (Allocated) ABFD
fffff8a00031d930 size: a0 previous size: 20 (Allocated) Key (Protected)
fffff8a00031d9d0 size: a0 previous size: a0 (Allocated) Key (Protected)
fffff8a00031da70 size: a0 previous size: a0 (Allocated) Key (Protected)
fffff8a00031db10 size: 10 previous size: a0 (Free) Io
fffff8a00031db20 size: 30 previous size: 10 (Allocated) ObDi
fffff8a00031db50 size: 20 previous size: 30 (Allocated) ObNm
fffff8a00031db70 size: 40 previous size: 20 (Allocated) NtFs
fffff8a00031dbb0 size: 150 previous size: 40 (Allocated) NtFs
fffff8a00031dd00 size: 30 previous size: 150 (Allocated) ObNm
fffff8a00031dd30 size: 10 previous size: 30 (Free) Key
fffff8a00031dd40 size: 30 previous size: 10 (Allocated) ObNm
fffff8a00031dd70 size: 30 previous size: 30 (Allocated) ObDi
fffff8a00031dda0 size: 20 previous size: 30 (Allocated) ObNm
fffff8a00031ddc0 size: 30 previous size: 20 (Allocated) ObNm
fffff8a00031ddf0 size: 30 previous size: 30 (Allocated) ObDi
fffff8a00031de20 size: 40 previous size: 30 (Allocated) Symt
fffff8a00031de60 size: 80 previous size: 40 (Allocated) SeSd
fffff8a00031dee0 size: 10 previous size: 80 (Free) NtFs
fffff8a00031def0 size: 30 previous size: 10 (Allocated) Ntf0
fffff8a00031df20 size: 30 previous size: 30 (Allocated) ObDi
fffff8a00031df50 size: 20 previous size: 30 (Allocated) ObNm
fffff8a00031df70 size: 30 previous size: 20 (Allocated) ObDi
fffff8a00031dfa0 size: 20 previous size: 30 (Allocated) ObNm
fffff8a00031dfc0 size: 40 previous size: 20 (Allocated) MmSm

On Fri, Dec 1, 2017 at 6:29 PM, Scott Noone <xxxxx@lists.osr.com> wrote:

> Does !pool fffff8a00031d158 say anything?
>
> -scott
> OSR
> @OSRDrivers
>

Looks like someone allocated a timer out of paged pool (which would be a bad
thing).

Try this and see if you can find the tag in any of the loaded modules:

!for_each_module s -a ${@#Base} ${@#End} "ComP"

Any weird third party COM port software loaded? That’s just a guess based on
“ComP” possibly being “ComPort”…

-scott
OSR
@OSRDrivers
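The two failure modes named in this thread, Doron's point that Driver Verifier catches a driver freeing memory that is still enqueued on the timer or DPC list and Scott's finding that the timer lived in paged pool, as a host-compilable C model added here; it is not code from the thread and not the Windows API. The functions pool_alloc, timer_set, timer_cancel and pool_free are constructed stand-ins for ExAllocatePoolWithTag, KeSetTimer, KeCancelTimer and ExFreePool, and the enum check_result replaces the bugcheck with a return value so the scenarios can be run and checked in user mode.

```c
/* Host-side model (NOT kernel code) of the two mistakes in the thread:
 * a timer object in pageable memory, and an object freed while still queued.
 * pool_alloc / timer_set / timer_cancel / pool_free are constructed names that
 * mirror ExAllocatePoolWithTag / KeSetTimer / KeCancelTimer / ExFreePool. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef enum { POOL_PAGED, POOL_NONPAGED } pool_type;

/* Intrusive doubly linked list, the shape the kernel's timer tables use. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;

typedef struct model_timer {
    list_entry  entry;     /* links the timer into the pending-timer list */
    pool_type   pool;      /* where the containing allocation came from */
    const char *tag;       /* 4-char pool tag, as !pool would print it */
    int         inserted;  /* 1 while queued, like KTIMER's Inserted flag */
} model_timer;

static list_entry timer_list = { &timer_list, &timer_list };

typedef enum {
    CHECK_OK = 0,
    CHECK_TIMER_IN_PAGED_POOL,  /* what the IRQL_NOT_LESS_OR_EQUAL above meant */
    CHECK_FREED_WHILE_QUEUED    /* what Driver Verifier's timer/DPC check catches */
} check_result;

int timer_list_is_empty(void) { return timer_list.flink == &timer_list; }

static model_timer *pool_alloc(pool_type pool, const char *tag) {
    model_timer *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->pool = pool;
    t->tag = tag;
    return t;
}

/* KeSetTimer analogue. The kernel later touches this object at DISPATCH_LEVEL
 * from KiProcessExpiredTimerList, so the memory must be resident (nonpaged). */
static check_result timer_set(model_timer *t) {
    if (t->pool != POOL_NONPAGED)
        return CHECK_TIMER_IN_PAGED_POOL;
    if (!t->inserted) {
        t->entry.flink = &timer_list;
        t->entry.blink = timer_list.blink;
        timer_list.blink->flink = &t->entry;
        timer_list.blink = &t->entry;
        t->inserted = 1;
    }
    return CHECK_OK;
}

/* KeCancelTimer analogue: unlink so the list no longer points at the object. */
static int timer_cancel(model_timer *t) {
    if (!t->inserted) return 0;
    t->entry.blink->flink = t->entry.flink;
    t->entry.flink->blink = t->entry.blink;
    t->inserted = 0;
    return 1;
}

/* ExFreePool analogue with a Driver Verifier style check: refuse to release
 * memory the timer list still references. Without it the list keeps a dangling
 * pointer into the freed block, which is the crash shown in the thread. */
static check_result pool_free(model_timer *t) {
    if (t->inserted) return CHECK_FREED_WHILE_QUEUED;
    free(t);
    return CHECK_OK;
}

/* Scenario 1: the thread's bug, a timer inside a paged allocation. */
check_result scenario_paged_timer(void) {
    model_timer *t = pool_alloc(POOL_PAGED, "ComP");
    check_result r = timer_set(t);
    pool_free(t);   /* never inserted, so the free itself is accepted */
    return r;       /* CHECK_TIMER_IN_PAGED_POOL */
}

/* Scenario 2: correct pool, but the block is freed before the timer is cancelled. */
check_result scenario_free_while_queued(void) {
    model_timer *t = pool_alloc(POOL_NONPAGED, "ComP");
    timer_set(t);
    check_result r = pool_free(t);  /* CHECK_FREED_WHILE_QUEUED, nothing freed */
    timer_cancel(t);
    pool_free(t);                   /* clean up after the failed attempt */
    return r;
}

/* Scenario 3: the correct teardown order, cancel first, then free. */
check_result scenario_correct(void) {
    model_timer *t = pool_alloc(POOL_NONPAGED, "ComP");
    check_result r = timer_set(t);
    if (r != CHECK_OK) return r;
    timer_cancel(t);
    return pool_free(t);            /* CHECK_OK */
}

int main(void) {
    printf("paged timer:       %d\n", scenario_paged_timer());
    printf("free while queued: %d\n", scenario_free_while_queued());
    printf("correct teardown:  %d\n", scenario_correct());
    return 0;
}
```

In a real driver the same two rules apply: any structure that embeds a KTIMER or KDPC must come from nonpaged memory (NonPagedPoolNx), because KiProcessExpiredTimerList runs at DISPATCH_LEVEL (Arg2 = 2 in the bugcheck above) where a page fault is fatal, and teardown must be KeCancelTimer, then KeFlushQueuedDpcs if a DPC is attached, and only then the free. Driver Verifier enforces the second rule; the first one is what !pool revealed here.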

Thank you very much, Scott!! You are the god of WinDbg!
It turns out memory for our communication port was allocated from paged
pool. I didn't know that it should be allocated from nonpaged pool,
since the FltCreateCommunicationPort documentation says nothing of this sort.

Thank you again Scott ! Your help was invaluable!

On Fri, Dec 1, 2017 at 6:52 PM, Scott Noone <xxxxx@lists.osr.com> wrote:

> Looks like someone allocated a timer out of paged pool (which would be a
> bad thing).
>
> Try this and see if you can find the tag in any of the loaded modules:
>
> !for_each_module s -a ${@#Base} ${@#End} "ComP"
>
> Any weird third party COM port software loaded? That’s just a guess based
> on “ComP” possibly being “ComPort”…
>
>
> -scott
> OSR
> @OSRDrivers
>