Hi All,
I am analyzing a dump with Bugcheck 7E; the following is the !analyze output:
```
0: kd> !analyze -v
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: fffff88001ff7928, Exception Record Address
Arg4: fffff88001ff7190, Context Record Address

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Execute

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on xyz-abc

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 1

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 85

    Key  : Analysis.System
    Value: CreateObject

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 7e
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: 0
BUGCHECK_P3: fffff88001ff7928
BUGCHECK_P4: fffff88001ff7190

EXCEPTION_RECORD: fffff88001ff7928 -- (.exr 0xfffff88001ff7928)
ExceptionAddress: 0000000000000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000008
   Parameter[1]: 0000000000000000
Attempt to execute non-executable address 0000000000000000

CONTEXT: fffff88001ff7190 -- (.cxr 0xfffff88001ff7190)
rax=0000000000000001 rbx=0000000000000000 rcx=fffffa800675db00
rdx=0000000000000000 rsi=fffffa8003cc6b50 rdi=fffffa800675db00
rip=0000000000000000 rsp=fffff88001ff7b68 rbp=fffff800026257f8
 r8=fffffa8003c71a38  r9=0000000000000000 r10=fffffffffffffffe
r11=fffff800025f9100 r12=fffff88008947790 r13=0000000000000001
r14=0000000000000000 r15=0000000000000001
iopl=0         nv up ei pl nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
00000000`00000000 ??              ???
Resetting default scope

PROCESS_NAME:  System

EXECUTE_ADDRESS: 0

FAILED_INSTRUCTION_ADDRESS:
+0
00000000`00000000 ??              ???

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  0000000000000008
EXCEPTION_PARAMETER2:  0000000000000000
EXCEPTION_STR:  0xc0000005
IP_IN_FREE_BLOCK: 0

STACK_TEXT:
fffff880`01ff7b68 fffff800`02460bed : fffff800`00000000 fffff800`00000001 fffffa80`03cc6b00 00000000`00000000 : 0x0
fffff880`01ff7b70 fffff800`02756e40 : 0188fd81`41fffffe fffff880`01e00180 00000000`00000080 00000000`00000001 : nt!ExpWorkerThread+0x111
fffff880`01ff7c00 fffff800`024aeaa6 : fffff880`01e00180 fffffa80`03cc6b50 fffffa80`03cc6040 00000000`00000000 : nt!PspSystemThreadStartup+0x194
fffff880`01ff7c40 00000000`00000000 : fffff880`01ff8000 fffff880`01ff2000 fffff880`01ff6d70 00000000`00000000 : nt!KiStartSystemThread+0x16

SYMBOL_NAME:  nt!KiStartSystemThread+16
MODULE_NAME: nt
IMAGE_NAME:  ntkrnlmp.exe
IMAGE_VERSION:  6.1.7601.24475
STACK_COMMAND:  .cxr 0xfffff88001ff7190 ; kb
FAILURE_BUCKET_ID:  X64_0x7E_NULL_IP_nt!KiStartSystemThread+16
OS_VERSION:  7.1.7601.24475
BUILDLAB_STR:  win7sp1_ldr
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 7
FAILURE_ID_HASH:  {5d4dd521-b722-54fe-d47f-6bbdcebd03b4}
```
```
0: kd> !thread
THREAD fffffa8003cc6b50  Cid 0004.0030  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap                 fffff8a000008aa0
Owning Process            fffffa8003c719b0       Image:         System
Attached Process          N/A            Image:         N/A
Wait Start TickCount      46589221       Ticks: 0
Context Switch Count      205578         IdealProcessor: 0
UserTime                  00:00:00.000
KernelTime                00:00:00.468
Win32 Start Address nt!ExpWorkerThread (0xfffff80002460adc)
Stack Init fffff88001ff7c70 Current fffff88001ff6d70
Base fffff88001ff8000 Limit fffff88001ff2000 Call 0000000000000000
Priority 12 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`01ff61d0 fffff800`02563744 : fffffa80`04ddfea0 fffff800`02415000 fffff800`025f9180 fffff800`025637e2 : hal!HaliHaltSystem+0x2b
fffff880`01ff6200 fffff800`02564a9c : fffff800`00000004 00000000`00000020 00000000`0000000f fffffa80`03cc6b50 : nt!KiBugCheckDebugBreak+0x84
fffff880`01ff6260 fffff800`024a8ba4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeBugCheck2+0xcfc
fffff880`01ff6930 fffff800`027badd4 : 00000000`0000007e ffffffff`c0000005 00000000`00000000 fffff880`01ff7928 : nt!KeBugCheckEx+0x104
fffff880`01ff6970 fffff800`0277352c : fffff800`02625810 fffff800`02455722 000067ee`80c3c9fb fffffa80`03cc6b50 : nt!PspUnhandledExceptionInSystemThread+0x24
fffff880`01ff69b0 fffff800`02496f98 : fffffa80`049da890 00000000`00000000 fffffa80`041e5000 00000000`00001000 : nt! ?? ::NNGAKEGL::`string'+0x216c
fffff880`01ff69e0 fffff800`024afddd : fffff800`025e55e8 fffff880`01ff7c00 00000000`00000000 fffff800`02415000 : nt!_C_specific_handler+0x8c
fffff880`01ff6a50 fffff800`02474eb5 : fffff800`025e55e8 fffff880`01ff6ac8 fffff880`01ff7928 fffff800`02415000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`01ff6a80 fffff800`0258f99e : fffff880`01ff7928 fffff880`01ff7190 fffff880`00000000 fffffa80`0675db00 : nt!RtlDispatchException+0x415
fffff880`01ff7160 fffff800`024b6f42 : fffff880`01ff7928 00000000`00000000 fffff880`01ff79d0 fffffa80`03cc6b50 : nt!KiDispatchException+0x17e
fffff880`01ff77f0 fffff800`024b4c62 : 00000000`00000008 00000000`00000000 fffffa80`03cc6b00 00000000`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`01ff79d0 00000000`00000000 : fffff800`02460bed fffff800`00000000 fffff800`00000001 fffffa80`03cc6b00 : nt!KiPageFault+0x422 (TrapFrame @ fffff880`01ff79d0)
```

Here, as we can see from the call stack, the address that was accessed is zeroed out, and I have also checked the CR2 register, which also holds a zeroed-out value. I have tried to find the nearby instruction by dumping the rsp register values, but there too I couldn't get any success. Can anyone please guide me on how to proceed?
Thanks and regards
Comments
Some code inside a worker thread called a function pointer that was null. Are you using work queue items in your driver? Are you using callbacks of some kind where you might have registered a null pointer? That's where you need to look.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
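To make the failure mode in the reply above concrete, here is an added user-mode model (not code from the thread, from OSR, or from any of the participants) of a work-queue dispatcher whose work items carry a routine pointer. If a module registers a NULL routine and the dispatcher calls it, rip becomes 0 and the fault lands exactly as in the dump: a `0x0` frame directly under the worker-thread loop, with no driver module on the stack. The fix shown is to reject the NULL registration while the queuing module is still identifiable, and to re-check at dispatch in case the routine is cleared after queuing. All names (`WORK_ITEM`, `queue_work_item`, `run_work_items`, `zero_queued_routine`) are invented for this example.

```c
/* Added example: user-mode model of a NULL work-routine crash and its guard.
 * Not kernel code; the structure and names are invented for illustration. */
#include <stddef.h>
#include <stdio.h>

typedef void (*WORK_ROUTINE)(void *context);

typedef struct _WORK_ITEM {
    WORK_ROUTINE routine;   /* the pointer the worker thread will call */
    void        *context;
    const char  *owner;     /* which module queued it; what triage needs */
} WORK_ITEM;

enum { MAX_ITEMS = 8 };
static WORK_ITEM g_queue[MAX_ITEMS];
static int       g_count;

/* Registration is the right place to catch a NULL routine: the caller's
 * module is still on the stack, so the failure is attributable.  Returns
 * 0 on success, -1 for a NULL routine (the kernel analogue would be
 * STATUS_INVALID_PARAMETER), -2 when the queue is full. */
int queue_work_item(WORK_ROUTINE routine, void *context, const char *owner)
{
    if (routine == NULL) {
        fprintf(stderr, "%s tried to queue a NULL work routine\n", owner);
        return -1;
    }
    if (g_count >= MAX_ITEMS)
        return -2;
    g_queue[g_count].routine = routine;
    g_queue[g_count].context = context;
    g_queue[g_count].owner   = owner;
    g_count++;
    return 0;
}

/* Dispatcher (the ExpWorkerThread analogue).  Without the NULL check,
 * a cleared routine pointer becomes a call to address 0: rip=0, an
 * execute-fault at 0, and a stack that shows only the worker loop.
 * Returns how many items were skipped because their routine was NULL. */
int run_work_items(void)
{
    int skipped = 0;
    for (int i = 0; i < g_count; i++) {
        if (g_queue[i].routine == NULL) {
            fprintf(stderr, "%s: work item %d has a NULL routine, skipped\n",
                    g_queue[i].owner, i);
            skipped++;
            continue;
        }
        g_queue[i].routine(g_queue[i].context);
    }
    g_count = 0;
    return skipped;
}

/* Simulates the post-queue corruption case (e.g. a module zeroing or
 * freeing its dispatch table while an item is still pending). */
void zero_queued_routine(int index)
{
    if (index >= 0 && index < g_count)
        g_queue[index].routine = NULL;
}

/* A well-behaved work routine: counts how often it ran. */
void sample_routine(void *context)
{
    (*(int *)context)++;
}

int main(void)
{
    int counter = 0;
    queue_work_item(NULL, NULL, "buggy_module");          /* rejected */
    queue_work_item(sample_routine, &counter, "good_module");
    zero_queued_routine(0);                               /* cleared late */
    printf("skipped=%d ran=%d\n", run_work_items(), counter);
    return 0;
}
```

The two checks cover the two ways a zero routine pointer reaches the worker: registered as NULL (caught at queue time, with the owner named), or cleared after queuing (caught at dispatch). In the real kernel there is no such guard in `ExpWorkerThread`, which is why the dump shows only `0x0` beneath it; the registration-time check in each module is what turns a null-rip bugcheck into an attributable error.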
Hi @Tim_Roberts, thanks for the insight. Yes, we are using work queues and callbacks in our product, and there are a number of modules involved here. Actually, I want to somehow trace into the culprit driver using the rip and rsp pointers, but as we can see rip is zeroed out, and even call-stack pointer tracing is not pointing to any driver module except nt. As you can see, I have dumped rsp up to some extent, and after that it has zero values, so I didn't go beyond that.