Hi All,
I am analyzing a dump with Bugcheck 7E; the following is the !analyze output:
```
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: fffff88001ff7928, Exception Record Address
Arg4: fffff88001ff7190, Context Record Address

Debugging Details:

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Execute

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on xyz-abc

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 1

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 85

    Key  : Analysis.System
    Value: CreateObject

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 7e
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: 0
BUGCHECK_P3: fffff88001ff7928
BUGCHECK_P4: fffff88001ff7190

EXCEPTION_RECORD: fffff88001ff7928 -- (.exr 0xfffff88001ff7928)
ExceptionAddress: 0000000000000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000008
Parameter[1]: 0000000000000000
Attempt to execute non-executable address 0000000000000000

CONTEXT: fffff88001ff7190 -- (.cxr 0xfffff88001ff7190)
rax=0000000000000001 rbx=0000000000000000 rcx=fffffa800675db00
rdx=0000000000000000 rsi=fffffa8003cc6b50 rdi=fffffa800675db00
rip=0000000000000000 rsp=fffff88001ff7b68 rbp=fffff800026257f8
r8=fffffa8003c71a38 r9=0000000000000000 r10=fffffffffffffffe
r11=fffff800025f9100 r12=fffff88008947790 r13=0000000000000001
r14=0000000000000000 r15=0000000000000001
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
00000000`00000000 ?? ???
Resetting default scope

PROCESS_NAME: System
EXECUTE_ADDRESS: 0
FAILED_INSTRUCTION_ADDRESS:
+0
00000000`00000000 ?? ???
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000008
EXCEPTION_PARAMETER2: 0000000000000000
EXCEPTION_STR: 0xc0000005
IP_IN_FREE_BLOCK: 0

STACK_TEXT:
fffff880`01ff7b68 fffff800`02460bed : fffff800`00000000 fffff800`00000001 fffffa80`03cc6b00 00000000`00000000 : 0x0
fffff880`01ff7b70 fffff800`02756e40 : 0188fd81`41fffffe fffff880`01e00180 00000000`00000080 00000000`00000001 : nt!ExpWorkerThread+0x111
fffff880`01ff7c00 fffff800`024aeaa6 : fffff880`01e00180 fffffa80`03cc6b50 fffffa80`03cc6040 00000000`00000000 : nt!PspSystemThreadStartup+0x194
fffff880`01ff7c40 00000000`00000000 : fffff880`01ff8000 fffff880`01ff2000 fffff880`01ff6d70 00000000`00000000 : nt!KiStartSystemThread+0x16

SYMBOL_NAME: nt!KiStartSystemThread+16
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 6.1.7601.24475
STACK_COMMAND: .cxr 0xfffff88001ff7190 ; kb
FAILURE_BUCKET_ID: X64_0x7E_NULL_IP_nt!KiStartSystemThread+16
OS_VERSION: 7.1.7601.24475
BUILDLAB_STR: win7sp1_ldr
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
FAILURE_ID_HASH: {5d4dd521-b722-54fe-d47f-6bbdcebd03b4}
Followup: MachineOwner
---------
```
Following thread is showing the KiPageFault:
```
0: kd> .process fffffa8003c719b0
Implicit process is now fffffa80`03c719b0
0: kd> !thread
THREAD fffffa8003cc6b50 Cid 0004.0030 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap fffff8a000008aa0
Owning Process fffffa8003c719b0 Image: System
Attached Process N/A Image: N/A
Wait Start TickCount 46589221 Ticks: 0
Context Switch Count 205578 IdealProcessor: 0
UserTime 00:00:00.000
KernelTime 00:00:00.468
Win32 Start Address nt!ExpWorkerThread (0xfffff80002460adc)
Stack Init fffff88001ff7c70 Current fffff88001ff6d70
Base fffff88001ff8000 Limit fffff88001ff2000 Call 0000000000000000
Priority 12 BasePriority 12 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`01ff61d0 fffff800`02563744 : fffffa80`04ddfea0 fffff800`02415000 fffff800`025f9180 fffff800`025637e2 : hal!HaliHaltSystem+0x2b
fffff880`01ff6200 fffff800`02564a9c : fffff800`00000004 00000000`00000020 00000000`0000000f fffffa80`03cc6b50 : nt!KiBugCheckDebugBreak+0x84
fffff880`01ff6260 fffff800`024a8ba4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeBugCheck2+0xcfc
fffff880`01ff6930 fffff800`027badd4 : 00000000`0000007e ffffffff`c0000005 00000000`00000000 fffff880`01ff7928 : nt!KeBugCheckEx+0x104
fffff880`01ff6970 fffff800`0277352c : fffff800`02625810 fffff800`02455722 000067ee`80c3c9fb fffffa80`03cc6b50 : nt!PspUnhandledExceptionInSystemThread+0x24
fffff880`01ff69b0 fffff800`02496f98 : fffffa80`049da890 00000000`00000000 fffffa80`041e5000 00000000`00001000 : nt! ?? ::NNGAKEGL::`string'+0x216c
fffff880`01ff69e0 fffff800`024afddd : fffff800`025e55e8 fffff880`01ff7c00 00000000`00000000 fffff800`02415000 : nt!_C_specific_handler+0x8c
fffff880`01ff6a50 fffff800`02474eb5 : fffff800`025e55e8 fffff880`01ff6ac8 fffff880`01ff7928 fffff800`02415000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`01ff6a80 fffff800`0258f99e : fffff880`01ff7928 fffff880`01ff7190 fffff880`00000000 fffffa80`0675db00 : nt!RtlDispatchException+0x415
fffff880`01ff7160 fffff800`024b6f42 : fffff880`01ff7928 00000000`00000000 fffff880`01ff79d0 fffffa80`03cc6b50 : nt!KiDispatchException+0x17e
fffff880`01ff77f0 fffff800`024b4c62 : 00000000`00000008 00000000`00000000 fffffa80`03cc6b00 00000000`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`01ff79d0 00000000`00000000 : fffff800`02460bed fffff800`00000000 fffff800`00000001 fffffa80`03cc6b00 : nt!KiPageFault+0x422 (TrapFrame @ fffff880`01ff79d0)
```
Here, as we can see from the call stack, the address that was accessed is zeroed out, and I have also checked the CR2 register, which has a zeroed-out value as well. I tried to find a nearby instruction by dumping the rsp register values, but couldn't get any success there either. Can anyone please guide me on how to proceed?
Thanks and regards