Hello,
I am seeing a strange Win2012R2 BSOD.
We have a WFP driver to inspect inbound/outbound traffic.
However, this intermittent problem is seen only on Win2012R2, and even after applying all the correct symbols I am not able to resolve the call stack which leads to this BSOD.
RetAddr : Args to Child : Call Site
00 fffff804`00d9dba0 : 00000000`00000000 fffff804`008dce50 ffffe001`a80038ca 80000001`339f1963 : hal!HalpAcpiPmRegisterReadPort+0x1b
01 fffff804`00dbd213 : ffffe001`a7429038 fffff804`00759501 00000000`00000010 00000000`00000082 : hal!HalpAcpiPmRegisterRead+0x30
02 fffff804`007c6e01 : fffff6fb`7dbf0000 00000000`00000004 ffff0fa6`0438a724 fffff804`007c76ee : hal!HaliHaltSystem+0x53
03 fffff804`007c6a4d : fffff804`00000004 00000000`00000020 00000000`000000fc 00000000`000000fc : nt!KiBugCheckDebugBreak+0x99
04 fffff804`007513a4 : 80000001`339f1963 00000000`00000000 ffffd001`b668ee02 00000000`00000000 : nt!KeBugCheck2+0xc49
05 fffff804`006e796c : 00000000`000000fc ffffe001`a80038ca 80000001`339f1963 ffffd001`b668eef0 : nt!KeBugCheckEx+0x104
06 fffff804`007f558f : ffffd001`b668eeb0 fffff804`009b8ee9 ffffd001`b668eeb0 00000000`00000000 : nt!MI_CHECK_KERNEL_NOEXECUTE_FAULT+0x64
07 fffff804`006448c3 : 00000000`00000000 80000001`339f1963 ffffd001`b668ee89 00000000`00000000 : nt!MiRaisedIrqlFault+0x1c7
08 fffff804`0075e957 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x103
09 ffffe001`a80038ca : ffffe001`a84e7e65 b3b74bde`e4453415 ffffd001`b668f100 ffffe001`a84dd15c : nt!KiPageFault+0x317
0a ffffe001`a84e7e65 : b3b74bde`e4453415 ffffd001`b668f100 ffffe001`a84dd15c 00000000`00000001 : 0xffffe001`a80038ca
0b b3b74bde`e4453415 : ffffd001`b668f100 ffffe001`a84dd15c 00000000`00000001 ffffe001`a5864be0 : 0xffffe001`a84e7e65
0c ffffd001`b668f100 : ffffe001`a84dd15c 00000000`00000001 ffffe001`a5864be0 00000000`00000000 : 0xb3b74bde`e4453415
0d ffffe001`a84dd15c : 00000000`00000001 ffffe001`a5864be0 00000000`00000000 00000000`00000000 : 0xffffd001`b668f100
0e 00000000`00000001 : ffffe001`a5864be0 00000000`00000000 00000000`00000000 ffffd001`b668f2f8 : 0xffffe001`a84dd15c
0f ffffe001`a5864be0 : 00000000`00000000 00000000`00000000 ffffd001`b668f2f8 00000000`00000000 : 0x1
10 00000000`00000000 : 00000000`00000000 ffffd001`b668f2f8 00000000`00000000 fffff804`00922ee8 : 0xffffe001`a5864be0
According to trap frame analysis - the 0xffffe001`a80038ca is the faulting address and it has no Execute permissions.
2: kd> !pte 0xffffe001`a80038ca
VA ffffe001a80038ca
PXE at FFFFF6FB7DBEDE00    PPE at FFFFF6FB7DBC0030    PDE at FFFFF6FB78006A00    PTE at FFFFF6F000D40018
contains 000000000054D863  contains 000000000054C863  contains 000000000D7E3863  contains 80000001339F1963
pfn 54d       ---DA--KWEV  pfn 54c       ---DA--KWEV  pfn d7e3      ---DA--KWEV  pfn 1339f1    -G-DA--KW-V
This address range specified for 0xffffe001`a80038ca does not fall in the range of any loaded module. Also, when the addresses 0xffffe001`a84e7e65, 0xb3b74bde`e4453415, 0xb3b74bde`e4453415 are unassembled they seem strange, and I am not sure why instructions at 0xffffe001`a80038ca are being executed.
I don’t have access to private symbols.
Can anyone please tell me how to troubleshoot this further, I want to understand what is leading to this BSOD?
Thanks.
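
An added example, not part of the original post: a small decoder for the four page-table entries in the !pte output above, showing that only the final PTE has the no-execute bit (bit 63) set, which is why the flag column reads `-G-DA--KW-V` instead of `---DA--KWEV`. The function names are hypothetical, and the flag-letter layout is assumed to match the !pte column as quoted on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x64 paging-entry bits. Bit 9 is software-defined (copy-on-write on Windows);
   bit 7 means "large page" only in PDE/PPE entries. */
#define PTE_VALID    (1ULL << 0)
#define PTE_NX       (1ULL << 63)
#define PTE_PFN_MASK 0x000FFFFFFFFFF000ULL

uint64_t pte_pfn(uint64_t e) { return (e & PTE_PFN_MASK) >> 12; }

/* Render the flag column in the order shown by the !pte output in the post.
   Only meaningful for valid hardware entries. out must hold 12 bytes. */
void pte_flags(uint64_t e, char out[12]) {
    static const char set[] = "CGLDANT";          /* bits 9,8,7,6,5,4,3 */
    for (int i = 0; i < 7; i++)
        out[i] = ((e >> (9 - i)) & 1) ? set[i] : '-';
    out[7]  = ((e >> 2) & 1) ? 'U' : 'K';         /* owner: user or kernel */
    out[8]  = ((e >> 1) & 1) ? 'W' : 'R';         /* writable or read-only */
    out[9]  = (e & PTE_NX) ? '-' : 'E';           /* NX set => not executable */
    out[10] = (e & PTE_VALID) ? 'V' : '-';
    out[11] = '\0';
}

/* Execution needs a valid entry with NX clear at every level of the walk.
   Returns the index of the first entry that blocks execution, or -1. */
int first_nx_level(const uint64_t *walk, int n) {
    for (int i = 0; i < n; i++)
        if (!(walk[i] & PTE_VALID) || (walk[i] & PTE_NX)) return i;
    return -1;
}

int main(void) {
    /* The four "contains" values from the !pte output quoted in the post. */
    const char *name[] = { "PXE", "PPE", "PDE", "PTE" };
    const uint64_t walk[] = { 0x000000000054D863ULL, 0x000000000054C863ULL,
                              0x000000000D7E3863ULL, 0x80000001339F1963ULL };
    char f[12];
    for (int i = 0; i < 4; i++) {
        pte_flags(walk[i], f);
        printf("%s pfn %llx %s\n", name[i],
               (unsigned long long)pte_pfn(walk[i]), f);
    }
    int lvl = first_nx_level(walk, 4);
    printf("execute blocked at: %s\n", lvl < 0 ? "none" : name[lvl]);
    return 0;
}
```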