KMODE_EXCEPTION_NOT_HANDLED with valid address

Hi All,

I am debugging one BSOD that has a kernel mode exception not handled properly. The BSOD occurred when accessing a memory location for a write operation. As per the MSDN doc, when I check Arg 4 (parameter 1), which is the problematic memory address, I see nothing wrong with that address. Indeed, the commands “dd”, “pte” and “address” show no issue with the address. Is my understanding correct? I am suspecting a memory/hardware error may be causing this issue, since the address is valid but the system got bug checked.

I would greatly appreciate it if you could provide any inputs to debug further.

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8060feb1349, The address that the exception occurred at
Arg3: fffff38e767a2e78, Parameter 0 of the exception
Arg4: fffff38e767a26b0, Parameter 1 of the exception

....
WRITE_ADDRESS:  fffff38e767a26b0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP: 
WppRecorder!WppAutoLogTrace+219
fffff806`0feb1349 0fb682dd000000  movzx   eax,byte ptr [rdx+0DDh]

EXCEPTION_PARAMETER1:  fffff38e767a2e78

EXCEPTION_PARAMETER2:  fffff38e767a26b0

BUGCHECK_STR:  0x1E_c0000005

1: kd> dd fffff38e767a26b0
fffff38e`767a26b0  a0b85870 ffffa40a 1d0a9763 fffff806
fffff38e`767a26c0  9c4cd990 ffffa40a 1d102110 fffff806
fffff38e`767a26d0  a0b858b8 ffffa40a a0b85870 ffffa40a
fffff38e`767a26e0  0010001f 00001f80 002b0010 0053002b
fffff38e`767a26f0  0018002b 00010202 00000000 00000000
fffff38e`767a2700  00000000 00000000 00000000 00000000
fffff38e`767a2710  00000000 00000000 8000130c ffffffff
fffff38e`767a2720  000009fc 00000000 767a31c8 fffff38e

1: kd> !address fffff38e767a26b0
Usage:                  Stack
Base Address:           fffff38e`7679e000
End Address:            fffff38e`767a4000
Region Size:            00000000`00006000
VA Type:                SystemRange

1: kd> !pte fffff38e767a26b0
                                           VA fffff38e767a26b0
PXE at FFFF8E472391CF38    PPE at FFFF8E47239E71C8    PDE at FFFF8E473CE39D98    PTE at FFFF8E79C73B3D10
contains 0A0000011C363863  contains 0A0000011C364863  contains 0A00000025CB2863  contains 8A00000083CBB863
pfn 11c363    ---DA--KWEV  pfn 11c364    ---DA--KWEV  pfn 25cb2     ---DA--KWEV  pfn 83cbb     ---DA--KW-V

Can you post the full !analyze -v output?

Hi Scott,

The problem occurs in the WppRecorder driver function. When I dump the trap frame, it shows an access to some invalid address causing the issue.
But I am not sure why the BSOD occurs in the WppRecorder driver, which is from Microsoft.

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8060feb1349, The address that the exception occurred at
Arg3: fffff38e767a2e78, Parameter 0 of the exception
Arg4: fffff38e767a26b0, Parameter 1 of the exception

Debugging Details:

KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 19041.1.amd64fre.vb_release.191206-1406

SYSTEM_MANUFACTURER: Dell Inc.

SYSTEM_PRODUCT_NAME: Inspiron 3420

SYSTEM_SKU: To be filled by O.E.M.

SYSTEM_VERSION: Not Specified

BIOS_VENDOR: Dell Inc.

BIOS_VERSION: A05

BIOS_DATE: 09/28/2012

BASEBOARD_MANUFACTURER: Dell Inc.

BASEBOARD_PRODUCT: 04XGDT

BASEBOARD_VERSION: A05

DUMP_TYPE: 1

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff8060feb1349

BUGCHECK_P3: fffff38e767a2e78

BUGCHECK_P4: fffff38e767a26b0

WRITE_ADDRESS: fffff38e767a26b0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP:
WppRecorder!WppAutoLogTrace+219
fffff806`0feb1349 0fb682dd000000 movzx eax,byte ptr [rdx+0DDh]

EXCEPTION_PARAMETER1: fffff38e767a2e78

EXCEPTION_PARAMETER2: fffff38e767a26b0

BUGCHECK_STR: 0x1E_c0000005

CPU_COUNT: 4

CPU_MHZ: 9be

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3a

CPU_STEPPING: 9

CPU_MICROCODE: 6,3a,9,0 (F,M,S,R) SIG: 21`00000000 (cache) 21`00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: CLW-G4B6HR2

ANALYSIS_SESSION_TIME: 03-30-2021 10:38:54.0655

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

LAST_CONTROL_TRANSFER: from fffff8060db0ed9f to fffff8060d9f5a80

STACK_TEXT:
fffff38e767a1e38 fffff8060db0ed9f : 000000000000001e ffffffffc0000005 fffff8060feb1349 fffff38e767a2e78 : nt!KeBugCheckEx
fffff38e767a1e40 fffff8060da11c86 : fffff38e767a26b0 fffff8060d903845 fffff38e767a30b0 fffff8060feb1349 : nt!KiFatalFilter+0x1f
fffff38e767a1e80 fffff8060d9cc052 : fffff80600000002 fffff8060d6d8e34 fffff38e7679e000 fffff38e767a4000 : nt!KeExpandKernelStackAndCalloutInternal$filt$0+0x16
fffff38e767a1ec0 fffff8060d9fe942 : fffff8060d6d8e34 fffff38e767a24a0 fffff8060d9cbfb0 0000000000000000 : nt!_C_specific_handler+0xa2
fffff38e767a1f30 fffff8060d92bf97 : fffff38e767a24a0 0000000000000000 fffff38e767a35e0 fffff8060d954488 : nt!RtlpExecuteHandlerForException+0x12
fffff38e767a1f60 fffff8060d92ab86 : fffff38e767a2e78 fffff38e767a2bb0 fffff38e767a2e78 0000000000000000 : nt!RtlDispatchException+0x297
fffff38e767a2680 fffff8060da07bac : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDispatchException+0x186
fffff38e767a2d40 fffff8060da038e0 : 000000000000003e 0000000000000000 ffffa40aa7be6810 fffff80610e5e23b : nt!KiExceptionDispatch+0x12c
fffff38e767a2f20 fffff8060feb1349 : 0000000000000000 0000000063467453 00000000000000a0 00000000000009a7 : nt!KiGeneralProtectionFault+0x320
fffff38e767a30b0 fffff806097a5824 : 0000000000000000 fffff806097bd4f8 0000000000000000 0000000000000000 : WppRecorder!WppAutoLogTrace+0x219
fffff38e767a3120 fffff806097a109e : ffffa40aac53d920 ffffa40aac0eaf10 0000000000000014 000000000000013a : customdrv!WPP_RECORDER_SF_XDD+0x12c
fffff38e767a31a0 fffff80610c10576 : ffffa40a968958a0 fffff806097a1010 ffffa40a96840220 fffff80610a95a2b : customdrv!StreamFlowDeletion+0x8e
fffff38e767a3210 fffff80610c10037 : 0000000000005d7f ffffa40aab11c550 0000000000000000 ffffa40a96840220 : NETIO!WfpNotifyFlowContextDelete+0x20a
fffff38e767a3290 fffff80610e5e799 : fffff38e7600ff00 ffffa40aac0eaf10 fffff38e767a33f0 ffffa40aab11c520 : NETIO!KfdAleNotifyFlowDeletion+0x1c7
fffff38e767a32f0 fffff80610e5e570 : 0000000000000000 0000000000000000 ffffa40a96ad7a00 ffffa40aaa51fa20 : tcpip!TcpCleanupTcbWorkQueueRoutine+0x149
fffff38e767a3450 fffff80610e5e2a5 : 0000000000000001 fffff38e767a36c0 fffff38e767a36c0 0000000000000000 : tcpip!TcpCloseTcb+0x2b0
fffff38e767a35b0 fffff8060d954488 : 0000000000000000 0000000000000000 0000000000000000 0000000000000001 : tcpip!TcpTlConnectionCloseEndpointCalloutRoutine+0x15
fffff38e767a35e0 fffff8060d9543fd : fffff80610e5e290 fffff38e767a36c0 ffffa40a9681a1e0 0000000000000000 : nt!KeExpandKernelStackAndCalloutInternal+0x78
fffff38e767a3650 fffff80610e75b1a : fffff38e767a3908 ffffa40aac748700 fffff38e767a3908 0000000100060000 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff38e767a3690 fffff8061cd229b9 : ffffa40a96c56ce0 0000000000000000 000000000000006a fffff8060d848cc2 : tcpip!TcpTlConnectionCloseEndpoint+0x6a
fffff38e767a3700 fffff8061cd023df : ffffa40aaa85b2b0 ffffa40aa9aa9b30 ffffa40aa9772e10 fffff8060d853131 : afd!AfdCloseConnection+0x8d
fffff38e767a3740 fffff8061cd0231e : ffffa40aaa85b2b0 0000000000000000 00000000ffff800d ffffa40aaa85b2b0 : afd!AfdCloseCore+0xaf
fffff38e767a3780 fffff8061cd1fbfb : ffffa40aac002e60 0000000000000000 fffff38e767a3a39 fffff8060d852f97 : afd!AfdClose+0x3a
fffff38e767a37b0 fffff8060d852f55 : ffffa40aac002e60 fffff38e767a3a00 0000000000000000 ffffa40aa9aa9b30 : afd!AfdDispatch+0x7b
fffff38e767a37f0 fffff8060dc00eea : fffff38e767a3a39 ffffa40aac002e60 0000000000000000 0000000000000000 : nt!IofCallDriver+0x55
fffff38e767a3830 fffff8060dbfb250 : fffff38e767a3a39 0000000000000000 ffffa40a95ec12a0 ffffa40aa9aa9b30 : nt!IopDeleteFile+0x13a
fffff38e767a38b0 fffff8060d861277 : 0000000000000000 0000000000000000 fffff38e767a3a39 ffffa40aac002e60 : nt!ObpRemoveObjectRoutine+0x80
fffff38e767a3910 fffff8060dc28cbe : ffffa40a95ec12a0 0000000000000000 ffffffff00000000 ffffa40a95ec12a0 : nt!ObfDereferenceObjectWithTag+0xc7
fffff38e767a3950 fffff8060dc2c93c : 000000000000039c 0000000000000000 0000000000000000 fffff38e767a3b80 : nt!ObCloseHandleTableEntry+0x29e
fffff38e767a3a90 fffff8060da074b8 : ffffa40a00000000 ffffa40a00000001 fffff38e767a3b80 fffff38e767a3b80 : nt!NtClose+0xec
fffff38e767a3b00 00007ff9bdeac804 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x28
000000137207f268 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff9`bdeac804

THREAD_SHA1_HASH_MOD_FUNC: 62eae1283d3274c50a747d1897548590b36fb6a9

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 1210ea6613a4655fb1dfd96c1191f658fc282959

THREAD_SHA1_HASH_MOD: bec7129f59d735b3ed8a521eeb57280e59c5cb06

FOLLOWUP_IP:
WppRecorder!WppAutoLogTrace+219
fffff806`0feb1349 0fb682dd000000 movzx eax,byte ptr [rdx+0DDh]

FAULT_INSTR_CODE: dd82b60f

SYMBOL_STACK_INDEX: 9

SYMBOL_NAME: WppRecorder!WppAutoLogTrace+219

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: WppRecorder

IMAGE_NAME: WppRecorder.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 15060d00

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 219

FAILURE_BUCKET_ID: 0x1E_c0000005_WppRecorder!WppAutoLogTrace

BUCKET_ID: 0x1E_c0000005_WppRecorder!WppAutoLogTrace

PRIMARY_PROBLEM_CLASS: 0x1E_c0000005_WppRecorder!WppAutoLogTrace

TARGET_TIME: 2021-03-26T14:18:28.000Z

OSBUILD: 19041

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 784

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 1977-03-08 15:51:50

BUILDDATESTAMP_STR: 191206-1406

BUILDLAB_STR: vb_release

BUILDOSVER_STR: 10.0.19041.1.amd64fre.vb_release.191206-1406

ANALYSIS_SESSION_ELAPSED_TIME: 1e92

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x1e_c0000005_wpprecorder!wppautologtrace

FAILURE_ID_HASH: {66a8f622-be9f-28b6-2043-e2f20ce95285}

1: kd> .trap fffff38e767a2f20
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff38e767a31c8 rbx=0000000000000000 rcx=fffff806097b94e0
rdx=0065006800730069 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8060feb1349 rsp=fffff38e767a30b0 rbp=fffff806097b94d0
 r8=0000000000000001  r9=fffff806097b94d0 r10=fffff806097bc000
r11=fffff806097b94e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
WppRecorder!WppAutoLogTrace+0x219:
fffff8060feb1349 0fb682dd000000  movzx   eax,byte ptr [rdx+0DDh] ds:00650068`00730146=??

So, the address is a stack address, but notice that, at the time the exception occurred, it was way off the end of the stack. During the exception process, the stack was extended to make additional room, but when the exception occurred, it was an invalid address. You need to look at your StreamFlowDeletion to see what you are passing to the log message. One very common cause of this is when a program calls a function that returns a pointer to a buffer on the stack. When the function returns, that stack address is no longer valid.

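As an added illustration of the check Tim describes (example code written for this page, not anything from the thread, from Microsoft or from the customdrv project), the following C program takes only numbers already quoted above (the stack region from !address, rsp and rdx from the .trap frame, and Arg4) and asks where the write address sat relative to the live stack at the moment of the fault. The constants are copied from the thread; the helper names are made up.

```c
/* Added example (not from the thread): a post-mortem check on the numbers
 * quoted above.  Constants come from the !address output, the .trap frame
 * and the bugcheck arguments in this thread; the helper names are invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From "!address fffff38e767a26b0": the thread's kernel stack region. */
#define STACK_BASE  0xfffff38e7679e000ULL   /* lowest address (the stack grows down toward it) */
#define STACK_END   0xfffff38e767a4000ULL   /* one past the highest address */

/* From the .trap frame at the time of the fault. */
#define TRAP_RSP    0xfffff38e767a30b0ULL
#define TRAP_RDX    0x0065006800730069ULL   /* base register of the faulting movzx */

/* From the bugcheck arguments: Arg4 / WRITE_ADDRESS. */
#define WRITE_ADDR  0xfffff38e767a26b0ULL

/* Where an address sits relative to the stack that was live when the trap fired. */
enum stack_pos {
    NOT_ON_STACK = 0,    /* outside the region !address reported */
    ABOVE_RSP    = 1,    /* inside the frames that were in use at the fault */
    BELOW_RSP    = 2     /* in space the stack had not yet grown into */
};

enum stack_pos classify_address(uint64_t addr, uint64_t base, uint64_t end, uint64_t rsp)
{
    if (addr < base || addr >= end)
        return NOT_ON_STACK;
    /* The x64 stack grows toward lower addresses, so anything below RSP was
     * unused at the instant of the fault; frames pushed afterwards by the
     * exception dispatcher are what make it look populated in the dump. */
    return (addr < rsp) ? BELOW_RSP : ABOVE_RSP;
}

/* How far below the live stack pointer the address was (0 if not below it). */
uint64_t distance_below_rsp(uint64_t addr, uint64_t rsp)
{
    return addr < rsp ? rsp - addr : 0;
}

/* A register whose every other byte is zero is usually UTF-16 text loaded
 * where a pointer was expected.  Decode the printable low bytes so the value
 * can be recognised; returns the number of characters written. */
size_t decode_as_utf16(uint64_t reg, char *out, size_t outlen)
{
    size_t n = 0;
    for (int i = 0; i < 4 && n + 1 < outlen; i++) {
        uint16_t cu = (uint16_t)(reg >> (16 * i));   /* little-endian code units */
        if (cu < 0x20 || cu > 0x7e)
            break;
        out[n++] = (char)cu;
    }
    out[n] = '\0';
    return n;
}

/* Convenience wrapper: does the register decode to the expected text? */
int rdx_decodes_to(uint64_t reg, const char *expected)
{
    char buf[8];
    decode_as_utf16(reg, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char text[8];
    enum stack_pos pos = classify_address(WRITE_ADDR, STACK_BASE, STACK_END, TRAP_RSP);

    printf("Arg4 is %s, 0x%llx bytes below rsp\n",
           pos == BELOW_RSP ? "below rsp" : pos == ABOVE_RSP ? "in live frames" : "off-stack",
           (unsigned long long)distance_below_rsp(WRITE_ADDR, TRAP_RSP));
    decode_as_utf16(TRAP_RDX, text, sizeof text);
    printf("rdx decodes as \"%s\"; rdx+0xDD = 0x%016llx\n",
           text, (unsigned long long)(TRAP_RDX + 0xDD));
    return 0;
}
```

Running it reports that Arg4 lies inside the region !address returned but 0xa00 bytes below the rsp of the trap frame, i.e. in space the live stack had not yet reached; in STACK_TEXT that range is occupied by the nt!KiDispatchException frame (fffff38e767a2680 up to fffff38e767a2d40), which was pushed only after the fault, so dd and !pte naturally find an ordinary, valid stack page there now. The decoder turns rdx into the text "ishe", and rdx+0xDD is exactly the ds:00650068`00730146 operand shown in the trap. That address is not canonical, which is why the CPU raised a general protection fault (nt!KiGeneralProtectionFault in the stack) rather than a page fault; a #GP does not record a faulting linear address in CR2 the way a #PF does, so the register value, not Arg4, is the thing to trace back into StreamFlowDeletion.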

Hi Tim,

Thank you for your response. Could you please clarify which address you are referring to as the stack address?

Any stack address that is returned from a called function to a calling function. A trivial example (in the real world it can be much more complex):

void func1(void);
char* func2(void);
void func3(char* pBuf);

void func1()
{
    char* pBuf;

    pBuf = func2();     // receives a pointer into func2's frame, which is already gone

    func3(pBuf);
}

char* func2()
{
    char szBuf[100];

    szBuf[0] = 'A';     // assign some value

    return szBuf;       // the bug this example shows: szBuf dies when func2 returns
}

void func3(char* pBuf)
{
    int local1;

    local1 = 123;       // corrupt the value in pBuf since it occupies the same memory in the stack

    // do more stuff and crash
}

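As an added example (written for this page, not part of Tim's reply or of any driver code), here are the same three functions arranged so the buffer outlives every call that uses it: the caller owns the storage and hands it down with its size, func2 reports how much it wrote, and func3's locals cannot alias the text because the buffer lives in func1's frame, which is still active. The payload string and the return conventions are constructed for the example.

```c
/* Added example: caller-owned buffer instead of a pointer into func2's dead
 * stack frame.  Names mirror the snippet above; nothing here is Microsoft or
 * driver code, and the payload text is a constructed sample. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* func2 fills storage the caller provides.  Returns the number of bytes
 * written (excluding the terminator), or 0 if the buffer is too small. */
size_t func2(char *buf, size_t cap)
{
    static const char payload[] = "flow deleted";   /* constructed sample text */
    if (buf == NULL || cap < sizeof payload)
        return 0;
    memcpy(buf, payload, sizeof payload);
    return sizeof payload - 1;
}

/* func3 declares its own locals freely.  It returns the first byte it was
 * handed so the caller can verify nothing was clobbered. */
char func3(const char *pBuf, size_t len)
{
    int local1 = 123;
    volatile int sink = local1;   /* "do more stuff" without being optimised away */
    (void)sink;
    return len ? pBuf[0] : '\0';
}

/* func1 owns the buffer for the whole sequence.  Returns 1 if the text
 * survived the trip through func3 intact, 0 otherwise. */
int func1(void)
{
    char szBuf[100];
    size_t n = func2(szBuf, sizeof szBuf);
    if (n == 0)
        return 0;
    return func3(szBuf, n) == 'f' && strcmp(szBuf, "flow deleted") == 0;
}

/* The size check in func2 is what keeps a short buffer from overflowing;
 * returns 1 if a too-small buffer is refused. */
int func2_rejects_short_buffer(void)
{
    char tiny[4];
    return func2(tiny, sizeof tiny) == 0;
}

int main(void)
{
    printf("buffer intact after func3: %s\n", func1() ? "yes" : "no");
    printf("short buffer refused: %s\n", func2_rejects_short_buffer() ? "yes" : "no");
    return 0;
}
```

The same rule carries over to a log call such as the one on the faulting stack: whatever pointer is handed to the trace macro must point at memory that is still owned by some active frame or by the heap at the moment the trace routine reads it.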