Hint # 1 - configure your system to take at least kernel summary dumps.
Mini-dumps contain very little useful information.

Hint # 2 - figure out what that odd driver is on the stack.

Hint # 3 - try to figure out what I/O operation was in progress.
Typically this is the second parameter to the DPC routine (cf.
IoRequestDpc in ntddk.h or ntifs.h).

I suspect your driver changed an IRP in some way that broke the
underlying driver; it is possible you have introduced a memory scribble.

Hint # 4 - make sure you are running with your driver under verifier.

Look closely at your IRP handling code. Examine the IRP in this case.
Try to figure out if it went through your driver and if it did, figure
out what you did to it while it was there.

Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of yu zhou
Sent: Friday, April 22, 2005 11:37 PM
To: ntfsd redirect
Subject: Re: [ntfsd] a bluescreen in file filter driver
I found nothing related to my file filter driver, sfilter.sys.
Please give me a hint.
The following information is from WinDbg:
Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINNT\Minidump\Mini041905-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINNT\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x8046e1b8
Debug session time: Tue Apr 19 11:29:51.943 2005 (GMT+8)
System Uptime: not available
Unable to load image ntoskrnl.exe, Win32 error 2
Loading Kernel Symbols
........................................................................
..................
Loading unloaded module list
..........
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {b8, d, 1, bff8b584}
Unable to load image atapi.sys, Win32 error 2
Probably caused by : atapi.sys ( atapi!IdePortNotification+ca )
Followup: MachineOwner
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000b8, memory referenced
Arg2: 0000000d, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: bff8b584, address which referenced memory
Debugging Details:
OVERLAPPED_MODULE: trid3d
WRITE_ADDRESS: unable to read from 80482fac
unable to read from 80482a08
unable to read from 804828e0
unable to read from 80474e00
unable to read from 804828f8
unable to read from 80482a04
unable to read from 80474e04
unable to read from 80482ac4
unable to read from 80482f80
000000b8
CURRENT_IRQL: d
FAULTING_IP:
atapi!IdePortNotification+ca
bff8b584 ?? ???
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
LAST_CONTROL_TRANSFER: from 81839328 to bff8b584
TRAP_FRAME: 80473a20 -- (.trap ffffffff80473a20)
ErrCode = 00000002
eax=000000ac ebx=80067a2c ecx=81839214 edx=00000000 esi=818390e8 edi=811a66e8
eip=bff8b584 esp=80473a94 ebp=80473a98 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
atapi!IdePortNotification+0xca:
bff8b584 ?? ???
Resetting default scope
STACK_TEXT:
80473a90 81839328 80473ad0 bff852e1 00000000 atapi!IdePortNotification+0xca
WARNING: Frame IP not in any known module. Following frames may be wrong.
80473a98 bff852e1 00000000 81839328 811a66e8 0x81839328
80473ad0 bff892d2 81839350 8184398c 0000000e atapi!AtapiInterrupt+0x659
80473ae0 804698ba 81843728 81839030 80473b02 atapi!ScsiPortInterrupt+0x14
80473ae0 80464b5b 81843728 81839030 80473b02 nt!KiInterruptDispatch+0x2a
80473b68 0000000e 00000000 00000000 00000000 nt!KiIdleLoop+0x12
FOLLOWUP_IP:
atapi!IdePortNotification+ca
bff8b584 ?? ???
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: atapi!IdePortNotification+ca
MODULE_NAME: atapi
IMAGE_NAME: atapi.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 3e89d599
STACK_COMMAND: .trap ffffffff80473a20 ; kb
FAILURE_BUCKET_ID: 0xD1_W_atapi!IdePortNotification+ca
BUCKET_ID: 0xD1_W_atapi!IdePortNotification+ca
Followup: MachineOwner
From: "Ladislav Zezula"
>Reply-To: "Windows File Systems Devs Interest List"
>To: "Windows File Systems Devs Interest List"
>Subject: Re: [ntfsd] a bluescreen in file filter driver
>Date: Fri, 22 Apr 2005 07:25:03 +0200
>
>I must create an answer-template for such mails 
>
>Welcome to the "I have a driver and it doesn't work"
>club. No one is probably able to help you if you don't
>provide more information.
>
>You've said that the OS dumps memory. Open that
>dump in WinDbg, do "!analyze -v" on that and send
>the call stack here.
>
>L.
>
>
>---
>Questions? First check the IFS FAQ at
>The NT Insider:Windows NT Virtual Memory (Part I)
>
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com
>To unsubscribe send a blank email to xxxxx@lists.osr.com
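
A triage sketch for the !analyze -v output quoted in this thread, added here as an example (it is not code from any poster or from OSR): it decodes the four 0xD1 arguments and lists which modules appear in STACK_TEXT, which shows that the filter is absent from the stack and that one frame resolves to no module. The name triage_d1, the thresholds and the rejoined sample text are assumptions of this example.

```python
import re

# Excerpt of the !analyze -v output from this thread, wrapped lines rejoined.
SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 000000b8, memory referenced
Arg2: 0000000d, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: bff8b584, address which referenced memory
STACK_TEXT:
80473a90 81839328 80473ad0 bff852e1 00000000 atapi!IdePortNotification+0xca
WARNING: Frame IP not in any known module. Following frames may be wrong.
80473a98 bff852e1 00000000 81839328 811a66e8 0x81839328
80473ad0 bff892d2 81839350 8184398c 0000000e atapi!AtapiInterrupt+0x659
80473ae0 804698ba 81843728 81839030 80473b02 atapi!ScsiPortInterrupt+0x14
80473ae0 80464b5b 81843728 81839030 80473b02 nt!KiInterruptDispatch+0x2a
80473b68 0000000e 00000000 00000000 00000000 nt!KiIdleLoop+0x12
FOLLOWUP_IP:
"""

DISPATCH_LEVEL = 2      # x86 IRQLs: 0 passive, 1 APC, 2 dispatch, 3+ device
NEAR_NULL = 0x10000     # heuristic: this low usually means NULL + field offset

# kb-style frame: ChildEBP, RetAddr, three argument words, then the symbol.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$", re.M)

def triage_d1(text, my_driver):
    """Summarise a bugcheck 0xD1 report; my_driver is e.g. 'sfilter.sys'."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-f]{8})", text, re.M)}
    frames = FRAME.findall(text)
    modules = sorted({f.split("!")[0].lower() for f in frames if "!" in f})
    mine = my_driver.lower().split(".")[0]
    return {
        "near_null": args[1] < NEAR_NULL,         # likely NULL-based access
        "offset": args[1],
        "irql": args[2],
        "device_irql": args[2] > DISPATCH_LEVEL,  # above DISPATCH_LEVEL
        "write": args[3] == 1,
        "fault_ip": args[4],
        "modules": modules,
        "unknown_frames": [f for f in frames if "!" not in f],
        "my_driver_on_stack": mine in modules,
    }

if __name__ == "__main__":
    for key, value in triage_d1(SAMPLE, "sfilter.sys").items():
        print(f"{key}: {value}")
```
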