A Bugcheck

Prokash_Sinha-1 · February 24, 2005, 11:00am

I’m analyzing a bugcheck that occured on a test machine on a remote site. And it occured only once.

I’ve couple questions –

The code and the args clearly says that it is Hard disk error, so what may be an optimal point of analysis where we can almost surely say that it looks like a hard disk error. The stack look good, after trap the stack dictates that it is a page-fault to pagein (read ).
The PTE is in error and saying that in transition ( but dont understand the code there f27 ). Where can I find some of the code for this field and meaning ?
Is there an easy way to look at the vad for the vitual address at fault.

Appreciate any thoughts .

-pro

Opened log file ‘C:\crashdump\scr5152\analyze’

kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

KERNEL_DATA_INPAGE_ERROR (7a)

The requested page of kernel data could not be read in. Typically caused by

a bad block in the paging file or disk controller error. Also see

KERNEL_STACK_INPAGE_ERROR.

If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,

it means the disk subsystem has experienced a failure.

If the error status is 0xC000009A, then it means the request failed because

a filesystem failed to make forward progress.

Arguments:

Arg1: c0386888, lock type that was held (value 1,2,3, or PTE address) <<<— pte

Arg2: c0000185, error status (normally i/o status code)

Arg3: e1a22aa6, current process (virtual address for lock type 3, or PTE)

Arg4: 00f27880, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)

<<< note from bug code >>>>

0xC0000185, or STATUS_IO_DEVICE_ERROR, is caused by improper termination or defective cabling on SCSI devices,

or two devices attempting to use the same IRQ.

Resolving a defective hardware problem: If the I/O status is C0000185 and the paging file is on an SCSI disk,

the disk cabling and SCSI termination should be checked for problems.

Resolving a failing RAM problem: Run the hardware diagnostics supplied by the system manufacturer,

especially the memory scanner. For details on these procedures, see the owner’s manual for your computer.

kd> !pte c0386888

E1A22000 - PDE at C0300E18 PTE at C0386888 <<< so the arg to !pte is indeed a pte >>>

contains 02816163 contains 00F27880

pfn 2816 G-DA–KWV not valid

Transition: f27 <<< WHAT IS THIS ??? >

Protect: 4

kd> !pte 00f27880 <<<- VA at fault

00F27880 - PDE at C030000C PTE at C0003C9C <<< so the arg is not a pte >>>

contains 00D1C067 contains 00000000

pfn d1c --DA–UWV not valid

kd> !pfn 2816

PFN 00002816 at address 81502210

flink 00000000 blink / share count 0000031E pteaddress C0300E18

reference count 0001 color 0

restore pte 00000080 containing page 000030 Active M

Modified

kd> !pfn d1c

PFN 00000D1C at address 814D9AA0

flink 0000034B blink / share count 000000D9 pteaddress C030000C

reference count 0001 color 0

restore pte 00000080 containing page 000962 Active M

Modified

kd> !pte C0003C9C

00F27000 - PDE at C030000C PTE at C0003C9C

contains 00D1C067 contains 00000000

pfn d1c --DA–UWV not valid

kd> !process

PROCESS 87a38340 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 00dc

DirBase: 00962000 ObjectTable: 87a38748 TableSize: 328.

Image: AppMgrService.e

VadRoot 85e8ace8 Clone 0 Private 1178. Modified 32671. Locked 0.

DeviceMap 8149ce88

Token e2146030

ElapsedTime 15:14:29.0545

UserTime 0:19:28.0770

KernelTime 0:45:23.0786

QuotaPoolUsage[PagedPool] 32116

QuotaPoolUsage[NonPagedPool] 9148

Working Set Sizes (now,min,max) (1992, 50, 345) (7968KB, 200KB, 1380KB)

PeakWorkingSetSize 3045

VirtualSize 65 Mb

PeakVirtualSize 70 Mb

PageFaultCount 333981

MemoryPriority BACKGROUND

BasePriority 8

CommitCharge 1381

[… WAITING THREADS ARE DELETED …]

THREAD 8488dcc0 Cid 328.24c Teb: 7ffd9000 Win32Thread: 00000000 RUNNING

<<< - end note >>>

Debugging Details:

OVERLAPPED_MODULE: s3sav4

ERROR_CODE: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.

DISK_HARDWARE_ERROR: There was error with disk hardware

BUGCHECK_STR: 0x7a_c0000185

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 80518113 to 80518131

TRAP_FRAME: b94ad854 – (.trap ffffffffb94ad854)

.trap ffffffffb94ad854

ErrCode = 00000000

eax=e1a22aa4 ebx=e2164024 ecx=00000aa0 edx=e1353ca8 esi=e2164438 edi=b94ad950

eip=80518131 esp=b94ad8c8 ebp=b94ad8d0 iopl=0 nv up ei ng nz na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282

nt!CmpDoCompareKeyName+0xf:

80518131 f6400220 test byte ptr [eax+0x2],0x20 ds:0023:e1a22aa6=20

.trap

Resetting default scope

STACK_TEXT:

b94ad7ac 8043ea4a 814dcba8 c0386888 e1a22aa6 nt!MiWaitForInPageComplete+0x1c1 (FPO: [Non-Fpo])

b94ad7f0 80447eb5 00000000 e1a22aa6 c0386888 nt!MiDispatchFault+0x272 (FPO: [Non-Fpo])

b94ad83c 80466223 00000000 00000000 00000000 nt!MmAccessFault+0x67b (FPO: [Non-Fpo])

b94ad83c 80518131 00000000 00000000 00000000 nt!KiTrap0E+0xc3 (FPO: [0,0] TrapFrame @ b94ad854)

b94ad8d0 80518113 e1353ca8 b94adb18 0018caa0 nt!CmpDoCompareKeyName+0xf

b94ad8f4 80517ffd e1353ca8 b94adb18 00000104 nt!CmpCompareInIndex+0xbb

b94ad91c 80517e81 e1353ca8 000000d0 000001a0 nt!CmpFindSubKeyInLeaf+0x3f

b94ad948 805194e6 ffffffff e18d02a4 b94adb18 nt!CmpFindSubKeyByName+0x59

b94adb20 8044e60d 00000000 81498e00 b94adbd0 nt!CmpParseKey+0x528

b94adb90 804d303b 0000002c b94adc8c 00000040 nt!ObpLookupObjectName+0xe1

b94adca0 8050ef47 00000000 81498ee0 00000001 nt!ObOpenObjectByName+0xc5

b94add2c b9245490 0ae5d2ac 000f003f 0ae5d1c4 nt!NtOpenKey+0x151

b94add50 80462f14 0ae5d2ac 000f003f 0ae5d1c4 REGHOOK!RegHook::RegHookDevice::HookRegOpenKey+0x25 [C:\apps40\Applications\REGHOOK_NT\src\RegHookDev.cpp @ 1069]

b94add50 77f88647 0ae5d2ac 000f003f 0ae5d1c4 nt!KiSystemService+0xc4

0ae5d168 77df0b79 0ae5d2ac 000f003f 0ae5d1c4 ntdll!NtOpenKey+0xb

0ae5d1f4 77dd9a93 0000002c 0ae5d21c 00000000 ADVAPI32!LocalBaseRegOpenKey+0x13e

0ae5d228 005f4383 80000002 00ebf286 00000000 ADVAPI32!RegOpenKeyExW+0xf8

0ae5f6f4 005ead3a 0ae5f87c 00000000 0ae5f708 AppMgrService!AppInstallation::RegistryInstall::handleRegistryUninstall+0xa33 [C:\Native\Sources_4.0\libraries\AppInstallation\src\RegistryInstall.cpp @ 1143]

0ae5f708 00584df8 0ae5f87c ffffffff 02e83ae0 AppMgrService!AppInstallation::RegistryInstall::uninstallRegistry+0x1a [C:\Native\Sources_4.0\libraries\AppInstallation\src\RegistryInstall.cpp @ 121]

0ae5f9d8 004cf5b5 02e83be8 00e101e0 ffff0006 AppMgrService!AppInstallation::AppInstallUninsMgr::removeAppFromCache+0x888 [C:\Native\Sources_4.0\libraries\AppInstallation\src\AppInstallUninsMgr.cpp @ 556]

0ae5fb24 004583c4 00e101e0 00e101f0 ffffffff AppMgrService!Management::Application::uninstall+0x6b5 [C:\Native\Sources_4.0\libraries\Management\src\Application.cpp @ 997]

0ae5fcc0 00457e26 066dcbb8 ffff0004 00e101e0 AppMgrService!Management::Manager::deleteApplication+0x2b4 [C:\Native\Sources_4.0\libraries\Management\src\Manager.cpp @ 1589]

0ae5fe1c 00485ca1 ffff0000 00e101e0 00e101f0 AppMgrService!Management::Manager::deleteAllApplications+0x2e6 [C:\Native\Sources_4.0\libraries\Management\src\Manager.cpp @ 1519]

0ae5fe38 0048564d ffff0000 00e101e0 00e101f0 AppMgrService!Management::Manager::removeAllPackages+0x31 [C:\Native\Sources_4.0\libraries\Management\src\ManagerEngineInterfaceImp.cpp @ 343]

0ae5ff7c 0056c548 00e101c8 011df358 00130688 AppMgrService!removeAllPackagesExecutor+0x2ad [C:\Native\Sources_4.0\libraries\Management\src\ManagerEngineInterfaceImp.cpp @ 238]

0ae5ffb4 77e8b2d8 038c0958 011df358 00130688 AppMgrService!_beginthreadex+0xf4

WARNING: Stack unwind information not available. Following frames may be wrong.

0ae5ffec 00000000 0056c4bf 038c0958 00000000 KERNEL32+0xb2d8

FOLLOWUP_IP:

REGHOOK!RegHook::RegHookDevice::HookRegOpenKey+25 [C:\apps40\Applications\REGHOOK_NT\src\RegHookDev.cpp @ 1069]

b9245490 8945fc mov [ebp-0x4],eax

SYMBOL_STACK_INDEX: 8

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: REGHOOK!RegHook::RegHookDevice::HookRegOpenKey+25

MODULE_NAME: REGHOOK

IMAGE_NAME: REGHOOK.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 418803b4

STACK_COMMAND: .trap ffffffffb94ad854 ; kb

FAILURE_BUCKET_ID: 0x7a_c0000185_REGHOOK!RegHook::RegHookDevice::HookRegOpenKey+25

BUCKET_ID: 0x7a_c0000185_REGHOOK!RegHook::RegHookDevice::HookRegOpenKey+25

Followup: MachineOwner

kd> .logclose

Closing open log file C:\crashdump\scr5152\analyze

OSR_Community_User · February 24, 2005, 11:14am

The bugcheck is because a page read failed. Looking at the va or the page
bits isn’t going to help. You need to figure out why the disk read failed as
that is why you had a bugcheck.

=====================
Mark Roddy

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Prokash Sinha
Sent: Thursday, February 24, 2005 10:59 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] A Bugcheck

I’m analyzing a bugcheck that occured on a test machine on a remote site.
And it occured only once.

I’ve couple questions –

The code and the args clearly says that it is Hard disk error, so what
may be an optimal point of analysis where we can almost surely say that it
looks like a hard disk error. The stack look good, after trap the stack
dictates that it is a page-fault to pagein (read ).
The PTE is in error and saying that in transition ( but dont understand
the code there f27 ). Where can I find some of the code for this field and
meaning ?
Is there an easy way to look at the vad for the vitual address at fault.

Appreciate any thoughts .

-pro

Opened log file ‘C:\crashdump\scr5152\analyze’

kd> !analyze -v

****************************************************************************
***

*
*

* Bugcheck Analysis
*

*
*

****************************************************************************
***

KERNEL_DATA_INPAGE_ERROR (7a)

The requested page of kernel data could not be read in. Typically caused by

a bad block in the paging file or disk controller error. Also see

KERNEL_STACK_INPAGE_ERROR.

If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,

it means the disk subsystem has experienced a failure.

If the error status is 0xC000009A, then it means the request failed because

a filesystem failed to make forward progress.

Arguments:

Arg1: c0386888, lock type that was held (value 1,2,3, or PTE address)
<<<— pte

Arg2: c0000185, error status (normally i/o status code)

Arg3: e1a22aa6, current process (virtual address for lock type 3, or PTE)

Arg4: 00f27880, virtual address that could not be in-paged (or PTE contents
if arg1 is a PTE address)

<<< note from bug code >>>>

0xC0000185, or STATUS_IO_DEVICE_ERROR, is caused by improper termination or
defective cabling on SCSI devices,

or two devices attempting to use the same IRQ.

Resolving a defective hardware problem: If the I/O status is C0000185 and
the paging file is on an SCSI disk,

the disk cabling and SCSI termination should be checked for problems.

Resolving a failing RAM problem: Run the hardware diagnostics supplied by
the system manufacturer,

especially the memory scanner. For details on these procedures, see the
owner’s manual for your computer.

kd> !pte c0386888

E1A22000 - PDE at C0300E18 PTE at C0386888 <<< so the arg to !pte is
indeed a pte >>>

contains 02816163 contains 00F27880

pfn 2816 G-DA–KWV not valid

Transition: f27 <<< WHAT IS THIS ??? >

Protect: 4

kd> !pte 00f27880 <<<- VA at fault

00F27880 - PDE at C030000C PTE at C0003C9C <<< so the arg is not a
pte >>>

contains 00D1C067 contains 00000000

pfn d1c --DA–UWV not valid

kd> !pfn 2816

PFN 00002816 at address 81502210

flink 00000000 blink / share count 0000031E pteaddress C0300E18

reference count 0001 color 0

restore pte 00000080 containing page 000030 Active M

Modified

kd> !pfn d1c

PFN 00000D1C at address 814D9AA0

flink 0000034B blink / share count 000000D9 pteaddress C030000C

reference count 0001 color 0

restore pte 00000080 containing page 000962 Active M

Modified

kd> !pte C0003C9C

00F27000 - PDE at C030000C PTE at C0003C9C

contains 00D1C067 contains 00000000

pfn d1c --DA–UWV not valid

kd> !process

PROCESS 87a38340 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 00dc

DirBase: 00962000 ObjectTable: 87a38748 TableSize: 328.

Image: AppMgrService.e

VadRoot 85e8ace8 Clone 0 Private 1178. Modified 32671. Locked 0.

DeviceMap 8149ce88

Token e2146030

ElapsedTime 15:14:29.0545

UserTime 0:19:28.0770

KernelTime 0:45:23.0786

QuotaPoolUsage[PagedPool] 32116

QuotaPoolUsage[NonPagedPool] 9148

Working Set Sizes (now,min,max) (1992, 50, 345) (7968KB, 200KB, 1380KB)

PeakWorkingSetSize 3045

VirtualSize 65 Mb

PeakVirtualSize 70 Mb

PageFaultCount 333981

MemoryPriority BACKGROUND

BasePriority 8

CommitCharge 1381

[… WAITING THREADS ARE DELETED …]

THREAD 8488dcc0 Cid 328.24c Teb: 7ffd9000 Win32Thread: 00000000
RUNNING

<<< - end note >>>

Debugging Details:

OVERLAPPED_MODULE: s3sav4

ERROR_CODE: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.

DISK_HARDWARE_ERROR: There was error with disk hardware

BUGCHECK_STR: 0x7a_c0000185

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 80518113 to 80518131

TRAP_FRAME: b94ad854 – (.trap ffffffffb94ad854)

.trap ffffffffb94ad854

ErrCode = 00000000

eax=e1a22aa4 ebx=e2164024 ecx=00000aa0 edx=e1353ca8 esi=e2164438
edi=b94ad950

eip=80518131 esp=b94ad8c8 ebp=b94ad8d0 iopl=0 nv up ei ng nz na pe
nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010282

nt!CmpDoCompareKeyName+0xf:

80518131 f6400220 test byte ptr [eax+0x2],0x20
ds:0023:e1a22aa6=20

.trap

Resetting default scope

STACK_TEXT:

b94ad7ac 8043ea4a 814dcba8 c0386888 e1a22aa6
nt!MiWaitForInPageComplete+0x1c1 (FPO: [Non-Fpo])

b94ad7f0 80447eb5 00000000 e1a22aa6 c0386888 nt!MiDispatchFault+0x272 (FPO:
[Non-Fpo])

b94ad83c 80466223 00000000 00000000 00000000 nt!MmAccessFault+0x67b (FPO:
[Non-Fpo])

b94ad83c 80518131 00000000 00000000 00000000 nt!KiTrap0E+0xc3 (FPO: [0,0]
TrapFrame @ b94ad854)