Hi Mats,
Thanks for your valuable suggestions. I have just one Sr.sys on the system,
and that is the System Restore driver. As a shortcut, I first tried
disabling the System Restore feature of XP, and commented out the ExFreePool
calls in my driver just for testing. By doing this I am able to get rid
of the bug check when AutoChk.exe is running. But this brings in a new bug,
again from the file system, which is DRIVER_IRQL_NOT_LESS_OR_EQUAL when the system
is showing the welcome screen. Please take a look at the stack; it shows that
a call to nt!CcGetVirtualAddress generated the bug check. I am working on
the NOP method and buffer checking, but for the time being these are the results I have
in hand for posting.
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804f03fb, address which referenced memory
Debugging Details:
READ_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!CcGetVirtualAddress+7b
804f03fb 8b3c81 mov edi,[ecx+eax*4]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 805808d9 to 804f03fb
TRAP_FRAME: fc171960 -- (.trap fffffffffc171960)
ErrCode = 00000000
eax=00000000 ebx=810c37a8 ecx=00000000 edx=00000000 esi=00000000 edi=810c3878
eip=804f03fb esp=fc1719d4 ebp=fc1719f4 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!CcGetVirtualAddress+7b:
804f03fb 8b3c81 mov edi,[ecx+eax*4]
Resetting default context
STACK_TEXT:
fc1719f4 805808d9 000c37a8 00000000 00000000 nt!CcGetVirtualAddress+0x7b
fc171a5c fc3f6ba3 811c8028 fc171a88 00001000 nt!CcMapData+0x8b
fc171a90 fc3f66a9 811f4008 e15b4840 00000000 Fastfat!FatReadDirectoryFile+0x90
fc171b60 fc3f7317 811f4008 e15b4840 e18be608 Fastfat!FatLocateDirent+0xf0
fc171c98 fc3f6285 811f4008 8117a008 fc3f7706 Fastfat!FatQueryDirectory+0x4ab
fc171ca4 fc3f7706 811f4008 8117a008 811cb230 Fastfat!FatCommonDirectoryControl+0x3d
fc171ce8 804eca36 81250be8 8117a008 806c9190 Fastfat!FatFsdDirectoryControl+0x65
fc171cf8 8058b076 fc171d64 00f0f894 805951e4 nt!IopfCallDriver+0x31
fc171d0c 8059523f 81250be8 8117a008 810e5c40 nt!IopSynchronousServiceTail+0x5e
fc171d30 804da140 00000488 00000000 00000000 nt!NtQueryDirectoryFile+0x5b
fc171d30 7ffe0304 00000488 00000000 00000000 nt!KiSystemService+0xc4
00f0f85c 77f75fba 77e7eb29 00000488 00000000 SharedUserData!SystemCallStub+0x4
00f0f860 77e7eb29 00000488 00000000 00000000 ntdll!ZwQueryDirectoryFile+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
00f0fb54 77e7eb75 00528260 00000488 00f0fb8c kernel32!FindFirstFileExW+0x1b8
00f0fea4 00000000 00000000 00000000 00000484 kernel32!FindFirstFileW+0x13
FOLLOWUP_IP:
nt!CcGetVirtualAddress+7b
804f03fb 8b3c81 mov edi,[ecx+eax*4]
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!CcGetVirtualAddress+7b
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 3d6de35c
STACK_COMMAND: .trap fffffffffc171960 ; kb
BUCKET_ID: 0xA_nt!CcGetVirtualAddress+7b
Followup: MachineOwner
kd> .trap fffffffffc171960
ErrCode = 00000000
eax=00000000 ebx=810c37a8 ecx=00000000 edx=00000000 esi=00000000 edi=810c3878
eip=804f03fb esp=fc1719d4 ebp=fc1719f4 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!CcGetVirtualAddress+7b:
804f03fb 8b3c81 mov edi,[ecx+eax*4]
kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
fc1719f4 805808d9 000c37a8 00000000 00000000 nt!CcGetVirtualAddress+0x7b
fc171a5c fc3f6ba3 811c8028 fc171a88 00001000 nt!CcMapData+0x8b
fc171a90 fc3f66a9 811f4008 e15b4840 00000000 Fastfat!FatReadDirectoryFile+0x90
fc171b60 fc3f7317 811f4008 e15b4840 e18be608 Fastfat!FatLocateDirent+0xf0
fc171c98 fc3f6285 811f4008 8117a008 fc3f7706 Fastfat!FatQueryDirectory+0x4ab
fc171ca4 fc3f7706 811f4008 8117a008 811cb230 Fastfat!FatCommonDirectoryControl+0x3d
fc171ce8 804eca36 81250be8 8117a008 806c9190 Fastfat!FatFsdDirectoryControl+0x65
fc171cf8 8058b076 fc171d64 00f0f894 805951e4 nt!IopfCallDriver+0x31
fc171d0c 8059523f 81250be8 8117a008 810e5c40 nt!IopSynchronousServiceTail+0x5e
fc171d30 804da140 00000488 00000000 00000000 nt!NtQueryDirectoryFile+0x5b
fc171d30 7ffe0304 00000488 00000000 00000000 nt!KiSystemService+0xc4
00f0f85c 77f75fba 77e7eb29 00000488 00000000 SharedUserData!SystemCallStub+0x4
00f0f860 77e7eb29 00000488 00000000 00000000 ntdll!ZwQueryDirectoryFile+0xc
WARNING: Stack unwind information not available. Following frames may be wrong.
00f0fb54 77e7eb75 00528260 00000488 00f0fb8c kernel32!FindFirstFileExW+0x1b8
00f0fea4 00000000 00000000 00000000 00000484 kernel32!FindFirstFileW+0x13
Regards
Subodh