BSOD 0x1e What went wrong?

Hi all
I have BSOD 0x1E. I have issued the following instruction in an effort to see what went on down here. Could someone tell me what went down or at least point me in the right direction?

0: kd> dps rsp-100 rsp+100
fffff80003ef36b8 0000000000000000
fffff80003ef36c0 0000000000000000
fffff80003ef36c8 0000000000000000
fffff80003ef36d0 0000000000000000
fffff80003ef36d8 fffff8000161ebce nt!KiOpDecode+0x7e
fffff80003ef36e0 fffff80003ef3750
fffff80003ef36e8 0000000000000001
fffff80003ef36f0 0000000000000000
fffff80003ef36f8 fffff80003ef3750
fffff80003ef3700 0000000000000000
fffff80003ef3708 0000000000000000
fffff80003ef3710 00000000fffffff8
fffff80003ef3718 fffff80003ef3dc0
fffff80003ef3720 ffff9aa0aba712ab
fffff80003ef3728 fffff8000162b2ac nt!KiPreprocessFault+0x4c
fffff80003ef3730 fffff80003ef3fa0
fffff80003ef3738 0000000000000000
fffff80003ef3740 fffff80001601000 nt!PsGetCurrentThreadId (nt+0x0)
fffff80003ef3748 00000000fffffff8
fffff80003ef3750 fffff80003ef3dc0
fffff80003ef3758 fffff80003ef3fa0
fffff80003ef3760 0000000000000000
fffff80003ef3768 fffff80003ef4020
fffff80003ef3770 fffff80003ef3ef8
fffff80003ef3778 fffff80001655754 nt!KeBugCheckEx+0x104
fffff80003ef3780 fffff80001601000 nt!PsGetCurrentThreadId (nt+0x0)
fffff80003ef3788 00000000fffffff8
fffff80003ef3790 fffff80003ef3dc0
fffff80003ef3798 fffff80003ef3fa0
fffff80003ef37a0 fffffa80058b4805
fffff80003ef37a8 0000000000000000
fffff80003ef37b0 0000000000000246
fffff80003ef37b8 fffff8000162fe67 nt! ?? ::FNODOBFM::string'+0x29317
fffff80003ef37c0 000000000000001e
fffff80003ef37c8 ffffffffc000001d
fffff80003ef37d0 fffffa80058b4805
fffff80003ef37d8 0000000000000000
fffff80003ef37e0 fffffa80058b4805
fffff80003ef37e8 fffff80001601001 nt!PsGetCurrentThreadId <perf> (nt+0x1)
fffff80003ef37f0 00000000000069b4
fffff80003ef37f8 fffff8000174d894 nt!_imp_NtOpenSymbolicLinkObject+0x5c7c
fffff80003ef3800 0000000000000002
fffff80003ef3808 00000000000069ce
fffff80003ef3810 fffff80003ef6e60
fffff80003ef3818 fffff8000164e85c nt!local_unwind+0x1c
fffff80003ef3820 fffff8000174d8bc nt!_imp_NtOpenSymbolicLinkObject+0x5ca4
fffff80003ef3828 fffff800`01607a17 nt!ExpTimeRefreshDpcRoutine+0xb7

Regards,
Herbert Zimbizi
NEWTONS FORGOTTEN LAW OF COFFEE:
As soon as you sit down for a cup of hot coffee, your boss will ask you to do something which will last until the coffee is cold

"This e-mail is sent on the Terms and Conditions that can be accessed by Clicking on this link http://www.vodacom.co.za/legal/email.jsp "

You’re better off posting the !analyze -v output if you want some help.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com


Below is the output for analyze
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc000001d, The exception code that was not handled
Arg2: fffffa80058b4805, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: fffffa80058b4805, Parameter 1 of the exception

Debugging Details:

Page e11ae not present in the dump file. Type “.hh dbgerr004” for details
Page e1985 not present in the dump file. Type “.hh dbgerr004” for details
PEB is paged out (Peb.Ldr = 000007fffffd3018). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 000007fffffd3018). Type “.hh dbgerr001” for details

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.

FAULTING_IP:
+6afc952f01c1dda8
Page ed2b4 not present in the dump file. Type “.hh dbgerr004” for details
fffffa80`058b4805 ???

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: fffffa80058b4805

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x1E

PROCESS_NAME: opcmsga.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff8000162fe67 to fffff80001655650

FAILED_INSTRUCTION_ADDRESS:
+6afc952f01c1dda8
Page ed2b4 not present in the dump file. Type “.hh dbgerr004” for details
fffffa80`058b4805 ???

STACK_TEXT:
fffff80003ef37b8 fffff8000162fe67 : 000000000000001e ffffffffc000001d fffffa80058b4805 0000000000000000 : nt!KeBugCheckEx
fffff80003ef37c0 fffff800016554a9 : fffff80003ef3ef8 fffffa80058b31ff fffff80003ef3fa0 0000000000000008 : nt! ?? ::FNODOBFM::string'+0x29317
fffff80003ef3dc0 fffff800016539c3 : fffff80003ef3fa0 fffff80001b46300 0000020200186302 0000000000000000 : nt!KiExceptionDispatch+0xa9
fffff80003ef3fa0 fffffa80058b4805 : 0000000000000008 fffffa800589b367 0000000000000010 0000000000000297 : nt!KiInvalidOpcodeFault+0xc3
fffff80003ef4130 0000000000000008 : fffffa800589b367 0000000000000010 0000000000000297 fffffa800589a021 : 0xfffffa80058b4805
fffff80003ef4138 fffffa800589b367 : 0000000000000010 0000000000000297 fffffa800589a021 fffffa800589b627 : 0x8
fffff80003ef4140 0000000000000010 : 0000000000000297 fffffa800589a021 fffffa800589b627 0000000000000000 : 0xfffffa800589b367
fffff80003ef4148 0000000000000297 : fffffa800589a021 fffffa800589b627 0000000000000000 0000000000000000 : 0x10
fffff80003ef4150 fffffa800589a021 : fffffa800589b627 0000000000000000 0000000000000000 0000000000000000 : 0x297
fffff80003ef4158 fffffa800589b627 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xfffffa800589a021
fffff80003ef4160 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 fffffa80058b31ff : 0xfffffa80`0589b627

STACK_COMMAND: kb

FOLLOWUP_IP:
nt! ?? ::FNODOBFM::string'+29317
fffff8000162fe67 int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt! ?? ::FNODOBFM::`string’+29317

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 49ac93e1

FAILURE_BUCKET_ID: X64_0x1E_BAD_IP_nt!??::FNODOBFM::string+29317

BUCKET_ID: X64_0x1E_BAD_IP_nt!??::FNODOBFM::string+29317

Followup: MachineOwner

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Herbert Zimbizi
Sent: 22 July, 2009 4:01 PM
To: Kernel Debugging Interest List
Subject: [windbg] BSOD 0x1e What went wrong?


WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I can’t quite tell if your symbols aren’t right or if you’ve just trashed
your stack. If you do a !symfix then a .reload do you get a different stack?

Also, what does your driver do? I’d suspect this to be some sort of memory
corruption.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
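
Added example, not part of the original thread or any poster's code: a Python triage of the STACK_TEXT rows posted earlier in the thread. It separates frames that resolve to a module symbol from raw kernel addresses and from values that cannot be kernel return addresses, and checks whether the faulting address is the first frame outside any symbolized module. The function names and the KERNEL_BASE cutoff are assumptions of this example.

```python
import re

# STACK_TEXT rows copied from the !analyze -v output posted in this thread.
# kb layout: child-SP return-address : arg1 arg2 arg3 arg4 : call site
STACK_TEXT = """\
fffff80003ef37b8 fffff8000162fe67 : 000000000000001e ffffffffc000001d fffffa80058b4805 0000000000000000 : nt!KeBugCheckEx
fffff80003ef37c0 fffff800016554a9 : fffff80003ef3ef8 fffffa80058b31ff fffff80003ef3fa0 0000000000000008 : nt! ?? ::FNODOBFM::string'+0x29317
fffff80003ef3dc0 fffff800016539c3 : fffff80003ef3fa0 fffff80001b46300 0000020200186302 0000000000000000 : nt!KiExceptionDispatch+0xa9
fffff80003ef3fa0 fffffa80058b4805 : 0000000000000008 fffffa800589b367 0000000000000010 0000000000000297 : nt!KiInvalidOpcodeFault+0xc3
fffff80003ef4130 0000000000000008 : fffffa800589b367 0000000000000010 0000000000000297 fffffa800589a021 : 0xfffffa80058b4805
fffff80003ef4138 fffffa800589b367 : 0000000000000010 0000000000000297 fffffa800589a021 fffffa800589b627 : 0x8
fffff80003ef4140 0000000000000010 : 0000000000000297 fffffa800589a021 fffffa800589b627 0000000000000000 : 0xfffffa800589b367
fffff80003ef4148 0000000000000297 : fffffa800589a021 fffffa800589b627 0000000000000000 0000000000000000 : 0x10
fffff80003ef4150 fffffa800589a021 : fffffa800589b627 0000000000000000 0000000000000000 0000000000000000 : 0x297
fffff80003ef4158 fffffa800589b627 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xfffffa800589a021
fffff80003ef4160 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 fffffa80058b31ff : 0xfffffa80`0589b627
"""

FAULT_IP = 0xFFFFFA80058B4805      # Arg2 of the 0x1E bugcheck in the thread
KERNEL_BASE = 0xFFFF800000000000   # assumption: start of the x64 kernel half

RAW_SITE = re.compile(r"0x[0-9a-f`]+", re.IGNORECASE)


def hexval(token):
    """Parse a WinDbg hex token, tolerating the 64-bit backtick separator."""
    return int(token.replace("`", ""), 16)


def parse_stack_text(text):
    """Return one dict per kb row; lines that do not fit the layout are skipped."""
    frames = []
    for line in text.splitlines():
        parts = line.strip().split(" : ", 2)
        if len(parts) != 3:
            continue
        try:
            # Unpacking fails with ValueError unless there are exactly two tokens.
            child_sp, ret = (hexval(t) for t in parts[0].split())
        except ValueError:
            continue
        frames.append({"child_sp": child_sp, "ret": ret, "site": parts[2].strip()})
    return frames


def classify(site):
    """symbol: module!name; raw-kernel: bare kernel-half address; not-code: too low."""
    if "!" in site:
        return "symbol"
    if RAW_SITE.fullmatch(site):
        return "raw-kernel" if hexval(site) >= KERNEL_BASE else "not-code"
    return "unknown"


def triage(text, fault_ip):
    """Summarize how the debugger resolved each frame of a STACK_TEXT block."""
    frames = parse_stack_text(text)
    kinds = [classify(f["site"]) for f in frames]
    first_raw = next((i for i, k in enumerate(kinds) if k != "symbol"), None)
    fault_is_first_raw = (
        first_raw is not None
        and kinds[first_raw] == "raw-kernel"
        and hexval(frames[first_raw]["site"]) == fault_ip
    )
    return {
        "frames": len(frames),
        "symbolized": kinds.count("symbol"),
        "raw_kernel": kinds.count("raw-kernel"),
        "not_code": kinds.count("not-code"),
        "modules": sorted({f["site"].split("!")[0]
                           for f, k in zip(frames, kinds) if k == "symbol"}),
        "first_raw_index": first_raw,
        "fault_ip_is_first_raw": fault_is_first_raw,
    }


if __name__ == "__main__":
    for key, value in triage(STACK_TEXT, FAULT_IP).items():
        print(f"{key}: {value}")
```

Comparing these counts before and after `!symfix` and `.reload` shows whether reloading symbols changed how any frame resolves.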


This is not my driver. It's my server that just started dumping, initially due to an AV driver which I removed, and now it is still dumping but with a different code altogether.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: 22 July, 2009 5:31 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] BSOD 0x1e What went wrong?


I also did not respond to your earlier email. !symfix and .reload have no effect on the results. The stack always comes out the same.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: 22 July, 2009 5:31 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] BSOD 0x1e What went wrong?

I can’t quite tell if your symbols aren’t right or if you’ve just trashed
your stack. If you do a !symfix then a .reload do you get a different stack?

Also, what does your driver do? I’d suspect this to be some sort of memory
corruption.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Herbert Zimbizi” wrote in message
news:xxxxx@windbg…
Below is the output for analyze
0: kd> !analyze -v



Bugcheck Analysis



******

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc000001d, The exception code that was not handled
Arg2: fffffa80058b4805, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: fffffa80058b4805, Parameter 1 of the exception

Debugging Details:
------------------

Page e11ae not present in the dump file. Type “.hh dbgerr004” for details
Page e1985 not present in the dump file. Type “.hh dbgerr004” for details
PEB is paged out (Peb.Ldr = 000007fffffd3018). Type ".hh dbgerr001" for <br>details<br>PEB is paged out (Peb.Ldr = 000007fffffd3018). Type “.hh dbgerr001” for
details

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An
attempt was made to execute an illegal instruction.

FAULTING_IP:
+6afc952f01c1dda8
Page ed2b4 not present in the dump file. Type “.hh dbgerr004” for details
fffffa80058b4805 ???<br><br>EXCEPTION_PARAMETER1: 0000000000000000<br><br>EXCEPTION_PARAMETER2: fffffa80058b4805<br><br>DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT<br><br>BUGCHECK_STR: 0x1E<br><br>PROCESS_NAME: opcmsga.exe<br><br>CURRENT_IRQL: 2<br><br>LAST_CONTROL_TRANSFER: from fffff8000162fe67 to fffff80001655650<br><br>FAILED_INSTRUCTION_ADDRESS:<br>+6afc952f01c1dda8<br>Page ed2b4 not present in the dump file. Type ".hh dbgerr004" for details<br>fffffa80058b4805 ???

STACK_TEXT:
fffff80003ef37b8 fffff8000162fe67 : 000000000000001e ffffffffc000001d
fffffa80058b4805 0000000000000000 : nt!KeBugCheckEx
fffff80003ef37c0 fffff800016554a9 : fffff80003ef3ef8 fffffa80058b31ff
fffff80003ef3fa0 0000000000000008 : nt! ?? ::FNODOBFM::string'+0x29317<br>fffff80003ef3dc0 fffff800016539c3 : fffff80003ef3fa0 fffff80001b46300 <br>0000020200186302 0000000000000000 : nt!KiExceptionDispatch+0xa9<br>fffff80003ef3fa0 fffffa80058b4805 : 0000000000000008 fffffa800589b367 <br>0000000000000010 0000000000000297 : nt!KiInvalidOpcodeFault+0xc3<br>fffff80003ef4130 0000000000000008 : fffffa800589b367 0000000000000010 <br>0000000000000297 fffffa800589a021 : 0xfffffa80058b4805
fffff80003ef4138 fffffa800589b367 : 0000000000000010 0000000000000297
fffffa800589a021 fffffa800589b627 : 0x8
fffff80003ef4140 0000000000000010 : 0000000000000297 fffffa800589a021
fffffa800589b627 0000000000000000 : 0xfffffa800589b367<br>fffff80003ef4148 0000000000000297 : fffffa800589a021 fffffa800589b627 <br>0000000000000000 0000000000000000 : 0x10<br>fffff80003ef4150 fffffa800589a021 : fffffa800589b627 0000000000000000 <br>0000000000000000 0000000000000000 : 0x297<br>fffff80003ef4158 fffffa800589b627 : 0000000000000000 0000000000000000 <br>0000000000000000 0000000000000000 : 0xfffffa800589a021
fffff80003ef4160 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 fffffa80058b31ff : 0xfffffa800589b627<br><br>STACK_COMMAND: kb<br><br>FOLLOWUP_IP:<br>nt! ?? ::FNODOBFM::string’+29317
fffff8000162fe67 int 3<br><br>SYMBOL_STACK_INDEX: 1<br><br>SYMBOL_NAME: nt! ?? ::FNODOBFM::string’+29317

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 49ac93e1

FAILURE_BUCKET_ID: X64_0x1E_BAD_IP_nt!??::FNODOBFM::string+29317

BUCKET_ID: X64_0x1E_BAD_IP_nt!??::FNODOBFM::string+29317

Followup: MachineOwner
---------

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Herbert Zimbizi
Sent: 22 July, 2009 4:01 PM
To: Kernel Debugging Interest List
Subject: [windbg] BSOD 0x1e What went wrong?

Hi all
I have BSOD 0x1E, I have issued the following instruction in an effort to
see what went on down here. Could someone tell me what went down or at
least point me in the right direction.

0: kd> dps rsp-100 rsp+100
fffff80003ef36b8 0000000000000000
fffff80003ef36c0 0000000000000000
fffff80003ef36c8 0000000000000000
fffff80003ef36d0 0000000000000000
fffff80003ef36d8 fffff8000161ebce nt!KiOpDecode+0x7e
fffff80003ef36e0 fffff80003ef3750
fffff80003ef36e8 0000000000000001
fffff80003ef36f0 0000000000000000
fffff80003ef36f8 fffff80003ef3750
fffff80003ef3700 0000000000000000
fffff80003ef3708 0000000000000000
fffff80003ef3710 00000000fffffff8
fffff80003ef3718 fffff80003ef3dc0
fffff80003ef3720 ffff9aa0aba712ab
fffff80003ef3728 fffff8000162b2ac nt!KiPreprocessFault+0x4c
fffff80003ef3730 fffff80003ef3fa0
fffff80003ef3738 0000000000000000
fffff80003ef3740 fffff80001601000 nt!PsGetCurrentThreadId (nt+0x0)
fffff80003ef3748 00000000fffffff8
fffff80003ef3750 fffff80003ef3dc0
fffff80003ef3758 fffff80003ef3fa0
fffff80003ef3760 0000000000000000
fffff80003ef3768 fffff80003ef4020
fffff80003ef3770 fffff80003ef3ef8
fffff80003ef3778 fffff80001655754 nt!KeBugCheckEx+0x104
fffff80003ef3780 fffff80001601000 nt!PsGetCurrentThreadId (nt+0x0)
fffff80003ef3788 00000000fffffff8
fffff80003ef3790 fffff80003ef3dc0
fffff80003ef3798 fffff80003ef3fa0
fffff80003ef37a0 fffffa80058b4805
fffff80003ef37a8 0000000000000000
fffff80003ef37b0 0000000000000246
fffff80003ef37b8 fffff8000162fe67 nt! ?? ::FNODOBFM::string'+0x29317
fffff80003ef37c0 000000000000001e
fffff80003ef37c8 ffffffffc000001d
fffff80003ef37d0 fffffa80058b4805
fffff80003ef37d8 0000000000000000
fffff80003ef37e0 fffffa80058b4805
fffff80003ef37e8 fffff80001601001 nt!PsGetCurrentThreadId <perf> (nt+0x1)
fffff80003ef37f0 00000000000069b4
fffff80003ef37f8 fffff8000174d894 nt!_imp_NtOpenSymbolicLinkObject+0x5c7c
fffff80003ef3800 0000000000000002
fffff80003ef3808 00000000000069ce
fffff80003ef3810 fffff80003ef6e60
fffff80003ef3818 fffff8000164e85c nt!local_unwind+0x1c
fffff80003ef3820 fffff8000174d8bc nt!_imp_NtOpenSymbolicLinkObject+0x5ca4
fffff80003ef3828 fffff800`01607a17 nt!ExpTimeRefreshDpcRoutine+0xb7

Regards,
Herbert Zimbizi
NEWTONS FORGOTTEN LAW OF COFFEE:
As soon as you sit down for a cup of hot coffee, your boss will ask you to
do something which will last until the coffee is cold

"This e-mail is sent on the Terms and Conditions that can be accessed by
Clicking on this link http://www.vodacom.co.za/legal/email.jsp "

Yuck, that’s a tough one. The corruption doesn’t really implicate anyone. If
I’m going to stretch, I suppose I could think of some hardware issues that
might do this (I had a system once with a thermal issue that did some weird
stuff).

What package is opcmsga.exe a part of? Just because it’s the active process
doesn’t mean that it’s at fault, but it could be communicating with a
driver. You could also try !thread and see if there are any IRPs queued to
the current thread, that might point to a driver you could try disabling.

I’m reaching here though without more details or access to the dump.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
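
The stack under discussion here can be triaged mechanically. The following is an added example, not code from the thread or from OSR: it parses the STACK_TEXT frames of the !analyze -v output quoted in this thread and separates the symbolized nt frames from the raw-address ones past the invalid-opcode trap. The function names and the 0xffff800000000000 upper-half cutoff are this example's assumptions.

```python
import re

# STACK_TEXT frames from the !analyze -v output quoted in this thread, with each
# mail-wrapped frame joined onto one line:
# Child-SP RetAddr : four argument slots : call site
STACK_TEXT = """\
fffff80003ef37b8 fffff8000162fe67 : 000000000000001e ffffffffc000001d fffffa80058b4805 0000000000000000 : nt!KeBugCheckEx
fffff80003ef37c0 fffff800016554a9 : fffff80003ef3ef8 fffffa80058b31ff fffff80003ef3fa0 0000000000000008 : nt! ?? ::FNODOBFM::string'+0x29317
fffff80003ef3dc0 fffff800016539c3 : fffff80003ef3fa0 fffff80001b46300 0000020200186302 0000000000000000 : nt!KiExceptionDispatch+0xa9
fffff80003ef3fa0 fffffa80058b4805 : 0000000000000008 fffffa800589b367 0000000000000010 0000000000000297 : nt!KiInvalidOpcodeFault+0xc3
fffff80003ef4130 0000000000000008 : fffffa800589b367 0000000000000010 0000000000000297 fffffa800589a021 : 0xfffffa80058b4805
fffff80003ef4138 fffffa800589b367 : 0000000000000010 0000000000000297 fffffa800589a021 fffffa800589b627 : 0x8
fffff80003ef4140 0000000000000010 : 0000000000000297 fffffa800589a021 fffffa800589b627 0000000000000000 : 0xfffffa800589b367
fffff80003ef4148 0000000000000297 : fffffa800589a021 fffffa800589b627 0000000000000000 0000000000000000 : 0x10
fffff80003ef4150 fffffa800589a021 : fffffa800589b627 0000000000000000 0000000000000000 0000000000000000 : 0x297
fffff80003ef4158 fffffa800589b627 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xfffffa800589a021
fffff80003ef4160 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 fffffa80058b31ff : 0xfffffa800589b627
"""

KERNEL_HALF = 0xFFFF800000000000  # start of the canonical upper half on x64
FRAME_RE = re.compile(
    r"^([0-9a-f]{16}) ([0-9a-f]{16}) : (?:[0-9a-f]{16} ){4}: (.+)$")
SYMBOL_RE = re.compile(r"^\w+!")  # module!symbol, e.g. nt!KeBugCheckEx


def parse_frames(text):
    """Return one dict per frame line; lines that are not frames are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            site = m[3].strip()
            frames.append({"child_sp": int(m[1], 16), "ret_addr": int(m[2], 16),
                           "call_site": site,
                           "symbolized": bool(SYMBOL_RE.match(site))})
    return frames


def triage(frames):
    """Summarise how much of the walk is backed by symbols."""
    named = [f for f in frames if f["symbolized"]]
    raw = [f for f in frames if not f["symbolized"]]
    # A value below the upper half cannot be a kernel-mode return address.
    bogus = [hex(f["ret_addr"]) for f in frames if f["ret_addr"] < KERNEL_HALF]
    # Child-SP advancing by exactly 8 bytes per raw frame: the walk is
    # stepping through consecutive stack slots.
    steps = [b["child_sp"] - a["child_sp"] for a, b in zip(raw, raw[1:])]
    return {
        "last_symbolized": named[-1]["call_site"] if named else None,
        "first_raw_ip": int(raw[0]["call_site"], 16) if raw else None,
        "raw_frames": len(raw),
        "bogus_ret_addrs": bogus,
        "slot_by_slot": bool(steps) and all(s == 8 for s in steps),
    }


if __name__ == "__main__":
    summary = triage(parse_frames(STACK_TEXT))
    summary["first_raw_ip"] = hex(summary["first_raw_ip"])
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On this dump every frame past nt!KiInvalidOpcodeFault is a bare address and several of the listed return addresses are small integers, so the walk itself names no module other than nt.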

“Herbert Zimbizi” wrote in message
news:xxxxx@windbg…
I did not also respond to your earlier email as well. !symfix and .reload
have no effect on the results. The stack always comes out the same.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: 22 July, 2009 5:31 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] BSOD 0x1e What went wrong?

I can’t quite tell if your symbols aren’t right or if you’ve just trashed
your stack. If you do a !symfix then a .reload do you get a different stack?

Also, what does your driver do? I’d suspect this to be some sort of memory
corruption.

-scott


Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com

“Herbert Zimbizi” wrote in message
news:xxxxx@windbg…
Below is the output for analyze
0: kd> !analyze -v



Bugcheck Analysis

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc000001d, The exception code that was not handled
Arg2: fffffa80058b4805, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: fffffa80058b4805, Parameter 1 of the exception

Debugging Details:
------------------

Page e11ae not present in the dump file. Type ".hh dbgerr004" for details
Page e1985 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 000007fffffd3018). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 000007fffffd3018). Type ".hh dbgerr001" for details

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An
attempt was made to execute an illegal instruction.

FAULTING_IP:
+6afc952f01c1dda8
Page ed2b4 not present in the dump file. Type ".hh dbgerr004" for details
fffffa80058b4805 ???

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: fffffa80058b4805

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x1E

PROCESS_NAME: opcmsga.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from fffff8000162fe67 to fffff80001655650

FAILED_INSTRUCTION_ADDRESS:
+6afc952f01c1dda8
Page ed2b4 not present in the dump file. Type ".hh dbgerr004" for details
fffffa80058b4805 ???

STACK_TEXT:
fffff80003ef37b8 fffff8000162fe67 : 000000000000001e ffffffffc000001d fffffa80058b4805 0000000000000000 : nt!KeBugCheckEx
fffff80003ef37c0 fffff800016554a9 : fffff80003ef3ef8 fffffa80058b31ff fffff80003ef3fa0 0000000000000008 : nt! ?? ::FNODOBFM::string'+0x29317
fffff80003ef3dc0 fffff800016539c3 : fffff80003ef3fa0 fffff80001b46300 0000020200186302 0000000000000000 : nt!KiExceptionDispatch+0xa9
fffff80003ef3fa0 fffffa80058b4805 : 0000000000000008 fffffa800589b367 0000000000000010 0000000000000297 : nt!KiInvalidOpcodeFault+0xc3
fffff80003ef4130 0000000000000008 : fffffa800589b367 0000000000000010 0000000000000297 fffffa800589a021 : 0xfffffa80058b4805
fffff80003ef4138 fffffa800589b367 : 0000000000000010 0000000000000297 fffffa800589a021 fffffa800589b627 : 0x8
fffff80003ef4140 0000000000000010 : 0000000000000297 fffffa800589a021 fffffa800589b627 0000000000000000 : 0xfffffa800589b367
fffff80003ef4148 0000000000000297 : fffffa800589a021 fffffa800589b627 0000000000000000 0000000000000000 : 0x10
fffff80003ef4150 fffffa800589a021 : fffffa800589b627 0000000000000000 0000000000000000 0000000000000000 : 0x297
fffff80003ef4158 fffffa800589b627 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xfffffa800589a021
fffff80003ef4160 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 fffffa80058b31ff : 0xfffffa800589b627

STACK_COMMAND: kb

FOLLOWUP_IP:
nt! ?? ::FNODOBFM::string'+29317
fffff8000162fe67 int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt! ?? ::FNODOBFM::string'+29317

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 49ac93e1

FAILURE_BUCKET_ID: X64_0x1E_BAD_IP_nt!??::FNODOBFM::string+29317

BUCKET_ID: X64_0x1E_BAD_IP_nt!??::FNODOBFM::string+29317

Followup: MachineOwner
---------


Over the last few weeks, I have been looking at basically two servers, one giving 0x1e and another one giving 0xd1. Interestingly, both crash mostly when this opcmsga.exe is running. I only picked that up yesterday. Both are virtual servers. The opcmsga.exe is HP OpenView Management Center. Also, the last dump I had seemed to suggest that it had just called the (Thermal module) or something to do with Thermal. But then why only this VM? Let me check your last comments on the dump.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: 24 July, 2009 1:47 PM
To: Kernel Debugging Interest List
Subject: Re:[windbg] Re:BSOD 0x1e What went wrong?

Yuck, that’s a tough one. The corruption doesn’t really implicate anyone. If
I’m going to stretch, I suppose I could think of some hardware issues that
might do this (I had a system once with a thermal issue that did some weird
stuff).

What package is opcmsga.exe a part of? Just because it’s the active process
doesn’t mean that it’s at fault, but it could be communicating with a
driver. You could also try !thread and see if there are any IRPs queued to
the current thread, that might point to a driver you could try disabling.

I’m reaching here though without more details or access to the dump.

-scott



For what it is worth, opcmsga.exe has been seen as a name used by some viri.

Of course, so has everything else too.

mm