Actually, the kernel32 errors are normal (is that the proper term to use to describe an expected [as in “that’s the way it works”] though perhaps not quite intuitive behavior without getting flamed to death here?). These complaints happen because analyze now depends on typeinfo for kernel32, despite the fact that nobody outside of Microsoft has private symbols for kernel32.
(It would be nice if the people who wrote the public debugger extensions actually tested them with public symbols, like the rest of the real world has to use. Just maybe, a random quick thought for anyone from Microsoft who might be in a position to do something about this if they get this mail.)
Anyways, these are presumably for some extra optional step that !analyze wants to do sometimes, under unknown circumstances. Those errors will always happen when !analyze decides that it wants to do this if you are not using private symbols. The !analyze output is still good despite the kernel32 typeinfo complaints.
For the OP’s problem, however, perhaps they freed a KTIMER while the timer was still “live”, and the pool page where it lived (or other backing store) happened to become released?
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Martin O’Brien
Sent: Tuesday, August 26, 2008 4:07 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] bugcheck analysis
OK. This is officially weird. The !analyze is screwed up, but most curiously, it reads like something that !analyze is doing wants a symbol from kernel32, which is different to say the least. In any case, Doron’s already given you the same advice I would give you, but this kd session is so bizarre, let’s break down the steps.
For the moment, just to make sure your symbols are set up correctly, let’s change your .sympath to point to somewhere new:
- Close WinDbg
- Make a directory on a local drive that you wish to use for the local symbol cache. From here out, I’ll assume that it’s ‘c:\sym,’ so substitute as you need.
- Start WinDbg as you usually do
- enter these commands:
  .sympath srv*c:\sym*http://msdl.microsoft.com/download/symbols
  .symopt+ 0x80000000
- press ‘CTRL+ALT+K’ until you see something like the following in the command window:
  ‘Will breakin on first symbol load at next boot.’
- reboot the target
  .reboot
- When the debugger breaks in
  version
  vertarget
  .sympath srv*c:\sym*http://msdl.microsoft.com/download/symbols
  .symopt+ 0x80000000
  .reload -f -n
  lml
Look at the output: there should be very few modules that report either ‘no symbols’ or ‘export symbols only,’ and at a minimum, ‘nt’ and ‘hal’ must have public symbols loaded. If they do not, you might be able to figure out what’s going on by looking at diagnostic information that was displayed during load, and please post the results of the commands in step (8).
Until the ‘lml’ listing looks correct, do not proceed with anything else - it’s all a waste of time without correct symbols.
Good luck,
mm
nayan kumar wrote:
Hi Doron,
Debugger version is Windows Debugger Version 6.9.0003.113 X86
I did the changes as you said but I think the problem is still coming.
Following is the bugcheck analysis:
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: e881c6ed, memory referenced
Arg2: 0000001b, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only
on chips which support this level of status)
Arg4: 81cc28be, address which referenced memory
Debugging Details:
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
READ_ADDRESS: e881c6ed
CURRENT_IRQL: 1b
FAULTING_IP:
nt!KiInsertTimerTable+9b
81cc28be 3b48fc cmp ecx,dword ptr [eax-4]
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: svchost.exe
TRAP_FRAME: 8059dd7c -- (.trap 0xffffffff8059dd7c)
ErrCode = 00000000
eax=e881c6f1 ebx=00000000 ecx=00000004 edx=00015f94 esi=81d07b30 edi=8761d240
eip=81cc28be esp=8059ddf0 ebp=8059de10 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!KiInsertTimerTable+0x9b:
81cc28be 3b48fc cmp ecx,dword ptr [eax-4] ds:0023:e881c6ed=???
Resetting default scope
LAST_CONTROL_TRANSFER: from 81cd72d7 to 81cc2514
STACK_TEXT:
8059d93c 81cd72d7 00000003 5ae549ad 00000000 nt!RtlpBreakWithStatusInstruction
8059d98c 81cd7dbd 00000003 e881c6ed 81cc28be nt!KiBugCheckDebugBreak+0x1c
8059dd5c 81c64d84 0000000a e881c6ed 0000001b nt!KeBugCheck2+0x66d
8059dd5c 81cc28be 0000000a e881c6ed 0000001b nt!KiTrap0E+0x2ac
8059de10 81cc0c25 84ae3d30 000000fb 81d07b20 nt!KiInsertTimerTable+0x9b
8059df28 81cc0936 8059df70 8059df02 8059df78 nt!KiTimerListExpire+0x28c
8059df88 81cc0483 00000000 00000000 0001f6fa nt!KiTimerExpiration+0x2a0
8059dff4 81cbe9f5 a2ca5720 00000000 00000000 nt!KiRetireDpcList+0xba
8059dff8 a2ca5720 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x45
WARNING: Frame IP not in any known module. Following frames may be wrong.
81cbe9f5 00000000 0000001b 00c7850f bb830000 0xa2ca5720
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiInsertTimerTable+9b
81cc28be 3b48fc cmp ecx,dword ptr [eax-4]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: nt!KiInsertTimerTable+9b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4812bd71
FAILURE_BUCKET_ID: 0xA_nt!KiInsertTimerTable+9b
BUCKET_ID: 0xA_nt!KiInsertTimerTable+9b
Followup: MachineOwner
What am I doing wrong that is causing this crash?
Regards
From: xxxxx@microsoft.com
To: xxxxx@lists.osr.com
Date: Fri, 22 Aug 2008 14:58:36 -0700
Subject: RE: [ntdev] bugcheck analysis
Is your initial sympath srv*http://msdl.microsoft.com/download/symbols ? Try .symfix and reloading your symbols as well. What is the output of .version?
d
*From:* xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] *On Behalf Of *nayan kumar
*Sent:* Friday, August 22, 2008 2:54 PM
*To:* Windows System Software Devs Interest List
*Subject:* RE: [ntdev] bugcheck analysis
Hi Doron,
I installed all the symbols related to Vista and Longhorn Server, whatever is available from Microsoft, but I could not figure out why it is showing
My target system is Microsoft Vista Business.
If you know something about this kind of problem, please let me know what I should do in order to get rid of this WRONG_SYMBOL problem.
Regards
From: xxxxx@microsoft.com
To: xxxxx@lists.osr.com
Date: Fri, 22 Aug 2008 14:29:41 -0700
Subject: RE: [ntdev] bugcheck analysis
First, fix your symbols and get a coherent call stack
d
*From:* xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] *On Behalf Of *nayan kumar
*Sent:* Friday, August 22, 2008 2:06 PM
*To:* Windows System Software Devs Interest List
*Subject:* [ntdev] bugcheck analysis
Hi All,
Can anyone help me in understanding the reason for the crash that I am getting while debugging?
Following is the bugcheck analysis I am getting after issuing the !analyze -v command in WinDbg:
MODULE_NAME: nt
FAULTING_MODULE: 81c06000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4812bd71
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
fffffffd
CURRENT_IRQL: 1b
FAULTING_IP:
nt!KeSetTimerEx+26a
81cbe8be 3b48fc cmp ecx,dword ptr [eax-4]
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 81cd3dbd to 81cbe514
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
8059d98c 81cd3dbd 00000003 fffffffd 81cbe8be nt!DbgBreakPointWithStatus+0x4
8059dd5c 81c60d84 0000000a fffffffd 0000001b nt!KeBugCheckEx+0xc78
8059ddf8 81cb9da0 c1119082 00000000 000011b0 nt!Kei386EoiHelper+0x291c
8059de10 81cbcc25 81f04220 0000011b 81d03d20 nt!KeSetEvent+0x1e4
8059df28 81cbc8c0 8059df70 81cfe902 8059df78 nt!KeDelayExecutionThread+0xf49
8059df88 81cbc483 00000000 00000000 0000511a nt!KeDelayExecutionThread+0xbe4
8059dff4 81cba9f5 85362468 00000000 00000000 nt!KeDelayExecutionThread+0x7a7
8059dff8 85362468 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x45
81cba9f5 00000000 0000001b 00c7850f bb830000 0x85362468
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!KeSetTimerEx+26a
81cbe8be 3b48fc cmp ecx,dword ptr [eax-4]
SYMBOL_NAME: nt!KeSetTimerEx+26a
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntkrpamp.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
regards
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
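
Added example, not part of any message in this thread: a small Python triage of saved !analyze -v text that separates the symbol problems that make a dump untrustworthy (the WRONG_SYMBOLS markers in the first dump) from the kernel32 type-info complaint the thread describes as expected with public symbols. The function name, the result keys and the two trimmed sample dumps are constructed for illustration.

```python
import re

# Markers that appear in the !analyze -v dumps quoted in this thread.
BLOCKING = [
    (r"^(?:DEFAULT_)?BUCKET_ID:\s*WRONG_SYMBOLS", "bucket is WRONG_SYMBOLS"),
    (r"unable to get nt!\w+", "nt globals could not be read"),
    (r"Stack unwind information not available", "no stack unwind information"),
]
TYPE_REF = re.compile(r"Type referenced:\s*(\w+)!(\w+)")
FAULT_IP = re.compile(r"^FAULTING_IP:\s*\n\s*(\S+)", re.M)


def triage(text):
    """Classify symbol complaints in one !analyze -v dump (hypothetical helper)."""
    blocking = [why for rx, why in BLOCKING if re.search(rx, text, re.M)]
    benign, unreviewed = [], []
    for module, name in sorted(set(TYPE_REF.findall(text))):
        # Per the thread, kernel32 type-info complaints are expected with
        # public symbols; any other module is left for a human to judge.
        target = benign if module.lower() == "kernel32" else unreviewed
        target.append(f"{module}!{name}")
    ip = FAULT_IP.search(text)
    return {
        "usable": not blocking,
        "blocking": blocking,
        "benign": benign,
        "unreviewed": unreviewed,
        "faulting_ip": ip.group(1) if ip else None,
    }


# Constructed excerpts, trimmed from the two dumps in the thread.
FIRST_DUMP = """\
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
FAULTING_IP:
nt!KeSetTimerEx+26a
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
WARNING: Stack unwind information not available. Following frames may be wrong.
"""
SECOND_DUMP = """\
*** Type referenced: kernel32!pNlsUserInfo ***
*** Type referenced: kernel32!pNlsUserInfo ***
FAULTING_IP:
nt!KiInsertTimerTable+9b
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
"""

if __name__ == "__main__":
    for label, dump in (("first", FIRST_DUMP), ("second", SECOND_DUMP)):
        print(label, triage(dump))
```

With bad symbols the faulting address is attributed to nt!KeSetTimerEx; once symbols load it resolves to nt!KiInsertTimerTable, which is why the first dump's stack should not be read at all.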