BugCheck subtype unknown

benji · June 27, 2024, 6:40am

Hello !

I'm currently analysing a BSOD dump, here is the !analyse -v output :

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

MEMORY_MANAGEMENT (1a)
    # Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000041791, The subtype of the bugcheck.
Arg2: ffff978001234530
Arg3: ffffe4807795c7e0
Arg4: 0000000000020001

My problem is that MSDN doesn't provide any information on this bugcheck subtype : Bug Check 0x1A MEMORY_MANAGEMENT - Windows drivers | Microsoft Learn 0x41790 and 0x41792 are defined, but not 0x41791.

0x41790	A page table page has been corrupted. On a 64-bit version of Windows, parameter 2 contains the address of the PFN for the corrupted page table page. On a 32-bit version of Windows, parameter 2 contains a pointer to the number of used PTEs, and parameter 3 contains the number of used PTEs.
0x41792	A corrupted PTE has been detected. Parameter 2 contains the address of the PTE. Parameters 3 and 4 contain the low and high parts of the PTE.

Does someone know what is this subtype supposed to mean ? Also the arguments coming with it ?
Thank you !

Scott_Noone_OSR · July 2, 2024, 2:36pm

These are usually pretty miserable to understand...

If it's not documented you'll need to figure it out from surrounding context. What's the call stack?

benji · July 4, 2024, 6:26am

Hello Scott,

Thank you for your response.

I'm having this BSOD on calling MmUnlockPages().

The context is a bit special, may be it will give you some insight.
I have a driver (cbfs from CBFS Connect | Virtual Drive Library | Callback Technologies) that catches a READ on a file, it maps the READ buffer on a valid userland address of a process, gives this address to this process, this process then give this address to another driver, and this drivers locks this buffer and maps it to a valid system address. When attempting to call MmUnlockPages(), boom this BugCheck triggers.
It does not always triggers, only when its a .exe file that is opened, so I think that the antivirus is in the loop, doing stuff on this I/O...

But in order to understand what is happening, knowing what this BugCheck subcode means would help a lot...

rod_widdowson · July 4, 2024, 8:20am

Cannot help but i had to ask.

Is the exe file just opened (as per filetest say) or is it then mapped as an image prior to being executed?

WD issues are usually easy to attribute (and hard to diagnose), just turn it off and repeat the experiment..

benji · July 4, 2024, 8:29am

Hello Rod,

The executable file is just opened, by the explorer, probably to read the icon.

system · August 3, 2024, 8:29am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.