CLASSPNP.SYS - How to find the *real* culprit ?

Hi all,

All I have is a minidump of a kernel core. CLASSPNP.SYS got the blame, but as
experience shows it's usually a driver calling CLASSPNP.SYS that is the culprit.

Can anyone suggest how to find the caller of CLASSPNP.SYS from the below details?

STACK_COMMAND: kb
FOLLOWUP_IP:
CLASSPNP! ?? ::NNGAKEGL::`string'+1209
fffffa60`013c16b9 4183ff17 cmp r15d,17h
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: CLASSPNP! ?? ::NNGAKEGL::`string'+1209
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: CLASSPNP
IMAGE_NAME: CLASSPNP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 49e02bd7
FAILURE_BUCKET_ID: X64_0x7a_c000000e_CLASSPNP!??::NNGAKEGL::string+1209
BUCKET_ID: X64_0x7a_c000000e_CLASSPNP!??::NNGAKEGL::string+1209

Reading up the stack it's clear that the nt!Pnp* system calls were the last
functions called before the panic occurred, i.e. servicing the removal of the
disk.

rax=0000000000000002 rbx=000000000fd7c860 rcx=000000000000007a
rdx=fffff6fd30009e08 rsi=fffffa60013c16b9 rdi=0000000000000001
rip=fffff80001e72490 rsp=fffffa6002332398 rbp=fffffa8020a27640
r8=ffffffffc000000e r9=000000000fd7c860 r10=fffffa8020a27670
r11=000000000000000c r12=fffff6fd30009e08 r13=fffffa8020a27580
r14=0000000000001000 r15=0000000000001000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0000 ds=002b es=002b fs=0053 gs=002b efl=00000286
nt!KeBugCheckEx:
fffff800`01e72490 48894c2408 mov qword ptr [rsp+8],rcx ss:fffffa60`023323a0=000000000000007a

Child-SP RetAddr : Args to Child : Call Site

fffffa6002332398 fffff80001e2c4e4 : 000000000000007a fffff6fd30009e08 ffffffffc000000e 000000000fd7c860 : nt!KeBugCheckEx
fffffa60023323a0 fffff80001e8b901 : fffffa8020a27580 fffffa60023324e0 fffff80001fdd240 0000000000000000 : nt! ?? ::FNODOBFM::`string'+0x1cf99
fffffa6002332460 fffff80001e88ea4 : fffffa80002f8740 0000000000000000 fffffa8018e3f720 0000000000000001 : nt!MiDispatchFault+0xac1
fffffa60023325c0 fffff80001e71019 : 0000000000000008 fffffa801c60de60 fffffa8019714000 0000000000000001 : nt!MmAccessFault+0x7f4
fffffa60023326a0 fffffa60013c16b9 : 0000000000000007 fffffa60009de165 fffffa802492cdc0 0000000000000000 : nt!KiPageFault+0x119 (TrapFrame @ fffffa60023326a0)
fffffa6002332830 fffffa60009e12e5 : fffffa8019c971b0 fffffa8019c57478 fffffa802492cc60 fffffa8019714060 : CLASSPNP! ?? ::NNGAKEGL::`string'+0x1209
fffffa60023328c0 fffff8000206d632 : fffffa802492cc60 0000000000000000 fffffa60023329c8 fffffa8019c962d0 : partmgr!PmPnp+0xe5
fffffa6002332910 fffff8000224c481 : fffffa8019714060 0000000000000000 fffffa8019717de0 0000000000000017 : nt!IopSynchronousCall+0x10a
fffffa6002332980 fffff80002248dc3 : fffffa8019717de0 fffffa8019717de0 000000000000030a 0000000000000308 : nt!IopRemoveDevice+0x101
fffffa6002332a40 fffff8000224bfb7 : fffffa8019717de0 0000000000000000 0000000000000003 fffffa6002332bc8 : nt!PnpSurpriseRemoveLockedDeviceNode+0xe3
fffffa6002332a80 fffff8000224c0e0 : 0000000000000000 fffffa8019717d00 fffff8800984aef0 fffffa6002332bc8 : nt!PnpDeleteLockedDeviceNode+0x37
fffffa6002332ab0 fffff80002250288 : 0000000000000002 0000000000000000 0000000000000003 0000000000000000 : nt!PnpDeleteLockedDeviceNodes+0xa0
fffffa6002332b20 fffff80002250dcc : fffffa6002332cf8 fffffa801e535000 fffffa8018e3f700 fffffa8000000000 : nt!PnpProcessQueryRemoveAndEject+0x6d8
fffffa6002332c70 fffff8000214fdca : 0000000000000001 fffffa801e5350b0 fffff8800e5293f0 0000000000000000 : nt!PnpProcessTargetDeviceEvent+0x4c
fffffa6002332ca0 fffff80001e798cb : fffff8000206f870 fffff8800e5293f0 fffff80001fa98f8 fffffa8018e3f720 : nt! ?? ::NNGAKEGL::`string'+0x4e537
fffffa6002332cf0 fffff8000207cf97 : fffffa801e5350b0 03df33da23de33df fffffa8018e3f720 0000000000000080 : nt!ExpWorkerThread+0xfb
fffffa6002332d50 fffff80001eaf5c6 : fffffa6001d99180 fffffa8018e3f720 fffffa6001da2d40 0000000000000000 : nt!PspSystemThreadStartup+0x57
fffffa6002332d80 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

ERROR_CODE: (NTSTATUS) 0xc000000e - A device which does not exist was specified.
DISK_HARDWARE_ERROR: There was error with disk hardware
BUGCHECK_STR: 0x7a_c000000e
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: System
CURRENT_IRQL: 0

TRAP_FRAME: fffffa60023326a0 -- (.trap 0xfffffa60023326a0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa8019c97060
rdx=fffffa60013bf5b0 rsi=0000000000000000 rdi=0000000000000000
rip=fffffa60013c16b9 rsp=fffffa6002332830 rbp=00000000c00000bb
r8=fffffa60013bf580 r9=fffffa60013bf5c0 r10=fffffa60013bcd80
r11=fffffa8019c57478 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
CLASSPNP! ?? ::NNGAKEGL::`string'+0x1209:
fffffa60`013c16b9 4183ff17 cmp r15d,17h

7: kd> .trap 0xfffffa60023326a0

NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa8019c97060
rdx=fffffa60013bf5b0 rsi=0000000000000000 rdi=0000000000000000
rip=fffffa60013c16b9 rsp=fffffa6002332830 rbp=00000000c00000bb
r8=fffffa60013bf580 r9=fffffa60013bf5c0 r10=fffffa60013bcd80
r11=fffffa8019c57478 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
CLASSPNP! ?? ::NNGAKEGL::`string'+0x1209:
fffffa60`013c16b9 4183ff17 cmp r15d,17h

7: kd> lmvm CLASSPNP

start end module name

fffffa60013a2000 fffffa60013ce000 CLASSPNP (pdb symbols) c:\symbols\classpnp.pdb\F145C80057C94C3A97110FDDDF89D23C2\classpnp.pdb

Loaded symbol image file: CLASSPNP.SYS
Mapped memory image file: c:\symbols\CLASSPNP.SYS\49E02BD72c000\CLASSPNP.SYS

Image path: CLASSPNP.SYS
Image name: CLASSPNP.SYS

Timestamp: Sat Apr 11 13:34:15 2009 (49E02BD7)
CheckSum: 00033AA3
ImageSize: 0002C000
File version: 6.0.6002.18005
Product version: 6.0.6002.18005
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0000.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft(R) Windows(R) Operating System
InternalName: Classpnp.sys
OriginalFilename: Classpnp.sys
ProductVersion: 6.0.6002.18005
FileVersion: 6.0.6002.18005 (lh_sp2rtm.090410-1830)
FileDescription: SCSI Class System Dll
LegalCopyright: (C) Microsoft Corporation. All rights reserved.

Thanks!

-Alex

The bugcheck is KERNEL_DATA_INPAGE_ERROR with an error status of
STATUS_NO_SUCH_DEVICE. This means the O/S tried to page in some kernel
memory from a paging file and received an error, which is a fatal condition.

The trap frame points us to the page fault that caused the paging read that
caused the error:

CLASSPNP! ?? ::NNGAKEGL::`string'+0x1209:
fffffa60`013c16b9 4183ff17 cmp r15d,17h

The only potential pointer dereference in that instruction is the
instruction pointer. Interesting that the debugger can resolve the address
though, as you would expect to see “???” to indicate that the RIP is bad
instead of the actual instruction. However, this is a minidump and the
debugger can get the code from the on disk image, so I suspect that’s a bit
of misdirection.

Based on the stack we can assume that this is a PnP operation, so the
instruction could be some part of ClassPnP’s PnP handler. Checking the
source in the WDK, we see that the IRP_MJ_PNP dispatch entry point is
actually ClassDispatchPnp and that it is in fact in a pageable section:

#pragma alloc_text(INIT, DriverEntry)

#pragma alloc_text(PAGE, ClassDispatchPnp)

Thus, the fact that the instruction pointer is paged out here is likely
normal and expected. However, what’s *not* expected is that an attempt to
page this back in would fail. The fact that this is a remove operation
(again based on the stack) and the error code returned was
STATUS_NO_SUCH_DEVICE makes me think that a disk containing a paging file
was removed, either physically or because it died and disappeared.

-scott
OSR
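
The triage described in the reply above can be cross-checked from the kb text alone; the following is an added example, not part of the original posts. It assumes the fixed x64 PTE base used by this Windows generation (6.0) and treats bugcheck parameter 1 as a PTE address; the frames are trimmed from the stack on this page, and the function names are illustrative.

```python
import re

PTE_BASE = 0xFFFFF68000000000  # assumption: fixed x64 PTE base (not randomized on 6.0)

# Frames trimmed from the kb output on this page (address backticks omitted).
KB = """\
fffffa6002332398 fffff80001e2c4e4 : 000000000000007a fffff6fd30009e08 ffffffffc000000e 000000000fd7c860 : nt!KeBugCheckEx
fffffa60023325c0 fffff80001e71019 : 0000000000000008 fffffa801c60de60 fffffa8019714000 0000000000000001 : nt!MmAccessFault+0x7f4
fffffa60023326a0 fffffa60013c16b9 : 0000000000000007 fffffa60009de165 fffffa802492cdc0 0000000000000000 : nt!KiPageFault+0x119 (TrapFrame @ fffffa60023326a0)
fffffa6002332830 fffffa60009e12e5 : fffffa8019c971b0 fffffa8019c57478 fffffa802492cc60 fffffa8019714060 : CLASSPNP! ?? ::NNGAKEGL::`string'+0x1209
fffffa60023328c0 fffff8000206d632 : fffffa802492cc60 0000000000000000 fffffa60023329c8 fffffa8019c962d0 : partmgr!PmPnp+0xe5
fffffa6002332910 fffff8000224c481 : fffffa8019714060 0000000000000000 fffffa8019717de0 0000000000000017 : nt!IopSynchronousCall+0x10a
"""

def parse_kb(text):
    """Return frames as dicts: ret (int), args (list of int), site (str)."""
    frames = []
    for line in text.splitlines():
        m = re.match(r"([0-9a-f`]+) ([0-9a-f`]+) : (.+?) : (.+)$", line.strip())
        if m:
            ret = int(m.group(2).replace("`", ""), 16)
            args = [int(a.replace("`", ""), 16) for a in m.group(3).split()]
            frames.append({"ret": ret, "args": args, "site": m.group(4)})
    return frames

def pte_address(va):
    """Virtual address of the PTE that maps va (4 KB pages, 8-byte PTEs)."""
    return PTE_BASE + ((va >> 9) & 0x7FFFFFFFF8)

def triage(text):
    frames = parse_kb(text)
    # First frame is KeBugCheckEx(code, param1, param2, ...).
    code, pte, status = frames[0]["args"][:3]
    trap = next(i for i, f in enumerate(frames) if "TrapFrame" in f["site"])
    fault_rip = frames[trap]["ret"]  # RetAddr of the trap frame is the faulting RIP
    return {
        "bugcheck": code,
        "status": status & 0xFFFFFFFF,
        "faulting": frames[trap + 1]["site"].split("!")[0],
        "caller": frames[trap + 2]["site"],
        # True when the page that failed to page in is the code page at RIP.
        "rip_page_is_failed_page": pte_address(fault_rip) == pte,
    }

if __name__ == "__main__":
    print(triage(KB))
```

On this dump the PTE computed for the trap-frame RIP equals bugcheck parameter 1, so the page that could not be read back is the CLASSPNP code page itself, and the frame that called into it is partmgr!PmPnp.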
