Hi all,
I got this BSOD.
I know D1 is for “DRIVER_IRQL_NOT_LESS_OR_EQUAL”.
The 2nd parameter says the IRQL is at DISPATCH_LEVEL.
The 3rd parameter is not write and not read; is it execute?
If yes, what is the execute situation?
Karthik SG
If you have a crash dump file, does the debugger tell you anything
useful?
James
Hi,
Debugger says:-
//****************************************************************************************************//
MODULE_NAME: nt
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 498c11d3
WORKER_ROUTINE: Unable to load image \SystemRoot\system32\drivers\ks.sys,
Win32 error 0n2
*** WARNING: Unable to verify timestamp for ks.sys
*** ERROR: Module load completed but symbols could not be loaded for ks.sys
ks+18508
b5388508 ?? ???
WORK_ITEM: 88dafb2c
CURRENT_IRQL: 2
CUSTOMER_CRASH_COUNT: 4
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0xD1
LAST_CONTROL_TRANSFER: from 00000000 to 804f9f43
STACK_TEXT:
ba50bd38 00000000 b5388508 00000002 b5388508 nt+0x22f43
STACK_COMMAND: kb
FOLLOWUP_IP:
nt+22f43
804f9f43 ?? ???
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt+22f43
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntkrnlpa.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
//****************************************************************************************************************//
I am not able to figure this out.
Karthik SG
On Tue, Aug 4, 2009 at 6:30 PM, James Harper
wrote:
>
> If you have a crash dump file, does the debugger tell you anything
> useful?
>
> James
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
Make sure your symbols are correct and try to get a stack back-trace.
If nothing else, try the command:
dds esp
and
dds ebp
and try to figure out how to reconstruct the stack from a point that can be
deciphered into a backtrace.
Some call through a pointer is likely bogus. A DPC, Timer or Workitem (that
might have raised IRQL), or some such.
What does !analyze say about the situation? Please post the output from
that command if you would.
Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Karthik Gurumurthy
Sent: Tuesday, August 04, 2009 9:06 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] D1, {b5388508, 2, b5388508, 88dafb2c} what is the 3rd
parameter???
Hi,
Debugger says:-
//****************************************************************************************************//
MODULE_NAME: nt
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 498c11d3
WORKER_ROUTINE: Unable to load image \SystemRoot\system32\drivers\ks.sys,
Win32 error 0n2
*** WARNING: Unable to verify timestamp for ks.sys
*** ERROR: Module load completed but symbols could not be loaded for ks.sys
ks+18508
b5388508 ?? ???
WORK_ITEM: 88dafb2c
CURRENT_IRQL: 2
CUSTOMER_CRASH_COUNT: 4
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0xD1
LAST_CONTROL_TRANSFER: from 00000000 to 804f9f43
STACK_TEXT:
ba50bd38 00000000 b5388508 00000002 b5388508 nt+0x22f43
STACK_COMMAND: kb
FOLLOWUP_IP:
nt+22f43
804f9f43 ?? ???
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt+22f43
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntkrnlpa.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
//****************************************************************************************************************//
I am not able to figure this out.
Karthik SG
After you fix your symbols, run !analyze -v and send that output
d
Sent from my phone with no t9, all spilling mistakes are not intentional.
hi,
All the symbols are correctly loaded
Symbol path----> to the folder containing *.pdb file
Source path-----> containing my source files.
Image path------> containing *.obj and *.sys file
If I run !analyze -v on this, the result is
*******************************************************************************
MODULE_NAME: nt
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 498c11d3
WORKER_ROUTINE: Unable to load image \SystemRoot\system32\drivers\ks.sys,
Win32 error 0n2
*** WARNING: Unable to verify timestamp for ks.sys
*** ERROR: Module load completed but symbols could not be loaded for ks.sys
ks+18508
b5388508 ?? ???
WORK_ITEM: 89189ed4
CURRENT_IRQL: 2
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0xD1
LAST_CONTROL_TRANSFER: from 00000000 to 804f9f43
STACK_TEXT:
ba50bd38 00000000 b5388508 00000002 b5388508 nt+0x22f43
STACK_COMMAND: kb
FOLLOWUP_IP:
nt+22f43
804f9f43 ?? ???
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt+22f43
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntkrnlpa.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
*******************************************************************************
It says *** ERROR: Module load completed but symbols could not be loaded for
ks.sys
From where do I load the symbols of ks.sys? Is it possible?
Karthik SG
On Tue, Aug 4, 2009 at 8:10 PM, Doron Holan wrote:
> After you fix your symbols, run !analyze -v and send that output
>
> d
>
> Sent from my phone with no t9, all spilling mistakes are not intentional.
Please read the debugger documentation for the .symfix command.
Note the “wrong symbols” complaint in your output below.
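The "wrong symbols" markers pointed out above can be checked mechanically. This is an added example, not part of the original thread and not a WinDbg feature: a small Python triage pass over `!analyze -v` text. The function name `triage` and the `GOOD` sample are assumptions made for illustration; `BEFORE` and `AFTER` are lines copied from the two outputs posted in this thread.

```python
import re

FIELD = re.compile(r"^([A-Z_]+):\s*(.*)$")                # e.g. DEFAULT_BUCKET_ID: WRONG_SYMBOLS
FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)$")       # kb line: five hex dwords, then the symbol
RAW_SYMBOL = re.compile(r"^(\w+)\+0x[0-9a-f]+$")          # module+offset with no '!function' part
UNDECODED = re.compile(r"^[0-9a-f]{8}\s+\?\?\s+\?\?\?$")  # address whose bytes could not be read
NO_TIMESTAMP = re.compile(r"Unable to verify timestamp for (\S+)")
NO_SYMBOLS = re.compile(r"symbols could not be loaded for (\S+)")
UNWIND = "Stack unwind information not available"

# Sample input: lines copied from the first output posted in the thread.
BEFORE = r"""
MODULE_NAME: nt
FAULTING_MODULE: 804d7000 nt
WORKER_ROUTINE: Unable to load image \SystemRoot\system32\drivers\ks.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ks.sys
*** ERROR: Module load completed but symbols could not be loaded for ks.sys
ks+18508
b5388508 ?? ???
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0xD1
STACK_TEXT:
ba50bd38 00000000 b5388508 00000002 b5388508 nt+0x22f43
FOLLOWUP_IP:
nt+22f43
804f9f43 ?? ???
IMAGE_NAME: ntkrnlpa.exe
BUCKET_ID: WRONG_SYMBOLS
"""

# Sample input: lines copied from the output posted after the symbol path was changed.
AFTER = r"""
MODULE_NAME: ks
FAULTING_MODULE: 804d7000 nt
WORKER_ROUTINE:
ks+18508
b531d508 8bff mov edi,edi
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0xD1
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ba50bd54 b5306452 0000000a b531d508 00000002 nt+0x22f43
ba50bd7c 8053877d 87a3ed98 00000000 8a23fda8 ks+0x1452
ba50bdac 805cff70 87a3ed98 00000000 00000000 nt+0x6177d
FOLLOWUP_IP:
ks+1452
b5306452 ?? ???
IMAGE_NAME: ks.sys
BUCKET_ID: WRONG_SYMBOLS
"""

# Constructed for contrast (not from the thread): a frame that resolved to module!function.
GOOD = r"""
DEFAULT_BUCKET_ID: DRIVER_FAULT
STACK_TEXT:
ba50bd54 b5306452 0000000a b531d508 00000002 nt!KeBugCheckEx+0x1b
"""


def triage(text):
    """Collect the signs that an !analyze -v result rests on missing symbols."""
    fields, unresolved, flagged = {}, set(), set()
    undecoded, unwind_warning = 0, False
    for line in (raw.strip() for raw in text.splitlines()):
        if UNWIND in line:
            unwind_warning = True
            continue
        for pattern in (NO_TIMESTAMP, NO_SYMBOLS):
            hit = pattern.search(line)
            if hit:
                flagged.add(hit.group(1))
        if UNDECODED.match(line):
            undecoded += 1
            continue
        frame = FRAME.match(line)
        if frame:
            # A frame shown as module+0xNNN means no symbol name was resolved for it.
            raw_symbol = RAW_SYMBOL.match(frame.group(1))
            if raw_symbol:
                unresolved.add(raw_symbol.group(1))
            continue
        field = FIELD.match(line)
        if field:
            fields[field.group(1)] = field.group(2)
    bucket = fields.get("DEFAULT_BUCKET_ID")
    return {
        "bucket": bucket,
        "unresolved_modules": sorted(unresolved),
        "modules_missing_symbols": sorted(flagged),
        "undecoded_instructions": undecoded,
        "unwind_warning": unwind_warning,
        "trustworthy": bucket != "WRONG_SYMBOLS"
        and not unresolved and not flagged and not unwind_warning,
    }


if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER), ("good", GOOD)):
        print(name, triage(sample))
```

Run over the second sample, the check still fails: the ks.sys bytes are now readable, but the nt and ks frames remain bare module+offset and the bucket is still WRONG_SYMBOLS.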
Ok after fixing symbol issue this is the analyze output
*********************************************************************
MODULE_NAME: ks
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 48025c12
WORKER_ROUTINE:
ks+18508
b531d508 8bff mov edi,edi
WORK_ITEM: 879cd664
CURRENT_IRQL: 2
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0xD1
LAST_CONTROL_TRANSFER: from b5306452 to 804f9f43
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ba50bd54 b5306452 0000000a b531d508 00000002 nt+0x22f43
ba50bd7c 8053877d 87a3ed98 00000000 8a23fda8 ks+0x1452
ba50bdac 805cff70 87a3ed98 00000000 00000000 nt+0x6177d
ba50bddc 805460ee 8053868e 00000002 00000000 nt+0xf8f70
00000000 00000000 00000000 00000000 00000000 nt+0x6f0ee
STACK_COMMAND: kb
FOLLOWUP_IP:
ks+1452
b5306452 ?? ???
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: ks+1452
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ks.sys
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
***********************************************************************************
Karthik SG
On Wed, Aug 5, 2009 at 10:52 AM, Skywing wrote:
> Please read the debugger documentation for the .symfix command.
>
> Note the “wrong symbols” complaint in your output below.
>
> - S
Is ks your driver? In that case its symbols are not loaded yet. Check the
output of “lm vm ” and see if the proper pdb file is loaded for it.
-rtshiva
On Wed, Aug 5, 2009 at 12:02 PM, Karthik Gurumurthy <
xxxxx@nextbitcpu.com> wrote:
> Ok after fixing symbol issue this is the analyze output
No, my driver is different. Since it is an audio driver, it is calling
ks.sys (Kernel Streaming).
Karthik SG
On Wed, Aug 5, 2009 at 12:17 PM, sivakumar thulasimani wrote:
> Is ks your driver? In that case its symbols are not loaded yet. Check the
> output of “lm vm ” and see if the proper pdb file is loaded for it.
> -rtshiva
> On Wed, Aug 5, 2009 at 12:02 PM, Karthik Gurumurthy <
> xxxxx@nextbitcpu.com> wrote:
>
>> Ok after fixing symbol issue this is the analyze output
>>
>>
>> MODULE_NAME:
>> ks
>>
>> FAULTING_MODULE: 804d7000 nt
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP: 48025c12
>>
>> WORKER_ROUTINE:
>> ks+18508
>> b531d508 8bff mov edi,edi
>>
>> WORK_ITEM: 879cd664
>>
>> CURRENT_IRQL: 2
>>
>> CUSTOMER_CRASH_COUNT: 2
>>
>> DEFAULT_BUCKET_ID: WRONG_SYMBOLS
>>
>> BUGCHECK_STR: 0xD1
>>
>> LAST_CONTROL_TRANSFER: from b5306452 to 804f9f43
>>
>> STACK_TEXT:
>> WARNING: Stack unwind information not available. Following frames may be
>> wrong.
>> ba50bd54 b5306452 0000000a b531d508 00000002 nt+0x22f43
>> ba50bd7c 8053877d 87a3ed98 00000000 8a23fda8 ks+0x1452
>> ba50bdac 805cff70 87a3ed98 00000000 00000000 nt+0x6177d
>> ba50bddc 805460ee 8053868e 00000002 00000000 nt+0xf8f70
>> 00000000 00000000 00000000 00000000 00000000 nt+0x6f0ee
>>
>>
>> STACK_COMMAND: kb
>>
>> FOLLOWUP_IP:
>> ks+1452
>> b5306452 ?? ???
>>
>> SYMBOL_STACK_INDEX: 1
>>
>> SYMBOL_NAME: ks+1452
>>
>> FOLLOWUP_NAME: MachineOwner
>>
>> IMAGE_NAME: ks.sys
>>
>> BUCKET_ID: WRONG_SYMBOLS
>>
>> Followup: MachineOwner
>>
>>**************
>>
>>
>> Karthik SG
>>
>>
>> On Wed, Aug 5, 2009 at 10:52 AM, Skywing wrote:
>>
>>> Please read the debugger documentation for the .symfix command.
>>>
>>> Note the “wrong symbols” complaint in your output below.
>>>
>>> - S
>>>
>>> ------------------------------
>>> From: Karthik Gurumurthy
>>> Sent: Tuesday, August 04, 2009 22:18
>>>
>>> To: Windows System Software Devs Interest List
>>> Subject: Re: [ntdev] D1, {b5388508, 2, b5388508, 88dafb2c} what is the
>>> 3rd parameter???
>>>
>>> hi,
>>> All the symbols are correctly loaded
>>> Symbol path----> to the folder containing .pdb file
>>> Source path-----> containing my source files.
>>> Image path------> containing .obj and .sys file
>>>
>>> If i run the !analyze -v on this the result is
>>>
>>>
>>>
>>> MODULE_NAME: nt
>>>
>>> FAULTING_MODULE: 804d7000 nt
>>>
>>> DEBUG_FLR_IMAGE_TIMESTAMP: 498c11d3
>>>
>>> WORKER_ROUTINE: Unable to load image \SystemRoot\system32\drivers\ks.sys,
>>> Win32 error 0n2
>>> WARNING: Unable to verify timestamp for ks.sys
>>> ERROR: Module load completed but symbols could not be loaded for
>>> ks.sys
>>>
>>> ks+18508
>>> b5388508 ?? ???
>>>
>>> WORK_ITEM: 89189ed4
>>>
>>> CURRENT_IRQL: 2
>>>
>>> CUSTOMER_CRASH_COUNT: 1
>>>
>>> DEFAULT_BUCKET_ID: WRONG_SYMBOLS
>>>
>>> BUGCHECK_STR: 0xD1
>>>
>>> LAST_CONTROL_TRANSFER: from 00000000 to 804f9f43
>>>
>>> STACK_TEXT:
>>> ba50bd38 00000000 b5388508 00000002 b5388508 nt+0x22f43
>>>
>>>
>>> STACK_COMMAND: kb
>>>
>>> FOLLOWUP_IP:
>>> nt+22f43
>>> 804f9f43 ?? ???
>>>
>>> SYMBOL_STACK_INDEX: 0
>>>
>>> SYMBOL_NAME: nt+22f43
>>>
>>> FOLLOWUP_NAME: MachineOwner
>>>
>>> IMAGE_NAME: ntkrnlpa.exe
>>>
>>> BUCKET_ID: WRONG_SYMBOLS
>>>
>>> Followup: MachineOwner
>>>
>>>
>>>
>>> it says ERROR: Module load completed but symbols could not be loaded
>>> for ks.sys
>>> from where i load symbols of ks.sys? is it possible??
>>>
>>> Karthik SG
>>>
>>>
>>> On Tue, Aug 4, 2009 at 8:10 PM, Doron Holan wrote:
>>>
>>>> After you fix your symbols, run !analyze -v and send that output
>>>>
>>>> d
>>>>
>>>> Sent from my phone with no t9, all spilling mistakes are not
>>>> intentional.
>>>>
>>>> ------------------------------
>>>> From: Karthik Gurumurthy
>>>> Sent: Tuesday, August 04, 2009 6:07 AM
>>>> To: Windows System Software Devs Interest List
>>>>
>>>> Subject: Re: [ntdev] D1, {b5388508, 2, b5388508, 88dafb2c} what is the
>>>> 3rd parameter???
>>>>
>>>> Hi,
>>>> Debugger says:-
>>>>
>>>> //**********************************************************************************************//
>>>> MODULE_NAME: nt
>>>>
>>>> FAULTING_MODULE: 804d7000 nt
>>>>
>>>> DEBUG_FLR_IMAGE_TIMESTAMP: 498c11d3
>>>>
>>>> WORKER_ROUTINE: Unable to load image
>>>> \SystemRoot\system32\drivers\ks.sys, Win32 error 0n2
>>>> WARNING: Unable to verify timestamp for ks.sys
>>>> ERROR: Module load completed but symbols could not be loaded for
>>>> ks.sys
>>>>
>>>> ks+18508
>>>> b5388508 ?? ???
>>>>
>>>> WORK_ITEM: 88dafb2c
>>>>
>>>> CURRENT_IRQL: 2
>>>>
>>>> CUSTOMER_CRASH_COUNT: 4
>>>>
>>>> DEFAULT_BUCKET_ID: WRONG_SYMBOLS
>>>>
>>>> BUGCHECK_STR: 0xD1
>>>>
>>>> LAST_CONTROL_TRANSFER: from 00000000 to 804f9f43
>>>>
>>>> STACK_TEXT:
>>>> ba50bd38 00000000 b5388508 00000002 b5388508 nt+0x22f43
>>>>
>>>>
>>>> STACK_COMMAND: kb
>>>>
>>>> FOLLOWUP_IP:
>>>> nt+22f43
>>>> 804f9f43 ?? ???
>>>>
>>>> SYMBOL_STACK_INDEX: 0
>>>>
>>>> SYMBOL_NAME: nt+22f43
>>>>
>>>> FOLLOWUP_NAME: MachineOwner
>>>>
>>>> IMAGE_NAME: ntkrnlpa.exe
>>>>
>>>> BUCKET_ID: WRONG_SYMBOLS
>>>>
>>>> Followup: MachineOwner
>>>>
>>>> // **************************************************************************************************************** //
>>>>
>>>> I am not able to figure this out.
>>>>
>>>> Karthik SG
>>>>
>>>> On Tue, Aug 4, 2009 at 6:30 PM, James Harper <
>>>> xxxxx@bendigoit.com.au> wrote:
>>>>
>>>>> >
>>>>> > Hi all,
>>>>> > i got this BSOD,
>>>>> >
>>>>> > I know D1 is for “DRIVER_IRQL_NOT_LESS_OR_EQUAL”
>>>>> >
>>>>> > 2nd parameter says IRQL is at DISPATCH_LEVEL
>>>>> >
>>>>> > 3rd parameter NOT write, Not READ, is it Execute???
>>>>> >
>>>>> > if yes, what is execute situation??
>>>>> >
>>>>>
>>>>> If you have a crash dump file, does the debugger tell you anything
>>>>> useful?
>>>>>
>>>>> James
>>>>>
>Some call through a pointer is likely bogus. A DPC, Timer or Workitem (that might have raised IRQL),
>or some such.
…or KS’s virtual method.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
I have a spin lock and after getting the lock I am calling a function which
is non paged in that function RtlCopyMemory is used.
Can this be the cause for this BSOD???
On Wed, Aug 5, 2009 at 2:00 PM, Maxim S. Shatskih wrote:
> >Some call through a pointer is likely bogus. A DPC, Timer or Workitem (that might have raised IRQL),
> >or some such.
>
> …or KS’s virtual method.
>
> –
> Maxim S. Shatskih
> Windows DDK MVP
> xxxxx@storagecraft.com
> http://www.storagecraft.com
If the following output is what you get as part of stack trace still, then
it hasn't loaded the correct symbol files yet.
ba50bd54 b5306452 0000000a b531d508 00000002 nt+0x22f43
ba50bd7c 8053877d 87a3ed98 00000000 8a23fda8 ks+0x1452
ba50bdac 805cff70 87a3ed98 00000000 00000000 nt+0x6177d
ba50bddc 805460ee 8053868e 00000002 00000000 nt+0xf8f70
00000000 00000000 00000000 00000000 00000000 nt+0x6f0ee
It should be more like “nt!KiThreadStartup+0x16” or
“ks!WorkerThread+0x70” in the stack. Check the symbols for both nt and ks.
-rtshiva
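The check described in the message above (frames printed as module+offset rather than module!Function+offset mean the symbols are not loaded) can be run over saved debugger output. This Python script is an added example, not part of the thread; the name symbol_triage and the result keys are assumptions, and the sample lines are copied from the output posted in this thread.

```python
import re

# A frame printed as module+offset ("nt+0x22f43", "ks+18508") has no symbol name.
UNRESOLVED = re.compile(r"(?<![\w!])([A-Za-z_]\w*)\+(?:0x)?[0-9a-fA-F]+\b")
# A resolved frame names a function: "nt!KiThreadStartup+0x16".
RESOLVED = re.compile(r"(?<![\w!])([A-Za-z_]\w*)!\w+")
# Loader complaint; the module name may wrap onto the next line.
LOAD_ERROR = re.compile(r"symbols could not be loaded for\s+([\w.]+)")
BUCKET = re.compile(r"^(?:DEFAULT_)?BUCKET_ID:\s*WRONG_SYMBOLS\s*$", re.M)

# Lines copied from the !analyze -v output and stack trace posted in this thread.
THREAD_OUTPUT = r"""
WARNING: Unable to verify timestamp for ks.sys
ERROR: Module load completed but symbols could not be loaded for
ks.sys
ks+18508
b5388508 ?? ???
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
STACK_TEXT:
ba50bd54 b5306452 0000000a b531d508 00000002 nt+0x22f43
ba50bd7c 8053877d 87a3ed98 00000000 8a23fda8 ks+0x1452
ba50bdac 805cff70 87a3ed98 00000000 00000000 nt+0x6177d
"""

def symbol_triage(output):
    """Summarise symbol problems found in saved debugger output."""
    unresolved = {m.group(1).lower() for m in UNRESOLVED.finditer(output)}
    # "ks.sys" in the loader error refers to the same module as "ks" in a frame.
    failed = {m.group(1).lower().rsplit(".", 1)[0]
              for m in LOAD_ERROR.finditer(output)}
    resolved = {m.group(1).lower() for m in RESOLVED.finditer(output)}
    need = sorted(unresolved | failed)
    bucket = bool(BUCKET.search(output))
    return {
        "wrong_symbols_bucket": bucket,
        "modules_needing_symbols": need,
        "resolved_modules": sorted(resolved),
        "symbols_ok": not need and not bucket,
    }

if __name__ == "__main__":
    for key, value in symbol_triage(THREAD_OUTPUT).items():
        print(f"{key}: {value}")
```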
Ok, but how can I load symbols of ks.sys (kernel stream provided by
Microsoft), or is it the way Skywing told (.symfix)?
Karthik SG
On Wed, Aug 5, 2009 at 2:32 PM, sivakumar thulasimani wrote:
> If the following output is what you get as part of stack trace still, then
> it hasn't loaded the correct symbol files yet.
>
> >ba50bd54 b5306452 0000000a b531d508 00000002 nt+0x22f43
> >ba50bd7c 8053877d 87a3ed98 00000000 8a23fda8 ks+0x1452
> >ba50bdac 805cff70 87a3ed98 00000000 00000000 nt+0x6177d
> >ba50bddc 805460ee 8053868e 00000002 00000000 nt+0xf8f70
> >00000000 00000000 00000000 00000000 00000000 nt+0x6f0ee
>
>
> it should be more like “nt!KiThreadStartup+0x16” or
> “ks!WorkerThread+0x70” in the stack. check the symbols for both nt and ks.
>
> -rtshiva
As Skywing said, check out .symfix; it sets up the symbol path to load symbols
for all MS binaries, including KS.
After setting up the symbols, check out the output of !analyze -v again.
-rtshiva
On Wed, Aug 5, 2009 at 3:16 PM, Karthik Gurumurthy <
xxxxx@nextbitcpu.com> wrote:
> Ok, but how can I load symbols of ks.sys (kernel stream provided by
> Microsoft), or is it the way Skywing told (.symfix)?
> Karthik SG
> On Wed, Aug 5, 2009 at 2:32 PM, sivakumar thulasimani wrote:
>
>> If the following output is what you get as part of stack trace still,
>> then it hasn't loaded the correct symbol files yet.
>>
>> >ba50bd54 b5306452 0000000a b531d508 00000002 nt+0x22f43
>> >ba50bd7c 8053877d 87a3ed98 00000000 8a23fda8 ks+0x1452
>> >ba50bdac 805cff70 87a3ed98 00000000 00000000 nt+0x6177d
>> >ba50bddc 805460ee 8053868e 00000002 00000000 nt+0xf8f70
>> >00000000 00000000 00000000 00000000 00000000 nt+0x6f0ee
>>
>>
>> it should be more like “nt!KiThreadStartup+0x16” or
>> “ks!WorkerThread+0x70” in the stack. check the symbols for both nt and ks.
>>
>> -rtshiva
<karthik.gurmurthy>
I have a spin lock and after getting the lock I am calling a function which
is non paged in that function RtlCopyMemory is used.
Can this be the cause for this BSOD???
</karthik.gurmurthy>
And do you release the lock and properly restore the prior IRQL?
Dave Cattley
>And do you release the lock and properly restore the prior IRQL?
When, before the RtlCopyMemory or after it?
Karthik SG
On Wed, Aug 5, 2009 at 6:22 PM, David R. Cattley wrote:
> <karthik.gurmurthy>
> I have a spin lock and after getting the lock I am calling a function which
> is non paged in that function RtlCopyMemory is used.
> Can this be the cause for this BSOD???
> </karthik.gurmurthy>
>
> And do you release the lock and properly restore the prior IRQL?
>
>
> Dave Cattley
Karthik Gurumurthy wrote:
> I have a spin lock and after getting the lock I am calling a
> function which is non paged in that function RtlCopyMemory is used.
> Can this be the cause for this BSOD???
Have a look at the memory you are copying to and from.
“Callers of RtlCopyMemory can be running at any IRQL if both memory
blocks are resident. Otherwise, the caller must be running at IRQL <=
APC_LEVEL.”
You are under spinlock - so you are at DISPATCH_LEVEL.
Regards,
Alex Krol.
The debugger documentation talks at length about how symbols and the symbol server work. I’d strongly encourage you to read through that portion of debugger.chm as it is generally useful knowledge.
That being said, try inspecting the output of these commands:
!sym noisy
.symfix+ c:\symbols
.reload
…where c:\symbols is your preferred downstream store location.
You must issue a .reload to cause the debugger to attempt to re-load symbols for which a load attempt has already been made.
From: Karthik Gurumurthy
Sent: Wednesday, August 05, 2009 02:47
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] D1, {b5388508, 2, b5388508, 88dafb2c} what is the 3rd parameter???
Ok, but how can I load symbols of ks.sys (kernel stream provided by Microsoft), or is it the way Skywing told (.symfix)?
Karthik SG
On Wed, Aug 5, 2009 at 2:32 PM, sivakumar thulasimani wrote:
If the following output is what you get as part of stack trace still, then it hasn't loaded the correct symbol files yet.
>ba50bd54 b5306452 0000000a b531d508 00000002 nt+0x22f43
>ba50bd7c 8053877d 87a3ed98 00000000 8a23fda8 ks+0x1452
>ba50bdac 805cff70 87a3ed98 00000000 00000000 nt+0x6177d
>ba50bddc 805460ee 8053868e 00000002 00000000 nt+0xf8f70
>00000000 00000000 00000000 00000000 00000000 nt+0x6f0ee
it should be more like “nt!KiThreadStartup+0x16” or “ks!WorkerThread+0x70” in the stack. check the symbols for both nt and ks.
-rtshiva
Karthik Gurumurthy wrote:
> I have a spin lock and after getting the lock I am calling a function
> which is non paged in that function RtlCopyMemory is used.
> Can this be the cause for this BSOD???
Only if you are copying from paged memory, but it wouldn’t look like the
crash you are seeing. You are getting what looks like a jump or call
into paged memory.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.