How to analyze dump from BSOD?

How to analyze a BSOD dump? I get the following:

3: kd> !analyze -v
Bugcheck Analysis

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e71ce4d8, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: f333f332, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

READ_ADDRESS: e71ce4d8 Paged pool

FAULTING_IP:
MyDriver+a332
f333f332 8b4f78 mov ecx,dword ptr [edi+78h]

MM_INTERNAL_CODE: 0

IMAGE_NAME: MyDriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45462c99

MODULE_NAME: MyDriver

FAULTING_MODULE: f3335000 MyDriver

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: System

CURRENT_IRQL: 1

TRAP_FRAME: f17f48ac -- (.trap fffffffff17f48ac)
ErrCode = 00000000
eax=e71ce460 ebx=fc5ad018 ecx=eaa06ed8 edx=e52f9d68 esi=e527ebf8 edi=e71ce460
eip=f333f332 esp=f17f4920 ebp=f17f4974 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
MyDriver+0xa332:
f333f332 8b4f78 mov ecx,dword ptr [edi+78h] ds:0023:e71ce4d8=???
Resetting default scope

LAST_CONTROL_TRANSFER: from e10689ee to e107b6be

STACK_TEXT:
f17f4844 e10689ee 00000050 e71ce4d8 00000000 nt!KeBugCheckEx+0x1b
f17f4894 e1037d0a 00000000 e71ce4d8 00000000 nt!MmAccessFault+0x813
f17f4894 f333f332 00000000 e71ce4d8 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
f17f4974 f333e6c3 fcfa38f0 e889e008 e9e0f570 MyDriver+0xa332
f17f4a04 f333e96e fcfa38f0 fc267f40 00000000 MyDriver+0x96c3
f17f4a4c e103f9d0 fd0198e0 fc267f40 fc267f40 MyDriver+0x996e
f17f4a60 f440715c fc267f40 f17f4ad4 f440c8ac nt!IofCallDriver+0x45
f17f4a6c f440c8ac fc267f40 fd0198e0 f17f4a90 srv!StartIoAndWait+0x1b
f17f4ad4 f440ec67 0000304c fc5ad018 00000fec srv!SrvIssueQueryDirectoryRequest+0x165
f17f4b74 f440f049 fdbb0e78 00000000 f17f4c00 srv!SrvQueryDirectoryFile+0x4fd
f17f4c50 f440f516 fdbb0e78 00000000 00000000 srv!SrvFind2Loop+0x218
f17f4cd4 f440f266 fdbb0e01 fdbb0e78 e18ad008 srv!DoFindFirst2+0x5c8
f17f4cec f444b424 fdbb0e78 fdbb0e78 e1039aed srv!SrvSmbFindFirst2+0x6b
f17f4d78 f43f1bc6 fdbb0e80 fdbd0b40 f4407451 srv!_NULL_IMPORT_DESCRIPTOR (srv+0x5b424)
f17f4d84 f4407451 00000000 fc477020 00000000 srv!SrvProcessSmb+0xb7
f17f4dac e112ccff 00bd0b40 00000000 00000000 srv!WorkerThread+0x138
f17f4ddc e1041a96 f4407394 fdbd0b40 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
MyDriver+a332
f333f332 8b4f78 mov ecx,dword ptr [edi+78h]

SYMBOL_STACK_INDEX: 3

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: MyDriver+a332

FAILURE_BUCKET_ID: 0x50_MyDriver+a332

BUCKET_ID: 0x50_MyDriver+a332

Followup: MachineOwner
---------

3: kd> !pool e71ce4d8
Pool page e71ce4d8 region is Paged pool
e71ce000 is not a valid small pool allocation, checking large pool…
e71ce000 is not a valid large pool allocation, checking large session pool…
ddff4000: Unable to get contents of pool block
3: kd> !poolval e71ce4d8
Pool page e71ce4d8 region is Paged pool

Validating Pool headers for pool page: e71ce4d8

Pool page [e71ce000] is __inVALID.

Analyzing linked list…

Scanning for single bit errors…

None found

3: kd> !pte e71ce4d8
VA e71ce4d8
PDE at C0300E70 PTE at C039C738
contains A8266963 contains 0390A000
pfn a8266 -G-DA--KWEV not valid
PageFile: 0
Offset: 390a
Protect: 0

It would help if you had symbols for your driver available to the
debugger.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Thursday, October 25, 2007 9:09 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to analyze dump from BSOD?

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Oh, and if it helps, your driver was processing an
IRP_MJ_DIRECTORY_CONTROL IRP when it screwed up and crashed. Have you
tested this code path?

You could check this great blog for starting with dump analysis
http://www.dumpanalysis.org/blog/index.php/automated-analysis/

It seems your driver is referencing (in edi register) nonpaged not resident
memory page for some reason (freed memory?)

Jerome.

“Roddy, Mark” wrote in message news:xxxxx@ntdev…
Oh, and if it helps, your driver was processing an
IRP_MJ_DIRECTORY_CONTROL IRP when it screwed up and crashed. Have you
tested this code path?

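
The arithmetic behind the dump discussed in this thread, as an added example that is not part of any poster's message: it recomputes the faulting address from the trap frame (edi + 78h), the driver-relative offset of the faulting instruction, and the PDE/PTE addresses, then decodes the two entries `!pte` printed. It assumes 32-bit x86 without PAE (4-byte entries, PTE base C0000000), which matches the addresses in the dump; the function names are made up for this example.

```python
# Added example: re-derive the key numbers in the posted !analyze -v / !pte output.
# Assumption: 32-bit x86, non-PAE paging (4-byte PTEs mapped at 0xC0000000).

PTE_BASE = 0xC0000000
PDE_BASE = 0xC0300000


def effective_address(base_reg, disp):
    """Address touched by `mov ecx, dword ptr [reg+disp]`, wrapped to 32 bits."""
    return (base_reg + disp) & 0xFFFFFFFF


def module_offset(ip, image_base):
    """Offset of an instruction inside its driver image (for map/PDB lookup)."""
    return ip - image_base


def pte_addresses(va):
    """Virtual addresses of the PDE and PTE that map `va` (non-PAE x86)."""
    pde = PDE_BASE + ((va >> 22) << 2)
    pte = PTE_BASE + ((va >> 12) << 2)
    return pde, pte


def decode_pte(pte):
    """Split a non-PAE PDE/PTE value into the fields !pte prints."""
    if pte & 1:  # hardware-valid: upper 20 bits are the page frame number
        return {"valid": True, "pfn": pte >> 12}
    return {  # software (not valid) PTE layout
        "valid": False,
        "pagefile": (pte >> 1) & 0xF,
        "protect": (pte >> 5) & 0x1F,
        "prototype": bool(pte & 0x400),
        "transition": bool(pte & 0x800),
        "offset": pte >> 12,
    }


if __name__ == "__main__":
    # Values copied from the dump in the original post.
    arg1, edi, ip, image = 0xE71CE4D8, 0xE71CE460, 0xF333F332, 0xF3335000
    print("edi+78h == Arg1:", effective_address(edi, 0x78) == arg1)
    print("faulting offset: MyDriver+%x" % module_offset(ip, image))
    print("PDE at %08X, PTE at %08X" % pte_addresses(arg1))
    print("PDE:", decode_pte(0xA8266963))
    print("PTE:", decode_pte(0x0390A000))
```

Because edi + 78h equals Arg1 exactly, the bad pointer is the structure base held in edi (e71ce460), so the offset MyDriver+a332 is the place to look up once symbols or a map file for the driver are loaded.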