I'm seeing that the following thread crashed svchost.exe, which in turn resulted in MANUALLY_INITIATED_CRASH
due to user-mode exceptions being enabled in the kernel:
THREAD ffff898d32317080 Cid 14bc.14c0 Teb: 000000679d633000 Win32Thread: ffff898d32446230 RUNNING on processor 3
Not impersonating
DeviceMap ffffde0fcd224480
Owning Process ffff898d32314080 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 2031 Ticks: 0
Context Switch Count 67 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address svchost!wmainCRTStartup (0x00007ff7219f69d0)
Stack Init ffffc806722aadb0 Current ffffc806722a9d30
Base ffffc806722ab000 Limit ffffc806722a3000 Call 0000000000000000
Priority 9 BasePriority 8 Decay Boost 1 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffffc806`722a9950 fffff801`1ca5d104 nt!KeBugCheck2+0x1fc
ffffc806`722a9f70 fffff801`1d278368 nt!KeBugCheckEx+0x14
(Inline Function) --------`-------- nt!KdpCauseBugCheck+0x20 (Inline Function @ fffff801`1d278368)
ffffc806`722a9f80 fffff801`1d2775b4 nt!KdpSendWaitContinue+0x680
ffffc806`722aa190 fffff801`1ccc5184 nt!KdpReportExceptionStateChange+0xac
ffffc806`722aa2e0 fffff801`1d27a640 nt!KdpReport+0xa4
ffffc806`722aa320 fffff801`1ca5765c nt!KdpTrap+0x168
ffffc806`722aa350 fffff801`1ca6b8d4 nt!KdTrap+0x5c
ffffc806`722aa3a0 fffff801`1cab29a8 nt!KiDispatchException+0x374
(Inline Function) --------`-------- nt!KiDispatchExceptionOnExceptionStack+0x1c (Inline Function @ fffff801`1cab29a8)
ffffc806`722aa900 fffff801`1ce05c5c nt!KiSynchronousException+0xd8
ffffc806`722aa9f0 fffff801`1ce05d38 nt!KzSynchronousException+0x24
ffffc806`722aaa50 00007ffc`28b3c104 nt!KiUserExceptionHandlerRaise+0x54 (TrapFrame @ ffffc806`722aaa50)
00000067`9d5de8d0 00007ffc`24922c28 ntdll!RtlUnhandledExceptionFilter2+0x374
00000067`9d5de920 00000000`00000000 KERNELBASE+0x142c28
I have three questions:
- Why does the call stack seem to be cut off in user mode?
- Can user-mode exceptions be handled on a different thread than the one where they were raised? (This may explain the call stack that I showed above.)
- How can I tell which service (or which DLL) that was loaded into svchost.exe caused this exception?