I have been trying to analyze memory dump for couple of hours and can’t
pin-point who caused it. My driver’s address range is (f0313000 - f031fa00)
and I don’t see it anywhere in the stack. As per one of Peter’s article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Naveen

Do you use WorkItems in your driver?

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can’t
pin-point who caused it. My driver’s address range is (f0313000 - f031fa00)
and I don’t see it anywhere in the stack. As per one of Peter’s article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Naveen

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Yes I have a worker thread in my driver. I looked at the implementation. It
is not doing any thing funky to change IRL levels. It acquires a spin lock
and then releases it before exiting.

Now when I do some more investigation I get more iformation. Dpc routines
are coming into picture. Everything seems to be revolving around Ntfs.

0: kd> !kdex2x86.stack

T. Address RetAddr Called Procedure

*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,…);

*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,…);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,…);

*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,…);

*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,…);

*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,…);

*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,…);

*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,…);

*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,…);

*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,…);

*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,…);

*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,…);

*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,…);

*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,…);

*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,…);

*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,…);

-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can’t
pin-point who caused it. My driver’s address range is (f0313000 - f031fa00)
and I don’t see it anywhere in the stack. As per one of Peter’s article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Naveen

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

I’d like to help but at my age your use of that set of tiny little html
fonts causes me to throw up.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 2:40 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Yes I have a worker thread in my driver. I looked at the implementation. It
is not doing any thing funky to change IRL levels. It acquires a spin lock
and then releases it before exiting.

Now when I do some more investigation I get more iformation. Dpc routines
are coming into picture. Everything seems to be revolving around Ntfs.

0: kd> !kdex2x86.stack

T. Address RetAddr Called Procedure

*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,…);

*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,…);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,…);

*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,…);

*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,…);

*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,…);

*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,…);

*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,…);

*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,…);

*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,…);

*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,…);

*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,…);

*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,…);

*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,…);

*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,…);

*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,…);

-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can’t
pin-point who caused it. My driver’s address range is (f0313000 - f031fa00)
and I don’t see it anywhere in the stack. As per one of Peter’s article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Naveen

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Sorry about that. I myself hate that tiny font. I am just not a very good
user of Outlook. I will post it again with modified font. Finally I got hold
of DBG file for NTFS and was able to display more information.

0: kd> !kdex2x86.stack
T. Address RetAddr Called Procedure
*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,...);
*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,...);
*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,...);
*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,...);
*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,...);
*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,...);
*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,...);
*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,...);
*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,...);
*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,...);
*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,...);
*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,...);
*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,...);
*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,...);
*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,...);
*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,...);

0: kd> kn
*** Stack trace for last set context - .thread/.cxr resets it

ChildEBP RetAddr

00 f242bd24 80120d65 nt!MiDecrementReferenceCount+0xc
01 f242bd3c 80112b11 nt!MmUnlockPages+0xa7
02 f242bd5c 802465cf nt!IofCompleteRequest+0x1b3
03 f242bd6c 8025d145 Ntfs!_imp__SeFreePrivileges+0x3
04 f242bea8 8024b5c6 Ntfs!NtfsFsdShutdown+0x5b
05 f242bf34 8010bd0b Ntfs!NtfsPrepareBuffers+0x6f9
06 f242bf7c 80145c3e nt!ExpWorkerThread+0x73
07 f242bf88 00000000 nt!KiThreadStartup+0x16

Thanks for offering some help.

-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Wednesday, September 03, 2003 4:05 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I'd like to help but at my age your use of that set of tiny little html
fonts causes me to throw up.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 2:40 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Yes I have a worker thread in my driver. I looked at the implementation. It
is not doing any thing funky to change IRL levels. It acquires a spin lock
and then releases it before exiting.

Now when I do some more investigation I get more iformation. Dpc routines
are coming into picture. Everything seems to be revolving around Ntfs.

0: kd> !kdex2x86.stack
T. Address RetAddr Called Procedure
*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,...);
*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,...);
*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,...);
*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,...);
*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,...);
*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,...);
*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,...);
*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,...);
*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,...);
*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,...);
*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,...);
*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,...);
*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,...);
*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,...);
*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,...);
*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,...);
-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?
-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can't
pin-point who caused it. My driver's address range is (f0313000 - f031fa00)
and I don't see it anywhere in the stack. As per one of Peter's article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.
Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
Naveen

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hey, you can always turn on your Magnifier ! Incidentally, I do that
with my students at school, works wonders, I let Magnifier take over the top
slice of my screen.

Alberto - I’m 58, but I can still read the fine print !

-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Wednesday, September 03, 2003 4:05 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I’d like to help but at my age your use of that set of tiny little html
fonts causes me to throw up.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 2:40 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Yes I have a worker thread in my driver. I looked at the implementation. It
is not doing any thing funky to change IRL levels. It acquires a spin lock
and then releases it before exiting.

Now when I do some more investigation I get more iformation. Dpc routines
are coming into picture. Everything seems to be revolving around Ntfs.

0: kd> !kdex2x86.stack

T. Address RetAddr Called Procedure

*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,…);

*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,…);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,…);

*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,…);

*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,…);

*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,…);

*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,…);

*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,…);

*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,…);

*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,…);

*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,…);

*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,…);

*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,…);

*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,…);

*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,…);

*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,…);

-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can’t
pin-point who caused it. My driver’s address range is (f0313000 - f031fa00)
and I don’t see it anywhere in the stack. As per one of Peter’s article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Naveen

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 4:11 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Sorry about that. I myself hate that tiny font. I am just not a very good
user of Outlook. I will post it again with modified font. Finally I got hold
of DBG file for NTFS and was able to display more information.

0: kd> !kdex2x86.stack
T. Address RetAddr Called Procedure
*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,...);
*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,...);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,...);
*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,...);
*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,...);
*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,...);
*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,...);
*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,...);
*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,...);
*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,...);
*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,...);
*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,...);
*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,...);
*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,...);
*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,...);
*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,...);

0: kd> kn
*** Stack trace for last set context - .thread/.cxr resets it

ChildEBP RetAddr

00 f242bd24 80120d65 nt!MiDecrementReferenceCount+0xc
01 f242bd3c 80112b11 nt!MmUnlockPages+0xa7
02 f242bd5c 802465cf nt!IofCompleteRequest+0x1b3
03 f242bd6c 8025d145 Ntfs!_imp__SeFreePrivileges+0x3
04 f242bea8 8024b5c6 Ntfs!NtfsFsdShutdown+0x5b
05 f242bf34 8010bd0b Ntfs!NtfsPrepareBuffers+0x6f9
06 f242bf7c 80145c3e nt!ExpWorkerThread+0x73
07 f242bf88 00000000 nt!KiThreadStartup+0x16

Thanks for offering some help.

-----Original Message-----
From: Roddy, Mark [ mailto:xxxxx@stratus.com
mailto:xxxxx ]
Sent: Wednesday, September 03, 2003 4:05 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I'd like to help but at my age your use of that set of tiny little html
fonts causes me to throw up.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com
mailto:xxxxx]
Sent: Wednesday, September 03, 2003 2:40 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Yes I have a worker thread in my driver. I looked at the implementation. It
is not doing any thing funky to change IRL levels. It acquires a spin lock
and then releases it before exiting.

Now when I do some more investigation I get more iformation. Dpc routines
are coming into picture. Everything seems to be revolving around Ntfs.

0: kd> !kdex2x86.stack
T. Address RetAddr Called Procedure
*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,...);
*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,...);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,...);
*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,...);
*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,...);
*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,...);
*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,...);
*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,...);
*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,...);
*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,...);
*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,...);
*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,...);
*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,...);
*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,...);
*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,...);
*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,...);
-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com
mailto:xxxxx]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?
-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com
mailto:xxxxx]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can't
pin-point who caused it. My driver's address range is (f0313000 - f031fa00)
and I don't see it anywhere in the stack. As per one of Peter's article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
Naveen
---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
http:

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
http:

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
http:

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
http:

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com</http:></http:></http:></http:></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx>

!analyze -v would be more useful than the simple stack trace. Also, I don't
think you got the correct symbols for ntfs. The function calls shown don't
make any sense.

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 4:18 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 4:11 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Sorry about that. I myself hate that tiny font. I am just not a very good
user of Outlook. I will post it again with modified font. Finally I got hold
of DBG file for NTFS and was able to display more information.

0: kd> !kdex2x86.stack
T. Address RetAddr Called Procedure
*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,...);
*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,...);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,...);
*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,...);
*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,...);
*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,...);
*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,...);
*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,...);
*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,...);
*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,...);
*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,...);
*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,...);
*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,...);
*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,...);
*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,...);
*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,...);

0: kd> kn
*** Stack trace for last set context - .thread/.cxr resets it

ChildEBP RetAddr

00 f242bd24 80120d65 nt!MiDecrementReferenceCount+0xc
01 f242bd3c 80112b11 nt!MmUnlockPages+0xa7
02 f242bd5c 802465cf nt!IofCompleteRequest+0x1b3
03 f242bd6c 8025d145 Ntfs!_imp__SeFreePrivileges+0x3
04 f242bea8 8024b5c6 Ntfs!NtfsFsdShutdown+0x5b
05 f242bf34 8010bd0b Ntfs!NtfsPrepareBuffers+0x6f9
06 f242bf7c 80145c3e nt!ExpWorkerThread+0x73
07 f242bf88 00000000 nt!KiThreadStartup+0x16

Thanks for offering some help.

-----Original Message-----
From: Roddy, Mark [ mailto:xxxxx@stratus.com
mailto:xxxxx ]
Sent: Wednesday, September 03, 2003 4:05 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I'd like to help but at my age your use of that set of tiny little html
fonts causes me to throw up.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com
mailto:xxxxx]
Sent: Wednesday, September 03, 2003 2:40 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Yes I have a worker thread in my driver. I looked at the implementation. It
is not doing any thing funky to change IRL levels. It acquires a spin lock
and then releases it before exiting.

Now when I do some more investigation I get more iformation. Dpc routines
are coming into picture. Everything seems to be revolving around Ntfs.

0: kd> !kdex2x86.stack
T. Address RetAddr Called Procedure
*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,...);
*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,...);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,...);
*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,...);
*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,...);
*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,...);
*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,...);
*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,...);
*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,...);
*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,...);
*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,...);
*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,...);
*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,...);
*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,...);
*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,...);
*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,...);
-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com
mailto:xxxxx]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?
-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com
mailto:xxxxx]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can't
pin-point who caused it. My driver's address range is (f0313000 - f031fa00)
and I don't see it anywhere in the stack. As per one of Peter's article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
Naveen
---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
http:

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
http:

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
http:

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
http:

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

---
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com</http:></http:></http:></http:></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx></mailto:xxxxx>

MessageWith without glasses, Lasik and or contacts?

–
Gary G. Little
Seagate Technologies, LLC
“Moreira, Alberto” wrote in message news:xxxxx@ntdev…
Hey, you can always turn on your Magnifier ! Incidentally, I do that with my students at school, works wonders, I let Magnifier take over the top slice of my screen.

Alberto - I’m 58, but I can still read the fine print !

-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Wednesday, September 03, 2003 4:05 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I’d like to help but at my age your use of that set of tiny little html fonts causes me to throw up.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 2:40 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Yes I have a worker thread in my driver. I looked at the implementation. It is not doing any thing funky to change IRL levels. It acquires a spin lock and then releases it before exiting.

Now when I do some more investigation I get more iformation. Dpc routines are coming into picture. Everything seems to be revolving around Ntfs.

0: kd> !kdex2x86.stack

T. Address RetAddr Called Procedure

*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,…);

*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,…);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508, 814AACC8,…);

*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8, 81424008,…);

*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,…);

*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0, F242BEA8,…);

*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,…);

*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,…);

*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,…);

*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,…);

*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072, E2C599A4,…);

*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,…);

*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246, F242BEE0,…);

*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,…);

*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,…);

*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,…);

-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?
-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can’t pin-point who caused it. My driver’s address range is (f0313000 - f031fa00) and I don’t see it anywhere in the stack. As per one of Peter’s article on kernelmode debugging, ExpWorkerThread could cause this bug check. How can I track back to see what driver caused it. The only driver I can see is Ntfs. Any hint will be greatly appreciated. I should be able to take it from there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008 nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Naveen

—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it.

I got these symbols from checked build CD of NT4 SP6. I was so desperate at
this stage, I just loaded what ever i got hold of. May be I should remove
them. Here is the !analyze information.

0: kd> !analyze -v
The call to LoadLibrary(b) failed, Win32 error 2
"The system cannot find the file specified."
Please check your debugger configuration and/or network access.
****************************************************************************
***
* *
* Bugcheck Analysis *
* *
****************************************************************************
***
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at
an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 22785fa6, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80130cc6, address which referenced memory
Debugging Details:

The call to LoadLibrary(b) failed, Win32 error 2
"The system cannot find the file specified."
Please check your debugger configuration and/or network access.
The call to LoadLibrary(b) failed, Win32 error 2
"The system cannot find the file specified."
Please check your debugger configuration and/or network access.
READ_ADDRESS: The call to LoadLibrary(b) failed, Win32 error 2
"The system cannot find the file specified."
Please check your debugger configuration and/or network access.
22785fa6
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiDecrementReferenceCount+c
80130cc6 668b410e mov ax,[ecx+0xe]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 80120d65 to 80130cc6
STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs!_imp__SeFreePrivileges+0x3
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs!NtfsFsdShutdown+0x5b
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs!NtfsPrepareBuffers+0x6f9
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf88 00000000 0000027f 00000000 0000ffff nt!KiThreadStartup+0x16

FOLLOWUP_IP:
nt!MiDecrementReferenceCount+c
80130cc6 668b410e mov ax,[ecx+0xe]
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!MiDecrementReferenceCount+c
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 37e80077
STACK_COMMAND: kb
BUCKET_ID: 0xA_nt!MiDecrementReferenceCount+c
Followup: MachineOwner

-----Original Message-----
From: Croci, MaryBeth [mailto:xxxxx@stratus.com]
Sent: Wednesday, September 03, 2003 4:34 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

!analyze -v would be more useful than the simple stack trace. Also, I don't
think you got the correct symbols for ntfs. The function calls shown don't
make any sense.
-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 4:18 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 4:11 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Sorry about that. I myself hate that tiny font. I am just not a very good
user of Outlook. I will post it again with modified font. Finally I got hold
of DBG file for NTFS and was able to display more information.
0: kd> !kdex2x86.stack
T. Address RetAddr Called Procedure
*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,...);
*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,...);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,...);
*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,...);
*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,...);
*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,...);
*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,...);
*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,...);
*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,...);
*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,...);
*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,...);
*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,...);
*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,...);
*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,...);
*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,...);
*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,...);

0: kd> kn
*** Stack trace for last set context - .thread/.cxr resets it

ChildEBP RetAddr

00 f242bd24 80120d65 nt!MiDecrementReferenceCount+0xc
01 f242bd3c 80112b11 nt!MmUnlockPages+0xa7
02 f242bd5c 802465cf nt!IofCompleteRequest+0x1b3
03 f242bd6c 8025d145 Ntfs!_imp__SeFreePrivileges+0x3
04 f242bea8 8024b5c6 Ntfs!NtfsFsdShutdown+0x5b
05 f242bf34 8010bd0b Ntfs!NtfsPrepareBuffers+0x6f9
06 f242bf7c 80145c3e nt!ExpWorkerThread+0x73
07 f242bf88 00000000 nt!KiThreadStartup+0x16
Thanks for offering some help.
-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Wednesday, September 03, 2003 4:05 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I'd like to help but at my age your use of that set of tiny little html
fonts causes me to throw up.

=====================
Mark Roddy
-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 2:40 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Yes I have a worker thread in my driver. I looked at the implementation. It
is not doing any thing funky to change IRL levels. It acquires a spin lock
and then releases it before exiting.
Now when I do some more investigation I get more iformation. Dpc routines
are coming into picture. Everything seems to be revolving around Ntfs.
0: kd> !kdex2x86.stack
T. Address RetAddr Called Procedure
*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,...);
*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,...);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,...);
*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,...);
*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,...);
*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,...);
*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,...);
*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,...);
*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,...);
*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,...);
*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,...);
*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,...);
*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,...);
*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,...);
*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,...);
*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,...);
-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?
-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can't
pin-point who caused it. My driver's address range is (f0313000 - f031fa00)
and I don't see it anywhere in the stack. As per one of Peter's article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.
Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
Naveen

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

“Kohli, Naveen” wrote in message
news:xxxxx@ntdev…
> I got these symbols from checked build CD of NT4 SP6. I was so desperate
at
> this stage, I just loaded what ever i got hold of. May be I should remove
> them. Here is the !analyze information.
>

Now let me see…

Are you RUNNING the checked build of NT V4??

Please. Set the debugger up right, or you’ll NEVER be able to debug this
(and neither will we). Please.

Use the MS symbol server. See:
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx#How%20to%20Use%20the%20Microsoft%20Symbol%20Server

Then come back and talk to us,

Peter
OSR

I am not running checked build of NT4. The reason I threw in SP6 symbols for
NTFS.sys were because I just wanted to see what the hell those 3 calls were.
Before throwing in these symbol files, I tried to goto MS symbol site. No
luck. They don’t have NT4 symbols there. In the debuger I have set the
symbol servers to “srv*Downstream
Store*http://msdl.microsoft.com/download/symbols;”. Windbg can load all
symbols except NTFS.sys. I hope you understand the frustration under which I
loaded the SP6 symbols.
When the debugger did not help me the right way, I tried to tilt it upside
down hoping it can find the symbols from somewhere.
But thats besides the point. Now I have removed NTFS.dbg file from the list.
And now I am debuging with the fact that NTFS.sys symbols are not available
to me.

Here is additional information… worst part of this problem is that we
can’t reproduce the problem on any of the machines. It came from some
customer site. And as I was suspecting the most popular antivirus filter (no
names) is in the way. Tony helped us last time in debugging some other crash
dump. I am just folowing steps he mentioned in reports and adding some more
to it to get all the information I can from the dump. Atleast in other dumps
I could see my driver in the stack somewhere. But in this dump I see no
traces of it.

Thanks for knocking on my head to put the debugger upright again

-----Original Message-----
From: Peter Viscarola [mailto:xxxxx@osr.com]
Sent: Wednesday, September 03, 2003 5:05 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

“Kohli, Naveen” wrote in message
news:xxxxx@ntdev…
> I got these symbols from checked build CD of NT4 SP6. I was so desperate
at
> this stage, I just loaded what ever i got hold of. May be I should remove
> them. Here is the !analyze information.
>

Now let me see…

Are you RUNNING the checked build of NT V4??

Please. Set the debugger up right, or you’ll NEVER be able to debug this
(and neither will we). Please.

Use the MS symbol server. See:
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx#How%20to%20Use%20th
e%20Microsoft%20Symbol%20Server

Then come back and talk to us,

Peter
OSR

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Of course not. I’m a manager, so, I’m entitled to cheat !

-----Original Message-----
From: Gary G. Little [mailto:xxxxx@seagate.com]
Sent: Wednesday, September 03, 2003 4:39 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

With without glasses, Lasik and or contacts?

–
Gary G. Little
Seagate Technologies, LLC

“Moreira, Alberto” < xxxxx@compuware.com
mailto:xxxxx > wrote in message news:xxxxx@ntdev
news:xxxxx …
Hey, you can always turn on your Magnifier ! Incidentally, I do that
with my students at school, works wonders, I let Magnifier take over the top
slice of my screen.

Alberto - I’m 58, but I can still read the fine print !

-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Wednesday, September 03, 2003 4:05 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I’d like to help but at my age your use of that set of tiny little html
fonts causes me to throw up.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 2:40 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Yes I have a worker thread in my driver. I looked at the implementation. It
is not doing any thing funky to change IRL levels. It acquires a spin lock
and then releases it before exiting.

Now when I do some more investigation I get more iformation. Dpc routines
are coming into picture. Everything seems to be revolving around Ntfs.

0: kd> !kdex2x86.stack

T. Address RetAddr Called Procedure

*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,…);

*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,…);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508,
814AACC8,…);

*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8,
81424008,…);

*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,…);

*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0,
F242BEA8,…);

*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,…);

*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,…);

*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,…);

*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,…);

*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072,
E2C599A4,…);

*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,…);

*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246,
F242BEE0,…);

*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,…);

*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,…);

*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,…);

-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can’t
pin-point who caused it. My driver’s address range is (f0313000 - f031fa00)
and I don’t see it anywhere in the stack. As per one of Peter’s article on
kernelmode debugging, ExpWorkerThread could cause this bug check. How can I
track back to see what driver caused it. The only driver I can see is Ntfs.
Any hint will be greatly appreciated. I should be able to take it from
there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008
nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be
wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Naveen

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it.</news:xxxxx></mailto:xxxxx>

Is your use of the text “Downstream Store” literal? You should replace
it with a path, like:

SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

Chuck

----- Original Message -----
From: “Kohli, Naveen”
To: “Windows System Software Developers Interest List”

Sent: Thursday, September 04, 2003 4:25 AM
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

> I am not running checked build of NT4. The reason I threw in SP6
symbols for
> NTFS.sys were because I just wanted to see what the hell those 3 calls
were.
> Before throwing in these symbol files, I tried to goto MS symbol site.
No
> luck. They don’t have NT4 symbols there. In the debuger I have set the
> symbol servers to “srvDownstream
> Storehttp://msdl.microsoft.com/download/symbols;”. Windbg can load
all
> symbols except NTFS.sys. I hope you understand the frustration under
which I
> loaded the SP6 symbols.
> When the debugger did not help me the right way, I tried to tilt it
upside
> down hoping it can find the symbols from somewhere.
> But thats besides the point. Now I have removed NTFS.dbg file from the
list.
> And now I am debuging with the fact that NTFS.sys symbols are not
available
> to me.
>
> Here is additional information… worst part of this problem is that
we
> can’t reproduce the problem on any of the machines. It came from some
> customer site. And as I was suspecting the most popular antivirus
filter (no
> names) is in the way. Tony helped us last time in debugging some other
crash
> dump. I am just folowing steps he mentioned in reports and adding some
more
> to it to get all the information I can from the dump. Atleast in other
dumps
> I could see my driver in the stack somewhere. But in this dump I see
no
> traces of it.
>
> Thanks for knocking on my head to put the debugger upright again
>
>
> -----Original Message-----
> From: Peter Viscarola [mailto:xxxxx@osr.com]
> Sent: Wednesday, September 03, 2003 5:05 PM
> To: Windows System Software Developers Interest List
> Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck
>
>
>
> “Kohli, Naveen” wrote in message
> news:xxxxx@ntdev…
> > I got these symbols from checked build CD of NT4 SP6. I was so
desperate
> at
> > this stage, I just loaded what ever i got hold of. May be I should
remove
> > them. Here is the !analyze information.
> >
>
> Now let me see…
>
> Are you RUNNING the checked build of NT V4??
>
> Please. Set the debugger up right, or you’ll NEVER be able to debug
this
> (and neither will we). Please.
>
> Use the MS symbol server. See:
>
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx#How%20to%20Use%20th
> e%20Microsoft%20Symbol%20Server
>
> Then come back and talk to us,
>
> Peter
> OSR

MessageAaahhhhhh … on of the pointy haired ones.

–
Gary G. Little
Seagate Technologies, LLC
“Moreira, Alberto” wrote in message news:xxxxx@ntdev…
Of course not. I’m a manager, so, I’m entitled to cheat !
-----Original Message-----
From: Gary G. Little [mailto:xxxxx@seagate.com]
Sent: Wednesday, September 03, 2003 4:39 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

With without glasses, Lasik and or contacts?

–
Gary G. Little
Seagate Technologies, LLC
“Moreira, Alberto” wrote in message news:xxxxx@ntdev…
Hey, you can always turn on your Magnifier ! Incidentally, I do that with my students at school, works wonders, I let Magnifier take over the top slice of my screen.

Alberto - I’m 58, but I can still read the fine print !

-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Wednesday, September 03, 2003 4:05 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I’d like to help but at my age your use of that set of tiny little html fonts causes me to throw up.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 2:40 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Yes I have a worker thread in my driver. I looked at the implementation. It is not doing any thing funky to change IRL levels. It acquires a spin lock and then releases it before exiting.

Now when I do some more investigation I get more iformation. Dpc routines are coming into picture. Everything seems to be revolving around Ntfs.

0: kd> !kdex2x86.stack

T. Address RetAddr Called Procedure

*2 F242BC98 8014464C nt!KeBugCheckEx(0000000A, 22785FA6, 00000002,…);

*2 F242BCB4 00000000 nt!KiTrap0E+00000284(00000000, 00000000, 00000000,…);

*0 F242BCC4 8010922C hal!KfReleaseSpinLock(F242BCF0, E2C89508, 814AACC8,…);

*1 F242BD28 80120D65 nt!MiDecrementReferenceCount(F242BD5C, 8177C3E8, 81424008,…);

*1 F242BD40 80112B11 nt!MmUnlockPages(8177C3E8, C0000043, F242BEB4,…);

*1 F242BD60 802465CF nt!IofCompleteRequest(E239F5E0, E2C895D0, F242BEA8,…);

*1 F242BD70 8025D145 Ntfs+00000576(F242BEB0, F242BEB4, C0000043,…);

*1 F242BDD4 801199C1 hal!KfLowerIrql(80D50000, 80D5A1D0, 80D5A1E4,…);

*1 F242BDF4 F1F3D471 nt!KeInsertQueueDpc(F242BF90, F2429000, 00000000,…);

*0 F242BE18 80145172 dword ptr [EDI+0C](80D1BA70, 8014517C, 00000000,…);

*0 F242BE20 8014517C hal!HalEndSystemInterrupt(00000000, 00000072, E2C599A4,…);

*1 F242BEAC 8024B5C6 Ntfs+00016192(00000000, 81424008, 00000000,…);

*0 F242BEEC 801456C1 intlfxsr!FxsrSwapContextNotify(F242BF6C, 00000246, F242BEE0,…);

*0 F242BF38 8010BD0B dword ptr [EAX+08](814AACC8, F242BF7C, 00000000,…);

*0 F242BF50 8013A1DA dword ptr [EBP+08](00000000, 00000000, 00000000,…);

*0 F242BF80 80145C3E dword ptr EAX(8010BC98, 00000000, 00000000,…);

-----Original Message-----
From: Moebius, V. [mailto:xxxxx@baslerweb.com]
Sent: Wednesday, September 03, 2003 2:10 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] RE: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Do you use WorkItems in your driver?
-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Wednesday, September 03, 2003 7:52 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I have been trying to analyze memory dump for couple of hours and can’t pin-point who caused it. My driver’s address range is (f0313000 - f031fa00) and I don’t see it anywhere in the stack. As per one of Peter’s article on kernelmode debugging, ExpWorkerThread could cause this bug check. How can I track back to see what driver caused it. The only driver I can see is Ntfs. Any hint will be greatly appreciated. I should be able to take it from there.

Thanks.

STACK_TEXT:
f242bd24 80120d65 f242bd5c 8177c3e8 81424008 nt!MiDecrementReferenceCount+0xc
f242bd3c 80112b11 8177c3e8 c0000043 f242beb4 nt!MmUnlockPages+0xa7
f242bd5c 802465cf e239f5e0 e2c895d0 f242bea8 nt!IofCompleteRequest+0x1b3
WARNING: Stack unwind information not available. Following frames may be wrong.
f242bd6c 8025d145 f242beb0 f242beb4 c0000043 Ntfs+0x5cf
f242bea8 8024b5c6 00000000 81424008 00000000 Ntfs+0x17145
f242bf34 8010bd0b 814aacc8 f242bf7c 00000000 Ntfs+0x55c6
f242bf4c 8013a1da 00000000 00000000 00000000 nt!ExpWorkerThread+0x73
f242bf7c 80145c3e 8010bc98 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Naveen

—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it.

—
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@compuware.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it.

I am not using symbols from local drive. So C:\websymbols does not make any
sense in my case.

-----Original Message-----
From: Chuck Batson [mailto:xxxxx@cbatson.com]
Sent: Wednesday, September 03, 2003 9:18 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Is your use of the text “Downstream Store” literal? You should replace
it with a path, like:

SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols

Chuck

----- Original Message -----
From: “Kohli, Naveen”
To: “Windows System Software Developers Interest List”

Sent: Thursday, September 04, 2003 4:25 AM
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

> I am not running checked build of NT4. The reason I threw in SP6
symbols for
> NTFS.sys were because I just wanted to see what the hell those 3 calls
were.
> Before throwing in these symbol files, I tried to goto MS symbol site.
No
> luck. They don’t have NT4 symbols there. In the debuger I have set the
> symbol servers to “srvDownstream
> Storehttp://msdl.microsoft.com/download/symbols;”. Windbg can load
all
> symbols except NTFS.sys. I hope you understand the frustration under
which I
> loaded the SP6 symbols.
> When the debugger did not help me the right way, I tried to tilt it
upside
> down hoping it can find the symbols from somewhere.
> But thats besides the point. Now I have removed NTFS.dbg file from the
list.
> And now I am debuging with the fact that NTFS.sys symbols are not
available
> to me.
>
> Here is additional information… worst part of this problem is that
we
> can’t reproduce the problem on any of the machines. It came from some
> customer site. And as I was suspecting the most popular antivirus
filter (no
> names) is in the way. Tony helped us last time in debugging some other
crash
> dump. I am just folowing steps he mentioned in reports and adding some
more
> to it to get all the information I can from the dump. Atleast in other
dumps
> I could see my driver in the stack somewhere. But in this dump I see
no
> traces of it.
>
> Thanks for knocking on my head to put the debugger upright again
>
>
> -----Original Message-----
> From: Peter Viscarola [mailto:xxxxx@osr.com]
> Sent: Wednesday, September 03, 2003 5:05 PM
> To: Windows System Software Developers Interest List
> Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck
>
>
>
> “Kohli, Naveen” wrote in message
> news:xxxxx@ntdev…
> > I got these symbols from checked build CD of NT4 SP6. I was so
desperate
> at
> > this stage, I just loaded what ever i got hold of. May be I should
remove
> > them. Here is the !analyze information.
> >
>
> Now let me see…
>
> Are you RUNNING the checked build of NT V4??
>
> Please. Set the debugger up right, or you’ll NEVER be able to debug
this
> (and neither will we). Please.
>
> Use the MS symbol server. See:
>
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx#How%20to%20Use%20th
> e%20Microsoft%20Symbol%20Server
>
> Then come back and talk to us,
>
> Peter
> OSR

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

That is where you are going to cache the symbols produced by the symbol
server.

Oh, and you can get rid of the awful html fonts you are so fond of by using
Outlook menu Format\Plain Text.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Thursday, September 04, 2003 9:33 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I am not using symbols from local drive. So C:\websymbols does not make any
sense in my case.
-----Original Message-----
From: Chuck Batson [mailto:xxxxx@cbatson.com]
Sent: Wednesday, September 03, 2003 9:18 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Is your use of the text “Downstream Store” literal? You should replace
it with a path, like:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Chuck
----- Original Message -----
From: “Kohli, Naveen”
To: “Windows System Software Developers Interest List”

Sent: Thursday, September 04, 2003 4:25 AM
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

> I am not running checked build of NT4. The reason I threw in SP6
symbols for
> NTFS.sys were because I just wanted to see what the hell those 3 calls
were.
> Before throwing in these symbol files, I tried to goto MS symbol site.
No
> luck. They don’t have NT4 symbols there. In the debuger I have set the
> symbol servers to “srvDownstream
> Storehttp://msdl.microsoft.com/download/symbols;”. Windbg can load
all
> symbols except NTFS.sys. I hope you understand the frustration under
which I
> loaded the SP6 symbols.
> When the debugger did not help me the right way, I tried to tilt it
upside
> down hoping it can find the symbols from somewhere.
> But thats besides the point. Now I have removed NTFS.dbg file from the
list.
> And now I am debuging with the fact that NTFS.sys symbols are not
available
> to me.
>
> Here is additional information… worst part of this problem is that
we
> can’t reproduce the problem on any of the machines. It came from some
> customer site. And as I was suspecting the most popular antivirus
filter (no
> names) is in the way. Tony helped us last time in debugging some other
crash
> dump. I am just folowing steps he mentioned in reports and adding some
more
> to it to get all the information I can from the dump. Atleast in other
dumps
> I could see my driver in the stack somewhere. But in this dump I see
no
> traces of it.
>
> Thanks for knocking on my head to put the debugger upright again
>
>
> -----Original Message-----
> From: Peter Viscarola [mailto:xxxxx@osr.com]
> Sent: Wednesday, September 03, 2003 5:05 PM
> To: Windows System Software Developers Interest List
> Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck
>
>
>
> “Kohli, Naveen” wrote in message
> news:xxxxx@ntdev…
> > I got these symbols from checked build CD of NT4 SP6. I was so
desperate
> at
> > this stage, I just loaded what ever i got hold of. May be I should
remove
> > them. Here is the !analyze information.
> >
>
> Now let me see…
>
> Are you RUNNING the checked build of NT V4??
>
> Please. Set the debugger up right, or you’ll NEVER be able to debug
this
> (and neither will we). Please.
>
> Use the MS symbol server. See:
>
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx#How%20to%20Use%20th

> e%20Microsoft%20Symbol%20Server
>
> Then come back and talk to us,
>
> Peter
> OSR

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

“c:\websymbols” refers local symbol cache and it’s imho neccessary for using
symbols via web. You are free to use any other directory instead of
“c:\websymbols”

Volker

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Thursday, September 04, 2003 3:33 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I am not using symbols from local drive. So C:\websymbols does not make any
sense in my case.

-----Original Message-----
From: Chuck Batson [mailto:xxxxx@cbatson.com mailto:xxxxx]
Sent: Wednesday, September 03, 2003 9:18 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Is your use of the text “Downstream Store” literal? You should replace
it with a path, like:

SRVc:\websymbols http://msdl.microsoft.com/download/symbols
http:

Chuck

----- Original Message -----
From: “Kohli, Naveen”
To: “Windows System Software Developers Interest List”

Sent: Thursday, September 04, 2003 4:25 AM
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

> I am not running checked build of NT4. The reason I threw in SP6
symbols for
> NTFS.sys were because I just wanted to see what the hell those 3 calls
were.
> Before throwing in these symbol files, I tried to goto MS symbol site.
No
> luck. They don’t have NT4 symbols there. In the debuger I have set the
> symbol servers to "srvDownstream
> Store http://msdl.microsoft.com/download/symbols;
http: ". Windbg can load
all
> symbols except NTFS.sys. I hope you understand the frustration under
which I
> loaded the SP6 symbols.
> When the debugger did not help me the right way, I tried to tilt it
upside
> down hoping it can find the symbols from somewhere.
> But thats besides the point. Now I have removed NTFS.dbg file from the
list.
> And now I am debuging with the fact that NTFS.sys symbols are not
available
> to me.
>
> Here is additional information… worst part of this problem is that
we
> can’t reproduce the problem on any of the machines. It came from some
> customer site. And as I was suspecting the most popular antivirus
filter (no
> names) is in the way. Tony helped us last time in debugging some other
crash
> dump. I am just folowing steps he mentioned in reports and adding some
more
> to it to get all the information I can from the dump. Atleast in other
dumps
> I could see my driver in the stack somewhere. But in this dump I see
no
> traces of it.
>
> Thanks for knocking on my head to put the debugger upright again
>
>
> -----Original Message-----
> From: Peter Viscarola [mailto:xxxxx@osr.com mailto:xxxxx]
> Sent: Wednesday, September 03, 2003 5:05 PM
> To: Windows System Software Developers Interest List
> Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck
>
>
>
> “Kohli, Naveen” wrote in message
> news:xxxxx@ntdev news:xxxxx …
> > I got these symbols from checked build CD of NT4 SP6. I was so
desperate
> at
> > this stage, I just loaded what ever i got hold of. May be I should
remove
> > them. Here is the !analyze information.
> >
>
> Now let me see…
>
> Are you RUNNING the checked build of NT V4??
>
> Please. Set the debugger up right, or you’ll NEVER be able to debug
this
> (and neither will we). Please.
>
> Use the MS symbol server. See:
>
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx#How%20to%20Use%20th
http:h>
> e%20Microsoft%20Symbol%20Server
>
> Then come back and talk to us,
>
> Peter
> OSR

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
http:

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@baslerweb.com
To unsubscribe send a blank email to xxxxx@lists.osr.com</http:></http:></news:xxxxx></mailto:xxxxx></http:></http:></mailto:xxxxx>

I think the symbols get cached under the folder where debugger is installed
unless I specify it otherwise. So that is not an issue. I have all the
cached symbols other than NTFS.ddb/pdb. I am just looking for some hint on
where to bang my head in debugger to figure out what went wrong on the
system that made it crash.

-----Original Message-----
From: Roddy, Mark [mailto:xxxxx@stratus.com]
Sent: Thursday, September 04, 2003 9:41 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

That is where you are going to cache the symbols produced by the symbol
server.

Oh, and you can get rid of the awful html fonts you are so fond of by using
Outlook menu Format\Plain Text.

=====================
Mark Roddy

-----Original Message-----
From: Kohli, Naveen [mailto:xxxxx@CriticalSites.com]
Sent: Thursday, September 04, 2003 9:33 AM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

I am not using symbols from local drive. So C:\websymbols does not make any
sense in my case.
-----Original Message-----
From: Chuck Batson [mailto:xxxxx@cbatson.com]
Sent: Wednesday, September 03, 2003 9:18 PM
To: Windows System Software Developers Interest List
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

Is your use of the text “Downstream Store” literal? You should replace
it with a path, like:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Chuck
----- Original Message -----
From: “Kohli, Naveen”
To: “Windows System Software Developers Interest List”

Sent: Thursday, September 04, 2003 4:25 AM
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

> I am not running checked build of NT4. The reason I threw in SP6
symbols for
> NTFS.sys were because I just wanted to see what the hell those 3 calls
were.
> Before throwing in these symbol files, I tried to goto MS symbol site.
No
> luck. They don’t have NT4 symbols there. In the debuger I have set the
> symbol servers to “srvDownstream
> Storehttp://msdl.microsoft.com/download/symbols;”. Windbg can load
all
> symbols except NTFS.sys. I hope you understand the frustration under
which I
> loaded the SP6 symbols.
> When the debugger did not help me the right way, I tried to tilt it
upside
> down hoping it can find the symbols from somewhere.
> But thats besides the point. Now I have removed NTFS.dbg file from the
list.
> And now I am debuging with the fact that NTFS.sys symbols are not
available
> to me.
>
> Here is additional information… worst part of this problem is that
we
> can’t reproduce the problem on any of the machines. It came from some
> customer site. And as I was suspecting the most popular antivirus
filter (no
> names) is in the way. Tony helped us last time in debugging some other
crash
> dump. I am just folowing steps he mentioned in reports and adding some
more
> to it to get all the information I can from the dump. Atleast in other
dumps
> I could see my driver in the stack somewhere. But in this dump I see
no
> traces of it.
>
> Thanks for knocking on my head to put the debugger upright again
>
>
> -----Original Message-----
> From: Peter Viscarola [mailto:xxxxx@osr.com]
> Sent: Wednesday, September 03, 2003 5:05 PM
> To: Windows System Software Developers Interest List
> Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck
>
>
>
> “Kohli, Naveen” wrote in message
> news:xxxxx@ntdev…
> > I got these symbols from checked build CD of NT4 SP6. I was so
desperate
> at
> > this stage, I just loaded what ever i got hold of. May be I should
remove
> > them. Here is the !analyze information.
> >
>
> Now let me see…
>
> Are you RUNNING the checked build of NT V4??
>
> Please. Set the debugger up right, or you’ll NEVER be able to debug
this
> (and neither will we). Please.
>
> Use the MS symbol server. See:
>
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx#How%20to%20Use%20th

> e%20Microsoft%20Symbol%20Server
>
> Then come back and talk to us,
>
> Peter
> OSR

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stratus.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@criticalsites.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

You will need to specify a local path into which the downloaded symbols
will be cached. Try it, you might like it. =^)

Chuck

----- Original Message -----
From: “Kohli, Naveen”
To: “Windows System Software Developers Interest List”

Sent: Thursday, September 04, 2003 8:33 PM
Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck

> I am not using symbols from local drive. So C:\websymbols does not
make any
> sense in my case.
>
> -----Original Message-----
> From: Chuck Batson [mailto:xxxxx@cbatson.com]
> Sent: Wednesday, September 03, 2003 9:18 PM
> To: Windows System Software Developers Interest List
> Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck
>
>
> Is your use of the text “Downstream Store” literal? You should
replace
> it with a path, like:
>
> SRVc:\websymbolshttp://msdl.microsoft.com/download/symbols
>
> Chuck
>
> ----- Original Message -----
> From: “Kohli, Naveen”
> To: “Windows System Software Developers Interest List”
>
> Sent: Thursday, September 04, 2003 4:25 AM
> Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck
>
>
> > I am not running checked build of NT4. The reason I threw in SP6
> symbols for
> > NTFS.sys were because I just wanted to see what the hell those 3
calls
> were.
> > Before throwing in these symbol files, I tried to goto MS symbol
site.
> No
> > luck. They don’t have NT4 symbols there. In the debuger I have set
the
> > symbol servers to “srvDownstream
> > Storehttp://msdl.microsoft.com/download/symbols;”. Windbg can load
> all
> > symbols except NTFS.sys. I hope you understand the frustration under
> which I
> > loaded the SP6 symbols.
> > When the debugger did not help me the right way, I tried to tilt it
> upside
> > down hoping it can find the symbols from somewhere.
> > But thats besides the point. Now I have removed NTFS.dbg file from
the
> list.
> > And now I am debuging with the fact that NTFS.sys symbols are not
> available
> > to me.
> >
> > Here is additional information… worst part of this problem is that
> we
> > can’t reproduce the problem on any of the machines. It came from
some
> > customer site. And as I was suspecting the most popular antivirus
> filter (no
> > names) is in the way. Tony helped us last time in debugging some
other
> crash
> > dump. I am just folowing steps he mentioned in reports and adding
some
> more
> > to it to get all the information I can from the dump. Atleast in
other
> dumps
> > I could see my driver in the stack somewhere. But in this dump I see
> no
> > traces of it.
> >
> > Thanks for knocking on my head to put the debugger upright again
> >
> >
> > -----Original Message-----
> > From: Peter Viscarola [mailto:xxxxx@osr.com]
> > Sent: Wednesday, September 03, 2003 5:05 PM
> > To: Windows System Software Developers Interest List
> > Subject: [ntdev] Re: Infamous IRQL_NOT_LESS_OR_EQUAL Bugcheck
> >
> >
> >
> > “Kohli, Naveen” wrote in message
> > news:xxxxx@ntdev…
> > > I got these symbols from checked build CD of NT4 SP6. I was so
> desperate
> > at
> > > this stage, I just loaded what ever i got hold of. May be I should
> remove
> > > them. Here is the !analyze information.
> > >
> >
> > Now let me see…
> >
> > Are you RUNNING the checked build of NT V4??
> >
> > Please. Set the debugger up right, or you’ll NEVER be able to debug
> this
> > (and neither will we). Please.
> >
> > Use the MS symbol server. See:
> >
>
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx#How%20to%20Use%20th
> > e%20Microsoft%20Symbol%20Server
> >
> > Then come back and talk to us,
> >
> > Peter
> > OSR