IRQL_NOT_LESS_OR_EQUAL crash

Hi all,
We are having a machine (NT 2000, sp2) crash with IRQL_NOT_LESS_OR_EQUAL
(see analyze to follow)…

Note that it’s taskmgr ‘causing’ the crash… Couple of questions:

  1. What’s the best way to take it from here?
  2. What are the parameters for nt!ExpCopyThreadInfo and/or
     nt!ExpGetProcessInformation? I suspect that at least one param would be a
     thread or process struct, but either it’s really whacked or I can’t find
     it…

Thanks

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 636b7203, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80484a66, address which referenced memory

Debugging Details:

Unable to translate address 77e62730 with prototype PTE
Unable to translate address 77e62731 with prototype PTE
Unable to translate address 77e62730 with prototype PTE
Unable to translate address 77e62731 with prototype PTE
Unable to translate address 77e62730 with prototype PTE
Unable to translate address 77e62731 with prototype PTE
Unable to translate address 77e62730 with prototype PTE
Unable to translate address 77e62731 with prototype PTE

READ_ADDRESS: 636b7203

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExpCopyThreadInfo+10
80484a66 ffb738010000 push dword ptr [edi+0x138]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

TRAP_FRAME:  f4908a00 -- (.trap fffffffff4908a00)
.trap fffffffff4908a00
ErrCode = 00000000
eax=636b70cb ebx=f4a99000 ecx=0000ad00 edx=00000003 esi=f4aa3c08 edi=636b70cb
eip=80484a66 esp=f4908a74 ebp=f4908b04 iopl=0         nv up ei pl nz ac pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010213
nt!ExpCopyThreadInfo+10:
80484a66 ffb738010000     push    dword ptr [edi+0x138] ds:0023:636b7203=???
.trap
Resetting default context

LAST_CONTROL_TRANSFER: from 804848e4 to 80484a66

STACK_TEXT:
f4908a84 804848e4 f4aa3cc0 636b70cb 0000c000 nt!ExpCopyThreadInfo+0x10
f4908b04 80493356 00820000 0000c000 f4908b78 nt!ExpGetProcessInformation+0x1f7
f4908d4c 80465091 00000005 00820000 0000c000 nt!NtQuerySystemInformation+0x7b1
f4908d4c 77f83b4a 00000005 00820000 0000c000 nt!KiSystemService+0xc4
0006f794 01007e8c 0100d804 010024cd 000400d2 ntdll!RtlpAllocateDebugInfo+0xa6
0006f79c 010024cd 000400d2 00000000 77e872b0 taskmgr!CProcPage::TimerEvent+0xe
0006f9b8 010035b1 000400d2 00000000 00000113 taskmgr!MainWnd_OnTimer+0x36
0006f9e4 77e11d0a 000400d2 00000113 00000000 taskmgr!MainWindowProc+0x3b0
0006fa04 77e22b0d 01003201 000400d2 00000113 USER32!bCleanConvertedTTFs+0x2e
0006fa40 77e1b223 000400d2 00000113 00000000 USER32!InitClsMenuNameW+0x12
0006fa78 77e11bc8 77e1b202 000400d2 00000113 USER32!_FindDlgItem+0x7
0006fa78 77e11bc8 77e1b202 000400d2 00000113 USER32!bCheckIfDualBootingWithWin31+0x5a
0006fb04 77e11cef 0006ff1c 00000000 77e1aca5 USER32!bCheckIfDualBootingWithWin31+0x5a
0006fb34 01003c6f 000400d2 0036f130 00d2f67c USER32!bCleanConvertedTTFs+0x13
0006ff60 01003e57 01000000 00000000 0002077a taskmgr!WinMainT+0x42f
0006ffc0 77e9ca90 00d2f67c 77db638c 7ffdf000 taskmgr!ModuleEntry+0xc3
0006fff0 00000000 01003d94 00000000 000000c8 KERNEL32!ReplaceFileW+0x42b

FOLLOWUP_IP:
nt!ExpCopyThreadInfo+10
80484a66 ffb738010000 push dword ptr [edi+0x138]

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!ExpCopyThreadInfo+10

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 3d366b8b

STACK_COMMAND: .trap fffffffff4908a00 ; kb

BUCKET_ID: 0xA_nt!ExpCopyThreadInfo+10

Followup: MachineOwner

My bet would be that one of the parameters of the function where it is
crashing is wrongly passed. This is particularly true for callback
functions, where the function would expect a void* but the actual
parameter passed is void. The compiler will not show any warning/error,
but the kernel would throw up the exception while retrieving the pop-up
stack at the end of the function.

-----Original Message-----
From: Victor Pittman [mailto:xxxxx@quest.com]
Sent: Friday, November 08, 2002 11:49 AM
To: NT Developers Interest List
Subject: [ntdev] IRQL_NOT_LESS_OR_EQUAL crash

You are currently subscribed to ntdev as:
chakradhar.kommuri@hp.com
To unsubscribe send a blank email to
%%email.unsub%%

Actually, IRQL_NOT_LESS_OR_EQUAL is generally associated with a kernel problem, and an excellent explanation of such a BSOD is the mishandling of an IRP or the data buffer(s) associated with an IRP. Bang analyze (!analyze) is simply doing its best to explain the stack frame active when things went bump in the night.

Victor, is there a proprietary device driver involved?


Gary G. Little
Have Computer, Will Travel …
909-698-3191
909-551-2105
“Kommuri, Chakradhar” <chakradhar.kommuri@hp.com> wrote in message news:xxxxx@ntdev…

Thanks Gary,
Not that I can tell… I have my suspicions about a user mode program that
may be doing something funky, an ‘expect’ library with a slavedrv.exe. It’s
not really a driver, but I’m not quite sure what it does; I’m about to
review the code…

I think that ‘something’ is messing up the active process chain so that when
GetProcessInformation/CopyThreadInfo is called the process that is returned
points to the nether land and the access at the elevated irq crashes…

But how do I go about proving this …

-----Original Message-----
From: Gary G. Little [mailto:xxxxx@inland.net]
Sent: Friday, November 08, 2002 11:41 AM
To: NT Developers Interest List
Subject: [ntdev] Re: IRQL_NOT_LESS_OR_EQUAL crash


You need to walk backwards from the invalid reference to find the source of
the invalid information. This is a standard debugging problem, and
shouldn’t take too long to figure out (at least at a basic level).

My initial guess is that the thread OR the process has been whacked.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com

-----Original Message-----
From: Victor Pittman [mailto:xxxxx@quest.com]
Sent: Friday, November 08, 2002 4:45 PM
To: NT Developers Interest List
Subject: [ntdev] Re: IRQL_NOT_LESS_OR_EQUAL crash

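Victor asks how to prove that a whacked process/thread pointer is behind the fault, and Tony's answer is to walk backwards from the invalid reference. The following is an added example, not code from this thread or from any Microsoft tool: it takes the numbers from the posted !analyze -v output (bugcheck arguments, the trap-frame edi, the kernel-side kb frames) and performs the checks a reviewer would otherwise do by hand: that edi really is Arg1 minus the 0x138 displacement, whether that base value lies in user space, whether its bytes look like text, and which frame first carries the bad value as an argument. The 0x80000000 user/kernel boundary is an assumption (default x86 2 GB/2 GB split), as is the reading of the kb argument columns as the callee's first three arguments.

```c
/* Triage helper for the bugcheck 0xA dump posted in this thread.
 * Added example; not code from the thread or from any Microsoft tool.
 * All numeric values are copied from the posted !analyze -v output;
 * the 0x80000000 user/kernel boundary assumes the default x86 2 GB/2 GB
 * split on that Windows 2000 machine (an assumption, not stated in the thread).
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One line of kb output: symbol plus the three argument columns kb prints
 * (taken here as the first three stack slots above the return address). */
typedef struct {
    const char *symbol;
    uint32_t args[3];
} Frame;

/* Bugcheck arguments and trap-frame state from the posted dump. */
static const uint32_t ARG1_FAULT_ADDRESS = 0x636b7203; /* memory referenced */
static const uint32_t ARG2_IRQL          = 2;          /* DISPATCH_LEVEL */
static const uint32_t ARG3_IS_WRITE      = 0;          /* 0 = read */
static const uint32_t ARG4_FAULT_IP      = 0x80484a66; /* nt!ExpCopyThreadInfo+10 */
static const uint32_t TRAP_EDI           = 0x636b70cb; /* edi in the trap frame */
static const uint32_t INSN_DISP          = 0x138;      /* push dword ptr [edi+0x138] */

/* The kernel-side frames of STACK_TEXT, innermost first. */
static const Frame STACK[] = {
    {"nt!ExpCopyThreadInfo+0x10",         {0xf4aa3cc0, 0x636b70cb, 0x0000c000}},
    {"nt!ExpGetProcessInformation+0x1f7", {0x00820000, 0x0000c000, 0xf4908b78}},
    {"nt!NtQuerySystemInformation+0x7b1", {0x00000005, 0x00820000, 0x0000c000}},
    {"nt!KiSystemService+0xc4",           {0x00000005, 0x00820000, 0x0000c000}},
};
#define NFRAMES (sizeof STACK / sizeof STACK[0])

/* Arg1 must equal base register + displacement; otherwise the trap frame
 * does not belong to the faulting instruction and the rest is moot. */
int base_matches_fault(uint32_t fault_addr, uint32_t base, uint32_t disp)
{
    return fault_addr - disp == base;
}

/* Assumed 2 GB/2 GB split: below 0x80000000 is user space. A kernel object
 * pointer (EPROCESS/ETHREAD live in nonpaged pool) can never be down there. */
int is_user_address(uint32_t va)
{
    return va < 0x80000000u;
}

/* How many of the four bytes of a value are printable ASCII. A pointer slot
 * overwritten by string data tends to score 3 or 4 here. */
int printable_bytes(uint32_t v)
{
    int n = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((v >> (8 * i)) & 0xffu);
        if (isprint(b))
            n++;
    }
    return n;
}

/* Walk outward from the crash: return the highest frame index whose kb
 * argument columns still carry the bad value, or -1 if none do. The value
 * was produced in the caller of that frame (index + 1), which is where to
 * look next; this is the "walk backwards" step in code form. */
int outermost_frame_with_value(const Frame *frames, size_t n, uint32_t value)
{
    int found = -1;
    for (size_t i = 0; i < n; i++)
        for (int a = 0; a < 3; a++)
            if (frames[i].args[a] == value)
                found = (int)i;
    return found;
}

int main(void)
{
    printf("bugcheck 0xA: %s of %08x at IRQL %u, ip %08x\n",
           ARG3_IS_WRITE ? "write" : "read", (unsigned)ARG1_FAULT_ADDRESS,
           (unsigned)ARG2_IRQL, (unsigned)ARG4_FAULT_IP);
    printf("edi consistent with [edi+0x%x]: %s\n", (unsigned)INSN_DISP,
           base_matches_fault(ARG1_FAULT_ADDRESS, TRAP_EDI, INSN_DISP) ? "yes" : "no");
    printf("base %08x is a user-mode address: %s\n", (unsigned)TRAP_EDI,
           is_user_address(TRAP_EDI) ? "yes" : "no");
    printf("printable bytes in base: %d of 4\n", printable_bytes(TRAP_EDI));

    int f = outermost_frame_with_value(STACK, NFRAMES, TRAP_EDI);
    if (f < 0)
        printf("bad value not visible in any argument column\n");
    else
        printf("bad value is an argument to %s; it was produced in %s\n",
               STACK[f].symbol,
               (size_t)f + 1 < NFRAMES ? STACK[f + 1].symbol : "(above the listed frames)");
    return 0;
}
```

For the posted values the base register checks out (0x636b7203 - 0x138 == 0x636b70cb), the base sits in user space although the code is kernel mode at DISPATCH_LEVEL, three of its four bytes are printable ASCII, and the value already appears as the second argument column of the ExpCopyThreadInfo frame, so the next place to look is ExpGetProcessInformation and whatever list it was walking when it handed that pointer down. One caveat when reading the user-mode part of the posted stack: names such as USER32!bCheckIfDualBootingWithWin31 and KERNEL32!ReplaceFileW do not fit a timer-message dispatch path and point to mismatched user-mode symbols, so only the nt frames should be trusted for this walk.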