Hi all,
We are having a machine (NT 2000, sp2) crash with IRQL_NOT_LESS_OR_EQUAL (see analyze to follow)…
Note that it’s taskmgr ‘causing’ the crash… Couple of questions:
- what the best way to take it from here
- What are the parameters for nt!ExpCopyThreadInfo and/or nt!ExpGetProcessInformation? I suspect that at least one param would be a thread or process struct, but either it’s really whacked or I can’t find it…
Thanks
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pagable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 636b7203, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80484a66, address which referenced memory
Debugging Details:
Unable to translate address 77e62730 with prototype PTE
Unable to translate address 77e62731 with prototype PTE
Unable to translate address 77e62730 with prototype PTE
Unable to translate address 77e62731 with prototype PTE
Unable to translate address 77e62730 with prototype PTE
Unable to translate address 77e62731 with prototype PTE
Unable to translate address 77e62730 with prototype PTE
Unable to translate address 77e62731 with prototype PTE
READ_ADDRESS: 636b7203
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExpCopyThreadInfo+10
80484a66 ffb738010000 push dword ptr [edi+0x138]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
TRAP_FRAME: f4908a00 -- (.trap fffffffff4908a00)
.trap fffffffff4908a00
ErrCode = 00000000
eax=636b70cb ebx=f4a99000 ecx=0000ad00 edx=00000003 esi=f4aa3c08 edi=636b70cb
eip=80484a66 esp=f4908a74 ebp=f4908b04 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010213
nt!ExpCopyThreadInfo+10:
80484a66 ffb738010000 push dword ptr [edi+0x138]
ds:0023:636b7203=???
.trap
Resetting default context
LAST_CONTROL_TRANSFER: from 804848e4 to 80484a66
STACK_TEXT:
f4908a84 804848e4 f4aa3cc0 636b70cb 0000c000 nt!ExpCopyThreadInfo+0x10
f4908b04 80493356 00820000 0000c000 f4908b78 nt!ExpGetProcessInformation+0x1f7
f4908d4c 80465091 00000005 00820000 0000c000 nt!NtQuerySystemInformation+0x7b1
f4908d4c 77f83b4a 00000005 00820000 0000c000 nt!KiSystemService+0xc4
0006f794 01007e8c 0100d804 010024cd 000400d2 ntdll!RtlpAllocateDebugInfo+0xa6
0006f79c 010024cd 000400d2 00000000 77e872b0 taskmgr!CProcPage::TimerEvent+0xe
0006f9b8 010035b1 000400d2 00000000 00000113 taskmgr!MainWnd_OnTimer+0x36
0006f9e4 77e11d0a 000400d2 00000113 00000000 taskmgr!MainWindowProc+0x3b0
0006fa04 77e22b0d 01003201 000400d2 00000113 USER32!bCleanConvertedTTFs+0x2e
0006fa40 77e1b223 000400d2 00000113 00000000 USER32!InitClsMenuNameW+0x12
0006fa78 77e11bc8 77e1b202 000400d2 00000113 USER32!_FindDlgItem+0x7
0006fa78 77e11bc8 77e1b202 000400d2 00000113 USER32!bCheckIfDualBootingWithWin31+0x5a
0006fb04 77e11cef 0006ff1c 00000000 77e1aca5 USER32!bCheckIfDualBootingWithWin31+0x5a
0006fb34 01003c6f 000400d2 0036f130 00d2f67c USER32!bCleanConvertedTTFs+0x13
0006ff60 01003e57 01000000 00000000 0002077a taskmgr!WinMainT+0x42f
0006ffc0 77e9ca90 00d2f67c 77db638c 7ffdf000 taskmgr!ModuleEntry+0xc3
0006fff0 00000000 01003d94 00000000 000000c8 KERNEL32!ReplaceFileW+0x42b
FOLLOWUP_IP:
nt!ExpCopyThreadInfo+10
80484a66 ffb738010000 push dword ptr [edi+0x138]
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!ExpCopyThreadInfo+10
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 3d366b8b
STACK_COMMAND: .trap fffffffff4908a00 ; kb
BUCKET_ID: 0xA_nt!ExpCopyThreadInfo+10
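As a first step in triage, it helps to confirm which register held the bad pointer by recomputing the faulting memory operand from the trap frame and comparing it with Arg1. The script below is an added example (not part of the post) that does this over an excerpt of the !analyze -v output above; it assumes 32-bit x86 register names and the default 2 GB/2 GB address split (no /3GB), and uses a constructed copy of the relevant lines as input.

```python
import re

# Constructed excerpt of the !analyze -v output quoted in the post (not the full dump).
ANALYSIS = """\
Arg1: 636b7203, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80484a66, address which referenced memory
eax=636b70cb ebx=f4a99000 ecx=0000ad00 edx=00000003 esi=f4aa3c08 edi=636b70cb
eip=80484a66 esp=f4908a74 ebp=f4908b04 iopl=0 nv up ei pl nz ac pe cy
80484a66 ffb738010000 push dword ptr [edi+0x138]
"""

def parse_args(text):
    """Return the four bug-check arguments as ints, keyed 'Arg1'..'Arg4'."""
    return {k: int(v, 16) for k, v in re.findall(r"(Arg[1-4]): ([0-9a-f]{8}),", text)}

def parse_registers(text):
    """Collect 'reg=hex' pairs from the x86 trap-frame register dump."""
    pat = r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})"
    return {r: int(v, 16) for r, v in re.findall(pat, text)}

def effective_address(operand, regs):
    """Compute base+disp for a simple memory operand such as [edi+0x138]."""
    m = re.fullmatch(r"\[(e[a-z]{2})(?:\+(0x[0-9a-f]+))?\]", operand)
    if not m:
        raise ValueError(f"unsupported operand {operand!r}")
    base, disp = m.group(1), int(m.group(2) or "0", 16)
    return (regs[base] + disp) & 0xFFFFFFFF

def address_region(addr):
    """Classify a 32-bit address under the default 2 GB user / 2 GB kernel split."""
    return "user-mode range" if addr < 0x80000000 else "kernel-mode range"

def triage(text):
    """Cross-check Arg1 against the trap frame and report which register held the bad pointer."""
    args, regs = parse_args(text), parse_registers(text)
    insn = re.search(r"^[0-9a-f]{8} [0-9a-f]+ \w+ dword ptr (\[[^\]]+\])", text, re.M)
    operand = insn.group(1)
    base = re.match(r"\[(e[a-z]{2})", operand).group(1)
    ea = effective_address(operand, regs)
    return {
        "operand": operand,
        "effective_address": ea,
        "matches_arg1": ea == args["Arg1"],   # True when the dump is self-consistent
        "base_register": base,
        "base_value": regs[base],
        "base_region": address_region(regs[base]),
        "irql": args["Arg2"],
        "write": bool(args["Arg3"]),
    }
```

For this dump the computed address edi+0x138 equals Arg1, so edi (0x636b70cb, a value in the user-mode range) is the pointer that ExpCopyThreadInfo was handed; the next step is to walk ExpGetProcessInformation's frame to see where that value came from.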