Hello, I have a memory dump that is giving me problems in trying to
obtain answers from it. I can't for the life of me get a stack dump of
the thread that generated the exception. I cannot figure out who
called ExFreePoolWithTag or what its parameters were. Any help in
trying to figure out what happened?
Microsoft (R) Windows Debugger Version 6.0.0007.0
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [c:\temp\memory1.dmp]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;c:\kits\2216\files\release;c:\symbols
Executable search path is:
Windows 2000 Kernel Version 2195 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS Blade
Kernel base = 0x80400000 PsLoadedModuleList = 0x804836e0
Debug session time: Thu Jun 06 12:33:58 2002
System Uptime: 0 days 0:02:41.133
Loading Kernel Symbols
…
…
Loading unloaded module list
…
Loading User Symbols
… Module List has empty entry in it - skipping
Unable to read KLDR_DATA_TABLE_ENTRY at ee827cd8 - HRESULT 0x80004005
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {c0000005, 8046bf15, 1, 0}
Probably caused by : ntkrnlmp.exe ( nt!ExFreePoolWithTag+345 )
Followup: MachineOwner
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never
have hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
An exception code of 0x80000002 (STATUS_DATATYPE_MISALIGNMENT) indicates
that an unaligned data reference was encountered. The trap frame will
supply additional information.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8046bf15, The address that the exception occurred at
Arg3: 00000001, Parameter 0 of the exception
Arg4: 00000000, Parameter 1 of the exception
Debugging Details:
EXCEPTION_CODE: c0000005
FAULTING_IP:
nt!ExFreePoolWithTag+345
8046bf15 890a mov [edx],ecx
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00000000
WRITE_ADDRESS: 00000000
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 1E_W
LAST_CONTROL_TRANSFER: from 00000000 to 8042ed28
STACK_TEXT:
b9625988 00000000 00000000 00000000 00000000 nt!KiDispatchException+0x30e
FOLLOWUP_IP:
nt!ExFreePoolWithTag+345
8046bf15 890a mov [edx],ecx
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!ExFreePoolWithTag+345
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 3ad77869
STACK_COMMAND: kb
BUCKET_ID: 0x1E_W_nt!ExFreePoolWithTag+345
Followup: MachineOwner
0: kd> r
eax=ffdff13c ebx=0000001e ecx=b96255fc edx=8046a97e esi=b96259f8 edi=b96259a4
eip=8042ed28 esp=b96255cc ebp=b9625988 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KiDispatchException+30e:
8042ed28 53 push ebx
0: kd> kv
ChildEBP RetAddr Args to Child
b9625988 00000000 00000000 00000000 00000000 nt!KiDispatchException+0x30e (FPO: [Non-Fpo])
0: kd> dd esp
b96255cc 00000000 00000000 00000000 00000000
b96255dc 00000000 e2f2f5c8 00000000 00000000
b96255ec 00000000 00000000 00000000 e2f2f5e0
b96255fc 00000000 00000000 00000000 00000000
b962560c 00000000 e2f2f5f8 00000000 00000000
b962561c 00000000 00000000 00000000 e2f2f610
b962562c 00000000 00000000 00000000 00000000
b962563c 00000000 e2f2f628 00000000 00000000
0: kd> d edx
8046a97e 04244c8b 060441f7 b8000000 00000001
8046a98e 4c8b1275 548b0824 418b1024 b8028908
8046a99e 00000002 8b0010c2 f704244c 00060441
8046a9ae 01b80000 74000000 244c8b12 24548b08
8046a9be 08418b10 03b80289 c2000000 4c8b0010
8046a9ce 098b0424 000d8964 c2000000 8b530004
8046a9de 8908245c 0000b083 ac8b8900 89000000
8046a9ee 0000a893 24048b00 00a48389 b3890000
0: kd> d esi
b96259f8 00000000 00000000 e2f2f9e8 00000000
b9625a08 00000000 00000000 00000000 00000000
b9625a18 e2f2fa00 00000000 00000000 00000000
b9625a28 00000000 00000000 e2f2fa18 00000000
b9625a38 00000000 00000000 00000000 00000000
b9625a48 e2f2fa30 00000000 00000000 00000000
b9625a58 00000000 00000000 e2f2fa48 00000000
b9625a68 00000000 00000000 00000000 00000000
0: kd> d eax
ffdff13c 00000000 00000000 00000000 00000000
ffdff14c 00000000 00000000 00000000 00000000
ffdff15c 00000000 00000000 00000000 00000000
ffdff16c 00000000 00000000 00000000 00000000
ffdff17c 00000000 00000000 00000000 00000000
ffdff18c 00000000 00000000 00000000 00000000
ffdff19c 00000000 00000000 00000000 00000000
ffdff1ac 00000000 00000000 00000000 00000000
0: kd> d ecx
b96255fc 00000000 00000000 00000000 00000000
b962560c 00000000 e2f2f5f8 00000000 00000000
b962561c 00000000 00000000 00000000 e2f2f610
b962562c 00000000 00000000 00000000 00000000
b962563c 00000000 e2f2f628 00000000 00000000
b962564c 00000000 00000000 00000000 e2f2f640
b962565c 00000000 00000000 00000000 00000000
b962566c 00000000 e2f2f658 00000000 00000000
0: kd> d edi
b96259a4 00000000 00000000 00000000 00000000
b96259b4 00000000 e2f2f9a0 00000000 00000000
b96259c4 00000000 00000000 00000000 e2f2f9b8
b96259d4 00000000 00000000 00000000 00000000
b96259e4 00000000 e2f2f9d0 00000000 00000000
b96259f4 00000000 00000000 00000000 e2f2f9e8
b9625a04 00000000 00000000 00000000 00000000
b9625a14 00000000 e2f2fa00 00000000 00000000
0: kd> !thread
THREAD 8884f8a0 Cid 530.6c0 Teb: 7ffab000 Win32Thread: a21ef748 RUNNING
Not impersonating
Owning Process 888cda40
WaitTime (seconds) 10312
Context Switch Count 200 LargeStack
UserTime 0:00:00.0000
KernelTime 0:00:00.0000
Start Address KERNEL32!BaseThreadStartThunk (0x77e87532)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for MSVCRT.dll -
Win32 Start Address MSVCRT!beginthread (0x7800a224)
Stack Init b9626000 Current b9625c18 Base b9626000 Limit b9622000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
b9625988 00000000 00000000 00000000 00000000 nt!KiDispatchException+0x30e
0: kd> !process
PROCESS 888cda40 SessionId: 0 Cid: 0530 Peb: 7ffdf000 ParentCid: 0168
DirBase: 14d65000 ObjectTable: 88915d08 TableSize: 537.
Image: WinMgmt.exe
VadRoot 88c605e8 Clone 0 Private 1244. Modified 5435. Locked 0.
DeviceMap 89061288
Token e3fac6f0
ElapsedTime 0:00:40.0750
UserTime 0:00:01.0205
KernelTime 0:00:00.0334
QuotaPoolUsage[PagedPool] 48024
QuotaPoolUsage[NonPagedPool] 22124
Working Set Sizes (now,min,max) (1725, 50, 345) (6900KB, 200KB, 1380KB)
PeakWorkingSetSize 2327
VirtualSize 77 Mb
PeakVirtualSize 77 Mb
PageFaultCount 15574
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 1365