I’ve been a member of the list for a few years, but have only posted a
couple of times. I’ve been asked to look over a mini dump for a Win2k3
Cluster node that is occasionally crashing. I don’t get a lot of
practice troubleshooting memory dumps, so I apologize if this is a
trivial issue.
After looking this over, my assessment is that because arg1 == arg4, and
that the exception occurred when EBP is pushed on the stack for the
setup of KSecDD!SspRc4Key, my thinking is that KSecDD was paged out.
Because IRQL is currently 2, if KSecDD was paged out, execution
transferring to KSecDD would cause this exception. What confuses me
though is that I can look at the address via ‘dd ba3e07e9’. If this
memory address was paged out, shouldn’t I expect to see ?'s instead of
data?
Is my reasoning for the cause of this exception sound? Or am I
overlooking something?
I would really like to build up my troubleshooting skills with Windbg,
so if anyone has any tips for further analysis, I would appreciate it
greatly. Likewise, if I’m completely wrong in my analysis, I would
welcome any tips to get me moving in the correct direction.
Kurt
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address
at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ba3e07e9, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: ba3e07e9, address which referenced memory
Debugging Details:
READ_ADDRESS: ba3e07e9
CURRENT_IRQL: 2
FAULTING_IP:
KSecDD!SspRc4Key+0
ba3e07e9 55 push ebp
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xD1
LAST_CONTROL_TRANSFER: from ba3e374c to ba3e07e9
STACK_TEXT:
bacd37f0 ba3e374c 63888255 884441d8 bacd3968 KSecDD!SspRc4Key
bacd3980 80704e9d ba3da85b bacd39d0 ba3e3a0d KSecDD!SspSignSealHelper+0x18c
bacd39b0 80542b4c 00000001 00000000 879d2e70 hal!HalpSendIpi+0xd
bacd39e4 b92e31df b92eb234 bacd3a2c 00000000 nt!ExRemoveHeadNBQueue+0xa0
bacd3a38 b92eb234 bacd3a68 b92e34b5 898f9318
clusnet!CcmpProcessReceivePacket+0x237
87399008 00000000 00000000 00000000 00000000 clusnet!SecurityContexts+0x14
STACK_COMMAND: .bugcheck ; kb
FAILED_INSTRUCTION_ADDRESS:
KSecDD!SspRc4Key+0
ba3e07e9 55 push ebp
FOLLOWUP_IP:
KSecDD!SspRc4Key+0
ba3e07e9 55 push ebp
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: KSecDD!SspRc4Key+0
MODULE_NAME: KSecDD
IMAGE_NAME: KSecDD.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 3e7fffc3
FAILURE_BUCKET_ID: 0xD1_CODE_AV_BAD_IP_KSecDD!SspRc4Key+0
BUCKET_ID: 0xD1_CODE_AV_BAD_IP_KSecDD!SspRc4Key+0
Followup: MachineOwner