Hi!
A customer got back to us with what seems an interesting dump, and I would appreciate some help in understanding the dump. The driver works fine on 3400 computers but fails on 200 and, from what I have been told, these are mostly sys-admins' computers which have additional software that end users do not have.
Our driver: f3436000 f346b000 pmsecdrv.sys
Our driver is a legacy driver and it cannot be stopped, and I was surprised to find it in the "unloaded modules" list when I tried the lm command (see later on).
Q: Do I have to deduce that the system was shutting down?
The memory referenced points to our driver, but our driver had already been unloaded. I suspect that since our driver hooks a couple of functions (and does not un-hook them), the system crashed when trying to call such functions.
But why would that happen if our driver does not support unload?
Any idea/tip/comment is welcome.
thanks,
Marco
Microsoft (R) Windows Debugger Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [E:\2del\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.050301-1526
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054c850
Debug session time: Thu Oct 13 21:29:52.928 2005 (GMT+2)
System Uptime: 0 days 0:19:17.364
Loading Kernel Symbols
…
Loading unloaded module list
…
Loading User Symbols
*******************************************************************************
*                            Bugcheck Analysis                                *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D4, {f34673c8, ff, 1, 804d87b7}
Probably caused by : ntoskrnl.exe ( nt!ExfInterlockedInsertTailList+d )
Followup: MachineOwner
kd> !analyze -v
*******************************************************************************
*                            Bugcheck Analysis                                *
*******************************************************************************
SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD (d4)
A driver unloaded without cancelling lookaside lists, DPCs, worker threads, etc.
The broken driver’s name is displayed on the screen.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
An attempt was made to access the driver at raised IRQL after it unloaded.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: f34673c8, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 804d87b7, address which referenced memory
Debugging Details:
WRITE_ADDRESS: f34673c8
CURRENT_IRQL: ff
FAULTING_IP:
nt!ExfInterlockedInsertTailList+d
804d87b7 8910 mov [eax],edx
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD4
LAST_CONTROL_TRANSFER: from 804e4f1d to 804d87b7
TRAP_FRAME: f89798cc -- (.trap fffffffff89798cc)
ErrCode = 00000002
eax=f34673c8 ebx=81f98ac8 ecx=80550da8 edx=82182da0 esi=82182da0 edi=82182dd8
eip=804d87b7 esp=f8979940 ebp=f89799f0 iopl=0 nv up di pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010046
nt!ExfInterlockedInsertTailList+0xd:
804d87b7 8910 mov [eax],edx ds:0023:f34673c8=???
Resetting default scope
STACK_TEXT:
f8979940 804e4f1d 8054398c f8979990 82182d68 nt!ExfInterlockedInsertTailList+0xd
f8979950 804eba2a 82182da0 f8979a28 00004000 nt!ExInitializeResourceLite+0x43
f8979964 804eb928 81f98ac8 82251dd8 f8979990 nt!CcAllocateInitializeBcb+0x6c
f89799f0 80566d55 821b11e0 f8979a44 00004000 nt!CcPinFileData+0x1d2
f8979a64 8057a61f 821b11e0 f8979a90 00004000 nt!CcPinMappedData+0xf4
f8979ab4 8057a57f e1036008 e10e77d0 cd096c3c nt!CmpPinCmView+0x3d
f8979acc 80586327 e1036008 000c0190 e1036008 nt!HvMarkCellDirty+0x67
f8979aec 80586420 e1036008 002d5c38 e23e8ab8 nt!CmpMarkKeyDirty+0xa0
f8979b04 80585dbf e1036008 002d5c38 00000001 nt!CmpFreeKeyByCell+0x12
f8979b34 80585fc3 e2c173f8 f8979ba0 f8979c1c nt!CmDeleteKey+0x8a
f8979b94 804dad01 80000894 80584dec 00000000 nt!NtDeleteKey+0x138
f8979b94 804d91f6 80000894 80584dec 00000000 nt!KiSystemService+0xc4
f8979c10 805a83ef 80000894 c0000365 00000000 nt!ZwDeleteKey+0x11
f8979c90 805c445d 00000b14 00000000 00000000 nt!IopDriverLoadingFailed+0x271
f8979d4c 8059773d 00000b14 81d0e000 821297b8 nt!IopLoadDriver+0x286
f8979d74 804e0f89 00000b14 00000000 823ca020 nt!IopLoadUnloadDriver+0x43
f8979dac 805609b0 f44f2cf4 00000000 00000000 nt!ExpWorkerThread+0xfe
f8979ddc 804e8c54 804e0eb6 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
nt!ExfInterlockedInsertTailList+d
804d87b7 8910 mov [eax],edx
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!ExfInterlockedInsertTailList+d
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 422517e4
STACK_COMMAND: .trap fffffffff89798cc ; kb
FAILURE_BUCKET_ID: 0xD4_W_nt!ExfInterlockedInsertTailList+d
BUCKET_ID: 0xD4_W_nt!ExfInterlockedInsertTailList+d
Followup: MachineOwner
kd> lm
start end module name
bf9b7000 bfc7c220 nv4_disp T (no symbols) // nvidia
f398f000 f3991ac0 SYMREDRV (no symbols) // process Redirector Filter Driver ( Symantec )
f39c3000 f39d1000 Unknown_Module_f39c3000 T (no symbols)
f3b2b000 f3b2f000 Unknown_Module_f3b2b000 T (no symbols)
f3f33000 f3f67820 Unknown_Module_f3f33000 (no symbols)
f440f000 f4412000 __________ T (no symbols)
f6c2d000 f6c6d000 SYMTDI T (no symbols) // symantec
f6ce0000 f6cf2000 naveng T (no symbols) // symantec
f6cf2000 f6d94000 navex15 T (no symbols) // symantec
f6da7000 f6df6000 savrt (no symbols) // symantec
f7dfe000 f7e01000 mdc8021x T (no symbols) // IEEE 802.1X Protocol Driver (software AEGIS Client by Meetinghouse Data Communications)
f7e6d000 f7e8fe00 ipsecw2k (no symbols)
f7fbf000 f7fdede0 ptserial (no symbols) // PC Tel driver. PC Tel modem driver
f804b000 f8061640 Apfiltr (no symbols) // Alps Pointing-device Driver
f8626000 f8636000 Savrtpel (no symbols) // symantec
f8696000 f869f000 atmdlc T (no symbols) // Attachmate DLC Protocol
f8726000 f8734200 drmk (export symbols) drmk.sys ( managing the digital rights of kernel-streaming audio Microsoft)
f887e000 f8882300 omci (no symbols) // dell open manage client
f88d6000 f88de000 Unknown_Module_f88d6000 T (no symbols)
f8a1a000 f8a1c7a0 eacfilt (no symbols) // NDIS Filter Intermediate Drive
f8a7a000 f8a7c000 _____ T (no symbols)
f8aac000 f8aae000 dump_WMILIB T (no symbols)
Unloaded modules:
f3436000 f346b000 pmsecdrv.sys
f3818000 f383f000 kmixer.sys
f8c18000 f8c19000 drmkaud.sys
f3af3000 f3b00000 DMusic.sys
f4152000 f4160000 swmidi.sys
f3850000 f3873000 aec.sys
f8a5c000 f8a5e000 splitter.sys
f6a94000 f6aaa000 dump_atapi.s
f88be000 f88c3000 Cdaudio.SYS
f8232000 f8235000 Sfloppy.SYS
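
An added example (not part of the original post, and not the poster's code): a small Python triage helper that takes Arg1 from the "BugCheck" summary line and the `lm` ranges shown in the dump above and reports which loaded or unloaded module range covers the address. The function names and the trimmed SAMPLE text are constructed for illustration; the addresses in it are the ones from the dump.

```python
import re

# Constructed sample: a few lines copied from the dump in the post above.
SAMPLE = """\
BugCheck D4, {f34673c8, ff, 1, 804d87b7}
kd> lm
start    end        module name
f398f000 f3991ac0   SYMREDRV   (no symbols)
f6c2d000 f6c6d000   SYMTDI   T (no symbols)
Unloaded modules:
f3436000 f346b000   pmsecdrv.sys
f3818000 f383f000   kmixer.sys
"""

RANGE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.I)
BUGCHECK = re.compile(r"BugCheck\s+([0-9A-F]+),\s*\{([^}]*)\}", re.I)

def parse_modules(text):
    """Return (loaded, unloaded) lists of (start, end, name) from `lm` output."""
    loaded, unloaded, current = [], [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("start") and "module name" in s:
            current = loaded            # header of the loaded-module table
        elif s.lower().startswith("unloaded modules"):
            current = unloaded          # everything after this is unloaded
        elif current is not None:
            m = RANGE.match(s)
            if m:
                current.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return loaded, unloaded

def resolve(addr, text):
    """Map addr to (state, module, offset), or None if no listed range covers it."""
    loaded, unloaded = parse_modules(text)
    # Loaded ranges win: an unloaded module's range may have been reused.
    for state, mods in (("loaded", loaded), ("unloaded", unloaded)):
        for start, end, name in mods:
            if start <= addr < end:
                return state, name, addr - start
    return None

def bugcheck_args(text):
    """Return (code, [arg1..arg4]) as ints from the 'BugCheck' summary line."""
    m = BUGCHECK.search(text)
    code = int(m.group(1), 16)
    return code, [int(a.strip(), 16) for a in m.group(2).split(",")]

if __name__ == "__main__":
    code, args = bugcheck_args(SAMPLE)
    print(hex(code), resolve(args[0], SAMPLE))
```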