PAGE_FAULT_IN_NONPAGED_AREA (50)

Sunil_Patil · June 22, 2011, 7:04am

Hi,

One of our machine (win2k3 server 32-bit) crashed. We got following dump.
Process name “inmsync.exe” mentioned here is our module. Can somebody tell
if “inmsync.exe” is the culprit or something else. How can I debug this
further?

Thanks,
Sunil

1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except,
it must be protected by a Probe. Typically the address is just plain bad or
it
is pointing at freed memory.
Arguments:
Arg1: bca31840, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf8b7fdf, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

Page ba292 not present in the dump file. Type “.hh dbgerr004” for details
Page b3712 not present in the dump file. Type “.hh dbgerr004” for details
Page b3712 not present in the dump file. Type “.hh dbgerr004” for details
Page b3712 not present in the dump file. Type “.hh dbgerr004” for details
Page b3712 not present in the dump file. Type “.hh dbgerr004” for details
PEB is paged out (Peb.Ldr = 7ffd600c). Type “.hh dbgerr001” for details
PEB is paged out (Peb.Ldr = 7ffd600c). Type “.hh dbgerr001” for details

READ_ADDRESS: bca31840

FAULTING_IP:
win32k!DestroyThreadsObjects+4f
bf8b7fdf 8b01 mov eax,dword ptr [ecx]

MM_INTERNAL_CODE: 0

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4d6f9db6

MODULE_NAME: win32k

FAULTING_MODULE: bf800000 win32k

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: inmsync.exe

CURRENT_IRQL: 1

TRAP_FRAME: f34b6b7c – (.trap 0xfffffffff34b6b7c)
ErrCode = 00000000
eax=bca31810 ebx=00000060 ecx=bca31840 edx=80000002 esi=e721fea8
edi=00000480
eip=bf8b7fdf esp=f34b6bf0 ebp=f34b6c3c iopl=0 nv up ei pl zr na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
win32k!DestroyThreadsObjects+0x4f:
bf8b7fdf 8b01 mov eax,dword ptr [ecx]
ds:0023:bca31840=bca31720
Resetting default scope

LAST_CONTROL_TRANSFER: from 8085ed47 to 80827c83

STACK_TEXT:
f34b6aec 8085ed47 00000050 bca31840 00000000 nt!KeBugCheckEx+0x1b
f34b6b64 8088c820 00000000 bca31840 00000000 nt!MmAccessFault+0xb25
f34b6b64 bf8b7fdf 00000000 bca31840 00000000 nt!KiTrap0E+0xdc
f34b6bf8 bf8b832c ba882db0 00000000 00000000
win32k!DestroyThreadsObjects+0x4f
f34b6c3c bf8b6bd1 00000001 f34b6c64 bf8b7a2e
win32k!xxxDestroyThreadInfo+0x206
f34b6c48 bf8b7a2e ba882db0 00000001 00000000 win32k!UserThreadCallout+0x4b
f34b6c64 8094c3d2 ba882db0 00000001 b98c04e0 win32k!W32pThreadCallout+0x3a
f34b6cf0 8094c68f 00000000 f34b6d4c 8082e0d6 nt!PspExitThread+0x3b2
f34b6cfc 8082e0d6 b98c04e0 f34b6d48 f34b6d3c nt!PsExitSpecialApc+0x1d
f34b6d4c 80889897 00000001 00000000 f34b6d64 nt!KiDeliverApc+0x1ae
f34b6d4c 7c82847c 00000001 00000000 f34b6d64 nt!KiServiceExit+0x56
WARNING: Frame IP not in any known module. Following frames may be wrong.
18d8cd84 00000000 00000000 00000000 00000000 0x7c82847c

STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!DestroyThreadsObjects+4f
bf8b7fdf 8b01 mov eax,dword ptr [ecx]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: win32k!DestroyThreadsObjects+4f

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_win32k!DestroyThreadsObjects+4f

BUCKET_ID: 0x50_win32k!DestroyThreadsObjects+4f

Followup: MachineOwner

1: kd> .trap 0xfffffffff34b6b7c
ErrCode = 00000000
eax=bca31810 ebx=00000060 ecx=bca31840 edx=80000002 esi=e721fea8
edi=00000480
eip=bf8b7fdf esp=f34b6bf0 ebp=f34b6c3c iopl=0 nv up ei pl zr na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010246
win32k!DestroyThreadsObjects+0x4f:
bf8b7fdf 8b01 mov eax,dword ptr [ecx]
ds:0023:bca31840=bca31720

1: kd> !process 0 7 inmsync.exe
PROCESS b9774a68 SessionId: 0 Cid: 01c0 Peb: 7ffd6000 ParentCid: 16a0
DirBase: bffcfc40 ObjectTable: e1054578 HandleCount: 113.
Image: inmsync.exe
VadRoot ba3f99a8 Vads 68 Clone 0 Private 294. Modified 2. Locked 0.
DeviceMap e1001888
Token e6c3ade0
ElapsedTime 00:00:02.593
UserTime 00:00:00.015
KernelTime 00:00:00.046
QuotaPoolUsage[PagedPool] 39164
QuotaPoolUsage[NonPagedPool] 3472
Working Set Sizes (now,min,max) (1193, 50, 345) (4772KB, 200KB, 1380KB)
PeakWorkingSetSize 1194
VirtualSize 414 Mb
PeakVirtualSize 416 Mb
PageFaultCount 1251
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 796
Job b9787be0

THREAD b96bbb60 Cid 01c0.108c Teb: 7ffdf000 Win32Thread: e74b95f0
WAIT: (Unknown) UserMode Non-Alertable
ba7ca958 NotificationEvent
b96bbbd8 NotificationTimer
Impersonation token: e69a2210 (Level Impersonation)
Owning Process b9774a68 Image: inmsync.exe
Attached Process N/A Image: N/A
Wait Start TickCount 62732768 Ticks: 0
Context Switch Count 423 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address 0x00401000
Start Address 0x77e617f8
Stack Init f380b000 Current f380ac60 Base f380b000 Limit f3807000
Call 0
Priority 9 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f380ac78 80833491 b96bbb60 b96bbc08 00000001 nt!KiSwapContext+0x26
(FPO: [Uses EBP] [0,0,4])
f380aca4 80829a82 00000000 f380ad14 00000000 nt!KiSwapThread+0x2e5
(FPO: [0,7,0])
f380acec 80938e0a ba7ca958 00000006 0080ad01
nt!KeWaitForSingleObject+0x346 (FPO: [5,13,4])
f380ad50 808897ec 00000614 00000000 f380ad14
nt!NtWaitForSingleObject+0x9a (FPO: [SEH])
f380ad50 7c82847c 00000614 00000000 f380ad14 nt!KiFastCallEntry+0xfc
(FPO: [0,0] TrapFrame @ f380ad64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
0022b454 00000000 00000000 00000000 00000000 0x7c82847c

THREAD ba882db0 Cid 01c0.1d74 Teb: 7ffdd000 Win32Thread: e721fea8
RUNNING on processor 1
Not impersonating
DeviceMap e1001888
Owning Process b9774a68 Image: inmsync.exe
Attached Process N/A Image: N/A
Wait Start TickCount 62732768 Ticks: 0
Context Switch Count 44 LargeStack
UserTime 00:00:00.015
KernelTime 00:00:00.015
Win32 Start Address 0x61003650
Start Address 0x77e617ec
Stack Init f34b7000 Current f34b6660 Base f34b7000 Limit f34b3000
Call 0
Priority 10 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f34b6aec 8085ed47 00000050 bca31840 00000000 nt!KeBugCheckEx+0x1b
(FPO: [5,0,0])
f34b6b64 8088c820 00000000 bca31840 00000000 nt!MmAccessFault+0xb25
(FPO: [4,20,0])
f34b6b64 bf8b7fdf 00000000 bca31840 00000000 nt!KiTrap0E+0xdc (FPO:
[0,0] TrapFrame @ f34b6b7c)
f34b6bf8 bf8b832c ba882db0 00000000 00000000
win32k!DestroyThreadsObjects+0x4f (FPO: [0,0,0])
f34b6c3c bf8b6bd1 00000001 f34b6c64 bf8b7a2e
win32k!xxxDestroyThreadInfo+0x206 (FPO: [SEH])
f34b6c48 bf8b7a2e ba882db0 00000001 00000000
win32k!UserThreadCallout+0x4b (FPO: [2,0,4])
f34b6c64 8094c3d2 ba882db0 00000001 b98c04e0
win32k!W32pThreadCallout+0x3a (FPO: [2,0,0])
f34b6cf0 8094c68f 00000000 f34b6d4c 8082e0d6 nt!PspExitThread+0x3b2
(FPO: [SEH])
f34b6cfc 8082e0d6 b98c04e0 f34b6d48 f34b6d3c
nt!PsExitSpecialApc+0x1d (FPO: [5,0,0])
f34b6d4c 80889897 00000001 00000000 f34b6d64 nt!KiDeliverApc+0x1ae
(FPO: [3,10,0])
f34b6d4c 7c82847c 00000001 00000000 f34b6d64 nt!KiServiceExit+0x56
(FPO: [0,0] TrapFrame @ f34b6d64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
18d8cd84 00000000 00000000 00000000 00000000 0x7c82847c

THREAD b971a6f0 Cid 01c0.1430 Teb: 7ffdc000 Win32Thread: 00000000
WAIT: (Unknown) KernelMode Non-Alertable
b971a768 NotificationTimer
Impersonation token: e69a2210 (Level Impersonation)
Owning Process b9774a68 Image: inmsync.exe
Attached Process N/A Image: N/A
Wait Start TickCount 62732768 Ticks: 0
Context Switch Count 7
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x7c80e0b2
Start Address 0x77e617ec
Stack Init f2edb000 Current f2edabac Base f2edb000 Limit f2ed8000
Call 0
Priority 10 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f2edabc4 80833491 b971a6f0 b971a7e0 00000000 nt!KiSwapContext+0x26
(FPO: [Uses EBP] [0,0,4])
f2edabf0 80828f2b 80a603f4 80a600b4 b971a8f8 nt!KiSwapThread+0x2e5
(FPO: [0,7,0])
f2edac38 808ea866 00000000 00000000 ffdff630
nt!KeDelayExecutionThread+0x2ab (FPO: [3,13,0])
f2edac68 8094c486 b971a6f0 baa459f8 00000000
nt!IoCancelThreadIo+0x62 (FPO: [1,4,0])
f2edacf0 8094c68f 00000000 f2edad4c 8082e0d6 nt!PspExitThread+0x466
(FPO: [SEH])
f2edacfc 8082e0d6 baa459f8 f2edad48 f2edad3c
nt!PsExitSpecialApc+0x1d (FPO: [5,0,0])
f2edad4c 80889897 00000001 00000000 f2edad64 nt!KiDeliverApc+0x1ae
(FPO: [3,10,0])
f2edad4c 7c82847c 00000001 00000000 f2edad64 nt!KiServiceExit+0x56
(FPO: [0,0] TrapFrame @ f2edad64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
1932cd58 00000000 00000000 00000000 00000000 0x7c82847c

PROCESS b9719960 SessionId: 0 Cid: 101c Peb: 7ffde000 ParentCid: 01c0
DirBase: bffcff00 ObjectTable: 00000000 HandleCount: 0.
Image: inmsync.exe
VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 3. Locked 0.
DeviceMap e1001888
Token e12988f8
ElapsedTime 00:00:00.234
UserTime 00:00:00.015
KernelTime 562 Days 15:36:05.671
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (7, 50, 345) (28KB, 200KB, 1380KB)
PeakWorkingSetSize 979
VirtualSize 406 Mb
PeakVirtualSize 407 Mb
PageFaultCount 1006
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 0
Job b9787be0

No active threads

Gary_Little-3 · June 22, 2011, 7:33am

More than likely an application did not directly cause the system to panic. Do you have a kernel component you are developing? That would be my suspect.

Gary G. Little
C 952-454-4629
H 952-223-1349

On Jun 22, 2011, at 6:03, Sunil Patil wrote:

> Hi,
>
> One of our machine (win2k3 server 32-bit) crashed. We got following dump. Process name “inmsync.exe” mentioned here is our module. Can somebody tell if “inmsync.exe” is the culprit or something else. How can I debug this further?
>
> Thanks,
> Sunil
>
>
> 1: kd> !analyze -v
> ***
> *
> * Bugcheck Analysis
> *
>
>
> PAGE_FAULT_IN_NONPAGED_AREA (50)
> Invalid system memory was referenced. This cannot be protected by try-except,
> it must be protected by a Probe. Typically the address is just plain bad or it
> is pointing at freed memory.
> Arguments:
> Arg1: bca31840, memory referenced.
> Arg2: 00000000, value 0 = read operation, 1 = write operation.
> Arg3: bf8b7fdf, If non-zero, the instruction address which referenced the bad memory
> address.
> Arg4: 00000000, (reserved)
>
> Debugging Details:
> ------------------
>
> Page ba292 not present in the dump file. Type “.hh dbgerr004” for details
> Page b3712 not present in the dump file. Type “.hh dbgerr004” for details
> Page b3712 not present in the dump file. Type “.hh dbgerr004” for details
> Page b3712 not present in the dump file. Type “.hh dbgerr004” for details
> Page b3712 not present in the dump file. Type “.hh dbgerr004” for details
> PEB is paged out (Peb.Ldr = 7ffd600c). Type “.hh dbgerr001” for details
> PEB is paged out (Peb.Ldr = 7ffd600c). Type “.hh dbgerr001” for details
>
> READ_ADDRESS: bca31840
>
> FAULTING_IP:
> win32k!DestroyThreadsObjects+4f
> bf8b7fdf 8b01 mov eax,dword ptr [ecx]
>
> MM_INTERNAL_CODE: 0
>
> IMAGE_NAME: win32k.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 4d6f9db6
>
> MODULE_NAME: win32k
>
> FAULTING_MODULE: bf800000 win32k
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0x50
>
> PROCESS_NAME: inmsync.exe
>
> CURRENT_IRQL: 1
>
> TRAP_FRAME: f34b6b7c – (.trap 0xfffffffff34b6b7c)
> ErrCode = 00000000
> eax=bca31810 ebx=00000060 ecx=bca31840 edx=80000002 esi=e721fea8 edi=00000480
> eip=bf8b7fdf esp=f34b6bf0 ebp=f34b6c3c iopl=0 nv up ei pl zr na pe nc
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
> win32k!DestroyThreadsObjects+0x4f:
> bf8b7fdf 8b01 mov eax,dword ptr [ecx] ds:0023:bca31840=bca31720
> Resetting default scope
>
> LAST_CONTROL_TRANSFER: from 8085ed47 to 80827c83
>
> STACK_TEXT:
> f34b6aec 8085ed47 00000050 bca31840 00000000 nt!KeBugCheckEx+0x1b
> f34b6b64 8088c820 00000000 bca31840 00000000 nt!MmAccessFault+0xb25
> f34b6b64 bf8b7fdf 00000000 bca31840 00000000 nt!KiTrap0E+0xdc
> f34b6bf8 bf8b832c ba882db0 00000000 00000000 win32k!DestroyThreadsObjects+0x4f
> f34b6c3c bf8b6bd1 00000001 f34b6c64 bf8b7a2e win32k!xxxDestroyThreadInfo+0x206
> f34b6c48 bf8b7a2e ba882db0 00000001 00000000 win32k!UserThreadCallout+0x4b
> f34b6c64 8094c3d2 ba882db0 00000001 b98c04e0 win32k!W32pThreadCallout+0x3a
> f34b6cf0 8094c68f 00000000 f34b6d4c 8082e0d6 nt!PspExitThread+0x3b2
> f34b6cfc 8082e0d6 b98c04e0 f34b6d48 f34b6d3c nt!PsExitSpecialApc+0x1d
> f34b6d4c 80889897 00000001 00000000 f34b6d64 nt!KiDeliverApc+0x1ae
> f34b6d4c 7c82847c 00000001 00000000 f34b6d64 nt!KiServiceExit+0x56
> WARNING: Frame IP not in any known module. Following frames may be wrong.
> 18d8cd84 00000000 00000000 00000000 00000000 0x7c82847c
>
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> win32k!DestroyThreadsObjects+4f
> bf8b7fdf 8b01 mov eax,dword ptr [ecx]
>
> SYMBOL_STACK_INDEX: 3
>
> SYMBOL_NAME: win32k!DestroyThreadsObjects+4f
>
> FOLLOWUP_NAME: MachineOwner
>
> FAILURE_BUCKET_ID: 0x50_win32k!DestroyThreadsObjects+4f
>
> BUCKET_ID: 0x50_win32k!DestroyThreadsObjects+4f
>
> Followup: MachineOwner
> ---------
>
> 1: kd> .trap 0xfffffffff34b6b7c
> ErrCode = 00000000
> eax=bca31810 ebx=00000060 ecx=bca31840 edx=80000002 esi=e721fea8 edi=00000480
> eip=bf8b7fdf esp=f34b6bf0 ebp=f34b6c3c iopl=0 nv up ei pl zr na pe nc
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
> win32k!DestroyThreadsObjects+0x4f:
> bf8b7fdf 8b01 mov eax,dword ptr [ecx] ds:0023:bca31840=bca31720
>
>
> 1: kd> !process 0 7 inmsync.exe
> PROCESS b9774a68 SessionId: 0 Cid: 01c0 Peb: 7ffd6000 ParentCid: 16a0
> DirBase: bffcfc40 ObjectTable: e1054578 HandleCount: 113.
> Image: inmsync.exe
> VadRoot ba3f99a8 Vads 68 Clone 0 Private 294. Modified 2. Locked 0.
> DeviceMap e1001888
> Token e6c3ade0
> ElapsedTime 00:00:02.593
> UserTime 00:00:00.015
> KernelTime 00:00:00.046
> QuotaPoolUsage[PagedPool] 39164
> QuotaPoolUsage[NonPagedPool] 3472
> Working Set Sizes (now,min,max) (1193, 50, 345) (4772KB, 200KB, 1380KB)
> PeakWorkingSetSize 1194
> VirtualSize 414 Mb
> PeakVirtualSize 416 Mb
> PageFaultCount 1251
> MemoryPriority BACKGROUND
> BasePriority 8
> CommitCharge 796
> Job b9787be0
>
> THREAD b96bbb60 Cid 01c0.108c Teb: 7ffdf000 Win32Thread: e74b95f0 WAIT: (Unknown) UserMode Non-Alertable
> ba7ca958 NotificationEvent
> b96bbbd8 NotificationTimer
> Impersonation token: e69a2210 (Level Impersonation)
> Owning Process b9774a68 Image: inmsync.exe
> Attached Process N/A Image: N/A
> Wait Start TickCount 62732768 Ticks: 0
> Context Switch Count 423 LargeStack
> UserTime 00:00:00.000
> KernelTime 00:00:00.031
> Win32 Start Address 0x00401000
> Start Address 0x77e617f8
> Stack Init f380b000 Current f380ac60 Base f380b000 Limit f3807000 Call 0
> Priority 9 BasePriority 8 PriorityDecrement 0
> ChildEBP RetAddr Args to Child
> f380ac78 80833491 b96bbb60 b96bbc08 00000001 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
> f380aca4 80829a82 00000000 f380ad14 00000000 nt!KiSwapThread+0x2e5 (FPO: [0,7,0])
> f380acec 80938e0a ba7ca958 00000006 0080ad01 nt!KeWaitForSingleObject+0x346 (FPO: [5,13,4])
> f380ad50 808897ec 00000614 00000000 f380ad14 nt!NtWaitForSingleObject+0x9a (FPO: [SEH])
> f380ad50 7c82847c 00000614 00000000 f380ad14 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ f380ad64)
> WARNING: Frame IP not in any known module. Following frames may be wrong.
> 0022b454 00000000 00000000 00000000 00000000 0x7c82847c
>
> THREAD ba882db0 Cid 01c0.1d74 Teb: 7ffdd000 Win32Thread: e721fea8 RUNNING on processor 1
> Not impersonating
> DeviceMap e1001888
> Owning Process b9774a68 Image: inmsync.exe
> Attached Process N/A Image: N/A
> Wait Start TickCount 62732768 Ticks: 0
> Context Switch Count 44 LargeStack
> UserTime 00:00:00.015
> KernelTime 00:00:00.015
> Win32 Start Address 0x61003650
> Start Address 0x77e617ec
> Stack Init f34b7000 Current f34b6660 Base f34b7000 Limit f34b3000 Call 0
> Priority 10 BasePriority 8 PriorityDecrement 0
> ChildEBP RetAddr Args to Child
> f34b6aec 8085ed47 00000050 bca31840 00000000 nt!KeBugCheckEx+0x1b (FPO: [5,0,0])
> f34b6b64 8088c820 00000000 bca31840 00000000 nt!MmAccessFault+0xb25 (FPO: [4,20,0])
> f34b6b64 bf8b7fdf 00000000 bca31840 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ f34b6b7c)
> f34b6bf8 bf8b832c ba882db0 00000000 00000000 win32k!DestroyThreadsObjects+0x4f (FPO: [0,0,0])
> f34b6c3c bf8b6bd1 00000001 f34b6c64 bf8b7a2e win32k!xxxDestroyThreadInfo+0x206 (FPO: [SEH])
> f34b6c48 bf8b7a2e ba882db0 00000001 00000000 win32k!UserThreadCallout+0x4b (FPO: [2,0,4])
> f34b6c64 8094c3d2 ba882db0 00000001 b98c04e0 win32k!W32pThreadCallout+0x3a (FPO: [2,0,0])
> f34b6cf0 8094c68f 00000000 f34b6d4c 8082e0d6 nt!PspExitThread+0x3b2 (FPO: [SEH])
> f34b6cfc 8082e0d6 b98c04e0 f34b6d48 f34b6d3c nt!PsExitSpecialApc+0x1d (FPO: [5,0,0])
> f34b6d4c 80889897 00000001 00000000 f34b6d64 nt!KiDeliverApc+0x1ae (FPO: [3,10,0])
> f34b6d4c 7c82847c 00000001 00000000 f34b6d64 nt!KiServiceExit+0x56 (FPO: [0,0] TrapFrame @ f34b6d64)
> WARNING: Frame IP not in any known module. Following frames may be wrong.
> 18d8cd84 00000000 00000000 00000000 00000000 0x7c82847c
>
> THREAD b971a6f0 Cid 01c0.1430 Teb: 7ffdc000 Win32Thread: 00000000 WAIT: (Unknown) KernelMode Non-Alertable
> b971a768 NotificationTimer
> Impersonation token: e69a2210 (Level Impersonation)
> Owning Process b9774a68 Image: inmsync.exe
> Attached Process N/A Image: N/A
> Wait Start TickCount 62732768 Ticks: 0
> Context Switch Count 7
> UserTime 00:00:00.000
> KernelTime 00:00:00.000
> Win32 Start Address 0x7c80e0b2
> Start Address 0x77e617ec
> Stack Init f2edb000 Current f2edabac Base f2edb000 Limit f2ed8000 Call 0
> Priority 10 BasePriority 8 PriorityDecrement 0
> ChildEBP RetAddr Args to Child
> f2edabc4 80833491 b971a6f0 b971a7e0 00000000 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
> f2edabf0 80828f2b 80a603f4 80a600b4 b971a8f8 nt!KiSwapThread+0x2e5 (FPO: [0,7,0])
> f2edac38 808ea866 00000000 00000000 ffdff630 nt!KeDelayExecutionThread+0x2ab (FPO: [3,13,0])
> f2edac68 8094c486 b971a6f0 baa459f8 00000000 nt!IoCancelThreadIo+0x62 (FPO: [1,4,0])
> f2edacf0 8094c68f 00000000 f2edad4c 8082e0d6 nt!PspExitThread+0x466 (FPO: [SEH])
> f2edacfc 8082e0d6 baa459f8 f2edad48 f2edad3c nt!PsExitSpecialApc+0x1d (FPO: [5,0,0])
> f2edad4c 80889897 00000001 00000000 f2edad64 nt!KiDeliverApc+0x1ae (FPO: [3,10,0])
> f2edad4c 7c82847c 00000001 00000000 f2edad64 nt!KiServiceExit+0x56 (FPO: [0,0] TrapFrame @ f2edad64)
> WARNING: Frame IP not in any known module. Following frames may be wrong.
> 1932cd58 00000000 00000000 00000000 00000000 0x7c82847c
>
>
> PROCESS b9719960 SessionId: 0 Cid: 101c Peb: 7ffde000 ParentCid: 01c0
> DirBase: bffcff00 ObjectTable: 00000000 HandleCount: 0.
> Image: inmsync.exe
> VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 3. Locked 0.
> DeviceMap e1001888
> Token e12988f8
> ElapsedTime 00:00:00.234
> UserTime 00:00:00.015
> KernelTime 562 Days 15:36:05.671
> QuotaPoolUsage[PagedPool] 0
> QuotaPoolUsage[NonPagedPool] 0
> Working Set Sizes (now,min,max) (7, 50, 345) (28KB, 200KB, 1380KB)
> PeakWorkingSetSize 979
> VirtualSize 406 Mb
> PeakVirtualSize 407 Mb
> PageFaultCount 1006
> MemoryPriority BACKGROUND
> BasePriority 8
> CommitCharge 0
> Job b9787be0
>
> No active threads
>
>
> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

James_Harper · June 22, 2011, 7:45am

> Hi,

One of our machine (win2k3 server 32-bit) crashed. We got following
dump.
Process name “inmsync.exe” mentioned here is our module. Can somebody
tell if
“inmsync.exe” is the culprit or something else. How can I debug this
further?

No usermode app should be able to directly cause an 0x50 bug check, so
if inmsync.exe is indeed a usermode app then it invoked a bug in a
driver (or much less likely, in the kernel), and the driver is at fault.
Both the app and the driver probably have bugs though

James

James_Harper · June 22, 2011, 7:48am

> > Hi,

>
> One of our machine (win2k3 server 32-bit) crashed. We got following
dump.
> Process name “inmsync.exe” mentioned here is our module. Can
somebody
tell if
> “inmsync.exe” is the culprit or something else. How can I debug this
further?
>

No usermode app should be able to directly cause an 0x50 bug check, so
if inmsync.exe is indeed a usermode app then it invoked a bug in a
driver (or much less likely, in the kernel), and the driver is at
fault.
Both the app and the driver probably have bugs though

Additionally, the docs say that 0x50 could be caused by a corrupt NTFS
filesystem (which I guess could be maliciously caused from userspace). I
think it’s not particularly likely but can you run a chkdsk just to test
it?

James

Sunil_Patil · June 22, 2011, 8:54am

Hi,

We do have driver component. But this particular user-space module
“inmsync.exe” does not interact with any of our drivers thorough IOCTL or
any other mechanism. I checked all my driver threads and they are in good
state.

Thanks,
Sunil

On Wed, Jun 22, 2011 at 5:17 PM, James Harper > wrote:

> > > Hi,
> > >
> > > One of our machine (win2k3 server 32-bit) crashed. We got following
> > dump.
> > > Process name “inmsync.exe” mentioned here is our module. Can
> somebody
> > tell if
> > > “inmsync.exe” is the culprit or something else. How can I debug this
> > further?
> > >
> >
> > No usermode app should be able to directly cause an 0x50 bug check, so
> > if inmsync.exe is indeed a usermode app then it invoked a bug in a
> > driver (or much less likely, in the kernel), and the driver is at
> fault.
> > Both the app and the driver probably have bugs though
> >
>
> Additionally, the docs say that 0x50 could be caused by a corrupt NTFS
> filesystem (which I guess could be maliciously caused from userspace). I
> think it’s not particularly likely but can you run a chkdsk just to test
> it?
>
> James
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Gary_Little-3 · June 22, 2011, 9:05am

Have you enabled driver verifier? Used WinDbg to step into the driver code? Set breakpoints in the driver? The fact that your driver is not shown in a call stack for a kernel dump does not relieve your driver of guilt.

Gary G. Little
C 952-454-4629
H 952-223-1349

On Jun 22, 2011, at 7:53, Sunil Patil wrote:

> Hi,
>
> We do have driver component. But this particular user-space module “inmsync.exe” does not interact with any of our drivers thorough IOCTL or any other mechanism. I checked all my driver threads and they are in good state.
>
> Thanks,
> Sunil
>
> On Wed, Jun 22, 2011 at 5:17 PM, James Harper wrote:
> > > Hi,
> > >
> > > One of our machine (win2k3 server 32-bit) crashed. We got following
> > dump.
> > > Process name “inmsync.exe” mentioned here is our module. Can
> somebody
> > tell if
> > > “inmsync.exe” is the culprit or something else. How can I debug this
> > further?
> > >
> >
> > No usermode app should be able to directly cause an 0x50 bug check, so
> > if inmsync.exe is indeed a usermode app then it invoked a bug in a
> > driver (or much less likely, in the kernel), and the driver is at
> fault.
> > Both the app and the driver probably have bugs though
> >
>
> Additionally, the docs say that 0x50 could be caused by a corrupt NTFS
> filesystem (which I guess could be maliciously caused from userspace). I
> think it’s not particularly likely but can you run a chkdsk just to test
> it?
>
> James
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>
> — NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer