Strange Traps?

Hello Everyone,

I am new to the list, but I have been seeing some strange traps, and I
cannot seem to figure out what’s going on, so I would like some
ideas. Basically, I have 2 traps on quad processor machines that are on
valid instructions; however, they caused a bluescreen.

The trap occurs in the context of Winlogon. One of Winlogon’s threads is
basically just making a GetMessage() call. The OS is Windows 2003.

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
An exception code of 0x80000002 (STATUS_DATATYPE_MISALIGNMENT) indicates
that an unaligned data reference was encountered. The trap frame will
supply additional information.
Arguments:
Arg1: c000001d, The exception code that was not handled
Arg2: bf8e59bc, The address that the exception occurred at
Arg3: ec251be0, Trap Frame
Arg4: 00000000

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal
Instruction An attempt was made to execute an illegal instruction.

FAULTING_IP:
win32k+e59bc
bf8e59bc 8945e0 mov [ebp-0x20],eax

TRAP_FRAME: ec251be0 -- (.trap ffffffffec251be0)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000000 edx=80010031 esi=bc1717c8 edi=00000000
eip=bf8e59bc esp=ec251c54 ebp=ec251c94 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
win32k+0xe59bc:
bf8e59bc 8945e0 mov [ebp-0x20],eax ss:0010:ec251c74=00000000
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from bf8e5db1 to bf8e59bc

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ec251c94 bf8e5db1 000025ff 00000000 00000001 win32k+0xe59bc
ec251cec bf8e6721 ec251d18 00000000 00000000 win32k+0xe5db1
ec251d4c 804dfd24 0092ff64 00000000 00000000 win32k+0xe6721
ec251d4c 7ffe0304 0092ff64 00000000 00000000 nt!KiSystemService+0xd0
0092fef8 77d06718 77d067e0 0092ff64 00000000 SharedUserData!SystemCallStub+0x4
0092ff18 67481876 0092ff64 00000000 00000000 USER32!NtUserGetMessage+0xc

FAILED_INSTRUCTION_ADDRESS:
win32k+e59bc
bf8e59bc 8945e0 mov [ebp-0x20],eax

FOLLOWUP_IP:
win32k+e59bc
bf8e59bc 8945e0 mov [ebp-0x20],eax

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k+e59bc

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3e801611

STACK_COMMAND: .trap ffffffffec251be0 ; kb

BUCKET_ID: 0x8E_BAD_IP_win32k+e59bc

Followup: MachineOwner

1: kd> .trap ffffffffec251be0
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=00000000 edx=80010031 esi=bc1717c8 edi=00000000
eip=bf8e59bc esp=ec251c54 ebp=ec251c94 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
win32k+0xe59bc:
bf8e59bc 8945e0 mov [ebp-0x20],eax ss:0010:ec251c74=00000000
1: kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
ec251c94 bf8e5db1 000025ff 00000000 00000001 win32k+0xe59bc
ec251cec bf8e6721 ec251d18 00000000 00000000 win32k+0xe5db1
ec251d4c 804dfd24 0092ff64 00000000 00000000 win32k+0xe6721
ec251d4c 7ffe0304 0092ff64 00000000 00000000 nt!KiSystemService+0xd0
0092fef8 77d06718 77d067e0 0092ff64 00000000 SharedUserData!SystemCallStub+0x4
0092ff18 67481876 0092ff64 00000000 00000000 USER32!NtUserGetMessage+0xc

1: kd> u bf8e5db1
win32k+0xe5db1:
bf8e5db1 85c0 test eax,eax
bf8e5db3 0f84ee030000 je win32k+0xe61a7 (bf8e61a7)
bf8e5db9 e9f1010000 jmp win32k+0xe5faf (bf8e5faf)
bf8e5dbe e873ecffff call win32k+0xe4a36 (bf8e4a36)
bf8e5dc3 e9f5020000 jmp win32k+0xe60bd (bf8e60bd)
bf8e5dc8 83600400 and dword ptr [eax+0x4],0x0
bf8e5dcc 8b464c mov eax,[esi+0x4c]
bf8e5dcf 85c2 test edx,eax

1: kd> u win32k+e59bc
win32k+0xe59bc:
bf8e59bc 8945e0 mov [ebp-0x20],eax
bf8e59bf e894eeffff call win32k+0xe4858 (bf8e4858)
bf8e59c4 56 push esi
bf8e59c5 e844000000 call win32k+0xe5a0e (bf8e5a0e)
bf8e59ca e9b2feffff jmp win32k+0xe5881 (bf8e5881)
bf8e59cf 8b4640 mov eax,[esi+0x40]
bf8e59d2 8b400c mov eax,[eax+0xc]
bf8e59d5 0b869c000000 or eax,[esi+0x9c]

1: kd> dds ec251c94 -40
ec251c54 00000000
ec251c58 bc1717c8
ec251c5c 00000000
ec251c60 00000100
ec251c64 855dd020
ec251c68 804f0000 nt!KiRetireDpcList+0x10
ec251c6c bc1717c8
ec251c70 00000000
ec251c74 00000000
ec251c78 00000000
ec251c7c ec251c54
ec251c80 ec2516e8
ec251c84 ec251cdc
ec251c88 bf980f8a win32k+0x180f8a
ec251c8c bf994f60 win32k+0x194f60
ec251c90 ffffffff
ec251c94 ec251cec
ec251c98 bf8e5db1 win32k+0xe5db1
ec251c9c 000025ff
ec251ca0 00000000
ec251ca4 00000001
ec251ca8 ec251d64
ec251cac 0092ff14
ec251cb0 bf8e66fa win32k+0xe66fa
ec251cb4 00000000

Seems valid memory is being accessed.

CP F/M/S Manufacturer MHz
0 15,2,7 GenuineIntel 2392
1 15,2,7 GenuineIntel 2392
2 15,2,7 GenuineIntel 2392
3 15,2,7 GenuineIntel 2392
1: kd> !ready
Processor 0: No threads in READY state
Processor 1: Ready Threads at priority 8
THREAD 85928570 Cid 0220.0820 Teb: 7ff8d000 Win32Thread: bc3bca20 READY
Processor 2: No threads in READY state
Processor 3: Ready Threads at priority 13
THREAD 858a1020 Cid 0fac.23e0 Teb: 7ffdb000 Win32Thread: bc0109c0 READY
Processor 3: Ready Threads at priority 11
THREAD 85e28768 Cid 028c.02e4 Teb: 7ffad000 Win32Thread: 00000000 READY
Processor 3: Ready Threads at priority 8
THREAD 84e48020 Cid 2c60.29f4 Teb: 7ffde000 Win32Thread: bc4da770 READY
1: kd> !thread
THREAD 855dd020 Cid 1428.2378 Teb: 7ffda000 Win32Thread: bc1717c8 RUNNING
on processor 1
Not impersonating
DeviceMap e1001900
Owning Process 8553f020
Wait Start TickCount 5333443 Elapsed Ticks: 0
Context Switch Count 280 LargeStack
UserTime 00:00:00.0000
KernelTime 00:00:00.0015
Start Address kernel32!FlsSetValue (0x77e4a99b)
Win32 Start Address msvcrt!_endthreadex (0x77bc917e)
Stack Init ec252000 Current ec251bc4 Base ec252000 Limit ec24d000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
ec2517b4 80527624 0000008e c000001d bf8e59bc nt!KeBugCheckEx+0x19
ec251b70 804e087a ec251b8c 00000000 ec251be0 nt!KiDispatchException+0x2f5
ec251bd8 804e07fa 804ed800 855dd0c0 855dd020
nt!CommonDispatchException+0x4a (FPO: [0,20,0])
ec251c04 804eda20 00000000 00000000 00000023 nt!KiExceptionExit+0x16a
ec251c38 00000000 ec251c94 00000000 bf8e59bc nt!KeWaitForSingleObject+0x249

1: kd> !process -1 0
PROCESS 8553f020 SessionId: 4 Cid: 1428 Peb: 7ffdf000 ParentCid: 01d8
DirBase: 1fb9f000 ObjectTable: e287ad60 HandleCount: 221.
Image: winlogon.exe

1: kd> !cpuinfo
CP F/M/S Manufacturer MHz Update Signature Features
0 15,2,7 GenuineIntel 2392 0000003400000000 00033fff
TargetInfo::ReadMsr is not available in the current debug session
1 15,2,7 GenuineIntel 2392>0000003400000000<00033fff
2 15,2,7 GenuineIntel 2392 0000003400000000 00033fff
3 15,2,7 GenuineIntel 2392 0000003400000000 00033fff
1: kd> !running

System Processors f (affinity mask)
Idle Processors 0

Prcb Current Next
0 ffdff120 85533020 …
1 f772f120 855dd020 …
2 f773f120 85150020 …
3 f774f120 84ccd020 …

1: kd> !irql
Debugger saved IRQL for processor 0x1 -- 0 (LOW_LEVEL)

c000001d == Invalid Instruction.

So, is there something I am missing? Is this a hardware failure? I would
say that the OS got into a bad state, but the processor is the one who
generates the exceptions, the OS just handles them. Any ideas where I
should look for this problem? Perhaps there is really a trap here
somewhere but the bluescreen information is invalid somehow. I have a few
of these traps, all in the same thread, in the context of GetMessage()
pretty much but traps in different places, all valid. Sometimes it’s a
CALL it trapped on, another time it was “DEC ESP” or EBP. Nothing makes
much sense. I did get 1 trap that was really a trap in the same context,
someone apparently did a ret (most likely) or jmp to the thread context and
trapped on accessing invalid memory there. Perhaps something similar
happened with the rest, but the dumps are messed up.

2: kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
ec4e0c94 bf8e5db1 000025ff 00000000 00000001 0xbc165018
ec4e0cec bf8e6721 ec4e0d18 00000000 00000000 win32k+0xe5db1
ec4e0d4c 804dfd24 0092ff64 00000000 00000000 win32k+0xe6721
ec4e0d4c 7ffe0304 0092ff64 00000000 00000000 nt!KiSystemService+0xd0
0092fef8 77d06718 77d067e0 0092ff64 00000000 SharedUserData!SystemCallStub+0x4
0092ff18 67481876 0092ff64 00000000 00000000 USER32!NtUserGetMessage+0xc
0092ffb8 77e4a990 002546d8 00000000 00000000 msvcrt!_endthreadex+0x95
0092ffec 00000000 77bc917e 002546d8 00000000 kernel32!FlsSetValue+0x779
2: kd> dd bc165018
bc165018 85524020 00000001 00000000 004c0740
bc165028 00000000 00000000 00000000 00000000
bc165038 bc165038 bc165038 00000000 bc0043b0
bc165048 bc16b698 bc1a8ba0 be251920 85482338
bc165058 be250650 bdd70000 7ffda6cc 03000000
bc165068 00000000 00000000 00000000 bc1b1c50
bc165078 04ebb876 00000001 00000000 00000104
bc165088 00000000 00000000 00000000 00000000
2: kd> !thread 85524020
THREAD 85524020 Cid 1520.1f2c Teb: 7ffda000 Win32Thread: bc165018 RUNNING
on processor 2
Not impersonating
DeviceMap e1001900
Owning Process 8549b968
Wait Start TickCount 5283651 Elapsed Ticks: 0
Context Switch Count 38 LargeStack
UserTime 00:00:00.0015
KernelTime 00:00:00.0000
Start Address kernel32!FlsSetValue (0x77e4a99b)
Win32 Start Address msvcrt!_endthreadex (0x77bc917e)
Stack Init ec4e1000 Current ec4e00a0 Base ec4e1000 Limit ec4dc000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
ec4e07bc 80527624 0000008e c0000005 bc165018 nt!KeBugCheckEx+0x19
ec4e0b78 804e087a ec4e0b94 00000000 ec4e0be8 nt!KiDispatchException+0x2f5
ec4e0be0 804e0812 85524020 85421248 85465d40
nt!CommonDispatchException+0x4a (FPO: [0,20,0])
ec4e0c04 804eda20 00000000 bc165018 00000000 nt!KiExceptionExit+0x182
ec4e0c38 00000000 bc165018 00000000 ec4e0c94 nt!KeWaitForSingleObject+0x249

I started to look at other threads; perhaps the trap occurred somewhere else,
on another processor or on another thread that was previously active.

Also, does anyone know where to get the symbols for WIN32K.SYS for Windows
2003? It appears that the symbol server attempts to search for win32k.sys
as the symbol, but even after renaming win32k.pdb to win32k.sys it will not
load it (invalid signature). The dates for the files are the same day but
different times as well. Has anyone experienced this problem? I usually
use the symbol server, but I even downloaded the symbols from MS.

0: kd> lm v mwin32k
start end module name
bf800000 bf9c6000 win32k (no symbols)
Loaded symbol image file: win32k.sys
Image path: \SystemRoot\System32\win32k.sys
Timestamp: Tue Mar 25 03:40:49 2003 (3E801611) Checksum: 001CC3D7
ImageSize : 001C6000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

Thanks
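The triage reasoning in the post (is the faulting address inside a loaded code image, does the exception code fit that location, and does a non-code faulting address coincide with a known object pointer such as the Win32Thread) can be mechanised over the debugger output. The following is an added example, not code from the post or from WinDbg: it reads the nt!KeBugCheckEx frame from a `!thread` listing (its first three args are Arg1..Arg3 of `!analyze`), resolves the faulting address against `lm v` ranges, and returns a triage label. The sample text is copied from the post; the label names and the `KNOWN_POINTERS_2` table (built from the post's `!thread 85524020` and `dd bc165018` output) are my own constructions.

```python
"""Bugcheck 0x8E triage helper (added example, not from the post or WinDbg).

Correlates the exception code and faulting address from the
nt!KeBugCheckEx frame with the module map from `lm v`, and with any
object pointers the analyst already knows for the faulting thread.
"""
import re

STATUS_ILLEGAL_INSTRUCTION = 0xC000001D
STATUS_ACCESS_VIOLATION = 0xC0000005
KERNEL_MODE_EXCEPTION_NOT_HANDLED = 0x8E

# Constructed sample input: the win32k range from the post's `lm v mwin32k`.
LM_TEXT = """\
start    end        module name
bf800000 bf9c6000   win32k     (no symbols)
"""

# The nt!KeBugCheckEx frames from the two `!thread` listings in the post.
KEBUGCHECK_FRAME_1 = "ec2517b4 80527624 0000008e c000001d bf8e59bc nt!KeBugCheckEx+0x19"
KEBUGCHECK_FRAME_2 = "ec4e07bc 80527624 0000008e c0000005 bc165018 nt!KeBugCheckEx+0x19"

# Pointers the second dump associates with the faulting thread
# (from `!thread 85524020`; the first dword at bc165018 is the THREAD).
KNOWN_POINTERS_2 = {"Win32Thread": 0xBC165018, "THREAD": 0x85524020}

_HEX8 = r"([0-9a-f]{8})"
_LM_RE = re.compile(r"^" + _HEX8 + r"\s+" + _HEX8 + r"\s+(\S+)", re.I)
_KB_RE = re.compile(r"^" + r"\s+".join([_HEX8] * 5) + r"\s+(\S+)", re.I)


def parse_modules(lm_text):
    """Return [(name, start, end)] from `lm v`-style 'start end module' lines."""
    mods = []
    for line in lm_text.splitlines():
        m = _LM_RE.match(line)
        if m:
            mods.append((m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return mods


def module_for(addr, mods):
    """Name of the module whose [start, end) range contains addr, else None."""
    for name, start, end in mods:
        if start <= addr < end:
            return name
    return None


def parse_bugcheck_frame(kb_line):
    """(bugcheck code, exception code, faulting address) from a KeBugCheckEx frame."""
    m = _KB_RE.match(kb_line)
    if not m or "KeBugCheckEx" not in m.group(6):
        raise ValueError("not a KeBugCheckEx frame")
    return int(m.group(3), 16), int(m.group(4), 16), int(m.group(5), 16)


def classify(kb_line, lm_text, known_pointers=None):
    """Triage label (my own naming) for one 0x8E bugcheck."""
    bugcheck, exc, addr = parse_bugcheck_frame(kb_line)
    if bugcheck != KERNEL_MODE_EXCEPTION_NOT_HANDLED:
        return "other-bugcheck"
    mod = module_for(addr, parse_modules(lm_text))
    if exc == STATUS_ILLEGAL_INSTRUCTION and mod is not None:
        # #UD at an address inside a code image: decode the bytes there.  If
        # they form a valid instruction (8945e0 does), the saved state and the
        # CPU disagree, so compare against another machine and check the
        # hardware before blaming the driver.
        return "illegal-instruction-in-mapped-code"
    if exc == STATUS_ACCESS_VIOLATION and mod is None:
        # Execution landed outside every image: a corrupted return address or
        # function pointer.  Matching it to a known object pointer tells you
        # what was overwritten.
        for name, ptr in (known_pointers or {}).items():
            if ptr == addr:
                return "control-flow-into-" + name
        return "control-flow-into-non-code"
    return "other-exception"


if __name__ == "__main__":
    print(classify(KEBUGCHECK_FRAME_1, LM_TEXT))
    print(classify(KEBUGCHECK_FRAME_2, LM_TEXT, KNOWN_POINTERS_2))
```

For the first dump this yields the "illegal instruction inside mapped code" case, which is the contradiction the post is asking about; for the second it yields a control transfer to the thread's own Win32Thread pointer, matching the post's guess that a `ret` or `jmp` went to the thread context.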