system crash on UNEXPECTED_KERNEL_MODE_TRAP

One of my systems crashed on UNEXPECTED_KERNEL_MODE_TRAP every time on reboot.

The memory dump file is as follows: the driver that caused the system crash is hooked on a registry key. Can I get this conclusion from this dump? Before the registry is hooked, the first driver calls ZwOpenKey(). The OS traps this ZwOpenKey(). After that, the second driver hooked ZwOpenKey(). When the first ZwOpenKey() returns, it calls the second driver's hook function. After the second driver's hook finished its function, it tried to pass itself to ZwOpenKey() again. That crashed the system. Am I right or not?

kd> !analyze -v
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck parens is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR: 0x7f_8

TSS: 00000028 -- (.tss 28)
eax=00000020 ebx=ffdff120 ecx=90320001 edx=90320002 esi=823bdbf8 edi=82321638
eip=804e2455 esp=ef177ff0 ebp=ef178020 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!_SEH_prolog+0x1a:
804e2455 53               push    ebx
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 80564713 to 804e2455

STACK_TEXT:
ef178020 80564713 823bdbf8 80563300 80563300 nt!_SEH_prolog+0x1a
ef178058 8056b390 80563300 823bdbf8 00000000 nt!ObCreateObject+0x79
ef1780b4 805677a0 e1a9e008 007ebd38 00000000 nt!CmpDoOpen+0x121
ef1782ac 8056316c 007ebd38 00000000 81e2a260 nt!CmpParseKey+0x558
ef178334 8056729a 00000000 ef178374 00000240 nt!ObpLookupObjectName+0x56a
ef178388 80567bfd 00000000 823bdbf8 00000000 nt!ObOpenObjectByName+0xeb
ef17845c f882240d ef178fa8 82000000 ef178d1c nt!NtOpenKey+0x1af
ef178c78 804de7ec ef178fa8 82000000 ef178d1c grddrvr!HookRegOpenKey+0x4d
ef178c78 804dd019 ef178fa8 82000000 ef178d1c nt!KiFastCallEntry+0xf8
ef178cfc 80595907 ef178fa8 82000000 ef178d1c nt!ZwOpenKey+0x11
ef178f5c 8059570d 00000000 e2665b88 00000000 nt!RtlpGetRegistryHandle+0x15d
ef178fb8 efe5d3ca 00000000 e2665b88 ef178fe0 nt!RtlQueryRegistryValues+0x1d
WARNING: Stack unwind information not available. Following frames may be wrong.
ef179068 f8176ebf 00000000 f8171960 f817194c ialmkchw+0x63ca
ef1799b0 f815f11b 8221e358 ef1799cc 00000000 ialmnt5+0x11ebf
ef179a74 804e37f7 8221e040 81e03a20 00000008 VIDEOPRT!pVideoPortDispatch+0xabf
ef179b1c 8054a938 8218006a e272ec9a 82180008 nt!IopfCallDriver+0x31
ef179b64 805a31ca ef17a63c ef17a6cc 00000000 nt!ExFreePoolWithTag+0x676
ef179b9c 805802ce e27bfc58 823bdb00 82180008 nt!CmpQueryKeyName+0xe4
ef179cdc 8056b012 8056b2ae e1a9e008 c0000034 nt!ObQueryNameString+0xe0
ffffffff 00000000 00000000 00000000 00000000 nt!CmpFindValueByNameFromCache+0xde
ef17b758 80565cec ef17b874 ef17b878 ef17b848 nt!KiCallUserMode+0x4
ef17b7b4 bf84036e 0000000a ef17b8b0 00000088 nt!KeUserModeCallback+0x87
ef17bacc bf813f63 bc682228 00000001 00000000 win32k!SfnINLPCREATESTRUCT+0x41f
ef17bb14 bf814155 0a682228 00000001 00000000 win32k!xxxSendMessageToClient+0x176
ef17bb60 bf80f53e bc682228 00000001 00000000 win32k!xxxSendMessageTimeout+0x1a6
ef17bb84 bf84104b bc682228 00000001 00000000 win32k!xxxSendMessage+0x1b
ef17bc6c bf83ee67 00000000 00000000 bc6821a8 win32k!xxxCreateWindowEx+0xbce
ef17bd20 804de7ec 80000000 ef17bcec ef17bce0 win32k!NtUserCreateWindowEx+0x1c1
ef17bd20 7c90eb94 80000000 ef17bcec ef17bce0 nt!KiFastCallEntry+0xf8
0012f764 00000000 00000000 00000000 00000000 0x7c90eb94

FOLLOWUP_IP:
grddrvr!HookRegOpenKey+4d
f882240d 8985f8f7ffff     mov     [ebp-0x808],eax

SYMBOL_STACK_INDEX: 7

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: grddrvr!HookRegOpenKey+4d

MODULE_NAME: grddrvr

IMAGE_NAME: grddrvr.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 427a599e

STACK_COMMAND: .tss 28 ; kb

BUCKET_ID: 0x7f_8_grddrvr!HookRegOpenKey+4d

Followup: MachineOwner
---------

kd> .tss 28
eax=00000020 ebx=ffdff120 ecx=90320001 edx=90320002 esi=823bdbf8 edi=82321638
eip=804e2455 esp=ef177ff0 ebp=ef178020 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!_SEH_prolog+0x1a:
804e2455 53               push    ebx
kd> kb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child
ef178020 80564713 823bdbf8 80563300 80563300 nt!_SEH_prolog+0x1a
ef178058 8056b390 80563300 823bdbf8 00000000 nt!ObCreateObject+0x79
ef1780b4 805677a0 e1a9e008 007ebd38 00000000 nt!CmpDoOpen+0x121
ef1782ac 8056316c 007ebd38 00000000 81e2a260 nt!CmpParseKey+0x558
ef178334 8056729a 00000000 ef178374 00000240 nt!ObpLookupObjectName+0x56a
ef178388 80567bfd 00000000 823bdbf8 00000000 nt!ObOpenObjectByName+0xeb
ef17845c f882240d ef178fa8 82000000 ef178d1c nt!NtOpenKey+0x1af
ef178c78 804de7ec ef178fa8 82000000 ef178d1c grddrvr!HookRegOpenKey+0x4d
ef178c78 804dd019 ef178fa8 82000000 ef178d1c nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ ef178c8c)
ef178cfc 80595907 ef178fa8 82000000 ef178d1c nt!ZwOpenKey+0x11
ef178f5c 8059570d 00000000 e2665b88 00000000 nt!RtlpGetRegistryHandle+0x15d
ef178fb8 efe5d3ca 00000000 e2665b88 ef178fe0 nt!RtlQueryRegistryValues+0x1d
WARNING: Stack unwind information not available. Following frames may be wrong.
ef179068 f8176ebf 00000000 f8171960 f817194c ialmkchw+0x63ca
ef1799b0 f815f11b 8221e358 ef1799cc 00000000 ialmnt5+0x11ebf
ef179a74 804e37f7 8221e040 81e03a20 00000008 VIDEOPRT!pVideoPortDispatch+0xabf
ef179b1c 8054a938 8218006a e272ec9a 82180008 nt!IopfCallDriver+0x31
ef179b64 805a31ca ef17a63c ef17a6cc 00000000 nt!ExFreePoolWithTag+0x676
ef179b9c 805802ce e27bfc58 823bdb00 82180008 nt!CmpQueryKeyName+0xe4
ef179cdc 8056b012 8056b2ae e1a9e008 c0000034 nt!ObQueryNameString+0xe0
ffffffff 00000000 00000000 00000000 00000000 nt!CmpFindValueByNameFromCache+0xde

Kernel stack overflow due to too many drivers, anti-virus filters
especially.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “David Wu”
To: “Windows File Systems Devs Interest List”
Sent: Friday, July 22, 2005 12:52 AM
Subject: [ntfsd] system crash on UNEXPECTED_KERNEL_MODE_TRAP


Try typing “.kframes 100” and then reissuing the stack backtrace command - that way you can see the entire stack.

But Max is basically right - there’s a stack overflow; it may be due to
too many “things” on the stack, or some stack pigs (use “!thread” to get
the stack limits, and remember stacks grow *down*).

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Thursday, July 21, 2005 5:27 PM
To: ntfsd redirect
Subject: Re: [ntfsd] system crash on UNEXPECTED_KERNEL_MODE_TRAP


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Tony & Max,
Thank you very much for your advice.
I'll try that frames command to find out some detailed info.
Another question: you said it may be due to too many “things” on the stack. Does that mean I still cannot point the finger at the second driver (registry hook)? However, if that registry hook driver is uninstalled, everything works fine.
Based on this common sense: a driver is installed, then the system crashes; if there is no strong evidence of other drivers' fault, it is this driver's fault. Can I say that in this stack overflow case?

Thanks again.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Thursday, July 21, 2005 5:33 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] system crash on UNEXPECTED_KERNEL_MODE_TRAP


David

I don't think you can point the finger at the “other driver” just like that.
Your driver and the “other driver” both share the kernel thread stack. If you
uninstall your driver but leave the “other driver” there, then does it just
work? In that case your logic also says you point the finger at your driver!
The customer perspective in general, I have found, is that the last
product/driver installed is deemed the cause of the problem. If I were
you I would do something like “kv n f 1000”; it makes it easiest in my
experience (limited perhaps) to see where the stack pigs are.

Cheers
Lyndon
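The sizing that Tony's “!thread” limits and Lyndon's “kv n f” display give you, done by hand on the STACK_TEXT from David's dump, as an added example that is not part of the thread: each frame's footprint is the difference between adjacent ChildEBP values, rows after kb's unwind WARNING are flagged as suspect, the corrupt ffffffff row is skipped, and the StackLimit (which only !thread would print, so the value used here is an assumption) drives the overflow check.

```python
import re

FAULT_ESP = 0xEF177FF0  # esp from the '.tss 28' register dump in the thread
# Assumed, not on the page: the StackLimit that '!thread' would print for this thread.
STACK_LIMIT_ASSUMED = 0xEF178000
KERNEL_BASE = 0x80000000  # x86 2 GB split: a ChildEBP below this is user mode

# STACK_TEXT from the '!analyze -v' output in the thread, one frame per line.
STACK_TEXT = """
ef178020 80564713 823bdbf8 80563300 80563300 nt!_SEH_prolog+0x1a
ef178058 8056b390 80563300 823bdbf8 00000000 nt!ObCreateObject+0x79
ef1780b4 805677a0 e1a9e008 007ebd38 00000000 nt!CmpDoOpen+0x121
ef1782ac 8056316c 007ebd38 00000000 81e2a260 nt!CmpParseKey+0x558
ef178334 8056729a 00000000 ef178374 00000240 nt!ObpLookupObjectName+0x56a
ef178388 80567bfd 00000000 823bdbf8 00000000 nt!ObOpenObjectByName+0xeb
ef17845c f882240d ef178fa8 82000000 ef178d1c nt!NtOpenKey+0x1af
ef178c78 804de7ec ef178fa8 82000000 ef178d1c grddrvr!HookRegOpenKey+0x4d
ef178c78 804dd019 ef178fa8 82000000 ef178d1c nt!KiFastCallEntry+0xf8
ef178cfc 80595907 ef178fa8 82000000 ef178d1c nt!ZwOpenKey+0x11
ef178f5c 8059570d 00000000 e2665b88 00000000 nt!RtlpGetRegistryHandle+0x15d
ef178fb8 efe5d3ca 00000000 e2665b88 ef178fe0 nt!RtlQueryRegistryValues+0x1d
WARNING: Stack unwind information not available. Following frames may be wrong.
ef179068 f8176ebf 00000000 f8171960 f817194c ialmkchw+0x63ca
ef1799b0 f815f11b 8221e358 ef1799cc 00000000 ialmnt5+0x11ebf
ef179a74 804e37f7 8221e040 81e03a20 00000008 VIDEOPRT!pVideoPortDispatch+0xabf
ef179b1c 8054a938 8218006a e272ec9a 82180008 nt!IopfCallDriver+0x31
ef179b64 805a31ca ef17a63c ef17a6cc 00000000 nt!ExFreePoolWithTag+0x676
ef179b9c 805802ce e27bfc58 823bdb00 82180008 nt!CmpQueryKeyName+0xe4
ef179cdc 8056b012 8056b2ae e1a9e008 c0000034 nt!ObQueryNameString+0xe0
ffffffff 00000000 00000000 00000000 00000000 nt!CmpFindValueByNameFromCache+0xde
ef17b758 80565cec ef17b874 ef17b878 ef17b848 nt!KiCallUserMode+0x4
ef17b7b4 bf84036e 0000000a ef17b8b0 00000088 nt!KeUserModeCallback+0x87
ef17bacc bf813f63 bc682228 00000001 00000000 win32k!SfnINLPCREATESTRUCT+0x41f
ef17bb14 bf814155 0a682228 00000001 00000000 win32k!xxxSendMessageToClient+0x176
ef17bb60 bf80f53e bc682228 00000001 00000000 win32k!xxxSendMessageTimeout+0x1a6
ef17bb84 bf84104b bc682228 00000001 00000000 win32k!xxxSendMessage+0x1b
ef17bc6c bf83ee67 00000000 00000000 bc6821a8 win32k!xxxCreateWindowEx+0xbce
ef17bd20 804de7ec 80000000 ef17bcec ef17bce0 win32k!NtUserCreateWindowEx+0x1c1
ef17bd20 7c90eb94 80000000 ef17bcec ef17bce0 nt!KiFastCallEntry+0xf8
0012f764 00000000 00000000 00000000 00000000 0x7c90eb94
"""

FRAME_RE = re.compile(r"^([0-9a-f]{8})(?: [0-9a-f]{8}){4} (\S+)$")

def parse_kb(stack_text):
    """Yield (ChildEBP, symbol, reliable) per row; reliable flips at the WARNING."""
    reliable = True
    for line in stack_text.strip().splitlines():
        if line.startswith("WARNING"):
            reliable = False  # kb lost unwind info: every later size is suspect
            continue
        m = FRAME_RE.match(line)
        if m:
            yield int(m.group(1), 16), m.group(2), reliable

def frame_sizes(stack_text, fault_esp):
    """Return [(symbol, size_or_None, reliable)] for the kernel-mode rows: a
    frame's size is its ChildEBP minus the callee row's ChildEBP (the innermost
    is measured from the faulting esp); rows around a corrupt ChildEBP get None."""
    frames, prev = [], fault_esp
    for ebp, sym, reliable in parse_kb(stack_text):
        if ebp < KERNEL_BASE:
            break  # first user-mode frame: the kernel stack ends here
        if prev is None:
            frames.append((sym, None, False))  # delta would span a corrupt row
        elif ebp == 0xFFFFFFFF or ebp < prev:
            frames.append((sym, None, False))  # stacks grow down: ebp must rise
            prev = None
            continue
        else:
            frames.append((sym, ebp - prev, reliable))
        prev = ebp
    return frames

def stack_pigs(frames, threshold=0x400):
    """Frames using at least `threshold` bytes, largest first (unknowns excluded)."""
    big = [f for f in frames if f[1] is not None and f[1] >= threshold]
    return sorted(big, key=lambda f: f[1], reverse=True)

def kernel_stack_used(stack_text, fault_esp):
    """Bytes from the faulting esp up to the outermost kernel-mode ChildEBP."""
    ebps = [e for e, _, _ in parse_kb(stack_text) if KERNEL_BASE <= e < 0xFFFFFFFF]
    return max(ebps) - fault_esp

def overran_stack(esp, stack_limit):
    """Stacks grow down: esp below !thread's StackLimit means the stack is exhausted."""
    return esp < stack_limit

if __name__ == "__main__":
    frames = frame_sizes(STACK_TEXT, FAULT_ESP)
    for sym, size, ok in frames:
        shown = "?" if size is None else f"0x{size:x}"
        print(f"{shown:>7}  {sym}{'' if ok else '  (size suspect)'}")
    print(f"kernel stack in use: 0x{kernel_stack_used(STACK_TEXT, FAULT_ESP):x} bytes")
    print("overran StackLimit:", overran_stack(FAULT_ESP, STACK_LIMIT_ASSUMED))
    print("stack pigs:", [(s, hex(n)) for s, n, _ in stack_pigs(frames)])
```

On this dump the hook frame (grddrvr!HookRegOpenKey, 0x81c bytes, matching the [ebp-0x808] local in FOLLOWUP_IP) is the largest frame the debugger could size reliably, while the video driver frame above the WARNING is bigger still but unverifiable, which is exactly why the thread says the hook cannot simply be blamed alone.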