UNEXPECTED_KERNEL_MODE_TRAP (7f)

I have a BSOD: UNEXPECTED_KERNEL_MODE_TRAP (7f) on my filter driver in W2k.
I have Driver Verifier on, and the output is below.
I cannot step-trace, as the BSOD is very random and does not happen on every boot session.

Any Ideas???

kd> .tss 28
eax=eb435644 ebx=eb435344 ecx=eb435330 edx=00000001 esi=eb43542c edi=00000000
eip=8042dbbf esp=eb434f78 ebp=eb435314 iopl=0 nv up di ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210086
nt!KiDispatchException+0x25:
8042dbbf 53 push ebx

kd> .trap eb435384
ErrCode = 00000000
eax=00000001 ebx=00000000 ecx=eb43542c edx=00000000 esi=00000000 edi=bb050fd0
eip=8045a9f8 esp=eb4353f8 ebp=eb4353fc iopl=0 nv up ei pl nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00200217
nt!DebugService+0x10:
8045a9f8 8945fc mov [ebp-0x4],eax ss:0010:eb4353f8=eb43543c

kd> !thread
THREAD 818a1620 Cid 8.20 Teb: 00000000 Win32Thread: 00000000 RUNNING
IRP List:
bb042e48: (0006,01b4) Flags: 40000884 Mdl: 00000000
bb038e48: (0006,01b4) Flags: 40000a00 Mdl: 00000000
Not impersonating
Owning Process 818a2b60
Wait Start TickCount 1056281 Elapsed Ticks: 0
Context Switch Count 54448
UserTime 0:00:00.0000
KernelTime 0:00:00.0468
Start Address nt!ExpWorkerThread (0x80416820)
Stack Init eb438000 Current eb4357fc Base eb438000 Limit eb435000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 0

kd> kv
ChildEBP RetAddr Args to Child
00000000 8042dbbf 00000000 00000000 00000000 nt!KiTrap08+0x3e (FPO: TaskGate 28:0)
eb435314 80464891 eb435330 00000000 eb435384 nt!KiDispatchException+0x25 (FPO: [Non-Fpo])
eb43537c 80464e7b 00000000 00000000 00000000 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
eb43537c 8045a9f8 00000000 00000000 00000000 nt!KiTrap03+0x97 (FPO: [0,0] TrapFrame @ eb435384)
eb4353fc 8045a9c1 00000001 eb43542c 00000000 nt!DebugService+0x10 (FPO: [Non-Fpo])
eb43540c 80454388 eb43542c bb050fd0 bb050e48 nt!DebugPrint+0xd (FPO: [1,0,0])
eb435654 eb54c7cc eb435660 4349440a 746f473a nt!DbgPrint+0xac (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
eb435860 f0e7942d f0e78a20 bb050fd0 bb050e48 Dbgv+0x7cc
eb4359c4 80526626 8135e500 bb050e48 00000000 filespy+0x242d
eb435a0c bfeee818 00001000 00001000 bfef10fe nt!IovSpecialIrpCompleteRequest+0x18c (FPO: [Non-Fpo])
eb435a18 bfef10fe 81546908 bb050e48 00000000 Ntfs!NtfsCompleteRequest+0x5c (FPO: [3,0,2])
eb435c24 bfef1083 81546908 bb050e48 00000001 Ntfs!NtfsCommonRead+0x161a (FPO: [Non-Fpo])
eb435cc0 805269c4 81810020 bb050e48 81575b50 Ntfs!NtfsFsdRead+0x201 (FPO: [Non-Fpo])
eb435d0c f139411b 815d4820 80064bec 805269c4 nt!IovSpecialIrpCallDriver+0xcd (FPO: [Non-Fpo])
eb435d64 805261cf bb050fd0 bb050ff4 81488e10 SYMEVENT!SYMEvent_GetVMDataPtr+0x697b
eb435d80 f0e78828 8135e500 80064bec bb050fb4 nt!IovCallDriver+0x31 (FPO: [Non-Fpo])
eb435d9c f0e7a994 8135e500 bb050e48 8135e500 filespy+0x1828
eb435db8 805269c4 8135e500 bb050e48 8135e500 filespy+0x3994
eb435e04 8041e445 00000000 00000000 80064bd4 nt!IovSpecialIrpCallDriver+0xcd (FPO: [Non-Fpo])
eb435e18 8043fb41 8169e998 81582ec0 81582ea0 nt!IoPageRead+0xb1 (FPO: [Non-Fpo])

What does ‘analyze -v’ say?


Mats

-------- Notice --------
The information in this message is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this
message by anyone else is unauthorized. If you are not the intended
recipient, any disclosure, copying or distribution of the message, or any
action taken by you in reliance on it, is prohibited and may be unlawful.
If you have received this message in error, please delete it and contact
the sender immediately. Thank you.

xxxxx@lists.osr.com wrote on 01/14/2005 03:03:49 PM:


Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

I suspect either a stack overflow or a bug in Symantec AV filter.

Jamey


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Anurag Sarin
Sent: Friday, January 14, 2005 10:04 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] UNEXPECTED_KERNEL_MODE_TRAP (7f)


UNEXPECTED_KERNEL_MODE_TRAP (7f) Kernel stack overflow possible.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Anurag Sarin
To: Windows System Software Devs Interest List
Sent: Friday, January 14, 2005 6:03 PM
Subject: [ntdev] UNEXPECTED_KERNEL_MODE_TRAP (7f)


This is often caused by a stack overflow, but what are the parameters? Then you can check whether this is division by zero, bounds check fault, invalid opcode, stack overflow or other.

Regards,

Daniel Terhell
Resplendence Software Projects Sp
xxxxx@resplendence.com
http://www.resplendence.com

“Anurag Sarin” wrote in message news:xxxxx@ntdev…

> kd> .tss 28
> eax=eb435644 ebx=eb435344 ecx=eb435330 edx=00000001 esi=eb43542c edi=00000000
> eip=8042dbbf esp=eb434f78 ebp=eb435314 iopl=0 nv up di ng nz na po nc
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210086
> nt!KiDispatchException+0x25:
> 8042dbbf 53 push ebx

This is a typical double fault caused by stack overflow.

Check if there’s an endless recursive call in the call stack, or see which
function consumed an abnormal amount of stack.
!analyze -v is your first step to triage.

Calvin Guan Software Engineer
ATI Technologies Inc. www.ati.com
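
The check suggested above (which function consumed an abnormal amount of stack) can be done mechanically on the output in the original post. This is an added example, not part of the thread: it compares esp from `.tss 28` with the stack Limit from `!thread` and attributes bytes to each frame from the ChildEBP deltas in `kv`. The function names are illustrative, and the deltas are only approximate where frames are FPO or unwind data is missing.

```python
import re

# Debugger output copied from the original post (wrapped lines rejoined).
TSS_REGS = "eip=8042dbbf esp=eb434f78 ebp=eb435314 iopl=0 nv up di ng nz na po nc"
THREAD_STACK = "Stack Init eb438000 Current eb4357fc Base eb438000 Limit eb435000 Call 0"
KV_OUTPUT = """\
00000000 8042dbbf 00000000 00000000 00000000 nt!KiTrap08+0x3e (FPO: TaskGate 28:0)
eb435314 80464891 eb435330 00000000 eb435384 nt!KiDispatchException+0x25 (FPO: [Non-Fpo])
eb43537c 80464e7b 00000000 00000000 00000000 nt!CommonDispatchException+0x4d (FPO: [0,20,0])
eb43537c 8045a9f8 00000000 00000000 00000000 nt!KiTrap03+0x97 (FPO: [0,0] TrapFrame @ eb435384)
eb4353fc 8045a9c1 00000001 eb43542c 00000000 nt!DebugService+0x10 (FPO: [Non-Fpo])
eb43540c 80454388 eb43542c bb050fd0 bb050e48 nt!DebugPrint+0xd (FPO: [1,0,0])
eb435654 eb54c7cc eb435660 4349440a 746f473a nt!DbgPrint+0xac (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
eb435860 f0e7942d f0e78a20 bb050fd0 bb050e48 Dbgv+0x7cc
eb4359c4 80526626 8135e500 bb050e48 00000000 filespy+0x242d
eb435a0c bfeee818 00001000 00001000 bfef10fe nt!IovSpecialIrpCompleteRequest+0x18c (FPO: [Non-Fpo])
eb435a18 bfef10fe 81546908 bb050e48 00000000 Ntfs!NtfsCompleteRequest+0x5c (FPO: [3,0,2])
eb435c24 bfef1083 81546908 bb050e48 00000001 Ntfs!NtfsCommonRead+0x161a (FPO: [Non-Fpo])
eb435cc0 805269c4 81810020 bb050e48 81575b50 Ntfs!NtfsFsdRead+0x201 (FPO: [Non-Fpo])
eb435d0c f139411b 815d4820 80064bec 805269c4 nt!IovSpecialIrpCallDriver+0xcd (FPO: [Non-Fpo])
eb435d64 805261cf bb050fd0 bb050ff4 81488e10 SYMEVENT!SYMEvent_GetVMDataPtr+0x697b
eb435d80 f0e78828 8135e500 80064bec bb050fb4 nt!IovCallDriver+0x31 (FPO: [Non-Fpo])
eb435d9c f0e7a994 8135e500 bb050e48 8135e500 filespy+0x1828
eb435db8 805269c4 8135e500 bb050e48 8135e500 filespy+0x3994
eb435e04 8041e445 00000000 00000000 80064bd4 nt!IovSpecialIrpCallDriver+0xcd (FPO: [Non-Fpo])
eb435e18 8043fb41 8169e998 81582ec0 81582ea0 nt!IoPageRead+0xb1 (FPO: [Non-Fpo])
"""

# One kv line: ChildEBP, then RetAddr and three args, then the symbol.
FRAME_RE = re.compile(r"^([0-9a-f]{8}) (?:[0-9a-f]{8} ){4}(\S+)")


def _hex_field(pattern, text):
    """Return the first capture group of `pattern` in `text` as an integer."""
    return int(re.search(pattern, text).group(1), 16)


def stack_overrun(thread_line, regs_line):
    """Compare the faulting esp with the thread's kernel stack bounds."""
    base = _hex_field(r"Base ([0-9a-f]{8})", thread_line)
    limit = _hex_field(r"Limit ([0-9a-f]{8})", thread_line)
    esp = _hex_field(r"esp=([0-9a-f]{8})", regs_line)
    return {
        "esp": esp,
        "size": base - limit,             # bytes available to the thread
        "used": base - esp,               # bytes consumed at the fault
        "overrun": max(0, limit - esp),   # bytes below Limit (guard page hit)
    }


def parse_frames(kv_text):
    """Return (ChildEBP, symbol) pairs, innermost frame first."""
    frames = []
    for line in kv_text.splitlines():
        m = FRAME_RE.match(line.strip())
        # WARNING lines do not match; the task-gate frame has ChildEBP 0.
        if m and int(m.group(1), 16) != 0:
            frames.append((int(m.group(1), 16), m.group(2)))
    return frames


def frame_usage(frames, esp):
    """Attribute to each frame the bytes between its EBP and its callee's EBP.

    The innermost frame is measured against esp. This is an approximation:
    FPO frames do not keep a real frame pointer.
    """
    usage, lower = [], esp
    for child_ebp, symbol in frames:
        if child_ebp < lower:   # value is not a usable frame pointer
            continue
        usage.append((symbol, child_ebp - lower))
        lower = child_ebp
    return usage


def usage_by_module(usage):
    """Sum per-frame bytes by module name (text before '!' or '+')."""
    totals = {}
    for symbol, size in usage:
        module = re.split(r"[!+]", symbol)[0]
        totals[module] = totals.get(module, 0) + size
    return totals


if __name__ == "__main__":
    info = stack_overrun(THREAD_STACK, TSS_REGS)
    print("stack size %d, used %d, overrun %d bytes"
          % (info["size"], info["used"], info["overrun"]))
    usage = frame_usage(parse_frames(KV_OUTPUT), info["esp"])
    for symbol, size in sorted(usage, key=lambda u: -u[1])[:5]:
        print("%5d  %s" % (size, symbol))
    print(usage_by_module(usage))
```

On the posted data this reports esp 136 bytes below the stack Limit, with nt!KiDispatchException (924 bytes) and nt!DbgPrint (584 bytes) as the largest frames in the part of the stack that `kv` showed.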

It says…

UNEXPECTED_KERNEL_MODE_TRAP (7f)
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:

BUGCHECK_STR: 0x7f_8

TSS: 00000028 -- (.tss 28)
eax=eb435644 ebx=eb435344 ecx=eb435330 edx=00000001 esi=eb43542c edi=00000000
eip=8042dbbf esp=eb434f78 ebp=eb435314 iopl=0 nv up di ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210086
nt!KiDispatchException+0x25:
8042dbbf 53 push ebx
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 80464891 to 8042dbbf

STACK_TEXT:
eb435314 80464891 eb435330 00000000 eb435384 nt!KiDispatchException+0x25
eb43537c 80464e7b 00000000 00000000 00000000 nt!CommonDispatchException+0x4d
eb43537c 8045a9f8 00000000 00000000 00000000 nt!KiTrap03+0x97
eb4353fc 8045a9c1 00000001 eb43542c 00000000 nt!DebugService+0x10
eb43540c 80454388 eb43542c bb050fd0 bb050e48 nt!DebugPrint+0xd
eb435654 eb54c7cc eb435660 4349440a 746f473a nt!DbgPrint+0xac
WARNING: Stack unwind information not available. Following frames may be wrong.
eb435860 f0e7942d f0e78a20 bb050fd0 bb050e48 Dbgv+0x7cc
eb4359c4 80526626 8135e500 bb050e48 00000000 filespy+0x242d
eb435a0c bfeee818 00001000 00001000 bfef10fe nt!IovSpecialIrpCompleteRequest+0x18c
eb435a18 bfef10fe 81546908 bb050e48 00000000 Ntfs!NtfsCompleteRequest+0x5c
eb435c24 bfef1083 81546908 bb050e48 00000001 Ntfs!NtfsCommonRead+0x161a
eb435cc0 805269c4 81810020 bb050e48 81575b50 Ntfs!NtfsFsdRead+0x201
eb435d0c f139411b 815d4820 80064bec 805269c4 nt!IovSpecialIrpCallDriver+0xcd
eb435d64 805261cf bb050fd0 bb050ff4 81488e10 SYMEVENT!SYMEvent_GetVMDataPtr+0x697b
eb435d80 f0e78828 8135e500 80064bec bb050fb4 nt!IovCallDriver+0x31
eb435d9c f0e7a994 8135e500 bb050e48 8135e500 filespy+0x1828
eb435db8 805269c4 8135e500 bb050e48 8135e500 filespy+0x3994
eb435e04 8041e445 00000000 00000000 80064bd4 nt!IovSpecialIrpCallDriver+0xcd
eb435e18 8043fb41 8169e998 81582ec0 81582ea0 nt!IoPageRead+0xb1
eb435e58 80448a86 00000000 c6040000 c0318100 nt!MiDispatchFault+0x23d
eb435ea4 80466a2f 00000000 00000000 00000000 nt!MmAccessFault+0x682
eb435ea4 804116b9 00000000 00000000 00000000 nt!KiTrap0E+0xc3
eb435f74 bff0631c 8169e998 eb435fa8 00001000 nt!CcMapData+0xd9
eb435f98 bff0afb8 81502368 e132c6e8 00000000 Ntfs!NtfsMapStream+0x4b
eb435fc8 bff0b2e0 81502368 0000000c 00000000 Ntfs!ReadIndexBuffer+0x8b
eb435ff4 bff65095 81502368 e33157c8 eb43609c Ntfs!FindFirstIndexEntry+0x1be
eb436058 bff5dafa 81502368 e132c6e8 eb4360f4 Ntfs!NtOfsReadRecords+0xb8
eb436110 bff5dc30 81502368 e3362668 00000000 Ntfs!NtOfsLookupSecurityDescriptorInIndex+0x8a
eb43618c bff5ccb9 81502368 e3362668 0000004c Ntfs!GetSecurityIdFromSecurityDescriptorUnsafe+0x65
eb4361cc bff08c25 81502368 e3338ac8 0000004c Ntfs!NtfsCacheSharedSecurityByDescriptor+0x74
eb436220 bff04a89 81502368 e2fee708 81502368 Ntfs!NtfsCacheSharedSecurityForCreate+0xaf
eb436400 bff0f8b3 81502368 bb042e48 bb042f90 Ntfs!NtfsCreateNewFile+0x227
eb43673c bff0c5a2 81502368 bb042e48 eb4367b0 Ntfs!NtfsCommonCreate+0x6eb
eb4367f0 805269c4 81810020 bb042e48 815e5e48 Ntfs!NtfsFsdCreate+0x1fe
eb43683c f1394273 eb43688c eb046800 00000000 nt!IovSpecialIrpCallDriver+0xcd
eb4368f4 805261cf bb042fd0 bb042ff4 81488e10 SYMEVENT!SYMEvent_GetVMDataPtr+0x6ad3
eb436910 f0e78828 8135e500 80064bec bb042fb4 nt!IovCallDriver+0x31
eb43692c f0e7b497 8135e500 bb042e48 8135e500 filespy+0x1828
eb4369bc 805269c4 8135e500 bb042e48 eb436d88 filespy+0x4497
eb436a08 804bda04 804812c0 804bcf50 eb436d0c nt!IovSpecialIrpCallDriver+0xcd
eb436b98 8044f5b5 81868bb0 00000000 eb436c50 nt!IopParseDevice+0xab4
eb436c10 804d378b 00000000 818a2500 00000040 nt!ObpLookupObjectName+0x4e7
eb436d20 8049dd31 00000000 00000000 72747400 nt!ObOpenObjectByName+0xc5
eb436dfc 8049d8d6 eb437020 0013019f eb437088 nt!IopCreateFile+0x407
eb436e44 804a5264 eb437020 0013019f eb437088 nt!IoCreateFile+0x36
eb436e84 80463d94 eb437020 0013019f eb437088 nt!NtCreateFile+0x2e
eb436e84 8042e953 eb437020 0013019f eb437088 nt!KiSystemService+0xc4
eb436f28 f0e7f032 eb437020 0013019f eb437088 nt!ZwCreateFile+0xb
eb4370b8 805269c4 8135e500 bb038e48 80064b7c filespy+0x8032
eb437104 804aca56 bb038fd8 00000000 bb038e48 nt!IovSpecialIrpCallDriver+0xcd

FOLLOWUP_IP:
Dbgv+7cc
eb54c7cc eb22 jmp Dbgv+0x7f0 (eb54c7f0)

SYMBOL_STACK_INDEX: 6

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: Dbgv+7cc

MODULE_NAME: Dbgv

IMAGE_NAME: Dbgv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3b47213b

STACK_COMMAND: .tss 28 ; kb

BUCKET_ID: 0x7f_8_Dbgv+7cc

Followup: MachineOwner

-----Original Message-----
From: Mats PETERSSON [mailto:xxxxx@3dlabs.com]
Sent: Friday, January 14, 2005 8:43 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] UNEXPECTED_KERNEL_MODE_TRAP (7f)

What does ‘analyze -v’ say?


Mats


The doc says that this is mostly caused by hardware problems but in reality
this is often stack overflow.

Regards,

Daniel Terhell
Resplendence Software Projects Sp
xxxxx@resplendence.com
http://www.resplendence.com

“Anurag Sarin” wrote in message
news:xxxxx@ntdev…
It says…

UNEXPECTED_KERNEL_MODE_TRAP (7f)
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR: 0x7f_8

TSS: 00000028 – (.tss 28)
eax=eb435644 ebx=eb435344 ecx=eb435330 edx=00000001 esi=eb43542c
edi=00000000
eip=8042dbbf esp=eb434f78 ebp=eb435314 iopl=0 nv up di ng nz na
po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00210086
nt!KiDispatchException+0x25:
8042dbbf 53 push ebx
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 80464891 to 8042dbbf

STACK_TEXT:
eb435314 80464891 eb435330 00000000 eb435384 nt!KiDispatchException+0x25
eb43537c 80464e7b 00000000 00000000 00000000
nt!CommonDispatchException+0x4d
eb43537c 8045a9f8 00000000 00000000 00000000 nt!KiTrap03+0x97
eb4353fc 8045a9c1 00000001 eb43542c 00000000 nt!DebugService+0x10
eb43540c 80454388 eb43542c bb050fd0 bb050e48 nt!DebugPrint+0xd
eb435654 eb54c7cc eb435660 4349440a 746f473a nt!DbgPrint+0xac
WARNING: Stack unwind information not available. Following frames may be
wrong.
eb435860 f0e7942d f0e78a20 bb050fd0 bb050e48 Dbgv+0x7cc
eb4359c4 80526626 8135e500 bb050e48 00000000 filespy+0x242d
eb435a0c bfeee818 00001000 00001000 bfef10fe
nt!IovSpecialIrpCompleteRequest+0x18c
eb435a18 bfef10fe 81546908 bb050e48 00000000
Ntfs!NtfsCompleteRequest+0x5c
eb435c24 bfef1083 81546908 bb050e48 00000001 Ntfs!NtfsCommonRead+0x161a
eb435cc0 805269c4 81810020 bb050e48 81575b50 Ntfs!NtfsFsdRead+0x201
eb435d0c f139411b 815d4820 80064bec 805269c4
nt!IovSpecialIrpCallDriver+0xcd
eb435d64 805261cf bb050fd0 bb050ff4 81488e10
SYMEVENT!SYMEvent_GetVMDataPtr+0x697b
eb435d80 f0e78828 8135e500 80064bec bb050fb4 nt!IovCallDriver+0x31
eb435d9c f0e7a994 8135e500 bb050e48 8135e500 filespy+0x1828
eb435db8 805269c4 8135e500 bb050e48 8135e500 filespy+0x3994
eb435e04 8041e445 00000000 00000000 80064bd4
nt!IovSpecialIrpCallDriver+0xcd
eb435e18 8043fb41 8169e998 81582ec0 81582ea0 nt!IoPageRead+0xb1
eb435e58 80448a86 00000000 c6040000 c0318100 nt!MiDispatchFault+0x23d
eb435ea4 80466a2f 00000000 00000000 00000000 nt!MmAccessFault+0x682
eb435ea4 804116b9 00000000 00000000 00000000 nt!KiTrap0E+0xc3
eb435f74 bff0631c 8169e998 eb435fa8 00001000 nt!CcMapData+0xd9
eb435f98 bff0afb8 81502368 e132c6e8 00000000 Ntfs!NtfsMapStream+0x4b
eb435fc8 bff0b2e0 81502368 0000000c 00000000 Ntfs!ReadIndexBuffer+0x8b
eb435ff4 bff65095 81502368 e33157c8 eb43609c
Ntfs!FindFirstIndexEntry+0x1be
eb436058 bff5dafa 81502368 e132c6e8 eb4360f4 Ntfs!NtOfsReadRecords+0xb8
eb436110 bff5dc30 81502368 e3362668 00000000
Ntfs!NtOfsLookupSecurityDescriptorInIndex+0x8a
eb43618c bff5ccb9 81502368 e3362668 0000004c
Ntfs!GetSecurityIdFromSecurityDescriptorUnsafe+0x65
eb4361cc bff08c25 81502368 e3338ac8 0000004c
Ntfs!NtfsCacheSharedSecurityByDescriptor+0x74
eb436220 bff04a89 81502368 e2fee708 81502368
Ntfs!NtfsCacheSharedSecurityForCreate+0xaf
eb436400 bff0f8b3 81502368 bb042e48 bb042f90
Ntfs!NtfsCreateNewFile+0x227
eb43673c bff0c5a2 81502368 bb042e48 eb4367b0 Ntfs!NtfsCommonCreate+0x6eb
eb4367f0 805269c4 81810020 bb042e48 815e5e48 Ntfs!NtfsFsdCreate+0x1fe
eb43683c f1394273 eb43688c eb046800 00000000
nt!IovSpecialIrpCallDriver+0xcd
eb4368f4 805261cf bb042fd0 bb042ff4 81488e10
SYMEVENT!SYMEvent_GetVMDataPtr+0x6ad3
eb436910 f0e78828 8135e500 80064bec bb042fb4 nt!IovCallDriver+0x31
eb43692c f0e7b497 8135e500 bb042e48 8135e500 filespy+0x1828
eb4369bc 805269c4 8135e500 bb042e48 eb436d88 filespy+0x4497
eb436a08 804bda04 804812c0 804bcf50 eb436d0c
nt!IovSpecialIrpCallDriver+0xcd
eb436b98 8044f5b5 81868bb0 00000000 eb436c50 nt!IopParseDevice+0xab4
eb436c10 804d378b 00000000 818a2500 00000040
nt!ObpLookupObjectName+0x4e7
eb436d20 8049dd31 00000000 00000000 72747400 nt!ObOpenObjectByName+0xc5
eb436dfc 8049d8d6 eb437020 0013019f eb437088 nt!IopCreateFile+0x407
eb436e44 804a5264 eb437020 0013019f eb437088 nt!IoCreateFile+0x36
eb436e84 80463d94 eb437020 0013019f eb437088 nt!NtCreateFile+0x2e
eb436e84 8042e953 eb437020 0013019f eb437088 nt!KiSystemService+0xc4
eb436f28 f0e7f032 eb437020 0013019f eb437088 nt!ZwCreateFile+0xb
eb4370b8 805269c4 8135e500 bb038e48 80064b7c filespy+0x8032
eb437104 804aca56 bb038fd8 00000000 bb038e48
nt!IovSpecialIrpCallDriver+0xcd

FOLLOWUP_IP:
Dbgv+7cc
eb54c7cc eb22 jmp Dbgv+0x7f0 (eb54c7f0)

SYMBOL_STACK_INDEX: 6

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: Dbgv+7cc

MODULE_NAME: Dbgv

IMAGE_NAME: Dbgv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3b47213b

STACK_COMMAND: .tss 28 ; kb

BUCKET_ID: 0x7f_8_Dbgv+7cc

Followup: MachineOwner
---------

-----Original Message-----
From: Mats PETERSSON [mailto:xxxxx@3dlabs.com]
Sent: Friday, January 14, 2005 8:43 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] UNEXPECTED_KERNEL_MODE_TRAP (7f)

What does ‘analyze -v’ say?


Mats


xxxxx@lists.osr.com wrote on 01/14/2005 03:03:49 PM:

> I have a BSOD : UNEXPECTED_KERNEL_MODE_TRAP (7f) on my filter driver in W2k.
> I have Driver verify on and below o/p.
> Can not step trace as BSOD is very random and not on every boot session.
> Any Ideas???

How is a kernel stack overflow possible?
The Base is eb438000 and the Limit is eb435000,
i.e. the stack ranges from eb435000 to eb438000.

No stack value is below eb435000 to show a stack overflow…

regards
Anurag
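
The stack-bounds question can be checked mechanically from the debugger output. The following is an added example, not part of the original thread: it compares the ESP shown by `.tss 28` with the Limit shown by `!thread`, and sizes each frame from adjacent ChildEBP values in the `kv` listing. The function names are hypothetical, and frames listed after the debugger's unwind warning (Dbgv onward) may be inexact.

```python
import re

# From this page's dump: ESP in .tss 28 and the Limit shown by !thread.
TSS_ESP, STACK_LIMIT = 0xEB434F78, 0xEB435000

# kv frames copied from the page, mail-client line wrapping left intact.
KV_TEXT = """\
eb4353fc 8045a9c1 00000001 eb43542c 00000000 nt!DebugService+0x10 (FPO:
[Non-Fpo])
eb43540c 80454388 eb43542c bb050fd0 bb050e48 nt!DebugPrint+0xd (FPO:
[1,0,0])
eb435654 eb54c7cc eb435660 4349440a 746f473a nt!DbgPrint+0xac (FPO:
[Non-Fpo])
eb435860 f0e7942d f0e78a20 bb050fd0 bb050e48 Dbgv+0x7cc
eb4359c4 80526626 8135e500 bb050e48 00000000 filespy+0x242d
eb435a0c bfeee818 00001000 00001000 bfef10fe
nt!IovSpecialIrpCompleteRequest+0x18c (FPO: [Non-Fpo])
eb435a18 bfef10fe 81546908 bb050e48 00000000
Ntfs!NtfsCompleteRequest+0x5c (FPO: [3,0,2])
"""

START = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} ")
FRAME = re.compile(r"^([0-9a-f]{8})(?: [0-9a-f]{8}){4} (\S+)")

def parse_frames(text):
    """Rejoin wrapped lines and return [(child_ebp, symbol), ...]."""
    joined = []
    for line in text.splitlines():
        if START.match(line):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()
    return [(int(m.group(1), 16), m.group(2))
            for m in map(FRAME.match, joined) if m]

def frame_sizes(frames):
    """Bytes between adjacent ChildEBP values, charged to the caller."""
    pairs = zip(frames, frames[1:])
    return sorted(((hi - lo, sym) for (lo, _), (hi, sym) in pairs),
                  reverse=True)

def stack_headroom(esp, limit):
    """Bytes between ESP and the stack limit; negative means ESP is past it."""
    return esp - limit

if __name__ == "__main__":
    print("headroom at fault:", stack_headroom(TSS_ESP, STACK_LIMIT))
    for size, sym in frame_sizes(parse_frames(KV_TEXT)):
        print(f"{size:5d}  {sym}")
```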

-----Original Message-----
From: Maxim S. Shatskih [mailto:xxxxx@storagecraft.com]
Sent: Friday, January 14, 2005 8:50 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] UNEXPECTED_KERNEL_MODE_TRAP (7f)

Kernel stack overflow possible.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: Anurag Sarin
To: Windows System Software Devs Interest List
Sent: Friday, January 14, 2005 6:03 PM
Subject: [ntdev] UNEXPECTED_KERNEL_MODE_TRAP (7f)

I have a BSOD : UNEXPECTED_KERNEL_MODE_TRAP (7f) on my filter driver in
W2k.
I have Driver verify on and below o/p.
Can not step trace as BSOD is very random and not on every boot session.

Any Ideas???
