Hello There,
I used windbp to analyze the dump file, but I am not a developer so I am having a hard time reading the below code.. Is there an easy way to indentify which drivers is causing the blue screen and make the machine reboot. ?
Any Help Apreciated. thanks
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804e73a0, The address that the exception occurred at
Arg3: b49c083c, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!PsReturnPoolQuota+17
804e73a0 8b8840010000 mov ecx,[eax+0x140]
TRAP_FRAME: b49c083c -- (.trap ffffffffb49c083c)
ErrCode = 00000000
eax=08143b30 ebx=00000081 ecx=00000000 edx=00000000 esi=e476fbf8 edi=897ac028
eip=804e73a0 esp=b49c08b0 ebp=b49c08cc iopl=0 nv up ei pl nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
nt!PsReturnPoolQuota+0x17:
804e73a0 8b8840010000 mov ecx,[eax+0x140] ds:0023:08143c70=????????
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from 8054b229 to 804e73a0
STACK_TEXT:
b49c08cc 8054b229 08143b30 00000001 00000408 nt!PsReturnPoolQuota+0x17
b49c0914 bf8029ef e476fc00 08143b30 b49c0930 nt!ExFreePoolWithTag+0x3aa
b49c0924 bf80ee83 e476fc00 b49c0bf4 bf888978 win32k!HeavyFreePool+0xbb
b49c0930 bf888978 b49c0984 bc66c6b0 0000004a win32k!PopAndFreeAlwaysW32ThreadLoc
k+0x20
b49c0bf4 bf813ea0 bc66c6b0 0000004a 00020470 win32k!SfnCOPYDATA+0x284
b49c0c3c bf83c607 0066c6b0 0000004a 00020470 win32k!xxxSendMessageToClient+0x176
b49c0cac bf801e58 e16064c0 b49c0d64 00000000 win32k!xxxReceiveMessage+0x2b5
b49c0ce8 bf80365e b49c0d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x
1d7
b49c0d48 804df06b 0117ff28 00000000 00000000 win32k!NtUserPeekMessage+0x40
b49c0d48 7c90eb94 0117ff28 00000000 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0117fed4 00000000 00000000 00000000 00000000 0x7c90eb94
FOLLOWUP_IP:
win32k!HeavyFreePool+bb
bf8029ef 5d pop ebp
SYMBOL_STACK_INDEX: 2
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: win32k!HeavyFreePool+bb
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a
STACK_COMMAND: .trap ffffffffb49c083c ; kb
FAILURE_BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb
BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb
Followup: MachineOwner
I used windbp to analyze the dump file, but I am not a developer so I am having a hard time reading the below code.. Is there an easy way to indentify which drivers is causing the blue screen and make the machine reboot. ?
Any Help Apreciated. thanks
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804e73a0, The address that the exception occurred at
Arg3: b49c083c, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!PsReturnPoolQuota+17
804e73a0 8b8840010000 mov ecx,[eax+0x140]
TRAP_FRAME: b49c083c -- (.trap ffffffffb49c083c)
ErrCode = 00000000
eax=08143b30 ebx=00000081 ecx=00000000 edx=00000000 esi=e476fbf8 edi=897ac028
eip=804e73a0 esp=b49c08b0 ebp=b49c08cc iopl=0 nv up ei pl nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
nt!PsReturnPoolQuota+0x17:
804e73a0 8b8840010000 mov ecx,[eax+0x140] ds:0023:08143c70=????????
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from 8054b229 to 804e73a0
STACK_TEXT:
b49c08cc 8054b229 08143b30 00000001 00000408 nt!PsReturnPoolQuota+0x17
b49c0914 bf8029ef e476fc00 08143b30 b49c0930 nt!ExFreePoolWithTag+0x3aa
b49c0924 bf80ee83 e476fc00 b49c0bf4 bf888978 win32k!HeavyFreePool+0xbb
b49c0930 bf888978 b49c0984 bc66c6b0 0000004a win32k!PopAndFreeAlwaysW32ThreadLoc
k+0x20
b49c0bf4 bf813ea0 bc66c6b0 0000004a 00020470 win32k!SfnCOPYDATA+0x284
b49c0c3c bf83c607 0066c6b0 0000004a 00020470 win32k!xxxSendMessageToClient+0x176
b49c0cac bf801e58 e16064c0 b49c0d64 00000000 win32k!xxxReceiveMessage+0x2b5
b49c0ce8 bf80365e b49c0d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x
1d7
b49c0d48 804df06b 0117ff28 00000000 00000000 win32k!NtUserPeekMessage+0x40
b49c0d48 7c90eb94 0117ff28 00000000 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0117fed4 00000000 00000000 00000000 00000000 0x7c90eb94
FOLLOWUP_IP:
win32k!HeavyFreePool+bb
bf8029ef 5d pop ebp
SYMBOL_STACK_INDEX: 2
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: win32k!HeavyFreePool+bb
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a
STACK_COMMAND: .trap ffffffffb49c083c ; kb
FAILURE_BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb
BUCKET_ID: 0x8E_win32k!HeavyFreePool+bb
Followup: MachineOwner
