kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: b05af080, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b05af080, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: b05af080
FAULTING_IP:
+ffffffffb05af080
b05af080 ?? ???
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 804e3802 to b05af080
FAILED_INSTRUCTION_ADDRESS:
+ffffffffb05af080
b05af080 ?? ???
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7b05aec 804e3802 86be4618 f75df459 f7b05b38 0xb05af080
f7b05afc 804e37f7 86b89bc8 86292008 86292008 nt!KeInsertByKeyDeviceQueue+0x4
f7b05b38 804e37f7 86977d80 86292008 01880000 nt!IopfCallDriver+0x31
f7b05b48 804f95d8 00000000 86033218 86033228 nt!IopfCallDriver+0x31
f7b05b38 804e37f7 86977d80 86292008 01880000 nt!IopPageReadInternal+0xf4
f7b05b5c 804f95ff 86977d80 8603320a 86033230 nt!IopfCallDriver+0x31
f7b05b5c 804f95ff 86977d80 8603320a 86033230 nt!IoPageRead+0x1b
f7b05b7c 804f9264 8617d2c8 86033250 86033230 nt!IoPageRead+0x1b
f7b05bf0 804eba6a 24eab8c0 d6e80000 c035ba00 nt!MiDispatchFault+0x274
f7b05c40 804f67f3 00000000 d6e80000 00000000 nt!MmAccessFault+0x5bc
f7b05c80 804ff901 d6e80000 00000000 80557398 nt!MmCheckCachedPageState+0x461
f7b05d2c 804ff6b4 86beb090 805622c0 86bc5640 nt!CcPerformReadAhead+0x1f1
f7b05d74 804e426b 86beb090 00000000 86bc5640 nt!CcWorkerThread+0x147
f7b05dac 8057aeff 86beb090 00000000 00000000 nt!ExpWorkerThread+0x100
f7b05ddc 804f88ea 804e4196 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeInsertByKeyDeviceQueue+4
804e3802 ec in al,dx
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KeInsertByKeyDeviceQueue+4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 498c1a18
FAILURE_BUCKET_ID: 0x50_CODE_AV_BAD_IP_nt!KeInsertByKeyDeviceQueue+4
BUCKET_ID: 0x50_CODE_AV_BAD_IP_nt!KeInsertByKeyDeviceQueue+4
Followup: MachineOwner
---------
** The stack frame shows a page read by the System process. The same crash was in the last dump, this time with 0x50, and
** the last dump was on the firefox.exe process. Both crash on KeInsertByKeyDeviceQueue+4.
** The operation here is an IRP (I/O Request Packet) that is a read operation. What we can learn here is that the stack is not right.
** It does not make sense that a call to IopfCallDriver is directly calling IopfCallDriver. This happens mainly with drivers/functions that are not following the EBP rule. Long story....
** Also the warning "Frame IP not in any known module" indicates that the stack shown here does not show us the real story.
** I will try to resolve the stack now.
kd> !thread
GetPointerFromAddress: unable to read from 8055fbd4
THREAD 86bc5640 Cid 0004.0020 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0
Not impersonating
GetUlongFromAddress: unable to read from 8055fc6c
Owning Process 86bc69c8 Image: System
ffdf0000: Unable to get shared data
Wait Start TickCount 1528025
Context Switch Count 47645
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address nt!ExpWorkerThread (0x804e4196)
** Here I can see the stack init and the limit. I will look at the stack and try to resolve it by hand.
kd> dds f7b03000 f7b06000 ** I have cut the output here to reduce the number of characters.
f7b05a8c 00000000
f7b05a90 8054ba10 nt!ExAllocatePoolWithTag+0x4a9
f7b05a94 00000008
f7b05a98 8054bdb9 nt!ExAllocatePoolWithTag+0x7af
f7b05a9c 00000000
f7b05aa0 ffdff120
f7b05aa4 ffffffff
f7b05aa8 86be4618
f7b05aac 00000000
f7b05ab0 00000023
f7b05ab4 00000023
f7b05ab8 86292008
f7b05abc f753e025 Ntfs!NtfsFsdRead+0x2a9
f7b05ac0 00000000
f7b05ac4 00000000
f7b05ac8 f7b05d1c
f7b05acc 00000030
f7b05ad0 86977d80
f7b05ad4 86bcaa18
f7b05ad8 86a076e8
f7b05adc f7b05afc
f7b05ae0 00000000
f7b05ae4 b05af080
f7b05ae8 00000008
f7b05aec 00010246
f7b05af0 804e3802 nt!KeInsertByKeyDeviceQueue+0x4
f7b05af4 86be4618
f7b05af8 f75df459 sr!SrPassThrough+0x31
f7b05afc f7b05b38
f7b05b00 804e37f7 nt!IopfCallDriver+0x31
f7b05b04 86b89bc8
f7b05b08 86292008
f7b05b0c 86292008
f7b05b10 f75f509e fltMgr!FltpDispatch+0x152
f7b05b14 86033228
f7b05b18 86b88280
f7b05b1c 8617d2c8
f7b05b20 86a076e8
f7b05b24 86292008
f7b05b28 00000000
f7b05b2c ffffffff
f7b05b30 00000000
f7b05b34 00000008
f7b05b38 f7b05b5c
f7b05b3c 804e37f7 nt!IopfCallDriver+0x31
f7b05b40 86977d80
f7b05b44 86292008
f7b05b48 01880000
f7b05b4c 804f95d8 nt!IopPageReadInternal+0xf4
f7b05b50 00000000
f7b05b54 86033218
f7b05b58 86033228
f7b05b5c f7b05b7c
f7b05b60 804f95ff nt!IoPageRead+0x1b
f7b05b64 86977d80
f7b05b68 8603320a
f7b05b6c 86033230
f7b05b70 86033218
f7b05b74 86033228
f7b05b78 00000000
f7b05b7c f7b05bf0
f7b05b80 804f9264 nt!MiDispatchFault+0x274
f7b05b84 8617d2c8
f7b05b88 86033250
f7b05b8c 86033230
f7b05b90 86033218
f7b05b94 86033228
f7b05b98 806f0298 hal!KeRaiseIrqlToDpcLevel
f7b05b9c c035ba00
f7b05ba0 0029cc00
f7b05ba4 01880000
f7b05ba8 00000000
f7b05bac 804f31e4 nt!CcGetVacbMiss+0x4d0
f7b05bb0 00000000
f7b05bb4 00000000
f7b05bb8 85fcecf8
f7b05bbc 00040000
f7b05bc0 00000000
f7b05bc4 00000000
f7b05bc8 00000000
f7b05bcc 00000000
f7b05bd0 00000000
f7b05bd4 00000000
f7b05bd8 00033a29
f7b05bdc 00000000
f7b05be0 00000000
f7b05be4 00000000
f7b05be8 e10a7200
f7b05bec 86033218
f7b05bf0 f7b05c40
f7b05bf4 804eba6a nt!MmAccessFault+0x5bc
f7b05bf8 24eab8c0
f7b05bfc d6e80000
f7b05c00 c035ba00
f7b05c04 e10a7200
f7b05c08 00000000
f7b05c0c f7b05c34
f7b05c10 c035ba00
f7b05c14 c038429c
f7b05c18 40000000
f7b05c1c 86bc69c8
f7b05c20 00000000
f7b05c24 f7b05bb0
f7b05c28 00000000
f7b05c2c f7b05d1c
f7b05c30 00000000
f7b05c34 00000000
f7b05c38 ffffffff
f7b05c3c 004f31e4
f7b05c40 f7b05c80
f7b05c44 804f67f3 nt!MmCheckCachedPageState+0x461
f7b05c48 00000000
f7b05c4c d6e80000
f7b05c50 00000000
f7b05c54 00000000
f7b05c58 00010000
f7b05c5c 85fcecf8
f7b05c60 0000000f
f7b05c64 00000004
f7b05c68 81cf4508
f7b05c6c 86bc5640
f7b05c70 00000000
f7b05c74 c035ba00
f7b05c78 e10a7200
f7b05c7c 00fcecf8
f7b05c80 f7b05d2c
f7b05c84 804ff901 nt!CcPerformReadAhead+0x1f1
f7b05c88 d6e80000
f7b05c8c 00000000
f7b05c90 80557398 nt!CcExpressWorkQueue
f7b05c94 85f662f0
f7b05c98 00000000
f7b05c9c 01880000
f7b05ca0 00000000
f7b05ca4 01890000
f7b05ca8 00000000
f7b05cac 01880000
f7b05cb0 00000000
f7b05cb4 00010000
f7b05cb8 00010000
f7b05cbc 01880000
f7b05cc0 00000000
f7b05cc4 00010000
f7b05cc8 85fcedd0
f7b05ccc 0000000e
f7b05cd0 85fcecf8
f7b05cd4 00000010
f7b05cd8 00000000
f7b05cdc 00000001
f7b05ce0 00000000
f7b05ce4 8617d2c8
f7b05ce8 00000001
** Looking at the offset f7b05af0 in the stack, we can see the last function we saw on the !analyze -v stack.
** Looking deeper, we can see other entries. But still, let's try to resolve the stack.
kd> kv L=f7b05ab8
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7b05aec 804e3802 86be4618 f75df459 f7b05b38 0xb05af080
f7b05af4 f75df459 f7b05b38 804e37f7 86b89bc8 nt!KeInsertByKeyDeviceQueue+0x4 (FPO: [Non-Fpo])
f7b05b0c f75f509e 86033228 86b88280 8617d2c8 sr!SrPassThrough+0x31 (FPO: [Non-Fpo])
86292008 86033250 00000043 00000000 86292018 fltMgr!FltpDispatch+0x152 (FPO: [Non-Fpo])
86292014 86292018 86292018 00000000 00010000 0x86033250
00000000 00000000 00000000 00000000 00000000 0x86292018
** Now it seems that both sr.sys and fltMgr.sys were on the stack. Here is the reason I asked for fltmc filters. It provides me with the
** information about which mini-filters exist on his system. Currently the only one is KLIF, so it would be interesting to see that driver removed.
** sr.sys is the System Restore driver and I doubt it is the root cause.
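The hand resolution above (dump the raw stack with dds, then look for return addresses that resolve into a module even though the frame-pointer chain skips them) as a script. This is an added example, not part of the original post and not a WinDbg feature: the dds excerpt is copied from the dump above and trimmed, while the parsing, the EBP-chain walk and the "skipped return address" check are my own code. It assumes the classic x86 frame layout ([EBP] holds the caller's saved EBP, [EBP+4] the return address), and the second starting point, f7b05afc, is my choice: it is the first slot in the dump whose value points higher up the stack and is followed by a resolved return address.

```python
"""Resolve a raw x86 kernel stack from WinDbg `dds` output.

Added example (not from the original post, not a WinDbg command). Assumes
the classic x86 frame layout: [EBP] = caller's saved EBP, [EBP+4] = return
address into the caller.
"""
import re

# Trimmed copy of the `dds f7b03000 f7b06000` output from the page:
# "slot-address value [symbol]" per line. Plain-data slots were dropped;
# the walker treats a missing slot as "not dumped".
DDS_OUTPUT = """\
f7b05aec 00010246
f7b05af0 804e3802 nt!KeInsertByKeyDeviceQueue+0x4
f7b05af4 86be4618
f7b05af8 f75df459 sr!SrPassThrough+0x31
f7b05afc f7b05b38
f7b05b00 804e37f7 nt!IopfCallDriver+0x31
f7b05b10 f75f509e fltMgr!FltpDispatch+0x152
f7b05b38 f7b05b5c
f7b05b3c 804e37f7 nt!IopfCallDriver+0x31
f7b05b5c f7b05b7c
f7b05b60 804f95ff nt!IoPageRead+0x1b
f7b05b7c f7b05bf0
f7b05b80 804f9264 nt!MiDispatchFault+0x274
f7b05bf0 f7b05c40
f7b05bf4 804eba6a nt!MmAccessFault+0x5bc
f7b05c40 f7b05c80
f7b05c44 804f67f3 nt!MmCheckCachedPageState+0x461
f7b05c80 f7b05d2c
f7b05c84 804ff901 nt!CcPerformReadAhead+0x1f1
"""

LINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})(?:\s+(\S+))?$")


def parse_dds(text):
    """Return {slot_address: (value, symbol_or_None)} from `dds` output."""
    stack = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stack[int(m.group(1), 16)] = (int(m.group(2), 16), m.group(3))
    return stack


def scavenge(stack):
    """Every slot whose value resolved to a symbol: a candidate return
    address, whether or not any frame-pointer chain reaches it."""
    return [(a, v, s) for a, (v, s) in sorted(stack.items()) if s]


def walk_ebp_chain(stack, ebp):
    """Follow saved-EBP links upward from `ebp`; return (frames, stop_reason).

    Each frame is (ebp, return_address, symbol). The walk stops when the
    chain leaves the dump, loops, hits an unresolved return address, or a
    saved EBP fails the sanity check that it must point up the stack.
    """
    frames, seen = [], set()
    while True:
        if ebp not in stack or ebp + 4 not in stack:
            return frames, "frame 0x%08x not in dumped range" % ebp
        if ebp in seen:
            return frames, "frame-pointer loop at 0x%08x" % ebp
        seen.add(ebp)
        saved_ebp, _ = stack[ebp]
        ret, sym = stack[ebp + 4]
        frames.append((ebp, ret, sym))
        if sym is None:
            return frames, "return address 0x%08x not in any known module" % ret
        if saved_ebp <= ebp:
            return frames, "saved EBP 0x%08x does not point up the stack" % saved_ebp
        ebp = saved_ebp


def skipped_symbols(stack, frames):
    """Resolved return addresses the EBP walk stepped over: callers that
    built no frame pointer, or whose EBP slot was overwritten, hide here."""
    used = {ebp + 4 for ebp, _, _ in frames}
    return [(a, v, s) for a, v, s in scavenge(stack) if a not in used]


if __name__ == "__main__":
    stack = parse_dds(DDS_OUTPUT)
    # 0xf7b05aec is the ChildEBP of the faulting frame in the kb output above;
    # its saved-EBP slot holds 0x00010246, which looks like EFLAGS, not a frame.
    for start in (0xF7B05AEC, 0xF7B05AFC):
        frames, why = walk_ebp_chain(stack, start)
        print("walk from 0x%08x:" % start)
        for ebp, ret, sym in frames:
            print("  %08x %08x %s" % (ebp, ret, sym))
        print("  stopped: %s" % why)
    print("return addresses the walk from 0xf7b05afc skipped:")
    for addr, val, sym in skipped_symbols(stack, walk_ebp_chain(stack, 0xF7B05AFC)[0]):
        print("  %08x %08x %s" % (addr, val, sym))
```

The walk from the faulting frame stops at once because its saved-EBP slot holds 0x00010246; the walk from f7b05afc reproduces the IopfCallDriver, IoPageRead, MiDispatchFault, MmAccessFault, MmCheckCachedPageState, CcPerformReadAhead chain the debugger printed, and the skipped list is exactly where sr!SrPassThrough and fltMgr!FltpDispatch show up, which is what the dds scan found by eye. Run it against a full dds listing of the thread's stack (StackLimit to StackBase from !thread) rather than this trimmed excerpt for a real dump.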