Jump to content

Dietmar

Member
  • Posts

    343
  • Joined

  • Last visited

  • Days Won

    2
  • Donations

    $0.00 
  • Country

    Germany

Everything posted by Dietmar

  1. Hi, I just install the nice XP from @Outbreaker on a Lenovo x230 Tablet version. Customized Option; 3,4,6,7,A,B,C,D,H I get really all to work, even the pen Dietmar
  2. @tpao12 Standby does not work on newer motherboards under XP, I think this is mostly because of the graphik driver Dietmar
  3. @jumper Can you write a Tutorial, how to implement a new function into ndis.sys from Longhorn 5048? This function is in ndis.sys from win7. But I dont know how to extract this function there and also not how to implement it Dietmar PS: Tutorial can use just this example.
  4. @Damnation I think, that @Mov AX, 0xDEAD is interested but ndis6 isnt easy on XP Dietmar
  5. @Damnation all is correct with *.pdb Dietmar
  6. @Damnation Endless running bar and with Windbg netio.sys Bsod, the lan driver e1d.. is 5(!) times unloaded, Bsod very late in Boot process, mouse pointer already there Dietmar *** Fatal System Error: 0x000000d1 (0x00300016,0x00000002,0x00000000,0xB98A99F7) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 22:55:08.406 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ............................................................... ....... Loading User Symbols Loading unloaded module list ............. ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck D1, {300016, 2, 0, b98a99f7} Probably caused by : NETIO.SYS ( NETIO!NmrpIsEqualNpiId+8 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 2: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: 00300016, memory referenced Arg2: 00000002, IRQL Arg3: 00000000, value 0 = read operation, 1 = write operation Arg4: b98a99f7, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: 00300016 CURRENT_IRQL: 2 FAULTING_IP: NETIO!NmrpIsEqualNpiId+8 b98a99f7 8b10 mov edx,dword ptr [eax] DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xD1 PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre TRAP_FRAME: ba54fa38 -- (.trap 0xffffffffba54fa38) ErrCode = 00000000 eax=00300016 ebx=00300012 ecx=b9b2d6f0 edx=89a1cd30 esi=b9b2d6f0 edi=00000000 eip=b98a99f7 esp=ba54faac ebp=ba54faac iopl=0 nv up ei pl nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206 NETIO!NmrpIsEqualNpiId+0x8: b98a99f7 8b10 mov edx,dword ptr [eax] ds:0023:00300016=???????? Resetting default scope LAST_CONTROL_TRANSFER: from 804f8e95 to 8052b724 STACK_TEXT: ba54f5ec 804f8e95 00000003 ba54f948 00000000 nt!RtlpBreakWithStatusInstruction ba54f638 804f9a80 00000003 00300016 b98a99f7 nt!KiBugCheckDebugBreak+0x19 ba54fa18 8054483c 0000000a 00300016 00000002 nt!KeBugCheck2+0x574 ba54fa18 b98a99f7 0000000a 00300016 00000002 nt!KiTrap0E+0x180 ba54faac b98a9e81 00300016 b9b2d6f0 89b18280 NETIO!NmrpIsEqualNpiId+0x8 ba54fac4 b98a9d5d 8bc0d208 00000001 b9b2f008 NETIO!NmrpFindOrAddRegisteredNpiId+0x22 ba54fb30 b98a9c91 89b18280 ba54fb68 ba54fb64 NETIO!NmrpRegisterModuleAndGetBindableCandidates+0x33 ba54fb58 b98a9f72 00000002 b9b2e018 00000000 NETIO!NmrpRegisterModule+0x3c ba54fb80 b9b0bf2f b9b0c6db 00000000 b9b2f008 NETIO!NmrRegisterProvider+0x4b ba54fba4 b9b0c6db 00000000 ba54fdcc 00000030 NDIS!ndisStartNsiProvider+0x4b ba54fbc0 b9b645c0 ba54fc64 8981fb90 00000000 NDIS!ndisInitializeNsi+0x50 ba54fbd4 b91d0bd3 ba54fc7c b91d066c ba54fbf8 NDIS!NdisRegisterProtocol+0x18 ba54fc84 805813af 89afac60 89b4c000 00000000 ndisuio!DriverEntry+0x175 ba54fd54 805814bf 80000958 00000001 00000000 nt!IopLoadDriver+0x66d ba54fd7c 80538921 80000958 00000000 8bc378a0 nt!IopLoadUnloadDriver+0x45 ba54fdac 805cffee b1d9acf4 00000000 00000000 nt!ExpWorkerThread+0xef ba54fddc 8054623e 80538832 00000001 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: kb FOLLOWUP_IP: NETIO!NmrpIsEqualNpiId+8 b98a99f7 8b10 mov edx,dword ptr [eax] SYMBOL_STACK_INDEX: 4 SYMBOL_NAME: NETIO!NmrpIsEqualNpiId+8 FOLLOWUP_NAME: MachineOwner MODULE_NAME: NETIO IMAGE_NAME: NETIO.SYS DEBUG_FLR_IMAGE_TIMESTAMP: 5b48ef86 IMAGE_VERSION: 6.1.7601.24208 FAILURE_BUCKET_ID: 0xD1_NETIO!NmrpIsEqualNpiId+8 BUCKET_ID: 0xD1_NETIO!NmrpIsEqualNpiId+8 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0xd1_netio!nmrpisequalnpiid+8 FAILURE_ID_HASH: {1d7ea187-17c8-1608-8471-24546162eb85} Followup: MachineOwner --------- 2: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (deferred) 80706000 8072e000 kdcom (deferred) b2041000 b2041d00 dxgthk (deferred) b4d38000 b4da7a80 mrxsmb (deferred) b4e15000 b4e3fb00 rdbss (deferred) b4e40000 b4e61d00 afd (deferred) b4e62000 b4e89d80 netbt (deferred) b4e8a000 b4eaf500 ipnat (deferred) b53df000 b5437480 tcpip (deferred) b5478000 b548a600 ipsec (deferred) b54ab000 b54be880 VIDEOPRT (deferred) b5858000 b585a280 rasacd (deferred) b58bc000 b58be900 Dxapi (deferred) b58f7000 b58f8080 RDPCDD (deferred) b5bb2000 b5bb6500 watchdog (deferred) b6d40000 b6d44a80 TDI (deferred) b6d50000 b6d57980 Npfs (deferred) b6d58000 b6d5cb00 Msfs (deferred) b6d60000 b6d65200 vga (deferred) b6d88000 b6d88b80 Null (deferred) b6e1a000 b6e24e00 Fips (deferred) b6e4a000 b6e52780 netbios (deferred) b8e63000 b8e6b900 msgpc (deferred) b91ce000 b91d1900 ndisuio (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ndisuio.pdb\C49AA8614D0E4F23B14F5894ABB43FD41\ndisuio.pdb b9604000 b9661f00 update (deferred) b9662000 b9684700 ks (deferred) b9685000 b96b4c80 rdpdr (deferred) b96b5000 b96dd000 HDAudBus (deferred) b97ad000 b97b0c80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b97ef000 b97f1400 Fs_Rec (deferred) b97f7000 b97fad80 serenum (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\netio.pdb\5BBB5169EEB04D0BB707BFA122C6C9442\netio.pdb b98d8000 b9903000 msrpc (deferred) b9903000 b9aec800 ntoskrn8 (deferred) b9aed000 b9ba5000 NDIS (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ndis.pdb\B69DA90026554DB7963D1422C84157172\ndis.pdb b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba118000 ba124d00 i8042prt (deferred) ba128000 ba137c00 serial (deferred) ba138000 ba140e00 intelppm (deferred) ba148000 ba151f80 termdd (deferred) ba328000 ba32e800 firadisk (deferred) ba388000 ba38e000 kbdclass (deferred) ba398000 ba39da00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba57c000 ba57e280 wmiacpi (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba5be000 ba5bf100 swenum (deferred) ba618000 ba619080 Beep (deferred) ba7d2000 ba7d2c00 audstub (deferred) bf000000 bf011600 dxg (deferred) bf012000 bf05ab00 ATMFD (deferred) bf800000 bf9d3700 win32k (deferred) bff50000 bff52480 framebuf (deferred) Unloaded modules: b5798000 b579b000 DumpDrv.SYS b4ccb000 b4d38000 e1d6232.sys b6e2a000 b6e35000 imapi.sys b4da8000 b4e15000 e1d6232.sys b6e3a000 b6e49000 redbook.sys b553f000 b55ac000 e1d6232.sys b8d12000 b8d17000 Cdaudio.SYS b5a1c000 b5a89000 e1d6232.sys b8e93000 b8ea3000 cdrom.sys b97f3000 b97f6000 Sfloppy.SYS b8ea3000 b8eaf000 Flpydisk.SYS b8d1a000 b8d21000 Fdc.SYS b9648000 b96b5000 e1d6232.sys
  7. @Damnation This one is a little bit other. On normal XP start it gives endless running bar. With Windbg I get it Dietmar *** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 22:27:55.343 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 ......................... Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7F, {8, ba330d70, 0, 0} *** ERROR: Symbol file could not be found. Defaulted to export symbols for e1d6232.sys - *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 Probably caused by : ntoskrn8.sys ( ntoskrn8!_imp__PsReferenceImpersonationToken+3 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: ba330d70 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 *** No owner thread found for resource 8055b4e0 *** No owner thread found for resource 8055b560 BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=ba553667 ebx=00020019 ecx=ba553290 edx=e15b3290 esi=ba553690 edi=8bc3a9c8 eip=b9972f67 esp=b9904aae ebp=ba553658 iopl=0 nv up ei ng nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282 ntoskrn8!_imp__PsReferenceImpersonationToken+0x3: b9972f67 80340850 xor byte ptr [eax+ecx],50h ds:0023:74aa68f7=?? Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LOCK_ADDRESS: 8055b4e0 -- (!locks 8055b4e0) Resource @ nt!PiEngineLock (0x8055b4e0) Exclusively owned Contention Count = 2 Threads: 8bc37620-01<*> 1 total locks, 1 locks currently held PNP_TRIAGE: Lock address : 0x8055b4e0 Thread Count : 0 Thread address: 0x00000000 Thread wait : 0x0 LAST_CONTROL_TRANSFER: from b989ec77 to b9972f67 UNALIGNED_STACK_POINTER: b9904aae STACK_TEXT: ba553658 b989ec77 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__PsReferenceImpersonationToken+0x3 ba5536bc b98a4a0a 00000000 e15b3290 00000000 NETIO!NsipAccessCheck+0x100 ba553728 b9b0b945 ba553740 b9b307c0 00000000 NETIO!NsiRegisterChangeNotificationEx+0x23 ba55375c b9b0c6ea 00060000 8052e8fc ba553784 NDIS!ndisStartNsiClient+0x6b ba553778 b9b08db9 b1c46000 89b1e950 00060014 NDIS!ndisInitializeNsi+0x5f ba553790 b1bf52a3 89b1e950 89b53000 00000000 NDIS!NdisMRegisterMiniportDriver+0x51 WARNING: Stack unwind information not available. Following frames may be wrong. ba55380c 805813af 89b1e950 89b53000 00000000 e1d6232!DriverEntry+0x20f ba5538dc 8058f557 80000824 00000000 ba553900 nt!IopLoadDriver+0x66d ba553920 805e7b7f e13ce1c0 00000001 80000824 nt!PipCallDriverAddDeviceQueryRoutine+0x235 ba55396c 805e7f76 e13ce1a4 00000001 ba5539e8 nt!RtlpCallQueryRegistryRoutine+0x37d ba5539f4 80590ddf 00000001 00000084 ba553a1c nt!RtlQueryRegistryValues+0x368 ba553ac8 8059229c 00000000 00000001 ba553d5c nt!PipCallDriverAddDevice+0x261 ba553d24 80592832 8bb9e168 00000001 00000000 nt!PipProcessDevNodeTree+0x1a4 ba553d54 804f6a2a 00000003 8055b5c0 8056485c nt!PiRestartDevice+0x80 ba553d7c 80538921 00000000 00000000 8bc37620 nt!PipDeviceActionWorker+0x168 ba553dac 805cffee 00000000 00000000 00000000 nt!ExpWorkerThread+0xef ba553ddc 8054623e 80538832 00000001 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: .tss 0x28 ; kb FOLLOWUP_IP: ntoskrn8!_imp__PsReferenceImpersonationToken+3 b9972f67 80340850 xor byte ptr [eax+ecx],50h SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ntoskrn8!_imp__PsReferenceImpersonationToken+3 FOLLOWUP_NAME: MachineOwner MODULE_NAME: ntoskrn8 IMAGE_NAME: ntoskrn8.sys DEBUG_FLR_IMAGE_TIMESTAMP: 629faeff IMAGE_VERSION: 5.1.2600.10 FAILURE_BUCKET_ID: 0x7f_8_ntoskrn8!_imp__PsReferenceImpersonationToken+3 BUCKET_ID: 0x7f_8_ntoskrn8!_imp__PsReferenceImpersonationToken+3 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0x7f_8_ntoskrn8!_imp__psreferenceimpersonationtoken+3 FAILURE_ID_HASH: {bee40295-1430-50f2-4e8a-32064dcc7f4a} Followup: MachineOwner --------- 1: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb 80706000 8072e000 kdcom (deferred) b1bf2000 b1c5f000 e1d6232 (export symbols) e1d6232.sys b3862000 b38bff00 update (deferred) b5105000 b5127700 ks (deferred) b51f9000 b5228c80 rdpdr (deferred) b6de3000 b6de3c00 audstub (deferred) b8e7b000 b8e84f80 termdd (deferred) b96b5000 b96dd000 HDAudBus (deferred) b970d000 b9710c80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b97f7000 b97fad80 serenum (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\netio.pdb\5BBB5169EEB04D0BB707BFA122C6C9442\netio.pdb b98d8000 b9903000 msrpc (deferred) b9903000 b9aec800 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\86B8A4E26A414B788E4F55812BC03C5D1\ntoskrn8.pdb b9aed000 b9ba5000 NDIS (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ndis.pdb\B69DA90026554DB7963D1422C84157172\ndis.pdb b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba118000 ba124d00 i8042prt (deferred) ba128000 ba137c00 serial (deferred) ba138000 ba140e00 intelppm (deferred) ba328000 ba32e800 firadisk (deferred) ba388000 ba38e000 kbdclass (deferred) ba398000 ba39da00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba57c000 ba57e280 wmiacpi (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba622000 ba623100 swenum (deferred) Unloaded modules: b2a8b000 b2a9b000 cdrom.sys b73f4000 b73f7000 Sfloppy.SYS b2a9b000 b2aa7000 Flpydisk.SYS b8dcb000 b8dd2000 Fdc.SYS b9648000 b96b5000 e1d6232.sys
  8. @Damnation Yepp, I forget. Here is with last *.pdb Dietmar Intel Storage Driver Ver: 11.2.0.1006 *** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 21:58:29.140 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 ......................... Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7F, {8, ba330d70, 0, 0} Probably caused by : ntoskrn8.sys ( ntoskrn8!_imp__PsReferencePrimaryToken+3 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: ba330d70 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=ba55db67 ebx=00020019 ecx=ba55c390 edx=e178c350 esi=ba553690 edi=8bc3a9c8 eip=b9972f6b esp=e8570689 ebp=ba553658 iopl=0 nv up ei ng nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286 ntoskrn8!_imp__PsReferencePrimaryToken+0x3: b9972f6b 80340850 xor byte ptr [eax+ecx],50h ds:0023:74ab9ef7=?? Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to b9972f6b UNALIGNED_STACK_POINTER: e8570689 STACK_TEXT: ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__PsReferencePrimaryToken+0x3 STACK_COMMAND: .tss 0x28 ; kb FOLLOWUP_IP: ntoskrn8!_imp__PsReferencePrimaryToken+3 b9972f6b 80340850 xor byte ptr [eax+ecx],50h SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ntoskrn8!_imp__PsReferencePrimaryToken+3 FOLLOWUP_NAME: MachineOwner MODULE_NAME: ntoskrn8 IMAGE_NAME: ntoskrn8.sys DEBUG_FLR_IMAGE_TIMESTAMP: 629fa760 IMAGE_VERSION: 5.1.2600.10 FAILURE_BUCKET_ID: 0x7f_8_ntoskrn8!_imp__PsReferencePrimaryToken+3 BUCKET_ID: 0x7f_8_ntoskrn8!_imp__PsReferencePrimaryToken+3 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0x7f_8_ntoskrn8!_imp__psreferenceprimarytoken+3 FAILURE_ID_HASH: {27ce86e3-c6e0-2574-9fa6-ebfd80618e8d} Followup: MachineOwner --------- 1: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb 80706000 8072e000 kdcom (deferred) b5a1c000 b5a89000 e1d6232 (deferred) b8b39000 b8b96f00 update (deferred) b9326000 b9348700 ks (deferred) b9685000 b96b4c80 rdpdr (deferred) b96b5000 b96dd000 HDAudBus (deferred) b9711000 b9714c80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b97f7000 b97fad80 serenum (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec880 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\C9467C0DBC594315A0717C5122137D231\ntoskrn8.pdb b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba118000 ba124d00 i8042prt (deferred) ba128000 ba137c00 serial (deferred) ba138000 ba140e00 intelppm (deferred) ba148000 ba151f80 termdd (deferred) ba328000 ba32e800 firadisk (deferred) ba388000 ba38e000 kbdclass (deferred) ba398000 ba39da00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba57c000 ba57e280 wmiacpi (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba5be000 ba5bf100 swenum (deferred) ba7f3000 ba7f3c00 audstub (deferred) Unloaded modules: b8ef1000 b8f01000 cdrom.sys b97f3000 b97f6000 Sfloppy.SYS b8f01000 b8f0d000 Flpydisk.SYS b8d78000 b8d7f000 Fdc.SYS b9648000 b96b5000 e1d6232.sys
  9. @Damnation Same as before Dietmar Breakpoint 0 hit e1d6232!DriverEntry: b5512094 55 push ebp 11: kd> g *** Fatal System Error: 0x0000007f (0x00000008,0xBA380D70,0x00000000,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 21:41:06.218 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 .......................... Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7F, {8, ba380d70, 0, 0} *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntoskrn8.sys - Probably caused by : ntoskrn8.sys ( ntoskrn8!wcstoul+64bd2 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 11: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: ba380d70 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=ba55db67 ebx=00020019 ecx=ba556590 edx=e1796540 esi=ba553690 edi=8bc3a9c8 eip=b9972f6b esp=e8570689 ebp=ba553658 iopl=0 nv up ei ng nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286 ntoskrn8!wcstoul+0x64bd2: b9972f6b 80340850 xor byte ptr [eax+ecx],50h ds:0023:74ab40f7=?? Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to b9972f6b UNALIGNED_STACK_POINTER: e8570689 STACK_TEXT: ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!wcstoul+0x64bd2 STACK_COMMAND: .tss 0x28 ; kb FOLLOWUP_IP: ntoskrn8!wcstoul+64bd2 b9972f6b 80340850 xor byte ptr [eax+ecx],50h SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ntoskrn8!wcstoul+64bd2 FOLLOWUP_NAME: MachineOwner MODULE_NAME: ntoskrn8 IMAGE_NAME: ntoskrn8.sys DEBUG_FLR_IMAGE_TIMESTAMP: 629fa760 IMAGE_VERSION: 5.1.2600.10 FAILURE_BUCKET_ID: 0x7f_8_ntoskrn8!wcstoul+64bd2 BUCKET_ID: 0x7f_8_ntoskrn8!wcstoul+64bd2 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0x7f_8_ntoskrn8!wcstoul+64bd2 FAILURE_ID_HASH: {1fad9cf1-073f-b7e5-0ea1-ef1bf339577a} Followup: MachineOwner --------- 11: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (deferred) 80706000 8072e000 kdcom (deferred) b550f000 b557c000 e1d6232 (deferred) b5b83000 b5be0f00 update (deferred) b5be1000 b5c03700 ks (deferred) b5c2c000 b5c5bc80 rdpdr (deferred) b7696000 b7696c00 audstub (deferred) b8ecb000 b8edb000 cdrom (deferred) b91c1000 b91caf80 termdd (deferred) b96b5000 b96dd000 HDAudBus (deferred) b97b9000 b97bb280 wmiacpi (deferred) b97f3000 b97f6d80 serenum (deferred) b97fb000 b97fec80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec880 ntoskrn8 (export symbols) ntoskrn8.sys b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba108000 ba114d00 i8042prt (deferred) ba118000 ba127c00 serial (deferred) ba128000 ba130e00 intelppm (deferred) ba328000 ba32e800 firadisk (deferred) ba388000 ba38e000 kbdclass (deferred) ba398000 ba39da00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba614000 ba615100 swenum (deferred) Unloaded modules: b8ecb000 b8edb000 cdrom.sys b97ef000 b97f2000 Sfloppy.SYS b8eeb000 b8ef7000 Flpydisk.SYS b8d8f000 b8d96000 Fdc.SYS b9648000 b96b5000 e1d6232.sys
  10. @Damnation Same as before Dietmar Intel Storage Driver Ver: 11.2.0.1006 *** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 20:53:44.562 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 ......................... Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7F, {8, ba330d70, 0, 0} Probably caused by : hardware ( ntoskrn8!_imp__KeInitializeMutex+3 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: ba330d70 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=ba551367 ebx=00020019 ecx=ba55da90 edx=e174daa0 esi=ba553690 edi=8bc3a9c7 eip=b9972fef esp=e8570689 ebp=ba553658 iopl=0 nv up ei ng nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282 ntoskrn8!_imp__KeInitializeMutex+0x3: b9972fef 80340850 xor byte ptr [eax+ecx],50h ds:0023:74aaedf7=?? Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to b9972fef MISALIGNED_IP: ntoskrn8!_imp__KeInitializeMutex+3 b9972fef 80340850 xor byte ptr [eax+ecx],50h UNALIGNED_STACK_POINTER: e8570689 STACK_TEXT: ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__KeInitializeMutex+0x3 STACK_COMMAND: .tss 0x28 ; kb FOLLOWUP_IP: ntoskrn8!_imp__KeInitializeMutex+3 b9972fef 80340850 xor byte ptr [eax+ecx],50h SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ntoskrn8!_imp__KeInitializeMutex+3 FOLLOWUP_NAME: MachineOwner MODULE_NAME: hardware IMAGE_NAME: hardware DEBUG_FLR_IMAGE_TIMESTAMP: 0 IMAGE_VERSION: 5.1.2600.10 FAILURE_BUCKET_ID: IP_MISALIGNED_ntoskrn8.sys BUCKET_ID: IP_MISALIGNED_ntoskrn8.sys ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:ip_misaligned_ntoskrn8.sys FAILURE_ID_HASH: {dbda5822-4532-65a2-14de-bf4f49b55a8c} Followup: MachineOwner --------- 1: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb 80706000 8072e000 kdcom (deferred) b5495000 b5502000 e1d6232 (deferred) b5b6a000 b5bc7f00 update (deferred) b5bc8000 b5bea700 ks (deferred) b5c13000 b5c42c80 rdpdr (deferred) b76af000 b76afc00 audstub (deferred) b91c1000 b91caf80 termdd (deferred) b96b5000 b96dd000 HDAudBus (deferred) b97b9000 b97bb280 wmiacpi (deferred) b97f3000 b97f6d80 serenum (deferred) b97ff000 b9802c80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec900 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\D8662FF0A5A24F3A82813E44885940221\ntoskrn8.pdb b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba2c8000 ba2d4d00 i8042prt (deferred) ba2d8000 ba2e7c00 serial (deferred) ba2e8000 ba2f0e00 intelppm (deferred) ba328000 ba32e800 firadisk (deferred) ba388000 ba38da00 mouclass (deferred) ba4b0000 ba4b6000 kbdclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba614000 ba615100 swenum (deferred) Unloaded modules: b8ecb000 b8edb000 cdrom.sys b97f7000 b97fa000 Sfloppy.SYS b8eeb000 b8ef7000 Flpydisk.SYS b8dcb000 b8dd2000 Fdc.SYS b9648000 b96b5000 e1d6232.sys
  11. @Damnation Did you know this tool Dietmar
  12. @Damnation Only the last 2 ntoskrn8.exe gives this Kerneltrap 7F Dietmar
  13. @Damnation I just test. When you do a trace in Windbg, it is an endless loop after the driver e1d6232.sys is unloaded This is output from Windbg Dietmar Intel Storage Driver Ver: 11.2.0.1006 *** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 19:29:10.484 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 ......................... Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7F, {8, ba330d70, 0, 0} Probably caused by : hardware ( ntoskrn8!_imp__KeInitializeMutex+3 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: ba330d70 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=ba551367 ebx=00020019 ecx=ba556e90 edx=e1766ea8 esi=ba553690 edi=8bc3a9c7 eip=b9972fef esp=e8570689 ebp=ba553658 iopl=0 nv up ei ng nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282 ntoskrn8!_imp__KeInitializeMutex+0x3: b9972fef 80340850 xor byte ptr [eax+ecx],50h ds:0023:74aa81f7=?? Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to b9972fef MISALIGNED_IP: ntoskrn8!_imp__KeInitializeMutex+3 b9972fef 80340850 xor byte ptr [eax+ecx],50h UNALIGNED_STACK_POINTER: e8570689 STACK_TEXT: ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__KeInitializeMutex+0x3 STACK_COMMAND: .tss 0x28 ; kb FOLLOWUP_IP: ntoskrn8!_imp__KeInitializeMutex+3 b9972fef 80340850 xor byte ptr [eax+ecx],50h SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ntoskrn8!_imp__KeInitializeMutex+3 FOLLOWUP_NAME: MachineOwner MODULE_NAME: hardware IMAGE_NAME: hardware DEBUG_FLR_IMAGE_TIMESTAMP: 0 IMAGE_VERSION: 5.1.2600.10 FAILURE_BUCKET_ID: IP_MISALIGNED_ntoskrn8.sys BUCKET_ID: IP_MISALIGNED_ntoskrn8.sys ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:ip_misaligned_ntoskrn8.sys FAILURE_ID_HASH: {dbda5822-4532-65a2-14de-bf4f49b55a8c} Followup: MachineOwner --------- 1: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb 80706000 8072e000 kdcom (deferred) b693b000 b69a8000 e1d6232 (deferred) b6cda000 b6d37f00 update (deferred) b6d38000 b6d5a700 ks (deferred) b6d5b000 b6d8ac80 rdpdr (deferred) b915a000 b9163f80 termdd (deferred) b96b5000 b96dd000 HDAudBus (deferred) b9795000 b9797280 wmiacpi (deferred) b97f3000 b97f6d80 serenum (deferred) b97f7000 b97fac80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec900 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\D8662FF0A5A24F3A82813E44885940221\ntoskrn8.pdb b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba1e8000 ba1f0e00 intelppm (deferred) ba298000 ba2a4d00 i8042prt (deferred) ba2a8000 ba2b7c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba4a8000 ba4ae000 kbdclass (deferred) ba4b0000 ba4b5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba624000 ba625100 swenum (deferred) ba683000 ba683c00 audstub (deferred) Unloaded modules: b8dca000 b8dda000 cdrom.sys b883e000 b8841000 Sfloppy.SYS b8dda000 b8de6000 Flpydisk.SYS b8d5a000 b8d61000 Fdc.SYS b9648000 b96b5000 e1d6232.sys
  14. @Damnation Now Bsod goes to ntoskrn8.sys Dietmar Intel Storage Driver Ver: 11.2.0.1006 *** ERROR: Symbol file could not be found. Defaulted to export symbols for e1d6232.sys - Breakpoint 0 hit e1d6232!DriverEntry: b6a56094 55 push ebp 1: kd> g *** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 18:14:34.234 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 WARNING: Process directory table base 9E680020 doesn't match CR3 00759000 ......................... Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 7F, {8, ba330d70, 0, 0} Probably caused by : ntoskrn8.sys ( ntoskrn8!_imp__SeQueryInformationToken+2 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a *portion* of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. Arguments: Arg1: 00000008, EXCEPTION_DOUBLE_FAULT Arg2: ba330d70 Arg3: 00000000 Arg4: 00000000 Debugging Details: ------------------ BUGCHECK_STR: 0x7f_8 TSS: 00000028 -- (.tss 0x28) eax=ba551367 ebx=00020019 ecx=ba550090 edx=e1640008 esi=ba553690 edi=8bc3a9c7 eip=b9973072 esp=e8570689 ebp=ba553658 iopl=0 nv up ei pl nz ac pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217 ntoskrn8!_imp__SeQueryInformationToken+0x2: b9973072 5e pop esi Resetting default scope DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 00000000 to b9973072 UNALIGNED_STACK_POINTER: e8570689 STACK_TEXT: ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__SeQueryInformationToken+0x2 STACK_COMMAND: .tss 0x28 ; kb FOLLOWUP_IP: ntoskrn8!_imp__SeQueryInformationToken+2 b9973072 5e pop esi SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: ntoskrn8!_imp__SeQueryInformationToken+2 FOLLOWUP_NAME: MachineOwner MODULE_NAME: ntoskrn8 IMAGE_NAME: ntoskrn8.sys DEBUG_FLR_IMAGE_TIMESTAMP: 629f7012 IMAGE_VERSION: 5.1.2600.10 FAILURE_BUCKET_ID: 0x7f_8_ntoskrn8!_imp__SeQueryInformationToken+2 BUCKET_ID: 0x7f_8_ntoskrn8!_imp__SeQueryInformationToken+2 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0x7f_8_ntoskrn8!_imp__sequeryinformationtoken+2 FAILURE_ID_HASH: {ddac3b4e-42a8-11ea-6936-c7f1f378e5c8} Followup: MachineOwner --------- 1: kd> lm start end module name 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb 806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb 80706000 8072e000 kdcom (deferred) b34d2000 b353f000 e1d6232 (deferred) b35ab000 b3608f00 update (deferred) b3609000 b362b700 ks (deferred) b362c000 b365bc80 rdpdr (deferred) b41cb000 b41cbc00 audstub (deferred) b44c7000 b44d0f80 termdd (deferred) b8e01000 b8e09e00 intelppm (deferred) b92b1000 b92b3280 wmiacpi (deferred) b96b5000 b96dd000 HDAudBus (deferred) b97f3000 b97f6d80 serenum (deferred) b97fb000 b97fec80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec980 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\DE5820ED5A0D4BDDAA0BD990F97C228A1\ntoskrn8.pdb b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba248000 ba254d00 i8042prt (deferred) ba258000 ba267c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba498000 ba49e000 kbdclass (deferred) ba4a0000 ba4a5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) ba5c0000 ba5c1100 swenum (deferred) Unloaded modules: b44a7000 b44b7000 cdrom.sys b97f7000 b97fa000 Sfloppy.SYS b44b7000 b44c3000 Flpydisk.SYS b3d67000 b3d6e000 Fdc.SYS b6a53000 b6ac0000 e1d6232.sys
  15. @Damnation May be it is not so difficult, if we understand how PE Maker and PE_Tool_0.0.5 work. The function KeQueryActiveProcessorCountEx you already integrate in ntoskrn8.sys. The function itself we can take from ndis.sys from win7 sp1, NdisGroupActiveProcessorCount but I also dont know how to extract this function Dietmar PS: Via IdaPro, the HexValues of this Export function in ndis.sys win7 sp1 bit32 are just Beginning with to end .text:0001832A ; Exported entry 200. NdisGroupActiveProcessorCount .text:0001832A .text:0001832A ; =============== S U B R O U T I N E ======================================= .text:0001832A .text:0001832A ; Attributes: bp-based frame .text:0001832A .text:0001832A ; __stdcall NdisGroupActiveProcessorCount(x) .text:0001832A public _NdisGroupActiveProcessorCount@4 .text:0001832A _NdisGroupActiveProcessorCount@4 proc near .text:0001832A ; CODE XREF: ndisCreateReceiveWorkerThreadPool()+42p .text:0001832A mov edi, edi .text:0001832C push ebp .text:0001832D mov ebp, esp .text:0001832F pop ebp .text:00018330 jmp ds:__imp__KeQueryActiveProcessorCountEx@4 ; KeQueryActiveProcessorCountEx(x) .text:00018330 _NdisGroupActiveProcessorCount@4 endp .text:00018330 .text:00018330 ; --------------------------------------------------------------------------- 8B FF 55 8B EC 5D FF 25 B4 F0 04 00
  16. @tpao12 May be the most easy test is to disable all the NVIDIA drivers in Device Manager in Sound, because I see, that you have there Realtek and Nvidia. XP may choose the Nvidia driver for sound, so you hear nothing Dietmar
  17. @Damnation Can you please integrate for me the function NdisGroupActiveProcessorCount into ndis.sys from Longhorn 5048? I think, that you do this via ntoskrn8.sys . I make a try with PE Maker, to add this function to ndis.sys by myself but I dont know, from where to get this function and how to integrate it into ndis.sys (or ntoskrn8.sys). This function is the only missed function in Import in ndis.sys for the win7 e1d6232.sys driver, as you can see with Dependency Walker Dietmar https://ufile.io/0taapdko
  18. @tpao12 After you have installed the Realtek driver, disable and then enable again the Microsoft UAA driver in system devices Dietmar
  19. @Damnation I make a try what happens in real win7. This win7 sp1 boots on the Asrock z370 k6 board with working drivers for i219 and i211, I test. With unlocker1.9.0-portable I rename on this win7 sp1 bit32 HD in an USB box netio.sys msrpc.sys and ndis.sys to netioORI.sys msrpcORI.sys and ndisORI.sys . Then I copy there your modded netio.sys msrpc.sys ndis.sys and ntoskrn8.sys. But win7 does not want to start with this files, even via F8 I choose "unsigned driver". The crazy System repair from win7 kicked the modified files out and replace it with its own. Is there a way, to tell win7 not to do this Dietmar
  20. @Damnation I already tried this, same Bsod with ndis5 driver for the i217 and ndis/netio/msrpc.sys files from win7 together with ntoskrn8.sys . I also look, if the i217 is backword compatible with the win7 driver and ndis/netio/msrpc.sys files from win7 together with ntoskrn8.sys, also not, same Bsod. Now I think the best what we can do is, to look step by step at the working 5048 ndis/netio/msrpc.sys, which driver has to be loaded at which time. For me it is still strange as much as possible, that I cant catch the driverentry of netio.sys. It looks, as if this driver never starts, is only loaded. And this may be the reason, why the e1d6232.sys is unloaded Dietmar PS: Now I am tired and go to bed:)). Next BIG step would be, to look at a working mini win7 SP1, which Lan files are loaded at which time, looking also for registry entries. Before e1d6232.sys install and then with Beyond compare of whole registry after install.
  21. @Damnation I caught the Bsod after the driverentry of e1d6232.sys . This driver e1d6232.sys was unloaded for unknown reason, 3 times. And after this netio.sys crashes. https://ufile.io/dompmiaq
  22. But later this driver e1d6232.sys is unloaded, still without Bsod 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> lm start end module name 7eb30000 7ebe4000 ntdll (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (export symbols) ntkrpamp.exe 80706000 8072e000 kdcom (deferred) b86d2000 b873f000 e1d6232 (export symbols) e1d6232.sys b96b5000 b96dd000 HDAudBus (deferred) b979d000 b97a0d80 serenum (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec680 ntoskrn8 (deferred) b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba278000 ba284d00 i8042prt (deferred) ba288000 ba297c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba3b8000 ba3be000 kbdclass (deferred) ba3c0000 ba3c5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) 1: kd> !devnode 0 1 Error retrieving address of IopRootDeviceNode 1: kd> p nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44d2: 805813e2 53 push ebx 1: kd> nt!NtWriteFile+0x44d3: 805813e3 ffb570ffffff push dword ptr [ebp-90h] 1: kd> nt!NtWriteFile+0x44d9: 805813e9 e8f29efcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x44de: 805813ee 395dac cmp dword ptr [ebp-54h],ebx 1: kd> nt!NtWriteFile+0x44e1: 805813f1 7c3b jl nt!NtWriteFile+0x451e (8058142e) 1: kd> nt!NtWriteFile+0x44e3: 805813f3 57 push edi 1: kd> nt!NtWriteFile+0x44e4: 805813f4 e883b10000 call nt!IoReportResourceUsage+0x18a6 (8058c57c) 1: kd> nt!NtWriteFile+0x44e9: 805813f9 84c0 test al,al 1: kd> nt!NtWriteFile+0x44eb: 805813fb 752c jne nt!NtWriteFile+0x4519 (80581429) 1: kd> nt!NtWriteFile+0x44ed: 805813fd 8d4598 lea eax,[ebp-68h] 1: kd> nt!NtWriteFile+0x44f0: 80581400 50 push eax 1: kd> nt!NtWriteFile+0x44f1: 80581401 ff758c push dword ptr [ebp-74h] 1: kd> nt!NtWriteFile+0x44f4: 80581404 57 push edi 1: kd> nt!NtWriteFile+0x44f5: 80581405 e8064bf7ff call nt!IoReportTargetDeviceChangeAsynchronous+0x16c (804f5f10) 1: kd> nt!NtWriteFile+0x44fa: 8058140a 3bc3 cmp eax,ebx 1: kd> nt!NtWriteFile+0x44fc: 8058140c 8945ac mov dword ptr [ebp-54h],eax 1: kd> nt!NtWriteFile+0x44ff: 8058140f 7d2c jge nt!NtWriteFile+0x452d (8058143d) 1: kd> nt!NtWriteFile+0x452d: 8058143d 6a01 push 1 1: kd> nt!NtWriteFile+0x452f: 8058143f 8d45a4 lea eax,[ebp-5Ch] 1: kd> nt!NtWriteFile+0x4532: 80581442 50 push eax 1: kd> nt!NtWriteFile+0x4533: 80581443 e836f4ffff call nt!NtWriteFile+0x396e (8058087e) 1: kd> nt!NtWriteFile+0x4538: 80581448 ff7714 push dword ptr [edi+14h] 1: kd> nt!NtWriteFile+0x453b: 8058144b e8b8c60200 call nt!MmResetDriverPaging+0x118e (805adb08) 1: kd> nt!NtWriteFile+0x4540: 80581450 57 push edi 1: kd> lm start end module name 7eb30000 7ebe4000 ntdll (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (export symbols) ntkrpamp.exe 80706000 8072e000 kdcom (deferred) b86d2000 b873f000 e1d6232 (export symbols) e1d6232.sys b96b5000 b96dd000 HDAudBus (deferred) b979d000 b97a0d80 serenum (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec680 ntoskrn8 (deferred) b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba278000 ba284d00 i8042prt (deferred) ba288000 ba297c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba3b8000 ba3be000 kbdclass (deferred) ba3c0000 ba3c5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) 1: kd> p nt!NtWriteFile+0x4541: 80581451 e8c4d6ffff call nt!NtWriteFile+0x1c0a (8057eb1a) 1: kd> nt!NtWriteFile+0x4546: 80581456 395dac cmp dword ptr [ebp-54h],ebx 1: kd> nt!NtWriteFile+0x4549: 80581459 0f8d39fbffff jge nt!NtWriteFile+0x4088 (80580f98) 1: kd> nt!NtWriteFile+0x4088: 80580f98 53 push ebx 1: kd> nt!NtWriteFile+0x4089: 80580f99 6a02 push 2 1: kd> nt!NtWriteFile+0x408b: 80580f9b e8227bfbff call nt!HeadlessDispatch+0x76 (80538ac2) 1: kd> nt!NtWriteFile+0x4090: 80580fa0 399d78ffffff cmp dword ptr [ebp-88h],ebx 1: kd> nt!NtWriteFile+0x4096: 80580fa6 740c je nt!NtWriteFile+0x40a4 (80580fb4) 1: kd> nt!NtWriteFile+0x4098: 80580fa8 53 push ebx 1: kd> nt!NtWriteFile+0x4099: 80580fa9 ffb578ffffff push dword ptr [ebp-88h] 1: kd> nt!NtWriteFile+0x409f: 80580faf e82ca3fcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x40a4: 80580fb4 399d6cffffff cmp dword ptr [ebp-94h],ebx 1: kd> nt!NtWriteFile+0x40aa: 80580fba 740c je nt!NtWriteFile+0x40b8 (80580fc8) 1: kd> nt!NtWriteFile+0x40ac: 80580fbc 53 push ebx 1: kd> nt!NtWriteFile+0x40ad: 80580fbd ffb56cffffff push dword ptr [ebp-94h] 1: kd> nt!NtWriteFile+0x40b3: 80580fc3 e818a3fcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x40b8: 80580fc8 395d9c cmp dword ptr [ebp-64h],ebx 1: kd> nt!NtWriteFile+0x40bb: 80580fcb 7409 je nt!NtWriteFile+0x40c6 (80580fd6) 1: kd> nt!NtWriteFile+0x40bd: 80580fcd 53 push ebx 1: kd> nt!NtWriteFile+0x40be: 80580fce ff759c push dword ptr [ebp-64h] 1: kd> nt!NtWriteFile+0x40c1: 80580fd1 e80aa3fcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x40c6: 80580fd6 395da8 cmp dword ptr [ebp-58h],ebx 1: kd> nt!NtWriteFile+0x40c9: 80580fd9 7409 je nt!NtWriteFile+0x40d4 (80580fe4) 1: kd> nt!NtWriteFile+0x40cb: 80580fdb 53 push ebx 1: kd> nt!NtWriteFile+0x40cc: 80580fdc ff75a8 push dword ptr [ebp-58h] 1: kd> nt!NtWriteFile+0x40cf: 80580fdf e8fca2fcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x40d4: 80580fe4 8b7dac mov edi,dword ptr [ebp-54h] 1: kd> nt!NtWriteFile+0x40d7: 80580fe7 3bfb cmp edi,ebx 1: kd> nt!NtWriteFile+0x40d9: 80580fe9 7d4e jge nt!NtWriteFile+0x4129 (80581039) 1: kd> nt!NtWriteFile+0x4129: 80581039 53 push ebx 1: kd> nt!NtWriteFile+0x412a: 8058103a ff758c push dword ptr [ebp-74h] 1: kd> nt!NtWriteFile+0x412d: 8058103d e806b50300 call nt!ObCloseHandle (805bc548) 1: kd> nt!NtWriteFile+0x4132: 80581042 8bc7 mov eax,edi 1: kd> nt!NtWriteFile+0x4134: 80581044 8b4dfc mov ecx,dword ptr [ebp-4] 1: kd> nt!NtWriteFile+0x4137: 80581047 5f pop edi 1: kd> nt!NtWriteFile+0x4138: 80581048 5e pop esi 1: kd> nt!NtWriteFile+0x4139: 80581049 5b pop ebx 1: kd> nt!NtWriteFile+0x413a: 8058104a e8cfd8f7ff call nt!KeRaiseUserException+0xc94 (804fe91e) 1: kd> nt!NtWriteFile+0x413f: 8058104f c9 leave 1: kd> nt!NtWriteFile+0x4140: 80581050 c21000 ret 10h 1: kd> nt!IoReportResourceUsage+0x4881: 8058f557 8bf0 mov esi,eax 1: kd> nt!IoReportResourceUsage+0x4883: 8058f559 3bf7 cmp esi,edi 1: kd> nt!IoReportResourceUsage+0x4885: 8058f55b 7d43 jge nt!IoReportResourceUsage+0x48ca (8058f5a0) 1: kd> nt!IoReportResourceUsage+0x48ca: 8058f5a0 803d97b4558000 cmp byte ptr [nt!IoAdapterObjectType+0x727 (8055b497)],0 1: kd> nt!IoReportResourceUsage+0x48d1: 8058f5a7 7405 je nt!IoReportResourceUsage+0x48d8 (8058f5ae) 1: kd> nt!IoReportResourceUsage+0x48d8: 8058f5ae 8d45e0 lea eax,[ebp-20h] 1: kd> nt!IoReportResourceUsage+0x48db: 8058f5b1 50 push eax 1: kd> nt!IoReportResourceUsage+0x48dc: 8058f5b2 e855fbfeff call nt!NtWriteFile+0x21fc (8057f10c) 1: kd> nt!IoReportResourceUsage+0x48e1: 8058f5b7 3bc7 cmp eax,edi 1: kd> nt!IoReportResourceUsage+0x48e3: 8058f5b9 8945f8 mov dword ptr [ebp-8],eax 1: kd> nt!IoReportResourceUsage+0x48e6: 8058f5bc 0f85c5000000 jne nt!IoReportResourceUsage+0x49b1 (8058f687) 1: kd> nt!IoReportResourceUsage+0x49b1: 8058f687 f6400810 test byte ptr [eax+8],10h 1: kd> nt!IoReportResourceUsage+0x49b5: 8058f68b 7509 jne nt!IoReportResourceUsage+0x49c0 (8058f696) 1: kd> nt!IoReportResourceUsage+0x49c0: 8058f696 50 push eax 1: kd> nt!IoReportResourceUsage+0x49c1: 8058f697 e8e0ceffff call nt!IoReportResourceUsage+0x18a6 (8058c57c) 1: kd> nt!IoReportResourceUsage+0x49c6: 8058f69c 84c0 test al,al 1: kd> nt!IoReportResourceUsage+0x49c8: 8058f69e 7421 je nt!IoReportResourceUsage+0x49eb (8058f6c1) 1: kd> nt!IoReportResourceUsage+0x49eb: 8058f6c1 8b03 mov eax,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x49ed: 8058f6c3 8b4018 mov eax,dword ptr [eax+18h] 1: kd> nt!IoReportResourceUsage+0x49f0: 8058f6c6 3d02030000 cmp eax,302h 1: kd> nt!IoReportResourceUsage+0x49f5: 8058f6cb 7407 je nt!IoReportResourceUsage+0x49fe (8058f6d4) 1: kd> nt!IoReportResourceUsage+0x49fe: 8058f6d4 8b451c mov eax,dword ptr [ebp+1Ch] 1: kd> nt!IoReportResourceUsage+0x4a01: 8058f6d7 685070656e push 6E657050h 1: kd> nt!IoReportResourceUsage+0x4a06: 8058f6dc 6a08 push 8 1: kd> nt!IoReportResourceUsage+0x4a08: 8058f6de 6a01 push 1 1: kd> nt!IoReportResourceUsage+0x4a0a: 8058f6e0 8d7c830c lea edi,[ebx+eax*4+0Ch] 1: kd> nt!IoReportResourceUsage+0x4a0e: 8058f6e4 33f6 xor esi,esi 1: kd> nt!IoReportResourceUsage+0x4a10: 8058f6e6 e87dc2fbff call nt!ExAllocatePoolWithTag (8054b968) 1: kd> nt!IoReportResourceUsage+0x4a15: 8058f6eb 85c0 test eax,eax 1: kd> nt!IoReportResourceUsage+0x4a17: 8058f6ed 7507 jne nt!IoReportResourceUsage+0x4a20 (8058f6f6) 1: kd> nt!IoReportResourceUsage+0x4a20: 8058f6f6 8b4df8 mov ecx,dword ptr [ebp-8] 1: kd> nt!IoReportResourceUsage+0x4a23: 8058f6f9 8908 mov dword ptr [eax],ecx 1: kd> nt!IoReportResourceUsage+0x4a25: 8058f6fb 33c9 xor ecx,ecx 1: kd> nt!IoReportResourceUsage+0x4a27: 8058f6fd 894804 mov dword ptr [eax+4],ecx 1: kd> nt!IoReportResourceUsage+0x4a2a: 8058f700 eb05 jmp nt!IoReportResourceUsage+0x4a31 (8058f707) 1: kd> nt!IoReportResourceUsage+0x4a31: 8058f707 390f cmp dword ptr [edi],ecx 1: kd> nt!IoReportResourceUsage+0x4a33: 8058f709 75f7 jne nt!IoReportResourceUsage+0x4a2c (8058f702) 1: kd> nt!IoReportResourceUsage+0x4a35: 8058f70b 8907 mov dword ptr [edi],eax 1: kd> nt!IoReportResourceUsage+0x4a37: 8058f70d 837df400 cmp dword ptr [ebp-0Ch],0 1: kd> nt!IoReportResourceUsage+0x4a3b: 8058f711 5b pop ebx 1: kd> nt!IoReportResourceUsage+0x4a3c: 8058f712 7408 je nt!IoReportResourceUsage+0x4a46 (8058f71c) 1: kd> nt!IoReportResourceUsage+0x4a3e: 8058f714 ff75f4 push dword ptr [ebp-0Ch] 1: kd> nt!IoReportResourceUsage+0x4a41: 8058f717 e8a808f7ff call nt!ZwClose (804fffc4) 1: kd> nt!IoReportResourceUsage+0x4a46: 8058f71c 807dff00 cmp byte ptr [ebp-1],0 1: kd> nt!IoReportResourceUsage+0x4a4a: 8058f720 7409 je nt!IoReportResourceUsage+0x4a55 (8058f72b) 1: kd> nt!IoReportResourceUsage+0x4a4c: 8058f722 8d45e0 lea eax,[ebp-20h] 1: kd> nt!IoReportResourceUsage+0x4a4f: 8058f725 50 push eax 1: kd> nt!IoReportResourceUsage+0x4a50: 8058f726 e8f5240500 call nt!RtlFreeUnicodeString (805e1c20) 1: kd> nt!IoReportResourceUsage+0x4a55: 8058f72b 8bc6 mov eax,esi 1: kd> nt!IoReportResourceUsage+0x4a57: 8058f72d 5f pop edi 1: kd> nt!IoReportResourceUsage+0x4a58: 8058f72e 5e pop esi 1: kd> nt!IoReportResourceUsage+0x4a59: 8058f72f c9 leave 1: kd> nt!IoReportResourceUsage+0x4a5a: 8058f730 c21800 ret 18h 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe1f: 805e7b7f 3d230000c0 cmp eax,0C0000023h 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe24: 805e7b84 7502 jne nt!RtlFormatCurrentUserKeyPath+0xe28 (805e7b88) 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe28: 805e7b88 5f pop edi 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe29: 805e7b89 5e pop esi 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe2a: 805e7b8a 5b pop ebx 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe2b: 805e7b8b c9 leave 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe2c: 805e7b8c c21c00 ret 1Ch 1: kd> nt!RtlQueryRegistryValues+0x368: 805e7f76 3d230000c0 cmp eax,0C0000023h 1: kd> nt!RtlQueryRegistryValues+0x36d: 805e7f7b 8945f8 mov dword ptr [ebp-8],eax 1: kd> nt!RtlQueryRegistryValues+0x370: 805e7f7e 7531 jne nt!RtlQueryRegistryValues+0x3a3 (805e7fb1) 1: kd> nt!RtlQueryRegistryValues+0x3a3: 805e7fb1 837df800 cmp dword ptr [ebp-8],0 1: kd> nt!RtlQueryRegistryValues+0x3a7: 805e7fb5 0f8cb3000000 jl nt!RtlQueryRegistryValues+0x460 (805e806e) 1: kd> nt!RtlQueryRegistryValues+0x3ad: 805e7fbb f6470440 test byte ptr [edi+4],40h 1: kd> nt!RtlQueryRegistryValues+0x3b1: 805e7fbf 0f84e4feffff je nt!RtlQueryRegistryValues+0x29b (805e7ea9) 1: kd> nt!RtlQueryRegistryValues+0x29b: 805e7ea9 837df800 cmp dword ptr [ebp-8],0 1: kd> nt!RtlQueryRegistryValues+0x29f: 805e7ead 0f8cbb010000 jl nt!RtlQueryRegistryValues+0x460 (805e806e) 1: kd> nt!RtlQueryRegistryValues+0x2a5: 805e7eb3 83c71c add edi,1Ch 1: kd> nt!RtlQueryRegistryValues+0x2a8: 805e7eb6 e973feffff jmp nt!RtlQueryRegistryValues+0x120 (805e7d2e) 1: kd> nt!RtlQueryRegistryValues+0x120: 805e7d2e 8b0f mov ecx,dword ptr [edi] 1: kd> nt!RtlQueryRegistryValues+0x122: 805e7d30 85c9 test ecx,ecx 1: kd> nt!RtlQueryRegistryValues+0x124: 805e7d32 750a jne nt!RtlQueryRegistryValues+0x130 (805e7d3e) 1: kd> nt!RtlQueryRegistryValues+0x126: 805e7d34 f6470421 test byte ptr [edi+4],21h 1: kd> nt!RtlQueryRegistryValues+0x12a: 805e7d38 0f8430030000 je nt!RtlQueryRegistryValues+0x460 (805e806e) 1: kd> nt!RtlQueryRegistryValues+0x460: 805e806e 837df000 cmp dword ptr [ebp-10h],0 1: kd> nt!RtlQueryRegistryValues+0x464: 805e8072 740e je nt!RtlQueryRegistryValues+0x474 (805e8082) 1: kd> nt!RtlQueryRegistryValues+0x466: 805e8074 837de800 cmp dword ptr [ebp-18h],0 1: kd> nt!RtlQueryRegistryValues+0x46a: 805e8078 7508 jne nt!RtlQueryRegistryValues+0x474 (805e8082) 1: kd> nt!RtlQueryRegistryValues+0x474: 805e8082 8b45ec mov eax,dword ptr [ebp-14h] 1: kd> nt!RtlQueryRegistryValues+0x477: 805e8085 85c0 test eax,eax 1: kd> nt!RtlQueryRegistryValues+0x479: 805e8087 740b je nt!RtlQueryRegistryValues+0x486 (805e8094) 1: kd> nt!RtlQueryRegistryValues+0x47b: 805e8089 3b45f0 cmp eax,dword ptr [ebp-10h] 1: kd> nt!RtlQueryRegistryValues+0x47e: 805e808c 7406 je nt!RtlQueryRegistryValues+0x486 (805e8094) 1: kd> nt!RtlQueryRegistryValues+0x486: 805e8094 837de000 cmp dword ptr [ebp-20h],0 1: kd> nt!RtlQueryRegistryValues+0x48a: 805e8098 7409 je nt!RtlQueryRegistryValues+0x495 (805e80a3) 1: kd> nt!RtlQueryRegistryValues+0x48c: 805e809a ff75e0 push dword ptr [ebp-20h] 1: kd> nt!RtlQueryRegistryValues+0x48f: 805e809d ff15240c6880 call dword ptr [nt!NlsOemLeadByteInfo+0xb04 (80680c24)] 1: kd> nt!RtlQueryRegistryValues+0x495: 805e80a3 6a00 push 0 1: kd> nt!RtlQueryRegistryValues+0x497: 805e80a5 ff750c push dword ptr [ebp+0Ch] 1: kd> nt!RtlQueryRegistryValues+0x49a: 805e80a8 56 push esi 1: kd> nt!RtlQueryRegistryValues+0x49b: 805e80a9 6a00 push 0 1: kd> nt!RtlQueryRegistryValues+0x49d: 805e80ab e8e8eaffff call nt!RtlInt64ToUnicodeString+0x1ae (805e6b98) 1: kd> nt!RtlQueryRegistryValues+0x4a2: 805e80b0 8b45f8 mov eax,dword ptr [ebp-8] 1: kd> nt!RtlQueryRegistryValues+0x4a5: 805e80b3 5f pop edi 1: kd> nt!RtlQueryRegistryValues+0x4a6: 805e80b4 5e pop esi 1: kd> nt!RtlQueryRegistryValues+0x4a7: 805e80b5 5b pop ebx 1: kd> nt!RtlQueryRegistryValues+0x4a8: 805e80b6 c9 leave 1: kd> nt!RtlQueryRegistryValues+0x4a9: 805e80b7 c21400 ret 14h 1: kd> nt!IoReportResourceUsage+0x6109: 80590ddf 894508 mov dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x610c: 80590de2 f6467d10 test byte ptr [esi+7Dh],10h 1: kd> nt!IoReportResourceUsage+0x6110: 80590de6 0f8524020000 jne nt!IoReportResourceUsage+0x633a (80591010) 1: kd> nt!IoReportResourceUsage+0x6116: 80590dec 837d0800 cmp dword ptr [ebp+8],0 1: kd> nt!IoReportResourceUsage+0x611a: 80590df0 7c19 jl nt!IoReportResourceUsage+0x6135 (80590e0b) 1: kd> nt!IoReportResourceUsage+0x611c: 80590df2 8b45bc mov eax,dword ptr [ebp-44h] 1: kd> nt!IoReportResourceUsage+0x611f: 80590df5 83780400 cmp dword ptr [eax+4],0 1: kd> nt!IoReportResourceUsage+0x6123: 80590df9 740a je nt!IoReportResourceUsage+0x612f (80590e05) 1: kd> nt!IoReportResourceUsage+0x612f: 80590e05 c645cc00 mov byte ptr [ebp-34h],0 1: kd> nt!IoReportResourceUsage+0x6133: 80590e09 eb30 jmp nt!IoReportResourceUsage+0x6165 (80590e3b) 1: kd> nt!IoReportResourceUsage+0x6165: 80590e3b 6a15 push 15h 1: kd> nt!IoReportResourceUsage+0x6167: 80590e3d 59 pop ecx 1: kd> nt!IoReportResourceUsage+0x6168: 80590e3e 33c0 xor eax,eax 1: kd> nt!IoReportResourceUsage+0x616a: 80590e40 50 push eax 1: kd> nt!IoReportResourceUsage+0x616b: 80590e41 8dbd54ffffff lea edi,[ebp-0ACh] 1: kd> nt!IoReportResourceUsage+0x6171: 80590e47 f3ab rep stos dword ptr es:[edi] 1: kd> nt!IoReportResourceUsage+0x6173: 80590e49 8d45a8 lea eax,[ebp-58h] 1: kd> nt!IoReportResourceUsage+0x6176: 80590e4c 50 push eax 1: kd> nt!IoReportResourceUsage+0x6177: 80590e4d 8d8554ffffff lea eax,[ebp-0ACh] 1: kd> nt!IoReportResourceUsage+0x617d: 80590e53 50 push eax 1: kd> nt!IoReportResourceUsage+0x617e: 80590e54 ff75f4 push dword ptr [ebp-0Ch] 1: kd> nt!IoReportResourceUsage+0x6181: 80590e57 bf22f35880 mov edi,offset nt!IoReportResourceUsage+0x464c (8058f322) 1: kd> nt!IoReportResourceUsage+0x6186: 80590e5c 53 push ebx 1: kd> nt!IoReportResourceUsage+0x6187: 80590e5d 89bd54ffffff mov dword ptr [ebp-0ACh],edi 1: kd> nt!IoReportResourceUsage+0x618d: 80590e63 c7855cffffff420b5980 mov dword ptr [ebp-0A4h],offset nt!IoReportResourceUsage+0x5e6c (80590b42) 1: kd> nt!IoReportResourceUsage+0x6197: 80590e6d c78560ffffff03000000 mov dword ptr [ebp-0A0h],3 1: kd> nt!IoReportResourceUsage+0x61a1: 80590e77 e8926d0500 call nt!RtlQueryRegistryValues (805e7c0e) 1: kd> nt!IoReportResourceUsage+0x61a6: 80590e7c 85c0 test eax,eax 1: kd> nt!IoReportResourceUsage+0x61a8: 80590e7e 894508 mov dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x61ab: 80590e81 0f8c8d010000 jl nt!IoReportResourceUsage+0x633e (80591014) 1: kd> nt!IoReportResourceUsage+0x61b1: 80590e87 837df800 cmp dword ptr [ebp-8],0 1: kd> nt!IoReportResourceUsage+0x61b5: 80590e8b 7433 je nt!IoReportResourceUsage+0x61ea (80590ec0) 1: kd> lm start end module name 7eb30000 7ebe4000 ntdll (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (export symbols) ntkrpamp.exe 80706000 8072e000 kdcom (deferred) b86d2000 b873f000 e1d6232 (export symbols) e1d6232.sys b96b5000 b96dd000 HDAudBus (deferred) b979d000 b97a0d80 serenum (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec680 ntoskrn8 (deferred) b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba278000 ba284d00 i8042prt (deferred) ba288000 ba297c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba3b8000 ba3be000 kbdclass (deferred) ba3c0000 ba3c5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) 1: kd> p nt!IoReportResourceUsage+0x61b7: 80590e8d 6a00 push 0 1: kd> nt!IoReportResourceUsage+0x61b9: 80590e8f 8d45a8 lea eax,[ebp-58h] 1: kd> nt!IoReportResourceUsage+0x61bc: 80590e92 50 push eax 1: kd> nt!IoReportResourceUsage+0x61bd: 80590e93 8d8554ffffff lea eax,[ebp-0ACh] 1: kd> nt!IoReportResourceUsage+0x61c3: 80590e99 50 push eax 1: kd> nt!IoReportResourceUsage+0x61c4: 80590e9a ff75f8 push dword ptr [ebp-8] 1: kd> nt!IoReportResourceUsage+0x61c7: 80590e9d 89bd54ffffff mov dword ptr [ebp-0ACh],edi 1: kd> nt!IoReportResourceUsage+0x61cd: 80590ea3 53 push ebx 1: kd> nt!IoReportResourceUsage+0x61ce: 80590ea4 c7855cffffff5e0b5980 mov dword ptr [ebp-0A4h],offset nt!IoReportResourceUsage+0x5e88 (80590b5e) 1: kd> nt!IoReportResourceUsage+0x61d8: 80590eae c78560ffffff04000000 mov dword ptr [ebp-0A0h],4 1: kd> nt!IoReportResourceUsage+0x61e2: 80590eb8 e8516d0500 call nt!RtlQueryRegistryValues (805e7c0e) 1: kd> nt!IoReportResourceUsage+0x61e7: 80590ebd 894508 mov dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x61ea: 80590ec0 837d0800 cmp dword ptr [ebp+8],0 1: kd> nt!IoReportResourceUsage+0x61ee: 80590ec4 0f8c4a010000 jl nt!IoReportResourceUsage+0x633e (80591014) 1: kd> nt!IoReportResourceUsage+0x61f4: 80590eca ffb688000000 push dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x61fa: 80590ed0 33db xor ebx,ebx 1: kd> nt!IoReportResourceUsage+0x61fc: 80590ed2 895d10 mov dword ptr [ebp+10h],ebx 1: kd> nt!IoReportResourceUsage+0x61ff: 80590ed5 895dd8 mov dword ptr [ebp-28h],ebx 1: kd> nt!IoReportResourceUsage+0x6202: 80590ed8 e8a5e7f5ff call nt!IoGetAttachedDevice (804ef682) 1: kd> nt!IoReportResourceUsage+0x6207: 80590edd 8945c8 mov dword ptr [ebp-38h],eax 1: kd> nt!IoReportResourceUsage+0x620a: 80590ee0 885d0f mov byte ptr [ebp+0Fh],bl 1: kd> nt!IoReportResourceUsage+0x620d: 80590ee3 807d0f02 cmp byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6211: 80590ee7 7525 jne nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6238: 80590f0e 0fb6450f movzx eax,byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x623c: 80590f12 8b7c85b4 mov edi,dword ptr [ebp+eax*4-4Ch] 1: kd> nt!IoReportResourceUsage+0x6240: 80590f16 3bfb cmp edi,ebx 1: kd> nt!IoReportResourceUsage+0x6242: 80590f18 7459 je nt!IoReportResourceUsage+0x629d (80590f73) 1: kd> nt!IoReportResourceUsage+0x629d: 80590f73 fe450f inc byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x62a0: 80590f76 807d0f05 cmp byte ptr [ebp+0Fh],5 1: kd> nt!IoReportResourceUsage+0x62a4: 80590f7a 0f8263ffffff jb nt!IoReportResourceUsage+0x620d (80590ee3) 1: kd> nt!IoReportResourceUsage+0x620d: 80590ee3 807d0f02 cmp byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6211: 80590ee7 7525 jne nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6238: 80590f0e 0fb6450f movzx eax,byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x623c: 80590f12 8b7c85b4 mov edi,dword ptr [ebp+eax*4-4Ch] 1: kd> nt!IoReportResourceUsage+0x6240: 80590f16 3bfb cmp edi,ebx 1: kd> nt!IoReportResourceUsage+0x6242: 80590f18 7459 je nt!IoReportResourceUsage+0x629d (80590f73) 1: kd> nt!IoReportResourceUsage+0x629d: 80590f73 fe450f inc byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x62a0: 80590f76 807d0f05 cmp byte ptr [ebp+0Fh],5 1: kd> nt!IoReportResourceUsage+0x62a4: 80590f7a 0f8263ffffff jb nt!IoReportResourceUsage+0x620d (80590ee3) 1: kd> nt!IoReportResourceUsage+0x620d: 80590ee3 807d0f02 cmp byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6211: 80590ee7 7525 jne nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6213: 80590ee9 ffb688000000 push dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x6219: 80590eef e88ee7f5ff call nt!IoGetAttachedDevice (804ef682) 1: kd> nt!IoReportResourceUsage+0x621e: 80590ef4 807dff00 cmp byte ptr [ebp-1],0 1: kd> nt!IoReportResourceUsage+0x6222: 80590ef8 8945d8 mov dword ptr [ebp-28h],eax 1: kd> nt!IoReportResourceUsage+0x6225: 80590efb 7411 je nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6238: 80590f0e 0fb6450f movzx eax,byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x623c: 80590f12 8b7c85b4 mov edi,dword ptr [ebp+eax*4-4Ch] 1: kd> nt!IoReportResourceUsage+0x6240: 80590f16 3bfb cmp edi,ebx 1: kd> nt!IoReportResourceUsage+0x6242: 80590f18 7459 je nt!IoReportResourceUsage+0x629d (80590f73) 1: kd> nt!IoReportResourceUsage+0x6244: 80590f1a 83c002 add eax,2 1: kd> nt!IoReportResourceUsage+0x6247: 80590f1d 8945e8 mov dword ptr [ebp-18h],eax 1: kd> nt!IoReportResourceUsage+0x624a: 80590f20 8b17 mov edx,dword ptr [edi] 1: kd> nt!IoReportResourceUsage+0x624c: 80590f22 8b4218 mov eax,dword ptr [edx+18h] 1: kd> nt!IoReportResourceUsage+0x624f: 80590f25 ff75e8 push dword ptr [ebp-18h] 1: kd> nt!IoReportResourceUsage+0x6252: 80590f28 8b4004 mov eax,dword ptr [eax+4] 1: kd> nt!IoReportResourceUsage+0x6255: 80590f2b 8b8e88000000 mov ecx,dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x625b: 80590f31 50 push eax 1: kd> nt!IoReportResourceUsage+0x625c: 80590f32 e80b65f6ff call nt!IoReportTargetDeviceChangeAsynchronous+0x169e (804f7442) 1: kd> nt!IoReportResourceUsage+0x6261: 80590f37 3bc3 cmp eax,ebx 1: kd> nt!IoReportResourceUsage+0x6263: 80590f39 894508 mov dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x6266: 80590f3c 7c1d jl nt!IoReportResourceUsage+0x6285 (80590f5b) 1: kd> nt!IoReportResourceUsage+0x6285: 80590f5b 807d0f02 cmp byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6289: 80590f5f 742e je nt!IoReportResourceUsage+0x62b9 (80590f8f) 1: kd> nt!IoReportResourceUsage+0x62b9: 80590f8f 8b45c8 mov eax,dword ptr [ebp-38h] 1: kd> nt!IoReportResourceUsage+0x62bc: 80590f92 8b5010 mov edx,dword ptr [eax+10h] 1: kd> nt!IoReportResourceUsage+0x62bf: 80590f95 8b8e88000000 mov ecx,dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x62c5: 80590f9b 53 push ebx 1: kd> nt!IoReportResourceUsage+0x62c6: 80590f9c ff7510 push dword ptr [ebp+10h] 1: kd> nt!IoReportResourceUsage+0x62c9: 80590f9f e862ecfaff call nt!wctomb+0x3f0b (8053fc06) 1: kd> nt!IoReportResourceUsage+0x62ce: 80590fa4 6a1f push 1Fh 1: kd> nt!IoReportResourceUsage+0x62d0: 80590fa6 53 push ebx 1: kd> nt!IoReportResourceUsage+0x62d1: 80590fa7 56 push esi 1: kd> nt!IoReportResourceUsage+0x62d2: 80590fa8 e8a7370000 call nt!IoReportResourceUsage+0x9a7e (80594754) 1: kd> nt!IoReportResourceUsage+0x62d7: 80590fad eb65 jmp nt!IoReportResourceUsage+0x633e (80591014) 1: kd> nt!IoReportResourceUsage+0x633e: 80591014 8d5db4 lea ebx,[ebp-4Ch] 1: kd> nt!IoReportResourceUsage+0x6341: 80591017 c7450c05000000 mov dword ptr [ebp+0Ch],5 1: kd> nt!IoReportResourceUsage+0x6348: 8059101e 8b33 mov esi,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x634a: 80591020 eb24 jmp nt!IoReportResourceUsage+0x6370 (80591046) 1: kd> nt!IoReportResourceUsage+0x6370: 80591046 85f6 test esi,esi 1: kd> nt!IoReportResourceUsage+0x6372: 80591048 75d8 jne nt!IoReportResourceUsage+0x634c (80591022) 1: kd> nt!IoReportResourceUsage+0x6374: 8059104a 83c304 add ebx,4 1: kd> nt!IoReportResourceUsage+0x6377: 8059104d ff4d0c dec dword ptr [ebp+0Ch] 1: kd> nt!IoReportResourceUsage+0x637a: 80591050 75cc jne nt!IoReportResourceUsage+0x6348 (8059101e) 1: kd> nt!IoReportResourceUsage+0x6348: 8059101e 8b33 mov esi,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x634a: 80591020 eb24 jmp nt!IoReportResourceUsage+0x6370 (80591046) 1: kd> nt!IoReportResourceUsage+0x6370: 80591046 85f6 test esi,esi 1: kd> nt!IoReportResourceUsage+0x6372: 80591048 75d8 jne nt!IoReportResourceUsage+0x634c (80591022) 1: kd> nt!IoReportResourceUsage+0x6374: 8059104a 83c304 add ebx,4 1: kd> nt!IoReportResourceUsage+0x6377: 8059104d ff4d0c dec dword ptr [ebp+0Ch] 1: kd> nt!IoReportResourceUsage+0x637a: 80591050 75cc jne nt!IoReportResourceUsage+0x6348 (8059101e) 1: kd> nt!IoReportResourceUsage+0x6348: 8059101e 8b33 mov esi,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x634a: 80591020 eb24 jmp nt!IoReportResourceUsage+0x6370 (80591046) 1: kd> nt!IoReportResourceUsage+0x6370: 80591046 85f6 test esi,esi 1: kd> nt!IoReportResourceUsage+0x6372: 80591048 75d8 jne nt!IoReportResourceUsage+0x634c (80591022) 1: kd> nt!IoReportResourceUsage+0x634c: 80591022 803d96b4558000 cmp byte ptr [nt!IoAdapterObjectType+0x726 (8055b496)],0 1: kd> nt!IoReportResourceUsage+0x6353: 80591029 8bfe mov edi,esi 1: kd> nt!IoReportResourceUsage+0x6355: 8059102b 8b7604 mov esi,dword ptr [esi+4] 1: kd> nt!IoReportResourceUsage+0x6358: 8059102e 7407 je nt!IoReportResourceUsage+0x6361 (80591037) 1: kd> nt!IoReportResourceUsage+0x635a: 80591030 ff37 push dword ptr [edi] 1: kd> nt!IoReportResourceUsage+0x635c: 80591032 e885350000 call nt!IoReportResourceUsage+0x98e6 (805945bc) 1: kd> nt!IoReportResourceUsage+0x6361: 80591037 8b0f mov ecx,dword ptr [edi] 1: kd> nt!IoReportResourceUsage+0x6363: 80591039 e8a057f9ff call nt!ObfDereferenceObject (805267de) 1: kd> nt!RtlUnwind+0xdc1: 80532043 5d pop ebp 1: kd> lm start end module name 7eb30000 7ebe4000 ntdll (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (export symbols) ntkrpamp.exe 80706000 8072e000 kdcom (deferred) b3748000 b37a5f00 update (deferred) b37a6000 b37c8700 ks (deferred) b37c9000 b37f8c80 rdpdr (deferred) b44e6000 b44e6c00 audstub (deferred) b45f7000 b4600f80 termdd (deferred) b500e000 b5011c80 mssmbios (deferred) b6e27000 b6e28100 swenum (deferred) b8eab000 b8eb3e00 intelppm (deferred) b96b5000 b96dd000 HDAudBus (deferred) b979d000 b97a0d80 serenum (deferred) b97b1000 b97b3280 wmiacpi (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec680 ntoskrn8 (deferred) b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba278000 ba284d00 i8042prt (deferred) ba288000 ba297c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba3b8000 ba3be000 kbdclass (deferred) ba3c0000 ba3c5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) Unloaded modules: b5006000 b5009000 Sfloppy.SYS b45e7000 b45f3000 Flpydisk.SYS b6f9d000 b6fa4000 Fdc.SYS b86d2000 b873f000 e1d6232.sys
  23. The driver for the i219 can also be stopped at its DriverEntry without Bsod Intel Storage Driver Ver: 11.2.0.1006 *** ERROR: Symbol file could not be found. Defaulted to export symbols for e1d6232.sys - Breakpoint 0 hit e1d6232!DriverEntry: b86d5094 55 push ebp
  24. @Damnation ndis.sys DriverEntry is reached without Bsod Dietmar kd> bu ndis!DriverEntry kd> g Intel Storage Driver Ver: 11.2.0.1006 Breakpoint 0 hit NDIS!DriverEntry: b9b86684 8bff mov edi,edi


×
×
  • Create New...