Damnation Posted June 6, 2022 Author Posted June 6, 2022 @Mov AX, 0xDEAD I've added the internal ntoskrnl libraries for use with the ntoskrnl extender project. This was to help with some of the much larger functions like MmAllocatePagesForMdlEx You can make use of internal Ki functions this way. It's helped a bit with @Dietmar being able to allocate resources to hardware, and at the very least, adding these libraries did not interfere with anything that already worked with the previous version ntoskrnl extender. Can you take a look at what I have to see if it's possible to get NDIS6 working this way? https://ufile.io/x8teed7c
Dietmar Posted June 6, 2022 Posted June 6, 2022 @Damnation I make a strange discovery: In Windbg when I write bu netio!DriverEntry I get Bsod about NMR.. This means, that the driverentry of netio.sys is not reached. Also I try EB FE at the beginning of DriverEntry of netio.sys, but this also did not stop (should be endless bar but gives also NMR.. Bsod). This simple means, that at no time the driverentry of netio.sys is reached, Bsod is before Dietmar PS: So it looks, as if XP puts the driver netio.sys at an not allowed place in memory. And about this cries NMR and gives Bsod.
Dietmar Posted June 6, 2022 Posted June 6, 2022 @Damnation This a little bit different Bsod I get after breakpoint setting via bu netio!DriverEntry Dietmar Intel Storage Driver Ver: 11.2.0.1006 *** Fatal System Error: 0x000000c2 (0x00000007,0x00000CD4,0x02070008,0x8BC16730) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Mon Jun 6 21:57:47.828 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ...................................................... Loading User Symbols Loading unloaded module list ........ ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck C2, {7, cd4, 2070008, 8bc16730} Probably caused by : NETIO.SYS ( NETIO!NmrpDeleteNode+39 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 8052b724 cc int 3 0: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* BAD_POOL_CALLER (c2) The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc. Arguments: Arg1: 00000007, Attempt to free pool which was already freed Arg2: 00000cd4, (reserved) Arg3: 02070008, Memory contents of the pool block Arg4: 8bc16730, Address of the block of pool being deallocated Debugging Details: ------------------ POOL_ADDRESS: 8bc16730 Nonpaged pool FREED_POOL_TAG: NMRn BUGCHECK_STR: 0xc2_7_NMRn DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre DPC_STACK_BASE: FFFFFFFFBA4C8000 LAST_CONTROL_TRANSFER: from 804f8e95 to 8052b724 STACK_TEXT: ba4c2e24 804f8e95 00000003 ba4c3180 00000000 nt!RtlpBreakWithStatusInstruction ba4c2e70 804f9a80 00000003 00200000 8bc16728 nt!KiBugCheckDebugBreak+0x19 ba4c3250 804f9fcf 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574 ba4c3270 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b ba4c32c0 b98ba3ca 8bc16730 00000000 89c78100 nt!ExFreePoolWithTag+0x2a3 ba4c32d4 b98ba411 8bc16730 b98afaf0 89c78100 NETIO!NmrpDeleteNode+0x39 ba4c32dc b98afaf0 89c78100 00000000 b98cc072 NETIO!NmrpRemoveRegisteredList+0x3d ba4c32f8 b98b9d69 b9b2e000 00000000 b98cc070 NETIO!NmrpDereferenceModule+0x28 ba4c3310 b98b9da1 89c78100 ba4c334c b9b12e98 NETIO!NmrpWaitForModuleDeregisterComplete+0x38 ba4c331c b9b12e98 89c78100 8055ae68 c00000bb NETIO!NmrWaitForProviderDeregisterComplete+0x16 ba4c3330 b9b0c6f5 8bbd9840 00000000 00000000 NDIS!ndisStopNsiProvider+0x4c ba4c334c b9b1a74d 8057f0eb 8bab59c8 00000000 NDIS!ndisInitializeNsi+0x6a ba4c3350 8057f0eb 8bab59c8 00000000 00000002 NDIS!ndisDriverReinit+0xe ba4c336c 805814e0 ba4c340c 00000000 00000000 nt!IopCallDriverReinitializationRoutines+0x3b ba4c3384 805842c3 800009b0 ba4c340c ba4c3488 nt!IopLoadUnloadDriver+0x66 ba4c3400 80541818 ba4c34ac ba4c34c8 80500575 nt!NtLoadDriver+0x151 ba4c3400 80500575 ba4c34ac ba4c34c8 80500575 nt!KiSystemServicePostCall ba4c347c b6aa92db ba4c34ac 89ab2b88 8054b968 nt!ZwLoadDriver+0x11 ba4c34c8 b6aa8640 b6ab6f34 89ab2b88 8054b968 ipsec!GpcInitialize+0x7f ba4c34e4 b6ab7d81 00000000 8052e8fc 89b7d658 ipsec!IPSecGpcInitialize+0x35 ba4c34f4 b6ab7ba2 89b7d658 e1654424 00000000 ipsec!IPSecGeneralInit+0x16b ba4c356c 805813af 89b7d658 89a85000 e16b2450 ipsec!DriverEntry+0x104 ba4c363c 8069dc9c 000009c0 00000001 00000000 nt!IopLoadDriver+0x66d ba4c3698 8069b001 00034000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c ba4c3838 806993d3 80084000 00000000 8bc3a5d8 nt!IoInitSystem+0x7a3 ba4c3dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xac7 ba4c3ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: kb FOLLOWUP_IP: NETIO!NmrpDeleteNode+39 b98ba3ca 5e pop esi SYMBOL_STACK_INDEX: 5 SYMBOL_NAME: NETIO!NmrpDeleteNode+39 FOLLOWUP_NAME: MachineOwner MODULE_NAME: NETIO IMAGE_NAME: NETIO.SYS DEBUG_FLR_IMAGE_TIMESTAMP: 5b48ef86 IMAGE_VERSION: 6.1.7601.24208 FAILURE_BUCKET_ID: 0xc2_7_NMRn_NETIO!NmrpDeleteNode+39 BUCKET_ID: 0xc2_7_NMRn_NETIO!NmrpDeleteNode+39 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0xc2_7_nmrn_netio!nmrpdeletenode+39 FAILURE_ID_HASH: {9c9d1a86-e758-a5d4-abd4-a37dc99f73cb} Followup: MachineOwner
Damnation Posted June 6, 2022 Author Posted June 6, 2022 @Dietmar try bu ndis!DriverEntry does a BSOD occur? if so, any change in the BSOD?
Damnation Posted June 6, 2022 Author Posted June 6, 2022 @Dietmar we might also need to add some registry keys? Quote [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsRPC] "ErrorControl"=dword:00000001 "Start"=dword:00000003 "Tag"=dword:00000001 "Type"=dword:00000001 Quote [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS] "Description"="@%SystemRoot%\\system32\\drivers\\ndis.sys,-201" "DisplayName"="@%SystemRoot%\\system32\\drivers\\ndis.sys,-200" "ErrorControl"=dword:00000003 "Group"="NDIS Wrapper" "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\ 72,00,69,00,76,00,65,00,72,00,73,00,5c,00,6e,00,64,00,69,00,73,00,2e,00,73,\ 00,79,00,73,00,00,00 "Start"=dword:00000000 "Type"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\24] "IfType"=dword:00000018 "IfUsedNetLuidIndices"=hex:01 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\71] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\71\1] "PortAuthReceiveAuthorizationState"=dword:00000002 "PortAuthReceiveControlState"=dword:00000002 "PortAuthSendAuthorizationState"=dword:00000002 "PortAuthSendControlState"=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters] "MaxCachedNblContextSize"=dword:00000200 "PortAuthReceiveAuthorizationState"=dword:00000002 "PortAuthReceiveControlState"=dword:00000002 "PortAuthSendAuthorizationState"=dword:00000002 "PortAuthSendControlState"=dword:00000002 "ReceiveWorkerDisableAutoStart"=dword:00000000 "TrackNblOwner"=dword:00000002 "WppRecorder_TraceGuid"="{dd7a21e6-a651-46d4-b7c2-66543067b869}" "DefaultPnPCapabilities"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\State]
Dietmar Posted June 6, 2022 Posted June 6, 2022 @Damnation Here is the Bsod in Safe Mode F8 with network. Safe Mode F8 without network i219-V driver is installed(!) correct Dietmar Intel Storage Driver Ver: 11.2.0.1006 SAFEBOOT: skipping device = Cdrom.SYS(SCSI CDROM Class) SAFEBOOT: skipping device = Serial.SYS(Extended base) SAFEBOOT: skipping device = intelppm.SYS(Extended Base) SAFEBOOT: skipping device = WS2IFSL.SYS(Group) SAFEBOOT: skipping device = Fips.SYS(Group) SAFEBOOT: skipping device = DumpDrv.SYS(Group) *** Fatal System Error: 0x000000c2 (0x00000007,0x00000CD4,0x02070002,0x8A5BA368) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. Connected to Windows XP 2600 x86 compatible target at (Mon Jun 6 23:14:16.078 2022 (UTC + 2:00)), ptr64 FALSE Loading Kernel Symbols ............................................................... .. Loading User Symbols ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck C2, {7, cd4, 2070002, 8a5ba368} Probably caused by : NETIO.SYS ( NETIO!NmrpDeleteNode+39 ) Followup: MachineOwner --------- nt!RtlpBreakWithStatusInstruction: 804e29c2 cc int 3 3: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* BAD_POOL_CALLER (c2) The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc. Arguments: Arg1: 00000007, Attempt to free pool which was already freed Arg2: 00000cd4, (reserved) Arg3: 02070002, Memory contents of the pool block Arg4: 8a5ba368, Address of the block of pool being deallocated Debugging Details: ------------------ POOL_ADDRESS: 8a5ba368 Nonpaged pool FREED_POOL_TAG: NMRn BUGCHECK_STR: 0xc2_7_NMRn DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: System ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre LAST_CONTROL_TRANSFER: from 8053657f to 804e29c2 STACK_TEXT: f7922698 8053657f 00000003 f79229f4 00000000 nt!RtlpBreakWithStatusInstruction f79226e4 80537056 00000003 00200000 8a5ba360 nt!KiBugCheckDebugBreak+0x19 f7922ac4 8053766a 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574 f7922ae4 80551fc5 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b f7922b34 ba18a3ca 8a5ba368 00000000 88379628 nt!ExFreePoolWithTag+0x2c1 f7922b48 ba18a411 8a5ba368 ba17faf0 88379628 NETIO!NmrpDeleteNode+0x39 f7922b50 ba17faf0 88379628 00000000 ba19c072 NETIO!NmrpRemoveRegisteredList+0x3d f7922b6c ba189d69 ba3fe000 00000000 ba19c070 NETIO!NmrpDereferenceModule+0x28 f7922b84 ba189da1 88379628 f7922bc0 ba3e2e98 NETIO!NmrpWaitForModuleDeregisterComplete+0x38 f7922b90 ba3e2e98 88379628 f7922c64 c00000bb NETIO!NmrWaitForProviderDeregisterComplete+0x16 f7922ba4 ba3dc6f5 00000000 00000008 00000246 NDIS!ndisStopNsiProvider+0x4c f7922bc0 ba4345c0 f7922c64 883797a8 00000000 NDIS!ndisInitializeNsi+0x6a f7922bd4 b9504bd3 f7922c7c b950466c f7922bf8 NDIS!NdisRegisterProtocol+0x18 f7922c84 805a712b 88379690 88378000 00000000 ndisuio!DriverEntry+0x175 f7922d54 805b0e27 80000218 00000001 00000000 nt!IopLoadDriver+0x66d f7922d7c 804e2325 80000218 00000000 8a5a0020 nt!IopLoadUnloadDriver+0x45 f7922dac 80575828 b9ef4cf4 00000000 00000000 nt!ExpWorkerThread+0xef f7922ddc 804ec1a9 804e2261 00000001 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: kb FOLLOWUP_IP: NETIO!NmrpDeleteNode+39 ba18a3ca 5e pop esi SYMBOL_STACK_INDEX: 5 SYMBOL_NAME: NETIO!NmrpDeleteNode+39 FOLLOWUP_NAME: MachineOwner MODULE_NAME: NETIO IMAGE_NAME: NETIO.SYS DEBUG_FLR_IMAGE_TIMESTAMP: 5b48ef86 FAILURE_BUCKET_ID: 0xc2_7_NMRn_NETIO!NmrpDeleteNode+39 BUCKET_ID: 0xc2_7_NMRn_NETIO!NmrpDeleteNode+39 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0xc2_7_nmrn_netio!nmrpdeletenode+39 FAILURE_ID_HASH: {9c9d1a86-e758-a5d4-abd4-a37dc99f73cb} Followup: MachineOwner
Dietmar Posted June 6, 2022 Posted June 6, 2022 @Damnation ndis.sys DriverEntry is reached without Bsod Dietmar kd> bu ndis!DriverEntry kd> g Intel Storage Driver Ver: 11.2.0.1006 Breakpoint 0 hit NDIS!DriverEntry: b9b86684 8bff mov edi,edi
Dietmar Posted June 6, 2022 Posted June 6, 2022 The driver for the i219 can also be stopped at its DriverEntry without Bsod Intel Storage Driver Ver: 11.2.0.1006 *** ERROR: Symbol file could not be found. Defaulted to export symbols for e1d6232.sys - Breakpoint 0 hit e1d6232!DriverEntry: b86d5094 55 push ebp
Damnation Posted June 6, 2022 Author Posted June 6, 2022 @Dietmar OK, So we are quite sure now that netio.sys is where it is failing. I will have to implenent SeCaptureSubjectContextEx and SeAccessCheckFromState properly I think. Unless you or @Mov AX, 0xDEAD have some other ideas?
Dietmar Posted June 6, 2022 Posted June 6, 2022 (edited) But later this driver e1d6232.sys is unloaded, still without Bsod 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> lm start end module name 7eb30000 7ebe4000 ntdll (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (export symbols) ntkrpamp.exe 80706000 8072e000 kdcom (deferred) b86d2000 b873f000 e1d6232 (export symbols) e1d6232.sys b96b5000 b96dd000 HDAudBus (deferred) b979d000 b97a0d80 serenum (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec680 ntoskrn8 (deferred) b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba278000 ba284d00 i8042prt (deferred) ba288000 ba297c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba3b8000 ba3be000 kbdclass (deferred) ba3c0000 ba3c5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) 1: kd> !devnode 0 1 Error retrieving address of IopRootDeviceNode 1: kd> p nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44b8: 805813c8 8b45a0 mov eax,dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44bb: 805813cb 8d448738 lea eax,[edi+eax*4+38h] 1: kd> nt!NtWriteFile+0x44bf: 805813cf 3918 cmp dword ptr [eax],ebx 1: kd> nt!NtWriteFile+0x44c1: 805813d1 7506 jne nt!NtWriteFile+0x44c9 (805813d9) 1: kd> nt!NtWriteFile+0x44c9: 805813d9 ff45a0 inc dword ptr [ebp-60h] 1: kd> nt!NtWriteFile+0x44cc: 805813dc 837da01b cmp dword ptr [ebp-60h],1Bh 1: kd> nt!NtWriteFile+0x44d0: 805813e0 76e6 jbe nt!NtWriteFile+0x44b8 (805813c8) 1: kd> nt!NtWriteFile+0x44d2: 805813e2 53 push ebx 1: kd> nt!NtWriteFile+0x44d3: 805813e3 ffb570ffffff push dword ptr [ebp-90h] 1: kd> nt!NtWriteFile+0x44d9: 805813e9 e8f29efcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x44de: 805813ee 395dac cmp dword ptr [ebp-54h],ebx 1: kd> nt!NtWriteFile+0x44e1: 805813f1 7c3b jl nt!NtWriteFile+0x451e (8058142e) 1: kd> nt!NtWriteFile+0x44e3: 805813f3 57 push edi 1: kd> nt!NtWriteFile+0x44e4: 805813f4 e883b10000 call nt!IoReportResourceUsage+0x18a6 (8058c57c) 1: kd> nt!NtWriteFile+0x44e9: 805813f9 84c0 test al,al 1: kd> nt!NtWriteFile+0x44eb: 805813fb 752c jne nt!NtWriteFile+0x4519 (80581429) 1: kd> nt!NtWriteFile+0x44ed: 805813fd 8d4598 lea eax,[ebp-68h] 1: kd> nt!NtWriteFile+0x44f0: 80581400 50 push eax 1: kd> nt!NtWriteFile+0x44f1: 80581401 ff758c push dword ptr [ebp-74h] 1: kd> nt!NtWriteFile+0x44f4: 80581404 57 push edi 1: kd> nt!NtWriteFile+0x44f5: 80581405 e8064bf7ff call nt!IoReportTargetDeviceChangeAsynchronous+0x16c (804f5f10) 1: kd> nt!NtWriteFile+0x44fa: 8058140a 3bc3 cmp eax,ebx 1: kd> nt!NtWriteFile+0x44fc: 8058140c 8945ac mov dword ptr [ebp-54h],eax 1: kd> nt!NtWriteFile+0x44ff: 8058140f 7d2c jge nt!NtWriteFile+0x452d (8058143d) 1: kd> nt!NtWriteFile+0x452d: 8058143d 6a01 push 1 1: kd> nt!NtWriteFile+0x452f: 8058143f 8d45a4 lea eax,[ebp-5Ch] 1: kd> nt!NtWriteFile+0x4532: 80581442 50 push eax 1: kd> nt!NtWriteFile+0x4533: 80581443 e836f4ffff call nt!NtWriteFile+0x396e (8058087e) 1: kd> nt!NtWriteFile+0x4538: 80581448 ff7714 push dword ptr [edi+14h] 1: kd> nt!NtWriteFile+0x453b: 8058144b e8b8c60200 call nt!MmResetDriverPaging+0x118e (805adb08) 1: kd> nt!NtWriteFile+0x4540: 80581450 57 push edi 1: kd> lm start end module name 7eb30000 7ebe4000 ntdll (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (export symbols) ntkrpamp.exe 80706000 8072e000 kdcom (deferred) b86d2000 b873f000 e1d6232 (export symbols) e1d6232.sys b96b5000 b96dd000 HDAudBus (deferred) b979d000 b97a0d80 serenum (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec680 ntoskrn8 (deferred) b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba278000 ba284d00 i8042prt (deferred) ba288000 ba297c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba3b8000 ba3be000 kbdclass (deferred) ba3c0000 ba3c5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) 1: kd> p nt!NtWriteFile+0x4541: 80581451 e8c4d6ffff call nt!NtWriteFile+0x1c0a (8057eb1a) 1: kd> nt!NtWriteFile+0x4546: 80581456 395dac cmp dword ptr [ebp-54h],ebx 1: kd> nt!NtWriteFile+0x4549: 80581459 0f8d39fbffff jge nt!NtWriteFile+0x4088 (80580f98) 1: kd> nt!NtWriteFile+0x4088: 80580f98 53 push ebx 1: kd> nt!NtWriteFile+0x4089: 80580f99 6a02 push 2 1: kd> nt!NtWriteFile+0x408b: 80580f9b e8227bfbff call nt!HeadlessDispatch+0x76 (80538ac2) 1: kd> nt!NtWriteFile+0x4090: 80580fa0 399d78ffffff cmp dword ptr [ebp-88h],ebx 1: kd> nt!NtWriteFile+0x4096: 80580fa6 740c je nt!NtWriteFile+0x40a4 (80580fb4) 1: kd> nt!NtWriteFile+0x4098: 80580fa8 53 push ebx 1: kd> nt!NtWriteFile+0x4099: 80580fa9 ffb578ffffff push dword ptr [ebp-88h] 1: kd> nt!NtWriteFile+0x409f: 80580faf e82ca3fcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x40a4: 80580fb4 399d6cffffff cmp dword ptr [ebp-94h],ebx 1: kd> nt!NtWriteFile+0x40aa: 80580fba 740c je nt!NtWriteFile+0x40b8 (80580fc8) 1: kd> nt!NtWriteFile+0x40ac: 80580fbc 53 push ebx 1: kd> nt!NtWriteFile+0x40ad: 80580fbd ffb56cffffff push dword ptr [ebp-94h] 1: kd> nt!NtWriteFile+0x40b3: 80580fc3 e818a3fcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x40b8: 80580fc8 395d9c cmp dword ptr [ebp-64h],ebx 1: kd> nt!NtWriteFile+0x40bb: 80580fcb 7409 je nt!NtWriteFile+0x40c6 (80580fd6) 1: kd> nt!NtWriteFile+0x40bd: 80580fcd 53 push ebx 1: kd> nt!NtWriteFile+0x40be: 80580fce ff759c push dword ptr [ebp-64h] 1: kd> nt!NtWriteFile+0x40c1: 80580fd1 e80aa3fcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x40c6: 80580fd6 395da8 cmp dword ptr [ebp-58h],ebx 1: kd> nt!NtWriteFile+0x40c9: 80580fd9 7409 je nt!NtWriteFile+0x40d4 (80580fe4) 1: kd> nt!NtWriteFile+0x40cb: 80580fdb 53 push ebx 1: kd> nt!NtWriteFile+0x40cc: 80580fdc ff75a8 push dword ptr [ebp-58h] 1: kd> nt!NtWriteFile+0x40cf: 80580fdf e8fca2fcff call nt!ExFreePoolWithTag (8054b2e0) 1: kd> nt!NtWriteFile+0x40d4: 80580fe4 8b7dac mov edi,dword ptr [ebp-54h] 1: kd> nt!NtWriteFile+0x40d7: 80580fe7 3bfb cmp edi,ebx 1: kd> nt!NtWriteFile+0x40d9: 80580fe9 7d4e jge nt!NtWriteFile+0x4129 (80581039) 1: kd> nt!NtWriteFile+0x4129: 80581039 53 push ebx 1: kd> nt!NtWriteFile+0x412a: 8058103a ff758c push dword ptr [ebp-74h] 1: kd> nt!NtWriteFile+0x412d: 8058103d e806b50300 call nt!ObCloseHandle (805bc548) 1: kd> nt!NtWriteFile+0x4132: 80581042 8bc7 mov eax,edi 1: kd> nt!NtWriteFile+0x4134: 80581044 8b4dfc mov ecx,dword ptr [ebp-4] 1: kd> nt!NtWriteFile+0x4137: 80581047 5f pop edi 1: kd> nt!NtWriteFile+0x4138: 80581048 5e pop esi 1: kd> nt!NtWriteFile+0x4139: 80581049 5b pop ebx 1: kd> nt!NtWriteFile+0x413a: 8058104a e8cfd8f7ff call nt!KeRaiseUserException+0xc94 (804fe91e) 1: kd> nt!NtWriteFile+0x413f: 8058104f c9 leave 1: kd> nt!NtWriteFile+0x4140: 80581050 c21000 ret 10h 1: kd> nt!IoReportResourceUsage+0x4881: 8058f557 8bf0 mov esi,eax 1: kd> nt!IoReportResourceUsage+0x4883: 8058f559 3bf7 cmp esi,edi 1: kd> nt!IoReportResourceUsage+0x4885: 8058f55b 7d43 jge nt!IoReportResourceUsage+0x48ca (8058f5a0) 1: kd> nt!IoReportResourceUsage+0x48ca: 8058f5a0 803d97b4558000 cmp byte ptr [nt!IoAdapterObjectType+0x727 (8055b497)],0 1: kd> nt!IoReportResourceUsage+0x48d1: 8058f5a7 7405 je nt!IoReportResourceUsage+0x48d8 (8058f5ae) 1: kd> nt!IoReportResourceUsage+0x48d8: 8058f5ae 8d45e0 lea eax,[ebp-20h] 1: kd> nt!IoReportResourceUsage+0x48db: 8058f5b1 50 push eax 1: kd> nt!IoReportResourceUsage+0x48dc: 8058f5b2 e855fbfeff call nt!NtWriteFile+0x21fc (8057f10c) 1: kd> nt!IoReportResourceUsage+0x48e1: 8058f5b7 3bc7 cmp eax,edi 1: kd> nt!IoReportResourceUsage+0x48e3: 8058f5b9 8945f8 mov dword ptr [ebp-8],eax 1: kd> nt!IoReportResourceUsage+0x48e6: 8058f5bc 0f85c5000000 jne nt!IoReportResourceUsage+0x49b1 (8058f687) 1: kd> nt!IoReportResourceUsage+0x49b1: 8058f687 f6400810 test byte ptr [eax+8],10h 1: kd> nt!IoReportResourceUsage+0x49b5: 8058f68b 7509 jne nt!IoReportResourceUsage+0x49c0 (8058f696) 1: kd> nt!IoReportResourceUsage+0x49c0: 8058f696 50 push eax 1: kd> nt!IoReportResourceUsage+0x49c1: 8058f697 e8e0ceffff call nt!IoReportResourceUsage+0x18a6 (8058c57c) 1: kd> nt!IoReportResourceUsage+0x49c6: 8058f69c 84c0 test al,al 1: kd> nt!IoReportResourceUsage+0x49c8: 8058f69e 7421 je nt!IoReportResourceUsage+0x49eb (8058f6c1) 1: kd> nt!IoReportResourceUsage+0x49eb: 8058f6c1 8b03 mov eax,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x49ed: 8058f6c3 8b4018 mov eax,dword ptr [eax+18h] 1: kd> nt!IoReportResourceUsage+0x49f0: 8058f6c6 3d02030000 cmp eax,302h 1: kd> nt!IoReportResourceUsage+0x49f5: 8058f6cb 7407 je nt!IoReportResourceUsage+0x49fe (8058f6d4) 1: kd> nt!IoReportResourceUsage+0x49fe: 8058f6d4 8b451c mov eax,dword ptr [ebp+1Ch] 1: kd> nt!IoReportResourceUsage+0x4a01: 8058f6d7 685070656e push 6E657050h 1: kd> nt!IoReportResourceUsage+0x4a06: 8058f6dc 6a08 push 8 1: kd> nt!IoReportResourceUsage+0x4a08: 8058f6de 6a01 push 1 1: kd> nt!IoReportResourceUsage+0x4a0a: 8058f6e0 8d7c830c lea edi,[ebx+eax*4+0Ch] 1: kd> nt!IoReportResourceUsage+0x4a0e: 8058f6e4 33f6 xor esi,esi 1: kd> nt!IoReportResourceUsage+0x4a10: 8058f6e6 e87dc2fbff call nt!ExAllocatePoolWithTag (8054b968) 1: kd> nt!IoReportResourceUsage+0x4a15: 8058f6eb 85c0 test eax,eax 1: kd> nt!IoReportResourceUsage+0x4a17: 8058f6ed 7507 jne nt!IoReportResourceUsage+0x4a20 (8058f6f6) 1: kd> nt!IoReportResourceUsage+0x4a20: 8058f6f6 8b4df8 mov ecx,dword ptr [ebp-8] 1: kd> nt!IoReportResourceUsage+0x4a23: 8058f6f9 8908 mov dword ptr [eax],ecx 1: kd> nt!IoReportResourceUsage+0x4a25: 8058f6fb 33c9 xor ecx,ecx 1: kd> nt!IoReportResourceUsage+0x4a27: 8058f6fd 894804 mov dword ptr [eax+4],ecx 1: kd> nt!IoReportResourceUsage+0x4a2a: 8058f700 eb05 jmp nt!IoReportResourceUsage+0x4a31 (8058f707) 1: kd> nt!IoReportResourceUsage+0x4a31: 8058f707 390f cmp dword ptr [edi],ecx 1: kd> nt!IoReportResourceUsage+0x4a33: 8058f709 75f7 jne nt!IoReportResourceUsage+0x4a2c (8058f702) 1: kd> nt!IoReportResourceUsage+0x4a35: 8058f70b 8907 mov dword ptr [edi],eax 1: kd> nt!IoReportResourceUsage+0x4a37: 8058f70d 837df400 cmp dword ptr [ebp-0Ch],0 1: kd> nt!IoReportResourceUsage+0x4a3b: 8058f711 5b pop ebx 1: kd> nt!IoReportResourceUsage+0x4a3c: 8058f712 7408 je nt!IoReportResourceUsage+0x4a46 (8058f71c) 1: kd> nt!IoReportResourceUsage+0x4a3e: 8058f714 ff75f4 push dword ptr [ebp-0Ch] 1: kd> nt!IoReportResourceUsage+0x4a41: 8058f717 e8a808f7ff call nt!ZwClose (804fffc4) 1: kd> nt!IoReportResourceUsage+0x4a46: 8058f71c 807dff00 cmp byte ptr [ebp-1],0 1: kd> nt!IoReportResourceUsage+0x4a4a: 8058f720 7409 je nt!IoReportResourceUsage+0x4a55 (8058f72b) 1: kd> nt!IoReportResourceUsage+0x4a4c: 8058f722 8d45e0 lea eax,[ebp-20h] 1: kd> nt!IoReportResourceUsage+0x4a4f: 8058f725 50 push eax 1: kd> nt!IoReportResourceUsage+0x4a50: 8058f726 e8f5240500 call nt!RtlFreeUnicodeString (805e1c20) 1: kd> nt!IoReportResourceUsage+0x4a55: 8058f72b 8bc6 mov eax,esi 1: kd> nt!IoReportResourceUsage+0x4a57: 8058f72d 5f pop edi 1: kd> nt!IoReportResourceUsage+0x4a58: 8058f72e 5e pop esi 1: kd> nt!IoReportResourceUsage+0x4a59: 8058f72f c9 leave 1: kd> nt!IoReportResourceUsage+0x4a5a: 8058f730 c21800 ret 18h 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe1f: 805e7b7f 3d230000c0 cmp eax,0C0000023h 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe24: 805e7b84 7502 jne nt!RtlFormatCurrentUserKeyPath+0xe28 (805e7b88) 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe28: 805e7b88 5f pop edi 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe29: 805e7b89 5e pop esi 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe2a: 805e7b8a 5b pop ebx 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe2b: 805e7b8b c9 leave 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe2c: 805e7b8c c21c00 ret 1Ch 1: kd> nt!RtlQueryRegistryValues+0x368: 805e7f76 3d230000c0 cmp eax,0C0000023h 1: kd> nt!RtlQueryRegistryValues+0x36d: 805e7f7b 8945f8 mov dword ptr [ebp-8],eax 1: kd> nt!RtlQueryRegistryValues+0x370: 805e7f7e 7531 jne nt!RtlQueryRegistryValues+0x3a3 (805e7fb1) 1: kd> nt!RtlQueryRegistryValues+0x3a3: 805e7fb1 837df800 cmp dword ptr [ebp-8],0 1: kd> nt!RtlQueryRegistryValues+0x3a7: 805e7fb5 0f8cb3000000 jl nt!RtlQueryRegistryValues+0x460 (805e806e) 1: kd> nt!RtlQueryRegistryValues+0x3ad: 805e7fbb f6470440 test byte ptr [edi+4],40h 1: kd> nt!RtlQueryRegistryValues+0x3b1: 805e7fbf 0f84e4feffff je nt!RtlQueryRegistryValues+0x29b (805e7ea9) 1: kd> nt!RtlQueryRegistryValues+0x29b: 805e7ea9 837df800 cmp dword ptr [ebp-8],0 1: kd> nt!RtlQueryRegistryValues+0x29f: 805e7ead 0f8cbb010000 jl nt!RtlQueryRegistryValues+0x460 (805e806e) 1: kd> nt!RtlQueryRegistryValues+0x2a5: 805e7eb3 83c71c add edi,1Ch 1: kd> nt!RtlQueryRegistryValues+0x2a8: 805e7eb6 e973feffff jmp nt!RtlQueryRegistryValues+0x120 (805e7d2e) 1: kd> nt!RtlQueryRegistryValues+0x120: 805e7d2e 8b0f mov ecx,dword ptr [edi] 1: kd> nt!RtlQueryRegistryValues+0x122: 805e7d30 85c9 test ecx,ecx 1: kd> nt!RtlQueryRegistryValues+0x124: 805e7d32 750a jne nt!RtlQueryRegistryValues+0x130 (805e7d3e) 1: kd> nt!RtlQueryRegistryValues+0x126: 805e7d34 f6470421 test byte ptr [edi+4],21h 1: kd> nt!RtlQueryRegistryValues+0x12a: 805e7d38 0f8430030000 je nt!RtlQueryRegistryValues+0x460 (805e806e) 1: kd> nt!RtlQueryRegistryValues+0x460: 805e806e 837df000 cmp dword ptr [ebp-10h],0 1: kd> nt!RtlQueryRegistryValues+0x464: 805e8072 740e je nt!RtlQueryRegistryValues+0x474 (805e8082) 1: kd> nt!RtlQueryRegistryValues+0x466: 805e8074 837de800 cmp dword ptr [ebp-18h],0 1: kd> nt!RtlQueryRegistryValues+0x46a: 805e8078 7508 jne nt!RtlQueryRegistryValues+0x474 (805e8082) 1: kd> nt!RtlQueryRegistryValues+0x474: 805e8082 8b45ec mov eax,dword ptr [ebp-14h] 1: kd> nt!RtlQueryRegistryValues+0x477: 805e8085 85c0 test eax,eax 1: kd> nt!RtlQueryRegistryValues+0x479: 805e8087 740b je nt!RtlQueryRegistryValues+0x486 (805e8094) 1: kd> nt!RtlQueryRegistryValues+0x47b: 805e8089 3b45f0 cmp eax,dword ptr [ebp-10h] 1: kd> nt!RtlQueryRegistryValues+0x47e: 805e808c 7406 je nt!RtlQueryRegistryValues+0x486 (805e8094) 1: kd> nt!RtlQueryRegistryValues+0x486: 805e8094 837de000 cmp dword ptr [ebp-20h],0 1: kd> nt!RtlQueryRegistryValues+0x48a: 805e8098 7409 je nt!RtlQueryRegistryValues+0x495 (805e80a3) 1: kd> nt!RtlQueryRegistryValues+0x48c: 805e809a ff75e0 push dword ptr [ebp-20h] 1: kd> nt!RtlQueryRegistryValues+0x48f: 805e809d ff15240c6880 call dword ptr [nt!NlsOemLeadByteInfo+0xb04 (80680c24)] 1: kd> nt!RtlQueryRegistryValues+0x495: 805e80a3 6a00 push 0 1: kd> nt!RtlQueryRegistryValues+0x497: 805e80a5 ff750c push dword ptr [ebp+0Ch] 1: kd> nt!RtlQueryRegistryValues+0x49a: 805e80a8 56 push esi 1: kd> nt!RtlQueryRegistryValues+0x49b: 805e80a9 6a00 push 0 1: kd> nt!RtlQueryRegistryValues+0x49d: 805e80ab e8e8eaffff call nt!RtlInt64ToUnicodeString+0x1ae (805e6b98) 1: kd> nt!RtlQueryRegistryValues+0x4a2: 805e80b0 8b45f8 mov eax,dword ptr [ebp-8] 1: kd> nt!RtlQueryRegistryValues+0x4a5: 805e80b3 5f pop edi 1: kd> nt!RtlQueryRegistryValues+0x4a6: 805e80b4 5e pop esi 1: kd> nt!RtlQueryRegistryValues+0x4a7: 805e80b5 5b pop ebx 1: kd> nt!RtlQueryRegistryValues+0x4a8: 805e80b6 c9 leave 1: kd> nt!RtlQueryRegistryValues+0x4a9: 805e80b7 c21400 ret 14h 1: kd> nt!IoReportResourceUsage+0x6109: 80590ddf 894508 mov dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x610c: 80590de2 f6467d10 test byte ptr [esi+7Dh],10h 1: kd> nt!IoReportResourceUsage+0x6110: 80590de6 0f8524020000 jne nt!IoReportResourceUsage+0x633a (80591010) 1: kd> nt!IoReportResourceUsage+0x6116: 80590dec 837d0800 cmp dword ptr [ebp+8],0 1: kd> nt!IoReportResourceUsage+0x611a: 80590df0 7c19 jl nt!IoReportResourceUsage+0x6135 (80590e0b) 1: kd> nt!IoReportResourceUsage+0x611c: 80590df2 8b45bc mov eax,dword ptr [ebp-44h] 1: kd> nt!IoReportResourceUsage+0x611f: 80590df5 83780400 cmp dword ptr [eax+4],0 1: kd> nt!IoReportResourceUsage+0x6123: 80590df9 740a je nt!IoReportResourceUsage+0x612f (80590e05) 1: kd> nt!IoReportResourceUsage+0x612f: 80590e05 c645cc00 mov byte ptr [ebp-34h],0 1: kd> nt!IoReportResourceUsage+0x6133: 80590e09 eb30 jmp nt!IoReportResourceUsage+0x6165 (80590e3b) 1: kd> nt!IoReportResourceUsage+0x6165: 80590e3b 6a15 push 15h 1: kd> nt!IoReportResourceUsage+0x6167: 80590e3d 59 pop ecx 1: kd> nt!IoReportResourceUsage+0x6168: 80590e3e 33c0 xor eax,eax 1: kd> nt!IoReportResourceUsage+0x616a: 80590e40 50 push eax 1: kd> nt!IoReportResourceUsage+0x616b: 80590e41 8dbd54ffffff lea edi,[ebp-0ACh] 1: kd> nt!IoReportResourceUsage+0x6171: 80590e47 f3ab rep stos dword ptr es:[edi] 1: kd> nt!IoReportResourceUsage+0x6173: 80590e49 8d45a8 lea eax,[ebp-58h] 1: kd> nt!IoReportResourceUsage+0x6176: 80590e4c 50 push eax 1: kd> nt!IoReportResourceUsage+0x6177: 80590e4d 8d8554ffffff lea eax,[ebp-0ACh] 1: kd> nt!IoReportResourceUsage+0x617d: 80590e53 50 push eax 1: kd> nt!IoReportResourceUsage+0x617e: 80590e54 ff75f4 push dword ptr [ebp-0Ch] 1: kd> nt!IoReportResourceUsage+0x6181: 80590e57 bf22f35880 mov edi,offset nt!IoReportResourceUsage+0x464c (8058f322) 1: kd> nt!IoReportResourceUsage+0x6186: 80590e5c 53 push ebx 1: kd> nt!IoReportResourceUsage+0x6187: 80590e5d 89bd54ffffff mov dword ptr [ebp-0ACh],edi 1: kd> nt!IoReportResourceUsage+0x618d: 80590e63 c7855cffffff420b5980 mov dword ptr [ebp-0A4h],offset nt!IoReportResourceUsage+0x5e6c (80590b42) 1: kd> nt!IoReportResourceUsage+0x6197: 80590e6d c78560ffffff03000000 mov dword ptr [ebp-0A0h],3 1: kd> nt!IoReportResourceUsage+0x61a1: 80590e77 e8926d0500 call nt!RtlQueryRegistryValues (805e7c0e) 1: kd> nt!IoReportResourceUsage+0x61a6: 80590e7c 85c0 test eax,eax 1: kd> nt!IoReportResourceUsage+0x61a8: 80590e7e 894508 mov dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x61ab: 80590e81 0f8c8d010000 jl nt!IoReportResourceUsage+0x633e (80591014) 1: kd> nt!IoReportResourceUsage+0x61b1: 80590e87 837df800 cmp dword ptr [ebp-8],0 1: kd> nt!IoReportResourceUsage+0x61b5: 80590e8b 7433 je nt!IoReportResourceUsage+0x61ea (80590ec0) 1: kd> lm start end module name 7eb30000 7ebe4000 ntdll (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (export symbols) ntkrpamp.exe 80706000 8072e000 kdcom (deferred) b86d2000 b873f000 e1d6232 (export symbols) e1d6232.sys b96b5000 b96dd000 HDAudBus (deferred) b979d000 b97a0d80 serenum (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec680 ntoskrn8 (deferred) b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba278000 ba284d00 i8042prt (deferred) ba288000 ba297c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba3b8000 ba3be000 kbdclass (deferred) ba3c0000 ba3c5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) 1: kd> p nt!IoReportResourceUsage+0x61b7: 80590e8d 6a00 push 0 1: kd> nt!IoReportResourceUsage+0x61b9: 80590e8f 8d45a8 lea eax,[ebp-58h] 1: kd> nt!IoReportResourceUsage+0x61bc: 80590e92 50 push eax 1: kd> nt!IoReportResourceUsage+0x61bd: 80590e93 8d8554ffffff lea eax,[ebp-0ACh] 1: kd> nt!IoReportResourceUsage+0x61c3: 80590e99 50 push eax 1: kd> nt!IoReportResourceUsage+0x61c4: 80590e9a ff75f8 push dword ptr [ebp-8] 1: kd> nt!IoReportResourceUsage+0x61c7: 80590e9d 89bd54ffffff mov dword ptr [ebp-0ACh],edi 1: kd> nt!IoReportResourceUsage+0x61cd: 80590ea3 53 push ebx 1: kd> nt!IoReportResourceUsage+0x61ce: 80590ea4 c7855cffffff5e0b5980 mov dword ptr [ebp-0A4h],offset nt!IoReportResourceUsage+0x5e88 (80590b5e) 1: kd> nt!IoReportResourceUsage+0x61d8: 80590eae c78560ffffff04000000 mov dword ptr [ebp-0A0h],4 1: kd> nt!IoReportResourceUsage+0x61e2: 80590eb8 e8516d0500 call nt!RtlQueryRegistryValues (805e7c0e) 1: kd> nt!IoReportResourceUsage+0x61e7: 80590ebd 894508 mov dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x61ea: 80590ec0 837d0800 cmp dword ptr [ebp+8],0 1: kd> nt!IoReportResourceUsage+0x61ee: 80590ec4 0f8c4a010000 jl nt!IoReportResourceUsage+0x633e (80591014) 1: kd> nt!IoReportResourceUsage+0x61f4: 80590eca ffb688000000 push dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x61fa: 80590ed0 33db xor ebx,ebx 1: kd> nt!IoReportResourceUsage+0x61fc: 80590ed2 895d10 mov dword ptr [ebp+10h],ebx 1: kd> nt!IoReportResourceUsage+0x61ff: 80590ed5 895dd8 mov dword ptr [ebp-28h],ebx 1: kd> nt!IoReportResourceUsage+0x6202: 80590ed8 e8a5e7f5ff call nt!IoGetAttachedDevice (804ef682) 1: kd> nt!IoReportResourceUsage+0x6207: 80590edd 8945c8 mov dword ptr [ebp-38h],eax 1: kd> nt!IoReportResourceUsage+0x620a: 80590ee0 885d0f mov byte ptr [ebp+0Fh],bl 1: kd> nt!IoReportResourceUsage+0x620d: 80590ee3 807d0f02 cmp byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6211: 80590ee7 7525 jne nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6238: 80590f0e 0fb6450f movzx eax,byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x623c: 80590f12 8b7c85b4 mov edi,dword ptr [ebp+eax*4-4Ch] 1: kd> nt!IoReportResourceUsage+0x6240: 80590f16 3bfb cmp edi,ebx 1: kd> nt!IoReportResourceUsage+0x6242: 80590f18 7459 je nt!IoReportResourceUsage+0x629d (80590f73) 1: kd> nt!IoReportResourceUsage+0x629d: 80590f73 fe450f inc byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x62a0: 80590f76 807d0f05 cmp byte ptr [ebp+0Fh],5 1: kd> nt!IoReportResourceUsage+0x62a4: 80590f7a 0f8263ffffff jb nt!IoReportResourceUsage+0x620d (80590ee3) 1: kd> nt!IoReportResourceUsage+0x620d: 80590ee3 807d0f02 cmp byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6211: 80590ee7 7525 jne nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6238: 80590f0e 0fb6450f movzx eax,byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x623c: 80590f12 8b7c85b4 mov edi,dword ptr [ebp+eax*4-4Ch] 1: kd> nt!IoReportResourceUsage+0x6240: 80590f16 3bfb cmp edi,ebx 1: kd> nt!IoReportResourceUsage+0x6242: 80590f18 7459 je nt!IoReportResourceUsage+0x629d (80590f73) 1: kd> nt!IoReportResourceUsage+0x629d: 80590f73 fe450f inc byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x62a0: 80590f76 807d0f05 cmp byte ptr [ebp+0Fh],5 1: kd> nt!IoReportResourceUsage+0x62a4: 80590f7a 0f8263ffffff jb nt!IoReportResourceUsage+0x620d (80590ee3) 1: kd> nt!IoReportResourceUsage+0x620d: 80590ee3 807d0f02 cmp byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6211: 80590ee7 7525 jne nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6213: 80590ee9 ffb688000000 push dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x6219: 80590eef e88ee7f5ff call nt!IoGetAttachedDevice (804ef682) 1: kd> nt!IoReportResourceUsage+0x621e: 80590ef4 807dff00 cmp byte ptr [ebp-1],0 1: kd> nt!IoReportResourceUsage+0x6222: 80590ef8 8945d8 mov dword ptr [ebp-28h],eax 1: kd> nt!IoReportResourceUsage+0x6225: 80590efb 7411 je nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6238: 80590f0e 0fb6450f movzx eax,byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x623c: 80590f12 8b7c85b4 mov edi,dword ptr [ebp+eax*4-4Ch] 1: kd> nt!IoReportResourceUsage+0x6240: 80590f16 3bfb cmp edi,ebx 1: kd> nt!IoReportResourceUsage+0x6242: 80590f18 7459 je nt!IoReportResourceUsage+0x629d (80590f73) 1: kd> nt!IoReportResourceUsage+0x6244: 80590f1a 83c002 add eax,2 1: kd> nt!IoReportResourceUsage+0x6247: 80590f1d 8945e8 mov dword ptr [ebp-18h],eax 1: kd> nt!IoReportResourceUsage+0x624a: 80590f20 8b17 mov edx,dword ptr [edi] 1: kd> nt!IoReportResourceUsage+0x624c: 80590f22 8b4218 mov eax,dword ptr [edx+18h] 1: kd> nt!IoReportResourceUsage+0x624f: 80590f25 ff75e8 push dword ptr [ebp-18h] 1: kd> nt!IoReportResourceUsage+0x6252: 80590f28 8b4004 mov eax,dword ptr [eax+4] 1: kd> nt!IoReportResourceUsage+0x6255: 80590f2b 8b8e88000000 mov ecx,dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x625b: 80590f31 50 push eax 1: kd> nt!IoReportResourceUsage+0x625c: 80590f32 e80b65f6ff call nt!IoReportTargetDeviceChangeAsynchronous+0x169e (804f7442) 1: kd> nt!IoReportResourceUsage+0x6261: 80590f37 3bc3 cmp eax,ebx 1: kd> nt!IoReportResourceUsage+0x6263: 80590f39 894508 mov dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x6266: 80590f3c 7c1d jl nt!IoReportResourceUsage+0x6285 (80590f5b) 1: kd> nt!IoReportResourceUsage+0x6285: 80590f5b 807d0f02 cmp byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6289: 80590f5f 742e je nt!IoReportResourceUsage+0x62b9 (80590f8f) 1: kd> nt!IoReportResourceUsage+0x62b9: 80590f8f 8b45c8 mov eax,dword ptr [ebp-38h] 1: kd> nt!IoReportResourceUsage+0x62bc: 80590f92 8b5010 mov edx,dword ptr [eax+10h] 1: kd> nt!IoReportResourceUsage+0x62bf: 80590f95 8b8e88000000 mov ecx,dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x62c5: 80590f9b 53 push ebx 1: kd> nt!IoReportResourceUsage+0x62c6: 80590f9c ff7510 push dword ptr [ebp+10h] 1: kd> nt!IoReportResourceUsage+0x62c9: 80590f9f e862ecfaff call nt!wctomb+0x3f0b (8053fc06) 1: kd> nt!IoReportResourceUsage+0x62ce: 80590fa4 6a1f push 1Fh 1: kd> nt!IoReportResourceUsage+0x62d0: 80590fa6 53 push ebx 1: kd> nt!IoReportResourceUsage+0x62d1: 80590fa7 56 push esi 1: kd> nt!IoReportResourceUsage+0x62d2: 80590fa8 e8a7370000 call nt!IoReportResourceUsage+0x9a7e (80594754) 1: kd> nt!IoReportResourceUsage+0x62d7: 80590fad eb65 jmp nt!IoReportResourceUsage+0x633e (80591014) 1: kd> nt!IoReportResourceUsage+0x633e: 80591014 8d5db4 lea ebx,[ebp-4Ch] 1: kd> nt!IoReportResourceUsage+0x6341: 80591017 c7450c05000000 mov dword ptr [ebp+0Ch],5 1: kd> nt!IoReportResourceUsage+0x6348: 8059101e 8b33 mov esi,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x634a: 80591020 eb24 jmp nt!IoReportResourceUsage+0x6370 (80591046) 1: kd> nt!IoReportResourceUsage+0x6370: 80591046 85f6 test esi,esi 1: kd> nt!IoReportResourceUsage+0x6372: 80591048 75d8 jne nt!IoReportResourceUsage+0x634c (80591022) 1: kd> nt!IoReportResourceUsage+0x6374: 8059104a 83c304 add ebx,4 1: kd> nt!IoReportResourceUsage+0x6377: 8059104d ff4d0c dec dword ptr [ebp+0Ch] 1: kd> nt!IoReportResourceUsage+0x637a: 80591050 75cc jne nt!IoReportResourceUsage+0x6348 (8059101e) 1: kd> nt!IoReportResourceUsage+0x6348: 8059101e 8b33 mov esi,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x634a: 80591020 eb24 jmp nt!IoReportResourceUsage+0x6370 (80591046) 1: kd> nt!IoReportResourceUsage+0x6370: 80591046 85f6 test esi,esi 1: kd> nt!IoReportResourceUsage+0x6372: 80591048 75d8 jne nt!IoReportResourceUsage+0x634c (80591022) 1: kd> nt!IoReportResourceUsage+0x6374: 8059104a 83c304 add ebx,4 1: kd> nt!IoReportResourceUsage+0x6377: 8059104d ff4d0c dec dword ptr [ebp+0Ch] 1: kd> nt!IoReportResourceUsage+0x637a: 80591050 75cc jne nt!IoReportResourceUsage+0x6348 (8059101e) 1: kd> nt!IoReportResourceUsage+0x6348: 8059101e 8b33 mov esi,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x634a: 80591020 eb24 jmp nt!IoReportResourceUsage+0x6370 (80591046) 1: kd> nt!IoReportResourceUsage+0x6370: 80591046 85f6 test esi,esi 1: kd> nt!IoReportResourceUsage+0x6372: 80591048 75d8 jne nt!IoReportResourceUsage+0x634c (80591022) 1: kd> nt!IoReportResourceUsage+0x634c: 80591022 803d96b4558000 cmp byte ptr [nt!IoAdapterObjectType+0x726 (8055b496)],0 1: kd> nt!IoReportResourceUsage+0x6353: 80591029 8bfe mov edi,esi 1: kd> nt!IoReportResourceUsage+0x6355: 8059102b 8b7604 mov esi,dword ptr [esi+4] 1: kd> nt!IoReportResourceUsage+0x6358: 8059102e 7407 je nt!IoReportResourceUsage+0x6361 (80591037) 1: kd> nt!IoReportResourceUsage+0x635a: 80591030 ff37 push dword ptr [edi] 1: kd> nt!IoReportResourceUsage+0x635c: 80591032 e885350000 call nt!IoReportResourceUsage+0x98e6 (805945bc) 1: kd> nt!IoReportResourceUsage+0x6361: 80591037 8b0f mov ecx,dword ptr [edi] 1: kd> nt!IoReportResourceUsage+0x6363: 80591039 e8a057f9ff call nt!ObfDereferenceObject (805267de) 1: kd> nt!RtlUnwind+0xdc1: 80532043 5d pop ebp 1: kd> lm start end module name 7eb30000 7ebe4000 ntdll (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80 pci (deferred) 80100000 8012a000 KDSTUB (deferred) 804d7000 806e5000 nt (export symbols) ntkrpamp.exe 80706000 8072e000 kdcom (deferred) b3748000 b37a5f00 update (deferred) b37a6000 b37c8700 ks (deferred) b37c9000 b37f8c80 rdpdr (deferred) b44e6000 b44e6c00 audstub (deferred) b45f7000 b4600f80 termdd (deferred) b500e000 b5011c80 mssmbios (deferred) b6e27000 b6e28100 swenum (deferred) b8eab000 b8eb3e00 intelppm (deferred) b96b5000 b96dd000 HDAudBus (deferred) b979d000 b97a0d80 serenum (deferred) b97b1000 b97b3280 wmiacpi (deferred) b987f000 b9898e80 Mup (deferred) b9899000 b98d8000 NETIO (deferred) b98d8000 b9903000 msrpc (deferred) b9903000 b9aec680 ntoskrn8 (deferred) b9aed000 b9ba5000 NDIS (deferred) b9ba5000 b9c31d00 Ntfs (deferred) b9c32000 b9c48b80 KSecDD (deferred) b9c49000 b9c5af00 sr (deferred) b9c5b000 b9c7ab00 fltMgr (deferred) b9c7b000 b9f30000 iaStor (deferred) b9f30000 b9f55700 dmio (deferred) b9f56000 b9f74880 ftdisk (deferred) b9f75000 b9fa7000 ACPI (deferred) ba0a8000 ba0b1180 isapnp (deferred) ba0b8000 ba0c2700 MountMgr (deferred) ba0c8000 ba0d3000 PartMgr (deferred) ba0d8000 ba0e4c80 VolSnap (deferred) ba0e8000 ba0f8000 disk (deferred) ba0f8000 ba104180 CLASSPNP (deferred) ba278000 ba284d00 i8042prt (deferred) ba288000 ba297c00 serial (deferred) ba328000 ba32e800 firadisk (deferred) ba3b8000 ba3be000 kbdclass (deferred) ba3c0000 ba3c5a00 mouclass (deferred) ba4b8000 ba4bb000 BOOTVID (deferred) ba5a8000 ba5a9100 WMILIB (deferred) ba5aa000 ba5ab700 dmload (deferred) Unloaded modules: b5006000 b5009000 Sfloppy.SYS b45e7000 b45f3000 Flpydisk.SYS b6f9d000 b6fa4000 Fdc.SYS b86d2000 b873f000 e1d6232.sys Edited June 6, 2022 by Dietmar
Dietmar Posted June 6, 2022 Posted June 6, 2022 @Damnation I caught the Bsod after the driverentry of e1d6232.sys . This driver e1d6232.sys was unloaded for unknown reason, 3 times. And after this netio.sys crashes. https://ufile.io/dompmiaq
Damnation Posted June 6, 2022 Author Posted June 6, 2022 @Dietmar can you try these ndis/netio/msrpc.sys files on a system with a known XP compatible NDIS5 NIC? i.e just swap the files on a system with a working NIC on XP and restart. Does it stop working? do you get a similar BSOD on that kind of hardware?
Dietmar Posted June 6, 2022 Posted June 6, 2022 (edited) @Damnation I already tried this, same Bsod with ndis5 driver for the i217 and ndis/netio/msrpc.sys files from win7 together with ntoskrn8.sys . I also look, if the i217 is backword compatible with the win7 driver and ndis/netio/msrpc.sys files from win7 together with ntoskrn8.sys, also not, same Bsod. Now I think the best what we can do is, to look step by step at the working 5048 ndis/netio/msrpc.sys, which driver has to be loaded at which time. For me it is still strange as much as possible, that I cant catch the driverentry of netio.sys. It looks, as if this driver never starts, is only loaded. And this may be the reason, why the e1d6232.sys is unloaded Dietmar PS: Now I am tired and go to bed:)). Next BIG step would be, to look at a working mini win7 SP1, which Lan files are loaded at which time, looking also for registry entries. Before e1d6232.sys install and then with Beyond compare of whole registry after install. Edited June 6, 2022 by Dietmar
Dietmar Posted June 7, 2022 Posted June 7, 2022 @Damnation I make a try what happens in real win7. This win7 sp1 boots on the Asrock z370 k6 board with working drivers for i219 and i211, I test. With unlocker1.9.0-portable I rename on this win7 sp1 bit32 HD in an USB box netio.sys msrpc.sys and ndis.sys to netioORI.sys msrpcORI.sys and ndisORI.sys . Then I copy there your modded netio.sys msrpc.sys ndis.sys and ntoskrn8.sys. But win7 does not want to start with this files, even via F8 I choose "unsigned driver". The crazy System repair from win7 kicked the modified files out and replace it with its own. Is there a way, to tell win7 not to do this Dietmar
Dietmar Posted June 7, 2022 Posted June 7, 2022 @Damnation Can you please integrate for me the function NdisGroupActiveProcessorCount into ndis.sys from Longhorn 5048? I think, that you do this via ntoskrn8.sys . I make a try with PE Maker, to add this function to ndis.sys by myself but I dont know, from where to get this function and how to integrate it into ndis.sys (or ntoskrn8.sys). This function is the only missed function in Import in ndis.sys for the win7 e1d6232.sys driver, as you can see with Dependency Walker Dietmar https://ufile.io/0taapdko
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now