Damnation Posted June 7, 2022 Author
@Dietmar I think KeAllocateCalloutStackEx is the cause, let me try something.

Damnation Posted June 7, 2022 Author
@Dietmar OK, try this one.
https://ufile.io/nuiwxdd6

Dietmar Posted June 7, 2022
@Damnation
Same as before
Dietmar

Breakpoint 0 hit
e1d6232!DriverEntry:
b5512094 55 push ebp
11: kd> g

*** Fatal System Error: 0x0000007f (0x00000008,0xBA380D70,0x00000000,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 21:41:06.218 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000
WARNING: Process directory table base 9E680020 doesn't match CR3 00759000
..........................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, ba380d70, 0, 0}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntoskrn8.sys -
Probably caused by : ntoskrn8.sys ( ntoskrn8!wcstoul+64bd2 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc int 3
11: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
    use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
    use .trap on that value
Else
    .trap on the appropriate frame will show where the trap was taken
    (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: ba380d70
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR: 0x7f_8

TSS: 00000028 -- (.tss 0x28)
eax=ba55db67 ebx=00020019 ecx=ba556590 edx=e1796540 esi=ba553690 edi=8bc3a9c8
eip=b9972f6b esp=e8570689 ebp=ba553658 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
ntoskrn8!wcstoul+0x64bd2:
b9972f6b 80340850 xor byte ptr [eax+ecx],50h ds:0023:74ab40f7=??
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER: from 00000000 to b9972f6b

UNALIGNED_STACK_POINTER: e8570689

STACK_TEXT:
ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!wcstoul+0x64bd2

STACK_COMMAND: .tss 0x28 ; kb

FOLLOWUP_IP:
ntoskrn8!wcstoul+64bd2
b9972f6b 80340850 xor byte ptr [eax+ecx],50h

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: ntoskrn8!wcstoul+64bd2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ntoskrn8

IMAGE_NAME: ntoskrn8.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 629fa760

IMAGE_VERSION: 5.1.2600.10

FAILURE_BUCKET_ID: 0x7f_8_ntoskrn8!wcstoul+64bd2

BUCKET_ID: 0x7f_8_ntoskrn8!wcstoul+64bd2

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7f_8_ntoskrn8!wcstoul+64bd2

FAILURE_ID_HASH: {1fad9cf1-073f-b7e5-0ea1-ef1bf339577a}

Followup: MachineOwner
---------

11: kd> lm
start end module name
80062000 80072a80 pci (deferred)
80100000 8012a000 KDSTUB (deferred)
804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb
806e5000 80705d80 hal (deferred)
80706000 8072e000 kdcom (deferred)
b550f000 b557c000 e1d6232 (deferred)
b5b83000 b5be0f00 update (deferred)
b5be1000 b5c03700 ks (deferred)
b5c2c000 b5c5bc80 rdpdr (deferred)
b7696000 b7696c00 audstub (deferred)
b8ecb000 b8edb000 cdrom (deferred)
b91c1000 b91caf80 termdd (deferred)
b96b5000 b96dd000 HDAudBus (deferred)
b97b9000 b97bb280 wmiacpi (deferred)
b97f3000 b97f6d80 serenum (deferred)
b97fb000 b97fec80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb
b987f000 b9898e80 Mup (deferred)
b9899000 b98d8000 NETIO (deferred)
b98d8000 b9903000 msrpc (deferred)
b9903000 b9aec880 ntoskrn8 (export symbols) ntoskrn8.sys
b9aed000 b9ba5000 NDIS (deferred)
b9ba5000 b9c31d00 Ntfs (deferred)
b9c32000 b9c48b80 KSecDD (deferred)
b9c49000 b9c5af00 sr (deferred)
b9c5b000 b9c7ab00 fltMgr (deferred)
b9c7b000 b9f30000 iaStor (deferred)
b9f30000 b9f55700 dmio (deferred)
b9f56000 b9f74880 ftdisk (deferred)
b9f75000 b9fa7000 ACPI (deferred)
ba0a8000 ba0b1180 isapnp (deferred)
ba0b8000 ba0c2700 MountMgr (deferred)
ba0c8000 ba0d3000 PartMgr (deferred)
ba0d8000 ba0e4c80 VolSnap (deferred)
ba0e8000 ba0f8000 disk (deferred)
ba0f8000 ba104180 CLASSPNP (deferred)
ba108000 ba114d00 i8042prt (deferred)
ba118000 ba127c00 serial (deferred)
ba128000 ba130e00 intelppm (deferred)
ba328000 ba32e800 firadisk (deferred)
ba388000 ba38e000 kbdclass (deferred)
ba398000 ba39da00 mouclass (deferred)
ba4b8000 ba4bb000 BOOTVID (deferred)
ba5a8000 ba5a9100 WMILIB (deferred)
ba5aa000 ba5ab700 dmload (deferred)
ba614000 ba615100 swenum (deferred)

Unloaded modules:
b8ecb000 b8edb000 cdrom.sys
b97ef000 b97f2000 Sfloppy.SYS
b8eeb000 b8ef7000 Flpydisk.SYS
b8d8f000 b8d96000 Fdc.SYS
b9648000 b96b5000 e1d6232.sys

Damnation Posted June 7, 2022 Author
@Dietmar Can you load the PDB symbols for ntoskrn8?
Last time it was

Quote:
MISALIGNED_IP:
ntoskrn8!_imp__KeInitializeMutex+3
b9972fef 80340850 xor byte ptr [eax+ecx],50h

Has that changed?

Dietmar Posted June 7, 2022
@Damnation
Yepp, I forget. Here is with last *.pdb
Dietmar

Intel Storage Driver Ver: 11.2.0.1006

*** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 21:58:29.140 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000
WARNING: Process directory table base 9E680020 doesn't match CR3 00759000
.........................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, ba330d70, 0, 0}

Probably caused by : ntoskrn8.sys ( ntoskrn8!_imp__PsReferencePrimaryToken+3 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc int 3
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
    use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
    use .trap on that value
Else
    .trap on the appropriate frame will show where the trap was taken
    (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: ba330d70
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR: 0x7f_8

TSS: 00000028 -- (.tss 0x28)
eax=ba55db67 ebx=00020019 ecx=ba55c390 edx=e178c350 esi=ba553690 edi=8bc3a9c8
eip=b9972f6b esp=e8570689 ebp=ba553658 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
ntoskrn8!_imp__PsReferencePrimaryToken+0x3:
b9972f6b 80340850 xor byte ptr [eax+ecx],50h ds:0023:74ab9ef7=??
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER: from 00000000 to b9972f6b

UNALIGNED_STACK_POINTER: e8570689

STACK_TEXT:
ba553658 00000000 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__PsReferencePrimaryToken+0x3

STACK_COMMAND: .tss 0x28 ; kb

FOLLOWUP_IP:
ntoskrn8!_imp__PsReferencePrimaryToken+3
b9972f6b 80340850 xor byte ptr [eax+ecx],50h

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: ntoskrn8!_imp__PsReferencePrimaryToken+3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ntoskrn8

IMAGE_NAME: ntoskrn8.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 629fa760

IMAGE_VERSION: 5.1.2600.10

FAILURE_BUCKET_ID: 0x7f_8_ntoskrn8!_imp__PsReferencePrimaryToken+3

BUCKET_ID: 0x7f_8_ntoskrn8!_imp__PsReferencePrimaryToken+3

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7f_8_ntoskrn8!_imp__psreferenceprimarytoken+3

FAILURE_ID_HASH: {27ce86e3-c6e0-2574-9fa6-ebfd80618e8d}

Followup: MachineOwner
---------

1: kd> lm
start end module name
80062000 80072a80 pci (deferred)
80100000 8012a000 KDSTUB (deferred)
804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb
806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb
80706000 8072e000 kdcom (deferred)
b5a1c000 b5a89000 e1d6232 (deferred)
b8b39000 b8b96f00 update (deferred)
b9326000 b9348700 ks (deferred)
b9685000 b96b4c80 rdpdr (deferred)
b96b5000 b96dd000 HDAudBus (deferred)
b9711000 b9714c80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb
b97f7000 b97fad80 serenum (deferred)
b987f000 b9898e80 Mup (deferred)
b9899000 b98d8000 NETIO (deferred)
b98d8000 b9903000 msrpc (deferred)
b9903000 b9aec880 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\C9467C0DBC594315A0717C5122137D231\ntoskrn8.pdb
b9aed000 b9ba5000 NDIS (deferred)
b9ba5000 b9c31d00 Ntfs (deferred)
b9c32000 b9c48b80 KSecDD (deferred)
b9c49000 b9c5af00 sr (deferred)
b9c5b000 b9c7ab00 fltMgr (deferred)
b9c7b000 b9f30000 iaStor (deferred)
b9f30000 b9f55700 dmio (deferred)
b9f56000 b9f74880 ftdisk (deferred)
b9f75000 b9fa7000 ACPI (deferred)
ba0a8000 ba0b1180 isapnp (deferred)
ba0b8000 ba0c2700 MountMgr (deferred)
ba0c8000 ba0d3000 PartMgr (deferred)
ba0d8000 ba0e4c80 VolSnap (deferred)
ba0e8000 ba0f8000 disk (deferred)
ba0f8000 ba104180 CLASSPNP (deferred)
ba118000 ba124d00 i8042prt (deferred)
ba128000 ba137c00 serial (deferred)
ba138000 ba140e00 intelppm (deferred)
ba148000 ba151f80 termdd (deferred)
ba328000 ba32e800 firadisk (deferred)
ba388000 ba38e000 kbdclass (deferred)
ba398000 ba39da00 mouclass (deferred)
ba4b8000 ba4bb000 BOOTVID (deferred)
ba57c000 ba57e280 wmiacpi (deferred)
ba5a8000 ba5a9100 WMILIB (deferred)
ba5aa000 ba5ab700 dmload (deferred)
ba5be000 ba5bf100 swenum (deferred)
ba7f3000 ba7f3c00 audstub (deferred)

Unloaded modules:
b8ef1000 b8f01000 cdrom.sys
b97f3000 b97f6000 Sfloppy.SYS
b8f01000 b8f0d000 Flpydisk.SYS
b8d78000 b8d7f000 Fdc.SYS
b9648000 b96b5000 e1d6232.sys

Damnation Posted June 7, 2022 Author (edited)
@Dietmar OK, let's try this one - sorry it's not ufile.io - it's down for me right now.
https://anonfiles.com/Hc1fR7n4y6/ndis6_fordietmar_8jun2022_5_7z
edit: ufile is back
https://ufile.io/69oe56vn
Edited June 7, 2022 by Damnation

Dietmar Posted June 7, 2022
@Damnation
This one is a little bit other. On normal XP start it gives endless running bar.
With Windbg I get it
Dietmar

*** Fatal System Error: 0x0000007f (0x00000008,0xBA330D70,0x00000000,0x00000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 22:27:55.343 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
..................WARNING: Process directory table base 9E680020 doesn't match CR3 00759000
WARNING: Process directory table base 9E680020 doesn't match CR3 00759000
.........................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, ba330d70, 0, 0}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for e1d6232.sys -
*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560
*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560
*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560
*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560
*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560
Probably caused by : ntoskrn8.sys ( ntoskrn8!_imp__PsReferenceImpersonationToken+3 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc int 3
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
    use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
    use .trap on that value
Else
    .trap on the appropriate frame will show where the trap was taken
    (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: ba330d70
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560
*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560
*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560
*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560
*** No owner thread found for resource 8055b4e0
*** No owner thread found for resource 8055b560

BUGCHECK_STR: 0x7f_8

TSS: 00000028 -- (.tss 0x28)
eax=ba553667 ebx=00020019 ecx=ba553290 edx=e15b3290 esi=ba553690 edi=8bc3a9c8
eip=b9972f67 esp=b9904aae ebp=ba553658 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
ntoskrn8!_imp__PsReferenceImpersonationToken+0x3:
b9972f67 80340850 xor byte ptr [eax+ecx],50h ds:0023:74aa68f7=??
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LOCK_ADDRESS: 8055b4e0 -- (!locks 8055b4e0)

Resource @ nt!PiEngineLock (0x8055b4e0) Exclusively owned
Contention Count = 2
Threads: 8bc37620-01<*>
1 total locks, 1 locks currently held

PNP_TRIAGE:
Lock address : 0x8055b4e0
Thread Count : 0
Thread address: 0x00000000
Thread wait : 0x0

LAST_CONTROL_TRANSFER: from b989ec77 to b9972f67

UNALIGNED_STACK_POINTER: b9904aae

STACK_TEXT:
ba553658 b989ec77 8bc37620 8bc3a9c8 ba553690 ntoskrn8!_imp__PsReferenceImpersonationToken+0x3
ba5536bc b98a4a0a 00000000 e15b3290 00000000 NETIO!NsipAccessCheck+0x100
ba553728 b9b0b945 ba553740 b9b307c0 00000000 NETIO!NsiRegisterChangeNotificationEx+0x23
ba55375c b9b0c6ea 00060000 8052e8fc ba553784 NDIS!ndisStartNsiClient+0x6b
ba553778 b9b08db9 b1c46000 89b1e950 00060014 NDIS!ndisInitializeNsi+0x5f
ba553790 b1bf52a3 89b1e950 89b53000 00000000 NDIS!NdisMRegisterMiniportDriver+0x51
WARNING: Stack unwind information not available. Following frames may be wrong.
ba55380c 805813af 89b1e950 89b53000 00000000 e1d6232!DriverEntry+0x20f
ba5538dc 8058f557 80000824 00000000 ba553900 nt!IopLoadDriver+0x66d
ba553920 805e7b7f e13ce1c0 00000001 80000824 nt!PipCallDriverAddDeviceQueryRoutine+0x235
ba55396c 805e7f76 e13ce1a4 00000001 ba5539e8 nt!RtlpCallQueryRegistryRoutine+0x37d
ba5539f4 80590ddf 00000001 00000084 ba553a1c nt!RtlQueryRegistryValues+0x368
ba553ac8 8059229c 00000000 00000001 ba553d5c nt!PipCallDriverAddDevice+0x261
ba553d24 80592832 8bb9e168 00000001 00000000 nt!PipProcessDevNodeTree+0x1a4
ba553d54 804f6a2a 00000003 8055b5c0 8056485c nt!PiRestartDevice+0x80
ba553d7c 80538921 00000000 00000000 8bc37620 nt!PipDeviceActionWorker+0x168
ba553dac 805cffee 00000000 00000000 00000000 nt!ExpWorkerThread+0xef
ba553ddc 8054623e 80538832 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: .tss 0x28 ; kb

FOLLOWUP_IP:
ntoskrn8!_imp__PsReferenceImpersonationToken+3
b9972f67 80340850 xor byte ptr [eax+ecx],50h

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: ntoskrn8!_imp__PsReferenceImpersonationToken+3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ntoskrn8

IMAGE_NAME: ntoskrn8.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 629faeff

IMAGE_VERSION: 5.1.2600.10

FAILURE_BUCKET_ID: 0x7f_8_ntoskrn8!_imp__PsReferenceImpersonationToken+3

BUCKET_ID: 0x7f_8_ntoskrn8!_imp__PsReferenceImpersonationToken+3

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7f_8_ntoskrn8!_imp__psreferenceimpersonationtoken+3

FAILURE_ID_HASH: {bee40295-1430-50f2-4e8a-32064dcc7f4a}

Followup: MachineOwner
---------

1: kd> lm
start end module name
80062000 80072a80 pci (deferred)
80100000 8012a000 KDSTUB (deferred)
804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb
806e5000 80705d80 hal (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\halmacpi.pdb\253F6CAD95214878B51A88A9B592FD381\halmacpi.pdb
80706000 8072e000 kdcom (deferred)
b1bf2000 b1c5f000 e1d6232 (export symbols) e1d6232.sys
b3862000 b38bff00 update (deferred)
b5105000 b5127700 ks (deferred)
b51f9000 b5228c80 rdpdr (deferred)
b6de3000 b6de3c00 audstub (deferred)
b8e7b000 b8e84f80 termdd (deferred)
b96b5000 b96dd000 HDAudBus (deferred)
b970d000 b9710c80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb
b97f7000 b97fad80 serenum (deferred)
b987f000 b9898e80 Mup (deferred)
b9899000 b98d8000 NETIO (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\netio.pdb\5BBB5169EEB04D0BB707BFA122C6C9442\netio.pdb
b98d8000 b9903000 msrpc (deferred)
b9903000 b9aec800 ntoskrn8 (private pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntoskrn8.pdb\86B8A4E26A414B788E4F55812BC03C5D1\ntoskrn8.pdb
b9aed000 b9ba5000 NDIS (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ndis.pdb\B69DA90026554DB7963D1422C84157172\ndis.pdb
b9ba5000 b9c31d00 Ntfs (deferred)
b9c32000 b9c48b80 KSecDD (deferred)
b9c49000 b9c5af00 sr (deferred)
b9c5b000 b9c7ab00 fltMgr (deferred)
b9c7b000 b9f30000 iaStor (deferred)
b9f30000 b9f55700 dmio (deferred)
b9f56000 b9f74880 ftdisk (deferred)
b9f75000 b9fa7000 ACPI (deferred)
ba0a8000 ba0b1180 isapnp (deferred)
ba0b8000 ba0c2700 MountMgr (deferred)
ba0c8000 ba0d3000 PartMgr (deferred)
ba0d8000 ba0e4c80 VolSnap (deferred)
ba0e8000 ba0f8000 disk (deferred)
ba0f8000 ba104180 CLASSPNP (deferred)
ba118000 ba124d00 i8042prt (deferred)
ba128000 ba137c00 serial (deferred)
ba138000 ba140e00 intelppm (deferred)
ba328000 ba32e800 firadisk (deferred)
ba388000 ba38e000 kbdclass (deferred)
ba398000 ba39da00 mouclass (deferred)
ba4b8000 ba4bb000 BOOTVID (deferred)
ba57c000 ba57e280 wmiacpi (deferred)
ba5a8000 ba5a9100 WMILIB (deferred)
ba5aa000 ba5ab700 dmload (deferred)
ba622000 ba623100 swenum (deferred)

Unloaded modules:
b2a8b000 b2a9b000 cdrom.sys
b73f4000 b73f7000 Sfloppy.SYS
b2a9b000 b2aa7000 Flpydisk.SYS
b8dcb000 b8dd2000 Fdc.SYS
b9648000 b96b5000 e1d6232.sys

Damnation Posted June 7, 2022 Author
@Dietmar Thanks for all the help with debugging Dietmar! I really appreciate it.
https://ufile.io/vhdgq4uy

Dietmar Posted June 7, 2022 (edited)
@Damnation
Endless running bar and with Windbg netio.sys Bsod,
the lan driver e1d.. is 5(!) times unloaded, Bsod very late in Boot process, mouse pointer already there
Dietmar

*** Fatal System Error: 0x000000d1 (0x00300016,0x00000002,0x00000000,0xB98A99F7)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Tue Jun 7 22:55:08.406 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
.......
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {300016, 2, 0, b98a99f7}

Probably caused by : NETIO.SYS ( NETIO!NmrpIsEqualNpiId+8 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc int 3
2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00300016, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: b98a99f7, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: 00300016

CURRENT_IRQL: 2

FAULTING_IP:
NETIO!NmrpIsEqualNpiId+8
b98a99f7 8b10 mov edx,dword ptr [eax]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

TRAP_FRAME: ba54fa38 -- (.trap 0xffffffffba54fa38)
ErrCode = 00000000
eax=00300016 ebx=00300012 ecx=b9b2d6f0 edx=89a1cd30 esi=b9b2d6f0 edi=00000000
eip=b98a99f7 esp=ba54faac ebp=ba54faac iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
NETIO!NmrpIsEqualNpiId+0x8:
b98a99f7 8b10 mov edx,dword ptr [eax] ds:0023:00300016=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 804f8e95 to 8052b724

STACK_TEXT:
ba54f5ec 804f8e95 00000003 ba54f948 00000000 nt!RtlpBreakWithStatusInstruction
ba54f638 804f9a80 00000003 00300016 b98a99f7 nt!KiBugCheckDebugBreak+0x19
ba54fa18 8054483c 0000000a 00300016 00000002 nt!KeBugCheck2+0x574
ba54fa18 b98a99f7 0000000a 00300016 00000002 nt!KiTrap0E+0x180
ba54faac b98a9e81 00300016 b9b2d6f0 89b18280 NETIO!NmrpIsEqualNpiId+0x8
ba54fac4 b98a9d5d 8bc0d208 00000001 b9b2f008 NETIO!NmrpFindOrAddRegisteredNpiId+0x22
ba54fb30 b98a9c91 89b18280 ba54fb68 ba54fb64 NETIO!NmrpRegisterModuleAndGetBindableCandidates+0x33
ba54fb58 b98a9f72 00000002 b9b2e018 00000000 NETIO!NmrpRegisterModule+0x3c
ba54fb80 b9b0bf2f b9b0c6db 00000000 b9b2f008 NETIO!NmrRegisterProvider+0x4b
ba54fba4 b9b0c6db 00000000 ba54fdcc 00000030 NDIS!ndisStartNsiProvider+0x4b
ba54fbc0 b9b645c0 ba54fc64 8981fb90 00000000 NDIS!ndisInitializeNsi+0x50
ba54fbd4 b91d0bd3 ba54fc7c b91d066c ba54fbf8 NDIS!NdisRegisterProtocol+0x18
ba54fc84 805813af 89afac60 89b4c000 00000000 ndisuio!DriverEntry+0x175
ba54fd54 805814bf 80000958 00000001 00000000 nt!IopLoadDriver+0x66d
ba54fd7c 80538921 80000958 00000000 8bc378a0 nt!IopLoadUnloadDriver+0x45
ba54fdac 805cffee b1d9acf4 00000000 00000000 nt!ExpWorkerThread+0xef
ba54fddc 8054623e 80538832 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
NETIO!NmrpIsEqualNpiId+8
b98a99f7 8b10 mov edx,dword ptr [eax]

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: NETIO!NmrpIsEqualNpiId+8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 5b48ef86

IMAGE_VERSION: 6.1.7601.24208

FAILURE_BUCKET_ID: 0xD1_NETIO!NmrpIsEqualNpiId+8

BUCKET_ID: 0xD1_NETIO!NmrpIsEqualNpiId+8

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xd1_netio!nmrpisequalnpiid+8

FAILURE_ID_HASH: {1d7ea187-17c8-1608-8471-24546162eb85}

Followup: MachineOwner
---------

2: kd> lm
start end module name
80062000 80072a80 pci (deferred)
80100000 8012a000 KDSTUB (deferred)
804d7000 806e5000 nt (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb
806e5000 80705d80 hal (deferred)
80706000 8072e000 kdcom (deferred)
b2041000 b2041d00 dxgthk (deferred)
b4d38000 b4da7a80 mrxsmb (deferred)
b4e15000 b4e3fb00 rdbss (deferred)
b4e40000 b4e61d00 afd (deferred)
b4e62000 b4e89d80 netbt (deferred)
b4e8a000 b4eaf500 ipnat (deferred)
b53df000 b5437480 tcpip (deferred)
b5478000 b548a600 ipsec (deferred)
b54ab000 b54be880 VIDEOPRT (deferred)
b5858000 b585a280 rasacd (deferred)
b58bc000 b58be900 Dxapi (deferred)
b58f7000 b58f8080 RDPCDD (deferred)
b5bb2000 b5bb6500 watchdog (deferred)
b6d40000 b6d44a80 TDI (deferred)
b6d50000 b6d57980 Npfs (deferred)
b6d58000 b6d5cb00 Msfs (deferred)
b6d60000 b6d65200 vga (deferred)
b6d88000 b6d88b80 Null (deferred)
b6e1a000 b6e24e00 Fips (deferred)
b6e4a000 b6e52780 netbios (deferred)
b8e63000 b8e6b900 msgpc (deferred)
b91ce000 b91d1900 ndisuio (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ndisuio.pdb\C49AA8614D0E4F23B14F5894ABB43FD41\ndisuio.pdb
b9604000 b9661f00 update (deferred)
b9662000 b9684700 ks (deferred)
b9685000 b96b4c80 rdpdr (deferred)
b96b5000 b96dd000 HDAudBus (deferred)
b97ad000 b97b0c80 mssmbios (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\mssmbios.pdb\9940673F3B9A4BD682DF9D96A12A355C1\mssmbios.pdb
b97ef000 b97f1400 Fs_Rec (deferred)
b97f7000 b97fad80 serenum (deferred)
b987f000 b9898e80 Mup (deferred)
b9899000 b98d8000 NETIO (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\netio.pdb\5BBB5169EEB04D0BB707BFA122C6C9442\netio.pdb
b98d8000 b9903000 msrpc (deferred)
b9903000 b9aec800 ntoskrn8 (deferred)
b9aed000 b9ba5000 NDIS (pdb symbols) C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ndis.pdb\B69DA90026554DB7963D1422C84157172\ndis.pdb
b9ba5000 b9c31d00 Ntfs (deferred)
b9c32000 b9c48b80 KSecDD (deferred)
b9c49000 b9c5af00 sr (deferred)
b9c5b000 b9c7ab00 fltMgr (deferred)
b9c7b000 b9f30000 iaStor (deferred)
b9f30000 b9f55700 dmio (deferred)
b9f56000 b9f74880 ftdisk (deferred)
b9f75000 b9fa7000 ACPI (deferred)
ba0a8000 ba0b1180 isapnp (deferred)
ba0b8000 ba0c2700 MountMgr (deferred)
ba0c8000 ba0d3000 PartMgr (deferred)
ba0d8000 ba0e4c80 VolSnap (deferred)
ba0e8000 ba0f8000 disk (deferred)
ba0f8000 ba104180 CLASSPNP (deferred)
ba118000 ba124d00 i8042prt (deferred)
ba128000 ba137c00 serial (deferred)
ba138000 ba140e00 intelppm (deferred)
ba148000 ba151f80 termdd (deferred)
ba328000 ba32e800 firadisk (deferred)
ba388000 ba38e000 kbdclass (deferred)
ba398000 ba39da00 mouclass (deferred)
ba4b8000 ba4bb000 BOOTVID (deferred)
ba57c000 ba57e280 wmiacpi (deferred)
ba5a8000 ba5a9100 WMILIB (deferred)
ba5aa000 ba5ab700 dmload (deferred)
ba5be000 ba5bf100 swenum (deferred)
ba618000 ba619080 Beep (deferred)
ba7d2000 ba7d2c00 audstub (deferred)
bf000000 bf011600 dxg (deferred)
bf012000 bf05ab00 ATMFD (deferred)
bf800000 bf9d3700 win32k (deferred)
bff50000 bff52480 framebuf (deferred)

Unloaded modules:
b5798000 b579b000 DumpDrv.SYS
b4ccb000 b4d38000 e1d6232.sys
b6e2a000 b6e35000 imapi.sys
b4da8000 b4e15000 e1d6232.sys
b6e3a000 b6e49000 redbook.sys
b553f000 b55ac000 e1d6232.sys
b8d12000 b8d17000 Cdaudio.SYS
b5a1c000 b5a89000 e1d6232.sys
b8e93000 b8ea3000 cdrom.sys
b97f3000 b97f6000 Sfloppy.SYS
b8ea3000 b8eaf000 Flpydisk.SYS
b8d1a000 b8d21000 Fdc.SYS
b9648000 b96b5000 e1d6232.sys

Edited June 7, 2022 by Dietmar

Damnation Posted June 7, 2022 Author
@Dietmar Please double check that it's not ntoskrn8.sys again - I see PDB symbols are not loaded for it.

Dietmar Posted June 7, 2022
@Damnation
all is correct with *.pdb
Dietmar

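A small triage helper for the symbol question raised in the posts above, added here as an example and not code from any participant in the thread: it parses `lm` rows, maps a faulting address to its module, and reports how far the symbol name shown for that address can be trusted. The function names and the `max_export_offset` cut-off are assumptions of this example; the sample rows are abridged from the `lm` listings quoted in the thread.

```python
import re
from typing import NamedTuple, Optional


class Module(NamedTuple):
    start: int
    end: int
    name: str
    symbols: str  # text inside the parentheses of an lm row


# start, end, name, "(symbol state)"; a PDB path after it is ignored.
# findall() keeps this working when a forum has flattened the rows onto one line.
LM_ROW = re.compile(r"\b([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+\(([^)]+)\)")
FRAME = re.compile(r"^(\w+)!(\w+)\+(?:0x)?([0-9a-fA-F]+)$")


def parse_lm(text):
    return [Module(int(s, 16), int(e, 16), n, st)
            for s, e, n, st in LM_ROW.findall(text)]


def module_for(addr, modules) -> Optional[Module]:
    return next((m for m in modules if m.start <= addr < m.end), None)


def symbol_quality(state):
    if state == "deferred":
        return "not loaded yet"   # the debugger has not tried to load symbols
    if state == "export symbols":
        return "exports only"     # no PDB found; names come from the export table
    if state.endswith("pdb symbols"):
        return "pdb"              # public or private PDB is loaded
    return "unknown"


def triage(addr, frame, modules, max_export_offset=0x1000):
    """Judge how far the symbol shown for addr can be trusted.
    max_export_offset is an assumed cut-off, not a WinDbg setting."""
    mod = module_for(addr, modules)
    if mod is None:
        return {"module": None, "notes": ["address is outside every listed module"]}
    quality, notes = symbol_quality(mod.symbols), []
    m = FRAME.match(frame)
    if m:
        frame_mod, symbol, offset = m.group(1), m.group(2), int(m.group(3), 16)
        if frame_mod.lower() != mod.name.lower():
            notes.append("frame names a different module than the address range")
        if quality == "exports only" and offset > max_export_offset:
            notes.append("nearest export plus a large offset: name is unreliable")
        if symbol.startswith("_imp__"):
            notes.append("address is in an import-table slot, not a function body")
    if quality == "not loaded yet":
        notes.append("symbols deferred: force a load (.reload /f), then run lm again")
    return {"module": mod.name, "rva": addr - mod.start,
            "symbols": quality, "notes": notes}


# Constructed samples: rows abridged from the lm listings quoted in this thread
# (PDB paths dropped), each with the faulting address and frame from that dump.
CASES = {
    "exports": ("b98d8000 b9903000 msrpc (deferred) "
                "b9903000 b9aec880 ntoskrn8 (export symbols) ntoskrn8.sys "
                "b9aed000 b9ba5000 NDIS (deferred)",
                0xB9972F6B, "ntoskrn8!wcstoul+0x64bd2"),
    "pdb": ("b9903000 b9aec880 ntoskrn8 (private pdb symbols) "
            "b9aed000 b9ba5000 NDIS (deferred)",
            0xB9972F6B, "ntoskrn8!_imp__PsReferencePrimaryToken+0x3"),
    "netio": ("b9899000 b98d8000 NETIO (pdb symbols) "
              "b9903000 b9aec800 ntoskrn8 (deferred)",
              0xB98A99F7, "NETIO!NmrpIsEqualNpiId+0x8"),
}


def run_cases():
    return {k: triage(a, f, parse_lm(t)) for k, (t, a, f) in CASES.items()}


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```
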
Damnation Posted June 7, 2022 Author (edited)
@Dietmar I'm out of ideas for now. I'll come back to this later.
If you discover something else that you think might help with this let me know.
Thanks for all the help!
Edited June 7, 2022 by Damnation

Damnation Posted June 8, 2022 Author
@Mov AX, 0xDEAD are you willing to help? or not interested?

Dietmar Posted June 8, 2022
@Damnation
I think that @Mov AX, 0xDEAD is interested, but ndis6 isn't easy on XP
Dietmar