Damnation (Author), posted June 6

@Mov AX, 0xDEAD I've added the internal ntoskrnl libraries for use with the ntoskrnl extender project. This was to help with some of the much larger functions like MmAllocatePagesForMdlEx. You can make use of internal Ki functions this way.

It's helped a bit with @Dietmar being able to allocate resources to hardware, and at the very least, adding these libraries did not interfere with anything that already worked with the previous version of ntoskrnl extender.

Can you take a look at what I have to see if it's possible to get NDIS6 working this way?

https://ufile.io/x8teed7c

Dietmar, posted June 6

@Damnation I made a strange discovery: in WinDbg, when I write bu netio!DriverEntry I get a Bsod about NMR.. This means that the DriverEntry of netio.sys is not reached.

I also tried EB FE at the beginning of DriverEntry of netio.sys, but this also did not stop (should be endless bar but also gives NMR.. Bsod).

This simply means that at no time the DriverEntry of netio.sys is reached; the Bsod is before.

Dietmar

PS: So it looks as if XP puts the driver netio.sys at a not allowed place in memory. And about this NMR cries and gives Bsod.

Dietmar, posted June 6

@Damnation This is a little bit different Bsod I get after breakpoint setting via bu netio!DriverEntry

Dietmar

Intel Storage Driver Ver: 11.2.0.1006

*** Fatal System Error: 0x000000c2
                       (0x00000007,0x00000CD4,0x02070008,0x8BC16730)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Mon Jun 6 21:57:47.828 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
......................................................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, cd4, 2070008, 8bc16730}

Probably caused by : NETIO.SYS ( NETIO!NmrpDeleteNode+39 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc              int     3
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 02070008, Memory contents of the pool block
Arg4: 8bc16730, Address of the block of pool being deallocated

Debugging Details:
------------------

POOL_ADDRESS: 8bc16730 Nonpaged pool
FREED_POOL_TAG: NMRn
BUGCHECK_STR: 0xc2_7_NMRn
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
DPC_STACK_BASE: FFFFFFFFBA4C8000
LAST_CONTROL_TRANSFER: from 804f8e95 to 8052b724

STACK_TEXT:
ba4c2e24 804f8e95 00000003 ba4c3180 00000000 nt!RtlpBreakWithStatusInstruction
ba4c2e70 804f9a80 00000003 00200000 8bc16728 nt!KiBugCheckDebugBreak+0x19
ba4c3250 804f9fcf 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
ba4c3270 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
ba4c32c0 b98ba3ca 8bc16730 00000000 89c78100 nt!ExFreePoolWithTag+0x2a3
ba4c32d4 b98ba411 8bc16730 b98afaf0 89c78100 NETIO!NmrpDeleteNode+0x39
ba4c32dc b98afaf0 89c78100 00000000 b98cc072 NETIO!NmrpRemoveRegisteredList+0x3d
ba4c32f8 b98b9d69 b9b2e000 00000000 b98cc070 NETIO!NmrpDereferenceModule+0x28
ba4c3310 b98b9da1 89c78100 ba4c334c b9b12e98 NETIO!NmrpWaitForModuleDeregisterComplete+0x38
ba4c331c b9b12e98 89c78100 8055ae68 c00000bb NETIO!NmrWaitForProviderDeregisterComplete+0x16
ba4c3330 b9b0c6f5 8bbd9840 00000000 00000000 NDIS!ndisStopNsiProvider+0x4c
ba4c334c b9b1a74d 8057f0eb 8bab59c8 00000000 NDIS!ndisInitializeNsi+0x6a
ba4c3350 8057f0eb 8bab59c8 00000000 00000002 NDIS!ndisDriverReinit+0xe
ba4c336c 805814e0 ba4c340c 00000000 00000000 nt!IopCallDriverReinitializationRoutines+0x3b
ba4c3384 805842c3 800009b0 ba4c340c ba4c3488 nt!IopLoadUnloadDriver+0x66
ba4c3400 80541818 ba4c34ac ba4c34c8 80500575 nt!NtLoadDriver+0x151
ba4c3400 80500575 ba4c34ac ba4c34c8 80500575 nt!KiSystemServicePostCall
ba4c347c b6aa92db ba4c34ac 89ab2b88 8054b968 nt!ZwLoadDriver+0x11
ba4c34c8 b6aa8640 b6ab6f34 89ab2b88 8054b968 ipsec!GpcInitialize+0x7f
ba4c34e4 b6ab7d81 00000000 8052e8fc 89b7d658 ipsec!IPSecGpcInitialize+0x35
ba4c34f4 b6ab7ba2 89b7d658 e1654424 00000000 ipsec!IPSecGeneralInit+0x16b
ba4c356c 805813af 89b7d658 89a85000 e16b2450 ipsec!DriverEntry+0x104
ba4c363c 8069dc9c 000009c0 00000001 00000000 nt!IopLoadDriver+0x66d
ba4c3698 8069b001 00034000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c
ba4c3838 806993d3 80084000 00000000 8bc3a5d8 nt!IoInitSystem+0x7a3
ba4c3dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xac7
ba4c3ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
NETIO!NmrpDeleteNode+39
b98ba3ca 5e              pop     esi

SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: NETIO!NmrpDeleteNode+39
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 5b48ef86
IMAGE_VERSION: 6.1.7601.24208
FAILURE_BUCKET_ID: 0xc2_7_NMRn_NETIO!NmrpDeleteNode+39
BUCKET_ID: 0xc2_7_NMRn_NETIO!NmrpDeleteNode+39
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xc2_7_nmrn_netio!nmrpdeletenode+39
FAILURE_ID_HASH: {9c9d1a86-e758-a5d4-abd4-a37dc99f73cb}

Followup: MachineOwner

Damnation (Author), posted June 6

@Dietmar try

bu ndis!DriverEntry

Does a BSOD occur? If so, any change in the BSOD?

Damnation (Author), posted June 6

@Dietmar we might also need to add some registry keys?

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsRPC]
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"Tag"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS]
"Description"="@%SystemRoot%\\system32\\drivers\\ndis.sys,-201"
"DisplayName"="@%SystemRoot%\\system32\\drivers\\ndis.sys,-200"
"ErrorControl"=dword:00000003
"Group"="NDIS Wrapper"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,6e,00,64,00,69,00,73,00,2e,00,73,\
  00,79,00,73,00,00,00
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\24]
"IfType"=dword:00000018
"IfUsedNetLuidIndices"=hex:01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\71]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\71\1]
"PortAuthReceiveAuthorizationState"=dword:00000002
"PortAuthReceiveControlState"=dword:00000002
"PortAuthSendAuthorizationState"=dword:00000002
"PortAuthSendControlState"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters]
"MaxCachedNblContextSize"=dword:00000200
"PortAuthReceiveAuthorizationState"=dword:00000002
"PortAuthReceiveControlState"=dword:00000002
"PortAuthSendAuthorizationState"=dword:00000002
"PortAuthSendControlState"=dword:00000002
"ReceiveWorkerDisableAutoStart"=dword:00000000
"TrackNblOwner"=dword:00000002
"WppRecorder_TraceGuid"="{dd7a21e6-a651-46d4-b7c2-66543067b869}"
"DefaultPnPCapabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\State]

Dietmar, posted June 6

@Damnation Here is the Bsod in Safe Mode F8 with network.

Safe Mode F8 without network i219-V driver is installed(!) correct

Dietmar

Intel Storage Driver Ver: 11.2.0.1006
SAFEBOOT: skipping device = Cdrom.SYS(SCSI CDROM Class)
SAFEBOOT: skipping device = Serial.SYS(Extended base)
SAFEBOOT: skipping device = intelppm.SYS(Extended Base)
SAFEBOOT: skipping device = WS2IFSL.SYS(Group)
SAFEBOOT: skipping device = Fips.SYS(Group)
SAFEBOOT: skipping device = DumpDrv.SYS(Group)

*** Fatal System Error: 0x000000c2
                       (0x00000007,0x00000CD4,0x02070002,0x8A5BA368)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Mon Jun 6 23:14:16.078 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
..
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, cd4, 2070002, 8a5ba368}

Probably caused by : NETIO.SYS ( NETIO!NmrpDeleteNode+39 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
804e29c2 cc              int     3
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 02070002, Memory contents of the pool block
Arg4: 8a5ba368, Address of the block of pool being deallocated

Debugging Details:
------------------

POOL_ADDRESS: 8a5ba368 Nonpaged pool
FREED_POOL_TAG: NMRn
BUGCHECK_STR: 0xc2_7_NMRn
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 8053657f to 804e29c2

STACK_TEXT:
f7922698 8053657f 00000003 f79229f4 00000000 nt!RtlpBreakWithStatusInstruction
f79226e4 80537056 00000003 00200000 8a5ba360 nt!KiBugCheckDebugBreak+0x19
f7922ac4 8053766a 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
f7922ae4 80551fc5 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f7922b34 ba18a3ca 8a5ba368 00000000 88379628 nt!ExFreePoolWithTag+0x2c1
f7922b48 ba18a411 8a5ba368 ba17faf0 88379628 NETIO!NmrpDeleteNode+0x39
f7922b50 ba17faf0 88379628 00000000 ba19c072 NETIO!NmrpRemoveRegisteredList+0x3d
f7922b6c ba189d69 ba3fe000 00000000 ba19c070 NETIO!NmrpDereferenceModule+0x28
f7922b84 ba189da1 88379628 f7922bc0 ba3e2e98 NETIO!NmrpWaitForModuleDeregisterComplete+0x38
f7922b90 ba3e2e98 88379628 f7922c64 c00000bb NETIO!NmrWaitForProviderDeregisterComplete+0x16
f7922ba4 ba3dc6f5 00000000 00000008 00000246 NDIS!ndisStopNsiProvider+0x4c
f7922bc0 ba4345c0 f7922c64 883797a8 00000000 NDIS!ndisInitializeNsi+0x6a
f7922bd4 b9504bd3 f7922c7c b950466c f7922bf8 NDIS!NdisRegisterProtocol+0x18
f7922c84 805a712b 88379690 88378000 00000000 ndisuio!DriverEntry+0x175
f7922d54 805b0e27 80000218 00000001 00000000 nt!IopLoadDriver+0x66d
f7922d7c 804e2325 80000218 00000000 8a5a0020 nt!IopLoadUnloadDriver+0x45
f7922dac 80575828 b9ef4cf4 00000000 00000000 nt!ExpWorkerThread+0xef
f7922ddc 804ec1a9 804e2261 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
NETIO!NmrpDeleteNode+39
ba18a3ca 5e              pop     esi

SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: NETIO!NmrpDeleteNode+39
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 5b48ef86
FAILURE_BUCKET_ID: 0xc2_7_NMRn_NETIO!NmrpDeleteNode+39
BUCKET_ID: 0xc2_7_NMRn_NETIO!NmrpDeleteNode+39
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xc2_7_nmrn_netio!nmrpdeletenode+39
FAILURE_ID_HASH: {9c9d1a86-e758-a5d4-abd4-a37dc99f73cb}

Followup: MachineOwner

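An added example, not part of any post in this thread: a short Python triage script run over frames excerpted from the two STACK_TEXT blocks above (starting at the ExFreePoolWithTag frame). It checks that Arg4 of the 0xC2 bugcheck is the pointer handed to ExFreePoolWithTag and finds where the two call stacks converge; the helper names are hypothetical.

```python
import re

# One kb-style frame: ChildEBP RetAddr Arg1 Arg2 Arg3 module!function[+0xoffset]
FRAME_RE = re.compile(
    r"^[0-9a-f]{8} [0-9a-f]{8} (?P<arg1>[0-9a-f]{8}) [0-9a-f]{8} [0-9a-f]{8} "
    r"(?P<mod>\w+)!(?P<fn>\w+)", re.I)
BUGCHECK_RE = re.compile(
    r"BugCheck ([0-9a-f]+), \{([0-9a-f]+), ([0-9a-f]+), ([0-9a-f]+), ([0-9a-f]+)\}", re.I)

# Excerpts of the two dumps posted above (normal boot, then Safe Mode with network).
DUMP_NORMAL_BOOT = """\
BugCheck C2, {7, cd4, 2070008, 8bc16730}
ba4c32c0 b98ba3ca 8bc16730 00000000 89c78100 nt!ExFreePoolWithTag+0x2a3
ba4c32d4 b98ba411 8bc16730 b98afaf0 89c78100 NETIO!NmrpDeleteNode+0x39
ba4c32dc b98afaf0 89c78100 00000000 b98cc072 NETIO!NmrpRemoveRegisteredList+0x3d
ba4c32f8 b98b9d69 b9b2e000 00000000 b98cc070 NETIO!NmrpDereferenceModule+0x28
ba4c3310 b98b9da1 89c78100 ba4c334c b9b12e98 NETIO!NmrpWaitForModuleDeregisterComplete+0x38
ba4c331c b9b12e98 89c78100 8055ae68 c00000bb NETIO!NmrWaitForProviderDeregisterComplete+0x16
ba4c3330 b9b0c6f5 8bbd9840 00000000 00000000 NDIS!ndisStopNsiProvider+0x4c
ba4c334c b9b1a74d 8057f0eb 8bab59c8 00000000 NDIS!ndisInitializeNsi+0x6a
ba4c3350 8057f0eb 8bab59c8 00000000 00000002 NDIS!ndisDriverReinit+0xe
ba4c336c 805814e0 ba4c340c 00000000 00000000 nt!IopCallDriverReinitializationRoutines+0x3b
"""
DUMP_SAFE_MODE = """\
BugCheck C2, {7, cd4, 2070002, 8a5ba368}
f7922b34 ba18a3ca 8a5ba368 00000000 88379628 nt!ExFreePoolWithTag+0x2c1
f7922b48 ba18a411 8a5ba368 ba17faf0 88379628 NETIO!NmrpDeleteNode+0x39
f7922b50 ba17faf0 88379628 00000000 ba19c072 NETIO!NmrpRemoveRegisteredList+0x3d
f7922b6c ba189d69 ba3fe000 00000000 ba19c070 NETIO!NmrpDereferenceModule+0x28
f7922b84 ba189da1 88379628 f7922bc0 ba3e2e98 NETIO!NmrpWaitForModuleDeregisterComplete+0x38
f7922b90 ba3e2e98 88379628 f7922c64 c00000bb NETIO!NmrWaitForProviderDeregisterComplete+0x16
f7922ba4 ba3dc6f5 00000000 00000008 00000246 NDIS!ndisStopNsiProvider+0x4c
f7922bc0 ba4345c0 f7922c64 883797a8 00000000 NDIS!ndisInitializeNsi+0x6a
f7922bd4 b9504bd3 f7922c7c b950466c f7922bf8 NDIS!NdisRegisterProtocol+0x18
f7922c84 805a712b 88379690 88378000 00000000 ndisuio!DriverEntry+0x175
"""

def parse_dump(text):
    """Return the bugcheck code, its four arguments and the parsed stack frames."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no 'BugCheck' summary line found")
    code, *args = (int(g, 16) for g in m.groups())
    frames = []
    for line in text.splitlines():
        f = FRAME_RE.match(line.strip())
        if f:
            frames.append({"symbol": f"{f['mod']}!{f['fn']}",
                           "module": f["mod"].lower(),
                           "arg1": int(f["arg1"], 16)})
    return {"code": code, "args": args, "frames": frames}

def freed_pointer_matches(dump):
    """For BAD_POOL_CALLER (0xC2) with Arg1 == 7 (pool already freed), Arg4 is the
    block address; it should equal the pointer passed to nt!ExFreePoolWithTag."""
    if dump["code"] != 0xC2 or dump["args"][0] != 7:
        return False
    free = next((f for f in dump["frames"]
                 if f["symbol"] == "nt!ExFreePoolWithTag"), None)
    return free is not None and free["arg1"] == dump["args"][3]

def blamed_frame(dump):
    """First frame outside the kernel image, i.e. the caller of the pool free."""
    return next((f["symbol"] for f in dump["frames"] if f["module"] != "nt"), None)

def shared_chain(a, b):
    """Innermost frames (offsets ignored) that both stacks have in common."""
    chain = []
    for fa, fb in zip(a["frames"], b["frames"]):
        if fa["symbol"] != fb["symbol"]:
            break
        chain.append(fa["symbol"])
    return chain

def diverging_callers(a, b):
    """The first frame in each stack after the shared chain ends."""
    n = len(shared_chain(a, b))
    pick = lambda d: d["frames"][n]["symbol"] if n < len(d["frames"]) else None
    return pick(a), pick(b)

if __name__ == "__main__":
    normal, safe = parse_dump(DUMP_NORMAL_BOOT), parse_dump(DUMP_SAFE_MODE)
    print("Arg4 matches freed pointer:",
          freed_pointer_matches(normal), freed_pointer_matches(safe))
    print("blamed frame:", blamed_frame(normal))
    print("shared chain ends at:", shared_chain(normal, safe)[-1])
    print("diverging callers:", diverging_callers(normal, safe))
```

Both stacks share the eight innermost frames up to NDIS!ndisInitializeNsi and differ only in its caller (ndisDriverReinit in the normal boot, NdisRegisterProtocol in Safe Mode with network).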
Dietmar, posted June 6

@Damnation ndis.sys DriverEntry is reached without Bsod

Dietmar

kd> bu ndis!DriverEntry
kd> g
Intel Storage Driver Ver: 11.2.0.1006
Breakpoint 0 hit
NDIS!DriverEntry:
b9b86684 8bff            mov     edi,edi

Dietmar, posted June 6

The driver for the i219 can also be stopped at its DriverEntry without Bsod

Intel Storage Driver Ver: 11.2.0.1006
*** ERROR: Symbol file could not be found. Defaulted to export symbols for e1d6232.sys -
Breakpoint 0 hit
e1d6232!DriverEntry:
b86d5094 55              push    ebp

Damnation (Author), posted June 6

@Dietmar OK, so we are quite sure now that netio.sys is where it is failing.

I will have to implement SeCaptureSubjectContextEx and SeAccessCheckFromState properly, I think.

Unless you or @Mov AX, 0xDEAD have some other ideas?

Dietmar, posted June 6 (edited)

But later this driver e1d6232.sys is unloaded, still without Bsod
nt!IoReportResourceUsage+0x4a59: 8058f72f c9             leave 1: kd> nt!IoReportResourceUsage+0x4a5a: 8058f730 c21800         ret    18h 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe1f: 805e7b7f 3d230000c0     cmp    eax,0C0000023h 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe24: 805e7b84 7502           jne    nt!RtlFormatCurrentUserKeyPath+0xe28 (805e7b88) 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe28: 805e7b88 5f             pop    edi 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe29: 805e7b89 5e             pop    esi 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe2a: 805e7b8a 5b             pop    ebx 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe2b: 805e7b8b c9             leave 1: kd> nt!RtlFormatCurrentUserKeyPath+0xe2c: 805e7b8c c21c00         ret    1Ch 1: kd> nt!RtlQueryRegistryValues+0x368: 805e7f76 3d230000c0     cmp    eax,0C0000023h 1: kd> nt!RtlQueryRegistryValues+0x36d: 805e7f7b 8945f8         mov    dword ptr [ebp-8],eax 1: kd> nt!RtlQueryRegistryValues+0x370: 805e7f7e 7531           jne    nt!RtlQueryRegistryValues+0x3a3 (805e7fb1) 1: kd> nt!RtlQueryRegistryValues+0x3a3: 805e7fb1 837df800       cmp    dword ptr [ebp-8],0 1: kd> nt!RtlQueryRegistryValues+0x3a7: 805e7fb5 0f8cb3000000   jl     nt!RtlQueryRegistryValues+0x460 (805e806e) 1: kd> nt!RtlQueryRegistryValues+0x3ad: 805e7fbb f6470440       test   byte ptr [edi+4],40h 1: kd> nt!RtlQueryRegistryValues+0x3b1: 805e7fbf 0f84e4feffff   je     nt!RtlQueryRegistryValues+0x29b (805e7ea9) 1: kd> nt!RtlQueryRegistryValues+0x29b: 805e7ea9 837df800       cmp    dword ptr [ebp-8],0 1: kd> nt!RtlQueryRegistryValues+0x29f: 805e7ead 0f8cbb010000   jl     nt!RtlQueryRegistryValues+0x460 (805e806e) 1: kd> nt!RtlQueryRegistryValues+0x2a5: 805e7eb3 83c71c         add    edi,1Ch 1: kd> nt!RtlQueryRegistryValues+0x2a8: 805e7eb6 e973feffff     jmp    nt!RtlQueryRegistryValues+0x120 (805e7d2e) 1: kd> nt!RtlQueryRegistryValues+0x120: 805e7d2e 8b0f           mov    ecx,dword ptr [edi] 1: kd> nt!RtlQueryRegistryValues+0x122: 805e7d30 85c9      
     test   ecx,ecx 1: kd> nt!RtlQueryRegistryValues+0x124: 805e7d32 750a           jne    nt!RtlQueryRegistryValues+0x130 (805e7d3e) 1: kd> nt!RtlQueryRegistryValues+0x126: 805e7d34 f6470421       test   byte ptr [edi+4],21h 1: kd> nt!RtlQueryRegistryValues+0x12a: 805e7d38 0f8430030000   je     nt!RtlQueryRegistryValues+0x460 (805e806e) 1: kd> nt!RtlQueryRegistryValues+0x460: 805e806e 837df000       cmp    dword ptr [ebp-10h],0 1: kd> nt!RtlQueryRegistryValues+0x464: 805e8072 740e           je     nt!RtlQueryRegistryValues+0x474 (805e8082) 1: kd> nt!RtlQueryRegistryValues+0x466: 805e8074 837de800       cmp    dword ptr [ebp-18h],0 1: kd> nt!RtlQueryRegistryValues+0x46a: 805e8078 7508           jne    nt!RtlQueryRegistryValues+0x474 (805e8082) 1: kd> nt!RtlQueryRegistryValues+0x474: 805e8082 8b45ec         mov    eax,dword ptr [ebp-14h] 1: kd> nt!RtlQueryRegistryValues+0x477: 805e8085 85c0           test   eax,eax 1: kd> nt!RtlQueryRegistryValues+0x479: 805e8087 740b           je     nt!RtlQueryRegistryValues+0x486 (805e8094) 1: kd> nt!RtlQueryRegistryValues+0x47b: 805e8089 3b45f0         cmp    eax,dword ptr [ebp-10h] 1: kd> nt!RtlQueryRegistryValues+0x47e: 805e808c 7406           je     nt!RtlQueryRegistryValues+0x486 (805e8094) 1: kd> nt!RtlQueryRegistryValues+0x486: 805e8094 837de000       cmp    dword ptr [ebp-20h],0 1: kd> nt!RtlQueryRegistryValues+0x48a: 805e8098 7409           je     nt!RtlQueryRegistryValues+0x495 (805e80a3) 1: kd> nt!RtlQueryRegistryValues+0x48c: 805e809a ff75e0         push   dword ptr [ebp-20h] 1: kd> nt!RtlQueryRegistryValues+0x48f: 805e809d ff15240c6880   call   dword ptr [nt!NlsOemLeadByteInfo+0xb04 (80680c24)] 1: kd> nt!RtlQueryRegistryValues+0x495: 805e80a3 6a00           push   0 1: kd> nt!RtlQueryRegistryValues+0x497: 805e80a5 ff750c         push   dword ptr [ebp+0Ch] 1: kd> nt!RtlQueryRegistryValues+0x49a: 805e80a8 56             push   esi 1: kd> nt!RtlQueryRegistryValues+0x49b: 805e80a9 6a00           push   0 1: kd> 
nt!RtlQueryRegistryValues+0x49d: 805e80ab e8e8eaffff     call   nt!RtlInt64ToUnicodeString+0x1ae (805e6b98) 1: kd> nt!RtlQueryRegistryValues+0x4a2: 805e80b0 8b45f8         mov    eax,dword ptr [ebp-8] 1: kd> nt!RtlQueryRegistryValues+0x4a5: 805e80b3 5f             pop    edi 1: kd> nt!RtlQueryRegistryValues+0x4a6: 805e80b4 5e             pop    esi 1: kd> nt!RtlQueryRegistryValues+0x4a7: 805e80b5 5b             pop    ebx 1: kd> nt!RtlQueryRegistryValues+0x4a8: 805e80b6 c9             leave 1: kd> nt!RtlQueryRegistryValues+0x4a9: 805e80b7 c21400         ret    14h 1: kd> nt!IoReportResourceUsage+0x6109: 80590ddf 894508         mov    dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x610c: 80590de2 f6467d10       test   byte ptr [esi+7Dh],10h 1: kd> nt!IoReportResourceUsage+0x6110: 80590de6 0f8524020000   jne    nt!IoReportResourceUsage+0x633a (80591010) 1: kd> nt!IoReportResourceUsage+0x6116: 80590dec 837d0800       cmp    dword ptr [ebp+8],0 1: kd> nt!IoReportResourceUsage+0x611a: 80590df0 7c19           jl     nt!IoReportResourceUsage+0x6135 (80590e0b) 1: kd> nt!IoReportResourceUsage+0x611c: 80590df2 8b45bc         mov    eax,dword ptr [ebp-44h] 1: kd> nt!IoReportResourceUsage+0x611f: 80590df5 83780400       cmp    dword ptr [eax+4],0 1: kd> nt!IoReportResourceUsage+0x6123: 80590df9 740a           je     nt!IoReportResourceUsage+0x612f (80590e05) 1: kd> nt!IoReportResourceUsage+0x612f: 80590e05 c645cc00       mov    byte ptr [ebp-34h],0 1: kd> nt!IoReportResourceUsage+0x6133: 80590e09 eb30           jmp    nt!IoReportResourceUsage+0x6165 (80590e3b) 1: kd> nt!IoReportResourceUsage+0x6165: 80590e3b 6a15           push   15h 1: kd> nt!IoReportResourceUsage+0x6167: 80590e3d 59             pop    ecx 1: kd> nt!IoReportResourceUsage+0x6168: 80590e3e 33c0           xor    eax,eax 1: kd> nt!IoReportResourceUsage+0x616a: 80590e40 50             push   eax 1: kd> nt!IoReportResourceUsage+0x616b: 80590e41 8dbd54ffffff   lea    edi,[ebp-0ACh] 1: kd> 
nt!IoReportResourceUsage+0x6171: 80590e47 f3ab           rep stos dword ptr es:[edi] 1: kd> nt!IoReportResourceUsage+0x6173: 80590e49 8d45a8         lea    eax,[ebp-58h] 1: kd> nt!IoReportResourceUsage+0x6176: 80590e4c 50             push   eax 1: kd> nt!IoReportResourceUsage+0x6177: 80590e4d 8d8554ffffff   lea    eax,[ebp-0ACh] 1: kd> nt!IoReportResourceUsage+0x617d: 80590e53 50             push   eax 1: kd> nt!IoReportResourceUsage+0x617e: 80590e54 ff75f4         push   dword ptr [ebp-0Ch] 1: kd> nt!IoReportResourceUsage+0x6181: 80590e57 bf22f35880     mov    edi,offset nt!IoReportResourceUsage+0x464c (8058f322) 1: kd> nt!IoReportResourceUsage+0x6186: 80590e5c 53             push   ebx 1: kd> nt!IoReportResourceUsage+0x6187: 80590e5d 89bd54ffffff   mov    dword ptr [ebp-0ACh],edi 1: kd> nt!IoReportResourceUsage+0x618d: 80590e63 c7855cffffff420b5980 mov dword ptr [ebp-0A4h],offset nt!IoReportResourceUsage+0x5e6c (80590b42) 1: kd> nt!IoReportResourceUsage+0x6197: 80590e6d c78560ffffff03000000 mov dword ptr [ebp-0A0h],3 1: kd> nt!IoReportResourceUsage+0x61a1: 80590e77 e8926d0500     call   nt!RtlQueryRegistryValues (805e7c0e) 1: kd> nt!IoReportResourceUsage+0x61a6: 80590e7c 85c0           test   eax,eax 1: kd> nt!IoReportResourceUsage+0x61a8: 80590e7e 894508         mov    dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x61ab: 80590e81 0f8c8d010000   jl     nt!IoReportResourceUsage+0x633e (80591014) 1: kd> nt!IoReportResourceUsage+0x61b1: 80590e87 837df800       cmp    dword ptr [ebp-8],0 1: kd> nt!IoReportResourceUsage+0x61b5: 80590e8b 7433           je     nt!IoReportResourceUsage+0x61ea (80590ec0) 1: kd> lm start   end       module name 7eb30000 7ebe4000  ntdll     (pdb symbols)         C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80  pci       (deferred)            80100000 8012a000  KDSTUB    (deferred)            804d7000 806e5000  nt        (export symbols)      ntkrpamp.exe 
80706000 8072e000  kdcom     (deferred)            b86d2000 b873f000  e1d6232   (export symbols)      e1d6232.sys b96b5000 b96dd000  HDAudBus  (deferred)            b979d000 b97a0d80  serenum   (deferred)            b987f000 b9898e80  Mup       (deferred)            b9899000 b98d8000  NETIO     (deferred)            b98d8000 b9903000  msrpc     (deferred)            b9903000 b9aec680  ntoskrn8  (deferred)            b9aed000 b9ba5000  NDIS      (deferred)            b9ba5000 b9c31d00  Ntfs      (deferred)            b9c32000 b9c48b80  KSecDD    (deferred)            b9c49000 b9c5af00  sr        (deferred)            b9c5b000 b9c7ab00  fltMgr    (deferred)            b9c7b000 b9f30000  iaStor    (deferred)            b9f30000 b9f55700  dmio      (deferred)            b9f56000 b9f74880  ftdisk    (deferred)            b9f75000 b9fa7000  ACPI      (deferred)            ba0a8000 ba0b1180  isapnp    (deferred)            ba0b8000 ba0c2700  MountMgr  (deferred)            ba0c8000 ba0d3000  PartMgr   (deferred)            ba0d8000 ba0e4c80  VolSnap   (deferred)            ba0e8000 ba0f8000  disk      (deferred)            ba0f8000 ba104180  CLASSPNP  (deferred)            ba278000 ba284d00  i8042prt  (deferred)            ba288000 ba297c00  serial    (deferred)            ba328000 ba32e800  firadisk  (deferred)            ba3b8000 ba3be000  kbdclass  (deferred)            ba3c0000 ba3c5a00  mouclass  (deferred)            ba4b8000 ba4bb000  BOOTVID   (deferred)            ba5a8000 ba5a9100  WMILIB    (deferred)            ba5aa000 ba5ab700  dmload    (deferred)            1: kd> p nt!IoReportResourceUsage+0x61b7: 80590e8d 6a00           push   0 1: kd> nt!IoReportResourceUsage+0x61b9: 80590e8f 8d45a8         lea    eax,[ebp-58h] 1: kd> nt!IoReportResourceUsage+0x61bc: 80590e92 50             push   eax 1: kd> nt!IoReportResourceUsage+0x61bd: 80590e93 8d8554ffffff   lea    eax,[ebp-0ACh] 1: kd> nt!IoReportResourceUsage+0x61c3: 80590e99 50             push   eax 1: kd> 
nt!IoReportResourceUsage+0x61c4: 80590e9a ff75f8         push   dword ptr [ebp-8] 1: kd> nt!IoReportResourceUsage+0x61c7: 80590e9d 89bd54ffffff   mov    dword ptr [ebp-0ACh],edi 1: kd> nt!IoReportResourceUsage+0x61cd: 80590ea3 53             push   ebx 1: kd> nt!IoReportResourceUsage+0x61ce: 80590ea4 c7855cffffff5e0b5980 mov dword ptr [ebp-0A4h],offset nt!IoReportResourceUsage+0x5e88 (80590b5e) 1: kd> nt!IoReportResourceUsage+0x61d8: 80590eae c78560ffffff04000000 mov dword ptr [ebp-0A0h],4 1: kd> nt!IoReportResourceUsage+0x61e2: 80590eb8 e8516d0500     call   nt!RtlQueryRegistryValues (805e7c0e) 1: kd> nt!IoReportResourceUsage+0x61e7: 80590ebd 894508         mov    dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x61ea: 80590ec0 837d0800       cmp    dword ptr [ebp+8],0 1: kd> nt!IoReportResourceUsage+0x61ee: 80590ec4 0f8c4a010000   jl     nt!IoReportResourceUsage+0x633e (80591014) 1: kd> nt!IoReportResourceUsage+0x61f4: 80590eca ffb688000000   push   dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x61fa: 80590ed0 33db           xor    ebx,ebx 1: kd> nt!IoReportResourceUsage+0x61fc: 80590ed2 895d10         mov    dword ptr [ebp+10h],ebx 1: kd> nt!IoReportResourceUsage+0x61ff: 80590ed5 895dd8         mov    dword ptr [ebp-28h],ebx 1: kd> nt!IoReportResourceUsage+0x6202: 80590ed8 e8a5e7f5ff     call   nt!IoGetAttachedDevice (804ef682) 1: kd> nt!IoReportResourceUsage+0x6207: 80590edd 8945c8         mov    dword ptr [ebp-38h],eax 1: kd> nt!IoReportResourceUsage+0x620a: 80590ee0 885d0f         mov    byte ptr [ebp+0Fh],bl 1: kd> nt!IoReportResourceUsage+0x620d: 80590ee3 807d0f02       cmp    byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6211: 80590ee7 7525           jne    nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6238: 80590f0e 0fb6450f       movzx  eax,byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x623c: 80590f12 8b7c85b4       mov    edi,dword ptr [ebp+eax*4-4Ch] 1: kd> nt!IoReportResourceUsage+0x6240: 
80590f16 3bfb           cmp    edi,ebx 1: kd> nt!IoReportResourceUsage+0x6242: 80590f18 7459           je     nt!IoReportResourceUsage+0x629d (80590f73) 1: kd> nt!IoReportResourceUsage+0x629d: 80590f73 fe450f         inc    byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x62a0: 80590f76 807d0f05       cmp    byte ptr [ebp+0Fh],5 1: kd> nt!IoReportResourceUsage+0x62a4: 80590f7a 0f8263ffffff   jb     nt!IoReportResourceUsage+0x620d (80590ee3) 1: kd> nt!IoReportResourceUsage+0x620d: 80590ee3 807d0f02       cmp    byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6211: 80590ee7 7525           jne    nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6238: 80590f0e 0fb6450f       movzx  eax,byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x623c: 80590f12 8b7c85b4       mov    edi,dword ptr [ebp+eax*4-4Ch] 1: kd> nt!IoReportResourceUsage+0x6240: 80590f16 3bfb           cmp    edi,ebx 1: kd> nt!IoReportResourceUsage+0x6242: 80590f18 7459           je     nt!IoReportResourceUsage+0x629d (80590f73) 1: kd> nt!IoReportResourceUsage+0x629d: 80590f73 fe450f         inc    byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x62a0: 80590f76 807d0f05       cmp    byte ptr [ebp+0Fh],5 1: kd> nt!IoReportResourceUsage+0x62a4: 80590f7a 0f8263ffffff   jb     nt!IoReportResourceUsage+0x620d (80590ee3) 1: kd> nt!IoReportResourceUsage+0x620d: 80590ee3 807d0f02       cmp    byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6211: 80590ee7 7525           jne    nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6213: 80590ee9 ffb688000000   push   dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x6219: 80590eef e88ee7f5ff     call   nt!IoGetAttachedDevice (804ef682) 1: kd> nt!IoReportResourceUsage+0x621e: 80590ef4 807dff00       cmp    byte ptr [ebp-1],0 1: kd> nt!IoReportResourceUsage+0x6222: 80590ef8 8945d8         mov    dword ptr [ebp-28h],eax 1: kd> nt!IoReportResourceUsage+0x6225: 80590efb 7411           je     
nt!IoReportResourceUsage+0x6238 (80590f0e) 1: kd> nt!IoReportResourceUsage+0x6238: 80590f0e 0fb6450f       movzx  eax,byte ptr [ebp+0Fh] 1: kd> nt!IoReportResourceUsage+0x623c: 80590f12 8b7c85b4       mov    edi,dword ptr [ebp+eax*4-4Ch] 1: kd> nt!IoReportResourceUsage+0x6240: 80590f16 3bfb           cmp    edi,ebx 1: kd> nt!IoReportResourceUsage+0x6242: 80590f18 7459           je     nt!IoReportResourceUsage+0x629d (80590f73) 1: kd> nt!IoReportResourceUsage+0x6244: 80590f1a 83c002         add    eax,2 1: kd> nt!IoReportResourceUsage+0x6247: 80590f1d 8945e8         mov    dword ptr [ebp-18h],eax 1: kd> nt!IoReportResourceUsage+0x624a: 80590f20 8b17           mov    edx,dword ptr [edi] 1: kd> nt!IoReportResourceUsage+0x624c: 80590f22 8b4218         mov    eax,dword ptr [edx+18h] 1: kd> nt!IoReportResourceUsage+0x624f: 80590f25 ff75e8         push   dword ptr [ebp-18h] 1: kd> nt!IoReportResourceUsage+0x6252: 80590f28 8b4004         mov    eax,dword ptr [eax+4] 1: kd> nt!IoReportResourceUsage+0x6255: 80590f2b 8b8e88000000   mov    ecx,dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x625b: 80590f31 50             push   eax 1: kd> nt!IoReportResourceUsage+0x625c: 80590f32 e80b65f6ff     call   nt!IoReportTargetDeviceChangeAsynchronous+0x169e (804f7442) 1: kd> nt!IoReportResourceUsage+0x6261: 80590f37 3bc3           cmp    eax,ebx 1: kd> nt!IoReportResourceUsage+0x6263: 80590f39 894508         mov    dword ptr [ebp+8],eax 1: kd> nt!IoReportResourceUsage+0x6266: 80590f3c 7c1d           jl     nt!IoReportResourceUsage+0x6285 (80590f5b) 1: kd> nt!IoReportResourceUsage+0x6285: 80590f5b 807d0f02       cmp    byte ptr [ebp+0Fh],2 1: kd> nt!IoReportResourceUsage+0x6289: 80590f5f 742e           je     nt!IoReportResourceUsage+0x62b9 (80590f8f) 1: kd> nt!IoReportResourceUsage+0x62b9: 80590f8f 8b45c8         mov    eax,dword ptr [ebp-38h] 1: kd> nt!IoReportResourceUsage+0x62bc: 80590f92 8b5010         mov    edx,dword ptr [eax+10h] 1: kd> nt!IoReportResourceUsage+0x62bf: 
80590f95 8b8e88000000   mov    ecx,dword ptr [esi+88h] 1: kd> nt!IoReportResourceUsage+0x62c5: 80590f9b 53             push   ebx 1: kd> nt!IoReportResourceUsage+0x62c6: 80590f9c ff7510         push   dword ptr [ebp+10h] 1: kd> nt!IoReportResourceUsage+0x62c9: 80590f9f e862ecfaff     call   nt!wctomb+0x3f0b (8053fc06) 1: kd> nt!IoReportResourceUsage+0x62ce: 80590fa4 6a1f           push   1Fh 1: kd> nt!IoReportResourceUsage+0x62d0: 80590fa6 53             push   ebx 1: kd> nt!IoReportResourceUsage+0x62d1: 80590fa7 56             push   esi 1: kd> nt!IoReportResourceUsage+0x62d2: 80590fa8 e8a7370000     call   nt!IoReportResourceUsage+0x9a7e (80594754) 1: kd> nt!IoReportResourceUsage+0x62d7: 80590fad eb65           jmp    nt!IoReportResourceUsage+0x633e (80591014) 1: kd> nt!IoReportResourceUsage+0x633e: 80591014 8d5db4         lea    ebx,[ebp-4Ch] 1: kd> nt!IoReportResourceUsage+0x6341: 80591017 c7450c05000000 mov    dword ptr [ebp+0Ch],5 1: kd> nt!IoReportResourceUsage+0x6348: 8059101e 8b33           mov    esi,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x634a: 80591020 eb24           jmp    nt!IoReportResourceUsage+0x6370 (80591046) 1: kd> nt!IoReportResourceUsage+0x6370: 80591046 85f6           test   esi,esi 1: kd> nt!IoReportResourceUsage+0x6372: 80591048 75d8           jne    nt!IoReportResourceUsage+0x634c (80591022) 1: kd> nt!IoReportResourceUsage+0x6374: 8059104a 83c304         add    ebx,4 1: kd> nt!IoReportResourceUsage+0x6377: 8059104d ff4d0c         dec    dword ptr [ebp+0Ch] 1: kd> nt!IoReportResourceUsage+0x637a: 80591050 75cc           jne    nt!IoReportResourceUsage+0x6348 (8059101e) 1: kd> nt!IoReportResourceUsage+0x6348: 8059101e 8b33           mov    esi,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x634a: 80591020 eb24           jmp    nt!IoReportResourceUsage+0x6370 (80591046) 1: kd> nt!IoReportResourceUsage+0x6370: 80591046 85f6           test   esi,esi 1: kd> nt!IoReportResourceUsage+0x6372: 80591048 75d8           jne    
nt!IoReportResourceUsage+0x634c (80591022) 1: kd> nt!IoReportResourceUsage+0x6374: 8059104a 83c304         add    ebx,4 1: kd> nt!IoReportResourceUsage+0x6377: 8059104d ff4d0c         dec    dword ptr [ebp+0Ch] 1: kd> nt!IoReportResourceUsage+0x637a: 80591050 75cc           jne    nt!IoReportResourceUsage+0x6348 (8059101e) 1: kd> nt!IoReportResourceUsage+0x6348: 8059101e 8b33           mov    esi,dword ptr [ebx] 1: kd> nt!IoReportResourceUsage+0x634a: 80591020 eb24           jmp    nt!IoReportResourceUsage+0x6370 (80591046) 1: kd> nt!IoReportResourceUsage+0x6370: 80591046 85f6           test   esi,esi 1: kd> nt!IoReportResourceUsage+0x6372: 80591048 75d8           jne    nt!IoReportResourceUsage+0x634c (80591022) 1: kd> nt!IoReportResourceUsage+0x634c: 80591022 803d96b4558000 cmp    byte ptr [nt!IoAdapterObjectType+0x726 (8055b496)],0 1: kd> nt!IoReportResourceUsage+0x6353: 80591029 8bfe           mov    edi,esi 1: kd> nt!IoReportResourceUsage+0x6355: 8059102b 8b7604         mov    esi,dword ptr [esi+4] 1: kd> nt!IoReportResourceUsage+0x6358: 8059102e 7407           je     nt!IoReportResourceUsage+0x6361 (80591037) 1: kd> nt!IoReportResourceUsage+0x635a: 80591030 ff37           push   dword ptr [edi] 1: kd> nt!IoReportResourceUsage+0x635c: 80591032 e885350000     call   nt!IoReportResourceUsage+0x98e6 (805945bc) 1: kd> nt!IoReportResourceUsage+0x6361: 80591037 8b0f           mov    ecx,dword ptr [edi] 1: kd> nt!IoReportResourceUsage+0x6363: 80591039 e8a057f9ff     call   nt!ObfDereferenceObject (805267de) 1: kd> nt!RtlUnwind+0xdc1: 80532043 5d             pop    ebp 1: kd> lm start   end       module name 7eb30000 7ebe4000  ntdll     (pdb symbols)         C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb 80062000 80072a80  pci       (deferred)            80100000 8012a000  KDSTUB    (deferred)            804d7000 806e5000  nt        (export symbols)      ntkrpamp.exe 80706000 8072e000  kdcom     (deferred)         
   b3748000 b37a5f00  update    (deferred)            b37a6000 b37c8700  ks        (deferred)            b37c9000 b37f8c80  rdpdr     (deferred)            b44e6000 b44e6c00  audstub   (deferred)            b45f7000 b4600f80  termdd    (deferred)            b500e000 b5011c80  mssmbios  (deferred)            b6e27000 b6e28100  swenum    (deferred)            b8eab000 b8eb3e00  intelppm  (deferred)            b96b5000 b96dd000  HDAudBus  (deferred)            b979d000 b97a0d80  serenum   (deferred)            b97b1000 b97b3280  wmiacpi   (deferred)            b987f000 b9898e80  Mup       (deferred)            b9899000 b98d8000  NETIO     (deferred)            b98d8000 b9903000  msrpc     (deferred)            b9903000 b9aec680  ntoskrn8  (deferred)            b9aed000 b9ba5000  NDIS      (deferred)            b9ba5000 b9c31d00  Ntfs      (deferred)            b9c32000 b9c48b80  KSecDD    (deferred)            b9c49000 b9c5af00  sr        (deferred)            b9c5b000 b9c7ab00  fltMgr    (deferred)            b9c7b000 b9f30000  iaStor    (deferred)            b9f30000 b9f55700  dmio      (deferred)            b9f56000 b9f74880  ftdisk    (deferred)            b9f75000 b9fa7000  ACPI      (deferred)            ba0a8000 ba0b1180  isapnp    (deferred)            ba0b8000 ba0c2700  MountMgr  (deferred)            ba0c8000 ba0d3000  PartMgr   (deferred)            ba0d8000 ba0e4c80  VolSnap   (deferred)            ba0e8000 ba0f8000  disk      (deferred)            ba0f8000 ba104180  CLASSPNP  (deferred)            ba278000 ba284d00  i8042prt  (deferred)            ba288000 ba297c00  serial    (deferred)            ba328000 ba32e800  firadisk  (deferred)            ba3b8000 ba3be000  kbdclass  (deferred)            ba3c0000 ba3c5a00  mouclass  (deferred)            ba4b8000 ba4bb000  BOOTVID   (deferred)            ba5a8000 ba5a9100  WMILIB    (deferred)            ba5aa000 ba5ab700  dmload    (deferred)            Unloaded modules: b5006000 b5009000  Sfloppy.SYS b45e7000 
b45f3000  Flpydisk.SYS b6f9d000 b6fa4000  Fdc.SYS b86d2000 b873f000  e1d6232.sys Edited June 6 by Dietmar Link to comment Share on other sites More sharing options...
Dietmar Posted June 6
@Damnation I caught the BSOD after the DriverEntry of e1d6232.sys. This driver e1d6232.sys was unloaded for an unknown reason, 3 times. And after this netio.sys crashes. https://ufile.io/dompmiaq
Damnation Posted June 6 (Author)
@Dietmar Can you try these ndis/netio/msrpc.sys files on a system with a known XP-compatible NDIS5 NIC? I.e. just swap the files on a system with a working NIC on XP and restart. Does it stop working? Do you get a similar BSOD on that kind of hardware?
Dietmar Posted June 6
@Damnation I already tried this, same BSOD with the ndis5 driver for the i217 and the ndis/netio/msrpc.sys files from win7 together with ntoskrn8.sys. I also looked at whether the i217 is backward compatible with the win7 driver and the ndis/netio/msrpc.sys files from win7 together with ntoskrn8.sys; also not, same BSOD. Now I think the best we can do is to look step by step at the working 5048 ndis/netio/msrpc.sys, which driver has to be loaded at which time. For me it is still as strange as can be that I can't catch the DriverEntry of netio.sys. It looks as if this driver never starts, is only loaded. And this may be the reason why the e1d6232.sys is unloaded.
Dietmar
PS: Now I am tired and go to bed :)). The next BIG step would be to look at a working mini win7 SP1, which LAN files are loaded at which time, looking also for registry entries. Before the e1d6232.sys install and then with Beyond Compare of the whole registry after install.
Edited June 6 by Dietmar
Dietmar Posted June 7
@Damnation I made a try to see what happens in real win7. This win7 SP1 boots on the ASRock z370 k6 board with working drivers for i219 and i211; I tested. With unlocker1.9.0-portable I renamed, on this win7 SP1 32-bit HD in a USB box, netio.sys, msrpc.sys and ndis.sys to netioORI.sys, msrpcORI.sys and ndisORI.sys. Then I copied your modded netio.sys, msrpc.sys, ndis.sys and ntoskrn8.sys there. But win7 does not want to start with these files, even when I choose "unsigned driver" via F8. The crazy System Repair from win7 kicked the modified files out and replaced them with its own. Is there a way to tell win7 not to do this?
Dietmar
Dietmar Posted June 7
@Damnation Can you please integrate for me the function NdisGroupActiveProcessorCount into ndis.sys from Longhorn 5048? I think that you do this via ntoskrn8.sys. I made a try with PE Maker to add this function to ndis.sys by myself, but I don't know where to get this function from and how to integrate it into ndis.sys (or ntoskrn8.sys). This function is the only missing function in Import in ndis.sys for the win7 e1d6232.sys driver, as you can see with Dependency Walker.
Dietmar
https://ufile.io/0taapdko