Jump to content

NDIS6 support for XP?


Damnation
 Share

Recommended Posts

@Mov AX, 0xDEAD

I've added the internal ntoskrnl libraries for use with the ntoskrnl extender project.

This was to help with some of the much larger functions like MmAllocatePagesForMdlEx

You can make use of internal Ki functions this way.

It's helped a bit with @Dietmar being able to allocate resources to hardware, and at the very least, adding these libraries did not interfere with anything that already worked with the previous version ntoskrnl extender.

Can you take a look at what I have to see if it's possible to get NDIS6 working this way?

https://ufile.io/x8teed7c

Link to comment
Share on other sites


@Damnation

I make a strange discovery:

In Windbg when I write

bu netio!DriverEntry

I get Bsod about NMR..

This means, that the driverentry of netio.sys is not reached.

Also I try EB FE at the beginning of DriverEntry of netio.sys,

but this also did not stop (should be endless bar but gives also NMR.. Bsod).

This simple means, that at no time the driverentry of netio.sys is reached, Bsod is before

Dietmar

PS: So it looks, as if XP puts the driver netio.sys at an not allowed place in memory.

And about this cries NMR and gives Bsod.

Link to comment
Share on other sites

@Damnation

This a little bit different Bsod I get after breakpoint setting via

bu netio!DriverEntry

 

Dietmar

Intel Storage Driver Ver: 11.2.0.1006


*** Fatal System Error: 0x000000c2
                       (0x00000007,0x00000CD4,0x02070008,0x8BC16730)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Mon Jun  6 21:57:47.828 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
......................................................
Loading User Symbols

Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, cd4, 2070008, 8bc16730}

Probably caused by : NETIO.SYS ( NETIO!NmrpDeleteNode+39 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
8052b724 cc              int     3
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 02070008, Memory contents of the pool block
Arg4: 8bc16730, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  8bc16730 Nonpaged pool

FREED_POOL_TAG:  NMRn

BUGCHECK_STR:  0xc2_7_NMRn

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

DPC_STACK_BASE:  FFFFFFFFBA4C8000

LAST_CONTROL_TRANSFER:  from 804f8e95 to 8052b724

STACK_TEXT:  
ba4c2e24 804f8e95 00000003 ba4c3180 00000000 nt!RtlpBreakWithStatusInstruction
ba4c2e70 804f9a80 00000003 00200000 8bc16728 nt!KiBugCheckDebugBreak+0x19
ba4c3250 804f9fcf 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
ba4c3270 8054b583 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
ba4c32c0 b98ba3ca 8bc16730 00000000 89c78100 nt!ExFreePoolWithTag+0x2a3
ba4c32d4 b98ba411 8bc16730 b98afaf0 89c78100 NETIO!NmrpDeleteNode+0x39
ba4c32dc b98afaf0 89c78100 00000000 b98cc072 NETIO!NmrpRemoveRegisteredList+0x3d
ba4c32f8 b98b9d69 b9b2e000 00000000 b98cc070 NETIO!NmrpDereferenceModule+0x28
ba4c3310 b98b9da1 89c78100 ba4c334c b9b12e98 NETIO!NmrpWaitForModuleDeregisterComplete+0x38
ba4c331c b9b12e98 89c78100 8055ae68 c00000bb NETIO!NmrWaitForProviderDeregisterComplete+0x16
ba4c3330 b9b0c6f5 8bbd9840 00000000 00000000 NDIS!ndisStopNsiProvider+0x4c
ba4c334c b9b1a74d 8057f0eb 8bab59c8 00000000 NDIS!ndisInitializeNsi+0x6a
ba4c3350 8057f0eb 8bab59c8 00000000 00000002 NDIS!ndisDriverReinit+0xe
ba4c336c 805814e0 ba4c340c 00000000 00000000 nt!IopCallDriverReinitializationRoutines+0x3b
ba4c3384 805842c3 800009b0 ba4c340c ba4c3488 nt!IopLoadUnloadDriver+0x66
ba4c3400 80541818 ba4c34ac ba4c34c8 80500575 nt!NtLoadDriver+0x151
ba4c3400 80500575 ba4c34ac ba4c34c8 80500575 nt!KiSystemServicePostCall
ba4c347c b6aa92db ba4c34ac 89ab2b88 8054b968 nt!ZwLoadDriver+0x11
ba4c34c8 b6aa8640 b6ab6f34 89ab2b88 8054b968 ipsec!GpcInitialize+0x7f
ba4c34e4 b6ab7d81 00000000 8052e8fc 89b7d658 ipsec!IPSecGpcInitialize+0x35
ba4c34f4 b6ab7ba2 89b7d658 e1654424 00000000 ipsec!IPSecGeneralInit+0x16b
ba4c356c 805813af 89b7d658 89a85000 e16b2450 ipsec!DriverEntry+0x104
ba4c363c 8069dc9c 000009c0 00000001 00000000 nt!IopLoadDriver+0x66d
ba4c3698 8069b001 00034000 00000000 00000000 nt!IopInitializeSystemDrivers+0x16c
ba4c3838 806993d3 80084000 00000000 8bc3a5d8 nt!IoInitSystem+0x7a3
ba4c3dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xac7
ba4c3ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
NETIO!NmrpDeleteNode+39
b98ba3ca 5e              pop     esi

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NmrpDeleteNode+39

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  5b48ef86

IMAGE_VERSION:  6.1.7601.24208

FAILURE_BUCKET_ID:  0xc2_7_NMRn_NETIO!NmrpDeleteNode+39

BUCKET_ID:  0xc2_7_NMRn_NETIO!NmrpDeleteNode+39

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc2_7_nmrn_netio!nmrpdeletenode+39

FAILURE_ID_HASH:  {9c9d1a86-e758-a5d4-abd4-a37dc99f73cb}

Followup: MachineOwner

Link to comment
Share on other sites

@Dietmar

we might also need to add some registry keys?

 

Quote

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsRPC]
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"Tag"=dword:00000001
"Type"=dword:00000001

Quote

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS]
"Description"="@%SystemRoot%\\system32\\drivers\\ndis.sys,-201"
"DisplayName"="@%SystemRoot%\\system32\\drivers\\ndis.sys,-200"
"ErrorControl"=dword:00000003
"Group"="NDIS Wrapper"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,6e,00,64,00,69,00,73,00,2e,00,73,\
  00,79,00,73,00,00,00
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\24]
"IfType"=dword:00000018
"IfUsedNetLuidIndices"=hex:01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\71]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\71\1]
"PortAuthReceiveAuthorizationState"=dword:00000002
"PortAuthReceiveControlState"=dword:00000002
"PortAuthSendAuthorizationState"=dword:00000002
"PortAuthSendControlState"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters]
"MaxCachedNblContextSize"=dword:00000200
"PortAuthReceiveAuthorizationState"=dword:00000002
"PortAuthReceiveControlState"=dword:00000002
"PortAuthSendAuthorizationState"=dword:00000002
"PortAuthSendControlState"=dword:00000002
"ReceiveWorkerDisableAutoStart"=dword:00000000
"TrackNblOwner"=dword:00000002
"WppRecorder_TraceGuid"="{dd7a21e6-a651-46d4-b7c2-66543067b869}"
"DefaultPnPCapabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\State]

 

 

Link to comment
Share on other sites

@Damnation

Here is the Bsod in Safe Mode F8 with network.

Safe Mode F8 without network i219-V driver is installed(!) correct

Dietmar

Intel Storage Driver Ver: 11.2.0.1006

SAFEBOOT: skipping device = Cdrom.SYS(SCSI CDROM Class)
SAFEBOOT: skipping device = Serial.SYS(Extended base)
SAFEBOOT: skipping device = intelppm.SYS(Extended Base)
SAFEBOOT: skipping device = WS2IFSL.SYS(Group)
SAFEBOOT: skipping device = Fips.SYS(Group)
SAFEBOOT: skipping device = DumpDrv.SYS(Group)

*** Fatal System Error: 0x000000c2
                       (0x00000007,0x00000CD4,0x02070002,0x8A5BA368)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows XP 2600 x86 compatible target at (Mon Jun  6 23:14:16.078 2022 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
..
Loading User Symbols

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, cd4, 2070002, 8a5ba368}

Probably caused by : NETIO.SYS ( NETIO!NmrpDeleteNode+39 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
804e29c2 cc              int     3
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 02070002, Memory contents of the pool block
Arg4: 8a5ba368, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  8a5ba368 Nonpaged pool

FREED_POOL_TAG:  NMRn

BUGCHECK_STR:  0xc2_7_NMRn

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from 8053657f to 804e29c2

STACK_TEXT:  
f7922698 8053657f 00000003 f79229f4 00000000 nt!RtlpBreakWithStatusInstruction
f79226e4 80537056 00000003 00200000 8a5ba360 nt!KiBugCheckDebugBreak+0x19
f7922ac4 8053766a 000000c2 00000007 00000cd4 nt!KeBugCheck2+0x574
f7922ae4 80551fc5 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
f7922b34 ba18a3ca 8a5ba368 00000000 88379628 nt!ExFreePoolWithTag+0x2c1
f7922b48 ba18a411 8a5ba368 ba17faf0 88379628 NETIO!NmrpDeleteNode+0x39
f7922b50 ba17faf0 88379628 00000000 ba19c072 NETIO!NmrpRemoveRegisteredList+0x3d
f7922b6c ba189d69 ba3fe000 00000000 ba19c070 NETIO!NmrpDereferenceModule+0x28
f7922b84 ba189da1 88379628 f7922bc0 ba3e2e98 NETIO!NmrpWaitForModuleDeregisterComplete+0x38
f7922b90 ba3e2e98 88379628 f7922c64 c00000bb NETIO!NmrWaitForProviderDeregisterComplete+0x16
f7922ba4 ba3dc6f5 00000000 00000008 00000246 NDIS!ndisStopNsiProvider+0x4c
f7922bc0 ba4345c0 f7922c64 883797a8 00000000 NDIS!ndisInitializeNsi+0x6a
f7922bd4 b9504bd3 f7922c7c b950466c f7922bf8 NDIS!NdisRegisterProtocol+0x18
f7922c84 805a712b 88379690 88378000 00000000 ndisuio!DriverEntry+0x175
f7922d54 805b0e27 80000218 00000001 00000000 nt!IopLoadDriver+0x66d
f7922d7c 804e2325 80000218 00000000 8a5a0020 nt!IopLoadUnloadDriver+0x45
f7922dac 80575828 b9ef4cf4 00000000 00000000 nt!ExpWorkerThread+0xef
f7922ddc 804ec1a9 804e2261 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
NETIO!NmrpDeleteNode+39
ba18a3ca 5e              pop     esi

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  NETIO!NmrpDeleteNode+39

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  5b48ef86

FAILURE_BUCKET_ID:  0xc2_7_NMRn_NETIO!NmrpDeleteNode+39

BUCKET_ID:  0xc2_7_NMRn_NETIO!NmrpDeleteNode+39

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc2_7_nmrn_netio!nmrpdeletenode+39

FAILURE_ID_HASH:  {9c9d1a86-e758-a5d4-abd4-a37dc99f73cb}

Followup: MachineOwner

Link to comment
Share on other sites

@Damnation

ndis.sys DriverEntry is reached without Bsod

Dietmar

kd> bu ndis!DriverEntry
kd> g


Intel Storage Driver Ver: 11.2.0.1006

Breakpoint 0 hit
NDIS!DriverEntry:
b9b86684 8bff            mov     edi,edi

Link to comment
Share on other sites

The driver for the i219 can also be stopped at its DriverEntry without Bsod

Intel Storage Driver Ver: 11.2.0.1006

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for e1d6232.sys -
Breakpoint 0 hit
e1d6232!DriverEntry:
b86d5094 55              push    ebp

Link to comment
Share on other sites

Posted (edited)

But later this driver e1d6232.sys is unloaded,

still without Bsod

1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd> lm
start    end        module name
7eb30000 7ebe4000   ntdll      (pdb symbols)          C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb
80062000 80072a80   pci        (deferred)             
80100000 8012a000   KDSTUB     (deferred)             
804d7000 806e5000   nt         (export symbols)       ntkrpamp.exe
80706000 8072e000   kdcom      (deferred)             
b86d2000 b873f000   e1d6232    (export symbols)       e1d6232.sys
b96b5000 b96dd000   HDAudBus   (deferred)             
b979d000 b97a0d80   serenum    (deferred)             
b987f000 b9898e80   Mup        (deferred)             
b9899000 b98d8000   NETIO      (deferred)             
b98d8000 b9903000   msrpc      (deferred)             
b9903000 b9aec680   ntoskrn8   (deferred)             
b9aed000 b9ba5000   NDIS       (deferred)             
b9ba5000 b9c31d00   Ntfs       (deferred)             
b9c32000 b9c48b80   KSecDD     (deferred)             
b9c49000 b9c5af00   sr         (deferred)             
b9c5b000 b9c7ab00   fltMgr     (deferred)             
b9c7b000 b9f30000   iaStor     (deferred)             
b9f30000 b9f55700   dmio       (deferred)             
b9f56000 b9f74880   ftdisk     (deferred)             
b9f75000 b9fa7000   ACPI       (deferred)             
ba0a8000 ba0b1180   isapnp     (deferred)             
ba0b8000 ba0c2700   MountMgr   (deferred)             
ba0c8000 ba0d3000   PartMgr    (deferred)             
ba0d8000 ba0e4c80   VolSnap    (deferred)             
ba0e8000 ba0f8000   disk       (deferred)             
ba0f8000 ba104180   CLASSPNP   (deferred)             
ba278000 ba284d00   i8042prt   (deferred)             
ba288000 ba297c00   serial     (deferred)             
ba328000 ba32e800   firadisk   (deferred)             
ba3b8000 ba3be000   kbdclass   (deferred)             
ba3c0000 ba3c5a00   mouclass   (deferred)             
ba4b8000 ba4bb000   BOOTVID    (deferred)             
ba5a8000 ba5a9100   WMILIB     (deferred)             
ba5aa000 ba5ab700   dmload     (deferred)             
1: kd> !devnode 0 1
Error retrieving address of IopRootDeviceNode
1: kd> p
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44b8:
805813c8 8b45a0          mov     eax,dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44bb:
805813cb 8d448738        lea     eax,[edi+eax*4+38h]
1: kd>
nt!NtWriteFile+0x44bf:
805813cf 3918            cmp     dword ptr [eax],ebx
1: kd>
nt!NtWriteFile+0x44c1:
805813d1 7506            jne     nt!NtWriteFile+0x44c9 (805813d9)
1: kd>
nt!NtWriteFile+0x44c9:
805813d9 ff45a0          inc     dword ptr [ebp-60h]
1: kd>
nt!NtWriteFile+0x44cc:
805813dc 837da01b        cmp     dword ptr [ebp-60h],1Bh
1: kd>
nt!NtWriteFile+0x44d0:
805813e0 76e6            jbe     nt!NtWriteFile+0x44b8 (805813c8)
1: kd>
nt!NtWriteFile+0x44d2:
805813e2 53              push    ebx
1: kd>
nt!NtWriteFile+0x44d3:
805813e3 ffb570ffffff    push    dword ptr [ebp-90h]
1: kd>
nt!NtWriteFile+0x44d9:
805813e9 e8f29efcff      call    nt!ExFreePoolWithTag (8054b2e0)
1: kd>
nt!NtWriteFile+0x44de:
805813ee 395dac          cmp     dword ptr [ebp-54h],ebx
1: kd>
nt!NtWriteFile+0x44e1:
805813f1 7c3b            jl      nt!NtWriteFile+0x451e (8058142e)
1: kd>
nt!NtWriteFile+0x44e3:
805813f3 57              push    edi
1: kd>
nt!NtWriteFile+0x44e4:
805813f4 e883b10000      call    nt!IoReportResourceUsage+0x18a6 (8058c57c)
1: kd>
nt!NtWriteFile+0x44e9:
805813f9 84c0            test    al,al
1: kd>
nt!NtWriteFile+0x44eb:
805813fb 752c            jne     nt!NtWriteFile+0x4519 (80581429)
1: kd>
nt!NtWriteFile+0x44ed:
805813fd 8d4598          lea     eax,[ebp-68h]
1: kd>
nt!NtWriteFile+0x44f0:
80581400 50              push    eax
1: kd>
nt!NtWriteFile+0x44f1:
80581401 ff758c          push    dword ptr [ebp-74h]
1: kd>
nt!NtWriteFile+0x44f4:
80581404 57              push    edi
1: kd>
nt!NtWriteFile+0x44f5:
80581405 e8064bf7ff      call    nt!IoReportTargetDeviceChangeAsynchronous+0x16c (804f5f10)
1: kd>
nt!NtWriteFile+0x44fa:
8058140a 3bc3            cmp     eax,ebx
1: kd>
nt!NtWriteFile+0x44fc:
8058140c 8945ac          mov     dword ptr [ebp-54h],eax
1: kd>
nt!NtWriteFile+0x44ff:
8058140f 7d2c            jge     nt!NtWriteFile+0x452d (8058143d)
1: kd>
nt!NtWriteFile+0x452d:
8058143d 6a01            push    1
1: kd>
nt!NtWriteFile+0x452f:
8058143f 8d45a4          lea     eax,[ebp-5Ch]
1: kd>
nt!NtWriteFile+0x4532:
80581442 50              push    eax
1: kd>
nt!NtWriteFile+0x4533:
80581443 e836f4ffff      call    nt!NtWriteFile+0x396e (8058087e)
1: kd>
nt!NtWriteFile+0x4538:
80581448 ff7714          push    dword ptr [edi+14h]
1: kd>
nt!NtWriteFile+0x453b:
8058144b e8b8c60200      call    nt!MmResetDriverPaging+0x118e (805adb08)
1: kd>
nt!NtWriteFile+0x4540:
80581450 57              push    edi
1: kd> lm
start    end        module name
7eb30000 7ebe4000   ntdll      (pdb symbols)          C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb
80062000 80072a80   pci        (deferred)             
80100000 8012a000   KDSTUB     (deferred)             
804d7000 806e5000   nt         (export symbols)       ntkrpamp.exe
80706000 8072e000   kdcom      (deferred)             
b86d2000 b873f000   e1d6232    (export symbols)       e1d6232.sys
b96b5000 b96dd000   HDAudBus   (deferred)             
b979d000 b97a0d80   serenum    (deferred)             
b987f000 b9898e80   Mup        (deferred)             
b9899000 b98d8000   NETIO      (deferred)             
b98d8000 b9903000   msrpc      (deferred)             
b9903000 b9aec680   ntoskrn8   (deferred)             
b9aed000 b9ba5000   NDIS       (deferred)             
b9ba5000 b9c31d00   Ntfs       (deferred)             
b9c32000 b9c48b80   KSecDD     (deferred)             
b9c49000 b9c5af00   sr         (deferred)             
b9c5b000 b9c7ab00   fltMgr     (deferred)             
b9c7b000 b9f30000   iaStor     (deferred)             
b9f30000 b9f55700   dmio       (deferred)             
b9f56000 b9f74880   ftdisk     (deferred)             
b9f75000 b9fa7000   ACPI       (deferred)             
ba0a8000 ba0b1180   isapnp     (deferred)             
ba0b8000 ba0c2700   MountMgr   (deferred)             
ba0c8000 ba0d3000   PartMgr    (deferred)             
ba0d8000 ba0e4c80   VolSnap    (deferred)             
ba0e8000 ba0f8000   disk       (deferred)             
ba0f8000 ba104180   CLASSPNP   (deferred)             
ba278000 ba284d00   i8042prt   (deferred)             
ba288000 ba297c00   serial     (deferred)             
ba328000 ba32e800   firadisk   (deferred)             
ba3b8000 ba3be000   kbdclass   (deferred)             
ba3c0000 ba3c5a00   mouclass   (deferred)             
ba4b8000 ba4bb000   BOOTVID    (deferred)             
ba5a8000 ba5a9100   WMILIB     (deferred)             
ba5aa000 ba5ab700   dmload     (deferred)             
1: kd> p
nt!NtWriteFile+0x4541:
80581451 e8c4d6ffff      call    nt!NtWriteFile+0x1c0a (8057eb1a)
1: kd>
nt!NtWriteFile+0x4546:
80581456 395dac          cmp     dword ptr [ebp-54h],ebx
1: kd>
nt!NtWriteFile+0x4549:
80581459 0f8d39fbffff    jge     nt!NtWriteFile+0x4088 (80580f98)
1: kd>
nt!NtWriteFile+0x4088:
80580f98 53              push    ebx
1: kd>
nt!NtWriteFile+0x4089:
80580f99 6a02            push    2
1: kd>
nt!NtWriteFile+0x408b:
80580f9b e8227bfbff      call    nt!HeadlessDispatch+0x76 (80538ac2)
1: kd>
nt!NtWriteFile+0x4090:
80580fa0 399d78ffffff    cmp     dword ptr [ebp-88h],ebx
1: kd>
nt!NtWriteFile+0x4096:
80580fa6 740c            je      nt!NtWriteFile+0x40a4 (80580fb4)
1: kd>
nt!NtWriteFile+0x4098:
80580fa8 53              push    ebx
1: kd>
nt!NtWriteFile+0x4099:
80580fa9 ffb578ffffff    push    dword ptr [ebp-88h]
1: kd>
nt!NtWriteFile+0x409f:
80580faf e82ca3fcff      call    nt!ExFreePoolWithTag (8054b2e0)
1: kd>
nt!NtWriteFile+0x40a4:
80580fb4 399d6cffffff    cmp     dword ptr [ebp-94h],ebx
1: kd>
nt!NtWriteFile+0x40aa:
80580fba 740c            je      nt!NtWriteFile+0x40b8 (80580fc8)
1: kd>
nt!NtWriteFile+0x40ac:
80580fbc 53              push    ebx
1: kd>
nt!NtWriteFile+0x40ad:
80580fbd ffb56cffffff    push    dword ptr [ebp-94h]
1: kd>
nt!NtWriteFile+0x40b3:
80580fc3 e818a3fcff      call    nt!ExFreePoolWithTag (8054b2e0)
1: kd>
nt!NtWriteFile+0x40b8:
80580fc8 395d9c          cmp     dword ptr [ebp-64h],ebx
1: kd>
nt!NtWriteFile+0x40bb:
80580fcb 7409            je      nt!NtWriteFile+0x40c6 (80580fd6)
1: kd>
nt!NtWriteFile+0x40bd:
80580fcd 53              push    ebx
1: kd>
nt!NtWriteFile+0x40be:
80580fce ff759c          push    dword ptr [ebp-64h]
1: kd>
nt!NtWriteFile+0x40c1:
80580fd1 e80aa3fcff      call    nt!ExFreePoolWithTag (8054b2e0)
1: kd>
nt!NtWriteFile+0x40c6:
80580fd6 395da8          cmp     dword ptr [ebp-58h],ebx
1: kd>
nt!NtWriteFile+0x40c9:
80580fd9 7409            je      nt!NtWriteFile+0x40d4 (80580fe4)
1: kd>
nt!NtWriteFile+0x40cb:
80580fdb 53              push    ebx
1: kd>
nt!NtWriteFile+0x40cc:
80580fdc ff75a8          push    dword ptr [ebp-58h]
1: kd>
nt!NtWriteFile+0x40cf:
80580fdf e8fca2fcff      call    nt!ExFreePoolWithTag (8054b2e0)
1: kd>
nt!NtWriteFile+0x40d4:
80580fe4 8b7dac          mov     edi,dword ptr [ebp-54h]
1: kd>
nt!NtWriteFile+0x40d7:
80580fe7 3bfb            cmp     edi,ebx
1: kd>
nt!NtWriteFile+0x40d9:
80580fe9 7d4e            jge     nt!NtWriteFile+0x4129 (80581039)
1: kd>
nt!NtWriteFile+0x4129:
80581039 53              push    ebx
1: kd>
nt!NtWriteFile+0x412a:
8058103a ff758c          push    dword ptr [ebp-74h]
1: kd>
nt!NtWriteFile+0x412d:
8058103d e806b50300      call    nt!ObCloseHandle (805bc548)
1: kd>
nt!NtWriteFile+0x4132:
80581042 8bc7            mov     eax,edi
1: kd>
nt!NtWriteFile+0x4134:
80581044 8b4dfc          mov     ecx,dword ptr [ebp-4]
1: kd>
nt!NtWriteFile+0x4137:
80581047 5f              pop     edi
1: kd>
nt!NtWriteFile+0x4138:
80581048 5e              pop     esi
1: kd>
nt!NtWriteFile+0x4139:
80581049 5b              pop     ebx
1: kd>
nt!NtWriteFile+0x413a:
8058104a e8cfd8f7ff      call    nt!KeRaiseUserException+0xc94 (804fe91e)
1: kd>
nt!NtWriteFile+0x413f:
8058104f c9              leave
1: kd>
nt!NtWriteFile+0x4140:
80581050 c21000          ret     10h
1: kd>
nt!IoReportResourceUsage+0x4881:
8058f557 8bf0            mov     esi,eax
1: kd>
nt!IoReportResourceUsage+0x4883:
8058f559 3bf7            cmp     esi,edi
1: kd>
nt!IoReportResourceUsage+0x4885:
8058f55b 7d43            jge     nt!IoReportResourceUsage+0x48ca (8058f5a0)
1: kd>
nt!IoReportResourceUsage+0x48ca:
8058f5a0 803d97b4558000  cmp     byte ptr [nt!IoAdapterObjectType+0x727 (8055b497)],0
1: kd>
nt!IoReportResourceUsage+0x48d1:
8058f5a7 7405            je      nt!IoReportResourceUsage+0x48d8 (8058f5ae)
1: kd>
nt!IoReportResourceUsage+0x48d8:
8058f5ae 8d45e0          lea     eax,[ebp-20h]
1: kd>
nt!IoReportResourceUsage+0x48db:
8058f5b1 50              push    eax
1: kd>
nt!IoReportResourceUsage+0x48dc:
8058f5b2 e855fbfeff      call    nt!NtWriteFile+0x21fc (8057f10c)
1: kd>
nt!IoReportResourceUsage+0x48e1:
8058f5b7 3bc7            cmp     eax,edi
1: kd>
nt!IoReportResourceUsage+0x48e3:
8058f5b9 8945f8          mov     dword ptr [ebp-8],eax
1: kd>
nt!IoReportResourceUsage+0x48e6:
8058f5bc 0f85c5000000    jne     nt!IoReportResourceUsage+0x49b1 (8058f687)
1: kd>
nt!IoReportResourceUsage+0x49b1:
8058f687 f6400810        test    byte ptr [eax+8],10h
1: kd>
nt!IoReportResourceUsage+0x49b5:
8058f68b 7509            jne     nt!IoReportResourceUsage+0x49c0 (8058f696)
1: kd>
nt!IoReportResourceUsage+0x49c0:
8058f696 50              push    eax
1: kd>
nt!IoReportResourceUsage+0x49c1:
8058f697 e8e0ceffff      call    nt!IoReportResourceUsage+0x18a6 (8058c57c)
1: kd>
nt!IoReportResourceUsage+0x49c6:
8058f69c 84c0            test    al,al
1: kd>
nt!IoReportResourceUsage+0x49c8:
8058f69e 7421            je      nt!IoReportResourceUsage+0x49eb (8058f6c1)
1: kd>
nt!IoReportResourceUsage+0x49eb:
8058f6c1 8b03            mov     eax,dword ptr [ebx]
1: kd>
nt!IoReportResourceUsage+0x49ed:
8058f6c3 8b4018          mov     eax,dword ptr [eax+18h]
1: kd>
nt!IoReportResourceUsage+0x49f0:
8058f6c6 3d02030000      cmp     eax,302h
1: kd>
nt!IoReportResourceUsage+0x49f5:
8058f6cb 7407            je      nt!IoReportResourceUsage+0x49fe (8058f6d4)
1: kd>
nt!IoReportResourceUsage+0x49fe:
8058f6d4 8b451c          mov     eax,dword ptr [ebp+1Ch]
1: kd>
nt!IoReportResourceUsage+0x4a01:
8058f6d7 685070656e      push    6E657050h
1: kd>
nt!IoReportResourceUsage+0x4a06:
8058f6dc 6a08            push    8
1: kd>
nt!IoReportResourceUsage+0x4a08:
8058f6de 6a01            push    1
1: kd>
nt!IoReportResourceUsage+0x4a0a:
8058f6e0 8d7c830c        lea     edi,[ebx+eax*4+0Ch]
1: kd>
nt!IoReportResourceUsage+0x4a0e:
8058f6e4 33f6            xor     esi,esi
1: kd>
nt!IoReportResourceUsage+0x4a10:
8058f6e6 e87dc2fbff      call    nt!ExAllocatePoolWithTag (8054b968)
1: kd>
nt!IoReportResourceUsage+0x4a15:
8058f6eb 85c0            test    eax,eax
1: kd>
nt!IoReportResourceUsage+0x4a17:
8058f6ed 7507            jne     nt!IoReportResourceUsage+0x4a20 (8058f6f6)
1: kd>
nt!IoReportResourceUsage+0x4a20:
8058f6f6 8b4df8          mov     ecx,dword ptr [ebp-8]
1: kd>
nt!IoReportResourceUsage+0x4a23:
8058f6f9 8908            mov     dword ptr [eax],ecx
1: kd>
nt!IoReportResourceUsage+0x4a25:
8058f6fb 33c9            xor     ecx,ecx
1: kd>
nt!IoReportResourceUsage+0x4a27:
8058f6fd 894804          mov     dword ptr [eax+4],ecx
1: kd>
nt!IoReportResourceUsage+0x4a2a:
8058f700 eb05            jmp     nt!IoReportResourceUsage+0x4a31 (8058f707)
1: kd>
nt!IoReportResourceUsage+0x4a31:
8058f707 390f            cmp     dword ptr [edi],ecx
1: kd>
nt!IoReportResourceUsage+0x4a33:
8058f709 75f7            jne     nt!IoReportResourceUsage+0x4a2c (8058f702)
1: kd>
nt!IoReportResourceUsage+0x4a35:
8058f70b 8907            mov     dword ptr [edi],eax
1: kd>
nt!IoReportResourceUsage+0x4a37:
8058f70d 837df400        cmp     dword ptr [ebp-0Ch],0
1: kd>
nt!IoReportResourceUsage+0x4a3b:
8058f711 5b              pop     ebx
1: kd>
nt!IoReportResourceUsage+0x4a3c:
8058f712 7408            je      nt!IoReportResourceUsage+0x4a46 (8058f71c)
1: kd>
nt!IoReportResourceUsage+0x4a3e:
8058f714 ff75f4          push    dword ptr [ebp-0Ch]
1: kd>
nt!IoReportResourceUsage+0x4a41:
8058f717 e8a808f7ff      call    nt!ZwClose (804fffc4)
1: kd>
nt!IoReportResourceUsage+0x4a46:
8058f71c 807dff00        cmp     byte ptr [ebp-1],0
1: kd>
nt!IoReportResourceUsage+0x4a4a:
8058f720 7409            je      nt!IoReportResourceUsage+0x4a55 (8058f72b)
1: kd>
nt!IoReportResourceUsage+0x4a4c:
8058f722 8d45e0          lea     eax,[ebp-20h]
1: kd>
nt!IoReportResourceUsage+0x4a4f:
8058f725 50              push    eax
1: kd>
nt!IoReportResourceUsage+0x4a50:
8058f726 e8f5240500      call    nt!RtlFreeUnicodeString (805e1c20)
1: kd>
nt!IoReportResourceUsage+0x4a55:
8058f72b 8bc6            mov     eax,esi
1: kd>
nt!IoReportResourceUsage+0x4a57:
8058f72d 5f              pop     edi
1: kd>
nt!IoReportResourceUsage+0x4a58:
8058f72e 5e              pop     esi
1: kd>
nt!IoReportResourceUsage+0x4a59:
8058f72f c9              leave
1: kd>
nt!IoReportResourceUsage+0x4a5a:
8058f730 c21800          ret     18h
1: kd>
nt!RtlFormatCurrentUserKeyPath+0xe1f:
805e7b7f 3d230000c0      cmp     eax,0C0000023h
1: kd>
nt!RtlFormatCurrentUserKeyPath+0xe24:
805e7b84 7502            jne     nt!RtlFormatCurrentUserKeyPath+0xe28 (805e7b88)
1: kd>
nt!RtlFormatCurrentUserKeyPath+0xe28:
805e7b88 5f              pop     edi
1: kd>
nt!RtlFormatCurrentUserKeyPath+0xe29:
805e7b89 5e              pop     esi
1: kd>
nt!RtlFormatCurrentUserKeyPath+0xe2a:
805e7b8a 5b              pop     ebx
1: kd>
nt!RtlFormatCurrentUserKeyPath+0xe2b:
805e7b8b c9              leave
1: kd>
nt!RtlFormatCurrentUserKeyPath+0xe2c:
805e7b8c c21c00          ret     1Ch
1: kd>
nt!RtlQueryRegistryValues+0x368:
805e7f76 3d230000c0      cmp     eax,0C0000023h
1: kd>
nt!RtlQueryRegistryValues+0x36d:
805e7f7b 8945f8          mov     dword ptr [ebp-8],eax
1: kd>
nt!RtlQueryRegistryValues+0x370:
805e7f7e 7531            jne     nt!RtlQueryRegistryValues+0x3a3 (805e7fb1)
1: kd>
nt!RtlQueryRegistryValues+0x3a3:
805e7fb1 837df800        cmp     dword ptr [ebp-8],0
1: kd>
nt!RtlQueryRegistryValues+0x3a7:
805e7fb5 0f8cb3000000    jl      nt!RtlQueryRegistryValues+0x460 (805e806e)
1: kd>
nt!RtlQueryRegistryValues+0x3ad:
805e7fbb f6470440        test    byte ptr [edi+4],40h
1: kd>
nt!RtlQueryRegistryValues+0x3b1:
805e7fbf 0f84e4feffff    je      nt!RtlQueryRegistryValues+0x29b (805e7ea9)
1: kd>
nt!RtlQueryRegistryValues+0x29b:
805e7ea9 837df800        cmp     dword ptr [ebp-8],0
1: kd>
nt!RtlQueryRegistryValues+0x29f:
805e7ead 0f8cbb010000    jl      nt!RtlQueryRegistryValues+0x460 (805e806e)
1: kd>
nt!RtlQueryRegistryValues+0x2a5:
805e7eb3 83c71c          add     edi,1Ch
1: kd>
nt!RtlQueryRegistryValues+0x2a8:
805e7eb6 e973feffff      jmp     nt!RtlQueryRegistryValues+0x120 (805e7d2e)
1: kd>
nt!RtlQueryRegistryValues+0x120:
805e7d2e 8b0f            mov     ecx,dword ptr [edi]
1: kd>
nt!RtlQueryRegistryValues+0x122:
805e7d30 85c9            test    ecx,ecx
1: kd>
nt!RtlQueryRegistryValues+0x124:
805e7d32 750a            jne     nt!RtlQueryRegistryValues+0x130 (805e7d3e)
1: kd>
nt!RtlQueryRegistryValues+0x126:
805e7d34 f6470421        test    byte ptr [edi+4],21h
1: kd>
nt!RtlQueryRegistryValues+0x12a:
805e7d38 0f8430030000    je      nt!RtlQueryRegistryValues+0x460 (805e806e)
1: kd>
nt!RtlQueryRegistryValues+0x460:
805e806e 837df000        cmp     dword ptr [ebp-10h],0
1: kd>
nt!RtlQueryRegistryValues+0x464:
805e8072 740e            je      nt!RtlQueryRegistryValues+0x474 (805e8082)
1: kd>
nt!RtlQueryRegistryValues+0x466:
805e8074 837de800        cmp     dword ptr [ebp-18h],0
1: kd>
nt!RtlQueryRegistryValues+0x46a:
805e8078 7508            jne     nt!RtlQueryRegistryValues+0x474 (805e8082)
1: kd>
nt!RtlQueryRegistryValues+0x474:
805e8082 8b45ec          mov     eax,dword ptr [ebp-14h]
1: kd>
nt!RtlQueryRegistryValues+0x477:
805e8085 85c0            test    eax,eax
1: kd>
nt!RtlQueryRegistryValues+0x479:
805e8087 740b            je      nt!RtlQueryRegistryValues+0x486 (805e8094)
1: kd>
nt!RtlQueryRegistryValues+0x47b:
805e8089 3b45f0          cmp     eax,dword ptr [ebp-10h]
1: kd>
nt!RtlQueryRegistryValues+0x47e:
805e808c 7406            je      nt!RtlQueryRegistryValues+0x486 (805e8094)
1: kd>
nt!RtlQueryRegistryValues+0x486:
805e8094 837de000        cmp     dword ptr [ebp-20h],0
1: kd>
nt!RtlQueryRegistryValues+0x48a:
805e8098 7409            je      nt!RtlQueryRegistryValues+0x495 (805e80a3)
1: kd>
nt!RtlQueryRegistryValues+0x48c:
805e809a ff75e0          push    dword ptr [ebp-20h]
1: kd>
nt!RtlQueryRegistryValues+0x48f:
805e809d ff15240c6880    call    dword ptr [nt!NlsOemLeadByteInfo+0xb04 (80680c24)]
1: kd>
nt!RtlQueryRegistryValues+0x495:
805e80a3 6a00            push    0
1: kd>
nt!RtlQueryRegistryValues+0x497:
805e80a5 ff750c          push    dword ptr [ebp+0Ch]
1: kd>
nt!RtlQueryRegistryValues+0x49a:
805e80a8 56              push    esi
1: kd>
nt!RtlQueryRegistryValues+0x49b:
805e80a9 6a00            push    0
1: kd>
nt!RtlQueryRegistryValues+0x49d:
805e80ab e8e8eaffff      call    nt!RtlInt64ToUnicodeString+0x1ae (805e6b98)
1: kd>
nt!RtlQueryRegistryValues+0x4a2:
805e80b0 8b45f8          mov     eax,dword ptr [ebp-8]
1: kd>
nt!RtlQueryRegistryValues+0x4a5:
805e80b3 5f              pop     edi
1: kd>
nt!RtlQueryRegistryValues+0x4a6:
805e80b4 5e              pop     esi
1: kd>
nt!RtlQueryRegistryValues+0x4a7:
805e80b5 5b              pop     ebx
1: kd>
nt!RtlQueryRegistryValues+0x4a8:
805e80b6 c9              leave
1: kd>
nt!RtlQueryRegistryValues+0x4a9:
805e80b7 c21400          ret     14h
1: kd>
nt!IoReportResourceUsage+0x6109:
80590ddf 894508          mov     dword ptr [ebp+8],eax
1: kd>
nt!IoReportResourceUsage+0x610c:
80590de2 f6467d10        test    byte ptr [esi+7Dh],10h
1: kd>
nt!IoReportResourceUsage+0x6110:
80590de6 0f8524020000    jne     nt!IoReportResourceUsage+0x633a (80591010)
1: kd>
nt!IoReportResourceUsage+0x6116:
80590dec 837d0800        cmp     dword ptr [ebp+8],0
1: kd>
nt!IoReportResourceUsage+0x611a:
80590df0 7c19            jl      nt!IoReportResourceUsage+0x6135 (80590e0b)
1: kd>
nt!IoReportResourceUsage+0x611c:
80590df2 8b45bc          mov     eax,dword ptr [ebp-44h]
1: kd>
nt!IoReportResourceUsage+0x611f:
80590df5 83780400        cmp     dword ptr [eax+4],0
1: kd>
nt!IoReportResourceUsage+0x6123:
80590df9 740a            je      nt!IoReportResourceUsage+0x612f (80590e05)
1: kd>
nt!IoReportResourceUsage+0x612f:
80590e05 c645cc00        mov     byte ptr [ebp-34h],0
1: kd>
nt!IoReportResourceUsage+0x6133:
80590e09 eb30            jmp     nt!IoReportResourceUsage+0x6165 (80590e3b)
1: kd>
nt!IoReportResourceUsage+0x6165:
80590e3b 6a15            push    15h
1: kd>
nt!IoReportResourceUsage+0x6167:
80590e3d 59              pop     ecx
1: kd>
nt!IoReportResourceUsage+0x6168:
80590e3e 33c0            xor     eax,eax
1: kd>
nt!IoReportResourceUsage+0x616a:
80590e40 50              push    eax
1: kd>
nt!IoReportResourceUsage+0x616b:
80590e41 8dbd54ffffff    lea     edi,[ebp-0ACh]
1: kd>
nt!IoReportResourceUsage+0x6171:
80590e47 f3ab            rep stos dword ptr es:[edi]
1: kd>
nt!IoReportResourceUsage+0x6173:
80590e49 8d45a8          lea     eax,[ebp-58h]
1: kd>
nt!IoReportResourceUsage+0x6176:
80590e4c 50              push    eax
1: kd>
nt!IoReportResourceUsage+0x6177:
80590e4d 8d8554ffffff    lea     eax,[ebp-0ACh]
1: kd>
nt!IoReportResourceUsage+0x617d:
80590e53 50              push    eax
1: kd>
nt!IoReportResourceUsage+0x617e:
80590e54 ff75f4          push    dword ptr [ebp-0Ch]
1: kd>
nt!IoReportResourceUsage+0x6181:
80590e57 bf22f35880      mov     edi,offset nt!IoReportResourceUsage+0x464c (8058f322)
1: kd>
nt!IoReportResourceUsage+0x6186:
80590e5c 53              push    ebx
1: kd>
nt!IoReportResourceUsage+0x6187:
80590e5d 89bd54ffffff    mov     dword ptr [ebp-0ACh],edi
1: kd>
nt!IoReportResourceUsage+0x618d:
80590e63 c7855cffffff420b5980 mov dword ptr [ebp-0A4h],offset nt!IoReportResourceUsage+0x5e6c (80590b42)
1: kd>
nt!IoReportResourceUsage+0x6197:
80590e6d c78560ffffff03000000 mov dword ptr [ebp-0A0h],3
1: kd>
nt!IoReportResourceUsage+0x61a1:
80590e77 e8926d0500      call    nt!RtlQueryRegistryValues (805e7c0e)
1: kd>
nt!IoReportResourceUsage+0x61a6:
80590e7c 85c0            test    eax,eax
1: kd>
nt!IoReportResourceUsage+0x61a8:
80590e7e 894508          mov     dword ptr [ebp+8],eax
1: kd>
nt!IoReportResourceUsage+0x61ab:
80590e81 0f8c8d010000    jl      nt!IoReportResourceUsage+0x633e (80591014)
1: kd>
nt!IoReportResourceUsage+0x61b1:
80590e87 837df800        cmp     dword ptr [ebp-8],0
1: kd>
nt!IoReportResourceUsage+0x61b5:
80590e8b 7433            je      nt!IoReportResourceUsage+0x61ea (80590ec0)
1: kd> lm
start    end        module name
7eb30000 7ebe4000   ntdll      (pdb symbols)          C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb
80062000 80072a80   pci        (deferred)             
80100000 8012a000   KDSTUB     (deferred)             
804d7000 806e5000   nt         (export symbols)       ntkrpamp.exe
80706000 8072e000   kdcom      (deferred)             
b86d2000 b873f000   e1d6232    (export symbols)       e1d6232.sys
b96b5000 b96dd000   HDAudBus   (deferred)             
b979d000 b97a0d80   serenum    (deferred)             
b987f000 b9898e80   Mup        (deferred)             
b9899000 b98d8000   NETIO      (deferred)             
b98d8000 b9903000   msrpc      (deferred)             
b9903000 b9aec680   ntoskrn8   (deferred)             
b9aed000 b9ba5000   NDIS       (deferred)             
b9ba5000 b9c31d00   Ntfs       (deferred)             
b9c32000 b9c48b80   KSecDD     (deferred)             
b9c49000 b9c5af00   sr         (deferred)             
b9c5b000 b9c7ab00   fltMgr     (deferred)             
b9c7b000 b9f30000   iaStor     (deferred)             
b9f30000 b9f55700   dmio       (deferred)             
b9f56000 b9f74880   ftdisk     (deferred)             
b9f75000 b9fa7000   ACPI       (deferred)             
ba0a8000 ba0b1180   isapnp     (deferred)             
ba0b8000 ba0c2700   MountMgr   (deferred)             
ba0c8000 ba0d3000   PartMgr    (deferred)             
ba0d8000 ba0e4c80   VolSnap    (deferred)             
ba0e8000 ba0f8000   disk       (deferred)             
ba0f8000 ba104180   CLASSPNP   (deferred)             
ba278000 ba284d00   i8042prt   (deferred)             
ba288000 ba297c00   serial     (deferred)             
ba328000 ba32e800   firadisk   (deferred)             
ba3b8000 ba3be000   kbdclass   (deferred)             
ba3c0000 ba3c5a00   mouclass   (deferred)             
ba4b8000 ba4bb000   BOOTVID    (deferred)             
ba5a8000 ba5a9100   WMILIB     (deferred)             
ba5aa000 ba5ab700   dmload     (deferred)             
1: kd> p
nt!IoReportResourceUsage+0x61b7:
80590e8d 6a00            push    0
1: kd>
nt!IoReportResourceUsage+0x61b9:
80590e8f 8d45a8          lea     eax,[ebp-58h]
1: kd>
nt!IoReportResourceUsage+0x61bc:
80590e92 50              push    eax
1: kd>
nt!IoReportResourceUsage+0x61bd:
80590e93 8d8554ffffff    lea     eax,[ebp-0ACh]
1: kd>
nt!IoReportResourceUsage+0x61c3:
80590e99 50              push    eax
1: kd>
nt!IoReportResourceUsage+0x61c4:
80590e9a ff75f8          push    dword ptr [ebp-8]
1: kd>
nt!IoReportResourceUsage+0x61c7:
80590e9d 89bd54ffffff    mov     dword ptr [ebp-0ACh],edi
1: kd>
nt!IoReportResourceUsage+0x61cd:
80590ea3 53              push    ebx
1: kd>
nt!IoReportResourceUsage+0x61ce:
80590ea4 c7855cffffff5e0b5980 mov dword ptr [ebp-0A4h],offset nt!IoReportResourceUsage+0x5e88 (80590b5e)
1: kd>
nt!IoReportResourceUsage+0x61d8:
80590eae c78560ffffff04000000 mov dword ptr [ebp-0A0h],4
1: kd>
nt!IoReportResourceUsage+0x61e2:
80590eb8 e8516d0500      call    nt!RtlQueryRegistryValues (805e7c0e)
1: kd>
nt!IoReportResourceUsage+0x61e7:
80590ebd 894508          mov     dword ptr [ebp+8],eax
1: kd>
nt!IoReportResourceUsage+0x61ea:
80590ec0 837d0800        cmp     dword ptr [ebp+8],0
1: kd>
nt!IoReportResourceUsage+0x61ee:
80590ec4 0f8c4a010000    jl      nt!IoReportResourceUsage+0x633e (80591014)
1: kd>
nt!IoReportResourceUsage+0x61f4:
80590eca ffb688000000    push    dword ptr [esi+88h]
1: kd>
nt!IoReportResourceUsage+0x61fa:
80590ed0 33db            xor     ebx,ebx
1: kd>
nt!IoReportResourceUsage+0x61fc:
80590ed2 895d10          mov     dword ptr [ebp+10h],ebx
1: kd>
nt!IoReportResourceUsage+0x61ff:
80590ed5 895dd8          mov     dword ptr [ebp-28h],ebx
1: kd>
nt!IoReportResourceUsage+0x6202:
80590ed8 e8a5e7f5ff      call    nt!IoGetAttachedDevice (804ef682)
1: kd>
nt!IoReportResourceUsage+0x6207:
80590edd 8945c8          mov     dword ptr [ebp-38h],eax
1: kd>
nt!IoReportResourceUsage+0x620a:
80590ee0 885d0f          mov     byte ptr [ebp+0Fh],bl
1: kd>
nt!IoReportResourceUsage+0x620d:
80590ee3 807d0f02        cmp     byte ptr [ebp+0Fh],2
1: kd>
nt!IoReportResourceUsage+0x6211:
80590ee7 7525            jne     nt!IoReportResourceUsage+0x6238 (80590f0e)
1: kd>
nt!IoReportResourceUsage+0x6238:
80590f0e 0fb6450f        movzx   eax,byte ptr [ebp+0Fh]
1: kd>
nt!IoReportResourceUsage+0x623c:
80590f12 8b7c85b4        mov     edi,dword ptr [ebp+eax*4-4Ch]
1: kd>
nt!IoReportResourceUsage+0x6240:
80590f16 3bfb            cmp     edi,ebx
1: kd>
nt!IoReportResourceUsage+0x6242:
80590f18 7459            je      nt!IoReportResourceUsage+0x629d (80590f73)
1: kd>
nt!IoReportResourceUsage+0x629d:
80590f73 fe450f          inc     byte ptr [ebp+0Fh]
1: kd>
nt!IoReportResourceUsage+0x62a0:
80590f76 807d0f05        cmp     byte ptr [ebp+0Fh],5
1: kd>
nt!IoReportResourceUsage+0x62a4:
80590f7a 0f8263ffffff    jb      nt!IoReportResourceUsage+0x620d (80590ee3)
1: kd>
nt!IoReportResourceUsage+0x620d:
80590ee3 807d0f02        cmp     byte ptr [ebp+0Fh],2
1: kd>
nt!IoReportResourceUsage+0x6211:
80590ee7 7525            jne     nt!IoReportResourceUsage+0x6238 (80590f0e)
1: kd>
nt!IoReportResourceUsage+0x6238:
80590f0e 0fb6450f        movzx   eax,byte ptr [ebp+0Fh]
1: kd>
nt!IoReportResourceUsage+0x623c:
80590f12 8b7c85b4        mov     edi,dword ptr [ebp+eax*4-4Ch]
1: kd>
nt!IoReportResourceUsage+0x6240:
80590f16 3bfb            cmp     edi,ebx
1: kd>
nt!IoReportResourceUsage+0x6242:
80590f18 7459            je      nt!IoReportResourceUsage+0x629d (80590f73)
1: kd>
nt!IoReportResourceUsage+0x629d:
80590f73 fe450f          inc     byte ptr [ebp+0Fh]
1: kd>
nt!IoReportResourceUsage+0x62a0:
80590f76 807d0f05        cmp     byte ptr [ebp+0Fh],5
1: kd>
nt!IoReportResourceUsage+0x62a4:
80590f7a 0f8263ffffff    jb      nt!IoReportResourceUsage+0x620d (80590ee3)
1: kd>
nt!IoReportResourceUsage+0x620d:
80590ee3 807d0f02        cmp     byte ptr [ebp+0Fh],2
1: kd>
nt!IoReportResourceUsage+0x6211:
80590ee7 7525            jne     nt!IoReportResourceUsage+0x6238 (80590f0e)
1: kd>
nt!IoReportResourceUsage+0x6213:
80590ee9 ffb688000000    push    dword ptr [esi+88h]
1: kd>
nt!IoReportResourceUsage+0x6219:
80590eef e88ee7f5ff      call    nt!IoGetAttachedDevice (804ef682)
1: kd>
nt!IoReportResourceUsage+0x621e:
80590ef4 807dff00        cmp     byte ptr [ebp-1],0
1: kd>
nt!IoReportResourceUsage+0x6222:
80590ef8 8945d8          mov     dword ptr [ebp-28h],eax
1: kd>
nt!IoReportResourceUsage+0x6225:
80590efb 7411            je      nt!IoReportResourceUsage+0x6238 (80590f0e)
1: kd>
nt!IoReportResourceUsage+0x6238:
80590f0e 0fb6450f        movzx   eax,byte ptr [ebp+0Fh]
1: kd>
nt!IoReportResourceUsage+0x623c:
80590f12 8b7c85b4        mov     edi,dword ptr [ebp+eax*4-4Ch]
1: kd>
nt!IoReportResourceUsage+0x6240:
80590f16 3bfb            cmp     edi,ebx
1: kd>
nt!IoReportResourceUsage+0x6242:
80590f18 7459            je      nt!IoReportResourceUsage+0x629d (80590f73)
1: kd>
nt!IoReportResourceUsage+0x6244:
80590f1a 83c002          add     eax,2
1: kd>
nt!IoReportResourceUsage+0x6247:
80590f1d 8945e8          mov     dword ptr [ebp-18h],eax
1: kd>
nt!IoReportResourceUsage+0x624a:
80590f20 8b17            mov     edx,dword ptr [edi]
1: kd>
nt!IoReportResourceUsage+0x624c:
80590f22 8b4218          mov     eax,dword ptr [edx+18h]
1: kd>
nt!IoReportResourceUsage+0x624f:
80590f25 ff75e8          push    dword ptr [ebp-18h]
1: kd>
nt!IoReportResourceUsage+0x6252:
80590f28 8b4004          mov     eax,dword ptr [eax+4]
1: kd>
nt!IoReportResourceUsage+0x6255:
80590f2b 8b8e88000000    mov     ecx,dword ptr [esi+88h]
1: kd>
nt!IoReportResourceUsage+0x625b:
80590f31 50              push    eax
1: kd>
nt!IoReportResourceUsage+0x625c:
80590f32 e80b65f6ff      call    nt!IoReportTargetDeviceChangeAsynchronous+0x169e (804f7442)
1: kd>
nt!IoReportResourceUsage+0x6261:
80590f37 3bc3            cmp     eax,ebx
1: kd>
nt!IoReportResourceUsage+0x6263:
80590f39 894508          mov     dword ptr [ebp+8],eax
1: kd>
nt!IoReportResourceUsage+0x6266:
80590f3c 7c1d            jl      nt!IoReportResourceUsage+0x6285 (80590f5b)
1: kd>
nt!IoReportResourceUsage+0x6285:
80590f5b 807d0f02        cmp     byte ptr [ebp+0Fh],2
1: kd>
nt!IoReportResourceUsage+0x6289:
80590f5f 742e            je      nt!IoReportResourceUsage+0x62b9 (80590f8f)
1: kd>
nt!IoReportResourceUsage+0x62b9:
80590f8f 8b45c8          mov     eax,dword ptr [ebp-38h]
1: kd>
nt!IoReportResourceUsage+0x62bc:
80590f92 8b5010          mov     edx,dword ptr [eax+10h]
1: kd>
nt!IoReportResourceUsage+0x62bf:
80590f95 8b8e88000000    mov     ecx,dword ptr [esi+88h]
1: kd>
nt!IoReportResourceUsage+0x62c5:
80590f9b 53              push    ebx
1: kd>
nt!IoReportResourceUsage+0x62c6:
80590f9c ff7510          push    dword ptr [ebp+10h]
1: kd>
nt!IoReportResourceUsage+0x62c9:
80590f9f e862ecfaff      call    nt!wctomb+0x3f0b (8053fc06)
1: kd>
nt!IoReportResourceUsage+0x62ce:
80590fa4 6a1f            push    1Fh
1: kd>
nt!IoReportResourceUsage+0x62d0:
80590fa6 53              push    ebx
1: kd>
nt!IoReportResourceUsage+0x62d1:
80590fa7 56              push    esi
1: kd>
nt!IoReportResourceUsage+0x62d2:
80590fa8 e8a7370000      call    nt!IoReportResourceUsage+0x9a7e (80594754)
1: kd>
nt!IoReportResourceUsage+0x62d7:
80590fad eb65            jmp     nt!IoReportResourceUsage+0x633e (80591014)
1: kd>
nt!IoReportResourceUsage+0x633e:
80591014 8d5db4          lea     ebx,[ebp-4Ch]
1: kd>
nt!IoReportResourceUsage+0x6341:
80591017 c7450c05000000  mov     dword ptr [ebp+0Ch],5
1: kd>
nt!IoReportResourceUsage+0x6348:
8059101e 8b33            mov     esi,dword ptr [ebx]
1: kd>
nt!IoReportResourceUsage+0x634a:
80591020 eb24            jmp     nt!IoReportResourceUsage+0x6370 (80591046)
1: kd>
nt!IoReportResourceUsage+0x6370:
80591046 85f6            test    esi,esi
1: kd>
nt!IoReportResourceUsage+0x6372:
80591048 75d8            jne     nt!IoReportResourceUsage+0x634c (80591022)
1: kd>
nt!IoReportResourceUsage+0x6374:
8059104a 83c304          add     ebx,4
1: kd>
nt!IoReportResourceUsage+0x6377:
8059104d ff4d0c          dec     dword ptr [ebp+0Ch]
1: kd>
nt!IoReportResourceUsage+0x637a:
80591050 75cc            jne     nt!IoReportResourceUsage+0x6348 (8059101e)
1: kd>
nt!IoReportResourceUsage+0x6348:
8059101e 8b33            mov     esi,dword ptr [ebx]
1: kd>
nt!IoReportResourceUsage+0x634a:
80591020 eb24            jmp     nt!IoReportResourceUsage+0x6370 (80591046)
1: kd>
nt!IoReportResourceUsage+0x6370:
80591046 85f6            test    esi,esi
1: kd>
nt!IoReportResourceUsage+0x6372:
80591048 75d8            jne     nt!IoReportResourceUsage+0x634c (80591022)
1: kd>
nt!IoReportResourceUsage+0x6374:
8059104a 83c304          add     ebx,4
1: kd>
nt!IoReportResourceUsage+0x6377:
8059104d ff4d0c          dec     dword ptr [ebp+0Ch]
1: kd>
nt!IoReportResourceUsage+0x637a:
80591050 75cc            jne     nt!IoReportResourceUsage+0x6348 (8059101e)
1: kd>
nt!IoReportResourceUsage+0x6348:
8059101e 8b33            mov     esi,dword ptr [ebx]
1: kd>
nt!IoReportResourceUsage+0x634a:
80591020 eb24            jmp     nt!IoReportResourceUsage+0x6370 (80591046)
1: kd>
nt!IoReportResourceUsage+0x6370:
80591046 85f6            test    esi,esi
1: kd>
nt!IoReportResourceUsage+0x6372:
80591048 75d8            jne     nt!IoReportResourceUsage+0x634c (80591022)
1: kd>
nt!IoReportResourceUsage+0x634c:
80591022 803d96b4558000  cmp     byte ptr [nt!IoAdapterObjectType+0x726 (8055b496)],0
1: kd>
nt!IoReportResourceUsage+0x6353:
80591029 8bfe            mov     edi,esi
1: kd>
nt!IoReportResourceUsage+0x6355:
8059102b 8b7604          mov     esi,dword ptr [esi+4]
1: kd>
nt!IoReportResourceUsage+0x6358:
8059102e 7407            je      nt!IoReportResourceUsage+0x6361 (80591037)
1: kd>
nt!IoReportResourceUsage+0x635a:
80591030 ff37            push    dword ptr [edi]
1: kd>
nt!IoReportResourceUsage+0x635c:
80591032 e885350000      call    nt!IoReportResourceUsage+0x98e6 (805945bc)
1: kd>
nt!IoReportResourceUsage+0x6361:
80591037 8b0f            mov     ecx,dword ptr [edi]
1: kd>
nt!IoReportResourceUsage+0x6363:
80591039 e8a057f9ff      call    nt!ObfDereferenceObject (805267de)
1: kd>
nt!RtlUnwind+0xdc1:
80532043 5d              pop     ebp
1: kd> lm
start    end        module name
7eb30000 7ebe4000   ntdll      (pdb symbols)          C:\Programme\Windows Kits\8.1\Debuggers\x86\sym\ntdll.pdb\08DE4D91BE654ACEB9F397576108EF3E2\ntdll.pdb
80062000 80072a80   pci        (deferred)             
80100000 8012a000   KDSTUB     (deferred)             
804d7000 806e5000   nt         (export symbols)       ntkrpamp.exe
80706000 8072e000   kdcom      (deferred)             
b3748000 b37a5f00   update     (deferred)             
b37a6000 b37c8700   ks         (deferred)             
b37c9000 b37f8c80   rdpdr      (deferred)             
b44e6000 b44e6c00   audstub    (deferred)             
b45f7000 b4600f80   termdd     (deferred)             
b500e000 b5011c80   mssmbios   (deferred)             
b6e27000 b6e28100   swenum     (deferred)             
b8eab000 b8eb3e00   intelppm   (deferred)             
b96b5000 b96dd000   HDAudBus   (deferred)             
b979d000 b97a0d80   serenum    (deferred)             
b97b1000 b97b3280   wmiacpi    (deferred)             
b987f000 b9898e80   Mup        (deferred)             
b9899000 b98d8000   NETIO      (deferred)             
b98d8000 b9903000   msrpc      (deferred)             
b9903000 b9aec680   ntoskrn8   (deferred)             
b9aed000 b9ba5000   NDIS       (deferred)             
b9ba5000 b9c31d00   Ntfs       (deferred)             
b9c32000 b9c48b80   KSecDD     (deferred)             
b9c49000 b9c5af00   sr         (deferred)             
b9c5b000 b9c7ab00   fltMgr     (deferred)             
b9c7b000 b9f30000   iaStor     (deferred)             
b9f30000 b9f55700   dmio       (deferred)             
b9f56000 b9f74880   ftdisk     (deferred)             
b9f75000 b9fa7000   ACPI       (deferred)             
ba0a8000 ba0b1180   isapnp     (deferred)             
ba0b8000 ba0c2700   MountMgr   (deferred)             
ba0c8000 ba0d3000   PartMgr    (deferred)             
ba0d8000 ba0e4c80   VolSnap    (deferred)             
ba0e8000 ba0f8000   disk       (deferred)             
ba0f8000 ba104180   CLASSPNP   (deferred)             
ba278000 ba284d00   i8042prt   (deferred)             
ba288000 ba297c00   serial     (deferred)             
ba328000 ba32e800   firadisk   (deferred)             
ba3b8000 ba3be000   kbdclass   (deferred)             
ba3c0000 ba3c5a00   mouclass   (deferred)             
ba4b8000 ba4bb000   BOOTVID    (deferred)             
ba5a8000 ba5a9100   WMILIB     (deferred)             
ba5aa000 ba5ab700   dmload     (deferred)             

Unloaded modules:
b5006000 b5009000   Sfloppy.SYS
b45e7000 b45f3000   Flpydisk.SYS
b6f9d000 b6fa4000   Fdc.SYS
b86d2000 b873f000   e1d6232.sys

Edited by Dietmar
Link to comment
Share on other sites

@Dietmar

can you try these ndis/netio/msrpc.sys files on a system with a known XP compatible NDIS5 NIC?

i.e just swap the files on a system with a working NIC on XP and restart. Does it stop working?

do you get a similar BSOD on that kind of hardware?

Link to comment
Share on other sites

Posted (edited)

@Damnation

I already tried this, same Bsod with ndis5 driver for the i217 and ndis/netio/msrpc.sys files from win7 together with ntoskrn8.sys .

I also look, if the i217 is backword compatible with the win7 driver and ndis/netio/msrpc.sys files from win7 together with ntoskrn8.sys,

also not, same Bsod.

Now I think the best what we can do is, to look step by step at the working 5048 ndis/netio/msrpc.sys,

which driver has to be loaded at which time. For me it is still strange as much as possible, that I cant catch the driverentry of netio.sys.

It looks, as if this driver never starts, is only loaded. And this may be the reason, why the e1d6232.sys is unloaded

Dietmar

PS: Now I am tired and go to bed:)).

Next BIG step would be, to look at a working mini win7 SP1, which Lan files are loaded at which time,

looking also for registry entries. Before e1d6232.sys install and then with Beyond compare of whole registry after install.

 

Edited by Dietmar
Link to comment
Share on other sites

@Damnation

I make a try what happens in real win7. This win7 sp1 boots on the Asrock z370 k6 board with working drivers for i219 and i211, I test.

With unlocker1.9.0-portable I rename on this win7 sp1 bit32 HD in an USB box

netio.sys msrpc.sys and ndis.sys to netioORI.sys msrpcORI.sys and ndisORI.sys .

Then I copy there your modded netio.sys msrpc.sys ndis.sys and ntoskrn8.sys.

But win7 does not want to start with this files, even via F8 I choose "unsigned driver".

The crazy System repair from win7 kicked the modified files out and replace it with its own.

Is there a way, to tell win7 not to do this

Dietmar

Link to comment
Share on other sites

@Damnation

Can you please integrate for me the function

NdisGroupActiveProcessorCount

into ndis.sys from Longhorn 5048?

I think, that you do this via ntoskrn8.sys .

I make a try with PE Maker, to add this function to ndis.sys by myself but I dont know,

from where to get this function and how to integrate it into ndis.sys (or ntoskrn8.sys).

This function is the only missed function in Import in ndis.sys for the win7 e1d6232.sys driver,

as you can see with Dependency Walker

Dietmar

https://ufile.io/0taapdko

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   1 member



×
×
  • Create New...