
Help with Windows Debugging Tools



Posted

Today I received a rather unexpected critical stop while working away on my desktop doing the same thing I do every day of the year (ftp, ssh, txt editing, browsing, irc, im). For whatever reason it did not generate a log in Event Viewer as they usually tend to. There have been no recent updates or installations in the past month or so other than this and last month's automatic updates. However, I did remove Kaspersky antivirus from the system the other day in preparation for getting around to moving over to Nod32.

Fired up Windows debugger and checked the minidump. I doubt the OS component, win32k.sys in this case, is at fault unless the most recent updates or Kaspersky's uninstaller broke something.

Any chance I can figure out what driver passed a bad instruction when calling win32k.sys from this dump?

http://ankle.sinistrals.net/misc/files/Mini122706-01.dmp

BugCheck 10000050, {e2ecf1e0, 0, bf801a2a, 1}

Could not read faulting driver name

Probably caused by : win32k.sys ( win32k!HmgLock+65 )

Followup: MachineOwner

---------

1: kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (10000050)

Unknown bugcheck description

Arguments:

Arg1: e2ecf1e0

Arg2: 00000000

Arg3: bf801a2a

Arg4: 00000001

Debugging Details:

------------------

Could not read faulting driver name

READ_ADDRESS: e2ecf1e0

FAULTING_IP:

win32k!HmgLock+65

bf801a2a 6683780800 cmp word ptr [eax+0x8],0x0

MM_INTERNAL_CODE: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from bf8053dd to bf801a2a

STACK_TEXT:

ba58f788 bf8053dd 01010570 000000cc ba58f8c0 win32k!HmgLock+0x65

ba58f798 bf83f4fb 01010570 ba58f934 0012e85c win32k!MDCOBJ::MDCOBJ+0x13

ba58f8c0 bf83378f 01010573 00000000 00000000 win32k!GreStretchBltInternal+0xda

ba58f8fc 8054078c 01010573 00000000 00000000 win32k!GreStretchBlt+0x30

ba58f8fc 7c90eb94 01010573 00000000 00000000 nt!KiFastCallEntry+0xfc

WARNING: Frame IP not in any known module. Following frames may be wrong.

0012e820 00000000 00000000 00000000 00000000 0x7c90eb94

ba58fbec 805a077d ba58fca8 ba58fcac ba58fc7c nt!KiCallUserMode+0x4

ba58fc48 bf813e27 00000002 ba58fc8c 00000018 nt!KeUserModeCallback+0x87

ba58fccc bf8035de bc654a20 0000000f 00000000 win32k!SfnDWORD+0xa8

ba58fd0c bf80f532 01b02b30 ba58fd64 0012fd74 win32k!xxxDispatchMessage+0x1dc

ba58fd58 8054078c 0012fe54 0012fdac 7c90eb94 win32k!NtUserDispatchMessage+0x39

ba58fd58 7c90eb94 0012fe54 0012fdac 7c90eb94 nt!KiFastCallEntry+0xfc

0012fd3c 00000000 00000000 00000000 00000000 0x7c90eb94

FOLLOWUP_IP:

win32k!HmgLock+65

bf801a2a 6683780800 cmp word ptr [eax+0x8],0x0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!HmgLock+65

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 43446b4e

STACK_COMMAND: kb

BUCKET_ID: 0x50_win32k!HmgLock+65

Followup: MachineOwner

---------

Here are the loaded modules:

1: kd> lm

start end module name

804d7000 806e2000 nt # (pdb symbols) c:\symbols\ntkrpamp.pdb\93B3151FBA1F444E921B0B7AF2BADA5A1\ntkrpamp.pdb

806e2000 80702c80 hal (deferred)

9099a000 909c3f00 kmixer (deferred)

97f6d000 97f6ff80 mouhid (deferred)

a8164000 a8187100 Fastfat (deferred)

b93f5000 b93fd2e0 LHidUsb (deferred)

b9499000 b949b580 hidusb (deferred)

b94e1000 b94e4800 asyncmac (deferred)

b9e7d000 b9e80700 BATTC (deferred)

b9f45000 b9f47480 compbatt (deferred)

b9fe5000 b9fedd80 HIDCLASS (deferred)

ba045000 ba06cf00 secdrv (deferred)

ba06d000 ba0be480 srv (deferred)

ba0e3000 ba0e5d00 vstor2 (deferred)

ba134000 ba148400 wdmaud (deferred)

ba211000 ba239600 atksgt (deferred)

ba23a000 ba251280 vmx86 (deferred)

ba2ea000 ba2f8d80 sysaudio (deferred)

ba352000 ba355d00 vmnetuserif (deferred)

ba376000 ba379a00 kbdhid (deferred)

ba462000 ba469c00 usbccgp (deferred)

ba482000 ba497980 nwlnkipx (deferred)

ba510000 ba512800 VMNET (deferred)

ba590000 ba59a000 hcmon (deferred)

ba5b0000 ba5bda80 nwlnkspx (deferred)

bf800000 bf9c1100 win32k # (pdb symbols) c:\symbols\win32k.pdb\756382DF1446491E911BD0C649DCE93C2\win32k.pdb

bf9c2000 bf9d3580 dxg (deferred)

bf9d4000 bfe25580 nv4_disp (deferred)

bffa0000 bffe5c00 ATMFD (deferred)

f3b8b000 f3ba2580 dump_atapi (deferred)

f3c6b000 f3c96000 klif (deferred)

f3c96000 f3d04f00 mrxsmb (deferred)

f3d05000 f3d2fa00 rdbss (deferred)

f3d30000 f3d51d00 afd (deferred)

f3d52000 f3d79c00 netbt (deferred)

f3d7a000 f3d9af00 ipnat (deferred)

f3d9b000 f3df3080 tcpip (deferred)

f3df4000 f3e06400 ipsec (deferred)

f3ecf000 f3ede900 Cdfs (deferred)

f3f2f000 f3f3e760 LMouFlt2 (deferred)

f3f8e000 f402a000 ctac32k (deferred)

f402a000 f4051000 ctsfm2k (deferred)

f4051000 f407e000 emupia2k (deferred)

f407e000 f417f000 ha10kx2k (deferred)

f417f000 f41a9000 hap16v2k (deferred)

f424d000 f424f900 Dxapi (deferred)

f4279000 f427baa0 klmc (deferred)

f63aa000 f63dd180 update (deferred)

f63de000 f640e100 rdpdr (deferred)

f644f000 f6457880 Fips (deferred)

f645f000 f646e700 nwlnknb (deferred)

f646f000 f6477700 netbios (deferred)

f647f000 f648dd80 arp1394 (deferred)

f648f000 f6497700 wanarp (deferred)

f649f000 f64a8000 wpsdrvnt (deferred)

f64af000 f64bfe00 psched (deferred)

f64c0000 f64d6680 ndiswan (deferred)

f64d7000 f650a400 NVSNPU (deferred)

f650b000 f6550200 NVNRM (deferred)

f6551000 f6583000 ctoss2k (deferred)

f6583000 f65ee400 ctaud2k (deferred)

f65ef000 f6611e80 USBPORT (deferred)

f6612000 f6634680 ks (deferred)

f6635000 f6658a00 portcls (deferred)

f6659000 f666c900 parport (deferred)

f666d000 f6680780 VIDEOPRT (deferred)

f6681000 f6a50400 nv4_mini (deferred)

f70f7000 f70fac80 mssmbios (deferred)

f7121000 f7123580 ndistapi (deferred)

f7125000 f7128280 nvnetbus (deferred)

f7129000 f712bf80 ctgame (deferred)

f7139000 f713cc80 serenum (deferred)

f713d000 f713f980 gameenum (deferred)

f7161000 f717aa80 Mup (deferred)

f717b000 f7198000 Teefer (deferred)

f7198000 f71c4a80 NDIS (deferred)

f71c5000 f7251480 Ntfs (deferred)

f7252000 f7268780 KSecDD (deferred)

f7269000 f727af00 sr (deferred)

f727b000 f727c000 fltMgr (deferred)

f729a000 f72b1880 SCSIPORT (deferred)

f72c3000 f72da580 atapi (deferred)

f72db000 f7300700 dmio (deferred)

f7301000 f731f880 ftdisk (deferred)

f7320000 f7330a80 pci (deferred)

f7331000 f735ed80 ACPI (deferred)

f735f000 f7385f80 Vax347b (deferred)

f7487000 f748fc00 isapnp (deferred)

f7497000 f74a5f80 ohci1394 (deferred)

f74a7000 f74b4000 1394BUS (deferred)

f74b7000 f74c1500 MountMgr (deferred)

f74c7000 f74d3c80 VolSnap (deferred)

f74d7000 f74dfe00 disk (deferred)

f74e7000 f74f3200 CLASSPNP (deferred)

f75f7000 f7605b80 drmk (deferred)

f7607000 f7616d80 serial (deferred)

f7617000 f7621400 imapi (deferred)

f7627000 f7633180 cdrom (deferred)

f7637000 f7645080 redbook (deferred)

f7647000 f7656180 nic1394 (deferred)

f7657000 f7665000 AmdK8 (deferred)

f7667000 f7671200 raspppoe (deferred)

f7677000 f7682d00 raspptp (deferred)

f7687000 f768f900 msgpc (deferred)

f7697000 f76a3880 rasl2tp (deferred)

f76a7000 f76b0f00 termdd (deferred)

f76d7000 f76e0480 NDProxy (deferred)

f76e7000 f76f5200 usbhub (deferred)

f76f7000 f76ff380 NVENETFD (deferred)

f7707000 f770d200 PCIIDEX (deferred)

f770f000 f7713900 PartMgr (deferred)

f7717000 f771b880 TDI (deferred)

f7727000 f772e880 Npfs (deferred)

f777f000 f7784f00 LHidFlt2 (deferred)

f7787000 f778b500 watchdog (deferred)

f778f000 f7794b80 vmnetbridge (deferred)

f7797000 f779e000 VMparport (deferred)

f779f000 f77a3680 lirsgt (deferred)

f77c7000 f77cbb00 HidBatt (deferred)

f781f000 f7825b00 fdc (deferred)

f7827000 f782b280 usbohci (deferred)

f782f000 f7835980 usbehci (deferred)

f7837000 f783e000 GEARAspiWDM (deferred)

f783f000 f7847000 ctprxy2k (deferred)

f7847000 f784e580 Modem (deferred)

f784f000 f7853580 ptilink (deferred)

f7857000 f785b080 raspti (deferred)

f785f000 f7865000 kbdclass (deferred)

f7867000 f786ca00 mouclass (deferred)

f786f000 f7874000 flpydisk (deferred)

f787f000 f7885180 HIDPARSE (deferred)

f7887000 f788c200 vga (deferred)

f788f000 f7890000 Msfs (deferred)

f7897000 f789a000 BOOTVID (deferred)

f789b000 f789d880 SiWinAcc (deferred)

f789f000 f78a1280 kl1 (deferred)

f796b000 f796d280 rasacd (deferred)

f7987000 f7988b80 kdcom (deferred)

f7989000 f798a100 WMILIB (deferred)

f798b000 f798c000 dmload (deferred)

f798d000 f798e480 Vax347s (deferred)

f79ab000 f79ac100 swenum (deferred)

f79af000 f79b0280 USBD (deferred)

f79b1000 f79b2000 Fs_Rec (deferred)

f79b3000 f79b4080 Beep (deferred)

f79b5000 f79b6080 RDPCDD (deferred)

f79b9000 f79ba100 dump_WMILIB (deferred)

f79d5000 f79d7000 wg3n (deferred)

f79d7000 f79d9000 wg4n (deferred)

f79d9000 f79db000 wg5n (deferred)

f79db000 f79dd000 wg6n (deferred)

f79e1000 f79e2000 ParVdm (deferred)

f79e3000 f79e4d80 enodpl (deferred)

f79e5000 f79e6280 tandpl (deferred)

f7a3d000 f7a3e100 hiber_WMILIB (deferred)

f7a4f000 f7a4fd00 pciide (deferred)

f7a50000 f7a51000 speedfan (deferred)

f7a51000 f7a51680 giveio (deferred)

f7b0d000 f7b0dd00 dxgthk (deferred)

f7b1d000 f7b1db80 msmpu401 (deferred)

f7b2e000 f7b2ec00 audstub (deferred)

f7b5c000 f7b5d000 Null (deferred)


Posted

No, because the driver is already unloaded or its memory address is corrupt (that's why you see only a memory address in the stack). You'll either need to enable driver verifier or special pool (or both). However, I can tell you just from the stack that it is a user mode application calling a kernel-mode driver to do something (likely in nonpaged pool) - if you've installed, uninstalled, or updated an antivirus, antispyware, firewall, or backup application recently, those would then be suspect.
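As an added example (not part of the original posts, and not either poster's code), this Python script maps the addresses from the `!analyze -v` output onto the module ranges in the `lm` listing, which is the check that tells you whether an address belongs to a loaded driver at all. The function names are hypothetical, and `KERNEL_BASE` assumes the default 2 GB/2 GB address split of 32-bit Windows.

```python
import re

# Excerpt of the `lm` listing from the post (symbol-path columns trimmed).
LM_EXCERPT = """\
start end module name
804d7000 806e2000 nt
806e2000 80702c80 hal (deferred)
ba590000 ba59a000 hcmon (deferred)
bf800000 bf9c1100 win32k
bf9d4000 bfe25580 nv4_disp (deferred)
f3c6b000 f3c96000 klif (deferred)
f717b000 f7198000 Teefer (deferred)
"""

# Assumption: default 32-bit split, kernel space starts at 0x80000000 (no /3GB).
KERNEL_BASE = 0x80000000

def parse_lm(text):
    """Return sorted (start, end, name) tuples; non-module lines are skipped."""
    mods = []
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", line, re.I)
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return sorted(mods)

def resolve(addr, mods):
    """Map an address to 'module+0xoff', or say why no listed module owns it."""
    if addr < KERNEL_BASE:
        return "user-mode address (user modules are not in this lm list)"
    for start, end, name in mods:
        if start <= addr < end:
            return f"{name}+0x{addr - start:x}"
    return "kernel address outside every listed module"

def triage(addresses, mods):
    """Resolve a {label: address} mapping in one pass."""
    return {label: resolve(a, mods) for label, a in addresses.items()}

# Values copied from the !analyze -v output in the post.
FROM_DUMP = {
    "Arg1 / READ_ADDRESS": 0xE2ECF1E0,
    "Arg3 / FAULTING_IP": 0xBF801A2A,
    "nt!KiFastCallEntry frame": 0x8054078C,
    "frame flagged by WARNING": 0x7C90EB94,
}

if __name__ == "__main__":
    for label, where in triage(FROM_DUMP, parse_lm(LM_EXCERPT)).items():
        print(f"{label:26} {where}")
```

Feeding the full `lm` output to `parse_lm` instead of the excerpt gives the same answers for these four addresses, since none of the omitted ranges contain them.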
