Channel: Sysinternals Forums

Process Explorer : bugcheck in process explorer

Author: danmcleran
Subject: bugcheck in process explorer
Posted: 03 January 2013 at 8:17pm

That's weird. When I came back from the crash, I saw 2 shortcuts: procexp and procexp64. I ran both one after the other and now I only see procexp. Strange behavior. I repeated what I did before with the same result (bugcheck).

1. Run procexp.exe as admin.
2. dbl-click on one of my svchost.exe processes.
3. open Threads tab.
4. dbl-click on a thread (ntdll.dll!RtlRegisterThreadWithCsrss + 0x174)

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff880055b4038, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff880176eaf9d, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS: unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
 fffff880055b4038 

FAULTING_IP: 
PROCEXP141+1f9d
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

MODULE_NAME: PROCEXP141

FAULTING_MODULE: fffff880176e9000 PROCEXP141

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff8801608b520 -- (.trap 0xfffff8801608b520)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880055b4040 rbx=0000000000000000 rcx=fffffa8007ef86c0
rdx=fffff880055b4000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880176eaf9d rsp=fffff8801608b6b0 rbp=fffff98005b6efe0
 r8=fffff8a00225c001  r9=0000000000000001 r10=0000000083350028
r11=fffff8801608b8e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
PROCEXP141+0x1f9d:
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h] ds:af10:4038=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80194c010ea to fffff80194b00930

STACK_TEXT:  
fffff880`1608ab78 fffff801`94c010ea : 00000000`00000000 00000000`00000050 fffff880`1608ace0 fffff801`94b854b8 : nt!RtlpBreakWithStatusInstruction
fffff880`1608ab80 fffff801`94c00742 : 00000000`00000003 fffff880`1608ace0 fffff801`94b85ee0 fffff880`1608b230 : nt!KiBugCheckDebugBreak+0x12
fffff880`1608abe0 fffff801`94b06144 : 00000000`00000000 00000000`05fb5df8 00000000`00000238 00000000`05fb79b0 : nt!KeBugCheck2+0x79f
fffff880`1608b300 fffff801`94c73e59 : 00000000`00000050 fffff880`055b4038 00000000`00000000 fffff880`1608b520 : nt!KeBugCheckEx+0x104
fffff880`1608b340 fffff801`94b40b6f : 00000000`00000000 fffff880`055b4038 fffffa80`0868f700 00000000`05fb6d01 : nt! ?? ::FNODOBFM::`string'+0x32c9f
fffff880`1608b3e0 fffff801`94b03aee : 00000000`00000000 fffff980`05beaf10 00000000`c0000000 fffff880`1608b520 : nt!MmAccessFault+0x54f
fffff880`1608b520 fffff880`176eaf9d : 00000000`00000000 00000000`00000000 00000000`00000000 00000001`00000000 : nt!KiPageFault+0x16e
fffff880`1608b6b0 fffff880`176eb073 : 00000000`00000000 fffffa80`08688e40 fffff801`94d29400 00000000`00000000 : PROCEXP141+0x1f9d
fffff880`1608b8a0 fffff801`950c8d26 : fffff980`05beaee0 00000000`00000002 fffffa80`086863b0 fffffa80`05021418 : PROCEXP141+0x2073
fffff880`1608b940 fffff801`94eef42f : fffff980`05beaee0 fffff880`1608bc80 fffff980`05beaff8 fffffa80`07a2fb00 : nt!IovCallDriver+0x3e6
fffff880`1608b990 fffff801`94eefdb6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7dd
fffff880`1608bb20 fffff801`94b05053 : 00000000`00000000 00000000`00000000 00000000`05fb6901 fffffa80`07ef86c0 : nt!NtDeviceIoControlFile+0x56
fffff880`1608bb90 000007f8`3fd92c1a : 000007f8`3cdf3579 000007f8`3f981742 0000003f`0000003e ffffffff`fffc9e30 : nt!KiSystemServiceCopyEnd+0x13
00000000`05fb5df8 000007f8`3cdf3579 : 000007f8`3f981742 0000003f`0000003e ffffffff`fffc9e30 00000000`01574e90 : ntdll!ZwDeviceIoControlFile+0xa
00000000`05fb5e00 000007f8`3ec31880 : 00000000`83350028 00000000`00000000 00000000`000202ea 000007f7`423458a0 : KERNELBASE!DeviceIoControl+0x75
00000000`05fb5e70 000007f7`4237d8de : 00000000`00000000 00000000`05fb6820 00000000`05fb7441 00000000`05fb6920 : KERNEL32!DeviceIoControlImplementation+0x74
00000000`05fb5ec0 000007f7`42390bb3 : 00000000`00000064 00000000`000202e8 00000000`000002fc 00000000`05fb5fc0 : procexp64+0x3d8de
00000000`05fb5f20 000007f8`3f99b6ca : 00000000`000202ea 00000000`00000001 00000000`00000110 00000000`000202ea : procexp64+0x50bb3
00000000`05fb7300 000007f8`3f99b108 : 00000000`01574e90 00000000`00000000 00000000`00000110 00000000`000202e8 : USER32!UserCallDlgProcCheckWow+0x18b
00000000`05fb73d0 000007f8`3f9d3b19 : 00000000`05fb79a8 00000000`05fb7610 00000000`00000110 00000000`00002020 : USER32!DefDlgProcWorker+0xb8
00000000`05fb74a0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`00000070 ffffffff`ffffffff : USER32!DefDlgProcA+0x39
00000000`05fb74e0 000007f8`3f9c22f9 : 00000000`05fb79a8 00000000`00000110 00000000`80000000 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb75a0 000007f8`3f99c7a5 : 000007f7`424333dc 00000000`00000000 00000000`000202e8 000007f7`424333dc : USER32!SendMessageWorker+0xa72
00000000`05fb7650 000007f8`3f9ab889 : 00000000`00010298 000007f7`423905c0 00000000`00000001 000007f7`423905c0 : USER32!InternalCreateDialog+0x9f6
00000000`05fb77e0 000007f8`3f9ab936 : 000007f7`42340000 00000000`00010298 000007f7`423905c0 ffffffff`ffffffff : USER32!InternalDialogBox+0xf9
00000000`05fb7840 000007f8`3f9c9c3e : 000007f7`42340000 000007f7`423905c0 ffffffff`ffffffff 00000000`00000000 : USER32!DialogBoxIndirectParamAorW+0x56
00000000`05fb7880 000007f7`423929b3 : 00000000`00010298 00000000`0364d670 00000000`00000000 00000000`0364cea0 : USER32!DialogBoxParamA+0x82
00000000`05fb78c0 000007f8`3f99b3b9 : 00000000`04fdd600 00000000`04fdd6a6 00000000`534f5047 00000000`01158de0 : procexp64+0x529b3
00000000`05fb8b30 000007f8`3f99b108 : 00000000`015714f0 00000000`00000000 00000000`00000111 00000000`0000043d : USER32!UserCallDlgProcCheckWow+0x135
00000000`05fb8c00 000007f8`3f9d3b19 : 00000000`00000000 00000000`0000043d 00000000`00000111 00000000`00000000 : USER32!DefDlgProcWorker+0xb8
00000000`05fb8cd0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`05fba111 00000000`00000000 : USER32!DefDlgProcA+0x39
00000000`05fb8d10 000007f8`3f9c9020 : 000007f8`3fd91b84 00000000`00010298 00000000`00000111 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb8dd0 000007f8`3f9c8f3b : 00000000`04039bc0 00000000`0000043d 00000000`00010298 00000000`00000018 : USER32!CallWindowProcAorW+0xd8
00000000`05fb8e20 000007f7`42344488 : 00000000`00000000 00000000`000d000c 000007f7`423e0838 00000000`6e74616c : USER32!CallWindowProcA+0x1b
00000000`05fb8e60 000007f7`42341fa7 : 00000000`00000001 000007f8`3fa0c891 00000000`01158d00 00000000`544c4600 : procexp64+0x4488
00000000`05fb8ea0 000007f7`42345b08 : 00000000`00000001 00000000`0000043d 00000000`04039bc0 00000000`05fb9480 : procexp64+0x1fa7
00000000`05fb8ee0 000007f8`3f98171e : 00000000`00010298 00000000`0000004e 00000000`0000004e 00000000`00000000 : procexp64+0x5b08
00000000`05fb8fd0 000007f8`3f9c22f9 : 00000000`00000000 00000000`00000111 00000000`80000000 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb9090 000007f8`3f9af30d : 00000000`00000111 00000000`0364d600 00000000`0000043d 00000000`00000111 : USER32!SendMessageWorker+0xa72
00000000`05fb9140 000007f7`42391ea9 : 00000000`00010298 00000000`00000000 00000000`0000004e 00000000`00010298 : USER32!SendMessageA+0x75
00000000`05fb9190 000007f8`3f99b3b9 : 00000000`00000001 00000000`00000000 00000000`05fbaa20 00000000`00000001 : procexp64+0x51ea9
00000000`05fba400 000007f8`3f99b108 : 00000000`015714f0 00000000`00000000 00000000`0000004e 00000000`00000414 : USER32!UserCallDlgProcCheckWow+0x135
00000000`05fba4d0 000007f8`3f9d3b19 : 00000000`05fbac40 00000000`00000414 00000000`0000004e 000007f8`3fd9541f : USER32!DefDlgProcWorker+0xb8
00000000`05fba5a0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`05fbaa20 00000000`00000000 : USER32!DefDlgProcA+0x39
00000000`05fba5e0 000007f8`3f9c9020 : 000007f8`3fd91b84 00000000`00010298 00000000`0000004e 00000000`05fbac40 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fba6a0 000007f8`3f9c8f3b : 00000000`04039bc0 00000000`00000414 00000000`00010298 000007f7`00000018 : USER32!CallWindowProcAorW+0xd8
00000000`05fba6f0 000007f7`42344488 : 00000000`00000000 ffffffff`000d000c 000007f7`423e0838 000007f8`3f981690 : USER32!CallWindowProcA+0x1b
00000000`05fba730 000007f7`42341fa7 : 00000000`00000001 000007f8`3fa0c891 00000000`05fbaa00 00000000`00000000 : procexp64+0x4488
00000000`05fba770 000007f7`42345b08 : 00000000`00000001 00000000`00000414 00000000`04039bc0 00000000`00000000 : procexp64+0x1fa7
00000000`05fba7b0 000007f8`3f98171e : 00000000`05fba939 00000000`00010298 00000000`00000001 000007f8`3f984ba2 : procexp64+0x5b08
00000000`05fba8a0 000007f8`3f9c22f9 : 00000000`05fbac40 00000000`0000004e 00000000`80000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fba960 000007f8`3f98487a : 00000000`0001029a 00000000`00000000 00000000`00000414 00000000`015714f0 : USER32!SendMessageWorker+0xa72
00000000`05fbaa10 000007f8`3ad3840a : 00000000`03683d70 00000000`05fbac40 00000000`05fbab19 00000000`00010298 : USER32!SendMessageW+0x10a
00000000`05fbaa70 000007f8`3adcd6e5 : 00000000`00000001 00000000`fffffffd 00000000`03683d10 000007f8`3ae95b7d : COMCTL32!CCSendNotify+0x183
00000000`05fbab80 000007f8`3ae7f099 : 00000000`00000000 00000000`00000203 00000000`0002029e 00000000`0002029e : COMCTL32!CLVMouseManager::HandleMouse+0x6d5
00000000`05fbace0 000007f8`3acdaf36 : 00000000`00000001 00000000`00000203 00000000`0001029a 00000000`00000001 : COMCTL32!alloca_probe+0x151cf
00000000`05fbaf20 000007f8`3f98171e : 00000000`05fbb160 00000000`00000001 00000000`00000000 00000000`00000000 : COMCTL32!CListView::s_WndProc+0x52
00000000`05fbaf70 000007f8`3f98432b : 00000000`01571670 000007f8`3acdaee0 00000000`0001029a 00000000`002e00f5 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbb030 000007f8`3acc125d : 00000000`05fbb290 00000000`0001029a 00000000`0001029a 00000000`00000001 : USER32!CallWindowProcW+0x93
00000000`05fbb090 000007f8`3acc11f6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`01571930 : COMCTL32!CallOriginalWndProc+0x1d
00000000`05fbb0d0 000007f8`3acc132d : 00000000`00000001 00000000`00000203 00000000`00000000 00000000`00000000 : COMCTL32!CallNextSubclassProc+0x82
00000000`05fbb130 000007f8`3acc11f6 : 00000000`00000048 00000000`00000001 00000000`00000000 000007f8`3fd9541f : COMCTL32!TTSubclassProc+0xbd
00000000`05fbb1e0 000007f8`3acc10f2 : 00000000`00000001 00000000`00000001 00000000`002e00f5 00000000`0001029a : COMCTL32!CallNextSubclassProc+0x82
00000000`05fbb240 000007f8`3f98171e : 000007f8`3f981742 00000000`00000000 00000000`0001024a 00000000`00000000 : COMCTL32!MasterSubclassProc+0xa2
00000000`05fbb2e0 000007f8`3f9c9020 : 000007f8`3acc1050 00000000`0001029a 00000000`00000203 00000000`002e00f5 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbb3a0 000007f8`3f9c8f3b : 00000000`0001029a 00000000`00000203 00000000`00000000 00000000`01571670 : USER32!CallWindowProcAorW+0xd8
00000000`05fbb3f0 000007f7`42365923 : 00000000`0001029a 00000000`00000000 00000000`05fbb903 00000000`05fbb903 : USER32!CallWindowProcA+0x1b
00000000`05fbb430 000007f8`3f98171e : 000007f8`3f981742 000007f8`00000000 00000000`00000000 00000000`80000000 : procexp64+0x25923
00000000`05fbf950 000007f8`3f9814d7 : 00000000`01571670 00000000`05fbfb90 000007f7`41f9a800 000007f7`42364cb0 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbfa10 000007f8`3f9ae067 : 00000000`05fbfba0 00000000`01571670 00000000`01562810 00000000`05fbfb90 : USER32!DispatchMessageWorker+0x1a7
00000000`05fbfa90 000007f8`3f9d3bac : 00000000`00000000 00000000`05fbfba0 00000000`00100250 00000000`000d0153 : USER32!IsDialogMessageW+0x242
00000000`05fbfb20 000007f7`4239775e : 00000000`00000578 00000000`00000002 00000000`0403e5c0 00000000`00000000 : USER32!IsDialogMessageA+0x7c
00000000`05fbfb50 000007f7`423b215f : 00000000`0363f810 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x5775e
00000000`05fbfbf0 000007f7`423b2209 : 00000000`0363f810 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x7215f
00000000`05fbfc20 000007f8`3ec3167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x72209


STACK_COMMAND:  kb

FOLLOWUP_IP: 
PROCEXP141+1f9d
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h]

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  PROCEXP141+1f9d

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

Followup: MachineOwner
---------

Gonna turn on verifier for this driver and repeat.


Process Explorer : bugcheck in process explorer

Author: danmcleran
Subject: bugcheck in process explorer
Posted: 03 January 2013 at 8:24pm

Turned on verifier for PROCEXP141.SYS

1: kd> !verifier

Verify Level 209bb ... enabled options are:
Special pool
Special irql
All pool allocations checked on unload
Io subsystem checking enabled
Deadlock detection enabled
DMA checking enabled
Security checks enabled
Miscellaneous checks enabled

Summary of All Verifier Statistics

RaiseIrqls                             0x0
AcquireSpinLocks                       0x0
Synch Executions                       0x0
Trims                                  0x72c

Pool Allocations Attempted             0x17762
Pool Allocations Succeeded             0x17762
Pool Allocations Succeeded SpecialPool 0x17762
Pool Allocations With NO TAG           0x0
Pool Allocations Failed                0x0
Resource Allocations Failed Deliberately   0x0

Current paged pool allocations         0x0 for 00000000 bytes
Peak paged pool allocations            0x2 for 000000B0 bytes
Current nonpaged pool allocations      0x0 for 00000000 bytes
Peak nonpaged pool allocations         0x0 for 00000000 bytes

Now I get a bugcheck when I try to launch the program (procexp64.exe) as admin:

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000002cc, Handle value being referenced.
Arg3: fffffa8008677940, Address of the current process.
Arg4: fffff880172bbbb7, Address inside the driver that is performing the incorrect reference.

Debugging Details:
------------------


BUGCHECK_STR:  0xc4_f6

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff803cc9f40ea to fffff803cc8f3930

STACK_TEXT:  
fffff880`17796d58 fffff803`cc9f40ea : 00000000`00000000 00000000`000000c4 fffff880`17796ec0 fffff803`cc9784b8 : nt!RtlpBreakWithStatusInstruction
fffff880`17796d60 fffff803`cc9f3742 : 00000000`00000003 fffff880`17796ec0 fffff803`cc978e90 00000000`000000c4 : nt!KiBugCheckDebugBreak+0x12
fffff880`17796dc0 fffff803`cc8f9144 : 00000000`000002cc 00000000`00000003 00000000`00000008 00000000`000002cc : nt!KeBugCheck2+0x79f
fffff880`177974e0 fffff803`ccec4fa0 : 00000000`000000c4 00000000`000000f6 00000000`000002cc fffffa80`08677940 : nt!KeBugCheckEx+0x104
fffff880`17797520 fffff803`ccecca78 : fffffa80`08677940 00000000`00000000 00000000`00000000 00000000`00000001 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`17797560 fffff803`cce7ebb5 : 00000000`00000000 00000000`00000000 fffff880`177977d0 00000000`00000000 : nt!VfCheckUserHandle+0x1b8
fffff880`17797640 fffff803`ccc64484 : 00000000`00000000 00000000`00001000 fffffa80`04eecf20 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x37e4c
fffff880`177976d0 fffff803`cc8f8053 : fffffa80`085bc080 fffff980`02c10ff0 00000000`00000000 fffffa80`05a130b8 : nt!NtOpenProcessTokenEx+0xa4
fffff880`17797750 fffff803`cc8fd230 : fffff880`172bbbb7 fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 : nt!KiSystemServiceCopyEnd+0x13
fffff880`177978e8 fffff880`172bbbb7 : fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 00000000`0000001f : nt!KiServiceLinkage
fffff880`177978f0 fffff880`172bc073 : 00000000`00000000 fffffa80`0863dbc0 fffff803`ccb1c400 00000000`00000000 : PROCEXP141+0x1bb7
fffff880`17797ae0 fffff803`ccebbd26 : fffff980`065f0ee0 00000000`00000002 fffffa80`086b15d0 fffffa80`0501e298 : PROCEXP141+0x2073
fffff880`17797b80 fffff803`ccce242f : fffff980`065f0ee0 fffff880`17797ec0 fffff980`065f0ff8 fffffa80`05a13010 : nt!IovCallDriver+0x3e6
fffff880`17797bd0 fffff803`ccce2db6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7dd
fffff880`17797d60 fffff803`cc8f8053 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000b18 : nt!NtDeviceIoControlFile+0x56
fffff880`17797dd0 000007fe`3ce52c1a : 000007fe`3a0e3579 00000000`00e442d0 00000000`00000000 00000000`00000001 : nt!KiSystemServiceCopyEnd+0x13
00000000`00d6da68 000007fe`3a0e3579 : 00000000`00e442d0 00000000`00000000 00000000`00000001 000007fe`3c96a783 : ntdll!ZwDeviceIoControlFile+0xa
00000000`00d6da70 000007fe`3c431880 : 00000000`8335000c 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!DeviceIoControl+0x75
00000000`00d6dae0 000007f6`f874d8de : 00000000`00000000 00000000`00000000 00000000`00000104 00000000`00000b18 : KERNEL32!DeviceIoControlImplementation+0x74
00000000`00d6db30 000007f6`f875919d : 00000000`00d6e2d8 000007f6`f87b0879 00000000`00000b18 00000000`000002cc : procexp64+0x3d8de
00000000`00d6db90 000007f6`f87492c0 : 00000000`00000000 00000000`00000000 00000000`00070227 000007f6`f87d2c80 : procexp64+0x4919d
00000000`00d6e540 000007f6`f871fe46 : 00000000`00000000 00000000`00d6f000 00000000`00000001 00000000`000301a8 : procexp64+0x392c0
00000000`00d6ed60 000007f6`f8748a66 : 00000000`00000001 00000000`000301a8 00000000`00000000 00000000`000301a8 : procexp64+0xfe46
00000000`00d6eda0 000007fe`3a2c3e95 : 00000000`00000001 00000000`00d6f200 00000000`00000000 000007fe`3ce5541f : procexp64+0x38a66
00000000`00d6ede0 000007fe`3a2c2a62 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x18d
00000000`00d6eea0 000007fe`3a2caa7c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!DispatchClientMessage+0xf8
00000000`00d6ef00 000007fe`3ce54b47 : ffffffff`ffffffff 000007fe`3a2c1690 000007fe`3a2c1742 000007fe`3a2c1690 : USER32!_fnINLPCREATESTRUCT+0x98
00000000`00d6ef60 000007fe`3a2cc35a : 000007fe`3a2cc2dc 00000000`00d6f200 00000000`00d6f510 00000000`00000000 : ntdll!KiUserCallbackDispatcherContinue
00000000`00d6f0f8 000007fe`3a2cc2dc : 00000000`00d6f200 00000000`00d6f510 00000000`00000000 000007fe`06000006 : USER32!ZwUserCreateWindowEx+0xa
00000000`00d6f100 000007fe`3a2cc55c : 00000000`00000012 000007f6`f87b3fe0 00000000`00d6f580 00000000`00000000 : USER32!VerNtUserCreateWindowEx+0x21c
00000000`00d6f480 000007fe`3a2d62df : 00005e14`00000226 00000000`00000001 00000000`00000001 00000000`00cf0000 : USER32!CreateWindowInternal+0x1ed
00000000`00d6f5e0 000007f6`f8724f6b : 00000000`00000010 00000000`00000010 00000000`00000001 000007f6`f8710000 : USER32!CreateWindowExA+0x7f
00000000`00d6f670 000007f6`f877bc0b : 00000000`00000000 00000000`00de2625 000007f6`f8710000 00000000`00000000 : procexp64+0x14f6b
00000000`00d6f740 000007f6`f8784c3f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x6bc0b
00000000`00d6f8b0 000007fe`3c43167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x74c3f
00000000`00d6f960 000007fe`3ce6c3f1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x1a
00000000`00d6f990 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d


STACK_COMMAND:  kb

FOLLOWUP_IP: 
PROCEXP141+1bb7
fffff880`172bbbb7 e93b020000      jmp     PROCEXP141+0x1df7 (fffff880`172bbdf7)

SYMBOL_STACK_INDEX:  a

SYMBOL_NAME:  PROCEXP141+1bb7

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: PROCEXP141

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

FAILURE_BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7

BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7

Followup: MachineOwner
---------
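
A triage helper for the two `!analyze -v` reports in this thread, added here as an example (it is not code from the thread or from Sysinternals): it reads the bugcheck header, the Arg1..Arg4 values, the `NAME:  value` fields and the STACK_TEXT frames, and reports the first frame that is not owned by `nt`, which is how the PROCEXP141 frames at SYMBOL_STACK_INDEX 7 and 0xa above get singled out. The embedded samples are trimmed copies of the reports posted above (frames cut after the first PROCEXP141 frame); the function and constant names are the example's own.

```python
"""Triage helper for WinDbg '!analyze -v' output (added example, not code from
the thread or from Sysinternals). It parses a report into bugcheck name/code,
the Arg1..Arg4 values, the NAME: value fields and the STACK_TEXT frames, and
finds the first frame outside the kernel image 'nt', i.e. the module to blame
in a driver fault. SAMPLE_0x50 / SAMPLE_0xC4 are trimmed copies of the two
reports posted in the thread (frames cut after the first PROCEXP141 frame)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BUGCHECK_RE = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$", re.M)
ARG_RE = re.compile(r"^Arg[1-4]: ([0-9a-fA-F]{16}),", re.M)
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]+):[ \t]+(\S+)", re.M)
# child-SP return-addr : four stack args : symbol (the symbol may contain spaces)
FRAME_RE = re.compile(r"^[0-9a-f`]{17} [0-9a-f`]{17} : (?:[0-9a-f`]{17} ){4}: (.+?)\s*$", re.M)

@dataclass
class CrashRecord:
    bugcheck_name: str
    bugcheck_code: int
    args: List[int]          # Arg1..Arg4
    fields: Dict[str, str]   # IMAGE_NAME, PROCESS_NAME, FAILURE_BUCKET_ID, ...
    frames: List[str]        # STACK_TEXT symbols, index 0 = top of stack

def triage(text: str) -> CrashRecord:
    """Parse one !analyze -v report; ValueError if there is no bugcheck header."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no bugcheck header found")
    return CrashRecord(m.group(1), int(m.group(2), 16),
                       [int(a, 16) for a in ARG_RE.findall(text)],
                       dict(FIELD_RE.findall(text)), FRAME_RE.findall(text))

def frame_module(symbol: str) -> str:
    """'nt!KeBugCheckEx+0x104' -> 'nt'; 'PROCEXP141+0x1f9d' -> 'PROCEXP141'."""
    head = symbol.split("!", 1)[0] if "!" in symbol else symbol.split("+", 1)[0]
    return head.strip()

def first_external_frame(rec: CrashRecord, trusted=("nt",)) -> Optional[Tuple[int, str]]:
    """Index and symbol of the first frame not owned by a trusted module."""
    skip = {m.lower() for m in trusted}
    for i, sym in enumerate(rec.frames):
        if frame_module(sym).lower() not in skip:
            return i, sym
    return None

SAMPLE_0x50 = """PAGE_FAULT_IN_NONPAGED_AREA (50)
Arguments:
Arg1: fffff880055b4038, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff880176eaf9d, If non-zero, the instruction address which referenced the bad memory
Arg4: 0000000000000000, (reserved)
IMAGE_NAME:  PROCEXP141.SYS
PROCESS_NAME:  procexp64.exe
STACK_TEXT:
fffff880`1608ab78 fffff801`94c010ea : 00000000`00000000 00000000`00000050 fffff880`1608ace0 fffff801`94b854b8 : nt!RtlpBreakWithStatusInstruction
fffff880`1608ab80 fffff801`94c00742 : 00000000`00000003 fffff880`1608ace0 fffff801`94b85ee0 fffff880`1608b230 : nt!KiBugCheckDebugBreak+0x12
fffff880`1608abe0 fffff801`94b06144 : 00000000`00000000 00000000`05fb5df8 00000000`00000238 00000000`05fb79b0 : nt!KeBugCheck2+0x79f
fffff880`1608b300 fffff801`94c73e59 : 00000000`00000050 fffff880`055b4038 00000000`00000000 fffff880`1608b520 : nt!KeBugCheckEx+0x104
fffff880`1608b340 fffff801`94b40b6f : 00000000`00000000 fffff880`055b4038 fffffa80`0868f700 00000000`05fb6d01 : nt! ?? ::FNODOBFM::`string'+0x32c9f
fffff880`1608b3e0 fffff801`94b03aee : 00000000`00000000 fffff980`05beaf10 00000000`c0000000 fffff880`1608b520 : nt!MmAccessFault+0x54f
fffff880`1608b520 fffff880`176eaf9d : 00000000`00000000 00000000`00000000 00000000`00000000 00000001`00000000 : nt!KiPageFault+0x16e
fffff880`1608b6b0 fffff880`176eb073 : 00000000`00000000 fffffa80`08688e40 fffff801`94d29400 00000000`00000000 : PROCEXP141+0x1f9d
SYMBOL_STACK_INDEX:  7
FAILURE_BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d"""

SAMPLE_0xC4 = """DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 00000000000002cc, Handle value being referenced.
Arg3: fffffa8008677940, Address of the current process.
Arg4: fffff880172bbbb7, Address inside the driver that is performing the incorrect reference.
PROCESS_NAME:  procexp64.exe
STACK_TEXT:
fffff880`17796d58 fffff803`cc9f40ea : 00000000`00000000 00000000`000000c4 fffff880`17796ec0 fffff803`cc9784b8 : nt!RtlpBreakWithStatusInstruction
fffff880`17796d60 fffff803`cc9f3742 : 00000000`00000003 fffff880`17796ec0 fffff803`cc978e90 00000000`000000c4 : nt!KiBugCheckDebugBreak+0x12
fffff880`17796dc0 fffff803`cc8f9144 : 00000000`000002cc 00000000`00000003 00000000`00000008 00000000`000002cc : nt!KeBugCheck2+0x79f
fffff880`177974e0 fffff803`ccec4fa0 : 00000000`000000c4 00000000`000000f6 00000000`000002cc fffffa80`08677940 : nt!KeBugCheckEx+0x104
fffff880`17797520 fffff803`ccecca78 : fffffa80`08677940 00000000`00000000 00000000`00000000 00000000`00000001 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`17797560 fffff803`cce7ebb5 : 00000000`00000000 00000000`00000000 fffff880`177977d0 00000000`00000000 : nt!VfCheckUserHandle+0x1b8
fffff880`17797640 fffff803`ccc64484 : 00000000`00000000 00000000`00001000 fffffa80`04eecf20 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x37e4c
fffff880`177976d0 fffff803`cc8f8053 : fffffa80`085bc080 fffff980`02c10ff0 00000000`00000000 fffffa80`05a130b8 : nt!NtOpenProcessTokenEx+0xa4
fffff880`17797750 fffff803`cc8fd230 : fffff880`172bbbb7 fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 : nt!KiSystemServiceCopyEnd+0x13
fffff880`177978e8 fffff880`172bbbb7 : fffff980`065f0f10 fffff980`02c10ff0 fffff803`ccbcd3c0 00000000`0000001f : nt!KiServiceLinkage
fffff880`177978f0 fffff880`172bc073 : 00000000`00000000 fffffa80`0863dbc0 fffff803`ccb1c400 00000000`00000000 : PROCEXP141+0x1bb7
SYMBOL_STACK_INDEX:  a
IMAGE_NAME:  PROCEXP141.SYS
FAILURE_BUCKET_ID:  X64_0xc4_f6_VRF_PROCEXP141+1bb7"""

if __name__ == "__main__":
    for sample in (SAMPLE_0x50, SAMPLE_0xC4):
        rec = triage(sample)
        print(f"{rec.bugcheck_name} (0x{rec.bugcheck_code:x}) in "
              f"{rec.fields.get('IMAGE_NAME')}: first non-nt frame {first_external_frame(rec)}")
```

The index returned by `first_external_frame` matches the debugger's own SYMBOL_STACK_INDEX in both reports, and for the 0xC4 case `args[0] == 0xf6` with `args[1] == 0x2cc` is the verifier's "user handle referenced as KernelMode" sub-code and the handle value, which is the detail the later reply in this thread explains.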


Autoruns : Simple question about autorun...

Author: jbrownwi
Subject: Simple question about autorun...
Posted: 03 January 2013 at 8:30pm

So if I set up my Autoruns and pick and choose the files, and save it. Then....

Are my Autoruns settings retained until I undo them? And is it just for startup, or is it startup and while using the PC in general? (Programs won't run in the background at all unless done manually.)

- Are my settings permanent?

- Is it just for startup, or while I'm using Windows too?

Process Explorer : bugcheck in process explorer

Author: danmcleran
Subject: bugcheck in process explorer
Posted: 03 January 2013 at 8:58pm

Solution?

No bugcheck if I do not run as admin.

Any explanation?

Process Monitor : Process Monitor not loading

Author: danmcleran
Subject: Process Monitor not loading
Posted: 03 January 2013 at 9:00pm

I was getting bugchecks on a Win 8 64-bit target machine when I ran procexp64.exe as admin. If I run normally, everything works fine.

PsTools : pspasswd

Author: asrivastava
Subject: pspasswd
Posted: 04 January 2013 at 12:24am

The new version 1.23 has a bug. When running pspasswd with the -u and -p switches, the utility does not run and simply shows the syntax.

Also the output message does not include the server and username which makes it meaningless.

Process Explorer : bugcheck in process explorer

Author: MagicAndre1981
Subject: bugcheck in process explorer
Posted: 04 January 2013 at 5:09am

Why are you not using the latest 15.xx version?

Process Monitor : Process Monitor not loading

Author: MagicAndre1981
Subject: Process Monitor not loading
Posted: 04 January 2013 at 5:11am

Run ProcMon from inside WinDbg. Do you get errors? If yes, run !analyze -v. Do you see anything useful?

Disk2vhd : VHD not start after disk2vhd

Author: alexgor
Subject: VHD not start after disk2vhd
Posted: 04 January 2013 at 7:56am

Hi everybody!

I wish to virtualize Windows Server 2008R2 (IBM 7947K6G System x3650 M2 and WinServer 2008R2) via disk2vhd v1.63 (just disk C). All is OK and when it finishes I have a VHD file.

I copy this VHD to a new location and attach it to a freshly created VM (Hyper-V 2012).

After I try to start this new VM I see a black screen and a blinking white cursor in the upper left corner. That's it!

I've tried lots of ways to solve the problem:

1. I try to boot from different ERD and DART, and they all say that this version is NOT compatible with your system (and they certainly work on dozens of previous servers).

2. I try to boot from the installation image of WinServer (the same ISO I installed this system from); when attempting to enter recovery mode it displays a message similar to the one in item 1.

3. I try to boot from different LiveCDs (3rd party); there I see that this VHD really has a working system (drive C has an NTFS partition and another partition in RAW format plus one partition in FAT32. They are both 100 MB, but the C drive partition is not marked as active).

4. I try via Diskpart to make the C drive active, and I get an error that it cannot be made active (GPT to MBR). I tried to convert to MBR, and I got an error that this type of disk cannot be converted to MBR.

5. Tried to virtualize this server using MS SCVMM 2012. But the agent does not start on the target physical server (but that's another story).

I have investigated via the internet and I understood that the problem is related to the fact that my physical server has uEFI and Hyper-V has BIOS. But I haven't found any proof that this is my problem.
At this point, the server has been successfully migrated to a new virtual machine (data transferred using standard tools and wizards), so the problem is not so urgent.

Just for the future, I would like to find out why the VHD does not start correctly (I still have the VHD of the C drive, so I can do some tests now).


PS: http://social.technet.microsoft.com/Forums/en-US/winserverhyperv/thread/fd7a2e66-6010-43f2-8ba5-655372270703

Process Monitor : Process Monitor not loading

Author: Manton
Subject: Process Monitor not loading
Posted: 04 January 2013 at 11:39am

Many thanks for your reply. But I don't know how to run ProcMon from inside WinDbg, or even what WinDbg is. Nor do I know exactly how to run !analyze -v. Please post specific instructions. Again, thanks.

Disk2vhd : VHD not start after disk2vhd

Author: CUNFSTUCKER
Subject: VHD not start after disk2vhd
Posted: 04 January 2013 at 9:00pm

This seems to be a common problem, and instead of just responding with a single line and a link to a thread, let me summarize what others have said: it is related to using Disk2VHD while the box is online, and despite its reliability it seems impossible to account for all possibilities when it comes to locked directories.


In the past, I was having issues with an IBM included software (forget the name, sorry, but it was 5 years ago and hopefully fixed) that was an alternative to Windows System Restore, and it was creating a tightly locked directory at %systemdrive% that couldn't be accessed and was in some nether region, since the GUI and XCAcls OR SUBINACL couldn't reset the perms and grant an Admin access to the directory.

Delete at boot wasn't working and I couldn't get access to it until I started a system shell with an AT job and accessed and deleted it that way; I still had to take perms, but could at least get access to take ownership.

If you have the time to spare and care to experiment, are you prepared to rerun disk2vhd while logged on as the local system account? It could make a difference.

Autoruns : Simple question about autorun...

Author: CUNFSTUCKER
Subject: Simple question about autorun...
Posted: 04 January 2013 at 9:15pm

You've discovered one of the enduring attributes of Autoruns, and that is its safety record.
You don't have to save anything; just selecting / deselecting the line item immediately effects the change.
None of the changes are permanent; in the Registry the disabled items are created under the AutorunsDisabled key for easy reversal.

Saving an ARN file is more like saving a report and is helpful for the built-in comparison feature and tracking. Developers really love that part of it, but an admin / user doesn't need to rely on it too much.

Whether you've learned the history of the SysInternals suite or not, it can be summarized many ways, but I say that if there is a medal of honor for service to the computing industry then Sysinternals would've won it several times over.

Process Explorer : bugcheck in process explorer

Author: danmcleran
Subject: bugcheck in process explorer
Posted: 04 January 2013 at 10:00pm

I had downloaded Sysinternals Suite not long ago so I thought I had the latest. I will need to go check for individual updates.

Process Explorer : bugcheck in process explorer

Author: wj32
Subject: bugcheck in process explorer
Posted: 05 January 2013 at 4:05am

Don't run verifier on PE's driver with the handle checks. You will always get a crash since it opens handles in kernel-mode to allow viewing tokens of protected processes.

Miscellaneous Utilities : Contig "No files fragmented." on fragmented files

Author: Dax1792
Subject: Contig "No files fragmented." on fragmented files
Posted: 05 January 2013 at 11:57am

0xc0000022 suggests a permission problem.
Try running in an elevated command prompt if you haven't already.

Miscellaneous Utilities : Contig "No files fragmented." on fragmented files

Author: Ian Worthington
Subject: Contig "No files fragmented." on fragmented files
Posted: 05 January 2013 at 1:46pm

That was it.  Many thanks,

i

Internals : What is the Syntax: nt! ?? ::FNODOBFM:

Author: thenumberdevil
Subject: What is the Syntax: nt! ?? ::FNODOBFM:
Posted: 06 January 2013 at 8:21am

undname ??_C@_0BN@KLOBBEB@Enabling?5heap?5debug?5options?6?$AA@FNODOBFM@

is ?? ?? ::FNODOBFM::`string':

So the debugger is simply displaying the undecorated name of the symbol.


Process Monitor : Strange <unknown> in KernelThreadCreate Stack

Author: dlux
Subject: Strange <unknown> in KernelThreadCreate Stack
Posted: 06 January 2013 at 10:36am

Someone tell me if this is correct or not:
I run procmon and in the first few entries there is a System (kernel) ThreadCreate event.
In this event under the Stack tab I see some User (U) objects that are simply listed as mem addresses, not as File object names.
0    ntoskrnl.exe    FsRtlTeardownPerStreamContexts + 0x10f1    0xfffff80002f3b91d    C:\Windows\system32\ntoskrnl.exe
1    ntoskrnl.exe    RtlAreAllAccessesGranted + 0x3ba    0xfffff80002f6dfa2    C:\Windows\system32\ntoskrnl.exe
2    ntoskrnl.exe    PsCreateSystemThread + 0x125    0xfffff80002f1cf39    C:\Windows\system32\ntoskrnl.exe
3    ntoskrnl.exe    NtNotifyChangeDirectoryFile + 0x18f9    0xfffff80002ee76c5    C:\Windows\system32\ntoskrnl.exe
4    ntoskrnl.exe    ObInsertObject + 0x740    0xfffff80002ee5650    C:\Windows\system32\ntoskrnl.exe
5    ntoskrnl.exe    NtTraceControl + 0x35c    0xfffff80002f2571c    C:\Windows\system32\ntoskrnl.exe
6    ntoskrnl.exe    KeSynchronizeExecution + 0x3a43    0xfffff80002c80ed3    C:\Windows\system32\ntoskrnl.exe
7    ntdll.dll    NtTraceControl + 0xa    0x76e22b5a    C:\Windows\System32\ntdll.dll
8    advapi32.dll    StartTraceW + 0x5e0    0x7fefd83eb80    C:\Windows\System32\advapi32.dll
9    advapi32.dll    StartTraceW + 0x414    0x7fefd83e9b4    C:\Windows\System32\advapi32.dll
10    <unknown>    0x13f88af61    0x13f88af61   
11    <unknown>    0x13f8878a2    0x13f8878a2   
12    <unknown>    0x13f8b7457    0x13f8b7457   
13    user32.dll    TranslateMessageEx + 0x2a1    0x76bc9bd1    C:\Windows\System32\user32.dll
14    user32.dll    SetWindowTextW + 0x277    0x76bc72cb    C:\Windows\System32\user32.dll
15    user32.dll    IsDialogMessageW + 0x169    0x76bc6829    C:\Windows\System32\user32.dll
16    ntdll.dll    KiUserCallbackDispatcher + 0x1f    0x76e21225    C:\Windows\System32\ntdll.dll
17    ntoskrnl.exe    KeUserModeCallback + 0xe6    0xfffff80002f6db66    C:\Windows\system32\ntoskrnl.exe
18    win32k.sys    memset + 0xa63e    0xfffff9600016f45e    C:\Windows\System32\win32k.sys
19    win32k.sys    memset + 0x73cb    0xfffff9600016c1eb    C:\Windows\System32\win32k.sys
20    win32k.sys    memset + 0x6c73    0xfffff9600016ba93    C:\Windows\System32\win32k.sys
21    win32k.sys    EngFntCacheLookUp + 0x1771c    0xfffff960001241d8    C:\Windows\System32\win32k.sys
22    win32k.sys    EngSetLastError + 0x7f    0xfffff96000143c6f    C:\Windows\System32\win32k.sys
23    win32k.sys    EngSetLastError + 0xd4a2    0xfffff96000151092    C:\Windows\System32\win32k.sys
24    ntoskrnl.exe    KeSynchronizeExecution + 0x3a43    0xfffff80002c80ed3    C:\Windows\system32\ntoskrnl.exe
25    user32.dll    IsDialogMessageW + 0x19a    0x76bc685a    C:\Windows\System32\user32.dll
26    user32.dll    GetWindowLongPtrA + 0x78    0x76bc3838    C:\Windows\System32\user32.dll
27    user32.dll    SendMessageW + 0x5d    0x76bc6bad    C:\Windows\System32\user32.dll
28    <unknown>    0x13f8b98a4    0x13f8b98a4   
29    <unknown>    0x13f8d8f67    0x13f8d8f67   
30    kernel32.dll    BaseThreadInitThunk + 0xd    0x76cc652d    C:\Windows\System32\kernel32.dll
31    ntdll.dll    RtlUserThreadStart + 0x21    0x76dfc521    C:\Windows\System32\ntdll.dll

This system is infected with the infamous GPU hypervisor malware as seen in the malware forum here. I need to know if others see these <unknown> Stack entries, seen ONLY in System ThreadCreate events.
This will tell me a lot.

Process Monitor : Strange entry in RegSummary-not seen in registry

Author: dlux
Subject: Strange entry in RegSummary-not seen in registry
Posted: 06 January 2013 at 10:46am

I'm seeing this reg key in Registry Summary that does not exist in regedit view.
It shows a value of 1 for Open and 0 for all others.
HKLM\System\CurrentControlSet\control\minint

The string mininit cannot be found in regedit or regscanner.
Any ideas?
What is mininit?
