
Process Explorer : bugcheck in process explorer

Author: danmcleran
Subject: bugcheck in process explorer
Posted: 03 January 2013 at 8:17pm

That's weird. When I came back from the crash, I saw 2 shortcuts: procexp and procexp64. I ran both one after the other and now I only see procexp. Strange behavior. I repeated what I did before with the same result (bugcheck).

1. Run procexp.exe as admin.
2. Double-click on one of my svchost.exe processes.
3. Open the Threads tab.
4. Double-click on a thread (ntdll.dll!RtlRegisterThreadWithCsrss + 0x174)

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff880055b4038, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff880176eaf9d, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS: unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
 fffff880055b4038 

FAULTING_IP: 
PROCEXP141+1f9d
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  PROCEXP141.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4bc6db36

MODULE_NAME: PROCEXP141

FAULTING_MODULE: fffff880176e9000 PROCEXP141

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  procexp64.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff8801608b520 -- (.trap 0xfffff8801608b520)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880055b4040 rbx=0000000000000000 rcx=fffffa8007ef86c0
rdx=fffff880055b4000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880176eaf9d rsp=fffff8801608b6b0 rbp=fffff98005b6efe0
 r8=fffff8a00225c001  r9=0000000000000001 r10=0000000083350028
r11=fffff8801608b8e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
PROCEXP141+0x1f9d:
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h] ds:af10:4038=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80194c010ea to fffff80194b00930

STACK_TEXT:  
fffff880`1608ab78 fffff801`94c010ea : 00000000`00000000 00000000`00000050 fffff880`1608ace0 fffff801`94b854b8 : nt!RtlpBreakWithStatusInstruction
fffff880`1608ab80 fffff801`94c00742 : 00000000`00000003 fffff880`1608ace0 fffff801`94b85ee0 fffff880`1608b230 : nt!KiBugCheckDebugBreak+0x12
fffff880`1608abe0 fffff801`94b06144 : 00000000`00000000 00000000`05fb5df8 00000000`00000238 00000000`05fb79b0 : nt!KeBugCheck2+0x79f
fffff880`1608b300 fffff801`94c73e59 : 00000000`00000050 fffff880`055b4038 00000000`00000000 fffff880`1608b520 : nt!KeBugCheckEx+0x104
fffff880`1608b340 fffff801`94b40b6f : 00000000`00000000 fffff880`055b4038 fffffa80`0868f700 00000000`05fb6d01 : nt! ?? ::FNODOBFM::`string'+0x32c9f
fffff880`1608b3e0 fffff801`94b03aee : 00000000`00000000 fffff980`05beaf10 00000000`c0000000 fffff880`1608b520 : nt!MmAccessFault+0x54f
fffff880`1608b520 fffff880`176eaf9d : 00000000`00000000 00000000`00000000 00000000`00000000 00000001`00000000 : nt!KiPageFault+0x16e
fffff880`1608b6b0 fffff880`176eb073 : 00000000`00000000 fffffa80`08688e40 fffff801`94d29400 00000000`00000000 : PROCEXP141+0x1f9d
fffff880`1608b8a0 fffff801`950c8d26 : fffff980`05beaee0 00000000`00000002 fffffa80`086863b0 fffffa80`05021418 : PROCEXP141+0x2073
fffff880`1608b940 fffff801`94eef42f : fffff980`05beaee0 fffff880`1608bc80 fffff980`05beaff8 fffffa80`07a2fb00 : nt!IovCallDriver+0x3e6
fffff880`1608b990 fffff801`94eefdb6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7dd
fffff880`1608bb20 fffff801`94b05053 : 00000000`00000000 00000000`00000000 00000000`05fb6901 fffffa80`07ef86c0 : nt!NtDeviceIoControlFile+0x56
fffff880`1608bb90 000007f8`3fd92c1a : 000007f8`3cdf3579 000007f8`3f981742 0000003f`0000003e ffffffff`fffc9e30 : nt!KiSystemServiceCopyEnd+0x13
00000000`05fb5df8 000007f8`3cdf3579 : 000007f8`3f981742 0000003f`0000003e ffffffff`fffc9e30 00000000`01574e90 : ntdll!ZwDeviceIoControlFile+0xa
00000000`05fb5e00 000007f8`3ec31880 : 00000000`83350028 00000000`00000000 00000000`000202ea 000007f7`423458a0 : KERNELBASE!DeviceIoControl+0x75
00000000`05fb5e70 000007f7`4237d8de : 00000000`00000000 00000000`05fb6820 00000000`05fb7441 00000000`05fb6920 : KERNEL32!DeviceIoControlImplementation+0x74
00000000`05fb5ec0 000007f7`42390bb3 : 00000000`00000064 00000000`000202e8 00000000`000002fc 00000000`05fb5fc0 : procexp64+0x3d8de
00000000`05fb5f20 000007f8`3f99b6ca : 00000000`000202ea 00000000`00000001 00000000`00000110 00000000`000202ea : procexp64+0x50bb3
00000000`05fb7300 000007f8`3f99b108 : 00000000`01574e90 00000000`00000000 00000000`00000110 00000000`000202e8 : USER32!UserCallDlgProcCheckWow+0x18b
00000000`05fb73d0 000007f8`3f9d3b19 : 00000000`05fb79a8 00000000`05fb7610 00000000`00000110 00000000`00002020 : USER32!DefDlgProcWorker+0xb8
00000000`05fb74a0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`00000070 ffffffff`ffffffff : USER32!DefDlgProcA+0x39
00000000`05fb74e0 000007f8`3f9c22f9 : 00000000`05fb79a8 00000000`00000110 00000000`80000000 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb75a0 000007f8`3f99c7a5 : 000007f7`424333dc 00000000`00000000 00000000`000202e8 000007f7`424333dc : USER32!SendMessageWorker+0xa72
00000000`05fb7650 000007f8`3f9ab889 : 00000000`00010298 000007f7`423905c0 00000000`00000001 000007f7`423905c0 : USER32!InternalCreateDialog+0x9f6
00000000`05fb77e0 000007f8`3f9ab936 : 000007f7`42340000 00000000`00010298 000007f7`423905c0 ffffffff`ffffffff : USER32!InternalDialogBox+0xf9
00000000`05fb7840 000007f8`3f9c9c3e : 000007f7`42340000 000007f7`423905c0 ffffffff`ffffffff 00000000`00000000 : USER32!DialogBoxIndirectParamAorW+0x56
00000000`05fb7880 000007f7`423929b3 : 00000000`00010298 00000000`0364d670 00000000`00000000 00000000`0364cea0 : USER32!DialogBoxParamA+0x82
00000000`05fb78c0 000007f8`3f99b3b9 : 00000000`04fdd600 00000000`04fdd6a6 00000000`534f5047 00000000`01158de0 : procexp64+0x529b3
00000000`05fb8b30 000007f8`3f99b108 : 00000000`015714f0 00000000`00000000 00000000`00000111 00000000`0000043d : USER32!UserCallDlgProcCheckWow+0x135
00000000`05fb8c00 000007f8`3f9d3b19 : 00000000`00000000 00000000`0000043d 00000000`00000111 00000000`00000000 : USER32!DefDlgProcWorker+0xb8
00000000`05fb8cd0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`05fba111 00000000`00000000 : USER32!DefDlgProcA+0x39
00000000`05fb8d10 000007f8`3f9c9020 : 000007f8`3fd91b84 00000000`00010298 00000000`00000111 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb8dd0 000007f8`3f9c8f3b : 00000000`04039bc0 00000000`0000043d 00000000`00010298 00000000`00000018 : USER32!CallWindowProcAorW+0xd8
00000000`05fb8e20 000007f7`42344488 : 00000000`00000000 00000000`000d000c 000007f7`423e0838 00000000`6e74616c : USER32!CallWindowProcA+0x1b
00000000`05fb8e60 000007f7`42341fa7 : 00000000`00000001 000007f8`3fa0c891 00000000`01158d00 00000000`544c4600 : procexp64+0x4488
00000000`05fb8ea0 000007f7`42345b08 : 00000000`00000001 00000000`0000043d 00000000`04039bc0 00000000`05fb9480 : procexp64+0x1fa7
00000000`05fb8ee0 000007f8`3f98171e : 00000000`00010298 00000000`0000004e 00000000`0000004e 00000000`00000000 : procexp64+0x5b08
00000000`05fb8fd0 000007f8`3f9c22f9 : 00000000`00000000 00000000`00000111 00000000`80000000 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fb9090 000007f8`3f9af30d : 00000000`00000111 00000000`0364d600 00000000`0000043d 00000000`00000111 : USER32!SendMessageWorker+0xa72
00000000`05fb9140 000007f7`42391ea9 : 00000000`00010298 00000000`00000000 00000000`0000004e 00000000`00010298 : USER32!SendMessageA+0x75
00000000`05fb9190 000007f8`3f99b3b9 : 00000000`00000001 00000000`00000000 00000000`05fbaa20 00000000`00000001 : procexp64+0x51ea9
00000000`05fba400 000007f8`3f99b108 : 00000000`015714f0 00000000`00000000 00000000`0000004e 00000000`00000414 : USER32!UserCallDlgProcCheckWow+0x135
00000000`05fba4d0 000007f8`3f9d3b19 : 00000000`05fbac40 00000000`00000414 00000000`0000004e 000007f8`3fd9541f : USER32!DefDlgProcWorker+0xb8
00000000`05fba5a0 000007f8`3f98171e : 00000000`00000001 00000000`00000000 00000000`05fbaa20 00000000`00000000 : USER32!DefDlgProcA+0x39
00000000`05fba5e0 000007f8`3f9c9020 : 000007f8`3fd91b84 00000000`00010298 00000000`0000004e 00000000`05fbac40 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fba6a0 000007f8`3f9c8f3b : 00000000`04039bc0 00000000`00000414 00000000`00010298 000007f7`00000018 : USER32!CallWindowProcAorW+0xd8
00000000`05fba6f0 000007f7`42344488 : 00000000`00000000 ffffffff`000d000c 000007f7`423e0838 000007f8`3f981690 : USER32!CallWindowProcA+0x1b
00000000`05fba730 000007f7`42341fa7 : 00000000`00000001 000007f8`3fa0c891 00000000`05fbaa00 00000000`00000000 : procexp64+0x4488
00000000`05fba770 000007f7`42345b08 : 00000000`00000001 00000000`00000414 00000000`04039bc0 00000000`00000000 : procexp64+0x1fa7
00000000`05fba7b0 000007f8`3f98171e : 00000000`05fba939 00000000`00010298 00000000`00000001 000007f8`3f984ba2 : procexp64+0x5b08
00000000`05fba8a0 000007f8`3f9c22f9 : 00000000`05fbac40 00000000`0000004e 00000000`80000000 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fba960 000007f8`3f98487a : 00000000`0001029a 00000000`00000000 00000000`00000414 00000000`015714f0 : USER32!SendMessageWorker+0xa72
00000000`05fbaa10 000007f8`3ad3840a : 00000000`03683d70 00000000`05fbac40 00000000`05fbab19 00000000`00010298 : USER32!SendMessageW+0x10a
00000000`05fbaa70 000007f8`3adcd6e5 : 00000000`00000001 00000000`fffffffd 00000000`03683d10 000007f8`3ae95b7d : COMCTL32!CCSendNotify+0x183
00000000`05fbab80 000007f8`3ae7f099 : 00000000`00000000 00000000`00000203 00000000`0002029e 00000000`0002029e : COMCTL32!CLVMouseManager::HandleMouse+0x6d5
00000000`05fbace0 000007f8`3acdaf36 : 00000000`00000001 00000000`00000203 00000000`0001029a 00000000`00000001 : COMCTL32!alloca_probe+0x151cf
00000000`05fbaf20 000007f8`3f98171e : 00000000`05fbb160 00000000`00000001 00000000`00000000 00000000`00000000 : COMCTL32!CListView::s_WndProc+0x52
00000000`05fbaf70 000007f8`3f98432b : 00000000`01571670 000007f8`3acdaee0 00000000`0001029a 00000000`002e00f5 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbb030 000007f8`3acc125d : 00000000`05fbb290 00000000`0001029a 00000000`0001029a 00000000`00000001 : USER32!CallWindowProcW+0x93
00000000`05fbb090 000007f8`3acc11f6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`01571930 : COMCTL32!CallOriginalWndProc+0x1d
00000000`05fbb0d0 000007f8`3acc132d : 00000000`00000001 00000000`00000203 00000000`00000000 00000000`00000000 : COMCTL32!CallNextSubclassProc+0x82
00000000`05fbb130 000007f8`3acc11f6 : 00000000`00000048 00000000`00000001 00000000`00000000 000007f8`3fd9541f : COMCTL32!TTSubclassProc+0xbd
00000000`05fbb1e0 000007f8`3acc10f2 : 00000000`00000001 00000000`00000001 00000000`002e00f5 00000000`0001029a : COMCTL32!CallNextSubclassProc+0x82
00000000`05fbb240 000007f8`3f98171e : 000007f8`3f981742 00000000`00000000 00000000`0001024a 00000000`00000000 : COMCTL32!MasterSubclassProc+0xa2
00000000`05fbb2e0 000007f8`3f9c9020 : 000007f8`3acc1050 00000000`0001029a 00000000`00000203 00000000`002e00f5 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbb3a0 000007f8`3f9c8f3b : 00000000`0001029a 00000000`00000203 00000000`00000000 00000000`01571670 : USER32!CallWindowProcAorW+0xd8
00000000`05fbb3f0 000007f7`42365923 : 00000000`0001029a 00000000`00000000 00000000`05fbb903 00000000`05fbb903 : USER32!CallWindowProcA+0x1b
00000000`05fbb430 000007f8`3f98171e : 000007f8`3f981742 000007f8`00000000 00000000`00000000 00000000`80000000 : procexp64+0x25923
00000000`05fbf950 000007f8`3f9814d7 : 00000000`01571670 00000000`05fbfb90 000007f7`41f9a800 000007f7`42364cb0 : USER32!UserCallWinProcCheckWow+0x13a
00000000`05fbfa10 000007f8`3f9ae067 : 00000000`05fbfba0 00000000`01571670 00000000`01562810 00000000`05fbfb90 : USER32!DispatchMessageWorker+0x1a7
00000000`05fbfa90 000007f8`3f9d3bac : 00000000`00000000 00000000`05fbfba0 00000000`00100250 00000000`000d0153 : USER32!IsDialogMessageW+0x242
00000000`05fbfb20 000007f7`4239775e : 00000000`00000578 00000000`00000002 00000000`0403e5c0 00000000`00000000 : USER32!IsDialogMessageA+0x7c
00000000`05fbfb50 000007f7`423b215f : 00000000`0363f810 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x5775e
00000000`05fbfbf0 000007f7`423b2209 : 00000000`0363f810 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x7215f
00000000`05fbfc20 000007f8`3ec3167e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x72209


STACK_COMMAND:  kb

FOLLOWUP_IP: 
PROCEXP141+1f9d
fffff880`176eaf9d 488b4238        mov     rax,qword ptr [rdx+38h]

SYMBOL_STACK_INDEX:  7

SYMBOL_NAME:  PROCEXP141+1f9d

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

BUCKET_ID:  X64_0x50_VRF_PROCEXP141+1f9d

Followup: MachineOwner
---------

Gonna turn on verifier for this driver and repeat.

