
Process Explorer : ** Process Explorer Bugs **

Author: plugger
Subject: ** Process Explorer Bugs **
Posted: 17 June 2013 at 1:04am

I downloaded Version 15.31.
After a few minutes, I clicked (or right-clicked, I forget which) on an image name,
and bugchecked.

Here's windbg's analysis of the minidump file.


Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\minidump\061613-37003-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

WARNING: Inaccessible path: 'C:\WINDOWS\I386'
Symbol search path is: SRV*C:\Users\RJD\WinDbgSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS\I386
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`10262000 PsLoadedModuleList = 0xfffff800`104a5670
Debug session time: Sun Jun 16 19:40:19.104 2013 (UTC - 4:00)
System Uptime: 0 days 19:07:29.455
Loading Kernel Symbols
...............................................................
................................................................
..................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C4, {f6, 308, fffffa8005d8a570, fffff88005f8a5b6}

*** WARNING: Unable to verify timestamp for PROCEXP152.SYS
*** ERROR: Module load completed but symbols could not be loaded for PROCEXP152.SYS
Probably caused by : PROCEXP152.SYS ( PROCEXP152+15b6 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00000000000000f6, Referencing user handle as KernelMode.
Arg2: 0000000000000308, Handle value being referenced.
Arg3: fffffa8005d8a570, Address of the current process.
Arg4: fffff88005f8a5b6, Address inside the driver that is performing the incorrect reference.

Debugging Details:
------------------

BUGCHECK_STR:  0xc4_f6
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
PROCESS_NAME:  HPTouchSmartSy
CURRENT_IRQL:  0
LAST_CONTROL_TRANSFER:  from fffff800107654ec to fffff800102d7c00
STACK_TEXT:  
fffff880`07c51f78 fffff800`107654ec : 00000000`000000c4 00000000`000000f6 00000000`00000308 fffffa80`05d8a570 : nt!KeBugCheckEx
fffff880`07c51f80 fffff800`1077abf4 : 00000000`00000308 fffffa80`05d8a570 00000000`00000004 fffff6fc`00083318 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`07c51fc0 fffff800`105320e0 : 00000000`00000000 fffff880`07c52250 fffff880`07c52300 fffff880`07c524a8 : nt!VfCheckUserHandle+0x1b4
fffff880`07c520a0 fffff800`105b9a56 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x202ae
fffff880`07c52170 fffff800`102d6e93 : fffffa80`0af75590 fffff880`07c524a8 fffff880`07c52298 00000000`00000002 : nt!NtQueryObject+0x14c
fffff880`07c52280 fffff800`102d3450 : fffff800`1076a033 00000000`00000000 00000000`00000002 00000000`00000010 : nt!KiSystemServiceCopyEnd+0x13
fffff880`07c52488 fffff800`1076a033 : 00000000`00000000 00000000`00000002 00000000`00000010 fffff800`10663b10 : nt!KiServiceLinkage
fffff880`07c52490 fffff880`05f8a5b6 : fffff980`2e234ee0 00000000`00000002 fffffa80`093bfc90 00000000`00000000 : nt!VfZwQueryObject+0x63
fffff880`07c524e0 fffff980`2e234ee0 : 00000000`00000002 fffffa80`093bfc90 00000000`00000000 fffff880`07c52560 : PROCEXP152+0x15b6
fffff880`07c524e8 00000000`00000002 : fffffa80`093bfc90 00000000`00000000 fffff880`07c52560 00000000`00000000 : 0xfffff980`2e234ee0
fffff880`07c524f0 fffffa80`093bfc90 : 00000000`00000000 fffff880`07c52560 00000000`00000000 00000000`00000000 : 0x2
fffff880`07c524f8 00000000`00000000 : fffff880`07c52560 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffffa80`093bfc90

STACK_COMMAND:  kb
FOLLOWUP_IP:
PROCEXP152+15b6
fffff880`05f8a5b6 89842498000000  mov     dword ptr [rsp+98h],eax

SYMBOL_STACK_INDEX:  8
SYMBOL_NAME:  PROCEXP152+15b6
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: PROCEXP152
IMAGE_NAME:  PROCEXP152.SYS
DEBUG_FLR_IMAGE_TIMESTAMP:  516026a0
FAILURE_BUCKET_ID:  X64_0xc4_f6_PROCEXP152+15b6
BUCKET_ID:  X64_0xc4_f6_PROCEXP152+15b6
Followup: MachineOwner
---------
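A small triage script for output like the analysis above, added here as an example and not part of the original post or of Process Explorer. It pulls the bugcheck code and arguments out of the !analyze -v text, walks STACK_TEXT to the first frame outside nt (Verifier's own Vf* wrappers sit between the driver and NtQueryObject, which is why the blamed module is the first non-kernel frame), and decodes the 0xC4 / 0xF6 pair with the meaning the analysis gives it. The subcode table contains only the entry this dump shows; the kernel-handle check assumes the standard x64 convention that kernel handles carry the top bit; the embedded sample is an excerpt of the output posted above.

```python
"""Triage helper for windbg "!analyze -v" text (added example, not from the post)."""
import re

# Arg1 subcodes of DRIVER_VERIFIER_DETECTED_VIOLATION (0xC4). Only the subcode
# seen in the post above is listed; extend from the bugcheck reference as needed.
VERIFIER_SUBCODES = {
    0xF6: "Referencing user handle as KernelMode",
}

HEX64 = r"[0-9a-f]{8}`[0-9a-f]{8}"   # windbg prints 64-bit values as 8`8 digits
BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
FRAME_RE = re.compile(rf"^{HEX64} {HEX64} : {HEX64} {HEX64} {HEX64} {HEX64} : (.+)$")
PROCESS_RE = re.compile(r"^PROCESS_NAME:\s+(\S+)", re.M)
MODULE_RE = re.compile(r"^([A-Za-z0-9_]+)[!+]")

# Excerpt of the dump analysis posted above (constructed subset, same values).
SAMPLE = """\
BugCheck C4, {f6, 308, fffffa8005d8a570, fffff88005f8a5b6}

PROCESS_NAME:  HPTouchSmartSy
STACK_TEXT:
fffff880`07c51f78 fffff800`107654ec : 00000000`000000c4 00000000`000000f6 00000000`00000308 fffffa80`05d8a570 : nt!KeBugCheckEx
fffff880`07c51f80 fffff800`1077abf4 : 00000000`00000308 fffffa80`05d8a570 00000000`00000004 fffff6fc`00083318 : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`07c51fc0 fffff800`105320e0 : 00000000`00000000 fffff880`07c52250 fffff880`07c52300 fffff880`07c524a8 : nt!VfCheckUserHandle+0x1b4
fffff880`07c52170 fffff800`102d6e93 : fffffa80`0af75590 fffff880`07c524a8 fffff880`07c52298 00000000`00000002 : nt!NtQueryObject+0x14c
fffff880`07c52490 fffff880`05f8a5b6 : fffff980`2e234ee0 00000000`00000002 fffffa80`093bfc90 00000000`00000000 : nt!VfZwQueryObject+0x63
fffff880`07c524e0 fffff980`2e234ee0 : 00000000`00000002 fffffa80`093bfc90 00000000`00000000 fffff880`07c52560 : PROCEXP152+0x15b6
fffff880`07c524e8 00000000`00000002 : fffffa80`093bfc90 00000000`00000000 fffff880`07c52560 00000000`00000000 : 0xfffff980`2e234ee0

FOLLOWUP_IP:
"""


def parse_bugcheck(text):
    """Return (code, [arg1, arg2, arg3, arg4]) from the 'BugCheck XX, {...}' line."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no BugCheck line in input")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    return code, args


def parse_stack(text):
    """Return the symbol column of each STACK_TEXT frame, top of stack first."""
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            if not line.strip():
                break                      # a blank line ends the stack dump
            m = FRAME_RE.match(line)
            if m:
                frames.append(m.group(1).strip())
    return frames


def module_of(symbol):
    """'PROCEXP152+0x15b6' -> 'PROCEXP152'; 'nt!NtQueryObject+0x14c' -> 'nt';
    a raw address such as '0xfffff980`2e234ee0' has no module and yields None."""
    m = MODULE_RE.match(symbol)
    return m.group(1) if m else None


def first_untrusted_frame(frames, trusted=("nt",)):
    """First frame that is not the kernel itself: the driver Verifier is blaming."""
    for sym in frames:
        mod = module_of(sym)
        if mod is not None and mod not in trusted:
            return sym
    return None


def is_kernel_handle(handle):
    # x64 kernel handles have the sign bit set (KERNEL_HANDLE_MASK); a value
    # without it is a handle from the current process's user-mode handle table.
    return bool(handle >> 63)


def triage(text):
    """Summarise a Verifier bugcheck: what was caught, which handle, which driver."""
    code, args = parse_bugcheck(text)
    frames = parse_stack(text)
    pm = PROCESS_RE.search(text)
    suspect = first_untrusted_frame(frames)
    result = {
        "code": code,
        "args": args,
        "process": pm.group(1) if pm else None,
        "suspect_frame": suspect,
        "suspect_module": module_of(suspect) if suspect else None,
    }
    if code == 0xC4:
        result["violation"] = VERIFIER_SUBCODES.get(args[0], f"unknown subcode {args[0]:#x}")
        if args[0] == 0xF6:
            result["handle"] = args[1]
            result["handle_is_user"] = not is_kernel_handle(args[1])
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

The 0xF6 case is worth flagging automatically because of what it implies: a Zw* call made from kernel mode runs with a kernel previous mode, so the handle lookup skips the access check a user-mode caller would receive. A driver that forwards a handle it received from user mode into ZwQueryObject therefore lets the caller query objects it may not hold the right to, which is exactly the class of bug Driver Verifier's handle checking exists to surface before it ships.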
