Author: omrsafetyo
Subject: ** Process Explorer Bugs **
Posted: 11 September 2014 at 3:14pm
On system without driver verifier running:
Use !analyze -v to get detailed debugging information.
BugCheck 18, {0, fffffa804757bd30, 2, fffffa803cfb1678}
*** ERROR: Module load completed but symbols could not be loaded for PROCEXP152.SYS
Probably caused by : PROCEXP152.SYS ( PROCEXP152+1151 )
Followup: MachineOwner
---------
6: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: fffffa804757bd30, Object whose reference count is being lowered
Arg3: 0000000000000002, Reserved
Arg4: fffffa803cfb1678, Reserved
The reference count of an object is illegal for the current state of the object.
Each time a driver uses a pointer to an object the driver calls a kernel routine
to increment the reference count of the object. When the driver is done with the
pointer the driver calls another kernel routine to decrement the reference count.
Drivers must match calls to the increment and decrement routines. This bugcheck
can occur because an object's reference count goes to zero while there are still
open handles to the object, in which case the fourth parameter indicates the number
of opened handles. It may also occur when the objects reference count drops below zero
whether or not there are open handles to the object, and in that case the fourth parameter
contains the actual value of the pointer references count.
Debugging Details:
------------------
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x18
PROCESS_NAME: handle64.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80001838de4 to fffff80001892b80
STACK_TEXT:
fffff880`1dfa2428 fffff800`01838de4 : 00000000`00000018 00000000`00000000 fffffa80`4757bd30 00000000`00000002 : nt!KeBugCheckEx
fffff880`1dfa2430 fffff800`01b6aee1 : fffff880`1dfa2ca0 fffffa80`4757bd00 00000000`00000001 00000000`00002544 : nt! ?? ::FNODOBFM::`string'+0x48de1
fffff880`1dfa2490 fffff800`01b72fb6 : fffffa80`4757bd90 fffffa80`4bce5344 00000000`00000800 fffff880`1dfa2600 : nt!ObpQueryNameString+0x321
fffff880`1dfa2590 fffff880`06db6151 : fffffa80`49249850 fffff800`01b6d295 00000006`00000000 fffff800`00000000 : nt!ObQueryNameString+0xe
fffff880`1dfa25d0 fffff880`06db6dc6 : fffff880`1dfa2c01 fffffa80`41195b30 fffffa80`4bce5344 fffff800`00000800 : PROCEXP152+0x1151
fffff880`1dfa2630 fffff880`06db7ce9 : 00000000`00000001 fffffa80`4bce5340 fffffa80`4bce5340 fffffa80`452b4e98 : PROCEXP152+0x1dc6
fffff880`1dfa2750 fffff880`06db82cd : fffffa80`49249850 fffff800`01b8b601 fffffa80`4bce5340 00000000`00000020 : PROCEXP152+0x2ce9
fffff880`1dfa2940 fffff800`01bb0cc7 : fffffa80`3e32a060 fffffa80`452b4e60 fffffa80`452b4f78 fffffa80`452b4e60 : PROCEXP152+0x32cd
fffff880`1dfa2a10 fffff800`01bb1526 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607
fffff880`1dfa2b40 fffff800`01891e13 : 00000000`00000000 00000000`77565450 00000000`00c70158 fffff880`1dfa2c20 : nt!NtDeviceIoControlFile+0x56
fffff880`1dfa2bb0 00000000`774a132a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0012d348 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x774a132a
STACK_COMMAND: kb
FOLLOWUP_IP:
PROCEXP152+1151
fffff880`06db6151 89442434 mov dword ptr [rsp+34h],eax
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: PROCEXP152+1151
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: PROCEXP152
IMAGE_NAME: PROCEXP152.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 50c7fe0b
FAILURE_BUCKET_ID: X64_0x18_CORRUPT_REF_COUNT_PROCEXP152+1151
BUCKET_ID: X64_0x18_CORRUPT_REF_COUNT_PROCEXP152+1151
Followup: MachineOwner
---------
6: kd> lmvm PROCEXP152
start end module name
fffff880`06db5000 fffff880`06dc2000 PROCEXP152 (no symbols)
Loaded symbol image file: PROCEXP152.SYS
Image path: \??\C:\Windows\system32\Drivers\PROCEXP152.SYS
Image name: PROCEXP152.SYS
Timestamp: Tue Dec 11 22:46:19 2012 (50C7FE0B)
CheckSum: 00010494
ImageSize: 0000D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
6: kd> !running
System Processors: (00000000000000ff)
Idle Processors: (00000000000000be) (0000000000000000) (0000000000000000) (0000000000000000)
Prcbs Current Next
0 fffff80001a0de80 fffffa803b82fab0 ................
6 fffff88001fe1180 fffffa80479d8b50 ................
6: kd> !thread fffffa803b82fab0
THREAD fffffa803b82fab0 Cid 06b4.0788 Teb: 000007fffff76000 Win32Thread: 0000000000000000 RUNNING on processor 0
IRP List:
fffffa8047459cf0: (0006,0310) Flags: 00060901 Mdl: fffffa8045bd2f40
Not impersonating
DeviceMap fffff8a001a403d0
Owning Process fffffa803b7bd2c0 Image: sqlservr.exe
Attached Process N/A Image: N/A
Wait Start TickCount 8040989 Ticks: 1 (0:00:00:00.015)
Context Switch Count 1414309
UserTime 04:05:14.997
KernelTime 00:27:47.104
Win32 Start Address 0x000000006c613810
Stack Init fffff8800503edb0 Current fffff8800503e900
Base fffff8800503f000 Limit fffff88005039000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
00000000`1a80c940 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x3c61e2
6: kd> !thread fffffa80479d8b50
THREAD fffffa80479d8b50 Cid a494.deb8 Teb: 000007fffffdd000 Win32Thread: fffff900c4045580 RUNNING on processor 6
IRP List:
fffffa80452b4e60: (0006,0118) Flags: 00060070 Mdl: 00000000
Not impersonating
DeviceMap fffff8a000006110
Owning Process fffffa804b477060 Image: handle64.exe
Attached Process N/A Image: N/A
Wait Start TickCount 8040990 Ticks: 0
Context Switch Count 37 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.624
Win32 Start Address 0x0000000140007c7c
Stack Init fffff8801dfa2db0 Current fffff8801dfa2600
Base fffff8801dfa3000 Limit fffff8801df9c000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`1dfa2428 fffff800`01838de4 : 00000000`00000018 00000000`00000000 fffffa80`4757bd30 00000000`00000002 : nt!KeBugCheckEx
fffff880`1dfa2430 fffff800`01b6aee1 : fffff880`1dfa2ca0 fffffa80`4757bd00 00000000`00000001 00000000`00002544 : nt! ?? ::FNODOBFM::`string'+0x48de1
fffff880`1dfa2490 fffff800`01b72fb6 : fffffa80`4757bd90 fffffa80`4bce5344 00000000`00000800 fffff880`1dfa2600 : nt!ObpQueryNameString+0x321
fffff880`1dfa2590 fffff880`06db6151 : fffffa80`49249850 fffff800`01b6d295 00000006`00000000 fffff800`00000000 : nt!ObQueryNameString+0xe
fffff880`1dfa25d0 fffff880`06db6dc6 : fffff880`1dfa2c01 fffffa80`41195b30 fffffa80`4bce5344 fffff800`00000800 : PROCEXP152+0x1151
fffff880`1dfa2630 fffff880`06db7ce9 : 00000000`00000001 fffffa80`4bce5340 fffffa80`4bce5340 fffffa80`452b4e98 : PROCEXP152+0x1dc6
fffff880`1dfa2750 fffff880`06db82cd : fffffa80`49249850 fffff800`01b8b601 fffffa80`4bce5340 00000000`00000020 : PROCEXP152+0x2ce9
fffff880`1dfa2940 fffff800`01bb0cc7 : fffffa80`3e32a060 fffffa80`452b4e60 fffffa80`452b4f78 fffffa80`452b4e60 : PROCEXP152+0x32cd
fffff880`1dfa2a10 fffff800`01bb1526 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607
fffff880`1dfa2b40 fffff800`01891e13 : 00000000`00000000 00000000`77565450 00000000`00c70158 fffff880`1dfa2c20 : nt!NtDeviceIoControlFile+0x56
fffff880`1dfa2bb0 00000000`774a132a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`1dfa2c20)
00000000`0012d348 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x774a132a
6: kd> !running -ti
System Processors: (00000000000000ff)
Idle Processors: (00000000000000be) (0000000000000000) (0000000000000000) (0000000000000000)
Prcbs Current Next
0 fffff80001a0de80 fffffa803b82fab0 ................
Child-SP RetAddr Call Site
00000000`1a80c940 00000000`00000000 0x3c61e2
1 fffff880009bf180 fffff880009ca0c0 ................
Child-SP RetAddr Call Site
fffff880`009d2c98 fffff800`0189b709 intelppm!C1Halt+0x2
fffff880`009d2ca0 fffff800`0188a85c nt!PoIdle+0x52a
fffff880`009d2d80 00000000`00000000 nt!KiIdleLoop+0x2c
2 fffff88001e5d180 fffff88001e680c0 ................
Child-SP RetAddr Call Site
fffff880`01e85c98 fffff800`0189b709 intelppm!C1Halt+0x2
fffff880`01e85ca0 fffff800`0188a85c nt!PoIdle+0x52a
fffff880`01e85d80 00000000`00000000 nt!KiIdleLoop+0x2c
3 fffff88001ece180 fffff88001ed90c0 ................
Child-SP RetAddr Call Site
fffff880`01ef6c98 fffff800`0189b709 intelppm!C1Halt+0x2
fffff880`01ef6ca0 fffff800`0188a85c nt!PoIdle+0x52a
fffff880`01ef6d80 00000000`00000000 nt!KiIdleLoop+0x2c
4 fffff88001f3f180 fffff88001f4a0c0 ................
Child-SP RetAddr Call Site
fffff880`01f67c98 fffff800`0189b709 intelppm!C1Halt+0x2
fffff880`01f67ca0 fffff800`0188a85c nt!PoIdle+0x52a
fffff880`01f67d80 00000000`00000000 nt!KiIdleLoop+0x2c
5 fffff88001fb0180 fffff88001fbb0c0 ................
Child-SP RetAddr Call Site
fffff880`01fd8c98 fffff800`0189b709 intelppm!C1Halt+0x2
fffff880`01fd8ca0 fffff800`0188a85c nt!PoIdle+0x52a
fffff880`01fd8d80 00000000`00000000 nt!KiIdleLoop+0x2c
6 fffff88001fe1180 fffffa80479d8b50 ................
Child-SP RetAddr Call Site
fffff880`1dfa2428 fffff800`01838de4 nt!KeBugCheckEx
fffff880`1dfa2430 fffff800`01b6aee1 nt! ?? ::FNODOBFM::`string'+0x48de1
fffff880`1dfa2490 fffff800`01b72fb6 nt!ObpQueryNameString+0x321
fffff880`1dfa2590 fffff880`06db6151 nt!ObQueryNameString+0xe
fffff880`1dfa25d0 fffff880`06db6dc6 PROCEXP152+0x1151
fffff880`1dfa2630 fffff880`06db7ce9 PROCEXP152+0x1dc6
fffff880`1dfa2750 fffff880`06db82cd PROCEXP152+0x2ce9
fffff880`1dfa2940 fffff800`01bb0cc7 PROCEXP152+0x32cd
fffff880`1dfa2a10 fffff800`01bb1526 nt!IopXxxControlFile+0x607
fffff880`1dfa2b40 fffff800`01891e13 nt!NtDeviceIoControlFile+0x56
fffff880`1dfa2bb0 00000000`774a132a nt!KiSystemServiceCopyEnd+0x13
00000000`0012d348 00000000`00000000 0x774a132a
7 fffff880020a4180 fffff880020af0c0 ................
Child-SP RetAddr Call Site
fffff880`020ccc98 fffff800`0189b709 intelppm!C1Halt+0x2
fffff880`020ccca0 fffff800`0188a85c nt!PoIdle+0x52a
fffff880`020ccd80 00000000`00000000 nt!KiIdleLoop+0x2c
6: kd> !ready
Processor 0: No threads in READY state
Processor 1: No threads in READY state
Processor 2: No threads in READY state
Processor 3: No threads in READY state
Processor 4: No threads in READY state
Processor 5: No threads in READY state
Processor 6: No threads in READY state
Processor 7: No threads in READY state
---------------
There aren't really any other running threads to look at as suspect.