New
#1
Translating memory adresses in windbg output
Hi everybody. I've got blue screens pointing to ntfs.sys, many other drivers and ntoskrnl.exe on a pc wich I suspect has memory problems, originating either from the memory controller or the memory itself. I've already tested the only memory stick on the failing pc and another correctly working pc during several ours finding no errors. I'd like to know how to translate memory adresses like "fffff880`03164420" to physical adresses so I can test them more througly. I'd really apreciate any help. Here is the windbg analysis of one of the dups, wich I attached to the post:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\backup\backup2\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: srv*c:\mss*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`02601000 PsLoadedModuleList = 0xfffff800`02846e90
Debug session time: Tue Jul 8 09:13:21.144 2014 (GMT-3)
System Uptime: 0 days 0:47:25.252
Loading Kernel Symbols
...............................................................
................................................................
.......
Loading User Symbols
Loading unloaded module list
..........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1904fb, fffff880031641e8, fffff88003163a40, fffff8000269573a}
Probably caused by : Ntfs.sys ( Ntfs!NtfsCheckpointVolume+35e )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff880031641e8
Arg3: fffff88003163a40
Arg4: fffff8000269573a
Debugging Details:
------------------
OVERLAPPED_MODULE: Address regions for 'nvlddmkm' and 'nvlddmkm.sys' overlap
EXCEPTION_RECORD: fffff880031641e8 -- (.exr 0xfffff880031641e8)
ExceptionAddress: fffff8000269573a (nt!CcUnpinFileDataEx+0x00000000000000ea)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008
CONTEXT: fffff88003163a40 -- (.cxr 0xfffff88003163a40)
rax=0000000000000000 rbx=00000000ffffffff rcx=0000000000000000
rdx=fffffa8002619901 rsi=0000000065084601 rdi=fffffa80036adc80
rip=fffff8000269573a rsp=fffff88003164420 rbp=fffff8000281e600
r8=0000000000000001 r9=0000000000000000 r10=0000000000000000
r11=00000001b10bd975 r12=0000000000000000 r13=fffffa8002619910
r14=00000000000002fd r15=fffffa8002619920
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
nt!CcUnpinFileDataEx+0xea:
fffff800`0269573a 488b4808 mov rcx,qword ptr [rax+8] ds:002b:00000000`00000008=????????????????
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria en 0x%08lx. La memoria no se pudo %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria en 0x%08lx. La memoria no se pudo %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000008
READ_ADDRESS: 0000000000000008
FOLLOWUP_IP:
Ntfs!NtfsCheckpointVolume+35e
fffff880`012cce7e 4c8b9c24e0000000 mov r11,qword ptr [rsp+0E0h]
FAULTING_IP:
nt!CcUnpinFileDataEx+ea
fffff800`0269573a 488b4808 mov rcx,qword ptr [rax+8]
BUGCHECK_STR: 0x24
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from fffff80002642fb5 to fffff8000269573a
STACK_TEXT:
fffff880`03164420 fffff800`02642fb5 : fffffa80`02601980 fffff800`0281e600 fffff800`00001000 00000000`00000000 : nt!CcUnpinFileDataEx+0xea
fffff880`031644a0 fffff880`012cce7e : fffff8a0`00136870 fffff880`01223428 fffff880`03164ab0 fffff880`03164658 : nt!CcGetDirtyPages+0x1d9
fffff880`03164590 fffff880`012d08db : fffff880`03164ab0 fffffa80`02724180 fffff880`03164a00 fffff880`01223000 : Ntfs!NtfsCheckpointVolume+0x35e
fffff880`03164990 fffff880`012cf27b : fffff880`03164ab0 fffffa80`02724180 fffffa80`02724188 fffff880`01216020 : Ntfs!NtfsCheckpointAllVolumesWorker+0x4b
fffff880`031649e0 fffff880`012d1398 : fffff880`03164ab0 00000000`00000000 fffff880`012d0890 fffff880`03164cb8 : Ntfs!NtfsForEachVcb+0x167
fffff880`03164a80 fffff800`0268ba21 : fffff880`0418a500 fffff800`0281e600 fffffa80`015ce000 00000000`00000003 : Ntfs!NtfsCheckpointAllVolumes+0xb8
fffff880`03164cb0 fffff800`0291ecce : 00000000`00000000 fffffa80`015ce040 00000000`00000080 fffffa80`015ab040 : nt!ExpWorkerThread+0x111
fffff880`03164d40 fffff800`02672fe6 : fffff880`02f63180 fffffa80`015ce040 fffff880`02f6dfc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`03164d80 00000000`00000000 : fffff880`03165000 fffff880`0315f000 fffff880`031649e0 00000000`00000000 : nt!KxStartSystemThread+0x16
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: Ntfs!NtfsCheckpointVolume+35e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce792f9
STACK_COMMAND: .cxr 0xfffff88003163a40 ; kb
FAILURE_BUCKET_ID: X64_0x24_Ntfs!NtfsCheckpointVolume+35e
BUCKET_ID: X64_0x24_Ntfs!NtfsCheckpointVolume+35e
Followup: MachineOwner
---------