New
#11
I would have to say that thundertjE's analysis is spot-on - the ATI driver running inside dwm.exe is causing the exception, and since it's a system service (transitioning from non-privileged code, aka user-mode, to privileged code, aka kernel-mode), it cannot cause an exception without causing the computer to bugcheck during this transition period:
Code:// Exception record and thread that caused it: 2: kd> .cxr 0xfffff8800a550900 rax=0000000000000000 rbx=fffffa8006994f90 rcx=fffffa80055112d0 rdx=0000000000000000 rsi=0000000000000015 rdi=fffffa800672e340 rip=fffff88004b02817 rsp=fffff8800a5512d0 rbp=fffffa80055112d0 r8=0000000000000015 r9=fffff88004ec4970 r10=fffffa80076d2950 r11=fffff8800a551420 r12=0000000000000000 r13=fffffa8005cf97f0 r14=0000000000000001 r15=0000000000000000 iopl=0 nv up ei pl zr na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246 atikmdag+0x90817: fffff880`04b02817 8b4820 mov ecx,dword ptr [rax+20h] ds:002b:00000000`00000020=???????? 2: kd> kn *** Stack trace for last set context - .thread/.cxr resets it # Child-SP RetAddr Call Site 00 fffff880`0a5512d0 00000000`00000000 atikmdag+0x90817 // The thread that caused the bugcheck, spawned due to the exception above: 2: kd> !thread GetPointerFromAddress: unable to read from fffff80002cc6000 THREAD fffffa8005d4db60 Cid 0654.0264 Teb: 000007fffffd6000 Win32Thread: fffff900c235c010 RUNNING on processor 2 Not impersonating GetUlongFromAddress: unable to read from fffff80002c04b74 Owning Process fffffa8006b30060 Image: dwm.exe Attached Process N/A Image: N/A fffff78000000000: Unable to get shared data Wait Start TickCount 264839 Context Switch Count 66 LargeStack ReadMemory error: Cannot get nt!KeMaximumIncrement value. UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address 0x000007fef906b0e4 Stack Init fffff8800a551db0 Current fffff8800a551430 Base fffff8800a552000 Limit fffff8800a54b000 Call 0 Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site fffff880`0a550038 fffff800`02a8dca9 : 00000000`0000003b 00000000`c0000005 fffff880`04b02817 fffff880`0a550900 : nt!KeBugCheckEx fffff880`0a550040 fffff800`02a8d5fc : fffff880`0a551098 fffff880`0a550900 00000000`00000000 fffff880`05297dec : nt!KiBugCheckDispatch+0x69 fffff880`0a550180 fffff800`02ab440d : fffff960`0033b8d0 fffff960`00301498 fffff960`00050000 fffff880`0a551098 : nt!KiSystemServiceHandler+0x7c fffff880`0a5501c0 fffff800`02abba90 : fffff800`02bde1a0 fffff880`0a550238 fffff880`0a551098 fffff800`02a1e000 : nt!RtlpExecuteHandlerForException+0xd fffff880`0a5501f0 fffff800`02ac89ef : fffff880`0a551098 fffff880`0a550900 fffff880`00000000 fffffa80`0672e340 : nt!RtlDispatchException+0x410 fffff880`0a5508d0 fffff800`02a8dd82 : fffff880`0a551098 fffffa80`06994f90 fffff880`0a551140 00000000`00000015 : nt!KiDispatchException+0x16f fffff880`0a550f60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0xc2 // ATI driver: 2: kd> lmvm atikmdag start end module name fffff880`04a72000 fffff880`05283000 atikmdag T (no symbols) Loaded symbol image file: atikmdag.sys Image path: \SystemRoot\system32\DRIVERS\atikmdag.sys Image name: atikmdag.sys Timestamp: Thu Nov 25 21:46:44 2010 (4CEF1F94) CheckSum: 007CA105 ImageSize: 00811000 Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4