#11
Hmm... I tried usasma's Minidump analysis with a more recent crash dump file (btw, since I started this thread my laptop has crashed at least 3 times). I got the debugging tool to analyse it correctly this time, and here is what I got (it seems to be caused by NETIO.SYS):
@usasma: This driver verifier method seems a little scary but I will try it later also. I will post the minidumps here afterwards. I will check both afd.sys and netio.sys.

Code:

Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\Mini071409-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Longhorn Kernel Version 6002 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6002.18005.x86fre.lh_sp2rtm.090410-1830
Kernel base = 0x81c1e000 PsLoadedModuleList = 0x81d35c70
Debug session time: Tue Jul 14 11:50:00.702 2009 (GMT+3)
System Uptime: 0 days 3:01:42.387
Loading Kernel Symbols
...........................................................................................................................................
Loading unloaded module list
.............
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {50000005, 2, 1, 87a58d40}

Probably caused by : NETIO.SYS ( NETIO!WfppIncrementIndexAndPurgeEntries+a8 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 50000005, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 87a58d40, address which referenced memory

Debugging Details:
------------------

OVERLAPPED_MODULE: HIDCLASS

WRITE_ADDRESS: GetUlongFromAddress: unable to read from 81d55868
Unable to read MiSystemVaType memory at 81d35420
 50000005

CURRENT_IRQL: 2

FAULTING_IP:
tcpip!WfpAlePreprocessLruEntryDelete+2f
87a58d40 894104 mov [ecx+0x4],eax

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from 879468bd to 87a58d40

TRAP_FRAME: 8874cc2c -- (.trap ffffffff8874cc2c)
ErrCode = 00000002
eax=8620c148 ebx=84968a60 ecx=50000001 edx=843d6c28 esi=843d6cd0 edi=843d6cd0
eip=87a58d40 esp=8874cca0 ebp=8874cca4 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
tcpip!WfpAlePreprocessLruEntryDelete+0x2f:
87a58d40 894104 mov [ecx+0x4],eax ds:0023:50000005=????????
Resetting default scope

STACK_TEXT:
8874cca4 879468bd 843d6cd0 00000000 00000000 tcpip!WfpAlePreprocessLruEntryDelete+0x2f
8874cce0 87941675 00000000 00000000 87ae16f8 NETIO!WfppIncrementIndexAndPurgeEntries+0xa8
8874ccf4 8794135b 87ae1760 87ae1360 81d2013c NETIO!WfppLeastRecentlyUsedTimerRoutine+0x10
8874cd20 8794189b 87ae1368 848c4590 8874cd44 NETIO!WfpTimerWheelTimeoutHandler+0x114
8874cd30 81e2b865 848c4590 84847f98 83a75580 NETIO!WfpSysTimerNdisPassiveCallback+0x20
8874cd44 81cc3e22 83f95558 00000000 83a75580 nt!IopProcessWorkItem+0x23
8874cd7c 81df3c42 83f95558 ec9dfd06 00000000 nt!ExpWorkerThread+0xfd
8874cdc0 81c5cefe 81cc3d25 00000001 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
NETIO!WfppIncrementIndexAndPurgeEntries+a8
879468bd 8d8e94080000 lea ecx,[esi+0x894]

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: NETIO!WfppIncrementIndexAndPurgeEntries+a8

MODULE_NAME: NETIO

IMAGE_NAME: NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 49e0209d

STACK_COMMAND: .trap ffffffff8874cc2c ; kb

FAILURE_BUCKET_ID: 0xD1_W_NETIO!WfppIncrementIndexAndPurgeEntries+a8

BUCKET_ID: 0xD1_W_NETIO!WfppIncrementIndexAndPurgeEntries+a8

Followup: MachineOwner
---------

Last edited by Bling; 14 Jul 2009 at 10:44.