BSOD with several Chrome windows, error 3B (C0000005, ...


  1. Posts : 64
    Windows 7 x64
       #11

    Not going to be necessary. I looked at this a little yesterday and this morning. Unfortunately I don't have anything conclusive, but I do have a very strong hunch. Keep in mind that I'm still relatively new to debugging (have been diving in head first the last month or two), so maybe a veteran might be able to dig a little deeper than I have.

    I believe what's happening is the Rapport software that is installed is corrupting Avast's page table. Likely in a buffer overflow, but I've not confirmed that and have no evidence of it (yet). The fact that the two processes and their stack frames are consistent with the crashes makes me believe they're tripping over one another. The "trip" always appears to happen during a usermode interaction that makes a kernel call. I'll provide some of the code I went through to hopefully paint a thorough picture for you.

    With all that said, I would start by uninstalling the Rapport software and monitoring the situation. My bet is that the problem goes away.

    Code:
    2: kd> !running
     
    System Processors:  (000000000000000f)
    Idle Processors:  (0000000000000003) (0000000000000000) (0000000000000000) (0000000000000000)
     
         Prcbs             Current         (pri) Next            (pri) Idle
    2    fffff88002f63180  fffffa8007419b50 (11)                       fffff88002f6dfc0  ................
    3    fffff88002fd3180  fffffa8006106060 ( 8)                       fffff88002fddfc0  ................
     
    2: kd> !thread fffffa8007419b50
    THREAD fffffa8007419b50  Cid 0fa0.0aac  Teb: 00000000fffdb000 Win32Thread: fffff900c3fd5c20 RUNNING on processor 2
    IRP List:
      fffffa80072f1c60: (0006,0118) Flags: 00060000  Mdl: 00000000
    Not impersonating
    DeviceMap                 fffff8a0065a8910
    Owning Process            fffffa8007317b30       Image:         chrome.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      10452135       Ticks: 0
    Context Switch Count      20632429       IdealProcessor: 2                 LargeStack
    UserTime                  00:07:58.704
    KernelTime                00:01:54.551
    Win32 Start Address chrome!SetCrashKeyValueImpl (0x00000000001b7ef2)
    Stack Init fffff8800a6ca640 Current fffff8800a6ca530
    Base fffff8800a6cb000 Limit fffff8800a6c2000 Call fffff8800a6ca690
    Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
    Child-SP          RetAddr           : Args to Child                                                           : Call Site
    fffff880`0a6c9128 fffff800`03292169 : 00000000`0000003b 00000000`c0000005 fffff880`03efcad1 fffff880`0a6c99f0 : nt!KeBugCheckEx
    fffff880`0a6c9130 fffff800`03291abc : fffff880`0a6ca198 fffff880`0a6c99f0 00000000`00000000 fffff880`03f569d0 : nt!KiBugCheckDispatch+0x69
    fffff880`0a6c9270 fffff800`032bd75d : fffff880`03fb3f6c 00000000`00000000 fffff880`03ed0000 fffff880`0a6ca198 : nt!KiSystemServiceHandler+0x7c
    fffff880`0a6c92b0 fffff800`032bc535 : fffff800`033e26c4 fffff880`0a6c9328 fffff880`0a6ca198 fffff800`0321d000 : nt!RtlpExecuteHandlerForException+0xd
    fffff880`0a6c92e0 fffff800`032cd4c1 : fffff880`0a6ca198 fffff880`0a6c99f0 fffff880`00000000 00000000`062b00d0 : nt!RtlDispatchException+0x415
    fffff880`0a6c99c0 fffff800`03292242 : fffff880`0a6ca198 00000000`00000001 fffff880`0a6ca240 00000000`00000000 : nt!KiDispatchException+0x135
    fffff880`0a6ca060 fffff800`03290dba : 00000000`00000000 00000000`0b5a0000 fffff8a0`13a74300 00000000`00000001 : nt!KiExceptionDispatch+0xc2
    fffff880`0a6ca240 fffff880`03efcad1 : 00000000`00000001 00000000`00003302 00000000`062b00d0 00000000`00000000 : nt!KiPageFault+0x23a (TrapFrame @ fffff880`0a6ca240) <- Page fault caused by aswsnx.sys
    fffff880`0a6ca3d0 fffff800`03291e53 : fffffa80`07419b50 00000000`000fc6d8 00000000`062b00d0 fffff880`0a6ca458 : aswSnx+0x2cad1
    fffff880`0a6ca440 00000000`776f13ba : 00000000`7529d148 00000000`00000002 00000000`00000000 00000000`75c09b28 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0a6ca4b0) <- Call to kernel
    00000000`000fc6b8 00000000`7529d148 : 00000000`00000002 00000000`00000000 00000000`75c09b28 00000000`00000164 : ntdll!NtQueryObject+0xa <- User function that invokes kernel call
    00000000`000fc6c0 00000000`7529d282 : 00000000`02000000 00000000`00000001 00000000`00d5ba30 00000000`00000004 : wow64!ConstructKernelKeyPath+0x1d4
    00000000`000fc740 00000000`75293203 : 00000000`0039e6fc 00000000`02000000 00000000`0039e130 00000000`0039e3a4 : wow64!Wow64NtOpenKey+0x5a
    00000000`000fc7e0 00000000`7527d03b : 00000000`00000000 00000000`00000000 00000000`000fd0a0 00000000`0039e134 : wow64!whNtOpenKeyEx+0x73
    00000000`000fc840 00000000`75202776 : 00000000`00000246 00000000`13f2e5a0 00000000`00000246 00000000`75202776 : wow64!Wow64SystemServiceEx+0xd7
    00000000`000fd100 00000000`7527d132 : 00000000`00000246 00000000`75201904 00000000`00000246 00000000`7520198b : wow64cpu!ServiceNoTurbo+0x2d
    00000000`000fd1c0 00000000`75278a50 : 00000000`00000000 00000000`000fdef0 00000018`0039eef0 00000000`778900dc : wow64!RunCpuSimulation+0xa
    00000000`000fd210 00000000`75242c4e : 00000000`000fd590 00000000`00000002 00000000`000fdef0 00000000`00000020 : wow64!Wow64KiUserCallbackDispatcher+0x204
    00000000`000fd560 00000000`776f11f5 : 00000000`00110624 00000000`00000000 00000000`00000000 778ee5fc`778b2612 : wow64win!whcbfnDWORD+0xe2
    00000000`000fdf50 00000000`7524fe4a : 00000000`7522aefe 00000000`000fe018 0000005e`00000068 00000000`7525287a : ntdll!KiUserCallbackDispatcherContinue (TrapFrame @ 00000000`000fde18)
    00000000`000fdfd8 00000000`7522aefe : 00000000`000fe018 0000005e`00000068 00000000`7525287a 00000000`00000001 : wow64win!ZwUserMessageCall+0xa
    00000000`000fdfe0 00000000`7524281b : 00000000`00000040 00000000`752254b0 00000000`00000000 00000000`0000003d : wow64win!whNT32NtUserMessageCallCB+0x32
    00000000`000fe030 00000000`7522b00a : 00000000`000002b3 00000000`0039ee40 00000000`0000003d 00000000`0039ee30 : wow64win!Wow64DoMessageThunk+0x8b
    00000000`000fe070 00000000`7527d03b : 00000000`0039ee0c 00000000`fffdb000 00000000`fffdd000 00000000`7522af0c : wow64win!whNtUserMessageCall+0xfe
    00000000`000fe110 00000000`75202776 : 00000000`77380b75 00000000`75270023 00000000`00000246 00000000`0039ef58 : wow64!Wow64SystemServiceEx+0xd7
    00000000`000fe9d0 00000000`7527d132 : 00000000`00000000 00000000`75201920 00000000`777b5430 00000000`776cecf1 : wow64cpu!ServiceNoTurbo+0x2d
    00000000`000fea90 00000000`7527c54b : 00000000`00000000 00000000`00000000 00000000`75274ad8 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
    00000000`000feae0 00000000`776e4966 : 00000000`004b3140 00000000`00000000 00000000`777d2670 00000000`777a5978 : wow64!Wow64LdrpInitialize+0x42b
    00000000`000ff030 00000000`776e1937 : 00000000`00000000 00000000`776e4071 00000000`000ff5e0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
    00000000`000ff520 00000000`776cc34e : 00000000`000ff5e0 00000000`00000000 00000000`fffdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x28ff0
    00000000`000ff590 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
     
    2: kd> !thread fffffa8006106060
    THREAD fffffa8006106060  Cid 0078.14b4  Teb: 000000007efa7000 Win32Thread: fffff900c1afbc20 RUNNING on processor 3
    Not impersonating
    DeviceMap                 fffff8a000006090
    Owning Process            fffffa8007d495e0       Image:         RapportMgmtService.exe
    Attached Process          N/A            Image:         N/A
    Wait Start TickCount      10452135       Ticks: 0
    Context Switch Count      2648           IdealProcessor: 0                 LargeStack
    UserTime                  00:00:01.716
    KernelTime                00:00:03.712
    Win32 Start Address 0x00000000003b8df0
    Stack Init fffff88012488db0 Current fffff880124881c0
    Base fffff88012489000 Limit fffff88012480000 Call 0
    Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr           : Args to Child                                                           : Call Site
    fffff880`12488640 fffff800`0359b590 : fffffa80`00000000 fffffa80`0553b801 fffffa80`00000060 fffff880`124886e8 : nt!ObpAllocateObject+0x217
    fffff880`124886b0 fffff800`03591ef9 : 00000000`00000025 fffffa80`088a17b8 fffffa80`08465610 fffffa80`08465610 : nt!IopAllocRealFileObject+0xf0
    fffff880`12488760 fffff800`0358ddb8 : fffffa80`08465610 fffff800`00000000 fffffa80`088a1600 fffffa80`00000001 : nt!IopParseDevice+0xf90
    fffff880`124888c0 fffff800`0358efd6 : 00000000`00000000 fffffa80`088a1600 00000000`026bef00 fffffa80`05550400 : nt!ObpLookupObjectName+0x588
    fffff880`124889b0 fffff800`035908dc : 00000000`00000400 00000000`00000000 fffffa80`08a58301 fffff880`12488a98 : nt!ObOpenObjectByName+0x306
    fffff880`12488a80 fffff800`0359bed4 : 00000000`026be5a8 fffff8a0`c0100080 00000000`026bee70 00000000`026be5c0 : nt!IopCreateFile+0x2bc
    fffff880`12488b20 fffff800`03291e53 : fffffa80`07d495e0 00000000`00000001 fffffa80`06106060 fffff800`03589ce4 : nt!NtCreateFile+0x78
    fffff880`12488bb0 00000000`776f180a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`12488c20)
    00000000`026be538 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!ZwCreateFile+0xa
     
    2: kd> .trap fffff880`0a6ca240
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=000000000b5a0000
    rdx=fffff8a011d619c1 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff88003efcad1 rsp=fffff8800a6ca3d0 rbp=fffff8800a6ca530
     r8=fffff8a011d619c0  r9=fffff8800a6ca318 r10=fffff88003fb1600
    r11=fffff8a011d619c0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl zr na po nc
    aswSnx+0x2cad1:
    fffff880`03efcad1 f30f6f01        movdqu  xmm0,xmmword ptr [rcx] ds:00000000`0b5a0000=????????????????????????????????


  2. Posts : 64
    Windows 7 x64
       #12

    Code:
    2: kd> uf fffff88003efcad1-10
    aswSnx+0x2c9cc:
    fffff880`03efc9cc 4c8bdc          mov     r11,rsp
    fffff880`03efc9cf 49895b08        mov     qword ptr [r11+8],rbx
    fffff880`03efc9d3 49897310        mov     qword ptr [r11+10h],rsi
    fffff880`03efc9d7 49897b20        mov     qword ptr [r11+20h],rdi
    fffff880`03efc9db 4d894318        mov     qword ptr [r11+18h],r8
    fffff880`03efc9df 4154            push    r12
    fffff880`03efc9e1 4883ec60        sub     rsp,60h
    fffff880`03efc9e5 498bf8          mov     rdi,r8
    fffff880`03efc9e8 8bda            mov     ebx,edx
    fffff880`03efc9ea 488bf1          mov     rsi,rcx
    fffff880`03efc9ed 488b842490000000 mov     rax,qword ptr [rsp+90h]
    fffff880`03efc9f5 498943b8        mov     qword ptr [r11-48h],rax
    fffff880`03efc9f9 ff1581330b00    call    qword ptr [aswSnx+0xdfd80 (fffff880`03fafd80)]
    fffff880`03efc9ff 448be0          mov     r12d,eax
    fffff880`03efca02 89442430        mov     dword ptr [rsp+30h],eax
    fffff880`03efca06 85c0            test    eax,eax
    fffff880`03efca08 0f88fc010000    js      aswSnx+0x2cc0a (fffff880`03efcc0a)
    
    aswSnx+0x2ca0e:
    fffff880`03efca0e ff159caf0600    call    qword ptr [aswSnx+0x979b0 (fffff880`03f679b0)]
    fffff880`03efca14 3c01            cmp     al,1
    fffff880`03efca16 0f85ee010000    jne     aswSnx+0x2cc0a (fffff880`03efcc0a)
    
    aswSnx+0x2ca1c:
    fffff880`03efca1c 83fb01          cmp     ebx,1
    fffff880`03efca1f 0f85e5010000    jne     aswSnx+0x2cc0a (fffff880`03efcc0a)
    
    aswSnx+0x2ca25:
    fffff880`03efca25 48c744244070020000 mov   qword ptr [rsp+40h],270h
    fffff880`03efca2e 488364243800    and     qword ptr [rsp+38h],0
    fffff880`03efca34 ff1576af0600    call    qword ptr [aswSnx+0x979b0 (fffff880`03f679b0)]
    fffff880`03efca3a 84c0            test    al,al
    fffff880`03efca3c 751a            jne     aswSnx+0x2ca58 (fffff880`03efca58)
    
    aswSnx+0x2ca3e:
    fffff880`03efca3e 41b8536e7820    mov     r8d,20786E53h
    fffff880`03efca44 488b542440      mov     rdx,qword ptr [rsp+40h]
    fffff880`03efca49 8bcb            mov     ecx,ebx
    fffff880`03efca4b ff15ffaf0600    call    qword ptr [aswSnx+0x97a50 (fffff880`03f67a50)]
    fffff880`03efca51 4889442438      mov     qword ptr [rsp+38h],rax
    fffff880`03efca56 eb2c            jmp     aswSnx+0x2ca84 (fffff880`03efca84)
    
    aswSnx+0x2ca58:
    fffff880`03efca58 c744242804000000 mov     dword ptr [rsp+28h],4
    fffff880`03efca60 c744242000100000 mov     dword ptr [rsp+20h],1000h
    fffff880`03efca68 4c8d4c2440      lea     r9,[rsp+40h]
    fffff880`03efca6d 4533c0          xor     r8d,r8d
    fffff880`03efca70 488d542438      lea     rdx,[rsp+38h]
    fffff880`03efca75 4883c9ff        or      rcx,0FFFFFFFFFFFFFFFFh
    fffff880`03efca79 ff15f9aa0600    call    qword ptr [aswSnx+0x97578 (fffff880`03f67578)]
    fffff880`03efca7f 488b442438      mov     rax,qword ptr [rsp+38h]
    
    aswSnx+0x2ca84:
    fffff880`03efca84 4885c0          test    rax,rax
    fffff880`03efca87 0f847d010000    je      aswSnx+0x2cc0a (fffff880`03efcc0a)
    
    aswSnx+0x2ca8d:
    fffff880`03efca8d 488364242000    and     qword ptr [rsp+20h],0
    fffff880`03efca93 448b4c2440      mov     r9d,dword ptr [rsp+40h]
    fffff880`03efca98 4c8bc0          mov     r8,rax
    fffff880`03efca9b ba02000000      mov     edx,2
    fffff880`03efcaa0 488bce          mov     rcx,rsi
    fffff880`03efcaa3 ff15d7320b00    call    qword ptr [aswSnx+0xdfd80 (fffff880`03fafd80)]
    fffff880`03efcaa9 8bf0            mov     esi,eax
    fffff880`03efcaab 85c0            test    eax,eax
    fffff880`03efcaad 0f881b010000    js      aswSnx+0x2cbce (fffff880`03efcbce)
    
    aswSnx+0x2cab3:
    fffff880`03efcab3 488d15464b0b00  lea     rdx,[aswSnx+0xe1600 (fffff880`03fb1600)]
    fffff880`03efcaba 488d4c2448      lea     rcx,[rsp+48h] <- rcx came from this address (on the stack)
    fffff880`03efcabf e850670c00      call    aswSnx+0xf3214 (fffff880`03fc3214)
    fffff880`03efcac4 85c0            test    eax,eax
    fffff880`03efcac6 0f8802010000    js      aswSnx+0x2cbce (fffff880`03efcbce)
    
    aswSnx+0x2cacc:
    fffff880`03efcacc 488b4c2438      mov     rcx,qword ptr [rsp+38h] <- We crashed moving the contents of this register
    fffff880`03efcad1 f30f6f01        movdqu  xmm0,xmmword ptr [rcx] <- Crash
    fffff880`03efcad5 f30f7f442450    movdqu  xmmword ptr [rsp+50h],xmm0
    fffff880`03efcadb ff15cfae0600    call    qword ptr [aswSnx+0x979b0 (fffff880`03f679b0)]
    fffff880`03efcae1 3c01            cmp     al,1
    fffff880`03efcae3 7426            je      aswSnx+0x2cb0b (fffff880`03efcb0b)
    
    aswSnx+0x2cae5:
    fffff880`03efcae5 488b4c2458      mov     rcx,qword ptr [rsp+58h]
    fffff880`03efcaea 488b05b7a90600  mov     rax,qword ptr [aswSnx+0x974a8 (fffff880`03f674a8)]
    fffff880`03efcaf1 483b08          cmp     rcx,qword ptr [rax]
    fffff880`03efcaf4 761a            jbe     aswSnx+0x2cb10 (fffff880`03efcb10)
    
    aswSnx+0x2caf6:
    fffff880`03efcaf6 488d542450      lea     rdx,[rsp+50h]
    fffff880`03efcafb 488b5c2448      mov     rbx,qword ptr [rsp+48h]
    fffff880`03efcb00 488bcb          mov     rcx,rbx
    fffff880`03efcb03 ff157fad0600    call    qword ptr [aswSnx+0x97888 (fffff880`03f67888)]
    fffff880`03efcb09 eb47            jmp     aswSnx+0x2cb52 (fffff880`03efcb52)
    
    aswSnx+0x2cb0b:
    fffff880`03efcb0b 488b4c2458      mov     rcx,qword ptr [rsp+58h]
    
    aswSnx+0x2cb10:
    fffff880`03efcb10 0fb7442450      movzx   eax,word ptr [rsp+50h]
    fffff880`03efcb15 6685c0          test    ax,ax
    fffff880`03efcb18 740f            je      aswSnx+0x2cb29 (fffff880`03efcb29)
    
    aswSnx+0x2cb1a:
    fffff880`03efcb1a 0fb7d0          movzx   edx,ax
    fffff880`03efcb1d 41b801000000    mov     r8d,1
    fffff880`03efcb23 ff1547a70600    call    qword ptr [aswSnx+0x97270 (fffff880`03f67270)]
    
    aswSnx+0x2cb29:
    fffff880`03efcb29 488d542450      lea     rdx,[rsp+50h]
    fffff880`03efcb2e 488b5c2448      mov     rbx,qword ptr [rsp+48h]
    fffff880`03efcb33 488bcb          mov     rcx,rbx
    fffff880`03efcb36 ff154cad0600    call    qword ptr [aswSnx+0x97888 (fffff880`03f67888)]
    fffff880`03efcb3c eb14            jmp     aswSnx+0x2cb52 (fffff880`03efcb52)
    
    aswSnx+0x2cb52:
    fffff880`03efcb52 85f6            test    esi,esi
    fffff880`03efcb54 7869            js      aswSnx+0x2cbbf (fffff880`03efcbbf)
    
    aswSnx+0x2cb56:
    fffff880`03efcb56 41b001          mov     r8b,1
    fffff880`03efcb59 488d15d0110b00  lea     rdx,[aswSnx+0xddd30 (fffff880`03fadd30)]
    fffff880`03efcb60 488bcb          mov     rcx,rbx
    fffff880`03efcb63 ff1557ad0600    call    qword ptr [aswSnx+0x978c0 (fffff880`03f678c0)]
    fffff880`03efcb69 85c0            test    eax,eax
    fffff880`03efcb6b 751e            jne     aswSnx+0x2cb8b (fffff880`03efcb8b)
    
    aswSnx+0x2cb6d:
    fffff880`03efcb6d 488bcf          mov     rcx,rdi
    fffff880`03efcb70 e89fe1fdff      call    aswSnx+0xad14 (fffff880`03edad14)
    fffff880`03efcb75 84c0            test    al,al
    fffff880`03efcb77 7446            je      aswSnx+0x2cbbf (fffff880`03efcbbf)
    
    aswSnx+0x2cb79:
    fffff880`03efcb79 4c8bc7          mov     r8,rdi
    fffff880`03efcb7c 488bd7          mov     rdx,rdi
    fffff880`03efcb7f b902000000      mov     ecx,2
    fffff880`03efcb84 e88b2cfeff      call    aswSnx+0xf814 (fffff880`03edf814)
    fffff880`03efcb89 eb34            jmp     aswSnx+0x2cbbf (fffff880`03efcbbf)
    
    aswSnx+0x2cb8b:
    fffff880`03efcb8b 41b001          mov     r8b,1
    fffff880`03efcb8e 488d158b110b00  lea     rdx,[aswSnx+0xddd20 (fffff880`03fadd20)]
    fffff880`03efcb95 488bcb          mov     rcx,rbx
    fffff880`03efcb98 ff1522ad0600    call    qword ptr [aswSnx+0x978c0 (fffff880`03f678c0)]
    fffff880`03efcb9e 85c0            test    eax,eax
    fffff880`03efcba0 751d            jne     aswSnx+0x2cbbf (fffff880`03efcbbf)
    
    aswSnx+0x2cba2:
    fffff880`03efcba2 66833f4e        cmp     word ptr [rdi],4Eh
    fffff880`03efcba6 7217            jb      aswSnx+0x2cbbf (fffff880`03efcbbf)
    
    aswSnx+0x2cba8:
    fffff880`03efcba8 488bcf          mov     rcx,rdi
    fffff880`03efcbab e850960300      call    aswSnx+0x66200 (fffff880`03f36200)
    fffff880`03efcbb0 84c0            test    al,al
    fffff880`03efcbb2 740b            je      aswSnx+0x2cbbf (fffff880`03efcbbf)
    
    aswSnx+0x2cbb4:
    fffff880`03efcbb4 488bd7          mov     rdx,rdi
    fffff880`03efcbb7 488bcf          mov     rcx,rdi
    fffff880`03efcbba e88d960300      call    aswSnx+0x6624c (fffff880`03f3624c)
    
    aswSnx+0x2cbbf:
    fffff880`03efcbbf 488d153a4a0b00  lea     rdx,[aswSnx+0xe1600 (fffff880`03fb1600)]
    fffff880`03efcbc6 488bcb          mov     rcx,rbx
    fffff880`03efcbc9 e89ec20400      call    aswSnx+0x78e6c (fffff880`03f48e6c)
    
    aswSnx+0x2cbce:
    fffff880`03efcbce ff15dcad0600    call    qword ptr [aswSnx+0x979b0 (fffff880`03f679b0)]
    fffff880`03efcbd4 84c0            test    al,al
    fffff880`03efcbd6 7512            jne     aswSnx+0x2cbea (fffff880`03efcbea)
    
    aswSnx+0x2cbd8:
    fffff880`03efcbd8 ba536e7820      mov     edx,20786E53h
    fffff880`03efcbdd 488b4c2438      mov     rcx,qword ptr [rsp+38h]
    fffff880`03efcbe2 ff1538ae0600    call    qword ptr [aswSnx+0x97a20 (fffff880`03f67a20)]
    fffff880`03efcbe8 eb20            jmp     aswSnx+0x2cc0a (fffff880`03efcc0a)
    
    aswSnx+0x2cbea:
    fffff880`03efcbea 488364244000    and     qword ptr [rsp+40h],0
    fffff880`03efcbf0 41b900800000    mov     r9d,8000h
    fffff880`03efcbf6 4c8d442440      lea     r8,[rsp+40h]
    fffff880`03efcbfb 488d542438      lea     rdx,[rsp+38h]
    fffff880`03efcc00 4883c9ff        or      rcx,0FFFFFFFFFFFFFFFFh
    fffff880`03efcc04 ff15eea80600    call    qword ptr [aswSnx+0x974f8 (fffff880`03f674f8)]
    
    aswSnx+0x2cc0a:
    fffff880`03efcc0a 418bc4          mov     eax,r12d
    fffff880`03efcc0d 4c8d5c2460      lea     r11,[rsp+60h]
    fffff880`03efcc12 498b5b10        mov     rbx,qword ptr [r11+10h]
    fffff880`03efcc16 498b7318        mov     rsi,qword ptr [r11+18h]
    fffff880`03efcc1a 498b7b28        mov     rdi,qword ptr [r11+28h]
    fffff880`03efcc1e 498be3          mov     rsp,r11
    fffff880`03efcc21 415c            pop     r12
    fffff880`03efcc23 c3              ret


  3. Posts : 64
    Windows 7 x64
       #13

    Code:
    2: kd> dp @rsp+48h <- Location on the stack where rcx came from. Looks good
    fffff880`0a6ca418  fffff8a0`11d619c0 00000000`000fc770
    fffff880`0a6ca428  00000000`000fc798 00000000`000fc798
    fffff880`0a6ca438  fffff800`03291e53 fffffa80`07419b50
    fffff880`0a6ca448  00000000`000fc6d8 00000000`062b00d0
    fffff880`0a6ca458  fffff880`0a6ca458 00000000`00000000
    fffff880`0a6ca468  fffffa80`07317b30 fffff8a0`124a41c0
    fffff880`0a6ca478  00000000`000030cc 00000000`75202401
    fffff880`0a6ca488  00000000`000fd100 00000000`000ffd20
    
    2: kd> dd @rcx
    00000000`0b5a0000  ???????? ???????? ???????? ???????? <- No data?
    00000000`0b5a0010  ???????? ???????? ???????? ????????
    00000000`0b5a0020  ???????? ???????? ???????? ????????
    00000000`0b5a0030  ???????? ???????? ???????? ????????
    00000000`0b5a0040  ???????? ???????? ???????? ????????
    00000000`0b5a0050  ???????? ???????? ???????? ????????
    00000000`0b5a0060  ???????? ???????? ???????? ????????
    00000000`0b5a0070  ???????? ???????? ???????? ????????
    
    2: kd> r
    Last set context:
    rax=0000000000000000 rbx=0000000000000000 rcx=000000000b5a0000
    rdx=fffff8a011d619c1 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff88003efcad1 rsp=fffff8800a6ca3d0 rbp=fffff8800a6ca530
     r8=fffff8a011d619c0  r9=fffff8800a6ca318 r10=fffff88003fb1600
    r11=fffff8a011d619c0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl zr na po nc
    cs=0010  ss=0018  ds=0000  es=0000  fs=0000  gs=0000             efl=00010246
    aswSnx+0x2cad1:
    fffff880`03efcad1 f30f6f01        movdqu  xmm0,xmmword ptr [rcx] ds:00000000`0b5a0000=???????????????????????????????? <- Address being referenced. Shouldn’t be ?’s in a full dump.
    
    2: kd> !pte 00000000`0b5a0000
                                               VA 000000000b5a0000
    PXE at FFFFF6FB7DBED000    PPE at FFFFF6FB7DA00000    PDE at FFFFF6FB400002D0    PTE at FFFFF6800005AD00
    contains 65700001A9C95867  contains 174000000CC99867  contains 6AA000003CC7C867  contains 0000000000000000 <- Invalid page table entry
    pfn 1a9c95    ---DA--UWEV  pfn cc99      ---DA--UWEV  pfn 3cc7c     ---DA--UWEV  not valid
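The `!pte` output in post #13 can be re-derived by hand. The following is an added example, not part of the thread or of any poster's work: it recomputes the PXE/PPE/PDE/PTE addresses for the faulting address and decodes the four entry values copied from that output. It assumes the fixed Windows 7 x64 self-map bases (they match the addresses printed in the dump) and the Windows 7 x64 36-bit page frame number field; the flag letters approximate WinDbg's `!pte` rendering.

```python
# Added example: reproduces the `!pte` arithmetic for the dump shown above.
# Assumption: fixed Windows 7 x64 self-map bases. They agree with the
# PXE/PPE/PDE/PTE addresses printed on the page; later Windows versions
# randomize these bases, so do not reuse them for newer dumps.
PTE_BASE = 0xFFFFF68000000000
PDE_BASE = 0xFFFFF6FB40000000
PPE_BASE = 0xFFFFF6FB7DA00000
PXE_BASE = 0xFFFFF6FB7DBED000
VA_MASK = (1 << 48) - 1              # 48 translated address bits on x64
USER_VA_LIMIT = 0x00007FFFFFFFFFFF   # highest canonical user-mode address
PFN_MASK = (1 << 36) - 1             # assumed Windows 7 x64 PFN field width

# (bit, letter when set, letter when clear), in the order !pte prints them.
FLAG_BITS = [
    (9, "C", "-"), (8, "G", "-"), (7, "L", "-"), (6, "D", "-"), (5, "A", "-"),
    (4, "N", "-"), (3, "T", "-"), (2, "U", "K"), (1, "W", "R"),
    (63, "-", "E"),                  # NX set means not executable
    (0, "V", "-"),
]


def entry_addresses(va):
    """Virtual addresses of the four paging entries that map `va`."""
    va &= VA_MASK
    return {
        "PXE": PXE_BASE + (va >> 39) * 8,
        "PPE": PPE_BASE + (va >> 30) * 8,
        "PDE": PDE_BASE + (va >> 21) * 8,
        "PTE": PTE_BASE + (va >> 12) * 8,
    }


def decode_entry(value):
    """Decode one 64-bit paging entry into valid bit, PFN and flag string."""
    if not value & 1:
        return {"valid": False, "pfn": None, "flags": "not valid"}
    flags = "".join(s if (value >> bit) & 1 else c for bit, s, c in FLAG_BITS)
    return {"valid": True, "pfn": (value >> 12) & PFN_MASK, "flags": flags}


def first_invalid_level(entries):
    """Return the first level (top down) whose entry is not valid, or None."""
    for level, value in entries:
        if not decode_entry(value)["valid"]:
            return level
    return None


def is_user_va(va):
    """True when `va` lies in the user-mode half of the address space."""
    return va <= USER_VA_LIMIT


# Values copied from the `.trap` and `!pte` output in the thread.
FAULT_VA = 0x000000000B5A0000
DUMP_ENTRIES = [
    ("PXE", 0x65700001A9C95867),
    ("PPE", 0x174000000CC99867),
    ("PDE", 0x6AA000003CC7C867),
    ("PTE", 0x0000000000000000),
]

if __name__ == "__main__":
    addrs = entry_addresses(FAULT_VA)
    for level, value in DUMP_ENTRIES:
        d = decode_entry(value)
        pfn = f"pfn {d['pfn']:x}" if d["valid"] else ""
        print(f"{level} at {addrs[level]:016X} contains {value:016X} {pfn} {d['flags']}")
    print("user-mode address:", is_user_va(FAULT_VA))
    print("first invalid level:", first_invalid_level(DUMP_ENTRIES))
```

The upper three levels decode as valid, user-accessible entries and only the final PTE is zero, which is what `!pte` reports as "not valid" for the address in `rcx`.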


  4. Posts : 9
    Massachusetts
    Thread Starter
       #14

    Thanks for looking into this!

    It makes sense that it could be Rapport. The one situation that I reproduced that caused the crash was logging into a site. Some of the sites use Rapport, I can't remember which at this point, and I neglected to write down which site it was, but it might have been one that used it. The problem is pretty intermittent--it can come up several times in a day and then not for a week, so it could take a while before I know for sure.


  5. Posts : 9
    Massachusetts
    Thread Starter
       #15

    I hadn't mentioned this before, but it is something else that has been coming up for about the same period, and just happened again: Windows Explorer crashes intermittently. Most of the time it just restarts itself, but occasionally I have to restart the machine. Do you think this could be related???


  6. Posts : 64
    Windows 7 x64
       #16

    Haakon said:
    I hadn't mentioned this before, but it is something else that has been coming up for about the same period, and just happened again: Windows Explorer crashes intermittently. Most of the time it just restarts itself, but occasionally I have to restart the machine. Do you think this could be related???
    It's probably unrelated because the explorer crashes are happening in usermode. Aside from looking at event logs (eventvwr.msc) and any other various logs explorer.exe keeps track of, the only other method of debugging this would be to attach a live debugger and wait until the process terminates.


  7. Posts : 9
    Massachusetts
    Thread Starter
       #17

    OK, it's been a week and no BSODs. I am marking this solved. The only thing I changed is to remove Trusteer Rapport, which is apparently used by some 50 banks on the server end as well as recommended for their users. I told Trusteer about it, and with luck it will be fixed in a future version. Meanwhile I am considering a dual boot or Live CD/USB Drive.

    It seems the antivirus and other protective software like Trusteer, as well as the OSs themselves are in a sort of core wars to get to deeper levels of your system in order to attack or protect the system. It's not surprising that they end up stepping on each other in the kernel--it's more surprising that often the systems keep working.


 