Code:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\David\AppData\Local\Temp\7zOEE0.tmp\062510-19593-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02a04000 PsLoadedModuleList = 0xfffff800`02c41e50
Debug session time: Fri Jun 25 13:56:01.407 2010 (UTC - 7:00)
System Uptime: 1 days 21:06:25.608
Loading Kernel Symbols
...............................................................
................................................................
..........................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1904fb, fffff8800aedfa08, fffff8800aedf270, fffff88001254a30}
Unable to load image \SystemRoot\system32\DRIVERS\SiWinAcc.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SiWinAcc.sys
*** ERROR: Module load completed but symbols could not be loaded for SiWinAcc.sys
Probably caused by : Ntfs.sys ( Ntfs!NtfsSnapshotScbInternal+160 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff8800aedfa08
Arg3: fffff8800aedf270
Arg4: fffff88001254a30
Debugging Details:
------------------
EXCEPTION_RECORD: fffff8800aedfa08 -- (.exr 0xfffff8800aedfa08)
ExceptionAddress: fffff88001254a30 (Ntfs!NtfsSnapshotScbInternal+0x0000000000000160)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
CONTEXT: fffff8800aedf270 -- (.cxr 0xfffff8800aedf270)
rax=527265776f506574 rbx=fffff88004d26c70 rcx=fffff8800aee0260
rdx=fffff88004d26c70 rsi=fffff8800aee0308 rdi=fffff8800aee0260
rip=fffff88001254a30 rsp=fffff8800aedfc40 rbp=0000000000000727
r8=0000000000000000 r9=0000000000000002 r10=fffff8800aee0260
r11=fffff8800aee0078 r12=fffffa8005ae2070 r13=0000000000000000
r14=fffff8a004d26ed8 r15=fffff8a0169e6d60
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
Ntfs!NtfsSnapshotScbInternal+0x160:
fffff880`01254a30 48394860 cmp qword ptr [rax+60h],rcx ds:002b:52726577`6f5065d4=????????????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: firefox.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002cac0e0
ffffffffffffffff
FOLLOWUP_IP:
Ntfs!NtfsSnapshotScbInternal+160
fffff880`01254a30 48394860 cmp qword ptr [rax+60h],rcx
FAULTING_IP:
Ntfs!NtfsSnapshotScbInternal+160
fffff880`01254a30 48394860 cmp qword ptr [rax+60h],rcx
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from fffff880012e8e73 to fffff88001254a30
STACK_TEXT:
fffff880`0aedfc40 fffff880`012e8e73 : fffff8a0`04d26b40 fffff880`0aee04c0 fffff880`04d26c70 fffffa80`03b00604 : Ntfs!NtfsSnapshotScbInternal+0x160
fffff880`0aedfc70 fffff880`01257aa9 : fffffa80`05567350 00000000`000007ff fffff880`0aee01c0 fffff880`0aecf000 : Ntfs!NtfsCommonCleanup+0x843
fffff880`0aee0080 fffff800`02a83d4a : fffff880`0aee01c0 fffff880`012545d3 fffff880`0aed9000 fffffa80`05567358 : Ntfs!NtfsCommonCleanupCallout+0x19
fffff880`0aee00b0 fffff880`01257662 : fffff880`01257a90 fffff880`0aee01c0 fffff880`0aee0500 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0xda
fffff880`0aee0190 fffff880`012f9244 : fffff880`0aee0260 fffff880`0aee0260 fffff880`0aee0260 fffffa80`05ae2070 : Ntfs!NtfsCommonCleanupOnNewStack+0x42
fffff880`0aee0200 fffff880`0117d23f : fffff880`0aee0260 fffffa80`04376b80 fffffa80`04376fb0 fffffa80`071b9010 : Ntfs!NtfsFsdCleanup+0x144
fffff880`0aee0470 fffff880`0117b6df : fffffa80`042dc6f0 00000000`00000000 fffffa80`040ebe00 fffffa80`04376b80 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`0aee0500 fffff880`011db02e : fffffa80`04376b80 00000000`00000001 fffffa80`0522c660 00000000`00000000 : fltmgr!FltpDispatch+0xcf
fffff880`0aee0560 fffffa80`04376b80 : 00000000`00000001 fffffa80`0522c660 00000000`00000000 fffffa80`04376b80 : SiWinAcc+0x102e
fffff880`0aee0568 00000000`00000001 : fffffa80`0522c660 00000000`00000000 fffffa80`04376b80 fffff800`02d8b9af : 0xfffffa80`04376b80
fffff880`0aee0570 fffffa80`0522c660 : 00000000`00000000 fffffa80`04376b80 fffff800`02d8b9af fffffa80`071b9010 : 0x1
fffff880`0aee0578 00000000`00000000 : fffffa80`04376b80 fffff800`02d8b9af fffffa80`071b9010 00000000`00000000 : 0xfffffa80`0522c660
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsSnapshotScbInternal+160
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc14f
STACK_COMMAND: .cxr 0xfffff8800aedf270 ; kb
FAILURE_BUCKET_ID: X64_0x24_Ntfs!NtfsSnapshotScbInternal+160
BUCKET_ID: X64_0x24_Ntfs!NtfsSnapshotScbInternal+160
Followup: MachineOwner
---------
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\David\AppData\Local\Temp\7zOE7F.tmp\062210-20576-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02a10000 PsLoadedModuleList = 0xfffff800`02c4de50
Debug session time: Tue Jun 22 15:38:14.177 2010 (UTC - 7:00)
System Uptime: 0 days 0:28:12.377
Loading Kernel Symbols
...............................................................
................................................................
..............................................
Loading User Symbols
Loading unloaded module list
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {fffff880039043a0, 0, fffff80002d75927, 0}
Could not read faulting driver name
Probably caused by : ntkrnlmp.exe ( nt!ObReferenceObjectByHandleWithTag+e7 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff880039043a0, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80002d75927, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
OVERLAPPED_MODULE: Address regions for 'nvlddmkm' and 'nvlddmkm.sys' overlap
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002cb80e0
fffff880039043a0
FAULTING_IP:
nt!ObReferenceObjectByHandleWithTag+e7
fffff800`02d75927 488b03 mov rax,qword ptr [rbx]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: RapportLaunSer
CURRENT_IRQL: 0
TRAP_FRAME: fffff88007afb950 -- (.trap 0xfffff88007afb950)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000100000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002d75927 rsp=fffff88007afbae0 rbp=fffff88007afbc00
r8=fffff88003904000 r9=00000000000000e8 r10=fffff80002d7bd00
r11=fffff88007afbc18 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!ObReferenceObjectByHandleWithTag+0xe7:
fffff800`02d75927 488b03 mov rax,qword ptr [rbx] ds:00000000`00000000=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002b00e54 to fffff80002a80600
STACK_TEXT:
fffff880`07afb7e8 fffff800`02b00e54 : 00000000`00000050 fffff880`039043a0 00000000`00000000 fffff880`07afb950 : nt!KeBugCheckEx
fffff880`07afb7f0 fffff800`02a7e6ee : 00000000`00000000 fffff880`039043a0 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x42877
fffff880`07afb950 fffff800`02d75927 : 00000000`00000000 fffffa80`0536f440 fffffa80`07403400 00000000`00000000 : nt!KiPageFault+0x16e
fffff880`07afbae0 fffff800`02d7bd69 : 00000000`00000000 fffff800`00100000 00000000`00000000 00000000`00000001 : nt!ObReferenceObjectByHandleWithTag+0xe7
fffff880`07afbbb0 fffff800`02a7f853 : fffffa80`0536f440 00000000`ffffffff 00000000`00000000 00000000`00000000 : nt!NtWaitForSingleObject+0x69
fffff880`07afbc20 00000000`76f4fefa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0124fda8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76f4fefa
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ObReferenceObjectByHandleWithTag+e7
fffff800`02d75927 488b03 mov rax,qword ptr [rbx]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!ObReferenceObjectByHandleWithTag+e7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4b88cfeb
FAILURE_BUCKET_ID: X64_0x50_nt!ObReferenceObjectByHandleWithTag+e7
BUCKET_ID: X64_0x50_nt!ObReferenceObjectByHandleWithTag+e7
Followup: MachineOwner
---------
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\David\AppData\Local\Temp\7zOE9F.tmp\062310-20108-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02a06000 PsLoadedModuleList = 0xfffff800`02c43e50
Debug session time: Wed Jun 23 10:04:00.478 2010 (UTC - 7:00)
System Uptime: 0 days 6:12:00.679
Loading Kernel Symbols
...............................................................
................................................................
..........................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {ffffffffc0000005, fffff80002e27ffb, 1, f}
Probably caused by : ntkrnlmp.exe ( nt!CmpCallCallBacks+eb )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002e27ffb, The address that the exception occurred at
Arg3: 0000000000000001, Parameter 0 of the exception
Arg4: 000000000000000f, Parameter 1 of the exception
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!CmpCallCallBacks+eb
fffff800`02e27ffb f044017710 lock add dword ptr [rdi+10h],r14d
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 000000000000000f
WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff80002cae0e0
000000000000000f
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
BUGCHECK_STR: 0x1E_c0000005
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: dwm.exe
CURRENT_IRQL: 0
EXCEPTION_RECORD: fffff88005cb0ae8 -- (.exr 0xfffff88005cb0ae8)
ExceptionAddress: fffff80002e27ffb (nt!CmpCallCallBacks+0x00000000000000eb)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000000000000000f
Attempt to write to address 000000000000000f
TRAP_FRAME: fffff88005cb0b90 -- (.trap 0xfffff88005cb0b90)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8a010204180 rbx=0000000000000000 rcx=00000000000007ff
rdx=00000000000004f1 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002e27ffb rsp=fffff88005cb0d20 rbp=fffff88005cb1310
r8=0000000000000801 r9=00000000000004ef r10=fffff80002bf2420
r11=0000000000000011 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nt!CmpCallCallBacks+0xeb:
fffff800`02e27ffb f044017710 lock add dword ptr [rdi+10h],r14d ds:00000000`00000010=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002ab0929 to fffff80002a76600
STACK_TEXT:
fffff880`05cb0318 fffff800`02ab0929 : 00000000`0000001e ffffffff`c0000005 fffff800`02e27ffb 00000000`00000001 : nt!KeBugCheckEx
fffff880`05cb0320 fffff800`02a75c42 : fffff880`05cb0ae8 00000000`00000000 fffff880`05cb0b90 00000000`00000000 : nt!KiDispatchException+0x1b9
fffff880`05cb09b0 fffff800`02a747ba : 00000000`00000001 00000000`00000000 00000000`41735300 00000000`000007ff : nt!KiExceptionDispatch+0xc2
fffff880`05cb0b90 fffff800`02e27ffb : 00000000`000004ef 00000000`00000000 00000000`00000000 00000000`000007ff : nt!KiPageFault+0x23a
fffff880`05cb0d20 fffff800`02d96b1b : fffffa80`0000001c fffff880`05cb0f50 fffff8a0`00058001 fffff880`0000001d : nt!CmpCallCallBacks+0xeb
fffff880`05cb0df0 fffff800`02d70a64 : fffff800`02d50ae0 00000000`00000000 fffffa80`04321010 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x2c227
fffff880`05cb10c0 fffff800`02d75b76 : fffffa80`04321010 fffff880`05cb1240 00000000`00000240 fffffa80`036f2f30 : nt!ObpLookupObjectName+0x585
fffff880`05cb11c0 fffff800`02d54bec : fffffa80`06ff7af0 00000000`00000000 fffffa80`065fd400 fffffa80`00000000 : nt!ObOpenObjectByName+0x306
fffff880`05cb1290 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!CmOpenKey+0x28a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!CmpCallCallBacks+eb
fffff800`02e27ffb f044017710 lock add dword ptr [rdi+10h],r14d
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: nt!CmpCallCallBacks+eb
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4b88cfeb
FAILURE_BUCKET_ID: X64_0x1E_c0000005_nt!CmpCallCallBacks+eb
BUCKET_ID: X64_0x1E_c0000005_nt!CmpCallCallBacks+eb
Followup: MachineOwner
---------
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\David\AppData\Local\Temp\7zOE2E.tmp\062110-22666-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02a50000 PsLoadedModuleList = 0xfffff800`02c8de50
Debug session time: Mon Jun 21 05:31:06.099 2010 (UTC - 7:00)
System Uptime: 2 days 1:07:41.300
Loading Kernel Symbols
...............................................................
................................................................
..........................................
Loading User Symbols
Loading unloaded module list
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck F7, {21f89382a0ee, 21fa9382a0ee, ffffde056c7d5f11, 0}
Probably caused by : win32k.sys ( win32k!SetWakeBit+f8 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 000021f89382a0ee, Actual security check cookie from the stack
Arg2: 000021fa9382a0ee, Expected security check cookie
Arg3: ffffde056c7d5f11, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
Debugging Details:
------------------
DEFAULT_BUCKET_ID: GS_FALSE_POSITIVE_MISSING_GSFRAME
SECURITY_COOKIE: Expected 000021fa9382a0ee found 000021f89382a0ee
BUGCHECK_STR: 0xF7_ONE_BIT
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff80002b55405 to fffff80002ac0600
STACK_TEXT:
fffff880`03483338 fffff800`02b55405 : 00000000`000000f7 000021f8`9382a0ee 000021fa`9382a0ee ffffde05`6c7d5f11 : nt!KeBugCheckEx
fffff880`03483340 fffff800`02ac50fa : fffffa80`04769350 00000000`00000000 fffff800`02c65f70 fffff880`03483400 : nt!_report_gsfailure+0x25
fffff880`03483380 fffff800`02ac4771 : fffffa80`075de5e0 00000000`00000000 00000000`00000000 00000000`00000002 : nt!KiDeferredReadyThread+0x31a
fffff880`03483400 fffff960`000fb30c : fffff960`00000000 fffff900`00000002 fffff900`c2cfc800 fffffa80`0410fc68 : nt!KeSetEvent+0x1e1
fffff880`03483470 fffff960`000c8485 : fffff900`c2d126f0 fffff900`c2de0690 00000000`00000012 fffff900`c0819300 : win32k!SetWakeBit+0xf8
fffff880`034834a0 fffff960`000c8181 : fffff900`c1ff9f00 fffff900`c2de0690 00000000`0000011b fffff900`c30b5ce0 : win32k!WakeSomeone+0x221
fffff880`034834e0 fffff960`00126505 : fffff900`c2d77010 fffff900`c2cfc93c fffff900`c26fb650 00000000`00000001 : win32k!PostInputMessage+0x1f5
fffff880`03483560 fffff960`001290e7 : fffffa80`0a8ab071 fffff900`c2cfc93c 00000000`000001e9 00000000`0000018f : win32k!PostRawMouseInput+0x2ad
fffff880`034835d0 fffff960`00127b49 : fffff900`c2cfc93c 00000000`0a8ab071 fffff900`c2cfc8b0 00000000`0a8ab071 : win32k!xxxMoveEventAbsolute+0x17f
fffff880`03483660 fffff960`001279a0 : fffff900`c2cfc8b0 0000018f`000001e9 00000000`00000000 00000000`00200286 : win32k!ProcessMouseInput+0x195
fffff880`034836d0 fffff800`02a9d009 : 00000000`00000001 00000000`00000000 00000000`20707249 00000000`00000001 : win32k!InputApc+0x7c
fffff880`03483700 fffff800`02ac795d : fffffa80`06135060 00000000`00000000 fffff960`00127924 00000000`00000000 : nt!KiDeliverApc+0x211
fffff880`03483780 fffff800`02ac3c4b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
fffff880`03483810 fffff960`000c87f0 : fffff900`00000002 fffffa80`05c23820 fffff900`00000001 fffff880`0000000d : nt!KeWaitForMultipleObjects+0x271
fffff880`03483ac0 fffff960`000c970c : 00000000`00000000 fffff900`c01d5010 fffff960`0030f340 fffff900`c01eadd0 : win32k!xxxMsgWaitForMultipleObjects+0x108
fffff880`03483b40 fffff960`00084634 : fffffa80`00000001 fffffa80`0000000c fffffa80`06135060 fffff6fc`4001a2b0 : win32k!xxxDesktopThread+0x254
fffff880`03483bc0 fffff960`00103fa6 : fffffa80`00000001 fffff960`0030f340 00000000`00000020 00000000`00000000 : win32k!xxxCreateSystemThreads+0x64
fffff880`03483bf0 fffff800`02abf853 : fffffa80`06135060 00000000`00000004 000007ff`fffac000 00000000`00000000 : win32k!NtUserCallNoParam+0x36
fffff880`03483c20 000007fe`fd613d3a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0236fa18 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7fe`fd613d3a
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!SetWakeBit+f8
fffff960`000fb30c 488b5c2430 mov rbx,qword ptr [rsp+30h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: win32k!SetWakeBit+f8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4bdc4376
FAILURE_BUCKET_ID: X64_0xF7_ONE_BIT_MISSING_GSFRAME_win32k!SetWakeBit+f8
BUCKET_ID: X64_0xF7_ONE_BIT_MISSING_GSFRAME_win32k!SetWakeBit+f8
Followup: MachineOwner
---------
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\David\AppData\Local\Temp\7zOE4E.tmp\062210-19281-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02a4a000 PsLoadedModuleList = 0xfffff800`02c87e50
Debug session time: Tue Jun 22 15:08:40.393 2010 (UTC - 7:00)
System Uptime: 0 days 0:10:10.594
Loading Kernel Symbols
...............................................................
................................................................
..............................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck BE, {fffff880001c9110, 4a0121, fffff880066f9b90, b}
Probably caused by : win32k.sys ( win32k!DrvUpdateGraphicsDeviceList+198 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff880001c9110, Virtual address for the attempted write.
Arg2: 00000000004a0121, PTE contents.
Arg3: fffff880066f9b90, (reserved)
Arg4: 000000000000000b, (reserved)
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xBE
PROCESS_NAME: dwm.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff880066f9b90 -- (.trap 0xfffff880066f9b90)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8a004640980 rbx=0000000000000000 rcx=00000000000007ff
rdx=00000000000004f1 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002e6bffb rsp=fffff880066f9d20 rbp=fffff880066fa310
r8=0000000000000801 r9=00000000000004ef r10=fffff80002c36420
r11=0000000000000011 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
nt!CmpCallCallBacks+0xeb:
fffff800`02e6bffb f044017710 lock add dword ptr [rdi+10h],r14d ds:00000000`00000010=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002b3aa22 to fffff80002aba600
STACK_TEXT:
fffff880`066f9a28 fffff800`02b3aa22 : 00000000`000000be fffff880`001c9110 00000000`004a0121 fffff880`066f9b90 : nt!KeBugCheckEx
fffff880`066f9a30 fffff800`02ab86ee : 00000000`00000001 00000000`00000000 00000000`41735300 00000000`000007ff : nt! ?? ::FNODOBFM::`string'+0x423be
fffff880`066f9b90 fffff800`02e6bffb : 00000000`000004ef 00000000`00000000 00000000`00000000 00000000`000007ff : nt!KiPageFault+0x16e
fffff880`066f9d20 fffff800`02ddab1b : fffffa80`0000001c fffff880`066f9f50 fffff8a0`00058001 fffff880`0000001d : nt!CmpCallCallBacks+0xeb
fffff880`066f9df0 fffff800`02db4a64 : fffff800`02d94ae0 00000000`00000000 fffffa80`05778010 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x2c227
fffff880`066fa0c0 fffff800`02db9b76 : fffffa80`05778010 fffff880`066fa240 00000000`00000240 fffffa80`0370cf30 : nt!ObpLookupObjectName+0x585
fffff880`066fa1c0 fffff800`02d98bec : fffffa80`0635a010 00000000`00000000 fffffa80`063eeb00 fffffa80`00000000 : nt!ObOpenObjectByName+0x306
fffff880`066fa290 fffff800`02d9be12 : fffff880`066fa8e8 fffff8a0`82000000 fffff880`066fa620 00000000`00000000 : nt!CmOpenKey+0x28a
fffff880`066fa3e0 fffff800`02ab9853 : fffff8a0`002bd060 fffff880`066fa500 00000000`001a0000 00000000`000001a8 : nt!NtOpenKey+0x12
fffff880`066fa420 fffff800`02ab5df0 : fffff800`02d75c45 00000000`00000000 00000000`00000000 fffff960`0034d6c0 : nt!KiSystemServiceCopyEnd+0x13
fffff880`066fa5b8 fffff800`02d75c45 : 00000000`00000000 00000000`00000000 fffff960`0034d6c0 fffff880`066fa8e8 : nt!KiServiceLinkage
fffff880`066fa5c0 fffff800`02d757e3 : 00000000`00000000 400001c0`400000c0 00000000`00000000 00000000`021fe9b0 : nt!RtlpGetRegistryHandle+0x131
fffff880`066fa8a0 fffff960`000ad164 : 00000000`00000000 00000000`00000004 00000000`00000000 00000000`00000000 : nt!RtlQueryRegistryValues+0x37
fffff880`066fa970 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : win32k!DrvUpdateGraphicsDeviceList+0x198
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!DrvUpdateGraphicsDeviceList+198
fffff960`000ad164 440fb71d38fe2c00 movzx r11d,word ptr [win32k!gProtocolType (fffff960`0037cfa4)]
SYMBOL_STACK_INDEX: d
SYMBOL_NAME: win32k!DrvUpdateGraphicsDeviceList+198
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4bdc4376
FAILURE_BUCKET_ID: X64_0xBE_win32k!DrvUpdateGraphicsDeviceList+198
BUCKET_ID: X64_0xBE_win32k!DrvUpdateGraphicsDeviceList+198
Followup: MachineOwner
---------
~Lordbob