Windows 7 - 32 Bit BSOD

  • Thread starter: SC2317 (Guest)

Hi,

Can someone please assist me in troubleshooting an issue with a BSOD on a Windows 7 32-bit machine? I have run the Windows debugger tool on the memory dump that was created after the BSOD, and as per the analysis it seems like "cng.sys" is causing the BSOD. However, I am not an expert in this, so if someone could help in resolving this it would be really appreciated. Below is the output of the debugger tool.

Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Temp\MEMORY.DMP]
Kernel Summary Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response Time (ms) Location
Deferred Symbol information
Symbol search path is: Symbol information
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24524.x86fre.win7sp1_ldr_escrow.190916-1700
Machine Name:
Kernel base = 0x82852000 PsLoadedModuleList = 0x829a8730
Debug session time: Tue Nov 12 17:05:18.998 2019 (UTC + 1:00)
System Uptime: 0 days 0:08:59.245
WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
Loading Kernel Symbols
...............................................................
................................................................
...................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd300c). Type ".hh dbgerr001" for details
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 80b93c00, 0, 0}

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Probably caused by : cng.sys ( cng!AesGcm+268 )

Followup: MachineOwner
---------

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80b93c00
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

KEY_VALUES_STRING: 1


STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 7601.24524.x86fre.win7sp1_ldr_escrow.190916-1700

SYSTEM_MANUFACTURER: VMware, Inc.

VIRTUAL_MACHINE: VMware

SYSTEM_PRODUCT_NAME: VMware Virtual Platform

SYSTEM_VERSION: None

BIOS_VENDOR: Phoenix Technologies LTD

BIOS_VERSION: 6.00

BIOS_DATE: 09/21/2015

BASEBOARD_MANUFACTURER: Intel Corporation

BASEBOARD_PRODUCT: 440BX Desktop Reference Platform

BASEBOARD_VERSION: None

DUMP_TYPE: 1

BUGCHECK_P1: 8

BUGCHECK_P2: ffffffff80b93c00

BUGCHECK_P3: 0

BUGCHECK_P4: 0

BUGCHECK_STR: 0x7f_8

TSS: 00000028 -- (.tss 0x28)
eax=bc3b005c ebx=82995100 ecx=82995000 edx=82995100 esi=856e48f8 edi=82995040
eip=82820ff1 esp=bc3b0000 ebp=bc3b0014 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210246
hal!HalpLowerIrqlHardwareInterrupts+0x13:
82820ff1 57 push edi
Resetting default scope

CPU_COUNT: 2

CPU_MHZ: 8fc

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3f

CPU_STEPPING: 0

CPU_MICROCODE: 6,3f,0,0 (F,M,S,R) SIG: 43'00000000 (cache) 43'00000000 (init)

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 2

ANALYSIS_SESSION_HOST: LT-18-139

ANALYSIS_SESSION_TIME: 11-14-2019 10:34:32.0653

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

BAD_STACK_POINTER: 82985fe4

LAST_CONTROL_TRANSFER: from 82820ff1 to 82896d51

STACK_OVERFLOW: Stack Limit: bc3b0000. Use (kF) and (!stackusage) to investigate stack usage.

STACKUSAGE_FUNCTION: The function at address 0xffffffff8b1ae698 was blamed for the stack overflow. It is using 2276 bytes of stack.

FOLLOWUP_IP:
cng!AesGcm+268
8b1ae698 8b4334 mov eax,dword ptr [ebx+34h]

STACK_TEXT:
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
bc3b0014 82821226 82995140 82995000 bc3b0068 hal!HalpLowerIrqlHardwareInterrupts+0x13
bc3b0024 8281eddd 829819cb 856e4568 82995144 hal!KfLowerIrql+0x58
bc3b0028 829819cb 856e4568 82995144 82995040 hal!KeReleaseQueuedSpinLock+0x2d
bc3b0068 82981366 82995040 00000000 00000000 nt!ExDeferredFreePool+0x35b
bc3b00d0 828da579 856e4570 76615358 85692a38 nt!ExFreePoolWithTag+0x8a7
bc3b00e0 828da333 bc3b0158 00000001 00000001 nt!KeFreeXStateContext+0x1b
bc3b00f8 828da534 bc3b011c bc3b013c 8b1b0e42 nt!KeRestoreExtendedProcessorState+0xd7
bc3b0104 8b1b0e42 bc3b011c 00000000 bc3b09e0 nt!KeRestoreFloatingPointState+0xd
bc3b013c 8b1ae341 bc3b01d0 bc3b09e0 bc3b0158 cng!GHashAppendDatax86KmodeXmm+0x62
bc3b0168 8b1ae698 856c1b30 bc3b01c8 bc3b09e0 cng!AesGcmComputeFinalTag+0x51
bc3b0a4c 8b1908d9 856c1b30 00000000 00000010 cng!AesGcm+0x268
bc3b0b00 8b18d542 856c1af0 bc3b0bb4 00000000 cng!MSBlockEncrypt+0x29b
bc3b0b34 8b16ff07 856c1af0 856411ca 000012b2 cng!MSCryptEncrypt+0x7d
bc3b0b80 8b192b51 8b18d4c5 856411ca 000012b2 cng!BCryptEncrypt+0x14d
bc3b0c18 8b193035 00000017 000003ea 00000000 cng!Tls1ComputeMac+0x26b
bc3b0c68 8b191e43 87aadda0 00000008 856411ca cng!TlsEncryptPacket+0x36c
bc3b0c98 8b171f05 87aadda0 856c1a78 856411ca cng!SPSslEncryptPacket+0x8c
bc3b0ccc 8b32f5cf 87aa7b20 87cb2330 856411ca cng!SslEncryptPacket+0x4d
bc3b0d4c 8b342232 a7c33008 00000000 bc3b0dec ksecpkg!SslSealMessageStream+0x288
bc3b0d68 8b1691d0 a7c33008 00000000 bc3b0dec ksecpkg!SslSealMessage+0x34
bc3b0d80 b7bbe15d a8c43ba0 00000000 bc3b0dec ksecdd!EncryptMessage+0x34
bc3b0d98 b7bb840f 85422294 00000000 bc3b0dec tssecsrv!SpEncryptMessage+0x25
bc3b0df8 b7bb883c 856411bd bc3b0e30 00000000 tssecsrv!CSecurityFilter::EncryptData+0xda
bc3b0e0c b7bb6171 856411bd bc3b0e30 8538edb8 tssecsrv!CSecurityFilter::FilterOutgoingData+0x22
bc3b0e34 b7bb598f bc3b0e44 8538eda8 b7bba140 tssecsrv!CFilter::FilterOutgoingData+0x8d
bc3b0e60 94ce2721 87c451f0 bc3b0ecc bc3b0ecc tssecsrv!ScrRawWrite+0x49
bc3b0e7c 94ce2802 8538eda8 00000002 bc3b0ecc termdd!_IcaCallSd+0x37
bc3b0e98 b7be56c3 853a04e4 00000002 bc3b0ecc termdd!IcaCallNextDriver+0x4a
bc3b0eac b7bcc5af a7b38008 853a04e4 bc3b0ecc RDPWD!FinalSendOutBuf+0x12
bc3b0ee0 b7bcbca4 000012af 00000001 00000000 RDPWD!NM_SendData+0xd9
bc3b0f18 b7bcd26c 000012af 00000001 00000000 RDPWD!SM_SendData+0x8f
bc3b0f40 b7bc4b07 dd561000 856411c0 000012af RDPWD!ShareClass::SC_SendFastPathData+0x2a
bc3b0f60 b7bcf318 dd561000 bc3b0f7c bc3b1194 RDPWD!ShareClass::SC_FlushPackage+0x29
bc3b0f94 b7bc7196 dd561000 bc3b1194 bc3b11d4 RDPWD!ShareClass::DCS_TimeToDoStuff+0xf6
bc3b0fbc b7bc537c a7858008 dd561000 853a04e0 RDPWD!WDLIB_DDOutputAvailable+0x194
bc3b0fd4 94ce2721 a7858008 bc3b105c 87cdb010 RDPWD!WDSYS_Ioctl+0x20
bc3b0ff0 94ce2bd9 853a04d0 00000005 bc3b105c termdd!_IcaCallSd+0x37
bc3b1010 94ce3576 87cdb008 00000005 bc3b105c termdd!_IcaCallStack+0x57
bc3b1038 94ce40fd 856cc918 00000005 bc3b105c termdd!IcaCallDriver+0x11e
bc3b1074 94ce02f4 856cc918 855f9eb0 855f9f20 termdd!IcaDeviceControlVirtual+0x265
bc3b109c 94ce0fcb 856cc918 855f9eb0 855f9f20 termdd!IcaDeviceControlChannel+0x222
bc3b10cc 94ce119f 855f9eb0 855f9f20 8568d818 termdd!IcaDeviceControl+0x59
bc3b10e4 8288bf47 863804b8 855f9eb0 855f9eb0 termdd!IcaDispatch+0x13f
bc3b10fc 9fae9d4e ffaef010 00000000 bc3b1164 nt!IofCallDriver+0x63
bc3b1128 9faa9fcb 00000001 0038144f bc3b1194 win32k!CtxDeviceIoControlFile+0xa7
bc3b1164 9f8011fa 8568d818 0038144f bc3b1194 win32k!EngFileIoControl+0x31
bc3b11f0 9f8012c9 ffb7c010 00000001 ffb81470 RDPDD!SCH_DDOutputAvailable+0x160
bc3b1208 9f80e70c ffb7c010 00000001 00000000 RDPDD!SCH_DDOutputAvailable+0x2f
bc3b122c 9f810fa1 ffb7c010 ffaef010 00000f30 RDPDD!OA_AllocOrderMem+0x42
bc3b1288 9f8115a1 ffb7c010 0000004b ffb51158 RDPDD!SBCCacheBits+0x125
bc3b1324 9f80a516 ffb7c010 0000000f 00000039 RDPDD!SBC_CacheBitmapTile+0x1cb
bc3b16b0 9f80a768 ffb7c010 00000000 00000000 RDPDD!OETileBitBltOrder+0x22c
bc3b16d8 9f8058d7 00000000 bc3b173c bc3b1718 RDPDD!OEEncodeMemBlt+0x100
bc3b1798 9f805f3f fde7b420 fd9e8158 00000000 RDPDD!DrvBitBlt+0x425
bc3b17d4 9f9d9053 fd5c46b8 fd9e8158 bc3b224c RDPDD!DrvCopyBits+0x41
bc3b1818 9f9c8eb9 9f805efe bc3b1aa8 fd5c46b8 win32k!OffCopyBits+0x80
bc3b1abc 9f9d909d fd5c46b8 fd9e8158 00000000 win32k!SpBitBlt+0x252
bc3b1af0 9f9dc262 fd5c46b8 fd9e8158 bc3b224c win32k!SpCopyBits+0x27
bc3b1d88 9f9de26b fd5c46b8 fd479580 fd5e4830 win32k!EngTextOut+0x710
bc3b1dd4 9f9de4d8 9f9dbb52 bc3b2040 fd5c46b8 win32k!OffTextOut+0x71
bc3b2058 9f9de048 fd5c46b8 bc3b20b4 fd5e4830 win32k!SpTextOut+0x1a2
bc3b2354 9f96c3f7 bc3b2518 ffa49700 ffa4975c win32k!GreExtTextOutWLocked+0x1040
bc3b23d0 9f9bf924 00000000 ffbbe064 00000010 win32k!GreBatchTextOut+0x1e6
bc3b2540 82ad958e 8b3315bf bc3b265c 7ffdf6cc win32k!NtGdiFlushUserBatch+0x123
bc3b2590 9fa5fe9a 00000061 bc3b25bc 00000088 nt!KeUserModeCallback+0x176
bc3b26a0 9f989e08 fe00c880 00000092 00000000 win32k!SfnINLPUAHDRAWMENUITEM+0x12d
bc3b26d4 9fa75c42 fe00c880 00000092 00000000 win32k!xxxDefWindowProc+0xdd
bc3b274c 9fa444e5 fe014900 00000092 00000000 win32k!xxxRealMenuWindowProc+0xe8d
bc3b2780 9f9bc5e0 fe00c880 00000092 00000000 win32k!xxxMenuWindowProc+0x121
bc3b27c0 9f9bc6b2 fe00c880 00000092 00000000 win32k!xxxSendMessageTimeout+0x1ac
bc3b27e8 9fa5f826 fe00c880 00000092 00000000 win32k!xxxSendMessage+0x28
bc3b2890 9fa5fa4d 010100d6 00000001 00000001 win32k!xxxSendMenuDrawItemMessage+0x120
bc3b28f8 9fa59622 010100d6 fe014900 00000000 win32k!xxxDrawMenuItem+0x11b
bc3b2970 9fa75c53 010100d6 00000017 fe00c880 win32k!xxxMenuDraw+0x23a
bc3b29e4 9fa444e5 fe014900 00000318 010100d6 win32k!xxxRealMenuWindowProc+0xe9e
bc3b2a18 9f9bc5e0 fe00c880 00000318 010100d6 win32k!xxxMenuWindowProc+0x121
bc3b2a58 9f9bc6b2 fe00c880 00000318 010100d6 win32k!xxxSendMessageTimeout+0x1ac
bc3b2a80 9fa422a1 fe00c880 00000318 010100d6 win32k!xxxSendMessage+0x28
bc3b2ac8 9f9b17db 00000001 00000000 0000000e win32k!xxxDWPPrint+0x1cd
bc3b2b44 9f9be783 fe00c880 00000317 010100d6 win32k!xxxRealDefWindowProc+0x13be
bc3b2b5c 9f988aad fe00c880 00000317 010100d6 win32k!xxxWrapRealDefWindowProc+0x2b
bc3b2b78 9f9be63f fe00c880 00000317 010100d6 win32k!NtUserfnNCDESTROY+0x27
bc3b2bb0 91cf6a7e 00030166 00000317 010100d6 win32k!NtUserMessageCall+0xd2
WARNING: Stack unwind information not available. Following frames may be wrong.
bc3b2be8 865feb5b 86520e6c 00030166 00000317 SYMEVENT+0x1a7e
bc3b2c10 82892a5a 00030166 00000317 010100d6 0x865feb5b
bc3b2c10 77d36c04 00030166 00000317 010100d6 nt!KiSystemServicePostCall
0025e19c 00000000 00000000 00000000 00000000 0x77d36c04


STACK_COMMAND: .tss 0x28 ; kb

THREAD_SHA1_HASH_MOD_FUNC: 94c9288b51fd41deae5e677e756482488d343cf9

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ba2320747de3d5724dde04a750daa995531660de

THREAD_SHA1_HASH_MOD: 563baa34ec8ce9d510b5e266c87413a00e6db852

FAULT_INSTR_CODE: 8b34438b

SYMBOL_STACK_INDEX: a

SYMBOL_NAME: cng!AesGcm+268

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: cng

IMAGE_NAME: cng.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5af4fd0a

FAILURE_BUCKET_ID: 0x7f_8_STACK_USAGE_cng!AesGcm+268

BUCKET_ID: 0x7f_8_STACK_USAGE_cng!AesGcm+268

PRIMARY_PROBLEM_CLASS: 0x7f_8_STACK_USAGE_cng!AesGcm+268

TARGET_TIME: 2019-11-12T16:05:18.000Z

OSBUILD: 7601

OSSERVICEPACK: 1000

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x86

OSNAME: Windows 7

OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2019-09-17 03:58:39

BUILDDATESTAMP_STR: 190916-1700

BUILDLAB_STR: win7sp1_ldr_escrow

BUILDOSVER_STR: 6.1.7601.24524.x86fre.win7sp1_ldr_escrow.190916-1700

ANALYSIS_SESSION_ELAPSED_TIME: 388

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x7f_8_stack_usage_cng!aesgcm+268

FAILURE_ID_HASH: {0cf448aa-f892-a120-4dc7-88f52f0c788a}

Followup: MachineOwner
---------

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
0: kd> lmvm cng
Browse full module list
start end module name
8b16e000 8b1cc000 cng (pdb symbols) C:\ProgramData\dbg\sym\cng.pdb\231A7D34F2874BC787CA4A4012AF459B1\cng.pdb
Loaded symbol image file: cng.sys
Image path: \SystemRoot\System32\Drivers\cng.sys
Image name: cng.sys
Browse all global symbols functions data
Timestamp: Thu May 10 19:16:42 2018 (5AF4FD0A)
CheckSum: 0005D33D
ImageSize: 0005E000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
