G
Gary Roach
Guest
I've got a computer running XP Home SP2 that crashes intermittently. I've
used the Window debugging tools to analyze the minidump file. It indicates a
problem in the win32k module. I'm wondering if any more information can be
obtained. Here's the !analyze -v output. Thanks for any help.
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [c:\windows\minidump\Mini053008-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\windows\i386
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Fri May 30 21:36:44.343 2008 (GMT-4)
System Uptime: 0 days 0:11:31.920
Loading Kernel Symbols
...............................................................................................................................................
Loading User Symbols
Loading unloaded module list
..............................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, bf8055c5, eddae744, 0}
Probably caused by : memory_corruption
Followup: memory_corruption
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf8055c5, The address that the exception occurred at
Arg3: eddae744, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
win32k!DC::vUpdate_VisRect+99
bf8055c5 8020fb and byte ptr [eax],0FBh
TRAP_FRAME: eddae744 -- (.trap 0xffffffffeddae744)
ErrCode = 00000002
eax=5600299b ebx=e1108008 ecx=55ff8b90 edx=00000000 esi=eddae7d4
edi=023f0cb0
eip=bd8055c5 esp=eddae7b8 ebp=eddae7d4 iopl=0 nv up ei pl nz na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010206
bd8055c5 ?? ???
Resetting default scope
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x8E
PROCESS_NAME: RegistryPatrol.
LAST_CONTROL_TRANSFER: from e1108418 to bd8055c5
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
eddae7b4 e1108418 e1108008 00000001 00000014 0xbd8055c5
eddae7d4 bf805e73 e01460d8 eddae85c 550109e0 0xe1108418
eddae814 bf804727 00000000 00000000 eddae854 win32k!DC::bCompute+0x23d
eddae824 bf8066b6 eddae85c eddae8c8 bc6d56c0 win32k!DEVLOCKOBJ::bLock+0x79
eddae854 bf8155f0 e1108008 eddae8d0 00000001 win32k!GreGetClipBox+0x2e
eddae878 bd81599d bc6d56c0 550109e0 eddae8d0
win32k!UT_GetParentDCClipBox+0x15
eddae89c bf815a84 00000002 eddae8c8 eddae934 0xbd81599d
eddae924 804de7ec 000203ec 0012f134 0012f1b4 win32k!NtUserBeginPaint+0x53
eddae924 7c90eb94 000203ec 0012f134 0012f1b4 nt!KiFastCallEntry+0xf8
0012f1b4 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: .bugcheck ; kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
80566020-8056603b 28 bytes - nt!CmpUnlockRegistry+8
[ be 60 73 55 80 0f 85 9c:06 00 70 00 00 00 00 00 ]
8056603d-80566056 26 bytes - nt!CmpUnlockRegistry+42 (+0x1d)
[ 00 5e 75 0b 8d 48 34 39:a0 da ed 00 f0 fd 7f 00 ]
80566058-8056606a 19 bytes - nt!RtlUpcaseUnicodeString+6 (+0x1b)
[ 7d 10 00 56 8b 75 0c 66:54 60 56 82 5c 60 56 80 ]
8056606c-8056606e 3 bytes - nt!RtlUpcaseUnicodeString+35 (+0x14)
[ 66 3b 47:c7 10 02 ]
80566070-80566074 5 bytes - nt!RtlUpcaseUnicodeString+39 (+0x04)
[ 0f 87 e4 70 09:00 00 00 00 00 ]
80566076-80566079 4 bytes - nt!RtlUpcaseUnicodeString+45 (+0x06)
[ 0f b7 16 6a:00 00 00 01 ]
8056607b-805660c0 70 bytes - nt!RtlUpcaseUnicodeString+4a (+0x05)
[ d1 ea 59 89 55 08 89 4d:04 d8 60 56 80 00 00 00 ]
805660c2-805660cd 12 bytes - nt!RtlUpcaseUnicodeString+ad (+0x47)
[ 0f b7 c0 eb dd 3b d0 0f:00 00 00 00 00 00 20 60 ]
805660cf-805660fe 48 bytes - nt!NtWaitForMultipleObjects+6a (+0x0d)
[ 8b 0a 89 4d b0 8b 52 04:00 00 00 00 00 00 00 00 ]
80566100-80566106 7 bytes - nt!ObReferenceObjectByHandle+37 (+0x31)
[ 8b 76 44 8b 8e a4 01:40 96 55 80 00 00 00 ]
80566109-80566114 12 bytes - nt!ObReferenceObjectByHandle+40 (+0x09)
[ 8b c1 f7 d0 85 45 0c 0f:00 00 00 00 00 00 00 08 ]
80566116-80566125 16 bytes - nt!ObReferenceObjectByHandle+4f (+0x0d)
[ 8b 45 1c 3b c3 8d 56 e8:00 00 d8 60 56 82 d8 60 ]
80566127-80566132 12 bytes - nt!ObReferenceObjectByHandle+61 (+0x11)
[ 80 3d 50 2f 55 80 00 0f:00 28 31 58 82 10 2a 56 ]
80566134-80566135 2 bytes - nt!ObReferenceObjectByHandle+72 (+0x0d)
[ b8 01:00 00 ]
80566139-80566180 72 bytes - nt!ObReferenceObjectByHandle+77 (+0x05)
[ 8b 4d fc 0f c1 01 89 37:00 00 00 00 00 00 00 01 ]
80566183-8056618e 12 bytes - nt!ObReferenceObjectByHandle+d4 (+0x4a)
[ 80 3d 50 2f 55 80 00 0f:00 00 00 01 00 00 f0 da ]
80566190-80566191 2 bytes - nt!ObReferenceObjectByHandle+e5 (+0x0d)
[ b8 01:00 00 ]
80566194-805661b2 31 bytes - nt!ObReferenceObjectByHandle+e9 (+0x04)
[ 00 8b 4d fc 0f c1 01 eb:20 60 56 80 54 60 56 82 ]
805661b6-805661b9 4 bytes - nt!RtlpUnlockAtomTable+14 (+0x22)
[ 8b 4d 08 ba:00 00 00 00 ]
805661bc - nt!RtlpUnlockAtomTable+1a (+0x06)
[ 00:05 ]
805661be-805661cd 16 bytes - nt!RtlpUnlockAtomTable+1c (+0x02)
[ 0f b1 11 83 f8 02 0f 85:05 00 00 00 00 00 c4 61 ]
805661d0-805661da 11 bytes - nt!RtlpUnlockAtomTable+31 (+0x12)
[ ff 80 d4 00 00 00 5e 0f:58 cf 66 82 40 07 54 82 ]
805661dd-80566200 36 bytes - nt!RtlpUnlockAtomTable+4d (+0x0d)
[ 5d c2 04 00 90 90 90 90:00 00 00 b0 ee ec dc eb ]
80566202-8056620d 12 bytes - nt!RtlpLockAtomTable+14 (+0x25)
[ 56 64 a1 24 01 00 00 ff:00 00 04 62 56 82 04 62 ]
8056620f-80566210 2 bytes - nt!RtlpLockAtomTable+21 (+0x0d)
[ 8d 71:00 3c ]
80566212-80566216 5 bytes - nt!RtlpLockAtomTable+24 (+0x03)
[ 89 75 08 b8 00:00 00 05 00 05 ]
8056621a-80566267 78 bytes - nt!RtlpLockAtomTable+2c (+0x08)
[ 8b 4d 08 ba 02 00 00 00:00 00 1c 62 56 82 1c 62 ]
80566269-8056627c 20 bytes - nt!RtlpAtomMapAtomToHandleEntry+2d (+0x4f)
[ 33 c0 eb f7 90 90 90 90:00 00 00 00 00 00 00 00 ]
8056627e-8056627f 2 bytes - nt!NtRemoveIoCompletion+c (+0x15)
[ 33 f6:ff 7f ]
568 errors : !nt (80566020-8056627f)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
Followup: memory_corruption
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf8055c5, The address that the exception occurred at
Arg3: eddae744, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
win32k!DC::vUpdate_VisRect+99
bf8055c5 8020fb and byte ptr [eax],0FBh
TRAP_FRAME: eddae744 -- (.trap 0xffffffffeddae744)
ErrCode = 00000002
eax=5600299b ebx=e1108008 ecx=55ff8b90 edx=00000000 esi=eddae7d4
edi=023f0cb0
eip=bd8055c5 esp=eddae7b8 ebp=eddae7d4 iopl=0 nv up ei pl nz na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010206
bd8055c5 ?? ???
Resetting default scope
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x8E
PROCESS_NAME: RegistryPatrol.
LAST_CONTROL_TRANSFER: from e1108418 to bd8055c5
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
eddae7b4 e1108418 e1108008 00000001 00000014 0xbd8055c5
eddae7d4 bf805e73 e01460d8 eddae85c 550109e0 0xe1108418
eddae814 bf804727 00000000 00000000 eddae854 win32k!DC::bCompute+0x23d
eddae824 bf8066b6 eddae85c eddae8c8 bc6d56c0 win32k!DEVLOCKOBJ::bLock+0x79
eddae854 bf8155f0 e1108008 eddae8d0 00000001 win32k!GreGetClipBox+0x2e
eddae878 bd81599d bc6d56c0 550109e0 eddae8d0
win32k!UT_GetParentDCClipBox+0x15
eddae89c bf815a84 00000002 eddae8c8 eddae934 0xbd81599d
eddae924 804de7ec 000203ec 0012f134 0012f1b4 win32k!NtUserBeginPaint+0x53
eddae924 7c90eb94 000203ec 0012f134 0012f1b4 nt!KiFastCallEntry+0xf8
0012f1b4 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: .bugcheck ; kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
80566020-8056603b 28 bytes - nt!CmpUnlockRegistry+8
[ be 60 73 55 80 0f 85 9c:06 00 70 00 00 00 00 00 ]
8056603d-80566056 26 bytes - nt!CmpUnlockRegistry+42 (+0x1d)
[ 00 5e 75 0b 8d 48 34 39:a0 da ed 00 f0 fd 7f 00 ]
80566058-8056606a 19 bytes - nt!RtlUpcaseUnicodeString+6 (+0x1b)
[ 7d 10 00 56 8b 75 0c 66:54 60 56 82 5c 60 56 80 ]
8056606c-8056606e 3 bytes - nt!RtlUpcaseUnicodeString+35 (+0x14)
[ 66 3b 47:c7 10 02 ]
80566070-80566074 5 bytes - nt!RtlUpcaseUnicodeString+39 (+0x04)
[ 0f 87 e4 70 09:00 00 00 00 00 ]
80566076-80566079 4 bytes - nt!RtlUpcaseUnicodeString+45 (+0x06)
[ 0f b7 16 6a:00 00 00 01 ]
8056607b-805660c0 70 bytes - nt!RtlUpcaseUnicodeString+4a (+0x05)
[ d1 ea 59 89 55 08 89 4d:04 d8 60 56 80 00 00 00 ]
805660c2-805660cd 12 bytes - nt!RtlUpcaseUnicodeString+ad (+0x47)
[ 0f b7 c0 eb dd 3b d0 0f:00 00 00 00 00 00 20 60 ]
805660cf-805660fe 48 bytes - nt!NtWaitForMultipleObjects+6a (+0x0d)
[ 8b 0a 89 4d b0 8b 52 04:00 00 00 00 00 00 00 00 ]
80566100-80566106 7 bytes - nt!ObReferenceObjectByHandle+37 (+0x31)
[ 8b 76 44 8b 8e a4 01:40 96 55 80 00 00 00 ]
80566109-80566114 12 bytes - nt!ObReferenceObjectByHandle+40 (+0x09)
[ 8b c1 f7 d0 85 45 0c 0f:00 00 00 00 00 00 00 08 ]
80566116-80566125 16 bytes - nt!ObReferenceObjectByHandle+4f (+0x0d)
[ 8b 45 1c 3b c3 8d 56 e8:00 00 d8 60 56 82 d8 60 ]
80566127-80566132 12 bytes - nt!ObReferenceObjectByHandle+61 (+0x11)
[ 80 3d 50 2f 55 80 00 0f:00 28 31 58 82 10 2a 56 ]
80566134-80566135 2 bytes - nt!ObReferenceObjectByHandle+72 (+0x0d)
[ b8 01:00 00 ]
80566139-80566180 72 bytes - nt!ObReferenceObjectByHandle+77 (+0x05)
[ 8b 4d fc 0f c1 01 89 37:00 00 00 00 00 00 00 01 ]
80566183-8056618e 12 bytes - nt!ObReferenceObjectByHandle+d4 (+0x4a)
[ 80 3d 50 2f 55 80 00 0f:00 00 00 01 00 00 f0 da ]
80566190-80566191 2 bytes - nt!ObReferenceObjectByHandle+e5 (+0x0d)
[ b8 01:00 00 ]
80566194-805661b2 31 bytes - nt!ObReferenceObjectByHandle+e9 (+0x04)
[ 00 8b 4d fc 0f c1 01 eb:20 60 56 80 54 60 56 82 ]
805661b6-805661b9 4 bytes - nt!RtlpUnlockAtomTable+14 (+0x22)
[ 8b 4d 08 ba:00 00 00 00 ]
805661bc - nt!RtlpUnlockAtomTable+1a (+0x06)
[ 00:05 ]
805661be-805661cd 16 bytes - nt!RtlpUnlockAtomTable+1c (+0x02)
[ 0f b1 11 83 f8 02 0f 85:05 00 00 00 00 00 c4 61 ]
805661d0-805661da 11 bytes - nt!RtlpUnlockAtomTable+31 (+0x12)
[ ff 80 d4 00 00 00 5e 0f:58 cf 66 82 40 07 54 82 ]
805661dd-80566200 36 bytes - nt!RtlpUnlockAtomTable+4d (+0x0d)
[ 5d c2 04 00 90 90 90 90:00 00 00 b0 ee ec dc eb ]
80566202-8056620d 12 bytes - nt!RtlpLockAtomTable+14 (+0x25)
[ 56 64 a1 24 01 00 00 ff:00 00 04 62 56 82 04 62 ]
8056620f-80566210 2 bytes - nt!RtlpLockAtomTable+21 (+0x0d)
[ 8d 71:00 3c ]
80566212-80566216 5 bytes - nt!RtlpLockAtomTable+24 (+0x03)
[ 89 75 08 b8 00:00 00 05 00 05 ]
8056621a-80566267 78 bytes - nt!RtlpLockAtomTable+2c (+0x08)
[ 8b 4d 08 ba 02 00 00 00:00 00 1c 62 56 82 1c 62 ]
80566269-8056627c 20 bytes - nt!RtlpAtomMapAtomToHandleEntry+2d (+0x4f)
[ 33 c0 eb f7 90 90 90 90:00 00 00 00 00 00 00 00 ]
8056627e-8056627f 2 bytes - nt!NtRemoveIoCompletion+c (+0x15)
[ 33 f6:ff 7f ]
568 errors : !nt (80566020-8056627f)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
Followup: memory_corruption
---------
--
Gary Roach
ADB Services
used the Window debugging tools to analyze the minidump file. It indicates a
problem in the win32k module. I'm wondering if any more information can be
obtained. Here's the !analyze -v output. Thanks for any help.
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [c:\windows\minidump\Mini053008-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\windows\i386
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Fri May 30 21:36:44.343 2008 (GMT-4)
System Uptime: 0 days 0:11:31.920
Loading Kernel Symbols
...............................................................................................................................................
Loading User Symbols
Loading unloaded module list
..............................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, bf8055c5, eddae744, 0}
Probably caused by : memory_corruption
Followup: memory_corruption
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf8055c5, The address that the exception occurred at
Arg3: eddae744, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
win32k!DC::vUpdate_VisRect+99
bf8055c5 8020fb and byte ptr [eax],0FBh
TRAP_FRAME: eddae744 -- (.trap 0xffffffffeddae744)
ErrCode = 00000002
eax=5600299b ebx=e1108008 ecx=55ff8b90 edx=00000000 esi=eddae7d4
edi=023f0cb0
eip=bd8055c5 esp=eddae7b8 ebp=eddae7d4 iopl=0 nv up ei pl nz na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010206
bd8055c5 ?? ???
Resetting default scope
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x8E
PROCESS_NAME: RegistryPatrol.
LAST_CONTROL_TRANSFER: from e1108418 to bd8055c5
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
eddae7b4 e1108418 e1108008 00000001 00000014 0xbd8055c5
eddae7d4 bf805e73 e01460d8 eddae85c 550109e0 0xe1108418
eddae814 bf804727 00000000 00000000 eddae854 win32k!DC::bCompute+0x23d
eddae824 bf8066b6 eddae85c eddae8c8 bc6d56c0 win32k!DEVLOCKOBJ::bLock+0x79
eddae854 bf8155f0 e1108008 eddae8d0 00000001 win32k!GreGetClipBox+0x2e
eddae878 bd81599d bc6d56c0 550109e0 eddae8d0
win32k!UT_GetParentDCClipBox+0x15
eddae89c bf815a84 00000002 eddae8c8 eddae934 0xbd81599d
eddae924 804de7ec 000203ec 0012f134 0012f1b4 win32k!NtUserBeginPaint+0x53
eddae924 7c90eb94 000203ec 0012f134 0012f1b4 nt!KiFastCallEntry+0xf8
0012f1b4 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: .bugcheck ; kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
80566020-8056603b 28 bytes - nt!CmpUnlockRegistry+8
[ be 60 73 55 80 0f 85 9c:06 00 70 00 00 00 00 00 ]
8056603d-80566056 26 bytes - nt!CmpUnlockRegistry+42 (+0x1d)
[ 00 5e 75 0b 8d 48 34 39:a0 da ed 00 f0 fd 7f 00 ]
80566058-8056606a 19 bytes - nt!RtlUpcaseUnicodeString+6 (+0x1b)
[ 7d 10 00 56 8b 75 0c 66:54 60 56 82 5c 60 56 80 ]
8056606c-8056606e 3 bytes - nt!RtlUpcaseUnicodeString+35 (+0x14)
[ 66 3b 47:c7 10 02 ]
80566070-80566074 5 bytes - nt!RtlUpcaseUnicodeString+39 (+0x04)
[ 0f 87 e4 70 09:00 00 00 00 00 ]
80566076-80566079 4 bytes - nt!RtlUpcaseUnicodeString+45 (+0x06)
[ 0f b7 16 6a:00 00 00 01 ]
8056607b-805660c0 70 bytes - nt!RtlUpcaseUnicodeString+4a (+0x05)
[ d1 ea 59 89 55 08 89 4d:04 d8 60 56 80 00 00 00 ]
805660c2-805660cd 12 bytes - nt!RtlUpcaseUnicodeString+ad (+0x47)
[ 0f b7 c0 eb dd 3b d0 0f:00 00 00 00 00 00 20 60 ]
805660cf-805660fe 48 bytes - nt!NtWaitForMultipleObjects+6a (+0x0d)
[ 8b 0a 89 4d b0 8b 52 04:00 00 00 00 00 00 00 00 ]
80566100-80566106 7 bytes - nt!ObReferenceObjectByHandle+37 (+0x31)
[ 8b 76 44 8b 8e a4 01:40 96 55 80 00 00 00 ]
80566109-80566114 12 bytes - nt!ObReferenceObjectByHandle+40 (+0x09)
[ 8b c1 f7 d0 85 45 0c 0f:00 00 00 00 00 00 00 08 ]
80566116-80566125 16 bytes - nt!ObReferenceObjectByHandle+4f (+0x0d)
[ 8b 45 1c 3b c3 8d 56 e8:00 00 d8 60 56 82 d8 60 ]
80566127-80566132 12 bytes - nt!ObReferenceObjectByHandle+61 (+0x11)
[ 80 3d 50 2f 55 80 00 0f:00 28 31 58 82 10 2a 56 ]
80566134-80566135 2 bytes - nt!ObReferenceObjectByHandle+72 (+0x0d)
[ b8 01:00 00 ]
80566139-80566180 72 bytes - nt!ObReferenceObjectByHandle+77 (+0x05)
[ 8b 4d fc 0f c1 01 89 37:00 00 00 00 00 00 00 01 ]
80566183-8056618e 12 bytes - nt!ObReferenceObjectByHandle+d4 (+0x4a)
[ 80 3d 50 2f 55 80 00 0f:00 00 00 01 00 00 f0 da ]
80566190-80566191 2 bytes - nt!ObReferenceObjectByHandle+e5 (+0x0d)
[ b8 01:00 00 ]
80566194-805661b2 31 bytes - nt!ObReferenceObjectByHandle+e9 (+0x04)
[ 00 8b 4d fc 0f c1 01 eb:20 60 56 80 54 60 56 82 ]
805661b6-805661b9 4 bytes - nt!RtlpUnlockAtomTable+14 (+0x22)
[ 8b 4d 08 ba:00 00 00 00 ]
805661bc - nt!RtlpUnlockAtomTable+1a (+0x06)
[ 00:05 ]
805661be-805661cd 16 bytes - nt!RtlpUnlockAtomTable+1c (+0x02)
[ 0f b1 11 83 f8 02 0f 85:05 00 00 00 00 00 c4 61 ]
805661d0-805661da 11 bytes - nt!RtlpUnlockAtomTable+31 (+0x12)
[ ff 80 d4 00 00 00 5e 0f:58 cf 66 82 40 07 54 82 ]
805661dd-80566200 36 bytes - nt!RtlpUnlockAtomTable+4d (+0x0d)
[ 5d c2 04 00 90 90 90 90:00 00 00 b0 ee ec dc eb ]
80566202-8056620d 12 bytes - nt!RtlpLockAtomTable+14 (+0x25)
[ 56 64 a1 24 01 00 00 ff:00 00 04 62 56 82 04 62 ]
8056620f-80566210 2 bytes - nt!RtlpLockAtomTable+21 (+0x0d)
[ 8d 71:00 3c ]
80566212-80566216 5 bytes - nt!RtlpLockAtomTable+24 (+0x03)
[ 89 75 08 b8 00:00 00 05 00 05 ]
8056621a-80566267 78 bytes - nt!RtlpLockAtomTable+2c (+0x08)
[ 8b 4d 08 ba 02 00 00 00:00 00 1c 62 56 82 1c 62 ]
80566269-8056627c 20 bytes - nt!RtlpAtomMapAtomToHandleEntry+2d (+0x4f)
[ 33 c0 eb f7 90 90 90 90:00 00 00 00 00 00 00 00 ]
8056627e-8056627f 2 bytes - nt!NtRemoveIoCompletion+c (+0x15)
[ 33 f6:ff 7f ]
568 errors : !nt (80566020-8056627f)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
Followup: memory_corruption
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf8055c5, The address that the exception occurred at
Arg3: eddae744, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
win32k!DC::vUpdate_VisRect+99
bf8055c5 8020fb and byte ptr [eax],0FBh
TRAP_FRAME: eddae744 -- (.trap 0xffffffffeddae744)
ErrCode = 00000002
eax=5600299b ebx=e1108008 ecx=55ff8b90 edx=00000000 esi=eddae7d4
edi=023f0cb0
eip=bd8055c5 esp=eddae7b8 ebp=eddae7d4 iopl=0 nv up ei pl nz na pe
nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010206
bd8055c5 ?? ???
Resetting default scope
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x8E
PROCESS_NAME: RegistryPatrol.
LAST_CONTROL_TRANSFER: from e1108418 to bd8055c5
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
eddae7b4 e1108418 e1108008 00000001 00000014 0xbd8055c5
eddae7d4 bf805e73 e01460d8 eddae85c 550109e0 0xe1108418
eddae814 bf804727 00000000 00000000 eddae854 win32k!DC::bCompute+0x23d
eddae824 bf8066b6 eddae85c eddae8c8 bc6d56c0 win32k!DEVLOCKOBJ::bLock+0x79
eddae854 bf8155f0 e1108008 eddae8d0 00000001 win32k!GreGetClipBox+0x2e
eddae878 bd81599d bc6d56c0 550109e0 eddae8d0
win32k!UT_GetParentDCClipBox+0x15
eddae89c bf815a84 00000002 eddae8c8 eddae934 0xbd81599d
eddae924 804de7ec 000203ec 0012f134 0012f1b4 win32k!NtUserBeginPaint+0x53
eddae924 7c90eb94 000203ec 0012f134 0012f1b4 nt!KiFastCallEntry+0xf8
0012f1b4 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: .bugcheck ; kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
80566020-8056603b 28 bytes - nt!CmpUnlockRegistry+8
[ be 60 73 55 80 0f 85 9c:06 00 70 00 00 00 00 00 ]
8056603d-80566056 26 bytes - nt!CmpUnlockRegistry+42 (+0x1d)
[ 00 5e 75 0b 8d 48 34 39:a0 da ed 00 f0 fd 7f 00 ]
80566058-8056606a 19 bytes - nt!RtlUpcaseUnicodeString+6 (+0x1b)
[ 7d 10 00 56 8b 75 0c 66:54 60 56 82 5c 60 56 80 ]
8056606c-8056606e 3 bytes - nt!RtlUpcaseUnicodeString+35 (+0x14)
[ 66 3b 47:c7 10 02 ]
80566070-80566074 5 bytes - nt!RtlUpcaseUnicodeString+39 (+0x04)
[ 0f 87 e4 70 09:00 00 00 00 00 ]
80566076-80566079 4 bytes - nt!RtlUpcaseUnicodeString+45 (+0x06)
[ 0f b7 16 6a:00 00 00 01 ]
8056607b-805660c0 70 bytes - nt!RtlUpcaseUnicodeString+4a (+0x05)
[ d1 ea 59 89 55 08 89 4d:04 d8 60 56 80 00 00 00 ]
805660c2-805660cd 12 bytes - nt!RtlUpcaseUnicodeString+ad (+0x47)
[ 0f b7 c0 eb dd 3b d0 0f:00 00 00 00 00 00 20 60 ]
805660cf-805660fe 48 bytes - nt!NtWaitForMultipleObjects+6a (+0x0d)
[ 8b 0a 89 4d b0 8b 52 04:00 00 00 00 00 00 00 00 ]
80566100-80566106 7 bytes - nt!ObReferenceObjectByHandle+37 (+0x31)
[ 8b 76 44 8b 8e a4 01:40 96 55 80 00 00 00 ]
80566109-80566114 12 bytes - nt!ObReferenceObjectByHandle+40 (+0x09)
[ 8b c1 f7 d0 85 45 0c 0f:00 00 00 00 00 00 00 08 ]
80566116-80566125 16 bytes - nt!ObReferenceObjectByHandle+4f (+0x0d)
[ 8b 45 1c 3b c3 8d 56 e8:00 00 d8 60 56 82 d8 60 ]
80566127-80566132 12 bytes - nt!ObReferenceObjectByHandle+61 (+0x11)
[ 80 3d 50 2f 55 80 00 0f:00 28 31 58 82 10 2a 56 ]
80566134-80566135 2 bytes - nt!ObReferenceObjectByHandle+72 (+0x0d)
[ b8 01:00 00 ]
80566139-80566180 72 bytes - nt!ObReferenceObjectByHandle+77 (+0x05)
[ 8b 4d fc 0f c1 01 89 37:00 00 00 00 00 00 00 01 ]
80566183-8056618e 12 bytes - nt!ObReferenceObjectByHandle+d4 (+0x4a)
[ 80 3d 50 2f 55 80 00 0f:00 00 00 01 00 00 f0 da ]
80566190-80566191 2 bytes - nt!ObReferenceObjectByHandle+e5 (+0x0d)
[ b8 01:00 00 ]
80566194-805661b2 31 bytes - nt!ObReferenceObjectByHandle+e9 (+0x04)
[ 00 8b 4d fc 0f c1 01 eb:20 60 56 80 54 60 56 82 ]
805661b6-805661b9 4 bytes - nt!RtlpUnlockAtomTable+14 (+0x22)
[ 8b 4d 08 ba:00 00 00 00 ]
805661bc - nt!RtlpUnlockAtomTable+1a (+0x06)
[ 00:05 ]
805661be-805661cd 16 bytes - nt!RtlpUnlockAtomTable+1c (+0x02)
[ 0f b1 11 83 f8 02 0f 85:05 00 00 00 00 00 c4 61 ]
805661d0-805661da 11 bytes - nt!RtlpUnlockAtomTable+31 (+0x12)
[ ff 80 d4 00 00 00 5e 0f:58 cf 66 82 40 07 54 82 ]
805661dd-80566200 36 bytes - nt!RtlpUnlockAtomTable+4d (+0x0d)
[ 5d c2 04 00 90 90 90 90:00 00 00 b0 ee ec dc eb ]
80566202-8056620d 12 bytes - nt!RtlpLockAtomTable+14 (+0x25)
[ 56 64 a1 24 01 00 00 ff:00 00 04 62 56 82 04 62 ]
8056620f-80566210 2 bytes - nt!RtlpLockAtomTable+21 (+0x0d)
[ 8d 71:00 3c ]
80566212-80566216 5 bytes - nt!RtlpLockAtomTable+24 (+0x03)
[ 89 75 08 b8 00:00 00 05 00 05 ]
8056621a-80566267 78 bytes - nt!RtlpLockAtomTable+2c (+0x08)
[ 8b 4d 08 ba 02 00 00 00:00 00 1c 62 56 82 1c 62 ]
80566269-8056627c 20 bytes - nt!RtlpAtomMapAtomToHandleEntry+2d (+0x4f)
[ 33 c0 eb f7 90 90 90 90:00 00 00 00 00 00 00 00 ]
8056627e-8056627f 2 bytes - nt!NtRemoveIoCompletion+c (+0x15)
[ 33 f6:ff 7f ]
568 errors : !nt (80566020-8056627f)
MODULE_NAME: memory_corruption
IMAGE_NAME: memory_corruption
FOLLOWUP_NAME: memory_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MEMORY_CORRUPTOR: LARGE
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE
BUCKET_ID: MEMORY_CORRUPTION_LARGE
Followup: memory_corruption
---------
--
Gary Roach
ADB Services