Question

Can someone explain these dump files please

simon remington asked on

Hi Guys.

Could someone possibly explain the following dump files to me please.

031414-21028-01.dmp 13/03/2014 20:34:54 SYSTEM_SERVICE_EXCEPTION 0x0000003b 00000000`c0000005 fffff960`0019690e fffff880`071669e0 00000000`00000000 win32k.sys win32k.sys+c690e Multi-User Win32 Driver Microsoft® Windows® Operating System Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255) x64 ntoskrnl.exe+75bc0     C:\Windows\Minidump\031414-21028-01.dmp 2 15 7601 274,736 14/03/2014 07:35:49

----------------------------------------------------------------

 ntoskrnl.exe ntoskrnl.exe+75169 fffff800`0324c000 fffff800`03831000 0x005e5000 0x521ea035 29/08/2013 01:13:25 Microsoft® Windows® Operating System NT Kernel & System 6.1.7601.18247 (win7sp1_gdr.130828-1532) Microsoft Corporation C:\Windows\system32\ntoskrnl.exe 

----------------------------------------------------------------

win32k.sys win32k.sys+c690e fffff960`000d0000 fffff960`003e7000 0x00317000 0x52f4357b 07/02/2014 01:23:07 Microsoft® Windows® Operating System Multi-User Win32 Driver 6.1.7600.16385 (win7_rtm.090713-1255) Microsoft Corporation C:\Windows\system32\win32k.sys 

------------------------------------------------------------------------------------------------------------------------------------------------------------------------

031314-22526-01.dmp 13/03/2014 20:17:08 SYSTEM_SERVICE_EXCEPTION 0x0000003b 00000000`c0000005 fffff800`0354a6d0 fffff880`07a5abf0 00000000`00000000 ntoskrnl.exe ntoskrnl.exe+75bc0 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+75bc0     C:\Windows\Minidump\031314-22526-01.dmp 2 15 7601 274,736 13/03/2014 20:18:57

----------------------------------------------------------------

ntoskrnl.exe ntoskrnl.exe+75169 fffff800`0320c000 fffff800`037f1000 0x005e5000 0x521ea035 29/08/2013 01:13:25 Microsoft® Windows® Operating System NT Kernel & System 6.1.7601.18247 (win7sp1_gdr.130828-1532) Microsoft Corporation C:\Windows\system32\ntoskrnl.exe 

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

031314-31325-01.dmp 13/03/2014 19:15:35 MEMORY_MANAGEMENT 0x0000001a 00000000`00041287 00000000`00000030 00000000`00000000 00000000`00000000 ntoskrnl.exe ntoskrnl.exe+75bc0 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+75bc0     C:\Windows\Minidump\031314-31325-01.dmp 2 15 7601 274,736 13/03/2014 19:17:22 

----------------------------------------------------------------

ntoskrnl.exe ntoskrnl.exe+ed2e fffff800`03266000 fffff800`0384b000 0x005e5000 0x521ea035 29/08/2013 01:13:25 Microsoft® Windows® Operating System NT Kernel & System 6.1.7601.18247 (win7sp1_gdr.130828-1532) Microsoft Corporation C:\Windows\system32\ntoskrnl.exe 

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

As you can see, the top layer is the dump and the lower layer is the file. The above is taken from BlueScreenView.exe. There are 3 dumps one after the other; could someone talk me slowly through them, possibly with a highlighter? Things like: what are the 4 parameters? Why are they different? etc.

Thank you in anticipation.



Answer
Patrick Barker replied on

Great, thanks!

The attached DMP file is of the SYSTEM_SERVICE_EXCEPTION (3b) bug check.

This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.

This error has been linked to excessive paged pool usage and may occur due to user-mode graphics drivers crossing over and passing bad data to the kernel code.

-----------------------

1: kd> uf win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0xe
win32k!DEVLOCKOBJ::~DEVLOCKOBJ:
fffff960`001967a8 fff3            push    rbx
fffff960`001967aa 4883ec20        sub     rsp,20h
fffff960`001967ae 488bd9          mov     rbx,rcx
fffff960`001967b1 e8ce000000      call    win32k!DEVLOCKOBJ::bDisposeTrgDco (fffff960`00196884)
fffff960`001967b6 0fba63180c      bt      dword ptr [rbx+18h],0Ch
fffff960`001967bb 732e            jae     win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x43 (fffff960`001967eb)

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x15:
fffff960`001967bd ff154d181e00    call    qword ptr [win32k!_imp_PsGetCurrentThreadWin32Thread (fffff960`00378010)]
fffff960`001967c3 4885c0          test    rax,rax
fffff960`001967c6 7403            je      win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x23 (fffff960`001967cb)

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x20:
fffff960`001967c8 ff4860          dec     dword ptr [rax+60h]

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x23:
fffff960`001967cb 0fba73180c      btr     dword ptr [rbx+18h],0Ch
fffff960`001967d0 ff153a181e00    call    qword ptr [win32k!_imp_PsGetCurrentThreadWin32Thread (fffff960`00378010)]
fffff960`001967d6 4885c0          test    rax,rax
fffff960`001967d9 7410            je      win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x43 (fffff960`001967eb)

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x33:
fffff960`001967db 4883a03801000000 and     qword ptr [rax+138h],0
fffff960`001967e3 4883a03001000000 and     qword ptr [rax+130h],0

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x43:
fffff960`001967eb 488b13          mov     rdx,qword ptr [rbx]
fffff960`001967ee 4885d2          test    rdx,rdx
fffff960`001967f1 744d            je      win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x98 (fffff960`00196840)

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x4b:
fffff960`001967f3 488b4310        mov     rax,qword ptr [rbx+10h]
fffff960`001967f7 4c8b80f8090000  mov     r8,qword ptr [rax+9F8h]
fffff960`001967fe 4d85c0          test    r8,r8
fffff960`00196801 741a            je      win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x75 (fffff960`0019681d)

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x5b:
fffff960`00196803 33c9            xor     ecx,ecx
fffff960`00196805 483b15d4bc2100  cmp     rdx,qword ptr [win32k!ghsemGreLock (fffff960`003b24e0)]
fffff960`0019680c 0f95c1          setne   cl
fffff960`0019680f 4803c9          add     rcx,rcx
fffff960`00196812 498b4cc808      mov     rcx,qword ptr [r8+rcx*8+8]
fffff960`00196817 ff150b251e00    call    qword ptr [win32k!_imp_WdExitMonitoredSection (fffff960`00378d28)]

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x75:
fffff960`0019681d 488b13          mov     rdx,qword ptr [rbx]
fffff960`00196820 488d0d91d41e00  lea     rcx,[win32k!`string' (fffff960`00383cb8)]
fffff960`00196827 e828520c00      call    win32k!TraceGreReleaseSemaphore (fffff960`0025ba54)
fffff960`0019682c 488b0b          mov     rcx,qword ptr [rbx]
fffff960`0019682f 4885c9          test    rcx,rcx
fffff960`00196832 740c            je      win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x98 (fffff960`00196840)

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x8c:
fffff960`00196834 ff151e191e00    call    qword ptr [win32k!_imp_ExReleaseResourceAndLeaveCriticalRegion (fffff960`00378158)]
fffff960`0019683a ff15601c1e00    call    qword ptr [win32k!_imp_PsLeavePriorityRegion (fffff960`003784a0)]

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x98:
fffff960`00196840 8b4318          mov     eax,dword ptr [rbx+18h]
fffff960`00196843 a808            test    al,8
fffff960`00196845 7406            je      win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0xa5 (fffff960`0019684d)

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0x9f:
fffff960`00196847 83e0f7          and     eax,0FFFFFFF7h
fffff960`0019684a 894318          mov     dword ptr [rbx+18h],eax

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0xa5:
fffff960`0019684d 488b5308        mov     rdx,qword ptr [rbx+8]
fffff960`00196851 4885d2          test    rdx,rdx
fffff960`00196854 7421            je      win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0xcf (fffff960`00196877)

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0xae:
fffff960`00196856 488d0d6bd41e00  lea     rcx,[win32k!`string' (fffff960`00383cc8)]
fffff960`0019685d e8f2510c00      call    win32k!TraceGreReleaseSemaphore (fffff960`0025ba54)
fffff960`00196862 488b4b08        mov     rcx,qword ptr [rbx+8]
fffff960`00196866 4885c9          test    rcx,rcx
fffff960`00196869 740c            je      win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0xcf (fffff960`00196877)

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0xc3:
fffff960`0019686b ff15e7181e00    call    qword ptr [win32k!_imp_ExReleaseResourceAndLeaveCriticalRegion (fffff960`00378158)]
fffff960`00196871 ff15291c1e00    call    qword ptr [win32k!_imp_PsLeavePriorityRegion (fffff960`003784a0)]

win32k!DEVLOCKOBJ::~DEVLOCKOBJ+0xcf:
fffff960`00196877 4883c420        add     rsp,20h
fffff960`0019687b 5b              pop     rbx
fffff960`0019687c c3              ret

-----------------------

1: kd> uf win32k!DEVLOCKOBJ::bDisposeTrgDco+0x8a
win32k!DEVLOCKOBJ::bDisposeTrgDco:
fffff960`00196884 48895c2408      mov     qword ptr [rsp+8],rbx
fffff960`00196889 4889742410      mov     qword ptr [rsp+10h],rsi
fffff960`0019688e 57              push    rdi
fffff960`0019688f 4883ec20        sub     rsp,20h
fffff960`00196893 488b5920        mov     rbx,qword ptr [rcx+20h]
fffff960`00196897 488bf1          mov     rsi,rcx
fffff960`0019689a 4885db          test    rbx,rbx
fffff960`0019689d 0f848f000000    je      win32k!DEVLOCKOBJ::bDisposeTrgDco+0xae (fffff960`00196932)

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x1f:
fffff960`001968a3 0fba61180c      bt      dword ptr [rcx+18h],0Ch
fffff960`001968a8 488b5b30        mov     rbx,qword ptr [rbx+30h]
fffff960`001968ac 7360            jae     win32k!DEVLOCKOBJ::bDisposeTrgDco+0x8a (fffff960`0019690e)

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x2a:
fffff960`001968ae 0fba61180a      bt      dword ptr [rcx+18h],0Ah
fffff960`001968b3 730e            jae     win32k!DEVLOCKOBJ::bDisposeTrgDco+0x3f (fffff960`001968c3)

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x31:
fffff960`001968b5 4883c120        add     rcx,20h
fffff960`001968b9 e8ee4b1800      call    win32k!bUnHookRedir (fffff960`0031b4ac)
fffff960`001968be 0fba76180a      btr     dword ptr [rsi+18h],0Ah

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x3f:
fffff960`001968c3 0fba66180d      bt      dword ptr [rsi+18h],0Dh
fffff960`001968c8 730e            jae     win32k!DEVLOCKOBJ::bDisposeTrgDco+0x54 (fffff960`001968d8)

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x46:
fffff960`001968ca 488d4e20        lea     rcx,[rsi+20h]
fffff960`001968ce e865071800      call    win32k!bUnHookBmpDrv (fffff960`00317038)
fffff960`001968d3 0fba76180d      btr     dword ptr [rsi+18h],0Dh

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x54:
fffff960`001968d8 ba01000000      mov     edx,1
fffff960`001968dd 488bce          mov     rcx,rsi
fffff960`001968e0 e87b1dfcff      call    win32k!DEVLOCKOBJ::vFlushSpriteUpdates (fffff960`00158660)
fffff960`001968e5 f6461810        test    byte ptr [rsi+18h],10h
fffff960`001968e9 741b            je      win32k!DEVLOCKOBJ::bDisposeTrgDco+0x82 (fffff960`00196906)

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x67:
fffff960`001968eb 488b4620        mov     rax,qword ptr [rsi+20h]
fffff960`001968ef 0fba70240e      btr     dword ptr [rax+24h],0Eh
fffff960`001968f4 488b4e20        mov     rcx,qword ptr [rsi+20h]
fffff960`001968f8 488b83b0090000  mov     rax,qword ptr [rbx+9B0h]
fffff960`001968ff 488981f8010000  mov     qword ptr [rcx+1F8h],rax

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x82:
fffff960`00196906 488bce          mov     rcx,rsi
fffff960`00196909 e86e2e1200      call    win32k!DEVLOCKOBJ::vClearRenderState (fffff960`002b977c)

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x8a:
fffff960`0019690e 48837e2000      cmp     qword ptr [rsi+20h],0
fffff960`00196913 7418            je      win32k!DEVLOCKOBJ::bDisposeTrgDco+0xa9 (fffff960`0019692d)

win32k!DEVLOCKOBJ::bDisposeTrgDco+0x91:
fffff960`00196915 488d4e20        lea     rcx,[rsi+20h]
fffff960`00196919 e842140000      call    win32k!XDCOBJ::RestoreAttributes (fffff960`00197d60)
fffff960`0019691e 4c8b5e20        mov     r11,qword ptr [rsi+20h]
fffff960`00196922 f04183430cff    lock add dword ptr [r11+0Ch],0FFFFFFFFh
fffff960`00196928 4883662000      and     qword ptr [rsi+20h],0

win32k!DEVLOCKOBJ::bDisposeTrgDco+0xa9:
fffff960`0019692d 4883662000      and     qword ptr [rsi+20h],0

win32k!DEVLOCKOBJ::bDisposeTrgDco+0xae:
fffff960`00196932 488b5c2430      mov     rbx,qword ptr [rsp+30h]
fffff960`00196937 488b742438      mov     rsi,qword ptr [rsp+38h]
fffff960`0019693c b801000000      mov     eax,1
fffff960`00196941 4883c420        add     rsp,20h
fffff960`00196945 5f              pop     rdi
fffff960`00196946 c3              ret

^^ Both callers are intact.

It looks like we fall off at win32k!DEVLOCKOBJ::bDisposeTrgDco+0xae. The IP is in the middle of the instruction, likely ready to return.

1: kd> .formats fffff9600019690e;.formats fffff960`00196932
Evaluate expression:
  Hex:     fffff960`0019690e
  Decimal: -7284262868722
  Octal:   1777777626000006264416
  Binary:  11111111 11111111 11111001 01100000 00000000 00011001 01101001 00001110
  Chars:   ...`..i.
  Time:    ***** Invalid FILETIME
  Float:   low 2.33357e-039 high -1.#QNAN
  Double:  -1.#QNAN
Evaluate expression:
  Hex:     fffff960`00196932
  Decimal: -7284262868686
  Octal:   1777777626000006264462
  Binary:  11111111 11111111 11111001 01100000 00000000 00011001 01101001 00110010
  Chars:   ...`..i2
  Time:    ***** Invalid FILETIME
  Float:   low 2.33362e-039 high -1.#QNAN
  Double:  -1.#QNAN

^^ No single bit differs, likely not a hardware issue at this time (at least not one I can currently see).

-----------------------

1. AODDriver2.sys is listed and loaded in your modules list, which is AMD Overdrive; also in EasyTune6 for Gigabyte motherboards. Known BSOD issues in Win7 & 8.

Please uninstall either software ASAP! If you cannot find either software to uninstall, or it's not installed, please navigate to the following filepath:

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys

and rename AODDriver2.sys to AODDriver.2old

and then Restart.

2. Enable Driver Verifier if #1 fails:

Driver Verifier:

What is Driver Verifier?

Driver Verifier is included in Windows 8/8.1, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.

Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8)
- DDI compliance checking (Windows 8)
- Miscellaneous Checks
4. Select  - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

They will be located in %systemroot%\Minidump

Any other questions can most likely be answered by this article:
http://support.microsoft.com/kb/244617

Regards,

Patrick

Debugger/Reverse Engineer.
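As an added example, not part of either post above: a small Python parser for BlueScreenView lines in the shape the question pastes (dump line followed by module lines). It resolves an absolute address to module+offset the way the debugger does (base + offset, which is how win32k.sys+c690e is derived) and counts the bits that differ between the two addresses compared with .formats in the answer. The sample lines below are constructed from the question's values; the column positions are an assumption about BlueScreenView's export order.

```python
from dataclasses import dataclass

# Constructed sample input, copied in shape from the BlueScreenView paste in the question.
# Only the leading whitespace-separated columns are used; the trailing description columns
# contain spaces and are ignored.
DUMP_LINE = ("031414-21028-01.dmp 13/03/2014 20:34:54 SYSTEM_SERVICE_EXCEPTION 0x0000003b "
             "00000000`c0000005 fffff960`0019690e fffff880`071669e0 00000000`00000000 "
             "win32k.sys win32k.sys+c690e")
MODULE_LINES = [
    "ntoskrnl.exe ntoskrnl.exe+75169 fffff800`0324c000 fffff800`03831000 0x005e5000",
    "win32k.sys win32k.sys+c690e fffff960`000d0000 fffff960`003e7000 0x00317000",
]

def windbg_hex(s: str) -> int:
    """Parse a WinDbg-style 64-bit value such as fffff960`0019690e (backtick separator)."""
    return int(s.replace("`", ""), 16)

@dataclass
class Crash:
    dump: str
    bugcheck_name: str
    bugcheck_code: int
    params: tuple          # the four bug-check parameters, as integers
    caused_by: str         # module BlueScreenView blames for the crash

def parse_dump_line(line: str) -> Crash:
    f = line.split()
    return Crash(dump=f[0], bugcheck_name=f[3], bugcheck_code=int(f[4], 16),
                 params=tuple(windbg_hex(p) for p in f[5:9]), caused_by=f[9])

def parse_modules(lines) -> dict:
    """Map module name -> (base, end) from BlueScreenView module lines."""
    mods = {}
    for line in lines:
        f = line.split()
        mods[f[0]] = (windbg_hex(f[2]), windbg_hex(f[3]))
    return mods

def resolve(addr: int, mods: dict):
    """Return 'module+offset' if addr lies inside a loaded module, else None."""
    for name, (base, end) in mods.items():
        if base <= addr < end:
            return f"{name}+{addr - base:x}"
    return None

def differing_bits(a: int, b: int) -> int:
    """Count bit positions where two addresses differ; a single flipped bit hints at bad RAM."""
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    crash = parse_dump_line(DUMP_LINE)
    mods = parse_modules(MODULE_LINES)
    print(crash.bugcheck_name, hex(crash.bugcheck_code), "blamed on", crash.caused_by)
    for i, p in enumerate(crash.params, 1):
        print(f"  param{i}: {p:016x} -> {resolve(p, mods)}")
    print("bits differing between the faulting IP and the ret block:",
          differing_bits(0xfffff9600019690e, 0xfffff96000196932))
```

Only the second parameter of this 0x3b dump falls inside a module range; the first is the exception code c0000005 and resolves to nothing, which is the quick way to tell a code from an address in these listings.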