BSOD - How to locate driver in dump file?

  • Thread starter: Sam Harvey (sam.harvey)
MEMORY dmp

Minidump File


0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 0000000000002000, Code Integrity Issue: The caller specified an executable pool type. (Expected: NonPagedPoolNx)
Arg2: fffff804dee61d93, The address in the driver's code where the error was detected.
Arg3: 0000000000000000, Pool Type.
Arg4: 0000000000726274, Pool Tag (if provided).

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2015

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on ASI-2018-01

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.mSec
Value: 2627

Key : Analysis.Memory.CommitPeak.Mb
Value: 78

Key : Analysis.System
Value: CreateObject

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

BUGCHECK_CODE: c4

BUGCHECK_P1: 2000

BUGCHECK_P2: fffff804dee61d93

BUGCHECK_P3: 0

BUGCHECK_P4: 726274

BLACKBOXNTFS: 1 (!blackboxntfs)


PROCESS_NAME: System

STACK_TEXT:
fffffe01`616075a8 fffff800`2c5dee34 : 00000000`000000c4 00000000`00002000 fffff804`dee61d93 00000000`00000000 : nt!KeBugCheckEx
fffffe01`616075b0 fffff800`2c1acda5 : fffff800`2c823c20 00000000`00002000 fffff804`dee61d93 00000000`00000000 : nt!VerifierBugCheckIfAppropriate+0xe0
fffffe01`616075f0 fffff800`2c5d5df4 : 00000000`00726274 fffff800`2c823c20 fffff804`dee61d93 00000000`00000000 : nt!VfReportIssueWithOptions+0x101
fffffe01`61607640 fffff800`2c5e2ff2 : 00000000`00000000 fffffe01`61607940 00000000`00000018 00000000`00000000 : nt!VfCheckPoolType+0x90
fffffe01`61607680 fffff804`dee61d93 : 00000000`00000000 ffffca09`265f8d90 00000000`00000000 00000000`00000000 : nt!VerifierExAllocatePoolWithTag+0x62
fffffe01`616076d0 fffff804`dee61cf4 : 00000000`00000000 fffffe01`61607940 ffffca09`265f8d90 ffffca09`2658c880 : ene+0x1d93
fffffe01`61607700 fffff804`dee614c7 : 00000000`00000000 ffffca09`265f8d90 00000000`00000000 00000000`00000000 : ene+0x1cf4
fffffe01`61607730 fffff804`dee66020 : ffffca09`1dff5000 fffff800`2bf7302a ffffca09`2658c630 fffff800`2be60e50 : ene+0x14c7
fffffe01`616077b0 fffff800`2c36bcf4 : ffffca09`1dff5000 00000000`00000000 00000000`00000002 fffffe01`61607808 : ene+0x6020
fffffe01`616077e0 fffff800`2c336c2d : 00000000`00000014 00000000`00000000 00000000`00000000 00000000`00001000 : nt!PnpCallDriverEntry+0x4c
fffffe01`61607840 fffff800`2c66789f : ffffca09`1d0f2248 ffffca09`1d0f2248 fffffe01`61607a80 00000000`00000000 : nt!IopLoadDriver+0x4e5
fffffe01`61607a10 fffff800`2c6703fa : ffffffff`00000000 ffffb006`9bc2efd0 00000000`00000000 fffff800`2a2e0750 : nt!IopInitializeSystemDrivers+0x157
fffffe01`61607ab0 fffff800`2c3abe2b : fffff800`2a2e0750 fffff800`2c857f68 fffff800`2c3abdf0 fffff800`2a2e0750 : nt!IoInitSystem+0x2e
fffffe01`61607ae0 fffff800`2bf28e25 : ffffca09`182a9040 fffff800`2c3abdf0 fffff800`2a2e0750 00000000`00000000 : nt!Phase1Initialization+0x3b
fffffe01`61607b10 fffff800`2c00ddd8 : fffff800`2a64a180 ffffca09`182a9040 fffff800`2bf28dd0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffffe01`61607b60 00000000`00000000 : fffffe01`61608000 fffffe01`61601000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


SYMBOL_NAME: ene+1d93

MODULE_NAME: ene

IMAGE_NAME: ene.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 1d93

FAILURE_BUCKET_ID: 0xc4_2000_VRF_ene!unknown_function

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {8c7175c3-41d7-9412-c64e-e43d9572bd5c}

Followup: MachineOwner
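The analysis above already answers the question in three places that should agree with each other: the MODULE_NAME/IMAGE_NAME fields (ene / ene.sys), the first frame in STACK_TEXT that is not inside nt (ene+0x1d93, sitting directly above nt!VerifierExAllocatePoolWithTag), and Arg2, which is the return address into that same frame. The script below is an added example, not code from the post or from the driver vendor: it parses the pasted `!analyze -v` text and extracts the driver all three ways so they can be cross-checked, decodes the pool tag from Arg4, and reports which kernel API the driver was calling when Verifier intercepted it. The sample input embeds the post's own lines (middle stack frames and metadata keys omitted); the meaning of Arg1 = 0x2000 is copied from the bugcheck description above; the KERNEL_MODULES set (nt, hal) is this example's own assumption about which modules are never the culprit.

```python
"""Triage a WinDbg `!analyze -v` dump for a Driver Verifier bugcheck (added example)."""
import re

# Sample input: the relevant lines of the `!analyze -v` output from the post,
# embedded verbatim (middle stack frames and metadata keys omitted for brevity).
SAMPLE = """\
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 0000000000002000, Code Integrity Issue: The caller specified an executable pool type. (Expected: NonPagedPoolNx)
Arg2: fffff804dee61d93, The address in the driver's code where the error was detected.
Arg3: 0000000000000000, Pool Type.
Arg4: 0000000000726274, Pool Tag (if provided).

STACK_TEXT:
fffffe01`616075a8 fffff800`2c5dee34 : 00000000`000000c4 00000000`00002000 fffff804`dee61d93 00000000`00000000 : nt!KeBugCheckEx
fffffe01`616075b0 fffff800`2c1acda5 : fffff800`2c823c20 00000000`00002000 fffff804`dee61d93 00000000`00000000 : nt!VerifierBugCheckIfAppropriate+0xe0
fffffe01`616075f0 fffff800`2c5d5df4 : 00000000`00726274 fffff800`2c823c20 fffff804`dee61d93 00000000`00000000 : nt!VfReportIssueWithOptions+0x101
fffffe01`61607640 fffff800`2c5e2ff2 : 00000000`00000000 fffffe01`61607940 00000000`00000018 00000000`00000000 : nt!VfCheckPoolType+0x90
fffffe01`61607680 fffff804`dee61d93 : 00000000`00000000 ffffca09`265f8d90 00000000`00000000 00000000`00000000 : nt!VerifierExAllocatePoolWithTag+0x62
fffffe01`616076d0 fffff804`dee61cf4 : 00000000`00000000 fffffe01`61607940 ffffca09`265f8d90 ffffca09`2658c880 : ene+0x1d93
fffffe01`61607700 fffff804`dee614c7 : 00000000`00000000 ffffca09`265f8d90 00000000`00000000 00000000`00000000 : ene+0x1cf4
fffffe01`616077b0 fffff800`2c36bcf4 : ffffca09`1dff5000 00000000`00000000 00000000`00000002 fffffe01`61607808 : ene+0x6020
fffffe01`616077e0 fffff800`2c336c2d : 00000000`00000014 00000000`00000000 00000000`00000000 00000000`00001000 : nt!PnpCallDriverEntry+0x4c

MODULE_NAME:
ene

IMAGE_NAME: ene.sys
"""

# Assumption of this example: frames in these Windows modules are never the culprit.
KERNEL_MODULES = {"nt", "hal"}

# Meaning of Arg1 for bugcheck 0xC4, limited to the value explained in the post.
ARG1_MEANING = {
    0x2000: "executable pool type requested (expected NonPagedPoolNx)",
}

# child-SP  return-address : four args : symbol
STACK_LINE = re.compile(r"^([0-9a-f`]+) ([0-9a-f`]+) : (?:[0-9a-f`]+ ){4}: (\S+)\s*$")


def hexval(s):
    """Convert a WinDbg address such as fffff804`dee61d93 to an int."""
    return int(s.replace("`", ""), 16)


def parse_args(text):
    """Return {1: Arg1, 2: Arg2, ...} as integers."""
    return {int(n): int(v, 16) for n, v in re.findall(r"^Arg(\d): ([0-9a-f]+),", text, re.M)}


def parse_stack(text):
    """Return [(child_sp, return_address, symbol), ...] from STACK_TEXT, top frame first."""
    frames = []
    for line in text.splitlines():
        m = STACK_LINE.match(line)
        if m:
            frames.append((hexval(m.group(1)), hexval(m.group(2)), m.group(3)))
    return frames


def module_of(symbol):
    """'ene+0x1d93' -> 'ene'; 'nt!VfCheckPoolType+0x90' -> 'nt'."""
    return symbol.split("!")[0].split("+")[0]


def first_non_kernel_frame(frames):
    """Walk down from the bugcheck; the first frame outside nt/hal is the driver."""
    for _, _, symbol in frames:
        if module_of(symbol) not in KERNEL_MODULES:
            return symbol
    return None


def frame_at_address(frames, address):
    """A line's return-address column is the resume point inside the *next* frame,
    so the frame containing `address` is the one after the line whose column matches."""
    for i, (_, ret, _) in enumerate(frames):
        if ret == address and i + 1 < len(frames):
            return frames[i + 1][2]
    return None


def decode_pool_tag(value):
    """Pool tags are stored as 4 little-endian ASCII bytes: 0x726274 -> 'tbr'."""
    return value.to_bytes(4, "little").decode("ascii", errors="replace").rstrip("\0")


def triage(text):
    """Cross-check the driver named by !analyze against the stack and Arg2."""
    args = parse_args(text)
    frames = parse_stack(text)
    head = re.search(r"^(\w+) \(([0-9a-f]+)\)", text, re.M)
    # \s* also tolerates the value wrapped onto the next line, as in the post.
    module = re.search(r"^MODULE_NAME:\s*(\S+)", text, re.M)
    image = re.search(r"^IMAGE_NAME:\s*(\S+)", text, re.M)
    driver_frame = frame_at_address(frames, args[2])
    symbols = [f[2] for f in frames]
    # The frame just above the driver's is the kernel API it was calling.
    intercepted = symbols[symbols.index(driver_frame) - 1] if driver_frame else None
    return {
        "bugcheck": head.group(1),
        "code": int(head.group(2), 16),
        "arg1_meaning": ARG1_MEANING.get(args[1], "unknown"),
        "module": module.group(1),
        "image": image.group(1),
        "first_non_kernel_frame": first_non_kernel_frame(frames),
        "frame_at_arg2": driver_frame,
        "intercepted_call": intercepted,
        "pool_tag": decode_pool_tag(args[4]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:24} {value}")
```

Run it as-is on the embedded sample, or replace SAMPLE with the full text of another `!analyze -v` session. When the three answers disagree (for example, MODULE_NAME says nt but the first non-kernel frame is a third-party module), the stack and Arg2 are the more reliable signal, since !analyze's bucketing can land on the kernel routine that detected the violation rather than on the driver that caused it.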

