Bhim Charan Murmu
Guest
I want help here to analyze this Memory.dmp file created.
Microsoft (R) Windows Debugger Version 10.0.21306.1007 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff802`16400000 PsLoadedModuleList = 0xfffff802`1702a490
Debug session time: Thu Mar 25 20:56:13.587 2021 (UTC + 5:30)
System Uptime: 5 days 23:19:52.727
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.........
Loading User Symbols
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff802`167f5c50 48894c2408 mov qword ptr [rsp+8],rcx ss:fffff682`796ed740=000000000000013a
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_HEAP_CORRUPTION (13a)
The kernel mode heap manager has detected corruption in a heap.
Arguments:
Arg1: 0000000000000012, Type of corruption detected
Arg2: ffff9f03eee02100, Address of the heap that reported the corruption
Arg3: ffff9f03f276b000, Address at which the corruption was detected
Arg4: 0000000000000000
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 18921
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 22862
Key : Analysis.Init.CPU.mSec
Value: 2233
Key : Analysis.Init.Elapsed.mSec
Value: 11144
Key : Analysis.Memory.CommitPeak.Mb
Value: 73
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 13a
BUGCHECK_P1: 12
BUGCHECK_P2: ffff9f03eee02100
BUGCHECK_P3: ffff9f03f276b000
BUGCHECK_P4: 0
CORRUPTING_POOL_ADDRESS: ffff9f03f276b000 Nonpaged pool
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: System
STACK_TEXT:
fffff682`796ed738 fffff802`1698da88 : 00000000`0000013a 00000000`00000012 ffff9f03`eee02100 ffff9f03`f276b000 : nt!KeBugCheckEx
fffff682`796ed740 fffff802`1698dae8 : 00000000`00000012 fffff682`796ed850 ffff9f03`eee02100 00000000`00000a44 : nt!RtlpHeapHandleError+0x40
fffff682`796ed780 fffff802`1698d715 : ffff9f03`f277f4c0 ffff9f03`eee02280 ffff9f03`eee02100 fffff802`1664caf2 : nt!RtlpHpHeapHandleError+0x58
fffff682`796ed7b0 fffff802`1682d5df : 00000000`00000000 ffffd38e`14000100 fffff802`17050d40 fffff802`1664cc64 : nt!RtlpLogHeapFailure+0x45
fffff682`796ed7e0 fffff802`1664cc64 : 00000000`00000103 00000000`00000000 00000000`00000000 00000000`00000000 : nt!RtlpHpVsContextFree+0x1df48f
fffff682`796ed880 fffff802`16db1019 : 00000000`00000000 00000000`00000000 00000000`00000000 01000000`00100000 : nt!ExFreeHeapPool+0x4d4
fffff682`796ed960 fffff802`166b95ef : ffff9f03`f277f720 ffff9f03`f277f4e0 ffff9f03`f277f520 00000000`00000000 : nt!ExFreePool+0x9
fffff682`796ed990 fffff802`166b6fb0 : 00000000`00000000 ffffd38e`2b58a1d0 ffff9f03`f277f4e0 01000000`00100000 : nt!MiDeleteControlArea+0x77
fffff682`796ed9e0 fffff802`16a3e368 : 00000000`000000a6 00000000`000800a1 fffff802`17050d40 ffffd38e`2b58a1d0 : nt!MiDereferenceControlAreaProbe+0x24
fffff682`796eda10 fffff802`167843bd : 00000000`00000001 00000000`00000000 fffff682`796edae0 ffff9f03`f277f4e8 : nt!MiSegmentDelete+0xf4
fffff682`796eda60 fffff802`167b9249 : 00000000`00000000 fffff802`00000001 00000000`00000000 00000000`00000000 : nt!MiProcessDereferenceList+0xc1
fffff682`796edb20 fffff802`16717e85 : ffff9f03`f215b040 ffff9f03`f215b040 00000000`00000080 fffff802`167b9120 : nt!MiDereferenceSegmentThread+0x129
fffff682`796edd50 fffff802`167fd2a8 : fffff802`12859180 ffff9f03`f215b040 fffff802`16717e30 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffff682`796edda0 00000000`00000000 : fffff682`796ee000 fffff682`796e8000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
SYMBOL_NAME: nt!ExFreePool+9
IMAGE_NAME: Pool_Corruption
MODULE_NAME: Pool_Corruption
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 9
FAILURE_BUCKET_ID: 0x13a_12_nt!ExFreePool
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {0e8bc89c-9b1f-e697-ed6c-83210db041e2}
Followup: Pool_corruption
---------