Driver causing system crash on Windows Server 2008

  • Question

  • Hi,

    I am working on an upper volume filter driver that monitors sector reads/writes.
    My problem is that the driver is working fine when tested on Windows 7, but when
    tested on Windows Server 2008 Standard Edition the system crashes. I am also not
    able to debug my driver through windbg at startup; as soon as the OS loads a
    little bit, the system crashes.

    Below is the output of "!analyze -v" of windbg,

    *** Fatal System Error: 0x00000050
                           (0x83A00000,0x00000001,0x81691085,0x00000000)
    
    Break instruction exception - code 80000003 (first chance)
    
    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.
    
    A fatal system error has occurred.
    
    Connected to Windows Server 2008 x86 compatible target at (Tue Apr 23 13:09:19.842 2013 (UTC + 5:30)), ptr64 FALSE
    Loading Kernel Symbols
    ..........................................
    Loading User Symbols
    
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 50, {83a00000, 1, 81691085, 0}
    
    Probably caused by : ntkrpamp.exe ( nt!KiTrap0E+dc )
    
    Followup: MachineOwner
    ---------
    
    nt!RtlpBreakWithStatusInstruction:
    816f6514 cc              int     3
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: 83a00000, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: 81691085, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 00000000, (reserved)
    
    Debugging Details:
    ------------------
    
    
    WRITE_ADDRESS:  83a00000 
    
    FAULTING_IP: 
    nt!memset+45
    81691085 f3ab            rep stos dword ptr es:[edi]
    
    MM_INTERNAL_CODE:  0
    
    DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO
    
    BUGCHECK_STR:  0x50
    
    CURRENT_IRQL:  2
    
    TRAP_FRAME:  81733a10 -- (.trap 0xffffffff81733a10)
    ErrCode = 0000000b
    eax=00000000 ebx=00000963 ecx=00000400 edx=00000000 esi=83a00000 edi=83a00000
    eip=81691085 esp=81733a84 ebp=81733ab8 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0010             efl=00210206
    nt!memset+0x45:
    81691085 f3ab            rep stos dword ptr es:[edi]
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from 8170b2d7 to 816f6514
    
    STACK_TEXT:  
    81733564 8170b2d7 00000003 3a33d3fa 00000000 nt!RtlpBreakWithStatusInstruction
    817335b4 8170bdbd 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
    81733980 816e3155 00000050 83a00000 00000001 nt!KeBugCheck2+0x66d
    817339f8 81698bb4 00000001 83a00000 00000000 nt!MmAccessFault+0x10a
    817339f8 81691085 00000001 83a00000 00000000 nt!KiTrap0E+0xdc
    81733a84 81986164 83a00000 00000000 00001000 nt!memset+0x45
    81733ab8 81985d95 83a00000 00000000 00001000 nt!MxMapVa+0x1f9
    81733ae4 81992069 c041d000 00000000 00000001 nt!MiCreateSparsePfnDatabase+0xc5
    81733b04 81991236 8081156c 00000000 8081156c nt!MiCreatePfnDatabase+0x1c1
    81733b4c 8199b19f 8081156c 0000bb40 81733cf0 nt!MmInitNucleus+0x1b7
    81733b5c 8198a867 00000000 00000000 8173a640 nt!MmInitSystem+0x12
    81733cf0 81907e73 8081156c 3a33db72 827fec00 nt!InitBootProcessor+0x27f
    81733d3c 8172a7c9 8173a900 8173a640 81734000 nt!KiInitializeKernel+0x65b
    00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x319
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt!KiTrap0E+dc
    81698bb4 85c0            test    eax,eax
    
    SYMBOL_STACK_INDEX:  4
    
    SYMBOL_NAME:  nt!KiTrap0E+dc
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrpamp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  47918b12
    
    FAILURE_BUCKET_ID:  0x50_nt!KiTrap0E+dc
    
    BUCKET_ID:  0x50_nt!KiTrap0E+dc
    
    Followup: MachineOwner
    ---------
    Any kind of suggestion will be appreciated.
    Thanks in advance.

    Wednesday, April 24, 2013 12:40 PM

All replies

  • I added a breakpoint (DbgBreakPoint) in DriverEntry, but
    even then the system crashed without entering the DriverEntry function; I got
    the same output as above when I ran "!analyze -v" in windbg.
    In fact, when I tested the diskperf driver without making any changes to it,
    I got the same problem as above and the system crashed. I tried 2-3 other
    drivers but it keeps crashing.
    
    What I am doing exactly is this: I am building the driver on Windows 7 (64 bit) using
    WDK's "Build Environments" (x86 Checked Build Environment for Windows Vista and
    Windows Server 2008), then I am copying the driver to Windows Server 2008, which
    is running in VirtualBox, and installing the driver through the "*.inf" file. The OS reboots
    and then crashes after the OS loads a little bit.
    
    Can anyone please suggest what to do now? I tried many times but got the
    same result.
    Wednesday, April 24, 2013 12:42 PM
  • Is the driver configured as a boot driver or system driver? (the stack trace is for very early boot)

    Are you sure the driver is actually loaded already? Do you see it in !drivers?

    Tsang Chan

    Wednesday, April 24, 2013 1:08 PM
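Added example, not part of the thread: a Python triage of the `!analyze -v` text that checks the two points raised in the reply above, namely whether any stack frame belongs to the driver and whether the stack is rooted in kernel start-up. The function name `triage`, the result keys and the `boot_init_stack` heuristic are assumptions of this example; the sample input is excerpted from the question's dump, and `sampledriver` is the module name used later in the thread.

```python
import re

# Sample input: excerpt of the question's !analyze -v output (some frames omitted).
SAMPLE = """\
BugCheck 50, {83a00000, 1, 81691085, 0}
STACK_TEXT:
81733980 816e3155 00000050 83a00000 00000001 nt!KeBugCheck2+0x66d
817339f8 81698bb4 00000001 83a00000 00000000 nt!MmAccessFault+0x10a
817339f8 81691085 00000001 83a00000 00000000 nt!KiTrap0E+0xdc
81733a84 81986164 83a00000 00000000 00001000 nt!memset+0x45
81733ab8 81985d95 83a00000 00000000 00001000 nt!MxMapVa+0x1f9
81733b5c 8198a867 00000000 00000000 8173a640 nt!MmInitSystem+0x12
81733cf0 81907e73 8081156c 3a33db72 827fec00 nt!InitBootProcessor+0x27f
81733d3c 8172a7c9 8173a900 8173a640 81734000 nt!KiInitializeKernel+0x65b
00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x319
"""

BUGCHECK = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
# x86 kb frame: ChildEBP RetAddr Arg1 Arg2 Arg3 module!symbol+offset
FRAME = re.compile(r"^[ \t]*(?:[0-9a-f]{8} ){5}(\w+)!(\w+)", re.M)

def triage(text, driver="sampledriver"):
    """Summarise a bugcheck dump; `driver` is the module name to look for."""
    match = BUGCHECK.search(text)
    if match is None:
        raise ValueError("no BugCheck line found")
    code = int(match.group(1), 16)
    args = [int(a, 16) for a in match.group(2).split(",")]
    frames = FRAME.findall(text)  # (module, symbol) pairs, top of stack first
    modules = sorted({mod for mod, _ in frames})
    # The frame below the page-fault trap handler is the code that faulted.
    trap = next((i for i, f in enumerate(frames) if f == ("nt", "KiTrap0E")), None)
    faulting = None
    if trap is not None and trap + 1 < len(frames):
        faulting = "!".join(frames[trap + 1])
    return {
        "bugcheck": code,
        "fault_address": args[0],
        "access": "write" if args[1] == 1 else "read",  # Arg2: 0 = read, 1 = write
        "faulting_frame": faulting,
        "modules": modules,
        "driver_on_stack": driver.lower() in (name.lower() for name in modules),
        # Assumption: a stack rooted at nt!KiSystemStartup is kernel start-up code.
        "boot_init_stack": bool(frames) and frames[-1] == ("nt", "KiSystemStartup"),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the dump from the question this reports only `nt` frames, a faulting frame of `nt!memset` and a stack rooted at `nt!KiSystemStartup`, so no frame from the filter driver is involved in the fault.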
  • Hi,

    It is an upper volume filter driver using diskperf as base.

    Yes the above error is traced on early boot.

    Wednesday, April 24, 2013 1:52 PM
  • First put on boot debugging and halbreakpoint in the debugger, see http://msdn.microsoft.com/en-us/library/windows/hardware/ff542205(v=vs.85).aspx. This will cause you to stop early in the process. Make sure you have verbose mode on starting at the breakpoint, and you should get some idea of what is happening.

    This is failing pretty early in the boot process.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, April 24, 2013 3:08 PM
  • Hi,

    Thanks @Don Burn for your reply. I enabled boot debugging and halbreakpoint in the debugger using the following commands:

    bcdedit /debug ON
    bcdedit /dbgsettings serial debugport:1 baudrate:115200
    bcdedit /bootdebug on
    bcdedit /set halbreakpoint on

    Below is the output that I got in windbg after restarting my machine; it also includes the output of "!analyze -v":

    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    Opened \\.\pipe\com1
    Waiting to reconnect...
    BD: Boot Debugger Initialized
    Connected to Windows Boot Debugger 6001 x86 compatible target at (Thu Apr 25 19:01:21.365 2013 (UTC + 5:30)), ptr64 FALSE
    Kernel Debugger connection established.
    Symbol search path is: SRV*C:\WinDDK\debugsymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows Boot Debugger Kernel Version 6001 UP Free x86 compatible
    Machine Name:
    Primary image base = 0x00584000 Loaded module list = 0x00684e58
    System Uptime: not available
    Shutdown occurred at (Thu Apr 25 19:01:27.635 2013 (UTC + 5:30))...unloading all symbol tables.
    Waiting to reconnect...
    Connected to Windows Server 2008/Windows Vista 6001 x86 compatible target at (Thu Apr 25 19:01:28.185 2013 (UTC + 5:30)), ptr64 FALSE
    Kernel Debugger connection established.
    Symbol search path is: SRV*C:\WinDDK\debugsymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows Server 2008/Windows Vista Kernel Version 6001 MP (1 procs) Free x86 compatible
    Built by: 6001.18000.x86fre.longhorn_rtm.080118-1840
    Machine Name:
    Kernel base = 0x81637000 PsLoadedModuleList = 0x8174ec70
    System Uptime: not available
    Break instruction exception - code 80000003 (first chance)
    nt!DbgBreakPoint:
    81688954 cc              int     3
    kd> bu sampledriver!DriverEntry
    kd> ed nt!Kd_DEFAULT_Mask 0x8
    kd> g
    *** MUI CM: LCIDselected=409
    
    *** Fatal System Error: 0x00000050
                           (0x83A00000,0x00000001,0x8168A085,0x00000000)
    
    Break instruction exception - code 80000003 (first chance)
    
    A fatal system error has occurred.
    Debugger entered on first try; Bugcheck callbacks have not been invoked.
    
    A fatal system error has occurred.
    
    Connected to Windows Server 2008/Windows Vista 6001 x86 compatible target at (Thu Apr 25 19:02:08.837 2013 (UTC + 5:30)), ptr64 FALSE
    Loading Kernel Symbols
    ..........................................
    Loading User Symbols
    
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 50, {83a00000, 1, 8168a085, 0}
    
    Probably caused by : ntkrpamp.exe ( nt!KiTrap0E+dc )
    
    Followup: MachineOwner
    ---------
    
    nt!RtlpBreakWithStatusInstruction:
    816ef514 cc              int     3
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: 83a00000, memory referenced.
    Arg2: 00000001, value 0 = read operation, 1 = write operation.
    Arg3: 8168a085, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 00000000, (reserved)
    
    Debugging Details:
    ------------------
    
    
    WRITE_ADDRESS:  83a00000 
    
    FAULTING_IP: 
    nt!memset+45
    8168a085 f3ab            rep stos dword ptr es:[edi]
    
    MM_INTERNAL_CODE:  0
    
    DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO
    
    BUGCHECK_STR:  0x50
    
    CURRENT_IRQL:  2
    
    TRAP_FRAME:  8172ca10 -- (.trap 0xffffffff8172ca10)
    ErrCode = 0000000b
    eax=00000000 ebx=00000963 ecx=00000400 edx=00000000 esi=83a00000 edi=83a00000
    eip=8168a085 esp=8172ca84 ebp=8172cab8 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0010             efl=00210206
    nt!memset+0x45:
    8168a085 f3ab            rep stos dword ptr es:[edi]
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from 817042d7 to 816ef514
    
    STACK_TEXT:  
    8172c564 817042d7 00000003 3a3223fa 00000000 nt!RtlpBreakWithStatusInstruction
    8172c5b4 81704dbd 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
    8172c980 816dc155 00000050 83a00000 00000001 nt!KeBugCheck2+0x66d
    8172c9f8 81691bb4 00000001 83a00000 00000000 nt!MmAccessFault+0x10a
    8172c9f8 8168a085 00000001 83a00000 00000000 nt!KiTrap0E+0xdc
    8172ca84 8197f164 83a00000 00000000 00001000 nt!memset+0x45
    8172cab8 8197ed95 83a00000 00000000 00001000 nt!MxMapVa+0x1f9
    8172cae4 8198b069 c041d000 00000000 00000001 nt!MiCreateSparsePfnDatabase+0xc5
    8172cb04 8198a236 80806c28 00000000 80806c28 nt!MiCreatePfnDatabase+0x1c1
    8172cb4c 8199419f 80806c28 0000bb40 8172ccf0 nt!MmInitNucleus+0x1b7
    8172cb5c 81983867 00000000 00000000 81733640 nt!MmInitSystem+0x12
    8172ccf0 81900e73 80806c28 3a322b72 823ffc00 nt!InitBootProcessor+0x27f
    8172cd3c 817237c9 81733900 81733640 8172d000 nt!KiInitializeKernel+0x65b
    00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x319
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt!KiTrap0E+dc
    81691bb4 85c0            test    eax,eax
    
    SYMBOL_STACK_INDEX:  4
    
    SYMBOL_NAME:  nt!KiTrap0E+dc
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrpamp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  47918b12
    
    FAILURE_BUCKET_ID:  0x50_nt!KiTrap0E+dc
    
    BUCKET_ID:  0x50_nt!KiTrap0E+dc
    
    Followup: MachineOwner
    ---------

    Thursday, April 25, 2013 1:55 PM
  • Did you hit a breakpoint before the crash?  Is your driver running?   Basically at this point you probably are going to have to step through the disassembled code with Windbg till you can see what is failing.  If your driver is loaded and started, you need to look at every pointer dereference in your code for possible memory corruption.

    This is going to be slow and painful, but it is the only way.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Thursday, April 25, 2013 2:02 PM
  • Hi,

    I have tested my driver on another OS, i.e. on Windows 7, and it's working fine over there, but it's not working on Windows Server 2008. I also tried to test the "diskperf" driver on Windows Server 2008 but it too failed with the same error. I have added the breakpoint (DbgBreakPoint) in the code in the DriverEntry() function and have also added a breakpoint in windbg (bu sampledriver!DriverEntry), but neither breakpoint is triggered. After rebooting, the OS crashes very early during the boot process.

    Thursday, April 25, 2013 2:07 PM
  • Do you reach the HAL breakpoint?  If so step from there, and try to drill down a little to what is happening.  This is a pain to do, but if you can say what is going on in some detail, the folks at Microsoft are very good at trying to help.  The problem is with what you have they are going to need to do the work, and like most employed folks they are quite busy.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Thursday, April 25, 2013 2:19 PM
  • Hi

    Please update your ntkrnl.exe if it is not up to date. You can find the updates at the link below:

    http://support.microsoft.com/kb/2516405

    Also check your antivirus. It is recommended to run an offline chkdsk.

    Saturday, December 28, 2013 10:27 AM