none
Page xxx too large to be in the dump file RRS feed

  • Question

  • I am encountering the below when trying to read the address:

    "Page xxx too large to be in the dump file."

    What is the error actually mean, is the problem with the memory dump. Full memory dump not captured?

    Thanks

    Wednesday, October 23, 2019 1:22 AM

All replies

  • I suspect it may be a Windows bug. Post the output of !analyze -v, and !pte <address>

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, October 23, 2019 7:15 PM
    Moderator
  • I am getting the same error so I'm posting my output.

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    MANUALLY_INITIATED_CRASH (e2)
    The user manually initiated this crash dump.
    Arguments:
    Arg1: 0000000000000000
    Arg2: 0000000000000000
    Arg3: 0000000000000000
    Arg4: 0000000000000000
    Debugging Details:
    ------------------
    Page 20044fad8 too large to be in the dump file.
    KEY_VALUES_STRING: 1

    PROCESSES_ANALYSIS: 1
    SERVICE_ANALYSIS: 1
    STACKHASH_ANALYSIS: 1
    TIMELINE_ANALYSIS: 1

    DUMP_CLASS: 1
    DUMP_QUALIFIER: 402
    BUILD_VERSION_STRING:  17134.1.amd64fre.rs4_release.180410-1804
    SYSTEM_MANUFACTURER:  HP
    SYSTEM_PRODUCT_NAME:  HP EliteBook 840 G5
    SYSTEM_SKU:  5SG12UP#ABA
    BIOS_VENDOR:  HP
    BIOS_VERSION:  Q78 Ver. 01.08.01
    BIOS_DATE:  07/18/2019
    BASEBOARD_MANUFACTURER:  HP
    BASEBOARD_PRODUCT:  83B2
    BASEBOARD_VERSION:  KBC Version 04.5D.00
    TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b

    DUMP_TYPE:  0
    BUGCHECK_P1: 0
    BUGCHECK_P2: 0
    BUGCHECK_P3: 0
    BUGCHECK_P4: 0
    BUGCHECK_STR:  MANUALLY_INITIATED_CRASH
    CPU_COUNT: 8
    CPU_MHZ: 768
    CPU_VENDOR:  GenuineIntel
    CPU_FAMILY: 6
    CPU_MODEL: 8e
    CPU_STEPPING: a
    CPU_MICROCODE: 6,8e,a,0 (F,M,S,R)  SIG: B4'00000000 (cache) B4'00000000 (init)
    BLACKBOXBSD: 1 (!blackboxbsd)

    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    PROCESS_NAME:  WmiPrvSE.exe
    CURRENT_IRQL:  2
    ANALYSIS_SESSION_HOST:  MSFT-MSSFC
    ANALYSIS_SESSION_TIME:  11-05-2019 19:40:56.0427
    ANALYSIS_VERSION: 10.0.18362.1 amd64fre
    DPC_STACK_BASE:  FFFFAC0201437FB0
    EXCEPTION_RECORD:  0032523c41f3c1ff -- (.exr 0x32523c41f3c1ff)
    Cannot read Exception record @ 0032523c41f3c1ff
    LAST_CONTROL_TRANSFER:  from fffff80ed6413ab6 to fffff803c57c3ac0
    STACK_TEXT: 
    ffffac02`014370f8 fffff80e`d6413ab6 : 00000000`000000e2 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
    ffffac02`01437100 fffff80e`d64134af : 00000000`00000000 ffff9581`875df090 ffffac02`014372a0 fffff803`c56a2839 : kbdhid!KbdHidProcessCrashDump+0x1ea
    ffffac02`01437140 fffff80e`d58d4db9 : ffff9581`875fdc80 ffff9581`8760518c ffff9581`00000000 fffff80e`d58d8110 : kbdhid!KbdHid_InsertCodesIntoQueue+0xaf
    ffffac02`014371a0 fffff80e`d58d4f29 : ffff9581`000000c6 ffff9581`875df090 ffff9581`875f0001 ffff9581`867da9c8 : HIDPARSE!HidP_KbdPutKey+0x45
    ffffac02`014371d0 fffff80e`d58d509e : ffff9581`8760518c 00000000`0000000e ffff9581`875fd510 fffff803`c56a2839 : HIDPARSE!HidP_ModifierCode+0xa9
    ffffac02`01437200 fffff80e`d58d518d : ffff9581`87605258 ffffac02`01437409 ffff9581`875fd510 fffff80e`d58d3eba : HIDPARSE!HidP_TranslateUsage+0x86
    ffffac02`01437250 fffff80e`d641322a : 00000000`00000000 ffffac02`01437409 ffff9581`875fdc80 ffff9581`875fdc80 : HIDPARSE!HidP_TranslateUsageAndPagesToI8042ScanCodes+0xad
    ffffac02`014372c0 fffff803`c569f01f : 00000000`00000000 fffff803`c5f75802 ffff9581`00000000 00000000`17bca901 : kbdhid!KbdHid_ReadComplete+0x3ca
    ffffac02`01437350 fffff803`c569eee7 : 00000000`00000001 ffff9581`867da106 ffff9581`875dfd90 00000000`00000000 : nt!IopfCompleteRequest+0x11f
    ffffac02`01437470 fffff80e`d5b596d0 : ffff9581`875dfd80 ffff9581`8a285c02 ffffac02`01437511 00000000`00000009 : nt!IofCompleteRequest+0x17
    ffffac02`014374a0 fffff80e`d5b59a04 : ffff9581`867da1d0 ffff9581`867da102 ffff9581`8658b460 ffff9581`00000009 : HIDCLASS!HidpDistributeInterruptReport+0x1f4
    ffffac02`01437570 fffff803`c569f01f : ffff9581`875df610 ffff9581`875df610 ffffac02`01437601 ffff9581`875dfa8b : HIDCLASS!HidpInterruptReadComplete+0x304
    ffffac02`01437610 fffff803`c569eee7 : ffff9581`85575010 00000000`00000200 fffff80e`d029de40 00000000`0000000a : nt!IopfCompleteRequest+0x11f
    ffffac02`01437730 fffff80e`d01f9627 : ffff9581`866222d0 ffff9581`875df610 00000000`00000002 ffff9581`867fe4e0 : nt!IofCompleteRequest+0x17
    ffffac02`01437760 fffff80e`d01f72fb : ffffac02`00000001 fffff80e`00000000 00000000`ffffff02 ffff9581`00000001 : Wdf01000!FxRequest::CompleteInternal+0x247 [minkernel\wdf\framework\shared\core\fxrequest.cpp @ 869]
    ffffac02`01437820 fffff80e`d442f336 : 00000000`ffffff02 ffff9581`866222d0 ffff9581`867fe8c0 ffff9581`867fe8c0 : Wdf01000!imp_WdfRequestComplete+0x8b [minkernel\wdf\framework\shared\core\fxrequestapi.cpp @ 436]
    ffffac02`01437880 fffff80e`d442d469 : ffff9581`86622470 00000000`00000001 ffff9581`86622500 ffffac02`01437b68 : USBXHCI!Bulk_Transfer_CompleteCancelable+0x182
    ffffac02`014378e0 fffff80e`d442bde0 : fffff7a3`c0013a40 ffff9581`8a09a001 ffffb001`c5300100 00000000`00000000 : USBXHCI!Bulk_ProcessTransferEventWithED1+0x40d
    ffffac02`014379a0 fffff80e`d44212c3 : 00000001`ffffffff fffffff6`00000002 00000000`00000005 00000000`00000004 : USBXHCI!Bulk_EP_TransferEventHandler+0x10
    ffffac02`014379d0 fffff80e`d4414608 : 00000000`00000203 00000000`00000004 ffff9581`85a09ff0 ffffac02`01437ad1 : USBXHCI!TR_TransferEventHandler+0x17
    ffffac02`01437a00 fffff80e`d44337ae : ffffac02`01437b68 ffffac02`01437b38 00000000`00000000 ffffac02`01437b40 : USBXHCI!Endpoint_TransferEventHandler+0x148
    ffffac02`01437a90 fffff80e`d441744d : ffff9581`85a09f20 ffffac02`01437b89 ffff9581`85a09ff0 ffff9581`849a3418 : USBXHCI!UsbDevice_TransferEventHandler+0x92
    ffffac02`01437af0 fffff80e`d4417e6c : 00000000`00000001 00000000`0000ffff ffffb001`c5245180 ffff9581`85a09d20 : USBXHCI!Interrupter_DeferredWorkProcessor+0x4c5
    ffffac02`01437bf0 fffff80e`d01f1fad : ffffac02`03e57080 ffffb001`c524af90 00000000`00000000 ffffac02`01437e70 : USBXHCI!Interrupter_WdfEvtInterruptDpc+0xc
    ffffac02`01437c20 fffff803`c56acd97 : ffffb001`c5247f80 00000000`00000000 00000000`00000001 ffffac02`01437d60 : Wdf01000!FxInterrupt::_InterruptDpcThunk+0x9d [minkernel\wdf\framework\shared\irphandlers\pnp\km\interruptobjectkm.cpp @ 410]
    ffffac02`01437c60 fffff803`c56ac3eb : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExecuteAllDpcs+0x2e7
    ffffac02`01437da0 fffff803`c57caa55 : 00000000`00000000 ffffb001`c5245180 ffffac02`042ffb00 ffffb001`c5f09a00 : nt!KiRetireDpcList+0x1db
    ffffac02`01437fb0 fffff803`c57ca850 : ffffb001`c5f09a00 fffff803`c5f704e6 00000000`00000000 00000000`00000000 : nt!KxRetireDpcList+0x5
    ffffac02`042ffa40 fffff803`c57ca185 : 00000000`85585e40 fffff803`c57c5441 00000000`b7b82eaf ffffb001`c5f09a00 : nt!KiDispatchInterruptContinue
    ffffac02`042ffa70 fffff803`c57c5441 : 00000000`b7b82eaf ffffb001`c5f09a00 ffff9581`8a15b040 ffffac02`042ffb00 : nt!KiDpcInterruptBypass+0x25
    ffffac02`042ffa80 00000000`67f8cf4e : 0032523c`41f3c1ff 52160510`0f41f3c0 0fc18b41`41c00348 000000ec`8b41c004 : nt!KiInterruptDispatch+0xb1
    000000ec`14475dd0 0032523c`41f3c1ff : 52160510`0f41f3c0 0fc18b41`41c00348 000000ec`8b41c004 00000000`00000040 : SYSFER+0x3cf4e
    000000ec`14475dd8 52160510`0f41f3c0 : 0fc18b41`41c00348 000000ec`8b41c004 00000000`00000040 00000000`00000000 : 0x0032523c`41f3c1ff
    000000ec`14475de0 0fc18b41`41c00348 : 000000ec`8b41c004 00000000`00000040 00000000`00000000 00000000`67fd1398 : 0x52160510`0f41f3c0
    000000ec`14475de8 000000ec`8b41c004 : 00000000`00000040 00000000`00000000 00000000`67fd1398 00000000`00000001 : 0x0fc18b41`41c00348
    000000ec`14475df0 00000000`00000040 : 00000000`00000000 00000000`67fd1398 00000000`00000001 000000ec`144772b0 : 0x000000ec`8b41c004
    000000ec`14475df8 00000000`00000000 : 00000000`67fd1398 00000000`00000001 000000ec`144772b0 00000000`00000480 : 0x40

    THREAD_SHA1_HASH_MOD_FUNC:  6562046f03204794b13285b38e2a33552b057e80
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  09d23c0bb28a91ae10df70f990605ce40a51b15c
    THREAD_SHA1_HASH_MOD:  d8723b4d531a988b55c228324850132fcc454236
    FOLLOWUP_IP:
    kbdhid!KbdHidProcessCrashDump+1ea
    fffff80e`d6413ab6 cc              int     3
    FAULT_INSTR_CODE:  c08545cc
    SYMBOL_STACK_INDEX:  1
    SYMBOL_NAME:  kbdhid!KbdHidProcessCrashDump+1ea
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: kbdhid
    IMAGE_NAME:  kbdhid.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  0
    IMAGE_VERSION:  10.0.17134.1
    STACK_COMMAND:  .thread ; .cxr ; kb
    BUCKET_ID_FUNC_OFFSET:  1ea
    FAILURE_BUCKET_ID:  MANUALLY_INITIATED_CRASH_kbdhid!KbdHidProcessCrashDump
    BUCKET_ID:  MANUALLY_INITIATED_CRASH_kbdhid!KbdHidProcessCrashDump
    PRIMARY_PROBLEM_CLASS:  MANUALLY_INITIATED_CRASH_kbdhid!KbdHidProcessCrashDump
    TARGET_TIME:  2019-11-05T20:43:34.000Z
    OSBUILD:  17134
    OSSERVICEPACK:  1006
    SERVICEPACK_NUMBER: 0
    OS_REVISION: 0
    SUITE_MASK:  272
    PRODUCT_TYPE:  1
    OSPLATFORM_TYPE:  x64
    OSNAME:  Windows 10
    OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
    OS_LOCALE: 
    USER_LCID:  0
    OSBUILD_TIMESTAMP:  2019-09-04 00:41:56
    BUILDDATESTAMP_STR:  180410-1804
    BUILDLAB_STR:  rs4_release
    BUILDOSVER_STR:  10.0.17134.1.amd64fre.rs4_release.180410-1804
    ANALYSIS_SESSION_ELAPSED_TIME:  7e1
    ANALYSIS_SOURCE:  KM
    FAILURE_ID_HASH_STRING:  km:manually_initiated_crash_kbdhid!kbdhidprocesscrashdump
    FAILURE_ID_HASH:  {a90fbd35-7a19-bced-0f76-fa89d249d332}
    Followup:     MachineOwner
    ---------
    1: kd> .exr 0x32523c41f3c1ff
    Cannot read Exception record @ 0032523c41f3c1ff
    1: kd> !pte 20044fad8
                                               VA 000000020044fad8
    PXE at FFFFAED76BB5D000    PPE at FFFFAED76BA00040    PDE at FFFFAED740008010    PTE at FFFFAE8001002278
    contains 0A0000019BC68867  contains 0000000000000000
    pfn 19bc68    ---DA--UWEV  contains 0000000000000000
    not valid

    Wednesday, November 6, 2019 12:44 AM
  • 20044fad8 looks to be a PFN. Try !pfn 20044fad8

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, November 6, 2019 12:49 AM
    Moderator
  • Here is the results of the !pfn 20044fad8

    !pfn 20044fad8
        PFN 20044FAD8 at address FFFFF9E00CEF0880
        flink       00000000  blink / share count 00000000  pteaddress 00000000
        reference count 0000    used entry count  0000      NonCached color 0   Priority 0
        restore pte 00000000  containing page 000000  Zeroed            
                        

    Wednesday, November 6, 2019 2:17 AM
  • From the contents of the PFN entry and what is on the stack, it appears that system memory is being corrupted by the USB DMA controller. Are you writing a driver that is requesting this transfer, or is some third-party driver requesting it? If so, then the request probably isn't being formatted properly. If you are running with stock drivers, then it could be either malware, a hardware issue, or a system bug (very unlikely, though).

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, November 6, 2019 2:25 AM
    Moderator
  • Not writing a Driver, they have Ivanti (a Symantec Profile Management piece) and one of the parts we're troubleshooting is a Symantec Application Control program. I'll look at the USB Controller drivers and see if they're using Stock (MSFT) or HP Drivers...

    Thank you for the help.

    Wednesday, November 6, 2019 2:29 AM
  • Frequently, third-party drivers don't play by the rules - especially for test and diagnostics - and they will allow user-mode test programs to specify I/O parameters, such as buffer addresses, rather than having the driver and the system calculate that information. It is possible that your control program may be sending incorrect info to the driver and the driver isn't validating it. It wouldn't be the first time that Symantec has done something like this

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, November 6, 2019 2:39 AM
    Moderator