1. #1
    Shintaro's Avatar
    Join Date
    Jun 2012
    Brisbane, Australia

    What does values after USB message calls mean? (OFFSETS)

    I am trying to understand what the values after calls from a crash dump mean.

    Are they Instance ID's or Device ID or USB port address??

    Last edited by Shintaro; 06-18-2012 at 04:00 AM. Reason: Bold relevant data.
    Try to live an ordinary life, in a non-ordinary way.

    • Ad Bot



  2. #2

    Join Date
    Feb 1999
    Sysnative Servers

    re: What does values after USB message calls mean? (OFFSETS)

    Which values are you asking about?

    Is it these? -

    What are you trying to figure out with the stack?
    zigzag3143 and JMH say thanks for this.

  3. #3
    Shintaro's Avatar
    Join Date
    Jun 2012
    Brisbane, Australia

    re: What does values after USB message calls mean? (OFFSETS)

    Yes, sorry for not making them bold.
    Are they the reference to the USB device? For example the ID of the USB device or simply data?
    Or should I be looking at a particular call for the USB ID?

    Or maybe it is out of scope for this forum? And I should ask the question on a USB programming forum?
    Try to live an ordinary life, in a non-ordinary way.

  4. #4

    Join Date
    Mar 2012

    re: What does values after USB message calls mean? (OFFSETS)

    They are offsets from the function start. When you look at a callstack like this, it start from the bottom and goes like "this function called the function above me, which called the function above it, and so on and so forth." For each function listed, you have the three parts: the module name, the function name, and the offset, respectively, as followed:

       /\          /\          /\
      module  function name  offset
    Listed with kv or whatever, this portion of the output is the "Call Site" of the listing, which is basically just the name of the return address (RetAddr), complete with symbols to make it readable for humans to interpret what the function is and its intent. It can be read like an address on an envelope. The module name is the city, the function name is the street, and the offset is the address of the house. If you were to just say to someone asking for directions to your place "I live on such-n-such road" they have to scan down the whole road to find you. Otherwise if you add your address, the process of discovering your house is greatly alleviated.

    It's important to understand what is going on here in a callstack. Read up on my basic description of code flow in BSOD Method & Tips. I'll add it here for quick reference:

    The flow of which all operations are going. The basics of it is you have a thread, and in that thread you have an initial function responsible for a specific task. In order to accomplish it, it will need the assistance of other functions to do so.

    Much like a product being built by a company, you have it go through various hands and sometimes even various places before the finished product is made. Tack on also all the other personnel responsible for various indirect duties to supply the needs of those actually creating the product. If you had the same person/people doing all the tasks, then things slow to a crawl and you're lucky to even have a satisfactory result in the end.

    That's much like what goes on in your typical code flow. It is not enough to have a "one function to rule them all", that's just daft. Rather, you start with the initial function, like say, for drawing a popup window. There's a multitude of facets to this job, so the initial thread will call one function to do something, like DirectX telling it to draw the window, which DirectX will figure "ok, but with what?" and then pass that request to another, and then that to another, and then so on and so forth. How things fragment and flow through all this process of events is the essence of code flow.
    Once you understand that, it's easier to get an idea what's going on in a callstack. Let's use your example. Starting with nt!KxStartSystemThread at the bottom, this function sets up the thread to start doing work. Then when necessary, it calls into the function above it (nt!PspSystemThreadStartup) to continue it. This continues till what appears to be the real work starting (usbhub!UsbhHubWorker), as the rest is just initial setup. It's then performing various and sundry USB-related tasks for some USB I/O.

    It's important to understand that each function is not really calling the function above it from the offset specified in the call site nor from the address specified in the return address (which are both the same thing). Rather, it calls it from the beginning of the function. So, usbhub!UsbhHubWorker is not calling into usbhub!UsbhHubSSH_Worker at offset 0x2d, but is calling it straight into the beginning of the function. The offsets and return addresses are rather just displaying where things continues once and if the function returns. That means the function has done its job, and the flow code operation is now returning to the function below it in the callstack.

    I'm sure it's difficult to be able to interpret this process without any visuals, which I really can't provide any. The closest I can provide is to show some disassembly. Let's start with a simple idle loop from a kernel dump I have stored away:

    Child-SP          RetAddr           Call Site
    fffffa60`01d8ece0 fffff800`01ca8b83 intelppm+0x29ed
    fffffa60`01d8ed10 fffff800`01ca88a1 nt!PoIdle+0x183
    fffffa60`01d8ed80 fffff800`01e75860 nt!KiIdleLoop+0x21
    fffffa60`01d8edb0 00000000`fffffa60 nt!zzz_AsmCodeRange_End+0x4
    fffffa60`01d6ad00 00000000`00000000 0xfffffa60
    Ignoring the first two frames (it's a little too complicated right now to explain), let's start at nt!KiIdleLoop+0x21. I'll whip out the disassembly window and copy and paste the entire name from module to offset, getting as followed:

    fffff800`01ca8880 4883ec28        sub     rsp,28h
    fffff800`01ca8884 65488b1c2520000000 mov   rbx,qword ptr gs:[20h]
    fffff800`01ca888d eb20            jmp     nt!KiIdleLoop+0x2f (fffff800`01ca88af)
    fffff800`01ca888f 33c9            xor     ecx,ecx
    fffff800`01ca8891 440f22c1        mov     cr8,rcx
    fffff800`01ca8895 488d8b80380000  lea     rcx,[rbx+3880h]
    fffff800`01ca889c e85f010000      call    nt!PoIdle (fffff800`01ca8a00)
    fffff800`01ca88a1 fb              sti
    fffff800`01ca88a2 b902000000      mov     ecx,2
    fffff800`01ca88a7 440f22c1        mov     cr8,rcx
    fffff800`01ca88ab 80630700        and     byte ptr [rbx+7],0
    fffff800`01ca88af 803d9c881c0000  cmp     byte ptr [nt!HvlEnableIdleYield (fffff800`01e71152)],0
    fffff800`01ca88b6 7402            je      nt!KiIdleLoop+0x3a (fffff800`01ca88ba)
    fffff800`01ca88b8 f390            pause
    fffff800`01ca88ba fb              sti
    fffff800`01ca88bb 90              nop
    fffff800`01ca88bc 90              nop
    fffff800`01ca88bd fa              cli
    The bold is where the disassembly window highlights, telling me that nt!KiIdleLoop+0x21 points exactly to here. As you can tell, its position is 0x21 away from the beginning of the function. Now take notice of the call function right before it. That's the call to nt!PoIdle, which you can see in the callstack is the next function that was called into. What happened is nt!KiIdleLoop started, ran its course, then it eventually said "I need to call PoIdle cuz it needs to do something", so it called it as such. Now, did it call it at nt!PoIdle+0x183 like the callstack said? Nope. Rather, it says it called straight into the beginning of the PoIdle function, at address fffff800`01ca8a00. I'll verify:

    fffff800`01ca8a00 4883ec68        sub     rsp,68h
    fffff800`01ca8a04 f605ff09130002  test    byte ptr [nt!PpmIdlePolicy+0x2 (fffff800`01dd940a)],2
    fffff800`01ca8a0b 0f85b9010000    jne     nt!PoIdle+0x1ca (fffff800`01ca8bca)
    fffff800`01ca8a11 48895c2470      mov     qword ptr [rsp+70h],rbx
    fffff800`01ca8a16 4889742458      mov     qword ptr [rsp+58h],rsi
    fffff800`01ca8a1b 48897c2450      mov     qword ptr [rsp+50h],rdi
    fffff800`01ca8a20 488b39          mov     rdi,qword ptr [rcx]
    fffff800`01ca8a23 4885ff          test    rdi,rdi
    fffff800`01ca8a26 0f841d050600    je      nt! ?? ::FNODOBFM::`string'+0x31b79 (fffff800`01d08f49)
    fffff800`01ca8a2c 8b5f08          mov     ebx,dword ptr [rdi+8]
    fffff800`01ca8a2f f6c302          test    bl,2
    Blammo. First line of code in the function is where it pointed too, not the offset described in the callstack. Now what's going to happen here is that PoIdle will runs its stuff, until eventually it, too, needs to call another function. Let's check nt!PoIdle+0x183 which is what the callstack gave us as the call site:

    fffff800`01ca8b68 0f8456050600    je      nt! ?? ::FNODOBFM::`string'+0x31cf4 (fffff800`01d090c4)
    fffff800`01ca8b6e 83fb02          cmp     ebx,2
    fffff800`01ca8b71 0f845b050600    je      nt! ?? ::FNODOBFM::`string'+0x31d02 (fffff800`01d090d2)
    fffff800`01ca8b77 33d2            xor     edx,edx
    fffff800`01ca8b79 4a8b4cef28      mov     rcx,qword ptr [rdi+r13*8+28h]
    fffff800`01ca8b7e 42ff54ef20      call    qword ptr [rdi+r13*8+20h]
    fffff800`01ca8b83 85c0            test    eax,eax
    fffff800`01ca8b85 0f8851050600    js      nt! ?? ::FNODOBFM::`string'+0x31d0c (fffff800`01d090dc)
    fffff800`01ca8b8b 85db            test    ebx,ebx
    fffff800`01ca8b8d 0f859e050600    jne     nt! ?? ::FNODOBFM::`string'+0x31d61 (fffff800`01d09131)
    fffff800`01ca8b93 33c9            xor     ecx,ecx
    fffff800`01ca8b95 ff1505a60d00    call    qword ptr [nt!_imp_KeQueryPerformanceCounter (fffff800`01d831a0)]
    fffff800`01ca8b9b 492bc6          sub     rax,r14
    Notice again the call instruction before it? In this case it's a little more convoluted in that the address isn't a static address like before but it's one made by doing some math with some registers and junk and then using the resulting memory address' contents as a reference point. However if we did all of that math n stuff, we'd most likely come up with the start for the next function listed in the callstack, which is somewhere in the module intelppm. What's going to happen, then is that is for whatever reason the function in intelppm returns, the code flow will return to nt!PoIdle+0x183, then if for whatever reason the PoIdle function returns, everything will continue at nt!KiIdleLoop+0x21, and so on.

    You're probably wondering why intelppm doesn't have a function listed. That's because in my case, I do not have access to any symbols for intelppm. Because there are no symbols, no function names and whatnot can be displayed, so it just leaves me with intelppm with a very big offset, not an offset from the beginning of a function, but from the beginning of the entire module. So it's important to have symbols whenever possible. It's not impossible to go without em, but it makes things quite more difficulty because then you have to ascertain through disassembling and reading the code just what the function is actually doing. The function names there provided by the symbols are to help you discover what each function's responsibility is.

    I hope that kinda clarifies something about what's going on in a callstack. If you need more assistance I'll do what I can to help, but that should at least get things going for ya.
    Last edited by Vir Gnarus; 06-18-2012 at 10:35 AM.
    tom982, x BlueRobot, thefabe and 3 others say thanks for this.

  5. #5
    Shintaro's Avatar
    Join Date
    Jun 2012
    Brisbane, Australia

    re: What does values after USB message calls mean? (OFFSETS)

    Vir Gnarus,
    Thank you for that excellent explanation.

    I have attached the two minidumps from the problem that I was looking at.
    The crashes occurred when USB devices, logitech C270 webcam, XBOX 360 Controller for PC, Net Gear N300 Wireless Adapter, were attached and it was a cold (PC was off for at least 6 hours) boot.
    I was hoping to see a way of proving what device was causing the crash as when they are all removed on Cold boot the PC does not crash.
    So it becomes a slow process of plugging each one in, on consecutive days to find the culprit.

    The first zip file contains the first crash supplied by the user. The Second is with verifier turned on, although, when the cmd !verifier is run it doesn't show the verifier information, possibly because it crashed before verifier could finish?

    Attached Files Attached Files
    Try to live an ordinary life, in a non-ordinary way.

  6. #6

    Join Date
    Feb 2012
    Blog Entries

    re: What does values after USB message calls mean? (OFFSETS)

    Just FYI - both the XBox controller and the wireless USB device have histories of causing BSOD's
    There's no updated driver for the XBox controller (dates from 2009), and I would suggest looking at the date of the wireless USB drivers (older = more chance of BSOD's)

  7. #7
    Shintaro's Avatar
    Join Date
    Jun 2012
    Brisbane, Australia

    re: What does values after USB message calls mean? (OFFSETS)

    Cheers usasma,
    I knew about the Wireless USB device, I hit that one real early. And I had idea that the XBox was at fault, but as I was unable to point to a particular device, that's why I wanted to know if the USB device information could be found in the crash dump, and the XBox was nothing more than a hunch as I couldn't prove it.

    Driver list
    fffff880`01946000 fffff880`0194e000 spldr spldr.sys Tue May 12 02:56:27 2009 (4A0858BB)
    fffff880`0414a000 fffff880`04157000 GEARAspiWDM GEARAspiWDM.sys Mon May 18 22:17:04 2009 (4A1151C0)
    fffff880`03c7e000 fffff880`03c94000 intelppm intelppm.sys Tue Jul 14 09:19:25 2009 (4A5BC0FD)
    fffff880`00eb3000 fffff880`00ebd000 msisadrv msisadrv.sys Tue Jul 14 09:19:26 2009 (4A5BC0FE)
    fffff880`01200000 fffff880`01211000 pcw pcw.sys Tue Jul 14 09:19:27 2009 (4A5BC0FF)
    fffff880`0168c000 fffff880`01695000 Null Null.SYS Tue Jul 14 09:19:37 2009 (4A5BC109)
    fffff880`00c86000 fffff880`00c8f000 atapi atapi.sys Tue Jul 14 09:19:47 2009 (4A5BC113)
    fffff880`01224000 fffff880`0122f000 Msfs Msfs.SYS Tue Jul 14 09:19:47 2009 (4A5BC113)
    fffff880`01654000 fffff880`01660000 dump_ataport dump_ataport.sys Tue Jul 14 09:19:47 2009 (4A5BC113)
    fffff880`01660000 fffff880`01669000 dump_atapi dump_atapi.sys Tue Jul 14 09:19:47 2009 (4A5BC113)
    fffff880`00c5c000 fffff880`00c6c000 PCIIDEX PCIIDEX.SYS Tue Jul 14 09:19:48 2009 (4A5BC114)
    fffff880`0122f000 fffff880`01240000 Npfs Npfs.SYS Tue Jul 14 09:19:48 2009 (4A5BC114)
    fffff880`00eca000 fffff880`00ed1000 pciide pciide.sys Tue Jul 14 09:19:49 2009 (4A5BC115)
    fffff880`04c97000 fffff880`04ca6000 mouclass mouclass.sys Tue Jul 14 09:19:50 2009 (4A5BC116)
    fffff880`04ca6000 fffff880`04cb5000 kbdclass kbdclass.sys Tue Jul 14 09:19:50 2009 (4A5BC116)
    fffff880`00ff4000 fffff880`00ffd000 WMILIB WMILIB.SYS Tue Jul 14 09:19:51 2009 (4A5BC117)
    fffff880`00ea4000 fffff880`00eb3000 WDFLDR WDFLDR.SYS Tue Jul 14 09:19:54 2009 (4A5BC11A)
    fffff880`00d19000 fffff880`00d77000 CLFS CLFS.SYS Tue Jul 14 09:19:57 2009 (4A5BC11D)
    fffff880`019dd000 fffff880`019f3000 disk disk.sys Tue Jul 14 09:19:57 2009 (4A5BC11D)
    fffff880`04c79000 fffff880`04c97000 i8042prt i8042prt.sys Tue Jul 14 09:19:57 2009 (4A5BC11D)
    fffff880`03e51000 fffff880`03e5d000 nsiproxy nsiproxy.sys Tue Jul 14 09:21:02 2009 (4A5BC15E)
    fffff880`01669000 fffff880`0167c000 dump_dumpfve dump_dumpfve.sys Tue Jul 14 09:21:51 2009 (4A5BC18F)
    fffff880`00e00000 fffff880`00ea4000 Wdf01000 Wdf01000.sys Tue Jul 14 09:22:07 2009 (4A5BC19F)
    fffff880`077bf000 fffff880`077f5000 fastfat fastfat.SYS Tue Jul 14 09:23:28 2009 (4A5BC1F0)
    fffff880`01988000 fffff880`0199a000 mup mup.sys Tue Jul 14 09:23:45 2009 (4A5BC201)
    fffff880`04cb5000 fffff880`04cbe000 wmiacpi wmiacpi.sys Tue Jul 14 09:31:02 2009 (4A5BC3B6)
    fffff880`03e5d000 fffff880`03e68000 mssmbios mssmbios.sys Tue Jul 14 09:31:10 2009 (4A5BC3BE)
    fffff880`010c1000 fffff880`010d5000 fileinfo fileinfo.sys Tue Jul 14 09:34:25 2009 (4A5BC481)
    fffff880`03fe9000 fffff880`03ffa000 blbdrive blbdrive.sys Tue Jul 14 09:35:59 2009 (4A5BC4DF)
    fffff880`03fbc000 fffff880`03fcb000 discache discache.sys Tue Jul 14 09:37:18 2009 (4A5BC52E)
    fffff880`01425000 fffff880`01435000 watchdog watchdog.sys Tue Jul 14 09:37:35 2009 (4A5BC53F)
    fffff880`015ea000 fffff880`015f8000 vga vga.sys Tue Jul 14 09:38:47 2009 (4A5BC587)
    fffff880`01400000 fffff880`01425000 VIDEOPRT VIDEOPRT.SYS Tue Jul 14 09:38:51 2009 (4A5BC58B)
    fffff880`01695000 fffff880`0169c000 Beep Beep.SYS Tue Jul 14 10:00:13 2009 (4A5BCA8D)
    fffff880`04d99000 fffff880`04d9a480 swenum swenum.sys Tue Jul 14 10:00:18 2009 (4A5BCA92)
    fffff880`04bf9000 fffff880`04bfe200 ksthunk ksthunk.sys Tue Jul 14 10:00:19 2009 (4A5BCA93)
    fffff880`01646000 fffff880`01654000 crashdmp crashdmp.sys Tue Jul 14 10:01:01 2009 (4A5BCABD)
    fffff880`00ebd000 fffff880`00eca000 vdrvroot vdrvroot.sys Tue Jul 14 10:01:31 2009 (4A5BCADB)
    fffff880`06c27000 fffff880`06c2f080 HIDPARSE HIDPARSE.SYS Tue Jul 14 10:06:17 2009 (4A5BCBF9)
    fffff880`04000000 fffff880`0403d000 portcls portcls.sys Tue Jul 14 10:06:27 2009 (4A5BCC03)
    fffff880`06dc5000 fffff880`06dd2000 vwifibus vwifibus.sys Tue Jul 14 10:07:21 2009 (4A5BCC39)
    fffff880`03f68000 fffff880`03f7e000 vwififlt vwififlt.sys Tue Jul 14 10:07:22 2009 (4A5BCC3A)
    fffff880`03f39000 fffff880`03f42000 wfplwf wfplwf.sys Tue Jul 14 10:09:26 2009 (4A5BCCB6)
    fffff880`03f7e000 fffff880`03f8d000 netbios netbios.sys Tue Jul 14 10:09:26 2009 (4A5BCCB6)
    fffff880`04d08000 fffff880`04d14000 ndistapi ndistapi.sys Tue Jul 14 10:10:00 2009 (4A5BCCD8)
    fffff880`04d43000 fffff880`04d5e000 raspppoe raspppoe.sys Tue Jul 14 10:10:17 2009 (4A5BCCE9)
    fffff880`04cce000 fffff880`04ce4000 AgileVpn AgileVpn.sys Tue Jul 14 10:10:24 2009 (4A5BCCF0)
    fffff880`04d7f000 fffff880`04d99000 rassstp rassstp.sys Tue Jul 14 10:10:25 2009 (4A5BCCF1)
    fffff880`01435000 fffff880`0143e000 rdpencdd rdpencdd.sys Tue Jul 14 10:16:34 2009 (4A5BCE62)
    fffff880`019f3000 fffff880`019fc000 RDPCDD RDPCDD.sys Tue Jul 14 10:16:34 2009 (4A5BCE62)
    fffff880`0121b000 fffff880`01224000 rdprefmp rdprefmp.sys Tue Jul 14 10:16:35 2009 (4A5BCE63)
    fffff880`04bd7000 fffff880`04bf9000 drmk drmk.sys Tue Jul 14 11:01:25 2009 (4A5BD8E5)
    fffff880`00d05000 fffff880`00d19000 PSHED PSHED.dll Tue Jul 14 11:32:23 2009 (4A5BE027)
    fffff880`06dd2000 fffff880`06de4100 xusb21 xusb21.sys Fri Aug 14 08:10:17 2009 (4A848F49)
    fffff880`00ed1000 fffff880`00edb000 mv91cons mv91cons.sys Wed Sep 23 07:36:37 2009 (4AB94365)
    fffff880`00c8f000 fffff880`00c9a000 amdxata amdxata.sys Sat Mar 20 03:18:18 2010 (4BA3A3CA)
    fffff880`04a12000 fffff880`04bd7000 cmudaxp cmudaxp.sys Thu Sep 16 13:41:13 2010 (4C9191D9)
    fffff880`04dad000 fffff880`04dc6000 nusb3hub nusb3hub.sys Fri Nov 19 12:34:24 2010 (4CE5D420)
    fffff880`03c94000 fffff880`03cc5000 nusb3xhc nusb3xhc.sys Fri Nov 19 12:34:25 2010 (4CE5D421)
    fffff880`0199a000 fffff880`019a3000 hwpolicy hwpolicy.sys Sat Nov 20 20:18:54 2010 (4CE7927E)
    fffff880`00d77000 fffff880`00daa000 pci pci.sys Sat Nov 20 20:19:11 2010 (4CE7928F)
    fffff880`00dd4000 fffff880`00dfe000 ataport ataport.SYS Sat Nov 20 20:19:15 2010 (4CE79293)
    fffff880`00f9d000 fffff880`00ff4000 ACPI ACPI.sys Sat Nov 20 20:19:16 2010 (4CE79294)
    fffff880`015c0000 fffff880`015ea000 cdrom cdrom.sys Sat Nov 20 20:19:20 2010 (4CE79298)
    fffff880`00c6c000 fffff880`00c86000 mountmgr mountmgr.sys Sat Nov 20 20:19:21 2010 (4CE79299)
    fffff880`01600000 fffff880`01630000 CLASSPNP CLASSPNP.SYS Sat Nov 20 20:19:23 2010 (4CE7929B)
    fffff880`01075000 fffff880`010c1000 fltmgr fltmgr.sys Sat Nov 20 20:19:24 2010 (4CE7929C)
    fffff880`00dbf000 fffff880`00dd4000 volmgr volmgr.sys Sat Nov 20 20:19:28 2010 (4CE792A0)
    fffff880`018fa000 fffff880`01946000 volsnap volsnap.sys Sat Nov 20 20:20:08 2010 (4CE792C8)
    fffff880`00c00000 fffff880`00c5c000 volmgrx volmgrx.sys Sat Nov 20 20:20:43 2010 (4CE792EB)
    fffff880`018a6000 fffff880`018f0000 fwpkclnt fwpkclnt.sys Sat Nov 20 20:21:37 2010 (4CE79321)
    fffff880`011a5000 fffff880`011c7000 tdx tdx.sys Sat Nov 20 20:21:54 2010 (4CE79332)
    fffff880`010d5000 fffff880`01133000 msrpc msrpc.sys Sat Nov 20 20:21:56 2010 (4CE79334)
    fffff880`011c7000 fffff880`011d4000 TDI TDI.SYS Sat Nov 20 20:22:06 2010 (4CE7933E)
    fffff880`01535000 fffff880`01595000 NETIO NETIO.SYS Sat Nov 20 20:23:13 2010 (4CE79381)
    fffff880`03e6b000 fffff880`03eb0000 netbt netbt.sys Sat Nov 20 20:23:18 2010 (4CE79386)
    fffff880`01442000 fffff880`01535000 ndis ndis.sys Sat Nov 20 20:23:30 2010 (4CE79392)
    fffff880`019a3000 fffff880`019dd000 fvevol fvevol.sys Sat Nov 20 20:24:06 2010 (4CE793B6)
    fffff880`03fcb000 fffff880`03fe9000 dfsc dfsc.sys Sat Nov 20 20:26:31 2010 (4CE79447)
    fffff880`03e00000 fffff880`03e51000 rdbss rdbss.sys Sat Nov 20 20:27:51 2010 (4CE79497)
    fffff880`0194e000 fffff880`01988000 rdyboost rdyboost.sys Sat Nov 20 20:43:10 2010 (4CE7982E)
    fffff880`0406c000 fffff880`040b2000 dxgmms1 dxgmms1.sys Sat Nov 20 20:49:53 2010 (4CE799C1)
    fffff880`03cc7000 fffff880`03dbb000 dxgkrnl dxgkrnl.sys Sat Nov 20 20:50:50 2010 (4CE799FA)
    fffff880`04cbe000 fffff880`04cce000 CompositeBus CompositeBus.sys Sat Nov 20 21:33:17 2010 (4CE7A3ED)
    fffff880`03dbb000 fffff880`03dfe000 ks ks.sys Sat Nov 20 21:33:23 2010 (4CE7A3F3)
    fffff880`040b2000 fffff880`040d6000 HDAudBus HDAudBus.sys Sat Nov 20 21:43:42 2010 (4CE7A65E)
    fffff880`06c00000 fffff880`06c0e000 hidusb hidusb.sys Sat Nov 20 21:43:49 2010 (4CE7A665)
    fffff880`06c0e000 fffff880`06c27000 HIDCLASS HIDCLASS.SYS Sat Nov 20 21:43:49 2010 (4CE7A665)
    fffff880`07750000 fffff880`0776ac80 usbaudio usbaudio.sys Sat Nov 20 21:43:52 2010 (4CE7A668)
    fffff880`050d8000 fffff880`05134000 HdAudio HdAudio.sys Sat Nov 20 21:44:23 2010 (4CE7A687)
    fffff880`04d9b000 fffff880`04dad000 umbus umbus.sys Sat Nov 20 21:44:37 2010 (4CE7A695)
    fffff880`04c3b000 fffff880`04c79000 1394ohci 1394ohci.sys Sat Nov 20 21:44:56 2010 (4CE7A6A8)
    fffff880`03c58000 fffff880`03c7e000 tunnel tunnel.sys Sat Nov 20 21:51:50 2010 (4CE7A846)
    fffff880`03f42000 fffff880`03f68000 pacer pacer.sys Sat Nov 20 21:52:18 2010 (4CE7A862)
    fffff880`05091000 fffff880`050a6000 NDProxy NDProxy.SYS Sat Nov 20 21:52:20 2010 (4CE7A864)
    fffff880`04d5e000 fffff880`04d7f000 raspptp raspptp.sys Sat Nov 20 21:52:31 2010 (4CE7A86F)
    fffff880`04d14000 fffff880`04d43000 ndiswan ndiswan.sys Sat Nov 20 21:52:32 2010 (4CE7A870)
    fffff880`04ce4000 fffff880`04d08000 rasl2tp rasl2tp.sys Sat Nov 20 21:52:34 2010 (4CE7A872)
    fffff880`03f8d000 fffff880`03fa8000 wanarp wanarp.sys Sat Nov 20 21:52:36 2010 (4CE7A874)
    fffff880`03fa8000 fffff880`03fbc000 termdd termdd.sys Sat Nov 20 22:03:40 2010 (4CE7AB0C)
    fffff800`033f0000 fffff800`03439000 hal hal.dll Sun Nov 21 00:00:25 2010 (4CE7C669)
    fffff880`00cb6000 fffff880`00d05000 mcupdate mcupdate.dll Sun Nov 21 00:03:51 2010 (4CE7C737)
    fffff880`00edd000 fffff880`00f9d000 CI CI.dll Sun Nov 21 00:12:36 2010 (4CE7C944)
    fffff800`00bc4000 fffff800`00bce000 kdcom kdcom.dll Sun Feb 06 03:52:49 2011 (4D4D8061)
    fffff880`01240000 fffff880`013e3000 Ntfs Ntfs.sys Fri Mar 11 14:39:39 2011 (4D79997B)
    fffff880`06de5000 fffff880`06e00000 USBSTOR USBSTOR.SYS Fri Mar 11 15:37:16 2011 (4D79A6FC)
    fffff880`03cc5000 fffff880`03cc6f00 USBD USBD.SYS Fri Mar 25 14:28:59 2011 (4D8C0BFB)
    fffff880`040d6000 fffff880`040e3000 usbuhci usbuhci.sys Fri Mar 25 14:29:03 2011 (4D8C0BFF)
    fffff880`04139000 fffff880`0414a000 usbehci usbehci.sys Fri Mar 25 14:29:04 2011 (4D8C0C00)
    fffff880`040e3000 fffff880`04139000 USBPORT USBPORT.SYS Fri Mar 25 14:29:12 2011 (4D8C0C08)
    fffff880`06c30000 fffff880`06c4d000 usbccgp usbccgp.sys Fri Mar 25 14:29:14 2011 (4D8C0C0A)
    fffff880`05037000 fffff880`05091000 usbhub usbhub.sys Fri Mar 25 14:29:25 2011 (4D8C0C15)
    fffff880`06c8e000 fffff880`06dc5000 bcmwlhigh664 bcmwlhigh664.sys Tue Apr 19 17:13:08 2011 (4DAD3604)
    fffff880`018f0000 fffff880`018fa000 scmndisp scmndisp.sys Fri May 27 20:30:22 2011 (4DDF7D3E)
    fffff880`04157000 fffff880`041f7000 Rt64win7 Rt64win7.sys Wed Sep 28 00:50:33 2011 (4E81E2B9)
    fffff880`013e3000 fffff880`013fe000 ksecdd ksecdd.sys Thu Nov 17 14:48:13 2011 (4EC483FD)
    fffff880`01133000 fffff880`011a5000 cng cng.sys Thu Nov 17 15:23:17 2011 (4EC48C35)
    fffff880`01595000 fffff880`015c0000 ksecpkg ksecpkg.sys Thu Nov 17 15:23:44 2011 (4EC48C50)
    fffff880`0167c000 fffff880`0168c000 avgmfx64 avgmfx64.sys Fri Dec 23 23:08:12 2011 (4EF46F2C)
    fffff880`03eb0000 fffff880`03f39000 afd afd.sys Wed Dec 28 14:59:20 2011 (4EFA9418)
    fffff880`0776b000 fffff880`077bea80 lvrs64 lvrs64.sys Wed Jan 18 17:40:36 2012 (4F166964)
    fffff880`072ae000 fffff880`0774fd00 lvuvc64 lvuvc64.sys Wed Jan 18 17:41:08 2012 (4F166984)
    fffff880`01630000 fffff880`0163c000 avgrkx64 avgrkx64.sys Tue Jan 31 14:11:41 2012 (4F275BED)
    fffff880`03c0d000 fffff880`03c58000 avgldx64 avgldx64.sys Wed Feb 22 14:57:53 2012 (4F4467C1)
    fffff880`01211000 fffff880`0121b000 Fs_Rec Fs_Rec.sys Thu Mar 01 14:41:06 2012 (4F4EEFD2)
    fffff880`00daa000 fffff880`00dbf000 partmgr partmgr.sys Sat Mar 17 16:06:09 2012 (4F641BC1)
    fffff880`01000000 fffff880`01061000 avgtdia avgtdia.sys Mon Mar 19 14:53:32 2012 (4F66ADBC)
    fffff880`016a3000 fffff880`018a6000 tcpip tcpip.sys Fri Mar 30 19:34:26 2012 (4F757012)
    fffff880`050a6000 fffff880`050d8000 nvhda64v nvhda64v.sys Thu Apr 19 03:07:54 2012 (4F8EF4EA)
    fffff880`0163c000 fffff880`01646000 avgidsha avgidsha.sys Thu Apr 19 12:19:15 2012 (4F8F7623)
    fffff800`02e08000 fffff800`033f0000 nt ntkrnlmp.exe Fri May 04 18:18:59 2012 (4FA390F3)
    fffff880`0f00d000 fffff880`0fdcf000 nvlddmkm nvlddmkm.sys Tue May 15 17:35:36 2012 (4FB20748)
    Last edited by Shintaro; 06-19-2012 at 09:29 PM. Reason: More information
    Try to live an ordinary life, in a non-ordinary way.

  8. #8

    Join Date
    Feb 2012
    Blog Entries

    re: What does values after USB message calls mean? (OFFSETS)

    This is the XBox driver:
    fffff880`06dd2000 fffff880`06de4100 xusb21 xusb21.sys Fri Aug 14 08:10:17 2009 (4A848F49)
    I last checked a couple of weeks ago and there was no update available for the 2009 driver.
    Shintaro and Vir Gnarus say thanks for this.

  9. #9

    Join Date
    Mar 2012

    re: What does values after USB message calls mean? (OFFSETS)

    As a note, Windows 7 did not come out until Oct 2009, and even the RTM version was not publicly released until July 22, 2009. I'm sure things have changed since then, and most likely this is a driver for Vista, or it was built during Windows 7 beta. Either way, it's dusty, and it's bound to have bugs. I also can vouch that I've seen it crash systems.

    EDIT: I checked the crashdumps, and the first one has what appears to be a stack overflow due to stack trashing, as you can tell from dumping the raw stack:

    0: kd> dc fffff88003356000 fffff8800335c000
    fffff880`03356000  a897a89e 0f740f74 36b336ec 1c261c26  ....t.t..6.6&.&.
    fffff880`03356010  0888086d bd78bd78 17461739 9efe9efe  m...x.x.9.F.....
    fffff880`03356020  cd1bcde5 be0fbe0f 20ba2084 fafffaff  ......... . ....
    fffff880`03356030  520152da 06040604 37eb3748 d246d246  .R.R....H7.7F.F.
    fffff880`03356040  a89ea8a4 0f740f74 36ec362b ef26bc26  ....t.t.+6.6&.&.
    fffff880`03356050  086d0861 ae78ae78 1739173e e0fe9afe  a.m.x.x.>.9.....
    fffff880`03356060  cde5cd08 8d0f210f 20842024 f2fffbff  .....!..$ . ....
    fffff880`03356070  52da52ed 06047d04 37483748 5b46d246  .R.R.}..H7H7F.F[
    fffff880`03356080  65166616 31e531e5 c37dfd7d 1c4f1c4f  .f.e.1.1}.}.O.O.
    fffff880`03356090  1520c720 154d154d e9c79bc7 b08fb08f   . .M.M.........
    fffff880`033560a0  e3d216d2 b619b619 8609be09 c913c913  ................
    fffff880`033560b0  a6bffcbf e59de59d 15285428 7fe87fe8  ........(T(.....
    fffff880`033560c0  18331816 31e531e5 fd4afd7d 1c4f1c4f  ..3..1.1}.J.O.O.
    fffff880`033560d0  ef3fef20 154d154d 1b451bc7 b08fb08f   .?.M.M...E.....
    fffff880`033560e0  16e416d2 b619b619 79b57909 c913c913  .........y.y....
    fffff880`033560f0  7ca27cbf e59de59d ea57ea28 7fe87fe8  .|.|....(.W.....
    fffff880`03356100  18161879 b9e576e5 fd7dfdfd c04f144f  y....v....}.O.O.
    fffff880`03356110  ef20eff2 154d6e4d 1bc71bc3 018f908f  .. .MnM.........
    fffff880`03356120  16d21659 b0191619 79097944 4613cb13  Y.......Dy.y...F
    fffff880`03356130  7cbf7c2c e59de49d ea28eaa9 c0e810e8  ,|.|......(.....
    fffff880`03356140  2607ae07 3cd73cd7 bb0fbb0f f988f988  ...&.<.<........
    fffff880`03356150  c0c913c9 62056205 05582d58 6a4d6a4d  .....b.bX-X.MjMj
    fffff880`03356160  52b41bb4 76ba76ba f238d238 2c6b2c6b  ...R.v.v8.8.k,k,
    fffff880`03356170  c673fd73 b2ceb2ce 34849084 32703270  s.s........4p2p2
    fffff880`03356180  2e252e07 3cd73cd7 44b0440f f988f988  ..%..<.<.D.D....
    fffff880`03356190  33ce33c9 62056205 faa7fa58 6a4d6a4d  .3.3.b.bX...MjMj
    fffff880`033561a0  ad0badb4 76ba76ba d239d238 2c6b2c6b  .....v.v8.9.k,k,
    I can't make sense of the junk, but there are very noticeable patterns in it.

    Three 3rd party drivers were involved in this thread:

    fffff880`03359df8  fffff880`03359fe0
    fffff880`03359e00  fffff880`03359fc0
    fffff880`03359e08  00000000`00000004
    fffff880`03359e10  fffffa80`04ea6b30
    fffff880`03359e18  00000000`00000001
    fffff880`03359e20  fffff880`019ef554Unable to load image avgmfx64.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for avgmfx64.sys
    *** ERROR: Module load completed but symbols could not be loaded for avgmfx64.sys
    fffff880`03359e28  fffff800`02e6d2d2 nt!RtlpLookupFunctionEntryForStackWalks+0x32
    fffff880`03359e30  fffffa80`05699798
    fffff880`03359e38  fffff880`03359fe0
    fffff880`03359e40  fffff880`03359ea0
    fffff880`0335af48  fffff880`0335b130
    fffff880`0335af50  fffff880`0335b110
    fffff880`0335af58  00000000`00000004
    fffff880`0335af60  fffffa80`04ea6b30
    fffff880`0335af68  00000000`00000001
    fffff880`0335af70  fffff880`04119304 nusb3xhc+0x1c304
    fffff880`0335af78  fffff800`02e6d2d2 nt!RtlpLookupFunctionEntryForStackWalks+0x32
    fffff880`0335af80  fffffa80`057a6498
    fffff880`0335af88  fffff880`0335b130
    fffff880`0335af90  fffff880`0335aff0
    fffff880`0335af98  fffff880`0335b010
    fffff880`0335afa0  00000129`0000012f
    fffff880`0335afa8  fffff800`0000012c
    fffff880`0335afb0  fffff880`04120e10 nusb3xhc+0x23e10
    fffff880`0335afb8  fffff880`04120e10 nusb3xhc+0x23e10
    fffff880`0335afc0  00000000`00000000
    fffff880`0335afc8  00000000`00000002
    fffff880`0335afd0  00000000`80000000
    fffff880`0335afd8  fffffa80`04f21040
    fffff880`03359768  00001f80`001f0200
    fffff880`03359770  fffff880`03356001
    fffff880`03359778  fffff800`02f4d823 nt!RtlpWalkFrameChain+0xa3
    fffff880`03359780  fffff880`06d0a000Unable to load image avgidsdrivera.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for avgidsdrivera.sys
    *** ERROR: Module load completed but symbols could not be loaded for avgidsdrivera.sys
    fffff880`03359788  00000000`00000000
    fffff880`03359790  fffff800`02e9f095 nt!KiIpiInterrupt+0x135
    fffff880`03359798  fffff880`03359740
    0: kd> lmvm avgidsdrivera
    start             end                 module name
    fffff880`06d0a000 fffff880`06d36000   avgidsdrivera T (no symbols)           
        Loaded symbol image file: avgidsdrivera.sys
        Image path: avgidsdrivera.sys
        Image name: avgidsdrivera.sys
        Timestamp:        Fri Dec 23 07:05:21 2011 (4EF46E81)
        CheckSum:         0002B0BE
        ImageSize:        0002C000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    0: kd> lmvm avgmfx64
    start             end                 module name
    fffff880`019ee000 fffff880`019fe000   avgmfx64 T (no symbols)           
        Loaded symbol image file: avgmfx64.sys
        Image path: avgmfx64.sys
        Image name: avgmfx64.sys
        Timestamp:        Fri Dec 23 07:08:12 2011 (4EF46F2C)
        CheckSum:         00015683
        ImageSize:        00010000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    0: kd> lmvm nusb3xhc
    start             end                 module name
    fffff880`040fd000 fffff880`0412e000   nusb3xhc T (no symbols)           
        Loaded symbol image file: nusb3xhc.sys
        Image path: nusb3xhc.sys
        Image name: nusb3xhc.sys
        Timestamp:        Thu Nov 18 20:34:25 2010 (4CE5D421)
        CheckSum:         0002D1D4
        ImageSize:        00031000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    This involved AVG and NEC USB controller drivers. AVG is gettin a little stale, and the NEC drivers, not only are they old, but from the Driver Reference table I checked on sysnative, its commented that they have a tendency to cause BSODs. 3rd-party USB controller drivers are never needed. The USB bus is completely supported by standard Windows drivers. I can only see it being needed for USB ports attached to a monitor, which, given this is NEC, I would assume is the case.

    As for the second crashdump, I can't tell from the minidump. The current IRP is not available, and the rest of it is pretty esoteric.

    The commands I used to diagnose this is !irp, dps and dc. dps displays memory in the range you specify with symbols for anything it finds is an address to code in a module that has symbols loaded for it. dc is like dps but it'll show memory data as ASCII characters, good for finding hidden strings n such.

    Just so you know, this isn't an affirmative diagnosis. It's an educated guess based on what information is available, which isn't much. One must realize the severe limitiations one has to deal with when handling minidumps.
    Last edited by Vir Gnarus; 06-20-2012 at 10:21 AM.
    Trouble, Shintaro and niemiro say thanks for this.

  10. #10
    Shintaro's Avatar
    Join Date
    Jun 2012
    Brisbane, Australia

    re: What does values after USB message calls mean? (OFFSETS)

    Vir Gnarus,
    Thanks for the response.
    I really appreciate it that you have taken the time to explain things. It can be difficult at times trying to work out where to look next.
    Try to live an ordinary life, in a non-ordinary way.

  11. #11

    Join Date
    Mar 2012

    re: What does values after USB message calls mean? (OFFSETS)

    The best way to go at it if you don't know exactly where to start looking is to simply do what I did and start scrounging for data in various places. Look at the raw stack; look at thread information with !thread and see if there's any IRPs related to the thread and dump info on that; scour kv for any patterns like an error (you can easily point them out because they are 8-bytes and start with a 'c' and have small values, like c000002b, or c0000101) which you can send to !error command to get an explanation for it. There's a myriad of details you can eyeball that as you gain more and more insight will appear increasingly suspicious and relevant to your search for the right answer.

    Don't expect to find a 100% accurate answer for everything, nor should you get flustered when you can't find any worthwhile data to chew on. As you continue to improve in understanding the mechanics behind Windows, your answers will continue to improve and your methods for finding them will become more direct and expedient. You'll also find that as you learn more you'll start to realize your need to acquire more and more information to sift through deeper, and you'll eventually get to the point like me in finding out that minidumps are completely insatiable in your quest to diagnose the problem!
    niemiro says thanks for this.

  12. #12

    re: What does values after USB message calls mean? (OFFSETS)

    How do you all clean out your PC'/LT's USB registered device and clean log logs?
    As to start all new again, with only the USB's that are on the host PC/LT?
    Remove lots of old register devices no longer good?

Similar Threads

  1. Mark Zuckerberg calls Obama to complain about NSA
    By JMH in forum Social Media News
    Replies: 0
    Last Post: 03-15-2014, 03:47 AM
  2. Replies: 3
    Last Post: 06-14-2012, 01:10 AM
  3. The Pirate Bay calls Anonymous attacks censorship
    By JMH in forum News You Can Use
    Replies: 0
    Last Post: 05-12-2012, 06:20 PM
  4. Replies: 1
    Last Post: 05-11-2012, 03:58 PM
  5. Replies: 0
    Last Post: 04-06-2012, 09:24 PM

Log in

Log in