Page 3 of 3 First 123
  1. #41

    Re: Most Notable BSOD Kernel Dump Analysis posts

    Probably a garbage pirated version they all seem to get then.


    • Ad Bot

      advertising
      Beep.

        
       

  2. #42
    jcgriff2's Avatar
    Join Date
    Feb 2012
    Location
    New Jersey Shore
    Posts
    16,445
    • specs System Specs
      • Manufacturer:
        HP
      • Model Number:
        HP ENVY TouchSmart 17-j130us Notebook - E8A04UA
      • Motherboard:
        HP Insyde 720265-501 6050A2549501-MB-A02
      • CPU:
        Intel Core i7-4700MQ Processor with Turbo Boost up to 3.4GHz.
      • Memory:
        12GB DDR3L SDRAM (2 DIMM)
      • Graphics:
        Intel HD graphics 4600 with up to 1792MB total graphics memory
      • Sound Card:
        Beats Audio quad speakers and two subwoofers
      • Hard Drives:
        1TB 5400RPM hard drive with HP ProtectSmart Hard Drive Protection
      • Disk Drives:
        Hitachi 500 GB SSD; 7 TB USB External
      • Power Supply:
        90w
      • Case:
        Laptop
      • Display:
        17.3-inch diagonal HD+ BrightView LED-backlit touchscreen display (1600 x 900)
      • Operating System:
        Windows 8.1

    Re: Most Notable BSOD Kernel Dump Analysis posts


    RE: Sysnative Forums BSOD Thread - BSOD while installing ZoneAlarm - Windows 7 x86

    Sometimes, BSOD analysis is done in "visual steps" with the Windbg command + resulting output shown in code boxes, step-by-step as was done in this thread.

    To try and help you follow such steps in BSOD threads here at Sysnative Forums, I thought it would be helpful to provide additional details and information as to what these steps are and where the parms come from.

    I can think of few things more frustrating than knowing what a Windbg command does, how it can help me in finding an answer/solution, but not being able to figure out where the memory address used in conjunction with the Windbg command came from.

    When I read this thread earlier and came upon Patrick's post, I could follow all with relative ease, except that the memory address in step #4 (a.k.a., the "command parameter") eluded me for a bit until I looked closer at the output of #3. Once the output of #3 is reviewed, the origin of #4's "command parameter" becomes immediately evident.

    Just to go over it quickly:

    kd> command for #4 -
    Code:
    2: kd> dt nt!_MODE c9dd6208
    So... I'm on the hunt for memory address 0xc9dd6208, which could have come from the output of #3 or elsewhere. I'm not very familiar with #4 command, so the output of #3 is where I started and... there it was!

    I included the command for #4, which includes the memory address from #3 command at the end of the show/hide (spoiler) tag for your viewing pleasure (makes it easier to see/compare)!

    kd> command for #3 -
    Code:
    2: kd> !handle 300
    Output for #3:
    Read More:


    So, that ends the mystery as to where the cmd parm memory address for #4 came from.

    We can all rest easy tonight! :0




    START ANALYSIS OF PATRICK'S POST

    Now, we'll get started with the analysis on Patrick's post #17.


    Summation - "Probably caused by:" Zone Alarm BSOD likely caused by Bitdefender.

    Windbg kd> commands used & displayed in post:

    1. !analyze -v
    2. knL
    3. !handle 300
    4. dt nt!_MODE c9dd6208
    5. .bugcheck
    6. !address 8eea7cc3
    7. !thread 95a1c7c8
    8. !irp 89326ac0
    9. !fileobj 95a1a7c8
    1. "!analyze" = displays information about the bugcheck; "-v" = verbose output; "!analyze -v is probably the most well known and widely used Windbg command in the world (my estimate & opinion)
    2. Display Stack Backtrace - displays the thread's stack frame and related information (the command = "k"; "n" = Displays frame numbers; "L" = Hides source lines in the display. "L" is case sensitive)
    3. Displays information about a handle that a process owns
      Not sure what the "300" after "!handle" means as I can't locate any information on it at this time.
      Windbg help CHM file shows these as valid parms for the !thread command:

      Read More:
    4. Displays displays information about a local variable, global variable or data type. The memory address (c9dd6208) was obtained from this output line from #3 -
      Code:
      ObjectHeader: c9dd6208 (new version)
    5. Displays bugcheck information - the STOP ERROR followed by 4 parameters in parenthesis (P1,P2,P3,P4)
    6. Displays information about the memory address used by the target address [the hexadecimal number following the word ADDRESS]
    7. Displays summary information about a thread [the hexadecimal number after the word THREAD]
    8. Displays IRP (I/O Request Packet) information
    9. Displays detailed information about the FILE_OBJECT structure. The actual file object is the memory address following the word FILEOBJ


    Very nice analysis, Patrick.

    Please know that a thread not found, detailed/analyzed and discussed in this "Most Notable BSOD Kernel Dump Analysis Posts" thread/sticky DOES NOT in any way mean that it was not good enough to be a "...most notable..." BSOD post. There are many reasons why most threads don't make it in here -- #1 reason (or excuse if you wish!) - lack of time.

    "Sysnative Forums" is specifically mentioned here because this post involves a thread from this forum. Most of us (BSOD Analysts) are on staff at other forums or just simply answer BSOD threads as time permits.

    Sysnative Forums is our primary forum; however, there are two other forums that take precedence over ALL others after Sysnative Forums -- Bleeping Computer (BC) and Tech Support Forum (TSF). They both use "BSOD Posting Instructions" very similar to ours (the same "SysnativeBSODCollectionApp.exe" dump + collection app is used -- 1st developed in 2008; improved constantly ever since, and copied/plagiarized by many).

    Lastly, the comments in this post about the BSOD thread are mine. I in no way speak for Patrick, the author of the post in question and therefore, he is of course free to correct anything I have written. Something doesn't necessarily have to be incorrect/wrong; a simple disagreement may occur.

    Regards. . .

    jcgriff2
    Last edited by jcgriff2; 06-05-2015 at 10:21 PM.
    usasma says thanks for this.

  3. #43

    Re: Most Notable BSOD Kernel Dump Analysis posts

    Thanks to cluberti for answering my quick questions regarding that specific issue as well.
    usasma says thanks for this.

  4. #44
    Jared's Avatar
    Join Date
    Feb 2014
    Age
    21
    Posts
    1,584
    • specs System Specs
      • Manufacturer:
        Custom
      • Motherboard:
        ASUS Maximus VII Ranger
      • CPU:
        i7 4790K @ 4.4GHz
      • Memory:
        Corsair Vengeance 16GB 1866MHz
      • Graphics:
        MSI Gaming 4G GTX 980
      • Sound Card:
        Creative Soundblaster ZxR
      • Hard Drives:
        Samsung 850 SSD 250GB
      • Disk Drives:
        Western Digital Black Caviar 2TB
      • Power Supply:
        Corsair RM650 Modular 650 Watts
      • Case:
        Fractal Design Define R5 Window
      • Cooling:
        Corsair H100i GTX
      • Display:
        Dell U2515H 25inch 2560x1440 + LG Flatron M2262D 22inch 1920x1080
      • Operating System:
        Windows 10 Professional x64

    Re: Most Notable BSOD Kernel Dump Analysis posts

    Quote Originally Posted by jcgriff2 View Post
    Not sure what the "300" after "!thread" means as I can't locate any information on it at this time.
    The 300 is the actual handle that was being referenced.
    It was actually after '!handle', not '!thread'.

    It took Patrick and I a while to find the data structure that represents the Kernel and User mode of an object, I finally found it through sheer luck actually.
    After about an hour, and many MSDN articles, searching for undocumented data structures later...

    But good post though Patrick.
    usasma says thanks for this.

  5. #45
    jcgriff2's Avatar
    Join Date
    Feb 2012
    Location
    New Jersey Shore
    Posts
    16,445
    • specs System Specs
      • Manufacturer:
        HP
      • Model Number:
        HP ENVY TouchSmart 17-j130us Notebook - E8A04UA
      • Motherboard:
        HP Insyde 720265-501 6050A2549501-MB-A02
      • CPU:
        Intel Core i7-4700MQ Processor with Turbo Boost up to 3.4GHz.
      • Memory:
        12GB DDR3L SDRAM (2 DIMM)
      • Graphics:
        Intel HD graphics 4600 with up to 1792MB total graphics memory
      • Sound Card:
        Beats Audio quad speakers and two subwoofers
      • Hard Drives:
        1TB 5400RPM hard drive with HP ProtectSmart Hard Drive Protection
      • Disk Drives:
        Hitachi 500 GB SSD; 7 TB USB External
      • Power Supply:
        90w
      • Case:
        Laptop
      • Display:
        17.3-inch diagonal HD+ BrightView LED-backlit touchscreen display (1600 x 900)
      • Operating System:
        Windows 8.1

    Re: Most Notable BSOD Kernel Dump Analysis posts

    Quote Originally Posted by Jared View Post
    Quote Originally Posted by jcgriff2 View Post
    Not sure what the "300" after "!thread" means as I can't locate any information on it at this time.
    The 300 is the actual handle that was being referenced.
    It was actually after '!handle', not '!thread'.

    It took Patrick and I a while to find the data structure that represents the Kernel and User mode of an object, I finally found it through sheer luck actually.
    After about an hour, and many MSDN articles, searching for undocumented data structures later...

    But good post though Patrick.
    Thanks for spotting my typo. I changed !thread to !handle before the 300.

    I did look up !handle and don't see "300" as a parm; hence I still don't know its meaning.

    With user mode dumps, the parm options are 0x1, 0x2, 0x4 & 0x8.

    Kernel mode dumps - parm options listed are 0x1, 0x2, 0x4, 0x10 & 0x20.

    I was just curious as to where the "300" came from & what it does as compared to the other parms.

    Regardless of its origin ad meaning, it worked/helped you here!

    Thanks,

    John

  6. #46

    Re: Most Notable BSOD Kernel Dump Analysis posts

    By the way John, this is a great way to show recognition.
    jcgriff2 says thanks for this.

  7. #47
    Jared's Avatar
    Join Date
    Feb 2014
    Age
    21
    Posts
    1,584
    • specs System Specs
      • Manufacturer:
        Custom
      • Motherboard:
        ASUS Maximus VII Ranger
      • CPU:
        i7 4790K @ 4.4GHz
      • Memory:
        Corsair Vengeance 16GB 1866MHz
      • Graphics:
        MSI Gaming 4G GTX 980
      • Sound Card:
        Creative Soundblaster ZxR
      • Hard Drives:
        Samsung 850 SSD 250GB
      • Disk Drives:
        Western Digital Black Caviar 2TB
      • Power Supply:
        Corsair RM650 Modular 650 Watts
      • Case:
        Fractal Design Define R5 Window
      • Cooling:
        Corsair H100i GTX
      • Display:
        Dell U2515H 25inch 2560x1440 + LG Flatron M2262D 22inch 1920x1080
      • Operating System:
        Windows 10 Professional x64

    Re: Most Notable BSOD Kernel Dump Analysis posts

    Quote Originally Posted by jcgriff2 View Post
    Quote Originally Posted by Jared View Post
    Quote Originally Posted by jcgriff2 View Post
    Not sure what the "300" after "!thread" means as I can't locate any information on it at this time.
    The 300 is the actual handle that was being referenced.
    It was actually after '!handle', not '!thread'.

    It took Patrick and I a while to find the data structure that represents the Kernel and User mode of an object, I finally found it through sheer luck actually.
    After about an hour, and many MSDN articles, searching for undocumented data structures later...

    But good post though Patrick.
    Thanks for spotting my typo. I changed !thread to !handle before the 300.

    I did look up !handle and don't see "300" as a parm; hence I still don't know its meaning.

    With user mode dumps, the parm options are 0x1, 0x2, 0x4 & 0x8.

    Kernel mode dumps - parm options listed are 0x1, 0x2, 0x4, 0x10 & 0x20.

    I was just curious as to where the "300" came from & what it does as compared to the other parms.

    Regardless of its origin ad meaning, it worked/helped you here!

    Thanks,

    John
    300 isn't a parameter, it's the actual handle reference used to access an object, which was the handle reference that caused the crash.

    Its passed as a parameter with the bugcheck function, it's the 2nd parameter in that particular 0xC4 bugcheck.
    Last edited by Jared; 06-06-2015 at 04:30 AM. Reason: Grammar

  8. #48
    jcgriff2's Avatar
    Join Date
    Feb 2012
    Location
    New Jersey Shore
    Posts
    16,445
    • specs System Specs
      • Manufacturer:
        HP
      • Model Number:
        HP ENVY TouchSmart 17-j130us Notebook - E8A04UA
      • Motherboard:
        HP Insyde 720265-501 6050A2549501-MB-A02
      • CPU:
        Intel Core i7-4700MQ Processor with Turbo Boost up to 3.4GHz.
      • Memory:
        12GB DDR3L SDRAM (2 DIMM)
      • Graphics:
        Intel HD graphics 4600 with up to 1792MB total graphics memory
      • Sound Card:
        Beats Audio quad speakers and two subwoofers
      • Hard Drives:
        1TB 5400RPM hard drive with HP ProtectSmart Hard Drive Protection
      • Disk Drives:
        Hitachi 500 GB SSD; 7 TB USB External
      • Power Supply:
        90w
      • Case:
        Laptop
      • Display:
        17.3-inch diagonal HD+ BrightView LED-backlit touchscreen display (1600 x 900)
      • Operating System:
        Windows 8.1

    Re: Most Notable BSOD Kernel Dump Analysis posts

    OK... thanks.

    I wasn't aware that could be done per the Windbg help file debugger.chm.

  9. #49
    jcgriff2's Avatar
    Join Date
    Feb 2012
    Location
    New Jersey Shore
    Posts
    16,445
    • specs System Specs
      • Manufacturer:
        HP
      • Model Number:
        HP ENVY TouchSmart 17-j130us Notebook - E8A04UA
      • Motherboard:
        HP Insyde 720265-501 6050A2549501-MB-A02
      • CPU:
        Intel Core i7-4700MQ Processor with Turbo Boost up to 3.4GHz.
      • Memory:
        12GB DDR3L SDRAM (2 DIMM)
      • Graphics:
        Intel HD graphics 4600 with up to 1792MB total graphics memory
      • Sound Card:
        Beats Audio quad speakers and two subwoofers
      • Hard Drives:
        1TB 5400RPM hard drive with HP ProtectSmart Hard Drive Protection
      • Disk Drives:
        Hitachi 500 GB SSD; 7 TB USB External
      • Power Supply:
        90w
      • Case:
        Laptop
      • Display:
        17.3-inch diagonal HD+ BrightView LED-backlit touchscreen display (1600 x 900)
      • Operating System:
        Windows 8.1

    Re: Most Notable BSOD Kernel Dump Analysis posts

    Quote Originally Posted by Patrick View Post
    By the way John, this is a great way to show recognition.
    You did a great job, Patrick -- and it was a relatively easy one for me to explain in greater detail considering you prett much explained it as you went along in the thread.

    I simply expanded on what you did/posted to give the users (including myself) additional info on the various commands that you used.

Page 3 of 3 First 123

Similar Threads

  1. BSOD Kernel Dump Analysis Debugging Information
    By jcgriff2 in forum BSOD Kernel Dump Analysis Debugging Information
    Replies: 0
    Last Post: 11-28-2012, 01:06 AM
  2. BSOD on win7 Kernel problem?
    By rosendahl in forum BSOD, Crashes, Kernel Debugging
    Replies: 6
    Last Post: 10-14-2012, 10:09 AM
  3. BSOD Kernel/iaStor?
    By jackwebster in forum BSOD, Crashes, Kernel Debugging
    Replies: 19
    Last Post: 08-05-2012, 05:32 PM
  4. Hello, here to help with crash dump analysis!
    By Patrick in forum Introductions - New Members
    Replies: 13
    Last Post: 07-04-2012, 04:30 PM

Log in

Log in