Any suggestions how to triage PROCESS_HAS_LOCKED_PAGES bugcheck?

[kd2024]

I'm analyzing a kernel crash dump with the PROCESS_HAS_LOCKED_PAGES bugcheck. Here's what I get from WinDbg:
(I don't get all parameters for this bugcheck. Only the ones that I'm showing below.)

!analyze -show 0x76 0 0xffffaf05`5d1de200 5
Caused by a driver not cleaning up correctly after an I/O.

In this case Arg1 is 0, which means "Locked memory pages found in process being terminated".

So Arg2 is _EPROCESS or 0xffffaf05`5d1de200. When I look it up:

dt _EPROCESS 0xffffaf05`5d1de200

it gives me some user mode process. There's nothing unusual about it.

So what would be your next steps to triage this?

Oh, and here's the callstack:

# Child-SP RetAddr Call Site
00 ffff820c`a3755270 fffff803`0eb8d104 nt!KeBugCheck2+0x1fc
01 ffff820c`a3755890 fffff803`0f373680 nt!KeBugCheckEx+0x14
02 ffff820c`a37558a0 fffff803`0f200ed8 nt!MmDeleteProcessAddressSpace+0x99dd0
03 ffff820c`a37558e0 fffff803`0f1ac000 nt!PspProcessDelete+0x278
04 ffff820c`a3755970 fffff803`0ebe6000 nt!ObpRemoveObjectRoutine+0xd0
05 ffff820c`a37559c0 fffff803`0f201cd0 nt!ObfDereferenceObjectWithTag+0x140
06 ffff820c`a37559f0 fffff803`0f1ac000 nt!PspThreadDelete+0x310
07 ffff820c`a3755a50 fffff803`0ec1c248 nt!ObpRemoveObjectRoutine+0xd0
08 (Inline Function) --------`-------- nt!ObfDereferenceObjectWithTag+0xc0
09 (Inline Function) --------`-------- nt!ObfDereferenceObject+0xc0
0a ffff820c`a3755aa0 fffff803`0ec990a8 nt!PspReaper+0x1a8
0b ffff820c`a3755ba0 fffff803`0ec1a684 nt!ExpWorkerThread+0x158
0c ffff820c`a3755d30 fffff803`0ef32a8c nt!PspSystemThreadStartup+0x64
0d ffff820c`a3755d90 00000000`00000000 nt!KiStartSystemThread+0x24

 

[ubuysa]

I think you'll get a better response if you upload the actual dump so people on here can look at it for themselves.

 

[kd2024]

Thanks, @ubuysa. I can't upload a .dmp file because of these reasons:

1. The client I work for will not like the idea of me uploading these dumps.
2. Privacy concerns of the people whose system crashed.
3. The dumps are usually 16GB, 32GB or 64GB in size.

At this point I can only blame a memory corruption for what I can see. That is why I am asking for advice here, in case someone has a suggestion for something else for me to try that I am missing.

 

[x BlueRobot]

The documentation already suggests what to do: Bug Check 0x76 PROCESS_HAS_LOCKED_PAGES - Windows drivers

Just open an elevated command prompt on the client machine and then enter:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v TrackLockedPages /t REG_DWORD /d 0x1 /f

Afterwards, reboot the machine and wait for the system to crash again. You could even try the !lockedpages WinDbg command too.

 

[kd2024]

Hmm, thanks. !lockedpages is a good idea. I'll try. As for that registry setting, I will try it too if I have a repro. Usually I just get a crash dump and nothing else.