BSOD ntkrnlmp.exe - Full Log!!

Anthrax50551

Please let me know what you guys think. Usually I can figure this stuff out, but right now I cannot.

Code:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80290cbac8d, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP: 
nt! ?? ::FNODOBFM::`string'+f174
fffff802`90cbac8d 498b04c6        mov     rax,qword ptr [r14+rax*8]

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80290f64168
GetUlongFromAddress: unable to read from fffff80290f641f8
 ffffffffffffffff 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

BUGCHECK_STR:  0x1e_c0000005

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80290de61cd to fffff80290c66540

CONTEXT:  1e75fff88348c20b -- (.cxr 0x1e75fff88348c20b)
Unable to read context, Win32 error 0n30

STACK_TEXT:  
fffff880`009dae78 fffff802`90de61cd : 00000000`0000001e ffffffff`c0000005 fffff802`90cbac8d 00000000`00000000 : nt!KeBugCheckEx
fffff880`009dae80 fffff802`90c65942 : 00000000`00000000 00000000`0000002f 00000000`00000000 fffffa80`0f6e3a68 : nt! ?? ::FNODOBFM::`string'+0x1463f
fffff880`009db540 fffff802`90c63e4a : fffffa80`0ed12268 ffffffff`feced300 00000000`00000002 fffffa80`0ed12268 : nt!KiExceptionDispatch+0xc2
fffff880`009db720 fffff802`90cbac8d : fffff802`90cb9102 d4a21039`cf8359b8 00000000`00000000 fffffa80`0f6e3980 : nt!KiGeneralProtectionFault+0x10a
fffff880`009db8b8 ffffffff`00000000 : 00000000`00003980 00000000`01c07917 00000003`ffffffff fffffa80`00000078 : nt! ?? ::FNODOBFM::`string'+0xf174
fffff880`009db908 00000000`00003980 : 00000000`01c07917 00000003`ffffffff fffffa80`00000078 fffffa80`0f6e3b98 : 0xffffffff`00000000
fffff880`009db910 00000000`01c07917 : 00000003`ffffffff fffffa80`00000078 fffffa80`0f6e3b98 00000000`00000000 : 0x3980
fffff880`009db918 00000003`ffffffff : fffffa80`00000078 fffffa80`0f6e3b98 00000000`00000000 0000016d`7aa4ebdf : 0x1c07917
fffff880`009db920 fffffa80`00000078 : fffffa80`0f6e3b98 00000000`00000000 0000016d`7aa4ebdf 00000020`00000020 : 0x3`ffffffff
fffff880`009db928 fffffa80`0f6e3b98 : 00000000`00000000 0000016d`7aa4ebdf 00000020`00000020 00046240`643fed29 : 0xfffffa80`00000078
fffff880`009db930 00000000`00000000 : 0000016d`7aa4ebdf 00000020`00000020 00046240`643fed29 fffffa80`0f3d4800 : 0xfffffa80`0f6e3b98


FOLLOWUP_IP: 
nt! ?? ::FNODOBFM::`string'+f174
fffff802`90cbac8d 498b04c6        mov     rax,qword ptr [r14+rax*8]

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  nt! ?? ::FNODOBFM::`string'+f174

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  536464f4

STACK_COMMAND:  .cxr 0x1e75fff88348c20b ; kb

FAILURE_BUCKET_ID:  X64_0x1e_c0000005_nt!_??_::FNODOBFM::_string_+f174

BUCKET_ID:  X64_0x1e_c0000005_nt!_??_::FNODOBFM::_string_+f174

Followup: MachineOwner
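
As an added example (not part of the original post and not a Sysnative tool), the two things the analysis header says to note, the exception address and the link date of the image that contains it, can be pulled out of pasted output like the above with a short Python script. The sample text is trimmed from the post; treating the ffffffffffffffff address as a placeholder is an interpretation based on the nt!KiGeneralProtectionFault frame in the stack.

```python
import re
from datetime import datetime, timezone

# Excerpt of the !analyze -v output posted above (trimmed, values unchanged).
SAMPLE = """\
KMODE_EXCEPTION_NOT_HANDLED (1e)
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80290cbac8d, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception
fffff880`009db540 fffff802`90c63e4a : fffffa80`0ed12268 ffffffff`feced300 00000000`00000002 fffffa80`0ed12268 : nt!KiExceptionDispatch+0xc2
fffff880`009db720 fffff802`90cbac8d : fffff802`90cb9102 d4a21039`cf8359b8 00000000`00000000 fffffa80`0f6e3980 : nt!KiGeneralProtectionFault+0x10a
fffff880`009db908 00000000`00003980 : 00000000`01c07917 00000003`ffffffff fffffa80`00000078 fffffa80`0f6e3b98 : 0xffffffff`00000000
IMAGE_NAME:  ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  536464f4
"""

ACCESS = {0: "read", 1: "write", 8: "execute"}  # access-violation parameter 0

def field(text, name):
    """Return the value of a 'NAME:  value' line, or None if absent."""
    m = re.search(rf"^{name}:\s+(\S+)", text, re.M)
    return m.group(1) if m else None

def triage(text):
    """Summarise a 0x1E bugcheck report; raises ValueError if the header is missing."""
    head = re.search(r"^(\w+) \(([0-9a-f]+)\)\s*$", text, re.M)
    args = [int(v, 16) for v in re.findall(r"^Arg\d: ([0-9a-f]{16}),", text, re.M)]
    if not head or len(args) != 4:
        raise ValueError("not a bugcheck analysis header")
    # Stack rows are 'child-sp ret-addr : 4 args : symbol'; keep the symbol column.
    frames = re.findall(r"^[0-9a-f`]{17} [0-9a-f`]{17} : .+ : (.+)$", text, re.M)
    stamp = field(text, "DEBUG_FLR_IMAGE_TIMESTAMP")
    return {
        "bugcheck": head.group(1),
        "code": int(head.group(2), 16),
        "ntstatus": args[0] & 0xFFFFFFFF,   # Arg1 is sign-extended to 64 bits
        "fault_ip": args[1],
        "access": ACCESS.get(args[2], "unknown"),
        "address": args[3],
        # A #GP records no faulting address, so the reported address is a placeholder.
        "gp_fault": any("KiGeneralProtectionFault" in f for f in frames),
        "unsymbolized": sum(f.startswith("0x") for f in frames),
        "image": field(text, "IMAGE_NAME"),
        "link_date": datetime.fromtimestamp(int(stamp, 16), timezone.utc) if stamp else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The unsymbolized count shows how many stack rows resolved to a raw address instead of a module symbol, which is a hint that the unwind past the faulting frame is not trustworthy.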
 
You can go ahead and private message it to me if you're not comfortable posting the zip publicly, or you can just attach a zip of the dumps without the other info. Either is fine.

Regards,

Patrick
 
Hi,

Please refer to the following and reply back accordingly with the required information - https://www.sysnative.com/forums/bs...ons-windows-10-8-1-8-7-and-windows-vista.html

Regards,

Patrick

Yeah, uh, the only way I'm sharing that information is privately. A lot of it shows personal information, including email addresses, among other things that could probably expose me to hackers.

Where do email addresses appear in the Sysnative BSOD Collection App output?

We went to a lot of trouble with systeminfo.exe (a Windows executable) in particular to strip out the email address from the output file upon learning of it when Windows 8 came out. If other output files contain an email address, we will modify the app to remove it as well. But at this time, we have no such knowledge of an email address or personal info in the app's output files.

For info, there have been 100,000s of downloads and 10,000s of threads containing the output from that app at several large forums, including Microsoft-owned ones.

Regards. . .

jcgriff2
 
I think the user was referring to the fact that memory dumps can contain sensitive information. Interestingly enough, regardless of how skilled an RE you are, you very likely won't be able to extract any personal information that can be used maliciously from a simple small memory dump, as it's only a capture of the stack, etc. You'd likely need a Complete Memory Dump, as a KMD probably wouldn't even contain information worth RE'ing unless it was in kernel-space.
 
