Debugging Stop 0x7E - SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M

[x BlueRobot]

Caveat: Before we begin, it would be best to note the subtle difference between 0x1000007E and 0x7E, since while the bugchecks are identical in their cause, their processing by operating system is not. All bugcheck names which have been suffixed with M and subsequently codes which have been prefixed with 0x100000, signify that the crash is a "Minidump" version of that bugcheck. This ensures that a valid context is saved at the time of the exception which will improve the accuracy of the call stack.

Special thanks to @axe0 for bringing this to my attention.

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80020e3d57b, The address that the exception occurred at
Arg3: fffffb8aed24c0f8, Exception Record Address
Arg4: fffffb8aed24b930, Context Record Address

As the bugcheck description implies, this is a very common bugcheck and a very generic one at that, it is almost always caused by a access violation error and tends to be easy to debug, It is quite common for the faulty driver to be present on the call stack. The reason why the bugcheck occurs is because an exception is thrown within a system thread which isn't able to be handled by any given exception handler. System threads are able to be created by a device driver by calling the PsCreateSystemThread function. These threads run in kernel mode and are used by device drivers to perform some form of processing which requires a non-arbitrary thread context. Most of the system threads run within the System process and therefore it is very common to find the process context set to the System process with this crash. Please note that this does not mean that the System process is responsible for the bugcheck.

If we examine the call stack, we can see a system thread being initialised by the operating system:

3: kd> knL
 # Child-SP          RetAddr           Call Site
00 fffffb8a`ed24b0f8 fffff800`19c121be nt!KeBugCheckEx
01 fffffb8a`ed24b100 fffff800`19bccdd2 nt!PspSystemThreadStartup$filt$0+0x44
02 fffffb8a`ed24b140 fffff800`19c00072 nt!_C_specific_handler+0xa2
03 fffffb8a`ed24b1b0 fffff800`19ae6dd7 nt!RtlpExecuteHandlerForException+0x12
04 fffffb8a`ed24b1e0 fffff800`19ae59d6 nt!RtlDispatchException+0x297
05 fffffb8a`ed24b900 fffff800`19c092ac nt!KiDispatchException+0x186
06 fffffb8a`ed24bfc0 fffff800`19c05443 nt!KiExceptionDispatch+0x12c
07 fffffb8a`ed24c1a0 fffff800`20e3d57b nt!KiPageFault+0x443
[...]
26 fffffb8a`ed24cb70 fffff800`19b55855 nt!ExpWorkerThread+0x105
27 fffffb8a`ed24cc10 fffff800`19bfe808 nt!PspSystemThreadStartup+0x55
28 fffffb8a`ed24cc60 00000000`00000000 nt!KiStartSystemThread+0x28

Now, we have an understanding on how the bugcheck is caused, let's examine the individual parameters and see what they can tell us. The first parameter indicates the type of exception which has occurred, we can use the !error command to see which exception the exception code belongs to.

3: kd> !error c0000005
Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

We can see that the exception was an access violation error. This indicates that a driver has referenced an invalid memory address, which in turn leads to a page fault which isn't able to be resolved, leading to the bugcheck being produced. The second parameter reveals where the exception was raised. Let's dump the context record stored in the fourth parameter and see what instruction this address corresponds to.

3: kd> .cxr 0xfffffb8aed24b930
rax=0000000000000000 rbx=0000447ff7eeb628 rcx=ffffbb8001f1cfa8
rdx=0000447ff7eeb628 rsi=0000000000000127 rdi=ffffbb80081149d0
rip=fffff80020e3d57b rsp=fffffb8aed24c330 rbp=fffffb8aed24c460
 r8=fffff80020e8f000  r9=ffffbb8015e46868 r10=ffffbb8001561cf0
r11=fffffb8aed24c2c0 r12=ffffbb8013b79060 r13=fffff8001ca36da0
r14=ffffbb8008a46a08 r15=ffffbb8008a469e8
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
SynTP+0x3d57b:
fffff800`20e3d57b ff5070          call    qword ptr [rax+70h] ds:002b:00000000`00000070=????????????????

It seems that the exception was caused by a driver attempting to execute a call instruction using a completely invalid memory address. This would explain the access violation error shown in the exception record, which can be dumped using the .exr command and the value of the bugcheck's third parameter.

3: kd> .exr 0xfffffb8aed24c0f8
ExceptionAddress: fffff80020e3d57b (SynTP+0x000000000003d57b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000070
Attempt to read from address 0000000000000070

The exception record corresponds directly to what we found in the context record. The driver - SynTP.sys - was referencing the same invalid memory address shown earlier, which resulted in a access violation error being thrown. However, because there was no appropriate exception handler found, the system then decided to bugcheck with Stop 0x7E.

We can check what the driver is associated to by looking up the driver name in the Sysnative driver reference table, and it appears that SynTP.sys is a Synaptics touchpad driver. The driver appears to be from 2017 which is quite old and therefore it is recommend that the driver is updated from the appropriate support page.

3: kd> lmvm SynTP
Browse full module list
start             end                 module name
fffff800`20e00000 fffff800`20e9f000   SynTP    T (no symbols)        
    Loaded symbol image file: SynTP.sys
    Image path: \SystemRoot\system32\DRIVERS\SynTP.sys
    Image name: SynTP.sys
    Browse all global symbols  functions  data
    Timestamp:        Thu Aug 17 01:51:24 2017 (5994E88C)
    CheckSum:         000A7751
    ImageSize:        0009F000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:

If you're unable to find a third-party driver on the call stack, then you can dump the raw thread stack using the dps command. Likewise, if you have the PDE debugger extension library installed, then you can use !dpx as well.

Addendum:

For those who are curious, the .exr and .cxr commands technically parse the _EXCEPTION_RECORD and _CONTEXT structures respectively.

3: kd> dt _EXCEPTION_RECORD
nt!_EXCEPTION_RECORD
   +0x000 ExceptionCode    : Int4B
   +0x004 ExceptionFlags   : Uint4B
   +0x008 ExceptionRecord  : Ptr64 _EXCEPTION_RECORD
   +0x010 ExceptionAddress : Ptr64 Void
   +0x018 NumberParameters : Uint4B
   +0x020 ExceptionInformation : [15] Uint8B

Most of the fields correspond directly to the fields shown by .exr command and so I won't explain those again. The ExceptionRecord field is a pointer to another exception record which is for exceptions which have inner exception information, therefore in most cases, this field will usually be set to null. The ExceptionInformation field is an integer array and contains the exception parameters, as well as, the processor registers saved during the exception. You can dump the ExceptionInformation array as so:

3: kd> dp fffffb8aed24c0f8+0x20
fffffb8a`ed24c118  00000000`00000000 00000000`00000070
fffffb8a`ed24c128  ffffa251`28944fff 00000000`00000000
fffffb8a`ed24c138  00000000`00000000 00000000`00000000
fffffb8a`ed24c148  00000000`00000000 ffffc858`a9754e7d
fffffb8a`ed24c158  00000000`41706e50 ffffbb80`08a469e8
fffffb8a`ed24c168  fffff800`1ca36da0 ffffbb80`08a46a08
fffffb8a`ed24c178  ffffbb80`13b79060 ffffbb80`081149d0
fffffb8a`ed24c188  00000000`00000127 0000447f`f7eeb628

The context record contains all the registers saved when the context record was generated. This includes the EFLAGS register, segment registers and any machine-specific registers. You may noticed a set of peculiar fields called P1Home, P2Home etc. These are known as the homing parameters or homing space of a stack frame, instead of the first four parameters being stored in registers as per the x64 calling convention, the first four parameters are pushed onto the stack instead.

3: kd> dt _CONTEXT
nt!_CONTEXT
   +0x000 P1Home           : Uint8B
   +0x008 P2Home           : Uint8B
   +0x010 P3Home           : Uint8B
   +0x018 P4Home           : Uint8B
   +0x020 P5Home           : Uint8B
   +0x028 P6Home           : Uint8B
   +0x030 ContextFlags     : Uint4B
   +0x034 MxCsr            : Uint4B
   +0x038 SegCs            : Uint2B
   +0x03a SegDs            : Uint2B
   +0x03c SegEs            : Uint2B
   +0x03e SegFs            : Uint2B
   +0x040 SegGs            : Uint2B
   +0x042 SegSs            : Uint2B
   +0x044 EFlags           : Uint4B
   +0x048 Dr0              : Uint8B
   +0x050 Dr1              : Uint8B
   +0x058 Dr2              : Uint8B
   +0x060 Dr3              : Uint8B
   +0x068 Dr6              : Uint8B
   +0x070 Dr7              : Uint8B
   +0x078 Rax              : Uint8B
   +0x080 Rcx              : Uint8B
   +0x088 Rdx              : Uint8B
   +0x090 Rbx              : Uint8B
   +0x098 Rsp              : Uint8B
   +0x0a0 Rbp              : Uint8B
   +0x0a8 Rsi              : Uint8B
   +0x0b0 Rdi              : Uint8B
   +0x0b8 R8               : Uint8B
   +0x0c0 R9               : Uint8B
   +0x0c8 R10              : Uint8B
   +0x0d0 R11              : Uint8B
   +0x0d8 R12              : Uint8B
   +0x0e0 R13              : Uint8B
   +0x0e8 R14              : Uint8B
   +0x0f0 R15              : Uint8B
   +0x0f8 Rip              : Uint8B
   +0x100 FltSave          : _XSAVE_FORMAT
   +0x100 Header           : [2] _M128A
   +0x120 Legacy           : [8] _M128A
   +0x1a0 Xmm0             : _M128A
   +0x1b0 Xmm1             : _M128A
   +0x1c0 Xmm2             : _M128A
   +0x1d0 Xmm3             : _M128A
   +0x1e0 Xmm4             : _M128A
   +0x1f0 Xmm5             : _M128A
   +0x200 Xmm6             : _M128A
   +0x210 Xmm7             : _M128A
   +0x220 Xmm8             : _M128A
   +0x230 Xmm9             : _M128A
   +0x240 Xmm10            : _M128A
   +0x250 Xmm11            : _M128A
   +0x260 Xmm12            : _M128A
   +0x270 Xmm13            : _M128A
   +0x280 Xmm14            : _M128A
   +0x290 Xmm15            : _M128A
   +0x300 VectorRegister   : [26] _M128A
   +0x4a0 VectorControl    : Uint8B
   +0x4a8 DebugControl     : Uint8B
   +0x4b0 LastBranchToRip  : Uint8B
   +0x4b8 LastBranchFromRip : Uint8B
   +0x4c0 LastExceptionToRip : Uint8B
   +0x4c8 LastExceptionFromRip : Uint8B

References:

CodeMachine - Article - X64 Deep Dive
Bug Check 0x7E SYSTEM_THREAD_EXCEPTION_NOT_HANDLED - Windows drivers
Bug Check 0x1000007E SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M - Windows drivers
Question about STOP code differences
winsdk-10/bugcodes.h at master · tpn/winsdk-10

 

[x BlueRobot]

This crash was an excellent example in identifying the clues which could indicate that a file system filter driver is the culprit. All the bugchecks were Stop 0x7E. The call stack doesn’t reveal much but it was consistent in every dump which was examined.

1: kd> knL
 # Child-SP          RetAddr               Call Site
00 ffffa084`1b0e52f8 fffff800`59e3c69a     nt!KeBugCheckEx
01 ffffa084`1b0e5300 fffff800`59dde362     nt!PspSystemThreadStartup$filt$0+0x44
02 ffffa084`1b0e5340 fffff800`59e286e2     nt!_C_specific_handler+0xa2
03 ffffa084`1b0e53b0 fffff800`59cdb587     nt!RtlpExecuteHandlerForException+0x12
04 ffffa084`1b0e53e0 fffff800`59cdf4d1     nt!RtlDispatchException+0x2d7
05 ffffa084`1b0e5b40 fffff800`59e3288e     nt!KiDispatchException+0x1b1
06 ffffa084`1b0e6220 fffff800`59e2dadb     nt!KiExceptionDispatch+0x10e
07 ffffa084`1b0e6400 fffff800`5a1a0982     nt!KiGeneralProtectionFault+0x31b
08 ffffa084`1b0e6590 fffff800`5a0f5c01     nt!MmEnumerateAddressSpaceAndReferenceImages+0x1d2
09 ffffa084`1b0e6620 fffff800`5a20e3e4     nt!EtwpEnumerateAddressSpace+0x15d
0a ffffa084`1b0e67d0 fffff800`5a1b945b     nt!EtwpProcessEnumCallback+0x1d4
0b ffffa084`1b0e6870 fffff800`5a20e1bc     nt!PsEnumProcesses+0x37
0c ffffa084`1b0e68a0 fffff800`5a20dfbe     nt!EtwpProcessThreadImageRundown+0xc0
0d ffffa084`1b0e6930 fffff800`59daa4f8     nt!EtwpKernelTraceRundown+0xae
0e ffffa084`1b0e69a0 fffff800`5a20de6a     nt!EtwpUpdateSelectedGroupMasks+0x1f4
0f ffffa084`1b0e6aa0 fffff800`5a17e684     nt!EtwpUpdateGroupMasks+0x76
10 ffffa084`1b0e6b00 fffff800`5a2afc22     nt!EtwpStopLoggerInstance+0x58
11 ffffa084`1b0e6b70 fffff800`59d64555     nt!EtwpLogger+0x19c1f2
12 ffffa084`1b0e6bf0 fffff800`59e22394     nt!PspSystemThreadStartup+0x55
13 ffffa084`1b0e6c40 00000000`00000000     nt!KiStartSystemThread+0x34

As we can see, some kind of event trace logging is happening here. This isn’t anything unusual and is common to see in dump files. The exception is thrown around nt!MmEnumerateAddressSpaceAndReferenceImages. Every crash was because of this function call. This is the first clue that the issue is most likely being caused by a driver.

Now, if we examine the raw stack using !dpx then we can see the same file path being referenced each time with some calls to the filter manager. This is a clue that the culprit is a file system driver, especially if you take note of the file path being queried. It’s related to Steam which is a gaming client and Discord which is an IRC client.

1: kd> !du ffff9081b22a6000
"C:\Users\<redacted>\AppData\Local\Discord\app-1.0.9012\Discord.exe" torunnceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfx

5: kd> !du ffffa105d93fe000
"C:\Program Files (x86)\Steam\steam.exe" -silent12\Discord.exe" torunnceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfx

Here’s a excerpt of the raw stack from !dpx:

[...]

0xffffa0841b0e5b38 : 0xfffff80059cdf4d1 : nt!KiDispatchException+0x1b1
0xffffa0841b0e5b68 : 0xfffff80059c47100 : nt!IopFreeIrp+0x60
0xffffa0841b0e5b98 : 0xfffff80059c45515 : nt!IofCallDriver+0x55
0xffffa0841b0e5bc8 : 0xfffff80059c429bf : nt!ExpAllocatePoolWithTagFromNode+0x5f
0xffffa0841b0e5c68 : 0xfffff8005a1a0982 : nt!MmEnumerateAddressSpaceAndReferenceImages+0x1d2
0xffffa0841b0e5c78 : 0xfffff8005543bb0e : FLTMGR!FltpGetNormalizedFileNameWorker+0x5e
0xffffa0841b0e5c98 : 0xfffff80059c1ebd3 : nt!RtlCopyUnicodeString+0x43
0xffffa0841b0e5cc8 : 0xfffff8005543d0e9 : FLTMGR!FltpAllocateFileNameInformation+0x139
0xffffa0841b0e5cf8 : 0xfffff8005543cd40 : FLTMGR!FltpCreateFileNameInformation+0x1c0
0xffffa0841b0e5d20 : 0x0065002e00640072 :  !du ""rd.exe" pData\Local\Discord\app-$""
0xffffa0841b0e5d28 : 0x0020002200650078 :  !du ""xe" pData\Local\Discord\app-$""
0xffffa0841b0e5d30 : 0x0074006100440070 :  !du "pData\Local\Discord\app-$"
0xffffa0841b0e5d38 : 0x006f004c005c0061 :  !du "a\Local\Discord\app-$"
0xffffa0841b0e5d40 : 0x005c006c00610063 :  !du "cal\Discord\app-$"
0xffffa0841b0e5d48 : 0x0063007300690044 :  !du "Discord\app-$"
0xffffa0841b0e5d50 : 0x005c00640072006f :  !du "ord\app-$"
0xffffa0841b0e5d58 : 0x002d007000700061 :  !du "app-$"
0xffffa0841b0e5e18 : 0xfffff8005543fe59 : FLTMGR!FltGetFileNameInformationUnsafe+0x99
0xffffa0841b0e5e58 : 0xfffff8005543aeb7 : FLTMGR!FltReleaseFileNameInformation+0x107
0xffffa0841b0e5e68 : 0xfffff80059c1ebd3 : nt!RtlCopyUnicodeString+0x43
[...]

Once I requested the user provide a list of their registered file system filter drivers using the fltmc filters command, then it was quite obvious from the list which one was most likely causing the issue.

C:\Windows\system32>fltmc filters

Filter Name Num Instances Altitude Frame
------------------------------ ------------- ------------ -----
bindflt 1 409800 0
WdFilter 7 328010 0
storqosflt 0 244000 0
wcifs 2 189900 0
gameflt 5 189850 0
CldFlt 1 180451 0
FileCrypt 2 141100 0
luafv 1 135000 0
npsvctrig 1 46000 0
Wof 5 40700 0
FileInfo 7 40500 0

The gameflt.sys driver is a filter driver used by the Microsoft Gaming Services app. It seems to be delivered through an optional update and has been conjectured that it will allow PC users to run Xbox One natively. Here’s a quote from TechRadar, thanks to @ubuysa for finding this:

The latest build of the Windows 10 April 2019 Update also adds a new Gaming Service app (Microsoft.GamingServices) which installs two drivers xvdd.sys = XVD Disk Driver (Microsoft Gaming Filesystem Driver) gameflt.sys = Gaming Filter (Microsoft Gaming Install Filter Driver).

Source: Windows 10 April 2019 Update could play native Xbox One games

Since this isn’t a legacy file system filter driver, it will installed slightly differently and we will be able to remove it using pnputil. However, first we need to find the oem alias that the driver uses in order to use pnputil.

You’ll need to ensure that the DRIVERS hive has been loaded beforehand, but once that has been done, then you can search the registry for gameflt using FRST64 and it should provide a SearchReg.txt file like the following:

================== Search Registry: "gameflt" ===========

[HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverInfFiles\oem10.inf]
""="gameflt.inf_amd64_5c797a55721a7394"
[HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverInfFiles\oem10.inf]
"Active"="gameflt.inf_amd64_5c797a55721a7394"
[HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\gameflt.inf_amd64_5c797a55721a7394]
[HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\gameflt.inf_amd64_5c797a55721a7394]
"InfName"="gameflt.inf"
[HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages\gameflt.inf_amd64_5c797a55721a7394]
"Catalog"="gameflt.cat"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gameflt]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gameflt]
"ImagePath"="\SystemRoot\System32\DriverStore\FileRepository\gameflt.inf_amd64_5c797a55721a7394\gameflt.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gameflt]
"DisplayName"="@oem10.inf,%ServiceName%;gameflt"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gameflt\Instances]
"DefaultInstance"="gameflt Instance"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gameflt\Instances\gameflt Instance]

====== End of Search ======

As we can see, it uses an alias of oem10.inf; this what we will provide to pnputil:

pnputil /delete-driver oem10.inf /uninstall /reboot

The system will reboot if required. However, when this driver was removed, the user reported that no other crashes had occurred since.

Thread: [SOLVED] - [11 home] 0x7E BSOD. FIX: I updated Windows and removed gameflt.sys

 

[x BlueRobot]

There isn’t too much to say about this crash since it was a simple Stop 0x7E, but it does seem to have been caused a programming error: calling an undefined virtual function. This typically occurs because a caller has called an abstract or pure virtual function, that is, a function which is has a method signature defined in a base class but has no implementation in the derived class in which the function is being invoked.

If you do this user-mode, then you will simply get an application error, however, within kernel-mode this will lead to the __purecall exception handler being called as the following call stack demonstrates.

0: kd> knL
 # Child-SP          RetAddr               Call Site
00 ffffec8c`e9ddd298 fffff805`2586f704     nt!KeBugCheckEx
01 ffffec8c`e9ddd2a0 fffff805`2580e411     nt!PspSystemThreadStartup$filt$0+0x44
02 ffffec8c`e9ddd2e0 fffff805`25859e6f     nt!_C_specific_handler+0xa1
03 ffffec8c`e9ddd350 fffff805`2568c8b3     nt!RtlpExecuteHandlerForException+0xf
04 ffffec8c`e9ddd380 fffff805`25710f9d     nt!RtlDispatchException+0x2f3
05 ffffec8c`e9dddaf0 fffff805`25789b2f     nt!RtlRaiseException+0x10d
06 ffffec8c`e9dde070 fffff805`25a31a6e     nt!RtlRaiseStatus+0x4f
07 ffffec8c`e9dde610 fffff805`3d03466a     nt!purecall+0xe << Crash here!
08 ffffec8c`e9dde640 fffff805`3c62f98e     iacamera64+0xa2466a
09 ffffec8c`e9dded00 fffff805`3d02b848     iacamera64+0x1f98e
0a ffffec8c`e9dded70 fffff805`3c6668d5     iacamera64+0xa1b848
0b ffffec8c`e9ddeda0 fffff805`3c66aa49     iacamera64+0x568d5
0c ffffec8c`e9ddee00 fffff805`3c693b64     iacamera64+0x5aa49
0d ffffec8c`e9ddef00 fffff805`3c6aac60     iacamera64+0x83b64
0e ffffec8c`e9ddefa0 fffff805`3c69244a     iacamera64+0x9ac60
0f ffffec8c`e9ddf020 fffff805`3c665b70     iacamera64+0x8244a
10 ffffec8c`e9ddf0a0 fffff805`3c62db63     iacamera64+0x55b70
11 ffffec8c`e9ddf1d0 fffff805`3c62ce82     iacamera64+0x1db63
12 ffffec8c`e9ddf220 fffff805`3c6304fe     iacamera64+0x1ce82
13 ffffec8c`e9ddf260 fffff805`25631f30     iacamera64+0x204fe
14 ffffec8c`e9ddf290 fffff805`256356a5     nt!IopProcessWorkItem+0x100
15 ffffec8c`e9ddf300 fffff805`257429f7     nt!ExpWorkerThread+0x155
16 ffffec8c`e9ddf4f0 fffff805`25853b64     nt!PspSystemThreadStartup+0x57
17 ffffec8c`e9ddf540 00000000`00000000     nt!KiStartSystemThread+0x34

The status code which is raised as part of the exception is shown below:

0: kd> !error c0000002
Error code: (NTSTATUS) 0xc0000002 (3221225474) - {Not Implemented}  The requested operation is not implemented.

Once the user had updated their Intel camera driver then the system appears to have remained stable.

Closing Note: A quick introduction to Virtual Tables (vTables)

When we implement a class which has virtual functions then the compiler will generate what is known as a virtual function table or vTable. This table is simply an array of function pointers with a base pointer which contains the address of the table itself. Each class which either overrides or defines it’s own virtual functions will have it’s own virtual table, therefore if you had a base class and a derived class which inherits from the base class, both will have their own distinct tables with their own distinct function pointers. Although, if your derived class does not override any of the base class methods, then the function pointers of the derived class will simply point to the base class implementations: if, they have been defined!

Here is an example from the CAdapter class:

0: kd> dt wdiwifi!CAdapter -y __VFN_table ffffd8857c289000
   +0x000 __VFN_table : 0xfffff805`97b1be28 
   +0x008 __VFN_table : 0xfffff805`97b1be18 
   +0x010 __VFN_table : 0xfffff805`97b1be10 
   +0x018 __VFN_table : 0xfffff805`97b1be08 
   +0x020 __VFN_table : 0xfffff805`97b1be00

0: kd> dps 0xfffff805`97b1be28
fffff805`97b1be28  fffff805`97a69500 wdiwifi!CAdapter::ConvertNdisPortNumberToPortId
fffff805`97b1be30  fffff805`97a98dc0 wdiwifi!CAdapter::ConvertPortIdToNdisPortNumber
fffff805`97b1be38  fffff805`97a67a80 wdiwifi!CAdapter::IsOperationalPowerState
fffff805`97b1be40  fffff805`97a70200 wdiwifi!NotificationManager::OnEventQueueCallback
fffff805`97b1be48  fffff805`97a59eb0 wdiwifi!EventQueue::OnWorkItemCallback
fffff805`97b1be50  fffff805`97a62ab0 wdiwifi!EventQueue::OnEventQueueCallback
fffff805`97b1be58  fffff805`97aa2ff0 wdiwifi!DeviceCommandScheduler::OnTimerCallback
fffff805`97b1be60  fffff805`97aa2f10 wdiwifi!DeviceCommandScheduler::OnOperationCompleted
fffff805`97b1be68  fffff805`97a69160 wdiwifi!DeviceCommandScheduler::OnEventQueueCallback
fffff805`97b1be70  fffff805`97a6a270 wdiwifi!ActiveJobsList::OnEventQueueCallback
fffff805`97b1be78  fffff805`97a529e0 wdiwifi!ActiveJobsList::OnOperationCompleted
fffff805`97b1be80  fffff805`97a70220 wdiwifi!SerializedJobList::OnEventQueueCallback
fffff805`97b1be88  fffff805`97a68bd0 wdiwifi!SerializedJobList::OnOperationCompleted
fffff805`97b1be90  fffff805`97aaf520 wdiwifi!CDeleteMacOidJob::OnOperationStarted
fffff805`97b1be98  fffff805`97a68d60 wdiwifi!CJobBase::OnOperationCompleted
fffff805`97b1bea0  fffff805`97aad8a0 wdiwifi!CDeleteMacOidJob::OnJobStarted

References:

18.6 — The virtual table – Learn C++

_purecall

What is __purecall? - The Old New Thing

Virtual/pure virtual explained