This bugcheck is almost identical to a Stop 0xBE but instead of attempting to write to a portion of readonly memory, a driver is attempting to execute a portion of memory which has the non-executable protection bit set.
Rich (BB code):
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
An attempt was made to execute non-executable memory. The guilty driver
is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffff9505b5e00000, Virtual address for the attempted execute.
Arg2: 8a0000015aa008e3, PTE contents.
Arg3: fffff80682677db0, (reserved) <-- Address of the trap frame
Arg4: 0000000000000003, (reserved)
The most relevant parameters are the first and third; the virtual address and trap frame address. We can use the
!pte command on the first parameter to verify the protection bits by dumping the associated PTE for the address being executed.
Rich (BB code):
0: kd> !pte ffff9505b5e00000
Levels not implemented for this platform
This error occurs because there isn’t any associated PTE for the linear address which we provided to it. The
!pte command will automatically calculate the PTE address for us from the bits of the linear address and if there isn’t one, then the debugger will show the error as seen.
Let's examine the call stack to see which driver might have possibly caused the system to crash.
Rich (BB code):
0: kd> knL
# Child-SP RetAddr Call Site
00 fffff806`82677b78 fffff806`7f687312 nt!KeBugCheckEx
01 fffff806`82677b80 fffff806`7f6798cb nt!MiCheckSystemNxFault+0x12e90a << Throws Stop 0xFC bugcheck
02 fffff806`82677bc0 fffff806`7f46d1cf nt!MiRaisedIrqlFault+0x1414ef
03 fffff806`82677c10 fffff806`7f606a5e nt!MmAccessFault+0x4ef
04 fffff806`82677db0 ffff9505`b5e00000 nt!KiPageFault+0x35e
05 fffff806`82677f48 fffff806`968bd719 0xffff9505`b5e00000 << Address being executed
06 fffff806`82677f50 fffff806`968792f7 rtwlanu!ProcessReceivedPacketForEachPortSpecific+0x199 << Our problematic third-party driver
07 fffff806`82678250 fffff806`968bd511 rtwlanu!MultiPortFeedPacketToMultipleAdapter+0x47f
08 fffff806`82678350 fffff806`969cc8f2 rtwlanu!ProcessReceivedPacket+0x7d
09 fffff806`82678390 fffff806`969ccde9 rtwlanu!ProcessSegregatedPackets_8192E+0x132
0a fffff806`826783d0 fffff806`969cc791 rtwlanu!SegregateDmaAggPackets_8192E+0x189
0b fffff806`82678440 fffff806`969cc243 rtwlanu!ParsingRxAggregation_8192E+0x75
0c fffff806`82678480 fffff806`96816eac rtwlanu!HalUsbInMpduComplete8192EUsb+0xcb
0d fffff806`826784d0 fffff806`811a9249 rtwlanu!WdfUsb_InComplete+0x15c
0e fffff806`82678560 fffff806`811ac854 Wdf01000!FxRequestBase::CompleteSubmitted+0xe9
0f (Inline Function) --------`-------- Wdf01000!FxIoTarget::CompleteRequest+0x8
10 (Inline Function) --------`-------- Wdf01000!FxIoTarget::RequestCompletionRoutine+0xab
11 fffff806`826785f0 fffff806`7f557366 Wdf01000!FxIoTarget::_RequestCompletionRoutine+0xe4
12 fffff806`82678660 fffff806`7f4a0e4e nt!IopUnloadSafeCompletion+0x56
13 fffff806`82678690 fffff806`7f4a0d17 nt!IopfCompleteRequest+0x11e
14 fffff806`82678780 fffff806`811a811a nt!IofCompleteRequest+0x17
15 (Inline Function) --------`-------- Wdf01000!FxIrp::CompleteRequest+0x13
16 fffff806`826787b0 fffff806`811a5bbf Wdf01000!FxRequest::CompleteInternal+0x23a
17 (Inline Function) --------`-------- Wdf01000!FxRequest::Complete+0x31
18 fffff806`82678840 fffff806`a6f0cb4d Wdf01000!imp_WdfRequestComplete+0x8f
19 fffff806`826788a0 fffff806`a6f0ca11 USBXHCI!Bulk_Transfer_CompleteCancelable+0xc9
1a fffff806`82678900 fffff806`a6f0c800 USBXHCI!Bulk_ProcessTransferEventWithED1+0x1fd
1b fffff806`826789b0 fffff806`a6f07101 USBXHCI!Bulk_EP_TransferEventHandler+0x10
1c fffff806`826789e0 fffff806`a6f06c35 USBXHCI!Endpoint_TransferEventHandler+0xb1
1d fffff806`82678a40 fffff806`a6f0690c USBXHCI!Interrupter_DeferredWorkProcessor+0x315
1e fffff806`82678b40 fffff806`811a38f6 USBXHCI!Interrupter_WdfEvtInterruptDpc+0xc
1f (Inline Function) --------`-------- Wdf01000!FxInterrupt::DpcHandler+0x6e
20 fffff806`82678b70 fffff806`7f467f9e Wdf01000!FxInterrupt::_InterruptDpcThunk+0xa6
21 fffff806`82678bb0 fffff806`7f467284 nt!KiExecuteAllDpcs+0x30e
22 fffff806`82678d20 fffff806`7f5ff935 nt!KiRetireDpcList+0x1f4
23 fffff806`82678fb0 fffff806`7f5ff720 nt!KxRetireDpcList+0x5
24 fffff987`106af9c0 fffff806`7f5fefd5 nt!KiDispatchInterruptContinue
25 fffff987`106af9f0 fffff806`7f5fa431 nt!KiDpcInterruptBypass+0x25
26 fffff987`106afa00 00000000`00000000 nt!KiInterruptDispatch+0xb1
Just after the instruction at the address is being executed, a page fault is issued by the operating system, which is due to the fact that Windows will issue page faults on pages which have marked as non-executable. We can confirm that it is our address which caused the page fault by examining CR2 register:
Rich (BB code):
0: kd> r @cr2
cr2=ffff9505b5e00000
The page fault handler is then called which then checks that the page is non-executable, which it is, which then leads to the bugcheck Stop 0xFC being thrown as shown.
Now, we've identified the faulty driver which lead to the address being executed, if you dump the trap frame from the third parameter, you'll be able to notice that the address was being executed because it had been set as an instruction pointer.
Rich (BB code):
0: kd> .trap 0xfffff80682677db0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000007a rbx=0000000000000000 rcx=fffff806826781b0
rdx=ffff9cff390a0e92 rsi=0000000000000000 rdi=0000000000000000
rip=ffff9505b5e00000 rsp=fffff80682677f48 rbp=fffff80682678050
r8=0000000000000000 r9=0000000000000000 r10=ffff9505bb719038
r11=fffff806826781b0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe nc
ffff9505`b5e00000 a0d181ae0595ffff00 mov al,byte ptr [00FFFF9505AE81D1h] ds:00ffff95`05ae81d1=??
The driver in question is related to the Realtek network driver. It recommend to update the driver from the OEM support page or the device manufacturer page.
Rich (BB code):
0: kd> lmvm rtwlanu
Browse full module list
start end module name
fffff806`967d0000 fffff806`9715f000 rtwlanu (pdb symbols) C:\ProgramData\dbg\sym\rtwlanu.pdb\9C10FF687684407483FA9D0613F6E91F2\rtwlanu.pdb
Loaded symbol image file: rtwlanu.sys
Mapped memory image file: C:\ProgramData\dbg\sym\rtwlanu.sys\5D3EB1CD98f000\rtwlanu.sys
Image path: \SystemRoot\System32\drivers\rtwlanu.sys
Image name: rtwlanu.sys
Browse all global symbols functions data
Timestamp: Mon Jul 29 09:43:57 2019 (5D3EB1CD)
CheckSum: 00970F46
ImageSize: 0098F000
File version: 1030.38.712.2019
Product version: 1030.38.712.2019
File flags: 8 (Mask 3F) Private
File OS: 40004 NT Win32
File type: 3.6 Driver
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Realtek Semiconductor Corporation
ProductName: Realtek WLAN Wireless USB 2.0 Adapter
InternalName: rtwlanu.sys
OriginalFilename: rtwlanu.sys
ProductVersion: 1030.38.0712.2019
FileVersion: 1030.38.0712.2019
FileDescription: Realtek WLAN USB NDIS Driver 80816
LegalCopyright: Copyright (C) 2014 Realtek Semiconductor Corporation
