What's new

Most Notable BSOD Kernel Dump Analysis posts

Vir Gnarus

BSOD Kernel Dump Analyst
Joined
Mar 2, 2012
Messages
469
Yeah, SMART values are a bit of a pain to interpret. Some of them are setup in some very unusual ways, and it's rather vendor-specific. Good catch though, anything that can help clarify SMART is good in my book!
 

jcgriff2

Site Administrator, Forum General Manager, BSOD Kernel Dump Expert
Staff member
Joined
Feb 19, 2012
Messages
17,479
Location
New Jersey Shore
Bugcheck 0x116 -

As a reference to other analysts, make sure to check 3rd bugcheck argument for any possible error code that the driver (or DirectX?) may have reported. In this case, it's c000009a, or insufficient resources to complete the request API call, which is a common problem with 0x116 bugchecks. It could mean either a driver is leaking memory (pool memory), insufficient RAM, or some resource contention issue.

I recommend if you find the latest crash a client experienced has this error code in the 3rd arg, ask them for a kernel dump. It'll contain the info you'll need to do most memory management analysis tasks, like !vm and !poolused.
Great info!

Thank you...
 

usasma

Microsoft MVP
Joined
Feb 20, 2012
Messages
2,094
BSOD New PC
Just an average BSOD post, but it demonstrates:
1) That the cause of the BSOD isn't necessarily correct - even if a 3rd party driver (that we know is a problem - Norton) is named.
2) That the reports and older drivers scan is/are helpful in solving this sort of issue (it was due to the older Citrix drivers)
3) That the use of Driver Verifier is helpful, and can even verify our suspicions (note the date of the dump in the initial post - 18 Jan, and I didn't suggest running DV).

Another instance of a smart user solving their own problem!
 

Wrench97

Administrator, Hardware Expert
Staff member
Joined
Feb 20, 2012
Messages
2,656
Location
S.E. Pennsylvania
Ya know that being a Lano APU I wonder if it's actually the GPU section of the CPU that's throwing the error, do the 2 show up differently in the stacks?
 

Vir Gnarus

BSOD Kernel Dump Analyst
Joined
Mar 2, 2012
Messages
469
You may be on to something. I've seen APU/GPU conflicts before. I'll make mention of it. Thanks!
 

jcgriff2

Site Administrator, Forum General Manager, BSOD Kernel Dump Expert
Staff member
Joined
Feb 19, 2012
Messages
17,479
Location
New Jersey Shore
You can find the WRusr on the stack, but I'm not sure if it's directly connected to the problem. Just as usasma said - remove WebRoot and see if it helps.
Code:
0:002> !teb
TEB at 7efd7000
    ExceptionList:        0497ed90
    StackBase:            04980000
    StackLimit:           0497d000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7efd7000
    EnvironmentPointer:   00000000
    ClientId:             0000098c . 00000a94
    RpcHandle:            00000000
    Tls Storage:          7efd702c
    PEB Address:          7efde000
    LastErrorValue:       0
    LastStatusValue:      c0000034
    Count Owned Locks:    0
    HardErrorMode:        0
0:002> dds 0497d000 04980000
[CUT]
0497ecd4  ????????
0497ecd8  0497ed04
0497ecdc  7775013d ntdll!NtWaitForMultipleObjects+0x15
0497ece0  720e87a9 WRusr+0x187a9
0497ece4  00000002
0497ece8  0497ed54
0497ecec  00000001
0497ecf0  00000000
0497ecf4  00000000
0497ecf8  00000002
0497ecfc  00000000
0497ed00  00000000
0497ed04  0497eda0
0497ed08  757615e9 KERNELBASE!WaitForMultipleObjectsEx+0x100
0497ed0c  00000002
0497ed10  0497ed54
0497ed14  00000001
0497ed18  00000000
0497ed1c  00000000
0497ed20  8b622535
0497ed24  00000002
0497ed28  0497edcc
0497ed2c  0497edc8
0497ed30  00000024
0497ed34  00000001
0497ed38  00000000
0497ed3c  00000000
0497ed40  00000000
0497ed44  00000000
0497ed48  00000000
0497ed4c  00000000
0497ed50  00000000
0497ed54  0000010c
0497ed58  000000e8
0497ed5c  00730079
0497ed60  004f0057
0497ed64  00360057
0497ed68  005c0034
0497ed6c  00650057
0497ed70  00460072
0497ed74  00750061
0497ed78  0074006c
0497ed7c  0065002e
0497ed80  00000002
0497ed84  00000000
0497ed88  0497ed20
0497ed8c  00000000
0497ed90  0497ee60
0497ed94  75786ff0 KERNELBASE!_except_handler4
0497ed98  fa8d402d
0497ed9c  00000000
0497eda0  0497ede8
0497eda4  76ff1a2c kernel32!WaitForMultipleObjectsExImplementation+0xe0
0497eda8  0497ed54
0497edac  0497edc8
0497edb0  00000000
0497edb4  ffffffff
0497edb8  00000000
0497edbc  00170000
0497edc0  000000e8
0497edc4  00000000
0497edc8  0000010c
0497edcc  000000e8
0497edd0  006f0064
0497edd4  00730077
0497edd8  0053005c
0497eddc  00730079
0497ede0  004f0057
0497ede4  00360057
0497ede8  0497ee04
0497edec  76ff4220 kernel32!WaitForMultipleObjects+0x18
0497edf0  00000002
0497edf4  7efde000
0497edf8  00000000
0497edfc  ffffffff
0497ee00  00000000
0497ee04  0497ee70
0497ee08  770180c4 kernel32!WerpReportFaultInternal+0x186
0497ee0c  00000002
0497ee10  0497ee38
0497ee14  00000000
0497ee18  ffffffff
0497ee1c  8b6226dd
0497ee20  00000000
0497ee24  00000000
0497ee28  0497ef34
0497ee2c  0000000c
0497ee30  00000000
0497ee34  00000001
0497ee38  0000010c
0497ee3c  000000e8
0497ee40  00000000
0497ee44  00170000
0497ee48  80004005
0497ee4c  000000e8
0497ee50  000000ec
0497ee54  0000010c
0497ee58  0497ee1c
0497ee5c  8b622625
0497ee60  0497ef10
0497ee64  77094123 kernel32!_except_handler4
0497ee68  f8f44855
0497ee6c  00000000
0497ee70  0497ee84
0497ee74  77017f83 kernel32!WerpReportFault+0x70
0497ee78  0497ef34
0497ee7c  00000001
0497ee80  00000001
0497ee84  0497ee94
0497ee88  77017878 kernel32!BasepReportFault+0x20
0497ee8c  0497ef34
0497ee90  00000001
0497ee94  0497ef20
0497ee98  770177f7 kernel32!UnhandledExceptionFilter+0x1af
0497ee9c  0497ef34
0497eea0  00000001
0497eea4  8b62278d
0497eea8  00000000
0497eeac  770c030c kernel32!BasepUEFLock
0497eeb0  00000003
0497eeb4  00000000
0497eeb8  00000000
0497eebc  00000000
0497eec0  00000000
0497eec4  00000000
0497eec8  00000000
0497eecc  00000000
0497eed0  00000000
0497eed4  00000000
0497eed8  00000000
0497eedc  00000000
0497eee0  00000000
0497eee4  00000000
0497eee8  00000000
0497eeec  00000000
0497eef0  00000000
0497eef4  00000001
0497eef8  00000000
0497eefc  00000000
0497ef00  00000006
0497ef04  00000000
0497ef08  0497eea4
0497ef0c  00000000
0497ef10  0497f28c
0497ef14  77094123 kernel32!_except_handler4
0497ef18  f8f4b095
0497ef1c  fffffffe
0497ef20  0497f25c
0497ef24  00efc6af mbamgui+0x3c6af
0497ef28  00000000
0497ef2c  00efd218 mbamgui+0x3d218
0497ef30  0497f35c
0497ef34  0497ef3c
0497ef38  0497ef8c
0497ef3c  40000015
0497ef40  00000001
0497ef44  00000000
0497ef48  00efb525 mbamgui+0x3b525
0497ef4c  00000000
0497ef50  00000000
0497ef54  00000000
0497ef58  00000000
0497ef5c  00000000
0497ef60  00000000
0497ef64  00000000
0497ef68  00000000
0497ef6c  00000000
0497ef70  00000000
0497ef74  00000000
0497ef78  00000000
0497ef7c  00000000
0497ef80  00000000
0497ef84  00000000
0497ef88  00000000
0497ef8c  00010001
0497ef90  00000000
0497ef94  0497eff4
0497ef98  75761ac0 KERNELBASE!GetModuleHandleForUnicodeString+0xad
0497ef9c  8b62274d
0497efa0  00000000
0497efa4  725942d8 mbamnet+0x1742d8
0497efa8  00000002
0497efac  00000000
0497efb0  00000000
0497efb4  00000000
0497efb8  00000000
0497efbc  76fe0000 kernel32!_imp__DebugBreak <PERF> (kernel32+0x0)
0497efc0  0497ef9c
0497efc4  00000000
0497efc8  0497f440
0497efcc  75786ff0 KERNELBASE!_except_handler4
0497efd0  fa8d406d
0497efd4  fffffffe
0497efd8  75761ac0 KERNELBASE!GetModuleHandleForUnicodeString+0xad
0497efdc  7578739e KERNELBASE!_SEH_epilog4_GS+0xa
0497efe0  75761cfb KERNELBASE!BasepGetModuleHandleExW+0x233
0497efe4  8b623cc5
0497efe8  00000000
0497efec  028f1f58
0497eff0  72420000 mbamnet
0497eff4  001a0018
0497eff8  725942d8 mbamnet+0x1742d8
0497effc  0497f470
0497f000  00000000
0497f004  00000000
0497f008  00000000
0497f00c  02080000
0497f010  0497f22c
0497f014  02080000
0497f018  0497002b
0497f01c  00000053
0497f020  76fe002b kernel32!_imp__DebugBreak <PERF> (kernel32+0x2b)
0497f024  0000002b
0497f028  00efd218 mbamgui+0x3d218
0497f02c  770c030c kernel32!BasepUEFLock
0497f030  00000003
0497f034  00000000
0497f038  00000000
0497f03c  0497ef8c
0497f040  0497f29c
0497f044  00efb525 mbamgui+0x3b525
0497f048  00000023
0497f04c  00000202
0497f050  0497f260
0497f054  0000002b
0497f058  00000000
0497f05c  00000000
0497f060  00000000
0497f064  00000000
0497f068  00000000
0497f06c  00000000
0497f070  00000000
0497f074  00000000
0497f078  00000000
0497f07c  00000000
0497f080  00000000
0497f084  00000000
0497f088  00000000
0497f08c  00000000
0497f090  00000000
0497f094  00000000
0497f098  00000000
0497f09c  00000000
0497f0a0  00000000
0497f0a4  00000000
0497f0a8  00000000
0497f0ac  00000000
0497f0b0  00000000
0497f0b4  00000000
0497f0b8  00000000
0497f0bc  00000000
0497f0c0  00000000
0497f0c4  00000000
0497f0c8  8b623861
0497f0cc  0497f520
0497f0d0  76ff3362 kernel32!_BaseDllInitialize+0x92
0497f0d4  00000002
0497f0d8  00000000
0497f0dc  0497f5b0
0497f0e0  0497f534
0497f0e4  76ff3377 kernel32!_BaseDllInitialize+0x2cf
0497f0e8  00000000
0497f0ec  00000000
0497f0f0  01092ce0
0497f0f4  00000000
0497f0f8  76fe0000 kernel32!_imp__DebugBreak <PERF> (kernel32+0x0)
0497f0fc  00000000
0497f100  00000000
0497f104  00000000
0497f108  00000000
0497f10c  00000000
0497f110  00000000
0497f114  00000000
0497f118  00000000
0497f11c  00000000
0497f120  00000000
0497f124  00000000
0497f128  00000000
0497f12c  00000000
0497f130  00000000
0497f134  00000000
0497f138  00000000
0497f13c  00000044
0497f140  02a94188
0497f144  02c10000
0497f148  02a94fe0
0497f14c  00000000
0497f150  00000000
0497f154  00000000
0497f158  00000000
0497f15c  00000187
0497f160  0497f24c
0497f164  00000044
0497f168  00000044
0497f16c  77762c8f ntdll!RtlpAllocateHeap+0xc78
0497f170  02a94190
0497f174  00000000
0497f178  77763cc3 ntdll!RtlpAllocateHeap+0xe73
0497f17c  7314e5e2
0497f180  00000002
0497f184  02c103a4
0497f188  02c10000
0497f18c  02c10150
0497f190  00000000
0497f194  00000000
0497f198  02c12a48
0497f19c  00000000
0497f1a0  02c12a94
0497f1a4  00000000
0497f1a8  00000187
0497f1ac  00000000
0497f1b0  02c12a48
0497f1b4  0000014b
0497f1b8  02a87ec8
0497f1bc  00000000
0497f1c0  000001cb
0497f1c4  00000000
0497f1c8  00000080
0497f1cc  00000000
0497f1d0  00000000
0497f1d4  00000000
0497f1d8  00000000
0497f1dc  00000000
0497f1e0  02000002
0497f1e4  02c1ff90
0497f1e8  57000453
0497f1ec  00000000
0497f1f0  00000000
0497f1f4  00000000
0497f1f8  000007ff
0497f1fc  00000000
0497f200  1f000c13
0497f204  02c1d1c0
0497f208  00000001
0497f20c  00000000
0497f210  0000000a
0497f214  0000000c
0497f218  02a94190
0497f21c  02a94190
0497f220  7774fbca ntdll!ZwQueryVirtualMemory+0x12
0497f224  7575ef1f KERNELBASE!VirtualQueryEx+0x1d
0497f228  ffffffff
0497f22c  00efd218 mbamgui+0x3d218
0497f230  00000000
0497f234  0497f274
0497f238  0000001c
0497f23c  0497f254
0497f240  0497f258
0497f244  7575efeb KERNELBASE!VirtualQuery+0x15
0497f248  0497f29c
0497f24c  00efda8b mbamgui+0x3da8b
0497f250  0000001e
0497f254  0497f29c
0497f258  8b7704ef
0497f25c  0497f29c
0497f260  00efb525 mbamgui+0x3b525
0497f264  00000003
0497f268  40000015
0497f26c  00000001
0497f270  00eff92a mbamgui+0x3f92a
0497f274  8b77042f
0497f278  00efd218 mbamgui+0x3d218
0497f27c  770c030c kernel32!BasepUEFLock
0497f280  0497f35c
0497f284  0497f274
0497f288  00000020
0497f28c  0497f31c
0497f290  00efccc0 mbamgui+0x3ccc0
0497f294  8f12ef63
0497f298  fffffffe
0497f29c  0497f2a4
0497f2a0  00efd254 mbamgui+0x3d254
0497f2a4  0497f32c
0497f2a8  7703003f kernel32!UnhandledExceptionFilter+0x127
0497f2ac  0497f35c
0497f2b0  8b623b81
0497f2b4  00000000
0497f2b8  0497f35c
0497f2bc  00000000
0497f2c0  0497f2cc
0497f2c4  00f00e00 mbamgui+0x40e00
0497f2c8  00f2e318 mbamgui+0x6e318
0497f2cc  0497f304
0497f2d0  00efdb9f mbamgui+0x3db9f
0497f2d4  0000000c
0497f2d8  00efdb88 mbamgui+0x3db88
0497f2dc  00000011
0497f2e0  00000000
0497f2e4  0497f45c
0497f2e8  00000000
0497f2ec  0497f2dc
0497f2f0  00000001
0497f2f4  0497f388
0497f2f8  00efccc0 mbamgui+0x3ccc0
0497f2fc  8f12efd3
0497f300  00000001
0497f304  00000000
0497f308  00000000
0497f30c  00000006
0497f310  00000000
0497f314  0497f2b0
0497f318  00000024
0497f31c  0497f388
0497f320  77094123 kernel32!_except_handler4
0497f324  f8f4b095
0497f328  fffffffe
0497f32c  0497f900
0497f330  777a74df ntdll!__RtlUserThreadStart+0x62
0497f334  0497f35c
0497f338  777a73bc ntdll!_EH4_CallFilterFunc+0x12
0497f33c  00000000
0497f340  0497f900
0497f344  7775c530 ntdll! ?? ::FNODOBFM::`string'+0xb5e
0497f348  0497f370
0497f34c  777a7261 ntdll!_except_handler4+0x8e
0497f350  00000000
0497f354  00000000
0497f358  00000000
0497f35c  0497f45c
0497f360  0497f4ac
0497f364  7775c540 ntdll! ?? ::FNODOBFM::`string'+0xb6e
0497f368  00000001
0497f36c  00f6d80e
0497f370  0497f394
0497f374  7778b459 ntdll!ExecuteHandler2+0x26
0497f378  fffffffe
0497f37c  0497f8f0
0497f380  0497f4ac
0497f384  0497f430
0497f388  0497f8a4
0497f38c  7778b46d ntdll!ExecuteHandler2+0x3a
0497f390  0497f8f0
0497f394  0497f444
0497f398  7778b42b ntdll!ExecuteHandler+0x24
0497f39c  0497f45c
0497f3a0  0497f8f0
0497f3a4  0497f4ac
0497f3a8  0497f430
0497f3ac  777a71d5 ntdll!_except_handler4
0497f3b0  00000000
0497f3b4  0497f45c
0497f3b8  0497f8f0
0497f3bc  7778b3ce ntdll!RtlDispatchException+0x127
0497f3c0  0497f45c
0497f3c4  0497f8f0
0497f3c8  0497f4ac
0497f3cc  0497f430
0497f3d0  777a71d5 ntdll!_except_handler4
0497f3d4  00000000
0497f3d8  0497f45c
0497f3dc  00000000
0497f3e0  fffffffe
0497f3e4  77763cc3 ntdll!RtlpAllocateHeap+0xe73
0497f3e8  77763cee ntdll!RtlAllocateHeap+0x23a
0497f3ec  00000214
0497f3f0  00000220
0497f3f4  028f1f52
0497f3f8  028f1f50
0497f3fc  00000000
0497f400  00000214
0497f404  72420000 mbamnet
0497f408  00000178
0497f40c  00000180
0497f410  01108d7a
0497f414  01108d78
0497f418  0497f5b0
0497f41c  00000000
0497f420  00000002
0497f424  01000214
0497f428  0497f370
0497f42c  00d48b12
0497f430  00000000
0497f434  0000004d
0497f438  04980000
0497f43c  0497e000
0497f440  0097f48c
0497f444  0497f7e4
0497f448  77740133 ntdll!KiUserExceptionDispatcher+0xf
0497f44c  0097f45c
0497f450  0497f4ac
0497f454  0497f45c
0497f458  0497f4ac
0497f45c  e06d7363
0497f460  00000001
0497f464  00000000
0497f468  7575c41f KERNELBASE!RaiseException+0x58
0497f46c  00000003
0497f470  19930520
0497f474  0497f880
0497f478  00f21cd8 mbamgui+0x61cd8
0497f47c  02c1f790
0497f480  0497f880
0497f484  00000008
0497f488  0061001f
0497f48c  0000000e
0497f490  00000003
0497f494  00000000
0497f498  00000018
0497f49c  02c1f4d0
0497f4a0  0497f7f8
0497f4a4  00efa032 mbamgui+0x3a032
0497f4a8  02c10000
0497f4ac  0001003f
0497f4b0  00000000
0497f4b4  00000000
0497f4b8  00000000
0497f4bc  00000000
0497f4c0  00000000
0497f4c4  00000000
0497f4c8  0000027f
0497f4cc  00000000
0497f4d0  0000ffff
0497f4d4  00000000
0497f4d8  00000000
0497f4dc  00000000
0497f4e0  00000000
0497f4e4  00000000
0497f4e8  00000000
0497f4ec  00000000
0497f4f0  00000000
0497f4f4  00000000
0497f4f8  00000000
0497f4fc  00000000
0497f500  00000000
0497f504  00000000
0497f508  00000000
0497f50c  00000000
0497f510  00000000
0497f514  00000000
0497f518  00000000
0497f51c  00000000
0497f520  00000000
0497f524  00000000
0497f528  00000000
0497f52c  00000000
0497f530  00000000
0497f534  00000001
0497f538  0000002b
0497f53c  00000053
0497f540  0000002b
0497f544  0000002b
0497f548  00000000
0497f54c  00000000
0497f550  00000008
0497f554  00000000
0497f558  00000003
0497f55c  0497f794
0497f560  0497f7e4
0497f564  7575c41f KERNELBASE!RaiseException+0x58
0497f568  00000023
0497f56c  00000212
0497f570  0497f794
0497f574  0000002b
0497f578  0000027f
0497f57c  00000000
0497f580  00000000
0497f584  00000000
0497f588  00000000
0497f58c  00000000
0497f590  00001f80
0497f594  0000ffff
0497f598  00000000
[CUT]
0:002> lmvm WRusr
start    end        module name
720d0000 720fc000   WRusr    T (no symbols)           
    Loaded symbol image file: WRusr.dll
    Image path: C:\Windows\System32\WRusr.dll
    Image name: WRusr.dll
    Timestamp:        Fri Jun 07 01:37:56 2013 (51B11D54)
    CheckSum:         000303E0
    ImageSize:        0002C000
    File version:     8.0.2.150
    Product version:  8.0.2.150
    File flags:       8 (Mask 3F) Private
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:002> ~* kbn
   0  Id: 98c.990 Suspend: 1 Teb: 7efdd000 Unfrozen
 # ChildEBP RetAddr  Args to Child              
00 00d0f774 7588790d 00d0f7b4 000100a4 00000000 user32!NtUserGetMessage+0x15
01 00d0f790 00ec40d0 00d0f7b4 000100a4 00000000 user32!GetMessageW+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
02 00d0f7d4 00ec3eb0 8f300f67 00000000 00000000 mbamgui+0x40d0
03 00d0f9d4 00ef807d 00ec0000 00000000 01090e08 mbamgui+0x3eb0
04 00d0fa64 76ff33aa 7efde000 00d0fab0 77769ef2 mbamgui+0x3807d
05 00d0fa70 77769ef2 7efde000 7753ed1e 00000000 kernel32!BaseThreadInitThunk+0xe
06 00d0fab0 77769ec5 00ef80d0 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
07 00d0fac8 00000000 00ef80d0 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
   1  Id: 98c.a8c Suspend: 1 Teb: 7efda000 Unfrozen
 # ChildEBP RetAddr  Args to Child              
00 03ebdb88 75757a56 000000e0 00000000 00000000 ntdll!ZwFsControlFile+0x15
01 03ebdbcc 00ecb48a 000000e0 00000000 00000000 KERNELBASE!ConnectNamedPipe+0x5d
WARNING: Stack unwind information not available. Following frames may be wrong.
02 03ebdbd8 00000000 00000008 00000000 03ebfc24 mbamgui+0xb48a
#  2  Id: 98c.a94 Suspend: 0 Teb: 7efd7000 Unfrozen
 # ChildEBP RetAddr  Args to Child              
00 0497ed04 757615e9 00000002 0497ed54 00000001 ntdll!NtWaitForMultipleObjects+0x15
01 0497eda0 76ff1a2c 0497ed54 0497edc8 00000000 KERNELBASE!WaitForMultipleObjectsEx+0x100
02 0497ede8 76ff4220 00000002 7efde000 00000000 kernel32!WaitForMultipleObjectsExImplementation+0xe0
03 0497ee04 770180c4 00000002 0497ee38 00000000 kernel32!WaitForMultipleObjects+0x18
04 0497ee70 77017f83 0497ef34 00000001 00000001 kernel32!WerpReportFaultInternal+0x186
05 0497ee84 77017878 0497ef34 00000001 0497ef20 kernel32!WerpReportFault+0x70
06 0497ee94 770177f7 0497ef34 00000001 8b62278d kernel32!BasepReportFault+0x20
07 0497ef20 00efc6af 00000000 00efd218 0497f35c kernel32!UnhandledExceptionFilter+0x1af
WARNING: Stack unwind information not available. Following frames may be wrong.
08 0497f25c 00efb525 00000003 40000015 00000001 mbamgui+0x3c6af
09 0497f29c 00efd254 0497f32c 7703003f 0497f35c mbamgui+0x3b525
0a 0497f2a4 7703003f 0497f35c 8b623b81 00000000 mbamgui+0x3d254
0b 0497f32c 777a74df 0497f35c 777a73bc 00000000 kernel32!UnhandledExceptionFilter+0x127
0c 0497f334 777a73bc 00000000 0497f900 7775c530 ntdll!__RtlUserThreadStart+0x62
0d 0497f348 777a7261 00000000 00000000 00000000 ntdll!_EH4_CallFilterFunc+0x12
0e 0497f370 7778b459 fffffffe 0497f8f0 0497f4ac ntdll!_except_handler4+0x8e
0f 0497f394 7778b42b 0497f45c 0497f8f0 0497f4ac ntdll!ExecuteHandler2+0x26
10 0497f3b8 7778b3ce 0497f45c 0497f8f0 0497f4ac ntdll!ExecuteHandler+0x24
11 0497f444 77740133 0097f45c 0497f4ac 0497f45c ntdll!RtlDispatchException+0x127
12 0497f444 7575c41f 0097f45c 0497f4ac 0497f45c ntdll!KiUserExceptionDispatcher+0xf
13 0497f7e4 00ef857e e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
14 0497f81c 00ec6f84 0497f880 00f21cd8 8b770e83 mbamgui+0x3857e
15 0497f8b4 76ff33aa 00000000 0497f900 77769ef2 mbamgui+0x6f84
16 0497f8c0 77769ef2 00000000 7314eeae 00000000 kernel32!BaseThreadInitThunk+0xe
17 0497f900 77769ec5 00ec6ab0 00000000 00000000 ntdll!__RtlUserThreadStart+0x70
18 0497f918 00000000 00ec6ab0 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
   3  Id: 98c.a98 Suspend: 1 Teb: 7efaf000 Unfrozen
 # ChildEBP RetAddr  Args to Child              
00 054bfdc8 75763bc8 00000000 054bfe0c 8abe36a5 ntdll!NtDelayExecution+0x15
01 054bfe30 75764498 000927c0 00000000 00000000 KERNELBASE!SleepEx+0x65
02 054bfe40 00ec7475 000927c0 8aab08e3 00000000 KERNELBASE!Sleep+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
03 00000000 00000000 00000000 00000000 00000000 mbamgui+0x7475
Optionally, you can create full dump using procdump:
procdump -ma -e -x "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe"
and try to analyze it in WinDbg


m.g.
 
Last edited:

jcgriff2

Site Administrator, Forum General Manager, BSOD Kernel Dump Expert
Staff member
Joined
Feb 19, 2012
Messages
17,479
Location
New Jersey Shore
Definitely a "most notable" post on \system32, \syswow64 & \sysnative -

. . .by Sysnative Forums Admin niemiro

Hello again :)

Don't worry about posting multiple times in a row. In actual fact I prefer it, as then I get a notification of your new post vs. no notification for an edit.


As promised, a little talk on redirection. First, let's discuss file system redirection. We will come onto registry later. If you don't understand any part of this, feel completely free to ask me about it. Also, I do not know what you do and do not know, so I have included pretty much everything. It will also help future readers.


System32 vs. SysWOW64 vs. Sysnative

Finally, although you may already know this, I would like to briefly talk about these folders. All three of them exist on a 64bit computer under %SystemRoot% (C:\Windows)(although you will not be able to find Sysnative using explorer.exe), however, only System32 exists on a 32bit computer.

The names of these folder are slightly counterintuitive, however, it is done for compatibility reasons with old programs.

On a 32bit computer, everything is nice and simple. There is only one set of Windows files, and they are compiled for a 32bit architecture. They are stored under winsxs with the prefix x86_ and the active version of each file is linked into the System32 folder.

On a 64bit computer, everything is not quite so nice and simple. First, Microsoft realised that many programs had hardcoded the path C:\Windows\System32 rather than using some form of expansion variable such as an environmental variable. This meant that they couldn't just move everything to System64, as then all those old programs would break. The System32 name had to stick, or at least be redirected.

But there is another difficulty. Microsoft also wished for legacy 32bit programs to still work on the 64bit architecture. To achieve this, they implemented something called WOW64. Now all of a sudden, two sets of each Windows file exists: the 64bit files (winsxs prefix of amd64_) and the 32bit files (winsxs prefix of wow64_ [or occasionally x86_ - technicality]).

The next point of note is the wow64 files. Contrary to much of the misinformation currently available on the internet, these 32bit copies of the files do not actually contain full sets of the code. In fact, they are merely redirection shells. When a legacy 32bit application makes a call to a Windows .dll, it is sent a reference to the 32bit copy of the .dll file. However, this 32bit copy of the .dll does not actually process the call. Instead, it converts all of the 32bit data types from the 32bit application to 64bit, calls the 64bit copy of the .dll with this converted data which does the actual processing, and then takes the returned 64bit datatypes from the 64bit .dll, converts them back to 32bit before returning them to the application as though the 64bit .dll had never been invoked. This is what is actually going on.

So where are the active versions of these wow64 files linked? Well, they're linked in a new folder called SysWOW64. And then the truly 64bit copies of the files are stored in the System32 folder to maintain compatibility with legacy applications for the reasons already given. But this leads to another problem: what happens if a 32bit legacy application directly calls C:\Windows\System32\example.dll? Well then it gets sent a 64bit .dll file, which won't work. So to solve this, 32bit applications which directly call System32 get silently redirected to the 32bit copy in SysWOW64.

But this doesn't completely solve the problem. What if a 32bit application explicitly wants to access the 64bit copy of the file directly? Well, Microsoft have provided several different solutions to this problem any one of which can be used, but perhaps the simplest is the virtual Sysnative folder. This folder isn't real. It doesn't contain anything, it's just a link to another folder. And for 32bit applications, it links to the 64bit System32. So Sysnative may be used to bypass normal System32 direction and actually get access to System32. This is why you won't be able to find this folder in explorer.exe: it doesn't really exist. But there's another reason too. This sort of redirection doesn't make sense in 64bit. 64bit applications can already access the 64bit copies of the files through System32, and they can access the 32bit copies of the files through SysWOW64. So there's no need for Sysnative, so Sysnative doesn't work in 64bit applications.

Wow, that's long and confusing. What about a nice summary? :p

In summary:
System32 holds 32bit copies of files on 32bit computers, and 64bit copies of files on a 64bit computer.
SysWOW64 holds wow64/32bit copies of files on a 64bit computer, and doesn't exist on a 32bit computer.
Sysnative is a virtual redirection directory which doesn't exist except under legacy 32bit applications on a 64bit computer.

32bit application on 32bit computer:
System32 --> no redirection --> System32
SysWOW64 --> doesn't exist
Sysnative --> doesn't exist

64bit application on 64bit computer:
System32 --> no redirection --> System32
SysWOW64 --> no redirection --> SysWOW64
Sysnative --> doesn't exist

32bit application on 64bit computer:
System32 --> redirection --> SysWOW64
SysWOW64 --> no redirection --> SysWOW64
Sysnative --> redirection --> System32



So, hopefully you understand a little more about the System32, SysWOW64, and Sysnative folders, and why they were created as they are.


So, now let's say you want to access C:\Windows\System32\example.dll (no redirection, actually in System32).
On a 32bit computer, it's very simple: Just access C:\Windows\System32\example.dll. On a 64bit app on a 64bit computer, again just access C:\Windows\System32\example.dll. But on a 32bit app on a 64bit computer, you must access C:\Windows\Sysnative\example.dll.


So, if you are writing a permanently 32bit app, and you want to access the real C:\Windows\System32\example.dll, you must first check whether the system is 32bit or 64bit. If it is 32bit, you directly access C:\Windows\System32\example.dll, and if it's 64bit you change the request and access C:\Windows\Sysnative\example.dll.




What about the registry? Well, a very similar thing occurs. This time, if you want to access the other architecture of a registry value you have a magical registry key called Wow6432Node. But things are a little different this time.

The 64bit copy of the key on 64bit OS or 32bit copy of the key on 32bit OS is stored where it should be, e.g. HKEY_LOCAL_MACHINE\Software. However, for 64bit OS, the 32bit copy of the key is stored at HKEY_LOCAL_MACHINE\Software\Wow6432Node.

Normally, a 32bit app on a 64bit computer which tries to access HKEY_LOCAL_MACHINE\Software is silently redirected to HKEY_LOCAL_MACHINE\Software\Wow6432Node. A 64bit app on a 64bit computer can access either HKEY_LOCAL_MACHINE\Software or HKEY_LOCAL_MACHINE\Wow6432Node directly, with no redirection. But there's a problem. What about 32bit app on 64bit computer accessing 64bit key? There's no second magic key for that. Hmmmmm... This situation is a bit like having System32 and SysWOW64, but no Sysnative. Big hmmmmmm.

Fortunately, there's a solution. We can ask Windows not to redirect us. You can use (in C#) RegistryKey.OpenBaseKey with HKEY_LOCAL_MACHINE\Software, and with view (RegistryView Enumeration (Microsoft.Win32)) set to either Registry32 or Registry64 to access exactly what you want.


And in C++ (and I assume via P/Invoke C# also), for those few exceptionally rare times when you cannot ask Windows not to redirect you, can you globally and temporarily disable redirection entirely using Wow64DisableWow64FsRedirection function (Windows) and Wow64RevertWow64FsRedirection function (Windows).

You should not need to use these.

There is only one scenario I know of where all of these techniques fail, and that involves a very specific and extremely complex operation on the Volume Shadow Copy Service, where you simply have to drop a 64bit exe on the 64bit computer, and run that.

I hope this helps, but suspect it will only confuse further :p

Richard
From: http://www.sysnative.com/forums/programming/7536-need-some-people-who-liked-to-test.html#post58098
 
Last edited:

Patrick

Moderator, BSOD Kernel Dump Expert
Staff member
Joined
Jun 7, 2012
Messages
4,578
Very informative post. I'd expect no less from Richard, though : )
 

jcgriff2

Site Administrator, Forum General Manager, BSOD Kernel Dump Expert
Staff member
Joined
Feb 19, 2012
Messages
17,479
Location
New Jersey Shore
Re: AtihdW86.sys - AMD High Definition Audio Function Driver

Same thread worked on by Patrick -

Hi Patrick! I think I fixed it. Ok, long story short, trying to install in safe mode resulted in the exact same BSOD. After talking to people, going places and hitting my head against the wall so hard it grew a lump I realized that the driver AtihdW86.sys was an HDMI audio driver, and I just needed my graphics to work first. Then I found that I had multiple instances of AMD Install manager (all were corrupt). I couldn't use control panel or even Revo uninstaller to get rid of them. I went into the registry and C drive and manually deleted ALL AMD stuff (except things for my cpu). I then did a custom install leaving out the Audio driver and tada!! two days passed and not a single error and Audio works perfectly (even though it didn't before). Hope that fixes things, at least for a while. Thanks so much for your help!!!!
Bless you both! You saved my life and got me back up and running immediatly instead of waiting another 24 hours for response from a level 2 engineer because the original help desk looked everywhere but here for a solution - and it was as close as a "Find AtihdW86.sys file on Windows media" search away. All I did was login to 8.1 in safe mode, go to device manager and remove both AMD High Definition Audio Device drivers, rebooted, and bango, back in business. I'm DEFINITELY no longer relying on otherwise good utility software like WinZip Utilities to tell me I have "ancient" drivers on my system and to upgrade. That's where all my misery started...

Kind regards,
Dennis King
Web Presence Shop
[SOLVED] Windows 8 BSOD - AtihdW86.sys

:thumbsup2:
 
Last edited:

Patrick

Moderator, BSOD Kernel Dump Expert
Staff member
Joined
Jun 7, 2012
Messages
4,578
Thank you, John! I am honored :grin1:
 

jcgriff2

Site Administrator, Forum General Manager, BSOD Kernel Dump Expert
Staff member
Joined
Feb 19, 2012
Messages
17,479
Location
New Jersey Shore
Saw this image & could not resist posting it. Pretty neat the way they used BSOD screens for the logo!

windows_8_logo_bsos_1600x306.png
 

Patrick

Moderator, BSOD Kernel Dump Expert
Staff member
Joined
Jun 7, 2012
Messages
4,578
Thanks, John. Although it however does not appear we're quite out of the woods yet with that thread given they got an 0xA a week or so later. They must have had a combination of issues, such as UltraMon causing one problem, and then whatever it is now.

In any case, it's definitely always a good idea (as you know) to check software for an 0x124 as it's not always a hardware problem/hardware bug check. The kind of software you want to look for is the kind of software that has a direct correlation with hardware, such as UltraMon in that case. Works with the GPU and completely overwrites Windows' basic multi-monitor features. I've never seen drivers newer than 2008 for UltraMon, so it's either an abandoned project or everybody has the same pirated version.
 
Top