please help me analyze memory dump - Windows 7 x64

ksangam20

Code:
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [\\TXALLE2NESAXT41\d$\Memory.dmp]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 7601.23002.amd64fre.win7sp1_ldr.150316-1651
Machine Name:
Kernel base = 0xfffff800`01a59000 PsLoadedModuleList = 0xfffff800`01c9d890
Debug session time: Wed Aug  5 07:36:58.008 2015 (GMT-7)
System Uptime: 0 days 5:35:21.426
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff880032fbacf, fffff8800ae19b70, 0}

*** ERROR: Module load completed but symbols could not be loaded for picadm.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for mfehidk.sys - 
*** ERROR: Module load completed but symbols could not be loaded for CtxSbx.sys
*** ERROR: Module load completed but symbols could not be loaded for CtxAltStr.sys
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
Probably caused by : picadm.sys ( picadm+11acf )

Followup: MachineOwner
---------

5: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff880032fbacf, Address of the exception record for the exception that caused the bugcheck
Arg3: fffff8800ae19b70, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
picadm+11acf
fffff880`032fbacf 894730          mov     dword ptr [rdi+30h],eax

CONTEXT:  fffff8800ae19b70 -- (.cxr 0xfffff8800ae19b70)
rax=0000000003391df0 rbx=fffffa8016a970a0 rcx=0000000000000004
rdx=00000000037f10bd rsi=fffffa8013524b90 rdi=01d0cf8c2eba5e57
rip=fffff880032fbacf rsp=fffff8800ae1a550 rbp=0000000000000000
 r8=0000000014053a8b  r9=0000000000da7a64 r10=0000000000000000
r11=0000000000000000 r12=00000000c00000b6 r13=fffffa8018098f70
r14=fffff880014a4118 r15=fffff880014a4118
iopl=0         nv up ei pl nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
picadm+0x11acf:
fffff880`032fbacf 894730          mov     dword ptr [rdi+30h],eax ds:002b:01d0cf8c`2eba5e87=????????
Resetting default scope

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  wfica32.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff880032f9274 to fffff880032fbacf

STACK_TEXT:  
fffff880`0ae1a550 fffff880`032f9274 : 00000000`00000000 fffffa80`18098cf0 fffffa80`18098cf0 fffffa80`16a970a0 : picadm+0x11acf
fffff880`0ae1a5e0 fffff880`014a7c79 : fffffa80`13524801 fffffa80`18098cf0 fffffa80`16a970a0 fffffa80`14668820 : picadm+0xf274
fffff880`0ae1a6a0 fffff880`014a6175 : fffff8a0`0029aea0 fffffa80`16ff6c60 00000000`00000103 fffffa80`142d3420 : mup!MupiCallUncProvider+0x169
fffff880`0ae1a710 fffff880`014a8001 : fffffa80`18098cf0 fffff880`014a4118 fffffa80`17c76420 00000000`00000000 : mup!MupStateMachine+0x165
fffff880`0ae1a760 fffff880`013016af : fffffa80`132d3c30 fffffa80`16ff6c60 fffffa80`18098f00 fffffa80`132d2a50 : mup!MupFsdIrpPassThrough+0x12d
fffff880`0ae1a7b0 fffff880`0155bd80 : fffffa80`18098cf0 fffffa80`142d3400 fffffa80`18098cf0 fffffa80`18098f00 : fltmgr!FltpDispatch+0x9f
fffff880`0ae1a810 fffff880`039ae4d2 : fffffa80`18098cf0 fffffa80`18098f70 fffffa80`142eeda0 00000000`c000000d : mfehidk!DEVICEDISPATCH::DispatchPassThrough+0x140
fffff880`0ae1a890 fffff880`038056c7 : fffffa80`18098cf0 00000000`00000000 fffffa80`142d3420 00000000`00000000 : CtxSbx+0x74d2
fffff880`0ae1a8c0 fffff800`01dd27fb : 00000000`00000002 fffffa80`17c76420 00000000`00000001 fffffa80`18098cf0 : CtxAltStr+0x56c7
fffff880`0ae1a920 fffff800`01d3c217 : fffffa80`17c76420 fffff880`0380bf01 fffffa80`17c76420 fffff880`01ed0180 : nt!IopSynchronousServiceTail+0xfb
fffff880`0ae1a990 fffff800`01acaf13 : fffffa80`17eb3b00 fffff800`01a1f768 00000000`00000000 00000000`00000000 : nt!NtLockFile+0x514
fffff880`0ae1aa70 00000000`77b3cc4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`001ae068 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77b3cc4a


FOLLOWUP_IP: 
picadm+11acf
fffff880`032fbacf 894730          mov     dword ptr [rdi+30h],eax

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  picadm+11acf

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: picadm

IMAGE_NAME:  picadm.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  54497e2f

STACK_COMMAND:  .cxr 0xfffff8800ae19b70 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_picadm+11acf

BUCKET_ID:  X64_0x3B_picadm+11acf

Followup: MachineOwner
---------
 
Your Citrix ICA Host is most likely at fault.
It is generating an access violation by trying to reference memory outside of the authorised range.
I would update the driver; you can check it by running the command lmvm picadm in WinDbg.
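
The access violation described in the reply above can be checked directly from the register dump. This is an added example, not part of either post: it recomputes the address the faulting store wrote to, tests whether it is a canonical x64 address, and decodes the base register as a Windows FILETIME. The function names are illustrative, and the sample text is copied from the `!analyze -v` output in the first post.

```python
import re
from datetime import datetime, timedelta, timezone

# Lines copied from the !analyze -v output in the first post.
DUMP = """\
FAULTING_IP:
picadm+11acf
fffff880`032fbacf 894730          mov     dword ptr [rdi+30h],eax
rax=0000000003391df0 rbx=fffffa8016a970a0 rcx=0000000000000004
rdx=00000000037f10bd rsi=fffffa8013524b90 rdi=01d0cf8c2eba5e57
"""

def registers(text):
    """Map register name -> value for each reg=<16 hex digits> pair."""
    pairs = re.findall(r"\b(r[a-z0-9]{1,3})=([0-9a-f]{16})\b", text)
    return {name: int(value, 16) for name, value in pairs}

def write_target(text):
    """Effective address of the faulting 'ptr [reg+NNh]' memory operand."""
    base, disp = re.search(r"ptr \[(\w+)\+([0-9a-f]+)h\]", text).groups()
    return registers(text)[base] + int(disp, 16)

def is_canonical(addr):
    """x64 with 48-bit virtual addresses: bits 63..47 must be all 0 or all 1."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF

def as_filetime(value):
    """Read a 64-bit value as FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=value // 10)

if __name__ == "__main__":
    regs = registers(DUMP)
    target = write_target(DUMP)
    print(f"store target : {target:016x} canonical={is_canonical(target)}")
    print(f"rbx (pointer): {regs['rbx']:016x} canonical={is_canonical(regs['rbx'])}")
    # Compare with 'Debug session time: Wed Aug  5 07:36:58.008 2015 (GMT-7)'.
    print(f"rdi as FILETIME: {as_filetime(regs['rdi']).isoformat()}")
```

The store target is non-canonical, so no mapping could ever satisfy it, and rdi read as a FILETIME matches the debug session time in the dump header to the millisecond, which means the register held a timestamp rather than a pointer when the store executed.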
 
