WinDbg command to find all modules that might have been involved in a problem thread

Anu Pai (New member; joined Jan 28, 2019; 2 posts)
Is there a WinDbg command that will help us to identify all the modules that might have been involved in a problem thread?

This is what I have been doing:
WinDbg command: "dps limit base" of the thread

I am looking for one command that will go through the call stack.
I found a command that works for WinXP and previous versions - "!w2kfre\kdex2x86.stack"
 

There really are not that many drivers on a stack to begin with. You could look up each manually with the lmvm command.

I tried the command - !w2kfre\kdex2x86.stack that you provided -

Code:
0: kd> !w2kfre\kdex2x86.stack

The call to LoadLibrary(w2kfre\kdex2x86) failed, Win32 error 0n2
"The system cannot find the file specified."

Please check your debugger configuration and/or network access.

There obviously is a piece missing - the library that the LoadLibrary call refers to.

I found the command in a BSOD Reference Manual and it does a lot more than just give info on files found on the stack. Exactly what it does, I am unsure of.

Code:
4: kd> !w2kfre\kdex2x86.stack -?
!stack - Do stack trace for specified thread
Usage : !stack [-?ha[0|1]] [address]
Arguments :
    -?,-h   - display help information.
    -a      - specifies display mode. This option is off, in default.
              If this option is specified, output stack trace in detail.
    -0,-1   - specifies filter level for display. Default filter level is 0.
              In level 0, display stackframes that are guessed return-adresses
              for reason of its value and previous mnemonic.
              In level 1, display stackframes that call other stackframe or is
              called by other stackframe, besides level 0.
    address - specifies thread address. When address is omitted, do stack trace
              for the current thread.
For example:

Code:
Loading Dump File [MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer
Built by: 3790.srv03_sp2_gdr.070304-2240
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Mon Jun 11 14:49:21.541 2007 (GMT+1)
System Uptime: 0 days 2:10:11.877

4: kd> k
ChildEBP RetAddr
b7a24e84 80949b48 nt!KeBugCheckEx+0x1b
b7a24ea0 80949ba4 nt!PspUnhandledExceptionInSystemThread+0x1a
b7a25ddc 8088e062 nt!PspSystemThreadStartup+0x56
00000000 00000000 nt!KiThreadStartup+0x16

4: kd> !w2kfre\kdex2x86.stack
T. Address  RetAddr  Called Procedure
*2 B7A24E68 80827C63 nt!KeBugCheck2(0000007E, C0000005, BFE5FEEA,...);
*2 B7A24E88 80949B48 nt!KeBugCheckEx(0000007E, C0000005, BFE5FEEA,...);
*2 B7A24EA4 80949BA4 nt!PspUnhandledExceptionInSystemThread(B7A24EC8, 80881801, B7A24ED0,...);
*0 B7A24EAC 80881801 dword ptr EAX(B7A24ED0, 00000000, B7A24ED0,...);
*1 B7A24ED4 8088ED4E dword ptr ECX(B7A25378, B7A25DCC, B7A25074,...);
*1 B7A24EF8 8088ED20 nt!ExecuteHandler2(B7A25378, B7A25DCC, B7A25074,...);
*1 B7A24F1C 80877C0C nt!RtlpExecuteHandlerForException(B7A25378, B7A25DCC, B7A25074,...);
*0 B7A24F5C 808914F7 nt!RtlClearBits(893E3BF8, 0000014A, 00000001,...);
*1 B7A24FA8 8082D58F nt!RtlDispatchException(B7A25378, B7A25074, 00000008,...);
*1 B7A2501C 80A5C456 hal!HalpCheckForSoftwareInterrupt(89267D08, 00000000, 89267D00,...);
*1 B7A25030 80A5C456 hal!HalpCheckForSoftwareInterrupt(00000000, 89267D00, B7A25060,...);
*1 B7A25040 80A5A56D hal!KfLowerIrql(8087C9C0, BC910000, 00000018,...);
*1 B7A25044 8087C9C0 hal!KeReleaseInStackQueuedSpinLock(BC910000, 00000018, BFEBC0A0,...);
*1 B7A25064 8087CA95 nt!ExReleaseResourceLite(B7A253CC, B7A25078, B7A25378,...);
*0 B7A250F4 F346C646 termdd!IcaCallNextDriver(88F9E2A4, 00000002, 00000000,...);
*1 B7A25140 F764C20E termdd!_IcaCallSd(88F9E290, 00000002, B7A251EC,...);
*1 B7A25154 F3464959 termdd!IcaCallNextDriver(88F876B4, 00000002, B7A251EC,...);
*1 B7A25174 F346632D component2+00000830(88F4F990, B7A251EC, 88F876B0,...);
*1 B7A25188 F764C1C7 dword ptr EAX(88F4F990, B7A251EC, 88DFB000,...);
*1 B7A251A4 F764C20E termdd!_IcaCallSd(88F876A0, 00000002, B7A251EC,...);
*1 B7A251B8 F36C9928 termdd!IcaCallNextDriver(88EAEC6C, F773F120, F773F120,...);
*0 B7A251D0 80892853 nt!RtlpInterlockedPushEntrySList(00000000, 00000000, 808B4900,...);
*0 B7A251E8 8081C3DA nt!RtlpInterlockedPushEntrySList(89586178, 00000000, 00000000,...);
*0 B7A251FC 80821967 nt!ObDereferenceObjectDeferDelete(8082196C, 894E8648, 898B0020,...);
*0 B7A25200 8082196C nt!_SEH_epilog(894E8648, 898B0020, 80A5A530,...);
*0 B7A25248 8082196C nt!_SEH_epilog(8082DFC3, 894E8648, B7A25294,...);
*1 B7A2524C 8082DFC3 dword ptr [EBP-14](894E8648, B7A25294, B7A25288,...);
*1 B7A2529C 80A5C199 nt!KiDeliverApc(00000000, 00000000, 00000000,...);
*1 B7A252BC 80A5C3D9 hal!HalpDispatchSoftwareInterrupt(898B0001, 00000000, 00000000,...);
*1 B7A252D8 80A5C456 hal!HalpCheckForSoftwareInterrupt(00000001, 898B0000, B7A25300,...);
*1 B7A252E8 8083129E hal!KfLowerIrql(898B0020, 894E8648, 89468504,...);
*1 B7A25304 8082AB7B nt!KiExitDispatcher(894E8648, 894E8608, 00000000,...);
*1 B7A25318 80864E45 nt!MiFindNodeOrParent(893F8E00, 00000000, B7A2532C,...);
*1 B7A25334 8084D308 nt!MiLocateAddress(C0000000, C0600000, 0000BB40,...);
*1 B7A25360 8088A262 nt!KiDispatchException(B7A25378, 00000000, B7A253CC,...);
*0 B7A253A0 F7648BFE termdd!_SEH_epilog(00000000, C0000005, 00000018,...);
*0 B7A253B8 8088C798 nt!MmAccessFault(00000000, 00000008, 00000000,...);
*1 B7A253C8 8088A216 nt!CommonDispatchException(B7A25488, BFE5FEEA, BADB0D00,...);
*1 B7A25450 BFE7B854 component+0003D5D0(BC048FE0, 00000000, 00000003,...);
*1 B7A2548C BFE6C043 component+00021B70(04048FE0, BC912820, BFEBC0A0,...);
*1 B7A254A8 BFE6CCBD component+0002DFD0(BC912820, BC14A2B4, BC14A018,...);
*1 B7A254CC BFE6FCB6 component+0002EBE0(BFEBC0A0, BFEBC038, BFEBBF80,...);
*1 B7A255C8 80A5C456 hal!HalpCheckForSoftwareInterrupt(00000000, 8CE03500, B7A255F8,...);
*1 B7A255D8 80A5A56D hal!KfLowerIrql(8087C9C0, 88F93F24, E1681348,...);
*1 B7A255DC 8087C9C0 hal!KeReleaseInStackQueuedSpinLock(88F93F24, E1681348, 00000000,...);
*1 B7A255FC F7134586 nt!ExReleaseResourceLite(88F93EF8, B7A2561C, F7134640,...);
*1 B7A25608 F7134640 Ntfs!NtfsReleaseFcb(88F93EF8, 88F93EF8, 00000000,...);
*1 B7A2561C F7133091 Ntfs!NtfsFreeSnapshotsForFcb(88F93EF8, 00000014, 88F93EF8,...);
*1 B7A25638 F7133177 Ntfs!NtfsCleanupIrpContext(88F93EF8, 00000001, 00000000,...);
*1 B7A25650 F7174936 Ntfs!NtfsCompleteRequest(88F93EF8, 00000000, F7174943,...);
*0 B7A2565C F7174943 Ntfs!_SEH_epilog(00000000, B7A257A0, 88F103D8,...);
*1 B7A2568C 80A5C456 hal!HalpCheckForSoftwareInterrupt(00000000, 00000001, 00000001,...);
*1 B7A256D4 80A5C456 hal!HalpCheckForSoftwareInterrupt(00000001, 808B4300, B7A256FC,...);
*1 B7A256E4 8083129E hal!KfLowerIrql(00000000, B7A25C90, 00000000,...);
*1 B7A25700 808281D6 nt!KiExitDispatcher(88F103D8, 00000000, 00000000,...);
*1 B7A25714 8081E1E9 nt!KeSetEvent(00A25C90, 00000001, 00000000,...);
*1 B7A2573C F7133177 Ntfs!NtfsCleanupIrpContext(B7A25750, B7A257A4, 00000000,...);
*1 B7A25780 80A5C456 hal!HalpCheckForSoftwareInterrupt(0000026C, 808B4900, B7A25828,...);
*1 B7A25790 80A5A56D hal!KfLowerIrql(8085712D, 00000000, 00180000,...);
*1 B7A25794 8085712D hal!KeReleaseQueuedSpinLock(00000000, 00180000, 00181000,...);
*1 B7A2582C 8085755D nt!MiProcessValidPteList(B7A25844, 00000002, C0000C08,...);
*1 B7A25890 80A5C456 hal!HalpCheckForSoftwareInterrupt(00000001, 808B4300, F7747120,...);
*0 B7A258C4 F724DA0D fltmgr!FltDecodeParameters(88E3BD2C, B7A25924, 88E62020,...);
*0 B7A258E8 8082CD1F nt!KiEspFromTrapFrame(B7A25D64, 894CA9C8, 7FFDA000,...);
*0 B7A258F8 8082CF40 nt!__security_check_cookie(B7A25D64, 01A5C456, 892373F8,...);
*1 B7A25914 80A5C456 hal!HalpCheckForSoftwareInterrupt(8081C585, B7A25944, B7A25948,...);
*1 B7A25918 8081C585 nt!RtlpGetStackLimits(B7A25944, B7A25948, 00000000,...);
*1 B7A25934 F713320E nt!IoGetStackLimits(000015ED, B7A25764, B7A25A78,...);
*1 B7A25970 80A5C456 hal!HalpCheckForSoftwareInterrupt(8CE03598, 00000000, 8CE03500,...);
*0 B7A2598C 808347E4 nt!ProbeForWrite(0032FD14, 000002E4, 808348C6,...);
*0 B7A25998 808348C6 nt!_SEH_epilog(7FFDA000, 894CA9C8, 00000000,...);
*0 B7A259A8 F713435F Ntfs!ExFreeToNPagedLookasideList(F7150420, 88F93EF8, B7A25ACC,...);
*0 B7A259D8 8082CBCF nt!KiEspFromTrapFrame(C0001978, 83F251EC, 00000000,...);
*0 B7A259F0 80865C32 nt!MiInsertPageInFreeList(C0001978, 00000000, 83F251EC,...);
*1 B7A25A30 80A5C456 hal!HalpCheckForSoftwareInterrupt(C0001980, C0600000, 808B4900,...);
*1 B7A25A44 80A5C456 hal!HalpCheckForSoftwareInterrupt(C0600008, 808B4900, B7A25B2C,...);
*1 B7A25A54 80A5A56D hal!KfLowerIrql(808658FB, 0032FFFF, 890D4198,...);
*1 B7A25A58 808658FB hal!KeReleaseQueuedSpinLock(0032FFFF, 890D4198, 8CB0B7B0,...);
*1 B7A25A7C 80A5C456 hal!HalpCheckForSoftwareInterrupt(C0600018, 808B4900, B7A25B44,...);
*1 B7A25A8C 80A5A56D hal!KfLowerIrql(808658FB, 88E62020, 89293DF0,...);
*1 B7A25A90 808658FB hal!KeReleaseQueuedSpinLock(88E62020, 89293DF0, 88F87718,...);
*0 B7A25AC4 80945FEA nt!ObReferenceObjectByHandle(00000000, 00000018, 0032FE64,...);
*0 B7A25AE0 80892853 nt!RtlpInterlockedPushEntrySList(8CB0B890, 890D4198, 8CB0B7B0,...);
*1 B7A25AF4 80A5C1AE nt!KiDispatchInterrupt(00000000, 00000000, 00000202,...);
*1 B7A25B08 80A5C3D9 hal!HalpDispatchSoftwareInterrupt(00000002, 00000000, 80A5C3F4,...);
*0 B7A25B20 8081C3DA nt!RtlpInterlockedPushEntrySList(89586178, 00000000, 00000000,...);
*0 B7A25B34 80821967 nt!ObDereferenceObjectDeferDelete(8082196C, 8C22B848, 898B0020,...);
*0 B7A25B38 8082196C nt!_SEH_epilog(8C22B848, 898B0020, 80A5A530,...);
*0 B7A25B4C 8081C3DA nt!RtlpInterlockedPushEntrySList(00000000, 00000000, 8C22B808,...);
*0 B7A25B80 8082196C nt!_SEH_epilog(8082DFC3, 8C22B848, B7A25BCC,...);
*1 B7A25B84 8082DFC3 dword ptr [EBP-14](8C22B848, B7A25BCC, B7A25BC0,...);
*1 B7A25BD4 80A5C199 nt!KiDeliverApc(00000000, 00000000, 00000000,...);
*1 B7A25BF4 80A5C3D9 hal!HalpDispatchSoftwareInterrupt(898B0001, 00000000, 00000000,...);
*1 B7A25C10 80A5C456 hal!HalpCheckForSoftwareInterrupt(00000001, 898B0000, B7A25C38,...);
*1 B7A25C20 8083129E hal!KfLowerIrql(898B0020, 8C22B848, 00000010,...);
*1 B7A25C54 80A5C456 hal!HalpCheckForSoftwareInterrupt(F7757000, 00000002, 893F8BB0,...);
*1 B7A25C64 8088DBAC hal!KfLowerIrql(B7A25C88, BFE6BA78, 00000000,...);
*1 B7A25C78 80A5C1AE nt!KiDispatchInterrupt(B7A25CC0, B7A25D00, 00000002,...);
*1 B7A25C8C 80A5C3D9 hal!HalpDispatchSoftwareInterrupt(00000002, B7A25CC0, B7A25CC0,...);
*1 B7A25CA8 80A5C57E nt!KiCheckForSListAddress(BC845018, B7A25CC0, 80A59902,...);
*1 B7A25CB4 80A59902 hal!HalEndSystemInterrupt(898B0000, 000000E1, B7A25D40,...);
*1 B7A25CE0 80A5C456 hal!HalpCheckForSoftwareInterrupt(00000001, 894890F0, 894890D8,...);
*0 B7A25CF4 8087CDDC hal!KeReleaseInStackQueuedSpinLock(894890D8, 00000000, 89489100,...);
*1 B7A25D18 80A5A56D hal!KfLowerIrql(00000001, BC14A018, BC5F9003,...);
*1 B7A25D44 BFE708D4 component+000312D0(BFEBBF80, 00000000, 00000000,...);



Here is the PDF that it came from (attachment: Memory Dump Analysis Anthology Volume 1.pdf). See page 193.


It can also be found in this Google Book - Memory Dump Analysis Anthology


I honestly do not know what you would do with the output of that command.

Are you a driver developer or are you debugging a kernel memory dump? Is it a recent dump? Where did it come from?

If you provide us with more information, perhaps we can help you.

Regards. . .

jcgriff2
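What one can do with listings like the ones above is exactly what the first reply suggests: pull out the distinct modules and run lmvm on each. The script below is an added example for this thread, not code from WinDbg, PDE or any poster; it parses saved debugger output offline (k / kn frames, a dps raw-stack dump, or the kdex2x86 !stack listing quoted above) and emits the lmvm commands. The k sample is abbreviated from the x64 stack posted later in this thread, the !stack lines are from the listing above, and the dps sample (its addresses and the stale Ntfs pointer) is constructed for the example.

```python
"""Modules on a thread's stack, from saved WinDbg output.  Added example for this
thread; not part of WinDbg, PDE or any poster's tooling."""
import re
from typing import Iterator, List, Optional

_ADDR = r"(?:[0-9A-Fa-f]{8}`[0-9A-Fa-f]{8}|[0-9A-Fa-f]{8})"

# One listing line: [frame#] address address [symbol ...]
#   k / kn : "04 ffffd000`2136ff30 fffff800`804359ff ndis!ndisFreeToNPagedPool+0x59"
#   dps    : "ffffd000`2136fa78  fffff803`27fdd7e9 nt!KiBugCheckDispatch+0x69"
#   !stack : "*1 B7A25450 BFE7B854 component+0003D5D0(BC048FE0, 00000000, ...);"
_LINE_RE = re.compile(
    rf"^\s*(?:(?:[0-9a-f]{{2}}|\*[0-9])\s+)?{_ADDR}\s+{_ADDR}(?:\s+(?P<sym>[^\s(]+))?.*$"
)
# A resolved symbol is module!function[+offset] or module+offset (no PDB).
# Anything else ("dword ptr EAX", a bare 0x... value) is not attributable.
_SYM_RE = re.compile(
    r"^(?P<module>[\w.\-]+)(?:![^+]+(?:\+(?:0x)?[0-9A-Fa-f]+)?|\+(?:0x)?[0-9A-Fa-f]+)$"
)


def module_of(symbol: str) -> Optional[str]:
    """Module part of a WinDbg symbol, or None when it is not resolved."""
    m = _SYM_RE.match(symbol)
    return m.group("module") if m else None


def iter_modules(listing: str) -> Iterator[str]:
    """Module for every listing line that carries a resolvable symbol."""
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group("sym"):
            mod = module_of(m.group("sym"))
            if mod:
                yield mod


def unique_modules(listing: str) -> List[str]:
    """Modules in first-seen order (top of stack first), duplicates dropped."""
    seen: List[str] = []
    for mod in iter_modules(listing):
        if mod not in seen:
            seen.append(mod)
    return seen


def lmvm_commands(modules: List[str]) -> List[str]:
    """The per-module lookups, ready to paste at the kd> prompt."""
    return [f"lmvm {m}" for m in modules]


def raw_stack_only(k_listing: str, dps_listing: str) -> List[str]:
    """Modules seen in the raw stack (dps) but not in the unwound frames (k).
    dps reports any slot that still holds a code pointer, including stale return
    addresses left by earlier calls, so these are leads, not proof that the
    module was on the failing call chain."""
    on_chain = set(unique_modules(k_listing))
    return [m for m in unique_modules(dps_listing) if m not in on_chain]


# Abbreviated from the x64 `k` output posted later in this thread.
K_SAMPLE = """\
0: kd> k
 # Child-SP          RetAddr           Call Site
00 ffffd000`2136fa78 fffff803`27fdd7e9 nt!KeBugCheckEx
03 ffffd000`2136fda0 fffff800`8043ac3a nt!KiRaiseSecurityCheckFailure+0xf4
04 ffffd000`2136ff30 fffff800`804359ff ndis!ndisFreeToNPagedPool+0x59
07 ffffd000`21370080 fffff800`80430eee vwififlt!FilterSendNetBufferListsComplete+0x181
09 ffffd000`21370240 fffff800`81d0f222 NETwbw02+0x1b1671
1c ffffd000`21370a30 fffff800`804394eb ndis!ndisMiniportDpc+0x110
20 ffffd000`21370c60 00000000`00000000 nt!KiStartSystemThread+0x16
"""

# Constructed dps output over the same stack region; the addresses and the
# stale Ntfs pointer are made up for the example.
DPS_SAMPLE = """\
ffffd000`2136fa78  fffff803`27fdd7e9 nt!KiBugCheckDispatch+0x69
ffffd000`2136fa80  00000000`00000139
ffffd000`2136fa88  fffff800`81364e19 vwififlt!FilterSendNetBufferListsComplete+0x181
ffffd000`2136fa90  fffff800`81d0f222 NETwbw02+0x22222
ffffd000`2136fa98  fffff800`b1e9c0f8 Ntfs!NtfsCompleteRequest+0x34
ffffd000`2136faa0  fffff803`27fdd7e9 nt!KiBugCheckDispatch+0x69
"""

# Four lines from the kdex2x86 !stack listing quoted above (x86 addresses).
STACK_SAMPLE = """\
*2 B7A24E88 80949B48 nt!KeBugCheckEx(0000007E, C0000005, BFE5FEEA,...);
*0 B7A24EAC 80881801 dword ptr EAX(B7A24ED0, 00000000, B7A24ED0,...);
*0 B7A250F4 F346C646 termdd!IcaCallNextDriver(88F9E2A4, 00000002, 00000000,...);
*1 B7A25450 BFE7B854 component+0003D5D0(BC048FE0, 00000000, 00000003,...);
"""

if __name__ == "__main__":
    for name, sample in (("k", K_SAMPLE), ("dps", DPS_SAMPLE), ("!stack", STACK_SAMPLE)):
        print(f"{name}: {unique_modules(sample)}")
    print("\n".join(lmvm_commands(unique_modules(K_SAMPLE))))
    print("raw stack only:", raw_stack_only(K_SAMPLE, DPS_SAMPLE))
```

Feed it a listing saved with .logopen (or pasted from the debugger) and paste the printed lmvm lines back into kd>. The distinction the last function draws is the caveat worth keeping in mind when using "dps limit base": the unwound k frames are the thread's actual call chain, while dps also picks up stale pointers from earlier calls, so a module that only appears in the raw stack is a lead to check, not evidence that it was executing when the bug check fired.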
 
There's a very old thread here (2012) which discusses something similar, although due to its age some attachments/links are broken: SysnativeBSODApps - additional check 'drivers found in stack'

There also used to be a WinDbg extension called ProcDumpExt which had some nice features similar to what you're after. ProcDumpExt has been dead for a long time, but there's a newer version called PDE which has more features:

From here: [SUGGESTION] - WinDbg Cheat Sheet - Data Structures, Commands and Extensions
I have discovered that Andrew Richards (author of ProcDumpExt) has made a new version of this extension called Prototype Debugger Extension (PDE). It is available on his publicly shared OneDrive

Download the current version (ver 11.3) zip file, locate the appropriate PDE.dll file (either x64 or x86) and copy to your WinDBG directory e.g. C:\Program Files (x86)\Windows Kits\10\Debuggers\x64

Useful commands can be viewed by loading the extension and then viewing the help.

Code:
4: kd> !load PDE
=========================================================================================
 PDE v11.3 - Copyright 2017 Andrew Richards
=========================================================================================
4: kd> !help
=========================================================================================
Help for Prototype Debugger Extension (PDE) v11.3 - Copyright 2009-2017 Andrew Richards
=========================================================================================
  !seek          - Equivalent of ~*knL and/or !deep 1

  !seek [-q] [-e symbol] [<symbol> [command]]
                 - Execute 'command' against stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                 - Specify '-q' (quiet) to omit the per-thread header

                 - Specify '-e' to exclude stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                   e.g. !seek
                        !seek ReadFile
                        !seek ReadFile kbn
                        !seek ReadFile dps @rsp @rsp+0x20
                        !seek -q ReadFile !teb
                        !seek -e SleepEx ReadFile !teb

  !seek -?        - Display the help for !seek
  !seek -help     - Display the help for !seek

=========================================================================================
  !deep          - Equivalent of ~*knL but only displays stacks that are at least
                   'depth' frames deep (default depth is 1)

  !deep [<depth> [-q] [-s symbol] [-e symbol] [command]]
                 - Execute 'command' against stacks that are at least 'depth' frames deep

                 - Specify '-q' (quiet) to omit the per-thread header

                 - Specify '-s' to only include stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                 - Specify '-e' to exclude stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                   e.g. !deep
                        !deep 25
                        !deep 25 kbn
                        !deep 25 dps @rsp @rsp+0x20

                        !deep 25 -q
                        !deep 25 -q !teb

                        !deep 25 -s ReadFile
                        !deep 25 -s ReadFile kbn
                        !deep 25 -s ReadFile dps @rsp @rsp+0x20

                        !deep 25 -e SleepEx
                        !deep 25 -e SleepEx kbn
                        !deep 25 -e SleepEx dps @rsp @rsp+0x20

  !deep -?        - Display the help for !deep
  !deep -help     - Display the help for !deep

=========================================================================================
  !busy          - Equivalent of ~*knL but only displays stacks that are at least
                   'depth' frames deep (default depth is 1) and are not waiting for:-
                    ~ ntdll!NtWaitFor*
                    ~ ntdll!ZwWaitFor*
                    ~ ntdll!NtRemoveIoCompletion
                    ~ ntdll!ZwRemoveIoCompletion
                    ~ ntdll!NtReplyWaitReceivePort
                    ~ ntdll!ZwReplyWaitReceivePortEx

  !busy [<depth> [-x] [-q] [-s symbol] [-e symbol] [command]]
                 - Execute 'command' against stacks that are at least 'depth' frames deep
                   and are not waiting (for the list above)

                 - Specify '-x' to also exclude waiters of network calls, sleeps nad messages:-
                    ~ ntdll!NtRequestWaitReplyPort
                    ~ ntdll!ZwRequestWaitReplyPort
                    ~ ntdll!NtDelayExecution
                    ~ ntdll!ZwDelayExecution
                    ~ ntdll!RtlDeactivateActivationContextUnsafeFast
                    ~ *!NtUserWaitMessage
                    ~ *!ZwUserWaitMessage
                    ~ *!ZwUserGetMessage
                    ~ *!NtUserGetMessage

                 - Specify '-q' (quiet) to omit the per-thread header

                 - Specify '-s' to only include stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                 - Specify '-e' to exclude stacks that contain 'symbol'
                    (Note, don't include a displacement in the specified symbol)

                   e.g. !busy
                        !busy 25
                        !busy 25 kbn
                        !busy 25 dps @rsp @rsp+0x20

                        !busy 25 -x
                        !busy 25 -x kbn
                        !busy 25 -x dps @rsp @rsp+0x20

                        !busy 25 -q
                        !busy 25 -q !teb

                        !busy 25 -s ReadFile
                        !busy 25 -s ReadFile kbn
                        !busy 25 -s ReadFile dps @rsp @rsp+0x20

                        !busy 25 -e SleepEx
                        !busy 25 -e SleepEx kbn
                        !busy 25 -e SleepEx dps @rsp @rsp+0x20

  !busy -?        - Display the help for !busy
  !busy -help     - Display the help for !busy

=========================================================================================
  !dpx           - Equivalent of dps, dpp, dpa and dpu (combined); also class types (dt) and trap frames (kV)

  !dpx           - Displays from stack pointer to the stack base
  !dpx N         - Displays the first N values, from the stack pointer down
  !dpx <addr> N
                 - Displays the first N values, from <addr> down
  !dpx <addr> <addr>
                 - Displays from addr to addr

                 - Specify '-u' to display an unlimited number of values
                   Default limit is 6,000 addresses

                 - Specify '-a' to display all stack values
                   Default only displays stack values that point to a value

                 - Interface pointers are adjusted to align with the class's virtual function table (vftable)
                 - When there is a value adjustment, the pointer is displayed in light blue text

                 - Specify the following to limit the types; multiple options are allowed
                   -da : ANSI strings
                   -du : UNICODE strings
                   -dt : Data Types
                   -ds : Symbols
                   -df : Trap Frames (Kernel only)
                   -dse: Stowed Exceptions (WinRT apps only)


                   e.g. !dpx
                        !dpx 20
                        !dpx -a
                        !dpx -da -du 20
                        !dpx <addr> <addr> -u
                        !dpx <addr> <addr> -u -a

=========================================================================================
  !spx           - Find an expression (number) or data type (symbol)
                 - Search is pointer aligned
                 - Special handling for multiple interface classes
                 - Add -dt to perform a 'dt' on each address
                 - Very fast in User Mode
                 - Very slow in Kernel Mode

  !spx [-dt] [-s <addr>] [-e <addr>] <expression>

                   e.g. !spx combase!CComApartment
                        !spx -dt combase!CComApartment
                        !spx -s @rsp -e @rsp+1000 0x1234000+0n56

=========================================================================================
  !ssz           - Find ANSI and UNICODE strings
  !ssa           - Find ANSI strings
  !ssu           - Find UNICODE strings
                 - Search is case sensitive
                 - Displays up to 200 characters after the initial match
                 - UNICODE search is a conversion of the ANSI command line
                 - Very FAST in User Mode
                 - Very slow in Kernel Mode

  !ssz [-s <addr>] [-e <addr>] <string>
  !ssa [-s <addr>] [-e <addr>] <string>
  !ssu [-s <addr>] [-e <addr>] <string>

                   e.g. !ssz Program Files
                        !ssz Windows
                        !ssz -s @rsp -e @rsp+1000 User

=========================================================================================
  !dtr           - Equivalent of dt for each valid register

  !dtr [args]
  !dtr           - Lists registers that point to an address; includes class type
  !dtr <arg>     - Equivalent of dt @reg <arg> for each valid register
                     !dtr <arg> --> dt @reg <arg>

                   e.g. !dtr
                        !dtr nt!_ERESOURCE
                        !dtr nt!_ERESOURCE Flag

=========================================================================================
  !grep          - Only shows lines which contain <search>
                 - Search is case insensitive
                 - Lines are delimited by newline ('\n')
                 - !grep can be chained

  !grep <search> <command>

                   e.g. !grep days vertarget
                        !grep call u @eip
                        !grep dt !dpx
                        !grep dt !grep DUser !dpx

  !ungrep        - Same as !grep but exclusion

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  !bold          - Highlight the lines which contain <search>
                 - Search is case insensitive
                 - Lines are delimited by newline ('\n')

  !bold <search> <command>

                   e.g. !bold version vertarget
                        !bold call uf ntdll!RtlUserThreadStart

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  !head          - Display the first N bytes of a command
  !tail          - Display the last N bytes of a command

  !head <bytes> <command>
  !tail <bytes> <command>

=========================================================================================
  !ghostthreads  - Lists all threads; real or ghosts
  !gt            - Same as !ghostthreads

  !gt [command]  - If 'command' is specified, the command is run
                   for each thread, instead of the summary table.

                 - The following substitutions are made:
                   - $teb   - TEB Address
                   - $base  - Stack Base Address
                   - $limit - Stack Limit Address

                   e.g. !gt !teb $teb
                        !gt !dpx $base $limit

=========================================================================================
  !loadsos        - Runs #1
  !loadpsscor     - Runs #2
  !loadsosex      - Runs #3
  !loadspext      - Runs #4

  Define PDE_LOADCORDLL to change the default (at load)
                  0 = Disabled
                  1 = SOS (default)
                  2 = PSSCORx + SOSEX
                  3 = SOS + SOSEX
                  4 = SOS + SOSEX + SPEXT 

=========================================================================================
  !comment        - Display the dump's comment (with DML)

  !notes          - Executes commands based on the dump type - starts your case notes
  !exr            - Executes commands based on the exception code (.exr -1)

  !line           - Print a line
  !bigline        - Print three big lines

  !du <addr>      - Display a UNICODE string (up to 4Gb)
  !da <addr>      - Display a ANSI string (up to 4Gb)
  !err <code>     - Display an Error Code
  !guid <addr>    - Display a GUID

  !url <url>      - Open a url; use !ext.url instead

  !kr             - knL printed upside down so WinDiff works better

  !dtr            - Displays Data Types in Registers
  !msr            - Displays the Model-Specific Registers (MSR)

  !stowedexceptions
                  - Display the Stowed Exceptions of a Store app
  !dse            - Same as !stowedexceptions
  !bgtask         - Display the Background Tasks of a Store app

  !symsrvaudit    - Display the SRV status of each lookup made during the command
                  - Command defaults to ".reload /f"

  !diadump <module>
                  - Dump the DIA Tables and Assembly Information of the specified Module

  !dbgp           - Dump a DBGP ACPI table
  !dbg2           - Dump a DBG2 ACPI table
  !msdm           - Dump a MSDM ACPI table
  !slic           - Dump a SLIC ACPI table

  !dmem           - Display the Memory Regions of a User Mode dump
  !vmem           - Display the Virtual Regions of a User Mode process

  !tags [GUID]    - List the GUID and Size of the secondary callback chunks
  !tagshex [GUID] - List the GUID and Size of the secondary callback chunks, and dump in HEX
  !tagstext [GUID]- List the GUID and Size of the secondary callback chunks, and dump in TEXT

  !crashtask      - Enable crashdump support on the current (modern) process

  !dml            - Toggle .prefer_dml
  !dmlraw         - Print DML output as TEXT (used to review DML)

  !help           - Displays the help for all commands

=========================================================================================
  -- Defaults -- 
  DML On          - .prefer_dml 1
  UNICODE On      - .enable_unicode 1
  Ignore Pages On - .ignore_missing_pages 1
  Lines Disabled  - .lines -d

  -- Aliases -- 
  symoff          - .outmask- 0x200
  symon           - .outmask+ 0x200
  dml             - !PDE.dml
  av              - !ext.analyze -nodb -v
  avv             - !ext.analyze -nodb -v6
  ax              - !ext.analyze -nodb -xml
  axv             - !ext.analyze -nodb -xml -xcs -xmi
  axs             - !ext.analyze -nodb -xsd
  show            - !ext.analyze -show
  sn              - !sym noisy
  sq              - !sym quiet
  rf              - .reload /f
  ru              - .reload /u

=========================================================================================




As an aside, there's an absolute ton of stuff in that BSOD Information forum I'd forgotten about that's super useful. What's the plan with this academy and all the old material - are we leaving it spread across here and the "old" BSOD tutorials forum, or migrating it all into one place?
 
There is a lot of useful information in there as you suggest.

I had planned for all of us to go through the BSOD Tutorial Forum and copy the ones that are of interest to us to the BSOD Academy Library.

Because they are so old, I had thought it would be best to create new threads with the author's name at the top, like I did with this one by VirGnarus - https://www.sysnative.com/forums/threads/registers-a-short-story.27998/
 
I haven't tried using the !w2kfre\kdex2x86.stack command yet since it's an old Windows 2000 command; however, isn't it the same as dumping the raw stack using dps? I tend to use !dpx anyway from ProcDumpExt.dll. However, I didn't know that it was continued with PDE, thanks for that!

We definitely need to slowly review all the old BSOD Tutorial threads, there is so much useful information buried in there still which needs to be reviewed and updated. For example, most of the CodeMachine links are broken, but I know that the CodeMachine website is still running so I'll try and update those links as I come across them.

I also really need to update that WinDbg cheat sheet, lots more data structures and commands which could be added. I feel I could have probably written it a little better too.
 
I think that the OP is looking for something that will provide something similar to lmvm on all stack drivers.

Here is the stack -
Code:
0: kd> k
 # Child-SP          RetAddr           Call Site
00 ffffd000`2136fa78 fffff803`27fdd7e9 nt!KeBugCheckEx
01 ffffd000`2136fa80 fffff803`27fddb10 nt!KiBugCheckDispatch+0x69
02 ffffd000`2136fbc0 fffff803`27fdcd34 nt!KiFastFailDispatch+0xd0
03 ffffd000`2136fda0 fffff800`8043ac3a nt!KiRaiseSecurityCheckFailure+0xf4
04 ffffd000`2136ff30 fffff800`804359ff ndis!ndisFreeToNPagedPool+0x59
05 ffffd000`2136ff60 fffff800`804559dd ndis!NdisFreeNetBuffer+0xdf
06 ffffd000`2136ffd0 fffff800`81364e19 ndis!NdisFreeCloneNetBufferList+0x292fd
07 ffffd000`21370080 fffff800`80430eee vwififlt!FilterSendNetBufferListsComplete+0x181
08 ffffd000`213700d0 fffff800`81e9e671 ndis!NdisMSendNetBufferListsComplete+0x4de
09 ffffd000`21370240 fffff800`81d0f222 NETwbw02+0x1b1671
0a ffffd000`21370270 fffff800`81e4d73b NETwbw02+0x22222
0b ffffd000`213702b0 fffff800`81d10099 NETwbw02+0x16073b
0c ffffd000`213703c0 fffff800`81d08723 NETwbw02+0x23099
0d ffffd000`21370410 fffff800`81d25782 NETwbw02+0x1b723
0e ffffd000`21370460 fffff800`81d488dd NETwbw02+0x38782
0f ffffd000`213704b0 fffff800`81e5296c NETwbw02+0x5b8dd
10 ffffd000`213704e0 fffff800`81d10099 NETwbw02+0x16596c
11 ffffd000`21370510 fffff800`81d08723 NETwbw02+0x23099
12 ffffd000`21370560 fffff800`81e7b5dd NETwbw02+0x1b723
13 ffffd000`213705b0 fffff800`81e7ab8c NETwbw02+0x18e5dd
14 ffffd000`21370650 fffff800`81eb2d5d NETwbw02+0x18db8c
15 ffffd000`21370790 fffff800`81eb434d NETwbw02+0x1c5d5d
16 ffffd000`21370810 fffff800`81eb53e9 NETwbw02+0x1c734d
17 ffffd000`21370840 fffff800`81eb5a42 NETwbw02+0x1c83e9
18 ffffd000`213708d0 fffff800`81eadc15 NETwbw02+0x1c8a42
19 ffffd000`21370970 fffff800`81ea48c8 NETwbw02+0x1c0c15
1a ffffd000`213709d0 fffff800`81e9647a NETwbw02+0x1b78c8
1b ffffd000`21370a00 fffff800`804391f0 NETwbw02+0x1a947a
1c ffffd000`21370a30 fffff800`804394eb ndis!ndisMiniportDpc+0x110
1d ffffd000`21370ad0 fffff800`80438fae ndis!ndisQueuedMiniportDpcWorkItem+0xfb
1e ffffd000`21370b70 fffff803`27f8136c ndis!ndisReceiveWorkerThread+0x20e
1f ffffd000`21370c00 fffff803`27fd82c6 nt!PspSystemThreadStartup+0x58
20 ffffd000`21370c60 00000000`00000000 nt!KiStartSystemThread+0x16

Eliminating duplicate driver lines from the stack leaves us with 4 -
  • NT
  • ndis.sys
  • vwififlt.sys
  • NETwbw02.sys


Code:
0: kd> lmvm nt
Browse full module list
start end module name
fffff803`27e81000 fffff803`28615000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\3BAEE2762F6442089EF8B926DDC8DBA61\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Browse all global symbols functions data
Timestamp: Sun Mar 22 15:26:46 2015 (550F41A6)
CheckSum: 0072FF0F
ImageSize: 00794000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

Code:
0: kd> lmvm ndis
Browse full module list
start end module name
fffff800`80429000 fffff800`80540000 ndis (pdb symbols) c:\symbols\ndis.pdb\0A2B1C2CFB6F40AC8473FF364A434C802\ndis.pdb
Loaded symbol image file: ndis.sys
Image path: \SystemRoot\system32\drivers\ndis.sys
Image name: ndis.sys
Browse all global symbols functions data
Timestamp: Mon Feb 2 16:03:15 2015 (54D01043)
CheckSum: 0011DC0C
ImageSize: 00117000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

Code:
0: kd> [color=blue][b]lmvm vwififlt[/b][/color][b][/b]
Browse full module list
start end module name
fffff800`8135e000 fffff800`81376000 vwififlt (pdb symbols) c:\symbols\vwififlt.pdb\F71A4C46A0C0485B845CC47DD1F2ADFC1\vwififlt.pdb
Loaded symbol image file: vwififlt.sys
Image path: \SystemRoot\system32\DRIVERS\vwififlt.sys
Image name: vwififlt.sys
Browse all global symbols functions data
Timestamp: Tue Apr 29 23:43:46 2014 (53609BA2)
CheckSum: 0001F37F
ImageSize: 00018000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

Code:
0: kd> lmvm NETwbw02
Browse full module list
start end module name
fffff800`81ced000 fffff800`82070000 NETwbw02 (no symbols)
Loaded symbol image file: NETwbw02.sys
Image path: \SystemRoot\system32\DRIVERS\NETwbw02.sys
Image name: NETwbw02.sys
Browse all global symbols functions data
Timestamp: Mon Mar 23 01:53:41 2015 (550FD495)
CheckSum: 0035F91B
ImageSize: 00383000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

Here is output from dps command:
Code:
0: kd> dps
fffff803`27fd1ca0 54894808`244c8948
fffff803`27fd1ca8 4c182444`894c1024
fffff803`27fd1cb0 ec83489c`20244c89
fffff803`27fd1cb8 20250c8b`4865fa30
fffff803`27fd1cc0 5980898b`48000000
fffff803`27fd1cc8 6500006d`61e80000
fffff803`27fd1cd0 00000020`250c8b48
fffff803`27fd1cd8 0002efe8`40c18348
fffff803`27fd1ce0 00202514`8b4c6500
fffff803`27fd1ce8 00598092`8b4d0000
fffff803`27fd1cf0 89494024`448b4800
fffff803`27fd1cf8 448b4800`00008082
fffff803`27fd1d00 8d484442`89493024
fffff803`27fd1d08 443b48ff`ffff6c05
fffff803`27fd1d10 24448d4c`0e753824
fffff803`27fd1d18 ffffff50`0d8d4c68

@BlueRobot - what exactly does the output of the dps command tell us? I assume that the output is memory addresses, but how can the above information help us to solve the BSOD?

I also tried the !dpx command, but had no luck. I must be off on the syntax -
Code:
0: kd> !dpx
No export dpx found

@Anu Pai - Am I correct in that the above information on drivers listed in the stack is what you are looking for?

What do you need information on stack drivers for?

In this example, it is evident that the culprit is the Intel wifi driver NETwbw02.sys

Also, here is a listing of the loaded drivers in the dump using the kd> command lmntsm -


Regards. . .

jcgriff2


I've never used DropBox before, so I'm not sure if I have done things correctly. I successfully uploaded the full kernel memory dump from my system to DropBox, then used "Properties" to obtain a link so that others can download the dump.

I don't know if I have properly done the SHARE settings at DropBox, nor am I sure about the link.

If someone could help me with instructions to make the dump public and to obtain the correct link (if mine is INOP), I would greatly appreciate it. Thank you.

Link to my full zipped kernel memory dump - Login - Dropbox

Here is the NOPARSEd link -

Code:
https://www.dropbox.com/preview/dumps/MEMORY_07-06-2015_2120.DMP.zip?role=personal
 
@jcgriff2

You need to use the !thread WinDbg command extension to dump the thread and obtain its stack address range. Then use the dps command with that, like this:

Code:
6: kd> !thread
THREAD ffff950a3d56a080 Cid 2650.0be8 Teb: 00000017e3638000 Win32Thread: ffff950a3c0c6550 RUNNING on processor 6
IRP List:
ffff950a42183240: (0006,0478) Flags: 00060043 Mdl: ffff950a3e724b40
Not impersonating
DeviceMap ffffc582aa67e490
Owning Process ffff950a3f462080 Image: OSBuddy64.exe
Attached Process N/A Image: N/A
Wait Start TickCount 2030855 Ticks: 1 (0:00:00:00.015)
Context Switch Count 2818893 IdealProcessor: 6
UserTime 01:04:06.640
KernelTime 00:23:55.015
Win32 Start Address 0x0000000057901dbc
Stack Init ffffe480e018ec90 Current ffffe480e018df50
Base ffffe480e018f000 Limit ffffe480e0189000 Call 0000000000000000
Priority 6 BasePriority 6 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
ffffe480`e018d908 fffff801`3b82eb7c : 00000000`0000001e ffffffff`c0000005 fffff805`f2dda7df 00000000`00000000 : nt!KeBugCheckEx
ffffe480`e018d910 fffff801`3b97b98e : ffffe480`e018e110 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x23c
ffffe480`e018dfc0 fffff801`3b979e57 : 00000000`00000000 00000000`0003081c ffff950a`00000000 00000036`b77d3868 : nt!KiExceptionDispatch+0xce
ffffe480`e018e1a0 fffff805`f2dda7df : ffff950a`00000000 00000000`00000000 00000000`00000000 ffffc582`a28fd128 : nt!KiPageFault+0x217 (TrapFrame @ ffffe480`e018e1a0)
ffffe480`e018e330 fffff805`f2ddb92d : ffffe480`e018e450 ffffe480`e018e638 ffff950a`3dfc6b00 fffff805`f2d21a94 : NTFS!NtfsPreRequestProcessingExtend+0x4f
ffffe480`e018e420 fffff805`f240563d : ffff950a`38d49170 ffff950a`42183240 ffff950a`39f46df0 ffff950a`42183628 : NTFS!NtfsFsdRead+0x1dd
ffffe480`e018e6a0 fffff805`f24034d6 : ffffe480`e018e730 00000000`00000003 00000000`0000000d 00000000`00000000 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18d
ffffe480`e018e710 fffff801`3b8404a5 : ffff950a`42183260 ffff950a`42183240 ffff950a`3dfc6bf0 fffff801`3b892171 : FLTMGR!FltpDispatch+0xb6
ffffe480`e018e770 fffff801`3b8a5f42 : ffff950a`3e724a40 00000000`3b893da5 ffff950a`3e724aa0 ffff950a`3e724a60 : nt!IoPageReadEx+0x265
ffffe480`e018e7e0 fffff801`3b8a5970 : 00000000`00000003 ffffe480`e018e8b0 00000000`00000000 fffff801`3b870fe9 : nt!MiIssueHardFaultIo+0xb6
ffffe480`e018e830 fffff801`3b891486 : 00000000`c0033333 ffffe480`e018eb00 00000000`00000000 ffffe480`e018ea10 : nt!MiIssueHardFault+0x190
ffffe480`e018e910 fffff801`3b979d72 : ffff950a`3d56a080 000001c2`00000000 ffff950a`3debd310 ffff950a`3debd310 : nt!MmAccessFault+0xc96
ffffe480`e018eb00 00000000`572be790 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x132 (TrapFrame @ ffffe480`e018eb00)
00000000`fb5fe128 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x572be790

Code:
6: kd> dps ffffe480e0189000 ffffe480e018f000
ffffe480`e0189000 00000000`00000003

[...]

ffffe480`e018ad38 fffff801`3ee1957e*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
nvlddmkm+0x1b957e
ffffe480`e018ad40 00000000`00000003
ffffe480`e018ad48 00000000`00000000
ffffe480`e018ad50 00000000`00410102
ffffe480`e018ad58 00000000`00000000
ffffe480`e018ad60 ffff950a`3b482e58
ffffe480`e018ad68 fffff801`3ee1957e nvlddmkm+0x1b957e
ffffe480`e018ad70 fffff801`3bb83bc0 nt!NonPagedPoolDescriptor
ffffe480`e018ad78 fffff801`3ba84343 nt!ExFreePoolWithTag+0x323
ffffe480`e018ad80 00000000`00000003
ffffe480`e018ad88 00000000`00000000
ffffe480`e018ad90 00000000`00000000
ffffe480`e018ad98 fffff801`3eed86d9 nvlddmkm+0x2786d9
ffffe480`e018ada0 00000000`00000012
ffffe480`e018ada8 fffff801`3b8ba362 nt!MiRemoveAnyPage+0x112
ffffe480`e018adb0 ffff950a`00000014
ffffe480`e018adb8 fffff801`3bb83bc0 nt!NonPagedPoolDescriptor

[...]

This will dump the raw kernel stack for the thread which is useful when the call stack has become corrupt or is wrong.

The !dpx command belongs to a WinDbg extension library called ProcDumpExt, which has now been deprecated; however, it has been replaced by the original author with another library called PDE, see this post - [SUGGESTION] - WinDbg Cheat Sheet - Data Structures, Commands and Extensions

Code:
6: kd> !dpx
Start memory scan  : 0xffffe480e018d908 ($csp)
End memory scan    : 0xffffe480e018f000 (Kernel Stack Base)

               rsp : 0xffffe480e018d908 : 0xfffff8013b82eb7c : nt!KiDispatchException+0x23c
0xffffe480e018d908 : 0xfffff8013b82eb7c : nt!KiDispatchException+0x23c
0xffffe480e018d920 : 0xfffff805f2dda7df : NTFS!NtfsPreRequestProcessingExtend+0x4f
0xffffe480e018d968 : 0xfffff9103327fd7c : win32kfull!ENUMUNDERLAYS::bEnum+0x8c
0xffffe480e018da10 : 0xfffff805f2dfa65b : NTFS!memset+0xdb
0xffffe480e018da38 : 0xfffff805f2dda7df : NTFS!NtfsPreRequestProcessingExtend+0x4f
0xffffe480e018da88 : 0xfffff910338c130f : cdd!DrvCopyBits+0x4f
0xffffe480e018dab8 : 0xffffe480e018e108 : 0xfffff805f2dda7df : NTFS!NtfsPreRequestProcessingExtend+0x4f
0xffffe480e018dc70 : 0xfffff93dc1fa3b48 : 0xfffff93dc1e017d0 :  dt cdd!CddBitmapHw
0xffffe480e018dce8 : 0xfffff8013bcaf767 : nt!MiSessionPoolVector+0x17
0xffffe480e018dd18 : 0xfffff8013ba83bb7 : nt!ExAllocatePoolWithTag+0x817
0xffffe480e018ddb8 : 0xfffff8013ba832a6 : nt!ExDeferredFreePool+0x286
0xffffe480e018ddc8 : 0xfffff8013b82e8b0 : nt!RtlGetExtendedContextLength+0x34
0xffffe480e018de38 : 0xfffff8013ba84697 : nt!ExFreePoolWithTag+0x677
0xffffe480e018de98 : 0xfffff910335dd1d9 : win32kbase!PushThreadGuardedObject+0x79
0xffffe480e018dec8 : 0xfffff910332cef33 : win32kfull!NSInstrumentation::CPointerHashTable::Remove+0xc3
0xffffe480e018ded8 : 0xfffff8013b891cb9 : nt!MiResolvePageTablePage+0x349
0xffffe480e018dee8 : 0xfffff8013b866e99 : nt!ExReleasePushLockExclusiveEx+0x1a9
0xffffe480e018dfb8 : 0xfffff8013b97b98e : nt!KiExceptionDispatch+0xce
0xffffe480e018e108 : 0xfffff805f2dda7df : NTFS!NtfsPreRequestProcessingExtend+0x4f
0xffffe480e018e198 : 0xfffff8013b979e57 : nt!KiPageFault+0x217
0xffffe480e018e200 : 0xfffff805f2dfa65b : NTFS!memset+0xdb
0xffffe480e018e2c8 : 0xfffff8013b867219 : nt!ExAcquirePushLockSharedEx+0xe9
0xffffe480e018e308 : 0xfffff805f2dda7df : NTFS!NtfsPreRequestProcessingExtend+0x4f
0xffffe480e018e378 : 0xfffff805f2407572 : FLTMGR!FltGetStreamContext+0x42
0xffffe480e018e3a8 : 0xfffff805f2ddac15 : NTFS!NtfsInitializeIrpContext+0x115
0xffffe480e018e3b8 : 0xfffff805f2d2f141 : fileinfo!FIStreamGet+0x51
0xffffe480e018e418 : 0xfffff805f2ddb92d : NTFS!NtfsFsdRead+0x1dd
0xffffe480e018e438 : 0xfffff805f2d21a94 : fileinfo!FIPreReadWriteCallback+0x104
0xffffe480e018e448 : 0xfffff805f2d4348c : Wof!WofAcquireFileSystemRundown+0x44
0xffffe480e018e698 : 0xfffff805f240563d : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x18d
0xffffe480e018e708 : 0xfffff805f24034d6 : FLTMGR!FltpDispatch+0xb6
0xffffe480e018e768 : 0xfffff8013b8404a5 : nt!IoPageReadEx+0x265
0xffffe480e018e788 : 0xfffff8013b892171 : nt!MiDispatchFault+0x3c1
0xffffe480e018e7d8 : 0xfffff8013b8a5f42 : nt!MiIssueHardFaultIo+0xb6
0xffffe480e018e828 : 0xfffff8013b8a5970 : nt!MiIssueHardFault+0x190
0xffffe480e018e848 : 0xfffff8013b870fe9 : nt!KeSetEvent+0x99
0xffffe480e018e868 : 0xfffff8013b8a5873 : nt!MiIssueHardFault+0x93
0xffffe480e018e908 : 0xfffff8013b891486 : nt!MmAccessFault+0xc96
0xffffe480e018e9e8 : 0xfffff8013b85e631 : nt!KiQuantumEnd+0x251
0xffffe480e018eaf8 : 0xfffff8013b979d72 : nt!KiPageFault+0x132
0xffffe480e018eb00 : 0xffff950a3d56a080 :  Trap @ ffffe480e018eb00
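As an added example that is not part of this thread (my own Python, not a WinDbg or PDE extension), here is a small parser that automates two steps discussed above: reading Base/Limit out of !thread output to build the dps command, and reducing dps / !dpx output to the unique modules on the stack (the "eliminating duplicate driver lines" step from the earlier post), flagging modules that only ever appear as bare module+offset, i.e. without symbols. The Base/Limit values are the ones from the !thread output above; the dps sample lines are constructed from the output shapes shown in this thread.

```python
import re
from collections import OrderedDict

# Constructed sample: the Base/Limit line as !thread prints it (values from this thread).
SAMPLE_THREAD = """\
Stack Init ffffe480e018ec90 Current ffffe480e018df50
Base ffffe480e018f000 Limit ffffe480e0189000 Call 0000000000000000
"""

# Constructed sample mixing dps-style and !dpx-style lines, including the
# "symbols could not be loaded" noise WinDbg emits for a third-party driver.
SAMPLE_DPS = """\
ffffe480`e018ad38 fffff801`3ee1957e*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
nvlddmkm+0x1b957e
ffffe480`e018ad40 00000000`00000003
ffffe480`e018ad70 fffff801`3bb83bc0 nt!NonPagedPoolDescriptor
ffffe480`e018ad78 fffff801`3ba84343 nt!ExFreePoolWithTag+0x323
ffffe480`e018ad98 fffff801`3eed86d9 nvlddmkm+0x2786d9
0xffffe480e018e378 : 0xfffff805f2407572 : FLTMGR!FltGetStreamContext+0x42
0xffffe480e018dc70 : 0xfffff93dc1fa3b48 : 0xfffff93dc1e017d0 :  dt cdd!CddBitmapHw
"""

# "module!symbol[+0xoff]" means symbols resolved; "module+0xoff" alone means
# WinDbg had no symbols for that module (compare "NETwbw02 (no symbols)" above).
# The lookbehind keeps hex words such as fffff801`3ee1957e from being taken as modules.
SYMBOL_RE = re.compile(
    r"(?<![\w`])(?P<module>[A-Za-z_][\w.]*)"
    r"(?:!(?P<symbol>[\w:.<>~$]+)|(?P<bare>\+0x[0-9a-fA-F]+))"
)
THREAD_STACK_RE = re.compile(r"Base\s+([0-9a-fA-F]+)\s+Limit\s+([0-9a-fA-F]+)")


def dps_command_for_thread(thread_output):
    """Build 'dps <limit> <base>' from !thread output (limit is the low address)."""
    m = THREAD_STACK_RE.search(thread_output)
    if not m:
        raise ValueError("no Base/Limit line found in !thread output")
    base, limit = m.group(1), m.group(2)
    return f"dps {limit} {base}"


def stack_modules(text):
    """Unique modules in first-seen order, with hit count and whether symbols resolved."""
    found = OrderedDict()
    for line in text.splitlines():
        for m in SYMBOL_RE.finditer(line):
            name = m.group("module")
            entry = found.setdefault(name.lower(), {"name": name, "hits": 0, "symbols": False})
            entry["hits"] += 1
            if m.group("symbol"):
                entry["symbols"] = True
    return list(found.values())


if __name__ == "__main__":
    print(dps_command_for_thread(SAMPLE_THREAD))
    for mod in stack_modules(SAMPLE_DPS):
        print(f"{mod['name']:<12} hits={mod['hits']} symbols={'yes' if mod['symbols'] else 'NO'}")
```

Modules that show up only without symbols are the third-party drivers worth feeding to lmvm first, as was done with NETwbw02 above.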
 
Try this link -

MEMORY_07-06-2015_2120.DMP.zip

I think that since this BSOD was so easy to solve (Intel wifi driver), this full kernel dump may be a good one for us all to work with since we know the origin (my system) and that it definitely was not hardware related.

Thoughts?

I'd like to learn more about Windbg commands and believe that this dump would be easy to work with.
 
Looks like I can access the file now, I haven't downloaded it yet since I'm at work at the moment.
 
It is a large file (2GB) so I wondered if it would be worth looking out for a smaller kernel dump for students to work on. In general I agree we do need a few dumps we can have as examples for testing out commands and extensions on kernel dumps. The PDE extension has been mentioned a lot and I find this the most useful. Some of the others I use are SwishDbgExt; Dbgkit and MEX. There may be others that the analysts on here use and so it would be good to share this knowledge.
 
There's one which I used to use occasionally called CMKD on CodeMachine - CodeMachine - Tools - CMKD

MEX is a very good extension, which I use occasionally too, it displays IRP information in a nicer format. SwishDbgExt is nice for kernel exploration, but as you said, PDE/ProcDumpExt is the most useful extension.
 
