I wrote a simple packet filter driver based on the example 'passthru' of the Windows DDK, when I turned on the filter function, the OS is crashed and I got the following message from the WinDbg:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86 Copyright (c)
Microsoft Corporation. All rights reserved.
Loading Dump File [D:\iCheckTool\dump\MEMORY.DMP] Kernel Summary Dump
File: Only kernel address space is available
WARNING: Whitespace at start of path element Symbol search path is:
D:\iCheckTool\dump;
SRV*E:\DebuggingSymbols*http://msdl.microsoft.com/download/symbols;SRV*C:\MyLocalSymbols*http://192.168.20.25/zfprisymbols/
Executable search path is: Windows XP Kernel Version 2600 (Service
Pack 3) MP (2 procs) Free x86 compatible Product: WinNt, suite:
TerminalServer SingleUserTS Built by: 2600.xpsp_sp3_qfe.120504-1617
Machine Name: Kernel base = 0x804d8000 PsLoadedModuleList = 0x8055e720
Debug session time: Tue Sep 11 09:41:02.828 2012 (UTC + 8:00) System
Uptime: 0 days 0:02:30.578 Loading Kernel Symbols
...............................................................
............................................................. Loading
User Symbols PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh
dbgerr001" for details Loading unloaded module list ........
*
Bugcheck Analysis *
*
Use !analyze -v to get detailed debugging information.
BugCheck C5, {4, 2, 1, 8054c10f}
Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+109 )
Followup: Pool_corruption
1: kd> !analyze -v
*
Bugcheck Analysis *
*
DRIVER_CORRUPTED_EXPOOL (c5) An attempt was made to access a pageable
(or completely invalid) address at an interrupt request level (IRQL)
that is too high. This is caused by drivers that have corrupted the
system pool. Run the driver verifier against any new (or suspect)
drivers, and if that doesn't turn up the culprit, then use gflags to
enable special pool. Arguments: Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL Arg3: 00000001, value 0 = read operation, 1 =
write operation Arg4: 8054c10f, address which referenced memory
Debugging Details:
BUGCHECK_STR: 0xC5_2
CURRENT_IRQL: 2
FAULTING_IP: nt!ExDeferredFreePool+109 8054c10f 895f04 mov
dword ptr [edi+4],ebx
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: explorer.exe
TRAP_FRAME: b42555dc -- (.trap 0xffffffffb42555dc) ErrCode = 00000002
eax=89cc1c60 ebx=89e4ded8 ecx=000001ff edx=89cc2a78 esi=80565d20
edi=00000000 eip=8054c10f esp=b4255650 ebp=b4255690 iopl=0 nv
up ei ng nz ac pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030
gs=0000 efl=00010297 nt!ExDeferredFreePool+0x109: 8054c10f
895f04 mov dword ptr [edi+4],ebx
ds:0023:00000004=???????? Resetting default scope
LOCK_ADDRESS: 8055c4e0 -- (!locks 8055c4e0)
Resource # nt!PiEngineLock (0x8055c4e0) Available
Contention Count = 1 1 total locks
PNP_TRIAGE: Lock address : 0x8055c4e0 Thread Count : 0 Thread
address: 0x00000000 Thread wait : 0x0
LAST_CONTROL_TRANSFER: from 8054c10f to 80545768
STACK_TEXT: b42555dc 8054c10f badb0d00 89cc2a78 b8338538
nt!KiTrap0E+0x238 b4255690 8054c75f 00000001 8055c100 00020019
nt!ExDeferredFreePool+0x109 b42556d0 8058635e 899522e8 00000000
b42557d8 nt!ExFreePoolWithTag+0x47f b42556fc 805878b8 c0000023
00000007 8058758c nt!PiGetDeviceRegistryProperty+0x108 b425578c
bf879f40 8a523030 00000001 00000100 nt!IoGetDeviceProperty+0x25e
b42558f8 bf879735 00000000 e1b5e008 00000000
win32k!DrvEnumDisplayDevices+0x33b b425591c 8054268c 00000000 00000000
0007ecc4 win32k!NtUserEnumDisplayDevices+0x7c b425591c 7c92e514
00000000 00000000 0007ecc4 nt!KiFastCallEntry+0xfc WARNING: Frame IP
not in any known module. Following frames may be wrong. 0007f010
00000000 00000000 00000000 00000000 0x7c92e514
STACK_COMMAND: kb
FOLLOWUP_IP: nt!ExDeferredFreePool+109 8054c10f 895f04 mov
dword ptr [edi+4],ebx
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExDeferredFreePool+109
FOLLOWUP_NAME: Pool_corruption
IMAGE_NAME: Pool_Corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: Pool_Corruption
FAILURE_BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool+109
BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool+109
Followup: Pool_corruption
Can someone tell me what caused this problem and how to fix it?
Thanks.
Apparently, you tried to write into invalid memory region (address = 0x4). Beyond this the debugger analysis you posted isn't too helpful. You can try finding your driver stack (which is not present in your posted debug output) in the debugger to get the failing code, but it's not guaranteed. Other methods to attack this include adding debug prints to your code and capturing it with DbgView (you can later extract them from the memory dump). And you can also connect kernel debugger and catch the error when it happens.
Related
If Microsoft Visual Studio 2015 community edition IDE is opened in Windows 10 and Microsoft Visal Foxpro IDE is in foreground,
after few seconds Visual Studio crashes with
Microsoft Visual Studio 2015 stopped working
message.
How to fix this ? It is not possible to use Microsoft Visal FoxPro IDE is Visual Studio is opened.
After that in shows collection information for a long time but no more information is given.
After it is restared, it offers to recovers files.
If FixPro IDE is brought to foreground, it crashed again and so on.
In Windows 7 boths ides worked.
Posted also in http://forums.asp.net/p/2098546/6062971.aspx
Update
Below is output from x86 windbg.exe
It looks like System.IO.Path.CheckInvalidPathChars call in VS method causes crash.
Is this related to my locale ?
I think only english characters are used in file and path names accessed by both IDE-s.
Why line numbers are not displayed ?
Debugging/Symbols/Use Microsoft Symber Servers is checked in Visual Studio,
All modules, unless excluded radio box is selected and no modules are excluded.
How to find line number in CheckInvalidPathChars source code which causes exception ?
Microsoft (R) Windows Debugger Version 10.0.10586.567 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\LocalDumps\devenv.exe.7652.dmp]
User Mini Dump File with Full Memory: Only application data is available
Symbol search path is: srv*
Executable search path is:
Windows 10 Version 10586 MP (8 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Built by: 10.0.10586.0 (th2_release.151029-1700)
Machine Name:
Debug session time: Sun Jul 3 17:58:41.000 2016 (UTC + 3:00)
System Uptime: 1 days 2:25:20.731
Process Uptime: 0 days 0:07:52.000
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
.................................
Loading unloaded module list
...............
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(1de4.1014): CLR exception - code e0434352 (first/second chance not available)
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000003 edi=00000003
eip=7743718c esp=330ee0f8 ebp=330ee288 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!NtWaitForMultipleObjects+0xc:
7743718c c21400 ret 14h
0:068> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify checksum for System.ni.dll
*** WARNING: Unable to verify checksum for System.Core.ni.dll
*** WARNING: Unable to verify checksum for PresentationCore.ni.dll
*** WARNING: Unable to verify checksum for WindowsBase.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.Shell.14.0.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.CodeAnalysis.Features.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.CodeAnalysis.Workspaces.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.Build.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.JSLS.ni.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for nativrd2.dll -
*** WARNING: Unable to verify checksum for System.Management.Automation.ni.dll
*** WARNING: Unable to verify checksum for Microsoft.VisualStudio.Web.ni.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for mscordbi.dll -
DUMP_CLASS: 2
DUMP_QUALIFIER: 400
CONTEXT: (.ecxr)
eax=330eede8 ebx=00000005 ecx=00000005 edx=00000000 esi=330eeea8 edi=00000001
eip=7712dae8 esp=330eede8 ebp=330eee40 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
KERNELBASE!RaiseException+0x48:
7712dae8 8b4c2454 mov ecx,dword ptr [esp+54h] ss:002b:330eee3c=872f3008
Resetting default scope
FAULTING_IP:
KERNELBASE!RaiseException+48
7712dae8 8b4c2454 mov ecx,dword ptr [esp+54h]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 7712dae8 (KERNELBASE!RaiseException+0x00000048)
ExceptionCode: e0434352 (CLR exception)
ExceptionFlags: 00000001
NumberParameters: 5
Parameter[0]: 80070057
Parameter[1]: 00000000
Parameter[2]: 00000000
Parameter[3]: 00000000
Parameter[4]: 6cd80000
PROCESS_NAME: devenv.exe
ERROR_CODE: (NTSTATUS) 0xe0434352 - <Unable to get error code text>
EXCEPTION_CODE: (HRESULT) 0x80070057 (2147942487) - The parameter is incorrect.
EXCEPTION_CODE_STR: 80070057
EXCEPTION_PARAMETER1: 80070057
EXCEPTION_PARAMETER2: 00000000
EXCEPTION_PARAMETER3: 00000000
EXCEPTION_PARAMETER4: 0
WATSON_BKT_PROCSTAMP: 57685d85
WATSON_BKT_PROCVER: 14.0.25420.1
PROCESS_VER_PRODUCT: Microsoft® Visual Studio® 2015
WATSON_BKT_MODULE: KERNELBASE.dll
WATSON_BKT_MODSTAMP: 571afb9a
WATSON_BKT_MODOFFSET: bdae8
WATSON_BKT_MODVER: 10.0.10586.306
MODULE_VER_PRODUCT: Microsoft® Windows® Operating System
BUILD_VERSION_STRING: 10.0.10586.0 (th2_release.151029-1700)
MODLIST_WITH_TSCHKSUM_HASH: 4fcd781d45a1334d9bcf598acb3135d540e69ef0
MODLIST_SHA1_HASH: a0fd1d4cab671d86ea9b9d7967795f680101df97
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_FLAGS: 8000c07
DUMP_TYPE: 0
APP: devenv.exe
MISSING_CLR_SYMBOL: 0
MANAGED_EXCEPTION_HRESULT: 80070057
ANALYSIS_SESSION_HOST: DELL2
ANALYSIS_SESSION_TIME: 07-03-2016 18:16:32.0068
ANALYSIS_VERSION: 10.0.10586.567 x86fre
MANAGED_CODE: 1
MANAGED_ENGINE_MODULE: clr
MANAGED_ANALYSIS_PROVIDER: SOS
MANAGED_THREAD_ID: 1014
MANAGED_EXCEPTION_ADDRESS: 36697728
LAST_CONTROL_TRANSFER: from 6ce8a701 to 7712dae8
THREAD_ATTRIBUTES:
FAULTING_THREAD: ffffffff
THREAD_SHA1_HASH_MOD_FUNC: 7b898fe56a64f5be9b4f1219f22e997dac66cbc4
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 1211f347092e8a4415eb763a6305ba8f87471780
OS_LOCALE: ETI
PROBLEM_CLASSES:
CLR_EXCEPTION
Tid [0x44]
Frame [0x00]
String [System.ArgumentException]
Failure Bucketing
Data Bucketing
FINALIZER
Tid [0x1014]
Frame [0x0d]: clr!Thread::DoExtraWorkForFinalizer
Failure Bucketing
NOSOS
Tid [0x1014]
Failure Bucketing
BUGCHECK_STR: CLR_EXCEPTION_FINALIZER_NOSOS_System.ArgumentException
DEFAULT_BUCKET_ID: CLR_EXCEPTION_FINALIZER_NOSOS_System.ArgumentException
STACK_TEXT:
330eefac 66e3c13d mscorlib_ni!System.IO.Path.CheckInvalidPathChars+0xb3cfbd
330eefbc 663ab5c6 mscorlib_ni!System.IO.Path.GetFileName+0x16
330eefd4 65d2112b system_ni!System.IO.FileSystemWatcher.MatchPattern+0xf
330eefe8 65d2118e system_ni!System.IO.FileSystemWatcher.NotifyFileSystemEventArgs+0x16
330ef000 6580f251 system_ni!System.IO.FileSystemWatcher.CompletionStatusChanged+0x275
330ef060 66372134 mscorlib_ni!System.Threading._IOCompletionCallback.PerformIOCompletionCallback+0x70
STACK_COMMAND: !sos.pe 0x36697728 ; ** Pseudo Context ** ; kb
THREAD_SHA1_HASH_MOD: 9e580844edc1c536a492e0ccea2cdd390265f467
FOLLOWUP_IP:
mscorlib_ni+e3c13d
66e3c13d cc int 3
FAULT_INSTR_CODE: 8dcccccc
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: mscorlib_ni!System.IO.Path.CheckInvalidPathChars+e3c13d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mscorlib_ni
IMAGE_NAME: mscorlib.ni.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 570c5040
BUCKET_ID: CLR_EXCEPTION_FINALIZER_NOSOS_System.ArgumentException_mscorlib_ni!System.IO.Path.CheckInvalidPathChars+e3c13d
PRIMARY_PROBLEM_CLASS: CLR_EXCEPTION_FINALIZER_NOSOS_System.ArgumentException_mscorlib_ni!System.IO.Path.CheckInvalidPathChars+e3c13d
BUCKET_ID_OFFSET: e3c13d
BUCKET_ID_MODULE_STR: mscorlib_ni
BUCKET_ID_MODTIMEDATESTAMP: 570c5040
BUCKET_ID_MODCHECKSUM: 1154df8
BUCKET_ID_MODVER_STR: 4.6.1080.0
BUCKET_ID_PREFIX_STR: CLR_EXCEPTION_FINALIZER_NOSOS_System.ArgumentException_
FAILURE_PROBLEM_CLASS: CLR_EXCEPTION_FINALIZER_NOSOS_System.ArgumentException
FAILURE_EXCEPTION_CODE: 80070057
FAILURE_IMAGE_NAME: mscorlib.ni.dll
FAILURE_FUNCTION_NAME: System.IO.Path.CheckInvalidPathChars
BUCKET_ID_FUNCTION_STR: System.IO.Path.CheckInvalidPathChars
FAILURE_SYMBOL_NAME: mscorlib.ni.dll!System.IO.Path.CheckInvalidPathChars
FAILURE_BUCKET_ID: CLR_EXCEPTION_FINALIZER_NOSOS_System.ArgumentException_80070057_mscorlib.ni.dll!System.IO.Path.CheckInvalidPathChars
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/devenv.exe/14.0.25420.1/57685d85/KERNELBASE.dll/10.0.10586.306/571afb9a/80070057/000bdae8.htm?Retriage=1
TARGET_TIME: 2016-07-03T14:58:41.000Z
OSBUILD: 10586
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2015-10-30 04:46:21
BUILDDATESTAMP_STR: 151029-1700
BUILDLAB_STR: th2_release
BUILDOSVER_STR: 10.0.10586.0
ANALYSIS_SESSION_ELAPSED_TIME: 6952
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:clr_exception_finalizer_nosos_system.argumentexception_80070057_mscorlib.ni.dll!system.io.path.checkinvalidpathchars
FAILURE_ID_HASH: {9ac34ec0-80d5-6afc-db16-24c08255921b}
Followup: MachineOwner
---------
Update2
Output from sos.pe after that:
0:068> !sos.pe 0x36697728
Exception object: 36697728
Exception type: System.ArgumentException
Message: Illegal characters in path.
InnerException: <none>
StackTrace (generated):
SP IP Function
330EEFAC 66E3C13D mscorlib_ni!System.IO.Path.CheckInvalidPathChars(System.String, Boolean)+0xb3cfbd
330EEFBC 663AB5C6 mscorlib_ni!System.IO.Path.GetFileName(System.String)+0x16
330EEFD4 65D2112B System_ni!System.IO.FileSystemWatcher.MatchPattern(System.String)+0xf
330EEFE8 65D2118E System_ni!System.IO.FileSystemWatcher.NotifyFileSystemEventArgs(Int32, System.String)+0x16
330EF000 6580F251 System_ni!System.IO.FileSystemWatcher.CompletionStatusChanged(UInt32, UInt32, System.Threading.NativeOverlapped*)+0x275
330EF060 66372134 mscorlib_ni!System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)+0x70
StackTraceString: <none>
HResult: 80070057
Update3.
Visual Studio Shows Stack trace with parameter values:
mscorlib.dll!System.IO.Path.CheckInvalidPathChars(string path, bool checkAdditional) Unknown
mscorlib.dll!System.IO.Path.GetFileName(string path = "andmed\\\0\0\0\0\0\0\0\0\0\0\0\0") Unknown
System.dll!System.IO.FileSystemWatcher.MatchPattern(string relativePath) Unknown
System.dll!System.IO.FileSystemWatcher.NotifyFileSystemEventArgs(int action = 3, string name = "andmed\\\0\0\0\0\0\0\0\0\0\0\0\0") Unknown
System.dll!System.IO.FileSystemWatcher.CompletionStatusChanged(uint errorCode, uint numBytes, System.Threading.NativeOverlapped* overlappedPointer = 0x1e9bc584) Unknown
mscorlib.dll!System.Threading._IOCompletionCallback.PerformIOCompletionCallback(uint errorCode, uint numBytes, System.Threading.NativeOverlapped* pOVERLAP) Unknown
Replacing TrueCrypt with VeraCrypt fixes the issue.
I'm hoping someone here can help.
I have a new Windows 10 machine (all parts by EVGA).
I get random BSOD, so I've grabbed a mini dump, installed the SDK and looked into it. I just don't understand what it is reporting.
Can someone point me in the direction of a guide, or decode this mini dump.
Note : Each dump looks very similar. e.g. almost the same report from 'irp'
Here is the dump....
Microsoft (R) Windows Debugger Version 10.0.10586.567 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\033016-4718-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 10586 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.162.amd64fre.th2_release_sec.160223-1728
Machine Name:
Kernel base = 0xfffff8018d674000 PsLoadedModuleList = 0xfffff8018d952cd0
Debug session time: Wed Mar 30 18:15:33.639 2016 (UTC + 1:00)
System Uptime: 0 days 2:47:26.264
Loading Kernel Symbols
.
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
..............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
.............
*
Bugcheck Analysis *
*
Use !analyze -v to get detailed debugging information.
BugCheck 9F, {3, ffffe000935ea880, fffff8018f25a890, ffffe00092718bd0}
Probably caused by : ACPI.sys
Followup: MachineOwner
0: kd> !analyze -v
*
Bugcheck Analysis *
*
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: ffffe000935ea880, Physical Device Object of the stack
Arg3: fffff8018f25a890, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: ffffe00092718bd0, The blocked IRP
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 400
BUILD_VERSION_STRING: 10586.162.amd64fre.th2_release_sec.160223-1728
SYSTEM_MANUFACTURER: EVGA INTERNATIONAL CO.,LTD
SYSTEM_PRODUCT_NAME: Default string
SYSTEM_SKU: Default string
SYSTEM_VERSION: Default string
BIOS_VENDOR: American Megatrends Inc.
BIOS_VERSION: 1.07
BIOS_DATE: 01/04/2016
BASEBOARD_MANUFACTURER: EVGA INTERNATIONAL CO.,LTD
BASEBOARD_PRODUCT: 111-SS-E172
BASEBOARD_VERSION: 1.0
DUMP_TYPE: 2
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
BUGCHECK_P1: 3
BUGCHECK_P2: ffffe000935ea880
BUGCHECK_P3: fffff8018f25a890
BUGCHECK_P4: ffffe00092718bd0
DRVPOWERSTATE_SUBCODE: 3
IMAGE_NAME: ACPI.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 56cbf9c9
MODULE_NAME: ACPI
FAULTING_MODULE: fffff800d5de0000 ACPI
CPU_COUNT: 8
CPU_MHZ: d50
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 5e
CPU_STEPPING: 3
CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: 33'00000000 (cache) 33'00000000 (init)
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0x9F
PROCESS_NAME: System
CURRENT_IRQL: 2
ANALYSIS_SESSION_HOST: Q-PC
ANALYSIS_SESSION_TIME: 03-30-2016 20:04:47.0460
ANALYSIS_VERSION: 10.0.10586.567 x86fre
STACK_TEXT:
fffff8018f25a858 fffff8018d854e42 : 000000000000009f 0000000000000003 ffffe000935ea880 fffff8018f25a890 : nt!KeBugCheckEx
fffff8018f25a860 fffff8018d854d62 : ffffe00096133010 fffff8018f252070 0000000000000000 fffff8018d73e0a6 : nt!PopIrpWatchdogBugcheck+0xde
fffff8018f25a8c0 fffff8018d6e22c6 : ffffe00096133048 fffff8018f25aa10 0000000000000001 0000000000000002 : nt!PopIrpWatchdog+0x32
fffff8018f25a910 fffff8018d7b951a : 0000000000000000 fffff8018d991180 fffff8018da07740 ffffe00096723800 : nt!KiRetireDpcList+0x5f6
fffff8018f25ab60 0000000000000000 : fffff8018f25b000 fffff8018f254000 0000000000000000 0000000000000000 : nt!KiIdleLoop+0x5a
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: 81a7ba75a791115b4f55c8910c64a260d525502e
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 936d5c51c0ad2157bf4c85af575dd55cea2c0947
THREAD_SHA1_HASH_MOD: f08ac56120cad14894587db086f77ce277bfae84
FOLLOWUP_NAME: MachineOwner
IMAGE_VERSION: 10.0.10586.122
FAILURE_BUCKET_ID: 0x9F_3_POWER_DOWN_i8042prt_IMAGE_ACPI.sys
BUCKET_ID: 0x9F_3_POWER_DOWN_i8042prt_IMAGE_ACPI.sys
PRIMARY_PROBLEM_CLASS: 0x9F_3_POWER_DOWN_i8042prt_IMAGE_ACPI.sys
TARGET_TIME: 2016-03-30T17:15:33.000Z
OSBUILD: 10586
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-02-24 05:48:00
BUILDDATESTAMP_STR: 160223-1728
BUILDLAB_STR: th2_release_sec
BUILDOSVER_STR: 10.0.10586.162.amd64fre.th2_release_sec.160223-1728
ANALYSIS_SESSION_ELAPSED_TIME: 3d7
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x9f_3_power_down_i8042prt_image_acpi.sys
FAILURE_ID_HASH: {22a3ff34-49ca-8d37-715b-ae023b6cc9fb}
Followup: MachineOwner
0: kd> !irp ffffe00092718bd0
Irp is active with 8 stacks 6 is current (= 0xffffe00092718e08)
No Mdl: No System Buffer: Thread 00000000: Irp stack trace. Pending has been returned
cmd flg cl Device File Completion-Context
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[IRP_MJ_POWER(16), IRP_MN_WAIT_WAKE(0)]
0 0 ffffe000935ea880 00000000 fffff800d6a81ec0-00000000
\Driver\ACPI i8042prt!I8xPowerUpToD0Complete
Args: 00000000 00000000 00000000 00000002
[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)]
0 e1 ffffe00093f936f0 00000000 fffff800d6ab1060-00000000 Success Error Cancel pending
\Driver\i8042prt kbdclass!KeyboardClassPowerComplete
Args: 00051100 00000001 00000001 00000002
[IRP_MJ_POWER(16), IRP_MN_SET_POWER(2)]
0 e1 ffffe00093dc95f0 00000000 fffff8018d7840b8-ffffe00096133010 Success Error Cancel pending
\Driver\kbdclass nt!PopRequestCompletion
Args: 00051100 00000001 00000001 00000002
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-ffffe00096133010
Args: 00000000 00000000 00000000 00000000
I'm also adding a BlueScreen screen shot, incase that helps.
Now adding output from some extra commands after Martins comments...
0: kd> !devstack ffffe000935ea880
!DevObj !DrvObj !DevExt ObjectName
ffffe00093dc95f0 \Driver\kbdclass ffffe00093dc9740 InfoMask field not found for _OBJECT_HEADER at ffffe00093dc95c0
ffffe00093f936f0 \Driver\i8042prt ffffe00093f93840 InfoMask field not found for _OBJECT_HEADER at ffffe00093f936c0
> ffffe000935ea880 \Driver\ACPI ffffe000923fa8d0 Cannot read info offset from nt!ObpInfoMaskToOffset
!DevNode ffffe000935d6af0 :
DeviceInst is "ACPI\PNP0303\0"
ServiceName is "i8042prt"
!process 0 7
**** NT ACTIVE PROCESS DUMP ****
GetPointerFromAddress: unable to read from fffff8018d9f3200
Error in reading nt!_EPROCESS at 0000000000000000
0: kd> !poaction
PopAction: fffff8018d94efe0
State..........: 0 - Idle
Updates........: 0
Action.........: None
Lightest State.: Unspecified
Flags..........: 10000003 QueryApps|UIAllowed
Irp minor......: ??
System State...: Unspecified
Hiber Context..: 0000000000000000
Allocated power irps (PopIrpList - fffff8018d94f4f0)
IRP: ffffe00092718bd0 (set/D0,), PDO: ffffe000935ea880, CURRENT: ffffe00093f936f0
IRP: ffffe000971aa990
Irp worker threads (PopIrpThreadList - fffff8018d94e100)
THREAD: ffffe00091515040 (static)
THREAD: ffffe00091501800 (static)
Error resolving nt!_POP_CURRENT_BROADCAST...
Summary: Error was caused by my 10 year old Razor mouse with Windows 10.
The driver when entering power save state was freaking out and causing the blue screen.
I purchased a new mouse, removed the driver & 2 months in no more BSOD.
I usually use BlueScreenView by Nirsoft. It will get you a list of last BSOD and will show a nice view of the components. "Normally" the first mentioned component could be the reason.
Not sure, if you are looking for a solution on a specific problem or the minidump usage in general.
Some driver got problems with power state change. Make sure, you have the current Drivers installed.
Even after giving correct PDB symbols I cant see stack trace where it can tell me function calls. Stack text only shows msvcr120. Also this crash occurs on customer machine only. I am wondering if something is missing wrt msvcr120 which we need to install. This is what I can see in windbg:
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007fffc113dd27 (msvcr120+0x000000000006dd27)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000005
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
rax=aaaaaaaaaaaaaaaa rbx=0000000000000000 rcx=aaaaaaaaaaaaaaaa
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=00007fffc113dd27 rsp=000000e40cd261c0 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=aaaaaaaaaaaaaaaa r12=000000e40c3076b0 r13=0000000000000000
r14=000000000000005c r15=000000e40c3051d0
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
msvcr120+0x6dd27:
00007fff`c113dd27 cd29 int 29h
PROCESS_NAME: <removed>
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_PARAMETER1: 0000000000000005
NTGLOBALFLAG: 0
APP: <removed>
ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre
FAULTING_THREAD: 0000000000005188
BUGCHECK_STR: APPLICATION_FAULT_INVALID_ARG_FAILURE_SEHOP
PRIMARY_PROBLEM_CLASS: INVALID_ARG_FAILURE_SEHOP
DEFAULT_BUCKET_ID: INVALID_ARG_FAILURE_SEHOP
LAST_CONTROL_TRANSFER: from 0000000000000000 to 00007fffc113dd27
STACK_TEXT:
000000e4`0cd261c0 00000000`00000000 : 00000000`00000000 00000000`00000000 aaaaaaaa`aaaaaaaa 00000000`00000000 : msvcr120+0x6dd27
STACK_COMMAND: ~5s; .ecxr ; kb
FOLLOWUP_IP:
msvcr120+6dd27
00007fff`c113dd27 cd29 int 29h
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: msvcr120+6dd27
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msvcr120
IMAGE_NAME: msvcr120.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 524f83ff
FAILURE_BUCKET_ID: INVALID_ARG_FAILURE_SEHOP_c0000409_msvcr120.dll!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_ARG_FAILURE_SEHOP_msvcr120+6dd27
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_arg_failure_sehop_c0000409_msvcr120.dll!unknown
FAILURE_ID_HASH: {6c95a838-d91e-9c26-c623-f4edddde2886}
Followup: MachineOwner
---------
0:005> k
Child-SP RetAddr Call Site
000000e4`0cd261c0 00000000`00000000 msvcr120+0x6dd27
(Btw I have tried every possible suggestion I found to get stack trace on stackoverflow and other places before asking question)
Based on the output above, you do not have valid symbols for msvcr120. The first step is to try and get those. If you can't get the symbols, or you do get them and still can't get a good stack trace, then you should use dqs and try to manually walk the stack.
Need help to understand kernel debugging error.
When I put my driver for Whck test for windows 8(32/64 bit), it fails CHAOS in RUN TEST.
So I did kernel debugging and got following debug message.But I don't understand where is the error in my ioctl.c file.Same driver has cleared the test for windows 7 32 bit.
*** Fatal System Error: 0x0000000a
(0x00000031,0x00000002,0x00000000,0x81CB1194)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
nt!RtlpBreakWithStatusInstruction:
818d6ca4 cc int 3
2: kd> !analyze -v
Connected to Windows 8 9200 x86 compatible target at (Tue May 27 11:56:02.788 2014 (UTC - 7:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
.............................................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
...................
........................
Loading User Symbols
Loading unloaded module list
.........Unable to enumerate user-mode unloaded modules, Win32 error 0n30
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000031, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81cb1194, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000031
CURRENT_IRQL: 2
FAULTING_IP:
nt!VerifierKeSynchronizeExecution+26
81cb1194 0fb64631 movzx eax,byte ptr [esi+31h]
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
TRAP_FRAME: b74a594c -- (.trap 0xffffffffb74a594c)
ErrCode = 00000000
eax=9132b7d8 ebx=b23f4a38 ecx=b74a59d8 edx=9184c628 esi=00000000 edi=9184c570
eip=81cb1194 esp=b74a59c0 ebp=b74a59c4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!VerifierKeSynchronizeExecution+0x26:
81cb1194 0fb64631 movzx eax,byte ptr [esi+31h] ds:0023:00000031=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 818fefc7 to 818d6ca4
STACK_TEXT:
b74a54e4 818fefc7 00000003 d565b8ac 00000031 nt!RtlpBreakWithStatusInstruction
b74a5534 818fe861 00000003 8286a340 b74a5934 nt!KiBugCheckDebugBreak+0x1c
b74a5908 818d56a6 0000000a 00000031 00000002 nt!KeBugCheck2+0x655
b74a592c 8194ed9b 0000000a 00000031 00000002 nt!KiBugCheck2+0xc6
b74a592c 81cb1194 0000000a 00000031 00000002 nt!KiTrap0E+0x1b3
b74a59c4 9132b7d8 00000000 9132ef20 b74a59d8 nt!VerifierKeSynchronizeExecution+0x26
b74a5a30 81ca1f9b 9184c570 adcf4f00 adcf4f00 OxSer!OxserInternalIoControl+0x328 [c:\users\admin\desktop\trunk\uart_v7.0\source\uart\driver\wdm\ioctl.c # 2570]
b74a5a50 81830066 81cb97fd adcf4fd4 adcf4ff8 nt!IovCallDriver+0x2e3
b74a5a64 81cb97fd b74a5a8c 81cb98f4 9184c570 nt!IofCallDriver+0x73
b74a5a6c 81cb98f4 9184c570 adcf4f00 ace85a30 nt!ViFilterIoCallDriver+0x10
b74a5a8c 81ca1f9b ace85ae8 adcf4f00 81ca27c1 nt!ViFilterDispatchGeneric+0x5e
b74a5aac 81830066 8f7eab44 ace85a30 8ad0c710 nt!IovCallDriver+0x2e3
b74a5ac0 8f7eab44 b74a5b0c b74a5b0c b74a5c14 nt!IofCallDriver+0x73
b74a5ad0 8f7ea625 001b0010 00000001 ace85a30 serenum!Serenum_IoSyncIoctlEx+0x48
b74a5c14 8f7e537d b7196ed8 b74a5c33 b7a84340 serenum!Serenum_ReenumerateDevices+0x259
b74a5c34 81866b1b b7196ed8 d565b1e8 00000000 serenum!SerenumEnumThread+0x57
b74a5c70 81950579 8f7e5326 8ad0c710 00000000 nt!PspSystemThreadStartup+0x4a
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
STACK_COMMAND: kb
FOLLOWUP_IP:
OxSer!OxserInternalIoControl+328 [c:\users\admin\desktop\trunk\uart_v7.0\source\uart\driver\wdm\ioctl.c # 2570]
9132b7d8 8b4dcc mov ecx,dword ptr [ebp-34h]
FAULTING_SOURCE_LINE: c:\users\admin\desktop\trunk\uart_v7.0\source\uart\driver\wdm\ioctl.c
FAULTING_SOURCE_FILE: c:\users\admin\desktop\trunk\uart_v7.0\source\uart\driver\wdm\ioctl.c
FAULTING_SOURCE_LINE_NUMBER: 2570
FAULTING_SOURCE_CODE:
No source found for 'c:\users\admin\desktop\trunk\uart_v7.0\source\uart\driver\wdm\ioctl.c'
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: OxSer!OxserInternalIoControl+328
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: OxSer
IMAGE_NAME: OxSer.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 53802c0f
BUCKET_ID_FUNC_OFFSET: 328
FAILURE_BUCKET_ID: AV_VRF_OxSer!OxserInternalIoControl
BUCKET_ID: AV_VRF_OxSer!OxserInternalIoControl
Followup: MachineOwner
---------
The routine that crashed was actually in the OS verifier. This is a set of function that perform additional validation on driver calls when driver development is performed in order to find driver bugs.
You are probably not crashing on Win7 because either the verifier is not turned on or the verifier was not detecting this problem in Win7. While your code is not crashing, it is probably still doing something that will cause OS instability at some point.
You should view this as Win8 helping you identify a real bug much more easily, rather than under weird circumstances after you shipped your driver.
Since I started using outlook with GoogleCalendarSync i'm experiencing hangs every once in awhile.
I used ADPlus to create a hang dump of the process (using adplus -hang -pn outlook.exe -o c:\dumps).
When I read the dump via WinDBG I use the command !analyze -v -hang, but I can't figure out what exactly went wrong.
The output of the command is:
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
+1d32faf00ffdf58 00000000 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000 ExceptionCode: 80000007 (Wake debugger)
ExceptionFlags: 00000000 NumberParameters: 0
BUGCHECK_STR: HANG
PROCESS_NAME: OUTLOOK.EXE
ERROR_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xcfffffff - <Unable to get error code
text>
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
MANAGED_STACK: !dumpstack -EE OS Thread Id: 0xd60 (37) Current frame:
ChildEBP RetAddr Caller,Callee
DERIVED_WAIT_CHAIN:
Dl Eid Cid WaitType
-- --- ------- -------------------------- 0 ba0.6a4 Thread Handle --> 37 ba0.d60 Event
WAIT_CHAIN_COMMAND: ~0s;k;;~37s;k;;
BLOCKING_THREAD: 00000d60
DEFAULT_BUCKET_ID: APPLICATION_HANG_BlockedOn_EventHandle
PRIMARY_PROBLEM_CLASS: APPLICATION_HANG_BlockedOn_EventHandle
LAST_CONTROL_TRANSFER: from 7c90df5a to 7c90e514
FAULTING_THREAD: 00000025
STACK_TEXT: 11f3f764 7c90df5a 7c8025db 00000458 00000000
ntdll!KiFastSystemCallRet 11f3f768 7c8025db 00000458 00000000 00000000
ntdll!NtWaitForSingleObject+0xc 11f3f7cc 7c802542 00000458 ffffffff
00000000 kernel32!WaitForSingleObjectEx+0xa8 11f3f7e0 77520197
00000458 ffffffff 00192888 kernel32!WaitForSingleObject+0x12 11f3f7fc
77602e50 00192888 001a3ab8 00000000 ole32!GetToSTA+0x6f 11f3f81c
7760208a 11f3f8e4 11f3f9f4 09b148b8
ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0xf6 11f3f8fc
7752c982 09b148b8 11f3f9f4 11f3f9e4
ole32!CRpcChannelBuffer::SendReceive2+0xc8 11f3f968 7752c91a 09b148b8
11f3f9f4 11f3f9e4 ole32!CAptRpcChnl::SendReceive+0xab 11f3f9bc
77ef5db5 09b148b8 11f3f9f4 11f3f9e4
ole32!CCtxComChnl::SendReceive+0x113 11f3f9d8 77ef5ead 09b22354
11f3fa20 0600015b rpcrt4!NdrProxySendReceive+0x43 11f3fdbc 77ef5e42
774e6228 774e92da 11f3fdf4 rpcrt4!NdrClientCall2+0x1fa 11f3fddc
77e88519 00000010 00000005 11f3fe04 rpcrt4!ObjectStublessClient+0x8b
11f3fdec 7752d919 09b22354 00000001 145bf7b8 rpcrt4!ObjectStubless+0xf
11f3fe04 7752d8ba 09b22354 00192888 00000001
ole32!RemoteReleaseRifRefHelper+0x84 11f3fe2c 7752c558 09b22354
00192888 00000001 ole32!RemoteReleaseRifRef+0x74 11f3fe84 7752c351
0e8a3cfc 0e8a3cf8 00000000 ole32!CStdMarshal::DisconnectCliIPIDs+0x200
11f3feac 7750c880 00000002 0e8a3da0 0e8a3cf8
ole32!CStdMarshal::Disconnect+0x178 11f3fec8 7750c7ed 0e8a3cf8
11f3fee8 7750c967 ole32!CStdIdentity::~CStdIdentity+0x89 11f3fed4
7750c967 00000001 00440023 00520006 ole32!CStdIdentity::`vector
deleting destructor'+0xd 11f3fee8 77ef5ae8 80000000 11f3ff00 1112f31b
ole32!CStdIdentity::CInternalUnk::Release+0x4c 11f3fef4 1112f31b
0e8bd1fc 11f3ff14 1112a0e4 rpcrt4!IUnknown_Release_Proxy+0x11 WARNING:
Stack unwind information not available. Following frames may be wrong.
11f3ff00 1112a0e4 11f3ff80 00000000 11f3ff80 GoogleCalendarSync+0xf31b
11f3ff14 1112a0b1 00000000 11f3ff80 11f3ffb4 GoogleCalendarSync+0xa0e4
11f3ff24 11137c5e 555047c9 00020048 80578cb2 GoogleCalendarSync+0xa0b1
11f3ffb4 7c80b729 00000301 00440023 00520006
GoogleCalendarSync+0x17c5e 11f3ffec 00000000 111378c0 00000301
00000000 kernel32!BaseThreadStart+0x37
FOLLOWUP_IP: GoogleCalendarSync+f31b 1112f31b 8b5508 mov
edx,dword ptr [ebp+8]
SYMBOL_STACK_INDEX: 15
SYMBOL_NAME: GoogleCalendarSync+f31b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: GoogleCalendarSync
IMAGE_NAME: GoogleCalendarSync.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4d9f0466
STACK_COMMAND: ~37s ; kb
BUCKET_ID: HANG_GoogleCalendarSync+f31b
WATSON_IBUCKET: -1362224887
WATSON_IBUCKETTABLE: 1
FAILURE_BUCKET_ID:
APPLICATION_HANG_BlockedOn_EventHandle_cfffffff_GoogleCalendarSync.dll!Unknown
WATSON_STAGEONE_URL:
http://watson.microsoft.com/StageOne/OUTLOOK_EXE/14_0_6117_5001/4f3e2d20/unknown/0_0_0_0/bbbbbbb4/cfffffff/00000000.htm?Retriage=1
Followup: MachineOwner
---------------------------
How can I further investigate this dump? What am I missing?
The thread GoogleCalendarSync is operating in tries to Release a COM object whose apartement model is STA, that is the object lives in a single thread. This kind of object was very popular in the begining of COM, because the COM layer ensures the object won't be accessed from multiple threads in the same time, thus avoiding adding synchronization code in the object implementation.
You can grab the first parameter of GetToSTA (0x00192888 in this case), dump the contents of the memory at this address (dc 0x00192888). In the result, skip the first 2 DWORD : next DWORD should be the target process ID and next one the target thread ID. This target thread is likely to be already blocked in another operation (refer to http://blogs.msdn.com/b/tess/archive/2008/06/12/asp-net-case-study-deadlock-waiting-in-gettosta.aspx if you need a real life example).