Most Notable BSOD Kernel Dump Analysis posts


RE: Sysnative Forums BSOD Thread - https://www.sysnative.com/forums/bs...lling-zonealarm-windows-7-x86.html#post107314

Sometimes, BSOD analysis is done in "visual steps" with the Windbg command + resulting output shown in code boxes, step-by-step as was done in this thread.

To try and help you follow such steps in BSOD threads here at Sysnative Forums, I thought it would be helpful to provide additional details and information as to what these steps are and where the parms come from.

I can think of few things more frustrating than knowing what a Windbg command does, how it can help me in finding an answer/solution, but not being able to figure out where the memory address used in conjunction with the Windbg command came from.

When I read this thread earlier and came upon Patrick's post, I could follow all with relative ease, except that the memory address in step #4 (a.k.a., the "command parameter") eluded me for a bit until I looked closer at the output of #3. Once the output of #3 is reviewed, the origin of #4's "command parameter" becomes immediately evident.

Just to go over it quickly:

kd> command for #4 -
Code:
[COLOR=#565656]2: kd> [/COLOR][B]dt nt!_MODE c9dd6208[/B]

So... I'm on the hunt for memory address 0xc9dd6208, which could have come from the output of #3 or elsewhere. I'm not very familiar with #4 command, so the output of #3 is where I started and... there it was!

I included the command for #4, which includes the memory address from #3 command at the end of the show/hide (spoiler) tag for your viewing pleasure (makes it easier to see/compare)!

kd> command for #3 -
Code:
[COLOR=#565656]2: kd> [/COLOR][B]!handle 300[/B]

Output for #3:
Read More:


So, that ends the mystery as to where the cmd parm memory address for #4 came from.

We can all rest easy tonight! :0




START ANALYSIS OF PATRICK'S POST

Now, we'll get started with the analysis on Patrick's post #17.


Summation - "Probably caused by:" Zone Alarm BSOD likely caused by Bitdefender.

Windbg kd> commands used & displayed in post:
  1. !analyze -v
  2. knL
  3. !handle 300
  4. dt nt!_MODE c9dd6208
  5. .bugcheck
  6. !address 8eea7cc3
  7. !thread 95a1c7c8
  8. !irp 89326ac0
  9. !fileobj 95a1a7c8

  1. "!analyze" = displays information about the bugcheck; "-v" = verbose output; "!analyze -v is probably the most well known and widely used Windbg command in the world (my estimate & opinion)
  2. Display Stack Backtrace - displays the thread's stack frame and related information (the command = "k"; "n" = Displays frame numbers; "L" = Hides source lines in the display. "L" is case sensitive)
  3. Displays information about a handle that a process owns
    Not sure what the "300" after "!handle" means as I can't locate any information on it at this time.
    Windbg help CHM file shows these as valid parms for the !thread command:

    Read More:

  4. Displays displays information about a local variable, global variable or data type. The memory address (c9dd6208) was obtained from this output line from #3 -
    Code:
    ObjectHeader: c9dd6208 (new version)
  5. Displays bugcheck information - the STOP ERROR followed by 4 parameters in parenthesis (P1,P2,P3,P4)
  6. Displays information about the memory address used by the target address [the hexadecimal number following the word ADDRESS]
  7. Displays summary information about a thread [the hexadecimal number after the word THREAD]
  8. Displays IRP (I/O Request Packet) information
  9. Displays detailed information about the FILE_OBJECT structure. The actual file object is the memory address following the word FILEOBJ

Very nice analysis, Patrick. :thumbsup2:

Please know that a thread not found, detailed/analyzed and discussed in this "Most Notable BSOD Kernel Dump Analysis Posts" thread/sticky DOES NOT in any way mean that it was not good enough to be a "...most notable..." BSOD post. There are many reasons why most threads don't make it in here -- #1 reason (or excuse if you wish!) - lack of time.

"Sysnative Forums" is specifically mentioned here because this post involves a thread from this forum. Most of us (BSOD Analysts) are on staff at other forums or just simply answer BSOD threads as time permits.

Sysnative Forums is our primary forum; however, there are two other forums that take precedence over ALL others after Sysnative Forums -- Bleeping Computer (BC) and Tech Support Forum (TSF). They both use "BSOD Posting Instructions" very similar to ours (the same "SysnativeBSODCollectionApp.exe" dump + collection app is used -- 1st developed in 2008; improved constantly ever since, and copied/plagiarized by many).

Lastly, the comments in this post about the BSOD thread are mine. I in no way speak for Patrick, the author of the post in question and therefore, he is of course free to correct anything I have written. Something doesn't necessarily have to be incorrect/wrong; a simple disagreement may occur.

Regards. . .

jcgriff2
 
Last edited:
Not sure what the "300" after "!thread" means as I can't locate any information on it at this time.

The 300 is the actual handle that was being referenced.
It was actually after '!handle', not '!thread'.

It took Patrick and I a while to find the data structure that represents the Kernel and User mode of an object, I finally found it through sheer luck actually.
After about an hour, and many MSDN articles, searching for undocumented data structures later...

But good post though Patrick.
 
Not sure what the "300" after "!thread" means as I can't locate any information on it at this time.

The 300 is the actual handle that was being referenced.
It was actually after '!handle', not '!thread'.

It took Patrick and I a while to find the data structure that represents the Kernel and User mode of an object, I finally found it through sheer luck actually.
After about an hour, and many MSDN articles, searching for undocumented data structures later...

But good post though Patrick.

Thanks for spotting my typo. I changed !thread to !handle before the 300.

I did look up !handle and don't see "300" as a parm; hence I still don't know its meaning.

With user mode dumps, the parm options are 0x1, 0x2, 0x4 & 0x8.

Kernel mode dumps - parm options listed are 0x1, 0x2, 0x4, 0x10 & 0x20.

I was just curious as to where the "300" came from & what it does as compared to the other parms.

Regardless of its origin ad meaning, it worked/helped you here!

Thanks,

John
 
Not sure what the "300" after "!thread" means as I can't locate any information on it at this time.

The 300 is the actual handle that was being referenced.
It was actually after '!handle', not '!thread'.

It took Patrick and I a while to find the data structure that represents the Kernel and User mode of an object, I finally found it through sheer luck actually.
After about an hour, and many MSDN articles, searching for undocumented data structures later...

But good post though Patrick.

Thanks for spotting my typo. I changed !thread to !handle before the 300.

I did look up !handle and don't see "300" as a parm; hence I still don't know its meaning.

With user mode dumps, the parm options are 0x1, 0x2, 0x4 & 0x8.

Kernel mode dumps - parm options listed are 0x1, 0x2, 0x4, 0x10 & 0x20.

I was just curious as to where the "300" came from & what it does as compared to the other parms.

Regardless of its origin ad meaning, it worked/helped you here!

Thanks,

John

300 isn't a parameter, it's the actual handle reference used to access an object, which was the handle reference that caused the crash.

Its passed as a parameter with the bugcheck function, it's the 2nd parameter in that particular 0xC4 bugcheck.
 
Last edited:
OK... thanks.

I wasn't aware that could be done per the Windbg help file debugger.chm.
 
By the way John, this is a great way to show recognition.

You did a great job, Patrick -- and it was a relatively easy one for me to explain in greater detail considering you prett much explained it as you went along in the thread.

I simply expanded on what you did/posted to give the users (including myself) additional info on the various commands that you used.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top