SysnativeBSODApps - additional check 'drivers found in stack'

That's alright, dude, I thank you for pursuing it. I personally have no knowledge on the subject when it comes to scripting and using the dbgeng, but I do know that the stack base and limit are reserved in the KTHREAD data structure, which is practically the header for a thread (it's part of the ETHREAD data structure, but it's the first portion). So if you happen to take the thread address and run it through dt pointing to the _KTHREAD symbols, you'll get the information you seek. Take this example:

Code:
3: kd> !thread
GetPointerFromAddress: unable to read from fffff80002d09000
THREAD fffffa8006063040  Cid 0004.0034  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3
Not impersonating
GetUlongFromAddress: unable to read from fffff80002c48ba4
Owning Process            fffffa80053e8040       Image:         System
Attached Process          N/A            Image:         N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount      2711         
Context Switch Count      2536           IdealProcessor: 2             
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address nt!ExpWorkerThread (0xfffff80002ae3730)
Stack Init fffff880035afdb0 Current fffff880035aef10
Base fffff880035b0000 Limit fffff880035aa000 Call 0
Priority 13 BasePriority 12 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5

... 

3: kd> dt !_KTHREAD fffffa8006063040
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 CycleTime        : 0x587ad7fa
   +0x020 QuantumTarget    : 0x5c9df4ce
   +0x028 InitialStack     : 0xfffff880`035afdb0 Void
   +0x030 StackLimit       : 0xfffff880`035aa000 Void
   +0x038 KernelStack      : 0xfffff880`035aef10 Void
   +0x040 ThreadLock       : 0
   +0x048 WaitRegister     : _KWAIT_STATUS_REGISTER
   +0x049 Running          : 0x1 ''
   +0x04a Alerted          : [2]  ""
   +0x04c KernelStackResident : 0y1
   +0x04c ReadyTransition  : 0y0
   +0x04c ProcessReadyQueue : 0y0
   +0x04c WaitNext         : 0y0
   +0x04c SystemAffinityActive : 0y0
   +0x04c Alertable        : 0y0
   +0x04c GdiFlushActive   : 0y0
   +0x04c UserStackWalkActive : 0y0
   +0x04c ApcInterruptRequest : 0y0
   +0x04c ForceDeferSchedule : 0y0
   +0x04c QuantumEndMigrate : 0y0
   +0x04c UmsDirectedSwitchEnable : 0y0
   +0x04c TimerActive      : 0y0
   +0x04c SystemThread     : 0y1
   +0x04c Reserved         : 0y000000000000000000 (0)
   +0x04c MiscFlags        : 0n8193
   +0x050 ApcState         : _KAPC_STATE
   +0x050 ApcStateFill     : [43]  "???"
   +0x07b Priority         : 13 ''
   +0x07c NextProcessor    : 3
   +0x080 DeferredProcessor : 0
   +0x088 ApcQueueLock     : 0
   +0x090 WaitStatus       : 0n0
   +0x098 WaitBlockList    : 0xfffffa80`06063148 _KWAIT_BLOCK
   +0x0a0 WaitListEntry    : _LIST_ENTRY [ 0x00000000`00000000 - 0xfffff800`02c51450 ]
   +0x0a0 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x0b0 Queue            : 0xfffff800`02c772d8 _KQUEUE
   +0x0b8 Teb              : (null) 
   +0x0c0 Timer            : _KTIMER
   +0x100 AutoAlignment    : 0y1
   +0x100 DisableBoost     : 0y0
   +0x100 EtwStackTraceApc1Inserted : 0y0
   +0x100 EtwStackTraceApc2Inserted : 0y0
   +0x100 CalloutActive    : 0y0
   +0x100 ApcQueueable     : 0y1
   +0x100 EnableStackSwap  : 0y1
   +0x100 GuiThread        : 0y0
   +0x100 UmsPerformingSyscall : 0y0
   +0x100 VdmSafe          : 0y0
   +0x100 UmsDispatched    : 0y0
   +0x100 ReservedFlags    : 0y000000000000000000000 (0)
   +0x100 ThreadFlags      : 0n97
   +0x104 Spare0           : 0
   +0x108 WaitBlock        : [4] _KWAIT_BLOCK
   +0x108 WaitBlockFill4   : [44]  "x???"
   +0x134 ContextSwitches  : 0x9e8
   +0x108 WaitBlockFill5   : [92]  "x???"
   +0x164 State            : 0x2 ''
   +0x165 NpxState         : 0 ''
   +0x166 WaitIrql         : 0 ''
   +0x167 WaitMode         : 0 ''
   +0x108 WaitBlockFill6   : [140]  "x???"
   +0x194 WaitTime         : 0xa97
   +0x108 WaitBlockFill7   : [168]  "x???"
   +0x1b0 TebMappedLowVa   : (null) 
   +0x1b8 Ucb              : (null) 
   +0x108 WaitBlockFill8   : [188]  "x???"
   +0x1c4 KernelApcDisable : 0n-1
   +0x1c6 SpecialApcDisable : 0n0
   +0x1c4 CombinedApcDisable : 0xffff
   +0x1c8 QueueListEntry   : _LIST_ENTRY [ 0xfffffa80`06063d18 - 0xfffffa80`06062828 ]
   +0x1d8 TrapFrame        : (null) 
   +0x1e0 FirstArgument    : (null) 
   +0x1e8 CallbackStack    : (null) 
   +0x1e8 CallbackDepth    : 0
   +0x1f0 ApcStateIndex    : 0 ''
   +0x1f1 BasePriority     : 12 ''
   +0x1f2 PriorityDecrement : 0 ''
   +0x1f2 ForegroundBoost  : 0y0000
   +0x1f2 UnusualBoost     : 0y0000
   +0x1f3 Preempted        : 0 ''
   +0x1f4 AdjustReason     : 0 ''
   +0x1f5 AdjustIncrement  : 0 ''
   +0x1f6 PreviousMode     : 0 ''
   +0x1f7 Saturation       : 0 ''
   +0x1f8 SystemCallNumber : 0
   +0x1fc FreezeCount      : 0
   +0x200 UserAffinity     : _GROUP_AFFINITY
   +0x210 Process          : 0xfffffa80`053e8040 _KPROCESS
   +0x218 Affinity         : _GROUP_AFFINITY
   +0x228 IdealProcessor   : 2
   +0x22c UserIdealProcessor : 2
   +0x230 ApcStatePointer  : [2] 0xfffffa80`06063090 _KAPC_STATE
   +0x240 SavedApcState    : _KAPC_STATE
   +0x240 SavedApcStateFill : [43]  "???"
   +0x26b WaitReason       : 0x5 ''
   +0x26c SuspendCount     : 0 ''
   +0x26d Spare1           : 0 ''
   +0x26e CodePatchInProgress : 0 ''
   +0x270 Win32Thread      : (null) 
   +0x278 StackBase        : 0xfffff880`035b0000 Void
   +0x280 SuspendApc       : _KAPC
   +0x280 SuspendApcFill0  : [1]  "??????"
   +0x281 ResourceIndex    : 0x1 ''
   +0x280 SuspendApcFill1  : [3]  "???"
   +0x283 QuantumReset     : 0x6 ''
   +0x280 SuspendApcFill2  : [4]  "???"
   +0x284 KernelTime       : 0x25
   +0x280 SuspendApcFill3  : [64]  "???"
   +0x2c0 WaitPrcb         : (null) 
   +0x280 SuspendApcFill4  : [72]  "???"
   +0x2c8 LegoData         : (null) 
   +0x280 SuspendApcFill5  : [83]  "???"
   +0x2d3 LargeStack       : 0 ''
   +0x2d4 UserTime         : 0
   +0x2d8 SuspendSemaphore : _KSEMAPHORE
   +0x2d8 SuspendSemaphorefill : [28]  "???"
   +0x2f4 SListFaultCount  : 0
   +0x2f8 ThreadListEntry  : _LIST_ENTRY [ 0xfffffa80`06063e48 - 0xfffffa80`06062958 ]
   +0x308 MutantListHead   : _LIST_ENTRY [ 0xfffffa80`06063348 - 0xfffffa80`06063348 ]
   +0x318 SListFaultAddress : (null) 
   +0x320 ReadOperationCount : 0n25794
   +0x328 WriteOperationCount : 0n0
   +0x330 OtherOperationCount : 0n123
   +0x338 ReadTransferCount : 0n538946
   +0x340 WriteTransferCount : 0n0
   +0x348 OtherTransferCount : 0n1653
   +0x350 ThreadCounters   : (null) 
   +0x358 StateSaveArea    : 0xfffff880`035afe00 _XSAVE_FORMAT
   +0x360 XStateSave       : (null)

As you can see, the StackBase and StackLimit values correspond to the output from !thread, which is because !thread just reads those values (amongst others) from the KTHREAD data structure and outputs them in a more friendly manner. Because the KTHREAD structure starts at the very beginning of the ETHREAD structure (as in offset 0x000), the offset you see for each value is the offset from the very beginning of the thread's address. Therefore you don't even have to pump out the whole structure to get the values you seek, nor do you need to do additional math by adding in more offsets; just dump whatever's at [threadaddress]+0x30 and [threadaddress]+0x278 to get the stack limit and base values, respectively:

Code:
3: kd> dps fffffa8006063040+30 L1; dps fffffa8006063040+278 L1
fffffa80`06063070  fffff880`035aa000 < stack limit
fffffa80`060632b8  fffff880`035b0000 < stack base

Now the problem would be figuring out the thread address without resorting to !thread or any other extensions. That I cannot figure out off the top of my head, but I'm sure you're resourceful, and I personally plan on figuring it out eventually (never bothered to do it previously). Maybe if you can somehow break down the !thread extension to see how it does it, that would work. Remember, the thread address is really just the starting point for the ETHREAD data structure, with of course it also being the starting point for the KTHREAD structure. Knowing that could probably help a bit.
 
Thanks for the awesome info, Vir Gnarus! You have just given me the vital info I need to progress :)

Fortunately, this is where DbgEng functions come into play. Old WdbgExts had the function GetCurrentThreadAddr, but the replacement DbgEng makes this even easier through the GetCurrentThreadDataOffset function which allows me to jump straight to the KTHREAD structure. Awesome!!

I will try this out over the weekend. I cannot promise anything, as I am still very new to DbgEng extension writing, and I might not be able to get it working properly due to some unfathomable reason, but I will certainly give it a try. I can only get better through practice :)

Thanks again, I am really looking forward to trying this out!

Richard
 
Awesome. That would work perfectly. Just grab whatever result is from that and then slap the appropriate offsets on it and you'll get yer values!
 
Just an idea.
Some of the stops can be analyzed in more detail if you know the stop code and params. Imagine that you have scripts for different bugchecks and use them for detailed analysis. I created a sample 'PoC script', which can be run in the newest versions of The App with a little help from another tool (as you may remember, I wrote a simple tool which parses the .dmp files and reads some basic info, including .bugcheck, and it can be used to provide some help ;)).
If you want to see what I'm talking about, do this:
1. Unpack the contents of the attachment into the %userprofile%\SysnativeBSODApps directory (it adds BSODScripts directory, two .dmps & dmpbasics.exe)
2. Run the DMPBasics.exe file from this directory (it reads both .dmp files and creates .dmp.wds temporary scripts)
3. Run the SysnativeBSODApps.exe and in the 'User kd Commands' tab add:

{1} $$><${$CurrentDumpFile}.wds

4. Save and Run, and then look for the user1.txt file

What do you think?

m.g.
 


Yes, that could work. Depending on the bugcheck code and subcode, as well as the rest of the parameters, you could at least do some automated tasks to get things started. For instance, bugchecks related to IRPs could try and grab the IRP from one of the parameters in the bugcheck as well as try and sift it from the current thread's KTHREAD (or is it ETHREAD?). Other various bugchecks can run the aforementioned raw stack output. Stuff like that would help expedite the process (of course, the real analysis should be left to personal scrutiny).
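The bugcheck-driven dispatch m.g. and Vir Gnarus describe, as an added Python sketch that is not DMPBasics, niemiro.dll or any code posted in this thread: it parses a constructed .bugcheck output, picks follow-up commands by stop code (0x124 gets !errrec on the second parameter, as the auto_errrec command later in the thread does; the 0x9F and 0x44 IRP rules come from the bug-check reference, not from this thread) and emits the per-dump .wds script that `$$><${$CurrentDumpFile}.wds` would run. The sample argument values and the dump name are constructed.

```python
import re
from typing import List, Tuple

# Constructed .bugcheck output for a WHEA (0x124) crash; the argument values
# are made up and only have to look like the real four-parameter line.
SAMPLE_BUGCHECK_OUTPUT = """\
Bugcheck code 00000124
Arguments 00000000`00000000 fffffa80`0a2d1028 00000000`b2000040 00000000`00000800
"""

BUGCHECK_RE = re.compile(r"Bugcheck code\s+([0-9a-fA-F]+)")
ARGS_RE = re.compile(r"Arguments\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_bugcheck(text: str) -> Tuple[int, List[int]]:
    """Return (code, [arg1..arg4]) from .bugcheck output; backticks are stripped."""
    m_code = BUGCHECK_RE.search(text)
    m_args = ARGS_RE.search(text)
    if not (m_code and m_args):
        raise ValueError("no 'Bugcheck code' / 'Arguments' lines found")
    args = [int(a.replace("`", ""), 16) for a in m_args.groups()]
    return int(m_code.group(1), 16), args


def commands_for(code: int, args: List[int]) -> List[str]:
    """Per-bugcheck follow-up commands.

    0x124 -> !errrec on the second parameter (what auto_errrec does).
    0x9F with parameter 1 == 3 -> the blocked IRP is parameter 4.
    0x44 -> parameter 1 is the IRP.
    (The last two are from the bug-check reference, not from this thread.)
    Anything else gets no automated follow-up; the analyst takes over.
    """
    if code == 0x124:
        return [f"!errrec {args[1]:x}"]
    if code == 0x9F and args[0] == 3:
        return [f"!irp {args[3]:x}"]
    if code == 0x44:
        return [f"!irp {args[0]:x}"]
    return []


def build_wds(dump_name: str, code: int, commands: List[str]) -> str:
    """Text of the <dump>.wds script; '$$' lines are debugger script comments."""
    lines = [f"$$ generated for {dump_name}, bugcheck 0x{code:X}"]
    if not commands:
        lines.append("$$ no automated follow-up for this bugcheck")
    lines.extend(commands)
    return "\n".join(lines) + "\n"


def script_for(dump_name: str, bugcheck_text: str) -> str:
    """Parse the .bugcheck output and produce the script for that dump."""
    code, args = parse_bugcheck(bugcheck_text)
    return build_wds(dump_name, code, commands_for(code, args))


if __name__ == "__main__":
    print(script_for("sample.dmp", SAMPLE_BUGCHECK_OUTPUT), end="")
```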
 
Keep in mind that you're not limited to running one command at a time. You can, for instance, run the default commands (just don't include the q for quit since that is added at the end of all user commands and will cause the kernel debugger to hang if it occurs twice):

User kd Commands:
{1} !analyze -v; !sysinfo cpuspeed; !sysinfo SMBIOS; lmtsmn

Or you can run them in a different order.


Also, if you need to use a command that has a period leading it, you will not be able to do so if it is the first command, i.e. the following will not work:

User kd Commands:
{1} .foreach [Options] ( Variable { InCommands } ) { OutCommands }


This was necessary to account for the possibility of a user doing this:

User kd Commands:
1. !analyze -v; !sysinfo cpuspeed; !sysinfo SMBIOS; lmtsmn

I wanted to make sure the periods were first considered part of the number, so if you want to use .foreach or other commands with a leading period, you will have to first use another command. I've never used any of those commands, so if this poses an issue, let me know, and I'll look into providing other methods. Does the following method work? Or does anyone know if it works?

User kd Commands:
{1} !analyze; .foreach [Options] ( Variable { InCommands } ) { OutCommands }


Command Tokens (the commands with a leading period affected by this):

.block
.break
.catch
.continue
.do
.else
.elsif
.for
.foreach
.if
.leave
.printf
.while


From what I can tell, these are primarily used in writing one's own scripts, so I doubt it will pose an issue, but I did want to let users know of the limitation of the apps in this regard.
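To make the 'User kd Commands' rules above concrete, here is an added Python example (not code from SysnativeBSODApps, whose parser is not published here): it accepts both the `{1}` and `1.` entry forms, splits commands on `;` without breaking inside the braces of a .foreach body, and flags the two pitfalls the post describes, a trailing `q` and a leading-period command in first position. The entry format and problem codes are this example's own assumptions.

```python
import re
from typing import List, Tuple

# An entry starts with either "{n}" or "n." (the app accepts both), which is
# why a leading period gets read as part of the number and ".foreach" cannot
# be the first command of an entry.
ENTRY_RE = re.compile(r"^\s*(?:\{(\d+)\}|(\d+)\.)\s*(.*)$")


def split_commands(line: str) -> List[str]:
    """Split on ';' but not inside {...} or (...), so .foreach bodies stay whole."""
    commands: List[str] = []
    current: List[str] = []
    depth = 0
    for ch in line:
        if ch in "{(":
            depth += 1
        elif ch in "})":
            depth = max(0, depth - 1)
        if ch == ";" and depth == 0:
            commands.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    commands.append("".join(current).strip())
    return [c for c in commands if c]


def parse_user_kd_commands(text: str) -> List[Tuple[int, List[str]]]:
    """Return [(entry number, [commands]), ...] for the tab's contents."""
    entries: List[Tuple[int, List[str]]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line!r}")
        index = int(m.group(1) or m.group(2))
        entries.append((index, split_commands(m.group(3))))
    return entries


def check_entry(commands: List[str]) -> List[str]:
    """Flag the two pitfalls described in the post; returns problem codes."""
    problems: List[str] = []
    # The app appends its own q; a second one makes the kernel debugger hang.
    if commands and commands[-1].lower() == "q":
        problems.append("trailing-quit")
    # The period of a first command is swallowed as part of the entry number.
    if commands and commands[0].startswith("."):
        problems.append("leading-period-first")
    return problems


if __name__ == "__main__":
    for index, cmds in parse_user_kd_commands("{1} !analyze -v; lmtsmn; q"):
        print(index, cmds, check_entry(cmds))
```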
 
@Vir Gnarus:

Any idea what I am doing wrong here:

Code:
6: kd> !thread
GetPointerFromAddress: unable to read from fffff8000350b000
THREAD fffffa800f683060  Cid 1ea0.0508  Teb: 000000007ef47000 Win32Thread: fffff900c2211260 RUNNING on processor 6
Not impersonating
GetUlongFromAddress: unable to read from fffff8000344aba4
Owning Process            fffffa800fd14830       Image:         iexplore.exe
Attached Process          N/A            Image:         N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount      31257        
Context Switch Count      1351           IdealProcessor: 0                 LargeStack
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x00000000748d0240
Stack Init fffff8800a3e7c70 Current fffff8800a3e77c0
Base fffff8800a3e8000 Limit fffff8800a3e0000 Call 0
Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0a3e6dd8 fffff800`03326d88 : 00000000`0000001e ffffffff`c0000005 fffff800`03301830 00000000`00000000 : nt!KeBugCheckEx
fffff880`0a3e6de0 fffff800`032db842 : fffff880`0a3e75b8 bffffa80`0888bf10 fffff880`0a3e7660 00000000`00000006 : nt! ?? ::FNODOBFM::`string'+0x48d3d
fffff880`0a3e7480 fffff800`032da14a : fffffa80`0d92b250 fffff8a0`127d8880 00000000`00000000 fffff800`0330a0cf : nt!KiExceptionDispatch+0xc2
fffff880`0a3e7660 fffff800`03301830 : fffffa80`0f683060 fffff800`032df07a 00000000`180d0000 fffff800`03304106 : nt!KiGeneralProtectionFault+0x10a (TrapFrame @ fffff880`0a3e7660)
fffff880`0a3e77f0 fffff800`032fffef : fffffa80`0cbfb338 00000000`0000007b fffffa80`0889c710 00000000`0000007b : nt!MiReplenishPageSlist+0xc0
fffff880`0a3e7860 fffff800`032e9614 : 00000000`00000000 00000000`00000002 00000000`00000000 ffffffff`ffffffff : nt!MiRemoveAnyPage+0x24f
fffff880`0a3e7980 fffff800`032da2ee : 00000000`00000001 00000000`180ee000 00000000`00000001 00000000`00000110 : nt!MmAccessFault+0x1224
fffff880`0a3e7ae0 00000000`70816af7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x16e (TrapFrame @ fffff880`0a3e7ae0)
00000000`175fcdc0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x70816af7

6: kd> dt nt!_KTHREAD fffffa800f683060
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 CycleTime        : 0x1d1a88fe
   +0x020 QuantumTarget    : 0x26c67ffb
   +0x028 InitialStack     : 0xfffff880`0a3e7c70 Void
   +0x030 StackLimit       : 0xfffff880`0a3e0000 Void
   +0x038 KernelStack      : 0xfffff880`0a3e77c0 Void
   +0x040 ThreadLock       : 0
   +0x048 WaitRegister     : _KWAIT_STATUS_REGISTER
   +0x049 Running          : 0x1 ''
   +0x04a Alerted          : [2]  ""
   +0x04c KernelStackResident : 0y1
   +0x04c ReadyTransition  : 0y0
   +0x04c ProcessReadyQueue : 0y0
   +0x04c WaitNext         : 0y0
   +0x04c SystemAffinityActive : 0y0
   +0x04c Alertable        : 0y0
   +0x04c GdiFlushActive   : 0y0
   +0x04c UserStackWalkActive : 0y0
   +0x04c ApcInterruptRequest : 0y0
   +0x04c ForceDeferSchedule : 0y0
   +0x04c QuantumEndMigrate : 0y0
   +0x04c UmsDirectedSwitchEnable : 0y0
   +0x04c TimerActive      : 0y0
   +0x04c SystemThread     : 0y0
   +0x04c Reserved         : 0y000000000000000000 (0)
   +0x04c MiscFlags        : 0n1
   +0x050 ApcState         : _KAPC_STATE
   +0x050 ApcStateFill     : [43]  "???"
   +0x07b Priority         : 10 ''
   +0x07c NextProcessor    : 6
   +0x080 DeferredProcessor : 0
   +0x088 ApcQueueLock     : 0
   +0x090 WaitStatus       : 0n0
   +0x098 WaitBlockList    : 0xfffffa80`0f683168 _KWAIT_BLOCK
   +0x0a0 WaitListEntry    : _LIST_ENTRY [ 0x00000000`00000000 - 0xfffffa80`0e839100 ]
   +0x0a0 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x0b0 Queue            : (null) 
   +0x0b8 Teb              : 0x00000000`7ef47000 Void
   +0x0c0 Timer            : _KTIMER
   +0x100 AutoAlignment    : 0y1
   +0x100 DisableBoost     : 0y0
   +0x100 EtwStackTraceApc1Inserted : 0y0
   +0x100 EtwStackTraceApc2Inserted : 0y0
   +0x100 CalloutActive    : 0y0
   +0x100 ApcQueueable     : 0y1
   +0x100 EnableStackSwap  : 0y1
   +0x100 GuiThread        : 0y1
   +0x100 UmsPerformingSyscall : 0y0
   +0x100 VdmSafe          : 0y0
   +0x100 UmsDispatched    : 0y0
   +0x100 ReservedFlags    : 0y000000000000000000000 (0)
   +0x100 ThreadFlags      : 0n225
   +0x104 Spare0           : 0
   +0x108 WaitBlock        : [4] _KWAIT_BLOCK
   +0x108 WaitBlockFill4   : [44]  "h???"
   +0x134 ContextSwitches  : 0x547
   +0x108 WaitBlockFill5   : [92]  "h???"
   +0x164 State            : 0x2 ''
   +0x165 NpxState         : 5 ''
   +0x166 WaitIrql         : 0 ''
   +0x167 WaitMode         : 1 ''
   +0x108 WaitBlockFill6   : [140]  "h???"
   +0x194 WaitTime         : 0x7a19
   +0x108 WaitBlockFill7   : [168]  "h???"
   +0x1b0 TebMappedLowVa   : (null) 
   +0x1b8 Ucb              : (null) 
   +0x108 WaitBlockFill8   : [188]  "h???"
   +0x1c4 KernelApcDisable : 0n0
   +0x1c6 SpecialApcDisable : 0n-1
   +0x1c4 CombinedApcDisable : 0xffff0000
   +0x1c8 QueueListEntry   : _LIST_ENTRY [ 0x00000000`00000000 - 0x0 ]
   +0x1d8 TrapFrame        : 0xfffff880`0a3e7ae0 _KTRAP_FRAME
   +0x1e0 FirstArgument    : 0x00000000`00000a78 Void
   +0x1e8 CallbackStack    : (null) 
   +0x1e8 CallbackDepth    : 0
   +0x1f0 ApcStateIndex    : 0 ''
   +0x1f1 BasePriority     : 8 ''
   +0x1f2 PriorityDecrement : 2 ''
   +0x1f2 ForegroundBoost  : 0y0010
   +0x1f2 UnusualBoost     : 0y0000
   +0x1f3 Preempted        : 0 ''
   +0x1f4 AdjustReason     : 0 ''
   +0x1f5 AdjustIncrement  : 1 ''
   +0x1f6 PreviousMode     : 1 ''
   +0x1f7 Saturation       : 0 ''
   +0x1f8 SystemCallNumber : 0xb
   +0x1fc FreezeCount      : 0
   +0x200 UserAffinity     : _GROUP_AFFINITY
   +0x210 Process          : 0xfffffa80`0fd14830 _KPROCESS
   +0x218 Affinity         : _GROUP_AFFINITY
   +0x228 IdealProcessor   : 3
   +0x22c UserIdealProcessor : 3
   +0x230 ApcStatePointer  : [2] 0xfffffa80`0f6830b0 _KAPC_STATE
   +0x240 SavedApcState    : _KAPC_STATE
   +0x240 SavedApcStateFill : [43]  "???"
   +0x26b WaitReason       : 0x6 ''
   +0x26c SuspendCount     : 0 ''
   +0x26d Spare1           : 0 ''
   +0x26e CodePatchInProgress : 0 ''
   +0x270 Win32Thread      : 0xfffff900`c2211260 Void
   +0x278 StackBase        : 0xfffff880`0a3e8000 Void
   +0x280 SuspendApc       : _KAPC
   +0x280 SuspendApcFill0  : [1]  "??????"
   +0x281 ResourceIndex    : 0x1 ''
   +0x280 SuspendApcFill1  : [3]  "???"
   +0x283 QuantumReset     : 0x12 ''
   +0x280 SuspendApcFill2  : [4]  "???"
   +0x284 KernelTime       : 4
   +0x280 SuspendApcFill3  : [64]  "???"
   +0x2c0 WaitPrcb         : (null) 
   +0x280 SuspendApcFill4  : [72]  "???"
   +0x2c8 LegoData         : (null) 
   +0x280 SuspendApcFill5  : [83]  "???"
   +0x2d3 LargeStack       : 0x1 ''
   +0x2d4 UserTime         : 5
   +0x2d8 SuspendSemaphore : _KSEMAPHORE
   +0x2d8 SuspendSemaphorefill : [28]  "???"
   +0x2f4 SListFaultCount  : 0
   +0x2f8 ThreadListEntry  : _LIST_ENTRY [ 0xfffffa80`101a25e8 - 0xfffffa80`0da7bb68 ]
   +0x308 MutantListHead   : _LIST_ENTRY [ 0xfffffa80`0f683368 - 0xfffffa80`0f683368 ]
   +0x318 SListFaultAddress : (null) 
   +0x320 ReadOperationCount : 0n18
   +0x328 WriteOperationCount : 0n18
   +0x330 OtherOperationCount : 0n88
   +0x338 ReadTransferCount : 0n359035
   +0x340 WriteTransferCount : 0n38457
   +0x348 OtherTransferCount : 0n786
   +0x350 ThreadCounters   : (null) 
   +0x358 StateSaveArea    : 0xfffff880`0a3e7cc0 _XSAVE_FORMAT
   +0x360 XStateSave       : (null)

The stack base and init simply do not agree, and I am at a complete loss to work out why. The extension is coming on well though :)

Thank you.
 
 
Done :)

The .dll file is currently called niemiro.dll, but can be renamed to anything. Feel free to do so. I had no idea what to name it! Simply change all references of "niemiro" to whatever you named the .dll. The .dll needs to be placed in the winext folder in your debugger's folder (e.g. C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\winext\ or wherever (including x86 debuggers))

It has three commands:

!niemiro.rawstack
!niemiro.rawstack -dc
!niemiro.auto_errrec


Rawstack

Rawstack will grab addresses from KTHREAD (thanks Vir Gnarus). All non-available memory will be stripped off the beginning and end (e.g. stuff which will come out as ????????`????????).

!niemiro.rawstack will output to dps, whereas -dc will output to dc.

Auto_errrec

This will produce absolutely no output except when the bugcheck is 0x124, in which case it will run !errrec off the second parameter.

The three minidumps I have provided have been specifically chosen to show off as much of the extension as possible.

All feedback, bug reports, feature requests, or ideas for other extensions most welcome.

Finally, I have included all source code. I know that some parts of it may not be the best code, but I was struggling to get this working at all, and after hours of trial and error, any working solution goes :p

I have written the entire source code as a reusable template for any dbgeng/wdbgext extension, and it is stuffed full of comments on how to write extensions in general. Feel free to use any of the code in your own projects. You will just need to remove the rawstack and auto_errrec functions, and you will be away to go. I will be refining this template as I get better, though.

Hope this helps someone.

Richard
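The offset trick from earlier in the thread (dump [threadaddress]+0x30 and +0x278) and the Rawstack behaviour just described, as an added Python example that is not part of niemiro.dll or any code posted here: it parses a constructed !thread header (using the Base/Limit line, not Stack Init/Current), builds the dps commands, trims unreadable rows from both ends of a constructed dps listing, and lists the non-nt modules referenced in it, which is the 'drivers found in stack' check named in the thread title. The sample outputs, the module names examplefs and ExampleNic, and the hard-coded offsets (which vary between Windows builds) are assumptions.

```python
import re
from typing import Dict, List

# KTHREAD field offsets quoted in the posts above (x64 symbols of that era).
# They change between Windows builds, so real tooling should take them from
# dt/PDB output rather than hard-coding them; treat these as an assumption.
KTHREAD_STACKLIMIT_OFFSET = 0x30
KTHREAD_STACKBASE_OFFSET = 0x278

# Constructed !thread header, modelled on the ones posted in this thread.
SAMPLE_THREAD_OUTPUT = """\
THREAD fffffa800f683060  Cid 1ea0.0508  Teb: 000000007ef47000 Win32Thread: fffff900c2211260 RUNNING on processor 6
Stack Init fffff8800a3e7c70 Current fffff8800a3e77c0
Base fffff8800a3e8000 Limit fffff8800a3e0000 Call 0
"""

# Constructed dps listing: unreadable pages at both ends, a few symbolised
# pointers in the middle. examplefs and ExampleNic are made-up module names.
SAMPLE_DPS_OUTPUT = """\
fffff880`0a3e0000  ????????`????????
fffff880`0a3e0008  ????????`????????
fffff880`0a3e6dd8  fffff800`03326d88 nt! ?? ::FNODOBFM::`string'+0x48d3d
fffff880`0a3e6de0  fffff880`0a3e75b8
fffff880`0a3e6de8  fffff880`04a1b2c0 examplefs!ExampleCompletionRoutine+0x30
fffff880`0a3e6df0  fffff880`04a1b2c0 examplefs!ExampleCompletionRoutine+0x30
fffff880`0a3e6df8  fffff800`032da14a nt!KiExceptionDispatch+0xc2
fffff880`0a3e6e00  fffff880`0123cd10 ExampleNic!SendPackets+0x1a
fffff880`0a3e7ff8  ????????`????????
"""

UNREADABLE = "????????`????????"
THREAD_RE = re.compile(r"^THREAD\s+([0-9a-fA-F]+)", re.M)
BASE_LIMIT_RE = re.compile(r"^Base\s+([0-9a-fA-F]+)\s+Limit\s+([0-9a-fA-F]+)", re.M)
# "<address>  <value> <module>!<symbol>": only rows that resolved to a symbol match.
SYMBOL_RE = re.compile(r"^\S+\s+\S+\s+([\w.]+)!")


def parse_thread_header(text: str) -> Dict[str, int]:
    """Pull the thread address and the Base/Limit pair out of !thread output.

    Stack Init / Current are deliberately ignored: as the replies above show,
    they are not the stack bounds, and mixing them up is an easy mistake.
    """
    m_thread = THREAD_RE.search(text)
    m_stack = BASE_LIMIT_RE.search(text)
    if not (m_thread and m_stack):
        raise ValueError("THREAD or Base/Limit line not found in !thread output")
    return {
        "thread": int(m_thread.group(1), 16),
        "base": int(m_stack.group(1), 16),
        "limit": int(m_stack.group(2), 16),
    }


def kthread_field_commands(thread: int) -> List[str]:
    """The two one-line dps reads from the post, built from the thread address."""
    return [
        f"dps {thread:x}+{KTHREAD_STACKLIMIT_OFFSET:x} L1",
        f"dps {thread:x}+{KTHREAD_STACKBASE_OFFSET:x} L1",
    ]


def raw_stack_command(limit: int, base: int, dc: bool = False) -> str:
    """dps/dc take the low address first, so the limit goes before the base."""
    if limit >= base:
        raise ValueError("stack limit must lie below stack base")
    return f"{'dc' if dc else 'dps'} {limit:x} {base:x}"


def trim_unreadable(listing: str) -> List[str]:
    """Drop unreadable rows from the start and end only, as Rawstack does."""
    rows = [row for row in listing.splitlines() if row.strip()]
    start, end = 0, len(rows)
    while start < end and UNREADABLE in rows[start]:
        start += 1
    while end > start and UNREADABLE in rows[end - 1]:
        end -= 1
    return rows[start:end]


def drivers_in_stack(listing: str, ignore=("nt",)) -> List[str]:
    """Unique modules referenced by symbolised pointers, in first-seen order.

    The kernel is skipped by default so third-party drivers stand out; a stale
    pointer on the raw stack is a lead to examine, not proof of a culprit.
    """
    found: List[str] = []
    for row in trim_unreadable(listing):
        m = SYMBOL_RE.match(row)
        if m and m.group(1) not in ignore and m.group(1) not in found:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    info = parse_thread_header(SAMPLE_THREAD_OUTPUT)
    print(kthread_field_commands(info["thread"]))
    print(raw_stack_command(info["limit"], info["base"]))
    print(drivers_in_stack(SAMPLE_DPS_OUTPUT))
```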
 


You're looking at the Stack Init and current position in the stack. Rather, you want to go down one row in that output and grab the Base and Limit values. I know, I've done this mistake myself a number of times. Remember to reverse the numbers when you enter dps or any other equivalent data dump command.
 

Thanks a lot for your help.

I know there are a fair few bugs in the extension I posted. I have since fixed all but one, and hope to re-release very soon :)
 
Actually, I just managed to fix that final bug. This version is a lot more stable, and supports 32bit targets a lot more completely.

I will give full source code and changelog tomorrow. Must dash :)
 


Running Windows 8 Release Preview (64 bit)
Had an app crash :0(
using v1.0.0.0
Will try 1.1.0.0 next

Copied x64 dll to x64 directory
Copied x86 dll to x86 directory
Ran using Mike's scripts (used all 3 of your sample dumps at one time)

Got this error:
Application: _v2120_SysnativeBSODApps.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
Stack:
at <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char> >.assign(std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, UInt32, UInt32)
at <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{ctor}(std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, UInt32, UInt32, std.allocator<char>*)
at <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char> >.substr(std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, UInt32, UInt32)
at <Module>.InputData.currentSpeedString(InputData*, Int32)
at <Module>.InputData.getImportantLines(InputData*, Int32)
at <Module>.InputData.getImportantInfo(InputData*)
at <Module>.OutputDmps.getInputData(OutputDmps*)
at <Module>.OutputDmps.outputAnalysisFiles(OutputDmps*)
at <Module>.main(System.String[])

and this one:
Faulting application name: _v2120_SysnativeBSODApps.exe, version: 2.1.2.0, time stamp: 0x505b4084
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x05b1a55a
Faulting process id: 0x1a8c
Faulting application start time: 0x01cd9a88253792bc
Faulting application path: C:\Users\John\_jcgriff2_\dbug\__Kernel__\_v2120_SysnativeBSODApps.exe
Faulting module path: unknown
Report Id: d8db0890-067b-11e2-9b9b-485b3901d3fe
Faulting package full name:
Faulting package-relative application ID:
 
Got this WER report out of the temp files:
 
v1.1.0.0 crashes also:
Application: _v2120_SysnativeBSODApps.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
Stack:
at <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char> >.assign(std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, UInt32, UInt32)
at <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{ctor}(std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, UInt32, UInt32, std.allocator<char>*)
at <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char> >.substr(std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, UInt32, UInt32)
at <Module>.InputData.currentSpeedString(InputData*, Int32)
at <Module>.InputData.getImportantLines(InputData*, Int32)
at <Module>.InputData.getImportantInfo(InputData*)
at <Module>.OutputDmps.getInputData(OutputDmps*)
at <Module>.OutputDmps.outputAnalysisFiles(OutputDmps*)
at <Module>.main(System.String[])

Faulting application name: _v2120_SysnativeBSODApps.exe, version: 2.1.2.0, time stamp: 0x505b4084
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x05afa55a
Faulting process id: 0x1f8c
Faulting application start time: 0x01cd9a8a93669262
Faulting application path: C:\Users\John\_jcgriff2_\dbug\__Kernel__\_v2120_SysnativeBSODApps.exe
Faulting module path: unknown
Report Id: e66072fe-067d-11e2-9b9b-485b3901d3fe
Faulting package full name:
Faulting package-relative application ID:

From WER report
Version=1
EventType=CLR20r3
EventTime=129929884590595424
ReportType=2
Consent=1
UploadTime=129929884591095439
ReportIdentifier=e66072ff-067d-11e2-9b9b-485b3901d3fe
IntegratorReportIdentifier=e66072fe-067d-11e2-9b9b-485b3901d3fe
WOW64=1
NsAppName=_v2120_SysnativeBSODApps.exe
Response.BucketId=0a63d0f7e8582b94dc3ba09fcd5a174e
Response.BucketTable=5
Response.LegacyBucketId=-1006785077
Response.type=4
Sig[0].Name=Problem Signature 01
Sig[0].Value=_v2120_sysnativebsodapps.exe
Sig[1].Name=Problem Signature 02
Sig[1].Value=2.1.2.0
Sig[2].Name=Problem Signature 03
Sig[2].Value=505b4084
Sig[3].Name=Problem Signature 04
Sig[3].Value=SysnativeBSODApps
Sig[4].Name=Problem Signature 05
Sig[4].Value=2.1.2.0
Sig[5].Name=Problem Signature 06
Sig[5].Value=505b4084
Sig[6].Name=Problem Signature 07
Sig[6].Value=14a
Sig[7].Name=Problem Signature 08
Sig[7].Value=0
Sig[8].Name=Problem Signature 09
Sig[8].Value=System.AccessViolationException
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.2.8400.2.0.0.256.48
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=5861
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=3955
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=395596f8b99d4d186d01ebc48ecdffc0
UI[2]=C:\Users\John\_jcgriff2_\dbug\__Kernel__\_v2120_SysnativeBSODApps.exe
UI[3]=Sysnative BSOD Analysis Software has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution and close the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Stopped working
ConsentKey=CLR20r3
AppName=Sysnative BSOD Analysis Software
AppPath=C:\Users\John\_jcgriff2_\dbug\__Kernel__\_v2120_SysnativeBSODApps.exe
NsPartner=windows
NsGroup=windows8
 
Thank you very much for your detailed report, John. Mike and I are working to ID and fix this as soon as possible, and will post more details soon.
 
Changelog from last night.

Code:
[B]v1.0.0.0[/B]
Initial Release

[B]v1.1.0.0[/B]
[B]FIXED:[/B] Extension no longer reports range errors on 32bit targets.
[B]FIXED:[/B] Extension no longer hangs or reports range errors when the entire raw stack lies in unavailable memory.
[B]FIXED:[/B] Extension no longer sometimes loses the first or last available memory address in the raw stack on 32bit targets.
[B]FIXED:[/B] File details are now correct.
 
I just tried it and both extensions (and rawstack's -dc switch) worked perfectly in x64 Windbg (Windows 8 version) on the sample minidumps! However, I did run into a snag with a kernel dump:

Code:
12: kd> !niemiro.rawstack
dps [COLOR=#0000cd]fffffa600796c000 [/COLOR][COLOR=#ff0000]fffff80001ce23d0[/COLOR]
                                            ^ Range error in 'dps fffffa600796c000 fffff80001ce23d0'
12: kd> !thread
THREAD fffffa802abf0060  Cid 050c.069c  Teb: 000000007eec3000 Win32Thread: fffff900c0727a90 RUNNING on processor c
Not impersonating
DeviceMap                 fffff88000007310
Owning Process            fffffa802ab80c10       Image:         ccSvcHst.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      57907819       Ticks: 1 (0:00:00:00.015)
Context Switch Count      462246         IdealProcessor: 12                 LargeStack
UserTime                  00:00:36.535
KernelTime                00:01:20.137
Win32 Start Address 0x000000006fa46369
Stack Init fffffa6007973db0 Current fffffa6007972320
Base [COLOR=#0000cd]fffffa6007974000 [/COLOR]Limit [COLOR=#0000cd]fffffa600796c000 [/COLOR]Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5

...

12: kd> dt !_KTHREAD fffffa802abf0060
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 CycleTime        : 0x6c`97f58b6d
   +0x020 QuantumTarget    : 0x6c`a4a26e76
   +0x028 InitialStack     : 0xfffffa60`07973db0 Void
   +0x030 StackLimit       : [COLOR=#0000cd]0xfffffa60`0796c000[/COLOR] Void
   +0x038 KernelStack      : 0xfffffa60`07972320 Void
   +0x040 ThreadLock       : 0
   +0x048 ApcState         : _KAPC_STATE
   +0x048 ApcStateFill     : [43]  "???"
   +0x073 Priority         : 9 ''
   +0x074 NextProcessor    : 0xc
   +0x076 DeferredProcessor : 0
   +0x078 ApcQueueLock     : 0
   +0x080 WaitStatus       : 0n0
   +0x088 WaitBlockList    : 0xfffffa80`2abf0158 _KWAIT_BLOCK
   +0x088 GateObject       : 0xfffffa80`2abf0158 _KGATE
   +0x090 KernelStackResident : 0y1
   +0x090 ReadyTransition  : 0y0
   +0x090 ProcessReadyQueue : 0y0
   +0x090 WaitNext         : 0y0
   +0x090 SystemAffinityActive : 0y0
   +0x090 Alertable        : 0y0
   +0x090 GdiFlushActive   : 0y0
   +0x090 UserStackWalkActive : 0y0
   +0x090 Reserved         : 0y000000000000000000000000 (0)
   +0x090 MiscFlags        : 0n1
   +0x094 WaitReason       : 0x9 ''
   +0x095 SwapBusy         : 0 ''
   +0x096 Alerted          : [2]  ""
   +0x098 WaitListEntry    : _LIST_ENTRY [ 0x00000000`00000000 - 0xfffffa60`01ddc780 ]
   +0x098 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x0a8 Queue            : (null) 
   +0x0b0 Teb              : 0x00000000`7eec3000 Void
   +0x0b8 Timer            : _KTIMER
   +0x0b8 TimerFill        : [60]  "???"
   +0x0f4 AutoAlignment    : 0y1
   +0x0f4 DisableBoost     : 0y0
   +0x0f4 EtwStackTraceApc1Inserted : 0y0
   +0x0f4 EtwStackTraceApc2Inserted : 0y0
   +0x0f4 CycleChargePending : 0y0
   +0x0f4 CalloutActive    : 0y0
   +0x0f4 ApcQueueable     : 0y1
   +0x0f4 EnableStackSwap  : 0y1
   +0x0f4 GuiThread        : 0y1
   +0x0f4 VdmSafe          : 0y0
   +0x0f4 ReservedFlags    : 0y0000000000000000000000 (0)
   +0x0f4 ThreadFlags      : 0n449
   +0x0f8 WaitBlock        : [4] _KWAIT_BLOCK
   +0x0f8 WaitBlockFill0   : [43]  "8???"
   +0x123 IdealProcessor   : 0xc ''
   +0x0f8 WaitBlockFill1   : [91]  "8???"
   +0x153 PreviousMode     : 1 ''
   +0x0f8 WaitBlockFill2   : [139]  "8???"
   +0x183 ResourceIndex    : 0xa ''
   +0x0f8 WaitBlockFill3   : [187]  "8???"
   +0x1b3 LargeStack       : 0x1 ''
   +0x0f8 WaitBlockFill4   : [44]  "8???"
   +0x124 ContextSwitches  : 0x70da6
   +0x0f8 WaitBlockFill5   : [92]  "8???"
   +0x154 State            : 0x2 ''
   +0x155 NpxState         : 0x1 ''
   +0x156 WaitIrql         : 0x1 ''
   +0x157 WaitMode         : 0 ''
   +0x0f8 WaitBlockFill6   : [140]  "8???"
   +0x184 WaitTime         : 0x3739a6b
   +0x0f8 WaitBlockFill7   : [188]  "8???"
   +0x1b4 KernelApcDisable : 0n-1
   +0x1b6 SpecialApcDisable : 0n0
   +0x1b4 CombinedApcDisable : 0xffff
   +0x1b8 QueueListEntry   : _LIST_ENTRY [ 0x00000000`00000000 - 0x0 ]
   +0x1c8 TrapFrame        : (null) 
   +0x1d0 FirstArgument    : 0x00000000`00000918 Void
   +0x1d8 CallbackStack    : (null) 
   +0x1d8 CallbackDepth    : 0
   +0x1e0 ApcStateIndex    : 0 ''
   +0x1e1 BasePriority     : 8 ''
   +0x1e2 PriorityDecrement : 0 ''
   +0x1e3 Preempted        : 0 ''
   +0x1e4 AdjustReason     : 0 ''
   +0x1e5 AdjustIncrement  : 1 ''
   +0x1e6 Spare01          : 0 ''
   +0x1e7 Saturation       : 0 ''
   +0x1e8 SystemCallNumber : 3
   +0x1ec FreezeCount      : 0
   +0x1f0 UserAffinity     : 0xffff
   +0x1f8 Process          : 0xfffffa80`2ab80c10 _KPROCESS
   +0x200 Affinity         : 0xffff
   +0x208 ApcStatePointer  : [2] 0xfffffa80`2abf00a8 _KAPC_STATE
   +0x218 SavedApcState    : _KAPC_STATE
   +0x218 SavedApcStateFill : [43]  "x???"
   +0x243 Spare02          : 0 ''
   +0x244 SuspendCount     : 0 ''
   +0x245 UserIdealProcessor : 0xc ''
   +0x246 Spare03          : 0 ''
   +0x247 CodePatchInProgress : 0 ''
   +0x248 Win32Thread      : 0xfffff900`c0727a90 Void
   +0x250 StackBase        : [COLOR=#0000cd]0xfffffa60`07974000[/COLOR] Void
   +0x258 SuspendApc       : _KAPC
   +0x258 SuspendApcFill0  : [1]  "???"
   +0x259 Spare04          : 0 ''
   +0x258 SuspendApcFill1  : [3]  "???"
   +0x25b QuantumReset     : 0x24 '$'
   +0x258 SuspendApcFill2  : [4]  "???"
   +0x25c KernelTime       : 0x1411
   +0x258 SuspendApcFill3  : [64]  "???"
   +0x298 WaitPrcb         : (null) 
   +0x258 SuspendApcFill4  : [72]  "???"
   +0x2a0 LegoData         : (null) 
   +0x258 SuspendApcFill5  : [83]  "???"
   +0x2ab PowerState       : 0 ''
   +0x2ac UserTime         : 0x926
   +0x2b0 SuspendSemaphore : _KSEMAPHORE
   +0x2b0 SuspendSemaphorefill : [28]  "???"
   +0x2cc SListFaultCount  : 0
   +0x2d0 ThreadListEntry  : _LIST_ENTRY [ 0xfffffa80`2c09bbc0 - 0xfffffa80`2abe9e80 ]
   +0x2e0 MutantListHead   : _LIST_ENTRY [ 0xfffffa80`2abf0340 - 0xfffffa80`2abf0340 ]
   +0x2f0 SListFaultAddress : (null) 
   +0x2f8 ReadOperationCount : 0n1742701
   +0x300 WriteOperationCount : 0n2810
   +0x308 OtherOperationCount : 0n376741
   +0x310 ReadTransferCount : 0n9880615612
   +0x318 WriteTransferCount : 0n38510
   +0x320 OtherTransferCount : 0n258275356
   +0x328 MdlForLockedTeb  : (null)

I can't figure out where it got that address fffff80001ce23d0 for the end of the range (supposed to be stack base).
 
Thanks for this report. Well... I know where it got the address from.

In my sample minidumps, _KTHREAD comes out like so:

Code:
6: kd> dt _KTHREAD fffffa800f683060
nt!_KTHREAD
   +0x000 Header           : _DISPATCHER_HEADER
   +0x018 CycleTime        : 0x1d1a88fe
   +0x020 QuantumTarget    : 0x26c67ffb
   +0x028 InitialStack     : 0xfffff880`0a3e7c70 Void
   +0x030 StackLimit       : 0xfffff880`0a3e0000 Void
   +0x038 KernelStack      : 0xfffff880`0a3e77c0 Void
   +0x040 ThreadLock       : 0
   +0x048 WaitRegister     : _KWAIT_STATUS_REGISTER
   +0x049 Running          : 0x1 ''
   +0x04a Alerted          : [2]  ""
   +0x04c KernelStackResident : 0y1
   +0x04c ReadyTransition  : 0y0
   +0x04c ProcessReadyQueue : 0y0
   +0x04c WaitNext         : 0y0
   +0x04c SystemAffinityActive : 0y0
   +0x04c Alertable        : 0y0
   +0x04c GdiFlushActive   : 0y0
   +0x04c UserStackWalkActive : 0y0
   +0x04c ApcInterruptRequest : 0y0
   +0x04c ForceDeferSchedule : 0y0
   +0x04c QuantumEndMigrate : 0y0
   +0x04c UmsDirectedSwitchEnable : 0y0
   +0x04c TimerActive      : 0y0
   +0x04c SystemThread     : 0y0
   +0x04c Reserved         : 0y000000000000000000 (0)
   +0x04c MiscFlags        : 0n1
   +0x050 ApcState         : _KAPC_STATE
   +0x050 ApcStateFill     : [43]  "???"
   +0x07b Priority         : 10 ''
   +0x07c NextProcessor    : 6
   +0x080 DeferredProcessor : 0
   +0x088 ApcQueueLock     : 0
   +0x090 WaitStatus       : 0n0
   +0x098 WaitBlockList    : 0xfffffa80`0f683168 _KWAIT_BLOCK
   +0x0a0 WaitListEntry    : _LIST_ENTRY [ 0x00000000`00000000 - 0xfffffa80`0e839100 ]
   +0x0a0 SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x0b0 Queue            : (null) 
   +0x0b8 Teb              : 0x00000000`7ef47000 Void
   +0x0c0 Timer            : _KTIMER
   +0x100 AutoAlignment    : 0y1
   +0x100 DisableBoost     : 0y0
   +0x100 EtwStackTraceApc1Inserted : 0y0
   +0x100 EtwStackTraceApc2Inserted : 0y0
   +0x100 CalloutActive    : 0y0
   +0x100 ApcQueueable     : 0y1
   +0x100 EnableStackSwap  : 0y1
   +0x100 GuiThread        : 0y1
   +0x100 UmsPerformingSyscall : 0y0
   +0x100 VdmSafe          : 0y0
   +0x100 UmsDispatched    : 0y0
   +0x100 ReservedFlags    : 0y000000000000000000000 (0)
   +0x100 ThreadFlags      : 0n225
   +0x104 Spare0           : 0
   +0x108 WaitBlock        : [4] _KWAIT_BLOCK
   +0x108 WaitBlockFill4   : [44]  "h???"
   +0x134 ContextSwitches  : 0x547
   +0x108 WaitBlockFill5   : [92]  "h???"
   +0x164 State            : 0x2 ''
   +0x165 NpxState         : 5 ''
   +0x166 WaitIrql         : 0 ''
   +0x167 WaitMode         : 1 ''
   +0x108 WaitBlockFill6   : [140]  "h???"
   +0x194 WaitTime         : 0x7a19
   +0x108 WaitBlockFill7   : [168]  "h???"
   +0x1b0 TebMappedLowVa   : (null) 
   +0x1b8 Ucb              : (null) 
   +0x108 WaitBlockFill8   : [188]  "h???"
   +0x1c4 KernelApcDisable : 0n0
   +0x1c6 SpecialApcDisable : 0n-1
   +0x1c4 CombinedApcDisable : 0xffff0000
   +0x1c8 QueueListEntry   : _LIST_ENTRY [ 0x00000000`00000000 - 0x0 ]
   +0x1d8 TrapFrame        : 0xfffff880`0a3e7ae0 _KTRAP_FRAME
   +0x1e0 FirstArgument    : 0x00000000`00000a78 Void
   +0x1e8 CallbackStack    : (null) 
   +0x1e8 CallbackDepth    : 0
   +0x1f0 ApcStateIndex    : 0 ''
   +0x1f1 BasePriority     : 8 ''
   +0x1f2 PriorityDecrement : 2 ''
   +0x1f2 ForegroundBoost  : 0y0010
   +0x1f2 UnusualBoost     : 0y0000
   +0x1f3 Preempted        : 0 ''
   +0x1f4 AdjustReason     : 0 ''
   +0x1f5 AdjustIncrement  : 1 ''
   +0x1f6 PreviousMode     : 1 ''
   +0x1f7 Saturation       : 0 ''
   +0x1f8 SystemCallNumber : 0xb
   +0x1fc FreezeCount      : 0
   +0x200 UserAffinity     : _GROUP_AFFINITY
   +0x210 Process          : 0xfffffa80`0fd14830 _KPROCESS
   +0x218 Affinity         : _GROUP_AFFINITY
   +0x228 IdealProcessor   : 3
   +0x22c UserIdealProcessor : 3
   +0x230 ApcStatePointer  : [2] 0xfffffa80`0f6830b0 _KAPC_STATE
   +0x240 SavedApcState    : _KAPC_STATE
   +0x240 SavedApcStateFill : [43]  "???"
   +0x26b WaitReason       : 0x6 ''
   +0x26c SuspendCount     : 0 ''
   +0x26d Spare1           : 0 ''
   +0x26e CodePatchInProgress : 0 ''
   +0x270 Win32Thread      : 0xfffff900`c2211260 Void
   +0x278 StackBase        : 0xfffff880`0a3e8000 Void
   +0x280 SuspendApc       : _KAPC
   +0x280 SuspendApcFill0  : [1]  "??????"
   +0x281 ResourceIndex    : 0x1 ''
   +0x280 SuspendApcFill1  : [3]  "???"
   +0x283 QuantumReset     : 0x12 ''
   +0x280 SuspendApcFill2  : [4]  "???"
   +0x284 KernelTime       : 4
   +0x280 SuspendApcFill3  : [64]  "???"
   +0x2c0 WaitPrcb         : (null) 
   +0x280 SuspendApcFill4  : [72]  "???"
   +0x2c8 LegoData         : (null) 
   +0x280 SuspendApcFill5  : [83]  "???"
   +0x2d3 LargeStack       : 0x1 ''
   +0x2d4 UserTime         : 5
   +0x2d8 SuspendSemaphore : _KSEMAPHORE
   +0x2d8 SuspendSemaphorefill : [28]  "???"
   +0x2f4 SListFaultCount  : 0
   +0x2f8 ThreadListEntry  : _LIST_ENTRY [ 0xfffffa80`101a25e8 - 0xfffffa80`0da7bb68 ]
   +0x308 MutantListHead   : _LIST_ENTRY [ 0xfffffa80`0f683368 - 0xfffffa80`0f683368 ]
   +0x318 SListFaultAddress : (null) 
   +0x320 ReadOperationCount : 0n18
   +0x328 WriteOperationCount : 0n18
   +0x330 OtherOperationCount : 0n88
   +0x338 ReadTransferCount : 0n359035
   +0x340 WriteTransferCount : 0n38457
   +0x348 OtherTransferCount : 0n786
   +0x350 ThreadCounters   : (null) 
   +0x358 StateSaveArea    : 0xfffff880`0a3e7cc0 _XSAVE_FORMAT
   +0x360 XStateSave       : (null)

Offset of StackBase in your _KTHREAD = 0x250, and in mine, 0x278.

This is not a 32bit/64bit problem. I have different offsets for 32bit targets.

Hmmmm... I need to think. The minidump I am looking at has lmvm nt of version 6.1.7601.17835. I wonder whether _KTHREAD is different in Windows Vista? What OS does your kernel dump come from?

Thank you.

EDIT: If it comes to it, I can always load symbols for _KTHREAD, and get the value by name rather than offset. Just that will be slightly slower...

EDIT2: Or is that because it is not a minidump?
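As an added example, not niemiro's extension code nor anything posted in this thread, here is a WinDbg command script that does what the first EDIT above proposes: it resolves StackBase and StackLimit through the nt!_KTHREAD type instead of at a fixed offset, prints the offsets this particular build uses, and refuses to run dps over an implausible range. It assumes nt symbols resolve on the target and that @$thread is the thread you care about (run .thread first otherwise).

```windbg
$$ Added example (not the rawstack extension's code): read the current thread's
$$ kernel stack bounds by field name so the script works whatever offset the build uses.
$$ Assumes nt symbols are loaded and @$thread points at the thread of interest.
$$ Run with: $$>< c:\path\stackbounds.wds   (condensed mode, so the .if block may span lines)

$$ 1. Show where this build places the fields. The thread above saw StackBase at
$$    0x250 in one dump and 0x278 in another, which is why a hard-coded offset failed.
r $t2 = @@c++(#FIELD_OFFSET(nt!_KTHREAD, StackBase))
r $t3 = @@c++(#FIELD_OFFSET(nt!_KTHREAD, StackLimit))
.printf "StackBase offset = 0x%x  StackLimit offset = 0x%x\n", @$t2, @$t3

$$ 2. Read the values through the type, not through an offset. _KTHREAD is the
$$    first member of _ETHREAD, so the ETHREAD address doubles as the KTHREAD address.
r $t0 = @@c++(((nt!_KTHREAD *)@$thread)->StackLimit)
r $t1 = @@c++(((nt!_KTHREAD *)@$thread)->StackBase)
.printf "StackLimit = %p  StackBase = %p\n", @$t0, @$t1

$$ 3. Sanity-check before dumping: base must sit above limit and neither may be
$$    zero. A bad read (e.g. a code address pulled from the wrong offset, as in the
$$    fffff80001ce23d0 case above) stops here instead of surfacing as a dps range error.
.if ((@$t1 > @$t0) & (@$t0 != 0)) {
    .printf "Kernel stack size = 0x%x bytes\n", @$t1 - @$t0
    dps @$t0 @$t1
} .else {
    .echo "Implausible stack bounds - verify with: dt nt!_KTHREAD @$thread StackBase StackLimit"
}
```

The same cast works on 32-bit targets, since the evaluator sizes the pointer from the target's symbols rather than from the debugger's bitness.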
 