Closed SteAmeR closed 1 year ago
@SteAmeR would you please attach the dump file or email it to me?
Find attached 120622-20265-01.zip
Thanks for providing the dump file.
5: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffac0144310781, memory referenced.
Arg2: 0000000000000000, X64: bit 0 set if the fault was due to a not-present PTE.
bit 1 is set if the fault was due to a write, clear if a read.
bit 3 is set if the processor decided the fault was due to a corrupted PTE.
bit 4 is set if the fault was due to attempted execute of a no-execute PTE.
- ARM64: bit 1 is set if the fault was due to a write, clear if a read.
bit 3 is set if the fault was due to attempted execute of a no-execute PTE.
Arg3: fffff80674b0a620, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : AV.Type
Value: Read
Key : Analysis.CPU.mSec
Value: 1937
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 7903
Key : Analysis.IO.Other.Mb
Value: 0
Key : Analysis.IO.Read.Mb
Value: 0
Key : Analysis.IO.Write.Mb
Value: 0
Key : Analysis.Init.CPU.mSec
Value: 218
Key : Analysis.Init.Elapsed.mSec
Value: 26884
Key : Analysis.Memory.CommitPeak.Mb
Value: 89
Key : Bugcheck.Code.DumpHeader
Value: 0x50
Key : Bugcheck.Code.Register
Value: 0x50
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
FILE_IN_CAB: 120622-20265-01.dmp
BUGCHECK_CODE: 50
BUGCHECK_P1: ffffac0144310781
BUGCHECK_P2: 0
BUGCHECK_P3: fffff80674b0a620
BUGCHECK_P4: 2
READ_ADDRESS: fffff806754fb390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
ffffac0144310781
MM_INTERNAL_CODE: 2
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: SystemInformer.exe
DEVICE_OBJECT: 0000000000000160
TRAP_FRAME: fffffc813dcf7250 -- (.trap 0xfffffc813dcf7250)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000018 rbx=0000000000000000 rcx=ffffac0144310341
rdx=0000001011aff2b0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80674b0a620 rsp=fffffc813dcf73e8 rbp=0000000000000000
r8=00000000ffffffff r9=7fffd388b5f74160 r10=fffff80674b0a620
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!PsGetProcessId:
fffff806`74b0a620 488b8140040000 mov rax,qword ptr [rcx+440h] ds:ffffac01`44310781=????????????????
Resetting default scope
STACK_TEXT:
fffffc81`3dcf6fa8 fffff806`74c3421d : 00000000`00000050 ffffac01`44310781 00000000`00000000 fffffc81`3dcf7250 : nt!KeBugCheckEx
fffffc81`3dcf6fb0 fffff806`74a399e0 : 00000000`00000000 00000000`00000000 fffffc81`3dcf72d0 00000000`00000000 : nt!MiSystemFault+0x1dc80d
fffffc81`3dcf70b0 fffff806`74c08dd8 : 00000000`00000000 00000000`00000000 ffffd388`5de61c80 00000000`00000000 : nt!MmAccessFault+0x400
fffffc81`3dcf7250 fffff806`74b0a620 : fffff806`ecd5a660 00000000`0000123c 00000010`11aff2b0 ffffd388`95558320 : nt!KiPageFault+0x358
fffffc81`3dcf73e8 fffff806`ecd5a660 : 00000000`0000123c 00000010`11aff2b0 ffffd388`95558320 00000000`0000003c : nt!PsGetProcessId
fffffc81`3dcf73f0 fffff806`ecd5a76d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SystemInformer!KphpAlpcBasicInfo+0x48 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c @ 198]
fffffc81`3dcf7420 fffff806`ecd5a544 : 00000000`00000000 00000010`11aff2b0 ffffac01`4120a660 00000000`00000000 : SystemInformer!KphpAlpcCommunicationInfo+0xa5 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c @ 269]
fffffc81`3dcf7460 fffff806`ecd5e0c3 : 00000178`b530b6b0 ffffd388`f8177d40 fffff806`ecd57000 fffff806`ecd6c58c : SystemInformer!KphAlpcQueryInformation+0x28c [C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c @ 682]
fffffc81`3dcf7520 fffff806`ecd5d3b5 : 00000000`00000000 00000000`00000ce0 00000000`00000000 00000000`00000000 : SystemInformer!KphpCommsAlpcQueryInformation+0x33 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\comms_handlers.c @ 740]
fffffc81`3dcf7570 fffff806`740bbc4b : ffffd388`de65e010 00000000`00000000 00000000`00000ce0 00000000`00000000 : SystemInformer!KphpCommsMessageNotifyCallback+0x355 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\comms.c @ 573]
fffffc81`3dcf75d0 fffff806`740f1819 : ffffac01`3ef15b70 ffffac01`3ef15aa0 00000000`00000000 00000000`00000000 : FLTMGR!FltpFilterMessage+0xdb
fffffc81`3dcf7630 fffff806`740b4a40 : ffffac0f`cef86e00 00000000`00000002 00000000`00000000 ffffac01`3ef15aa0 : FLTMGR!FltpMsgDispatch+0x179
fffffc81`3dcf76a0 fffff806`74a2a6b5 : ffffac01`3ef15aa0 fffffc81`3dcf7a80 ffffac01`3ef15ac0 00000000`00000ce0 : FLTMGR!FltpDispatch+0xe0
fffffc81`3dcf7700 fffff806`74e194c8 : ffffac01`3ef15aa0 00000000`00000000 00000000`00000000 fffff806`00000000 : nt!IofCallDriver+0x55
fffffc81`3dcf7740 fffff806`74e192c7 : 00000000`00000160 00000000`00000000 00000000`00000000 fffffc81`3dcf7a80 : nt!IopSynchronousServiceTail+0x1a8
fffffc81`3dcf77e0 fffff806`74e18646 : ffffd388`5dedec20 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xc67
fffffc81`3dcf7920 fffff806`74c0caf5 : 00000000`00000ae0 00000010`11aff760 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
fffffc81`3dcf7990 00007ff9`d858d1a4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000010`11afefa8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`d858d1a4
FAULTING_SOURCE_LINE: C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c
FAULTING_SOURCE_FILE: C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c
FAULTING_SOURCE_LINE_NUMBER: 198
FAULTING_SOURCE_CODE:
No source found for 'C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c'
SYMBOL_NAME: SystemInformer!KphpAlpcBasicInfo+48
MODULE_NAME: SystemInformer
IMAGE_NAME: SystemInformer.sys
IMAGE_VERSION: 3.2.0.0
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 48
FAILURE_BUCKET_ID: AV_R_(null)_SystemInformer!KphpAlpcBasicInfo
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {7df7ad47-ea2a-bd28-2ac1-1219db200c24}
Followup: MachineOwner
---------
The dump file does not contain sufficient information to get complete insight into the state of the machine. Certain information is not resident. A complete memory dump would be required to get complete context. That said, there is some insight we can gather. The ALPC port being queried is a client to a communication port:
5: kd> dx (nt!_ALPC_PORT*)0xffffac0f`f14e7dd0
(nt!_ALPC_PORT*)0xffffac0f`f14e7dd0 : 0xffffac0ff14e7dd0 [Type: _ALPC_PORT *]
[+0x000] PortListEntry [Type: _LIST_ENTRY]
[+0x010] CommunicationInfo : 0xffffd388b5f74130 [Type: _ALPC_COMMUNICATION_INFO *]
[+0x018] OwnerProcess : 0xffffac0ff3936240 [Type: _EPROCESS *]
[+0x020] CompletionPort : 0xffffac0ff2ac2680 [Type: void *]
[+0x028] CompletionKey : 0x1c8a30f8990 [Type: void *]
[+0x030] CompletionPacketLookaside : 0xffffac0131a7cef0 [Type: _ALPC_COMPLETION_PACKET_LOOKASIDE *]
[+0x038] PortContext : 0x123c [Type: void *]
[+0x040] StaticSecurity [Type: _SECURITY_CLIENT_CONTEXT]
[+0x088] IncomingQueueLock [Type: _EX_PUSH_LOCK]
[+0x090] MainQueue [Type: _LIST_ENTRY]
[+0x0a0] LargeMessageQueue [Type: _LIST_ENTRY]
[+0x0b0] PendingQueueLock [Type: _EX_PUSH_LOCK]
[+0x0b8] PendingQueue [Type: _LIST_ENTRY]
[+0x0c8] DirectQueueLock [Type: _EX_PUSH_LOCK]
[+0x0d0] DirectQueue [Type: _LIST_ENTRY]
[+0x0e0] WaitQueueLock [Type: _EX_PUSH_LOCK]
[+0x0e8] WaitQueue [Type: _LIST_ENTRY]
[+0x0f8] Semaphore : 0xffffac0fcc0723c0 [Type: _KSEMAPHORE *]
[+0x0f8] DummyEvent : 0xffffac0fcc0723c0 [Type: _KEVENT *]
[+0x100] PortAttributes [Type: _ALPC_PORT_ATTRIBUTES]
[+0x148] ResourceListLock [Type: _EX_PUSH_LOCK]
[+0x150] ResourceListHead [Type: _LIST_ENTRY]
[+0x160] PortObjectLock [Type: _EX_PUSH_LOCK]
[+0x168] CompletionList : 0x0 [Type: _ALPC_COMPLETION_LIST *]
[+0x170] CallbackObject : 0x0 [Type: _CALLBACK_OBJECT *]
[+0x178] CallbackContext : 0x0 [Type: void *]
[+0x180] CanceledQueue [Type: _LIST_ENTRY]
[+0x190] SequenceNo : 23 [Type: long]
[+0x194] ReferenceNo : 0 [Type: long]
[+0x198] ReferenceNoWait : 0x0 [Type: _PALPC_PORT_REFERENCE_WAIT_BLOCK *]
[+0x1a0] u1 [Type: <anonymous-tag>]
[+0x1a8] TargetQueuePort : 0x0 [Type: _ALPC_PORT *]
[+0x1b0] TargetSequencePort : 0x0 [Type: _ALPC_PORT *]
[+0x1b8] CachedMessage : 0x0 [Type: _KALPC_MESSAGE *]
[+0x1c0] MainQueueLength : 0x0 [Type: unsigned long]
[+0x1c4] LargeMessageQueueLength : 0x0 [Type: unsigned long]
[+0x1c8] PendingQueueLength : 0x0 [Type: unsigned long]
[+0x1cc] DirectQueueLength : 0x0 [Type: unsigned long]
[+0x1d0] CanceledQueueLength : 0x0 [Type: unsigned long]
[+0x1d4] WaitQueueLength : 0x0 [Type: unsigned long]
5: kd> dx -r1 ((ntkrnlmp!_ALPC_COMMUNICATION_INFO *)0xffffd388b5f74130)
((ntkrnlmp!_ALPC_COMMUNICATION_INFO *)0xffffd388b5f74130) : 0xffffd388b5f74130 [Type: _ALPC_COMMUNICATION_INFO *]
[+0x000] ConnectionPort : 0xffffac014120a660 [Type: _ALPC_PORT *]
[+0x008] ServerCommunicationPort : 0x0 [Type: _ALPC_PORT *]
[+0x010] ClientCommunicationPort : 0xffffac0ff14e7dd0 [Type: _ALPC_PORT *]
[+0x018] CommunicationList [Type: _LIST_ENTRY]
[+0x028] HandleTable [Type: _ALPC_HANDLE_TABLE]
[+0x048] CloseMessage : 0x0 [Type: _KALPC_MESSAGE *]
The client port looks completely valid, however the connection port looks off. And it is reaching into the connection port where the crash occurs:
5: kd> .frame 0n5;dv /t /v
05 fffffc81`3dcf73f0 fffff806`ecd5a76d SystemInformer!KphpAlpcBasicInfo+0x48 [C:\Users\aione\source\repos\systeminformer\KSystemInformer\alpc.c @ 198]
@rdi void * Port = 0xffffac01`4120a660
@rbx struct _KPH_ALPC_BASIC_INFORMATION * Info = 0x00000010`11aff2b0
<unavailable> struct _KPROCESS * process = <value unavailable>
5: kd> dx -r1 ((ntkrnlmp!_ALPC_PORT *)0xffffac014120a660)
((ntkrnlmp!_ALPC_PORT *)0xffffac014120a660) : 0xffffac014120a660 [Type: _ALPC_PORT *]
[+0x000] PortListEntry [Type: _LIST_ENTRY]
[+0x010] CommunicationInfo : 0xffffd388b5f73f80 [Type: _ALPC_COMMUNICATION_INFO *]
[+0x018] OwnerProcess : 0xffffac0144310341 [Type: _EPROCESS *]
[+0x020] CompletionPort : 0xffffac012feae840 [Type: void *]
[+0x028] CompletionKey : 0x263c0c8a310 [Type: void *]
[+0x030] CompletionPacketLookaside : 0xffffac011b4fb780 [Type: _ALPC_COMPLETION_PACKET_LOOKASIDE *]
[+0x038] PortContext : 0x0 [Type: void *]
[+0x040] StaticSecurity [Type: _SECURITY_CLIENT_CONTEXT]
[+0x088] IncomingQueueLock [Type: _EX_PUSH_LOCK]
[+0x090] MainQueue [Type: _LIST_ENTRY]
[+0x0a0] LargeMessageQueue [Type: _LIST_ENTRY]
[+0x0b0] PendingQueueLock [Type: _EX_PUSH_LOCK]
[+0x0b8] PendingQueue [Type: _LIST_ENTRY]
[+0x0c8] DirectQueueLock [Type: _EX_PUSH_LOCK]
[+0x0d0] DirectQueue [Type: _LIST_ENTRY]
[+0x0e0] WaitQueueLock [Type: _EX_PUSH_LOCK]
[+0x0e8] WaitQueue [Type: _LIST_ENTRY]
[+0x0f8] Semaphore : 0xffffac0fcc0723c0 [Type: _KSEMAPHORE *]
[+0x0f8] DummyEvent : 0xffffac0fcc0723c0 [Type: _KEVENT *]
[+0x100] PortAttributes [Type: _ALPC_PORT_ATTRIBUTES]
[+0x148] ResourceListLock [Type: _EX_PUSH_LOCK]
[+0x150] ResourceListHead [Type: _LIST_ENTRY]
[+0x160] PortObjectLock [Type: _EX_PUSH_LOCK]
[+0x168] CompletionList : 0x0 [Type: _ALPC_COMPLETION_LIST *]
[+0x170] CallbackObject : 0x0 [Type: _CALLBACK_OBJECT *]
[+0x178] CallbackContext : 0x0 [Type: void *]
[+0x180] CanceledQueue [Type: _LIST_ENTRY]
[+0x190] SequenceNo : 9 [Type: long]
[+0x194] ReferenceNo : 48 [Type: long]
[+0x198] ReferenceNoWait : 0x0 [Type: _PALPC_PORT_REFERENCE_WAIT_BLOCK *]
[+0x1a0] u1 [Type: <anonymous-tag>]
[+0x1a8] TargetQueuePort : 0x0 [Type: _ALPC_PORT *]
[+0x1b0] TargetSequencePort : 0x0 [Type: _ALPC_PORT *]
[+0x1b8] CachedMessage : 0x0 [Type: _KALPC_MESSAGE *]
[+0x1c0] MainQueueLength : 0x0 [Type: unsigned long]
[+0x1c4] LargeMessageQueueLength : 0x0 [Type: unsigned long]
[+0x1c8] PendingQueueLength : 0x0 [Type: unsigned long]
[+0x1cc] DirectQueueLength : 0x0 [Type: unsigned long]
[+0x1d0] CanceledQueueLength : 0x0 [Type: unsigned long]
[+0x1d4] WaitQueueLength : 0x0 [Type: unsigned long]
The EPROCESS pointer in the connection port looks wrong (which is likely the ultimate cause of the crash), as does the communication info pointer. But there are portions of the connection port that look accurate.
5: kd> dx -r1 (*((ntkrnlmp!_ALPC_PORT *)0xffffac014120a660)).u1.s1
(*((ntkrnlmp!_ALPC_PORT *)0xffffac014120a660)).u1.s1 [Type: <anonymous-tag>]
[+0x000 ( 0: 0)] Initialized : 0x1 [Type: unsigned long]
[+0x000 ( 2: 1)] Type : 0x1 [Type: unsigned long]
[+0x000 ( 3: 3)] ConnectionPending : 0x0 [Type: unsigned long]
[+0x000 ( 4: 4)] ConnectionRefused : 0x0 [Type: unsigned long]
[+0x000 ( 5: 5)] Disconnected : 0x1 [Type: unsigned long]
[+0x000 ( 6: 6)] Closed : 0x1 [Type: unsigned long]
[+0x000 ( 7: 7)] NoFlushOnClose : 0x0 [Type: unsigned long]
[+0x000 ( 8: 8)] ReturnExtendedInfo : 0x0 [Type: unsigned long]
[+0x000 ( 9: 9)] Waitable : 0x0 [Type: unsigned long]
[+0x000 (10:10)] DynamicSecurity : 0x0 [Type: unsigned long]
[+0x000 (11:11)] Wow64CompletionList : 0x0 [Type: unsigned long]
[+0x000 (12:12)] Lpc : 0x0 [Type: unsigned long]
[+0x000 (13:13)] LpcToLpc : 0x0 [Type: unsigned long]
[+0x000 (14:14)] HasCompletionList : 0x0 [Type: unsigned long]
[+0x000 (15:15)] HadCompletionList : 0x0 [Type: unsigned long]
[+0x000 (16:16)] EnableCompletionList : 0x0 [Type: unsigned long]
Note the flags indicating Closed and Disconnected. So, I expect in this scenario the ALPC connection port process died (or destroyed the port) before the client did, possibly resulting in the connection information releasing most of the state associated with the connection port, keeping around only minimal state. But it's hard to say at this point since I'm not yet confident that the information in the "destroyed" ALPC connection port can be trusted.
The fix could be as simple as checking the state for the target ALPC port, and if it is Closed, do not attempt to reach in for more data. However, I am speculating a bit; I'd like to be able to reproduce the state here to confirm. It will take me some time to write a test to verify this is the appropriate fix.
Hi @jxy-s,
Thanks for your efforts. I set my environment to get a full memory dump when it crashes. I'll take a deeper look at the case in light of your analysis information.
Further investigation indicates that the OS uses the first bit of the EPROCESS OwnerProcess pointer to determine if the EPROCESS is valid.
NTSTATUS __fastcall AlpcpPortQueryServerSessionInfo(
_ALPC_PORT *AlpcObject,
PVOID PortInformation,
ULONG Length,
PULONG ReturnLength)
{
_ALPC_PORT *port; // rax MAPDST
_EX_PUSH_LOCK *portObjectLock; // rdi
_EPROCESS *ownerProcess; // rbx
ULONG uniqueProcessId; // edi
ULONG sessionId; // esi
NTSTATUS result; // eax
if ( !AlpcObject )
return 0xC000000D;
port = AlpcpReferenceConnectedPort(AlpcObject);
if ( !port )
return 0xC000000D;
portObjectLock = &port->PortObjectLock;
ExAcquirePushLockSharedEx(&port->PortObjectLock, 0);
ownerProcess = 0i64;
if ( (port->OwnerProcess & 1) == 0 )
ownerProcess = port->OwnerProcess;
if ( ownerProcess )
ObfReferenceObjectWithTag(ownerProcess, 'cplA');
if ( _InterlockedCompareExchange64(portObjectLock, 0i64, 17i64) != 17 )
ExfReleasePushLockShared(portObjectLock);
KeAbPostRelease(portObjectLock);
ObfDereferenceObject(port);
if ( !ownerProcess )
return 0xC000000D;
uniqueProcessId = ownerProcess->UniqueProcessId;
sessionId = MmGetSessionIdEx(ownerProcess);
ObfDereferenceObjectWithTag(ownerProcess, 'cplA');
result = Length < 8 ? 0xC0000004 : 0;
if ( Length >= 8 )
{
*PortInformation = sessionId;
*(PortInformation + 1) = uniqueProcessId;
}
if ( ReturnLength )
*ReturnLength = 8;
return result;
}
Per the reverse engineering above, the following patch should address this:
➜ git diff
diff --git a/KSystemInformer/alpc.c b/KSystemInformer/alpc.c
index 6a42c5240..1ba65cad2 100644
--- a/KSystemInformer/alpc.c
+++ b/KSystemInformer/alpc.c
@@ -182,22 +182,36 @@ NTSTATUS KphpAlpcBasicInfo(
)
{
PEPROCESS process;
+ PVOID portObjectLock;
PAGED_PASSIVE();
RtlZeroMemory(Info, sizeof(*Info));
- if (KphDynAlpcOwnerProcess == ULONG_MAX)
+ if ((KphDynAlpcOwnerProcess == ULONG_MAX) ||
+ (KphDynAlpcPortObjectLock == ULONG_MAX))
{
return STATUS_NOINTERFACE;
}
+ //
+ // The OS uses the first bit of the OwnerProcess to denote if it is valid,
+ // if the first bit of the OwnerProcess is set is it invalid. Checking the
+ // bit should be done under the PortObjectLock.
+ // See: ntoskrnl!AlpcpPortQueryServerSessionInfo
+ //
+
+ portObjectLock = Add2Ptr(Port, KphDynAlpcPortObjectLock);
+ FltAcquirePushLockShared(portObjectLock);
+
process = *(PEPROCESS*)Add2Ptr(Port, KphDynAlpcOwnerProcess);
- if (process)
+ if (process && (((ULONG_PTR)process & 1) == 0))
{
Info->OwnerProcessId = PsGetProcessId(process);
}
+ FltReleasePushLock(portObjectLock);
+
if ((KphDynAlpcAttributes != ULONG_MAX) &&
(KphDynAlpcAttributesFlags != ULONG_MAX))
{
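Review bot: the comment block in this hunk has a word-order slip at "if the first bit of the OwnerProcess is set is it invalid"; it should read "it is invalid". More substantively, when the low bit is set the function now returns success with Info->OwnerProcessId left at the zero written by RtlZeroMemory, which the caller cannot distinguish from a port that simply has no owner; consider surfacing the torn-down state (for example as an extra field in Info) so the two cases can be told apart. Also, FltAcquirePushLockShared(portObjectLock) is now taken on a lock located purely by the KphDynAlpcPortObjectLock dynamic-data offset, so an incorrect offset for a given build would modify the ALPC port rather than just misread it; the ULONG_MAX guard above covers a missing offset but not a wrong one, so that dynamic-data entry deserves careful validation per OS build.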
This will include changes to the dynamic data structure which will increment the revision of the dynamic data blob. I have another branch going to address another issue in that area. This patch will have to wait until after those other changes go in.
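As an added illustration (example code written for this page, not System Informer or Windows code) of the two checks discussed in jxy-s's analysis and patch: the low bit of the port's OwnerProcess pointer marking it unusable, and the u1.s1 Closed/Disconnected flags. The MODEL_ALPC_PORT and MODEL_EPROCESS structures, the function names and the sample values are assumptions for a user-mode model; only the bit positions and the odd OwnerProcess value 0xffffac0144310341 come from the dx output above. The model also decodes the flags word the dx output showed for the crashed connection port.

```c
/*
 * Added example, not code from System Informer or Windows. A user-mode model
 * of the two checks discussed in this thread: the low bit of the ALPC port's
 * OwnerProcess pointer marks it as unusable, and the u1.s1 flag bits report
 * Closed / Disconnected. MODEL_ALPC_PORT and MODEL_EPROCESS are simplified
 * stand-ins (assumptions), not the real nt!_ALPC_PORT / nt!_EPROCESS layouts;
 * the bit positions come from the dx output earlier in the thread.
 */
#include <stdint.h>
#include <stdio.h>

/* u1.s1 bit positions as listed by dx above. */
#define ALPC_FLAG_INITIALIZED        (1u << 0)
#define ALPC_TYPE(n)                 ((uint32_t)(n) << 1)   /* bits 2:1 */
#define ALPC_FLAG_CONNECTION_PENDING (1u << 3)
#define ALPC_FLAG_CONNECTION_REFUSED (1u << 4)
#define ALPC_FLAG_DISCONNECTED       (1u << 5)
#define ALPC_FLAG_CLOSED             (1u << 6)

typedef struct MODEL_EPROCESS {
    uint64_t UniqueProcessId;
} MODEL_EPROCESS;

typedef struct MODEL_ALPC_PORT {
    MODEL_EPROCESS *OwnerProcess;  /* low bit set => do not dereference */
    uint32_t Flags;                /* stand-in for the u1.s1 bitfield */
} MODEL_ALPC_PORT;

/* Mirrors the (port->OwnerProcess & 1) == 0 test in
 * AlpcpPortQueryServerSessionInfo: a NULL or low-bit-tagged pointer is unusable. */
int alpc_owner_process_usable(const MODEL_ALPC_PORT *port)
{
    uintptr_t raw = (uintptr_t)port->OwnerProcess;
    return raw != 0 && (raw & 1) == 0;
}

/* Owner PID, or 0 when the owner pointer must not be followed. This is the
 * behaviour the patch gives KphpAlpcBasicInfo (Info is zeroed first). */
uint64_t alpc_owner_process_id(const MODEL_ALPC_PORT *port)
{
    if (!alpc_owner_process_usable(port))
        return 0;
    return port->OwnerProcess->UniqueProcessId;
}

/* The state check first proposed in the thread: Closed or Disconnected set. */
int alpc_port_is_torn_down(const MODEL_ALPC_PORT *port)
{
    return (port->Flags & (ALPC_FLAG_CLOSED | ALPC_FLAG_DISCONNECTED)) != 0;
}

/* Flags word matching what dx reported for the connection port in the crash:
 * Initialized=1, Type=1, Disconnected=1, Closed=1. */
uint32_t crash_connection_port_flags(void)
{
    return ALPC_FLAG_INITIALIZED | ALPC_TYPE(1) | ALPC_FLAG_DISCONNECTED | ALPC_FLAG_CLOSED;
}

/* Runs the model against two constructed ports. Returns 1 when every
 * expectation holds, 0 otherwise. */
int run_model_checks(void)
{
    MODEL_EPROCESS proc = { 1234 };   /* constructed sample process */

    /* Live client port: even pointer, only Initialized + Type set. */
    MODEL_ALPC_PORT live = { &proc, ALPC_FLAG_INITIALIZED | ALPC_TYPE(1) };

    /* Torn-down connection port: same EPROCESS, but the low bit is set, as in
     * the odd OwnerProcess value 0xffffac0144310341 from the dump. */
    MODEL_ALPC_PORT dead = {
        (MODEL_EPROCESS *)((uintptr_t)&proc | 1),
        crash_connection_port_flags()
    };

    int ok = 1;
    ok &= alpc_owner_process_usable(&live) == 1;
    ok &= alpc_owner_process_id(&live) == 1234;
    ok &= alpc_port_is_torn_down(&live) == 0;

    ok &= alpc_owner_process_usable(&dead) == 0;
    ok &= alpc_owner_process_id(&dead) == 0;   /* tagged pointer is never dereferenced */
    ok &= alpc_port_is_torn_down(&dead) == 1;
    ok &= crash_connection_port_flags() == 0x63;
    return ok;
}

int main(void)
{
    int ok = run_model_checks();
    printf("model checks %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the model is that both checks are cheap and orthogonal: the low-bit test protects the dereference itself, while the Closed/Disconnected flags tell a caller whether the rest of the port state is worth reading at all.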
I've just encountered the same BSOD on Win11 21H2. I was searching for DLLs and the stack matches (well, at least the system part, as I don't have symbols for the driver).
I'd really appreciate a fixed driver. Hopefully it will happen soon :)
I also just encountered two similar BSOD errors within the last 24 hours. I don't recall what I was doing when the first BSOD occurred, but for the second one, which just occurred, I was also searching for the process locking a file (System -> Find Handles or DLLs) when it occurred.
Both memory dumps I ran through WinDbg seem to indicate the bugcheck error was triggered by systeminformer.exe / systemInformer.sys? I don't understand the output, but System Informer is being referenced.
Here is the WinDbg analysis from the first BSOD: Mini Dump-01-03-23_12-58-AM.zip
Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64 Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [E:\ScratchTemp\DebugDiag 2-Debug Diagnostic Tool-Output Directory\Crash Dumps\MEMORY-01-03-23_12-58-AM.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
***** Path validation summary **
Response Time (ms) Location
OK C:\Symbols
Symbol search path is: C:\Symbols
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff802`44a00000 PsLoadedModuleList = 0xfffff802`4562a290
Debug session time: Tue Jan 3 00:51:15.638 2023 (UTC - 5:00)
System Uptime: 0 days 9:00:19.281
Loading Kernel Symbols
...............................................................
................................................................
................................................................
....................Page 283f35 not present in the dump file. Type ".hh dbgerr004" for details
............................................
.......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 0000003c`7f0b2018). Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
0: kd> !analyze -v
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffa602762e24c1, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80244d0a680, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)
Page 283f35 not present in the dump file. Type ".hh dbgerr004" for details
Page 190e5f not present in the dump file. Type ".hh dbgerr004" for details
Page 283f35 not present in the dump file. Type ".hh dbgerr004" for details
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 4
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on SPECTREI7
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 4
Key : Analysis.Memory.CommitPeak.Mb
Value: 86
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: 50
BUGCHECK_P1: ffffa602762e24c1
BUGCHECK_P2: 0
BUGCHECK_P3: fffff80244d0a680
BUGCHECK_P4: 2
READ_ADDRESS: ffffa602762e24c1 Nonpaged pool
MM_INTERNAL_CODE: 2
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: SystemInformer.exe
DEVICE_OBJECT: 00000000000001a8
TRAP_FRAME: fffff48f2b487290 -- (.trap 0xfffff48f2b487290)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000018 rbx=0000000000000000 rcx=ffffa602762e2081
rdx=0000003c00eff3d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80244d0a680 rsp=fffff48f2b487428 rbp=0000000000000000
r8=00000000ffffffff r9=7fffbc8ada3d11f0 r10=fffff80244d0a680
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!PsGetProcessId:
fffff802`44d0a680 488b8140040000 mov rax,qword ptr [rcx+440h] ds:ffffa602`762e24c1=????????????????
Resetting default scope
STACK_TEXT:
fffff48f`2b486fe8 fffff802`44e3421d : 00000000`00000050 ffffa602`762e24c1 00000000`00000000 fffff48f`2b487290 : nt!KeBugCheckEx
fffff48f`2b486ff0 fffff802`44c39a40 : 00000000`00000000 00000000`00000000 fffff48f`2b487310 00000000`00000000 : nt!MiSystemFault+0x1dc7ad
fffff48f`2b4870f0 fffff802`44e08dd8 : 00000000`00000000 00000000`00000000 ffffbc8a`00000000 00000000`00000000 : nt!MmAccessFault+0x400
fffff48f`2b487290 fffff802`44d0a680 : fffff802`7e4ea660 00000000`00001c18 0000003c`00eff3d0 ffffbc8b`084ebce0 : nt!KiPageFault+0x358
fffff48f`2b487428 fffff802`7e4ea660 : 00000000`00001c18 0000003c`00eff3d0 ffffbc8b`084ebce0 00000000`0000003c : nt!PsGetProcessId
fffff48f`2b487430 fffff802`7e4ea76d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SystemInformer+0xa660
fffff48f`2b487460 fffff802`7e4ea544 : 00000000`00000000 0000003c`00eff3d0 ffffa602`6b608aa0 00000000`00000000 : SystemInformer+0xa76d
fffff48f`2b4874a0 fffff802`7e4ee0c3 : 000001f9`b44107d0 ffffbc8a`bc668140 fffff802`7e4e7000 fffff802`7e4fc58c : SystemInformer+0xa544
fffff48f`2b487560 fffff802`7e4ed3b5 : 00000000`00000000 00000000`00000ce0 00000000`00000000 00000000`00000000 : SystemInformer+0xe0c3
fffff48f`2b4875b0 fffff802`4872bc4b : ffffbc8a`c3ac9010 00000000`00000000 00000000`00000ce0 00000000`00000000 : SystemInformer+0xd3b5
fffff48f`2b487610 fffff802`48761819 : ffffa602`75d05c20 ffffa602`75d05b50 00000000`00000000 00000000`00000000 : FLTMGR!FltpFilterMessage+0xdb
fffff48f`2b487670 fffff802`48724a40 : ffffa602`4345a740 00000000`00000002 00000000`00000000 ffffa602`75d05b50 : FLTMGR!FltpMsgDispatch+0x179
fffff48f`2b4876e0 fffff802`44c2a715 : ffffa602`75d05b50 00000000`00000000 fffff48f`2b487ac0 00000000`00000ce0 : FLTMGR!FltpDispatch+0xe0
fffff48f`2b487740 fffff802`450195c8 : ffffa602`75d05b50 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IofCallDriver+0x55
fffff48f`2b487780 fffff802`450193c7 : 00000000`000001a8 00000000`00000000 00000000`00000000 fffff48f`2b487ac0 : nt!IopSynchronousServiceTail+0x1a8
fffff48f`2b487820 fffff802`45018746 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xc67
fffff48f`2b487960 fffff802`44e0caf5 : 00000000`000007cc 00000000`00001c00 00000000`00000102 ffffa602`6b02d340 : nt!NtDeviceIoControlFile+0x56
fffff48f`2b4879d0 00007ffc`23fed1a4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
0000003c`00eff038 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`23fed1a4
SYMBOL_NAME: SystemInformer+a660
MODULE_NAME: SystemInformer
IMAGE_NAME: SystemInformer.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: a660
FAILURE_BUCKET_ID: AV_R_INVALID_SystemInformer!unknown_function
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3c22572d-d4b5-9512-6a6d-dc82a77e1bd8}
Here is the analysis from the 2nd BSOD that just occurred: Mini Dump-01-03-23_9-18-PM.zip
Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64 Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [E:\ScratchTemp\DebugDiag 2-Debug Diagnostic Tool-Output Directory\Crash Dumps\MEMORY-01-03-23_9-18-PM.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
***** Path validation summary **
Response Time (ms) Location
OK C:\Symbols
Symbol search path is: C:\Symbols
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff805`76600000 PsLoadedModuleList = 0xfffff805`7722a290
Debug session time: Tue Jan 3 21:13:46.942 2023 (UTC - 5:00)
System Uptime: 0 days 20:15:40.468
Loading Kernel Symbols
...............................................................
................................................................
................................................................
................................................................
...................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000090`368fb018). Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
2: kd> !analyze -v
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8061e426806, Address of the instruction which caused the bugcheck
Arg3: fffff38538046630, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 2
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on SPECTREI7
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 2
Key : Analysis.Memory.CommitPeak.Mb
Value: 84
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff8061e426806
BUGCHECK_P3: fffff38538046630
BUGCHECK_P4: 0
CONTEXT: fffff38538046630 -- (.cxr 0xfffff38538046630)
rax=0020006d00610072 rbx=0000000000000000 rcx=0020006d00610072
rdx=00000000746c6644 rsi=ffffc5823636a290 rdi=000000000000002c
rip=fffff8061e426806 rsp=fffff38538047030 rbp=ffffd58321d56d8c
r8=00000000ffffffff r9=7fffd582cd23faa0 r10=7ffffffffffffffc
r11=0069007600650044 r12=fffff38538047398 r13=0000000000000210
r14=ffffd58321d56d60 r15=000000000000007a
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050206
SystemInformer+0x16806:
fffff806`1e426806 0fb74158 movzx eax,word ptr [rcx+58h] ds:002b:0020006d`006100ca=????
Resetting default scope
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: SystemInformer.exe
DEVICE_OBJECT: 00000000000001b0
STACK_TEXT:
fffff385`38047030 fffff806`1e4261bd : ffffc582`3636a290 00000000`00000000 00000000`00000210 fffff805`76fb5094 : SystemInformer+0x16806
fffff385`380470b0 fffff806`1e426235 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : SystemInformer+0x161bd
fffff385`38047120 fffff806`1e4255b7 : 00000000`00000000 00000000`00000000 ffffd583`21d56d60 00000000`00000000 : SystemInformer+0x16235
fffff385`38047150 fffff806`1e41df03 : 0000025d`af4107d0 ffffd582`faad8b90 ffffd582`d5724050 fffff806`1e42c587 : SystemInformer+0x155b7
fffff385`38047560 fffff806`1e41d3b5 : 00000000`00000000 00000000`00000ce0 00000000`00000000 00000000`00000000 : SystemInformer+0xdf03
fffff385`380475b0 fffff805`7992bc4b : ffffd582`d5724050 00000000`00000000 ffffc582`00000ce0 ffffc582`2b4fb620 : SystemInformer+0xd3b5
fffff385`38047610 fffff805`79961819 : ffffc582`2b4fb620 ffffc582`2b4fb550 00000000`00000000 fffff805`76be7e39 : FLTMGR!FltpFilterMessage+0xdb
fffff385`38047670 fffff805`79924a40 : ffffc582`06f03290 00000000`00000002 00000000`00000000 ffffc582`2b4fb550 : FLTMGR!FltpMsgDispatch+0x179
fffff385`380476e0 fffff805`7682a715 : ffffc582`2b4fb550 00000000`00000000 fffff385`38047ac0 00000000`00000ce0 : FLTMGR!FltpDispatch+0xe0
fffff385`38047740 fffff805`76c195c8 : ffffc582`2b4fb550 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IofCallDriver+0x55
fffff385`38047780 fffff805`76c193c7 : 00000000`000001b0 00000000`00000000 00000000`00000000 fffff385`38047ac0 : nt!IopSynchronousServiceTail+0x1a8
fffff385`38047820 fffff805`76c18746 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xc67
fffff385`38047960 fffff805`76a0caf5 : 00000000`00001778 00000000`00000000 00000000`00000102 ffffc582`1da52140 : nt!NtDeviceIoControlFile+0x56
fffff385`380479d0 00007ff8`86aed1a4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000090`385ff268 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff8`86aed1a4
SYMBOL_NAME: SystemInformer+16806
MODULE_NAME: SystemInformer
IMAGE_NAME: SystemInformer.sys
STACK_COMMAND: .cxr 0xfffff38538046630 ; kb
BUCKET_ID_FUNC_OFFSET: 16806
FAILURE_BUCKET_ID: 0x3B_c0000005_SystemInformer!unknown_function
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {7ef224b6-cc5f-b0ba-47a2-a7292cc6d48b}
Staging branch was merged. New driver release soon™️. I greatly appreciate everyone's patience.
Fixed in latest nightly build 🥳
@dmex What a timing, just as I switched to Windows 11 Enterprise..
Brief description of your issue
The system crashed when I tried to search for a locked file via the System->Find handles or DLLs menu. The exception details can be found in the attached bsodissue.txt
Steps to reproduce (optional)
Reproducing may be complex, but I think you can try with a file that is locked and used by another process while you search for its file handle with "Find handles or DLLs"
Expected behavior (optional)
No response
Actual behavior (optional)
No response
Environment (optional)
No response