Windows 10 Need help finding faulting driver from Driver Verifier

  • Thread starter: mbailey16

mbailey16

Hi and thank you.


I am receiving BSOD Bug Check 3b (win32kfull.sys). I found a couple articles mentioning running driver verifier.


Reference links:

Bug Check 0x3B SYSTEM_SERVICE_EXCEPTION

Driver Verifier-- tracking down a mis-behaving driver.


After enabling driver verifier, right on boot up, the system crashed.


I am having some trouble identifying the issue and driver from the crash dump and any help would be great.


Windows 10 (Version 1703 Build 16299.431)

Asus Prime Z270-P motherboard (BIOS Version 1205 - 2018/05/25)

Intel i5 6500

G.Skill 16 GB F4-2400C15-8GVR (xmp currently disabled)


Please let me know if you have any questions.


--------------------------------------------------------------------------


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 16299 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.431.amd64fre.rs3_release_svc_escrow.180502-1908
Machine Name:
Kernel base = 0xfffff800`35c8a000 PsLoadedModuleList = 0xfffff800`35ff0030
Debug session time: Mon Jun 4 10:00:15.701 2018 (UTC - 4:00)
System Uptime: 0 days 0:00:09.439
Loading Kernel Symbols
...............................................................
..............Page c3bb5 not present in the dump file. Type ".hh dbgerr004" for details
........Page c2100 not present in the dump file. Type ".hh dbgerr004" for details
..........................................
.......
Loading User Symbols

Loading unloaded module list
..
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C4, {2004, ffffcc03240915d8, fffff8077fc301f0, ffffa38f65496fc8}

Probably caused by : ntkrnlmp.exe ( nt!VerifierBugCheckIfAppropriate+df )

Followup: MachineOwner
---------

nt!KeBugCheckEx:
fffff800`35dff570 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffa38f`65496f00=00000000000000c4
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 0000000000002004, Code Integrity Issue: The image contains a section that is not page aligned.
Arg2: ffffcc03240915d8, The image file name (Unicode string).
Arg3: fffff8077fc301f0, The address of the section header.
Arg4: ffffa38f65496fc8, The section name (UTF-8 encoded string).

Debugging Details:
------------------


KEY_VALUES_STRING: 1


STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 16299.431.amd64fre.rs3_release_svc_escrow.180502-1908

DUMP_TYPE: 1

BUGCHECK_P1: 2004

BUGCHECK_P2: ffffcc03240915d8

BUGCHECK_P3: fffff8077fc301f0

BUGCHECK_P4: ffffa38f65496fc8

BUGCHECK_STR: 0xc4_2004

CPU_COUNT: 4

CPU_MHZ: c78

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: C2'00000000 (cache) C2'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: MARK-PC

ANALYSIS_SESSION_TIME: 06-04-2018 10:05:34.0894

ANALYSIS_VERSION: 10.0.17674.1000 amd64fre

LOCK_ADDRESS: fffff80036009f40 -- (!locks fffff80036009f40)

Resource @ nt!PiEngineLock (0xfffff80036009f40) Exclusively owned
Contention Count = 1
NumberOfExclusiveWaiters = 1
Threads: ffffcc031f9ff040-01<*>

Threads Waiting On Exclusive Access:
ffffcc0323c48700
1 total locks

PNP_TRIAGE_DATA:
Lock address : 0xfffff80036009f40
Thread Count : 1
Thread address: 0xffffcc031f9ff040
Thread wait : 0x25c

LAST_CONTROL_TRANSFER: from fffff80036434293 to fffff80035dff570

STACK_TEXT:
ffffa38f`65496ef8 fffff800`36434293 : 00000000`000000c4 00000000`00002004 ffffcc03`240915d8 fffff807`7fc301f0 : nt!KeBugCheckEx
ffffa38f`65496f00 fffff800`35efcf1f : fffff800`35fdfaec 00000000`00002004 ffffcc03`240915d8 fffff807`7fc301f0 : nt!VerifierBugCheckIfAppropriate+0xdf
ffffa38f`65496f40 fffff800`3642c02b : 00000000`00000000 ffffa38f`65496fe0 fffff807`7fc301f0 ffff0000`00480043 : nt!VfReportIssueWithOptions+0x103
ffffa38f`65496f90 fffff800`3644196b : ffffcc03`24091580 ffffcc03`24091580 00000000`00000001 ffffcc03`1e04c660 : nt!VfCheckImageCompliance+0x297
ffffa38f`65497010 fffff800`3642823f : ffffcc03`24091580 00000000`00000000 fffff807`7fc30000 ffffcc03`24091500 : nt!VfSuspectDriversLoadCallback+0x31f
ffffa38f`65497050 fffff800`3616c1da : fffff807`7fc30118 ffffa38f`65497190 fffff807`7fc30000 00000000`00000000 : nt!VfDriverLoadImage+0x24df
ffffa38f`65497090 fffff800`361657cf : ffffa38f`65497290 00000000`00000000 00000000`00000000 ffffe205`14012f01 : nt!MmLoadSystemImageEx+0x40e
ffffa38f`65497240 fffff800`3616367f : 00000000`00000000 00000000`00000000 00000000`00000004 ffffe205`00000004 : nt!IopLoadDriver+0x22b
ffffa38f`65497410 fffff800`36163400 : ffffffff`80000101 ffffa38f`654975d0 ffffffff`8000018c 00000000`00000000 : nt!PipCallDriverAddDeviceQueryRoutine+0x1b3
ffffa38f`654974a0 fffff800`361b40f5 : 00000000`00000000 ffffa38f`654975b0 00000000`6e657050 00000000`00000014 : nt!PnpCallDriverQueryServiceHelper+0xcc
ffffa38f`65497550 fffff800`361ba9a8 : ffffcc03`1ef0e5f0 ffffa38f`654977f0 ffffcc03`1ef0e5f0 ffffcc03`1ef03d20 : nt!PipCallDriverAddDevice+0x385
ffffa38f`654976f0 fffff800`3626f605 : ffffcc03`23bf3d80 ffffa38f`65497a19 ffffcc03`23bf3d80 ffffcc03`23bf3dd0 : nt!PipProcessDevNodeTree+0x164
ffffa38f`65497970 fffff800`35d83f04 : ffffcc01`00000003 ffffcc03`00000000 ffffcc03`00000000 00000000`00000000 : nt!PiProcessStartSystemDevices+0x59
ffffa38f`654979c0 fffff800`35d0b9e5 : ffffcc03`1f9ff040 ffffcc03`1e0b02a0 fffff800`360089c0 ffffcc03`1e0b02a0 : nt!PnpDeviceActionWorker+0x474
ffffa38f`65497a80 fffff800`35d48967 : ffffcc03`1f9ff040 00000000`00000080 ffffcc03`1e0aa440 ffffcc03`1f9ff040 : nt!ExpWorkerThread+0xf5
ffffa38f`65497b10 fffff800`35e06fb6 : ffffe501`09780180 ffffcc03`1f9ff040 fffff800`35d48920 00000000`00000000 : nt!PspSystemThreadStartup+0x47
ffffa38f`65497b60 00000000`00000000 : ffffa38f`65498000 ffffa38f`65491000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


THREAD_SHA1_HASH_MOD_FUNC: 803c38680c1eea67c961a2628cbae0eebf27f443

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 909b19cddf57ff0fcc570bfbdb9ae929fa4934dd

THREAD_SHA1_HASH_MOD: aaa5a324bf1bd3082ad2b464ee2ed2f6d50e564c

FOLLOWUP_IP:
nt!VerifierBugCheckIfAppropriate+df
fffff800`36434293 cc int 3

FAULT_INSTR_CODE: 8418bcc

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!VerifierBugCheckIfAppropriate+df

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 5aeaa6a2

IMAGE_VERSION: 10.0.16299.431

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: df

FAILURE_BUCKET_ID: 0xc4_2004_VRF_nt!VerifierBugCheckIfAppropriate

BUCKET_ID: 0xc4_2004_VRF_nt!VerifierBugCheckIfAppropriate

PRIMARY_PROBLEM_CLASS: 0xc4_2004_VRF_nt!VerifierBugCheckIfAppropriate

TARGET_TIME: 2018-06-04T14:00:15.000Z

OSBUILD: 16299

OSSERVICEPACK: 431

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2018-05-03 02:05:22

BUILDDATESTAMP_STR: 180502-1908

BUILDLAB_STR: rs3_release_svc_escrow

BUILDOSVER_STR: 10.0.16299.431.amd64fre.rs3_release_svc_escrow.180502-1908

ANALYSIS_SESSION_ELAPSED_TIME: cae

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0xc4_2004_vrf_nt!verifierbugcheckifappropriate

FAILURE_ID_HASH: {2f46a29b-f110-bcdf-86c8-8ab3df856220}

Followup: MachineOwner
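
The bugcheck above carries Arg1 = 0x2004, "The image contains a section that is not page aligned". The following is an added example, not part of the original post and not Driver Verifier's own logic: a Python check that reads a driver image's PE headers and lists sections whose virtual address is not page aligned. The function names, the 4 KiB reading of "page aligned", and the sample header bytes are assumptions made for this example.

```python
import struct

PAGE_SIZE = 0x1000  # assumption: "page aligned" means a multiple of the 4 KiB x64 page

def check_image(image: bytes):
    """Return (SectionAlignment, [(name, VirtualAddress)] for sections not page aligned)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) sits right after the 4-byte signature.
    (num_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    opt_off = pe_off + 24
    # SectionAlignment is at offset 32 of the optional header in both PE32 and PE32+.
    (section_alignment,) = struct.unpack_from("<I", image, opt_off + 32)
    findings = []
    for i in range(num_sections):
        off = opt_off + opt_size + i * 40                    # 40-byte IMAGE_SECTION_HEADER
        name = image[off:off + 8].rstrip(b"\0").decode("utf-8", "replace")
        (virt_addr,) = struct.unpack_from("<I", image, off + 12)
        if virt_addr % PAGE_SIZE:
            findings.append((name, virt_addr))
    return section_alignment, findings

def build_sample(sections, section_alignment):
    """Constructed PE32+ header bytes for the demo only (not a loadable driver)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    opt = bytearray(240)                                     # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 32, section_alignment)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), 0x100, va, 0, 0, 0, 0, 0, 0, 0)
        for n, va in sections
    )
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table

if __name__ == "__main__":
    # Constructed sample: the second section starts at 0x2200, which is not 4 KiB aligned.
    sample = build_sample([(".text", 0x1000), (".data", 0x2200), ("INIT", 0x3000)], 0x200)
    alignment, bad = check_image(sample)
    print(f"SectionAlignment=0x{alignment:x}")
    for name, va in bad:
        print(f"section {name!r} at RVA 0x{va:x} is not page aligned")
```

To check a real driver, pass the bytes of its .sys file to `check_image`.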

