Monday, December 12, 2011

Troubleshooting 0x3B SYSTEM_SERVICE_EXCEPTION

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:

http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

0x0000003B SYSTEM_SERVICE_EXCEPTION is a fairly common bug check that occurs when there is an exception in the code that transfers control from non-privileged (user-mode) code to privileged (kernel-mode) code. Most SYSTEM_SERVICE_EXCEPTIONs result from memory corruption (parameter 1 typically shows 0xc0000005 STATUS_ACCESS_VIOLATION). The dump may or may not identify the driver that caused the corruption, and diagnosis usually requires Driver Verifier. These exceptions may also arise from memory issues. Below is an example dump analysis. Typically, !analyze -v shows most of the information that can be retrieved from a dump like this.

4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8000376a398, Address of the instruction which caused the bugcheck
Arg3: fffff88008848c70, Address of the context record for the exception that 
                        caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced 
                                memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!AlpcpCancelMessagesByRequestor+84
fffff800`0376a398 4c396b70        cmp     qword ptr [rbx+70h],r13

CONTEXT:  fffff88008848c70 -- (.cxr 0xfffff88008848c70)
rax=fffffa800f358af8 rbx=f7fff8a004060710 rcx=fffffa8010c75c06
rdx=fffffa800f358a60 rsi=fffffa800f358af8 rdi=0000000000000000
rip=fffff8000376a398 rsp=fffff88008849650 rbp=0000000000000000
 r8=0000000000000000  r9=fffff880088496c0 r10=fffffa8010c75cb0
r11=fffff880088497d8 r12=fffffa800f358a60 r13=fffffa8010c75ce0
r14=0000000000000001 r15=fffff880088496c0
iopl=0         nv up ei ng nz ac po cy
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
nt!AlpcpCancelMessagesByRequestor+0x84:
fffff800`0376a398 4c396b70        cmp     qword ptr [rbx+70h],r13 ds:002b:f7fff8a0`04060780=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  dllhost.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff8000376a398

STACK_TEXT:  
... : nt!AlpcpCancelMessagesByRequestor+0x84


FOLLOWUP_IP: 
nt!AlpcpCancelMessagesByRequestor+84
fffff800`0376a398 4c396b70        cmp     qword ptr [rbx+70h],r13

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!AlpcpCancelMessagesByRequestor+84

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4e02aaa3

STACK_COMMAND:  .cxr 0xfffff88008848c70 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_nt!AlpcpCancelMessagesByRequestor+84

BUCKET_ID:  X64_0x3B_nt!AlpcpCancelMessagesByRequestor+84

Followup: MachineOwner
--------- 
 
We can tell that the exception occurred in nt!AlpcpCancelMessagesByRequestor+0x84.

4: kd> ln fffff8000376a398
(fffff800`0376a314)   nt!AlpcpCancelMessagesByRequestor+0x84   | 
(fffff800`037cfda0)   nt!CcCreateVacbArray
 
Next steps after identifying this error are to test the memory and ensure that the BIOS and drivers are all up to date. If this does not resolve the problem, see if enabling the driver verifier produces more meaningful dumps.
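
The faulting operand in this dump, rbx+70h = f7fff8a0`04060780, is worth checking before testing memory. The script below is an added example, not part of the original post: it recomputes that address from the register dump and tests whether it is canonical and whether flipping a single bit would make it canonical. It assumes 48-bit canonical addressing, and the function names are hypothetical.

```python
import re

# Constructed sample: register and disassembly lines copied from the
# !analyze -v output shown above.
SAMPLE = """\
rax=fffffa800f358af8 rbx=f7fff8a004060710 rcx=fffffa8010c75c06
rip=fffff8000376a398 rsp=fffff88008849650 rbp=0000000000000000
fffff800`0376a398 4c396b70        cmp     qword ptr [rbx+70h],r13
"""

REG = r"r[a-z0-9]{1,2}"

def parse_registers(text):
    """Map register name -> value for each 64-bit reg=hex pair in a .cxr dump."""
    pairs = re.findall(rf"\b({REG})=([0-9a-f]{{16}})\b", text)
    return {name: int(value, 16) for name, value in pairs}

def effective_address(text, regs):
    """Resolve the first 'ptr [reg+NNh]' memory operand in the disassembly."""
    m = re.search(rf"ptr \[({REG})(?:\+([0-9a-f]+)h)?\]", text)
    if m is None or m.group(1) not in regs:
        return None
    disp = int(m.group(2), 16) if m.group(2) else 0
    return (regs[m.group(1)] + disp) & 0xFFFFFFFFFFFFFFFF

def is_canonical(addr):
    """Assumes 48-bit virtual addresses: bits 63..47 must all be equal."""
    return (addr >> 47) in (0, 0x1FFFF)

def single_bit_repairs(addr):
    """Bit positions whose flip alone makes a non-canonical address canonical."""
    if is_canonical(addr):
        return []
    return [bit for bit in range(64) if is_canonical(addr ^ (1 << bit))]

def triage(text):
    """Summarize the faulting memory operand (hypothetical helper)."""
    ea = effective_address(text, parse_registers(text))
    if ea is None:
        return None
    return {"address": ea, "canonical": is_canonical(ea),
            "flip_bits": single_bit_repairs(ea)}

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"operand address {result['address']:#018x} "
          f"canonical={result['canonical']} flip_bits={result['flip_bits']}")
```

For this dump the operand address is non-canonical and differs from a canonical kernel-half address only in bit 59. Software corruption can produce the same pattern, so the result supports the memory test rather than replacing it.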

See also:
Windows Crash Dump Analysis
Troubleshooting Memory Errors
Enable Driver Verifier To Help Identify Blue Screen Causes
