http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html
0x0000003B SYSTEM_SERVICE_EXCEPTION is a fairly common bug check that occurs when there is an exception in the code that transfers control from non-privileged (user-mode) to privileged (kernel-mode) execution. Most SYSTEM_SERVICE_EXCEPTIONs result from memory corruption (parameter 1 typically shows 0xc0000005 STATUS_ACCESS_VIOLATION). The dump may or may not identify the driver that caused the corruption, and diagnosing it usually requires the driver verifier. These exceptions may also arise from memory issues.

Below is an example dump analysis. Typically, !analyze -v shows most of the information that can be retrieved from a dump like this.
4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8000376a398, Address of the instruction which caused the bugcheck
Arg3: fffff88008848c70, Address of the context record for the exception that
    caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced
    memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!AlpcpCancelMessagesByRequestor+84
fffff800`0376a398 4c396b70        cmp     qword ptr [rbx+70h],r13

CONTEXT:  fffff88008848c70 -- (.cxr 0xfffff88008848c70)
rax=fffffa800f358af8 rbx=f7fff8a004060710 rcx=fffffa8010c75c06
rdx=fffffa800f358a60 rsi=fffffa800f358af8 rdi=0000000000000000
rip=fffff8000376a398 rsp=fffff88008849650 rbp=0000000000000000
 r8=0000000000000000  r9=fffff880088496c0 r10=fffffa8010c75cb0
r11=fffff880088497d8 r12=fffffa800f358a60 r13=fffffa8010c75ce0
r14=0000000000000001 r15=fffff880088496c0
iopl=0         nv up ei ng nz ac po cy
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
nt!AlpcpCancelMessagesByRequestor+0x84:
fffff800`0376a398 4c396b70        cmp     qword ptr [rbx+70h],r13 ds:002b:f7fff8a0`04060780=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  dllhost.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff8000376a398

STACK_TEXT:
... : nt!AlpcpCancelMessagesByRequestor+0x84

FOLLOWUP_IP:
nt!AlpcpCancelMessagesByRequestor+84
fffff800`0376a398 4c396b70        cmp     qword ptr [rbx+70h],r13

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!AlpcpCancelMessagesByRequestor+84

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4e02aaa3

STACK_COMMAND:  .cxr 0xfffff88008848c70 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_nt!AlpcpCancelMessagesByRequestor+84

BUCKET_ID:  X64_0x3B_nt!AlpcpCancelMessagesByRequestor+84

Followup: MachineOwner
---------
We can tell that the exception occurred in nt!AlpcpCancelMessagesByRequestor+0x84.
4: kd> ln fffff8000376a398
(fffff800`0376a314)   nt!AlpcpCancelMessagesByRequestor+0x84   |  (fffff800`037cfda0)   nt!CcCreateVacbArray

Next steps after identifying this error are to test the memory and ensure that the BIOS and drivers are all up to date. If this does not resolve the problem, see if enabling the driver verifier produces more meaningful dumps.
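The arguments and the faulting operand address in the dump above can also be checked mechanically. The Python script below is an added example, not part of the original post or of any debugger tooling: it parses !analyze -v text, confirms that parameter 1 is STATUS_ACCESS_VIOLATION, and tests whether the address the faulting instruction touched is canonical. It assumes 48-bit x64 virtual addresses, and the single-bit-flip check is a triage heuristic introduced here; the function names are hypothetical.

```python
import re

# Excerpt of the !analyze -v output shown on this page (not new data).
SAMPLE = """\
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8000376a398, Address of the instruction which caused the bugcheck
Arg3: fffff88008848c70, Address of the context record for the exception that
Arg4: 0000000000000000, zero.
rax=fffffa800f358af8 rbx=f7fff8a004060710 rcx=fffffa8010c75c06
fffff800`0376a398 4c396b70 cmp qword ptr [rbx+70h],r13 ds:002b:f7fff8a0`04060780=????????????????
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
VA_BITS = 48  # assumption: 48-bit virtual addresses (x64 without 5-level paging)

def is_canonical(addr):
    """A canonical x64 address has bits 63..47 all equal (all 0 or all 1)."""
    top = addr >> (VA_BITS - 1)
    return top == 0 or top == (1 << (64 - VA_BITS + 1)) - 1

def single_bit_repairs(addr):
    """Bit positions whose flip alone turns addr into a canonical address."""
    return [b for b in range(64) if is_canonical(addr ^ (1 << b))]

def triage(text):
    """Extract the 0x3B arguments and classify the faulting operand address."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"Arg(\d): ([0-9a-fA-F]{16})", text)}
    # Operand address WinDbg prints after the instruction: ds:002b:hhhhhhhh`hhhhhhhh=
    m = re.search(r"[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})`([0-9a-f]{8})=", text)
    fault = int(m.group(1) + m.group(2), 16) if m else None
    report = {
        "access_violation": args.get(1) == STATUS_ACCESS_VIOLATION,
        "faulting_ip": args.get(2),
        "context_record": args.get(3),
        "fault_address": fault,
        "canonical": None,
        "bit_flip_candidates": [],
    }
    if fault is not None:
        report["canonical"] = is_canonical(fault)
        if not report["canonical"]:
            report["bit_flip_candidates"] = single_bit_repairs(fault)
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        is_addr = isinstance(value, int) and not isinstance(value, bool)
        print(key, hex(value) if is_addr else value)
```

For the dump above, the script reports a non-canonical operand address that becomes canonical when bit 59 is flipped. A pointer that is one bit away from a valid kernel address is consistent with, but does not prove, the memory issues that the memory test is meant to rule out.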
See also:
Windows Crash Dump Analysis
Troubleshooting Memory Errors
Enable Driver Verifier To Help Identify Blue Screen Causes