I need a little help

Andrew5545

Jun 16, 2015
OK, I decoded a .dump file, but when I did, I didn't know what a lot of it meant.
Code:
Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.19018.amd64fre.win7sp1_gdr.150928-1507
Machine Name:
Kernel base = 0xfffff800`0300d000 PsLoadedModuleList = 0xfffff800`03254730
Debug session time: Fri Oct 30 20:23:34.660 2015 (UTC - 4:00)
System Uptime: 0 days 0:06:45.800
Loading Kernel Symbols
...............................................................
................................................................
...................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffdc018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {ffffffffc0000005, fffff8000318b36c, fffff8800337f818, fffff8800337f070}

Probably caused by : memory_corruption ( nt!MiEmptyPageAccessLog+dc )

Followup: MachineOwner
---------


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8000318b36c, The address that the exception occurred at
Arg3: fffff8800337f818, Exception Record Address
Arg4: fffff8800337f070, Context Record Address

Debugging Details:
------------------


OVERLAPPED_MODULE: Address regions for 'rt2870' and 'rt2870.sys' overlap

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!MiEmptyPageAccessLog+dc
fffff800`0318b36c 488b08          mov     rcx,qword ptr [rax]

EXCEPTION_RECORD:  fffff8800337f818 -- (.exr 0xfffff8800337f818)
ExceptionAddress: fffff8000318b36c (nt!MiEmptyPageAccessLog+0x00000000000000dc)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT:  fffff8800337f070 -- (.cxr 0xfffff8800337f070;r)
rax=e3769dd9716c3138 rbx=0000000000002402 rcx=0000000000000008
rdx=fffff8a001415d10 rsi=fffffa8006daa048 rdi=0000000000000400
rip=fffff8000318b36c rsp=fffff8800337fa50 rbp=0000000000000000
 r8=fffffa800ba60002  r9=fffffa8006daa048 r10=fffffa800abc3010
r11=fffffa800abc2830 r12=0000000000000000 r13=fffffa8006daa000
r14=fffff8a001415f48 r15=0000000000000001
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
nt!MiEmptyPageAccessLog+0xdc:
fffff800`0318b36c 488b08          mov     rcx,qword ptr [rax] ds:002b:e3769dd9`716c3138=????????????????
Last set context:
rax=e3769dd9716c3138 rbx=0000000000002402 rcx=0000000000000008
rdx=fffff8a001415d10 rsi=fffffa8006daa048 rdi=0000000000000400
rip=fffff8000318b36c rsp=fffff8800337fa50 rbp=0000000000000000
 r8=fffffa800ba60002  r9=fffffa8006daa048 r10=fffffa800abc3010
r11=fffffa800abc2830 r12=0000000000000000 r13=fffffa8006daa000
r14=fffff8a001415f48 r15=0000000000000001
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
nt!MiEmptyPageAccessLog+0xdc:
fffff800`0318b36c 488b08          mov     rcx,qword ptr [rax] ds:002b:e3769dd9`716c3138=????????????????
Resetting default scope

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  nvtray.exe

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

READ_ADDRESS:  ffffffffffffffff 

FOLLOWUP_IP: 
nt!MiEmptyPageAccessLog+dc
fffff800`0318b36c 488b08          mov     rcx,qword ptr [rax]

BUGCHECK_STR:  0x7E

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre

LAST_CONTROL_TRANSFER:  from fffff80003105823 to fffff8000318b36c

STACK_TEXT:  
fffff880`0337fa50 fffff800`03105823 : fffffa80`0ba6f060 00000003`00000000 00000000`00002402 e3769dd9`716c3138 : nt!MiEmptyPageAccessLog+0xdc
fffff880`0337fac0 fffff800`0306b186 : 00000000`00000197 00000000`00000000 fffffa80`00000000 00000000`00000004 : nt! ?? ::FNODOBFM::`string'+0x4c22b
fffff880`0337fb40 fffff800`0306b9f3 : 00000000`00000008 fffff880`0337fbd0 00000000`00000001 fffffa80`00000000 : nt!MmWorkingSetManager+0x6e
fffff880`0337fb90 fffff800`0331ab26 : fffffa80`06715040 00000000`00000080 fffffa80`066ed040 00000000`00000001 : nt!KeBalanceSetManager+0x1c3
fffff880`0337fd00 fffff800`03071f66 : fffff800`03200e80 fffffa80`06715040 fffff800`0320ecc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`0337fd40 00000000`00000000 : fffff880`03380000 fffff880`0337a000 fffff880`0337f6c0 00000000`00000000 : nt!KiStartSystemThread+0x16


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!MiEmptyPageAccessLog+dc

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP:  5609efa0

IMAGE_VERSION:  6.1.7601.19018

STACK_COMMAND:  .cxr 0xfffff8800337f070 ; kb

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  X64_0x7E_nt!MiEmptyPageAccessLog+dc

BUCKET_ID:  X64_0x7E_nt!MiEmptyPageAccessLog+dc

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x7e_nt!miemptypageaccesslog+dc

FAILURE_ID_HASH:  {dcc53ce3-be33-1ec6-3dff-2332dca76544}

Followup: MachineOwner
---------
