Connected to Windows 7 7601 x86 compatible target at (Thu Mar 19 17:34:28.389 2015 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.comSRV*c:\symbols\*http://symbols.mozilla.org/firefox;srv*c:\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com
Executable search path is:
Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
Built by: 7601.18741.x86fre.win7sp1_gdr.150202-1526
Machine Name:
Kernel base = 0x82a04000 PsLoadedModuleList = 0x82b4e5b0
System Uptime: not available
nt!DbgLoadImageSymbols+0x47:
82a1c578 cc int 3
kd> g
KDTARGET: Refreshing KD connection
nt!DbgLoadImageSymbols+0x47:
82a1c578 cc int 3
1: kd> g

*** Fatal System Error: 0x00000050
(0xBEBEBEEA,0x00000001,0x96979765,0x00000002)

Driver at fault:
*** win32k.sys - Address 96979765 base at 968F0000, DateStamp 54ee8ecd
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Thu Mar 19 17:39:53.922 2015 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
..................................
Loading User Symbols
..................................
Loading unloaded module list
.................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {bebebeea, 1, 96979765, 2}

*** WARNING: Unable to verify checksum for Poc9.exe
*** ERROR: Module load completed but symbols could not be loaded for Poc9.exe
Probably caused by : win32k.sys ( win32k!HMChangeOwnerThread+40 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
This is NOT a break in update time
This is most likely a BUG in an ISR
Perform a stack trace to find the culprit
The period will be doubled on continuation
Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82a7f38c cd2c int 2Ch
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bebebeea, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 96979765, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)

Debugging Details:
------------------


WRITE_ADDRESS: bebebeea

FAULTING_IP:
win32k!HMChangeOwnerThread+40
96979765 ff412c inc dword ptr [ecx+2Ch]

MM_INTERNAL_CODE: 2

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54ee8ecd

MODULE_NAME: win32k

FAULTING_MODULE: 968f0000 win32k

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: Poc9.exe

CURRENT_IRQL: 1c

TRAP_FRAME: 9847f950 -- (.trap 0xffffffff9847f950)
ErrCode = 00000002
eax=ff9215d8 ebx=ffb0d260 ecx=bebebebe edx=000101d2 esi=fea16568 edi=00000000
eip=96979765 esp=9847f9c4 ebp=9847f9d0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
win32k!HMChangeOwnerThread+0x40:
96979765 ff412c inc dword ptr [ecx+2Ch] ds:0023:bebebeea=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 82a7e853 to 82a7f38c

STACK_TEXT:
9847f378 82a7e853 0002625a 00000000 00005500 nt!KeAccumulateTicks+0x3c5
9847f3b8 82a7e700 82e310a8 efcb6a99 00000000 nt!KeUpdateRunTime+0x145
9847f410 82a7df03 00000002 00000002 000000d1 nt!KeUpdateSystemTime+0x613
9847f410 82e310a8 00000002 00000002 000000d1 nt!KeUpdateSystemTimeAssist+0x13
9847f494 82e1fb8c 00001000 00000000 9847f4f4 hal!READ_PORT_USHORT+0x8
9847f4a4 82e1fcf5 82ae2f92 adfe38d5 00000065 hal!HalpCheckPowerButton+0x2e
9847f4a8 82ae2f92 adfe38d5 00000065 00000000 hal!HaliHaltSystem+0x7
9847f4f4 82ae3a39 00000003 c0602fa8 bebebeea nt!KiBugCheckDebugBreak+0x73
9847f8b8 82a919ad 00000050 bebebeea 00000001 nt!KeBugCheck2+0x68b
9847f938 82a44a78 00000001 bebebeea 00000000 nt!MmAccessFault+0x104
9847f938 96979765 00000001 bebebeea 00000000 nt!KiTrap0E+0xdc
9847f9d0 96977cf0 fea16568 00000000 85218158 win32k!HMChangeOwnerThread+0x40
9847fa24 969c0686 00000001 9847fa3c 969c0660 win32k!xxxDestroyWindow+0x62
9847fa30 969c0660 ff9215d8 9847fa48 969c004b win32k!HMDestroyUnlockedObject+0x1b
9847fa3c 969c004b fea16568 9847fa5c 969bd745 win32k!HMUnlockObjectInternal+0x30
9847fa48 969bd745 fea16568 969d5019 868fcce0 win32k!HMUnlockObject+0x13
9847fa50 969d5019 868fcce0 9847fa74 969d6371 win32k!HMAssignmentUnlock+0xf
9847fa5c 969d6371 868fcce0 85218158 00000000 win32k!ForceEmptyClipboard+0x1a
9847fa74 82c1740b 9847fabc 85218158 00000000 win32k!FreeWindowStation+0x69
9847faa4 82c9238d 969d6308 9847fabc 00000001 nt!ExpWin32SessionCallout+0x3c
9847fac4 82c278f1 868fcce0 868fcce0 868fccc8 nt!ExpWin32DeleteProcedure+0x4a
9847fadc 82a7c320 00000000 85672448 868fccc8 nt!ObpRemoveObjectRoutine+0x59
9847faf0 82a7c290 868fcce0 82c4a704 aeea8320 nt!ObfDereferenceObjectWithTag+0x88
9847faf8 82c4a704 aeea8320 85672448 aeea8320 nt!ObfDereferenceObject+0xd
9847fb38 82c790f0 ab9237f8 aeea8320 85653d40 nt!ObpCloseHandleTableEntry+0x21d
9847fb68 82c6150d ab9237f8 9847fb7c 98b04c30 nt!ExSweepHandleTable+0x5f
9847fb88 82c6eb9d adfe37dd 00000000 85672448 nt!ObKillProcess+0x54
9847fbfc 82c61140 00000000 ffffffff 0031fa98 nt!PspExitThread+0x5db
9847fc24 82a41896 ffffffff 00000000 0031faa4 nt!NtTerminateProcess+0x1fa
9847fc24 779770f4 ffffffff 00000000 0031faa4 nt!KiSystemServicePostCall
0031fa84 77976914 7798e1a7 ffffffff 00000000 ntdll!KiFastSystemCallRet
0031fa88 7798e1a7 ffffffff 00000000 00000000 ntdll!ZwTerminateProcess+0xc
0031faa4 75cbbcae 00000000 77e8f3b0 ffffffff ntdll!RtlExitUserProcess+0x85
0031fab8 5acee619 00000000 0031fb14 5aceee79 kernel32!ExitProcessStub+0x12
0031fac4 5aceee79 00000000 6ca6caff 00000000 MSVCR120D!__crtExitProcess+0x19
0031fb14 5aceeea0 00000000 00000000 00000000 MSVCR120D!_unlockexit+0x259
0031fb28 00d71ed6 00000000 6c90b794 00000000 MSVCR120D!exit+0x10
WARNING: Stack unwind information not available. Following frames may be wrong.
0031fb70 00d720ad 0031fb84 75caee1c 7ffdf000 Poc9+0x11ed6
0031fb78 75caee1c 7ffdf000 0031fbc4 779937eb Poc9+0x120ad
0031fb84 779937eb 7ffdf000 7795462b 00000000 kernel32!BaseThreadInitThunk+0xe
0031fbc4 779937be 00d7109b 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
0031fbdc 00000000 00d7109b 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!HMChangeOwnerThread+40
96979765 ff412c inc dword ptr [ecx+2Ch]

SYMBOL_STACK_INDEX: b

SYMBOL_NAME: win32k!HMChangeOwnerThread+40

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_win32k!HMChangeOwnerThread+40

BUCKET_ID: 0x50_win32k!HMChangeOwnerThread+40

Followup: MachineOwner
---------