Here are some of my recent minidump analyses:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c000001d, The exception code that was not handled
Arg2: 804e3b7c, The address that the exception occurred at
Arg3: f92f6a10, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.
FAULTING_IP:
nt!KeWaitForMultipleObjects+283
804e3b7c ff ???
TRAP_FRAME: f92f6a10 -- (.trap 0xfffffffff92f6a10)
Unable to read trap frame at f92f6a10
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from 006c0061 to 00490062
FAILED_INSTRUCTION_ADDRESS:
nt!KeWaitForMultipleObjects+283
804e3b7c ff ???
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f92f6a80 006c0061 007a0069 00000065 ffffffa8 0x490062
f92f6a84 007a0069 00000065 ffffffa8 00206b6e 0x6c0061
f92f6a88 00000000 ffffffa8 00206b6e 2a00b746 0x7a0069
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!KeWaitForMultipleObjects+283
804e3b7c ff ???
SYMBOL_NAME: nt!KeWaitForMultipleObjects+283
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 498c1192
FAILURE_BUCKET_ID: 0x8E_BAD_IP_nt!KeWaitForMultipleObjects+283
BUCKET_ID: 0x8E_BAD_IP_nt!KeWaitForMultipleObjects+283
Followup: MachineOwner
---------
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf804831, The address that the exception occurred at
Arg3: ef62a864, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: win32k
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 49e852d2
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
win32k+4831
bf804831 ?? ???
TRAP_FRAME: ef62a864 -- (.trap 0xffffffffef62a864)
Unable to read trap frame at ef62a864
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from e2981778 to bf804831
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ef62a8d4 e2981778 e2981778 bf808700 e169b278 win32k+0x4831
ef62a910 bf8086ee e1816568 0185000f 00000000 0xe2981778
ef62a924 804de7ec ed010719 0185000f 0012ee18 win32k+0x86ee
ef62a934 7c90e514 badb0d00 0012ee00 bf8018f2 nt+0x77ec
ef62a938 badb0d00 0012ee00 bf8018f2 bf81204c 0x7c90e514
ef62a93c 0012ee00 bf8018f2 bf81204c 00000000 0xbadb0d00
ef62a940 bf8018f2 bf81204c 00000000 e174a13a 0x12ee00
ef62a944 bf81204c 00000000 e174a13a 00000120 win32k+0x18f2
ef62a948 00000000 e174a13a 00000120 0000014c win32k+0x1204c
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k+4831
bf804831 ?? ???
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: win32k+4831
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: win32k.sys
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 8b584f8a, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804dc0f6, address which referenced memory
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: nt
FAULTING_MODULE: 804d7000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4249ff84
WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
8b584f8a
CURRENT_IRQL: 2
FAULTING_IP:
nt+50f6
804dc0f6 ff84c08a4f588b inc dword ptr [eax+eax*8-74A7B076h]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 00000000 to 804e187f
STACK_TEXT:
f9566cac 00000000 8b584f8a 00000002 00000001 nt+0xa87f
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt+50f6
804dc0f6 ff84c08a4f588b inc dword ptr [eax+eax*8-74A7B076h]
SYMBOL_NAME: nt+50f6
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntoskrnl.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------