Recently I worked on an interesting bugcheck case where Windows 10 would crash with bugcheck code 0xFC (ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY) after the device had been left idle for a while.
3: kd> .bugcheck
Bugcheck code 000000FC
Arguments ffffac81`88ca26d0 8a000001`be07b963 ffffac81`88ca2460 00000000`00000002
The 1st argument is the virtual address whose execution was attempted. Run !pte on the 1st argument to obtain the PTE of that virtual address:
3: kd> !pte ffffac81`88ca26d0
VA ffffac8188ca26d0
PXE at FFFF93C9E4F27AC8 PPE at FFFF93C9E4F59030 PDE at FFFF93C9EB206230 PTE at FFFF93D640C46510
contains 0A0000000138A863 contains 0A00000000EAA863 contains 0A0000011D722863 contains 8A000001BE07B963
pfn 138a ---DA--KWEV pfn eaa ---DA--KWEV pfn 11d722 ---DA--KWEV pfn 1be07b -G-DA--KW-V
The leaf PTE (8A000001BE07B963) is shown as -G-DA--KW-V, with no E (executable) flag, so this virtual address is NoExecute. That is why the system bugchecked.
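To see where the missing E comes from, the four entries from the !pte output can be decoded by hand. This is an added example, not code from the original post; the function names are hypothetical and the flag layout is the one that reproduces the strings printed above for valid hardware entries.

```python
# Added example: decode x64 paging entries and render the flag string
# that !pte prints. Only valid hardware-format entries are handled.

PFN_SHIFT = 12
PFN_MASK = (1 << 40) - 1   # physical frame number, bits 12..51
NX_BIT = 63                # no-execute bit

# (bit, letter if set, letter if clear), left to right as !pte prints them.
FLAG_LAYOUT = [
    (9, "C", "-"),   # copy-on-write (software bit used by Windows)
    (8, "G", "-"),   # global
    (7, "L", "-"),   # large page
    (6, "D", "-"),   # dirty
    (5, "A", "-"),   # accessed
    (4, "N", "-"),   # cache disabled
    (3, "T", "-"),   # write-through
    (2, "U", "K"),   # owner: user or kernel
    (1, "W", "R"),   # writable or read-only
]

# The page walk for VA ffffac8188ca26d0, copied from the !pte output above.
WALK = [
    ("PXE", 0x0A0000000138A863),
    ("PPE", 0x0A00000000EAA863),
    ("PDE", 0x0A0000011D722863),
    ("PTE", 0x8A000001BE07B963),
]


def decode_entry(value):
    """Split one 64-bit paging entry into pfn, flag string and key bits."""
    valid = bool(value & 1)
    nx = bool(value >> NX_BIT & 1)
    letters = [s if value >> bit & 1 else c for bit, s, c in FLAG_LAYOUT]
    letters.append("-" if nx else "E")   # E is the absence of NX
    letters.append("V" if valid else "-")
    return {
        "pfn": (value >> PFN_SHIFT) & PFN_MASK,
        "flags": "".join(letters),
        "valid": valid,
        "writable": bool(value >> 1 & 1),
        "nx": nx,
    }


def nx_levels(walk):
    """Levels with NX set; one such level is enough to forbid execution."""
    return [name for name, value in walk if decode_entry(value)["nx"]]


def describe(walk):
    """One line per level in the same order !pte lists them."""
    lines = []
    for name, value in walk:
        e = decode_entry(value)
        lines.append(f"{name} {value:016X} pfn {e['pfn']:x} {e['flags']}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(WALK)))
    print("NX set at:", ", ".join(nx_levels(WALK)) or "none")
```

Only the leaf PTE has bit 63 set; the three upper levels are executable, so the fault is decided by the last entry of the walk.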
Do a kv to dump the call stack:
3: kd> kv
# Child-SP RetAddr : Args to Child : Call Site
00 ffffac81`88ca2188 fffff800`b56469fe : 00000000`000000fc ffffac81`88ca26d0 8a000001`be07b963 ffffac81`88ca2460 : nt!KeBugCheckEx
01 ffffac81`88ca2190 fffff800`b550bf5a : 00000000`00000000 fffff800`b57ea218 00000000`00000000 00000000`b5924eab : nt!MiCheckSystemNxFault+0xb20f2
02 ffffac81`88ca21d0 fffff800`b550d6c6 : 00000000`00000011 ffffac81`88ca26d0 ffffac81`88ca2460 ffff9b00`37930640 : nt!MiSystemFault+0xa3a
03 ffffac81`88ca2270 fffff800`b55f5d72 : 00000000`00000000 00000000`00000000 ffffac81`88ca2530 ffff93c9`e4f277f8 : nt!MmAccessFault+0xae6
04 ffffac81`88ca2460 ffffac81`88ca26d0 : 00000000`00000000 00007ffd`6b589fff ffff9b00`33ce1a10 ffff9b00`37731040 : nt!KiPageFault+0x132 (TrapFrame @ ffffac81`88ca2460)
05 ffffac81`88ca25f0 00000000`00000000 : 00007ffd`6b589fff ffff9b00`33ce1a10 ffff9b00`37731040 ffff9b00`33ce1a10 : 0xffffac81`88ca26d0
The call stack is corrupted, so we need to rebuild it to know what the system was doing just before the bugcheck.
3: kd> .trap ffffac81`88ca2460
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=41427c5d24bd0000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=ffffac8188ca26d0 rsp=ffffac8188ca25f0 rbp=00007ffd6b589fff
r8=0000000000000000 r9=7fff9b003731f518 r10=7ffffffffffffffc
r11=00000007ff5f4c5a r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
ffffac81`88ca26d0 0000 add byte ptr [rax],al ds:00000000`00000000=??
3: kd> !thread
THREAD ffff9b0037731040 Cid 26b8.2728 Teb: 000000cbafbdc000 Win32Thread: 0000000000000000 RUNNING on processor 3
Not impersonating
DeviceMap ffffe10478f9a2b0
Owning Process ffff9b0037930640 Image: taskhostw.exe
Attached Process N/A Image: N/A
Wait Start TickCount 250434 Ticks: 0
Context Switch Count 6 IdealProcessor: 2
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address ntdll!TppWorkerThread (0x00007ffd6b5e12c0)
Stack Init ffffac8188ca2c10 Current ffffac8188ca2450
Base ffffac8188ca3000 Limit ffffac8188c9c000 Call 0000000000000000
3: kd> dps ffffac8188ca25f0 ffffac8188ca3000
ffffac81`88ca25f0 00000000`00000000
ffffac81`88ca25f8 00007ffd`6b589fff shcore!wkscli_NULL_THUNK_DATA_DLA <PERF> (shcore+0xa9fff)
ffffac81`88ca2600 ffff9b00`33ce1a10
ffffac81`88ca2608 ffff9b00`37731040
ffffac81`88ca2610 ffff9b00`33ce1a10
ffffac81`88ca2618 ffff9b00`37731040
ffffac81`88ca2620 00000000`00000001
ffffac81`88ca2628 fffff800`b590d6a2 nt!MiMapViewOfImageSection+0x6c2
ffffac81`88ca2630 00000000`0000005a
ffffac81`88ca2638 ffffac81`88ca2730
ffffac81`88ca2640 ffff9b00`386bfef0
ffffac81`88ca2648 ffff9b00`37930640
ffffac81`88ca2650 ffff9b00`37731040
ffffac81`88ca2658 ffffe104`7d72b900
ffffac81`88ca2660 00000000`00000000
ffffac81`88ca2668 00000000`00000003
ffffac81`88ca2670 00000000`00000000
ffffac81`88ca2678 00007ffd`68390000
ffffac81`88ca2680 ffff9b00`37731040
ffffac81`88ca2688 00000000`00000000
ffffac81`88ca2690 00007fff`fffdffff
ffffac81`88ca2698 ffffe104`775a8630
ffffac81`88ca26a0 00000000`00010000
ffffac81`88ca26a8 00000007`ffd68390
ffffac81`88ca26b0 00000000`006f1000
ffffac81`88ca26b8 ffff9b00`33ec5330
ffffac81`88ca26c0 00000000`00000000
ffffac81`88ca26c8 ffffe104`775a8678
ffffac81`88ca26d0 00000000`00000000
ffffac81`88ca26d8 ffff9b00`0002c003
ffffac81`88ca26e0 00007ffd`68390000
ffffac81`88ca26e8 ffffac81`00000000
ffffac81`88ca26f0 00000000`006f1000
ffffac81`88ca26f8 fffff800`00000000
ffffac81`88ca2700 ffffe104`79b55ed6
ffffac81`88ca2708 00000000`00000000
ffffac81`88ca2710 00000000`00000000
ffffac81`88ca2718 ffffe104`707e5ea0
ffffac81`88ca2720 ffff93bf`746c6644
ffffac81`88ca2728 ffffac81`88ca2700
ffffac81`88ca2730 0000000f`00000000
ffffac81`88ca2738 ffffe104`7d72b800
ffffac81`88ca2740 ffffe104`775b2e50
ffffac81`88ca2748 00000000`00000008
ffffac81`88ca2750 ffffac81`00000020
ffffac81`88ca2758 ffff9b00`306afdd0
ffffac81`88ca2760 00000000`00000000
ffffac81`88ca2768 00000000`00800000
ffffac81`88ca2770 ffffe104`775b2e50
ffffac81`88ca2778 ffff9b00`37930640
ffffac81`88ca2780 00000000`00000004
ffffac81`88ca2788 ffffac81`88ca29b0
ffffac81`88ca2790 ffffac81`88ca2b00
ffffac81`88ca2798 fffff800`b5931ba5 nt!MiMapViewOfSection+0x305
ffffac81`88ca27a0 ffff9b00`33ec52b0
ffffac81`88ca27a8 00000000`00000001
ffffac81`88ca27b0 ffff9b00`37930640
ffffac81`88ca27b8 ffffac81`88ca2838
ffffac81`88ca27c0 ffffac81`88ca2988
ffffac81`88ca27c8 ffffac81`88ca29b0
ffffac81`88ca27d0 ffffe104`775b2e50
ffffac81`88ca27d8 ffffac81`00000001
ffffac81`88ca27e0 00000000`00000004
ffffac81`88ca27e8 00000000`00000000
ffffac81`88ca27f0 ffffac81`00800000
ffffac81`88ca27f8 ffffac81`00000000
ffffac81`88ca2800 ffff9b00`37731360
ffffac81`88ca2808 fffff800`b54e3429 nt!ExAcquirePushLockExclusiveEx+0xe9
ffffac81`88ca2810 fffff800`b5480001 nt!TmInitSystemPhase2 <PERF> (nt+0x1)
ffffac81`88ca2818 ffff9b00`37930640
ffffac81`88ca2820 00000000`00000000
ffffac81`88ca2828 fffff800`00000000
ffffac81`88ca2830 00000000`00000000
ffffac81`88ca2838 00007ffd`68390000
ffffac81`88ca2840 ffffac81`88ca2998
ffffac81`88ca2848 ffffac81`88ca2988
ffffac81`88ca2850 00000000`00000000
ffffac81`88ca2858 ffffac81`88ca29b0
ffffac81`88ca2860 00000004`2e200000
ffffac81`88ca2868 00000000`006f1000
ffffac81`88ca2870 ffff9b00`33ec52b0
ffffac81`88ca2878 ffffe104`775b2e50
ffffac81`88ca2880 ffff9b00`37930640
ffffac81`88ca2888 ffff9b00`37930640
ffffac81`88ca2890 ffffac81`88ca2998
ffffac81`88ca2898 00000000`00000000
ffffac81`88ca28a0 00000000`00000000
ffffac81`88ca28a8 00000000`00000000
ffffac81`88ca28b0 ffff9b00`37930640
ffffac81`88ca28b8 ffffac81`88ca2b00
ffffac81`88ca28c0 00000000`00800000
ffffac81`88ca28c8 fffff800`b5920b6e nt!ObReferenceObjectByHandle+0x2e
ffffac81`88ca28d0 ffffedc3`f497031d
ffffac81`88ca28d8 00000000`00000002
ffffac81`88ca28e0 ffff9b00`33ec52b0
ffffac81`88ca28e8 00000000`00000000
ffffac81`88ca28f0 00000000`00000000
ffffac81`88ca28f8 00000000`00000000
ffffac81`88ca2900 ffffe104`775b2e50
ffffac81`88ca2908 ffff9b00`37930640
ffffac81`88ca2910 00000000`00000000
ffffac81`88ca2918 fffff800`b59330b2 nt!NtMapViewOfSection+0x2f2
ffffac81`88ca2920 ffff9b00`37930640
ffffac81`88ca2928 ffffac81`00000008
ffffac81`88ca2930 ffff9b00`306f8f20
ffffac81`88ca2938 00000000`00000001
ffffac81`88ca2940 00000000`00000000
ffffac81`88ca2948 ffffac81`88ca2988
ffffac81`88ca2950 ffffac81`88ca29b0
ffffac81`88ca2958 00000000`00000001
ffffac81`88ca2960 00000004`00800000
ffffac81`88ca2968 00000000`00000004
ffffac81`88ca2970 ffffe104`00000002
ffffac81`88ca2978 00000000`00000000
ffffac81`88ca2980 00000002`00000000
ffffac81`88ca2988 00000000`00000000
ffffac81`88ca2990 ffffe104`00000004
ffffac81`88ca2998 00000000`00000000
ffffac81`88ca29a0 ffff9b00`37930640
ffffac81`88ca29a8 00000000`00000000
ffffac81`88ca29b0 00000000`006f1000
ffffac81`88ca29b8 ffffe104`775b2e50
ffffac81`88ca29c0 00000000`00000030
ffffac81`88ca29c8 ffff9b00`37930640
ffffac81`88ca29d0 00000000`00800000
ffffac81`88ca29d8 0000020a`beb57600
ffffac81`88ca29e0 00000000`000001d8
ffffac81`88ca29e8 0000020a`beb24df0
ffffac81`88ca29f0 ffffac81`88ca2a28
ffffac81`88ca29f8 000000cb`aff7ddc8
ffffac81`88ca2a00 ffff9b00`37731040
ffffac81`88ca2a08 fffff800`b55f7413 nt!KiSystemServiceCopyEnd+0x13
ffffac81`88ca2a10 00000000`000001d8
ffffac81`88ca2a18 000000cb`aff7df18
ffffac81`88ca2a20 0000020a`beb24df0
ffffac81`88ca2a28 00000000`00000001
ffffac81`88ca2a30 00000000`00000000
ffffac81`88ca2a38 00000000`00000000
ffffac81`88ca2a40 0000020a`beb57778
ffffac81`88ca2a48 0000020a`00000001
ffffac81`88ca2a50 0000020a`00800000
ffffac81`88ca2a58 00007ffd`00000004
ffffac81`88ca2a60 00000000`00000000
ffffac81`88ca2a68 000000cb`aff7df18
ffffac81`88ca2a70 00000000`00000000
ffffac81`88ca2a78 fffff800`b55f7413 nt!KiSystemServiceCopyEnd+0x13
ffffac81`88ca2a80 ffff9b00`37731040
ffffac81`88ca2a88 0000020a`beb24e08
ffffac81`88ca2a90 00000000`00000000
ffffac81`88ca2a98 ffffffff`00000000
ffffac81`88ca2aa0 00000000`00000000
ffffac81`88ca2aa8 00001f80`02000000
ffffac81`88ca2ab0 00000000`00000000
ffffac81`88ca2ab8 00007ffd`69674052 SHELL32!_NULL_IMPORT_DESCRIPTOR+0x625a
ffffac81`88ca2ac0 00007ffd`69090000 SHELL32!`dynamic initializer for 'Microsoft::WRL::Module<1,Microsoft::WRL::Details::DefaultModule<5> >::isInitialized'' <PERF> (SHELL32+0x0)
ffffac81`88ca2ac8 000000cb`aff7e140
ffffac81`88ca2ad0 0000020a`beb25f90
ffffac81`88ca2ad8 00000000`00000000
ffffac81`88ca2ae0 000000cb`aff7dee0
ffffac81`88ca2ae8 000000cb`afbdc000
ffffac81`88ca2af0 00000000`00000000
ffffac81`88ca2af8 00000000`00000000
ffffac81`88ca2b00 00000000`00000000
ffffac81`88ca2b08 00000000`00000000
ffffac81`88ca2b10 00000000`00000000
ffffac81`88ca2b18 00000000`00000000
ffffac81`88ca2b20 00000000`00000000
ffffac81`88ca2b28 00000000`00000000
ffffac81`88ca2b30 00000000`00000000
ffffac81`88ca2b38 00000000`00000000
ffffac81`88ca2b40 00000000`00000000
ffffac81`88ca2b48 00000000`00000000
ffffac81`88ca2b50 00007ffd`69674052 SHELL32!_NULL_IMPORT_DESCRIPTOR+0x625a
ffffac81`88ca2b58 00000000`00000000
ffffac81`88ca2b60 00000000`00000000
ffffac81`88ca2b68 00000000`00000000
ffffac81`88ca2b70 00000000`00000000
ffffac81`88ca2b78 00000000`00000000
ffffac81`88ca2b80 00000000`00000000
ffffac81`88ca2b88 00000000`00000000
ffffac81`88ca2b90 00000000`00000000
ffffac81`88ca2b98 00000000`00000000
ffffac81`88ca2ba0 00000000`00000000
ffffac81`88ca2ba8 00000000`00000000
ffffac81`88ca2bb0 00000000`00000000
ffffac81`88ca2bb8 00000000`00000000
ffffac81`88ca2bc0 00000000`00000000
ffffac81`88ca2bc8 000000cb`afbdc000
ffffac81`88ca2bd0 0000020a`beb24dc0
ffffac81`88ca2bd8 0000020a`beb576e0
ffffac81`88ca2be0 00000000`00000004
ffffac81`88ca2be8 00007ffd`6b6458a4 ntdll!NtMapViewOfSection+0x14
ffffac81`88ca2bf0 00000000`00000033
To rebuild the correct call stack, I check the 3 things below:
- Run ub on each routine in the raw stack to find the caller and callee relationships.
- Find the system service call of the current thread by checking the _KTHREAD structure, to confirm the entry routine.
I believe the call stack is as follows:
# Child-SP RetAddr Call Site
00 ffffac81`88ca2188 fffff800`b56469fe nt!KeBugCheckEx
01 ffffac81`88ca2190 fffff800`b550bf5a nt!MiCheckSystemNxFault+0xb20f2
02 ffffac81`88ca21d0 fffff800`b550d6c6 nt!MiSystemFault+0xa3a
03 ffffac81`88ca2270 fffff800`b55f5d72 nt!MmAccessFault+0xae6
04 ffffac81`88ca2460 ffffac81`88ca26d0 nt!KiPageFault+0x132
nt!MiCommitVadCfgBits
ffffac81`88ca2628 fffff800`b590d6a2 nt!MiMapViewOfImageSection+0x6c2
ffffac81`88ca2798 fffff800`b5931ba5 nt!MiMapViewOfSection+0x305
ffffac81`88ca2918 fffff800`b59330b2 nt!NtMapViewOfSection+0x2f2
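A first pass over the raw stack can be scripted before running ub by hand. The following is an added example, not the author's tooling: it parses saved dps output and lists the slots that look like return addresses into nt. The function name and the filtering rules are assumptions of this sketch; the stack bounds and sample lines are taken from the output above.

```python
import re

# Stack bounds from the page: rsp in the .trap output, Base from !thread.
TRAP_RSP = 0xFFFFAC8188CA25F0
STACK_BASE = 0xFFFFAC8188CA3000
KERNEL_MIN = 0xFFFF800000000000   # start of the canonical kernel half

# A subset of the dps lines shown above, kept verbatim as sample input.
DPS_SAMPLE = """\
ffffac81`88ca25f8 00007ffd`6b589fff shcore!wkscli_NULL_THUNK_DATA_DLA <PERF> (shcore+0xa9fff)
ffffac81`88ca2620 00000000`00000001
ffffac81`88ca2628 fffff800`b590d6a2 nt!MiMapViewOfImageSection+0x6c2
ffffac81`88ca2798 fffff800`b5931ba5 nt!MiMapViewOfSection+0x305
ffffac81`88ca2808 fffff800`b54e3429 nt!ExAcquirePushLockExclusiveEx+0xe9
ffffac81`88ca2810 fffff800`b5480001 nt!TmInitSystemPhase2 <PERF> (nt+0x1)
ffffac81`88ca28c8 fffff800`b5920b6e nt!ObReferenceObjectByHandle+0x2e
ffffac81`88ca2918 fffff800`b59330b2 nt!NtMapViewOfSection+0x2f2
ffffac81`88ca2a08 fffff800`b55f7413 nt!KiSystemServiceCopyEnd+0x13
ffffac81`88ca2be8 00007ffd`6b6458a4 ntdll!NtMapViewOfSection+0x14
"""

LINE_RE = re.compile(
    r"^([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]{8})`([0-9a-f]{8})(?:\s+(.+))?$"
)
SYMBOL_RE = re.compile(r"(\w+)!(\S+)\+0x([0-9a-f]+)")


def return_address_candidates(dps_text, module="nt"):
    """Return (slot, value, symbol) for stack slots that look like saved
    return addresses into `module`. These are candidates only: stale values
    left by earlier calls also match, so each one still needs the ub check."""
    found = []
    for raw in dps_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        slot = int(m.group(1) + m.group(2), 16)
        value = int(m.group(3) + m.group(4), 16)
        symbol = m.group(5)
        if not symbol or not TRAP_RSP <= slot < STACK_BASE or value < KERNEL_MIN:
            continue
        # Entries tagged <PERF> carry only a module+offset (nt+0x1 here), and
        # a symbol without "+0x.." is a function start, not a return site.
        sym = SYMBOL_RE.fullmatch(symbol)
        if "<PERF>" in symbol or not sym or sym.group(1) != module:
            continue
        found.append((slot, value, symbol))
    return found


if __name__ == "__main__":
    for slot, value, symbol in return_address_candidates(DPS_SAMPLE):
        print(f"{slot:016x} {value:016x} {symbol}")
```

The scan returns six candidates, including ExAcquirePushLockExclusiveEx and ObReferenceObjectByHandle, which do not appear in the rebuilt stack above; the ub check is what separates live frames from leftovers.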
According to the call stack, the system is loading a module. Next I check the TEB and find that the module being loaded is C:\windows\System32\windows.storage.dll.
Every routine on the call stack, and the module being loaded, belongs to Windows. It is hard to suspect a Windows bug, especially since the system had been running for more than one hour before the bugcheck.
3: kd> vertarget
...
Machine Name:
Kernel base = 0xfffff800`b5480000 PsLoadedModuleList = 0xfffff800`b57cc5c0
Debug session time: Fri Oct 27 22:50:31.170 2017 (UTC + 8:00)
System Uptime: 0 days 1:05:13.046
Comparing the wrong rip ffffac81`88ca26d0 against all loaded modules shows that this was not caused by a bit flip.
Given all of the above, my guess is that this is a CPU microcode issue. However, because there is also a device error, shown below, I suggest fixing the device issue first; if the bugcheck still happens, ask the CPU vendor to follow up.
DevNode 0xffff9b00341d4d30 for PDO 0xffff9b00341d55b0
InstancePath is "ACPI\WCOM002E\4&7c6b55f&0"
ServiceName is "WacHidRouterPro"
State = DeviceNodeRemoved (0x312)
Previous State = DeviceNodeStartCompletion (0x306)
Problem = CM_PROB_FAILED_START
Problem Status = 0xc000009c
Failure Status 0000000000