stevenelder
Virtualized Windows 2012 R2
Analysed memory.dmp using BlueScreenView and WinDbg, but not giving much information to point to a specific hardware fault or driver. Any help to point me in the right direction would be appreciated:
Microsoft (R) Windows Debugger Version 10.0.17134.12 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 9600.18969.amd64fre.winblue_ltsb.180309-0600
Machine Name:
Kernel base = 0xfffff801`23a7d000 PsLoadedModuleList = 0xfffff801`23d49570
Debug session time: Mon May 28 16:32:37.531 2018 (UTC + 1:00)
System Uptime: 0 days 0:02:00.416
Loading Kernel Symbols
...............................................................
................................................................
................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {ffffe00165527e89, 2, 8, ffffe00165527e89}
Probably caused by : ntkrnlmp.exe ( nt!KiPageFault+516 )
Followup: MachineOwner
---------
Implicit thread is now ffffe001`6686e880
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffe00165527e89, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: ffffe00165527e89, address which referenced memory
Debugging Details:
------------------
KEY_VALUES_STRING: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 9600.18969.amd64fre.winblue_ltsb.180309-0600
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 09/17/2015
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 1
BUGCHECK_P1: ffffe00165527e89
BUGCHECK_P2: 2
BUGCHECK_P3: 8
BUGCHECK_P4: ffffe00165527e89
READ_ADDRESS: ffffe00165527e89 Nonpaged pool
CURRENT_IRQL: 2
FAULTING_IP:
+0
ffffe001`65527e89 ?? ???
CPU_COUNT: 4
CPU_MHZ: 898
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3e
CPU_STEPPING: 4
CPU_MICROCODE: 6,3e,4,0 (F,M,S,R) SIG: 428'00000000 (cache) 428'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
ANALYSIS_SESSION_HOST: xxxxxxxxxx
ANALYSIS_SESSION_TIME: 05-29-2018 09:19:58.0893
ANALYSIS_VERSION: 10.0.17134.12 amd64fre
TRAP_FRAME: ffffd001829feef0 -- (.trap 0xffffd001829feef0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000080040031 rbx=0000000000000000 rcx=fffff6fb7dbedf80
rdx=ffffd001829ff450 rsi=0000000000000000 rdi=0000000000000000
rip=ffffe00165527e89 rsp=ffffd001829ff088 rbp=ffffd001829ff100
r8=0000000000000000 r9=0000000000000000 r10=7010008004002001
r11=0000000080050031 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
ffffe001`65527e89 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80123be48a9 to fffff80123bd22a0
FAILED_INSTRUCTION_ADDRESS:
+0
ffffe001`65527e89 ?? ???
STACK_TEXT:
ffffd001`829feda8 fffff801`23be48a9 : 00000000`0000000a ffffe001`65527e89 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
ffffd001`829fedb0 fffff801`23be1356 : 00000000`00000008 00000000`02b04063 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd001`829feef0 ffffe001`65527e89 : ffffe001`65a0b0b0 b3b74bde`e4453415 ffffd001`829ff100 ffffe001`65a00053 : nt!KiPageFault+0x516
ffffd001`829ff088 ffffe001`65a0b0b0 : b3b74bde`e4453415 ffffd001`829ff100 ffffe001`65a00053 00000000`00000001 : 0xffffe001`65527e89
ffffd001`829ff090 b3b74bde`e4453415 : ffffd001`829ff100 ffffe001`65a00053 00000000`00000001 ffffe001`65641cb0 : 0xffffe001`65a0b0b0
ffffd001`829ff098 ffffd001`829ff100 : ffffe001`65a00053 00000000`00000001 ffffe001`65641cb0 ffffd001`00002f00 : 0xb3b74bde`e4453415
ffffd001`829ff0a0 ffffe001`65a00053 : 00000000`00000001 ffffe001`65641cb0 ffffd001`00002f00 00000000`00000000 : 0xffffd001`829ff100
ffffd001`829ff0a8 00000000`00000001 : ffffe001`65641cb0 ffffd001`00002f00 00000000`00000000 ffffd001`829ff2f8 : 0xffffe001`65a00053
ffffd001`829ff0b0 ffffe001`65641cb0 : ffffd001`00002f00 00000000`00000000 ffffd001`829ff2f8 ffffe001`6c1c55d0 : 0x1
ffffd001`829ff0b8 ffffd001`00002f00 : 00000000`00000000 ffffd001`829ff2f8 ffffe001`6c1c55d0 fffff800`efc7279d : 0xffffe001`65641cb0
ffffd001`829ff0c0 00000000`00000000 : ffffd001`829ff2f8 ffffe001`6c1c55d0 fffff800`efc7279d ffffd001`829ff2c0 : 0xffffd001`00002f00
THREAD_SHA1_HASH_MOD_FUNC: bf99962f16aee8a6a536cfcc5454c0cd4db15ac9
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 1ac8ae97df21cc5e25a79e0299d3df812a04aba8
THREAD_SHA1_HASH_MOD: 2a7ca9d3ab5386d53fea7498e1d81b9c4a4c036b
FOLLOWUP_IP:
nt!KiPageFault+516
fffff801`23be1356 440f20c0 mov rax,cr8
FAULT_INSTR_CODE: c0200f44
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiPageFault+516
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5aa29c76
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 516
FAILURE_BUCKET_ID: AV_CODE_AV_BAD_IP_nt!KiPageFault
BUCKET_ID: AV_CODE_AV_BAD_IP_nt!KiPageFault
PRIMARY_PROBLEM_CLASS: AV_CODE_AV_BAD_IP_nt!KiPageFault
TARGET_TIME: 2018-05-28T15:32:37.000Z
OSBUILD: 9600
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 3
OSPLATFORM_TYPE: x64
OSNAME: Windows 8.1
OSEDITION: Windows 8.1 Server TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2018-03-09 14:38:46
BUILDDATESTAMP_STR: 180309-0600
BUILDLAB_STR: winblue_ltsb
BUILDOSVER_STR: 6.3.9600.18969.amd64fre.winblue_ltsb.180309-0600
ANALYSIS_SESSION_ELAPSED_TIME: 89c
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_code_av_bad_ip_nt!kipagefault
FAILURE_ID_HASH: {73cd60cc-83fa-6b76-df08-1961c31d7403}
Followup: MachineOwner
---------
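Added example, not part of the original post and not WinDbg's own logic: a Python sketch that reads the key fields of the !analyze -v text above (the bug check 0xD1 arguments and the STACK_TEXT frames) and reports what they say about the fault. Decoding Arg3 values 2 and 8 as "execute" follows Microsoft's documentation for bug check 0xD1 rather than the output itself; the function name triage_d1 and its result keys are hypothetical.

```python
import re

# Excerpt of the debugger output quoted in the post, embedded so this runs offline.
SAMPLE = """Arg1: ffffe00165527e89, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: ffffe00165527e89, address which referenced memory
STACK_TEXT:
ffffd001`829feda8 fffff801`23be48a9 : 00000000`0000000a ffffe001`65527e89 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
ffffd001`829fedb0 fffff801`23be1356 : 00000000`00000008 00000000`02b04063 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd001`829feef0 ffffe001`65527e89 : ffffe001`65a0b0b0 b3b74bde`e4453415 ffffd001`829ff100 ffffe001`65a00053 : nt!KiPageFault+0x516
ffffd001`829ff088 ffffe001`65a0b0b0 : b3b74bde`e4453415 ffffd001`829ff100 ffffe001`65a00053 00000000`00000001 : 0xffffe001`65527e89
ffffd001`829ff090 b3b74bde`e4453415 : ffffd001`829ff100 ffffe001`65a00053 00000000`00000001 ffffe001`65641cb0 : 0xffffe001`65a0b0b0
ffffd001`829ff098 ffffd001`829ff100 : ffffe001`65a00053 00000000`00000001 ffffe001`65641cb0 ffffd001`00002f00 : 0xb3b74bde`e4453415
"""

# Bug check 0xD1, Arg3: type of access that faulted.
ACCESS = {0: "read", 1: "write", 2: "execute", 8: "execute"}
ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9a-f]+)", re.M)
# Child-SP, RetAddr, four argument slots, then the call site (symbol or raw address).
FRAME_RE = re.compile(
    r"^([0-9a-f]{8}`[0-9a-f]{8}) ([0-9a-f]{8}`[0-9a-f]{8}) : .* : (\S+)$", re.M)


def to_int(addr):
    """Convert a WinDbg 64-bit address such as ffffd001`829ff088 to an int."""
    return int(addr.replace("`", ""), 16)


def triage_d1(text):
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    frames = [(to_int(sp), sym) for sp, _ret, sym in FRAME_RE.findall(text)]
    raw = [f for f in frames if f[1].startswith("0x")]        # no module!symbol
    named = [f for f in frames if not f[1].startswith("0x")]
    # Child-SP advancing by exactly 8 between raw frames means the debugger is
    # listing consecutive stack slots, not unwinding real call frames.
    slot_walk = len(raw) > 1 and all(b[0] - a[0] == 8 for a, b in zip(raw, raw[1:]))
    return {
        "access": ACCESS.get(args[3], "unknown"),
        "irql": args[2],
        # Arg1 == Arg4: the instruction pointer itself is the address that faulted.
        "bad_ip": args[1] == args[4],
        "last_symbolized": named[-1][1] if named else None,
        "raw_frames_are_stack_slots": slot_walk,
    }
```

On this dump the result shows an instruction fetch from the faulting address at IRQL 2, and raw frames below nt!KiPageFault that are stack slots rather than a real call chain, which is why the automatic analysis falls back to naming the kernel.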