Tracing driver causing WATCHDOG BSOD - crash dump has "zeroed stack"
Short version - I'm fairly sure this is the standard DPC_WATCHDOG bugcheck, but I'm having trouble pinning down the responsible driver, because the crash dump has a zeroed stack. The dps info suggests it's a network driver issue but I don't know where to go from here, or if I need a non-zeroed stack to do more.
>>> !analyze -v
BUCKET_ID: ZEROED_STACK_0x133
PRIMARY_PROBLEM_CLASS: ZEROED_STACK
FAILURE_BUCKET_ID: ZEROED_STACK_0x133
>>> !thread
GetPointerFromAddress: unable to read from fffff80200d67000
THREAD ffffe001388d3080 Cid 5d08.64f0 Teb: 00007ff7be483000 Win32Thread: fffff90144579b50 RUNNING on processor 0
IRP List:
Unable to read nt!_IRP @ ffffe0014a401b90
Not impersonating
GetUlongFromAddress: unable to read from fffff80200cb4b00
Owning Process ffffe0014fe75080 Image: vmware-vmx.exe
Attached Process N/A Image: N/A
fffff78000000000: Unable to get shared data
...
Base ffffd0003cd63000 Limit ffffd0003cd5d000 Call 0000000000000000
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff802`027d2c88 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
>>> dps ffffd0003cd5d000 ffffd0003cd63000
(I've left out all lines with hex addresses and nothing else)
ffffd000`3cd60ae8 fffff801`01b083ca tcpip!TcpSetSockOptTcb+0x23a
ffffd000`3cd60de8 fffff801`01b0810a tcpip!TcpTlConnectionIoControlEndpoint+0x4a
ffffd000`3cd60e08 fffff801`02ab73f1 tdx!DbgTdxDereferenceConnection+0xa1
ffffd000`3cd60e48 fffff801`02ab8192 tdx!TdxIssueIoControlRequest+0x352
ffffd000`3cd60ec0 fffff801`02ab5770 tdx!TdxSynchronousTlIoRequestComplete
ffffd000`3cd60f20 fffff802`00d08180 nt!KiInitialPCR+0x180
ffffd000`3cd60f28 fffff802`00aa4e7f nt!IopfCompleteRequest+0x97f
ffffd000`3cd60f58 fffff801`02ab52da tdx!TdxTcpSetInformationEx+0x11a
ffffd000`3cd60f98 fffff802`00ca8d06 nt!ExAllocatePoolWithTag+0x2b6
ffffd000`3cd61008 fffff802`00a3e2b5 nt!IopAllocateIrpPrivate+0x165
ffffd000`3cd61048 fffff801`02b1e010 netbt!WPP_GLOBAL_Control
ffffd000`3cd61068 fffff801`02ab5171 tdx!TdxTdiDispatchDeviceControl+0x81
ffffd000`3cd61080 fffff802`00d08180 nt!KiInitialPCR+0x180
ffffd000`3cd61088 fffff802`00aa4e7f nt!IopfCompleteRequest+0x97f
ffffd000`3cd610c0 fffff801`02b1e010 netbt!WPP_GLOBAL_Control
ffffd000`3cd61120 fffff801`02b1e010 netbt!WPP_GLOBAL_Control
ffffd000`3cd61138 fffff801`02af2387 netbt!SetTcpInfo+0x9b
ffffd000`3cd61178 fffff801`02af2162 netbt!NbtDereferenceLowerConnection+0x36
ffffd000`3cd611a8 fffff801`02b1e010 netbt!WPP_GLOBAL_Control
ffffd000`3cd611c8 fffff801`02aec610 netbt!NTIoComplete+0x60
ffffd000`3cd61208 fffff801`02b230c0 netbt!DispatchIoctls+0xb0
ffffd000`3cd61280 fffff802`00d08ca0 nt!KiInitialPCR+0xca0
ffffd000`3cd61288 fffff802`00ca8d06 nt!ExAllocatePoolWithTag+0x2b6
ffffd000`3cd61298 fffff801`02aec4ac netbt!NBT_DEREFERENCE_DEVICE+0x5c
ffffd000`3cd612e8 fffff801`02b2393b netbt!NbtDispatchDevCtrl+0x9b
ffffd000`3cd61318 fffff802`00ea5bc7 nt!IopSynchronousServiceTail+0x4b7
ffffd000`3cd61358 fffff802`00a98a31 nt!SepNormalAccessCheck+0x231
ffffd000`3cd61388 fffff802`00a3e2b5 nt!IopAllocateIrpPrivate+0x165
ffffd000`3cd613c8 fffff802`00ab6e9e nt!MmCreateKernelStack+0x8e
ffffd000`3cd61438 fffff802`00ab6bde nt!KeExpandKernelStackAndCalloutInternal+0x4be
ffffd000`3cd61528 fffff801`01b11bb6 tcpip!TcpTlConnectionSend+0x76
ffffd000`3cd61530 fffff801`01b118d0 tcpip!TcpTlConnectionSendCalloutRoutine
ffffd000`3cd61548 fffff801`016658c0 NETIO!NsiDefaultSecurityDescriptor
ffffd000`3cd61558 fffff801`02ab73f1 tdx!DbgTdxDereferenceConnection+0xa1
ffffd000`3cd61598 fffff801`02ab7c33 tdx!TdxSendConnection+0x1a7
ffffd000`3cd615c8 fffff801`01b378ee tcpip!TcpGetTcbConnectionObject+0x1fe
ffffd000`3cd615d8 fffff801`01b15852 tcpip!IpNlpReferenceLocalAddress+0x31e
ffffd000`3cd61620 fffff801`02ab7d30 tdx!TdxSendConnectionTlRequestComplete
ffffd000`3cd61688 fffff801`02ab770e tdx!TdxTdiDispatchInternalDeviceControl+0x316e
ffffd000`3cd616a8 fffff801`02aec4ac netbt!NBT_DEREFERENCE_DEVICE+0x5c
ffffd000`3cd616c8 fffff801`02aec532 netbt!NBT_REFERENCE_DEVICE+0x62
ffffd000`3cd616f8 fffff801`02af2947 netbt!NTSend+0x23b
ffffd000`3cd61748 fffff801`02af2975 netbt!NbtDispatchInternalCtrl+0x20f5
ffffd000`3cd61760 fffff801`0463c010 mrxsmb!WPP_GLOBAL_Control
ffffd000`3cd61788 fffff801`016074d2 NETIO!NsipAccessCheck+0x216
ffffd000`3cd617c8 fffff801`04614c75 mrxsmb!RxCeSubmitAsynchronousTdiRequest+0x6d
ffffd000`3cd61808 fffff801`046151c2 mrxsmb!RxTdiSend+0x242
ffffd000`3cd61848 fffff801`01c9ab18 tcpip!TcpNsiInterfaceDispatch
ffffd000`3cd61888 fffff801`04643775 mrxsmb!RxCeSend+0x535
ffffd000`3cd61938 fffff802`00d08180 nt!KiInitialPCR+0x180
ffffd000`3cd61988 fffff801`0160a4b7 NETIO!NsiGetAllParameters+0x8f
ffffd000`3cd619d8 fffff801`046437d8 mrxsmb!VctSend+0x48
ffffd000`3cd61a28 fffff801`04605d2f mrxsmb!SmbCseSubmitBufferContext+0x37f
ffffd000`3cd61b58 fffff801`01a9b51e mrxsmb20!Smb2Read_Start+0x1ae
ffffd000`3cd61b98 fffff801`04607700 mrxsmb!SmbCeWaitForActiveObject+0x20
ffffd000`3cd61ba8 fffff801`0460a701 mrxsmb!SmbCseFinalizeBufferContext+0x121
ffffd000`3cd61bf0 fffff801`0463c010 mrxsmb!WPP_GLOBAL_Control
ffffd000`3cd61c28 fffff801`04607226 mrxsmb!SmbCeInitiateExchange+0xa2b
ffffd000`3cd61c88 fffff801`0460a1b9 mrxsmb!SmbCeInitializeExchange+0x369
ffffd000`3cd61d08 fffff801`01ac6648 mrxsmb20!MRxSmb2Read+0xe4
ffffd000`3cd61d48 fffff801`01abcd10 mrxsmb20!ReadDispatch
ffffd000`3cd61d58 fffff801`0283a035 rdbss!RxLowIoSubmit+0x165
ffffd000`3cd61d70 fffff801`0463cc80 mrxsmb!MRxSmbDispatch
ffffd000`3cd61db8 fffff801`02845fa8 rdbss!RxLowIoReadShell+0xa0
ffffd000`3cd61dd8 fffff801`02826010 rdbss!WPP_GLOBAL_Control
ffffd000`3cd61df8 fffff802`0119d69a hal!HalpApicRequestInterrupt+0xea
ffffd000`3cd61e50 fffff802`00d08180 nt!KiInitialPCR+0x180
ffffd000`3cd61e68 fffff802`0119cff2 hal!HalRequestSoftwareInterrupt+0xd3
ffffd000`3cd61e78 fffff802`011eb800 hal!HalpKInterruptHeap+0x800
ffffd000`3cd61ee8 fffff801`01544a38 fltmgr!GetContextFromStreamList+0x168
ffffd000`3cd61ef8 fffff802`00a86721 nt!IoGetStackLimits+0x15
ffffd000`3cd61f00 fffff801`02844da0 rdbss!RxCommonRead
ffffd000`3cd61f28 fffff801`02802895 rdbss!RxFsdCommonDispatch+0x10a5
ffffd000`3cd61f48 fffff801`02826c80 rdbss!RxActiveContexts+0x80
ffffd000`3cd61f58 fffff801`01547cf2 fltmgr!FltGetStreamContext+0x42
ffffd000`3cd61fe0 fffff801`0281dbd0 rdbss!RxFsdDispatchVector
ffffd000`3cd61ff8 fffff802`00b5c136 nt!KiSwapContext+0x76
ffffd000`3cd62008 fffff801`02844da0 rdbss!RxCommonRead
ffffd000`3cd62018 fffff801`02812270 rdbss!RxCancelRoutine
ffffd000`3cd620a8 fffff802`00b5ab94 nt!KiInterruptDispatchLBControl+0x1a4
ffffd000`3cd62100 fffff802`00a0b000 nt!_guard_check_icall_fptr <PERF> (nt+0x0)
ffffd000`3cd62108 fffff802`00d08ca0 nt!KiInitialPCR+0xca0
ffffd000`3cd62218 fffff802`00b90b59 nt! ?? ::FNODOBFM::`string'+0x27389
ffffd000`3cd62248 fffff802`00d08180 nt!KiInitialPCR+0x180
ffffd000`3cd62288 fffff802`00d08180 nt!KiInitialPCR+0x180
ffffd000`3cd622e8 fffff802`00a71a81 nt!MiWaitForInPageComplete+0x27d
ffffd000`3cd62358 fffff802`00ca8274 nt!ExFreePoolWithTag+0x274
ffffd000`3cd62398 fffff802`00a9c0d6 nt!KiDeliverApc+0x166
ffffd000`3cd62418 fffff802`00adee57 nt!KiCheckForKernelApcDelivery+0x23
ffffd000`3cd62448 fffff802`00a35eaa nt!MmWaitForCacheManagerPrefetch+0xa6
ffffd000`3cd62488 fffff802`00a6464d nt!CcFetchDataForRead+0xe5
ffffd000`3cd624d8 fffff802`00db81f7 nt!CcMapAndCopyFromCache+0xc7
ffffd000`3cd62518 fffff801`01f17306 mup!MupFastIoCheckIfPossible+0x7e
ffffd000`3cd62568 fffff802`00a643fe nt!CcCopyReadEx+0x106
ffffd000`3cd625d8 fffff802`00ea028f nt!CcCopyRead+0x23
ffffd000`3cd62628 fffff802`00fb1ffb nt!CcFastCopyRead+0x2b
ffffd000`3cd62678 fffff801`028462dd rdbss!RxFastCopyRead+0x2fd
ffffd000`3cd626f8 fffff801`02803183 rdbss!RxIsThisTheTopLevelIrp+0x13
ffffd000`3cd62718 fffff801`02826010 rdbss!WPP_GLOBAL_Control
ffffd000`3cd62728 fffff801`02846750 rdbss!RxFastIoRead+0x120
ffffd000`3cd62768 fffff801`01f0d501 mup!MupiUncProviderCompletion+0x41
ffffd000`3cd62778 fffff801`01542215 fltmgr!FltpPerformPreCallbacks+0x475
ffffd000`3cd627c8 fffff801`01f1739c mup!MupFastIoRead+0x80
ffffd000`3cd62828 fffff801`01544f62 fltmgr!FltpPerformFastIoCall+0xc2
ffffd000`3cd62830 fffff801`01f13840 mup!MupiFastIoDispatch
ffffd000`3cd62888 fffff801`015457d6 fltmgr!FltpPassThroughFastIo+0x165
ffffd000`3cd628e8 fffff801`0156c3af fltmgr!FltpFastIoRead+0x14f
ffffd000`3cd62970 fffff801`0156c260 fltmgr!FltpFastIoRead
ffffd000`3cd62998 fffff802`00da71c7 nt!NtReadFile+0x3f7
ffffd000`3cd62a88 fffff802`00b64ab3 nt!KiSystemServiceCopyEnd+0x13
ffffd000`3cd62af8 fffff802`00b64ab3 nt!KiSystemServiceCopyEnd+0x13
ffffd000`3cd62ff8 00000000`00000000
ffffd000`3cd63000 ????????`????????
(Debugger Version 10.0.15063.468 AMD64)
The actual crash occurred on the *host* when I was trialling Win 10 in a VMware Workstation 12.5.7 VM (Win 8.1 x64 host). That's strange to me, because I'd expect the VM, not the host, to crash due to a Win 10 issue. However, it clearly is related to the Win 10 VM, since none of the non-virtual drivers have had issues with WATCHDOG before now, and circumstantially that's all that was being used at the time and the bugcheck process was a VMX.
Where do I go from here to narrow this down or to get a proper crash dump with a usable stack?
Other relevant info:
The host SATA drivers include IAStorA 12.9.4.1000, but they've been checked and given the all-clear at win-raid.com (a specialist SATA controller modding site that I'd trust on Intel RST compatibility issues). The VM had access to a single VMDK (no physical disks), a default network controller which was disconnected at boot, and a mapped disk which couldn't actually be accessed because the network controller was disabled. So I already suspect a network driver issue, which would match the output from dps.
The bugcheck was a crash on the physical host, not the VM, and I'm not sure what to make of that either. The installer was a hash-checked MSDN 1703 (March update) ISO. Crash dumps on the host are set to "Kernel memory dump", because a full dump of in-use memory would be ~40GB in most cases. There's nothing "strange" installed, and the VM had been in use without trouble for several hours, including software installs and other file access. The crash seemed to happen when I opened an Explorer or a save-as dialog; again, this would trigger network driver activity. I could install 10 on a bare host HDD but I would like to trace this, so I'm not left wondering if it's waiting to happen again in daily use.
Last edited by Stilez; 06 Jul 2017 at 07:48.
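Added example, not part of the original post: a Python sketch that reads saved `dps` output like the listing above, drops slots that resolve to a bare symbol with no offset (function or data pointers rather than return addresses), and lists the modules from the outermost caller down. The names `parse_dps` and `module_chain` and the sample text are constructed for illustration; `dps` symbolizes every pointer-sized value on the stack, including stale ones left by earlier calls, so the result is a heuristic and not a reconstructed call stack.

```python
import re
from itertools import groupby

# Constructed sample: a few lines copied from the dps listing in the post above.
SAMPLE = """\
ffffd000`3cd60ae8 fffff801`01b083ca tcpip!TcpSetSockOptTcb+0x23a
ffffd000`3cd61048 fffff801`02b1e010 netbt!WPP_GLOBAL_Control
ffffd000`3cd61138 fffff801`02af2387 netbt!SetTcpInfo+0x9b
ffffd000`3cd61808 fffff801`046151c2 mrxsmb!RxTdiSend+0x242
ffffd000`3cd61d58 fffff801`0283a035 rdbss!RxLowIoSubmit+0x165
ffffd000`3cd62100 fffff802`00a0b000 nt!_guard_check_icall_fptr <PERF> (nt+0x0)
ffffd000`3cd627c8 fffff801`01f1739c mup!MupFastIoRead+0x80
ffffd000`3cd628e8 fffff801`0156c3af fltmgr!FltpFastIoRead+0x14f
ffffd000`3cd62998 fffff802`00da71c7 nt!NtReadFile+0x3f7
ffffd000`3cd62ff8 00000000`00000000
"""

# slot address, stored value, module!symbol, optional +0xOFFSET at end of line
LINE = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+"
                  r"(\w+)!(.+?)(?:\+0x([0-9a-f]+))?\s*$", re.I)

def parse_dps(text):
    """Return (slot_address, module, symbol, offset) for each symbolized slot."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            slot = int(m.group(1).replace("`", ""), 16)
            off = int(m.group(5), 16) if m.group(5) else None
            rows.append((slot, m.group(3), m.group(4), off))
    return rows

def module_chain(rows):
    """Modules ordered from outermost caller (highest slot) to innermost."""
    # A return address points into a function body, so it has a non-zero offset.
    # Bare symbols are function or data pointers that happen to sit on the stack.
    likely = sorted((r for r in rows if r[3]), reverse=True)
    # Collapse consecutive frames from the same module into one entry.
    return [mod for mod, _ in groupby(r[1] for r in likely)]

if __name__ == "__main__":
    print(" -> ".join(module_chain(parse_dps(SAMPLE))))
```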