tailieunhanh - Memory Dump Analysis Anthology- P6

Memory Dump Analysis Anthology- P6: This is a revised, edited, cross-referenced and thematically organized volume of selected blog posts about crash dump analysis and debugging written in 2006 - 2007 for software engineers developing and maintaining products on Windows platforms, technical support and escalation engineers dealing with complex software issues and general Windows users. | Bugchecks Depicted 151 kd kL Child-SP fffffadf dfcf19b8 RetAddr fffffadf dfee38c4 Call Site fffffadf dfcf19c0 fffffadf dfcf1a70 fffff800 012ce9cf fffff800 012df026 fffffadf dfcf1b90 fffffadf dfcf1c00 fffff800 010410fd 00000000 77ef0a5a 00000001 0000a755 00000000 77ef30a5 nt KeBugCheck userdump UdIoctl 0x104 nt IopXxxControlFile 0xa5a nt NtDeviceIoControlFile 0x56 nt KiSystemServiceCopyEnd 0x3 ntdll NtDeviceIoControlFile 0xa 00000000 01eadd58 00000000 01eadd60 userdump_100000000 UdServiceWorkerAPC 0x1005 00000000 01eaf970 00000000 77ef0a2a ntdll KiUserApcDispatcher 0x15 00000000 01eafe68 00000001 00007fe2 ntdll NtWaitForSingleObject 0xa 00000000 01eafe70 userdump_100000000 UdServiceWorker 0xb2 00000000 01eaff20 000007ff 7fee4db6 00000001 00008a39 userdump_100000000 UdServiceStart 0x139 00000000 01eaff50 00000000 77d6b6da ADVAPI32 ScSvcctrlThreadW 0x25 00000000 01eaff80 00000000 00000000 kernel32 BaseThreadStart 0x3a This might be useful if we want to see kernel data that happened to be at the exception time. In this case we can avoid requesting complete memory dump of physical memory and ask for kernel memory dump only together with a user dump. Note do not set this option if you are unsure. It can have your production servers bluescreen in the case of false positive dumps. Please purchase PDF Split-Merge on to remove this watermark 152 PART 2 Professional Crash Dump Analysis CF Bugcheck CF name is the second longest one TERMINAL_SERVER_DRIVER_MADE_INCORRECT_MEMORY_REFERENCE cf Arguments Arg1 a020b1d4 memory referenced Arg2 00000000 value 0 read operation 1 write operation Arg3 a020b1d4 If non-zero the instruction address which referenced the bad memory address. Arg4 00000000 Mm internal code. A driver has been incorrectly ported to Terminal Server. It is referencing session space addresses from the system process context. Probably from queueing an item to a system worker thread. The broken driver s name is displayed on the screen. Although bugcheck