Can anyone give a hint how to proceed for an error which shows ntoskrnl
(instead of my driver module) for the error?


BugCheck C000021A, {e1e2e428, 80, 0, 0}

Probably caused by : ntoskrnl.exe ( nt!RtlpBreakWithStatusInstruction+0 )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
804535ac cc int 3
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: e1e2e428
Arg2: 00000080
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------


BUGCHECK_STR: 0xc000021a_80

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 804293f5 to 804535ac

STACK_TEXT:
eb4fef78 804293f5 00000003 eb4fefc0 e1e2e428 nt!RtlpBreakWithStatusInstruction
eb4fefa8 804299e8 00000003 00000001 00000000 nt!KiBugCheckDebugBreak+0x31
eb4ff334 80489de2 0000004c e1e2e428 00000080 nt!KeBugCheckEx+0x390
eb4ff420 80462f14 00000004 00000002 e0000004 nt!NtSetSystemPowerState+0x34c
eb4ff420 8042edef 00000004 00000002 e0000004 nt!KiSystemService+0xc4
eb4ff4a4 804d8bac 00000004 00000002 e0000004 nt!ZwSetSystemPowerState+0xb
eb4ff4d4 804d8a2b 00000000 00000004 00000002 nt!PopIssueActionRequest+0x64
eb4ff4f4 80451627 81eddc68 81eddc48 00000000 nt!PopPolicyWorkerAction+0x37
eb4ff534 804dad12 00000000 eb4ff5a4 804d8e90 nt!PopPolicyWorkerThread+0xdd
eb4ff540 804d8e90 00000001 eb4ff5bc eb4ff644 nt!PopReleasePolicyLock+0x2e
eb4ff5a4 80462f14 00000004 00000004 c0000004 nt!NtInitiatePowerAction+0x14c
eb4ff5a4 8042e603 00000004 00000004 c0000004 nt!KiSystemService+0xc4
eb4ff62c 804d86a2 00000004 00000004 c0000004 nt!ZwInitiatePowerAction+0xb
eb4ff66c 8048316b 00000000 0000004c c000021a nt!PoShutdownBugCheck+0x56
eb4ffb08 80493420 c000021a 00000002 00000001 nt!ExpSystemErrorHandler+0x529
eb4ffcdc 8049383c c000021a 00000002 00000001 nt!ExpRaiseHardError+0xbe
eb4ffd44 80462f14 c000021a 00000002 00000001 nt!NtRaiseHardError+0x1c2
eb4ffd44 77f889d7 c000021a 00000002 00000001 nt!KiSystemService+0xc4
0015ff04 48588f43 c000021a 00000002 00000001 ntdll!ZwRaiseHardError+0xb
0015ffb4 485899cb 00000001 00162420 00162428 smss!main+0x275
0015fff4 00000000 7ffdf000 000000c8 00000100 smss!NtProcessStartup+0x18d

Re: how to debug when the debugger shows error in ntoskrnl by Gary

Gary
Fri Sep 05 19:23:45 CDT 2003

Well, first ... don't assume it is NTOSKRNL.

Look for bad memory pointers such as allocating the size of a pointer
instead of the size of a struct. Bad handling of IRP cancellation. Most
likely it is related to an IRP problem, such as storing something in an IRP
AFTER calling IoComplete.
--
Gary G. Little
Seagate Technologies, LLC

Re: how to debug when the debugger shows error in ntoskrnl by r_konjeti

r_konjeti
Sat Sep 06 15:00:35 CDT 2003

> Look for bad memory pointers such as allocating the size of a pointer
> instead of the size of a struct. Bad handling of IRP cancellation. Most
> likely it is related to an IRP problem, such as storing something in an IRP
> AFTER calling IoComplete.

1. Yes, I understand it is a problem with my driver and not
NTOSKRNL.exe.

2. But I wish I could find out the function or some place where the problem
is occurring. How near can I trace to the problem?

3. When I try to display the Irp, it says "Irp signature not found.
Possibly not Irp". I used the !Irp command.

4. It says ExFreePool is called. If I can at least know the last tag
that was freed, it will be a clue. I am looking for ways like this.

5. This problem is occurring once in 3 or 4 hours of testing. So tracing
with prints is almost not possible. I have to find other ways. I try
to analyze the code, but have not yet succeeded.

Thank you very much.

Re: how to debug when the debugger shows error in ntoskrnl by Don

Don
Sat Sep 06 15:20:34 CDT 2003

Raj,

Have you tried running the driver with verifier enabled, and built with
the Call Usage Verifier? These are there to help find some of these
problems. You may have used both already, but if not, try them.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting

Re: how to debug when the debugger shows error in ntoskrnl by Mark

Mark
Sat Sep 06 15:31:20 CDT 2003

The bugcheck indicates that the Winlogon process is the victim of some
other defect. Unexpected termination of Winlogon causes a bugcheck. It
sounds like your kernel debugging skills are somewhat lacking, which
is understandable as it is a bit of an art form, and not something
that one can pick up from a book. There are seminars out there that
you might consider taking, if you can afford it.

First principle of debugging: it's your crappy software that is at
fault, until proven otherwise.

Back to your bug. If you cannot find any evidence of the damage
caused, then you have to consider implementing a runtime trace history
in your driver. There are several ways to do this, but if you are just
starting out, and you are developing for the XP or later releases,
you should consider the new WPP software tracing facility. Otherwise,
level and module based debug printing, which you can then tune to
reduce the volume of information being displayed, is a good choice. If
debug print alters the timing so drastically that the bug cannot be
reproduced, consider a lightweight execution trace history ring buffer
instead. This can be either textual or numeric information, although
once again WPP provides this functionality and should be considered
instead.

Further back to your bug. You need to look through data structures in
the kernel for evidence of something gone wrong. On a dump file
!Irpfind is reasonably quick enough to produce all of the irps currently
in the system. Examine all of your driver's data structures, use
!devnode to get your device objects and from there your device
extension data structures. Windbg is excellent at parsing data
objects, as long as it has access to the correct symbols and source
code. Dump all the threads using !process 0 7. Grovel through this
mess looking for any evidence of what your driver might have been
doing.

Good luck!



=====================
Mark Roddy
Windows XP/2000/NT Consulting, Microsoft DDK MVP
Hollis Technology Solutions 603-321-1032
www.hollistech.com
markr@hollistech.com
For Windows Device Driver Training: see www.azius.com
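
A sketch of the lightweight execution trace history ring buffer described in the post above, with a post-mortem check for the "touched an IRP after completing it" pattern raised earlier in the thread. This is an added example, not code from any participant; every name in it is hypothetical. It is written in portable C11 so it runs anywhere; a driver would use InterlockedIncrement in place of the C11 atomic and keep the buffer in nonpaged memory so it survives into the crash dump.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define TRACE_SLOTS 256u   /* power of two, so the index wraps with a mask */
enum { EV_DISPATCH = 1, EV_COMPLETE = 2, EV_STORE = 3, EV_FREE = 4 }; /* hypothetical codes */

typedef struct {
    uint32_t  seq;    /* 1-based sequence number; 0 means never written */
    uint16_t  event;  /* one of the EV_* codes */
    uint16_t  line;   /* __LINE__ of the call site */
    uintptr_t obj;    /* object concerned, e.g. an IRP or pool block */
} trace_rec;
static trace_rec   g_trace[TRACE_SLOTS];
static atomic_uint g_trace_seq;   /* records written so far */

/* Log one event: one atomic add and four stores, no lock, no formatting. */
static uint32_t trace_add(uint16_t event, uint16_t line, uintptr_t obj)
{
    uint32_t seq = atomic_fetch_add(&g_trace_seq, 1u) + 1u;
    trace_rec *r = &g_trace[(seq - 1u) & (TRACE_SLOTS - 1u)];
    r->event = event; r->line = line; r->obj = obj;
    r->seq = seq;   /* stored last: marks the slot as filled */
    return seq;
}
#define TRACE(ev, p) trace_add((ev), (uint16_t)__LINE__, (uintptr_t)(p))

/* Post-mortem check, newest record first: line of the first event logged for
 * `obj` after its latest `final_ev`; 0 if none or history was overwritten. */
static uint16_t trace_touched_after(uintptr_t obj, uint16_t final_ev)
{
    uint32_t end = atomic_load(&g_trace_seq), n = end < TRACE_SLOTS ? end : TRACE_SLOTS;
    uint16_t later = 0;
    for (uint32_t i = 0; i < n; i++) {
        const trace_rec *r = &g_trace[(end - 1u - i) & (TRACE_SLOTS - 1u)];
        if (r->obj != obj) continue;              /* event for some other object */
        if (r->event == final_ev) return later;   /* reached the completion/free */
        later = r->line;                          /* event newer than final_ev */
    }
    return 0;
}

int main(void)
{
    int irp = 0;   /* constructed stand-in; only its address is logged */
    TRACE(EV_DISPATCH, &irp); TRACE(EV_COMPLETE, &irp);
    TRACE(EV_STORE, &irp);   /* the bug: object touched after completion */
    printf("line %u\n", (unsigned)trace_touched_after((uintptr_t)&irp, EV_COMPLETE));
    return 0;
}
```

Because the records are fixed-size binary, the same array can be read from a crash dump in the debugger by dumping `g_trace` and sorting on `seq`.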