Recently I encountered a BSOD on a Windows 10 Pro system. The BSOD appear to point at an Intel audio driver. I only took a cursory look at the problem as the problem neither appear to be in the stack we own nor did it impede my work or repeat itself enough to warrant any more of my time. Below is some minimal information pertaining to the crash, if it should interest relevant folks. For access to the crash dump, please use the form here to make a request or email to info_at_kryptoguard.com
Basic crash information - SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Arguments: Arg1: ffffffffc0000005, The exception code that was not handled Arg2: fffff80828e04096, The address that the exception occurred at Arg3: fffff486e9b9a848, Exception Record Address Arg4: fffff486e9b9a090, Context Record Address Information pertaining to the module (in question) - > lmvm IntcDAud Browse full module list start end module name fffff808`28dc0000 fffff808`28e88000 IntcDAud (no symbols) Loaded symbol image file: IntcDAud.sys Image path: \SystemRoot\system32\DRIVERS\IntcDAud.sys Image name: IntcDAud.sys Browse all global symbols functions data Timestamp: Wed Dec 6 10:01:50 2017 (5A28065E) CheckSum: 000CEEC0 ImageSize: 000C8000 Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4 Offending stack and trap frame - !thread THREAD ffffce8c470a2700 Cid 0004.2d9c Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 0 Not impersonating DeviceMap ffffa60f1ac18bc0 Owning Process ffffce8c3bd12440 Image: System Attached Process N/A Image: N/A Wait Start TickCount 34652705 Ticks: 0 Context Switch Count 42 IdealProcessor: 0 UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address IntcDAud (0xfffff80828e3fd50) Stack Init fffff486e9b9ad90 Current fffff486e9b99660 Base fffff486e9b9b000 Limit fffff486e9b95000 Call 0000000000000000 Priority 15 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site fffff486`e9b99888 fffff800`70bc6cac : 00000000`0000007e ffffffff`c0000005 fffff808`28e04096 fffff486`e9b9a848 : nt!KeBugCheckEx fffff486`e9b99890 fffff800`70b8dc3f : 00000000`00000003 00000000`00000000 fffff486`e9b95000 fffff486`e9b9b000 : nt!PspSystemThreadStartup$filt$0+0x44 fffff486`e9b998d0 fffff800`70bb8c0d : 00000000`00000000 fffff486`e9b99a70 fffff486`e9b99f30 00000000`00000293 : nt!_C_specific_handler+0x9f fffff486`e9b99940 fffff800`70a6fae6 : fffff486`e9b99a70 fffff486`e9b99f30 00000000`00000004 fffff486`e9b9a848 : nt!RtlpExecuteHandlerForException+0xd fffff486`e9b99970 fffff800`70a70f03 : fffff486`e9b9a848 fffff486`e9b9a590 fffff486`e9b9a848 00000000`00000000 : nt!RtlDispatchException+0x416 fffff486`e9b9a060 fffff800`70bc0f42 : 00000000`00000000 00000000`00000000 fffff486`e9b9a7e8 00000000`00000000 : nt!KiDispatchException+0x1f3 fffff486`e9b9a710 fffff800`70bbdabf : 00000000`00000001 fffff808`28ddd00f fffff808`28ddd048 ffffce8c`41e9c1c4 : nt!KiExceptionDispatch+0xc2 fffff486`e9b9a8f0 fffff808`28e04096 : ffffce8c`41e9c100 ffffce8c`41e9c000 00000000`00000000 fffff808`28ddd00f : nt!KiPageFault+0x3ff (TrapFrame @ fffff486`e9b9a8f0) fffff486`e9b9aa80 fffff808`28e33053 : ffffce8c`41e9c010 fffff486`00000003 ffffce8c`41e9c720 00000000`00000000 : IntcDAud+0x44096 fffff486`e9b9aab0 fffff808`28e33870 : 00000000`00000000 fffff808`00000010 ffffce8c`41e9c2b8 00000000`00000001 : IntcDAud+0x73053 fffff486`e9b9ab40 fffff808`28e19a53 : ffffce8c`41eb3ae0 00000000`00000000 00000000`00000001 00000000`00000000 : IntcDAud+0x73870 fffff486`e9b9ab90 fffff808`28e41aa3 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff808`28e3f4ac : IntcDAud+0x59a53 fffff486`e9b9abf0 fffff808`28e3f96c : ffffce8c`41ea4010 00000000`00000004 00000000`00000000 ffffce8c`3bd12440 : IntcDAud+0x81aa3 fffff486`e9b9ac40 fffff808`28e3ffdb : ffffffff`fffcf2c0 ffffffff`fffcf2c0 ffffffff`fffcf2c0 ffffffff`00000000 : IntcDAud+0x7f96c fffff486`e9b9ac70 fffff808`28e3fd9b : ffffffff`fffcf2c0 ffffce8c`41ea4010 00000000`00000080 fffff808`28e3fd50 : IntcDAud+0x7ffdb fffff486`e9b9ace0 fffff800`70afccb7 : ffffce8c`470a2700 fffff808`28e3fd50 ffffffff`ffffffff ffffffff`ffffffff : IntcDAud+0x7fd9b fffff486`e9b9ad10 fffff800`70bb77d6 : fffff800`7007d180 ffffce8c`470a2700 fffff800`70afcc70 ffffffff`ffffffff : nt!PspSystemThreadStartup+0x47 fffff486`e9b9ad60 00000000`00000000 : fffff486`e9b9b000 fffff486`e9b95000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16 0: kd> .trap fffff486`e9b9a8f0 NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=fffff486e9b9aaa8 rbx=0000000000000000 rcx=fffff80828ddfc00 rdx=0000000000000003 rsi=0000000000000000 rdi=0000000000000000 rip=fffff80828e04096 rsp=fffff486e9b9aa80 rbp=fffff486e9b9ab00 r8=ffffe30112900180 r9=0000000000000000 r10=0000000000000004 r11=0000000000000000 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl zr na po nc IntcDAud+0x44096: fffff808`28e04096 40387e18 cmp byte ptr [rsi+18h],dil ds:00000000`00000018=?? Preliminary analysis (tentative/based on cursory look) - It is quite possible the content (at certain offset) of the data at address fffff808`28ddd048 passed on (via RCX register) by the third Intel frame above (IntcDAud+0x73870), which when dereferenced later (at the crashing line above) maybe the cause.
0 Comments
Leave a Reply. |
AuthorFounder of KryptoGuard™ technology initiative, product and services. Archives
June 2021
Categories |