Tuesday, January 31, 2012

Can't implement !thread by dbgeng.dll

1. I tried to implement the !thread command through dbgeng.dll for dump-file checking. However, GetFrameOffset still returns the original value after calling SetImplicitThreadDataOffset.

The dbgeng documentation describes the implicit thread as follows:

In kernel-mode debugging, the debugger engine will use the implicit thread to determine some of the target's registers. This includes the processor stack (see GetStackOffset), the frame offset (see GetFrameOffset), and the instruction offset (see GetInstructionOffset). When an event occurs, the implicit thread is set to the current thread.
The implicit thread may be changed by using SetImplicitThreadDataOffset. To determine the implicit thread, use GetImplicitThreadDataOffset.
Not all registers are determined by the implicit thread. Some registers will remain the same when the implicit thread is changed.


2. GetThreadIdByDataOffset also fails, returning E_NOINTERFACE.

Thursday, January 19, 2012

!amli lc


The !amli lc extension lists all active ACPI contexts.

 Ctxt=fffffa8001c87000, ThID=0000000000000000, Flgs=---C-----, pbOp=fffffa8001bfc229, Obj=\_SB.PCI0.VGA.ATCS

This shows that an ACPI control method of the VGA device (\_SB.PCI0.VGA.ATCS) is running. We can use !amli u on the pbOp address to disassemble the AML and see which ACPI code is executing:

1: kd> !amli u fffffa8001bfc225
AMLI_DBGERR: Failed to get address of ACPI!gDebugger
AMLI_DBGERR: Failed to get address of ACPI!gDebugger

fffffa8001bfc225 : Sleep(0x1e)
fffffa8001bfc229 : While(And(A008, Local1, AMLI_DBGERR: UnAsmSuperName: invalid SuperName - 0x0a
))

Thursday, January 12, 2012

MFC ListBox DeleteString



The code below does not clear all of the ListBox strings:

    int c = m_list.GetCount();
    for (int k = 0; k < c; k++)
        m_list.DeleteString(k);   // deletes index k of a list that shrinks on every iteration

The problem is that after you delete index 0, the remaining strings are re-indexed from 0 again (they do not keep their original indices 1 to n-1), so deleting index k skips every other string. Modify the code as below to make it work:

    int c = m_list.GetCount();
    for (int k = 0; k < c; k++)
        m_list.DeleteString(0);   // the survivors shift down, so index 0 is always the next string
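To see exactly which strings the first loop leaves behind, here is an added example (not from the original post) that models the CListBox with a plain Python list; the list contents are constructed. Like CListBox::DeleteString, deleting an out-of-range index is treated as a no-op.

```python
def delete_with_running_index(strings):
    """Models the buggy loop: DeleteString(k) for k = 0 .. count-1.

    As with CListBox::DeleteString, an out-of-range index is a no-op
    (MFC returns LB_ERR) rather than an error.
    """
    items = list(strings)
    count = len(items)            # GetCount() evaluated once, before any deletion
    for k in range(count):
        if k < len(items):        # DeleteString(k) with a stale index
            del items[k]
    return items


def delete_index_zero(strings):
    """The corrected loop: always delete index 0, because the survivors shift down."""
    items = list(strings)
    for _ in range(len(items)):
        del items[0]
    return items


if __name__ == "__main__":
    sample = ["s0", "s1", "s2", "s3", "s4", "s5"]   # constructed list-box contents
    print(delete_with_running_index(sample))         # every other string survives
    print(delete_index_zero(sample))                 # empty list
```

With six strings the first loop removes s0, s2 and s4 and then runs out of valid indices, leaving s1, s3 and s5 in the box; in general roughly half of the strings survive.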


Tuesday, January 10, 2012

Dump file structure

32-bit dump header (ValidDump = 'DUMP'):

 Offset  Type    Field                           Remarks
 0x000   char    Signature[4]                    'PAGE'
 0x004   char    ValidDump[4]                    'DUMP'
 0x008   uint32  MajorVersion
 0x00c   uint32  MinorVersion                    Windows build number
 0x010   uint32  DirectoryTableBase
 0x014   uint32  PfnDataBase
 0x018   uint32  PsLoadedModuleList
 0x01c   uint32  PsActiveProcessHead
 0x020   uint32  MachineImageType
 0x024   uint32  NumberProcessors
 .....
 0x05c   char    PaeEnabled
 .....
 0x064   char    PhysicalMemoryBlockBuffer[700]
 .....
 0xf88   uint32  DumpType                        1 = full dump, 2 = kernel dump (smaller)
 .....
 0xfa0   int64   RequiredDumpSpace               should equal the dump file size
 .....
 0xfb8   int64   SystemUpTime                    measured in units of 100 ns
 0xfc0   int64   SystemTime                      FILETIME
 .....

This is copied from http://computer.forensikblog.de/en/2006/03/dmp_file_structure.html

64-bit dump header (ValidDump = 'DU64'):

 Offset  Type    Field                           Remarks
 0x000   char    Signature[4]                    'PAGE'
 0x004   char    ValidDump[4]                    'DU64'
 0x008   uint32  MajorVersion
 0x00c   uint32  MinorVersion                    Windows build number
 0x010   uint64  DirectoryTableBase
 0x018   uint64  PfnDataBase
 0x020   uint64  PsLoadedModuleList
 0x028   uint64  PsActiveProcessHead
 0x030   uint32  MachineImageType
 0x034   uint32  NumberProcessors
 .....
 0x088   char    PhysicalMemoryBlock[0x80]
 .....
 0xf98   uint32  DumpType                        1 = full dump, 2 = kernel dump
 .....
 0xfa0   int64   SystemUpTime                    measured in units of 100 ns
 0xfa8   int64   SystemTime                      FILETIME
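As an added example (not part of the original post or of the forensikblog page), here is a Python parser that reads both header layouts using exactly the offsets in the two tables above, dispatching on the ValidDump tag ('DUMP' or 'DU64'). The header bytes it parses are constructed by build_sample_header; the sample values (build number, addresses, times) are made up for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field layouts taken from the two tables above: name -> (offset, struct format).
# Integers are little-endian; char[n] fields are read as raw bytes.
LAYOUT_32 = {
    "Signature": (0x000, "4s"), "ValidDump": (0x004, "4s"),
    "MajorVersion": (0x008, "<I"), "MinorVersion": (0x00c, "<I"),
    "DirectoryTableBase": (0x010, "<I"), "PfnDataBase": (0x014, "<I"),
    "PsLoadedModuleList": (0x018, "<I"), "PsActiveProcessHead": (0x01c, "<I"),
    "MachineImageType": (0x020, "<I"), "NumberProcessors": (0x024, "<I"),
    "PaeEnabled": (0x05c, "B"), "DumpType": (0xf88, "<I"),
    "RequiredDumpSpace": (0xfa0, "<q"), "SystemUpTime": (0xfb8, "<q"),
    "SystemTime": (0xfc0, "<q"),
}
LAYOUT_64 = {
    "Signature": (0x000, "4s"), "ValidDump": (0x004, "4s"),
    "MajorVersion": (0x008, "<I"), "MinorVersion": (0x00c, "<I"),
    "DirectoryTableBase": (0x010, "<Q"), "PfnDataBase": (0x018, "<Q"),
    "PsLoadedModuleList": (0x020, "<Q"), "PsActiveProcessHead": (0x028, "<Q"),
    "MachineImageType": (0x030, "<I"), "NumberProcessors": (0x034, "<I"),
    "DumpType": (0xf98, "<I"), "SystemUpTime": (0xfa0, "<q"),
    "SystemTime": (0xfa8, "<q"),
}
DUMP_TYPES = {1: "full dump", 2: "kernel dump"}
HEADER_SIZE = 0x1000


def filetime_to_datetime(filetime):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_dump_header(data):
    """Parse the first 4 KiB of a crash dump using the offsets in the tables above."""
    if len(data) < HEADER_SIZE:
        raise ValueError("need at least 0x1000 bytes of header")
    if data[0:4] != b"PAGE":
        raise ValueError("missing 'PAGE' signature: not a Windows crash dump")
    tag = data[4:8]
    if tag == b"DUMP":
        layout, bits = LAYOUT_32, 32
    elif tag == b"DU64":
        layout, bits = LAYOUT_64, 64
    else:
        raise ValueError("unknown ValidDump tag %r" % tag)
    hdr = {"Bits": bits}
    for name, (offset, fmt) in layout.items():
        hdr[name] = struct.unpack_from(fmt, data, offset)[0]
    hdr["Signature"] = hdr["Signature"].decode("ascii")
    hdr["ValidDump"] = hdr["ValidDump"].decode("ascii")
    hdr["DumpTypeName"] = DUMP_TYPES.get(hdr["DumpType"], "unknown (%d)" % hdr["DumpType"])
    hdr["SystemUpTimeSeconds"] = hdr["SystemUpTime"] / 10_000_000   # 100 ns units -> seconds
    hdr["SystemTimeUtc"] = filetime_to_datetime(hdr["SystemTime"])
    return hdr


def build_sample_header(bits):
    """Constructed sample header (not a real dump) with made-up but plausible field values."""
    layout = LAYOUT_32 if bits == 32 else LAYOUT_64
    values = {
        "Signature": b"PAGE",
        "ValidDump": b"DUMP" if bits == 32 else b"DU64",
        "MajorVersion": 0xF,
        "MinorVersion": 7601,
        "DirectoryTableBase": 0x187000,
        "PfnDataBase": 0x80000000 if bits == 32 else 0xFFFFFA8000000000,
        "PsLoadedModuleList": 0x82B4E850 if bits == 32 else 0xFFFFF80002C5E650,
        "PsActiveProcessHead": 0x82B4C5C0 if bits == 32 else 0xFFFFF80002C5C5C0,
        "MachineImageType": 0x014C if bits == 32 else 0x8664,   # IMAGE_FILE_MACHINE_I386 / AMD64
        "NumberProcessors": 4,
        "PaeEnabled": 1,
        "DumpType": 2,
        "RequiredDumpSpace": 0x10000000,
        "SystemUpTime": 36_000_000_000,        # 3600 s expressed in 100 ns units
        "SystemTime": 129706272000000000,      # FILETIME for 2012-01-10 00:00:00 UTC
    }
    buf = bytearray(HEADER_SIZE)
    for name, (offset, fmt) in layout.items():
        struct.pack_into(fmt, buf, offset, values[name])
    return bytes(buf)


if __name__ == "__main__":
    for bits in (32, 64):
        hdr = parse_dump_header(build_sample_header(bits))
        print(hdr["ValidDump"], hdr["DumpTypeName"], hdr["SystemUpTimeSeconds"], hdr["SystemTimeUtc"])
```

To run it on a real file, pass the first 0x1000 bytes of the .dmp to parse_dump_header; the DumpType and SystemUpTime fields are a quick sanity check that you are looking at the dump you think you are.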
 

Monday, January 9, 2012

BSOD 0xC0

I hit a bug check 0xC0 raised from PCI.sys that I had not seen before. The WDK's bugcodes.h describes it as follows:

// MessageId: PCI_CONFIG_SPACE_ACCESS_FAILURE
//
// MessageText:
//
// An attempt to access PCI configuration space failed.
//
#define PCI_CONFIG_SPACE_ACCESS_FAILURE  ((ULONG)0x000000C0L)

The disassembly of pci!PciWriteDeviceConfig shows where the bug check is raised: after the indirect call through [r10+28h] the return value in eax is compared with esi, and if they differ the code falls through to KeBugCheckEx with ecx = 0C0h (PCI_CONFIG_SPACE_ACCESS_FAILURE).

pci!PciWriteDeviceConfig+0x3f:
fffff880`00ead297 488b4148        mov     rax,qword ptr [rcx+48h]
fffff880`00ead29b 448b4118        mov     r8d,dword ptr [rcx+18h]
fffff880`00ead29f 44894c2428      mov     dword ptr [rsp+28h],r9d
fffff880`00ead2a4 4c8b5020        mov     r10,qword ptr [rax+20h]
fffff880`00ead2a8 4c8bca          mov     r9,rdx
fffff880`00ead2ab 8b5114          mov     edx,dword ptr [rcx+14h]
fffff880`00ead2ae 498b4a08        mov     rcx,qword ptr [r10+8]
fffff880`00ead2b2 897c2420        mov     dword ptr [rsp+20h],edi
fffff880`00ead2b6 41ff5228        call    qword ptr [r10+28h]
fffff880`00ead2ba 3bc6            cmp     eax,esi
fffff880`00ead2bc 741c            je      pci!PciWriteDeviceConfig+0x82 (fffff880`00ead2da)

pci!PciWriteDeviceConfig+0x66:
fffff880`00ead2be 448b4318        mov     r8d,dword ptr [rbx+18h]
fffff880`00ead2c2 8b5314          mov     edx,dword ptr [rbx+14h]
fffff880`00ead2c5 488364242000    and     qword ptr [rsp+20h],0
fffff880`00ead2cb 4c8bcf          mov     r9,rdi
fffff880`00ead2ce b9c0000000      mov     ecx,0C0h
fffff880`00ead2d3 ff15cfbe0000    call    qword ptr [pci!_imp_KeBugCheckEx (fffff880`00eb91a8)]
fffff880`00ead2d9 cc              int     3

pci!PciWriteDeviceConfig+0x82:
fffff880`00ead2da 488b5c2440      mov     rbx,qword ptr [rsp+40h]
fffff880`00ead2df 488b742448      mov     rsi,qword ptr [rsp+48h]
fffff880`00ead2e4 4883c430        add     rsp,30h
fffff880`00ead2e8 5f              pop     rdi
fffff880`00ead2e9 c3              ret

Dump file analysis checklist

I just saw the crash dump analysis checklist at http://www.dumpanalysis.org/blog/index.php/2007/06/20/crash-dump-analysis-checklist/

The site lists some useful WinDbg commands. Still, dump file analysis needs experience and many test results for reference.

Windbg command tab completion


Here are some words copied from the WinDbg help about Tab completion.

Using Debugger Commands

You can press the TAB key to automatically complete your text entry. In any of the debuggers, press the TAB key after you enter at least one character to automatically complete a command. Press the TAB key repeatedly to cycle through text completion options, and hold down the SHIFT key and press TAB to cycle backward. You can also use wildcard characters in the text and press TAB to expand to the full set of text completion options. For example, if you type fo*!ba and then press TAB, the debugger expands to the set of all symbols that start with "ba", in all modules with module names that start with "fo". As another example, you can complete all extension commands that have "prcb" in them by typing !*prcb and then pressing TAB. 

When you use the TAB key to perform text completion, if your text fragment begins with a period (.), the text is matched to a dot command. If your text fragment begins with an exclamation point (!), the text is matched to an extension command. Otherwise, the text is matched with a symbol. When you use the TAB key to enter symbols, pressing the TAB key completes code and type symbols and module names. If no module name is apparent, local symbols and module names are completed. If a module or module pattern is given, symbol completion completes code and type symbols from all matches.

This feature lets us type WinDbg commands faster. Even more useful, it helps us discover more WinDbg commands: when we type !po<TAB>, we find !poaction, then !pocaps, and so on. You can also use !po*n<TAB>.

Another web site talks about this: http://analyze-v.com/?p=123

Wednesday, January 4, 2012

CD-ROM utility

For a CD-ROM utility, the first step is to obtain exclusive access mode, which lets applications and system components obtain exclusive access to a CD-ROM device. Callers that request exclusive access should not open the CD-ROM device by simply sending a create request to the file system driver, because there is no guarantee that the CD-ROM class driver will receive the request. Instead, applications should use the SetupDiXxx routines to enumerate the interfaces for all CD-ROM devices in the system and then open the appropriate device interface.


Microsoft provides a CD-ROM enumeration sample at http://support.microsoft.com/kb/305184/en-us, from which we can learn a few things:
    1. Win32 applications can use the SetupDixxx APIs to enumerate all of the devices that are available on a computer.

    2. The EnumCD sample provided by means of this article does the following:
  • Demonstrates SetupDixxx by enumerating all the CD drives regardless of their bus type.
  • Obtains a handle to the device to send IOCTL commands to get the adapter and device properties.
  • Uses SCSI pass-through commands to get the inquiry data and the drive capabilities.

Tuesday, January 3, 2012

New debug features for Win 8

http://msdn.microsoft.com/en-us/library/hh451083(v=VS.85).aspx


New for Windows 8

[This documentation is preliminary and is subject to change.]
The following debugger features are new for Windows Developer Preview.
The Windows Developer Preview Debugging Tools for Windows package does not support Windows 2000.
Sos.dll is a component that is used for debugging managed code. The Windows Developer Preview Debugging Tools for Windows package does not include any version of sos.dll. To get sos.dll for .NET Framework 1.x, download the Windows 7 Debugging Tools for Windows package. For later versions of .NET Framework, sos.dll is included in the .NET Framework installation.


Build date: 12/8/2011

Monday, January 2, 2012

BSOD 7A KERNEL_DATA_INPAGE_ERROR


The KERNEL_DATA_INPAGE_ERROR bug check has a value of 0x0000007A. This bug check indicates that the requested page of kernel data from the paging file could not be read into memory. Usually this is a problem with the hard disk or the disk interface; parameter 2 gives more information.

Cause

Frequently, you can determine the cause of the KERNEL_DATA_INPAGE_ERROR bug check from the error status (Parameter 2). Some common status codes include the following:
  • 0xC000009A, or STATUS_INSUFFICIENT_RESOURCES, indicates a lack of nonpaged pool resources.
  • 0xC000009C, or STATUS_DEVICE_DATA_ERROR, typically indicates bad blocks (sectors) on the hard disk.
  • 0xC000009D, or STATUS_DEVICE_NOT_CONNECTED, indicates defective or loose cabling, termination, or that the controller does not see the hard disk.
  • 0xC000016A, or STATUS_DISK_OPERATION_FAILED, indicates bad blocks (sectors) on the hard disk.
  • 0xC0000185, or STATUS_IO_DEVICE_ERROR, indicates improper termination or defective cabling on SCSI devices or that two devices are trying to use the same IRQ.
These status codes are the most common ones that have specific causes. For more information about other possible status codes that can be returned, see the Ntstatus.h file in the Microsoft Windows Driver Kit (WDK). These status codes also show up in other kinds of dump files, so they are useful to know when checking a dump. Another common cause of this error is defective hardware or failing RAM, and a virus infection can also cause this bug check.

The "Resolving the Problem" section of the WinDbg help gives the details:

Resolving a bad block problem: An I/O status code of 0xC000009C or 0xC000016A typically indicates that the data could not be read from the disk because of a bad block (sector). If you can restart the computer after the error, Autochk runs automatically and attempts to map the bad sector to prevent it from being used anymore.
If Autochk does not scan the hard disk for errors, you can manually start the disk scanner. Run Chkdsk /f /r on the system partition. You must restart the computer before the disk scan begins. If you cannot start the computer because of the error, use the Recovery Console and run Chkdsk /r.
Resolving a defective hardware problem: If the I/O status is C0000185 and the paging file is on an SCSI disk, check the disk cabling and SCSI termination for problems.
Resolving a failing RAM problem: Run the hardware diagnostics that the system manufacturer supplies, especially the memory scanner. For more information about these procedures, see the owner's manual for your computer.
Check that all the adapter cards in the computer are properly seated. Use an ink eraser or an electrical contact treatment, available at electronics supply stores, to ensure adapter card contacts are clean.
Check the System Log in Event Viewer for additional error messages that might help identify the device that is causing the error. You can also disable memory caching of the BIOS to try to resolve this error.
Make sure that the latest Windows Service Pack is installed.
If the preceding steps do not resolve the error, take the system motherboard to a repair facility for diagnostic testing. A crack, a scratched trace, or a defective component on the motherboard can cause this error.
Resolving a virus infection: Check your computer for viruses by using any up-to-date, commercial virus scanning software that examines the Master Boot Record of the hard disk. All Windows file systems can be infected by viruses.
Here is a real case. This is part of the "!analyze -v" output:
KERNEL_DATA_INPAGE_ERROR (7a)
The requested page of kernel data could not be read in.  Typically caused by
a bad block in the paging file or disk controller error. Also see
KERNEL_STACK_INPAGE_ERROR.
If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
it means the disk subsystem has experienced a failure.
If the error status is 0xC000009A, then it means the request failed because
a filesystem failed to make forward progress.
Arguments:
Arg1: c040f570, lock type that was held (value 1,2,3, or PTE address)
Arg2: c000009d, error status (normally i/o status code)
Arg3: 2c36a860, current process (virtual address for lock type 3, or PTE)
Arg4: 81eae500, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)
Debugging Details:
------------------
ERROR_CODE: (NTSTATUS) 0xc000009d - STATUS_DEVICE_NOT_CONNECTED
DISK_HARDWARE_ERROR: There was error with disk hardware
BUGCHECK_STR:  0x7a_c000009d
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
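As an added example (not from the original post), here is a small Python helper that pulls the four arguments out of the "!analyze -v" output above and maps parameter 2 to the status names and checks listed in this post. The name STATUS_NO_SUCH_DEVICE for 0xC000000E comes from ntstatus.h rather than from the text above; everything else in the tables is taken from the post.

```python
import re

# Error-status meanings for bug check 0x7A parameter 2, as listed above
# (0xC000000E is named from ntstatus.h; the post only lists its value).
STATUS_CODES = {
    0xC000000E: ("STATUS_NO_SUCH_DEVICE", "disk subsystem failure"),
    0xC000009A: ("STATUS_INSUFFICIENT_RESOURCES", "lack of nonpaged pool resources"),
    0xC000009C: ("STATUS_DEVICE_DATA_ERROR", "bad blocks (sectors) on the hard disk"),
    0xC000009D: ("STATUS_DEVICE_NOT_CONNECTED",
                 "defective or loose cabling, termination, or the controller does not see the disk"),
    0xC000016A: ("STATUS_DISK_OPERATION_FAILED", "bad blocks (sectors) on the hard disk"),
    0xC0000185: ("STATUS_IO_DEVICE_ERROR",
                 "improper termination or defective cabling on SCSI devices, or two devices sharing an IRQ"),
}
BAD_BLOCK = {0xC000009C, 0xC000016A}                       # -> Chkdsk /f /r
DISK_SUBSYSTEM = {0xC000000E, 0xC000009C, 0xC000009D, 0xC0000185}

# The Arguments block of the "!analyze -v" output shown above.
SAMPLE_ANALYZE = """\
KERNEL_DATA_INPAGE_ERROR (7a)
Arguments:
Arg1: c040f570, lock type that was held (value 1,2,3, or PTE address)
Arg2: c000009d, error status (normally i/o status code)
Arg3: 2c36a860, current process (virtual address for lock type 3, or PTE)
Arg4: 81eae500, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)
"""

ARG_RE = re.compile(r"^Arg([1-4]):\s*([0-9A-Fa-f]+)\s*,")


def parse_analyze_args(text):
    """Return {1: arg1, 2: arg2, 3: arg3, 4: arg4} from the Arguments block of !analyze -v."""
    args = {}
    for line in text.splitlines():
        m = ARG_RE.match(line.strip())
        if m:
            args[int(m.group(1))] = int(m.group(2), 16)
    return args


def classify_7a(args):
    """Interpret the 0x7A parameters the way the checklist above does."""
    status = args.get(2)
    if status is None:
        raise ValueError("Arg2 (error status) not found")
    name, meaning = STATUS_CODES.get(status, ("(not in the list above)", "see Ntstatus.h in the WDK"))
    arg1 = args.get(1)
    if arg1 in (1, 2, 3):               # small value: a lock type, so Arg4 is a virtual address
        arg1_kind = "lock type %d" % arg1
        arg4_kind = "virtual address that could not be paged in"
    else:                               # otherwise Arg1 is a PTE address and Arg4 the PTE contents
        arg1_kind = "PTE address"
        arg4_kind = "PTE contents"
    actions = []
    if status in BAD_BLOCK:
        actions.append("run Chkdsk /f /r on the system partition (bad block)")
    if status in DISK_SUBSYSTEM:
        actions.append("check disk cabling, termination and the controller")
    if status == 0xC000009A:
        actions.append("look for nonpaged pool exhaustion")
    if not actions:
        actions.append("run the vendor hardware diagnostics and check the System Log")
    return {
        "bugcheck_str": "0x7a_%08x" % status,   # same form as BUGCHECK_STR in !analyze -v
        "status": status, "status_name": name, "meaning": meaning,
        "arg1_kind": arg1_kind, "arg4_kind": arg4_kind, "actions": actions,
    }


if __name__ == "__main__":
    result = classify_7a(parse_analyze_args(SAMPLE_ANALYZE))
    for key, value in result.items():
        print("%-12s %s" % (key, value))
```

On the case above this yields bugcheck_str 0x7a_c000009d, STATUS_DEVICE_NOT_CONNECTED, and the cabling/controller check, which matches the DISK_HARDWARE_ERROR line that !analyze -v printed.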

SCSI Miniport Extensions (Scsikd.dll and Minipkd.dll)

Extension commands that are useful for debugging SCSI miniport drivers can be found in Scsikd.dll and Minipkd.dll.
You can use the Scsikd.dll extension commands with any version of Windows. However, you can only use the Minipkd.dll extension commands with Windows XP and later versions of Windows. Commands in Minipkd.dll are only applicable to SCSIport-based miniports.
For more information, see SCSI Miniport Debugging.

Actually, "!classext" is the command I use most often to check SATA-related problems.
kd> .load scsikd
kd> !classext
Storage class devices:

* !classext 8658d310 [1,2] ST332081 3AS Paging Disk       
  !classext 89b67a28 [1,2] Optiarc CDRWDVD CRX890S Removable Cdrom      

Usage: !classext <class device> <level [0-2]>
kd> !scsikd.classext 8658d310 2
Storage class device 8658d310 with extension at 8658d3c8

Classpnp Internal Information at 86690310

    Transfer Packet Engine:

     Packet  Status  DL Irp  Opcode  Sector   UL Irp 
    -------- ------ -------- ------ -------- --------
    8a0b59f8  Free  84f8b488 
    85f99128  Free  8a15b310 
    84f9ff08  Free  a32dd860 
    8a0977c8  Free  a484e2d0 
    84f9abe0  Free  8cb6e008 
    8cc3af08  Free  9d790008 
    8ccb04d8  Free  8caf8678 
    852e7810  Free  8a039920 
    Pending Idle Requests: 0x0
    Failed Requests:
           Srb    Scsi                                   
    Opcode Status Status Sense Code  Sector   Time Stamp 
    ------ ------ ------ ---------- -------- ------------
      2a     0a     00    00 00 00  00521510 03:40:58.212   
      2a     0a     00    00 00 00  00549f98 03:40:58.212   
      2a     0a     00    00 00 00  0054a058 03:40:58.212   
      2a     0a     00    00 00 00  0054a118 03:40:58.212   
      2a     0a     00    00 00 00  0054a1d8 03:40:58.212   
      2a     0a     00    00 00 00  0054a298 03:40:58.212   
      2a     0a     00    00 00 00  005e0808 03:40:58.212   
      2a     0a     00    00 00 00  00288558 03:40:58.212   
      2a     0a     00    00 00 00  0029e230 03:40:58.212   
      2a     0a     00    00 00 00  005e1748 03:40:58.212   
      2a     0a     00    00 00 00  005e1748 03:40:58.212   
      2a     0a     00    00 00 00  005e0800 03:40:58.212   
      2a     0a     00    00 00 00  00d17650 03:40:58.212   
      2a     0a     00    00 00 00  00275858 03:40:58.212   
      2a     0a     00    00 00 00  005e0808 03:40:58.212   
      2a     0a     00    00 00 00  003b1038 03:40:58.212   

Opcode: the SCSI CDB operation code. The definitions are in storport.h in the Windows WDK; a few of them:
// 10-byte commands
#define SCSIOP_READ_FORMATTED_CAPACITY  0x23
#define SCSIOP_READ_CAPACITY            0x25
#define SCSIOP_READ                     0x28
#define SCSIOP_WRITE                    0x2A
Srb status: also defined in the WDK's storport.h:
#define SRB_STATUS_PENDING                  0x00
#define SRB_STATUS_SUCCESS                  0x01
#define SRB_STATUS_ABORTED                  0x02
#define SRB_STATUS_ABORT_FAILED             0x03
#define SRB_STATUS_ERROR                    0x04
#define SRB_STATUS_BUSY                     0x05
#define SRB_STATUS_INVALID_REQUEST          0x06
#define SRB_STATUS_INVALID_PATH_ID          0x07
#define SRB_STATUS_NO_DEVICE                0x08
#define SRB_STATUS_TIMEOUT                  0x09
#define SRB_STATUS_SELECTION_TIMEOUT        0x0A
#define SRB_STATUS_COMMAND_TIMEOUT          0x0B

Scsi status: the SCSI status code indicates the success or failure of a SCSI command. At the end of any command the target returns a status byte, which should be one of the following (http://en.wikipedia.org/wiki/SCSI_Status_Code):

 Code  Name
 00h   GOOD
 02h   CHECK CONDITION
 04h   CONDITION MET
 08h   BUSY
 18h   RESERVATION CONFLICT
 28h   TASK SET FULL
 30h   ACA ACTIVE
 40h   TASK ABORTED
Sense code: see http://en.wikipedia.org/wiki/Key_Code_Qualifier for more detail.
Key Code Qualifier is a computer term used to describe an error-code returned by a SCSI device.
When a SCSI target device returns a check condition in response to a command, the initiator usually then issues a SCSI Request Sense command. This process is part of a SCSI protocol called Contingent Allegiance Condition. The target will respond to the Request Sense command with a set of SCSI sense data which includes three fields giving increasing levels of detail about the error:
  • K - sense key - 4 bits, (byte 2 of Fixed sense data format)
  • C - additional sense code (ASC) - 8 bits, (byte 12 of Fixed sense data format)
  • Q - additional sense code qualifier (ASCQ) - 8 bits, (byte 13 of Fixed sense data format)
The initiator can take action based on just the K field which indicates if the error is minor or major. However all three fields are usually logically combined into a 20 bit field called Key Code Qualifier or KCQ. The specification for the target device will define the list of possible KCQ values. In practice there are many KCQ values which are common between different SCSI device types and different SCSI device vendors.
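As an added example that is not part of the original post, the Python below decodes "Failed Requests" rows from !classext using the storport.h and SCSI status tables quoted above, and combines the three sense bytes into the 20-bit KCQ described under Sense code. The sample rows are the first four from the !classext output above plus one constructed row (READ, SRB error, CHECK CONDITION, sense 03/11/00) that exercises the sense-data path; the sense key names come from the SCSI standard, not from this post.

```python
import re
from collections import Counter

# Subsets of the storport.h definitions quoted above.
SCSIOP = {0x23: "READ_FORMATTED_CAPACITY", 0x25: "READ_CAPACITY", 0x28: "READ", 0x2A: "WRITE"}
SRB_STATUS = {0x00: "PENDING", 0x01: "SUCCESS", 0x02: "ABORTED", 0x03: "ABORT_FAILED",
              0x04: "ERROR", 0x05: "BUSY", 0x06: "INVALID_REQUEST", 0x07: "INVALID_PATH_ID",
              0x08: "NO_DEVICE", 0x09: "TIMEOUT", 0x0A: "SELECTION_TIMEOUT", 0x0B: "COMMAND_TIMEOUT"}
# SCSI status byte, from the table above.
SCSI_STATUS = {0x00: "GOOD", 0x02: "CHECK CONDITION", 0x04: "CONDITION MET", 0x08: "BUSY",
               0x18: "RESERVATION CONFLICT", 0x28: "TASK SET FULL", 0x30: "ACA ACTIVE",
               0x40: "TASK ABORTED"}
# Sense key names are from the SCSI standard (SPC), not from the post.
SENSE_KEY = {0x0: "NO SENSE", 0x1: "RECOVERED ERROR", 0x2: "NOT READY", 0x3: "MEDIUM ERROR",
             0x4: "HARDWARE ERROR", 0x5: "ILLEGAL REQUEST", 0x6: "UNIT ATTENTION",
             0x7: "DATA PROTECT", 0x8: "BLANK CHECK", 0xB: "ABORTED COMMAND",
             0xD: "VOLUME OVERFLOW", 0xE: "MISCOMPARE"}

# The first four "Failed Requests" rows from the !classext output above, headers included.
FAILED_FROM_POST = """\
    Opcode Status Status Sense Code  Sector   Time Stamp
    ------ ------ ------ ---------- -------- ------------
      2a     0a     00    00 00 00  00521510 03:40:58.212
      2a     0a     00    00 00 00  00549f98 03:40:58.212
      2a     0a     00    00 00 00  0054a058 03:40:58.212
      2a     0a     00    00 00 00  0054a118 03:40:58.212
"""
# A constructed row (not from the post): READ, SRB_STATUS_ERROR, CHECK CONDITION, sense 03/11/00.
CONSTRUCTED_ROW = "      28     04     02    03 11 00  00123456 03:41:02.001\n"

ROW_RE = re.compile(
    r"^\s*([0-9a-f]{2})\s+([0-9a-f]{2})\s+([0-9a-f]{2})\s+"
    r"([0-9a-f]{2})\s+([0-9a-f]{2})\s+([0-9a-f]{2})\s+([0-9a-f]{8})\s+(\d\d:\d\d:\d\d\.\d+)",
    re.IGNORECASE)


def parse_failed_requests(text):
    """Parse Failed Requests rows into dicts of raw integer fields; headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        op, srb, scsi, key, asc, ascq, sector, ts = m.groups()
        rows.append({"opcode": int(op, 16), "srb_status": int(srb, 16), "scsi_status": int(scsi, 16),
                     "sense_key": int(key, 16) & 0x0F, "asc": int(asc, 16), "ascq": int(ascq, 16),
                     "sector": int(sector, 16), "time": ts})
    return rows


def decode_request(row):
    """Translate one row into names plus the 20-bit Key Code Qualifier (K<<16 | ASC<<8 | ASCQ)."""
    kcq = (row["sense_key"] << 16) | (row["asc"] << 8) | row["ascq"]
    return {
        "opcode": SCSIOP.get(row["opcode"], "0x%02X" % row["opcode"]),
        "srb_status": SRB_STATUS.get(row["srb_status"], "0x%02X" % row["srb_status"]),
        "scsi_status": SCSI_STATUS.get(row["scsi_status"], "0x%02X" % row["scsi_status"]),
        "sense_key": SENSE_KEY.get(row["sense_key"], "0x%X" % row["sense_key"]),
        "kcq": kcq,
        "sector": row["sector"],
        "time": row["time"],
        # Sense data only means something when the target actually answered CHECK CONDITION.
        "has_sense": row["scsi_status"] == 0x02,
    }


def summarize(rows):
    """Count failures by (opcode, SRB status) to expose the dominant failure pattern."""
    return Counter((SCSIOP.get(r["opcode"], "0x%02X" % r["opcode"]),
                    SRB_STATUS.get(r["srb_status"], "0x%02X" % r["srb_status"])) for r in rows)


if __name__ == "__main__":
    rows = parse_failed_requests(FAILED_FROM_POST + CONSTRUCTED_ROW)
    for row in rows:
        print(decode_request(row))
    print(summarize(rows))
```

Every row from the post decodes to WRITE with SRB status SELECTION_TIMEOUT, SCSI status GOOD and an all-zero sense field: the port driver never got the target to respond to selection, so no sense data exists to decode. That pattern points at the device, its link or the controller rather than at a bad block, which would instead appear as CHECK CONDITION with a MEDIUM ERROR sense key, as the constructed row shows.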

Sunday, January 1, 2012

WinDbg: how to get the computer name

The WinDbg help file shows how to get the computer name: it is stored as a Unicode string in srv!SrvComputerName.

There are two ways to display Unicode text:


 dS   Specifies that a UNICODE_STRING structure is to be displayed.
 du   Unicode characters. Each line displays up to 48 characters. The display continues until the first null byte or until all characters in the range have been displayed. All nonprintable characters, such as carriage returns and line feeds, are displayed as periods (.).

In this case, dS shows the computer name:

0: kd> dS srv!SrvComputerName
fffff8a0`0299aa60  "Y-SKU2-XX"

Notes:
  1. If the BSOD happened while the OS was still booting, srv.sys may not have been loaded yet.
  2. srv.sys is the "Server" driver.
  3. I tried the "!envvar COMPUTERNAME" command, but it cannot show the computer name.
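As an added example (not from the original post), here is a Python model of what dS and du do with a UNICODE_STRING such as srv!SrvComputerName, and why running du on the structure's own address shows only dots. The target memory is constructed: a UNICODE_STRING header at the address shown by dS above and the characters 0x20 bytes after it; the x64 layout (USHORT Length, USHORT MaximumLength, 4 bytes of padding, 8-byte Buffer pointer) is assumed.

```python
import struct

STRUCT_ADDR = 0xFFFFF8A00299AA60   # address printed by dS in the post
BUFFER_ADDR = STRUCT_ADDR + 0x20   # where the constructed sample places the character buffer


class Memory:
    """Constructed stand-in for target memory: one contiguous region at a base address."""

    def __init__(self, base, data):
        self.base, self.data = base, bytes(data)

    def read(self, addr, size):
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError("address %#x is outside the sample region" % addr)
        return self.data[off:off + size]


def build_sample_memory(name="Y-SKU2-XX"):
    """Lay out an x64 UNICODE_STRING (Length, MaximumLength, padding, Buffer) and,
    0x20 bytes later, the NUL-terminated UTF-16LE characters it points to."""
    chars = name.encode("utf-16-le")
    header = struct.pack("<HHIQ", len(chars), len(chars) + 2, 0, BUFFER_ADDR)
    region = bytearray(0x20 + len(chars) + 2)      # trailing two zero bytes: the NUL terminator
    region[0:len(header)] = header
    region[0x20:0x20 + len(chars)] = chars
    return Memory(STRUCT_ADDR, region)


def read_unicode_string(mem, addr, ptr_size=8):
    """What dS does: read the UNICODE_STRING header, then Length bytes from Buffer.
    The Buffer pointer sits at offset ptr_size (4 on x86, 8 on x64)."""
    length, max_length = struct.unpack("<HH", mem.read(addr, 4))
    if length > max_length or length % 2:
        raise ValueError("inconsistent UNICODE_STRING header at %#x" % addr)
    buffer_ptr = int.from_bytes(mem.read(addr + ptr_size, ptr_size), "little")
    return mem.read(buffer_ptr, length).decode("utf-16-le")


def read_unicode_chars(mem, addr, max_chars=48):
    """What du does: read UTF-16 units from addr until a NUL or max_chars,
    showing nonprintable characters as periods."""
    out = []
    for i in range(max_chars):
        unit = mem.read(addr + 2 * i, 2)
        if unit == b"\x00\x00":
            break
        ch = unit.decode("utf-16-le", errors="replace")
        out.append(ch if ch.isprintable() else ".")
    return "".join(out)


if __name__ == "__main__":
    mem = build_sample_memory()
    print(read_unicode_string(mem, STRUCT_ADDR))   # dS srv!SrvComputerName -> Y-SKU2-XX
    print(read_unicode_chars(mem, BUFFER_ADDR))    # du on the Buffer pointer -> Y-SKU2-XX
    print(read_unicode_chars(mem, STRUCT_ADDR))    # du on the structure itself -> ..
```

The last call is the common mistake: du on srv!SrvComputerName reads the Length and MaximumLength fields as characters, so it prints two periods and stops at the padding. dS follows the Buffer pointer for you, which is why it is the right command here.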