Windows 10: First memory dump from Win10

I generated this using NotMyFault with a High IRQL error.....

Attachment 5429

EDIT: It appears that the Symbol Server hasn't uploaded the symbols for this build *Sad

:)

 

Windows 10 netio.sys system service exception error

If you have set the option to Kernel Memory dump then a large file generates to C:/Windows/ with name memory .dmp. We call it a full memory dump.

If you have set the option to Small memory dump(our preferred and recommended) then file generates in C:/Windows/Minidump folder. This is called a minidump.

According to your settings, you should have a file at C:/Windows/ folder.

First of all change the settings to Small memory dumps.

Wait for the next BSOD to occur.

Do not use CCleaner or Disk cleanup as they might remove the dumps.

 

CrashDumps filling up SSD! solved

The nearest thing you can get to automated is to put a shortcut for the minidump folder on your desktop.

It sounds like you have Debugging set up for full Kernel crash dumps. The small (mini) dumps are what everyone request when troubleshooting issues that result in a crash dump being created.

Go to Control Panel > System > Advanced System Settings > Startup and Recovery.

Select Small Memory Dump from the drop down box in the Write Debugging Information
section.

You can also set up to overwrite each time. My Win10 has this selected automatically ( it's greyed out as well ).

.

 

Code: Windows 8 Kernel Version 9841 UP Free x64[/quote] So it is still considered as Win8. *Smile

 

Nope, it's just incompletely coded. FWIW - in Win7 you'd often see things that said "Vista"
This is roughly analogous to the M1 or M2 build - it's really (IMO) an "alpha" build

 

Here's the output from the app I use to run memory dumps:

3rd Party Drivers:
The following is for information purposes only.
Any drivers in red should be updated or removed from your system. And should have been discussed in the body of my post.
Code: **************************Wed Oct 1 13:11:08.529 2014 (UTC - 4:00)************************** E1G6032E.sys Tue Mar 23 17:08:16 2010 (4BA92DC0) myfault.sys Sat Apr 7 12:34:41 2012 (4F806CA1) ntosext.sys Fri Sep 12 21:39:09 2014 (5413A03D) intelppm.sys Fri Sep 12 21:39:14 2014 (5413A042) CEA.sys Sat Sep 13 00:13:23 2014 (5413C463) clipsp.sys Sat Sep 13 00:13:48 2014 (5413C47C) mmcss.sys Sat Sep 13 00:13:49 2014 (5413C47D) intelide.sys Sat Sep 13 00:14:32 2014 (5413C4A8) cmimcext.sys Sat Sep 13 00:14:46 2014 (5413C4B6) [/quote] http://www.carrona.org/drivers/driver.php?id=E1G6032E.sys
http://www.carrona.org/drivers/driver.php?id=myfault.sys
ntosext.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=intelppm.sys
CEA.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
clipsp.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
mmcss.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=intelide.sys
cmimcext.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
[/quote]

 

And here's the output of WinDbg with !analyze -v and lmstmn lmtsmn:

Code: Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\Users\John\Downloads\100114-5937-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available ************* Symbol Path validation summary ************** Response Time (ms) Location Deferred SRV*c:\symbols*Symbol information Deferred srv*c:\SymcachePublic*404 - File or directory not found. Symbol search path is: SRV*c:\symbols*http://ctxsym.citrix.com/symbolsad/symbols]404 - File or directory not found.[/url] Executable search path is: Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe Windows 8 Kernel Version 9841 UP Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 9841.0.amd64fre.fbl_release.140912-1613 Machine Name: Kernel base = 0xfffff801`6d201000 PsLoadedModuleList = 0xfffff801`6d4f08b0 Debug session time: Wed Oct 1 13:11:08.529 2014 (UTC - 4:00) System Uptime: 0 days 0:15:34.874 Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe Loading Kernel Symbols . Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long. Run !sym noisy before .reload to track down problems loading symbols. .............................................................. ................................................................ ........ Loading User Symbols Loading unloaded module list ...... ************* Symbol Loading Error Summary ************** Module name Error ntoskrnl The system cannot find the file specified You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded. You should also verify that your symbol search path (.sympath) is correct. ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck D1, {ffffc0012f5306b0, 2, 0, fffff80072101385} ***** Kernel symbols are WRONG. Please fix symbols to do analysis. ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* Unable to load image \??\C:\Windows\system32\drivers\myfault.sys, Win32 error 0n2 *** WARNING: Unable to verify timestamp for myfault.sys *** ERROR: Module load completed but symbols could not be loaded for myfault.sys ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* Probably caused by : myfault.sys ( myfault+1385 ) Followup: MachineOwner --------- kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: ffffc0012f5306b0, memory referenced Arg2: 0000000000000002, IRQL Arg3: 0000000000000000, value 0 = read operation, 1 = write operation Arg4: fffff80072101385, address which referenced memory Debugging Details: ------------------ ***** Kernel symbols are WRONG. Please fix symbols to do analysis. ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_KPRCB *** *** *** ************************************************************************* ADDITIONAL_DEBUG_TEXT: You can run '.symfix; .reload' to try to fix the symbol path and load symbols. MODULE_NAME: myfault FAULTING_MODULE: fffff8016d201000 nt DEBUG_FLR_IMAGE_TIMESTAMP: 4f806ca1 READ_ADDRESS: unable to get nt!MmSpecialPoolStart unable to get nt!MmSpecialPoolEnd unable to get nt!MmPagedPoolEnd unable to get nt!MmNonPagedPoolStart unable to get nt!MmSizeOfNonPagedPoolInBytes ffffc0012f5306b0 CURRENT_IRQL: 0 FAULTING_IP: myfault+1385 fffff800`72101385 8b03 mov eax,dword ptr [rbx] CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT BUGCHECK_STR: AV ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre LAST_CONTROL_TRANSFER: from 000000000000000a to fffff8016d32e629 STACK_TEXT: ffffd001`d7a1c740 00000000`0000000a : ffffc001`2f5306b0 00000000`00000002 00000000`00000000 fffff800`72101385 : nt+0x12d629 ffffd001`d7a1c748 ffffc001`2f5306b0 : 00000000`00000002 00000000`00000000 fffff800`72101385 00000000`00000000 : 0xa ffffd001`d7a1c750 00000000`00000002 : 00000000`00000000 fffff800`72101385 00000000`00000000 00000000`00000000 : 0xffffc001`2f5306b0 ffffd001`d7a1c758 00000000`00000000 : fffff800`72101385 00000000`00000000 00000000`00000000 00000000`00000000 : 0x2 STACK_COMMAND: .bugcheck ; kb FOLLOWUP_IP: myfault+1385 fffff800`72101385 8b03 mov eax,dword ptr [rbx] SYMBOL_NAME: myfault+1385 FOLLOWUP_NAME: MachineOwner IMAGE_NAME: myfault.sys BUCKET_ID: WRONG_SYMBOLS FAILURE_BUCKET_ID: WRONG_SYMBOLS ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:wrong_symbols FAILURE_ID_HASH: {70b057e8-2462-896f-28e7-ac72d4d365f8} Followup: MachineOwner --------- kd> lmtsmn start end module name fffff800`6ffc0000 fffff800`7004f000 ACPI ACPI.sys Fri Sep 12 21:39:21 2014 (5413A049) fffff800`6ff90000 fffff800`6ffae000 acpiex acpiex.sys Sat Sep 13 00:12:36 2014 (5413C434) fffff800`71220000 fffff800`712ac000 afd afd.sys Sat Sep 13 00:11:38 2014 (5413C3FA) fffff800`71470000 fffff800`7149b000 ahcache ahcache.sys Fri Sep 12 21:39:11 2014 (5413A03F) fffff800`70550000 fffff800`7055a000 atapi atapi.sys Sat Sep 13 00:14:55 2014 (5413C4BF) fffff800`70560000 fffff800`70594000 ataport ataport.SYS Fri Sep 12 21:39:13 2014 (5413A041) fffff800`70f70000 fffff800`70f82000 BasicDisplay BasicDisplay.sys Sat Sep 13 00:14:06 2014 (5413C48E) fffff800`71160000 fffff800`7116e000 BasicRender BasicRender.sys Sat Sep 13 00:13:57 2014 (5413C485) fffff800`71630000 fffff800`7163c000 BATTC BATTC.SYS Sat Sep 13 00:14:33 2014 (5413C4A9) fffff800`70f60000 fffff800`70f68000 Beep Beep.SYS Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`702d0000 fffff800`702db000 BOOTVID BOOTVID.dll Sat Sep 13 00:14:49 2014 (5413C4B9) fffff800`71b80000 fffff800`71ba0000 bowser bowser.sys Sat Sep 13 00:13:10 2014 (5413C456) fffff960`50000000 fffff960`5003a000 cdd cdd.dll unavailable (00000000) fffff800`70f20000 fffff800`70f4f000 cdrom cdrom.sys Fri Sep 12 21:39:15 2014 (5413A043) fffff800`70dd0000 fffff800`70de4000 CEA CEA.sys Sat Sep 13 00:13:23 2014 (5413C463) fffff800`70300000 fffff800`70387000 CI CI.dll Sat Sep 13 00:12:49 2014 (5413C441) fffff800`70e00000 fffff800`70e5e000 CLASSPNP CLASSPNP.SYS Fri Sep 12 21:39:18 2014 (5413A046) fffff800`70220000 fffff800`7027f000 CLFS CLFS.SYS Sat Sep 13 00:14:28 2014 (5413C4A4) fffff800`6fe80000 fffff800`6fe93000 clipsp clipsp.sys Sat Sep 13 00:13:48 2014 (5413C47C) fffff800`71620000 fffff800`7162c000 CmBatt CmBatt.sys Sat Sep 13 00:14:17 2014 (5413C499) fffff800`702e0000 fffff800`702ec000 cmimcext cmimcext.sys Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`70060000 fffff800`700ed000 cng cng.sys Sat Sep 13 00:12:33 2014 (5413C431) fffff800`714a0000 fffff800`714af000 CompositeBus CompositeBus.sys Sat Sep 13 00:13:40 2014 (5413C474) fffff800`720f0000 fffff800`72100000 condrv condrv.sys Sat Sep 13 00:14:42 2014 (5413C4B2) fffff800`70e80000 fffff800`70e95000 crashdmp crashdmp.sys Sat Sep 13 00:14:31 2014 (5413C4A7) fffff800`71360000 fffff800`713eb000 csc csc.sys Sat Sep 13 00:13:10 2014 (5413C456) fffff800`71420000 fffff800`71447000 dfsc dfsc.sys Sat Sep 13 00:12:58 2014 (5413C44A) fffff800`71da0000 fffff800`71dbb000 disk disk.sys Fri Sep 12 21:39:14 2014 (5413A042) fffff800`71820000 fffff800`7182a000 dump_atapi dump_atapi.sys Sat Sep 13 00:14:55 2014 (5413C4BF) fffff800`71800000 fffff800`7180d000 dump_ataport dump_ataport.sys Sat Sep 13 00:14:22 2014 (5413C49E) fffff800`71850000 fffff800`71866000 dump_dumpfve dump_dumpfve.sys Sat Sep 13 00:14:24 2014 (5413C4A0) fffff800`70fb0000 fffff800`71157000 dxgkrnl dxgkrnl.sys Sat Sep 13 00:12:37 2014 (5413C435) fffff800`71940000 fffff800`719a1000 dxgmms1 dxgmms1.sys Sat Sep 13 00:12:27 2014 (5413C42B) fffff800`71550000 fffff800`71574080 E1G6032E E1G6032E.sys Tue Mar 23 17:08:16 2010 (4BA92DC0) fffff800`705a0000 fffff800`705ba000 EhStorClass EhStorClass.sys Sat Sep 13 00:13:18 2014 (5413C45E) fffff800`705c0000 fffff800`705d6000 fileinfo fileinfo.sys Sat Sep 13 00:13:31 2014 (5413C46B) fffff800`6fe00000 fffff800`6fe59000 FLTMGR FLTMGR.SYS Sat Sep 13 00:14:27 2014 (5413C4A3) fffff800`70870000 fffff800`7087c000 Fs_Rec Fs_Rec.sys unavailable (00000000) fffff800`71c00000 fffff800`71c9b000 fvevol fvevol.sys Sat Sep 13 00:12:27 2014 (5413C42B) fffff800`70cb0000 fffff800`70d13000 fwpkclnt fwpkclnt.sys Sat Sep 13 00:11:41 2014 (5413C3FD) fffff801`6d9d5000 fffff801`6da3f000 hal hal.dll Fri Sep 12 21:39:19 2014 (5413A047) fffff800`719c0000 fffff800`719e1000 HIDCLASS HIDCLASS.SYS Sat Sep 13 00:13:52 2014 (5413C480) fffff800`71be0000 fffff800`71bef000 HIDPARSE HIDPARSE.SYS Sat Sep 13 00:14:49 2014 (5413C4B9) fffff800`719b0000 fffff800`719bd000 hidusb hidusb.sys Sat Sep 13 00:13:42 2014 (5413C476) fffff800`71a70000 fffff800`71b5f000 HTTP HTTP.sys Sat Sep 13 00:11:41 2014 (5413C3FD) fffff800`714e0000 fffff800`714fc000 i8042prt i8042prt.sys Sat Sep 13 00:13:55 2014 (5413C483) fffff800`70510000 fffff800`70518000 intelide intelide.sys Sat Sep 13 00:14:32 2014 (5413C4A8) fffff800`71d80000 fffff800`71d8f000 intelpep intelpep.sys Sat Sep 13 00:13:39 2014 (5413C473) fffff800`71640000 fffff800`71663000 intelppm intelppm.sys Fri Sep 12 21:39:14 2014 (5413A042) fffff800`71500000 fffff800`71512000 kbdclass kbdclass.sys Sat Sep 13 00:13:59 2014 (5413C487) fffff801`6c8f6000 fffff801`6c8ff000 kdcom kdcom.dll Sat Sep 13 00:14:58 2014 (5413C4C2) fffff800`714b0000 fffff800`714bb000 kdnic kdnic.sys Sat Sep 13 00:13:05 2014 (5413C451) fffff800`71690000 fffff800`716e8000 ks ks.sys Sat Sep 13 00:14:20 2014 (5413C49C) fffff800`6fe60000 fffff800`6fe80000 ksecdd ksecdd.sys Sat Sep 13 00:13:50 2014 (5413C47E) fffff800`70a10000 fffff800`70a3a000 ksecpkg ksecpkg.sys Sat Sep 13 00:12:16 2014 (5413C420) fffff800`71a30000 fffff800`71a44000 lltdio lltdio.sys Sat Sep 13 00:11:44 2014 (5413C400) fffff800`71a00000 fffff800`71a25000 luafv luafv.sys Sat Sep 13 00:14:12 2014 (5413C494) fffff800`701a0000 fffff800`7020c000 mcupdate mcupdate.dll Sat Sep 13 00:14:42 2014 (5413C4B2) fffff800`73080000 fffff800`73091000 mmcss mmcss.sys Sat Sep 13 00:13:49 2014 (5413C47D) fffff800`71930000 fffff800`7193e000 monitor monitor.sys Sat Sep 13 00:12:00 2014 (5413C410) fffff800`71520000 fffff800`71530000 mouclass mouclass.sys Sat Sep 13 00:13:58 2014 (5413C486) fffff800`719f0000 fffff800`719fd000 mouhid mouhid.sys Sat Sep 13 00:13:58 2014 (5413C486) fffff800`70530000 fffff800`7054b000 mountmgr mountmgr.sys Sat Sep 13 00:14:24 2014 (5413C4A0) fffff800`718b0000 fffff800`718c7000 mpsdrv mpsdrv.sys Sat Sep 13 00:10:07 2014 (5413C39F) fffff800`70ea0000 fffff800`70f0d000 mrxsmb mrxsmb.sys Sat Sep 13 00:09:53 2014 (5413C391) fffff800`730a0000 fffff800`730eb000 mrxsmb10 mrxsmb10.sys Sat Sep 13 00:09:51 2014 (5413C38F) fffff800`71870000 fffff800`718a9000 mrxsmb20 mrxsmb20.sys Sat Sep 13 00:12:30 2014 (5413C42E) fffff800`71190000 fffff800`7119c000 Msfs Msfs.SYS Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`70110000 fffff800`7011a000 msisadrv msisadrv.sys Sat Sep 13 00:13:50 2014 (5413C47E) fffff800`71b60000 fffff800`71b76000 mslldp mslldp.sys Sat Sep 13 00:11:32 2014 (5413C3F4) fffff800`70390000 fffff800`703e8000 msrpc msrpc.sys unavailable (00000000) fffff800`71410000 fffff800`7141c000 mssmbios mssmbios.sys Sat Sep 13 00:14:11 2014 (5413C493) fffff800`71d60000 fffff800`71d75000 mup mup.sys Sat Sep 13 00:14:45 2014 (5413C4B5) fffff800`72100000 fffff800`72107000 myfault myfault.sys Sat Apr 07 12:34:41 2012 (4F806CA1) fffff800`70880000 fffff800`70997000 ndis ndis.sys Sat Sep 13 00:11:52 2014 (5413C408) fffff800`71670000 fffff800`7167b000 NdisVirtualBus NdisVirtualBus.sys Sat Sep 13 00:11:53 2014 (5413C409) fffff800`730f0000 fffff800`7310d000 Ndu Ndu.sys Sat Sep 13 00:10:01 2014 (5413C399) fffff800`712e0000 fffff800`712f0000 netbios netbios.sys Sat Sep 13 00:13:16 2014 (5413C45C) fffff800`711d0000 fffff800`71219000 netbt netbt.sys Sat Sep 13 00:11:41 2014 (5413C3FD) fffff800`709a0000 fffff800`70a0d000 NETIO NETIO.SYS Sat Sep 13 00:11:41 2014 (5413C3FD) fffff800`71170000 fffff800`71185000 Npfs Npfs.SYS Sat Sep 13 00:14:47 2014 (5413C4B7) fffff800`71400000 fffff800`7140c000 npsvctrig npsvctrig.sys Sat Sep 13 00:13:22 2014 (5413C462) fffff800`713f0000 fffff800`713fe000 nsiproxy nsiproxy.sys Sat Sep 13 00:12:00 2014 (5413C410) fffff801`6d201000 fffff801`6d9d5000 nt ntoskrnl.exe Sat Sep 13 00:19:10 2014 (5413C5BE) fffff800`70670000 fffff800`7086c000 Ntfs Ntfs.sys Fri Sep 12 21:39:37 2014 (5413A059) fffff800`702f0000 fffff800`702fa000 ntosext ntosext.sys Fri Sep 12 21:39:09 2014 (5413A03D) fffff800`70f50000 fffff800`70f58000 Null Null.SYS unavailable (00000000) fffff800`712b0000 fffff800`712d9000 pacer pacer.sys Sat Sep 13 00:09:56 2014 (5413C394) fffff800`71530000 fffff800`7154c000 parport parport.sys Sat Sep 13 00:14:30 2014 (5413C4A6) fffff800`70400000 fffff800`7041c000 partmgr partmgr.sys Fri Sep 12 21:39:14 2014 (5413A042) fffff800`70120000 fffff800`70169000 pci pci.sys Sat Sep 13 00:13:16 2014 (5413C45C) fffff800`70520000 fffff800`7052f000 PCIIDEX PCIIDEX.SYS Sat Sep 13 00:14:17 2014 (5413C499) fffff800`70100000 fffff800`70110000 pcw pcw.sys Fri Sep 12 21:39:10 2014 (5413A03E) fffff800`70180000 fffff800`7019b000 pdc pdc.sys Fri Sep 12 21:39:12 2014 (5413A040) fffff800`73110000 fffff800`731ba000 peauth peauth.sys Sat Sep 13 00:11:42 2014 (5413C3FE) fffff800`702b0000 fffff800`702c6000 PSHED PSHED.dll Sat Sep 13 01:35:42 2014 (5413D7AE) fffff800`712f0000 fffff800`7135e000 rdbss rdbss.sys Sat Sep 13 00:12:19 2014 (5413C423) fffff800`716f0000 fffff800`716fb000 rdpbus rdpbus.sys Sat Sep 13 00:13:44 2014 (5413C478) fffff800`71d10000 fffff800`71d52000 rdyboost rdyboost.sys Sat Sep 13 00:13:27 2014 (5413C467) fffff800`71a50000 fffff800`71a68000 rspndr rspndr.sys Sat Sep 13 00:11:46 2014 (5413C402) fffff800`72090000 fffff800`7209b000 secdrv secdrv.SYS Wed Sep 13 09:18:38 2006 (4508052E) fffff800`70420000 fffff800`7048d000 spaceport spaceport.sys unavailable (00000000) fffff800`72000000 fffff800`7208c000 srv srv.sys Sat Sep 13 00:12:05 2014 (5413C415) fffff800`72fd0000 fffff800`7307c000 srv2 srv2.sys Sat Sep 13 00:12:07 2014 (5413C417) fffff800`718d0000 fffff800`71910000 srvnet srvnet.sys Sat Sep 13 00:09:51 2014 (5413C38F) fffff800`71680000 fffff800`7168a000 swenum swenum.sys Sat Sep 13 00:14:12 2014 (5413C494) fffff800`70a40000 fffff800`70ca2000 tcpip tcpip.sys Sat Sep 13 00:11:20 2014 (5413C3E8) fffff800`720a0000 fffff800`720b2000 tcpipreg tcpipreg.sys Sat Sep 13 00:10:08 2014 (5413C3A0) fffff800`711c0000 fffff800`711cd000 TDI TDI.SYS Sat Sep 13 00:13:20 2014 (5413C460) fffff800`711a0000 fffff800`711bf000 tdx tdx.sys Sat Sep 13 00:11:47 2014 (5413C403) fffff800`70280000 fffff800`702a2000 tm tm.sys Fri Sep 12 21:39:11 2014 (5413A03F) fffff960`3a200000 fffff960`3a209000 TSDDD TSDDD.dll unavailable (00000000) fffff800`720c0000 fffff800`720ec000 tunnel tunnel.sys Sat Sep 13 00:09:51 2014 (5413C38F) fffff800`71790000 fffff800`717e3000 udfs udfs.sys Sat Sep 13 00:14:44 2014 (5413C4B4) fffff800`714c0000 fffff800`714d1000 umbus umbus.sys Sat Sep 13 00:13:48 2014 (5413C47C) fffff800`71780000 fffff800`7178c000 USBD USBD.SYS Sat Sep 13 00:14:45 2014 (5413C4B5) fffff800`71600000 fffff800`71619000 usbehci usbehci.sys Sat Sep 13 00:13:58 2014 (5413C486) fffff800`71700000 fffff800`71779000 usbhub usbhub.sys Sat Sep 13 00:13:27 2014 (5413C467) fffff800`71580000 fffff800`7158c000 usbohci usbohci.sys Sat Sep 13 00:14:03 2014 (5413C48B) fffff800`71590000 fffff800`715ff000 USBPORT USBPORT.SYS Sat Sep 13 00:14:14 2014 (5413C496) fffff800`70170000 fffff800`7017d000 vdrvroot vdrvroot.sys Sat Sep 13 00:13:42 2014 (5413C476) fffff800`70490000 fffff800`704a6000 volmgr volmgr.sys Fri Sep 12 21:39:14 2014 (5413A042) fffff800`704b0000 fffff800`7050b000 volmgrx volmgrx.sys unavailable (00000000) fffff800`71ca0000 fffff800`71d03000 volsnap volsnap.sys Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`70f90000 fffff800`70fa2000 watchdog watchdog.sys Sat Sep 13 00:14:13 2014 (5413C495) fffff800`6fea0000 fffff800`6ff72000 Wdf01000 Wdf01000.sys Sat Sep 13 00:12:08 2014 (5413C418) fffff800`70620000 fffff800`70667000 WdFilter WdFilter.sys Sat Sep 13 00:13:55 2014 (5413C483) fffff800`6ff80000 fffff800`6ff90000 WDFLDR WDFLDR.SYS Sat Sep 13 00:13:49 2014 (5413C47D) fffff800`70210000 fffff800`7021e000 werkernel werkernel.sys Sat Sep 13 00:14:47 2014 (5413C4B7) fffff800`70d20000 fffff800`70d43000 wfplwfs wfplwfs.sys Sat Sep 13 00:11:31 2014 (5413C3F3) fffff960`0bc00000 fffff960`0bc1c000 win32k win32k.sys unavailable (00000000) fffff960`35e00000 fffff960`35eb8000 win32kbase win32kbase.sys unavailable (00000000) fffff960`2ae00000 fffff960`2b162000 win32kfull win32kfull.sys unavailable (00000000) fffff800`70050000 fffff800`7005a000 WMILIB WMILIB.SYS Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`705e0000 fffff800`7061e000 Wof Wof.sys Sat Sep 13 00:12:16 2014 (5413C420) fffff800`6ffb0000 fffff800`6ffbb000 WppRecorder WppRecorder.sys Fri Sep 12 21:39:10 2014 (5413A03E) Unloaded modules: fffff800`70eb0000 fffff800`70ebd000 dump_ataport Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000D000 fffff800`70ed0000 fffff800`70eda000 dump_atapi.s Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000A000 fffff800`70f00000 fffff800`70f16000 dump_dumpfve Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 00016000 fffff800`71450000 fffff800`71461000 dam.sys Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 00011000 fffff800`700f0000 fffff800`700fb000 WdBoot.sys Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000B000 fffff800`71d90000 fffff800`71d9c000 hwpolicy.sys Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000C000[/quote] aka John MVP Windows Expert - Consumer
My Website: www.carrona.org ' ' Sysnative Forums
If I haven't replied in 48 hours, please send me a PM.
- I check replies to topics that I'm working first, then I check new posts (from oldest to newest) as time allows. I only have a few hours available in the mornings - so that's when you'll find me online.

 

I'd have thought symbols would have been available pretty much straight away, there will be many BSODs to debug in the coming months while people test the Tech Preview.

 

Still not on the symbol server.
A friend found them posted on MSDN here: Download Windows Symbol Packages

 

Brilliant stuff, thanks John. Very useful indeed.

 

Forgot to post this before I went to work. It's in response to post #7 by Boozad:

Different divisions of Microsoft. And symbols are likely available to Microsoft (they're private symbols now). Microsoft doesn't solicit BSOD advice from us, it uses the Windows Error reporting to gather memory dumps and analyzes them with their own developers (and they have access to the source code also - which makes the developers' job much easier when analyzing BSOD's).

When developing the new OS, I'm unsure at what stage they will develop the symbols for the drivers (different divisions may do it at different times.
But, at some point someone at Microsoft has to make a decision to move from private symbols to public symbols - and that seems most likely to happen around the time that the bits are released (FYI - this is the first time that I've generated a BSOD on the day a product was released, so I don't know if this is "business as usual" or not).

Then, once the decision is made, the different divisions have to coordinate their efforts.
Once done (likely at the Windows division level) then they have to submit them to the division that controls the Symbol Server.
And, once the Symbol Server folks get the symbols, then they have to work their magic on it before releasing it for the world to access.

And, if a glitch occurs (which is more likely in the pre-beta and beta releases than in the final code) - then they've gotta go back and figure out what to do.
Ple
Finally, as there are going to be OS updates along the road to the final release, that is going to complicate the release of symbols to the Symbol Server - as the OS will be changing often.

EDIT: Please note that this was written before I was told about the symbols for download on MSDN.
I hadn't even though to look there!

 

Hi John,

Nice to see you're still bugging Windows all over the web. *Cool

 

John, is this a Windows Phone/tablet driver? I can't find any references for it.

Code: win32kfull start end module name fffff960`2ae00000 fffff960`2b162000 win32kfull T (no symbols) Loaded symbol image file: win32kfull.sys Image path: \SystemRoot\System32\win32kfull.sys Image name: win32kfull.sys Timestamp: unavailable (00000000) CheckSum: 00000000 ImageSize: 00362000 Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4[/quote]

 

It appears that the symbols are available on the symbol server.
Here's the WinDbg output w/!analyze -v and lmtsmn:
Code: Microsoft (R) Windows Debugger Version 6.3.9600.16384 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\Users\John\Downloads\100114-5937-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available ************* Symbol Path validation summary ************** Response Time (ms) Location Deferred SRV*c:\symbols*Symbol information Deferred srv*c:\SymcachePublic*http://ctxsym.citrix.com/symbolsad/symbols Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/...ic*http://ctxsym.citrix.com/symbolsad/symbols Executable search path is: Windows 8 Kernel Version 9841 UP Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 9841.0.amd64fre.fbl_release.140912-1613 Machine Name: Kernel base = 0xfffff801`6d201000 PsLoadedModuleList = 0xfffff801`6d4f08b0 Debug session time: Wed Oct 1 13:11:08.529 2014 (UTC - 4:00) System Uptime: 0 days 0:15:34.874 Loading Kernel Symbols . Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long. Run !sym noisy before .reload to track down problems loading symbols. .............................................................. ................................................................ ........ Loading User Symbols Loading unloaded module list ...... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck D1, {ffffc0012f5306b0, 2, 0, fffff80072101385} *** WARNING: Unable to verify timestamp for myfault.sys *** ERROR: Module load completed but symbols could not be loaded for myfault.sys GetPointerFromAddress: unable to read from fffff8016d5848f0 Probably caused by : myfault.sys ( myfault+1385 ) Followup: MachineOwner --------- kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: ffffc0012f5306b0, memory referenced Arg2: 0000000000000002, IRQL Arg3: 0000000000000000, value 0 = read operation, 1 = write operation Arg4: fffff80072101385, address which referenced memory Debugging Details: ------------------ OVERLAPPED_MODULE: Address regions for 'mrxsmb' and 'dump_ataport' overlap READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8016d584920 unable to get nt!MmNonPagedPoolStart unable to get nt!MmSizeOfNonPagedPoolInBytes ffffc0012f5306b0 CURRENT_IRQL: 2 FAULTING_IP: myfault+1385 fffff800`72101385 8b03 mov eax,dword ptr [rbx] CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT BUGCHECK_STR: AV PROCESS_NAME: NotMyfault.exe ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre TRAP_FRAME: ffffd001d7a1c880 -- (.trap 0xffffd001d7a1c880) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=000000002d861c60 rbx=0000000000000000 rcx=ffffc0012f70c010 rdx=000000000000074e rsi=0000000000000000 rdi=0000000000000000 rip=fffff80072101385 rsp=ffffd001d7a1ca10 rbp=ffffd001d7a1cec0 r8=ffffe0005d21b000 r9=00000000000007ff r10=fffff8016d201000 r11=0000000000000002 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc myfault+0x1385: fffff800`72101385 8b03 mov eax,dword ptr [rbx] ds:00000000`00000000=???????? Resetting default scope LAST_CONTROL_TRANSFER: from fffff8016d32ce48 to fffff8016d32e629 STACK_TEXT: ffffd001`d7a1c740 fffff801`6d32ce48 : ffffd001`00000002 ffffd001`d7a1c8e0 00000000`00000030 ffffd001`d7a1c980 : nt!KiBugCheckDispatch+0x69 ffffd001`d7a1c880 fffff800`72101385 : 00000000`00000001 00000000`00001000 ffffe000`5e63c040 00000000`656e6f4e : nt!KiPageFault+0x248 ffffd001`d7a1ca10 00000000`00000001 : 00000000`00001000 ffffe000`5e63c040 00000000`656e6f4e 00000000`00000000 : myfault+0x1385 ffffd001`d7a1ca18 00000000`00001000 : ffffe000`5e63c040 00000000`656e6f4e 00000000`00000000 fffff801`6d213610 : 0x1 ffffd001`d7a1ca20 ffffe000`5e63c040 : 00000000`656e6f4e 00000000`00000000 fffff801`6d213610 fffff960`2ae00000 : 0x1000 ffffd001`d7a1ca28 00000000`656e6f4e : 00000000`00000000 fffff801`6d213610 fffff960`2ae00000 00000000`000000f0 : 0xffffe000`5e63c040 ffffd001`d7a1ca30 00000000`00000000 : fffff801`6d213610 fffff960`2ae00000 00000000`000000f0 00000000`00000001 : 0x656e6f4e STACK_COMMAND: kb FOLLOWUP_IP: myfault+1385 fffff800`72101385 8b03 mov eax,dword ptr [rbx] SYMBOL_STACK_INDEX: 2 SYMBOL_NAME: myfault+1385 FOLLOWUP_NAME: MachineOwner MODULE_NAME: myfault IMAGE_NAME: myfault.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4f806ca1 FAILURE_BUCKET_ID: AV_myfault+1385 BUCKET_ID: AV_myfault+1385 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:av_myfault+1385 FAILURE_ID_HASH: {88284f85-8087-2f77-5c4e-f6ddb4b8e5f8} Followup: MachineOwner --------- kd> lmtsmn start end module name fffff800`6ffc0000 fffff800`7004f000 ACPI ACPI.sys Fri Sep 12 21:39:21 2014 (5413A049) fffff800`6ff90000 fffff800`6ffae000 acpiex acpiex.sys Sat Sep 13 00:12:36 2014 (5413C434) fffff800`71220000 fffff800`712ac000 afd afd.sys Sat Sep 13 00:11:38 2014 (5413C3FA) fffff800`71470000 fffff800`7149b000 ahcache ahcache.sys Fri Sep 12 21:39:11 2014 (5413A03F) fffff800`70550000 fffff800`7055a000 atapi atapi.sys Sat Sep 13 00:14:55 2014 (5413C4BF) fffff800`70560000 fffff800`70594000 ataport ataport.SYS Fri Sep 12 21:39:13 2014 (5413A041) fffff800`70f70000 fffff800`70f82000 BasicDisplay BasicDisplay.sys Sat Sep 13 00:14:06 2014 (5413C48E) fffff800`71160000 fffff800`7116e000 BasicRender BasicRender.sys Sat Sep 13 00:13:57 2014 (5413C485) fffff800`71630000 fffff800`7163c000 BATTC BATTC.SYS Sat Sep 13 00:14:33 2014 (5413C4A9) fffff800`70f60000 fffff800`70f68000 Beep Beep.SYS Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`702d0000 fffff800`702db000 BOOTVID BOOTVID.dll Sat Sep 13 00:14:49 2014 (5413C4B9) fffff800`71b80000 fffff800`71ba0000 bowser bowser.sys Sat Sep 13 00:13:10 2014 (5413C456) fffff960`50000000 fffff960`5003a000 cdd cdd.dll unavailable (00000000) fffff800`70f20000 fffff800`70f4f000 cdrom cdrom.sys Fri Sep 12 21:39:15 2014 (5413A043) fffff800`70dd0000 fffff800`70de4000 CEA CEA.sys Sat Sep 13 00:13:23 2014 (5413C463) fffff800`70300000 fffff800`70387000 CI CI.dll Sat Sep 13 00:12:49 2014 (5413C441) fffff800`70e00000 fffff800`70e5e000 CLASSPNP CLASSPNP.SYS Fri Sep 12 21:39:18 2014 (5413A046) fffff800`70220000 fffff800`7027f000 CLFS CLFS.SYS Sat Sep 13 00:14:28 2014 (5413C4A4) fffff800`6fe80000 fffff800`6fe93000 clipsp clipsp.sys Sat Sep 13 00:13:48 2014 (5413C47C) fffff800`71620000 fffff800`7162c000 CmBatt CmBatt.sys Sat Sep 13 00:14:17 2014 (5413C499) fffff800`702e0000 fffff800`702ec000 cmimcext cmimcext.sys Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`70060000 fffff800`700ed000 cng cng.sys Sat Sep 13 00:12:33 2014 (5413C431) fffff800`714a0000 fffff800`714af000 CompositeBus CompositeBus.sys Sat Sep 13 00:13:40 2014 (5413C474) fffff800`720f0000 fffff800`72100000 condrv condrv.sys Sat Sep 13 00:14:42 2014 (5413C4B2) fffff800`70e80000 fffff800`70e95000 crashdmp crashdmp.sys Sat Sep 13 00:14:31 2014 (5413C4A7) fffff800`71360000 fffff800`713eb000 csc csc.sys Sat Sep 13 00:13:10 2014 (5413C456) fffff800`71420000 fffff800`71447000 dfsc dfsc.sys Sat Sep 13 00:12:58 2014 (5413C44A) fffff800`71da0000 fffff800`71dbb000 disk disk.sys Fri Sep 12 21:39:14 2014 (5413A042) fffff800`71820000 fffff800`7182a000 dump_atapi dump_atapi.sys Sat Sep 13 00:14:55 2014 (5413C4BF) fffff800`71800000 fffff800`7180d000 dump_ataport dump_ataport.sys Sat Sep 13 00:14:22 2014 (5413C49E) fffff800`71850000 fffff800`71866000 dump_dumpfve dump_dumpfve.sys Sat Sep 13 00:14:24 2014 (5413C4A0) fffff800`70fb0000 fffff800`71157000 dxgkrnl dxgkrnl.sys Sat Sep 13 00:12:37 2014 (5413C435) fffff800`71940000 fffff800`719a1000 dxgmms1 dxgmms1.sys Sat Sep 13 00:12:27 2014 (5413C42B) fffff800`71550000 fffff800`71574080 E1G6032E E1G6032E.sys Tue Mar 23 17:08:16 2010 (4BA92DC0) fffff800`705a0000 fffff800`705ba000 EhStorClass EhStorClass.sys Sat Sep 13 00:13:18 2014 (5413C45E) fffff800`705c0000 fffff800`705d6000 fileinfo fileinfo.sys Sat Sep 13 00:13:31 2014 (5413C46B) fffff800`6fe00000 fffff800`6fe59000 FLTMGR FLTMGR.SYS Sat Sep 13 00:14:27 2014 (5413C4A3) fffff800`70870000 fffff800`7087c000 Fs_Rec Fs_Rec.sys unavailable (00000000) fffff800`71c00000 fffff800`71c9b000 fvevol fvevol.sys Sat Sep 13 00:12:27 2014 (5413C42B) fffff800`70cb0000 fffff800`70d13000 fwpkclnt fwpkclnt.sys Sat Sep 13 00:11:41 2014 (5413C3FD) fffff801`6d9d5000 fffff801`6da3f000 hal hal.dll Fri Sep 12 21:39:19 2014 (5413A047) fffff800`719c0000 fffff800`719e1000 HIDCLASS HIDCLASS.SYS Sat Sep 13 00:13:52 2014 (5413C480) fffff800`71be0000 fffff800`71bef000 HIDPARSE HIDPARSE.SYS Sat Sep 13 00:14:49 2014 (5413C4B9) fffff800`719b0000 fffff800`719bd000 hidusb hidusb.sys Sat Sep 13 00:13:42 2014 (5413C476) fffff800`71a70000 fffff800`71b5f000 HTTP HTTP.sys Sat Sep 13 00:11:41 2014 (5413C3FD) fffff800`714e0000 fffff800`714fc000 i8042prt i8042prt.sys Sat Sep 13 00:13:55 2014 (5413C483) fffff800`70510000 fffff800`70518000 intelide intelide.sys Sat Sep 13 00:14:32 2014 (5413C4A8) fffff800`71d80000 fffff800`71d8f000 intelpep intelpep.sys Sat Sep 13 00:13:39 2014 (5413C473) fffff800`71640000 fffff800`71663000 intelppm intelppm.sys Fri Sep 12 21:39:14 2014 (5413A042) fffff800`71500000 fffff800`71512000 kbdclass kbdclass.sys Sat Sep 13 00:13:59 2014 (5413C487) fffff801`6c8f6000 fffff801`6c8ff000 kdcom kdcom.dll Sat Sep 13 00:14:58 2014 (5413C4C2) fffff800`714b0000 fffff800`714bb000 kdnic kdnic.sys Sat Sep 13 00:13:05 2014 (5413C451) fffff800`71690000 fffff800`716e8000 ks ks.sys Sat Sep 13 00:14:20 2014 (5413C49C) fffff800`6fe60000 fffff800`6fe80000 ksecdd ksecdd.sys Sat Sep 13 00:13:50 2014 (5413C47E) fffff800`70a10000 fffff800`70a3a000 ksecpkg ksecpkg.sys Sat Sep 13 00:12:16 2014 (5413C420) fffff800`71a30000 fffff800`71a44000 lltdio lltdio.sys Sat Sep 13 00:11:44 2014 (5413C400) fffff800`71a00000 fffff800`71a25000 luafv luafv.sys Sat Sep 13 00:14:12 2014 (5413C494) fffff800`701a0000 fffff800`7020c000 mcupdate mcupdate.dll Sat Sep 13 00:14:42 2014 (5413C4B2) fffff800`73080000 fffff800`73091000 mmcss mmcss.sys Sat Sep 13 00:13:49 2014 (5413C47D) fffff800`71930000 fffff800`7193e000 monitor monitor.sys Sat Sep 13 00:12:00 2014 (5413C410) fffff800`71520000 fffff800`71530000 mouclass mouclass.sys Sat Sep 13 00:13:58 2014 (5413C486) fffff800`719f0000 fffff800`719fd000 mouhid mouhid.sys Sat Sep 13 00:13:58 2014 (5413C486) fffff800`70530000 fffff800`7054b000 mountmgr mountmgr.sys Sat Sep 13 00:14:24 2014 (5413C4A0) fffff800`718b0000 fffff800`718c7000 mpsdrv mpsdrv.sys Sat Sep 13 00:10:07 2014 (5413C39F) fffff800`70ea0000 fffff800`70f0d000 mrxsmb mrxsmb.sys Sat Sep 13 00:09:53 2014 (5413C391) fffff800`730a0000 fffff800`730eb000 mrxsmb10 mrxsmb10.sys Sat Sep 13 00:09:51 2014 (5413C38F) fffff800`71870000 fffff800`718a9000 mrxsmb20 mrxsmb20.sys Sat Sep 13 00:12:30 2014 (5413C42E) fffff800`71190000 fffff800`7119c000 Msfs Msfs.SYS Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`70110000 fffff800`7011a000 msisadrv msisadrv.sys Sat Sep 13 00:13:50 2014 (5413C47E) fffff800`71b60000 fffff800`71b76000 mslldp mslldp.sys Sat Sep 13 00:11:32 2014 (5413C3F4) fffff800`70390000 fffff800`703e8000 msrpc msrpc.sys unavailable (00000000) fffff800`71410000 fffff800`7141c000 mssmbios mssmbios.sys Sat Sep 13 00:14:11 2014 (5413C493) fffff800`71d60000 fffff800`71d75000 mup mup.sys Sat Sep 13 00:14:45 2014 (5413C4B5) fffff800`72100000 fffff800`72107000 myfault myfault.sys Sat Apr 07 12:34:41 2012 (4F806CA1) fffff800`70880000 fffff800`70997000 ndis ndis.sys Sat Sep 13 00:11:52 2014 (5413C408) fffff800`71670000 fffff800`7167b000 NdisVirtualBus NdisVirtualBus.sys Sat Sep 13 00:11:53 2014 (5413C409) fffff800`730f0000 fffff800`7310d000 Ndu Ndu.sys Sat Sep 13 00:10:01 2014 (5413C399) fffff800`712e0000 fffff800`712f0000 netbios netbios.sys Sat Sep 13 00:13:16 2014 (5413C45C) fffff800`711d0000 fffff800`71219000 netbt netbt.sys Sat Sep 13 00:11:41 2014 (5413C3FD) fffff800`709a0000 fffff800`70a0d000 NETIO NETIO.SYS Sat Sep 13 00:11:41 2014 (5413C3FD) fffff800`71170000 fffff800`71185000 Npfs Npfs.SYS Sat Sep 13 00:14:47 2014 (5413C4B7) fffff800`71400000 fffff800`7140c000 npsvctrig npsvctrig.sys Sat Sep 13 00:13:22 2014 (5413C462) fffff800`713f0000 fffff800`713fe000 nsiproxy nsiproxy.sys Sat Sep 13 00:12:00 2014 (5413C410) fffff801`6d201000 fffff801`6d9d5000 nt ntkrnlmp.exe Sat Sep 13 00:19:10 2014 (5413C5BE) fffff800`70670000 fffff800`7086c000 Ntfs Ntfs.sys Fri Sep 12 21:39:37 2014 (5413A059) fffff800`702f0000 fffff800`702fa000 ntosext ntosext.sys Fri Sep 12 21:39:09 2014 (5413A03D) fffff800`70f50000 fffff800`70f58000 Null Null.SYS unavailable (00000000) fffff800`712b0000 fffff800`712d9000 pacer pacer.sys Sat Sep 13 00:09:56 2014 (5413C394) fffff800`71530000 fffff800`7154c000 parport parport.sys Sat Sep 13 00:14:30 2014 (5413C4A6) fffff800`70400000 fffff800`7041c000 partmgr partmgr.sys Fri Sep 12 21:39:14 2014 (5413A042) fffff800`70120000 fffff800`70169000 pci pci.sys Sat Sep 13 00:13:16 2014 (5413C45C) fffff800`70520000 fffff800`7052f000 PCIIDEX PCIIDEX.SYS Sat Sep 13 00:14:17 2014 (5413C499) fffff800`70100000 fffff800`70110000 pcw pcw.sys Fri Sep 12 21:39:10 2014 (5413A03E) fffff800`70180000 fffff800`7019b000 pdc pdc.sys Fri Sep 12 21:39:12 2014 (5413A040) fffff800`73110000 fffff800`731ba000 peauth peauth.sys Sat Sep 13 00:11:42 2014 (5413C3FE) fffff800`702b0000 fffff800`702c6000 PSHED PSHED.dll Sat Sep 13 01:35:42 2014 (5413D7AE) fffff800`712f0000 fffff800`7135e000 rdbss rdbss.sys Sat Sep 13 00:12:19 2014 (5413C423) fffff800`716f0000 fffff800`716fb000 rdpbus rdpbus.sys Sat Sep 13 00:13:44 2014 (5413C478) fffff800`71d10000 fffff800`71d52000 rdyboost rdyboost.sys Sat Sep 13 00:13:27 2014 (5413C467) fffff800`71a50000 fffff800`71a68000 rspndr rspndr.sys Sat Sep 13 00:11:46 2014 (5413C402) fffff800`72090000 fffff800`7209b000 secdrv secdrv.SYS Wed Sep 13 09:18:38 2006 (4508052E) fffff800`70420000 fffff800`7048d000 spaceport spaceport.sys unavailable (00000000) fffff800`72000000 fffff800`7208c000 srv srv.sys Sat Sep 13 00:12:05 2014 (5413C415) fffff800`72fd0000 fffff800`7307c000 srv2 srv2.sys Sat Sep 13 00:12:07 2014 (5413C417) fffff800`718d0000 fffff800`71910000 srvnet srvnet.sys Sat Sep 13 00:09:51 2014 (5413C38F) fffff800`71680000 fffff800`7168a000 swenum swenum.sys Sat Sep 13 00:14:12 2014 (5413C494) fffff800`70a40000 fffff800`70ca2000 tcpip tcpip.sys Sat Sep 13 00:11:20 2014 (5413C3E8) fffff800`720a0000 fffff800`720b2000 tcpipreg tcpipreg.sys Sat Sep 13 00:10:08 2014 (5413C3A0) fffff800`711c0000 fffff800`711cd000 TDI TDI.SYS Sat Sep 13 00:13:20 2014 (5413C460) fffff800`711a0000 fffff800`711bf000 tdx tdx.sys Sat Sep 13 00:11:47 2014 (5413C403) fffff800`70280000 fffff800`702a2000 tm tm.sys Fri Sep 12 21:39:11 2014 (5413A03F) fffff960`3a200000 fffff960`3a209000 TSDDD TSDDD.dll unavailable (00000000) fffff800`720c0000 fffff800`720ec000 tunnel tunnel.sys Sat Sep 13 00:09:51 2014 (5413C38F) fffff800`71790000 fffff800`717e3000 udfs udfs.sys Sat Sep 13 00:14:44 2014 (5413C4B4) fffff800`714c0000 fffff800`714d1000 umbus umbus.sys Sat Sep 13 00:13:48 2014 (5413C47C) fffff800`71780000 fffff800`7178c000 USBD USBD.SYS Sat Sep 13 00:14:45 2014 (5413C4B5) fffff800`71600000 fffff800`71619000 usbehci usbehci.sys Sat Sep 13 00:13:58 2014 (5413C486) fffff800`71700000 fffff800`71779000 usbhub usbhub.sys Sat Sep 13 00:13:27 2014 (5413C467) fffff800`71580000 fffff800`7158c000 usbohci usbohci.sys Sat Sep 13 00:14:03 2014 (5413C48B) fffff800`71590000 fffff800`715ff000 USBPORT USBPORT.SYS Sat Sep 13 00:14:14 2014 (5413C496) fffff800`70170000 fffff800`7017d000 vdrvroot vdrvroot.sys Sat Sep 13 00:13:42 2014 (5413C476) fffff800`70490000 fffff800`704a6000 volmgr volmgr.sys Fri Sep 12 21:39:14 2014 (5413A042) fffff800`704b0000 fffff800`7050b000 volmgrx volmgrx.sys unavailable (00000000) fffff800`71ca0000 fffff800`71d03000 volsnap volsnap.sys Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`70f90000 fffff800`70fa2000 watchdog watchdog.sys Sat Sep 13 00:14:13 2014 (5413C495) fffff800`6fea0000 fffff800`6ff72000 Wdf01000 Wdf01000.sys Sat Sep 13 00:12:08 2014 (5413C418) fffff800`70620000 fffff800`70667000 WdFilter WdFilter.sys Sat Sep 13 00:13:55 2014 (5413C483) fffff800`6ff80000 fffff800`6ff90000 WDFLDR WDFLDR.SYS Sat Sep 13 00:13:49 2014 (5413C47D) fffff800`70210000 fffff800`7021e000 werkernel werkernel.sys Sat Sep 13 00:14:47 2014 (5413C4B7) fffff800`70d20000 fffff800`70d43000 wfplwfs wfplwfs.sys Sat Sep 13 00:11:31 2014 (5413C3F3) fffff960`0bc00000 fffff960`0bc1c000 win32k win32k.sys unavailable (00000000) fffff960`35e00000 fffff960`35eb8000 win32kbase win32kbase.sys unavailable (00000000) fffff960`2ae00000 fffff960`2b162000 win32kfull win32kfull.sys unavailable (00000000) fffff800`70050000 fffff800`7005a000 WMILIB WMILIB.SYS Sat Sep 13 00:14:46 2014 (5413C4B6) fffff800`705e0000 fffff800`7061e000 Wof Wof.sys Sat Sep 13 00:12:16 2014 (5413C420) fffff800`6ffb0000 fffff800`6ffbb000 WppRecorder WppRecorder.sys Fri Sep 12 21:39:10 2014 (5413A03E) Unloaded modules: fffff800`70eb0000 fffff800`70ebd000 dump_ataport Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000D000 fffff800`70ed0000 fffff800`70eda000 dump_atapi.s Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000A000 fffff800`70f00000 fffff800`70f16000 dump_dumpfve Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 00016000 fffff800`71450000 fffff800`71461000 dam.sys Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 00011000 fffff800`700f0000 fffff800`700fb000 WdBoot.sys Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000B000 fffff800`71d90000 fffff800`71d9c000 hwpolicy.sys Timestamp: unavailable (00000000) Checksum: 00000000 ImageSize: 0000C000[/quote]

 

Hi Zardoc!

essenbe - I spent 20 minutes trying to find out why these drivers didn't appear in my System32/drivers folder - only to look again and see that they're in the System32 folder *Sad

From my VM:

Win32k.sys = Full/Desktop Multi-User Win32 Driver (90 kB)
Win32kbase.sys = Base Win32k Kernel Driver (681 kB)
Win32kfull.sys = Full/Desktop Win32k Kernel Driver (3383 kB)

As Win32k.sys is small (as is Win32kbase.sys), I'd suspect that Win32k.sys has been changed to reference the 2 other drivers (yet it still has some core functionality that applies to all devices).

So, I'd presume that Win32kbase.sys is used for other (?smaller?) devices (EDIT: may be used on larger systems also?), and the Win32kfull.sys driver is designed for greater functionality on systems with a lot of resources (such as Desktop computers)