Jeff

Reputation: 509

How To Interpret .analyze of a Win 11 Crash Dump?

Everything I see online says that the best way to diagnose a driver that's causing BSODs is to open the crash dump in windbg and run !analyze -v and it'll tell me what driver is the issue. Maybe I'm missing something, but I can't figure out what's supposed to tell me that.

Here's my !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
An attempt was made to execute non-executable memory.  The guilty driver
is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name is printed on
the BugCheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcb02f821d200, Virtual address for the attempted execute.
Arg2: 8a000001f4c009e3, PTE contents.
Arg3: fffffd87af0973d0, (reserved)
Arg4: 0000000000000003, (reserved)

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 140

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 1196

    Key  : Analysis.Init.CPU.mSec
    Value: 828

    Key  : Analysis.Init.Elapsed.mSec
    Value: 628505

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 100

    Key  : WER.OS.Branch
    Value: ni_release

    Key  : WER.OS.Timestamp
    Value: 2022-05-06T12:50:00Z

    Key  : WER.OS.Version
    Value: 10.0.22621.1


FILE_IN_CAB:  011525-14328-01.dmp

BUGCHECK_CODE:  fc

BUGCHECK_P1: ffffcb02f821d200

BUGCHECK_P2: 8a000001f4c009e3

BUGCHECK_P3: fffffd87af0973d0

BUGCHECK_P4: 3

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  MsMpEng.exe

TRAP_FRAME:  fffffd87af0973d0 -- (.trap 0xfffffd87af0973d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000111 rbx=0000000000000000 rcx=fffff880e0417290
rdx=fffff8017006af81 rsi=0000000000000000 rdi=0000000000000000
rip=ffffcb02f821d200 rsp=fffffd87af097560 rbp=fffff880e0417290
 r8=fffff8fc407020b8  r9=0000000000000000 r10=fffff88000000000
r11=fffff8fc7e3f1000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
ffffcb02`f821d200 0000            add     byte ptr [rax],al ds:00000000`00000111=??
Resetting default scope

STACK_TEXT:  
fffffd87`af097218 fffff801`6f8c95aa     : 00000000`000000fc ffffcb02`f821d200 8a000001`f4c009e3 fffffd87`af0973d0 : nt!KeBugCheckEx
fffffd87`af097220 fffff801`6f8c41ee     : 00000000`00000011 00000000`00000003 00000000`00000000 fffffd87`af0972f0 : nt!MiCheckSystemNxFault+0x17efa2
fffffd87`af097260 fffff801`6f66a603     : 00000000`00000000 00000000`00000011 fffffd87`af097369 00000000`00000000 : nt!MiRaisedIrqlFault+0x18a0ee
fffffd87`af0972b0 fffff801`6f82617e     : fffffd87`af097460 fffff801`6f66f9ed ffffcb02`dbbb5000 fffff801`6f6709f9 : nt!MmAccessFault+0x363
fffffd87`af0973d0 ffffcb02`f821d200     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x37e
fffffd87`af097560 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffcb02`f821d200


SYMBOL_NAME:  nt!MiCheckSystemNxFault+17efa2

MODULE_NAME: nt

IMAGE_VERSION:  10.0.22621.4601

STACK_COMMAND:  .cxr; .ecxr ; kb

IMAGE_NAME:  ntkrnlmp.exe

BUCKET_ID_FUNC_OFFSET:  17efa2

FAILURE_BUCKET_ID:  0xFC_nt!MiCheckSystemNxFault

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {a6ae5288-6b71-974a-9b09-23f14d998164}

Followup:     MachineOwner

Also, I don't know if it's relevant, but I get different BSOD error codes when it crashes.

Edit: Also, I don't have any errors shown in Device Manager, and I ran a memory test that didn't find any issues.

Upvotes: 0

Views: 57
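As an added example (not part of the original post), the script below parses the argument lines of the output above, decodes Arg2 as an x86-64 page-table entry, and checks that the entry is present with the no-execute bit set and that the trap-frame rip equals Arg1. The function names are hypothetical, the sample text is copied from the post, and the bit layout is the architectural one, so Windows-specific software bits are reported only as raw numbers.

```python
import re

# Constructed sample: lines copied from the !analyze -v output above.
SAMPLE = """\
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
Arg1: ffffcb02f821d200, Virtual address for the attempted execute.
Arg2: 8a000001f4c009e3, PTE contents.
rip=ffffcb02f821d200 rsp=fffffd87af097560 rbp=fffff880e0417290
"""

# Single-bit fields of an x86-64 page-table entry (architectural layout).
PTE_FLAGS = [(0, "present"), (1, "writable"), (2, "user"), (3, "write_through"),
             (4, "cache_disable"), (5, "accessed"), (6, "dirty"),
             (7, "pat_or_large_page"),  # PAT in a PTE, PS (large page) in a PDE
             (8, "global"), (63, "no_execute")]


def decode_pte(value):
    """Split a 64-bit PTE into hardware flags, frame number and OS-defined bits."""
    if not 0 <= value < 1 << 64:
        raise ValueError("PTE must be an unsigned 64-bit value")
    fields = {name: bool(value >> bit & 1) for bit, name in PTE_FLAGS}
    fields["pfn"] = (value >> 12) & ((1 << 40) - 1)     # bits 12..51
    fields["sw_bits_9_11"] = (value >> 9) & 0x7          # ignored by the MMU
    fields["high_bits_52_62"] = (value >> 52) & 0x7FF    # OS use / protection key
    return fields


def parse_report(text):
    """Extract bugcheck code, ArgN values and the trap-frame rip from the text."""
    code = re.search(r"^\w+ \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-fA-F]+),", text, re.M)}
    rip = re.search(r"\brip=([0-9a-fA-F]+)", text)
    return {"code": int(code.group(1), 16) if code else None,
            "args": args,
            "rip": int(rip.group(1), 16) if rip else None}


def check_nx_fault(text):
    """For bugcheck 0xFC, confirm what the arguments claim about the fault."""
    rep = parse_report(text)
    if rep["code"] != 0xFC or not rep["args"].keys() >= {1, 2}:
        raise ValueError("not a 0xFC report with Arg1 and Arg2")
    pte = decode_pte(rep["args"][2])
    return {"mapped_and_nx": pte["present"] and pte["no_execute"],
            "rip_is_fault_address": rep["rip"] == rep["args"][1],
            "pte": pte}


if __name__ == "__main__":
    print(check_nx_fault(SAMPLE))
```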

Answers (0)
