Guest SC2317
Posted November 15, 2019

Hi,

Can someone please assist me in troubleshooting an issue with a BSOD on a Windows 7 32-bit machine? I have run the Windows debugger tool with the memory dump that was created after the BSOD, and as per the analysis it seems like "cng.sys" is causing the BSOD. However, I am not an expert in this, so if someone could help in resolving this it would be really appreciated. Below is the output of the debugger tool.

Microsoft ® Windows Debugger Version 10.0.17763.132 AMD64
Copyright © Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Temp\MEMORY.DMP]
Kernel Summary Dump File: Kernel address space is available, User address space may not be available.

************* Path validation summary **************
Response Time (ms) Location
Deferred Symbol information
Symbol search path is: Symbol information
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24524.x86fre.win7sp1_ldr_escrow.190916-1700
Machine Name:
Kernel base = 0x82852000 PsLoadedModuleList = 0x829a8730
Debug session time: Tue Nov 12 17:05:18.998 2019 (UTC + 1:00)
System Uptime: 0 days 0:08:59.245
WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
Loading Kernel Symbols
...............................................................
................................................................
...................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd300c). Type ".hh dbgerr001" for details
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 80b93c00, 0, 0}

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : cng.sys ( cng!AesGcm+268 )

Followup: MachineOwner
---------

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80b93c00
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 7601.24524.x86fre.win7sp1_ldr_escrow.190916-1700
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 09/21/2015
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 1
BUGCHECK_P1: 8
BUGCHECK_P2: ffffffff80b93c00
BUGCHECK_P3: 0
BUGCHECK_P4: 0
BUGCHECK_STR: 0x7f_8

TSS: 00000028 -- (.tss 0x28)
eax=bc3b005c ebx=82995100 ecx=82995000 edx=82995100 esi=856e48f8 edi=82995040
eip=82820ff1 esp=bc3b0000 ebp=bc3b0014 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210246
hal!HalpLowerIrqlHardwareInterrupts+0x13:
82820ff1 57 push edi
Resetting default scope

CPU_COUNT: 2
CPU_MHZ: 8fc
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3f
CPU_STEPPING: 0
CPU_MICROCODE: 6,3f,0,0 (F,M,S,R) SIG: 43'00000000 (cache) 43'00000000 (init)
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: explorer.exe
CURRENT_IRQL: 2
ANALYSIS_SESSION_HOST: LT-18-139
ANALYSIS_SESSION_TIME: 11-14-2019 10:34:32.0653
ANALYSIS_VERSION: 10.0.17763.132 amd64fre
BAD_STACK_POINTER: 82985fe4
LAST_CONTROL_TRANSFER: from 82820ff1 to 82896d51
STACK_OVERFLOW: Stack Limit: bc3b0000. Use (kF) and (!stackusage) to investigate stack usage.
STACKUSAGE_FUNCTION: The function at address 0xffffffff8b1ae698 was blamed for the stack overflow. It is using 2276 bytes of stack.

FOLLOWUP_IP:
cng!AesGcm+268
8b1ae698 8b4334 mov eax,dword ptr [ebx+34h]

STACK_TEXT:
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details
bc3b0014 82821226 82995140 82995000 bc3b0068 hal!HalpLowerIrqlHardwareInterrupts+0x13
bc3b0024 8281eddd 829819cb 856e4568 82995144 hal!KfLowerIrql+0x58
bc3b0028 829819cb 856e4568 82995144 82995040 hal!KeReleaseQueuedSpinLock+0x2d
bc3b0068 82981366 82995040 00000000 00000000 nt!ExDeferredFreePool+0x35b
bc3b00d0 828da579 856e4570 76615358 85692a38 nt!ExFreePoolWithTag+0x8a7
bc3b00e0 828da333 bc3b0158 00000001 00000001 nt!KeFreeXStateContext+0x1b
bc3b00f8 828da534 bc3b011c bc3b013c 8b1b0e42 nt!KeRestoreExtendedProcessorState+0xd7
bc3b0104 8b1b0e42 bc3b011c 00000000 bc3b09e0 nt!KeRestoreFloatingPointState+0xd
bc3b013c 8b1ae341 bc3b01d0 bc3b09e0 bc3b0158 cng!GHashAppendDatax86KmodeXmm+0x62
bc3b0168 8b1ae698 856c1b30 bc3b01c8 bc3b09e0 cng!AesGcmComputeFinalTag+0x51
bc3b0a4c 8b1908d9 856c1b30 00000000 00000010 cng!AesGcm+0x268
bc3b0b00 8b18d542 856c1af0 bc3b0bb4 00000000 cng!MSBlockEncrypt+0x29b
bc3b0b34 8b16ff07 856c1af0 856411ca 000012b2 cng!MSCryptEncrypt+0x7d
bc3b0b80 8b192b51 8b18d4c5 856411ca 000012b2 cng!BCryptEncrypt+0x14d
bc3b0c18 8b193035 00000017 000003ea 00000000 cng!Tls1ComputeMac+0x26b
bc3b0c68 8b191e43 87aadda0 00000008 856411ca cng!TlsEncryptPacket+0x36c
bc3b0c98 8b171f05 87aadda0 856c1a78 856411ca cng!SPSslEncryptPacket+0x8c
bc3b0ccc 8b32f5cf 87aa7b20 87cb2330 856411ca cng!SslEncryptPacket+0x4d
bc3b0d4c 8b342232 a7c33008 00000000 bc3b0dec ksecpkg!SslSealMessageStream+0x288
bc3b0d68 8b1691d0 a7c33008 00000000 bc3b0dec ksecpkg!SslSealMessage+0x34
bc3b0d80 b7bbe15d a8c43ba0 00000000 bc3b0dec ksecdd!EncryptMessage+0x34
bc3b0d98 b7bb840f 85422294 00000000 bc3b0dec tssecsrv!SpEncryptMessage+0x25
bc3b0df8 b7bb883c 856411bd bc3b0e30 00000000 tssecsrv!CSecurityFilter::EncryptData+0xda
bc3b0e0c b7bb6171 856411bd bc3b0e30 8538edb8 tssecsrv!CSecurityFilter::FilterOutgoingData+0x22
bc3b0e34 b7bb598f bc3b0e44 8538eda8 b7bba140 tssecsrv!CFilter::FilterOutgoingData+0x8d
bc3b0e60 94ce2721 87c451f0 bc3b0ecc bc3b0ecc tssecsrv!ScrRawWrite+0x49
bc3b0e7c 94ce2802 8538eda8 00000002 bc3b0ecc termdd!_IcaCallSd+0x37
bc3b0e98 b7be56c3 853a04e4 00000002 bc3b0ecc termdd!IcaCallNextDriver+0x4a
bc3b0eac b7bcc5af a7b38008 853a04e4 bc3b0ecc RDPWD!FinalSendOutBuf+0x12
bc3b0ee0 b7bcbca4 000012af 00000001 00000000 RDPWD!NM_SendData+0xd9
bc3b0f18 b7bcd26c 000012af 00000001 00000000 RDPWD!SM_SendData+0x8f
bc3b0f40 b7bc4b07 dd561000 856411c0 000012af RDPWD!ShareClass::SC_SendFastPathData+0x2a
bc3b0f60 b7bcf318 dd561000 bc3b0f7c bc3b1194 RDPWD!ShareClass::SC_FlushPackage+0x29
bc3b0f94 b7bc7196 dd561000 bc3b1194 bc3b11d4 RDPWD!ShareClass::DCS_TimeToDoStuff+0xf6
bc3b0fbc b7bc537c a7858008 dd561000 853a04e0 RDPWD!WDLIB_DDOutputAvailable+0x194
bc3b0fd4 94ce2721 a7858008 bc3b105c 87cdb010 RDPWD!WDSYS_Ioctl+0x20
bc3b0ff0 94ce2bd9 853a04d0 00000005 bc3b105c termdd!_IcaCallSd+0x37
bc3b1010 94ce3576 87cdb008 00000005 bc3b105c termdd!_IcaCallStack+0x57
bc3b1038 94ce40fd 856cc918 00000005 bc3b105c termdd!IcaCallDriver+0x11e
bc3b1074 94ce02f4 856cc918 855f9eb0 855f9f20 termdd!IcaDeviceControlVirtual+0x265
bc3b109c 94ce0fcb 856cc918 855f9eb0 855f9f20 termdd!IcaDeviceControlChannel+0x222
bc3b10cc 94ce119f 855f9eb0 855f9f20 8568d818 termdd!IcaDeviceControl+0x59
bc3b10e4 8288bf47 863804b8 855f9eb0 855f9eb0 termdd!IcaDispatch+0x13f
bc3b10fc 9fae9d4e ffaef010 00000000 bc3b1164 nt!IofCallDriver+0x63
bc3b1128 9faa9fcb 00000001 0038144f bc3b1194 win32k!CtxDeviceIoControlFile+0xa7
bc3b1164 9f8011fa 8568d818 0038144f bc3b1194 win32k!EngFileIoControl+0x31
bc3b11f0 9f8012c9 ffb7c010 00000001 ffb81470 RDPDD!SCH_DDOutputAvailable+0x160
bc3b1208 9f80e70c ffb7c010 00000001 00000000 RDPDD!SCH_DDOutputAvailable+0x2f
bc3b122c 9f810fa1 ffb7c010 ffaef010 00000f30 RDPDD!OA_AllocOrderMem+0x42
bc3b1288 9f8115a1 ffb7c010 0000004b ffb51158 RDPDD!SBCCacheBits+0x125
bc3b1324 9f80a516 ffb7c010 0000000f 00000039 RDPDD!SBC_CacheBitmapTile+0x1cb
bc3b16b0 9f80a768 ffb7c010 00000000 00000000 RDPDD!OETileBitBltOrder+0x22c
bc3b16d8 9f8058d7 00000000 bc3b173c bc3b1718 RDPDD!OEEncodeMemBlt+0x100
bc3b1798 9f805f3f fde7b420 fd9e8158 00000000 RDPDD!DrvBitBlt+0x425
bc3b17d4 9f9d9053 fd5c46b8 fd9e8158 bc3b224c RDPDD!DrvCopyBits+0x41
bc3b1818 9f9c8eb9 9f805efe bc3b1aa8 fd5c46b8 win32k!OffCopyBits+0x80
bc3b1abc 9f9d909d fd5c46b8 fd9e8158 00000000 win32k!SpBitBlt+0x252
bc3b1af0 9f9dc262 fd5c46b8 fd9e8158 bc3b224c win32k!SpCopyBits+0x27
bc3b1d88 9f9de26b fd5c46b8 fd479580 fd5e4830 win32k!EngTextOut+0x710
bc3b1dd4 9f9de4d8 9f9dbb52 bc3b2040 fd5c46b8 win32k!OffTextOut+0x71
bc3b2058 9f9de048 fd5c46b8 bc3b20b4 fd5e4830 win32k!SpTextOut+0x1a2
bc3b2354 9f96c3f7 bc3b2518 ffa49700 ffa4975c win32k!GreExtTextOutWLocked+0x1040
bc3b23d0 9f9bf924 00000000 ffbbe064 00000010 win32k!GreBatchTextOut+0x1e6
bc3b2540 82ad958e 8b3315bf bc3b265c 7ffdf6cc win32k!NtGdiFlushUserBatch+0x123
bc3b2590 9fa5fe9a 00000061 bc3b25bc 00000088 nt!KeUserModeCallback+0x176
bc3b26a0 9f989e08 fe00c880 00000092 00000000 win32k!SfnINLPUAHDRAWMENUITEM+0x12d
bc3b26d4 9fa75c42 fe00c880 00000092 00000000 win32k!xxxDefWindowProc+0xdd
bc3b274c 9fa444e5 fe014900 00000092 00000000 win32k!xxxRealMenuWindowProc+0xe8d
bc3b2780 9f9bc5e0 fe00c880 00000092 00000000 win32k!xxxMenuWindowProc+0x121
bc3b27c0 9f9bc6b2 fe00c880 00000092 00000000 win32k!xxxSendMessageTimeout+0x1ac
bc3b27e8 9fa5f826 fe00c880 00000092 00000000 win32k!xxxSendMessage+0x28
bc3b2890 9fa5fa4d 010100d6 00000001 00000001 win32k!xxxSendMenuDrawItemMessage+0x120
bc3b28f8 9fa59622 010100d6 fe014900 00000000 win32k!xxxDrawMenuItem+0x11b
bc3b2970 9fa75c53 010100d6 00000017 fe00c880 win32k!xxxMenuDraw+0x23a
bc3b29e4 9fa444e5 fe014900 00000318 010100d6 win32k!xxxRealMenuWindowProc+0xe9e
bc3b2a18 9f9bc5e0 fe00c880 00000318 010100d6 win32k!xxxMenuWindowProc+0x121
bc3b2a58 9f9bc6b2 fe00c880 00000318 010100d6 win32k!xxxSendMessageTimeout+0x1ac
bc3b2a80 9fa422a1 fe00c880 00000318 010100d6 win32k!xxxSendMessage+0x28
bc3b2ac8 9f9b17db 00000001 00000000 0000000e win32k!xxxDWPPrint+0x1cd
bc3b2b44 9f9be783 fe00c880 00000317 010100d6 win32k!xxxRealDefWindowProc+0x13be
bc3b2b5c 9f988aad fe00c880 00000317 010100d6 win32k!xxxWrapRealDefWindowProc+0x2b
bc3b2b78 9f9be63f fe00c880 00000317 010100d6 win32k!NtUserfnNCDESTROY+0x27
bc3b2bb0 91cf6a7e 00030166 00000317 010100d6 win32k!NtUserMessageCall+0xd2
WARNING: Stack unwind information not available. Following frames may be wrong.
bc3b2be8 865feb5b 86520e6c 00030166 00000317 SYMEVENT+0x1a7e
bc3b2c10 82892a5a 00030166 00000317 010100d6 0x865feb5b
bc3b2c10 77d36c04 00030166 00000317 010100d6 nt!KiSystemServicePostCall
0025e19c 00000000 00000000 00000000 00000000 0x77d36c04

STACK_COMMAND: .tss 0x28 ; kb
THREAD_SHA1_HASH_MOD_FUNC: 94c9288b51fd41deae5e677e756482488d343cf9
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ba2320747de3d5724dde04a750daa995531660de
THREAD_SHA1_HASH_MOD: 563baa34ec8ce9d510b5e266c87413a00e6db852
FAULT_INSTR_CODE: 8b34438b
SYMBOL_STACK_INDEX: a
SYMBOL_NAME: cng!AesGcm+268
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: cng
IMAGE_NAME: cng.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5af4fd0a
FAILURE_BUCKET_ID: 0x7f_8_STACK_USAGE_cng!AesGcm+268
BUCKET_ID: 0x7f_8_STACK_USAGE_cng!AesGcm+268
PRIMARY_PROBLEM_CLASS: 0x7f_8_STACK_USAGE_cng!AesGcm+268
TARGET_TIME: 2019-11-12T16:05:18.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x86
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2019-09-17 03:58:39
BUILDDATESTAMP_STR: 190916-1700
BUILDLAB_STR: win7sp1_ldr_escrow
BUILDOSVER_STR: 6.1.7601.24524.x86fre.win7sp1_ldr_escrow.190916-1700
ANALYSIS_SESSION_ELAPSED_TIME: 388
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x7f_8_stack_usage_cng!aesgcm+268
FAILURE_ID_HASH: {0cf448aa-f892-a120-4dc7-88f52f0c788a}

Followup: MachineOwner
---------

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000
0: kd> lmvm cng
Browse full module list
start end module name
8b16e000 8b1cc000 cng (pdb symbols) C:\ProgramData\dbg\sym\cng.pdb\231A7D34F2874BC787CA4A4012AF459B1\cng.pdb
    Loaded symbol image file: cng.sys
    Image path: \SystemRoot\System32\Drivers\cng.sys
    Image name: cng.sys
    Browse all global symbols functions data
    Timestamp: Thu May 10 19:16:42 2018 (5AF4FD0A)
    CheckSum: 0005D33D
    ImageSize: 0005E000
    Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
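Added example (not part of the original post or of the WinDbg output): the per-frame stack usage that kF and !stackusage report can be recomputed from pasted kb text by subtracting consecutive ChildEBP values. The sample is a contiguous slice of the STACK_TEXT above; the names frame_usage and usage_by_module are made up for this sketch.

```python
import re
from collections import Counter

# kb frame line on x86: ChildEBP RetAddr Arg1 Arg2 Arg3 Symbol
FRAME = re.compile(r"^([0-9a-f]{8}) [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)$")

# Contiguous slice of the STACK_TEXT in the post, innermost frame first.
SAMPLE = """\
bc3b0104 8b1b0e42 bc3b011c 00000000 bc3b09e0 nt!KeRestoreFloatingPointState+0xd
bc3b013c 8b1ae341 bc3b01d0 bc3b09e0 bc3b0158 cng!GHashAppendDatax86KmodeXmm+0x62
bc3b0168 8b1ae698 856c1b30 bc3b01c8 bc3b09e0 cng!AesGcmComputeFinalTag+0x51
bc3b0a4c 8b1908d9 856c1b30 00000000 00000010 cng!AesGcm+0x268
bc3b0b00 8b18d542 856c1af0 bc3b0bb4 00000000 cng!MSBlockEncrypt+0x29b
bc3b0b34 8b16ff07 856c1af0 856411ca 000012b2 cng!MSCryptEncrypt+0x7d
bc3b0b80 8b192b51 8b18d4c5 856411ca 000012b2 cng!BCryptEncrypt+0x14d
"""

def frame_usage(stack_text):
    """Return [(bytes, symbol), ...]: stack bytes between each frame and its callee."""
    frames = [(int(m[1], 16), m[2])
              for line in stack_text.splitlines()
              if (m := FRAME.match(line.strip()))]
    usage = []
    for (callee_ebp, _), (ebp, symbol) in zip(frames, frames[1:]):
        size = ebp - callee_ebp
        # Zero or negative deltas mark a broken unwind or a switch to another
        # stack (such as the user-mode frame at the bottom), not real usage.
        if size > 0:
            usage.append((size, symbol))
    return usage

def usage_by_module(usage):
    """Sum per-frame usage by module name (the part before '!')."""
    totals = Counter()
    for size, symbol in usage:
        totals[symbol.split("!")[0]] += size
    return totals

if __name__ == "__main__":
    usage = frame_usage(SAMPLE)
    for size, symbol in sorted(usage, reverse=True):
        print(f"{size:6d}  {symbol}")
    print(dict(usage_by_module(usage)))
```

On this slice the largest frame is cng!AesGcm+0x268 at 2276 bytes, the same figure STACKUSAGE_FUNCTION reports; running it over the whole STACK_TEXT shows how much of the stack was already consumed by the win32k, RDPDD and RDPWD frames beneath it.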