Hi,

 

Can someone please assist me in troubleshooting an issue with a BSOD on a Windows 7 32-bit machine. I have run the Windows debugger tool with the memory dump that was created after the BSOD and, as per the analysis, it seems like "cng.sys" is causing the BSOD. However, I am not an expert in this, so if someone could help in resolving this it would be really appreciated. Below is the output of the debugger tool.

 

Microsoft ® Windows Debugger Version 10.0.17763.132 AMD64

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\Temp\MEMORY.DMP]

Kernel Summary Dump File: Kernel address space is available, User address space may not be available.

 

 

************* Path validation summary **************

Response Time (ms) Location

Deferred Symbol information

Symbol search path is: Symbol information

Executable search path is:

Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 7601.24524.x86fre.win7sp1_ldr_escrow.190916-1700

Machine Name:

Kernel base = 0x82852000 PsLoadedModuleList = 0x829a8730

Debug session time: Tue Nov 12 17:05:18.998 2019 (UTC + 1:00)

System Uptime: 0 days 0:08:59.245

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000

Loading Kernel Symbols

...............................................................

................................................................

...................

Loading User Symbols

PEB is paged out (Peb.Ldr = 7ffd300c). Type ".hh dbgerr001" for details

Loading unloaded module list

......

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 7F, {8, 80b93c00, 0, 0}

 

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

 

*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

 

Probably caused by : cng.sys ( cng!AesGcm+268 )

 

Followup: MachineOwner

---------

 

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000

0: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

 

UNEXPECTED_KERNEL_MODE_TRAP (7f)

This means a trap occurred in kernel mode, and it's a trap of a kind

that the kernel isn't allowed to have/catch (bound trap) or that

is always instant death (double fault). The first number in the

bugcheck params is the number of the trap (8 = double fault, etc)

Consult an Intel x86 family manual to learn more about what these

traps are. Here is a *portion* of those codes:

If kv shows a taskGate

use .tss on the part before the colon, then kv.

Else if kv shows a trapframe

use .trap on that value

Else

.trap on the appropriate frame will show where the trap was taken

(on x86, this will be the ebp that goes with the procedure KiTrap)

Endif

kb will then show the corrected stack.

Arguments:

Arg1: 00000008, EXCEPTION_DOUBLE_FAULT

Arg2: 80b93c00

Arg3: 00000000

Arg4: 00000000

 

Debugging Details:

------------------

 

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

 

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

 

KEY_VALUES_STRING: 1

 

 

STACKHASH_ANALYSIS: 1

 

TIMELINE_ANALYSIS: 1

 

 

DUMP_CLASS: 1

 

DUMP_QUALIFIER: 401

 

BUILD_VERSION_STRING: 7601.24524.x86fre.win7sp1_ldr_escrow.190916-1700

 

SYSTEM_MANUFACTURER: VMware, Inc.

 

VIRTUAL_MACHINE: VMware

 

SYSTEM_PRODUCT_NAME: VMware Virtual Platform

 

SYSTEM_VERSION: None

 

BIOS_VENDOR: Phoenix Technologies LTD

 

BIOS_VERSION: 6.00

 

BIOS_DATE: 09/21/2015

 

BASEBOARD_MANUFACTURER: Intel Corporation

 

BASEBOARD_PRODUCT: 440BX Desktop Reference Platform

 

BASEBOARD_VERSION: None

 

DUMP_TYPE: 1

 

BUGCHECK_P1: 8

 

BUGCHECK_P2: ffffffff80b93c00

 

BUGCHECK_P3: 0

 

BUGCHECK_P4: 0

 

BUGCHECK_STR: 0x7f_8

 

TSS: 00000028 -- (.tss 0x28)

eax=bc3b005c ebx=82995100 ecx=82995000 edx=82995100 esi=856e48f8 edi=82995040

eip=82820ff1 esp=bc3b0000 ebp=bc3b0014 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210246

hal!HalpLowerIrqlHardwareInterrupts+0x13:

82820ff1 57 push edi

Resetting default scope

 

CPU_COUNT: 2

 

CPU_MHZ: 8fc

 

CPU_VENDOR: GenuineIntel

 

CPU_FAMILY: 6

 

CPU_MODEL: 3f

 

CPU_STEPPING: 0

 

CPU_MICROCODE: 6,3f,0,0 (F,M,S,R) SIG: 43'00000000 (cache) 43'00000000 (init)

 

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

 

PROCESS_NAME: explorer.exe

 

CURRENT_IRQL: 2

 

ANALYSIS_SESSION_HOST: LT-18-139

 

ANALYSIS_SESSION_TIME: 11-14-2019 10:34:32.0653

 

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

 

BAD_STACK_POINTER: 82985fe4

 

LAST_CONTROL_TRANSFER: from 82820ff1 to 82896d51

 

STACK_OVERFLOW: Stack Limit: bc3b0000. Use (kF) and (!stackusage) to investigate stack usage.

 

STACKUSAGE_FUNCTION: The function at address 0xffffffff8b1ae698 was blamed for the stack overflow. It is using 2276 bytes of stack.

 

FOLLOWUP_IP:

cng!AesGcm+268

8b1ae698 8b4334 mov eax,dword ptr [ebx+34h]

 

STACK_TEXT:

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

 

Page 5f280 not present in the dump file. Type ".hh dbgerr004" for details

bc3b0014 82821226 82995140 82995000 bc3b0068 hal!HalpLowerIrqlHardwareInterrupts+0x13

bc3b0024 8281eddd 829819cb 856e4568 82995144 hal!KfLowerIrql+0x58

bc3b0028 829819cb 856e4568 82995144 82995040 hal!KeReleaseQueuedSpinLock+0x2d

bc3b0068 82981366 82995040 00000000 00000000 nt!ExDeferredFreePool+0x35b

bc3b00d0 828da579 856e4570 76615358 85692a38 nt!ExFreePoolWithTag+0x8a7

bc3b00e0 828da333 bc3b0158 00000001 00000001 nt!KeFreeXStateContext+0x1b

bc3b00f8 828da534 bc3b011c bc3b013c 8b1b0e42 nt!KeRestoreExtendedProcessorState+0xd7

bc3b0104 8b1b0e42 bc3b011c 00000000 bc3b09e0 nt!KeRestoreFloatingPointState+0xd

bc3b013c 8b1ae341 bc3b01d0 bc3b09e0 bc3b0158 cng!GHashAppendDatax86KmodeXmm+0x62

bc3b0168 8b1ae698 856c1b30 bc3b01c8 bc3b09e0 cng!AesGcmComputeFinalTag+0x51

bc3b0a4c 8b1908d9 856c1b30 00000000 00000010 cng!AesGcm+0x268

bc3b0b00 8b18d542 856c1af0 bc3b0bb4 00000000 cng!MSBlockEncrypt+0x29b

bc3b0b34 8b16ff07 856c1af0 856411ca 000012b2 cng!MSCryptEncrypt+0x7d

bc3b0b80 8b192b51 8b18d4c5 856411ca 000012b2 cng!BCryptEncrypt+0x14d

bc3b0c18 8b193035 00000017 000003ea 00000000 cng!Tls1ComputeMac+0x26b

bc3b0c68 8b191e43 87aadda0 00000008 856411ca cng!TlsEncryptPacket+0x36c

bc3b0c98 8b171f05 87aadda0 856c1a78 856411ca cng!SPSslEncryptPacket+0x8c

bc3b0ccc 8b32f5cf 87aa7b20 87cb2330 856411ca cng!SslEncryptPacket+0x4d

bc3b0d4c 8b342232 a7c33008 00000000 bc3b0dec ksecpkg!SslSealMessageStream+0x288

bc3b0d68 8b1691d0 a7c33008 00000000 bc3b0dec ksecpkg!SslSealMessage+0x34

bc3b0d80 b7bbe15d a8c43ba0 00000000 bc3b0dec ksecdd!EncryptMessage+0x34

bc3b0d98 b7bb840f 85422294 00000000 bc3b0dec tssecsrv!SpEncryptMessage+0x25

bc3b0df8 b7bb883c 856411bd bc3b0e30 00000000 tssecsrv!CSecurityFilter::EncryptData+0xda

bc3b0e0c b7bb6171 856411bd bc3b0e30 8538edb8 tssecsrv!CSecurityFilter::FilterOutgoingData+0x22

bc3b0e34 b7bb598f bc3b0e44 8538eda8 b7bba140 tssecsrv!CFilter::FilterOutgoingData+0x8d

bc3b0e60 94ce2721 87c451f0 bc3b0ecc bc3b0ecc tssecsrv!ScrRawWrite+0x49

bc3b0e7c 94ce2802 8538eda8 00000002 bc3b0ecc termdd!_IcaCallSd+0x37

bc3b0e98 b7be56c3 853a04e4 00000002 bc3b0ecc termdd!IcaCallNextDriver+0x4a

bc3b0eac b7bcc5af a7b38008 853a04e4 bc3b0ecc RDPWD!FinalSendOutBuf+0x12

bc3b0ee0 b7bcbca4 000012af 00000001 00000000 RDPWD!NM_SendData+0xd9

bc3b0f18 b7bcd26c 000012af 00000001 00000000 RDPWD!SM_SendData+0x8f

bc3b0f40 b7bc4b07 dd561000 856411c0 000012af RDPWD!ShareClass::SC_SendFastPathData+0x2a

bc3b0f60 b7bcf318 dd561000 bc3b0f7c bc3b1194 RDPWD!ShareClass::SC_FlushPackage+0x29

bc3b0f94 b7bc7196 dd561000 bc3b1194 bc3b11d4 RDPWD!ShareClass::DCS_TimeToDoStuff+0xf6

bc3b0fbc b7bc537c a7858008 dd561000 853a04e0 RDPWD!WDLIB_DDOutputAvailable+0x194

bc3b0fd4 94ce2721 a7858008 bc3b105c 87cdb010 RDPWD!WDSYS_Ioctl+0x20

bc3b0ff0 94ce2bd9 853a04d0 00000005 bc3b105c termdd!_IcaCallSd+0x37

bc3b1010 94ce3576 87cdb008 00000005 bc3b105c termdd!_IcaCallStack+0x57

bc3b1038 94ce40fd 856cc918 00000005 bc3b105c termdd!IcaCallDriver+0x11e

bc3b1074 94ce02f4 856cc918 855f9eb0 855f9f20 termdd!IcaDeviceControlVirtual+0x265

bc3b109c 94ce0fcb 856cc918 855f9eb0 855f9f20 termdd!IcaDeviceControlChannel+0x222

bc3b10cc 94ce119f 855f9eb0 855f9f20 8568d818 termdd!IcaDeviceControl+0x59

bc3b10e4 8288bf47 863804b8 855f9eb0 855f9eb0 termdd!IcaDispatch+0x13f

bc3b10fc 9fae9d4e ffaef010 00000000 bc3b1164 nt!IofCallDriver+0x63

bc3b1128 9faa9fcb 00000001 0038144f bc3b1194 win32k!CtxDeviceIoControlFile+0xa7

bc3b1164 9f8011fa 8568d818 0038144f bc3b1194 win32k!EngFileIoControl+0x31

bc3b11f0 9f8012c9 ffb7c010 00000001 ffb81470 RDPDD!SCH_DDOutputAvailable+0x160

bc3b1208 9f80e70c ffb7c010 00000001 00000000 RDPDD!SCH_DDOutputAvailable+0x2f

bc3b122c 9f810fa1 ffb7c010 ffaef010 00000f30 RDPDD!OA_AllocOrderMem+0x42

bc3b1288 9f8115a1 ffb7c010 0000004b ffb51158 RDPDD!SBCCacheBits+0x125

bc3b1324 9f80a516 ffb7c010 0000000f 00000039 RDPDD!SBC_CacheBitmapTile+0x1cb

bc3b16b0 9f80a768 ffb7c010 00000000 00000000 RDPDD!OETileBitBltOrder+0x22c

bc3b16d8 9f8058d7 00000000 bc3b173c bc3b1718 RDPDD!OEEncodeMemBlt+0x100

bc3b1798 9f805f3f fde7b420 fd9e8158 00000000 RDPDD!DrvBitBlt+0x425

bc3b17d4 9f9d9053 fd5c46b8 fd9e8158 bc3b224c RDPDD!DrvCopyBits+0x41

bc3b1818 9f9c8eb9 9f805efe bc3b1aa8 fd5c46b8 win32k!OffCopyBits+0x80

bc3b1abc 9f9d909d fd5c46b8 fd9e8158 00000000 win32k!SpBitBlt+0x252

bc3b1af0 9f9dc262 fd5c46b8 fd9e8158 bc3b224c win32k!SpCopyBits+0x27

bc3b1d88 9f9de26b fd5c46b8 fd479580 fd5e4830 win32k!EngTextOut+0x710

bc3b1dd4 9f9de4d8 9f9dbb52 bc3b2040 fd5c46b8 win32k!OffTextOut+0x71

bc3b2058 9f9de048 fd5c46b8 bc3b20b4 fd5e4830 win32k!SpTextOut+0x1a2

bc3b2354 9f96c3f7 bc3b2518 ffa49700 ffa4975c win32k!GreExtTextOutWLocked+0x1040

bc3b23d0 9f9bf924 00000000 ffbbe064 00000010 win32k!GreBatchTextOut+0x1e6

bc3b2540 82ad958e 8b3315bf bc3b265c 7ffdf6cc win32k!NtGdiFlushUserBatch+0x123

bc3b2590 9fa5fe9a 00000061 bc3b25bc 00000088 nt!KeUserModeCallback+0x176

bc3b26a0 9f989e08 fe00c880 00000092 00000000 win32k!SfnINLPUAHDRAWMENUITEM+0x12d

bc3b26d4 9fa75c42 fe00c880 00000092 00000000 win32k!xxxDefWindowProc+0xdd

bc3b274c 9fa444e5 fe014900 00000092 00000000 win32k!xxxRealMenuWindowProc+0xe8d

bc3b2780 9f9bc5e0 fe00c880 00000092 00000000 win32k!xxxMenuWindowProc+0x121

bc3b27c0 9f9bc6b2 fe00c880 00000092 00000000 win32k!xxxSendMessageTimeout+0x1ac

bc3b27e8 9fa5f826 fe00c880 00000092 00000000 win32k!xxxSendMessage+0x28

bc3b2890 9fa5fa4d 010100d6 00000001 00000001 win32k!xxxSendMenuDrawItemMessage+0x120

bc3b28f8 9fa59622 010100d6 fe014900 00000000 win32k!xxxDrawMenuItem+0x11b

bc3b2970 9fa75c53 010100d6 00000017 fe00c880 win32k!xxxMenuDraw+0x23a

bc3b29e4 9fa444e5 fe014900 00000318 010100d6 win32k!xxxRealMenuWindowProc+0xe9e

bc3b2a18 9f9bc5e0 fe00c880 00000318 010100d6 win32k!xxxMenuWindowProc+0x121

bc3b2a58 9f9bc6b2 fe00c880 00000318 010100d6 win32k!xxxSendMessageTimeout+0x1ac

bc3b2a80 9fa422a1 fe00c880 00000318 010100d6 win32k!xxxSendMessage+0x28

bc3b2ac8 9f9b17db 00000001 00000000 0000000e win32k!xxxDWPPrint+0x1cd

bc3b2b44 9f9be783 fe00c880 00000317 010100d6 win32k!xxxRealDefWindowProc+0x13be

bc3b2b5c 9f988aad fe00c880 00000317 010100d6 win32k!xxxWrapRealDefWindowProc+0x2b

bc3b2b78 9f9be63f fe00c880 00000317 010100d6 win32k!NtUserfnNCDESTROY+0x27

bc3b2bb0 91cf6a7e 00030166 00000317 010100d6 win32k!NtUserMessageCall+0xd2

WARNING: Stack unwind information not available. Following frames may be wrong.

bc3b2be8 865feb5b 86520e6c 00030166 00000317 SYMEVENT+0x1a7e

bc3b2c10 82892a5a 00030166 00000317 010100d6 0x865feb5b

bc3b2c10 77d36c04 00030166 00000317 010100d6 nt!KiSystemServicePostCall

0025e19c 00000000 00000000 00000000 00000000 0x77d36c04

 

 

STACK_COMMAND: .tss 0x28 ; kb

 

THREAD_SHA1_HASH_MOD_FUNC: 94c9288b51fd41deae5e677e756482488d343cf9

 

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ba2320747de3d5724dde04a750daa995531660de

 

THREAD_SHA1_HASH_MOD: 563baa34ec8ce9d510b5e266c87413a00e6db852

 

FAULT_INSTR_CODE: 8b34438b

 

SYMBOL_STACK_INDEX: a

 

SYMBOL_NAME: cng!AesGcm+268

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: cng

 

IMAGE_NAME: cng.sys

 

DEBUG_FLR_IMAGE_TIMESTAMP: 5af4fd0a

 

FAILURE_BUCKET_ID: 0x7f_8_STACK_USAGE_cng!AesGcm+268

 

BUCKET_ID: 0x7f_8_STACK_USAGE_cng!AesGcm+268

 

PRIMARY_PROBLEM_CLASS: 0x7f_8_STACK_USAGE_cng!AesGcm+268

 

TARGET_TIME: 2019-11-12T16:05:18.000Z

 

OSBUILD: 7601

 

OSSERVICEPACK: 1000

 

SERVICEPACK_NUMBER: 0

 

OS_REVISION: 0

 

SUITE_MASK: 272

 

PRODUCT_TYPE: 1

 

OSPLATFORM_TYPE: x86

 

OSNAME: Windows 7

 

OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS

 

OS_LOCALE:

 

USER_LCID: 0

 

OSBUILD_TIMESTAMP: 2019-09-17 03:58:39

 

BUILDDATESTAMP_STR: 190916-1700

 

BUILDLAB_STR: win7sp1_ldr_escrow

 

BUILDOSVER_STR: 6.1.7601.24524.x86fre.win7sp1_ldr_escrow.190916-1700

 

ANALYSIS_SESSION_ELAPSED_TIME: 388

 

ANALYSIS_SOURCE: KM

 

FAILURE_ID_HASH_STRING: km:0x7f_8_stack_usage_cng!aesgcm+268

 

FAILURE_ID_HASH: {0cf448aa-f892-a120-4dc7-88f52f0c788a}

 

Followup: MachineOwner

---------

 

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000

WARNING: Process directory table base BEDC6D40 doesn't match CR3 00185000

0: kd> lmvm cng

Browse full module list

start end module name

8b16e000 8b1cc000 cng (pdb symbols) C:\ProgramData\dbg\sym\cng.pdb\231A7D34F2874BC787CA4A4012AF459B1\cng.pdb

Loaded symbol image file: cng.sys

Image path: \SystemRoot\System32\Drivers\cng.sys

Image name: cng.sys

Browse all global symbols functions data

Timestamp: Thu May 10 19:16:42 2018 (5AF4FD0A)

CheckSum: 0005D33D

ImageSize: 0005E000

Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

Information from resource tables:

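The `!analyze -v` output above is regular enough to be parsed, and the fields a responder actually reads are the bugcheck and its arguments, the `FAILURE_BUCKET_ID`, the `STACK_TEXT` call chain, and which frames WinDbg could not resolve to a symbol. The Python script below is an added example, not part of the original post and not a WinDbg or Microsoft tool; it parses an excerpt of the output posted above (the sample lines are copied from the post, trimmed to what the parser needs) and reports the crash the way the bucket id does, as stack exhaustion: how many bytes of kernel stack the frames span, how little headroom was left above the reported stack limit, which modules sit in the call chain, and which frames had no symbols. Every function name is the example's own.

```python
import re

# Excerpt of the !analyze -v output posted above, trimmed to the lines the
# parser needs (copied from the post, not a new capture).
SAMPLE = """\
BugCheck 7F, {8, 80b93c00, 0, 0}
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : cng.sys ( cng!AesGcm+268 )
UNEXPECTED_KERNEL_MODE_TRAP (7f)
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
PROCESS_NAME: explorer.exe
STACK_OVERFLOW: Stack Limit: bc3b0000. Use (kF) and (!stackusage) to investigate stack usage.
STACKUSAGE_FUNCTION: The function at address 0xffffffff8b1ae698 was blamed for the stack overflow. It is using 2276 bytes of stack.
STACK_TEXT:
bc3b0014 82821226 82995140 82995000 bc3b0068 hal!HalpLowerIrqlHardwareInterrupts+0x13
bc3b0168 8b1ae698 856c1b30 bc3b01c8 bc3b09e0 cng!AesGcmComputeFinalTag+0x51
bc3b0a4c 8b1908d9 856c1b30 00000000 00000010 cng!AesGcm+0x268
bc3b0d80 b7bbe15d a8c43ba0 00000000 bc3b0dec ksecdd!EncryptMessage+0x34
bc3b0d98 b7bb840f 85422294 00000000 bc3b0dec tssecsrv!SpEncryptMessage+0x25
bc3b0eac b7bcc5af a7b38008 853a04e4 bc3b0ecc RDPWD!FinalSendOutBuf+0x12
bc3b10fc 9fae9d4e ffaef010 00000000 bc3b1164 nt!IofCallDriver+0x63
bc3b2bb0 91cf6a7e 00030166 00000317 010100d6 win32k!NtUserMessageCall+0xd2
WARNING: Stack unwind information not available. Following frames may be wrong.
bc3b2be8 865feb5b 86520e6c 00030166 00000317 SYMEVENT+0x1a7e
bc3b2c10 82892a5a 00030166 00000317 010100d6 0x865feb5b
bc3b2c10 77d36c04 00030166 00000317 010100d6 nt!KiSystemServicePostCall
0025e19c 00000000 00000000 00000000 00000000 0x77d36c04
FAILURE_BUCKET_ID: 0x7f_8_STACK_USAGE_cng!AesGcm+268
IMAGE_NAME: cng.sys
"""

# x86 "kb" frame: ChildEBP RetAddr Args-to-child(x3) Symbol
FRAME_RE = re.compile(r"^(?P<ebp>[0-9a-f]{8}) (?P<ret>[0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(?P<sym>\S+)$")
KEY_RE = re.compile(r"^(?P<key>[A-Z][A-Z0-9_]+):\s*(?P<val>.*)$")
BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
NOSYM_RE = re.compile(r"symbols could not be loaded for (\S+)")


def module_of(symbol):
    """'cng!AesGcm+0x268' -> 'cng'; 'SYMEVENT+0x1a7e' (loaded, no PDB) -> 'SYMEVENT';
    a bare '0x865feb5b' (not attributable to any loaded module) -> None."""
    if symbol.startswith("0x"):
        return None
    return symbol.split("!", 1)[0].split("+", 1)[0]


def parse_analysis(text):
    """Turn !analyze -v text into a dict of bugcheck, args, KEY: fields and stack frames."""
    report = {"bugcheck": None, "args": [], "fields": {}, "frames": [],
              "symbol_errors": [], "unwind_warning": False}
    in_stack = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = BUGCHECK_RE.match(line)
        if m:
            report["bugcheck"] = int(m.group(1), 16)
            report["args"] = [int(a.strip(), 16) for a in m.group(2).split(",")]
            continue
        m = NOSYM_RE.search(line)
        if m:
            report["symbol_errors"].append(m.group(1))
            continue
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                report["frames"].append({"ebp": int(m.group("ebp"), 16),
                                         "ret": int(m.group("ret"), 16),
                                         "symbol": m.group("sym"),
                                         "module": module_of(m.group("sym"))})
                continue
            if line.startswith("WARNING: Stack unwind"):
                report["unwind_warning"] = True
                continue
            in_stack = False  # first non-frame line ends STACK_TEXT
        m = KEY_RE.match(line)
        if m:
            if m.group("key") == "STACK_TEXT":
                in_stack = True
            else:
                report["fields"][m.group("key")] = m.group("val")
    return report


def is_stack_overflow(report):
    """0x7F with Arg1 == 8 is a double fault; the STACK_USAGE bucket says WinDbg
    attributed it to kernel-stack exhaustion rather than to a bad instruction."""
    double_fault = report["bugcheck"] == 0x7F and report["args"][:1] == [8]
    return double_fault and "STACK_USAGE" in report["fields"].get("FAILURE_BUCKET_ID", "")


def stack_modules(report):
    """Distinct modules in the call chain, innermost (crashing) frame first."""
    seen = []
    for f in report["frames"]:
        if f["module"] and f["module"] not in seen:
            seen.append(f["module"])
    return seen


def unsymbolized_frames(report):
    """Frames with no symbol resolution: MODULE+offset or a bare return address."""
    return [f["symbol"] for f in report["frames"] if "!" not in f["symbol"]]


def blamed_function(report):
    """(address, bytes of stack) of the frame WinDbg blamed for the overflow."""
    m = re.search(r"address 0x([0-9a-f]+) .*using (\d+) bytes",
                  report["fields"].get("STACKUSAGE_FUNCTION", ""))
    return (int(m.group(1), 16), int(m.group(2))) if m else None


def kernel_stack_span(report):
    """Bytes of kernel stack between innermost and outermost kernel frame (user-mode
    frames below 0x80000000 excluded), and headroom above the reported stack limit."""
    ebps = [f["ebp"] for f in report["frames"] if f["ebp"] >= 0x80000000]
    m = re.search(r"Stack Limit: ([0-9a-f]{8})", report["fields"].get("STACK_OVERFLOW", ""))
    limit = int(m.group(1), 16) if m else None
    return {"span": max(ebps) - min(ebps),
            "headroom": (min(ebps) - limit) if limit is not None else None}


if __name__ == "__main__":
    r = parse_analysis(SAMPLE)
    print("stack overflow:", is_stack_overflow(r), "in", r["fields"].get("PROCESS_NAME"))
    print("kernel stack:", kernel_stack_span(r), "blamed:", blamed_function(r))
    print("call chain modules:", " -> ".join(stack_modules(r)))
    print("no symbols:", unsymbolized_frames(r), "load errors:", r["symbol_errors"])
```

Run against the posted output it confirms what the bucket id already says: a 0x7F double fault that WinDbg attributed to stack usage, with the innermost frame only 20 bytes above the stack limit and the kernel frames spanning about 11 KB, which on a 32-bit Windows kernel thread stack (12 KB) is essentially the whole stack. The module list shows the chain ran from a win32k menu-draw callback through the RDP display and security drivers into cng.sys, and the `SYMEVENT+0x1a7e` frame and the bare return address following it are the ones WinDbg could not symbolize, which is why it printed the "Following frames may be wrong" warning there.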

 
