!error and NTSTATUS Errors

This is going to be a very short post; however, I still feel it’s important to understand how to use the !error extension to extract readable, understandable information about an NTSTATUS error.

Here’s a current list of NTSTATUS Errors – 2.3.1 NTSTATUS values

NTSTATUS values are used by kernel-mode drivers which support standard driver routines and driver support routines. Some drivers return an NTSTATUS value as their return type in order to convey one of: success values, informational values, warnings and error values.

We can therefore use the !error extension with the NTSTATUS value displayed in a stop line such as this one:

Stop: 0x0000007E (0xC000005, 0x95E5529C, 0xA12C0B40, 0xA12C0720)

Here’s a little snippet I’ve taken from a dump. Notice the 0xC000005: this is an NTSTATUS error, and we can use the !error extension with this value to display the following result:

STATUS_ACCESS_VIOLATION


The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

This is usually due to drivers referencing invalid memory addresses.
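
The severity classes mentioned above (success, informational, warning, error) are encoded in the top two bits of the 32-bit NTSTATUS value. The following is an added example, not code from this post or from WinDbg; it splits a value into its fields using the layout in MS-ERREF section 2.3, and the names nt_decode and nt_parse are hypothetical. It decodes both the first stop parameter as printed above and the eight-digit form given in the comment below, showing that a dropped zero changes the severity and facility.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* NTSTATUS layout (MS-ERREF 2.3):
   Sev = bits 31-30, C = bit 29, N = bit 28, Facility = bits 27-16, Code = bits 15-0 */
typedef struct {
    unsigned severity;  /* 0 success, 1 informational, 2 warning, 3 error */
    unsigned customer;  /* 1 = customer-defined, 0 = Microsoft-defined */
    unsigned facility;
    unsigned code;
} nt_fields;

static const char *const SEV_NAME[] = {"success", "informational", "warning", "error"};

/* Split a 32-bit NTSTATUS into its fields (hypothetical helper). */
nt_fields nt_decode(uint32_t status)
{
    nt_fields f;
    f.severity = status >> 30;
    f.customer = (status >> 29) & 1u;
    f.facility = (status >> 16) & 0xFFFu;
    f.code     = status & 0xFFFFu;
    return f;
}

/* Parse hex text as typed, with or without "0x"; short input is zero-extended. */
uint32_t nt_parse(const char *text)
{
    return (uint32_t)strtoul(text, NULL, 16);
}

int main(void)
{
    /* Values from this page: the stop parameter as printed in the post,
       and the eight-digit form from the comment. */
    const char *samples[] = {"0xC000005", "0xC0000005"};
    for (int i = 0; i < 2; i++) {
        uint32_t v = nt_parse(samples[i]);
        nt_fields f = nt_decode(v);
        printf("%-10s -> 0x%08lX severity=%s customer=%u facility=0x%03X code=0x%04X\n",
               samples[i], (unsigned long)v, SEV_NAME[f.severity],
               f.customer, f.facility, f.code);
    }
    return 0;
}
```
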

  



About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.

One Response to !error and NTSTATUS Errors

  1. sig84 says:

    instead of “0xC000005” have to “0xC0000005”
