Debugging Stop 0x101

I would usually explain how to use the ‘old method’ of finding which CPU or processor core has stopped responding to interrupts and is therefore causing a hang, but there is a more efficient method of analyzing Stop 0x101s for any device driver faults (thanks to muhahaa for introducing this method). More Information – Class 101 for 0x101 Bugchecks

We can use the !running extension to quickly produce the information contained within the PRCBs of each processor. The !running extension takes two parameters, which are:

  • -i     This causes the debugger to show idle processors as well as active processors.
  • -t     This causes the debugger to display a stack trace for each processor.

We can then use the !running extension with the two parameters like so:

0: kd> !running -ti

System Processors: (000000000000000f)
Idle Processors: (0000000000000000) (0000000000000000) (0000000000000000) (0000000000000000)

Prcbs Current (pri) Next (pri) Idle
0 fffff80002dfae80 fffffa8006a2fad0 (16) fffff80002e08cc0 …………….

Child-SP RetAddr Call Site
fffff880`033164e8 fffff800`02cd6a3a nt!KeBugCheckEx
fffff880`033164f0 fffff800`02cd6a3a nt! ?? ::FNODOBFM::`string'+0x4e3e
fffff880`03316580 fffff800`031fa895 nt!KeUpdateSystemTime+0x377
fffff880`03316680 fffff800`02c7c153 hal!HalpHpetClockInterrupt+0x8d
fffff880`033166b0 fffff800`02cb5483 nt!KiInterruptDispatchNoLock+0x163
fffff880`03316840 fffff800`02c84a0c nt!KxFlushEntireTb+0x93
fffff880`03316880 fffff800`02c699e4 nt!KeFlushMultipleRangeTb+0x28c
fffff880`03316950 fffff800`02d00f15 nt!MiAgeWorkingSet+0x64a
fffff880`03316b00 fffff800`02c69b16 nt! ?? ::FNODOBFM::`string'+0x4c7f6
fffff880`03316b80 fffff800`02c69fc3 nt!MmWorkingSetManager+0x6e
fffff880`03316bd0 fffff800`02f1dede nt!KeBalanceSetManager+0x1c3
fffff880`03316d40 fffff800`02c70906 nt!PspSystemThreadStartup+0x5a
fffff880`03316d80 00000000`00000000 nt!KiStartSystemThread+0x16

1 fffff880009ec180 fffffa80077de060 ( 8) fffffa8008ffaa00 (15) fffff880009f6fc0 …………….

Child-SP RetAddr Call Site
00000000`00000000 00000000`00000000 0x0

2 fffff88002f64180 fffffa800a2a9640 ( 8) fffffa8009f23060 (22) fffff88002f6efc0 …………….

Child-SP RetAddr Call Site
00000000`00000000 00000000`00000000 0x0

3 fffff88002fd5180 fffffa8009267b50 (11) fffffa8007a61590 (26) fffff88002fdffc0 …………….

Child-SP RetAddr Call Site
00000000`00000000 00000000`00000000 0x0

We can then obtain a raw stack trace from each idle processor by using the !thread extension with the address highlighted in red, as seen in this blog post – Stack Text Commands
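
As an added example (not part of the original post), this Python script parses saved !running -ti output, picks out the processors whose stack trace is empty, and builds a !thread command for each. It assumes the address to pass to !thread is the one in the Current column; the sample text is constructed and abridged from the output above.

```python
import re

# Constructed sample, abridged from the !running -ti output shown above.
SAMPLE = """\
System Processors: (000000000000000f)

Prcbs Current (pri) Next (pri) Idle
0 fffff80002dfae80 fffffa8006a2fad0 (16) fffff80002e08cc0 ................

Child-SP RetAddr Call Site
fffff880`033164e8 fffff800`02cd6a3a nt!KeBugCheckEx
fffff880`03316580 fffff800`031fa895 nt!KeUpdateSystemTime+0x377

1 fffff880009ec180 fffffa80077de060 ( 8) fffffa8008ffaa00 (15) fffff880009f6fc0 ................

Child-SP RetAddr Call Site
00000000`00000000 00000000`00000000 0x0
"""

# Processor row: number, PRCB address, Current thread address, "(pri)".
CPU_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{16})\s+([0-9a-f]{16})\s+\(\s*\d+\)")
# Stack frame: Child-SP and RetAddr (each split by a backtick), then call site.
FRAME = re.compile(r"^\s*([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+(.+?)\s*$")

def parse_running(text):
    """Return one dict per processor: cpu, prcb, current thread, frames."""
    cpus = []
    for line in text.splitlines():
        row = CPU_ROW.match(line)
        if row:
            cpus.append({"cpu": int(row.group(1)), "prcb": row.group(2),
                         "thread": row.group(3), "frames": []})
            continue
        frame = FRAME.match(line)
        if frame and cpus:
            cpus[-1]["frames"].append(frame.group(3))
    return cpus

def empty_stack_cpus(cpus):
    """Processors whose only frame is the all-zero '0x0' placeholder."""
    return [c for c in cpus if not c["frames"] or c["frames"] == ["0x0"]]

def thread_commands(cpus):
    """Build a !thread command for each processor with no usable trace."""
    return [f"!thread {c['thread']}" for c in empty_stack_cpus(cpus)]

if __name__ == "__main__":
    for cmd in thread_commands(parse_running(SAMPLE)):
        print(cmd)
```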


About 0x14c

I'm a Computer Science student and writer. My primary interests are Graph Theory, Number Theory, Programming Language Theory, Logic and Windows Debugging.