Debugging Stop 0x1A – MEMORY_MANAGEMENT

Thanks muhahaa for pointing the PFN data structure out to me.

A Stop 0x1A is quite common in my opinion, and usually is caused by two things: device drivers and RAM. Although, other causes can include the Windows Kernel and memory located in other areas.

Firstly, looking at the parameters presented to us by WinDbg, we can see that the first parameter usually indicates the type of memory management violation which has occurred.

From this example, 41790 indicates that a page table page has become corrupt. The page table is used to store mappings between physical and virtual memory addresses.

We can see from the call stack for the thread, that some virtual memory related routines were being called by the Windows Kernel, for instance the nt!NtUnmapViewOfSection is used to view the unmap the view (mapping of a section object in virtual memory for a process) from the virtual memory address space for a process.

The interesting thing about this dump file is the third parameter, which is 0xffff, this is very similar value when a device driver has called MmUnlockPages too many times on a MDL, which causes the reference count for the number of PFN entries to drop below zero.

We can view the data structure for a PFN  database and check the reference count:

We can see that the number of Used Page Table Entries reference count has dropped below zero, here my suggestion would be to use Driver Verifier along with the Special Pool option.

About 0x14c

I'm currently a Software Developer. My primary interests are Mathematics, Programming and Windows Internals.
This entry was posted in Stop 0x1A. Bookmark the permalink.

2 Responses to Debugging Stop 0x1A – MEMORY_MANAGEMENT

  1. Bug hunter says:

    HI, I have a BSOD with stop code 0x1A, I can not find argument 1 “41201” on MSDN, can you please give me a hand?

    # Any other values for parameter 1 must be individually examined.
    Arg1: 0000000000041201, The subtype of the bugcheck.
    Arg2: fffff6800013ebd8
    Arg3: e7100001fe7d5867
    Arg4: fffffa800a60a5e0


  2. Bug hunter says:

    can someone please help?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.