· 6 years ago · Mar 07, 2020, 12:12 PM
1BugChecks and what to do about them:
2
3Bugchecks with no descriptions are either checked builds
4only or very rare. If you get one of these and a kernel
5debugger is available do the following
6 kb
7 !process 0 7
8 !vm
9 !errlog
10
11APC_INDEX_MISMATCH (0x1)
12This is a kernel internal error which can occur on a checked build.
13The most common reason to see such a bugcheck would occur when a
14filesystem had a mismatched number of KeEnterCriticalRegion calls compared
15to KeLeaveCriticalRegion calls.
16
17DEVICE_QUEUE_NOT_BUSY (0x2)
18
19INVALID_AFFINITY_SET (0x3)
20
21INVALID_DATA_ACCESS_TRAP (0x4)
22
23INVALID_PROCESS_ATTACH_ATTEMPT (0x5)
24
25INVALID_PROCESS_DETACH_ATTEMPT (0x6)
26
27INVALID_SOFTWARE_INTERRUPT (0x7)
28
29IRQL_NOT_DISPATCH_LEVEL (0x8)
30
31IRQL_NOT_GREATER_OR_EQUAL (0x9)
32
33IRQL_NOT_LESS_OR_EQUAL (0xA)
34 1 - memory referenced
35 2 - IRQL
36 3 - value 0 = read operation, 1 = write operation
37 4 - address which referenced memory
38
39An attempt was made to touch pagable memory at a process
40internal request level (IRQL) too high. This is usually
41caused by drivers using improper addresses.
42
43If kernel debugger is available get stack backtrace.
44
45
46NO_EXCEPTION_HANDLING_SUPPORT (0xB)
47
48MAXIMUM_WAIT_OBJECTS_EXCEEDED (0xC)
49
50MUTEX_LEVEL_NUMBER_VIOLATION (0xD)
51 1 - The current thread's mutex level
52 2 - The mutex level that we are attempting to acquire
53
54Try to identify the mutexes using the ntos\ex\exlevels.h header file. This
55usually will pinpoint the mutexes that are getting acquired in an incorrect
56sequence.
57
58NO_USER_MODE_CONTEXT (0xE)
59
60SPIN_LOCK_ALREADY_OWNED (0xF)
61
62SPIN_LOCK_NOT_OWNED (0x10)
63
64THREAD_NOT_MUTEX_OWNER (0x11)
65
66TRAP_CAUSE_UNKNOWN (0x12)
67
68EMPTY_THREAD_REAPER_LIST (0x13)
69
70CREATE_DELETE_LOCK_NOT_LOCKED (0x14)
71
72LAST_CHANCE_CALLED_FROM_KMODE (0x15)
73
74CID_HANDLE_CREATION (0x16)
75
76CID_HANDLE_DELETION (0x17)
77
78REFERENCE_BY_POINTER (0x18)
79
80BAD_POOL_HEADER (0x19)
81
82The pool is already corrupt at the time of the current request.
83This may or may not be due to the caller.
84The internal pool links must be walked to figure out a possible cause of
85the problem, and then special pool applied to the suspect tags or the driver
86verifier to a suspect driver.
87
88 3 - the pool freelist is corrupt. parameter 2 is the pool entry being
89 checked, 4/5 are the read back flink/blink freelist values. The values
90 are supposed to be the same parameter 2.
91
92 5 - the adjacent pool block headers are corrupt. parameter 2 and 4 are
93 the entries whose headers are not consistent. parameter 3 is the line
94 number inside pool.c (generally not useful).
95
96MEMORY_MANAGEMENT (0x1A)
97
98 #n, where # denotes the bugcheck parameter
99
100 #1 - The subtype of the bugcheck:
101
102 1 - The fork clone block reference count is corrupt. Only occurs
103 on checked builds.
104
105 # Any other values for parameter 1 must be individually examined.
106
107PFN_SHARE_COUNT (0x1B)
108
109PFN_REFERENCE_COUNT (0x1C)
110
111NO_SPIN_LOCK_AVAILABLE (0x1D)
112
113KMODE_EXCEPTION_NOT_HANDLED (0x1E)
114 1 - The exception code that was not handled
115 2 - The address that the exception occured at
116 3 - Parameter 0 of the exception
117 4 - Parameter 1 of the exception
118
119This is a very common bugcheck. Usually the exception address pinpoints
120the driver/function that caused the problem. Always note this address
121as well as the link date of the driver/image that contains this address.
122Some common problems are exception code 0x80000003. This means a hard
123coded breakpoint or assertion was hit, but this system was booted
124/NODEBUG. This should not happen, but I am positive you will see this.
125If it happens repeatedly, make sure a debugger gets connected, and the
126system is booted /DEBUG. This will let us see why this breakpoint is
127happening.
128
129On MIPs systems if the address of the exception is 0XBFC0304, then bugcheck is
130the result of a cache parity error on the CPU. If the problem reoccurs
131frequently, the hardware manufactor should be contacted.
132
133SHARED_RESOURCE_CONV_ERROR (0x1F)
134
135KERNEL_APC_PENDING_DURING_EXIT (0x20)
136 1 - The address of the APC found pending during exit.
137 2 - The thread's APC disable count
138 3 - The current IRQL
139
140The key data items are the thread's APC disable count.
141If this is non-zero, then this is the source of the problem.
142A negative value indicates that a filesystem has called
143FsRtlEnterFileSystem more than FsRtlExitFileSystem. A positive value
144indicates that the reverse is true. If you ever see this, be very very
145suspicious of all file systems installed on the machine. Third party
146redirectors (like Novell) are especially suspicious since they do not
147receive the heavy duty testing that NTFS, FAT, HPFS, and RDR receive.
148
149This current IRQL should also be 0. If it is not, that a driver's
150cancelation routine can cause this bugcheck by returning at an elevated
151IRQL. Always attempt to not what the customer was doing/closing at the
152time of the crash, and note all of the installed drivers at the time of
153the crash. This symptom is usually a severe bug in a third party
154driver.
155
156QUOTA_UNDERFLOW (0x21)
157
158FILE_SYSTEM (0x22)
159
160FAT_FILE_SYSTEM (0x23)
161 All file system bug checks have encoded in their first ULONG
162 the source file and the line within the source file that generated
163 the bugcheck. The high 16-bits contains a number to identify the
164 file and low 16-bits is the source line within the file where
165 the bug check call occurs. For example, 0x00020009 indicates
166 that the FAT file system bugcheck occurred in source file #2 and
167 line #9.
168
169 The file system calls bug check in multiple places and this will
170 help us identify the actual source line that generated the bug
171 check. The only thing that can be done right now is to collect
172 any bug check information in a database and pass on the output
173 to a developer who can look in the sources and hopefully identify
174 the cause of the bug check.
175
176NTFS_FILE_SYSTEM (0x24)
177 See the comment for FAT_FILE_SYSTEM
178 If you see NtfsExceptionFilter on the stack then the 2nd and 3rd parameters are the
179 exception record and context record. Do a !cxr on the 3rd parameter and then !kb to
180 obtain a more informative stack trace.
181
182
183NPFS_FILE_SYSTEM (0x25)
184 See the comment for FAT_FILE_SYSTEM
185
186CDFS_FILE_SYSTEM (0x26)
187 See the comment for FAT_FILE_SYSTEM
188
189RDR_FILE_SYSTEM (0x27)
190
191CORRUPT_ACCESS_TOKEN (0x28)
192
193SECURITY_SYSTEM (0x29)
194
195INCONSISTENT_IRP (0x2A)
196 1 - Address of the IRP that was found to be inconsistent
197
198An IRP was encountered that was in an inconsistent state; i.e., some field
199or fields of the IRP were inconsistent w/the remaining state of the IRP.
200An example would be an IRP that was being completed, but was still marked
201as being queued to a driver's device queue. This bugcheck code is not
202currently being used in the system, but exists for debugging purposes.
203
204PANIC_STACK_SWITCH (0x2B)
205This error indicates that the kernel mode stack was overrun. This normally
206occurs when a kernel-mode driver uses too much stack space. It can also
207occur when serious data corruption occurs in the kernel.
208
209PORT_DRIVER_INTERNAL (0x2C)
210
211SCSI_DISK_DRIVER_INTERNAL (0x2D)
212
213DATA_BUS_ERROR (0x2E)
214This bugcheck is normally caused by a parity error in the system memory.
215 1. Virtual address that caused the fault
216 2. Physical address that caused
217 3. Processor status register (PSR)
218 4. Faulting instruction register (FIR)
219This error can also be caused by a driver accessing a 0x8XXXXXXX address
220that does not exist.
221
222INSTRUCTION_BUS_ERROR (0x2F)
223
224SET_OF_INVALID_CONTEXT (0x30)
225
226PHASE0_INITIALIZATION_FAILED (0x31)
227
228 System init failed early on. Debugger is required to make sense of this
229 since the bugcheck tells you almost nothing.
230
231PHASE1_INITIALIZATION_FAILED (0x32)
232 1 - NT Status code that describes why the system thinks initialization failed.
233 2 - Indicates location within init.c where phase 1 initialization failure occured
234
235UNEXPECTED_INITIALIZATION_CALL (0x33)
236
237CACHE_MANAGER (0x34)
238 See the comment for FAT_FILE_SYSTEM
239
240NO_MORE_IRP_STACK_LOCATIONS (0x35)
241 1 - Address of the IRP
242
243A higher level driver has attempted to call a lower level driver through
244the IoCallDriver() interface, but there are no more stack locations in the
245packet, hence, the lower level driver would not be able to access its
246parameters, as there are no parameters for it. This is a disasterous
247situation, since the higher level driver "thinks" it has filled in the
248parameters for the lower level driver (something it MUST do before it calls
249it), but since there is no stack location for the latter driver, the former
250has written off of the end of the packet. This means that some other memory
251has probably been trashed at this point.
252
253DEVICE_REFERENCE_COUNT_NOT_ZERO (0x36)
254 1 - Address of the device object
255
256A device driver has attempted to delete one of its device objects from the
257system but the reference count for that object was non-zero, meaning that
258there are still outstanding references to the device. (The reference count
259indicates the number of reasons why this device object cannot be deleted.)
260This is a bug in the calling device driver.
261
262FLOPPY_INTERNAL_ERROR (0x37)
263
264SERIAL_DRIVER_INTERNAL (0x38)
265
266SYSTEM_EXIT_OWNED_MUTEX (0x39)
267
268SYSTEM_UNWIND_PREVIOUS_USER (0x3A)
269
270SYSTEM_SERVICE_EXCEPTION (0x3B)
271
272INTERRUPT_UNWIND_ATTEMPTED (0x3C)
273
274INTERRUPT_EXCEPTION_NOT_HANDLED (0x3D)
275
276MULTIPROCESSOR_CONFIGURATION_NOT_SUPPORTED (0x3E)
277The system has multiple processors, but they are asymmetric in relation
278to one another. In order to be symmetric all processors must be of
279the same type and level. For example, trying to mix a Pentium level
280processor with an 80486 would cause this bugcheck. Additionally, on x86
281systems all processors must either have floating point capabilities, or
282none should.
283
284
285NO_MORE_SYSTEM_PTES (0x3F)
286 1 - PTE Type (0 - system expansion, 1 nonpaged pool expansion)
287 2 - Requested size
288 3 - Total free system PTEs
289 4 - Total system PTEs
290
291No System PTEs left. Usually caused by a driver not cleaning up
292properly. If kernel debugger available get stack trace and
293"!sysptes 3".
294
295Set HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Mamagement\TrackPtes to a DWORD 1 value and reboot. Then the system will save stack traces
296so the guilty driver can be identified. There is no other way to find out
297which driver is neglecting to clean up the I/Os. A bugcheck DRIVER_USED_EXCESSIVE_PTES will then occur if the system runs out of PTEs again and the offending
298driver's name will be printed.
299
300TARGET_MDL_TOO_SMALL (0x40)
301
302A driver has called the IoBuildPartialMdl() function and passed it an MDL
303to map part of a source MDL, but the target MDL is not large enough to map
304the entire range of addresses requested. This is a driver bug. The source
305and target MDLs, as well as the address range length to be mapped are the
306arguments to the IoBuildPartialMdl() function, i.e.;
307
308 IoBuildPartialMdl(
309 IN PMDL SourceMdl,
310 IN OUT PMDL TargetMdl,
311 IN PVOID VirtualAddress,
312 IN ULONG Length
313 )
314
315MUST_SUCCEED_POOL_EMPTY (0x41)
316
317 1 - size of the request that could not be satisfied
318 2 - number of pages used of nonpaged pool
319 3 - number of > PAGE_SIZE requests from nonpaged pool
320 4 - number of pages available
321
322If debugger available, !vm command lists various sizes. Then do !poolused 2.
323
324ATDISK_DRIVER_INTERNAL (0x42)
325
326NO_SUCH_PARTITION (0x43)
327
328MULTIPLE_IRP_COMPLETE_REQUESTS (0x44)
329 1 - Address of the IRP
330
331A driver has requested that an IRP be completed (IoCompleteRequest()), but
332the packet has already been completed. This is a tough bug to find because
333the easiest case, a driver actually attempted to complete its own packet
334twice, is generally not what happened. Rather, two separate drivers each
335believe that they own the packet, and each attempts to complete it. The
336first actually works, and the second fails. Tracking down which drivers
337in the system actually did this is difficult, generally because the trails
338of the first driver have been covered by the second. However, the driver
339stack for the current request can be found by examining the DeviceObject
340fields in each of the stack locations.
341
342INSUFFICIENT_SYSTEM_MAP_REGS (0x45)
343
344DEREF_UNKNOWN_LOGON_SESSION (0x46)
345
346REF_UNKNOWN_LOGON_SESSION (0x47)
347
348CANCEL_STATE_IN_COMPLETED_IRP (0x48)
349 1 - Pointer to the IRP
350
351This bugcheck indicates that an I/O Request Packet (IRP) that is to be
352cancelled, has a cancel routine specified in it -- meaning that the packet
353is in a state in which the packet can be cancelled -- however, the packet
354no longer belongs to a driver, as it has entered I/O completion. This is
355either a driver bug, or more than one driver is accessing the same packet,
356which is not likely and much more difficult to find.
357
358PAGE_FAULT_WITH_INTERRUPTS_OFF (0x49)
359
360 Means exactly what it says, treat it as a case of 0x0A above.
361
362IRQL_GT_ZERO_AT_SYSTEM_SERVICE (0x4A)
363
364STREAMS_INTERNAL_ERROR (0x4B)
365
366FATAL_UNHANDLED_HARD_ERROR (0x4C)
367
368If a hard error occurs during system booting before windows is up, and
369the hard error is a real error, the system will blue screen crash.
370
371Some common cases are:
372
373 x218 - This means a necessary registry hive file could not be
374 loaded. The obvious reason is if it is corrupt or missing.
375 In this case, either the Emergency Repair Disk or a
376 reinstall is required.
377
378 Some less obvious reasons are that the driver has corrupted
379 the registry data while loading into memory, or the memory
380 where the registry file was loaded is not actually memory.
381 In particular, AST EISA machines with 16MB or more of memory
382 must have access to the memory above 16MB ENABLED in the
383 Eisa Config Utility, or else a registry file is liable to get
384 loaded in this spot, but will return just 0xffffffff when
385 we look at the memory.
386
387 x21a - This means that either winlogon, or csrss (windows) died
388 unexpectedly. The exit code tells more information. Usually
389 it is c0000005 meaning that an unhandled exception crashed
390 either of these processes. There is not much you can do
391 unless this becomes a persistent problem.
392
393 x221 - This means that a driver is corrupt, or a system DLL was
394 detected to be corrupt. We do our best to integrety check
395 drivers and important system DLLs, and if they are corrupt,
396 the blue screen the name of the corrupt file. This prevents
397 crashes from occuring when we stumble into the corruption
398 later. Boot an alternate OS, or reinstall if no alternate
399 exists. Make sure the on disk file that is listed as bad
400 matches the version on CD and replace if necessary. In some
401 cases, random corruption can mean that there is a hardware
402 problem in our I/O path to the file.
403
404NO_PAGES_AVAILABLE (0x4D)
405 1 - Total number of dirty pages
406 2 - Number of dirty pages destined for the pagefile(s).
407 3 - Nonpaged pool available at time of bugcheck (in pages).
408 4 - Number of transition pages that are currently stranded.
409
410No free pages available to continue operations.
411If kernel debugger available "!vm" followed by "!poolused 2" and "!process 8 7"
412
413 This bugcheck can occur for the following reasons:
414
415 1. A driver has blocked, deadlocking the modified or mapped
416 page writers. Examples of this include mutex deadlocks or
417 accesses to paged out memory in filesystem drivers, filter
418 drivers, etc. This indicates a driver bug.
419
420 If parameter 1 or 2 is large, then this is a possibility. Type
421 "!process 8 7" in the kernel debugger.
422
423 2. The storage driver(s) are not processing requests. Examples
424 of this are stranded queues, non-responding drives, etc. This
425 indicates a driver bug.
426
427 If parameter 1 or 2 is large, then this is a possibility. Type
428 "!process 8 7" in the kernel debugger.
429
430 3. Not enough pool is available for the storage stack to write out
431 modified pages. This indicates a driver bug.
432
433 If parameter 3 is small, then this is a possibility. Type
434 "!vm" and "!poolused 2" in the kernel debugger.
435
436 4. A high priority realtime thread has starved the balance set
437 manager from trimming pages and/or starved the modified writer
438 from writing them out. This indicates a bug in the component
439 that created this thread.
440
441 This one is hard to determine, try "!ready"
442
443 5. All the processes have been trimmed to their minimums and all
444 modified pages written, but still no memory is available. The
445 freed memory must be stuck in transition pages with non-zero
446 reference counts - thus they cannot be put on the freelist.
447 A driver is neglecting to unlock the pages preventing the
448 reference counts from going to zero which would free the pages.
449 This may be due to transfers that never finish and the driver
450 never aborts or other driver bugs.
451
452 If parameter 4 is large, then this is a possibility. But it
453 is very hard to find the driver. Try "!process 0 1" and look
454 for any that have a lot of locked pages.
455
456PFN_LIST_CORRUPT (0x4E)
457 1 - value 1
458 2 - ListHead value which was corrupt
459 3 - number of pages available
460 4 - 0
461
462 1 - value 2
463 2 - entry in list being removed
464 3 - highest physical page number
465 4 - reference count of entry being removed
466
467Caused by corrupting I/O driver structures. If kernel debugger
468available get stack trace.
469
470
471NDIS_INTERNAL_ERROR (0x4F)
472
473PAGE_FAULT_IN_NONPAGED_AREA (0x50)
474 1 - memory referenced.
475 2 - value 0 = read operation, 1 = write operation.
476 3 - If non-zero, the instruction address which referenced the bad memory
477 address.
478 4 - Mm internal code.
479
480Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory.
481
482REGISTRY_ERROR (0x51)
483 1 - value 1 (indicates where we bugchecked)
484 2 - value 2 (indicates where we bugchecked)
485 3 - depends on where it bugchecked, may be pointer to hive
486 4 - depends on where it bugchecked, may be return code of
487 HvCheckHive if the hive is corrupt.
488
489Something has gone horribly wrong with the registry. If a kernel debugger
490is available, get a stack trace.
491
492If the stack trace indicates we are in a system worker thread (CmpWorker
493will be on the call list) do the following kernel debugger commands:
494
495 dd CmpRegistryMutex+18 L1
496 !thread <whatever value the above command printed out>
497
498This will give you the thread and stacktrace that made the registry call.
499
500It can also indicate that the registry got an I/O error while trying to
501read one of its files, so it can be caused by hardware problems or
502filesystem corruption.
503
504It may occur due to a failure in a refresh operation, which is used only
505in by the security system, and then only when resource limits are encountered.
506When you see this bugcode, be sure to ask if the machine is a PDC or BDC,
507and how many accounts are in its sam, whether it might be a replication target,
508and whether the volume where the hive files reside is nearly full.
509
510MAILSLOT_FILE_SYSTEM (0x52)
511
512NO_BOOT_DEVICE (0x53)
513
514LM_SERVER_INTERNAL_ERROR (0x54)
515
516DATA_COHERENCY_EXCEPTION (0x55)
517
518INSTRUCTION_COHERENCY_EXCEPTION (0x56)
519
520XNS_INTERNAL_ERROR (0x57)
521
522FTDISK_INTERNAL_ERROR (0x58)
523
524The system was booted from a revived primary partition so
525the hives say the mirror is ok, when in fact it is not.
526The "real" image of the hives are on the shadow.
527The user must boot from the shadow.
528
529PINBALL_FILE_SYSTEM (0x59)
530 See the comment for FAT_FILE_SYSTEM
531
532CRITICAL_SERVICE_FAILED (0x5A)
533
534SET_ENV_VAR_FAILED (0x5B)
535
536HAL_INITIALIZATION_FAILED (0x5C)
537
538UNSUPPORTED_PROCESSOR (0x5D)
539 386 - System failed because the processor is only a 386 or
540 compatible. The system requires a 486 compatible or better processor.
541
542HEAP_INITIALIZATION_FAILED (0x5D)
543
544OBJECT_INITIALIZATION_FAILED (0x5E)
545
546SECURITY_INITIALIZATION_FAILED (0x5F)
547
548PROCESS_INITIALIZATION_FAILED (0x60)
549
550HAL1_INITIALIZATION_FAILED (0x61)
551
552OBJECT1_INITIALIZATION_FAILED (0x62)
553
554SECURITY1_INITIALIZATION_FAILED (0x63)
555
556SYMBOLIC_INITIALIZATION_FAILED (0x64)
557
558MEMORY1_INITIALIZATION_FAILED (0x65)
559
560CACHE_INITIALIZATION_FAILED (0x66)
561
562CONFIG_INITIALIZATION_FAILED (0x67)
563 1 - 5
564 2 - indicates location in ntos\config\cmsysini that failed
565
566This means the registry couldn't allocate the pool needed to contain the
567registry files. This should never happen, since it is early enough in
568system initialization that there is always plenty of paged pool available.
569
570FILE_INITIALIZATION_FAILED (0x68)
571
572IO1_INITIALIZATION_FAILED (0x69)
573
574Initialization of the I/O system failed for some reason. There is
575practically no other information available. In general, setup really made
576some bad decisions about the installation of the system, or the user has
577reconfigured the system.
578
579LPC_INITIALIZATION_FAILED (0x6A)
580
581PROCESS1_INITIALIZATION_FAILED (0x6B)
582 1 - Indicates the status code that tripped us into thinking that
583 initialization failed.
584 2 - Indicates the location in ntos\ps\psinit.c where the failure
585 was detected.
586
587REFMON_INITIALIZATION_FAILED (0x6C)
588
589SESSION1_INITIALIZATION_FAILED (0x6D)
590 1 - Indicates the NT status code that tripped us into thinking
591 that initialization failed.
592
593The bugcheck code (SESSION1 - SESSION5) indicates the location in
594ntos\init\init.c where the failure was detected.
595
596SESSION2_INITIALIZATION_FAILED (0x6E)
597 1 - Indicates the NT status code that tripped us into thinking
598 that initialization failed.
599
600The bugcheck code (SESSION1 - SESSION5) indicates the location in
601ntos\init\init.c where the failure was detected.
602
603SESSION3_INITIALIZATION_FAILED (0x6F)
604 1 - Indicates the NT status code that tripped us into thinking
605 that initialization failed.
606
607The bugcheck code (SESSION1 - SESSION5) indicates the location in
608ntos\init\init.c where the failure was detected.
609
610SESSION4_INITIALIZATION_FAILED (0x70)
611 1 - Indicates the NT status code that tripped us into thinking
612 that initialization failed.
613
614The bugcheck code (SESSION1 - SESSION5) indicates the location in
615ntos\init\init.c where the failure was detected.
616
617SESSION5_INITIALIZATION_FAILED (0x71)
618 1 - Indicates the NT status code that tripped us into thinking
619 that initialization failed.
620
621The bugcheck code (SESSION1 - SESSION5) indicates the location in
622ntos\init\init.c where the failure was detected.
623
624ASSIGN_DRIVE_LETTERS_FAILED (0x72)
625
626CONFIG_LIST_FAILED (0x73)
627
628 1 - 5
629 2 - 2
630 3 - index of hive in list
631 4 - pointer to UNICODE_STRING containing filename of hive
632
633Indicates that one of the core system hives is corrupt or
634unreadable. This can be either SOFTWARE, SECURITY or SAM.
635
636BAD_SYSTEM_CONFIG_INFO (0x74)
637
638Can indicate that the SYSTEM hive loaded by the osloader/NTLDR
639was corrupt. This is unlikely, since the osloader will check
640a hive to make sure it isn't corrupt after loading it.
641
642It can also indicate that some critical registry keys and values
643are not present. (i.e. somebody used regedt32 to delete something
644that they shouldn't have) Booting from LastKnownGood may fix
645the problem, but if someone is persistent enough in mucking with
646the registry they will need to reinstall or use the Emergency
647Repair Disk.
648
649CANNOT_WRITE_CONFIGURATION (0x75)
650
651This will result if the SYSTEM hive files (SYSTEM and SYSTEM.ALT)
652cannot be grown to accomodate additional data written into it
653between registry initialization and phase one initialization
654(when the filesystems are available)
655
656It usually means there are 0 bytes of free space available on the
657drive.
658
659You cannot store the registry on a read-only device.
660
661PROCESS_HAS_LOCKED_PAGES (0x76)
662 1 - 0
663 2 - process address
664 3 - number of locked pages
665 4 - pointer to driver stacks (if enabled) or 0 if not.
666
667Caused by a driver not cleaning up completely after an I/O. Set
668HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\TrackLockedPages to a DWORD 1 value and reboot. Then the system will save stack traces
669so the guilty driver can be identified. There is no other way to find out
670which driver is neglecting to clean up the I/Os. When you enable this flag,
671if the driver commits the error again you will see a different
672bugcheck - DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS - which can identify the
673offending driver(s).
674
675KERNEL_STACK_INPAGE_ERROR (0x77)
676 1 - 0 (page was retrieved from page cache)
677 2 - value found in stack where signature should be
678 3 - 0
679 4 - address of signature on kernel stack
680
681 1 - 1 (page was retrieved from disk)
682 2 - value found in stack where signature should be
683 3 - 0
684 4 - address of signature on kernel stack
685
686 1 - 2 (page was retrieved from disk, storage stack returned SUCCESS,
687 but the Status.Information != PAGE_SIZE)
688 2 - value found in stack where signature should be
689 3 - 0
690 4 - address of signature on kernel stack
691
692 1 - status code
693 2 - i/o status code
694 3 - page file number
695 4 - offset into page file
696
697The requested page of kernel data could not be read in. Caused by
698bad block in paging file or disk controller error.
699
700This can also be caused by running out of resources, specifically,
701nonpaged pool with status of c0000009a (STATUS_INSUFFICIENT_RESOURCES).
702In this case, do !vm to see which pool has been overused, and then do
703!poolused x to sort the pool allocators. Then give the failure to the
704component that has the most pool.
705
706In the case when the first and second arguments are 0, the stack signature
707in the kernel stack was not found. Again, bad hardware.
708
709An I/O status of c000009c (STATUS_DEVICE_DATA_ERROR) or
710C000016AL (STATUS_DISK_OPERATION_FAILED) normally indicates
711the data could not be read from the disk due to a bad
712block. Upon reboot autocheck willl run and attempt to map out the bad
713sector. If the status is C0000185 (STATUS_IO_DEVICE_ERROR) and the paging
714file is on a SCSI disk device, then the cabling and termination should be
715checked. See the knowledge base article on SCSI termination.
716
717PHASE0_EXCEPTION (0x78)
718
719MISMATCHED_HAL (0x79)
720 1 - type of mismatch
721 type 1:
722 The PRCB release levels mismatch. (something is out of date)
723 2 - Major PRCB level of ntoskrnl.exe
724 3 - Major PRCB level of hal.dll
725
726 type 2:
727 The build types mismatch.
728 2 - Build type of ntoskrnl.exe
729 3 - Build type of hal.dll
730
731 Build type
732 0 = Free multiprocessor enabled build
733 1 = Checked multiprocessor enabled build
734 2 = Free uniprocessor build
735
736 type 3:
737 Microchannel computers require a micro-channel specific hal.
738 This type would means that there is a mis-match.
739 2 - Machine type as detected by ntdetect.com
740 A value of a 2 would mean the computer is MCA
741 3 - Machine type which hal supports:
742 A value of a 2 would mean the hal is built for MCA
743
744The HAL revision level and HAL configuration type does not match that
745of the kernel or the machine type. This would probably happen if the
746user has manually updated either ntoskrnl.exe or hal.dll and managed to
747get a conflict.
748
749You have an MP (multi-processor) Hal and a UP (uni-processor) Kernel,
750or the reverse.
751
752
753
754KERNEL_DATA_INPAGE_ERROR (0x7A)
755 1 - lock type that was held (value 1,2,3, or PTE address)
756 2 - error status (normally i/o status code)
757 3 - current process (virtual address for lock type 3, or PTE)
758 4 - virtual address that could not be in-paged
759
760The requested page of kernel data could not be read in. Caused by
761bad block in paging file or disk controller error. Also see
762KERNEL_STACK_INPAGE_ERROR.
763
764If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
765it means the disk subsystem has experienced a failure.
766ntmsd is the best alias to take care of these types of failures.
767
768If the error status is 0xC000009A, then it means the request failed because
769memory could not be allocated. Type !vm and then !poolused 2 in the kernel
770debugger to find which tags are leaking memory and then have the owning driver
771fix their leaks.
772
773
774
775
776INACCESSIBLE_BOOT_DEVICE (0x7B)
777 1 - Pointer to the device object or Unicode string of ARC name
778
779During the initialization of the I/O system, it is possible that the driver
780for the boot device failed to initialize the device that the system is
781attempting to boot from, or it is possible for the file system that is
782supposed to read that device to either fail its initialization or to simply
783not recognize the data on the boot device as a file system structure that
784it recognizes. In the former case, the argument (#1) is the address of a
785Unicode string data structure that is the ARC name of the device from which
786the boot was being attempted. In the latter case, the argument (#1) is the
787address of the device object that could not be mounted.
788
789If this is the initial setup of the system, then this error can occur if
790the system was installed on an unsupported disk or SCSI controller. Note
791that some controllers are supported only by drivers which are in the Windows
792Driver Library (WDL) which requires the user to do a custom install. See
793the Windows Driver Library for more information.
794
795This error can also be caused by the installation of a new SCSI adapter or
796disk controller or repartitioning the disk with the system partition. If
797this is the case, on x86 systems the boot.ini file must be edited or on ARC
798systems setup must be run. See the "Advanced Server System Administrator's
799User Guide" for information on changing boot.ini.
800
801If the argument is a pointer to an ARC name string, then the format of the
802first two (and in this case only) longwords will be:
803
804 USHORT Length;
805 USHORT MaximumLength;
806 PVOID Buffer;
807
808That is, the first longword will contain something like 00800020 where 20
809is the actual length of the Unicode string, and the next longword will
810contain the address of buffer. This address will be in system space, so
811the high order bit will be set.
812
813If the argument is a pointer to a device object, then the format of the first
814word will be:
815
816 USHORT Type;
817
818That is, the first word will contain a 0003, where the Type code will ALWAYS
819be 0003.
820
821Note that this makes it immediately obvious whether the argument is a pointer
822to an ARC name string or a device object, since a Unicode string can never
823have an odd number of bytes, and a device object will always have a Type
824code of 3.
825
826BUGCODE_PSS_MESSAGE (0x7C)
827
828INSTALL_MORE_MEMORY (0x7D)
829 1 - Number of physical pages found
830 2 - Lowest physical page
831 3 - Highest physical page
832 4 - 0
833
834Not enough memory to boot NT (needs 5mb).
835
836WINDOWS_NT_BANNER (0x4000007E)
837
838UNEXPECTED_KERNEL_MODE_TRAP (0x7F)
839
840This means a trap occured in kernel mode, and it's a trap of a kind
841that the kernel isn't allowed to have/catch (bound trap) or that
842is always instant death (double fault). The first number in the
843bugcheck parens is the number of the trap (8 = double fault, etc)
844Consult an Intel x86 family manual to learn more about what these
845traps are.
846
847A kb and !trap on the appropriate frame (which will be the ebp that
848goes with a procedure named KiTrap...) (at least on x86) will
849show where the trap was taken.
850
851
852NMI_HARDWARE_FAILURE (0x80)
853
854Hopefully MS PSS will never hear about this. The HAL is supposed
855to report whatever specific data it has, and to tell the user to
856call their HARDWARE vendor for support.
857
858SPIN_LOCK_INIT_FAILURE (0x81)
859
860DFS_FILE_SYSTEM (0x82)
861
862SETUP_FAILURE (0x85)
863
864(NOTE: Textmode setup no longer uses bugchecks to bail out of serious
865error conditions. Therefore, you will never encounter a bugcheck 0x85.
866All bugchecks have been replaced with friendlier and (where possible)
867more descriptive error messages. Some of the former bugchecks, however,
868have simply been replaced by our own bugcheck screen, and the codes for
869these error conditions are the same as before. These are documented below.)
870
871The first extended bugcheck field is a code indicating what the
872problem is, and the other fields are used differently depending on
873that value.
874
875 1 -
876 0: The oem hal font is not a valid .fon format file, and so setup
877 is unable to display text.
878 This indicates that vgaxxx.fon on the boot floppy or CD-ROM
879 is damaged.
880
881 1: Video initialization failed. NO LONGER A BUGCHECK CODE.
882 This error now has its own error screen, and the user is only
883 presented with the two relevant parameters detailed below.
884
885 This may indicate that the disk containing vga.sys
886 (or other video driver appropriate to the machine)
887 is damaged or that machine has video hardware that
888 we cannot communicate with.
889
890 2 - What failed:
891 0: NtCreateFile of \device\video0
892 1: IOCTL_VIDEO_QUERY_NUM_AVAIL_MODES
893 2: IOCTL_VIDEO_QUERY_AVAIL_MODES
894 3: Desired video mode not supported. This is indicative of
895 an internal setup error.
896 4: IOCTL_VIDEO_SET_CURRENT_MODE (unable to set video mode)
897 5: IOCTL_VIDEO_MAP_VIDEO_MEMORY
898 6: IOCTL_VIDEO_LOAD_AND_SET_FONT
899
900 3 - Status code from NT API call, if appropriate.
901
902 2: Out of memory. NO LONGER A BUGCHECK CODE.
903 This error now uses a more friendly error screen that works regardless
904 of how far along in setup we are.
905
906 3: Keyboard initialization failed. NO LONGER A BUGCHECK CODE.
907 There are now 2 error screens for the two different possible errors
908 we can get here.
909 This may indicate that the disk containing the keyboard driver
910 (i8042prt.sys or kbdclass.sys) is damaged or that machine has
911 keyboard hardware we cannot communicate with.
912
913 It may also mean that the keyboard layout dll could not be loaded.
914
915 2 - What failed:
916 0: NtCreateFile of \device\KeyboardClass0 failed.
917 "Setup did not find a keyboard connected to your computer."
918 1: Unable to load keyboard layout dll.
919 "Setup could not load the keyboard layout file <filename>."
920 Indicates that the cd or floppy is missing a file (kbdus.dll
921 for us release, other layout dlls for localized ones).
922
923 4: Setup was unable to resolve the ARC device pathname of
924 the device from which setup was started. This is an internal
925 Setup error.
926
927 5: Partitioning sanity check failed. This indicates a bug in
928 a disk driver. The parameters are meaningful only to the setup
929 group.
930
931MBR_CHECKSUM_MISMATCH (0x8B)
932
933This message occurs during the boot process when the MBR checksum the system
934calculates does not match the checksum passed in by the loader. This is usually
935an indication of a virus. There are many forms of viruses and not all can be
936detected. The newer ones usually can only be detected by a virus scanner that
937has recently been upgraded. Boot a write-protected disk containing a virus
938scanner and attempt to clean out the infection.
939
940KerBugCheckEx parameters:
941
942 1 - Disk Signature from MBR.
943 2 - MBR checksum calculated by osloader.
944 3 - MBR checksum calculated by system.
945
946PP0_INITIALIZATION_FAILED (0x8F)
947
948This message occurs if phase 0 initialization of the kernel-mode Plug and
949Play Manager failed. There's really nothing going on here that could cause
950a failure.
951
952PP1_INITIALIZATION_FAILED (0x90)
953
954This message occurs if phase 1 initialization of the kernel-mode Plug and
955Play Manager failed. This is where we do most of our initialization,
956including setting up the environment (registry, etc.) for drivers to
957subsequently call during I/O init.
958
959
960UP_DRIVER_ON_MP_SYSTEM (0x92)
961
962This message occurs if a UNIPROCESSOR only driver is loaded on a MultiProcessor
963system with more than one active processor.
964
965KeBugCheckEx parameters:
966
967 1 - The Base address of the driver.
968
969INVALID_KERNEL_HANDLE (0x93)
970
971This message occurs if kernel code (server, redirector, other driver, etc.) attempts
972to close a handle that is not a valid handle.
973
974 1 - The handle that NtClose was called with.
975
976 2 - 0 means a protected handle was closed.
977 1 means an invalid handle was closed.
978
979KERNEL_STACK_LOCKED_AT_EXIT (0x94)
980
981This message occurs when a thread exits while it's kernel stack is
982marked as not swapable
983
984INVALID_WORK_QUEUE_ITEM (0x96)
985
986This message occurs when KeRemoveQueue removes a queue entry whose flink
987or blink field is null. This is almost always called by code misusing
988worker thread work items, but any queue misuse can caus this. The rule
989is that an entry on a queue may only be inserted on the list once. When an
990item is removed from a queue, it's flink field is set to NULL. This bugcheck
991occurs when remove queue attempts to remove an entry, but the flink or blink field
992is NULL. In order to debug this problem, you need to know the queue being referenced.
993If the queue is one of the EX worker queues (ExWorkerQueue), then the item being
994removed is a WORK_QUEUE_ITEM (see ex.h). This bugcheck assumes that this is the case.
995The bugcheck ex parameters are designed to help identify the driver misusing the queue
996item.
997
998BOUND_IMAGE_UNSUPPORTED (0x97)
999
1000MmLoadSystemImage was called to load a bound image.
1001This is not supported in the kernel. Make sure bind.exe was not run on the
1002image.
1003
1004
1005KeBugCheckEx parameters:
1006
1007 1 - The address of the queue entry whose flink/blink field is NULL
1008 2 - The address of the queue being references. Usually this is one
1009 of the ExWorkerQueues.
1010 3 - The base address of the ExWorkerQueue array. This will help determine if
1011 the queue in question is an ExWorkerQueue and if so, the offset from this
1012 parameter will isolate the queue.
1013 4 - If this is an ExWorkerQueue (which it usually is), this is the address of the
1014 worker routine that would have been called if the work item was valid. This
1015 can be used to isolate the driver that is misusing the work queue.
1016
1017
1018END_OF_NT_EVALUATION_PERIOD (0x98)
1019
1020Your NT System is an evaluation unit with an expiration date. The trial period is over.
1021
1022KeBugCheckEx parameters:
1023
1024 1 - The low order 32 bits of your instalation date
1025 2 - The high order 32 bits of your instalation date
1026 3 - The trial period in minutes
1027
1028INVALID_REGION_OR_SEGMENT (0x99)
1029
1030ExInitializeRegion or ExInterlockedExtendRegion was called with an invalid
1031set of parameters.
1032
1033SYSTEM_LICENSE_VIOLATION (x9a)
1034
1035A violation of the software license agreement has occurred. This can be due to either
1036attempting to change the product type of an offline system, or an attempt to change
1037the trial period of an evaluation unit of NT.
1038
1039 1 - 0 means that offline product type changes were attempted
1040 2 - if 1, product should be LanmanNT or ServerNT. If 0, should be WinNT
1041 3 - partial serial number
1042 4 - first two characters of product type from product options.
1043
1044 1 means that offline changes to the nt evaluation unit time period
1045 2 - registered evaluation time from source 1
1046 3 - partial serial number
1047 4 - registered evaluation time from alternate source
1048
1049
1050 2 means that the setup key could not be opened
1051 2 - status code associated with the open failure
1052
1053 3 - The SetupType value from the setup key is missing so gui setup
1054 mode could not be detected
1055 2 - status code associated with the key lookup failure
1056
1057 4 - The SystemPrefix value from the setup key is missing
1058 2 - status code associated with the key lookup failure
1059
1060 4 - The SystemPrefix value from the setup key is missing
1061
1062 5 - means that offline changes were made to the number of licensed processors
1063 2 - see setup code
1064 3 - invalid value found in licensed processors
1065 4 - officially licensed number of processors
1066
1067 6 - means that ProductOptions key could not be opened
1068 2 - status code associated with the open failure
1069
1070 7 - means that ProductType value could not be read
1071 2 - status code associated with the read failure
1072
1073 8 - means that Change Notify on ProductOptions failed
1074 2 - status code associated with the change notify failure
1075
1076 9 - means that Change Notify on SystemPrefix failed
1077 2 - status code associated with the change notify failure
1078
1079 10 - Looks like an NTW system was converted to an NTS system
1080
1081 11 - Reference of setup key failed
1082 2 - status code associated with the change failure
1083
1084 12 - Reference of product options key failed
1085 2 - status code associated with the change failure
1086
1087 13 - Open of ProductOptions in worker thread failed
1088 2 - status code associated with the failure
1089
1090 16 - Failure occured in the setup key worker thread
1091 2 - status code associated with the failure
1092 3 - 0 means set value failed, 1 means change notify failed
1093
1094 17 - Failure occured in the product options key worker thread
1095 2 - status code associated with the failure
1096 3 - 0 means set value failed, 1 means change notify failed
1097
1098 18 - Could not open the LicenseInfoSuites key for the suite
1099 2 - status code associated with the failure
1100
1101 19 - Could not query the LicenseInfoSuites key for the suite
1102 2 - status code associated with the failure
1103
1104 20 - Could not allocate memory
1105 2 - size of memory alllocation
1106
1107 21 - Could not re-set the ConcurrentLimit value for the suite key
1108 2 - status code associated with the failure
1109
1110 22 - Could not open the license key for a suite product
1111 2 - status code associated with the failure
1112
1113 23 - Could not re-set the ConsurrentLimit value for a suite product
1114 2 - status code associated with the failure
1115
1116 24 - Could not start the change notify for the LicenseInfoSuites
1117 2 - status code associated with the open failure
1118
1119 25 - A suite is running on a system that must be pdc
1120
1121 26 - Failure occurred when enumerating the suites
1122 2 - status code associated with the failure
1123
1124
1125KeBugCheckEx parameters;
1126
1127 1 - The segment address which must reside on a quadword boundary.
1128 2 - The segment size which must be greater than the block size plus
1129 the size of a segment header.
1130 3 - The block size which must be a multiple of eight and smaller than
1131 the segment size minus the size of the segment header.
1132
1133UDFS_FILE_SYSTEM (0x9B)
1134 See the comment for FAT_FILE_SYSTEM
1135
1136MACHINE_CHECK_EXCEPTION (0x9C)
1137
1138A fatal Machine Check Exception has occurred.
1139
1140KeBugCheckEx parameters;
1141
1142 x86 Processors
1143 If the processor has ONLY MCE feature available (For example Intel Pentium),
1144 the parameters are:
1145
1146 1 - Low 32 bits of P5_MC_TYPE MSR
1147 2 -
1148 3 - High 32 bits of P5_MC_ADDR MSR
1149 4 - Low 32 bits of P5_MC_ADDR MSR
1150
1151 If the processor also has MCA feature available (For example Intel
1152 Pentium Pro), the parameters are:
1153
1154 1 - Bank number
1155 2 - Address field of MCi_ADDR MSR for the MCA bank that had the error
1156 3 - High 32 bits of MCi_STATUS MSR for the MCA bank that had the error
1157 4 - Low 32 bits of MCi_STATUS MSR for the MCA bank that had the error
1158
1159 Alpha Processors
1160 1 - Platform-specific data, where available
1161 2 -
1162 3 - Pointer to Alpha system Logout Frame, where available.
1163 4 - Pointer to Uncorrectable Error frame.
1164
1165DRIVER_POWER_STATE_FAILURE (0x9F)
1166
1167The driver lead to an inconsitent power state
1168
1169Parameters:
1170
1171 Value 1:
1172 1 - The device object is being freed which still has an
1173 outstanding power request which it has not completed
1174
1175 2 - pointer to the device object
1176
1177
1178 2 - The device object completed the irp for the system power
1179 state request, but failed to call PoStartNextPowerIrp
1180
1181 2 - pointer to the target device object
1182 3 - pointer to the device object
1183
1184 3 - The device driver did not properly set the irp pending
1185 or complete the irp
1186
1187 2 - pointer to the target device object
1188 3 - pointer to the device object
1189 4 - the irp
1190
1191 100 - The device objects in the devnode were inconsistent
1192 in their use of DO_POWER_PAGABLE
1193
1194 2 - pointer to the non-paged device object
1195 3 - pointer to the target device object
1196 4 - pointer to the device object to notify
1197
1198 101 - A parent device object has detected that a child device
1199 has not set the DO_POWER_PAGABLE bit.
1200 2 - child device object (FDO)
1201 3 - child device object (PDO)
1202 4 - parent device object
1203
1204PCI_BUS_DRIVER_INTERNAL (0xA1)
1205
1206The PCI Bus driver detected (theoretically impossible) inconsistency
1207problems in its internal structures and could not continue.
1208
1209
1210MEMORY_IMAGE_CORRUPT (0xA2)
1211On a system wake operation, various regions of memory may be CRCed to
1212gaurd against memory failures.
1213
1214 Value 1:
1215 2 - Table page check failure
1216 2 - the page number in of the table page which failed
1217 3 - 0
1218
1219 2 - the page number with the failing page run index
1220 3 - non-zero, the index which failed to match the run
1221
1222 3 - The checksum for the range of memory listed is incorrect
1223 2 - starting physical page # of the range
1224 3 - length (in pages) of the range
1225 4 - the page number of the table page containing this run
1226
1227ACPI_DRIVER_INTERNAL (0xA3)
1228
1229The ACPI Driver detected an internal inconsistency. The inconsistency is
1230so severe that continuing to run would cause serious problems.
1231
1232The ACPI driver calls this when the state is so inconsistent that proceeding
1233would actually be dangerous. The problem may or may not be a bios issue, but
1234we cannot actually tell.
1235
1236To find the place where the driver died, look at the 2nd parameter. The high
1237word corresponds to an entry in wdm\acpi\driver\nt\debug.h. The low word
1238corresponds to a line number.
1239
1240
1241CNSS_FILE_SYSTEM_FILTER (0xA4)
1242 See the comment for FAT_FILE_SYSTEM
1243
1244ACPI_BIOS_ERROR (0xA5)
1245
1246The ACPI Bios in the system is not fully compliant to the ACPI specification.
1247The first value indicates where the incompatibility lies:
1248
1249 Plug & Play and Power Management related incompatibilities:
1250
1251 0x1 --- ACPI_ROOT_RESOURCES_FAILURE
1252 ACPI cannot find the SCI Interrupt vector in the resources handed
1253 to it when ACPI is started.
1254 Argument 0 - ACPI's deviceExtension
1255 Argument 1 - ACPI's ResourceList
1256 Argument 2 - 0 <- Means no resource list found
1257 Argument 2 - 1 <- Means no IRQ resource found in list
1258
1259 0x2 --- ACPI_ROOT_PCI_RESOURCE_FAILURE
1260 ACPI could not process the resource list for the PCI root buses
1261 There is an White Paper on the Web Site about this problem
1262 Argument 0 - The ACPI Extension for the PCI bus
1263 Argument 1 - 0
1264 Argument 2 - Pointer to the QUERY_RESOURCES irp
1265 Argument 1 - 1
1266 Argument 2 - Pointer to the QUERY_RESOURCE_REQUIREMENTS irp
1267 Argument 1 - 2
1268 Argument 2 - 0 <- Indicates that we found an empty resource list
1269 Argument 1 - 3 <- Could not find the current bus number in the CRS
1270 Argument 2 - Pointer to the PNP CRS descriptor
1271 Argument 1 - Pointer to the Resource List for PCI
1272 Argument 2 - Number of errors/conflicts found in the resource list
1273
1274 0x3 --- ACPI_FAILED_MUST_SUCCEED_METHOD
1275 ACPI tried to run a control method while creating device extensions
1276 to represent the ACPI namespace, but this control method failed
1277 Argument 0 - The ACPI Object that was being run
1278 Argument 1 - return value from the interpreter
1279 Argument 2 - Name of the control method (in ULONG format)
1280
1281 0x4 --- ACPI_PRW_PACKAGE_EXPECTED_INTEGER
1282 ACPI evaluated a _PRW and expected to find an integer as a
1283 package element
1284 Argument 0 - The ACPI Extension for which the _PRW belongs to
1285 Argument 1 - Pointer to the method
1286 Argument 2 - The DataType returned (see amli.h)
1287
1288 0x5 --- ACPI_PRW_PACKAGE_TOO_SMALL
1289 ACPI evaluated a _PRW and the package that came back failed to
1290 contain at least 2 elements. The ACPI specification requires that
1291 two elements to always be present in a _PRW.
1292 Argument 0 - The ACPI Extension for which the _PRW belongs to
1293 Argument 1 - Pointer to the _PRW
1294 Argument 2 - Number of elements in the _PRW
1295
1296 0x6 --- ACPI_PRx_CANNOT_FIND_OBJECT
1297 ACPI tried to find a named object named, but could not find it.
1298 Argument 0 - The ACPI Extension for which the _PRx belongs to
1299 Argument 1 - Pointer to the _PRx
1300 Argument 2 - Pointer to the name of the object to look for
1301
1302 0x7 --- ACPI_EXPECTED_BUFFER
1303 ACPI evaluated a method and expected to receive a Buffer in return.
1304 However, the method returned some other data type
1305 Argument 0 - The ACPI Extension for which the method belongs to
1306 Argument 1 - Pointer to the method
1307 Argument 2 - The DataType returned (see amli.h)
1308
1309 0x8 --- ACPI_EXPECTED_INTEGER
1310 ACPI evaluated a method and expected to receive an Integer in return.
1311 However, the method returned some other data type
1312 Argument 0 - The ACPI Extension for which the method belongs to
1313 Argument 1 - Pointer to the method
1314 Argument 2 - The DataType returned (see amli.h)
1315
1316 0x9 --- ACPI_EXPECTED_PACKAGE
1317 ACPI evaluated a method and expected to receive a Package in return.
1318 However, the method returned some other data type
1319 Argument 0 - The ACPI Extension for which the method belongs to
1320 Argument 1 - Pointer to the method
1321 Argument 2 - The DataType returned (see amli.h)
1322
1323 0xA --- ACPI_EXPECTED_STRING
1324 ACPI evaluated a method and expected to receive a String in return.
1325 However, the method returned some other data type
1326 Argument 0 - The ACPI Extension for which the method belongs to
1327 Argument 1 - Pointer to the method
1328 Argument 2 - The DataType returned (see amli.h)
1329
1330 0xB --- ACPI_EJD_CANNOT_FIND_OBJECT
1331 ACPI cannot find the object referenced to by an _EJD string
1332 Argument 0 - The ACPI Extension for which which the _EJD belongs to
1333 Argument 1 - The status returned by the interpreter
1334 Argument 2 - Name of the object we are trying to find
1335
1336 0xC --- ACPI_CLAIMS_BOGUS_DOCK_SUPPORT
1337 ACPI provides faulty/insufficient information for dock support
1338 Argument 0 - The ACPI Extension for which ACPI found a dock device
1339 Argument 1 - Pointer to the _EJD method
1340 Argument 2 - 0 <- Bios does not claim system is dockage
1341 1 <- Duplicate device extensions for dock device
1342
1343 0xD --- ACPI_REQUIRED_METHOD_NOT_PRESENT
1344 ACPI could not find a required method/object in the namespace
1345 This is the bugcheck that is used if a vendor does not have an
1346 _HID or _ADR present
1347 Argument 0 - The ACPI Extension that we need the object for
1348 Argument 1 - The (ULONG) name of the method we looked for
1349 Argument 2 - 0 <- Base Case
1350 Argument 2 - 1 <- Conflict
1351
1352 0xE --- ACPI_POWER_NODE_REQUIRED_METHOD_NOT_PRESENT
1353 ACPI could not find a requird method/object in the namespace for
1354 a power resource (or entity other than a "device"). This is the
1355 bugcheck used if a vendor does not have an _ON, _OFF, or _STA present
1356 for a power resource
1357 Argument 0 - The NS PowerResource that we need the object for
1358 Argument 1 - The (ULONG) name of the method we looked for
1359 Argument 2 - 0 <- Base Case
1360
1361 0xF --- ACPI_PNP_RESOURCE_LIST_BUFFER_TOO_SMALL
1362 ACPI could not parse the resource descriptor
1363 Argument 0 - The current buffer that ACPI was parsing
1364 Argument 1 - The buffer's tag
1365 Argument 2 - The specified length of the buffer
1366
1367 0x10 --- ACPI_CANNOT_MAP_SYSTEM_TO_DEVICE_STATES
1368 ACPI could not map determine the system to device state mapping
1369 correctly. There is a very long white paper about this topic
1370 Argument 0 - The ACPI Extension for which are trying to do the mapping
1371 Argument 1 - 0 The _PRx mapped back to a non-supported S-state
1372 Argument 2 - The DEVICE_POWER_STATE (ie: x+1)
1373 Argument 1 - 1 We cannot find a D-state to associate with the S-state
1374 Argument 2 - The SYSTEM_POWER_STATE that is causing us grief
1375 Argument 1 - 2 The device claims to support wake from this s-state but
1376 the s-state is not supported by the system
1377 Argument 2 - The SYSTEM_POWER_STATE that is causing us grief
1378
1379 0x11 --- ACPI_SYSTEM_CANNOT_START_ACPI
1380 The system could not enter ACPI mode
1381 Argument 0 - 0 <- System could not initialize AML interpreter
1382 Argument 0 - 1 <- System could not find RSDT
1383 Argument 0 - 2 <- System could not allocate critical driver structures
1384 Argument 0 - 3 <- System could not load RSDT
1385 Argument 0 - 4 <- System could not load DDBs
1386 Argument 0 - 5 <- System cannot connect Interrupt vector
1387 Argument 0 - 6 <- SCI_EN never becomes set in PM1 Control Register
1388 Argument 0 - 7 <- Table checksum is incorrect
1389 Argument 1 - Pointer to the table that had a bad checksum
1390 Argument 2 - Creator Revision
1391 Argument 0 - 8 <- Failed to load DDB
1392 Argument 1 - Pointer to the table that we failed to load
1393 Argument 2 - Creator Revision
1394
1395 Interrupt Routing Failures/Incompatibilities:
1396
1397 A _PRT is the ACPI BIOS object that specifies how all the
1398 PCI devices are connected to the interrupt controllers. PRT
1399 stands for PCI Routing Table. A machine with multiple PCI
1400 busses may have multiple _PRTs. A _PRT can be displayed using the
1401 command !acpikd.nsobj <address of _PRT object>
1402
1403 Report any failures in this section to PatrickF.
1404
1405 0x2001 --- ACPI_FAILED_PIC_METHOD
1406 ACPI tried to evaluate the PIC control method and but failed
1407 Argument 0 - InterruptModel (Integer)
1408 Argument 1 - return value from interpreter
1409 Argument 2 - Pointer to the PIC control method
1410
1411 0x10001 --- ACPI_CANNOT_ROUTE_INTERRUPTS
1412 ACPI tried to do interrupt routing, but failed
1413 Argument 0 - Pointer to the device object
1414 Argument 1 - Pointer to the parent of the device object
1415 Argument 2 - Pointer to the PRT
1416
1417 0x10002 --- ACPI_PRT_CANNOT_FIND_LINK_NODE
1418 ACPI could not find the link node referenced in a _PRT
1419 Argument 0 - Pointer to the device object
1420 Argument 1 - Pointer to the string name we are looking for, but
1421 could not find.
1422 Argument 2 - Pointer to the PRT.
1423 Dump this with !acpikd.nsobj <argument 2>
1424
1425 0x10003 --- ACPI_PRT_CANNOT_FIND_DEVICE_ENTRY
1426 ACPI could not find a mapping in the _PRT package for a device
1427 Argument 0 - Pointer to the device object
1428 Argument 1 - The Device ID / Function Number. This DWORD is encoded
1429 as follows: Bits 5:0 are the PCI Device Number,
1430 Bits 8:6 are the PCI function number.
1431 Argument 2 - Pointer to the PRT.
1432 Dump this with !acpikd.nsobj <argument 2>
1433
1434 0x10005 --- ACPI_PRT_HAS_INVALID_FUNCTION_NUMBERS
1435 ACPI found an entry in the _PRT for which the function ID isn't
1436 all F's. The Win98 behaviour is to bugcheck if it see this condition,
1437 so we do so all well. The generic format for a _PRT entry is such
1438 that the device number is specified, but the function number isn't.
1439 If it isn't done this way, then the machine vendor can introduce
1440 dangerous ambiguities
1441 Argument 0 - Pointer to the PRT object.
1442 Dump this with !acpikd.nsobj <argument 2>
1443 Argument 1 - Pointer to the current PRT Element. This is an index into
1444 the PRT.
1445 Argument 2 - The DeviceID/FunctionID of the element. This DWORD is
1446 encoded. Bits 15:0 are the PCI Function Number.
1447 Bits 31:16 are the PCI Device Number.
1448
1449 0x10006 --- ACPI_LINK_NODE_CANNOT_BE_DISABLED
1450 ACPI found a link node, but cannot disable it. Link nodes must
1451 be disable to allow for reprogramming
1452 Argument 0 - Pointer to the link node. This device is missing the
1453 _DIS method.
1454
1455
1456 0x10007 ---
1457 The _PRT contained a reference to a vector not described in the
1458 I/O APIC entries MAPIC table.
1459 Argument 0 - The vector that couldn't be found
1460
1461 Other Failures/Incompatibilities:
1462
1463 0x20000 ---
1464 The PM_TMR_BLK entry in the Fixed ACPI Description Table doesn't point
1465 to a working ACPI timer block.
1466 Argument 0 - The I/O port in the Fixed Table
1467
1468BAD_EXHANDLE (0xA7)
1469
1470The kernel mode handle table detected an inconsistent handle table
1471entry state.
1472
1473SESSION_HAS_VALID_POOL_ON_EXIT (0xAB)
1474 1 - session ID
1475 2 - number of paged pool bytes that are leaking
1476 3 - number of nonpaged pool bytes that are leaking
1477 4 - total number of paged and nonpaged allocations that are leaking.
1478 paged allocations are in the upper half of this word,
1479 nonpaged allocations are in the lower half of this word.
1480
1481Caused by a session driver not freeing its pool allocations prior to a
1482session unload. This happens only on Terminal Server systems and usually
1483indicates a bug in win32k.sys, atmfd.dll, rdpdd.dll or a video driver.
1484
1485HAL_MEMORY_ALLOCATION (0xAC)
1486
1487The HAL was unable to obtain allocate memory (from the system Non Paged
1488pool) for a system critical requirement. These allocations are made
1489early in system initialization and such a failure is not expected. It
1490probably indicates some other critical error such as pool corruption or
1491massive consumption.
1492
1493 1 - Allocation size.
1494 2 - 0
1495 3 - Pointer to string containing file name.
1496 4 - Line number of call to KeBugCheckEx.
1497
1498VIDEO_DRIVER_INIT_FAILURE (0xB4)
1499
1500The system was not able to go into graphics mode because no display drivers
1501were able to start. This usually occurs if no video miniport drivers load
1502successfully.
1503
1504ATTEMPTED_SWITCH_FROM_DPC (0xB8)
1505
1506A wait operation, attach process, or yield was attempted from a DPC routine.
1507This is not a legal operation and the stack track will lead to the offending
1508code and original DPC routine.
1509
1510CHIPSET_DETECTED_ERROR (0xB9)
1511This bug code is normally caused by a parity error in the system memory or buses.
1512This error can also be caused by a device driver accessing a 0x8XXXXXXX address
1513that does not exist.
1514 1 - Platform-specific data, where available
1515 2 -
1516 3 - Pointer to Alpha system Logout Frame, where available.
1517 4 - Pointer to Uncorrectable Error frame.
1518
1519SESSION_HAS_VALID_VIEWS_ON_EXIT (0xBA)
1520 1 - session ID
1521 2 - number of mapped views that are leaking
1522 3 - address of this session's mapped views table
1523 4 - size of this session's mapped views table.
1524
1525Caused by a session driver not unmapping its mapped views prior to a
1526session unload. This happens only on Terminal Server systems and usually
1527indicates a bug in win32k.sys, atmfd.dll, rdpdd.dll or a video driver.
1528
1529NETWORK_BOOT_INITIALIZATION_FAILED (0xBB)
1530 1 - the part of network initialization that failed
1531 2 - the failure status
1532Caused if we are booting off the network, and a critical function fails during
1533IO initialization. Currently the codes for the first value are:
15341 - updating the registry.
15352 - starting the network stack - send IOCTLs to the redirector and datagram
1536 receiver, then wait for the redirector to be ready. If it is not ready
1537 within a certain period of time, we fail.
15383 - failed sending the DHCP IOCTL to TCP - this is how we inform the
1539 transport of its IP adress.
1540
1541NETWORK_BOOT_DUPLICATE_ADDRESS (0xBC)
1542 1 - the IP address, show as a hex DWORD. So an address aa.bb.cc.dd will
1543 appear as 0xddccbbaa.
1544 2/3/4 - the hardware address of the other machine. For ethernet, a MAC address
1545 of aa-bb-cc-dd-ee-ff will be indicated by the second parameter containing
1546 0xaabbccdd, the third parameter containing 0xeeff0000, and the fourth
1547 parameter containing 0x00000000.
1548This indicates that when TCP/IP sent out an ARP for its IP address, it got
1549a response from another machine, indicating a duplicate IP address. When we
1550are booting off the network this is a fatal error.
1551
1552INVALID_HIBERNATED_STATE (0xBD)
1553The hibernated memory image does not match the current hardware configuration.
1554This bugcheck occurs when a system resumes from hibernate and discovers that the
1555hardware has been changed while the system was hibernated.
1556 1 - hardware that was invalid
1557 1 - Number of installed processors is less than before the hibernation
1558 2 - number of processors before hibernation
1559 3 - number of processors after hibernation
1560
1561ATTEMPTED_WRITE_TO_READONLY_MEMORY (0xBE)
1562An attempt was made to write to readonly memory. The guilty driver is on the stack trace (and is typically the current instruction pointer).
1563
1564 1 - Virtual address for the attempted write.
1565 2 - PTE contents.
1566 3 - Unique internal Mm information.
1567 4 - Unique internal Mm code.
1568
1569When possible, the guilty driver's name (Unicode string) is printed on
1570the bugcheck screen and saved in KiBugCheckDriver.
1571
1572MUTEX_ALREADY_OWNED (0xBF)
1573
1574This thread is attempting to acquire ownership of a mutex it already owns.
1575
1576 1 - Address of Mutex
1577 2 - Thread
1578 3 - 0
1579 4 - Unique value to help development isolate the instance.
1580
1581SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (0xC1)
1582
1583Special pool has detected memory corruption. Typically the current thread's stack bactrace will reveal the guilty party.
1584
1585 4 - subclass of driver violation.
1586 0x30 - caller is trying to allocate pool from an incorrect IRQL level, 1 == current IRQL, 2 == pool type, 3 == number of bytes
1587
1588 0x20 - caller is trying to free pool which is not allocated, 1 == address trying to free, 2 == Mm internal code, 3 == 0.
1589
1590 0x31 - caller is trying to free pool from an incorrect IRQL level, 1 == current IRQL, 2 == pool type, 3 == address trying to free
1591
1592 0x21 - caller is trying to free a bad address, 1 == address trying to free, 2 == bytes requested, 3 == bytes calculated
1593
1594 0x22 - caller is trying to free a bad address, 1 == address trying to free, 2 == bytes requested, 3 == bytes calculated
1595
1596 0x23 - caller is freeing an address where nearby bytes within the same page have been corrupted, 1 == address trying to free, 2 == address where bits are corrupted, 3 == unique internal Mm pattern
1597
1598 0x24 - caller is freeing an address where bytes after the end of the allocation have been overwritten, 1 == address trying to free, 2 == address where bits are corrupted, 3 == unique internal Mm pattern
1599
1600BAD_POOL_CALLER (0xC2)
1601
1602The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
1603
1604 1 - type of pool violation the caller is guilty of.
1605 6 - the pool address being freed is already free.
1606 7 - the pool address being freed is already free.
1607 8 - parameter 2 is the IRQL allocating at, parameter 3 is the pool type
1608 9 - parameter 2 is the IRQL freeing at, parameter 3 is the pool type
1609
1610Parameter 1 = 0x1, 0x2, or 0x4 : Pool header has been corrupted
1611 Parameter 2 = Pointer to pool header
1612 Parameter 3 = First part of pool header contents
1613 Parameter 4 = 0
1614
1615Parameter 1 = 0x6 : Attempt to free pool which was already freed
1616 Parameter 2 = Reserved (__LINE__)
1617 Parameter 3 = Pointer to pool header
1618 Parameter 4 = Pool header contents
1619
1620Parameter 1 = 0x7 : Attempt to free pool which was already freed
1621 Parameter 2 = Reserved (__LINE__)
1622 Parameter 3 = Pointer to pool header
1623 Parameter 4 = 0
1624
1625Parameter 1 = 0x8 : Attempt to allocate pool at invalid IRQL
1626 Parameter 2 = Current IRQL
1627 Parameter 3 = Pool type
1628 Parameter 4 = Size of allocation
1629
1630Parameter 1 = 0x9 : Attempt to free pool at invalid IRQL
1631 Parameter 2 = Current IRQL
1632 Parameter 3 = Pool type
1633 Parameter 4 = Address of pool
1634
1635Parameter 1 = 0x40 : Attempt to free usermode address to kernel pool
1636 Parameter 2 = Starting address
1637 Parameter 3 = Start of system address space
1638 Parameter 4 = 0
1639
1640Parameter 1 = 0x41 : Attempt to free a non-allocated nonpaged pool address
1641 Parameter 2 = Starting address
1642 Parameter 3 = physical page frame
1643 Parameter 4 = highest physical page frame
1644
1645Parameter 1 = 0x50 : Attempt to free a non-allocated paged pool address
1646 Parameter 2 = Starting address
1647 Parameter 3 = Start offset in pages from beginning of paged pool
1648 Parameter 4 = Size in bytes of paged pool
1649
1650Parameter 1 = 0x99 : Attempt to free pool with invalid address (or corruption in pool header)
1651 Parameter 2 = Address being freed
1652 Parameter 3 = 0
1653 Parameter 4 = 0
1654
1655DRIVER_VERIFIER_DETECTED_VIOLATION (0xC4)
1656
1657A device driver attempting to corrupt the system has been caught. This is
1658because the driver was specified in the registry as being suspect (by the
1659administrator) and the kernel has enabled substantial checking of this driver.
1660If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
1661be the most commonly seen crashes.
1662
1663 1 - subclass of driver violation.
1664 0x00 - caller is trying to allocate zero bytes, 2 == current IRQL, 3 == pool type, 4 == number of bytes
1665
1666 0x01 - caller is trying to allocate paged pool at DISPATCH_LEVEL or above, 2 == current IRQL, 3 == pool type, 4 == number of bytes
1667
1668 0x02 - caller is trying to allocate nonpaged pool at an IRQL above DISPATCH_LEVEL, 2 == current IRQL, 3 == pool type, 4 == number of bytes
1669
1670 0x03 - caller is trying to allocate more than one page of mustsucceed pool, but one page is the maximum allowed by this API.
1671
1672 0x10 - caller is freeing a bad pool address, 2 == bad pool address
1673
1674 0x11 - caller is trying to free paged pool at DISPATCH_LEVEL or above, 2 == current IRQL, 3 == pool type, 4 == pool address
1675
1676 0x12 - caller is trying to free nonpaged pool at an IRQL above DISPATCH_LEVEL, 2 == current IRQL, 3 == pool type, 4 == pool address
1677
1678 0x13 - the pool the caller is trying to free is already free. 2 == line number, 3 == pool header, 4 == pool header contents
1679
1680 0x14 - the pool the caller is trying to free is already free. 2 == line number, 3 == pool header, 4 == pool header contents
1681
1682 0x15 - the pool the caller is trying to free contains an active timer. 2 == timer entry, 3 == pool type, 4 == pool address being freed
1683
1684 0x16 - the pool the caller is trying to free is a bad address. 2 == line number, 3 == pool address, 4 == 0
1685
1686 0x17 - the pool the caller is trying to free contains an active ERESOURCE. 2 == resource entry, 3 == pool type, 4 == pool address being freed
1687
1688 0x30 - raising IRQL to an invalid level, 2 == current IRQL, 3 == new IRQL
1689 0x31 - lowering IRQL to an invalid level, 2 == current IRQL, 3 == new IRQL
1690 0x32 - releasing a spinlock when not at DISPATCH_LEVEL. 2 == current IRQL, 3 == spinlock address
1691
1692 0x33 - acquiring a fast mutex when not at APC_LEVEL or below. 2 == current IRQL, 3 == fast mutex address
1693
1694 0x34 - releasing a fast mutex when not at APC_LEVEL. 2 == current IRQL, 3 == thread APC disable count, 4 == fast mutex address
1695
1696 0x35 - kernel is releasing a spinlock when not at DISPATCH_LEVEL. 2 == current IRQL, 3 == spinlock address, 4 == old irql.
1697
1698 0x36 - kernel is releasing a queued spinlock when not at DISPATCH_LEVEL. 2 == current IRQL, 3 == spinlock number, 4 == old irql.
1699
1700 0x37 - a resource is being acquired but APCs are not disabled. 2 == current IRQL, 3 == thread APC disable count, 4 == resource.
1701
1702 0x38 - a resource is being released but APCs are not disabled. 2 == current IRQL, 3 == thread APC disable count, 4 == resource.
1703
1704 0x39 - a mutex is being acquired unsafe, but irql is not APC_LEVEL on entry. 2 == current IRQL, 3 == thread APC disable count, 4 == mutex.
1705
1706 0x3A - a mutex is being released unsafe, but irql is not APC_LEVEL on entry. 2 == current IRQL, 3 == thread APC disable count, 4 == mutex.
1707
1708 0x40 - acquiring a spinlock when not at DISPATCH_LEVEL. 2 == current IRQL, 3 == spinlock address
1709
1710 0x41 - releasing a spinlock when not at DISPATCH_LEVEL. 2 == current IRQL, 3 == spinlock address
1711
1712 0x42 - acquiring a spinlock when caller is already above DISPATCH_LEVEL. 2 == current IRQL, 3 == spinlock address
1713
1714 0x51 - freeing memory where the caller has written past the end of the allocation overwriting our stored bytecount. 2 == base address of the allocation, 3 == corrupt address, 4 == charged bytes.
1715
1716 0x52 - freeing memory where the caller has written past the end of the allocation overwriting our stored virtual address. 2 == base address of the allocation, 3 == hash entry, 4 == charged bytes.
1717
1718 0x53 - freeing memory where the caller has written past the end of the allocation overwriting our stored virtual address. 2 == base address of the allocation, 3 == header, 4 = internal verifier pointer.
1719
1720 0x54 - freeing memory where the caller has written past the end of the allocation overwriting our stored virtual address. 2 == base address of the allocation, 3 == pool hash size, 4 = listindex.
1721
1722 0x59 - freeing memory where the caller has written past the end of the allocation overwriting our stored virtual address. 2 == base address of the allocation, 3 == listindex, 4 == internal verifier pointer.
1723
1724 0x60 - A driver has forgotten to free its pool allocations prior to unloading. 2 == paged bytes, 3 = nonpaged bytes, 4 == total # of (paged+nonpaged) allocations that weren't freed.
1725
1726 In the kernel debugger, type:
1727 kd> dc ViBadDriver l1; dc @$p+4 l1; du @$p
1728
1729 This gives you the name of the driver.
1730 Then type !verifier 3 drivername.sys for info on the allocations
1731 that were leaked that caused the bugcheck.
1732
1733 Assign the bug to the driver owner found above.
1734
1735 0x61 - A driver is unloading and allocating memory (in another thread) at the same time. 2 == paged bytes, 3 = nonpaged bytes, 4 == total # of (paged+nonpaged) allocations that weren't freed.
1736
1737 In the kernel debugger, type:
1738 kd> dc ViBadDriver l1; dc @$p+4 l1; du @$p
1739
1740 This gives you the name of the driver.
1741 Then type !verifier 3 drivername.sys for info on the allocations
1742 that were leaked that caused the bugcheck.
1743
1744 Assign the bug to the driver owner found above.
1745
1746 0x70 - MmProbeAndLockPages called when not at DISPATCH_LEVEL or below.
1747 2 == current IRQL
1748 3 == MDL address
1749 4 == access mode
1750
1751 0x71 - MmProbeAndLockProcessPages called when not at DISPATCH_LEVEL or below.
1752 2 == current IRQL
1753 3 == MDL address
1754 4 == process address
1755
1756 0x72 - MmProbeAndLockSelectedPages called when not at DISPATCH_LEVEL or below.
1757 2 == current IRQL
1758 3 == MDL address
1759 4 == process address
1760
1761 0x73 - MmMapIoSpace called when not at DISPATCH_LEVEL or below.
1762 2 == current IRQL
1763 3 == low 32 bits of the physical address (full 64 on Win64)
1764 4 == number of bytes
1765
1766 0x74 - MmMapLockedPages called when not at DISPATCH_LEVEL or below.
1767 2 == current IRQL
1768 3 == MDL address
1769 4 == access mode
1770
1771 0x75 - MmMapLockedPages called when not at APC_LEVEL or below.
1772 2 == current IRQL
1773 3 == MDL address
1774 4 == access mode
1775
1776 0x76 - MmMapLockedPagesSpecifyCache called when not at DISPATCH_LEVEL or below.
1777 2 == current IRQL
1778 3 == MDL address
1779 4 == access mode
1780
1781 0x77 - MmMapLockedPagesSpecifyCache called when not at APC_LEVEL or below.
1782 2 == current IRQL
1783 3 == MDL address
1784 4 == access mode
1785
1786 0x78 - MmUnlockPages called when not at DISPATCH_LEVEL or below.
1787 2 == current IRQL
1788 3 == MDL address
1789 4 == 0
1790
1791 0x79 - MmUnmapLockedPages called when not at DISPATCH_LEVEL or below.
1792 2 == current IRQL
1793 3 == virtual address being unmapped
1794 4 == MDL address
1795
1796 0x7A - MmUnmapLockedPages called when not at APC_LEVEL or below.
1797 2 == current IRQL
1798 3 == virtual address being unmapped
1799 4 == MDL address
1800
1801 0x7B - MmUnmapIoSpace called when not at APC_LEVEL or below.
1802 2 == current IRQL
1803 3 == virtual address being unmapped
1804 4 == number of bytes
1805
1806 0x7C - MmUnlockPages called with an MDL whose pages were never successfully locked.
1807 2 == MDL address
1808 3 == MDL flags
1809 4 == 0
1810
1811 0x7D - MmUnlockPages called with an MDL whose pages are from nonpaged pool - these should never be unlocked.
1812 2 == MDL address
1813 3 == MDL flags
1814 4 == 0
1815
1816 0x80 - KeSetEvent called when not at DISPATCH_LEVEL or below.
1817 2 == current IRQL
1818 3 == event address
1819 4 == 0
1820
1821DRIVER_CORRUPTED_EXPOOL (0xC5)
1822 1 - memory referenced
1823 2 - IRQL
1824 3 - value 0 = read operation, 1 = write operation
1825 4 - address which referenced memory
1826
1827An attempt was made to touch invalid memory at a process
1828internal request level (IRQL) too high. This is almost always
1829caused by drivers that have corrupted the system pool. Run the driver
1830verifier against any new (or suspect) drivers, and if that doesn't turn up
1831the culprit, then use gflags to enable special pool.
1832
1833DRIVER_CAUGHT_MODIFYING_FREED_POOL (0xC6)
1834 1 - memory referenced
1835 2 - value 0 = read operation, 1 = write operation
1836 3 - previous mode.
1837 4 - 4.
1838
1839An attempt was made to access freed pool memory. The faulty component is
1840displayed in the current kernel stack.
1841
1842TIMER_OR_DPC_INVALID (0xC7)
1843
1844A kernel timer or DPC was found in memory which must not contain such items.
1845Usually this is memory being freed. This is usually caused by a device driver
1846that has not cleaned up properly before freeing memory.
1847
1848 1 - What kind of object
1849 0 Timer Object
1850 1 DPC Object
1851 2 DPC Routine
1852 2 - Address of object
1853 3 - Start of range being checked
1854 4 - End of range being checked
1855
1856IRQL_UNEXPECTED_VALUE (0xC8)
1857
1858The processor's IRQL is not what it should be at this time. This is
1859usually caused by a lower level routine changing IRQL for some period
1860and not restoring IRQL at the end of that period (eg acquires spinlock
1861but doesn't release it).
1862
1863 1 - (Current IRQL << 16) | (Expected IRQL << 8) | UniqueValue
1864 if UniqueValue is 0 or 1
1865 2 - APC->KernelRoutine
1866 3 - APC
1867 4 - APC->NormalRoutine
1868
1869DRIVER_VERIFIER_IOMANAGER_VIOLATION (0xC9)
1870The IO manager has caught a misbehaving driver.
1871 1 - Code that specifies the violation
1872 1. Invalid IRP passed to IoFreeIrp
1873 2 - the IRP passed in
1874 3/4 - 0
1875 2. IRP still associated with a thread at IoFreeIrp
1876 2 - the IRP passed in
1877 3/4 - 0
1878 3. Invalid IRP passed to IoCallDriver
1879 2 - the IRP passed in
1880 3/4 - 0
1881 4. Invalid Device object passed to IoCallDriver
1882 2 - the Device object
1883 3/4 - 0
1884 5. Irql not equal across call to the driver dispatch routine
1885 2 - the device object associated with the offending driver
1886 3 - the Irql before the call
1887 4 - the Irql after the call
1888 6. IRP passed to IoCompleteRequest contains invalid status
1889 2 - the status
1890 3 - the IRP
1891 4 - 0
1892 7. IRP passed to IoCompleteRequest still has cancel routine set
1893 2 - the cancel routine pointer
1894 3 - the IRP
1895 4 - 0
1896 8. Call to IoBuildAsynchronousFsdRequest threw an exception
1897 2 - the Device object
1898 3 - the IRP major function
1899 4 - the exception status
1900 9. Call to IoBuildDeviceIoControlRequest threw an exception
1901 2 - the Device object
1902 3 - the IoControlCode
1903 4 - the exception status
1904 10. Reinitialization of Device object timer
1905 2 - the Device object
1906 3/4 - 0
1907 11. Unused
1908 12. Invalid IOSB in IRP at APC IopCompleteRequest (appears to be on
1909 stack that was unwound)
1910 2 - the IOSB pointer
1911 3/4 - 0
1912 13. Invalid UserEvent in IRP at APC IopCompleteRequest (appears to be on
1913 stack that was unwound)
1914 2 - the UserEvent pointer
1915 3/4 - 0
1916 14. Irql > DPC at IoCompleteRequest
1917 2 - the current Irql
1918 3 - the IRP
1919 4 - 0
1920
1921PNP_DETECTED_FATAL_ERROR (0xCA)
1922
1923PnP encountered a severe error, either as a result of a problem in a driver or
1924a problem in PnP itself. The first argument describes the nature of the
1925problem, the second argument is the address of the PDO. The other arguments
1926vary depending on argument 1.
1927
1928 1 - Type of error.
1929 2 - Address of PDO.
1930 3 - Varies depending on argument 1
1931 4 - Varies depending on argument 1
1932
1933Argument 1 - defined error types:
1934
1935 1 - Duplicate PDO
1936
1937 A specific instance of a driver has enumerated multiple PDOs with
1938 identical device id and unique ids.
1939
1940 Arguments:
1941
1942 2 - Newly reported PDO.
1943
1944 3 - PDO of which it is a duplicate.
1945
1946 2 - Invalid PDO
1947
1948 An API which requires a PDO has been called with either an FDO, a PDO
1949 which hasn't been initialized yet (returned to PnP in a
1950 QueryDeviceRelation/BusRelations), or some random piece of memory.
1951
1952 Arguments:
1953
1954 2 - Purported PDO.
1955
1956 3 - Invalid ID
1957
1958 An enumerator has returned an ID which contains illegal characters or
1959 isn't properly terminated. IDs must only contain characters in the
1960 range 0x20-7F inclusive with the exception of 0x2C (comma) which is
1961 illegal.
1962
1963 2 - PDO whose IDs were queried
1964
1965 3 - Address of ID buffer
1966
1967 4 - Type of ID
1968
1969 1 = DeviceID
1970 2 = UniqueID
1971 3 = HardwareIDs
1972 4 = CompatibleIDs
1973
1974 4 - Invalid enumeration of deleted PDO
1975
1976 An enumerator has returned a PDO which it has previously deleted using
1977 IoDeleteDevice.
1978
1979 2 - PDO with DOE_DELETE_PENDING set.
1980
1981 5 - PDO freed while still linked in devnode tree.
1982
1983 The object manager reference count on a PDO dropped to zero while the
1984 devnode was still linked in the tree. This usually indicates that the
1985 driver is not adding a reference when returning the PDO in a query IRP.
1986
1987 2 - PDO.
1988
1989
1990
1991DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS (0xCB)
1992 1 - The calling address in the driver that locked the pages.
1993 2 - The caller of the calling address in the driver that locked the pages.
1994 3 - A pointer to the MDL containing the locked pages.
1995 4 - The guilty driver's name (Unicode string).
1996
1997Caused by a driver not cleaning up completely after an I/O. The bad driver's
1998name is printed on the bugcheck screen and is available for re-dumping as
1999parameter 4 in the bugcheck data.
2000The broken driver's name is displayed on the screen.
2001
2002PAGE_FAULT_IN_FREED_SPECIAL_POOL (0xCC)
2003 1 - memory referenced
2004 2 - value 0 = read operation, 1 = write operation
2005 3 - if non-zero, the address which referenced memory.
2006 4 - Mm internal code.
2007
2008Memory was referenced after it was freed.
2009This cannot be protected by try-except.
2010
2011When possible, the guilty driver's name (Unicode string) is printed on
2012the bugcheck screen and saved in KiBugCheckDriver.
2013
2014PAGE_FAULT_BEYOND_END_OF_ALLOCATION (0xCD)
2015 1 - memory referenced
2016 2 - value 0 = read operation, 1 = write operation
2017 3 - if non-zero, the address which referenced memory.
2018 4 - Mm internal code.
2019
2020N bytes of memory was allocated and more than N bytes are being referenced.
2021This cannot be protected by try-except.
2022
2023When possible, the guilty driver's name (Unicode string) is printed on
2024the bugcheck screen and saved in KiBugCheckDriver.
2025
2026DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (0xCE)
2027
2028A driver unloaded without cancelling timers, DPCs, worker threads, etc.
2029The broken driver's name is displayed on the screen.
2030 1 - memory referenced
2031 2 - value 0 = read operation, 1 = write operation
2032 3 - If non-zero, the instruction address which referenced the bad memory
2033 address.
2034 4 - Mm internal code.
2035
2036TERMINAL_SERVER_DRIVER_MADE_INCORRECT_MEMORY_REFERENCE (0xCF)
2037 1 - memory referenced
2038 2 - value 0 = read operation, 1 = write operation
2039 3 - If non-zero, the instruction address which referenced the bad memory
2040 address.
2041 4 - Mm internal code.
2042
2043A driver has been incorrectly ported to Terminal Server. It is referencing
2044session space addresses from the system process context. Probably from
2045queueing an item to a system worker thread.
2046The broken driver's name is displayed on the screen.
2047
2048DRIVER_CORRUPTED_MMPOOL (0xD0)
2049 1 - memory referenced
2050 2 - IRQL
2051 3 - value 0 = read operation, 1 = write operation
2052 4 - address which referenced memory
2053
2054An attempt was made to touch invalid memory at a process
2055internal request level (IRQL) too high. This is almost always
2056caused by drivers that have corrupted the system pool. Run the driver
2057verifier against any new (or suspect) drivers, and if that doesn't turn up
2058the culprit, then use gflags to enable special pool. You can also set
2059HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Mamagement\ProtectNonPagedPool to a DWORD 1 value and reboot. Then the system will unmap freed nonpaged pool, preventing drivers (although not DMA-hardware) from corrupting
2060the pool.
2061
2062DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1)
2063 1 - memory referenced
2064 2 - IRQL
2065 3 - value 0 = read operation, 1 = write operation
2066 4 - address which referenced memory
2067
2068An attempt was made to touch pagable memory at a process
2069internal request level (IRQL) too high. This is usually
2070caused by drivers using improper addresses.
2071
2072If kernel debugger is available get stack backtrace.
2073
2074DRIVER_PORTION_MUST_BE_NONPAGED (0xD3)
2075 1 - memory referenced
2076 2 - IRQL
2077 3 - value 0 = read operation, 1 = write operation
2078 If this value is non-zero and is equal to parameter 1, then
2079 The bugcheck indicates that a worker routine returned at raised
2080 IRQL.Parameter 1 and 3 are the address of the work routine, and
2081 parameter 4 is the workitem
2082 4 - address which referenced memory
2083
2084When possible, the guilty driver's name (Unicode string) is printed on
2085the bugcheck screen and saved in KiBugCheckDriver.
2086
2087An attempt was made to touch pagable memory at a process
2088internal request level (IRQL) too high. This is usually
2089caused by drivers marking code or data as pagable when it should be
2090marked nonpaged.
2091
2092If kernel debugger is available get stack backtrace.
2093
2094SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD (0xD4)
2095
2096A driver unloaded without cancelling lookaside lists, DPCs, worker threads, etc.
2097The broken driver's name is displayed on the screen.
2098
2099 1 - memory referenced
2100 2 - IRQL
2101 3 - value 0 = read operation, 1 = write operation
2102 If this value is non-zero and is equal to parameter 1, then
2103 The bugcheck indicates that a worker routine returned at raised
2104 IRQL.Parameter 1 and 3 are the address of the work routine, and
2105 parameter 4 is the workitem
2106 4 - address which referenced memory
2107
2108When possible, the guilty driver's name (Unicode string) is printed on
2109the bugcheck screen and saved in KiBugCheckDriver.
2110
2111An attempt was made to access the driver at raised IRQL after it unloaded.
2112
2113If kernel debugger is available get stack backtrace.
2114
2115DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (0xD5)
2116 1 - memory referenced
2117 2 - value 0 = read operation, 1 = write operation
2118 3 - if non-zero, the address which referenced memory.
2119 4 - Mm internal code.
2120
2121Memory was referenced after it was freed.
2122This cannot be protected by try-except.
2123
2124When possible, the guilty driver's name (Unicode string) is printed on
2125the bugcheck screen and saved in KiBugCheckDriver.
2126
2127DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (0xD6)
2128 1 - memory referenced
2129 2 - value 0 = read operation, 1 = write operation
2130 3 - if non-zero, the address which referenced memory.
2131 4 - Mm internal code.
2132
2133N bytes of memory was allocated and more than N bytes are being referenced.
2134This cannot be protected by try-except.
2135
2136When possible, the guilty driver's name (Unicode string) is printed on
2137the bugcheck screen and saved in KiBugCheckDriver.
2138
2139DRIVER_UNMAPPING_INVALID_VIEW (0xD7)
2140 1 - virtual address to unmap.
2141 2 - 1 if system is Terminal Server, 0 if not.
2142 3 - 0.
2143 4 - 0.
2144
2145A driver (usually win32k.sys, but can be determined from the stack trace for
2146certain) is trying to unmap an address that was not mapped.
2147
2148DRIVER_USED_EXCESSIVE_PTES (0xD8)
2149 1 - If non-null, the guilty driver's name (Unicode string).
2150 2 - If parameter 1 non-null, the number of PTEs used by the guilty driver.
2151 3 - Total free system PTEs
2152 4 - Total system PTEs
2153
2154No System PTEs left. Usually caused by a driver not cleaning up
2155properly. If non-null, the second parameter shows the name of the driver
2156who is consuming the most PTEs. The calling stack also shows the name of
2157the driver which bugchecked. Both drivers need to be fixed and/or the number
2158of PTEs increased.
2159
2160When possible, the guilty driver's name (Unicode string) is printed on
2161the bugcheck screen and saved in KiBugCheckDriver.
2162
2163LOCKED_PAGES_TRACKER_CORRUPTION (0xD9)
2164
2165 1 - Type of error.
2166 2 - Varies depending on argument 1.
2167 3 - Varies depending on argument 1.
2168 4 - Varies depending on argument 1.
2169
2170Argument 1 - defined error types:
2171
2172 1 - The MDL is being inserted twice on the same process list.
2173
2174 Arguments:
2175
2176 2 - Address of internal lock tracking structure.
2177 3 - Address of memory descriptor list.
2178 4 - Number of pages locked for the current process.
2179
2180 2 - The MDL is being inserted twice on the systemwide list.
2181
2182 Arguments:
2183
2184 2 - Address of internal lock tracking structure.
2185 3 - Address of memory descriptor list.
2186 4 - Number of pages locked for the current process.
2187
2188 3 - The MDL was found twice in the process list when being freed.
2189
2190 Arguments:
2191
2192 2 - Address of first internal tracking structure found.
2193 3 - Address of internal lock tracking structure.
2194 4 - Address of memory descriptor list.
2195
2196
2197 4 - The MDL was found in the systemwide list on free after it was removed.
2198
2199 Arguments:
2200
2201 2 - Address of internal lock tracking structure.
2202 3 - Address of memory descriptor list.
2203 4 - 0.
2204
2205SYSTEM_PTE_MISUSE (0xDA)
2206
2207The stack trace identifies the guilty driver.
2208
2209 1 - Type of error.
2210 2 - Varies depending on argument 1.
2211 3 - Varies depending on argument 1.
2212 4 - Varies depending on argument 1.
2213
2214Argument 1 - defined error types:
2215
2216 1 - The PTE mapping being freed is a duplicate.
2217
2218 Arguments:
2219
2220 2 - Address of internal lock tracking structure.
2221 3 - Address of memory descriptor list.
2222 4 - Address of duplicate internal lock tracking structure.
2223
2224 2 - The number of PTE mappings being freed is incorrect.
2225
2226 Arguments:
2227
2228 2 - Address of internal lock tracking structure.
2229 3 - Number of PTEs the system thinks should be freed.
2230 4 - Number of PTEs the driver is requesting to free.
2231
2232 3 - The PTE mapping address being freed is incorrect.
2233
2234 Arguments:
2235
2236 2 - Address of first internal tracking structure found.
2237 3 - The PTE address the system thinks should be freed.
2238 4 - The PTE address the driver is requesting to free.
2239
2240 4 - The first page of the mapped MDL has changed since the MDL was mapped.
2241
2242 Arguments:
2243
2244 2 - Address of internal lock tracking structure.
2245 3 - Page frame number the system thinks should be first in the MDL.
2246 4 - Page frame number that is currently first in the MDL.
2247
2248 5 - The start virtual address in the MDL being freed has changed since
2249 the MDL was mapped.
2250
2251 Arguments:
2252
2253 2 - Address of first internal tracking structure found.
2254 3 - The virtual address the system thinks should be freed.
2255 4 - The virtual address the driver is requesting to free.
2256
2257 6 - The MDL being freed was never (or is currently not) mapped.
2258
2259 Arguments:
2260
2261 2 - The MDL specified by the driver.
2262 3 - The virtual address specified by the driver.
2263 4 - The number of PTEs to free (specified by the driver).
2264
2265 7 - The PTE range is being double allocated.
2266
2267 Arguments:
2268
2269 2 - Starting PTE.
2270 3 - Number of PTEs.
2271 4 - Caller Id (system internal).
2272
2273 8 - The caller is asking to free an incorrect number of PTEs.
2274
2275 Arguments:
2276
2277 2 - Starting PTE.
2278 3 - Number of PTEs the caller is freeing.
2279 4 - Number of PTEs the system thinks should be freed.
2280
2281 9 - The caller is asking to free PTEs where one of them is not allocated.
2282
2283 Arguments:
2284
2285 2 - Starting PTE.
2286 3 - Number of PTEs the caller is freeing.
2287 4 - PTE index that the system thinks is already free.
2288
2289 0xA - The caller is asking to allocate 0 PTEs.
2290
2291 Arguments:
2292
2293 2 - Bugcheck on failure parameter.
2294 3 - Number of PTEs the caller is allocating.
2295 4 - Type of PTE pool requested.
2296
2297 0xB - The PTE list is already corrupted at the time of this allocation.
2298 The corrupt PTE is below the lowest possible PTE address.
2299
2300 Arguments:
2301
2302 2 - Corrupt PTE.
2303 3 - Number of PTEs the caller is allocating.
2304 4 - Type of PTE pool requested.
2305
2306 0xC - The PTE list is already corrupted at the time of this allocation.
2307 The corrupt PTE is above the lowest possible PTE address.
2308
2309 Arguments:
2310
2311 2 - Corrupt PTE.
2312 3 - Number of PTEs the caller is allocating.
2313 4 - Type of PTE pool requested.
2314
2315 0xD - The caller is trying to free 0 PTEs.
2316
2317 Arguments:
2318
2319 2 - Starting PTE.
2320 3 - Number of PTEs the caller is freeing.
2321 4 - Type of PTE pool.
2322
2323 0xE - The caller is trying to free PTEs and the guard PTE has been overwritten.
2324
2325 Arguments:
2326
2327 2 - Starting PTE.
2328 3 - Number of PTEs the caller is freeing.
2329 4 - Type of PTE pool.
2330
2331 0xF - The caller is trying to free a bogus PTE.
2332 The bogus PTE is below the lowest possible PTE address.
2333
2334 Arguments:
2335
2336 2 - Bogus PTE.
2337 3 - Number of PTEs the caller is trying to free.
2338 4 - Type of PTE pool being freed.
2339
2340 0x10 - The caller is trying to free a bogus PTE.
2341 The bogus PTE is above the highest possible PTE address.
2342
2343 Arguments:
2344
2345 2 - Bogus PTE.
2346 3 - Number of PTEs the caller is trying to free.
2347 4 - Type of PTE pool being freed.
2348
2349 0x11 - The caller is trying to free a bogus PTE.
2350 The bogus PTE is at the base of the PTE address space.
2351
2352 Arguments:
2353
2354 2 - Bogus PTE.
2355 3 - Number of PTEs the caller is trying to free.
2356 4 - Type of PTE pool being freed.
2357
2358DRIVER_CORRUPTED_SYSPTES (0xDB)
2359 1 - memory referenced
2360 2 - IRQL
2361 3 - value 0 = read operation, 1 = write operation
2362 4 - address which referenced memory
2363
2364An attempt was made to touch invalid memory at a process
2365internal request level (IRQL) too high. This is almost always
2366caused by drivers that have corrupted system PTEs. Set
2367HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Mamagement\TrackPtes to a DWORD 1 value and reboot. Then the system will save stack traces and
2368perform validity checks so the guilty driver can be identified.
2369There is no other way to find out which driver did this. When you enable
2370this flag, if the driver commits the error again you will see a different
2371bugcheck - SYSTEM_PTE_MISUSE - and the stack trace will identify the offending
2372driver(s).
2373
2374DRIVER_INVALID_STACK_ACCESS (0xDC)
2375
2376A driver accessed a stack address that lies below the stack pointer of the
2377stack's thread.
2378
2379POOL_CORRUPTION_IN_FILE_AREA (0xDE)
2380
2381A driver corrupted pool memory used for holding pages destined for disk.
2382This was discovered by the memory manager when dereferencing the file.
2383
2384WORKER_THREAD_RETURNED_AT_BAD_IRQL (0xE1)
2385 1 - address of worker routine (do ln on this to find guilty driver)
2386 2 - IRQL returned at (should have been 0, but isn't).
2387 3 - workitem parameter
2388 4 - workitem address
2389
2390MANUALLY_INITIATED_CRASH (0xE2)
2391
2392The user manually initiated this crash dump.
2393
2394RESOURCE_NOT_OWNED (0xE3)
2395
2396A thread tried to release a resource it did not own.
2397
2398 1 - Address of resource
2399 2 - Address of thread
2400 3 - Address of owner table if there is one
2401
2402WORKER_INVALID (0xE4)
2403
2404A executive worker item was found in memory which must not contain such
2405items. Usually this is memory being freed. This is usually caused by
2406a device driver that has not cleaned up properly before freeing memory.
2407
2408 1 - Code position indicator
2409 2 - Address of worker item
2410 3 - Start of pool block
2411 4 - End of pool block
2412
2413BUGCHECK C000026C (0xC000026C)
2414
2415A driver image (xxx.sys) is missing or otherwise corrupt. In many cases
2416this is a newly hand-copied image where there was operator or media error.
2417ie: putting an Alpha driver on an x86 machine, etc.
2418
2419 1 - pointer to a Unicode string containing the bad driver image name.
2420
2421 In the kernel debugger, type:
2422 kd> dc KiBugCheckData+4 l1 (dq KiBugCheckData+8 on Win64)
2423 kd> du $@p l2
2424
2425 This gives you the filename of the broken driver image.
2426
2427 2 - actual cause of the error (look this up in ntstatus.h).
2428
2429 Some common ones are :
2430
2431 C0000221 == image checksum mismatch
2432 C000007B == the image format is invalid (bad image header).
2433 C0000034 == the image was not found
2434 C000000E == no such device (send mail to ntmsd)
2435
2436IMPERSONATING_WORKER_THREAD
2437
2438A workitem forgot to disable impersonation before it completed.
2439
2440 1 - Worker Routine that caused this bugcheck.
2441 2 - Parameter passed to this worker routine.
2442 3 - Pointer to the Workitem.