//Thread that crashed the box
1: kd> !thread
THREAD ffffe000b5386880 Cid 1018.11c4 Teb: 00007ff5ffea8000 Win32Thread: fffff9014446eb60 RUNNING on processor 1
IRP List:
ffffe000b8841900: (0006,0700) Flags: 00060030 Mdl: 00000000
Not impersonating
DeviceMap ffffc00188de9900
Owning Process ffffe000b603b900 Image: SliceIT.exe
Attached Process N/A Image: N/A
Wait Start TickCount 4773660 Ticks: 0
Context Switch Count 542088 IdealProcessor: 0
UserTime 01:39:46.593
KernelTime 00:00:33.625
Win32 Start Address MSVCR100!_threadstartex (0x00000000730c1dbc)
Stack Init ffffd00199c7cc10 Current ffffd00199c7a9e0
Base ffffd00199c7d000 Limit ffffd00199c76000 Call 0
Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
ffffd001`99c7c8c8 fffff802`0b5d44e9 : 00000000`00000001 00007ffa`53a50e4a 00000000`00000000 00000000`0000fffe : nt!KeBugCheckEx
ffffd001`99c7c8d0 fffff802`0b5d4406 : ffffe000`b5386880 ffffd001`001f0003 00000000`1e8febf8 fffff802`00000000 : nt!KiBugCheckDispatch+0x69
ffffd001`99c7ca10 00007ffa`53a50e4a : 00007ffa`50be67fb 00000000`00000007 00000000`00000040 00000000`00000000 : nt!KiSystemServiceExit+0x24b (TrapFrame @ ffffd001`99c7ca80)
00000000`1e8feba8 00007ffa`50be67fb : 00000000`00000007 00000000`00000040 00000000`00000000 00000000`00210000 : ntdll!NtDeviceIoControlFile+0xa
00000000`1e8febb0 00007ffa`510b1bb0 : 00000000`002f0003 00000000`00000000 00000000`00000030 00007ffa`50be14db : KERNELBASE!DeviceIoControl+0x89
00000000`1e8fec20 00007ffa`3ae6380a : 00000000`00000018 00000000`00000c9c 00000000`1e8fed60 00000000`00000c9c : KERNEL32!DeviceIoControlImplementation+0x80
00000000`1e8fec70 00007ffa`3ae6243d : 00000000`168df9c0 00000000`1e8fedb8 00000000`168dfd18 00000000`00000c9c : ksproxy!KsSynchronousDeviceControl+0xba
00000000`1e8fece0 00007ffa`3ae41cde : 00000000`168df9c0 00000000`00000001 00000000`00000004 00000000`168dfd18 : ksproxy!SetState+0x5d
00000000`1e8fed50 00007ffa`3ae53aec : 00000000`168d9370 00000000`168df9c0 00000000`00000001 00000000`00000000 : ksproxy!CKsProxy::PropagateAcquire+0x546
00000000`1e8fee00 00007ffa`3ae481a7 : 00000000`168d9468 00000000`26a0e8f8 00000000`168dfc60 00000000`00000000 : ksproxy!Active+0xa8
00000000`1e8fee50 00007ffa`3ae41766 : 00000000`00000000 00000000`168d9468 00000000`26a0e8f8 00000000`00000000 : ksproxy!CKsOutputPin::Active+0x87
00000000`1e8feeb0 00007ffa`2f822f09 : 00007ffa`3bdc0730 00000000`26a0e8f8 00007ffa`3ae41610 00000000`26a0e8f8 : ksproxy!CKsProxy::Pause+0x156
00000000`1e8feef0 00007ffa`2f833c1f : 00000000`00000000 00000000`26d0e2c8 00000000`1e8ff300 00007ffa`3bd53898 : quartz!CFilterGraph::Pause+0x1f9
00000000`1e8fefe0 00007ffa`2f833c4f : 00000000`26a0e960 00000000`1e8ff300 00007ffa`3bd53898 00000000`1e8ff070 : quartz!CFGControl::Cue+0x3b
00000000`1e8ff010 00007ffa`2f8366af : 00000000`26d0e2c8 00000000`1e8ff300 00007ffa`3bd53898 00000000`1e8ff0a0 : quartz!CFGControl::CueThenRun+0x1f
00000000`1e8ff040 00007ffa`2f836065 : 00000000`26a0e960 00000000`26d0e2c8 00000000`1e8ff300 00007ffa`3bd53898 : quartz!CFGControl::CImplMediaControl::StepRun+0xab
00000000`1e8ff070 00007ffa`3bd3b780 : 00000000`26a0e960 00000000`203b6dc0 00007ffa`3bd53898 00000000`1e8ff1c0 : quartz!CFGControl::CImplMediaControl::Run+0x35
00000000`1e8ff0a0 00000000`26a0e960 : 00000000`203b6dc0 00007ffa`3bd53898 00000000`1e8ff1c0 00000000`26a0dee8 : OpenIMAJGrabber!OpenIMAJGrabber::setTimeout+0x9760
00000000`1e8ff0a8 00000000`203b6dc0 : 00007ffa`3bd53898 00000000`1e8ff1c0 00000000`26a0dee8 00000000`168dd898 : 0x26a0e960
00000000`1e8ff0b0 00007ffa`3bd53898 : 00000000`1e8ff1c0 00000000`26a0dee8 00000000`168dd898 00000000`00000000 : 0x203b6dc0
00000000`1e8ff0b8 00000000`1e8ff1c0 : 00000000`26a0dee8 00000000`168dd898 00000000`00000000 00000000`00000000 : OpenIMAJGrabber!OpenIMAJGrabber::setTimeout+0x21878
00000000`1e8ff0c0 00000000`26a0dee8 : 00000000`168dd898 00000000`00000000 00000000`00000000 00100000`73646976 : 0x1e8ff1c0
00000000`1e8ff0c8 00000000`168dd898 : 00000000`00000000 00000000`00000000 00100000`73646976 719b3800`aa000080 : 0x26a0dee8
00000000`1e8ff0d0 00000000`00000000 : 00000000`00000000 00100000`73646976 719b3800`aa000080 11ce524f`e436eb7d : 0x168dd898
/*-2 APCs, the KeEnterGuardedRegion and/or KeEnterCriticalRegion didn't match the Leave functions
So the APCs were disabled too little. */
+0x1e4 KernelApcDisable : 0n-2
+0x1e6 SpecialApcDisable : 0n0
+0x1e4 CombinedApcDisable : 0xfffe
//Old .dll file
1: kd> lmvm OpenIMAJGrabber
start end module name
00007ffa`3bd30000 00007ffa`3bd66000 OpenIMAJGrabber (export symbols) OpenIMAJGrabber.dll
Loaded symbol image file: OpenIMAJGrabber.dll
Image path: C:\Users\workshop\AppData\Local\Temp\BridJExtractedLibraries1547411402935275519\OpenIMAJGrabber.dll
Image name: OpenIMAJGrabber.dll
Timestamp: Thu May 09 12:55:53 2013 (518B8EC9)
CheckSum: 0003A4DF
ImageSize: 00036000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
1: kd> !irp ffffe000b8841900
Irp is active with 22 stacks 22 is current (= 0xffffe000b8841fb8)
No Mdl: System buffer=ffffe000b75d4bc0: Thread ffffe000b5386880: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 2 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 ffffffffc0000005
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ e, 0] 0 2 ffffe000b87aea90 00000000 fffff800e3917598-ffffd00199c7c6a0
*** ERROR: Module load completed but symbols could not be loaded for lvuvc64.sys //Logitech Webcam driver
\Driver\LVUVC64 ksthunk!CKernelFilterDevice::DeferIrpCompletion //Defer IRP complete function, wait for conditions
Args: 00000000 00000000 00000000 1e8fed20
>[ e, 0] 1 0 ffffe000b8acc910 ffffe000b5472360 00000000-00000000
\Driver\ksthunk
Args: 00000004 00000018 002f0003 1e8fed20
1: kd> !fileobj ffffe000b5472360
{146F1A80-4791-11D0-A5D6-28DB04C10000}\暠᪇拎ᇏ횥�섄
Related File Object: 0xffffe000bec44310
Device Object: 0xffffe000b62c64c0 \Driver\usbccgp
Vpb is NULL
Flags: 0x40000
Handle Created
FsContext: 0xffffe000b531b378 FsContext2: 0x00000000
CurrentByteOffset: 0
//Accessing a file object using a handle
1: kd> lmvm lvuvc64
start end module name
fffff800`e3a5b000 fffff800`e3ee2d80 lvuvc64 (no symbols)
Loaded symbol image file: lvuvc64.sys
Image path: \SystemRoot\system32\DRIVERS\lvuvc64.sys
Image name: lvuvc64.sys
Timestamp: Tue Oct 23 03:12:08 2012 (5085FCF8) //Very old driver
CheckSum: 004912C7
ImageSize: 00487D80
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
1: kd> !devstack ffffe000b87aea90
!DevObj !DrvObj !DevExt ObjectName
ffffe000b8acc910 \Driver\ksthunk ffffe000b8acca60 000000fe
> ffffe000b87aea90 \Driver\LVUVC64 ffffe000b87aec00
ffffe000b62c64c0 \Driver\usbccgp ffffe000b62c6610 000000fc
!DevNode ffffe000b5abab00 :
DeviceInst is "USB\VID_046D&PID_081B&MI_00\7&1cd1107f&0&0000"
ServiceName is "LVUVC64"
//PArt of the USB driver stack and device stack
1: kd> !devobj ffffe000b62c64c0
Device object (ffffe000b62c64c0) is for:
000000fc \Driver\usbccgp DriverObject ffffe000b4bf2c20
Current Irp 00000000 RefCount 2 Type 00000022 Flags 00003040
Dacl ffffc1027c762bc1 DevExt ffffe000b62c6610 DevObjExt ffffe000b62c6ba0 DevNode ffffe000b5abab00
ExtensionFlags (0x00000804) DOE_REMOVE_PENDING, DOE_DEFAULT_SD_PRESENT
Characteristics (0x00000180) FILE_AUTOGENERATED_DEVICE_NAME, FILE_DEVICE_SECURE_OPEN
AttachedDevice (Upper) ffffe000b87aea90 \Driver\LVUVC64
Device queue is not busy.
1: kd> !handle 40000
PROCESS ffffe000b603b900
SessionId: 1 Cid: 1018 Peb: 7ff5ffffe000 ParentCid: 034c
DirBase: 28b1aa000 ObjectTable: ffffc0017f41e840 HandleCount: <Data Not Accessible>
Image: SliceIT.exe
Handle Error reading handle count.
Invalid Handle: 0x40000
1: kd> !process ffffe000b603b900
PROCESS ffffe000b603b900
SessionId: 1 Cid: 1018 Peb: 7ff5ffffe000 ParentCid: 034c
DirBase: 28b1aa000 ObjectTable: ffffc0017f41e840 HandleCount: <Data Not Accessible>
Image: SliceIT.exe
VadRoot ffffe000b8bd8a20 Vads 451 Clone 0 Private 485129. Modified 6726816. Locked 1929.
DeviceMap ffffc00188de9900
Token ffffc00189f0a890
ElapsedTime 19:33:54.111
UserTime 12:33:42.687
KernelTime 00:22:43.343
QuotaPoolUsage[PagedPool] 601224
QuotaPoolUsage[NonPagedPool] 62400
Working Set Sizes (now,min,max) (498429, 50, 345) (1993716KB, 200KB, 1380KB)
PeakWorkingSetSize 497229
VirtualSize 7019 Mb
PeakVirtualSize 7019 Mb
PageFaultCount 517382843
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 699679
Job ffffe000b54ca060
THREAD ffffe000b8531880 Cid 1018.1310 Teb: 00007ff5ffffc000 Win32Thread: fffff901407c0b60 WAIT: (WrUserRequest) UserMode Non-Alertable
ffffe000b8686dc0 SynchronizationEvent
Not impersonating
DeviceMap ffffc00188de9900
Owning Process ffffe000b603b900 Image: SliceIT.exe
Attached Process N/A Image: N/A
Wait Start TickCount 4773659 Ticks: 1 (0:00:00:00.015)
Context Switch Count 27802 IdealProcessor: 2
UserTime 00:00:05.906
KernelTime 00:00:02.640