Update: Process Monitor v1.12

Process Monitor v1.12: This release fixes a bug in the driver.
Comments
  • As the forum is currently locked, where can I submit bugs/feature requests?

  • It's open now.

  • Version 1.12 of procmon bluescreened my machine. I have a minidump collected during the crash, which I can send to you if you wish.

  • Here is the kd !analyze -v output from the minidump mentioned in the above post. The bluescreen happened during full unfiltered file/registry/process/thread capture on a busy machine.

    ---------

    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000006, The exception code that was not handled
    Arg2: 80602c50, The address that the exception occurred at
    Arg3: f79fb5c4, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------

    EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced
    memory at "0x%08lx". The required data was not placed into memory because of an
    I/O error status of "0x%08lx".

    FAULTING_IP:
    nt!ExpAllocateHandleTableEntry+1be
    80602c50 8b4904          mov     ecx,dword ptr [ecx+4]

    TRAP_FRAME:  f79fbbcc -- (.trap fffffffff79fbbcc)
    ErrCode = 00000000
    eax=e3c54320 ebx=00000190 ecx=00000000 edx=00000190 esi=e3c54320 edi=f79fbd0c
    eip=806034e5 esp=f79fbc40 ebp=f79fbc54 iopl=0         nv up ei ng nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
    nt!ExMapHandleToPointerEx+0x2d:
    806034e5 8b06            mov     eax,dword ptr [esi]  ds:0023:e3c54320=????????
    Resetting default scope

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  DRIVER_FAULT

    BUGCHECK_STR:  0x8E

    PROCESS_NAME:  ccSetMgr.exe

    LAST_CONTROL_TRANSFER:  from 80603253 to 80602c50

    STACK_TEXT:
    f79fb65c 80603253 e3c4c6c8 f79fb674 00000000 nt!ExpAllocateHandleTableEntry+0x1
    e
    f79fb678 805b1d47 e3c4c6c8 f79fb6ac 00000000 nt!ExCreateHandle+0x19
    f79fb6cc 805b0174 00000001 e3c52720 00000000 nt!ObpCreateHandle+0x3f7
    f79fb79c 805e21dc e3c52720 00000000 00000000 nt!ObOpenObjectByPointer+0xa4
    f79fb7f8 805e2557 800017c4 00020008 00000000 nt!NtOpenProcessTokenEx+0x94
    f79fb810 8053ca28 800017c4 00020008 f79fb94c nt!NtOpenProcessToken+0x15
    f79fb810 804fdded 800017c4 00020008 f79fb94c nt!KiFastCallEntry+0xf8
    f79fb894 f879b5dc 800017c4 00020008 f79fb94c nt!ZwOpenProcessToken+0x11
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f79fb978 f879b973 00b30080 fe236be0 fdf3af14 PROCMON11+0x15dc
    f79fb994 f879c57e 0000023c 00000001 fdf24194 PROCMON11+0x1973
    f79fb9d0 f82be888 fdf3af14 f79fb9f0 f79fba20 PROCMON11+0x257e
    f79fba30 f82c02a0 009fba78 00000000 f79fba78 fltmgr!FltpPerformPreCallbacks+0x2
    4
    f79fba44 f82c0c48 f79fba78 00000000 81ad8020 fltmgr!FltpPassThroughInternal+0x3
    f79fba60 f82c1059 f79fba01 fe75cd88 82397e40 fltmgr!FltpPassThrough+0x1c2
    f79fba90 804edfe3 81ad8020 fd998e00 0b2e6000 fltmgr!FltpDispatch+0x10d
    f79fbaa0 804ee9ae 00000000 fe75cd78 fe75cd88 nt!IopfCallDriver+0x31
    f79fbab4 804ee9d5 81ad8020 fe75cd0b fe75cd90 nt!IopPageReadInternal+0xf4
    f79fbad4 80512a30 81da9f90 fe75cdb0 fe75cd90 nt!IoPageRead+0x1b
    f79fbb50 8051bfa0 c071e2a0 e3c54320 c071e2a0 nt!MiDispatchFault+0x286
    f79fbbb4 8053f90c 00000000 e3c54320 00000000 nt!MmAccessFault+0x7b4
    f79fbbb4 806034e5 00000000 e3c54320 00000000 nt!KiTrap0E+0xcc
    f79fbc54 805af96a e3c4c6c8 00000190 e1e5d001 nt!ExMapHandleToPointerEx+0x2d
    f79fbc7c 805c078d 00000190 00000040 823cac68 nt!ObReferenceObjectByHandle+0x12e
    f79fbd48 8053ca28 00000190 00000010 00dcff88 nt!NtQueryInformationThread+0x43d
    f79fbd48 7c90eb94 00000190 00000010 00dcff88 nt!KiFastCallEntry+0xf8
    00dcff8c 00000000 00000000 00000000 00000000 0x7c90eb94

    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    PROCMON11+15dc
    f879b5dc ??              ???

    SYMBOL_STACK_INDEX:  8

    SYMBOL_NAME:  PROCMON11+15dc

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: PROCMON11

    IMAGE_NAME:  PROCMON11.SYS

    DEBUG_FLR_IMAGE_TIMESTAMP:  46142c9b

    FAILURE_BUCKET_ID:  0x8E_PROCMON11+15dc

    BUCKET_ID:  0x8E_PROCMON11+15dc

    Followup: MachineOwner
    ---------

    kd>