The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Interesting: minidump/kernel dump Instant Online Crash Analysis

Posted by jpluimers on 2015/01/28

Figured out, using Instant Online Crash Analysis, that mfefirek.sys is causing a DRIVER_IRQL_NOT_LESS_OR_EQUAL BSOD.

Well done McAfee!

This is what I did:

  1. As admin, copy %windir%\Minidump\*.dmp %temp%
  2. Upload these to http://www.osronline.com/page.cfm?name=analyze
  3. Compare the results with Beyond Compare 4 for patterns.

The result for all *.dmp files is a pattern like this:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000000d, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8800....d70, address which referenced memory

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800032..100
GetUlongFromAddress: unable to read from fffff800032..1c0
 000000000000000d Nonpaged pool

CURRENT_IRQL:  2

FAULTING_IP: 
mfefirek+19d70
fffff880`0.....70 8a400d          mov     al,byte ptr [rax+0Dh]

–jeroen

via: Instant Online Crash Analysis.
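
Step 3 above (comparing the analysis results for patterns) can also be scripted. The following is an added example, not part of the original post: it parses reports in the format shown above and groups them by bugcheck name plus faulting module and offset, ignoring the absolute addresses, which differ between boots. The function names and the sample addresses are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample reports in the shape shown in the post. The absolute
# addresses are made-up placeholders, not values from the original dumps.
SAMPLE_A = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 000000000000000d, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88001234d70, address which referenced memory

FAULTING_IP:
mfefirek+19d70
fffff880`01234d70 8a400d          mov     al,byte ptr [rax+0Dh]
"""
SAMPLE_B = SAMPLE_A.replace("01234d70", "05678d70")  # same crash, other load address

BUGCHECK = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$", re.M)
ARG = re.compile(r"^Arg([1-4]): ([0-9a-fA-F]+)", re.M)
FAULT = re.compile(r"^FAULTING_IP:\s*\n(\S+?)\+(?:0x)?([0-9a-fA-F]+)\s*$", re.M)

def summarize(report):
    """Extract the fields worth comparing from one analysis report."""
    bc = BUGCHECK.search(report)
    args = {int(n): int(v, 16) for n, v in ARG.findall(report)}
    fault = FAULT.search(report)
    return {
        "bugcheck": bc.group(1) if bc else None,
        "code": int(bc.group(2), 16) if bc else None,
        "irql": args.get(2),
        "access": {0: "read", 1: "write"}.get(args.get(3)),
        "module": fault.group(1) if fault else None,
        "offset": int(fault.group(2), 16) if fault else None,
    }

def common_pattern(reports):
    """Count reports per (bugcheck, module, offset), most frequent first."""
    keys = Counter()
    for report in reports:
        s = summarize(report)
        keys[(s["bugcheck"], s["module"], s["offset"])] += 1
    return keys.most_common()

if __name__ == "__main__":
    for key, count in common_pattern([SAMPLE_A, SAMPLE_B]):
        print(count, key)
```
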
