Endpoint v10 + Procmon.exe = bsod on Windows 7

To recreate this problem all I need to do is:

1. Run procmon.exe from Sysinternals (now Microsoft).
2. Set the filter to "Category = write", then Add.
3. Drop filtered events.
4. Start monitoring.

After 100+ events I get a blue screen of death.

SYSTEM_SERVICE_EXCEPTION 0x0000003b 00000000`c0000005 fffff880`06c1344c fffff880`0766ce50 00000000`00000000 PROCMON23.SYS PROCMON23.SYS+844c     x64 ntoskrnl.exe+7f1c0     

I have tried excluding two files, procmon.exe and procmon23.sys (mentioned in the BSOD error), from the on-access scanning, without success. Both are portable files, so they have no fixed install path; is this required?

Has anyone had the same problem, and could you share any workarounds you have put in place?

Many thanks.

  • The windbg !analyze -v output is below.

    Microsoft (R) Windows Debugger Version 6.2.8400.0 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Windows\Minidump\071712-30856-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*C:\Program Files (x86)\Windows Kits\8.0\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.17835.amd64fre.win7sp1_gdr.120503-2030
    Machine Name:
    Kernel base = 0xfffff800`02c55000 PsLoadedModuleList = 0xfffff800`02e99670
    Debug session time: Tue Jul 17 16:36:22.354 2012 (UTC + 1:00)
    System Uptime: 0 days 0:08:42.275
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..............................
    Loading User Symbols
    Loading unloaded module list
    ....
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 3B, {c0000005, fffff88006c1344c, fffff8800766ce50, 0}
    
    Probably caused by : PROCMON23.SYS ( PROCMON23+844c )
    
    Followup: MachineOwner
    ---------
    
    7: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff88006c1344c, Address of the instruction which caused the bugcheck
    Arg3: fffff8800766ce50, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    PROCMON23+844c
    fffff880`06c1344c 0fb708          movzx   ecx,word ptr [rax]
    
    CONTEXT:  fffff8800766ce50 -- (.cxr 0xfffff8800766ce50)
    rax=0000000000000007 rbx=fffffa800981bb50 rcx=000000000000004d
    rdx=0000000000000007 rsi=fffffa800981bba0 rdi=0000000000000000
    rip=fffff88006c1344c rsp=fffff8800766d830 rbp=0000000000000000
     r8=0000000004530000  r9=0000000000265000 r10=fffffa80089a0450
    r11=0000000000000001 r12=0000000000000001 r13=fffff8800766db00
    r14=fffffa8006a3f060 r15=fffff8800766dc20
    iopl=0         nv up ei ng nz na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
    PROCMON23+0x844c:
    fffff880`06c1344c 0fb708          movzx   ecx,word ptr [rax] ds:002b:00000000`00000007=????
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    BUGCHECK_STR:  0x3B
    
    PROCESS_NAME:  VIGUARD.exe
    
    CURRENT_IRQL:  1
    
    LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff88006c1344c
    
    STACK_TEXT:  
    fffff880`0766d830 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : PROCMON23+0x844c
    
    
    FOLLOWUP_IP: 
    PROCMON23+844c
    fffff880`06c1344c 0fb708          movzx   ecx,word ptr [rax]
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  PROCMON23+844c
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: PROCMON23
    
    IMAGE_NAME:  PROCMON23.SYS
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4f7f1562
    
    STACK_COMMAND:  .cxr 0xfffff8800766ce50 ; kb
    
    FAILURE_BUCKET_ID:  X64_0x3B_PROCMON23+844c
    
    BUCKET_ID:  X64_0x3B_PROCMON23+844c
    
    Followup: MachineOwner
    ---------
    
    

    Another third-party executable, VIGUARD.EXE, is mentioned in the output; it is included in the LANDesk client suite. I will try removing these other elements, test again, and report back.

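As an added example (not part of the post above), a small parser that pulls the triage-relevant fields out of a `!analyze -v` dump like the one quoted here: the bugcheck code and its arguments, the module and offset blamed, the process that was current, and the address the faulting instruction actually touched. The sample text is an excerpt of the output in the post; the verdict strings and the 0x10000 "near-null" threshold are this example's own choices.

```python
import re

# Excerpt of the !analyze -v output quoted in the post above, trimmed to the lines used here.
SAMPLE = """\
BugCheck 3B, {c0000005, fffff88006c1344c, fffff8800766ce50, 0}
Probably caused by : PROCMON23.SYS ( PROCMON23+844c )
SYSTEM_SERVICE_EXCEPTION (3b)
FAULTING_IP:
PROCMON23+844c
fffff880`06c1344c 0fb708          movzx   ecx,word ptr [rax]
rax=0000000000000007 rbx=fffffa800981bb50 rcx=000000000000004d
PROCMON23+0x844c:
fffff880`06c1344c 0fb708          movzx   ecx,word ptr [rax] ds:002b:00000000`00000007=????
PROCESS_NAME:  VIGUARD.exe
CURRENT_IRQL:  1
IMAGE_NAME:  PROCMON23.SYS
"""

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE_RE = re.compile(r"^Probably caused by : (\S+) \( (\w+)\+([0-9a-fA-F]+) \)", re.M)
FIELD_RE = re.compile(r"^(PROCESS_NAME|IMAGE_NAME|CURRENT_IRQL):\s+(\S+)", re.M)
# The effective address windbg prints after the disassembly of the faulting instruction.
ACCESS_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f`]+)=", re.M)

def hexval(s):
    """Parse a windbg hex number, tolerating the backtick that splits 64-bit values."""
    return int(s.replace("`", ""), 16)

def parse_analyze(text):
    """Extract the fields a first-pass crash triage needs from !analyze -v text."""
    bc, cause, acc = BUGCHECK_RE.search(text), CAUSE_RE.search(text), ACCESS_RE.search(text)
    info = {
        "bugcheck": int(bc.group(1), 16),
        "args": [hexval(a.strip()) for a in bc.group(2).split(",")],
        "image": cause.group(1),
        "module": cause.group(2),
        "offset": int(cause.group(3), 16),
        "fault_address": hexval(acc.group(1)) if acc else None,
    }
    for key, val in FIELD_RE.findall(text):
        info[key.lower()] = val
    return info

def classify(info):
    """One-line verdict: is this an access violation, and on what kind of address?"""
    if info["bugcheck"] != 0x3B or info["args"][0] != 0xC0000005:
        return "not a 0x3B access-violation bugcheck"
    where = f"{info['module']}+0x{info['offset']:x} ({info['image']})"
    addr = info["fault_address"]
    if addr is None:
        return f"access violation in {where}, faulting address not recorded"
    if addr < 0x10000:  # small absolute address: a NULL or near-NULL pointer was dereferenced
        return f"near-null dereference of 0x{addr:x} in {where}, current process {info.get('process_name')}"
    return f"access violation at 0x{addr:x} in {where}"

if __name__ == "__main__":
    print(classify(parse_analyze(SAMPLE)))
```

Run on the post's dump this reports a near-null dereference of 0x7 in PROCMON23+0x844c while VIGUARD.exe was the current process, which is why the crash line names a different executable than the driver at fault.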