Analysis of a Stop 7F

Let's walk through a dump taken from a file server that was crashing regularly.

First, let's look at what kind of server the crash occurred on:

0: kd> vertarget

Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible

Product: Server, suite: TerminalServer SingleUserTS

Built by: 3790.srv03_sp1_rtm.050324-1447

Kernel base = 0x80800000 PsLoadedModuleList = 0x808af988

Debug session time: Tue Oct 21 02:22:03.749 2008 (GMT+2)

System Uptime: 6 days 7:23:43.156

So this is a Windows Server 2003 SP1 machine; a first action item would be to update it to SP2 :-)

The server also appears to have been running for 6 days before the dump was generated.

Every crash, or stop, is associated with a code that identifies the type of problem encountered. Let's examine the stop in question:

0: kd> .bugcheck

Bugcheck code 0000007F

Arguments 00000008 80042000 00000000 00000000

It is a stop 7F with parameter 00000008... interesting!!

The technical documentation describing this type of stop refers to a stack overflow problem:

“Bug Check 0x7F: UNEXPECTED_KERNEL_MODE_TRAP

The UNEXPECTED_KERNEL_MODE_TRAP bug check has a value of 0x0000007F. This bug check indicates that the Intel CPU generated a trap and the kernel failed to catch this trap.

This trap could be a bound trap (a trap the kernel is not permitted to catch) or a double fault (a fault that occurred while processing an earlier fault, which always results in a system failure).

0x00000008, or Double Fault, indicates that an exception occurs during a call to the handler for a prior exception. Typically, the two exceptions are handled serially. However, there are several exceptions that cannot be handled serially, and in this situation the processor signals a double fault. There are two common causes of a double fault:
- A kernel stack overflow
- A hardware problem”

OK, we now know that this may be a stack overflow. To learn more, we need to switch to the thread that caused the crash:

0: kd> .tss 0x28

eax=854b8300 ebx=854b8310 ecx=00000003 edx=89756000 esi=89fc3f30 edi=89756000

eip=bae30bf7 esp=f78f7f88 ebp=f78f81b8 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286

q57xp32+0x9bf7:

bae30bf7 53              push    ebx

0: kd> .thread

Implicit thread is now 8ab868d0

0: kd> !thread

THREAD 8ab868d0  Cid 0004.0048  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0

IRP List:

    859c0370: (0006,0220) Flags: 00000010  Mdl: 00000000

    85391008: (0006,0220) Flags: 00000884  Mdl: 00000000

    8a02af68: (0006,0094) Flags: 00000000  Mdl: 00000000

Not impersonating

DeviceMap                 d6402818

Owning Process            8ab8a238       Image:         System

Wait Start TickCount      34881482       Ticks: 0

Context Switch Count      21126271            

UserTime                  00:00:00.000

KernelTime                00:03:14.531

Start Address nt!ExpWorkerThread (0x8083f671)

Stack Init f78fb000 Current f78f9150 Base f78fb000 Limit f78f8000 Call 0

Priority 12 BasePriority 12 PriorityDecrement 0

ChildEBP RetAddr  Args to Child             

00000000 bae30bf7 00000000 00000000 00000000 nt!_KiTrap08+0x75 (FPO: TSS 28:0)

WARNING: Stack unwind information not available. Following frames may be wrong.

f78f81b8 bae29c53 89756000 89fc3f30 8975bf54 q57xp32+0x9bf7

f78f8200 bae29edb 854b8310 f78f8278 f78f8248 q57xp32+0x2c53

f78f8210 bae2a199 02756000 878032e0 897ef950 q57xp32+0x2edb

f78f8248 f76ee804 00000001 f78f8278 00000000 q57xp32+0x3199

f78f8260 80a7a24f 897ef850 00000000 86e62a20 NDIS!ndisMProcessSGList+0x90

f78f828c f76ee6fe 86e62a20 897ef850 878032c0 hal!HalBuildScatterGatherList+0x1c7

f78f82e4 f76d249d 8a3d5008 854b8310 862fe230 NDIS!ndisMAllocSGList+0xd9

f78f8300 ba782f37 89e90290 854b8310 89d16c48 NDIS!ndisMSendX+0x1a0

f78f8328 ba78223a 8a3d5008 854b8310 8638eae8 tcpip!IPRcvComplete+0x12d3

f78f8350 ba782622 8638ea02 f78f8402 00000001 tcpip!IPRcvComplete+0x5d6

f78f848c ba783c01 ba7bbbb8 862fe2a4 862fe230 tcpip!IPRcvComplete+0x9be

f78f84fc ba783da0 f3b3f555 00000002 875d30c0 tcpip!IPRcvComplete+0x1f9d

f78f8524 ba784478 00000001 00000000 00000002 tcpip!IPRcvComplete+0x213c

f78f8558 bab209ac 875d3008 89443364 89d2d540 tcpip!IPRcvComplete+0x2814

f78f857c bab29a46 89e8e000 89429058 89e8e000 msiscsi+0x99ac

f78f8624 bab2c101 01429058 84f25502 84f2552c msiscsi+0x12a46

f78f8644 bab1a435 808a5180 84f25502 00000000 msiscsi+0x15101

f78f866c bab036ca 8a02b65c 89e8e000 f78f8698 msiscsi+0x3435

f78f867c bab03afc 897c31a0 84f2552c 884b7d28 iscsiprt!RaCallMiniportStartIo+0x1e

f78f8698 bab0c182 84f2552c 870a48a0 89d17e18 iscsiprt!RaidAdapterPostScatterGatherExecute+0x5e

f78f86b8 bab07823 00000000 00000001 00000000 iscsiprt!RaUnitStartIo+0xc4

f78f86d8 bab0b575 89d17e18 014b7d28 00000000 iscsiprt!RaidStartIoPacket+0x49

f78f86fc bab0c8a6 89d17d30 884b7d28 84c6d270 iscsiprt!RaidUnitSubmitRequest+0x63

f78f8718 bab06844 89d17d30 884b7d28 f78f873c iscsiprt!RaUnitScsiIrp+0x92

f78f8728 8083f9d0 89d17c78 884b7d28 89e8caa0 iscsiprt!RaDriverScsiIrp+0x2a

f78f873c f7409440 884b7d28 884b7dfc 884b7d28 nt!IofCallDriver+0x45

f78f8764 f74094e0 89cfba88 884b7d28 884b7d28 mpio!MPIOReadWrite+0x19e

f78f8830 f7409b34 89cfba88 84c6d1f0 884b7dd8 mpio!MPIOPdoHandleRequest+0x76

f78f8848 f7408945 89cfbb40 884b7d28 884b7d28 mpio!MPIOPdoInternalDeviceControl+0x3c

f78f8870 f740916f 89cfba88 89cfbd78 01000000 mpio!MPIOPdoCommonDeviceControl+0x1fb

f78f8890 f74062ef 89cfba88 884b7d28 f78f88b4 mpio!MPIOPdoDispatch+0x8f

f78f88a0 8083f9d0 89cfba88 884b7d28 84f25480 mpio!MPIOGlobalDispatch+0x19

f78f88b4 f7139a20 84f25480 68d0e000 f78f88f8 nt!IofCallDriver+0x45

f78f88c4 f7139635 84f25480 89419b70 85a52e2c CLASSPNP!SubmitTransferPacket+0xbb

f78f88f8 f7139712 00000000 00001000 85a52e50 CLASSPNP!ServiceTransferRequest+0x1e4

f78f891c 8083f9d0 89419ab8 00000000 8ab96b38 CLASSPNP!ClassReadWrite+0x159

f78f8930 f74d80cf 8756c3a8 85a52e50 f78f8954 nt!IofCallDriver+0x45

f78f8940 8083f9d0 893e7780 85a52cc0 85a52cc0 PartMgr+0x10cf

f78f8954 f73b4802 890bd008 8756c3a8 89595d08 nt!IofCallDriver+0x45

Here there is no doubt: we are indeed looking at a textbook “stack overflow”.

Each thread is entitled to only a limited amount of space for its stack.

Here the limit is at f78fb000 (the stack starts at address f78f8000): Stack Init f78fb000 Current f78f9150 Base f78fb000 Limit f78f8000

The last call was made at address f78f81b8; the next call would therefore have used more memory and gone past the f78f8000 limit, hence the stack overflow and the crash.

Here is the breakdown of stack consumption at the time of the stop:

  Module      Stack Usage   Percentage
  fltMgr              280            2
  volsnap             584            5
  Ntfs               4844           42
  iscsiprt            188            2
  NDIS                140            1
  msiscsi             276            2
  q57xp32             144            1
  CLASSPNP            104            1
  mfetdik             144            1
  hal                  44            0
  dmio                328            3
  tcpip               600            5
  mpio                356            3
  PartMgr              16            0
  mfehidk             660            6
  nt                 1988           17
  df2k                848            7
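The per-module figures in the table can be recomputed from the kv listing, and the overflow itself can be confirmed from the ESP shown by .tss 0x28 and the Limit shown by !thread. The Python below is an added example, not the author's tooling: it assumes each frame is charged the gap between its ChildEBP and that of the frame it called, a rule that matches the table's values for q57xp32, hal, NDIS and tcpip on the excerpt embedded here, and its function names are illustrative.

```python
import re
from collections import Counter

# Excerpt of the `kv` output shown on this page (innermost frame first).
KV = """\
00000000 bae30bf7 00000000 00000000 00000000 nt!_KiTrap08+0x75
WARNING: Stack unwind information not available. Following frames may be wrong.
f78f81b8 bae29c53 89756000 89fc3f30 8975bf54 q57xp32+0x9bf7
f78f8200 bae29edb 854b8310 f78f8278 f78f8248 q57xp32+0x2c53
f78f8210 bae2a199 02756000 878032e0 897ef950 q57xp32+0x2edb
f78f8248 f76ee804 00000001 f78f8278 00000000 q57xp32+0x3199
f78f8260 80a7a24f 897ef850 00000000 86e62a20 NDIS!ndisMProcessSGList+0x90
f78f828c f76ee6fe 86e62a20 897ef850 878032c0 hal!HalBuildScatterGatherList+0x1c7
f78f82e4 f76d249d 8a3d5008 854b8310 862fe230 NDIS!ndisMAllocSGList+0xd9
f78f8300 ba782f37 89e90290 854b8310 89d16c48 NDIS!ndisMSendX+0x1a0
f78f8328 ba78223a 8a3d5008 854b8310 8638eae8 tcpip!IPRcvComplete+0x12d3
f78f8350 ba782622 8638ea02 f78f8402 00000001 tcpip!IPRcvComplete+0x5d6
f78f848c ba783c01 ba7bbbb8 862fe2a4 862fe230 tcpip!IPRcvComplete+0x9be
f78f84fc ba783da0 f3b3f555 00000002 875d30c0 tcpip!IPRcvComplete+0x1f9d
f78f8524 ba784478 00000001 00000000 00000002 tcpip!IPRcvComplete+0x213c
f78f8558 bab209ac 875d3008 89443364 89d2d540 tcpip!IPRcvComplete+0x2814
"""
# Limit from the `!thread` output and ESP from the `.tss 0x28` output on this page.
STACK_LIMIT, TRAP_ESP = 0xF78F8000, 0xF78F7F88

# ChildEBP, RetAddr, three argument words, then the module name before '!' or '+'.
FRAME = re.compile(r"^([0-9a-f]{8}) [0-9a-f]{8} (?:[0-9a-f]{8} ){3}([^!+\s]+)")

def parse_frames(text):
    """Return [(child_ebp, module)] for each frame line; other lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((int(m.group(1), 16), m.group(2)))
    return frames

def usage_by_module(frames):
    """Charge each frame the gap between its ChildEBP and its callee's (assumed rule)."""
    usage = Counter()
    for (callee_ebp, _), (ebp, module) in zip(frames, frames[1:]):
        if callee_ebp and ebp > callee_ebp:  # the 00000000 trap frame has no usable EBP
            usage[module] += ebp - callee_ebp
    return usage

def overflow_bytes(esp, limit):
    """Bytes by which ESP sits below the stack limit (0 while still inside the stack)."""
    return max(0, limit - esp)

if __name__ == "__main__":
    for module, used in usage_by_module(parse_frames(KV)).most_common():
        print(f"{module:10} {used:5} bytes")
    print("ESP below limit by", overflow_bytes(TRAP_ESP, STACK_LIMIT), "bytes")
```

Feeding it the complete kv 100 listing instead of the excerpt gives the breakdown for every module on the stack.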

We can see that Ntfs uses 42% of the stack, which is a lot. Now, if we look closely at the stack, we will see that it is the df2k.sys driver that re-enters the file system.

0: kd> kv 100

ChildEBP RetAddr  Args to Child             

00000000 bae30bf7 00000000 00000000 00000000 nt!_KiTrap08+0x75

WARNING: Stack unwind information not available. Following frames may be wrong.

f78f81b8 bae29c53 89756000 89fc3f30 8975bf54 q57xp32+0x9bf7

f78f8200 bae29edb 854b8310 f78f8278 f78f8248 q57xp32+0x2c53

f78f8210 bae2a199 02756000 878032e0 897ef950 q57xp32+0x2edb

f78f8248 f76ee804 00000001 f78f8278 00000000 q57xp32+0x3199

f78f8260 80a7a24f 897ef850 00000000 86e62a20 NDIS!ndisMProcessSGList+0x90

f78f828c f76ee6fe 86e62a20 897ef850 878032c0 hal!HalBuildScatterGatherList+0x1c7

f78f82e4 f76d249d 8a3d5008 854b8310 862fe230 NDIS!ndisMAllocSGList+0xd9

f78f8300 ba782f37 89e90290 854b8310 89d16c48 NDIS!ndisMSendX+0x1a0

f78f8328 ba78223a 8a3d5008 854b8310 8638eae8 tcpip!IPRcvComplete+0x12d3

f78f8350 ba782622 8638ea02 f78f8402 00000001 tcpip!IPRcvComplete+0x5d6

f78f848c ba783c01 ba7bbbb8 862fe2a4 862fe230 tcpip!IPRcvComplete+0x9be

f78f84fc ba783da0 f3b3f555 00000002 875d30c0 tcpip!IPRcvComplete+0x1f9d

f78f8524 ba784478 00000001 00000000 00000002 tcpip!IPRcvComplete+0x213c

f78f8558 bab209ac 875d3008 89443364 89d2d540 tcpip!IPRcvComplete+0x2814

f78f857c bab29a46 89e8e000 89429058 89e8e000 msiscsi+0x99ac

f78f8624 bab2c101 01429058 84f25502 84f2552c msiscsi+0x12a46

f78f8644 bab1a435 808a5180 84f25502 00000000 msiscsi+0x15101

f78f866c bab036ca 8a02b65c 89e8e000 f78f8698 msiscsi+0x3435

f78f867c bab03afc 897c31a0 84f2552c 884b7d28 iscsiprt!RaCallMiniportStartIo+0x1e

f78f8698 bab0c182 84f2552c 870a48a0 89d17e18 iscsiprt!RaidAdapterPostScatterGatherExecute+0x5e

f78f86b8 bab07823 00000000 00000001 00000000 iscsiprt!RaUnitStartIo+0xc4

f78f86d8 bab0b575 89d17e18 014b7d28 00000000 iscsiprt!RaidStartIoPacket+0x49

f78f86fc bab0c8a6 89d17d30 884b7d28 84c6d270 iscsiprt!RaidUnitSubmitRequest+0x63

f78f8718 bab06844 89d17d30 884b7d28 f78f873c iscsiprt!RaUnitScsiIrp+0x92

f78f8728 8083f9d0 89d17c78 884b7d28 89e8caa0 iscsiprt!RaDriverScsiIrp+0x2a

f78f873c f7409440 884b7d28 884b7dfc 884b7d28 nt!IofCallDriver+0x45

f78f8764 f74094e0 89cfba88 884b7d28 884b7d28 mpio!MPIOReadWrite+0x19e

f78f8830 f7409b34 89cfba88 84c6d1f0 884b7dd8 mpio!MPIOPdoHandleRequest+0x76

f78f8848 f7408945 89cfbb40 884b7d28 884b7d28 mpio!MPIOPdoInternalDeviceControl+0x3c

f78f8870 f740916f 89cfba88 89cfbd78 01000000 mpio!MPIOPdoCommonDeviceControl+0x1fb

f78f8890 f74062ef 89cfba88 884b7d28 f78f88b4 mpio!MPIOPdoDispatch+0x8f

f78f88a0 8083f9d0 89cfba88 884b7d28 84f25480 mpio!MPIOGlobalDispatch+0x19

f78f88b4 f7139a20 84f25480 68d0e000 f78f88f8 nt!IofCallDriver+0x45

f78f88c4 f7139635 84f25480 89419b70 85a52e2c CLASSPNP!SubmitTransferPacket+0xbb

f78f88f8 f7139712 00000000 00001000 85a52e50 CLASSPNP!ServiceTransferRequest+0x1e4

f78f891c 8083f9d0 89419ab8 00000000 8ab96b38 CLASSPNP!ClassReadWrite+0x159

f78f8930 f74d80cf 8756c3a8 85a52e50 f78f8954 nt!IofCallDriver+0x45

f78f8940 8083f9d0 893e7780 85a52cc0 85a52cc0 PartMgr+0x10cf

f78f8954 f73b4802 890bd008 8756c3a8 89595d08 nt!IofCallDriver+0x45

f78f899c f73cdfa3 8756c3a8 010bd008 04000000 dmio!voldiskiostart+0x482

f78f89ec f73bf8dc 8756c3a8 f78f8a44 f78f8a38 dmio!vol_subdisksio_start+0x107

f78f8a5c f73b5e2c 8712c408 00000001 00000001 dmio!volkiostart+0x32c

f78f8a88 f73b85e2 88dc1a60 85a52cc0 8ab50418 dmio!volrdwr+0xa0

f78f8a9c 8083f9d0 88dc1a60 85a52cc0 85a52e98 dmio!volread+0x58

f78f8ab0 f73899c4 8ab2d248 88db7af0 88d246d0 nt!IofCallDriver+0x45

f78f8ac8 8083f9d0 88d246d0 85a52cc0 85a52cc0 volsnap+0x19c4

f78f8adc f70d9881 88db7a38 88db7af0 88ba5c98 nt!IofCallDriver+0x45

f78f8b34 f70dae17 88db7a38 85a52cc0 85a52cc0 df2k+0x6881

f78f8b5c f701d0ce f78f8e40 f78f8d40 f701c702 df2k+0x7e17

f78f8b68 f701c702 f78f8e40 88db7a38 9c09a000 Ntfs!NtfsSingleAsync+0x91

f78f8d40 f701a75e f78f8e40 85a52cc0 88ba5c98 Ntfs!NtfsNonCachedIo+0x2db

f78f8e2c f701d8de f78f8e40 85a52cc0 00000001 Ntfs!NtfsCommonRead+0xaf5

f78f8fd8 8083f9d0 88be6718 85a52cc0 85a52cc0 Ntfs!NtfsFsdRead+0x113

f78f8fec f7117b43 88f2aae8 85a52cc0 88eeb008 nt!IofCallDriver+0x45

f78f9010 f7117d03 f78f9030 88f2aae8 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b

f78f9048 8083f9d0 88f2aae8 85a52cc0 88db7af0 fltMgr!FltpDispatch+0x11f

f78f905c f70d8ab1 89944588 89944640 88fcd5c0 nt!IofCallDriver+0x45

f78f9100 f70dae17 89944588 85a52cc0 85a52ebc df2k+0x5ab1

f78f9128 ba9efa40 88d1da08 89705218 88bed008 df2k+0x7e17

f78f913c 8083f9d0 88aacf10 85a52cc0 85a52cc0 SYMEVENT!SYMEvent_AllocVMData+0x5f00

f78f9150 f7117d36 0010e000 8a0d1768 00000000 nt!IofCallDriver+0x45

f78f917c 8083f9d0 88d1da08 85a52cc0 85a52cc0 fltMgr!FltpDispatch+0x152

f78f9190 8082f0de 83e86308 8ab868d0 83e862f8 nt!IofCallDriver+0x45

f78f91a8 8082f17c 88f04f0c 83e86330 83e86310 nt!IoPageRead+0x109

f78f922c 80849ce5 00000001 c16ce000 c0305b38 nt!MiDispatchFault+0xd2a

f78f9288 8082fd4f 00000000 c16ce000 00000000 nt!MmAccessFault+0x64a

f78f92b8 80845b53 c16ce000 00000000 f78f93e4 nt!MmCheckCachedPageState+0x48e

f78f9300 80845d5a 88ba5b60 f78f9340 00001000 nt!CcMapAndRead+0x93

f78f9394 8092f599 88f04f90 f78f93d4 00001000 nt!CcPinFileData+0x24a

f78f9408 f7054d25 88f04f90 f78f9440 00001000 nt!CcPinRead+0xc4

f78f9430 f704842b 84f7a168 88ba5c98 0010e000 Ntfs!NtfsPinStream+0x76

f78f945c f7049751 84f7a168 88be67f8 00870000 Ntfs!NtfsMapOrPinPageInBitmap+0x9d

f78f94d8 f704851f 84f7a168 88be67f8 0087312e Ntfs!NtfsAllocateBitmapRun+0x4b

f78f9614 f7040136 84f7a168 88be67f8 87342a00 Ntfs!NtfsAllocateClusters+0x9fd

f78f96d4 f7047e53 84f7a168 87342a00 00000020 Ntfs!NtfsAllocateAttribute+0x156

f78f9774 f704835c 84f7a168 d6650468 00000020 Ntfs!NtfsCreateNonresidentWithValue+0xde

f78f9874 f706e627 84f7a168 d6650468 d1911898 Ntfs!NtfsConvertToNonresident+0x2ec

f78f99cc f7076cc4 84f7a168 d6650468 00000240 Ntfs!NtfsChangeAttributeValue+0x467

f78f9ab8 f7071d04 84f7a168 d6650468 000fe6ad Ntfs!NtfsAddToAttributeList+0x177

f78f9ca0 f7047a50 84f7a168 d6650530 f78f9cd0 Ntfs!NtfsAddAttributeAllocation+0xf71

f78f9d64 f70845ef 84f7a168 8523cc68 d6650530 Ntfs!NtfsAddAllocation+0x397

f78f9e74 f7041c94 84f7a168 8523cc68 859c0370 Ntfs!NtfsSetAllocationInfo+0x3dd

f78f9ee0 f701d2fb 84f7a168 859c0370 00000000 Ntfs!NtfsCommonSetInformation+0x48c

f78f9f48 8083f9d0 88be6718 859c0370 859c0370 Ntfs!NtfsFsdSetInformation+0xa3

f78f9f5c f7117b43 88f2aae8 859c0370 88eeb008 nt!IofCallDriver+0x45

f78f9f80 f7117d03 f78f9fa0 88f2aae8 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b

f78f9fb8 8083f9d0 88f2aae8 859c0370 88db7af0 fltMgr!FltpDispatch+0x11f

f78f9fcc f70d8ab1 89944588 89944640 f78fa0e8 nt!IofCallDriver+0x45

f78fa070 f70dae17 89944588 859c0370 859c056c df2k+0x5ab1

f78fa098 ba9ef7b1 859c056c 859c0590 f78fa0e8 df2k+0x7e17

f78fa0b0 ba9f8d68 89944588 00000000 f78fa0e8 SYMEVENT!SYMEvent_AllocVMData+0x5c71

f78fa0cc ba9ef91b f78fa0e8 8082b0b9 ba9ef9e3 SYMEVENT!EventObjectCreate+0xba8

f78fa10c 8083f9d0 88aacf10 859c0370 859c0370 SYMEVENT!SYMEvent_AllocVMData+0x5ddb

f78fa120 f7117b43 88d1da08 859c0370 88bed008 nt!IofCallDriver+0x45

f78fa144 f7117d03 f78fa164 88d1da08 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b

f78fa17c 8083f9d0 88d1da08 859c0370 859c0370 fltMgr!FltpDispatch+0x11f

f78fa190 8098911f 85391008 84c497a0 f78fa434 nt!IofCallDriver+0x45

f78fa1c8 f707e07c 0123cc68 00000013 85391018 nt!IoSetInformation+0x1c2

f78fa1f4 f706c7b7 84c497a0 85391008 d66506b8 Ntfs!NtfsCompleteLargeAllocation+0x40

f78fa3f4 f70531e5 84c497a0 85391008 f78fa434 Ntfs!NtfsCommonCreate+0x1472

f78fa4f8 8083f9d0 88be6718 85391008 85391008 Ntfs!NtfsFsdCreate+0x17d

f78fa50c f7117b43 00000000 85391008 85391198 nt!IofCallDriver+0x45

f78fa530 f71255af f78fa550 88f2aae8 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b

f78fa56c 8083f9d0 88f2aae8 85391008 853911d8 fltMgr!FltpCreate+0x23b

f78fa580 f70da51c 8081fd79 899446b0 899446f4 nt!IofCallDriver+0x45

f78fa5b0 f70d942b 899446b0 85391008 00000000 df2k+0x751c

f78fa5e4 f70d8fed 89944640 85391008 89944588 df2k+0x642b

f78fa690 f70dae17 89944588 85391008 853911e0 df2k+0x5fed

f78fa6b8 ba9ef8a1 853911e0 85391204 f78fa718 df2k+0x7e17

f78fa6e0 ba9f8d58 89944588 00000000 f78fa718 SYMEVENT!SYMEvent_AllocVMData+0x5d61

f78fa6fc ba9ef91b f78fa718 8082b0b9 ba9ef9e3 SYMEVENT!EventObjectCreate+0xb98

f78fa73c 8083f9d0 88aacf10 85391008 85391008 SYMEVENT!SYMEvent_AllocVMData+0x5ddb

f78fa750 f7117b43 00000000 85391008 85391204 nt!IofCallDriver+0x45

f78fa774 f71255af f78fa794 88d1da08 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b

f78fa7b0 8083f9d0 88d1da08 85391008 85391008 fltMgr!FltpCreate+0x23b

f78fa7c4 8092e269 f78fa96c 88dc1a48 00000000 nt!IofCallDriver+0x45

f78fa8ac 80936caa 88dc1a60 00000000 88e62860 nt!IopParseDevice+0xa35

f78fa92c 80936aa5 00000000 f78fa96c 00000240 nt!ObpLookupObjectName+0x5a9

f78fa980 80936f27 00000000 00000000 00000100 nt!ObOpenObjectByName+0xea

f78fa9fc 80936ff8 8a2f22e4 0012019f f78fab7c nt!IopCreateFile+0x447

f78faa58 8092ed98 8a2f22e4 0012019f f78fab7c nt!IoCreateFile+0xa3

f78faa98 80834d3f 8a2f22e4 0012019f f78fab7c nt!NtCreateFile+0x30

f78faa98 8083c1ec 8a2f22e4 0012019f f78fab7c nt!KiFastCallEntry+0xfc

f78fab3c f7396acb 8a2f22e4 0012019f f78fab7c nt!ZwCreateFile+0x11

f78fabc4 f739c6f7 8a2f22d0 00000001 f78fabec volsnap+0xeacb

f78fabf8 f73a5d5d 86a966e0 12c00000 00000000 volsnap+0x146f7

f78fad50 f73945e5 8aa020d8 851a5798 8ab868d0 volsnap+0x1dd5d

f78fad6c 809180a0 875603d0 88eb2ab8 808b70dc volsnap+0xc5e5

f78fad80 8083f72e 875603d0 00000000 8ab868d0 nt!IopProcessWorkItem+0x13

f78fadac 8092ccff 875603d0 00000000 00000000 nt!ExpWorkerThread+0xeb

f78faddc 80841a96 8083f671 00000001 00000000 nt!PspSystemThreadStartup+0x2e

00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

The stack also contains several occurrences of the SYMEVENT module, which is known to cause stack overflow problems.

The solution to this problem involves:

- Uninstalling or updating the Df2K.sys component

- Following Symantec's recommendations for Symevent: https://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002071208532048?Open&src=w

 Mounia

Windows Core Technical Lead