Connected to Windows 7 7601 x86 compatible target at (Thu Mar 19 17:34:28.389 2015 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.comSRV*c:\symbols\*http://symbols.mozilla.org/firefox;srv*c:\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com
Executable search path is:
Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
Built by: 7601.18741.x86fre.win7sp1_gdr.150202-1526
Machine Name:
Kernel base = 0x82a04000 PsLoadedModuleList = 0x82b4e5b0
System Uptime: not available
nt!DbgLoadImageSymbols+0x47:
82a1c578 cc int 3
kd> g
KDTARGET: Refreshing KD connection
nt!DbgLoadImageSymbols+0x47:
82a1c578 cc int 3
1: kd> g

*** Fatal System Error: 0x00000050
                       (0xBEBEBEEA,0x00000001,0x96979765,0x00000002)

Driver at fault:
*** win32k.sys - Address 96979765 base at 968F0000, DateStamp 54ee8ecd
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Thu Mar 19 17:39:53.922 2015 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
..................................
Loading User Symbols
..................................
Loading unloaded module list
.................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {bebebeea, 1, 96979765, 2}

*** WARNING: Unable to verify checksum for Poc9.exe
*** ERROR: Module load completed but symbols could not be loaded for Poc9.exe
Probably caused by : win32k.sys ( win32k!HMChangeOwnerThread+40 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
    This is NOT a break in update time
    This is most likely a BUG in an ISR
    Perform a stack trace to find the culprit
    The period will be doubled on continuation
    Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82a7f38c cd2c int 2Ch
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bebebeea, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 96979765, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000002, (reserved)

Debugging Details:
------------------

WRITE_ADDRESS: bebebeea

FAULTING_IP:
win32k!HMChangeOwnerThread+40
96979765 ff412c inc dword ptr [ecx+2Ch]

MM_INTERNAL_CODE: 2

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54ee8ecd

MODULE_NAME: win32k

FAULTING_MODULE: 968f0000 win32k

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: Poc9.exe

CURRENT_IRQL: 1c

TRAP_FRAME: 9847f950 -- (.trap 0xffffffff9847f950)
ErrCode = 00000002
eax=ff9215d8 ebx=ffb0d260 ecx=bebebebe edx=000101d2 esi=fea16568 edi=00000000
eip=96979765 esp=9847f9c4 ebp=9847f9d0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
win32k!HMChangeOwnerThread+0x40:
96979765 ff412c inc dword ptr [ecx+2Ch] ds:0023:bebebeea=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 82a7e853 to 82a7f38c

STACK_TEXT:
9847f378 82a7e853 0002625a 00000000 00005500 nt!KeAccumulateTicks+0x3c5
9847f3b8 82a7e700 82e310a8 efcb6a99 00000000 nt!KeUpdateRunTime+0x145
9847f410 82a7df03 00000002 00000002 000000d1 nt!KeUpdateSystemTime+0x613
9847f410 82e310a8 00000002 00000002 000000d1 nt!KeUpdateSystemTimeAssist+0x13
9847f494 82e1fb8c 00001000 00000000 9847f4f4 hal!READ_PORT_USHORT+0x8
9847f4a4 82e1fcf5 82ae2f92 adfe38d5 00000065 hal!HalpCheckPowerButton+0x2e
9847f4a8 82ae2f92 adfe38d5 00000065 00000000 hal!HaliHaltSystem+0x7
9847f4f4 82ae3a39 00000003 c0602fa8 bebebeea nt!KiBugCheckDebugBreak+0x73
9847f8b8 82a919ad 00000050 bebebeea 00000001 nt!KeBugCheck2+0x68b
9847f938 82a44a78 00000001 bebebeea 00000000 nt!MmAccessFault+0x104
9847f938 96979765 00000001 bebebeea 00000000 nt!KiTrap0E+0xdc
9847f9d0 96977cf0 fea16568 00000000 85218158 win32k!HMChangeOwnerThread+0x40
9847fa24 969c0686 00000001 9847fa3c 969c0660 win32k!xxxDestroyWindow+0x62
9847fa30 969c0660 ff9215d8 9847fa48 969c004b win32k!HMDestroyUnlockedObject+0x1b
9847fa3c 969c004b fea16568 9847fa5c 969bd745 win32k!HMUnlockObjectInternal+0x30
9847fa48 969bd745 fea16568 969d5019 868fcce0 win32k!HMUnlockObject+0x13
9847fa50 969d5019 868fcce0 9847fa74 969d6371 win32k!HMAssignmentUnlock+0xf
9847fa5c 969d6371 868fcce0 85218158 00000000 win32k!ForceEmptyClipboard+0x1a
9847fa74 82c1740b 9847fabc 85218158 00000000 win32k!FreeWindowStation+0x69
9847faa4 82c9238d 969d6308 9847fabc 00000001 nt!ExpWin32SessionCallout+0x3c
9847fac4 82c278f1 868fcce0 868fcce0 868fccc8 nt!ExpWin32DeleteProcedure+0x4a
9847fadc 82a7c320 00000000 85672448 868fccc8 nt!ObpRemoveObjectRoutine+0x59
9847faf0 82a7c290 868fcce0 82c4a704 aeea8320 nt!ObfDereferenceObjectWithTag+0x88
9847faf8 82c4a704 aeea8320 85672448 aeea8320 nt!ObfDereferenceObject+0xd
9847fb38 82c790f0 ab9237f8 aeea8320 85653d40 nt!ObpCloseHandleTableEntry+0x21d
9847fb68 82c6150d ab9237f8 9847fb7c 98b04c30 nt!ExSweepHandleTable+0x5f
9847fb88 82c6eb9d adfe37dd 00000000 85672448 nt!ObKillProcess+0x54
9847fbfc 82c61140 00000000 ffffffff 0031fa98 nt!PspExitThread+0x5db
9847fc24 82a41896 ffffffff 00000000 0031faa4 nt!NtTerminateProcess+0x1fa
9847fc24 779770f4 ffffffff 00000000 0031faa4 nt!KiSystemServicePostCall
0031fa84 77976914 7798e1a7 ffffffff 00000000 ntdll!KiFastSystemCallRet
0031fa88 7798e1a7 ffffffff 00000000 00000000 ntdll!ZwTerminateProcess+0xc
0031faa4 75cbbcae 00000000 77e8f3b0 ffffffff ntdll!RtlExitUserProcess+0x85
0031fab8 5acee619 00000000 0031fb14 5aceee79 kernel32!ExitProcessStub+0x12
0031fac4 5aceee79 00000000 6ca6caff 00000000 MSVCR120D!__crtExitProcess+0x19
0031fb14 5aceeea0 00000000 00000000 00000000 MSVCR120D!_unlockexit+0x259
0031fb28 00d71ed6 00000000 6c90b794 00000000 MSVCR120D!exit+0x10
WARNING: Stack unwind information not available. Following frames may be wrong.
0031fb70 00d720ad 0031fb84 75caee1c 7ffdf000 Poc9+0x11ed6
0031fb78 75caee1c 7ffdf000 0031fbc4 779937eb Poc9+0x120ad
0031fb84 779937eb 7ffdf000 7795462b 00000000 kernel32!BaseThreadInitThunk+0xe
0031fbc4 779937be 00d7109b 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
0031fbdc 00000000 00d7109b 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!HMChangeOwnerThread+40
96979765 ff412c inc dword ptr [ecx+2Ch]

SYMBOL_STACK_INDEX: b

SYMBOL_NAME: win32k!HMChangeOwnerThread+40

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_win32k!HMChangeOwnerThread+40

BUCKET_ID: 0x50_win32k!HMChangeOwnerThread+40

Followup: MachineOwner
---------