[21994] in bugtraq

Re: w2k dos

daemon@ATHENA.MIT.EDU (Bronek Kozicki)
Sun Jul 29 14:03:59 2001

Message-ID: <000f01c1182f$26f75f00$c503a8c0@waw.getin.pl>
From: "Bronek Kozicki" <brok@rubikon.pl>
To: <bugtraq@securityfocus.com>
Cc: <secure@microsoft.com>
Date: Sun, 29 Jul 2001 15:05:26 +0200

I tested 2 similar systems. Both are Win2K Pro Eng, installed SP2 and
identical hotfixes:
Q285156 Windows 2000 Event Viewer Contains an Unchecked Buffer
Q285851 Patch Available for Network DDE Agent Request Vulnerability
Q292003 SP2 Adds Updates to Several Windows 2000 Support Tools
Q293826 Pattern-Matching Function Causes Access Violation on FTP Server
Q296185 Patch Available for New Variant of "Malformed Hit-Highlighting"
Q298012 Security Bulletin MS01-041 : Malformed RPC Request Can Cause Service
Failure (no KB article yet)
Q299687 LDAP over SSL Could Enable Passwords to Be Changed
Q300972 Unchecked Buffer in ISAPI Extension Can Cause Server Compromise

I used the simplest command I could find: sleep from Resource Kit.

One system (128MB RAM) did not show blue screen, but simply restarted. Other
system (512MB RAM) displayed BSOD and then restarted, however no memory.dmp
was created (and definitely, system was set to create full memory.dmp).

I used kernel debugger running on serial port to get more details from both.
Apparently there's an unhandled exception in csrss.exe process space (it's
Win32 SubSystem - wise book says that a lot of Win32 job is actually done by
Executive). You may find more details in attached Windbg log files:
csrss_halt-1.txt was recorded when smaller system crashed (one with 128MB
RAM)
csrss_halt-2.txt was recorded when bigger system crashed (one with 512MB
RAM). In this file I allowed system to continue running after exception was
handled by system debugger (command tcb), so at the end of file you will
find BSOD itself. It looks like:
---
*** Fatal System Error: 0xc000021a
                       (0xE2682B68,0xC0000005,0x5FFB4484,0x00B5FA38)
STOP: c000021a {Fatal System Error}
The Windows SubSystem system process terminated unexpectedly
with a status of 0xc0000005 (0x5ffb4484 0x00b5fa38).
The system has been shut down.
---


Regards


B.Kozicki


PS. Has anyone tested this problem with an SMP system?



[Attachment: csrss_halt-1.txt]

Opened \\.\COM2

Microsoft (R) Windows Kernel Debugger
Version 2.0.0023.0
Copyright (C) Microsoft Corporation. 1981-2001

Waiting to reconnect...
Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Loaded dbghelp extension DLL
Loaded ext extension DLL
Loaded kext extension DLL
Loaded kdextx86 extension DLL
Symbol search path is: C:\WINNT\Symbols\
Executable search path is:
PsLoadedModuleList not initialized yet.  Delay kernel load.
Windows 2000 Kernel Version 2195 UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x8046ccf0
System Uptime: not available
%Added floppy named: \Device\FloppyPDO0
No Vpb on floppy filter
Fips device driver loaded successfully
Fips driver locked into memory
Fips driver unlocked from memory
Unhandled Exception hit in csrss.exe
first, enter !exr 0045FA1C for the exception record
next, enter !cxr 0045FA38 for the context
then !kb to get the faulting stack
Break instruction exception - code 80000003 (first chance)
*** WARNING: Unable to verify Timestamp for ntdll.dll
*** WARNING: Unable to verify Timestamp for ntoskrnl.exe
NTDLL!DbgBreakPoint:
001b:77fa018c cc          int     3
kd> .exr 0045FA1C
ExceptionAddress: 5ffb448c
   ExceptionCode: c0000005
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00ee4e10
Attempt to write to address 00ee4e10
kd> .cxr 0045FA38
eax=0000003e ebx=00ed0144 ecx=0000000f edx=0000001f esi=0045ff5c edi=00ee4e10
eip=5ffb448c esp=0045fd04 ebp=0045fd20 iopl=3         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00013207
001b:5ffb448c f3a5        rep     movsd
kd> kb
  *** Stack trace for last set context - .thread resets it
ChildEBP RetAddr  Args to Child
0045fd20 5ffb4242 0045ff5c 0000001f 00412ec8 0x5ffb448c
0045fd4c 5ffb406d 0045ff2c 0045ffb0 00168b70 0x5ffb4242
0045fe7c 5ffb3f3c 0045ff2c 0045ff24 004127f0 0x5ffb406d
0045fe94 5ffb3edd 0045ff2c 0045ff24 004127f0 0x5ffb3f3c
0045feb8 5ff942fb 004127f0 0045ff24 00000005 0x5ffb3edd
0045fff4 00000000 000000a4 00000000 00000000 0x5ff942fb
kd>

[Attachment: csrss_halt-2.txt]

Opened \\.\COM1

Microsoft (R) Windows Kernel Debugger
Version 2.0.0023.0
Copyright (C) Microsoft Corporation. 1981-2001

Waiting to reconnect...
Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Loaded dbghelp extension DLL
Loaded ext extension DLL
Loaded kext extension DLL
Loaded kdextx86 extension DLL
Symbol search path is: C:\WINNT\Symbols\
Executable search path is:
PsLoadedModuleList not initialized yet.  Delay kernel load.
Windows 2000 Kernel Version 2195 UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x8046ccf0
System Uptime: not available
Fips device driver loaded successfully
Fips driver locked into memory
Fips driver unlocked from memory
Unhandled Exception hit in csrss.exe
first, enter !exr 00B5FA1C for the exception record
next, enter !cxr 00B5FA38 for the context
then !kb to get the faulting stack
Break instruction exception - code 80000003 (first chance)
*** WARNING: Unable to verify Timestamp for ntdll.dll
*** WARNING: Unable to verify Timestamp for ntoskrnl.exe
NTDLL!DbgBreakPoint:
001b:77fa018c cc          int     3
kd> .exr 00B5FA1C
ExceptionAddress: 5ffb4484
   ExceptionCode: c0000005
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0104c124
Attempt to read from address 0104c124
kd> .cxr 00B5FA38
eax=00000000 ebx=0104c11c ecx=00000042 edx=00000021 esi=00b5ff5c edi=00000000
eip=5ffb4484 esp=00b5fd04 ebp=00b5fd20 iopl=3         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00013202
001b:5ffb4484 037b08      add     edi,[ebx+0x8]
kd> kb
  *** Stack trace for last set context - .thread resets it
ChildEBP RetAddr  Args to Child
00b5fd20 5ffb4242 00b5ff5c 00000021 0104a890 0x5ffb4484
00b5fd4c 5ffb406d 00b5ff2c 00b5ffb0 001653d0 0x5ffb4242
00b5fe7c 5ffb3f3c 00b5ff2c 00b5ff24 0104a1e0 0x5ffb406d
00b5fe94 5ffb3edd 00b5ff2c 00b5ff24 0104a1e0 0x5ffb3f3c
00b5feb8 5ff942fb 0104a1e0 00b5ff24 00000005 0x5ffb3edd
00b5fff4 00000000 00000000 000000c8 00000100 0x5ff942fb
kd> tcb
NTDLL!DbgBreakPoint+1:
001b:77fa018d c3          ret
001b:5ff9307d 8b35b410f95f mov    esi,[5ff910b4]
001b:5ff93083 8d45ff      lea     eax,[ebp-0x1]
001b:5ff93086 50          push    eax
001b:5ff93087 6a01        push    0x1
001b:5ff93089 6a01        push    0x1
001b:5ff9308b 6a13        push    0x13
001b:5ff9308d ffd6        call    esi
NTDLL!RtlAdjustPrivilege:
001b:77f92b83 55          push    ebp
NTDLL!RtlAdjustPrivilege+1:
001b:77f92b84 8bec        mov     ebp,esp
NTDLL!RtlAdjustPrivilege+3:
001b:77f92b86 83ec24      sub     esp,0x24
NTDLL!RtlAdjustPrivilege+6:
001b:77f92b89 807d1001    cmp     byte ptr [ebp+0x10],0x1
NTDLL!RtlAdjustPrivilege+a:
001b:77f92b8d 8d4510      lea     eax,[ebp+0x10]
NTDLL!RtlAdjustPrivilege+d:
001b:77f92b90 56          push    esi
NTDLL!RtlAdjustPrivilege+e:
001b:77f92b91 50          push    eax
NTDLL!RtlAdjustPrivilege+f:
001b:77f92b92 0f846a370000 je     NTDLL!RtlAdjustPrivilege+0x11 (77f96302)
NTDLL!RtlAdjustPrivilege+11:
001b:77f96302 6a00        push    0x0
NTDLL!RtlAdjustPrivilege+13:
001b:77f96304 6a28        push    0x28
NTDLL!RtlAdjustPrivilege+15:
001b:77f96306 6afe        push    0xfe
NTDLL!RtlAdjustPrivilege+17:
001b:77f96308 e807c7feff  call    NTDLL!NtOpenThreadToken (77f82a14)
NTDLL!NtOpenThreadToken:
001b:77f82a14 b870000000  mov     eax,0x70
NTDLL!ZwOpenThreadToken+5:
001b:77f82a19 8d542404    lea     edx,[esp+0x4]
NTDLL!ZwOpenThreadToken+9:
001b:77f82a1d cd2e        int     2e
NTDLL!RtlAdjustPrivilege+1c:
001b:77f9630d e98fc8ffff  jmp     NTDLL!RtlAdjustPrivilege+0x27 (77f92ba1)
NTDLL!RtlAdjustPrivilege+27:
001b:77f92ba1 85c0        test    eax,eax
NTDLL!RtlAdjustPrivilege+29:
001b:77f92ba3 7c68        jl      NTDLL!RtlAdjustPrivilege+0x9a (77f92c0d)
NTDLL!RtlAdjustPrivilege+9a:
001b:77f92c0d 5e          pop     esi
NTDLL!RtlAdjustPrivilege+9b:
001b:77f92c0e c9          leave
NTDLL!RtlAdjustPrivilege+9c:
001b:77f92c0f c21000      ret     0x10
001b:5ff9308f 3d7c0000c0  cmp     eax,0xc000007c
001b:5ff93094 750c        jnz     5ff930a2
001b:5ff93096 8d45ff      lea     eax,[ebp-0x1]
001b:5ff93099 50          push    eax
001b:5ff9309a 6a00        push    0x0
001b:5ff9309c 6a01        push    0x1
001b:5ff9309e 6a13        push    0x13
001b:5ff930a0 ffd6        call    esi
NTDLL!RtlAdjustPrivilege:
001b:77f92b83 55          push    ebp
NTDLL!RtlAdjustPrivilege+1:
001b:77f92b84 8bec        mov     ebp,esp
NTDLL!RtlAdjustPrivilege+3:
001b:77f92b86 83ec24      sub     esp,0x24
NTDLL!RtlAdjustPrivilege+6:
001b:77f92b89 807d1001    cmp     byte ptr [ebp+0x10],0x1
NTDLL!RtlAdjustPrivilege+a:
001b:77f92b8d 8d4510      lea     eax,[ebp+0x10]
NTDLL!RtlAdjustPrivilege+d:
001b:77f92b90 56          push    esi
NTDLL!RtlAdjustPrivilege+e:
001b:77f92b91 50          push    eax
NTDLL!RtlAdjustPrivilege+f:
001b:77f92b92 0f846a370000 je     NTDLL!RtlAdjustPrivilege+0x11 (77f96302)
NTDLL!RtlAdjustPrivilege+1e:
001b:77f92b98 6a28        push    0x28
NTDLL!RtlAdjustPrivilege+20:
001b:77f92b9a 6aff        push    0xff
NTDLL!RtlAdjustPrivilege+22:
001b:77f92b9c e88ffefeff  call    NTDLL!ZwOpenProcessToken (77f82a30)
NTDLL!ZwOpenProcessToken:
001b:77f82a30 b86b000000  mov     eax,0x6b
NTDLL!NtOpenProcessToken+5:
001b:77f82a35 8d542404    lea     edx,[esp+0x4]
NTDLL!NtOpenProcessToken+9:
001b:77f82a39 cd2e        int     2e
NTDLL!RtlAdjustPrivilege+27:
001b:77f92ba1 85c0        test    eax,eax
NTDLL!RtlAdjustPrivilege+29:
001b:77f92ba3 7c68        jl      NTDLL!RtlAdjustPrivilege+0x9a (77f92c0d)
NTDLL!RtlAdjustPrivilege+2b:
001b:77f92ba5 8b4508      mov     eax,[ebp+0x8]
NTDLL!RtlAdjustPrivilege+2e:
001b:77f92ba8 33c9        xor     ecx,ecx
NTDLL!RtlAdjustPrivilege+30:
001b:77f92baa 8945f0      mov     [ebp-0x10],eax
NTDLL!RtlAdjustPrivilege+33:
001b:77f92bad 8a450c      mov     al,[ebp+0xc]
NTDLL!RtlAdjustPrivilege+36:
001b:77f92bb0 f6d8        neg     al
NTDLL!RtlAdjustPrivilege+38:
001b:77f92bb2 1bc0        sbb     eax,eax
NTDLL!RtlAdjustPrivilege+3a:
001b:77f92bb4 c745ec01000000 mov  dword ptr [ebp-0x14],0x1
NTDLL!RtlAdjustPrivilege+41:
001b:77f92bbb 83e002      and     eax,0x2
NTDLL!RtlAdjustPrivilege+44:
001b:77f92bbe 894df4      mov     [ebp-0xc],ecx
NTDLL!RtlAdjustPrivilege+47:
001b:77f92bc1 8945f8      mov     [ebp-0x8],eax
NTDLL!RtlAdjustPrivilege+4a:
001b:77f92bc4 8d45fc      lea     eax,[ebp-0x4]
NTDLL!RtlAdjustPrivilege+4d:
001b:77f92bc7 50          push    eax
NTDLL!RtlAdjustPrivilege+4e:
001b:77f92bc8 8d45dc      lea     eax,[ebp-0x24]
NTDLL!RtlAdjustPrivilege+51:
001b:77f92bcb 50          push    eax
NTDLL!RtlAdjustPrivilege+52:
001b:77f92bcc 8d45ec      lea     eax,[ebp-0x14]
NTDLL!RtlAdjustPrivilege+55:
001b:77f92bcf 6a10        push    0x10
NTDLL!RtlAdjustPrivilege+57:
001b:77f92bd1 50          push    eax
NTDLL!RtlAdjustPrivilege+58:
001b:77f92bd2 51          push    ecx
NTDLL!RtlAdjustPrivilege+59:
001b:77f92bd3 ff7510      push    dword ptr [ebp+0x10]
NTDLL!RtlAdjustPrivilege+5c:
001b:77f92bd6 e8c105ffff  call    NTDLL!ZwAdjustPrivilegesToken (77f8319c)
NTDLL!ZwAdjustPrivilegesToken:
001b:77f8319c b80a000000  mov     eax,0xa
NTDLL!NtAdjustPrivilegesToken+5:
001b:77f831a1 8d542404    lea     edx,[esp+0x4]
NTDLL!NtAdjustPrivilegesToken+9:
001b:77f831a5 cd2e        int     2e
NTDLL!RtlAdjustPrivilege+61:
001b:77f92bdb ff7510      push    dword ptr [ebp+0x10]
NTDLL!RtlAdjustPrivilege+64:
001b:77f92bde 8bf0        mov     esi,eax
NTDLL!RtlAdjustPrivilege+66:
001b:77f92be0 e821fcfeff  call    NTDLL!NtClose (77f82806)
NTDLL!NtClose:
001b:77f82806 b818000000  mov     eax,0x18
NTDLL!NtClose+5:
001b:77f8280b 8d542404    lea     edx,[esp+0x4]
NTDLL!NtClose+9:
001b:77f8280f cd2e        int     2e
NTDLL!RtlAdjustPrivilege+6b:
001b:77f92be5 81fe06010000 cmp    esi,0x106
NTDLL!RtlAdjustPrivilege+71:
001b:77f92beb 0f846b130100 je     NTDLL!RtlAdjustPrivilege+0x73 (77fa3f5c)
NTDLL!RtlAdjustPrivilege+78:
001b:77f92bf1 85f6        test    esi,esi
NTDLL!RtlAdjustPrivilege+7a:
001b:77f92bf3 7c16        jl      NTDLL!RtlAdjustPrivilege+0x98 (77f92c0b)
NTDLL!RtlAdjustPrivilege+7c:
001b:77f92bf5 837ddc00    cmp     dword ptr [ebp-0x24],0x0
NTDLL!RtlAdjustPrivilege+80:
001b:77f92bf9 0f8467130100 je     NTDLL!RtlAdjustPrivilege+0x82 (77fa3f66)
NTDLL!RtlAdjustPrivilege+8c:
001b:77f92bff 8b45e8      mov     eax,[ebp-0x18]
NTDLL!RtlAdjustPrivilege+8f:
001b:77f92c02 8b4d14      mov     ecx,[ebp+0x14]
NTDLL!RtlAdjustPrivilege+92:
001b:77f92c05 d1e8        shr     eax,1
NTDLL!RtlAdjustPrivilege+94:
001b:77f92c07 2401        and     al,0x1
NTDLL!RtlAdjustPrivilege+96:
001b:77f92c09 8801        mov     [ecx],al
NTDLL!RtlAdjustPrivilege+98:
001b:77f92c0b 8bc6        mov     eax,esi
NTDLL!RtlAdjustPrivilege+9a:
001b:77f92c0d 5e          pop     esi
NTDLL!RtlAdjustPrivilege+9b:
001b:77f92c0e c9          leave
NTDLL!RtlAdjustPrivilege+9c:
001b:77f92c0f c21000      ret     0x10
001b:5ff930a2 8d45f0      lea     eax,[ebp-0x10]
001b:5ff930a5 683017f95f  push    0x5ff91730
001b:5ff930aa 50          push    eax
001b:5ff930ab ff159010f95f call   dword ptr [5ff91090]
NTDLL!RtlInitUnicodeString:
001b:77f82d74 57          push    edi
NTDLL!RtlInitUnicodeString+1:
001b:77f82d75 8b7c240c    mov     edi,[esp+0xc]
NTDLL!RtlInitUnicodeString+5:
001b:77f82d79 8b542408    mov     edx,[esp+0x8]
NTDLL!RtlInitUnicodeString+9:
001b:77f82d7d c70200000000 mov    dword ptr [edx],0x0
NTDLL!RtlInitUnicodeString+f:
001b:77f82d83 897a04      mov     [edx+0x4],edi
NTDLL!RtlInitUnicodeString+12:
001b:77f82d86 0bff        or      edi,edi
NTDLL!RtlInitUnicodeString+14:
001b:77f82d88 7415        jz      NTDLL!RtlInitUnicodeString+0x2b (77f82d9f)
NTDLL!RtlInitUnicodeString+16:
001b:77f82d8a 83c9ff      or      ecx,0xffffffff
NTDLL!RtlInitUnicodeString+19:
001b:77f82d8d 33c0        xor     eax,eax
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af      repne   scasw
NTDLL!RtlInitUnicodeString+1e:
001b:77f82d92 f7d1        not     ecx
NTDLL!RtlInitUnicodeString+20:
001b:77f82d94 d1e1        shl     ecx,1
NTDLL!RtlInitUnicodeString+22:
001b:77f82d96 66894a02    mov     [edx+0x2],cx
NTDLL!RtlInitUnicodeString+26:
001b:77f82d9a 49          dec     ecx
NTDLL!RtlInitUnicodeString+27:
001b:77f82d9b 49          dec     ecx
NTDLL!RtlInitUnicodeString+28:
001b:77f82d9c 66890a      mov     [edx],cx
NTDLL!RtlInitUnicodeString+2b:
001b:77f82d9f 5f          pop     edi
NTDLL!RtlInitUnicodeString+2c:
001b:77f82da0 c20800      ret     0x8
001b:5ff930b1 8d45f0      lea     eax,[ebp-0x10]
001b:5ff930b4 8945e0      mov     [ebp-0x20],eax
001b:5ff930b7 8b07        mov     eax,[edi]
001b:5ff930b9 8b08        mov     ecx,[eax]
001b:5ff930bb 894de4      mov     [ebp-0x1c],ecx
001b:5ff930be 8b400c      mov     eax,[eax+0xc]
001b:5ff930c1 8945e8      mov     [ebp-0x18],eax
001b:5ff930c4 8b4704      mov     eax,[edi+0x4]
001b:5ff930c7 8945ec      mov     [ebp-0x14],eax
001b:5ff930ca 8d45f8      lea     eax,[ebp-0x8]
001b:5ff930cd 50          push    eax
001b:5ff930ce 8d45e0      lea     eax,[ebp-0x20]
001b:5ff930d1 6a06        push    0x6
001b:5ff930d3 50          push    eax
001b:5ff930d4 6a01        push    0x1
001b:5ff930d6 6a04        push    0x4
001b:5ff930d8 681a0200c0  push    0xc000021a
001b:5ff930dd ff15b010f95f call   dword ptr [5ff910b0]
NTDLL!NtRaiseHardError:
001b:77f99f6c b8a0000000  mov     eax,0xa0
NTDLL!ZwRaiseHardError+5:
001b:77f99f71 8d542404    lea     edx,[esp+0x4]
NTDLL!ZwRaiseHardError+9:
001b:77f99f75 cd2e        int     2e

*** Fatal System Error: 0xc000021a
                       (0xE2682B68,0xC0000005,0x5FFB4484,0x00B5FA38)


STOP: c000021a {Fatal System Error}
The Windows SubSystem system process terminated unexpectedly
with a status of 0xc0000005 (0x5ffb4484 0x00b5fa38).
The system has been shut down.
ntoskrnl!RtlpBreakWithStatusInstruction:
80455994 cc               int     3
ntoskrnl!KiBugCheckDebugBreak+31:
8042bef7 834dfcff         or      dword ptr [ebp-0x4],0xffffffff
ntoskrnl!KiBugCheckDebugBreak+35:
8042befb 837d0803         cmp     dword ptr [ebp+0x8],0x3
ntoskrnl!KiBugCheckDebugBreak+39:
8042beff 75ea             jnz   ntoskrnl!KiBugCheckDebugBreak+0x25 (8042beeb)
ntoskrnl!KiBugCheckDebugBreak+3b:
8042bf01 8b4df0           mov     ecx,[ebp-0x10]
ntoskrnl!KiBugCheckDebugBreak+3e:
8042bf04 64890d00000000   mov     fs:[00000000],ecx
ntoskrnl!KiBugCheckDebugBreak+45:
8042bf0b 5f               pop     edi
ntoskrnl!KiBugCheckDebugBreak+46:
8042bf0c 5e               pop     esi
ntoskrnl!KiBugCheckDebugBreak+47:
8042bf0d 5b               pop     ebx
ntoskrnl!KiBugCheckDebugBreak+48:
8042bf0e c9               leave
ntoskrnl!KiBugCheckDebugBreak+49:
8042bf0f c20400           ret     0x4
ntoskrnl!KeBugCheckEx+390:
8042c2bb e821530000       call    ntoskrnl!KiDisableInterrupts (804315e1)
ntoskrnl!KiDisableInterrupts:
804315e1 9c               pushfd
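
Added example, not part of the original post or its attachments: Python code that reads the kd output above and checks that the STOP 0xc000021a parameters repeat the exception status, faulting address and context-record address that the debugger logged for csrss.exe. The function names are assumptions of this example; the sample lines are copied from csrss_halt-2.txt.

```python
import re

# Lines taken from the csrss_halt-2.txt log on this page (quoted-printable decoded).
SAMPLE_LOG = """\
Unhandled Exception hit in csrss.exe
next, enter !cxr 00B5FA38 for the context
kd> .exr 00B5FA1C
ExceptionAddress: 5ffb4484
   ExceptionCode: c0000005
   Parameter[0]: 00000000
   Parameter[1]: 0104c124
*** Fatal System Error: 0xc000021a
                       (0xE2682B68,0xC0000005,0x5FFB4484,0x00B5FA38)
"""

ACCESS_KIND = {0: "read", 1: "write"}  # Parameter[0] of a c0000005 record


def _hex(pattern, log):
    """Return the first hex capture of pattern as an int, or None."""
    m = re.search(pattern, log, re.M)
    return int(m.group(1), 16) if m else None


def parse_exception(log):
    """Pull the user-mode exception record out of a kd session log."""
    proc = re.search(r"Unhandled Exception hit in (\S+)", log)
    rec = {
        "process": proc.group(1) if proc else None,
        "context": _hex(r"!cxr ([0-9A-Fa-f]+)", log),
        "address": _hex(r"^ExceptionAddress: ([0-9A-Fa-f]+)", log),
        "code": _hex(r"^\s*ExceptionCode: ([0-9A-Fa-f]+)", log),
    }
    if rec["code"] == 0xC0000005:  # access violation: decode kind and target
        rec["access"] = ACCESS_KIND.get(_hex(r"Parameter\[0\]: ([0-9A-Fa-f]+)", log))
        rec["target"] = _hex(r"Parameter\[1\]: ([0-9A-Fa-f]+)", log)
    return rec


def parse_bugcheck(log):
    """Return (stop_code, [p1..p4]) from a 'Fatal System Error' banner, or None."""
    m = re.search(r"Fatal System Error: 0x([0-9A-Fa-f]+)\s*\(([^)]*)\)", log)
    if not m:
        return None  # csrss_halt-1.txt, for instance, ends before any banner
    return int(m.group(1), 16), [int(p, 16) for p in m.group(2).split(",")]


def correlate(log):
    """Check that the STOP parameters point back at the logged exception."""
    exc, bug = parse_exception(log), parse_bugcheck(log)
    if bug is None:
        return None
    params = bug[1]
    return {
        "status": params[1] == exc["code"],
        "address": params[2] == exc["address"],
        "context": params[3] == exc["context"],
    }
```

For the 512MB system's log, `correlate(SAMPLE_LOG)` reports all three fields as matching, which ties the blue screen to the csrss.exe access violation recorded just before it.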
