BSOD memory dump analysis

  1. Download Microsoft Debugging Tools.
  2. Go to Start -> All Programs -> Debugging Tools For Windows -> Windbg
  3. In Windbg, choose File -> Symbol File Path. Enter the symbols path: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
  4. Now, go to File, Save Workspace so that your symbols path is saved for future use.
  5. In Windbg, go to File, Open Crash Dump and load the file (dump files are located in %systemroot%\Minidump\). You will get a message to save base workspace information. Choose No.
  6. The dump will take some time to load.

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\Minidump\060109-20373-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

My BSOD was caused by HFXP2.SYS; it’s from Hide Folders XP. Uninstalling this application or upgrading to a newer version should solve the issue.

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7100 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7100.0.amd64fre.winmain_win7rc.090421-1700
Machine Name:
Kernel base = 0xfffff800`02a56000 PsLoadedModuleList = 0xfffff800`02c8fe90
Debug session time: Mon Jun  1 11:00:22.471 2009 (GMT+2)
System Uptime: 0 days 0:04:24.156
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
…………………………………
Loading User Symbols
Loading unloaded module list
….
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, fffffa80046a9000, fffffa80046a9a10, 4a10000}

Unable to load image \SystemRoot\SYSTEM32\DRIVERS\HFXP2.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for HFXP2.SYS
*** ERROR: Module load completed but symbols could not be loaded for HFXP2.SYS
Unable to load image \SystemRoot\system32\drivers\mfeapfk.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mfeapfk.sys
*** ERROR: Module load completed but symbols could not be loaded for mfeapfk.sys
Unable to load image \SystemRoot\system32\drivers\mfehidk.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mfehidk.sys
*** ERROR: Module load completed but symbols could not be loaded for mfehidk.sys
Probably caused by : HFXP2.SYS ( HFXP2+60d6 )

Followup: MachineOwner
---------

To get even more info, type in the WinDbg console: !analyze -v
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: fffffa80046a9000, The pool entry we were looking for within the page.
Arg3: fffffa80046a9a10, The next pool entry.
Arg4: 0000000004a10000, (reserved)

Debugging Details:
------------------
BUGCHECK_STR:  0x19_20

POOL_ADDRESS: GetPointerFromAddress: unable to read from fffff80002cfa0e0
fffffa80046a9000

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  filezilla.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80002bf6a6e to fffff80002ad4f80

STACK_TEXT:
fffff880`0b5653a8 fffff800`02bf6a6e : 00000000`00000019 00000000`00000020 fffffa80`046a9000 fffffa80`046a9a10 : nt!KeBugCheckEx
fffff880`0b5653b0 fffff880`010bf0d6 : fffff880`0b5655d0 fffffa80`04573a90 fffffa80`656e6f4e fffffa80`046a9010 : nt!ExDeferredFreePool+0x12be
fffff880`0b565460 fffff880`0b5655d0 : fffffa80`04573a90 fffffa80`656e6f4e fffffa80`046a9010 fffffa80`046dac80 : HFXP2+0x60d6
fffff880`0b565468 fffffa80`04573a90 : fffffa80`656e6f4e fffffa80`046a9010 fffffa80`046dac80 fffff880`06e92826 : 0xfffff880`0b5655d0
fffff880`0b565470 fffffa80`656e6f4e : fffffa80`046a9010 fffffa80`046dac80 fffff880`06e92826 fffff880`0b5655d0 : 0xfffffa80`04573a90
fffff880`0b565478 fffffa80`046a9010 : fffffa80`046dac80 fffff880`06e92826 fffff880`0b5655d0 fffff880`0189f39d : 0xfffffa80`656e6f4e
fffff880`0b565480 fffffa80`046dac80 : fffff880`06e92826 fffff880`0b5655d0 fffff880`0189f39d fffffa80`04701b80 : 0xfffffa80`046a9010
fffff880`0b565488 fffff880`06e92826 : fffff880`0b5655d0 fffff880`0189f39d fffffa80`04701b80 fffff880`0b5656e0 : 0xfffffa80`046dac80
fffff880`0b565490 fffff880`0b5655d0 : fffff880`0189f39d fffffa80`04701b80 fffff880`0b5656e0 fffffa80`04573a90 : mfeapfk+0x2826
fffff880`0b565498 fffff880`0189f39d : fffffa80`04701b80 fffff880`0b5656e0 fffffa80`04573a90 fffff880`0b5656e0 : 0xfffff880`0b5655d0
fffff880`0b5654a0 fffffa80`04701b80 : fffff880`0b5656e0 fffffa80`04573a90 fffff880`0b5656e0 fffffa80`04701b80 : mfehidk+0x3439d
fffff880`0b5654a8 fffff880`0b5656e0 : fffffa80`04573a90 fffff880`0b5656e0 fffffa80`04701b80 fffffa80`04701b01 : 0xfffffa80`04701b80
fffff880`0b5654b0 fffffa80`04573a90 : fffff880`0b5656e0 fffffa80`04701b80 fffffa80`04701b01 00000000`04060000 : 0xfffff880`0b5656e0
fffff880`0b5654b8 fffff880`0b5656e0 : fffffa80`04701b80 fffffa80`04701b01 00000000`04060000 fffff880`0b5654d8 : 0xfffffa80`04573a90
fffff880`0b5654c0 fffffa80`04701b80 : fffffa80`04701b01 00000000`04060000 fffff880`0b5654d8 fffff880`0b5654d8 : 0xfffff880`0b5656e0
fffff880`0b5654c8 fffffa80`04701b01 : 00000000`04060000 fffff880`0b5654d8 fffff880`0b5654d8 fffff880`0b5654d0 : 0xfffffa80`04701b80
fffff880`0b5654d0 00000000`04060000 : fffff880`0b5654d8 fffff880`0b5654d8 fffff880`0b5654d0 00000000`00000000 : 0xfffffa80`04701b01
fffff880`0b5654d8 fffff880`0b5654d8 : fffff880`0b5654d8 fffff880`0b5654d0 00000000`00000000 00000000`00000008 : 0x4060000
fffff880`0b5654e0 fffff880`0b5654d8 : fffff880`0b5654d0 00000000`00000000 00000000`00000008 00000000`00000000 : 0xfffff880`0b5654d8
fffff880`0b5654e8 fffff880`0b5654d0 : 00000000`00000000 00000000`00000008 00000000`00000000 00000000`00000000 : 0xfffff880`0b5654d8
fffff880`0b5654f0 00000000`00000000 : 00000000`00000008 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffff880`0b5654d0
STACK_COMMAND:  kb

FOLLOWUP_IP:
HFXP2+60d6
fffff880`010bf0d6 ??              ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  HFXP2+60d6

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: HFXP2

IMAGE_NAME:  HFXP2.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  46c74ee1

FAILURE_BUCKET_ID:  X64_0x19_20_HFXP2+60d6

BUCKET_ID:  X64_0x19_20_HFXP2+60d6

Followup: MachineOwner
---------
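
A small triage script for the analysis output above, added here as an example (it is not part of the original post): it pulls out the bugcheck code and arguments, the blamed image, every driver on the faulting stack that loaded without symbols, and the blamed driver's build time from DEBUG_FLR_IMAGE_TIMESTAMP. The function name `triage`, the result keys, and the treatment of "no symbols" as "third-party" are assumptions of this example; the sample text is an excerpt of the output on this page.

```python
import re
from datetime import datetime, timezone

# Excerpt of the WinDbg output shown on this page (resolved frames plus one raw frame).
SAMPLE = r"""
BugCheck 19, {20, fffffa80046a9000, fffffa80046a9a10, 4a10000}
*** ERROR: Module load completed but symbols could not be loaded for HFXP2.SYS
*** ERROR: Module load completed but symbols could not be loaded for mfeapfk.sys
*** ERROR: Module load completed but symbols could not be loaded for mfehidk.sys
Probably caused by : HFXP2.SYS ( HFXP2+60d6 )
STACK_TEXT:
fffff880`0b5653a8 fffff800`02bf6a6e : 00000000`00000019 00000000`00000020 fffffa80`046a9000 fffffa80`046a9a10 : nt!KeBugCheckEx
fffff880`0b5653b0 fffff880`010bf0d6 : fffff880`0b5655d0 fffffa80`04573a90 fffffa80`656e6f4e fffffa80`046a9010 : nt!ExDeferredFreePool+0x12be
fffff880`0b565460 fffff880`0b5655d0 : fffffa80`04573a90 fffffa80`656e6f4e fffffa80`046a9010 fffffa80`046dac80 : HFXP2+0x60d6
fffff880`0b565468 fffffa80`04573a90 : fffffa80`656e6f4e fffffa80`046a9010 fffffa80`046dac80 fffff880`06e92826 : 0xfffff880`0b5655d0
fffff880`0b565490 fffff880`0b5655d0 : fffff880`0189f39d fffffa80`04701b80 fffff880`0b5656e0 fffffa80`04573a90 : mfeapfk+0x2826
fffff880`0b5654a0 fffffa80`04701b80 : fffff880`0b5656e0 fffffa80`04573a90 fffff880`0b5656e0 fffffa80`04701b80 : mfehidk+0x3439d
STACK_COMMAND:  kb
DEBUG_FLR_IMAGE_TIMESTAMP:  46c74ee1
"""

def triage(text):
    """Summarise one bugcheck analysis: code, args, blamed image, drivers on the stack."""
    code, args = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text).groups()
    # Heuristic (assumption): images with no symbols on Microsoft's server are third-party.
    no_syms = {m.rsplit(".", 1)[0].lower()
               for m in re.findall(r"symbols could not be loaded for (\S+)", text)}
    # x64 stack lines: "Child-SP RetAddr : args : module!symbol" or "module+0xoffset";
    # frames that are only a raw address are skipped.
    frames = re.findall(r"^[0-9a-f]{8}`[0-9a-f]{8} .* : ([A-Za-z_]\w*)[!+]", text, re.M)
    stack = list(dict.fromkeys(frames))  # de-duplicate, keep call order
    blamed = re.search(r"Probably caused by : (\S+)", text)
    stamp = re.search(r"DEBUG_FLR_IMAGE_TIMESTAMP:\s+([0-9a-f]+)", text)
    built = datetime.fromtimestamp(int(stamp.group(1), 16), timezone.utc) if stamp else None
    return {
        "code": int(code, 16),
        "args": [int(a, 16) for a in args.split(",")],
        "blamed": blamed.group(1) if blamed else None,
        "third_party_on_stack": [m for m in stack if m.lower() in no_syms],
        "image_built": built,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Because the BAD_POOL_HEADER text says the corruption "may or may not be due to the caller", the list of every unsymbolized driver on the stack (here also mfeapfk and mfehidk) is worth keeping next to the blamed image.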