
BSOD Hidclass.sys (USB driver)

Anonymous
2014-02-18T12:32:13+00:00

Hello,

Since the update at the beginning of October I have had frequent BSODs with the following error:

DRIVER_POWER_STATE_FAILURE 0x1000009f

The analysis of the dump file showed a problem with hidclass.sys. I uninstalled the following upgrade and everything looks fine now... wait and see!

http://support.microsoft.com/kb/2862335

My configuration:

Dell Latitude E6330 - Windows 7 64-bit - 4 GB RAM


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

7 answers

  1. Anonymous
    2014-02-19T01:31:47+00:00

    Thanks!

    The attached DMP file is of the DRIVER_POWER_STATE_FAILURE (9f) bug check.

    As opposed to your traditional *9F bug check containing a 4th parameter with a driver holding a blocked IRP address, we have the 0x4 value being the 1st parameter which indicates that a power IRP has failed to synchronize with the PnP Manager. Essentially, the crash itself is very similar to a *9F with the subtype 0x3, however, instead of a pending IRP, the problem arises with a thread becoming hung during power transition.

    BugCheck 9F, {4, 258, fffffa8003692040, fffff800050ff3d0}

    What is the PnP Manager? Well, it's actually a subsystem of the I/O Manager, and it's used to allow devices to be added and/or removed while requiring little interaction from the user.

    For example, the insertion and/or removal of USB devices doesn't require any additional drivers or configuration. You simply plug it in, Windows takes the necessary steps to add it to the filesystem for example, and you unplug it when you want as well. You didn't need to do any special setup.

    The PnP Manager can't be directly interacted with by any driver routines. The PnP Manager is both present in Kernel-Mode and User-Mode. The User-Mode version will interact with the Kernel-Mode version.

    --------------------

    If we take a look at the call stack:

        0: kd> knL
         # Child-SP          RetAddr           Call Site
        00 fffff800050ff398 fffff8000371e7e6 nt!KeBugCheckEx
        01 fffff800050ff3a0 fffff800038cf34c nt!PnpBugcheckPowerTimeout+0x76
        02 fffff800050ff400 fffff8000369785c nt!PopBuildDeviceNotifyListWatchdog+0x1c
        03 fffff800050ff430 fffff800036976f6 nt!KiProcessTimerDpcTable+0x6c
        04 fffff800050ff4a0 fffff800036975de nt!KiProcessExpiredTimerList+0xc6
        05 fffff800050ffaf0 fffff800036973c7 nt!KiTimerExpiration+0x1be
        06 fffff800050ffb90 fffff800036848ca nt!KiRetireDpcList+0x277
        07 fffff800050ffc40 0000000000000000 nt!KiIdleLoop+0x5a

    We can see that a timer has expired (KiTimerExpiration), and a Watchdog has been notified (PopBuildDeviceNotifyListWatchdog).

    Timers are set with *9F's to check the state of any threads or IRPs which are hung or need processing, and if the counter is incremented above a certain threshold, then the system notifies a Watchdog routine which bugchecks the system.

        0: kd> dt nt!_DEVICE_OBJECT
           +0x000 Type             : Int2B
           +0x002 Size             : Uint2B
           +0x004 ReferenceCount   : Int4B
           +0x008 DriverObject     : Ptr64 _DRIVER_OBJECT
           +0x010 NextDevice       : Ptr64 _DEVICE_OBJECT
           +0x018 AttachedDevice   : Ptr64 _DEVICE_OBJECT
           +0x020 CurrentIrp       : Ptr64 _IRP
           +0x028 Timer            : Ptr64 _IO_TIMER
           +0x030 Flags            : Uint4B
           +0x034 Characteristics  : Uint4B
           +0x038 Vpb              : Ptr64 _VPB
           +0x040 DeviceExtension  : Ptr64 Void
           +0x048 DeviceType       : Uint4B
           +0x04c StackSize        : Char
           +0x050 Queue            : <unnamed-tag>
           +0x098 AlignmentRequirement : Uint4B
           +0x0a0 DeviceQueue      : _KDEVICE_QUEUE
           +0x0c8 Dpc              : _KDPC
           +0x108 ActiveThreadCount : Uint4B
           +0x110 SecurityDescriptor : Ptr64 Void
           +0x118 DeviceLock       : _KEVENT
           +0x130 SectorSize       : Uint2B
           +0x132 Spare1           : Uint2B
           +0x138 DeviceObjectExtension : Ptr64 _DEVOBJ_EXTENSION
           +0x140 Reserved         : Ptr64 Void

    ^^ Let's view the IO_TIMER data structure:

        0: kd> dt nt!_IO_TIMER
           +0x000 Type             : Int2B
           +0x002 TimerFlag        : Int2B
           +0x008 TimerList        : _LIST_ENTRY
           +0x018 TimerRoutine     : Ptr64     void
           +0x020 Context          : Ptr64 Void
           +0x028 DeviceObject     : Ptr64 _DEVICE_OBJECT

    ^^ The TimerList field is a doubly linked list of the timers found with the !timer extension. The TimerRoutine field is a function pointer to the driver callback routine which will be called by the I/O Manager every second once the Timer has been started with IoStartTimer.

    The DeviceObject field is the associated Device Object which is able to cancel any pending I/O operations. This pointer is usually found from the IO Stack Location of the current IRP.

    The Context field indicates the driver context, and thus which driver functions the driver associated with the Device Object is able to call.

    --------------------

    **If we go ahead and run !locks:**

        0: kd> !locks
        **** DUMP OF ALL RESOURCE OBJECTS ****
        KD: Scanning for held locks..

        Resource @ nt!IopDeviceTreeLock (0xfffff80003890ce0)    Shared 1 owning threads
            Contention Count = 3
             Threads: fffffa8003692040-01<*>
        KD: Scanning for held locks.

        Resource @ nt!PiEngineLock (0xfffff80003890be0)    Exclusively owned
            Contention Count = 95
            NumberOfExclusiveWaiters = 3
             Threads: fffffa8003692040-01<*>
             Threads Waiting On Exclusive Access:
                      fffffa8003692660       fffffa8003695040       fffffa8003691660

        KD: Scanning for held locks........................................
        24042 total locks, 2 locks currently held

    **And now run a thread on that address:**

        0: kd> !thread fffffa8003692040
        THREAD fffffa8003692040  Cid 0004.0050  Teb: 0000000000000000 Win32Thread: 0000000000000000 WAIT: (Executive) KernelMode Non-Alertable
            fffff800038909c8  Semaphore Limit 0x7fffffff
        Not impersonating
        DeviceMap                 fffff8a000008bc0
        Owning Process            fffffa8003681040       Image:         System
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      1605858        Ticks: 38462 (0:00:10:00.011)
        Context Switch Count      91340          IdealProcessor: 1  NoStackSwap
        UserTime                  00:00:00.000
        KernelTime                00:00:04.836
        Win32 Start Address nt!ExpWorkerThread (0xfffff80003696150)
        Stack Init fffff880035e0c70 Current fffff880035e04e0
        Base fffff880035e1000 Limit fffff880035db000 Call 0
        Priority 15 BasePriority 12 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
        Child-SP          RetAddr           : Args to Child                                                           : Call Site
        fffff880035e0520 fffff800036825f2 : fffffa8003692040 fffffa8003692040 0000000000000000 000000000000000c : nt!KiSwapContext+0x7a
        fffff880035e0660 fffff8000369399f : fffff880035e0ad0 0000000000000000 0000000000000000 0000000000000000 : nt!KiCommitThreadWait+0x1d2
        fffff880035e06f0 fffff8000374d7e5 : 0000000000000000 0000000000000000 fffffa80079e8000 fffff800038f7d00 : nt!KeWaitForSingleObject+0x19f
        fffff880035e0790 fffff80003a2efde : fffff800038909a0 fffff880035e0864 0000000000000000 0000000000000001 : nt!PnpDeviceCompletionQueueGetCompletedRequest+0x35
        fffff880035e07e0 fffff80003a7bf98 : fffffa80079e8010 fffffa80079e8010 0000000000000002 0000000000000000 : nt!PnpDeviceCompletionProcessCompletedRequests+0x5e
        fffff880035e0810 fffff80003a7c448 : fffff8000388e560 0000000000000000 0000000000000001 fffff800038f7e08 : nt!PipProcessDevNodeTree+0x378
        fffff880035e0a80 fffff8000378f827 : 0000000100000003 0000000000000000 0000000000000001 0000000000000000 : nt!PiProcessReenumeration+0x98
        fffff880035e0ad0 fffff80003696261 : fffff8000378f500 fffff80003983101 fffffa8003692000 0000000000000000 : nt!PnpDeviceActionWorker+0x327
        fffff880035e0b70 fffff800039292ea : 6cf1682c5e078cd1 fffffa8003692040 0000000000000080 fffffa8003681040 : nt!ExpWorkerThread+0x111
        fffff880035e0c00 fffff8000367d8e6 : fffff880033d7180 fffffa8003692040 fffff880033e1fc0 3dedda07dadea562 : nt!PspSystemThreadStartup+0x5a
        fffff880035e0c40 0000000000000000 : fffff880035e1000 fffff880035db000 fffff880035de6d0 0000000000000000 : nt!KxStartSystemThread+0x16

    We don't seem to have an 'IRP List:' field within that dump. It may be due to the fact that the system at the time of the crash didn't respond to the deadlock enough to dump info on it. I am not sure.

    --------------------

    Let's enable Driver Verifier to help us. Keep the generation of kernel dumps enabled, as small dumps and/or minidumps are not useful in this situation:

    Driver Verifier:

    What is Driver Verifier?

    Driver Verifier is included in Windows 8, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.

    Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.

    Before enabling Driver Verifier, it is recommended to create a System Restore Point:

    Vista - START | type rstrui - create a restore point

    Windows 7 - START | type create | select "Create a Restore Point"

    Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

    How to enable Driver Verifier:

    Start > type "verifier" without the quotes > Select the following options -

    1. Select - "Create custom settings (for code developers)"
    2. Select - "Select individual settings from a full list"
    3. Check the following boxes -
       • Special Pool
       • Pool Tracking
       • Force IRQL Checking
       • Deadlock Detection
       • Security Checks (Windows 7 & 8)
       • DDI compliance checking (Windows 8)
       • Miscellaneous Checks
    4. Select - "Select driver names from a list"
    5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
    6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
    7. Click on Finish.
    8. Restart.

    Important information regarding Driver Verifier:

    • If Driver Verifier finds a violation, the system will BSOD.
    • After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will flag it, and as stated above, that will cause / force a BSOD.

    If this happens, do not panic, do the following:

    • Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
    • Once in Safe Mode - Start > Search > type "cmd" without the quotes.
    • To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.

    • Restart and boot into normal Windows.

    If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

    • Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
    • Once in Safe Mode - Start > type "system restore" without the quotes.
    • Choose the restore point you created earlier.

    How long should I keep Driver Verifier enabled for?

    It varies, many experts and analysts have different recommendations. Personally, I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier.

    My system BSOD'd, where can I find the crash dumps?

    They will be located in %systemroot%\Minidump

    Any other questions can most likely be answered by this article:

    http://support.microsoft.com/kb/244617

    Regards,

    Patrick

    1 person found this answer helpful.
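
A small triage helper for the dump analysed in the answer above, added here as an example (it is not part of the original post): it parses the quoted BugCheck line and `!locks` output and reports which resources the thread named in the third parameter owns and who is queued behind it. The meanings assumed for subtype 0x4 (second parameter is the timeout in seconds, third is the thread holding the PnP lock) follow Microsoft's bug check 0x9F documentation; the function names are hypothetical.

```python
import re

# Constructed sample: the BugCheck line and !locks output quoted in the answer above.
BUGCHECK = "BugCheck 9F, {4, 258, fffffa8003692040, fffff800050ff3d0}"
LOCKS = """\
Resource @ nt!IopDeviceTreeLock (0xfffff80003890ce0)    Shared 1 owning threads
    Contention Count = 3
     Threads: fffffa8003692040-01<*>
Resource @ nt!PiEngineLock (0xfffff80003890be0)    Exclusively owned
    Contention Count = 95
    NumberOfExclusiveWaiters = 3
     Threads: fffffa8003692040-01<*>
     Threads Waiting On Exclusive Access:
              fffffa8003692660       fffffa8003695040       fffffa8003691660
"""
ADDR = re.compile(r"\b[0-9a-f]{16}\b")  # 64-bit kernel address, backticks removed

def parse_bugcheck(line):
    """Return (code, [arg1, arg2, arg3, arg4]) from 'BugCheck XX, {a, b, c, d}'."""
    m = re.match(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", line.strip())
    if not m:
        raise ValueError("not a BugCheck line")
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def parse_locks(text):
    """Map each resource in !locks output to its owner and waiter thread addresses."""
    locks, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.replace("`", "").strip()  # WinDbg may print fffffa80`03692040
        m = re.match(r"Resource @ (\S+)", line)
        if m:
            cur, section = locks.setdefault(m.group(1), {"owners": [], "waiters": []}), None
        elif line.startswith("Threads Waiting On"):
            section = "waiters"
        elif line.startswith("Threads:"):
            section = "owners"
        if cur is not None and section and not m:
            cur[section] += ADDR.findall(line)
    return locks

def triage_9f_pnp(bugcheck_line, locks_text):
    """For 0x9F subtype 0x4 (assumed: Arg2 = timeout s, Arg3 = thread), list its locks."""
    code, (subtype, timeout, thread, _triage) = parse_bugcheck(bugcheck_line)
    if (code, subtype) != (0x9F, 0x4):
        return None  # different bug check or subtype: parameters mean something else
    tid = f"{thread:016x}"
    held = {name: info["waiters"] for name, info in parse_locks(locks_text).items()
            if tid in info["owners"]}
    return {"timeout_seconds": timeout, "thread": tid, "held": held}
```

For the posted dump, `triage_9f_pnp(BUGCHECK, LOCKS)` gives a 600 second timeout, which lines up with the 0:00:10:00 wait in the `!thread` output, and shows the same thread owning nt!PiEngineLock exclusively with three waiters behind it.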
  2. Anonymous
    2014-02-19T09:53:36+00:00

    Great, I look forward to your update!

    Regards,

    Patrick

  3. Anonymous
    2014-02-19T09:40:38+00:00

    Hello,

    First, many thanks for your help.

    I've reinstalled KB2862335 and activated Driver Verifier... let's see what will happen. I'll keep you informed ASAP.

  4. Anonymous
    2014-02-18T15:11:05+00:00

    Hello,

    Here are all the .dmp files from the minidump directory, and I also included the complete MEMORY.DMP of the last crash...

    https://fs09n3.sendspace.com/dl/320b755c503deeafe874abaf49402821/530378153c944993/rt6618/Minidump.zip

  5. Anonymous
    2014-02-18T13:35:17+00:00

    Hi,

    In order to assist you, we will need the DMP files to analyze what exactly occurred at the time of the crash, etc.

    If you don't know where DMP files are located, here's how to get to them:

     1.    Navigate to the %systemroot%\Minidump folder.

     2.    Copy any and all DMP files in the Minidump folder to your Desktop and then zip up these files.

     3.    Upload the zip containing the DMP files to Skydrive or a hosting site of your choice and paste in your reply.

    If you are going to use Skydrive but don't know how to upload to it, please visit the following:

    http://www.wikihow.com/Use-SkyDrive

    Please note that any "cleaner" programs such as TuneUp Utilities, CCleaner, etc, by default will delete DMP files upon use.

    If your computer is not generating DMP files, please do the following:

    1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.
    2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all drives'.
    3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

    Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.

    4. Double check that the WERS is ENABLED:

    Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.

    If you cannot get into normal mode to do any of this, please do this via Safe Mode.

    Regards,

    Patrick
