Memory Dump - ntkrnlmp.exe

Carlos Zamora 0 Reputation points
2023-01-19T21:04:34.62+00:00

Hello,

I am writing here to ask for help finding out why memory dumps happen on my computer, which has Windows 10 installed.

I used the WinDbg tool to read the memory.dmp file and this is the result:


Loading Dump File [C:\Users\USER\Downloads\MEMORY.DMP]

Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff801`28200000 PsLoadedModuleList = 0xfffff801`28e2a2d0
Debug session time: Thu Jan 19 12:00:35.915 2023 (UTC - 5:00)
System Uptime: 0 days 19:43:26.942
Loading Kernel Symbols
...............................................................
................................................................
....................................................Page 14ee53 not present in the dump file. Type ".hh dbgerr004" for details
............
.........................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000003`16824018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.........................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff801`285fa1d0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff10c`1f55d250=0000000000000001
7: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

APC_INDEX_MISMATCH (1)
This is a kernel internal error. The most common reason to see this
BugCheck is when a filesystem or a driver has a mismatched number of
calls to disable and re-enable APCs. The key data item is the
Thread->CombinedApcDisable field. This consists of two separate 16-bit
fields, the SpecialApcDisable and the KernelApcDisable. A negative value
of either indicates that a driver has disabled special or normal APCs
(respectively) without re-enabling them; a positive value indicates that
a driver has enabled special or normal APCs (respectively) too many times.
Arguments:
Arg1: 00007ff9ac8ce234, Address of system call function or worker routine
Arg2: 0000000000000000, Thread->ApcStateIndex
Arg3: 000000000000ffff, (Thread->SpecialApcDisable << 16) | Thread->KernelApcDisable
Arg4: fffff10c1f55d480, Call type (0 - system call, 1 - worker routine)

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2109

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 2162

    Key  : Analysis.IO.Other.Mb
    Value: 12

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 24

    Key  : Analysis.Init.CPU.mSec
    Value: 1656

    Key  : Analysis.Init.Elapsed.mSec
    Value: 43379

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 97

    Key  : Bugcheck.Code.DumpHeader
    Value: 0x1

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0x1

    Key  : Bugcheck.Code.Register
    Value: 0x1

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1


FILE_IN_CAB:  MEMORY.DMP

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b


BUGCHECK_CODE:  1

BUGCHECK_P1: 7ff9ac8ce234

BUGCHECK_P2: 0

BUGCHECK_P3: ffff

BUGCHECK_P4: fffff10c1f55d480

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  WUDFHost.exe

STACK_TEXT:  
fffff10c`1f55d248 fffff801`2860e229     : 00000000`00000001 00007ff9`ac8ce234 00000000`00000000 00000000`0000ffff : nt!KeBugCheckEx
fffff10c`1f55d250 fffff801`2860e0df     : ffff9204`1bd87380 fffff10c`1f55d480 00000003`16afdb88 fffff10c`1f55d3a8 : nt!KiBugCheckDispatch+0x69
fffff10c`1f55d390 00007ff9`ac8ce234     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExitPico+0x334
00000003`16afdb68 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff9`ac8ce234


SYMBOL_NAME:  nt!KiSystemServiceExitPico+334

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  334

FAILURE_BUCKET_ID:  0x1_SysCallNum_8c_nt!KiSystemServiceExitPico

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {d36608be-7cc5-9aa4-6e2f-7c8e35c58edb}

Followup:     MachineOwner
---------

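The Arg3 packing described in the bug check text above can be decoded mechanically. The following is an added example, not part of the original post or of WinDbg; the function names and the user-space check on Arg1 are assumptions of the example, and the sample input is copied from the output quoted in the question.

```python
import re

# Constructed sample: lines copied from the !analyze -v output in the question.
SAMPLE = """\
BUGCHECK_CODE:  1
BUGCHECK_P1: 7ff9ac8ce234
BUGCHECK_P2: 0
BUGCHECK_P3: ffff
BUGCHECK_P4: fffff10c1f55d480
PROCESS_NAME:  WUDFHost.exe
"""
USER_SPACE_LIMIT = 0x0000_8000_0000_0000  # x64 user-mode addresses lie below this

def parse_fields(text):
    """Collect 'NAME: value' lines from !analyze -v output into a dict."""
    pattern = r"^([A-Z_0-9]+):[ \t]*(\S.*)$"
    return {m.group(1): m.group(2).strip() for m in re.finditer(pattern, text, re.M)}

def to_int16(value):
    """Reinterpret the low 16 bits of value as a signed 16-bit integer."""
    value &= 0xFFFF
    return value - 0x10000 if value & 0x8000 else value

def describe(count):
    if count < 0:  # negative: disabled without re-enabling (per the bug check text)
        return "disabled %d more time(s) than re-enabled" % -count
    if count > 0:  # positive: enabled too many times
        return "enabled %d time(s) too many" % count
    return "balanced"

def decode_apc_index_mismatch(text):
    """Decode the arguments of bug check 0x1 (APC_INDEX_MISMATCH)."""
    f = parse_fields(text)
    if int(f["BUGCHECK_CODE"], 16) != 0x1:
        raise ValueError("not an APC_INDEX_MISMATCH dump")
    p1, p2, p3 = (int(f["BUGCHECK_P%d" % i], 16) for i in (1, 2, 3))
    special, kernel = to_int16(p3 >> 16), to_int16(p3)
    return {
        "process": f.get("PROCESS_NAME"),
        "arg1_in_user_space": p1 < USER_SPACE_LIMIT,
        "apc_state_index": p2,
        "special_apc_disable": special,
        "kernel_apc_disable": kernel,
        "summary": "special APCs %s; normal APCs %s" % (describe(special), describe(kernel)),
    }

if __name__ == "__main__":
    for key, value in decode_apc_index_mismatch(SAMPLE).items():
        print("%-22s %s" % (key, value))
```

For this dump, Arg3 = ffff decodes to SpecialApcDisable = 0 and KernelApcDisable = -1, with Arg1 in the user-mode address range and WUDFHost.exe as the process in context.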

1 answer

  1. Limitless Technology 44,766 Reputation points
    2023-01-20T16:22:06.76+00:00
    
    Hello
    
    Thank you for your question and for reaching out. I understand you are having a query/issues related to BSOD.
    
    The file WUDFHost.exe (Windows User-mode Driver Framework Host) is a Windows system file.
    
    
    1. Temporarily disable any antivirus program or Windows firewall you may have.
    
    2. Clean up the Temp folder locations below -> Open Start -> Run -> type each location below one by one and press Enter
         C:\Windows\Temp
         %USERPROFILE%\AppData\Local\Temp
    
    3. Run Disk Cleanup: select the C:\ drive -> Properties -> General -> Disk Cleanup -> Clean up system files
    
    4. Run sfc /scannow from an elevated prompt.
    
    5. Run the DISM commands below from an elevated prompt.
    
    DISM /Online /Cleanup-Image /CheckHealth
    DISM /Online /Cleanup-Image /ScanHealth
    DISM /Online /Cleanup-Image /RestoreHealth
    
    6. Please update the BIOS firmware and display drivers from the vendor's website.
    
    --If the reply is helpful, please Upvote and Accept as answer--
    