DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) in bxnd52x.sys

Every once in a while I receive a request to look at a crash dump file. I always like a good challenge and a break from my usual work. The tool that I use for basic analysis is Microsoft WinDbg.


3: kd> !analyze -v <- First command that I usually use
************************************************************
**                   Bugcheck Analysis                    **
************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) <- Error also reported on "Blue Screen"


An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:
Arg1: 0000000c, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f6287cea, address which referenced memory

Debugging Details:
------------------

WRITE_ADDRESS: 0000000c

CURRENT_IRQL: 2

FAULTING_IP: 
tcpip!IpTerminateOffload+9b
f6287cea 83671c00 and dword ptr [edi+0x1c],0x0

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f6287cea to 80836de5

STACK_TEXT:
f78bec84 f6287cea badb0d00 00000000 85d10470 nt!KiTrap0E+0x2a7
f78bed18 f628e5ac 00000000 fbd60618 f7d29800 tcpip!IpTerminateOffload+0x9b
f78bed30 f78bed30 fbd60618 00000002 00000000 tcpip!TcpInitiateUpload+0x8d
f78bed58 f628d634 fbd60618 00000002 891a87d4 tcpip!OlmNotifyUploadIndicate+0x60
f78bed6c f71fafbd f7d29824 00000003 00000009 tcpip!TcpOffloadEventHandler+0x5b
f78bed80 f76a07ef f7d29824 00000003 00000009 NDIS!NdisMTcpOffloadEventIndicate+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
f78beda0 f72d4196 891a87d4 898ff708 00000000 bxnd52x+0x97ef <- File named bxnd52x.sys
f78bedc0 f72d4880 00000000 00000000 8914d9c0 bxvbdx+0x10196
f78bedd4 f72da925 89b1f004 839364a8 00000000 bxvbdx+0x10880
f78bedf4 f72daa95 89b1f004 f78bee54 00000001 bxvbdx+0x16925
f78bee18 f72dab3e 89b1f004 f78bee54 00000001 bxvbdx+0x16a95
f78bee3c f72dabc6 89b1f004 89b20d08 000012b2 bxvbdx+0x16b3e
f78bef54 f72c9be3 00000000 00000007 f72ca338 bxvbdx+0x16bc6
f78bef80 f72ca4ac f7737a40 89b203b0 f72ca41c bxvbdx+0x5be3
f78bef9c 8083d99a 89b203b0 89b1f004 00000001 bxvbdx+0x64ac
f78beff4 80839833 f535cd10 00000000 00000000 nt!KiRetireDpcList+0xca
f78beff8 f535cd10 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x37
80839833 00000000 0000000a 0083850f bb830000 0xf535cd10

STACK_COMMAND: kb

FOLLOWUP_IP: 
bxnd52x+97ef
f76a07ef 85ff test edi,edi

FAULTING_SOURCE_CODE:

SYMBOL_STACK_INDEX: 6

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: bxnd52x+97ef

MODULE_NAME: bxnd52x

IMAGE_NAME: bxnd52x.sys <- File name (driver) that most likely caused the computer to crash

DEBUG_FLR_IMAGE_TIMESTAMP: 44a55446

FAILURE_BUCKET_ID: 0xD1_W_bxnd52x+97ef

BUCKET_ID: 0xD1_W_bxnd52x+97ef

Followup: MachineOwner
---------

3: kd> lmvm bxnd52x <- This command can give us more information on the file bxnd52x.sys

start end module name
f7697000 f76a7000 bxnd52x (no symbols)
Loaded symbol image file: bxnd52x.sys
Image path: \SystemRoot\system32\DRIVERS\bxnd52x.sys
Image name: bxnd52x.sys
Timestamp: Fri Jun 30 18:41:42 2006 (44A55446) <- Driver date (it looks a bit old -- more than 1 year)
CheckSum: 00013D96
ImageSize: 00010000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

Googling the file bxnd52x.sys reveals that this is a Broadcom NIC (Network Interface Card) driver. In this case it is shipped as the HP NC373i Multifunction Gigabit Server Adapter. At the time of writing, the latest driver for this NIC available from HP was released in July 2007 (v. 3.4.10.0).

While doing this research on Google, I noticed that there were a lot of servers with this error, especially servers that were updated to Windows Server 2003 SP2.
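
As an added example (not part of the original post), the Python script below repeats the triage above on saved !analyze -v text: it finds the first stack frame outside a set of OS modules, which matches the SYMBOL_STACK_INDEX: 6 reported above, and decodes DEBUG_FLR_IMAGE_TIMESTAMP into a build time. The OS module list and the function name triage are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: fields copied from the !analyze -v output on this page.
ANALYZE_TEXT = """\
Arg1: 0000000c, memory referenced
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f6287cea, address which referenced memory
STACK_TEXT:
f78bec84 f6287cea badb0d00 00000000 85d10470 nt!KiTrap0E+0x2a7
f78bed18 f628e5ac 00000000 fbd60618 f7d29800 tcpip!IpTerminateOffload+0x9b
f78bed30 f78bed30 fbd60618 00000002 00000000 tcpip!TcpInitiateUpload+0x8d
f78bed58 f628d634 fbd60618 00000002 891a87d4 tcpip!OlmNotifyUploadIndicate+0x60
f78bed6c f71fafbd f7d29824 00000003 00000009 tcpip!TcpOffloadEventHandler+0x5b
f78bed80 f76a07ef f7d29824 00000003 00000009 NDIS!NdisMTcpOffloadEventIndicate+0x1a
f78beda0 f72d4196 891a87d4 898ff708 00000000 bxnd52x+0x97ef
f78bedc0 f72d4880 00000000 00000000 8914d9c0 bxvbdx+0x10196
DEBUG_FLR_IMAGE_TIMESTAMP: 44a55446
"""

# Assumption: modules treated as OS components; extend for your environment.
OS_MODULES = {"nt", "hal", "tcpip", "ndis"}

# One kb frame: ChildEBP, RetAddr, three args, then module[!function]+offset.
FRAME_RE = re.compile(
    r"^(?:[0-9a-f]{8}\s+){5}(\w+)(?:!(\w+))?\+0x([0-9a-f]+)$", re.I)


def triage(text):
    """Summarize a 0xD1 bugcheck: access type, blamed frame, driver build time."""
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-f]{8})", text, re.M | re.I)}
    frames = [m.groups() for m in map(FRAME_RE.match, text.splitlines()) if m]
    # First frame outside the OS modules is the likely culprit (None if absent).
    index, (module, func, _offset) = next(
        ((i, f) for i, f in enumerate(frames) if f[0].lower() not in OS_MODULES),
        (None, (None, None, None)))
    stamp = re.search(r"^DEBUG_FLR_IMAGE_TIMESTAMP:\s*([0-9a-f]+)", text, re.M | re.I)
    # The PE header TimeDateStamp is seconds since the Unix epoch, in UTC.
    built = datetime.fromtimestamp(int(stamp.group(1), 16), tz=timezone.utc)
    return {
        "access": "write" if args[3] == 1 else "read",
        "address": args[1],
        "frame_index": index,
        "module": module,
        "has_symbols": func is not None,  # module+offset only means no symbols
        "built_utc": built.isoformat(),
    }


if __name__ == "__main__":
    print(triage(ANALYZE_TEXT))
```

The decoded time is in UTC, so it reads 16:41:42 rather than the 18:41:42 that lmvm shows.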
