Month of Vista Bugs

This is the end

2009-10-22T04:30:00.000-07:00

With the official launch of Windows Seven today, I guess it makes no sense to update this blog anymore.

Vista has been a neverending source of pain and jokes. So long, goodbye, and hail to Windows Seven !

MOVB-20 A must read

2009-01-13T06:07:00.000-08:00

Upgrading from Vista to XP

What else ? ;)

Windows Defender: application failed to initialize: 0x80070006

2008-12-19T08:33:00.000-08:00

I have been experiencing the following error on Windows Vista64 startup for 7 monthes:

Application failed to initialize: 0x80070006. The handle is invalid.

I could live without Windows Defender and SpyNet. But today, I took time to debug.

The most obvious thing to do is to query the Microsoft knowledge base. And it worked ! Quoting KB935511:

Method 1: Use System Restore to restore Windows Vista
Method 2: Reinstall Windows Vista

Ok ... maybe I'll try something else.

Then I thought that interesting logs could appear in PerfMon, because Windows Defender implements WPP software tracing. I managed to find the right Event Trace Provider (Microsoft-Windows-Windows Defender), create a Data Collector ... but nothing was eventually logged. Therefore I gave up this option.

Then I had a look at the C:\Program Files\Windows Defender\MpCmdRun.exe command-line utility.

----------------------------------------------------------------------
Windows Defender Command Line Utility (c) 2006 Microsoft Corporation
Use this tool to automate and troubleshoot Windows Defender

Usage:
mpcmdrun.exe [command] [-options]

Command Description
   -? [h]                          Displays all available options for this tool
   -Scan [-ScanType]               Scans for malicious software
   -SignatureUpdate                Checks for new definition updates
   -Trace [-Grouping] [-Level]     Starts diagnostic tracing
   -GetFiles                       Collects support information
   -RemoveDefinitions [-All]       Restores the installed signature definitions
                                   to a previous backup copy or to the original
                                   default set of signatures
   -GetSWE                         Exports information about software installed
                                   on your computer

----------------------------------------------------------------------

I tried -GetFiles, went through all log files but ... found nothing interesting either.

Looks like it is time to get out with IDA Pro Debugger ... Fortunately, remote Vista64 debugging is available through the win64_remotex64.exe stub ! Of course this is not for the faint of heart :)

Fortunately, the error is pretty easy to figure out: Windows Defender cannot acquire a handle on the WinDefend service ... because this service does not exist!

Why on earth was the WinDefend service removed from my computer ? I guess I'll never know. But for the time being, it is enough to export the following registry key from another Vista computer, and to import it back again:

HKLM\SYSTEM\CurrentControlSet\Services\WinDefend

Case solved !

MOVB-19 Vista, 1 year later ...

2008-05-21T13:36:00.000-07:00

Microsoft Vista has been available for IT professionals as soon as 30th, November 2006. But it has been launched to the public on 31st, January 2007 (if I remember well).

Consequently, there has been some press activity about Vista first anniversary.

Microsoft point of view is that "the press and critics have lauded Windows Vista for its beautiful graphics and increased usability".

Here is my personal press review, though:

The 15 Biggest Tech Disappointments of 2007 (Vista is #1)
The 10 biggest technology belly flops of 2007 (Vista ranks #2 only :)
Vista at one year: Progress and pain

Did SP1 change something? More (file copy is now as fast as on Windows XP) or less (a key audio driver is not compatible with Vista SP1) ...

So in the end :

Most people stick to Windows XP for now.
90% of IT professionals do not want Vista.
Gartner: Windows is collapsing.

Fortunately, Microsoft has a refreshing video for motivating depressed salesmen :)

MOVB-18 I am not alone

2008-04-04T12:01:00.000-07:00

Truth is out there: I have the less stable hardware configuration for running Windows Vista.

Read the full story on ArsTechnica.

MOVB-17 Got to love this one

2008-03-20T12:48:00.000-07:00

Stop error message when you start a Windows Vista-based computer: "0xC1F5"

(Knowledge base article 946084, accessed on March 20th, 2008)

[...]
WORKAROUND

If you have only one disk installed, and if you have access to Windows XP or Windows 2000 installation media, restart the computer by using the Windows XP or Windows 2000 installation media. Next, format the offending disk, and then reinstall Windows Vista.
[...]

Hu ho, looks pretty bad :)

MOVB-16 Vista SP1: first bug

2008-03-16T13:22:00.000-07:00

Yet another kernel bug triggered by FireFox.

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: c0075000, memory referenced
Arg2: 00000000, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81eabf99, address which referenced memory

Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from 81f53868
Unable to read MiSystemVaType memory at 81f33420
c0075000

CURRENT_IRQL: 0

FAULTING_IP:
nt!MiAgeWorkingSet+1a2
81eabf99 8b1e mov ebx,dword ptr [esi]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: firefox.exe

TRAP_FRAME: 86f8fa54 -- (.trap 0xffffffff86f8fa54)
ErrCode = 00000000
eax=c0802d18 ebx=00a3a000 ecx=00002408 edx=00a39000 esi=c0075000 edi=c080bd38
eip=81eabf99 esp=86f8fac8 ebp=86f8fc44 iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!MiAgeWorkingSet+0x1a2:
81eabf99 8b1e mov ebx,dword ptr [esi] ds:0023:c0075000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 81eabf99 to 81e76d84

STACK_TEXT:
86f8fa54 81eabf99 badb0d00 00a39000 81f099a9 nt!KiTrap0E+0x2ac
86f8fc44 81eab9af 8521bf60 00000003 86f8fc80 nt!MiAgeWorkingSet+0x1a2
86f8fc98 81eab3e4 00000002 86f8fcb4 00000001 nt!MiProcessWorkingSets+0x1ff
86f8fcd8 81e57612 00000000 8356e020 00000000 nt!MmWorkingSetManager+0x199
86f8fd7c 81ff1a1c 00000000 aea14805 00000000 nt!KeBalanceSetManager+0x12a
86f8fdc0 81e4aa3e 81e574e8 00000000 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiAgeWorkingSet+1a2
81eabf99 8b1e mov ebx,dword ptr [esi]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiAgeWorkingSet+1a2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 47918b12

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0xA_nt!MiAgeWorkingSet+1a2

BUCKET_ID: 0xA_nt!MiAgeWorkingSet+1a2

Followup: MachineOwner
---------

MOVB-15 "I cannot auto-terminate"

2008-02-03T00:00:00.000-08:00

Yet another kernel bug delivered by FireFox+YouTube combination.

NtTerminateProcess() failed with the infamous IRQL_NOT_LESS_OR_EQUAL. It seems that MiDeleteAddressesInWorkingSet() tried to access data without any probe or exception handling. Did Vista kernel passed WHQL?

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace.

Arguments:
Arg1: c0053000, memory referenced
Arg2: 00000000, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 8201985f, address which referenced memory

Debugging Details:
------------------
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000000 - NTSTATUS 0xC0000147

WARNING: .reload failed, module list may be incomplete
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000000 - NTSTATUS 0xC0000147

WARNING: .reload failed, module list may be incomplete

READ_ADDRESS: c0053000

CURRENT_IRQL: 0

FAULTING_IP:
nt!MiDeleteAddressesInWorkingSet+141
8201985f 8b0e mov ecx,dword ptr [esi]

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xA

TRAP_FRAME: af78f79c -- (.trap 0xffffffffaf78f79c)
ErrCode = 00000000
eax=0a600201 ebx=84ded3a8 ecx=c080f514 edx=c080a50c esi=c0053000 edi=c0801000
eip=8201985f esp=af78f810 ebp=af78fc6c iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!MiDeleteAddressesInWorkingSet+0x141:
8201985f 8b0e mov ecx,dword ptr [esi] ds:0023:c0053000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 8201985f to 8208fd84

STACK_TEXT:
af78f79c 8201985f badb0d00 c080a50c 85382cb5 nt!KiTrap0E+0x2ac
af78fc6c 82019cc7 84ded1d8 84ded1d8 84ded1d8 nt!MiDeleteAddressesInWorkingSet+0x141
af78fc9c 8221bd12 84ded1d8 af784644 84daf818 nt!MmCleanProcessAddressSpace+0x14f
af78fd04 8221ad7a 00000000 00000000 84daf5b8 nt!PspExitThread+0x64a
af78fd24 8221b265 84daf5b8 00000000 00000001 nt!PspTerminateThreadByPointer+0x5b
af78fd54 8208caaa ffffffff 00000000 0012fea4 nt!NtTerminateProcess+0x1e0
af78fd54 77b20f34 ffffffff 00000000 0012fea4 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fea4 00000000 00000000 00000000 00000000 0x77b20f34

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiDeleteAddressesInWorkingSet+141
8201985f 8b0e mov ecx,dword ptr [esi]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiDeleteAddressesInWorkingSet+141

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 471ea39c

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0xA_nt!MiDeleteAddressesInWorkingSet+141

BUCKET_ID: 0xA_nt!MiDeleteAddressesInWorkingSet+141

MOVB-14 DirectX BSoD

2008-02-02T00:00:00.000-08:00

I have been lucky on this one.

My daughter was watching videos on YouTube, so I could not deliver MOVB of the day. And then Vista died with a DirectX BSoD ... Enjoy !

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 00000403, The subtype of the bugcheck.
Arg2: c004e000
Arg3: 000002f5
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR: 0x1a_403
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: firefox.exe
CURRENT_IRQL: 2
BAD_PAGES_DETECTED: 1
LAST_CONTROL_TRANSFER: from 82040566 to 8204099b

STACK_TEXT:
a9c778a0 82040566 c004e000 84c194f0 91f19768 nt!MiDeletePte+0x360
a9c779d4 820bf1bd 099c0000 09ebffff a9c7c12c nt!MiDeleteVirtualAddresses+0x8a1
a9c77a6c 8208caaa ffffffff 9073ccd0 9073cce4 nt!NtFreeVirtualMemory+0x655
a9c77a6c 8207e83d ffffffff 9073ccd0 9073cce4 nt!KiFastCallEntry+0x12a
a9c77af4 89461123 ffffffff 9073ccd0 9073cce4 nt!ZwFreeVirtualMemory+0x11
a9c77b1c 894621fb 9073ccc8 9246a008 850082d8 dxgkrnl!VIDMM_PROCESS_HEAP::Free+0x75
a9c77b50 89461b26 0006d258 00000001 00000000 dxgkrnl!VIDMM_GLOBAL::CloseLocalAllocation+0xd9
a9c77b90 89462b73 00000000 00000000 92548008 dxgkrnl!VIDMM_GLOBAL::CloseOneAllocation+0xe6
a9c77bb0 8946a49c af095c60 00000000 92548008 dxgkrnl!VIDMM_GLOBAL::CloseAllocation+0x37
a9c77c1c 89471394 b03d8e00 00000001 906d6268 dxgkrnl!DXGDEVICE::DestroyAllocations+0x176
a9c77c40 8946a96d b03d8e00 a94e3804 00000000 dxgkrnl!DXGDEVICE::DestroyResource+0x4b
a9c77c94 89463d14 a9c77cf0 00000001 a94e39c8 dxgkrnl!DXGDEVICE::DestroyAllocation+0x97
a9c77d58 8208caaa 099bfcfc 099bfd0c 76e80f34 dxgkrnl!DxgkDestroyAllocation+0x538
a9c77d58 76e80f34 099bfcfc 099bfd0c 76e80f34 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
099bfd0c 00000000 00000000 00000000 00000000 0x76e80f34

STACK_COMMAND: kb
SYMBOL_NAME: PAGE_NOT_ZERO_VISTA
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
BUCKET_ID: PAGE_NOT_ZERO_VISTA

Followup: MachineOwner
---------

*** Memory manager detected 1 instance(s) of page corruption, target is likely to have memory corruption.

MOVB-13 Minor annoyances

2008-02-01T00:00:00.000-08:00

When importing pictures from a digital camera, you cannot selected pictures individually.

When doing anything that requires elevation from a network share (e.g. installing software), you have to re-enter network credentials after elevation (this is logical because of UAC design, yet annoying if you have a super-secure password :).

When creating a new folder in a "privileged" location, you have to go through UAC twice: once for creating the "new folder" directory, once for renaming it. Depending on the scenario, the number of UAC prompts can be as high as 4. Hopefully, "SP1 reduces the number of UAC (User Account Control) prompts from 4 to 1 when creating or renaming a folder at a protected location".

You cannot drag and drop files anywhere (like on the desktop) from a network share. You are restricted to a subset of folders, such as "Documents".

You cannot drag and drop inside a CMD anymore. This is "by design".

Windows Vista users cannot easily access files on a Windows XP partition in a dual-boot configuration. Default XP users are admins, and most files are accessible by the "Administrators" group only. Vista users are not admins, and Explorer cannot be elevated.

".HLP" files are not supported anymore.

HyperTerminal is not bundled anymore. There is no easy way to access the serial port on Windows Vista.

Telnet (and many other commands) are not available by default. You have to "re-enable" them from the Control Panel.

Other interesting annoyances (FireWire drives, etc.) can be found here.

MOVB-12 Application compatibility

2008-01-31T00:00:00.000-08:00

When trying to install third party software under Vista, you can run into the following trouble:

Software would like to disable UAC entirely.

Sample application: EasyBCD

Software needs to be added to DEP exemption list, because it's somehow protected ("packed").

... and the error message will puzzle most (if not all) end-users :)

Sample application: AuctionSentry

Software needs a compatibility pack from Microsoft

I guess compatibility packs rely on the Shim Engine, but I have never dug too deep in those mechanisms. Let's say that it is a database of big hacks to get crappy applications working :)

Sample : March 2007 Windows Vista Application Compatibility Update

You wait 3 monthes for an upgrade

Sample : iTunes [*], Microsoft Visual Studio 2005 [**]

[*] It seems also that iTunes will never be Vista64-compatible.
[**] Visual Studio 2005 still needs to be "elevated" to run properly on Vista.

You wait 3 monthes, but the upgrade is not free

Sample : some Adobe products

Oh yeah, I almost forgot. The software can play nice on 1st try! ;)

MOVB-11 Vista logging

2008-01-30T00:00:00.000-08:00

A nice finding about Windows Vista logging:
http://www.heysoft.de/Frames/Vista_Remarks1_en.htm

In short, most event log files are not properly referenced in the registry. Under HKLM\System\CCS\Services\EventLog\*\, the "File" entry has a ".elf" suffix, whereas Vista file format is ".evtx".

Consequently, most remote log reading tools (like Windows XP's Event Viewer, but most log collection tools could be affected) are unable to access Vista event logs.

This has been confirmed on my up-to-date Vista 64 system.

The conclusion from this guy is: "I must admit that I do now better understand all those people why say that they never install a Windows operating system in a production environment before its first Service Pack is out."

Fortunately, SP1 is due for Q1 2008 :)

MOVB-10 Bug or security flaw?

2008-01-29T00:49:00.000-08:00

[ MOVB is back on track ... time to finish up, before Vista SP1 being out! ]

An interesting bug from Microsoft Knowledge Base 945438:

Consider the following scenario:
On a computer that is running Windows Vista, you use Microsoft Office PowerPoint 2007 to record audio, or you use another application to record audio.
The application calls the acmFormatChoose function to display a dialog box so that you can select the waveform-audio format.
In this scenario, the application crashes.

What is more interesting is the logic behind this bug:

The acmFormatChoose function tries to free a pointer that was not allocated.

Bug or security flaw? Given Vista heap protections, this one might be hard to exploit, even locally. But who dares to say impossible, when it comes to bug exploitation?

MOVB-09 Mobile devices support

2007-11-09T12:00:00.000-08:00

So I plugged my Windows Mobile 2005 HTC SmartPhone on Vista64 ...

"Out of the box" software has multiple issues, such as:
- It does not allow access to the phone internal storage (as explained in Q931621) ;
- Windows Media Device Center (WMDC) shall be updated to version 6.1, otherwise you will experience various other issues.

Yet there is this nasty "feature" of Vista itself: you cannot import individual pictures from a camera. "All or none" is your only choice.

Last but not least, if you set the default browser to a 3rd party application (namely FireFox), WMDC will raise an "Unhandled Exception" error when opening external links.

MOVB-08 Does UAC serve any purpose?

2007-11-08T12:00:00.000-08:00

User Account Control (aka UAC) is a Vista security feature[*] that has been previously experimented by other operating systems (namely Mac OS X and Linux).
[*] Well, not for Mark Russinovitch

The idea is to have non-admin users by default, and to prompt them in case of an application requiring "elevated" rights.

So far so good, but since users have had admin rights since the beginning of Windows saga, such a change has a huge impact on the user experience.

My bet is, a great bunch of domestic users have (or will have) UAC turned off because of:

Software invites users to disable UAC entirely (or disables UAC silently)

Sample software: TweakVI

You'd better be sure, because there is a second prompt.

User disables UAC entirely by himself

It is as easy as downloading TweakUAC.

According to this completely non-scientific poll (seens on 4sysops.com), that is exactly what is happening now:

Not to mention OEMs that may be tempted to disable UAC
... in order to lower support costs.

MOVB-07 Drivers, drivers, drivers!

2007-11-07T12:00:00.000-08:00

When looking for drivers under Vista, you can run into the following trouble:

You will never get the driver, because your hardware is unsupported

Here is a sample error message:

Windows Vista does not support SNAPSCAN e20. This problem was caused by a compatibility issue between Windows Vista and SNAPSCAN e20. AGFA-Gevaert NV, the company that manufactured SNAPSCAN e20, has informed Microsoft that they do not expect to offer updates to fix this problem.

You are trying to use a "generic" piece of hardware

In most cases, you loose! For instance, when trying to plug a generic USB mouse, here is what you get:

You are looking for a video driver

According to Microsoft, drivers are accountable for most Blue Screens of Death. So they decided to move as many drivers as possible in userland, especially video drivers. This is called User Mode Driver Framework (aka UMDF).

The result: most video cards that are older than, let's say 2 years, will never have Vista drivers (since manufacturers do not see clear value in porting drivers to UMDF).

You are running Vista64

Oh my! This is alpha-testing!

For instance, here are two crash dumps that are related to my NVidia Quadro FX 3400 Vista64 driver. Most driver code is userland-based, but there is still a kernelland recovery thread. And if the userland driver does not recover fast enough, the system will ... BSoD!

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

VIDEO_TDR_FAILURE (116)
Attempt to reset the display driver and recover from timeout failed.
Arguments:
Arg1: fffffa8003c8c630, Optional pointer to internal TDR recovery context (TDR_RECOVERY_CONTEXT).
Arg2: fffff9800404e0f0, The pointer into responsible device driver module (e.g. owner tag).
Arg3: ffffffffc00000b5, Optional error code (NTSTATUS) of the last failed operation.
Arg4: 000000000000000a, Optional internal context dependent data.

Debugging Details:
------------------

FAULTING_IP:
nvlddmkm+60f0
fffff980`0404e0f0 4883ec28 sub rsp,28h

DEFAULT_BUCKET_ID: GRAPHICS_DRIVER_TDR_FAULT

BUGCHECK_STR: 0x116

PROCESS_NAME: System

CURRENT_IRQL: 0

STACK_TEXT:
fffff980`05370a08 fffff980`0477c01c : 00000000`00000116 fffffa80`03c8c630 fffff980`0404e0f0 ffffffff`c00000b5 : nt!KeBugCheckEx
fffff980`05370a10 fffff980`0477bf1f : fffff980`0404e0f0 fffffa80`03c8c630 fffffa80`05da0820 fffffa80`0320b730 : dxgkrnl!TdrBugcheckOnTimeout+0xec
fffff980`05370a50 fffff980`04738c48 : fffff980`ffffe464 00000000`c00000b5 00000000`00000000 fffffa80`0320b730 : dxgkrnl!TdrIsRecoveryRequired+0x1c3
fffff980`05370a90 fffff980`047f5993 : 00000000`00000000 00000000`00000002 00000000`ffffffff 00000000`00000002 : dxgkrnl!VidSchiReportHwHang+0x2f4
fffff980`05370b40 fffff980`047f4591 : fffffa80`0320b730 00000000`00000000 00000000`01ff8f6c 00000000`00000000 : dxgkrnl!VidSchiCheckHwProgress+0x7b
fffff980`05370b70 fffff980`0473ccd8 : ffffffff`ff676980 00000000`00000000 00000000`00000000 00000000`00000000 : dxgkrnl!VidSchiWaitForSchedulerEvents+0x199
fffff980`05370bf0 fffff980`047f43b1 : 00000000`00000000 fffffa80`031fe710 00000000`00000080 fffffa80`0320b730 : dxgkrnl!VidSchiScheduleCommandToRun+0x398
fffff980`05370d10 fffff800`01ae199b : fffffa80`053b4060 fffff800`018388f7 fffff980`0121f900 00000000`00000001 : dxgkrnl!VidSchiWorkerThread+0x95
fffff980`05370d50 fffff800`01834b86 : fffff980`00c85180 fffffa80`053b4060 fffff980`00c8ec40 fffff980`00a75290 : nt!PspSystemThreadStartup+0x5b
fffff980`05370d80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nvlddmkm+60f0
fffff980`0404e0f0 4883ec28 sub rsp,28h

SYMBOL_NAME: nvlddmkm+60f0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nvlddmkm

IMAGE_NAME: nvlddmkm.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4578ef88

FAILURE_BUCKET_ID: X64_0x116_IMAGE_nvlddmkm.sys

BUCKET_ID: X64_0x116_IMAGE_nvlddmkm.sys

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

VIDEO_TDR_FAILURE (116)
Attempt to reset the display driver and recover from timeout failed.
Arguments:
Arg1: fffffa80034834e0, Optional pointer to internal TDR recovery context (TDR_RECOVERY_CONTEXT).
Arg2: fffff980046d5800, The pointer into responsible device driver module (e.g. owner tag).
Arg3: 0000000000000000, Optional error code (NTSTATUS) of the last failed operation.
Arg4: 0000000000000002, Optional internal context dependent data.

Debugging Details:
------------------

FAULTING_IP:
nvlddmkm+8800
fffff980`046d5800 4885c9 test rcx,rcx

DEFAULT_BUCKET_ID: GRAPHICS_DRIVER_TDR_FAULT

BUGCHECK_STR: 0x116

PROCESS_NAME: System

CURRENT_IRQL: 0

STACK_TEXT:
fffff980`05ef9a08 fffff980`0517c2c4 : 00000000`00000116 fffffa80`034834e0 fffff980`046d5800 00000000`00000000 : nt!KeBugCheckEx
fffff980`05ef9a10 fffff980`0517c0f7 : fffff980`046d5800 fffffa80`034834e0 fffffa80`06252d90 fffffa80`03733730 : dxgkrnl!TdrBugcheckOnTimeout+0xec
fffff980`05ef9a50 fffff980`05137c1b : fffff980`ffffe464 00000000`00000000 00000000`00000000 fffffa80`03733730 : dxgkrnl!TdrIsRecoveryRequired+0x16f
fffff980`05ef9a90 fffff980`051f5f83 : 00000000`00000000 00000000`00000002 00000000`ffffffff 00000000`00000002 : dxgkrnl!VidSchiReportHwHang+0x2f7
fffff980`05ef9b40 fffff980`051f4b85 : fffffa80`03733730 00000000`00000000 00000000`0000f375 00000000`00000000 : dxgkrnl!VidSchiCheckHwProgress+0x7b
fffff980`05ef9b70 fffff980`0513bc90 : ffffffff`ff676980 00000000`00000000 00000000`00000000 00000000`00000000 : dxgkrnl!VidSchiWaitForSchedulerEvents+0x199
fffff980`05ef9bf0 fffff980`051f49a5 : 00000000`00000000 fffffa80`0372d430 00000000`00000080 fffffa80`03733730 : dxgkrnl!VidSchiScheduleCommandToRun+0x398
fffff980`05ef9d10 fffff800`01ee222b : fffffa80`03737a70 fffff800`01c38257 fffff980`014e0900 00000000`00000001 : dxgkrnl!VidSchiWorkerThread+0x95
fffff980`05ef9d50 fffff800`01c344f6 : fffff980`00c4e180 fffffa80`03737a70 fffffa80`0359db60 fffffa80`03733c90 : nt!PspSystemThreadStartup+0x5b
fffff980`05ef9d80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nvlddmkm+8800
fffff980`046d5800 4885c9 test rcx,rcx

SYMBOL_NAME: nvlddmkm+8800

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nvlddmkm

IMAGE_NAME: nvlddmkm.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 46c63a34

FAILURE_BUCKET_ID: X64_0x116_IMAGE_nvlddmkm.sys

BUCKET_ID: X64_0x116_IMAGE_nvlddmkm.sys

BONUS-02 ... and counting

2007-11-07T04:44:00.000-08:00

After a few monthes of "standard" use, here are my stats:

On June, 30th 2007 Microsoft claims 60 millions Vista licences. Estimating a (low) average of 100 "problems" per user, it means that Microsoft has a database of at least 6 billions bug reports.

Wow.

MOVB-06 Internationalization weirdness

2007-11-06T12:00:00.000-08:00

When using the English language pack, CACLS.EXE[*] command performs as expected.
[*] This command has been taken as an example, I am pretty sure you could find others.

When using the French language pack, CACLS.EXE usage() output is truncated:

Everything seems ok in C:\Windows\System32\fr-FR\CACLS.EXE.MUI resource file. Since only 3 APIs are called by usage(), guessing the one to blame is left as an exercise to the reader:

FormatMessageW()
WideCharToMultiByte()
fprintf()

A revival of the NOTEPAD bug?

PS. On my home system, here is stranger behavior indeed:

Oh my, how could I dare to stop (seemingly) "useless" services?

MOVB-05 Not all Vista applications are IPv6-aware

2007-11-05T12:00:00.000-08:00

If you have native IPv6 connectivity on your network, Windows Meeting Space will fail to run with the following error:

The stack trace is the following (on Vista 64):

0 Id: 132c.d0c Suspend: 1 Teb: 000007ff`fffdd000 Unfrozen
Child-SP RetAddr Call Site
00000000`001db188 00000000`7706ed73 ntdll!NtWaitForMultipleObjects+0xa
00000000`001db190 00000000`76f7e96d kernel32!WaitForMultipleObjectsEx+0x10b
00000000`001db2a0 000007fe`fc551ab6 USER32!RealMsgWaitForMultipleObjectsEx+0x129
00000000`001db340 000007fe`fc55371f DUser!CoreSC::Wait+0x62
00000000`001db390 000007fe`fc553696 DUser!CoreSC::WaitMessage+0x6f
00000000`001db3d0 00000000`76f6bd1a DUser!MphWaitMessageEx+0x36
00000000`001db400 00000000`771c2016 USER32!_ClientWaitMessageExMPH+0x1a
00000000`001db450 00000000`76f7df2a ntdll!KiUserCallbackDispatcherContinue
00000000`001db4b8 00000000`76f673e9 USER32!ZwUserWaitMessage+0xa
00000000`001db4c0 00000000`76f6760a USER32!DialogBox2+0x261
00000000`001db540 00000000`76f674c6 USER32!InternalDialogBox+0x134
00000000`001db5a0 00000000`76f67918 USER32!DialogBoxIndirectParamAorW+0x58
00000000`001db5e0 000007fe`fc34f262 USER32!DialogBoxIndirectParamW+0x18
00000000`001db620 000007fe`fc2930ca COMCTL32!SHFusionDialogBoxIndirectParam+0x56
00000000`001db670 00000000`ffce84ab COMCTL32!CTaskDialog::Show+0x156
00000000`001db6e0 00000000`ffce86de WinCollab!ReportMessageForLH+0x178
00000000`001db7b0 00000000`ffce87a1 WinCollab!ReportMessage+0x1dd
00000000`001ddf70 00000000`ffce887a WinCollab!ReportErrorCommon+0x9f
00000000`001ddfd0 00000000`ffcf43ba WinCollab!ReportError+0x67
00000000`001de000 00000000`ffcf125d WinCollab!CStartMeetingMain::CallCallbackOnGroupConnected+0x11c

MOVB-04 BSoD in PCMCIA driver

2007-11-04T12:00:00.000-08:00

Microsoft cannot be blamed for this one, but I still find it "fun".

Vista "Gold" has a (known) integer overflow in Texas Instruments Cardbus driver. It means that PCMCIA is not useable under Vista on our official, corporate laptop (HP nc4200) - FYI, we bought a few thousands of this one.

Video: Unleashing Vista

BONUS-01 Who's to blame?

2007-11-03T12:03:00.000-07:00

Sorry for being late today, here is a small bonus.
(This has not been edited - this is a real screenshot)

MOVB-03 BSoD in WIN32K.SYS

2007-11-03T12:00:00.000-07:00

What about this nice one ?
Userland context is WerFault.exe
(WER = Windows Error Reporting)

PS. I promise, there won't be only BSoD during MOVB ;)

1: kd> !analyze -v
*******************************************************************************
Bugcheck Analysis *******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)

This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening.

Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8c2c5881, The address that the exception occurred at
Arg3: b30b3c04, Trap Frame
Arg4: 00000000

Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005
FAULTING_IP: win32k+c5881 8c2c5881 8b402c mov eax,dword ptr [eax+2Ch]
TRAP_FRAME: b30b3c04 -- (.trap 0xffffffffb30b3c04)
ErrCode = 00000000 eax=00000000 ebx=000000c0 ecx=ffa6e8e0 edx=00000000 esi=00000000 edi=00000000 eip=8c2c5881 esp=b30b3c78 ebp=b30b3c88 iopl=0 nv up ei pl nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202 win32k+0xc5881: 8c2c5881 8b402c mov eax,dword ptr [eax+2Ch] ds:0023:0000002c=????????

Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: WerFault.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8c2cdf9c to 8c2c5881
STACK_TEXT:
b30b3c88 8c2cdf9c 00000000 00000000 00000010 win32k!HMAllocObject+0x27
b30b3cac 8c2b4fd6 00000000 00000000 000088b8 win32k!InternalSetTimer+0x86
b30b3cc8 8c2a68a2 00000000 000088b8 8c286d62 win32k!SetRITTimer+0x22
b30b3ce0 8c2bc1fe ffabce50 ffabce50 ffabce50 win32k!SetAppStarting+0x3d
b30b3d00 8c2bc00e 00000000 ffabce50 8445d410 win32k!xxxInitProcessInfo+0xaa
b30b3d24 8c2bbfa7 ffabce50 00000001 8445d410 win32k!xxxUserProcessCallout+0x1f
b30b3d40 81e19337 83851438 00000001 81d31b10 win32k!W32pProcessCallout+0x43
b30b3d4c 81d31b10 8445d410 81c8c62e 000010e4 nt!PsConvertToGuiThread+0x47
b30b3d64 77640f34 badb0d00 0019ee54 00000000 nt!KeServiceDescriptorTable+0x10
WARNING: Frame IP not in any known module. Following frames may be wrong.
b30b3d68 badb0d00 0019ee54 00000000 00000000 0x77640f34
b30b3d6c 0019ee54 00000000 00000000 00000000 0xbadb0d00
b30b3d70 00000000 00000000 00000000 00000000 0x19ee54

STACK_COMMAND: kb
FOLLOWUP_IP: win32k+c5881 8c2c5881 8b402c mov eax,dword ptr [eax+2Ch]
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d3cc1d
SYMBOL_NAME: win32k+c5881
FAILURE_BUCKET_ID: 0x8E_win32k+c5881
BUCKET_ID: 0x8E_win32k+c5881

MOVB-02 Another BSoD in NTFS.SYS

2007-11-02T12:00:00.000-07:00

Yet another bug in NTFS.SYS driver (same platform, same configuration).

This one has been triggered in background by the defragmentation process (DfrgNtfs.exe).

PS. Don't worry, I am not going to publish crashdumps during one full month. Funny bugs are coming out. Stay tuned!

1: kd> !analyze -v
*******************************************************************************
Bugcheck Analysis *******************************************************************************

NTFS_FILE_SYSTEM (24)

If you see NtfsExceptionFilter on the stack then the 2nd and 3rd parameters are the exception record and context record. Do a .cxr on the 3rd parameter and then kb to obtain a more informative stack trace.

Arguments:
Arg1: 001904ab
Arg2: a2a468e0
Arg3: a2a465dc
Arg4: 8519b53b

Debugging Details:
------------------
EXCEPTION_RECORD: a2a468e0 -- (.exr 0xffffffffa2a468e0)

ExceptionAddress: 8519b53b (Ntfs!NtfsCreateScb+0x0000004c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 30000010

Attempt to read from address 30000010

CONTEXT: a2a465dc -- (.cxr 0xffffffffa2a465dc)
eax=30000000 ebx=c5ef080d ecx=c5ef0855 edx=00000000 esi=c5efd008 edi=00000000 eip=8519b53b esp=a2a469a8 ebp=a2a46a08 iopl=0 nv up ei pl nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206

Ntfs!NtfsCreateScb+0x4c: 8519b53b f6401006 test byte ptr [eax+10h],6 ds:0023:30000010=??

Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: DfrgNtfs.exe
CURRENT_IRQL: 1
ERROR_CODE: (NTSTATUS) 0xc0000005
READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d11780 30000010
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 851a64b8 to 8519b53b

STACK_TEXT:
a2a46a08 851a64b8 84911400 c5efd008 00000080 Ntfs!NtfsCreateScb+0x4c
a2a46a40 851a5b15 84911400 84653520 846536d4 Ntfs!NtfsBreakBatchOplock+0x7e
a2a46a74 851a3cee 84911400 84653520 00000000 Ntfs!NtfsOpenExistingAttr+0x6a
a2a46b5c 8518554e 84911400 84653520 00000000 Ntfs!NtfsOpenAttributeInExistingFile+0x79b
a2a46c10 8519c637 84911400 84653520 00000000 Ntfs!NtfsOpenFcbById+0x590
a2a46cec 851126b6 84911400 84653520 aa7b3964 Ntfs!NtfsCommonCreate+0x601
a2a46d2c 81c80278 aa7b38fc 00000000 ffffffff Ntfs!NtfsCommonCreateCallout+0x20
a2a46d2c 81c80371 aa7b38fc 00000000 ffffffff nt!KiSwapKernelStackAndExit+0x118
aa7b3894 00000000 00000000 00000000 00000000 nt!KiSwitchKernelStackAndCallout+0x31

FOLLOWUP_IP: Ntfs!NtfsCreateScb+4c 8519b53b f6401006 test byte ptr [eax+10h],6
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsCreateScb+4c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4549aceb
STACK_COMMAND: .cxr 0xffffffffa2a465dc ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCreateScb+4c
BUCKET_ID: 0x24_Ntfs!NtfsCreateScb+4c

MOVB-01 BSoD in NTFS.SYS

2007-11-01T02:29:00.000-07:00

So, this is day one of MOVB.

Contrary to other Monthes of Bugs, this one will not focus on "security" bugs (do not expect 30 remotely anonymously exploitable bugs ;). My favoraite bugs are "stupid" bugs/features, or blatant QA failures.

First BSOD was caught on a fresh install of Vista32 Ultimate, running on Intel Core Duo processor. Faulting driver was NTFS.SYS - luckily I did not loose any data.

It might be time to get your NTFS fuzzers back on track ;)

PS. Bug has been reported to Microsoft using built-in WER.

PPS. I am willing to answer questions. However, I cannot forward the full memory dump: it holds personal information.

1: kd> !analyze -v *******************************************************************************
Bugcheck Analysis ******************************************************************************* NTFS_FILE_SYSTEM (24)

If you see NtfsExceptionFilter on the stack then the 2nd and 3rd parameters are the exception record and context record. Do a .cxr on the 3rd parameter and then kb to obtain a more informative stack trace.

Arguments:
Arg1: 001904ab
Arg2: 85ac09e4
Arg3: 85ac06e0
Arg4: 81c5e86c

Debugging Details
------------------
EXCEPTION_RECORD: 85ac09e4 -- (.exr 0xffffffff85ac09e4)

ExceptionAddress: 81c5e86c (nt!RtlSubtreePredecessor+0x00000015)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 3f3f3f47

Attempt to read from address 3f3f3f47

CONTEXT: 85ac06e0 -- (.cxr 0xffffffff85ac06e0)
eax=3f3f3f3f ebx=00000000 ecx=3f3f3f3f edx=00000000 esi=a6e36ca8 edi=00010000 eip=81c5e86c esp=85ac0aac ebp=85ac0aac iopl=0 nv up ei pl nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206

nt!RtlSubtreePredecessor+0x15: 81c5e86c 8b4808 mov ecx,dword ptr [eax+8] ds:0023:3f3f3f47=????????

Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005
READ_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d11780 3f3f3f47 BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 81c5e7c7 to 81c5e86c

STACK_TEXT:
85ac0aac 81c5e7c7 a6e36ca8 8a265cfc a6e36ca8 nt!RtlSubtreePredecessor+0x15
85ac0ac4 806629e1 a6e36ca8 00010000 a6e36ca8 nt!RtlDeleteNoSplay+0x20
85ac0ad8 80662cbe a6e36ca8 8a265cec 8487e2f8 fltmgr!TreeUnlinkNoBalance+0x13
85ac0af0 80674fb6 8a265cfc ffffffff ffffffff fltmgr!TreeUnlinkMulti+0x22
85ac0b10 8067509f 8a265cb8 00008000 ffffffff fltmgr!DeleteNameCacheNodes+0x84
85ac0b2c 806783d1 8487e008 8a265cb8 8a265cf8 fltmgr!FltpFreeNameCacheList+0x17
85ac0b48 806785d6 8a265cb8 8a265cbc ac3e1d08 fltmgr!CleanupStreamListCtrl+0x37
85ac0b5c 81d7cd18 8a265cbc 85acb0d4 81ce7b69 fltmgr!DeleteStreamListCtrlCallback+0x5a
85ac0b94 8517cd79 ac3e1d08 00000000 ac3e1d08 nt!FsRtlTeardownPerStreamContexts+0xd4
85ac0bb0 8518f1ad 00000705 ac3e1c18 ac3e1c40 Ntfs!NtfsDeleteScb+0x1f2
85ac0bc8 85109c9b 83bbec90 ac3e1d08 00000000 Ntfs!NtfsRemoveScb+0xc2
85ac0be4 8519bed4 83bbec90 ac3e1c18 00000000 Ntfs!NtfsPrepareFcbForRemoval+0x59
85ac0c28 851113be 83bbec90 ac3e1d08 00000000 Ntfs!NtfsTeardownStructures+0x62
85ac0c50 85197fe1 83bbec90 ac3e1d08 00000000 Ntfs!NtfsDecrementCloseCounts+0xad
85ac0cb0 8517d126 83bbec90 ac3e1d08 ac3e1c18 Ntfs!NtfsCommonClose+0x4d9
85ac0d44 81c78e18 00000000 00000000 82f64828 Ntfs!NtfsFspClose+0x117
85ac0d7c 81e254a8 00000000 85acb680 00000000 nt!ExpWorkerThread+0xfd
85ac0dc0 81c9145e 81c78d1b 00000000 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP: Ntfs!NtfsDeleteScb+1f2 8517cd79 8b06 mov eax,dword ptr [esi]
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: Ntfs!NtfsDeleteScb+1f2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4549aceb
STACK_COMMAND: .cxr 0xffffffff85ac06e0 ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsDeleteScb+1f2
BUCKET_ID: 0x24_Ntfs!NtfsDeleteScb+1f2

MOVB démarre le 1er novembre

2007-10-27T12:55:00.000-07:00

Il parait que novembre est un bon mois ...

Alors rendez-vous le 1er novembre pour découvrir "30 reasons you'll be speechless".

Bienvenue sur MOVB !

2007-03-10T01:04:00.000-08:00

Comme son nom ne l'indique pas, le but de ce projet n'est pas de publier un bug par jour pendant un mois - ce serait trop lourd pour un homme seul, père de famille qui plus est :)

Ayant commencé depuis quelques temps à utiliser Vista 32 bits Ultimate et Vista 64 bits Ultimate, il me semblait important de garder trace de tous les bugs que je rencontre chaque jour ... ou que je lis ailleurs sur Internet.

Surtout n'hésitez pas à contribuer, de manière anonyme ou avec les full credits !