; Kernel-debugger (kd) transcript with line breaks restored. The target is
; Windows 2000 build 2195 on x86, attached over \\.\COM1. Lines that start
; with ';' are reader annotations; everything else is debugger output or an
; operator command.
Opened \\.\COM1
Microsoft (R) Windows Kernel Debugger Version 2.0.0023.0
Copyright (C) Microsoft Corporation. 1981-2001
Waiting to reconnect...
Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Loaded dbghelp extension DLL
Loaded ext extension DLL
Loaded kext extension DLL
Loaded kdextx86 extension DLL
Symbol search path is: C:\WINNT\Symbols\
Executable search path is:
PsLoadedModuleList not initialized yet. Delay kernel load.
Windows 2000 Kernel Version 2195 UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x8046ccf0
System Uptime: not available
Fips device driver loaded successfully
Fips driver locked into memory
Fips driver unlocked from memory
; csrss.exe hit an unhandled exception and broke into the debugger. The hint
; lines give the exception-record (00B5FA1C) and context-record (00B5FA38)
; addresses that the operator feeds to the commands below.
Unhandled Exception hit in csrss.exe
first, enter !exr 00B5FA1C for the exception record
next, enter !cxr 00B5FA38 for the context
then !kb to get the faulting stack
Break instruction exception - code 80000003 (first chance)
*** WARNING: Unable to verify Timestamp for ntdll.dll
*** WARNING: Unable to verify Timestamp for ntoskrnl.exe
NTDLL!DbgBreakPoint:
001b:77fa018c cc int 3
; Exception record: c0000005 is STATUS_ACCESS_VIOLATION. Parameter[0]=0 marks
; a read and Parameter[1] is the address that could not be read.
kd> .exr 00B5FA1C
ExceptionAddress: 5ffb4484
ExceptionCode: c0000005
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0104c124
Attempt to read from address 0104c124
; Context at the fault: the instruction reads [ebx+0x8]; with ebx=0104c11c
; that is 0104c124, the address reported in the exception record.
kd> .cxr 00B5FA38
eax=00000000 ebx=0104c11c ecx=00000042 edx=00000021 esi=00b5ff5c edi=00000000
eip=5ffb4484 esp=00b5fd04 ebp=00b5fd20 iopl=3 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00013202
001b:5ffb4484 037b08 add edi,[ebx+0x8]
; Faulting stack: every frame is a bare address, so no symbols were resolved
; for the 5ff9xxxx-5ffbxxxx range and this log does not name the module that
; faulted.
kd> kb
*** Stack trace for last set context - .thread resets it
ChildEBP RetAddr Args to Child
00b5fd20 5ffb4242 00b5ff5c 00000021 0104a890 0x5ffb4484
00b5fd4c 5ffb406d 00b5ff2c 00b5ffb0 001653d0 0x5ffb4242
00b5fe7c 5ffb3f3c 00b5ff2c 00b5ff24 0104a1e0 0x5ffb406d
00b5fe94 5ffb3edd 00b5ff2c 00b5ff24 0104a1e0 0x5ffb3f3c
00b5feb8 5ff942fb 0104a1e0 00b5ff24 00000005 0x5ffb3edd
00b5fff4 00000000 00000000 000000c8 00000100 0x5ff942fb
; Everything after this command is an instruction trace of what csrss.exe
; executes once the breakpoint returns.
kd> tcb
NTDLL!DbgBreakPoint+1:
001b:77fa018d c3 ret
; Unsymbolized caller at 5ff9307d loads a function pointer into esi and calls
; it with four stack arguments (pushed right to left): 0x13, 1, 1 and the
; address of a byte at [ebp-0x1]. The call lands in RtlAdjustPrivilege.
; 0x13 (19) is the value Windows assigns to SeShutdownPrivilege.
001b:5ff9307d 8b35b410f95f mov esi,[5ff910b4]
001b:5ff93083 8d45ff lea eax,[ebp-0x1]
001b:5ff93086 50 push eax
001b:5ff93087 6a01 push 0x1
001b:5ff93089 6a01 push 0x1
001b:5ff9308b 6a13 push 0x13
001b:5ff9308d ffd6 call esi
NTDLL!RtlAdjustPrivilege:
001b:77f92b83 55 push ebp
NTDLL!RtlAdjustPrivilege+1:
001b:77f92b84 8bec mov ebp,esp
NTDLL!RtlAdjustPrivilege+3:
001b:77f92b86 83ec24 sub esp,0x24
; Third argument == 1 selects the thread-token path (je is taken here).
NTDLL!RtlAdjustPrivilege+6:
001b:77f92b89 807d1001 cmp byte ptr [ebp+0x10],0x1
NTDLL!RtlAdjustPrivilege+a:
001b:77f92b8d 8d4510 lea eax,[ebp+0x10]
NTDLL!RtlAdjustPrivilege+d:
001b:77f92b90 56 push esi
NTDLL!RtlAdjustPrivilege+e:
001b:77f92b91 50 push eax
NTDLL!RtlAdjustPrivilege+f:
001b:77f92b92 0f846a370000 je NTDLL!RtlAdjustPrivilege+0x11 (77f96302)
; NOTE(review): 77f96302 is printed as RtlAdjustPrivilege+11 although it lies
; 0x377f bytes past the entry at 77f92b83; for this out-of-line block rely on
; the addresses, not the symbol offsets.
; NtOpenThreadToken arguments: handle 0xfe (6a fe is a sign-extended byte,
; i.e. -2, the current-thread pseudo-handle), access 0x28
; (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), 0, and the output slot [ebp+0x10].
NTDLL!RtlAdjustPrivilege+11:
001b:77f96302 6a00 push 0x0
NTDLL!RtlAdjustPrivilege+13:
001b:77f96304 6a28 push 0x28
NTDLL!RtlAdjustPrivilege+15:
001b:77f96306 6afe push 0xfe
NTDLL!RtlAdjustPrivilege+17:
001b:77f96308 e807c7feff call NTDLL!NtOpenThreadToken (77f82a14)
; System-service stub: service number in eax, pointer to the stack arguments
; in edx, then int 2e to enter the kernel.
NTDLL!NtOpenThreadToken:
001b:77f82a14 b870000000 mov eax,0x70
NTDLL!ZwOpenThreadToken+5:
001b:77f82a19 8d542404 lea edx,[esp+0x4]
NTDLL!ZwOpenThreadToken+9:
001b:77f82a1d cd2e int 2e
NTDLL!RtlAdjustPrivilege+1c:
001b:77f9630d e98fc8ffff jmp NTDLL!RtlAdjustPrivilege+0x27 (77f92ba1)
; jl is taken: the service returned a negative NTSTATUS, so the function
; unwinds and returns that status without adjusting anything.
NTDLL!RtlAdjustPrivilege+27:
001b:77f92ba1 85c0 test eax,eax
NTDLL!RtlAdjustPrivilege+29:
001b:77f92ba3 7c68 jl NTDLL!RtlAdjustPrivilege+0x9a (77f92c0d)
NTDLL!RtlAdjustPrivilege+9a:
001b:77f92c0d 5e pop esi
NTDLL!RtlAdjustPrivilege+9b:
001b:77f92c0e c9 leave
NTDLL!RtlAdjustPrivilege+9c:
001b:77f92c0f c21000 ret 0x10
; Caller compares the status with 0xc000007c (STATUS_NO_TOKEN). jnz falls
; through, so the thread had no token of its own and the call is repeated
; with the third argument 0 (the process-token path).
001b:5ff9308f 3d7c0000c0 cmp eax,0xc000007c
001b:5ff93094 750c jnz 5ff930a2
001b:5ff93096 8d45ff lea eax,[ebp-0x1]
001b:5ff93099 50 push eax
001b:5ff9309a 6a00 push 0x0
001b:5ff9309c 6a01 push 0x1
001b:5ff9309e 6a13 push 0x13
001b:5ff930a0 ffd6 call esi
NTDLL!RtlAdjustPrivilege:
001b:77f92b83 55 push ebp
; Traced body of NTDLL!RtlAdjustPrivilege (line breaks restored; lines that
; start with ';' are reader annotations). Stack arguments as used below:
; [ebp+0x8] privilege value, [ebp+0xc] enable flag, [ebp+0x10] thread/process
; selector (reused as the token-handle slot), [ebp+0x14] output byte pointer.
NTDLL!RtlAdjustPrivilege+1:
001b:77f92b84 8bec mov ebp,esp
NTDLL!RtlAdjustPrivilege+3:
001b:77f92b86 83ec24 sub esp,0x24
; Selector is not 1 on this pass: je falls through to the process-token path.
NTDLL!RtlAdjustPrivilege+6:
001b:77f92b89 807d1001 cmp byte ptr [ebp+0x10],0x1
NTDLL!RtlAdjustPrivilege+a:
001b:77f92b8d 8d4510 lea eax,[ebp+0x10]
NTDLL!RtlAdjustPrivilege+d:
001b:77f92b90 56 push esi
NTDLL!RtlAdjustPrivilege+e:
001b:77f92b91 50 push eax
NTDLL!RtlAdjustPrivilege+f:
001b:77f92b92 0f846a370000 je NTDLL!RtlAdjustPrivilege+0x11 (77f96302)
; ZwOpenProcessToken arguments: handle 0xff (6a ff is a sign-extended byte,
; i.e. -1, the current-process pseudo-handle), access 0x28
; (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), and the output slot [ebp+0x10]
; pushed earlier.
NTDLL!RtlAdjustPrivilege+1e:
001b:77f92b98 6a28 push 0x28
NTDLL!RtlAdjustPrivilege+20:
001b:77f92b9a 6aff push 0xff
NTDLL!RtlAdjustPrivilege+22:
001b:77f92b9c e88ffefeff call NTDLL!ZwOpenProcessToken (77f82a30)
; System-service stub: service number in eax, argument pointer in edx, int 2e.
NTDLL!ZwOpenProcessToken:
001b:77f82a30 b86b000000 mov eax,0x6b
NTDLL!NtOpenProcessToken+5:
001b:77f82a35 8d542404 lea edx,[esp+0x4]
NTDLL!NtOpenProcessToken+9:
001b:77f82a39 cd2e int 2e
; Status is non-negative this time (jl falls through).
NTDLL!RtlAdjustPrivilege+27:
001b:77f92ba1 85c0 test eax,eax
NTDLL!RtlAdjustPrivilege+29:
001b:77f92ba3 7c68 jl NTDLL!RtlAdjustPrivilege+0x9a (77f92c0d)
; Build a 16-byte, one-entry privilege set at [ebp-0x14]:
;   [ebp-0x14] = 1                 (entry count)
;   [ebp-0x10] = privilege value   (low part of the LUID)
;   [ebp-0x0c] = 0                 (high part of the LUID)
;   [ebp-0x08] = enable ? 2 : 0    (2 is SE_PRIVILEGE_ENABLED)
; neg/sbb/and turns any non-zero enable byte into exactly 2.
NTDLL!RtlAdjustPrivilege+2b:
001b:77f92ba5 8b4508 mov eax,[ebp+0x8]
NTDLL!RtlAdjustPrivilege+2e:
001b:77f92ba8 33c9 xor ecx,ecx
NTDLL!RtlAdjustPrivilege+30:
001b:77f92baa 8945f0 mov [ebp-0x10],eax
NTDLL!RtlAdjustPrivilege+33:
001b:77f92bad 8a450c mov al,[ebp+0xc]
NTDLL!RtlAdjustPrivilege+36:
001b:77f92bb0 f6d8 neg al
NTDLL!RtlAdjustPrivilege+38:
001b:77f92bb2 1bc0 sbb eax,eax
NTDLL!RtlAdjustPrivilege+3a:
001b:77f92bb4 c745ec01000000 mov dword ptr [ebp-0x14],0x1
NTDLL!RtlAdjustPrivilege+41:
001b:77f92bbb 83e002 and eax,0x2
NTDLL!RtlAdjustPrivilege+44:
001b:77f92bbe 894df4 mov [ebp-0xc],ecx
NTDLL!RtlAdjustPrivilege+47:
001b:77f92bc1 8945f8 mov [ebp-0x8],eax
; ZwAdjustPrivilegesToken arguments, pushed right to left: return-length
; pointer [ebp-0x4], previous-state buffer [ebp-0x24], buffer length 0x10,
; new state [ebp-0x14], 0 (ecx), and the token handle from [ebp+0x10].
NTDLL!RtlAdjustPrivilege+4a:
001b:77f92bc4 8d45fc lea eax,[ebp-0x4]
NTDLL!RtlAdjustPrivilege+4d:
001b:77f92bc7 50 push eax
NTDLL!RtlAdjustPrivilege+4e:
001b:77f92bc8 8d45dc lea eax,[ebp-0x24]
NTDLL!RtlAdjustPrivilege+51:
001b:77f92bcb 50 push eax
NTDLL!RtlAdjustPrivilege+52:
001b:77f92bcc 8d45ec lea eax,[ebp-0x14]
NTDLL!RtlAdjustPrivilege+55:
001b:77f92bcf 6a10 push 0x10
NTDLL!RtlAdjustPrivilege+57:
001b:77f92bd1 50 push eax
NTDLL!RtlAdjustPrivilege+58:
001b:77f92bd2 51 push ecx
NTDLL!RtlAdjustPrivilege+59:
001b:77f92bd3 ff7510 push dword ptr [ebp+0x10]
NTDLL!RtlAdjustPrivilege+5c:
001b:77f92bd6 e8c105ffff call NTDLL!ZwAdjustPrivilegesToken (77f8319c)
NTDLL!ZwAdjustPrivilegesToken:
001b:77f8319c b80a000000 mov eax,0xa
NTDLL!NtAdjustPrivilegesToken+5:
001b:77f831a1 8d542404 lea edx,[esp+0x4]
NTDLL!NtAdjustPrivilegesToken+9:
001b:77f831a5 cd2e int 2e
; The adjust status is kept in esi while the token handle is closed.
NTDLL!RtlAdjustPrivilege+61:
001b:77f92bdb ff7510 push dword ptr [ebp+0x10]
NTDLL!RtlAdjustPrivilege+64:
001b:77f92bde 8bf0 mov esi,eax
NTDLL!RtlAdjustPrivilege+66:
001b:77f92be0 e821fcfeff call NTDLL!NtClose (77f82806)
NTDLL!NtClose:
001b:77f82806 b818000000 mov eax,0x18
NTDLL!NtClose+5:
001b:77f8280b 8d542404 lea edx,[esp+0x4]
NTDLL!NtClose+9:
001b:77f8280f cd2e int 2e
; 0x106 is STATUS_NOT_ALL_ASSIGNED. Neither that branch nor the negative-status
; branch is taken, so the adjustment succeeded in this run.
NTDLL!RtlAdjustPrivilege+6b:
001b:77f92be5 81fe06010000 cmp esi,0x106
NTDLL!RtlAdjustPrivilege+71:
001b:77f92beb 0f846b130100 je NTDLL!RtlAdjustPrivilege+0x73 (77fa3f5c)
NTDLL!RtlAdjustPrivilege+78:
001b:77f92bf1 85f6 test esi,esi
NTDLL!RtlAdjustPrivilege+7a:
001b:77f92bf3 7c16 jl NTDLL!RtlAdjustPrivilege+0x98 (77f92c0b)
; Previous state holds at least one entry (je falls through): bit 1 of its
; attributes at [ebp-0x18] is written to the caller's output byte, i.e.
; whether the privilege was already enabled.
NTDLL!RtlAdjustPrivilege+7c:
001b:77f92bf5 837ddc00 cmp dword ptr [ebp-0x24],0x0
NTDLL!RtlAdjustPrivilege+80:
001b:77f92bf9 0f8467130100 je NTDLL!RtlAdjustPrivilege+0x82 (77fa3f66)
NTDLL!RtlAdjustPrivilege+8c:
001b:77f92bff 8b45e8 mov eax,[ebp-0x18]
NTDLL!RtlAdjustPrivilege+8f:
001b:77f92c02 8b4d14 mov ecx,[ebp+0x14]
NTDLL!RtlAdjustPrivilege+92:
001b:77f92c05 d1e8 shr eax,1
NTDLL!RtlAdjustPrivilege+94:
001b:77f92c07 2401 and al,0x1
NTDLL!RtlAdjustPrivilege+96:
001b:77f92c09 8801 mov [ecx],al
NTDLL!RtlAdjustPrivilege+98:
001b:77f92c0b 8bc6 mov eax,esi
NTDLL!RtlAdjustPrivilege+9a:
001b:77f92c0d 5e pop esi
NTDLL!RtlAdjustPrivilege+9b:
001b:77f92c0e c9 leave
NTDLL!RtlAdjustPrivilege+9c:
001b:77f92c0f c21000 ret 0x10
; Back in the unsymbolized caller: initialise a counted string at [ebp-0x10]
; from the NUL-terminated wide string at 0x5ff91730.
001b:5ff930a2 8d45f0 lea eax,[ebp-0x10]
001b:5ff930a5 683017f95f push 0x5ff91730
001b:5ff930aa 50 push eax
001b:5ff930ab ff159010f95f call dword ptr [5ff91090]
; edx = destination structure, edi = source string. The structure is zeroed,
; the buffer pointer is stored at +4, and a null source skips the scan.
NTDLL!RtlInitUnicodeString:
001b:77f82d74 57 push edi
NTDLL!RtlInitUnicodeString+1:
001b:77f82d75 8b7c240c mov edi,[esp+0xc]
NTDLL!RtlInitUnicodeString+5:
001b:77f82d79 8b542408 mov edx,[esp+0x8]
NTDLL!RtlInitUnicodeString+9:
001b:77f82d7d c70200000000 mov dword ptr [edx],0x0
NTDLL!RtlInitUnicodeString+f:
001b:77f82d83 897a04 mov [edx+0x4],edi
NTDLL!RtlInitUnicodeString+12:
001b:77f82d86 0bff or edi,edi
NTDLL!RtlInitUnicodeString+14:
001b:77f82d88 7415 jz NTDLL!RtlInitUnicodeString+0x2b (77f82d9f)
; Scan for the 16-bit terminator with ecx = -1 as the counter. The trace
; prints one line per scanned word; 18 lines would mean 17 characters plus
; the terminator, which fits the "Windows SubSystem" text in the STOP message
; later in this log (inferred - the string bytes themselves are not shown).
NTDLL!RtlInitUnicodeString+16:
001b:77f82d8a 83c9ff or ecx,0xffffffff
NTDLL!RtlInitUnicodeString+19:
001b:77f82d8d 33c0 xor eax,eax
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
NTDLL!RtlInitUnicodeString+1b:
001b:77f82d8f f266af repne scasw
; not ecx converts the down-counter into the number of words scanned,
; terminator included.
NTDLL!RtlInitUnicodeString+1e:
001b:77f82d92 f7d1 not ecx
; Tail of NTDLL!RtlInitUnicodeString, then the call that raises the fatal
; hard error (line breaks restored; lines that start with ';' are reader
; annotations). On entry to this span ecx holds a word count and edx points
; at the destination structure.
; ecx*2 is stored as the 16-bit value at [edx+2] (maximum length in bytes)
; and ecx*2-2 at [edx] (length without the terminator).
NTDLL!RtlInitUnicodeString+20:
001b:77f82d94 d1e1 shl ecx,1
NTDLL!RtlInitUnicodeString+22:
001b:77f82d96 66894a02 mov [edx+0x2],cx
NTDLL!RtlInitUnicodeString+26:
001b:77f82d9a 49 dec ecx
NTDLL!RtlInitUnicodeString+27:
001b:77f82d9b 49 dec ecx
NTDLL!RtlInitUnicodeString+28:
001b:77f82d9c 66890a mov [edx],cx
NTDLL!RtlInitUnicodeString+2b:
001b:77f82d9f 5f pop edi
NTDLL!RtlInitUnicodeString+2c:
001b:77f82da0 c20800 ret 0x8
; Unsymbolized caller fills a four-entry parameter array at [ebp-0x20]:
;   [ebp-0x20] = address of the counted string at [ebp-0x10]
;   [ebp-0x1c] = first dword of the structure that [edi] points to
;   [ebp-0x18] = dword at offset 0xc of that same structure
;   [ebp-0x14] = [edi+0x4]
; NOTE(review): entries 2-4 reappear in the STOP line below as 0xC0000005,
; 0x5FFB4484 and 0x00B5FA38, i.e. the exception code, exception address and
; context-record address, so edi presumably points at an exception-record /
; context-record pointer pair - confirm against the caller.
001b:5ff930b1 8d45f0 lea eax,[ebp-0x10]
001b:5ff930b4 8945e0 mov [ebp-0x20],eax
001b:5ff930b7 8b07 mov eax,[edi]
001b:5ff930b9 8b08 mov ecx,[eax]
001b:5ff930bb 894de4 mov [ebp-0x1c],ecx
001b:5ff930be 8b400c mov eax,[eax+0xc]
001b:5ff930c1 8945e8 mov [ebp-0x18],eax
001b:5ff930c4 8b4704 mov eax,[edi+0x4]
001b:5ff930c7 8945ec mov [ebp-0x14],eax
; NtRaiseHardError arguments, pushed right to left: response pointer
; [ebp-0x8], response option 6 (the shutdown-system option), parameter array
; [ebp-0x20], string mask 1 (only parameter 0 is a counted string), parameter
; count 4, and status 0xc000021a (STATUS_SYSTEM_PROCESS_TERMINATED).
001b:5ff930ca 8d45f8 lea eax,[ebp-0x8]
001b:5ff930cd 50 push eax
001b:5ff930ce 8d45e0 lea eax,[ebp-0x20]
001b:5ff930d1 6a06 push 0x6
001b:5ff930d3 50 push eax
001b:5ff930d4 6a01 push 0x1
001b:5ff930d6 6a04 push 0x4
001b:5ff930d8 681a0200c0 push 0xc000021a
001b:5ff930dd ff15b010f95f call dword ptr [5ff910b0]
; System-service stub: service number in eax, argument pointer in edx, int 2e.
NTDLL!NtRaiseHardError:
001b:77f99f6c b8a0000000 mov eax,0xa0
NTDLL!ZwRaiseHardError+5:
001b:77f99f71 8d542404 lea edx,[esp+0x4]
NTDLL!ZwRaiseHardError+9:
001b:77f99f75 cd2e int 2e
; The kernel turns the hard error into a bugcheck. The first bugcheck
; parameter (0xE2682B68) is not one of the user-mode values built above; the
; log does not show what it refers to.
*** Fatal System Error: 0xc000021a
(0xE2682B68,0xC0000005,0x5FFB4484,0x00B5FA38)
STOP: c000021a {Fatal System Error}
The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005 (0x5ffb4484 0x00b5fa38).
The system has been shut down.
; Kernel-mode part of the trace (line breaks restored; lines that start with
; ';' are reader annotations). Addresses here are printed without the 001b:
; selector prefix used for the user-mode lines of this log.
; The bugcheck path breaks into the debugger through an int 3.
ntoskrnl!RtlpBreakWithStatusInstruction:
80455994 cc int 3
; Trace resumes inside KiBugCheckDebugBreak. The argument at [ebp+0x8] equals
; 3 here, because the jnz back to +0x25 falls through.
ntoskrnl!KiBugCheckDebugBreak+31:
8042bef7 834dfcff or dword ptr [ebp-0x4],0xffffffff
ntoskrnl!KiBugCheckDebugBreak+35:
8042befb 837d0803 cmp dword ptr [ebp+0x8],0x3
ntoskrnl!KiBugCheckDebugBreak+39:
8042beff 75ea jnz ntoskrnl!KiBugCheckDebugBreak+0x25 (8042beeb)
; Epilogue: the value saved at [ebp-0x10] is written back to fs:[0] and the
; saved registers are restored. NOTE(review): together with the store of -1
; to [ebp-0x4] this looks like structured-exception-handler frame teardown -
; confirm against the function's prologue, which is not in this log.
ntoskrnl!KiBugCheckDebugBreak+3b:
8042bf01 8b4df0 mov ecx,[ebp-0x10]
ntoskrnl!KiBugCheckDebugBreak+3e:
8042bf04 64890d00000000 mov fs:[00000000],ecx
ntoskrnl!KiBugCheckDebugBreak+45:
8042bf0b 5f pop edi
ntoskrnl!KiBugCheckDebugBreak+46:
8042bf0c 5e pop esi
ntoskrnl!KiBugCheckDebugBreak+47:
8042bf0d 5b pop ebx
ntoskrnl!KiBugCheckDebugBreak+48:
8042bf0e c9 leave
ntoskrnl!KiBugCheckDebugBreak+49:
8042bf0f c20400 ret 0x4
; Control returns to KeBugCheckEx, which calls KiDisableInterrupts. The
; captured log stops after that routine's first instruction.
ntoskrnl!KeBugCheckEx+390:
8042c2bb e821530000 call ntoskrnl!KiDisableInterrupts (804315e1)
ntoskrnl!KiDisableInterrupts:
804315e1 9c pushfd