Few weeks ago I bought two modules of Intel Turbo Memory (ITM) for my laptop Asus G2S-A1, installed it without any problems, then downloaded latest version(1.1.0.1010) of ITM drivers. And tried to install for a few minutes everything was looking ok, driver was successfully installed for first 1Gb ITM module and then Windows tried to install drivers for second ITM module(also 1Gb) . I was very angry when figured out that drivers was NOT designed for simultaneous work with two installed ITM modules. So how I figured it out. I started analization from crash dump( it can be found at c:\Windows\Minidump\Mini%DATE%-%CrashDumpNumber%.dmp, in my case it was Mini101807-01.dmp ), so I opened my dump with WinDbg( can be downloaded from microsoft web site, it’s free :)
And what I have found there, driver “Probably caused by : iaNvStor.sys ( iaNvStor+44e7 )” tried to access to unavailable memory, and memory access violation exception was occured at address iaNvStor+44e7 “BugCheck 1000007E, {c0000005, a6b494e7, 830e3830, 830e352c}”
Here is the detailed crash dump log:
FAULTING_MODULE: 81c00000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 46929a5f
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
iaNvStor+44e7
a6b494e7 8b8664010000 mov eax,dword ptr [esi+164h]
EXCEPTION_RECORD: 830e3830 -- (.exr 0xffffffff830e3830)
ExceptionAddress: a6b494e7 (iaNvStor+0x000044e7)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000164
Attempt to read from address 00000164
CONTEXT: 830e352c -- (.cxr 0xffffffff830e352c)
eax=c0000035 ebx=00000000 ecx=0000bb40 edx=85065d00 esi=00000000 edi=c0000035
eip=a6b494e7 esp=830e38f8 ebp=000026b8 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
iaNvStor+0x44e7:
a6b494e7 8b8664010000 mov eax,dword ptr [esi+164h] ds:0023:00000164=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from 81c849f3 to a6b494e7
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
830e38f4 81c849f3 af7ef008 854705a8 8579d001 iaNvStor+0x44e7
830e38f8 af7ef008 854705a8 8579d001 00000000 nt+0x849f3
830e38fc 854705a8 8579d001 00000000 00000f98 0xaf7ef008
830e3900 8579d001 00000000 00000f98 af7ef008 0x854705a8
830e3904 00000000 00000f98 af7ef008 830e39b8 0x8579d001
FOLLOWUP_IP:
iaNvStor+44e7
a6b494e7 8b8664010000 mov eax,dword ptr [esi+164h]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: iaNvStor+44e7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: iaNvStor
IMAGE_NAME: iaNvStor.sys
STACK_COMMAND: .cxr 0xffffffff830e352c ; kb
BUCKET_ID: WRONG_SYMBOLS
So two registers (EAX and EDI) contains some 0xC0000035 Kernel status code, such codes returned by Native APIs, so I searched the WDK( Windows Driver Kit ), this code means “STATUS_OBJECT_NAME_COLLISION”, then I understood that driver trying to create or register the device with the same same and looks like Intel developers didn’t handle this in driver. But it was only my theory, so I disassembled the driver and checked my theory.
As we can see on screenshot, driver trying to register the device in system and set some device state, and moves the result code to EDI register thats explains why we got that error code in EAX and EDI registers.
Weird thing why the ESI register is zero when we got that error, since ESI was not used anywhere in driver code, and there is the rule that EBX, EDI, ESI and EBP registers shouldn’t be changed if we calling some API.
I already reported about this bug, so let’s hope Intel will fix this issue, and will release the driver update for it. Otherwise at least they should mention about that at their site, that you can’t install more than one ITM module.
I hope you liked my post, sorry if something is unclear english isn’t my native language J
With best regards,
int0.