You do not need full memory dump unless you suspect that user mode thread(code) has affected the kernel mode driver(by passing some commands).For the beginning kernel memory dump should be sufficient.

here is my full memory dum 7zip-ed.

Marián "VooDooMan" Meravý wrote:

I am posting full 8 GiB memory dump, I took attention to running programs in sake if confidentiality, so I hope full memory dump will not contain serurity-sensitive data.

Please, unpack it with 7zip. original filename is C:\Winow\MEMORY.DMP

Hi Marian! Thanks for your help!

I don't see the file attached to the message - did you post it other way?

due to Inel forum bug I was succesful to upload file, but I was unsuccessful to publish it onto this forum.

I decided to publish it at archive.org, and there is the link: https://archive.org/details/MEMORY.DMP.7z

Vitaly Slobodskoy (Intel) wrote:

Quote:

Marián "VooDooMan" Meravý wrote:

I am posting full 8 GiB memory dump, I took attention to running programs in sake if confidentiality, so I hope full memory dump will not contain serurity-sensitive data.

Please, unpack it with 7zip. original filename is C:\Winow\MEMORY.DMP

 

Hi Marian! Thanks for your help!

I don't see the file attached to the message - did you post it other way?

Intel's forum has bug, I have attached the file, but it is not seen here. Another bug is false-positive spam detection, so this is my 3rd approach to reply.

So I have uploaded the kernel core dump to archive.org, and there it is: (https:// ) archive.org/details/MEMORY.DMP.7z

Best,

@Marian

If you have kernel dump file can you upload it?

iliyapolak wrote:

@Marian

If you have kernel dump file can you upload it?

I was trying it few times, but due to "bug" on Intel forum, my posts and uploaded files were classified like a spam :-( .

full memory dump is attached.

dump is attached.

What I can download file, the size is 50.4 MB (52,922,661 bytes) only - I tried several times. 

@Peter

Is that file freely available to download?

@iliyapolak

Anyone posts an attached file which is public, but I cannot download...I don't know why, maybe file size has exceeded max size, 20MB?

I can get dump file from https://archive.org/details/MEMORY.DMP.7z, and I have escalated this result to dev team. We need to wait because now is holiday season:-)

@Peter

It seems that when I responded to post #53 the dump file was not uploaded.

I can confirm that I was able to download that file.

Tomorrow I will look at this.

@Marian

Unfortunately every time when I try to download your dump file the file itself is corrupted.Can you upload it to skydrive?

@iliyapolak

please, use above link to archive.org, since this forum is broken, often my replies are not going to pass due to broken spam filter.

@Marian

Ok I will download from archive.org.

@Marian and Peter

After short analysis of the dump file it seems that BSOD is triggered by Windows kernel mode function.

This disassembled line of code  fffff801`82610490 8b02            mov     eax,dword ptr [rdx] ds:00000005`ffd01328=???????? is probably responsible for bringing down the system.By looking at the callstack I suppose that code which has been resolved as a  hal!HalSendSoftwareInterrupt+0x51 is accessing or reading a value at invalid memory location pointed by rdx register.That location could have been paged out prior to the HalSoftwareInterrupt execution thus triggering the BSOD.It is strange because Windows kernel mode code should not either causing page fault of pageable pool or referencing invalid memory address at IRQL == 0x2.VTune vtss.sys can be responsible for calling HalSoftwareInterrupt at IRQL == 0x2,but I do not suppose that driver developer(s) could have know before that referenced paged pool will be either invalid or paged out.

Tomorrow I plan to spend more time investigating this issue.

One of the possible workaround could be for example insertion of call to KeLowerIrql() function before the call to HalSendSoftwareInterrupt in order to protect the system against the situation when the  system-level code is about to incur page fault or reference invalid memory at IRQL == DPC level i.e 0x2.

On the assumption that KeRaiseIrql() function calls HalSendSoftwareInterrupt to probably raise/lower IRQL to APC/DPC level.

@Peter

Can you suggest my check(workaround) which was posted post no. #62  to vtss.sys developer(s) or at least to ask them if this could be helpful in the problem solving?