
Understanding Kernel Stack Overflows

Kernel stack overflows are a common error in many cases reported to us by customers. They are caused by drivers that take up too much space on the kernel stack. The resulting overflow crashes the system with one of the following bugchecks:

  • STOP 0x7F: UNEXPECTED_KERNEL_MODE_TRAP with Parameter 1 set to EXCEPTION_DOUBLE_FAULT, which is caused by running off the end of a kernel stack.
  • STOP 0x1E: KMODE_EXCEPTION_NOT_HANDLED, 0x7E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED, or 0x8E: KERNEL_MODE_EXCEPTION_NOT_HANDLED, with an exception code of STATUS_ACCESS_VIOLATION, which indicates a memory access violation.
  • STOP 0x2B: PANIC_STACK_SWITCH, which usually occurs when a kernel-mode driver uses too much stack space.

Each thread in the system is allocated a kernel-mode stack. Code running on any kernel-mode thread (whether it is a system thread or a thread created by a driver) uses that thread's kernel-mode stack unless the code is a deferred procedure call (DPC), in which case it uses the processor's DPC stack on certain platforms.

The stack grows negatively, that is, toward lower addresses. This means that the beginning (bottom) of the stack has a higher address than the end (top) of the stack. For example, let's say the beginning of your stack is 0x80f1000, and this is where your stack pointer (ESP) is pointing. If you push a DWORD value onto the stack, its address would be 0x80f0ffc. The next DWORD value would be stored at 0x80f0ff8 and so on up to the limit (top) of the allocated stack. The top of the stack is bordered by a guard page to detect overruns.

The size of the kernel-mode stack varies among different hardware platforms. For example, on 32-bit platforms, the kernel-mode stack is 12 KB, and on 64-bit platforms, the kernel-mode stack is 24 KB. The stack sizes are hard limits that are imposed by the system, and all drivers need to use space conservatively so that they can coexist. When we reach the top of the stack, one more push instruction is going to cause an exception, which in turn can lead to a Stop error. This could be either a simple push instruction or something along the lines of a call instruction that also pushes the return address onto the stack.
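The arithmetic above can be checked with a small user-mode model. This is an added example, not code from the original page or from Windows: the `kstack_t` type and the `ks_*` functions are hypothetical names, and the base address and 12 KB size are the 32-bit example values from the text.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: address and size are the page's 32-bit example values. */
#define KSTACK_SIZE_X86 (12u * 1024u)   /* 12 KB kernel-mode stack */

typedef struct {
    uint32_t base;   /* bottom of stack: highest address, initial ESP */
    uint32_t limit;  /* top of stack: lowest usable address, guard page lies below */
    uint32_t esp;    /* current stack pointer */
} kstack_t;

static kstack_t ks_init(uint32_t base, uint32_t size) {
    kstack_t s = { base, base - size, base };
    return s;
}

/* Bytes still usable before ESP would cross into the guard page. */
static uint32_t ks_remaining(const kstack_t *s) { return s->esp - s->limit; }

/* Reserve n bytes (a push, or a frame's locals). Returns the new ESP,
   or 0 when the write would land in the guard page (the overflow case). */
static uint32_t ks_reserve(kstack_t *s, uint32_t n) {
    if (n > ks_remaining(s)) return 0;
    s->esp -= n;
    return s->esp;
}

/* A call pushes a 4-byte return address, then the callee reserves its locals. */
static int ks_call(kstack_t *s, uint32_t locals) {
    if (!ks_reserve(s, 4)) return 0;
    return ks_reserve(s, locals) != 0;
}

/* Number of nested calls with `locals` bytes each that fit before overflow. */
static unsigned ks_max_depth(uint32_t base, uint32_t size, uint32_t locals) {
    kstack_t s = ks_init(base, size);
    unsigned depth = 0;
    while (ks_call(&s, locals)) depth++;
    return depth;
}

int main(void) {
    kstack_t s = ks_init(0x80f1000u, KSTACK_SIZE_X86);
    printf("first push  -> 0x%x\n", (unsigned)ks_reserve(&s, 4));
    printf("second push -> 0x%x\n", (unsigned)ks_reserve(&s, 4));
    printf("depth with 1 KB locals: %u\n", ks_max_depth(0x80f1000u, KSTACK_SIZE_X86, 1024));
    return 0;
}
```

The model shows why large local buffers are the usual culprit: a call chain whose frames each hold 1 KB of locals exhausts a 12 KB stack after 11 levels. In a real driver, the WDK routine `IoGetRemainingStackSize` reports the space left on the current thread's kernel stack.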
