Learn WinDbg - twcu.dmp : check crash process

twcu.dmp : check crash process

I found a unfamiliar dump file in my hard disk. Probably I did something long time ago but forgot what it was about. So I opened the dump file in WinDbg to check what it was.

The dump file size is tiny, about 1MB, and the first part of WinDbg output confirms that it is a minidump. The crash reason is also found in red box above, which is access violation (AV).
I was curious what the crash process was. To check it out, I used "|" command and it turns out that it's my wireless network adapter software.

To check a little further, I ran "!analyze -v" which basically showed APPLICATION_FAULT_INVALID_POINTER_READ exception from TWCU.exe.

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
...
CONTEXT:  (.ecxr)
eax=00eba9f0 ebx=0034ca68 ecx=012a007f edx=7473694c esi=00eb6c28 edi=00000007
eip=0122989a esp=0034c628 ebp=00000400 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
TWCU+0x3989a:
0122989a 8b4204          mov     eax,dword ptr [edx+4] ds:002b:74736950=????????
Resetting default scope

FAULTING_IP: 
TWCU+3989a
0122989a 8b4204          mov     eax,dword ptr [edx+4]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0122989a (TWCU+0x0003989a)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 74736950
Attempt to read from address 74736950

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  TWCU.exe
... 
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE_STR:  c0000005
... 
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT
... 
STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0034c644 012260cf 00ebaa00 00000400 00000009 TWCU+0x3989a
0034c648 00ebaa00 00000400 00000009 0034d2a4 TWCU+0x360cf
0034c64c 00000000 00000009 0034d2a4 0034cfac 0xebaa00
... 
IMAGE_NAME:  TWCU.exe
... 
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_TWCU.exe!Unknown
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_TWCU+3989a
FAILURE_EXCEPTION_CODE:  c0000005
FAILURE_IMAGE_NAME:  TWCU.exe
...