Connected to Windows 7 7601 x86 compatible target at (Thu Mar 19 17:34:28.389 2015 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols;srv*c:\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.comSRV*c:\symbols\*http://symbols.mozilla.org/firefox;srv*c:\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com
Executable search path is: 
Windows 7 Kernel Version 7601 MP (1 procs) Free x86 compatible
Built by: 7601.18741.x86fre.win7sp1_gdr.150202-1526
Machine Name:
Kernel base = 0x82a04000 PsLoadedModuleList = 0x82b4e5b0
System Uptime: not available
nt!DbgLoadImageSymbols+0x47:
82a1c578 cc              int     3
kd> g
KDTARGET: Refreshing KD connection
nt!DbgLoadImageSymbols+0x47:
82a1c578 cc              int     3
1: kd> g

*** Fatal System Error: 0x00000050
                       (0xBEBEBEEA,0x00000001,0x96979765,0x00000002)

Driver at fault: 
***    win32k.sys - Address 96979765 base at 968F0000, DateStamp 54ee8ecd
.
Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Thu Mar 19 17:39:53.922 2015 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
..................................
Loading User Symbols
..................................
Loading unloaded module list
.................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {bebebeea, 1, 96979765, 2}

*** WARNING: Unable to verify checksum for Poc9.exe
*** ERROR: Module load completed but symbols could not be loaded for Poc9.exe
Probably caused by : win32k.sys ( win32k!HMChangeOwnerThread+40 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
    This is NOT a break in update time
    This is most likely a BUG in an ISR
    Perform a stack trace to find the culprit
    The period will be doubled on continuation
    Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82a7f38c cd2c            int     2Ch
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bebebeea, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 96979765, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000002, (reserved)

Debugging Details:
------------------


WRITE_ADDRESS:  bebebeea 

FAULTING_IP: 
win32k!HMChangeOwnerThread+40
96979765 ff412c          inc     dword ptr [ecx+2Ch]

MM_INTERNAL_CODE:  2

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  54ee8ecd

MODULE_NAME: win32k

FAULTING_MODULE: 968f0000 win32k

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  Poc9.exe

CURRENT_IRQL:  1c

TRAP_FRAME:  9847f950 -- (.trap 0xffffffff9847f950)
ErrCode = 00000002
eax=ff9215d8 ebx=ffb0d260 ecx=bebebebe edx=000101d2 esi=fea16568 edi=00000000
eip=96979765 esp=9847f9c4 ebp=9847f9d0 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
win32k!HMChangeOwnerThread+0x40:
96979765 ff412c          inc     dword ptr [ecx+2Ch]  ds:0023:bebebeea=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82a7e853 to 82a7f38c

STACK_TEXT:  
9847f378 82a7e853 0002625a 00000000 00005500 nt!KeAccumulateTicks+0x3c5
9847f3b8 82a7e700 82e310a8 efcb6a99 00000000 nt!KeUpdateRunTime+0x145
9847f410 82a7df03 00000002 00000002 000000d1 nt!KeUpdateSystemTime+0x613
9847f410 82e310a8 00000002 00000002 000000d1 nt!KeUpdateSystemTimeAssist+0x13
9847f494 82e1fb8c 00001000 00000000 9847f4f4 hal!READ_PORT_USHORT+0x8
9847f4a4 82e1fcf5 82ae2f92 adfe38d5 00000065 hal!HalpCheckPowerButton+0x2e
9847f4a8 82ae2f92 adfe38d5 00000065 00000000 hal!HaliHaltSystem+0x7
9847f4f4 82ae3a39 00000003 c0602fa8 bebebeea nt!KiBugCheckDebugBreak+0x73
9847f8b8 82a919ad 00000050 bebebeea 00000001 nt!KeBugCheck2+0x68b
9847f938 82a44a78 00000001 bebebeea 00000000 nt!MmAccessFault+0x104
9847f938 96979765 00000001 bebebeea 00000000 nt!KiTrap0E+0xdc
9847f9d0 96977cf0 fea16568 00000000 85218158 win32k!HMChangeOwnerThread+0x40
9847fa24 969c0686 00000001 9847fa3c 969c0660 win32k!xxxDestroyWindow+0x62
9847fa30 969c0660 ff9215d8 9847fa48 969c004b win32k!HMDestroyUnlockedObject+0x1b
9847fa3c 969c004b fea16568 9847fa5c 969bd745 win32k!HMUnlockObjectInternal+0x30
9847fa48 969bd745 fea16568 969d5019 868fcce0 win32k!HMUnlockObject+0x13
9847fa50 969d5019 868fcce0 9847fa74 969d6371 win32k!HMAssignmentUnlock+0xf
9847fa5c 969d6371 868fcce0 85218158 00000000 win32k!ForceEmptyClipboard+0x1a
9847fa74 82c1740b 9847fabc 85218158 00000000 win32k!FreeWindowStation+0x69
9847faa4 82c9238d 969d6308 9847fabc 00000001 nt!ExpWin32SessionCallout+0x3c
9847fac4 82c278f1 868fcce0 868fcce0 868fccc8 nt!ExpWin32DeleteProcedure+0x4a
9847fadc 82a7c320 00000000 85672448 868fccc8 nt!ObpRemoveObjectRoutine+0x59
9847faf0 82a7c290 868fcce0 82c4a704 aeea8320 nt!ObfDereferenceObjectWithTag+0x88
9847faf8 82c4a704 aeea8320 85672448 aeea8320 nt!ObfDereferenceObject+0xd
9847fb38 82c790f0 ab9237f8 aeea8320 85653d40 nt!ObpCloseHandleTableEntry+0x21d
9847fb68 82c6150d ab9237f8 9847fb7c 98b04c30 nt!ExSweepHandleTable+0x5f
9847fb88 82c6eb9d adfe37dd 00000000 85672448 nt!ObKillProcess+0x54
9847fbfc 82c61140 00000000 ffffffff 0031fa98 nt!PspExitThread+0x5db
9847fc24 82a41896 ffffffff 00000000 0031faa4 nt!NtTerminateProcess+0x1fa
9847fc24 779770f4 ffffffff 00000000 0031faa4 nt!KiSystemServicePostCall
0031fa84 77976914 7798e1a7 ffffffff 00000000 ntdll!KiFastSystemCallRet
0031fa88 7798e1a7 ffffffff 00000000 00000000 ntdll!ZwTerminateProcess+0xc
0031faa4 75cbbcae 00000000 77e8f3b0 ffffffff ntdll!RtlExitUserProcess+0x85
0031fab8 5acee619 00000000 0031fb14 5aceee79 kernel32!ExitProcessStub+0x12
0031fac4 5aceee79 00000000 6ca6caff 00000000 MSVCR120D!__crtExitProcess+0x19
0031fb14 5aceeea0 00000000 00000000 00000000 MSVCR120D!_unlockexit+0x259
0031fb28 00d71ed6 00000000 6c90b794 00000000 MSVCR120D!exit+0x10
WARNING: Stack unwind information not available. Following frames may be wrong.
0031fb70 00d720ad 0031fb84 75caee1c 7ffdf000 Poc9+0x11ed6
0031fb78 75caee1c 7ffdf000 0031fbc4 779937eb Poc9+0x120ad
0031fb84 779937eb 7ffdf000 7795462b 00000000 kernel32!BaseThreadInitThunk+0xe
0031fbc4 779937be 00d7109b 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
0031fbdc 00000000 00d7109b 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  kb

FOLLOWUP_IP: 
win32k!HMChangeOwnerThread+40
96979765 ff412c          inc     dword ptr [ecx+2Ch]

SYMBOL_STACK_INDEX:  b

SYMBOL_NAME:  win32k!HMChangeOwnerThread+40

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0x50_win32k!HMChangeOwnerThread+40

BUCKET_ID:  0x50_win32k!HMChangeOwnerThread+40

Followup: MachineOwner
---------
