Tuesday 14 May 2013

Debugging Stop 0x9F - Blocked IRPs

Stop 0x9F Debugging Guide

How is it caused?

Typically, a Stop 0x9F whose first parameter holds the value 3 means that a certain device object (the Windows representation of an installed device) has been holding an IRP for too long, blocking any further IRPs from being processed.

For those who do not know what an IRP is or how it works: an IRP is an I/O request packet, a data structure used by the Windows operating system and drivers to communicate with each other. The packets are handled by the I/O Manager, which routes them to the appropriate destination.

Debugging the Stop 0x9F:

Now that you understand what an IRP is, we can look at how a Stop 0x9F may be debugged. Here are the parameters:

A driver has failed to complete a power IRP within a specific time (usually 10 minutes).
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: fffffa8005bd7060, Physical Device Object of the stack
Arg3: fffff80000b9c3d8, nt!TRIAGE_9F_POWER on Win7, otherwise the Functional Device Object of the stack
Arg4: fffffa8005f6bc50, The blocked IRP

We can see there is a blocked IRP, and fortunately we can analyze this IRP and check which device object it belongs to.

0: kd> !irp fffffa8005f6bc50
Irp is active with 4 stacks 3 is current (= 0xfffffa8005f6bdb0)
No Mdl: No System Buffer: Thread 00000000: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

>[ 16, 2] 0 e1 fffffa800926b050 00000000 fffff80004ad2200-fffffa8007fc5a10 Success Error Cancel pending
*** WARNING: Unable to verify timestamp for k57nd60a.sys
*** ERROR: Module load completed but symbols could not be loaded for k57nd60a.sys

\Driver\k57nd60a nt!PopSystemIrpCompletion
Args: 00014400 00000000 00000004 00000002
[ 0, 0] 0 0 00000000 00000000 00000000-fffffa8007fc5a10

Args: 00000000 00000000 00000000 00000000

The !irp extension is run with the address from parameter 4 and displays information about the specified IRP. The small > marks the stack location of the driver that was active at the time of the crash. Notice the two numbers within the [ ] brackets: these are called function codes. The first number is the major function code and the second is the minor function code.

The major function code 16 (IRP_MJ_POWER) means that the IRP has been sent to a power-related stack, and the minor function code 2 (IRP_MN_SET_POWER) indicates that a set-power request has been sent.

One last thing to notice is the Success Error Cancel text. Success indicates that the IRP completion routine will be called if the IRP completes successfully, Error indicates that it will be called when the IRP completes with an error, and Cancel means that it will be called when the current IRP is canceled.
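
The reading of the !irp output described above can be automated when triaging many dumps. The following Python is an added example, not part of the original post: it finds the stack location marked with >, names the function codes, and shows that the Success Error Cancel pending words are decoded from the control byte (e1). The function name current_stack is hypothetical; the constant values are those defined in wdm.h.

```python
import re

# Constructed sample: lines copied from the !irp output quoted on this page.
SAMPLE = r"""
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
>[ 16, 2] 0 e1 fffffa800926b050 00000000 fffff80004ad2200-fffffa8007fc5a10 Success Error Cancel pending
*** WARNING: Unable to verify timestamp for k57nd60a.sys
\Driver\k57nd60a nt!PopSystemIrpCompletion
Args: 00014400 00000000 00000004 00000002
"""

# !irp prints function codes and the control byte in hexadecimal.
IRP_MJ_POWER = 0x16
POWER_MINOR = {0x00: "IRP_MN_WAIT_WAKE", 0x01: "IRP_MN_POWER_SEQUENCE",
               0x02: "IRP_MN_SET_POWER", 0x03: "IRP_MN_QUERY_POWER"}
# IO_STACK_LOCATION.Control bits from wdm.h, with the word !irp prints for each.
CONTROL = [(0x40, "Success"), (0x80, "Error"), (0x20, "Cancel"), (0x01, "pending")]

ROW = re.compile(r"^>\[\s*([0-9a-f]+),\s*([0-9a-f]+)\]\s+([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)", re.I)
DRIVER = re.compile(r"\\Driver\\(\S+)")

def current_stack(text):
    """Decode the stack location marked '>'; return None if there is none."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ROW.match(line.strip())
        if not m:
            continue
        major, minor, _flg, control = (int(g, 16) for g in m.groups()[:4])
        is_power = major == IRP_MJ_POWER
        driver = None
        for follow in lines[i + 1:]:
            if follow.lstrip().startswith(("[", ">[")):
                break  # reached the next stack location
            found = DRIVER.search(follow)
            if found:
                driver = found.group(1)
                break
        return {
            "major": "IRP_MJ_POWER" if is_power else hex(major),
            "minor": POWER_MINOR.get(minor, hex(minor)) if is_power else hex(minor),
            "device": m.group(5),
            "driver": driver,
            "control": [name for bit, name in CONTROL if control & bit],
        }
    return None

if __name__ == "__main__":
    print(current_stack(SAMPLE))
```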


  1. Replies
    1. how to use this !? please please help me

  2. install Debugging Tools for Windows (WinDbg, KD, CDB, NTSD) https://msdn.microsoft.com/en-us/library/ff551063.aspx
    start cmd
    enter the install directory
    start kd.exe
    follow the method above (may not work always)