Condrv.sys: Bug Check 0x3B (SYSTEM_SERVICE_EXCEPTION)


The system crashed when I clicked on the “Stop Debugging” button in Visual Studio.

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80068af1472, Address of the instruction which caused the bugcheck
Arg3: ffffd000358cddf0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP: 
nt!ExAcquirePushLockExclusiveEx+f2
fffff800`68af1472 f0480fba2e00    lock bts qword ptr [rsi],0
CONTEXT:  ffffd000358cddf0 -- (.cxr 0xffffd000358cddf0;r)
rax=0000000000000000 rbx=ffffe001ef45c3d0 rcx=0000000000000282
rdx=0000000000000000 rsi=0057005c00450052 rdi=ffffe001f1aec3a0
rip=fffff80068af1472 rsp=ffffd000358ce820 rbp=ffffd000358ceb80
 r8=000000000004001f  r9=000000000000001f r10=ffffe001f1aec308
r11=ffffd000358ce810 r12=ffffe001eed307c0 r13=ffffe001eed30770
r14=ffffe001ef45c3d0 r15=0000000000000001
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!ExAcquirePushLockExclusiveEx+0xf2:
fffff800`68af1472 f0480fba2e00    lock bts qword ptr [rsi],0 ds:002b:0057005c`00450052=????????????????
...
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
BUGCHECK_STR:  0x3B
PROCESS_NAME:  CSharpExercise
CURRENT_IRQL:  1
...
3: kd> vertarget
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Built by: 9600.17085.amd64fre.winblue_gdr.140330-1035
3: kd> k
 # Child-SP          RetAddr           Call Site
00 ffffd000`358cd538 fffff800`68bebae9 nt!KeBugCheckEx
01 ffffd000`358cd540 fffff800`68beb3fc nt!KiBugCheckDispatch+0x69
02 ffffd000`358cd680 fffff800`68be74ed nt!KiSystemServiceHandler+0x7c
03 ffffd000`358cd6c0 fffff800`68b71105 nt!RtlpExecuteHandlerForException+0xd
04 ffffd000`358cd6f0 fffff800`68b6ffbf nt!RtlDispatchException+0x1a5
05 ffffd000`358cddc0 fffff800`68bebbc2 nt!KiDispatchException+0x61f
06 ffffd000`358ce4b0 fffff800`68bea0fe nt!KiExceptionDispatch+0xc2
07 ffffd000`358ce690 fffff800`68af1472 nt!KiGeneralProtectionFault+0xfe
08 ffffd000`358ce820 fffff800`86a2f16b nt!ExAcquirePushLockExclusiveEx+0xf2
09 ffffd000`358ce860 fffff800`68b591e2 condrv!CdpCancelIoIrpPaged+0x3f
0a ffffd000`358ce890 fffff800`68f40183 nt!IoCancelIrp+0x6a
0b ffffd000`358ce8d0 fffff800`68e84164 nt!IopCancelAlertedRequest+0x3b
0c ffffd000`358ce910 fffff800`68beb7b3 nt!NtReadFile+0xc14
0d ffffd000`358cea90 00007ff8`598cabea nt!KiSystemServiceCopyEnd+0x13
0e 00000027`7a26e188 00007ff8`56c77ca8 ntdll!NtReadFile+0xa
0f 00000027`7a26e190 00007ff8`47f96c92 KERNELBASE!ReadFile+0x74
10 00000027`7a26e210 00007ff8`47b26b38 mscorlib_ni+0x556c92
11 00000027`7a26e218 00000027`6053eaf8 mscorlib_ni+0xe6b38
12 00000027`7a26e220 00000027`78e9ce70 0x00000027`6053eaf8
13 00000027`7a26e228 00000027`7a26e3d0 0x00000027`78e9ce70
14 00000027`7a26e230 00000000`00000000 0x00000027`7a26e3d0

Knowing that the parameter to the IoCancelIrp routine is a pointer to the IRP structure, we can determine where the invalid pointer to the EX_PUSH_LOCK structure came from.

3: kd> u nt!IoCancelIrp nt!IoCancelIrp+0x6a
nt!IoCancelIrp:
fffff800`68b59178 48895c2410      mov     qword ptr [rsp+10h],rbx
fffff800`68b5917d 4889742418      mov     qword ptr [rsp+18h],rsi
fffff800`68b59182 57              push    rdi
fffff800`68b59183 4883ec30        sub     rsp,30h
fffff800`68b59187 48833da1241e0000 cmp     qword ptr [nt!ViVerifierDriverAddedThunkListHead (fffff800`68d3b630)],0
fffff800`68b5918f 488bd9          mov     rbx,rcx == nt!_IRP
fffff800`68b59192 0f8581000000    jne     nt!IoCancelIrp+0xa1 (fffff800`68b59219)
fffff800`68b59198 488d4c2440      lea     rcx,[rsp+40h]
fffff800`68b5919d e81af3ffff      call    nt!IoAcquireCancelSpinLock (fffff800`68b584bc)
fffff800`68b591a2 33ff            xor     edi,edi
fffff800`68b591a4 c6434401        mov     byte ptr [rbx+44h],1
fffff800`68b591a8 48877b68        xchg    rdi,qword ptr [rbx+68h]
fffff800`68b591ac 4885ff          test    rdi,rdi
fffff800`68b591af 744b            je      nt!IoCancelIrp+0x84 (fffff800`68b591fc)
fffff800`68b591b1 8a4342          mov     al,byte ptr [rbx+42h]
fffff800`68b591b4 488bd3          mov     rdx,rbx
fffff800`68b591b7 fec0            inc     al
fffff800`68b591b9 384343          cmp     byte ptr [rbx+43h],al
fffff800`68b591bc 0f8f32b70c00    jg      nt! ?? ::FNODOBFM::`string'+0x34444 (fffff800`68c248f4)
fffff800`68b591c2 408a742440      mov     sil,byte ptr [rsp+40h]
fffff800`68b591c7 488b8bb8000000  mov     rcx,qword ptr [rbx+0B8h]
fffff800`68b591ce 40887345        mov     byte ptr [rbx+45h],sil
fffff800`68b591d2 48833d56241e0000 cmp     qword ptr [nt!ViVerifierDriverAddedThunkListHead (fffff800`68d3b630)],0
fffff800`68b591da 488b4928        mov     rcx,qword ptr [rcx+28h]
fffff800`68b591de 7543            jne     nt!IoCancelIrp+0xab (fffff800`68b59223)
fffff800`68b591e0 ffd7            call    rdi
fffff800`68b591e2 440f20c0        mov     rax,cr8
3: kd> dq ffffd000`358ce890-8+8 L1
ffffd000`358ce890  ffffe001`ef45c3d0
3: kd> u condrv!CdpCancelIoIrpPaged condrv!CdpCancelIoIrpPaged+0x3f
condrv!CdpCancelIoIrpPaged:
fffff800`86a2f12c 48895c2408      mov     qword ptr [rsp+8],rbx == nt!_IRP ffffe001`ef45c3d0
fffff800`86a2f131 4889742410      mov     qword ptr [rsp+10h],rsi
fffff800`86a2f136 57              push    rdi
fffff800`86a2f137 4883ec20        sub     rsp,20h
fffff800`86a2f13b 488b81b8000000  mov     rax,qword ptr [rcx+0B8h]
fffff800`86a2f142 488bd9          mov     rbx,rcx
fffff800`86a2f145 4032ff          xor     dil,dil
fffff800`86a2f148 488b7008        mov     rsi,qword ptr [rax+8]
fffff800`86a2f14c 440f20c0        mov     rax,cr8
fffff800`86a2f150 3c01            cmp     al,1
fffff800`86a2f152 7709            ja      condrv!CdpCancelIoIrpPaged+0x31 (fffff800`86a2f15d)
fffff800`86a2f154 ff15ae5effff    call    qword ptr [condrv!_imp_KeEnterCriticalRegion (fffff800`86a25008)]
fffff800`86a2f15a 40b701          mov     dil,1
fffff800`86a2f15d 488b0e          mov     rcx,qword ptr [rsi] rsi == ffffc000`d624d050; rcx == 0057005c`00450052
fffff800`86a2f160 ba01000000      mov     edx,1
fffff800`86a2f165 ff15a55effff    call    qword ptr [condrv!_imp_ExAcquirePushLockExclusiveEx (fffff800`86a25010)]
fffff800`86a2f16b b201            mov     dl,1
3: kd> dt ffffe001`ef45c3d0 nt!_IRP Tail.Overlay.CurrentStackLocation
        +0x078 Tail                              : 
      +0x000 Overlay                           : 
        +0x040 CurrentStackLocation              : 0xffffe001`ef45c4a0 _IO_STACK_LOCATION
3: kd> dt 0xffffe001`ef45c4a0 nt!_IO_STACK_LOCATION Parameters.Others.
        +0x008 Parameters         : 
      +0x000 Others             : 
         +0x000 Argument1          : 0xffffc000`d624d050 Void
         +0x008 Argument2          : 0x0000002f`37e0ae90 Void
         +0x010 Argument3          : (null) 
         +0x018 Argument4          : 0xffffe001`eea56a10 Void
3: kd> dq 0xffffc000`d624d050 L1
ffffc000`d624d050  0057005c`00450052
3: kd> u nt!ExAcquirePushLockExclusiveEx nt!ExAcquirePushLockExclusiveEx+0xf2
nt!ExAcquirePushLockExclusiveEx:
fffff800`68af1380 4889742410      mov     qword ptr [rsp+10h],rsi
fffff800`68af1385 57              push    rdi
fffff800`68af1386 4883ec30        sub     rsp,30h
fffff800`68af138a 488bf1          mov     rsi,rcx == 0057005c`00450052
...
fffff800`68af1472 f0480fba2e00    lock bts qword ptr [rsi],0
3: kd> !pool 0xffffc000`d624d050
Pool page ffffc000d624d050 region is Paged pool
*ffffc000d624d000 size:   f0 previous size:    0  (Free ) *CMNb
		Pooltag CMNb : Configuration Manager Name Tag, Binary : nt!cm
 ffffc000d624d0f0 size:   a0 previous size:   f0  (Allocated)  Sect
 ffffc000d624d190 size:  220 previous size:   a0  (Allocated)  FMfn
 ffffc000d624d3b0 size:  170 previous size:  220  (Allocated)  NtFU
 ffffc000d624d520 size:  3f0 previous size:  170  (Free)       FIcs
 ffffc000d624d910 size:   30 previous size:  3f0  (Allocated)  ObDi
 ffffc000d624d940 size:  480 previous size:   30  (Free)       Free
 ffffc000d624ddc0 size:   90 previous size:  480  (Allocated)  AlCI
 ffffc000d624de50 size:  1b0 previous size:   90  (Free)       FMfn

We can see from the information above that the memory where should be the pointer to the EX_PUSH_LOCK structure doesn’t belong to condrv.sys and was freed by the Configuration Manager. Here’s how this pool allocation looks on a healthy system:

kd> !pool poi(poi(ffffe000431a9900+b8)+8)
Pool page ffffc0001fb78cf0 region is Paged pool
...
*ffffc0001fb78ca0 size:   f0 previous size:   30  (Allocated) *CdSe
		Owning component : Unknown (update pooltag.txt)
 ffffc0001fb78d90 size:   a0 previous size:   f0  (Allocated)  MSeg
 ffffc0001fb78e30 size:   90 previous size:   a0  (Allocated)  FSim
 ffffc0001fb78ec0 size:  140 previous size:   90  (Allocated)  FMfn

We can search for the 'CdSe' tag to determine which drivers use it.

Find

Now let’s find out where the pointer in the Argument1 member of the IO_STACK_LOCATION structure came from.

condrv

If we examine the same structures in the crash dump, we can see that the "\Connect", "\Reference" and "\Server" file objects and all associated with them structures were deleted.

3: kd> !irp ffffe001`ef45c3d0
Irp is active with 2 stacks 1 is current (= 0xffffe001ef45c4a0)
 Mdl=ffffe001eea56a10: No System Buffer: Thread ffffe001f1aec080:  Irp stack trace.  
     cmd  flg cl Device   File     Completion-Context
>[  f, 6]   0  1 00000000 00000000 00000000-00000000    pending
			Args: ffffc000d624d050 2f37e0ae90 00000000 ffffe001eea56a10
 [  3, 0]   0  0 ffffe001ed0505c0 ffffe001eed30770 00000000-00000000    
	       \Driver\condrv
			Args: 00000100 00000000 00000000 00000000
3: kd> dt nt!_FILE_OBJECT -l RelatedFileObject -y FileName FsContext ffffe001eed30770
RelatedFileObject at 0xffffe001`eed30770
---------------------------------------------
   +0x018 FsContext : 0xffffc000`d070c320 Void
   +0x058 FileName  : _UNICODE_STRING "\Input"
RelatedFileObject at 0xffffe001`eea9e990
---------------------------------------------
   +0x018 FsContext : 0xffffc000`e1433ae0 Void
   +0x058 FileName  : _UNICODE_STRING "???"
...
3: kd> !pool 0xffffe001`eea9e990
Pool page ffffe001eea9e990 region is Unknown
...
*ffffe001eea9e8d0 size:  1a0 previous size:   30  (Free)      *Free
		Owning component : Unknown (update pooltag.txt)
...
3: kd> !pool 0xffffc000`e1433ae0
Pool page ffffc000e1433ae0 region is Paged pool
...
*ffffc000e1433ad0 size:   50 previous size:  9f0  (Free ) *CdCo
		Owning component : Unknown (update pooltag.txt)

After digging around I found out the root cause of the failure. Here’s the major events that led to the crash:

  1. Click on the "Stop Debugging" button in Visual Studio.
  2. The Remote Debugging Monitor (msvsmon.exe) calls NtTerminateProcess to terminate our debuggee and end up calling KeAlertThread to alert the thread ffffe001f1aec080. The dispatcher performs a context switch to this thread due to its higher priority.
  3. The IoCancelIrp routine calls condrv!CdpCancelIoIrpPaged, but because the page with this routine is paged out to a paging file, a page fault occurs and the thread is put into a Wait state. The dispatcher performs a context switch to the thread ffffe001f0e09880.
  4. The ObClearProcessHandleTable routine (only called if a process hasn’t any threads or the process being debugged (i.e. the DebugPort member of the EPROCESS structure is not null) and the process handle was specified in the call to the NtTerminateProcess routine) is called to clear debuggee’s handle table and the “\Connect”, “\Reference” and “\Server” file objects and all associated with them structures get deleted. Meanwhile, the Configuration Manager allocates and releases pool memory. The dispatcher performs a context switch to the thread ffffe001f1aec080, because the page fault was resolved.
  5. The condrv!CdpCancelIoIrpPaged calls ExAcquirePushLockExclusiveEx and the bug check occurs.
3: kd> !thread ffffe001f1aec080
THREAD ffffe001f1aec080  Cid 095c.0cbc  Teb: 00007ff5ff5f8000 Win32Thread: 0000000000000000 RUNNING on processor 3
IRP List:
    ffffe001ef45c3d0: (0006,0160) Flags: 00060900  Mdl: ffffe001eea56a10
Not impersonating
DeviceMap                 ffffc000d08b1d10
Owning Process            ffffe001f02346c0       Image:         CSharpExercise.vshost.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      1415073        Ticks: 3 (0:00:00:00.046)
Context Switch Count      81             IdealProcessor: 3             
UserTime                  00:00:00.000
KernelTime                00:00:00.015
Win32 Start Address clr!Thread::intermediateThreadProc (0x00007ff84960e840)
Stack Init ffffd000358cec90 Current ffffd000358ce0d0
Base ffffd000358cf000 Limit ffffd000358c9000 Call 0
Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`358cd538 fffff800`68bebae9 : 00000000`0000003b 00000000`c0000005 fffff800`68af1472 ffffd000`358cddf0 : nt!KeBugCheckEx
ffffd000`358cd540 fffff800`68beb3fc : ffffd000`358cd770 fffff800`68bdc886 ffffd000`358ceb00 ffffd000`358ce5e8 : nt!KiBugCheckDispatch+0x69
ffffd000`358cd680 fffff800`68be74ed : ffffd000`358cddf0 00000000`00000000 ffffd000`358ce5e8 ffffd000`358cd7f0 : nt!KiSystemServiceHandler+0x7c
ffffd000`358cd6c0 fffff800`68b71105 : 00000000`00000001 fffff800`68a8c000 ffffd000`358ce501 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
ffffd000`358cd6f0 fffff800`68b6ffbf : ffffd000`358ce5e8 ffffd000`358ce690 ffffd000`358ce5e8 ffffe001`f1aec3a0 : nt!RtlDispatchException+0x1a5
ffffd000`358cddc0 fffff800`68bebbc2 : 00000000`00000000 fffff800`68dd8ec0 fffffa80`02497f80 fffff6fc`00435178 : nt!KiDispatchException+0x61f
ffffd000`358ce4b0 fffff800`68bea0fe : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiExceptionDispatch+0xc2
ffffd000`358ce690 fffff800`68af1472 : ffffe001`ef45c4e8 ffffe001`f1aec118 ffffe001`f1aec3a0 ffffe001`ef45c3d0 : nt!KiGeneralProtectionFault+0xfe (TrapFrame @ ffffd000`358ce690)
ffffd000`358ce820 fffff800`86a2f16b : ffffe001`ef45c3d0 ffffc000`d624d050 ffffd000`358ce888 00000000`00000018 : nt!ExAcquirePushLockExclusiveEx+0xf2
ffffd000`358ce860 fffff800`68b591e2 : ffffe001`ef45c3d0 00000000`00000001 ffffe001`ef45c3d0 00000000`00000000 : condrv!CdpCancelIoIrpPaged+0x3f
ffffd000`358ce890 fffff800`68f40183 : ffffe001`ef45c301 ffffe001`eed30808 00000000`00000000 ffffe001`eed30808 : nt!IoCancelIrp+0x6a
ffffd000`358ce8d0 fffff800`68e84164 : ffffe001`eed30808 ffffe001`ef45c400 00000000`00000000 fffff800`00000000 : nt!IopCancelAlertedRequest+0x3b
ffffd000`358ce910 fffff800`68beb7b3 : ffffe001`f1aec080 00000027`7a26dcb8 00000000`00000000 fffff6fb`7dafff08 : nt!NtReadFile+0xc14
ffffd000`358cea90 00007ff8`598cabea : 00007ff8`56c77ca8 00007ff8`494a19fc 00000027`78e9ce70 000e0027`5eb534c0 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`358ceb00)
00000027`7a26e188 00007ff8`56c77ca8 : 00007ff8`494a19fc 00000027`78e9ce70 000e0027`5eb534c0 00000027`6053eaf8 : ntdll!NtReadFile+0xa
00000027`7a26e190 00007ff8`47f96c92 : 00007ff8`47b26b38 00000027`6053eaf8 00000027`78e9ce70 00000027`7a26e3d0 : KERNELBASE!ReadFile+0x74
00000027`7a26e210 00007ff8`47b26b38 : 00000027`6053eaf8 00000027`78e9ce70 00000027`7a26e3d0 00000000`00000000 : mscorlib_ni+0x556c92
00000027`7a26e218 00000027`6053eaf8 : 00000027`78e9ce70 00000027`7a26e3d0 00000000`00000000 00007ff8`4945206a : mscorlib_ni+0xe6b38
00000027`7a26e220 00000027`78e9ce70 : 00000027`7a26e3d0 00000000`00000000 00007ff8`4945206a 00000027`7a26e210 : 0x00000027`6053eaf8
00000027`7a26e228 00000027`7a26e3d0 : 00000000`00000000 00007ff8`4945206a 00000027`7a26e210 0000b74d`ede770cf : 0x00000027`78e9ce70
00000027`7a26e230 00000000`00000000 : 00007ff8`4945206a 00000027`7a26e210 0000b74d`ede770cf 00007ff8`49b00000 : 0x00000027`7a26e3d0
3: kd> dt nt!_KTHREAD ffffe001f1aec080 -y WaitReason
   +0x283 WaitReason : 0x9 ''
3: kd> dt ntkrnlmp!_KWAIT_REASON
   Executive = 0n0
   FreePage = 0n1
   PageIn = 0n2
   PoolAllocation = 0n3
   DelayExecution = 0n4
   Suspended = 0n5
   UserRequest = 0n6
   WrExecutive = 0n7
   WrFreePage = 0n8
   WrPageIn = 0n9
...
3: kd> !thread ffffe001f0e09880
THREAD ffffe001f0e09880  Cid 1a04.1bfc  Teb: 00007ff7f5485000 Win32Thread: fffff901425fcb70 WAIT: (Executive) KernelMode Non-Alertable
    ffffe001eed307f0  SynchronizationEvent
Not impersonating
DeviceMap                 ffffc000d08b1d10
Owning Process            ffffe001f03f4900       Image:         msvsmon.exe
Attached Process          ffffe001f02346c0       Image:         CSharpExercise.vshost.exe
Wait Start TickCount      1415073        Ticks: 3 (0:00:00:00.046)
Context Switch Count      581            IdealProcessor: 3             
UserTime                  00:00:00.093
KernelTime                00:00:00.093
Win32 Start Address 0x00007ff8255c3390
Stack Init ffffd00035d92c90 Current ffffd00035d92310
Base ffffd00035d93000 Limit ffffd00035d8d000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`35d92350 fffff800`68ae2d1e : ffffd000`207e6180 ffffe001`f0e09880 00000000`00000008 fffff800`68acb3a1 : nt!KiSwapContext+0x76
ffffd000`35d92490 fffff800`68ae2779 : 00000000`00000000 ffffc000`d2f5a040 ffffe001`ee444400 00000000`00000000 : nt!KiSwapThread+0x14e
ffffd000`35d92530 fffff800`68af2dfa : ffffc000`d2f5a040 00000000`00000000 ffffe001`ee66ed98 00000000`00000000 : nt!KiCommitThreadWait+0x129
ffffd000`35d925b0 fffff800`68f1d9ed : ffffe001`eed307f0 ffffc000`00000000 ffffe001`ee5bc500 fffff800`00000000 : nt!KeWaitForSingleObject+0x22a
ffffd000`35d92640 fffff800`68fdc241 : 00000000`00000000 ffffe001`f02346c0 00000000`00000000 ffffe001`eed30770 : nt!IopAcquireFileObjectLock+0x85
ffffd000`35d92690 fffff800`68e9574a : ffffe001`eed30740 ffffe001`ec545c60 ffffe001`eed30750 ffffe001`eed30700 : nt! ?? ::NNGAKEGL::`string'+0x25bd1
ffffd000`35d92720 fffff800`68e95543 : 00000000`00000000 00000000`ffff8001 00000000`00000000 00000000`00000001 : nt!ObpDecrementHandleCount+0x1b6
ffffd000`35d927c0 fffff800`68e9517e : ffffd000`20504180 fffff800`68af1274 7fffe001`f0234988 ffffe001`f0234988 : nt!ObCloseHandleTableEntry+0x313
ffffd000`35d92890 fffff800`690152b0 : ffffe001`f02346c0 ffffe001`f0e09c60 ffffc000`d4d56c40 ffffe001`f0e09880 : nt!ExSweepHandleTable+0xba
ffffd000`35d928f0 fffff800`68ea9592 : 00000000`00000001 00000000`00000001 ffffe001`f0234988 ffffffff`ffffffff : nt! ?? ::NNGAKEGL::`string'+0x5ec40
ffffd000`35d92960 fffff800`68e1b3e3 : 00000000`f02346c8 00000000`f02346c8 00000000`c000010a 00000000`00000000 : nt!PspRundownSingleProcess+0x286
ffffd000`35d929f0 fffff800`68e1b0e9 : ffffe001`f1aec080 ffffe001`f0e09c60 ffffe001`f02346c0 ffffe001`f02346c0 : nt!PspTerminateAllThreads+0x27f
ffffd000`35d92a50 fffff800`68e1ae76 : ffffffff`ffffffff ffffe001`f03f4900 ffffe001`f02346c0 ffffe001`f0e09880 : nt!PspTerminateProcess+0xe5
ffffd000`35d92a90 fffff800`68beb7b3 : ffffe001`f02346c0 ffffe001`f0e09880 ffffd000`35d92b80 01cf99d6`b1f19cdd : nt!NtTerminateProcess+0x9e
ffffd000`35d92b00 00007ff8`598cae4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`35d92b00)
000000b4`ad6bcb28 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!NtTerminateProcess+0xa
3: kd> .thread ffffe001f0e09880
Implicit thread is now ffffe001`f0e09880
3: kd> !cmkd.stack
Call Stack : 16 frames
## Stack-Pointer    Return-Address   Call-Site       
00 ffffd00035d92350 fffff80068ae2d1e nt!KiSwapContext+76 
01 ffffd00035d92490 fffff80068ae2779 nt!KiSwapThread+14e (perf)
02 ffffd00035d92530 fffff80068af2dfa nt!KiCommitThreadWait+129 (perf)
03 ffffd00035d925b0 fffff80068f1d9ed nt!KeWaitForSingleObject+22a 
04 ffffd00035d92640 fffff80068fdc241 nt!IopAcquireFileObjectLock+85 
05 ffffd00035d92690 fffff80068e9574a nt!IopCloseFile+15d861 (perf)
06 ffffd00035d92720 fffff80068e95543 nt!ObpDecrementHandleCount+1b6 
07 ffffd00035d927c0 fffff80068e9517e nt!ObCloseHandleTableEntry+313 
08 ffffd00035d92890 fffff800690152b0 nt!ExSweepHandleTable+ba 
09 ffffd00035d928f0 fffff80068ea9592 nt!ObClearProcessHandleTable+d5944 (perf)
0a ffffd00035d92960 fffff80068e1b3e3 nt!PspRundownSingleProcess+286 
0b ffffd00035d929f0 fffff80068e1b0e9 nt!PspTerminateAllThreads+27f 
0c ffffd00035d92a50 fffff80068e1ae76 nt!PspTerminateProcess+e5 
0d ffffd00035d92a90 fffff80068beb7b3 nt!NtTerminateProcess+9e 
0e ffffd00035d92b00 00007ff8598cae4a nt!KiSystemServiceCopyEnd+13 
0f 000000b4ad6bcb28 0000000000000000 ntdll!NtTerminateProcess+a

Conclusion

Because of the subtle bug in the condrv.sys driver we can experience the system crash. The good news (only for users) is that it only can happen when you debug a console application.