Address space-wide search for errors and status codes (page 29) may show coincidental error codes:
0:000> !heap -x -v c0000005 Search VM for address range c0000005 - c0000005 : 028690b8 (c0000005), [...] 0:000> dd 028690b8 l1 028690b8 c0000005
In such cases we need to check whether the addresses belong to volatile regions such as stack because it is possible to have such values as legitimate code and image data:
0:000> !address 028690b8 Usage: Image Allocation Base: 02700000 Base Address: 02869000 End Address: 02874000 Region Size: 0000b000 Type: 01000000 MEM_IMAGE State: 00001000 MEM_COMMIT Protect: 00000002 PAGE_READONLY More info: lmv m ModuleA More info: !lmi ModuleA More info: ln 0×28690b8 0:000> u 028690b8 ModuleA!ComputeB: 028690b8 050000c000 add eax,0C00000h [...]
Another example (x64):
0:000> !heap -x -v c0000005 Search VM for address range 00000000c0000005 - 00000000c0000005 : 7feff63ab60 (c0000005), 0:000> !address 7feff63ab60 Usage: Image Allocation Base: 000007fe`ff460000 Base Address: 000007fe`ff635000 End Address: 000007fe`ff63c000 Region Size: 00000000`00007000 Type: 01000000 MEM_IMAGE State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE More info: lmv m ole32 More info: !lmi ole32 More info: ln 0×7feff63ab60
0:000> dp 7feff63ab60 000007fe`ff63ab60 00000000`c0000005 c0000194`00000001 000007fe`ff63ab70 00000001`00000000 00000000`c00000aa 000007fe`ff63ab80 80000002`00000001 00000001`00000000 000007fe`ff63ab90 00000000`c0000096 c000001d`00000001 000007fe`ff63aba0 00000001`00000000 00000000`80000003 000007fe`ff63abb0 c00000fd`00000001 00000001`00000000 000007fe`ff63abc0 00000000`c0000235 c0000006`00000001 000007fe`ff63abd0 00000001`00000000 00000000`c0000420
In the latter case the data structure suggests a table of errors:
0:000> ln 7feff63ab60 (000007fe`ff63ab60) ole32!gReportedExceptions