While many BSODs happen purely in the “dark” of the kernel, Bug Check 0x3B: SYSTEM_SERVICE_EXCEPTION occurs at the boundary where a user-mode application makes a request to the kernel (a System Call). This is often the result of a driver failing to properly validate a buffer passed from an application.
1. The User-to-Kernel Transition
When an app calls ReadFile() or a custom DeviceIoControl(), the CPU switches from Ring 3 to Ring 0. The kernel must treat everything coming from the app as “untrusted.”
2. Real Use Case: The Improper Buffer Mapping
Scenario: A monitoring tool for a data center hangs briefly and then crashes the host with 0x3B whenever it tries to pull telemetry from a custom PCIe sensor.
Step 1: The Exception Context
The 0x3B is unique because it includes a Context Record. Run:
.cxr <address_from_analyze>
This “warps” the debugger’s view to the exact state of the user-mode thread at the moment it crossed into the kernel.
Step 2: Finding the Faulting Address
Check the instruction:
kd> u @rip
If it’s a mov or memcpy operation involving a user-supplied pointer, look at the memory protections:
!address <pointer>
The Discovery: The driver tried to write to a buffer that the user-mode app had already freed or marked as Read-Only. Because the driver didn’t use ProbeForWrite or a try/except block, the exception was unhandled, leading to the crash.
