
I'm new to the Windows kernel, but the job is to build a WFP driver and a user-mode library along with it to control it. To make sure the driver works as expected, I'd like to provide a feature that would stop loading it if it triggered the last BSOD.

I know it may be too much, but shipping the debugger along with the driver package and doing something like

cdb.exe -y sym -z last-mini-dump.dmp -c "!analyze -v;q"

can provide the necessary info to achieve the goal. I'm definitely not going to bundle all of WinDbg, only the files that are needed. Here is the file list I'm currently working with

d-----         8/27/2021   3:03 PM                OptionalExtensions
d-----         8/27/2021   2:19 PM                sym
d-----         8/27/2021   3:03 PM                Visualizers
d-----         8/27/2021   2:43 PM                winext
d-----         8/27/2021   2:45 PM                winxp
-a----         12/2/2020   5:31 AM         156112 cdb.exe
-a----         12/2/2020   5:31 AM        7877584 dbgeng.dll
-a----         12/2/2020   5:31 AM        1869264 dbghelp.dll
-a----         12/2/2020   5:31 AM         729552 DbgModel.dll
-a----         11/2/2020   7:36 PM          14512 Manifest.1.xml
-a----         11/2/2020   7:36 PM             13 ManifestVersion.txt
-a----         12/2/2020   5:31 AM         256976 symsrv.dll

thanks to Dependency Walker, procmon and Process Explorer, but the report it generates (let's call it the standalone report) is different from the one generated by the same binary in the WinDbg folder (let's call it the original report)...

Here's the standalone report

Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\users\ziok_\Desktop\tools\072021-173671-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff804`1d600000 PsLoadedModuleList = 0xfffff804`1e22a1d0
Debug session time: Tue Jul 20 10:30:10.460 2021 (UTC + 8:00)
System Uptime: 0 days 1:39:58.262
Loading Kernel Symbols
...............................................................
................................................................
................................................................
............................................
Loading User Symbols
Loading unloaded module list
......................
For analysis of this file, run !analyze -v
0: kd> cdb: Reading initial command '!analyze -v;q'
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000023528624070, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8046bb91a9b, address which referenced memory

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for MyDriver.sys

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 1

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-AR8863N

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 6

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 73

    Key  : Analysis.System
    Value: CreateObject


BUGCHECK_CODE:  d1

BUGCHECK_P1: 23528624070

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8046bb91a9b

READ_ADDRESS: fffff8041e2fa390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8041e20f380: Unable to get Flags value from nt!KdVersionBlock
fffff8041e20f380: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
 0000023528624070

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  svchost.exe

TRAP_FRAME:  ffff960681f4a2d0 -- (.trap 0xffff960681f4a2d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000004 rbx=0000000000000000 rcx=0000000000000004
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8046bb91a9b rsp=ffff960681f4a460 rbp=fffff80422d01ad0
 r8=0000000000000fff  r9=000000000000007e r10=000000004c535357
r11=0000000000001001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
MyDriver+0x1a9b:
fffff804`6bb91a9b f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
Resetting default scope

STACK_TEXT:
ffff9606`81f4a460 ffffd387`9811ad20 : fffff804`22d01ad0 00000000`00000000 fffff804`00000000 fffff804`6bb97390 : MyDriver+0x1a9b
ffff9606`81f4a468 fffff804`22d01ad0 : 00000000`00000000 fffff804`00000000 fffff804`6bb97390 ffff9ad6`00000000 : 0xffffd387`9811ad20
ffff9606`81f4a470 00000000`00000000 : fffff804`00000000 fffff804`6bb97390 ffff9ad6`00000000 ffffd387`9811ad00 : NETIO!`string'


STACK_COMMAND:  .trap 0xffff960681f4a2d0 ; kb

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

FAILURE_BUCKET_ID:  AV

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {3bca5200-7e84-5718-7af4-30d0c3e7ccee}
 *** Followup info cannot be found !!! Please contact "BADEV"

---------

quit:
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\atlmfc.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\concurrency.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\cpp_rest.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\stl.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\Windows.Data.Json.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\Windows.Media.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\windows.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\winrt.natvis'
NatVis script unloaded from 'C:\Users\ziok_\Desktop\cdb\Visualizers\Kernel.natvis'

and here's the original report

Microsoft (R) Windows Debugger Version 10.0.19041.685 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\users\ziok_\Desktop\tools\072021-173671-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff804`1d600000 PsLoadedModuleList = 0xfffff804`1e22a1d0
Debug session time: Tue Jul 20 10:30:10.460 2021 (UTC + 8:00)
System Uptime: 0 days 1:39:58.262
Loading Kernel Symbols
...............................................................
................................................................
................................................................
............................................
Loading User Symbols
Loading unloaded module list
......................
For analysis of this file, run !analyze -v
0: kd> cdb: Reading initial command '!analyze -v;q'
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000023528624070, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff8046bb91a9b, address which referenced memory

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for MyDriver.sys

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.Sec
    Value: 3

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-AR8863N

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 15

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 73

    Key  : Analysis.System
    Value: CreateObject


BUGCHECK_CODE:  d1

BUGCHECK_P1: 23528624070

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff8046bb91a9b

READ_ADDRESS: fffff8041e2fa390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff8041e20f380: Unable to get Flags value from nt!KdVersionBlock
fffff8041e20f380: Unable to get Flags value from nt!KdVersionBlock
unable to get nt!MmSpecialPagesInUse
 0000023528624070

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  svchost.exe

TRAP_FRAME:  ffff960681f4a2d0 -- (.trap 0xffff960681f4a2d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000004 rbx=0000000000000000 rcx=0000000000000004
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8046bb91a9b rsp=ffff960681f4a460 rbp=fffff80422d01ad0
 r8=0000000000000fff  r9=000000000000007e r10=000000004c535357
r11=0000000000001001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
MyDriver+0x1a9b:
fffff804`6bb91a9b f3a4            rep movs byte ptr [rdi],byte ptr [rsi]
Resetting default scope

STACK_TEXT:
ffff9606`81f4a188 fffff804`1da08e69 : 00000000`0000000a 00000235`28624070 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffff9606`81f4a190 fffff804`1da05169 : 00000000`0000007e ffffd387`92a06700 ffffd387`92a08980 00000000`00000020 : nt!KiBugCheckDispatch+0x69
ffff9606`81f4a2d0 fffff804`6bb91a9b : ffffd387`9811ad20 fffff804`22d01ad0 00000000`00000000 fffff804`00000000 : nt!KiPageFault+0x469
ffff9606`81f4a460 ffffd387`9811ad20 : fffff804`22d01ad0 00000000`00000000 fffff804`00000000 fffff804`6bb97390 : MyDriver+0x1a9b
ffff9606`81f4a468 fffff804`22d01ad0 : 00000000`00000000 fffff804`00000000 fffff804`6bb97390 ffff9ad6`00000000 : 0xffffd387`9811ad20
ffff9606`81f4a470 00000000`00000000 : fffff804`00000000 fffff804`6bb97390 ffff9ad6`00000000 ffffd387`9811ad00 : NETIO!`string'


SYMBOL_NAME:  MyDriver+1a9b

MODULE_NAME: MyDriver

IMAGE_NAME:  MyDriver.sys

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  1a9b

FAILURE_BUCKET_ID:  AV_MyDriver!unknown_function

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {2ae8c6b4-cf92-cac0-46d0-35706bd01819}

Followup:     MachineOwner
---------

quit:
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\atlmfc.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\concurrency.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\cpp_rest.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\stl.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\Windows.Data.Json.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\Windows.Devices.Geolocation.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\Windows.Devices.Sensors.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\Windows.Media.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\windows.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\winrt.natvis'
NatVis script unloaded from 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers\Kernel.natvis'

I did everything I could, but still cannot figure out the root cause. I can get the info from a hint like cdb's "Unable to verify timestamp", but I'm not sure it would always work, as the bugcheck analysis checks more stack trace frames and eventually gives a different result.

Update @08/30/2021

Sorry for the long log files; here comes the diff. It's the same result if the executed command is cdb.exe -y sym -z last-mini-dump.dmp -c "!analyze -v;q", which uses the local symbol folder, where I can see a lot of the symbols for .sys files.

I can see that in the WinDbg folder, 3 more stack frames are interpreted by the debugger and the true root cause is provided in full. And thank you all for reminding me of the license issue.

--- outside_windbg.txt  2021-08-30 13:49:06.593947700 +0800
+++ inside_windbg.txt   2021-08-30 13:49:06.592975700 +0800
@@ -49,7 +49,7 @@
 KEY_VALUES_STRING: 1
 
     Key  : Analysis.CPU.Sec
-    Value: 1
+    Value: 3
 
     Key  : Analysis.DebugAnalysisProvider.CPP
     Value: Create: 8007007e on DESKTOP-AR8863N
@@ -61,7 +61,7 @@
     Value: CreateObject
 
     Key  : Analysis.Elapsed.Sec
-    Value: 6
+    Value: 15
 
     Key  : Analysis.Memory.CommitPeak.Mb
     Value: 73
@@ -120,18 +120,25 @@
 Resetting default scope
 
 STACK_TEXT:
+ffff9606`81f4a188 fffff804`1da08e69 : 00000000`0000000a 00000235`28624070 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
+ffff9606`81f4a190 fffff804`1da05169 : 00000000`0000007e ffffd387`92a06700 ffffd387`92a08980 00000000`00000020 : nt!KiBugCheckDispatch+0x69
+ffff9606`81f4a2d0 fffff804`6bb91a9b : ffffd387`9811ad20 fffff804`22d01ad0 00000000`00000000 fffff804`00000000 : nt!KiPageFault+0x469
 ffff9606`81f4a460 ffffd387`9811ad20 : fffff804`22d01ad0 00000000`00000000 fffff804`00000000 fffff804`6bb97390 : MyDriver+0x1a9b
 ffff9606`81f4a468 fffff804`22d01ad0 : 00000000`00000000 fffff804`00000000 fffff804`6bb97390 ffff9ad6`00000000 : 0xffffd387`9811ad20
 ffff9606`81f4a470 00000000`00000000 : fffff804`00000000 fffff804`6bb97390 ffff9ad6`00000000 ffffd387`9811ad00 : NETIO!`string'
 
 
-STACK_COMMAND:  .trap 0xffff960681f4a2d0 ; kb
+SYMBOL_NAME:  MyDriver+1a9b
 
-MODULE_NAME: Unknown_Module
+MODULE_NAME: MyDriver
 
-IMAGE_NAME:  Unknown_Image
+IMAGE_NAME:  MyDriver.sys
 
-FAILURE_BUCKET_ID:  AV
+STACK_COMMAND:  .thread ; .cxr ; kb
+
+BUCKET_ID_FUNC_OFFSET:  1a9b
+
+FAILURE_BUCKET_ID:  AV_MyDriver!unknown_function
 
 OS_VERSION:  10.0.19041.1
 
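Review bot: the only substantive difference in this hunk is the three added frames nt!KeBugCheckEx, nt!KiBugCheckDispatch+0x69 and nt!KiPageFault+0x469 at the top of STACK_TEXT; every other changed line (SYMBOL_NAME, MODULE_NAME, IMAGE_NAME, BUCKET_ID_FUNC_OFFSET, FAILURE_BUCKET_ID) follows from whether the analyzer walked from the bugcheck down into MyDriver+0x1a9b or, as the removed STACK_COMMAND `.trap 0xffff960681f4a2d0 ; kb` shows, had to fall back to the trap frame and then could not attribute the fault to any module. All three missing frames are nt frames, so when comparing the two folders, start with what each cdb.exe resolved and loaded rather than with the driver: run `lm` and `.chain` in both before `!analyze -v` and diff those outputs as well. Do not use the `*** WARNING: Unable to verify timestamp for MyDriver.sys` line as the signal for this check; it is printed identically in both runs and only says the image timestamp could not be matched against a symbol file, not that the module faulted.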
@@ -141,9 +148,9 @@
 
 OSNAME:  Windows 10
 
-FAILURE_ID_HASH:  {3bca5200-7e84-5718-7af4-30d0c3e7ccee}
- *** Followup info cannot be found !!! Please contact "BADEV"
+FAILURE_ID_HASH:  {2ae8c6b4-cf92-cac0-46d0-35706bd01819}
 
+Followup:     MachineOwner
 ---------
 
 quit:
\ No newline at end of file
Kidd Liu
  • There doesn't seem to be any noticeable difference. The CPU key and analysis seconds, and paths, will be different afaik. Apart from that, the stack output is probably because PDBs were not in the symbol path or in the env var _NT_SYMBOL_PATH... btw WinDbg isn't redistributable iirc; please read the licence and confirm if you are using it in a commercial product – blabb Aug 28 '21 at 03:13
  • Can you please do the diff for us - where do you see a problem? The first 80 lines don't seem to be much different. Your [mre] is supposed to be minimal. Reading more than 80 lines of indifferent WinDbg output is probably too much. Other than that I agree with @blabb: check your symbols and the license of CDB for distribution. – Thomas Weller Aug 29 '21 at 15:31
  • @ThomasWeller diff uploaded – Kidd Liu Sep 03 '21 at 07:05
  • Okay, and how about symbols? Symbol path set? How? Microsoft symbols fixed? How? `.reload` command used? – Thomas Weller Sep 03 '21 at 07:10
  • @ThomasWeller sorry I missed and now updated the symbol info, have been using `-y sym` which refers to the local symbol folder, and it gives me the same results. Anyway, as I should not distribute these debuggers, now I drop this feature but am still interested to know what's really happened here. – Kidd Liu Sep 03 '21 at 16:47
  • It *only* refers to the local symbol folder? Maybe read [How to set up symbols](https://stackoverflow.com/questions/30019889/how-to-set-up-symbols-in-windbg/30019890#30019890) and get back if you have Microsoft symbols + your own symbols. – Thomas Weller Sep 03 '21 at 16:49
  • @ThomasWeller definitely, will do! But since I've been using exactly the same commands in 2 different folders, are you suggesting there's some secret sauce that would affect `cdb` symbol setup in the original debugger folder? – Kidd Liu Sep 03 '21 at 16:58
  • It's always hard to ask for reasons in WinDbg. "Why doesn't it work?" is typically a good question in programming, because it does root cause analysis. For WinDbg "Did I try everything to make it work?" is a better question. – Thomas Weller Sep 03 '21 at 17:21
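A launcher for the feature described in the question, as an added example that is not part of the original post or of the asker's code: it runs the same cdb command line against the newest minidump and turns the `!analyze -v` output into a load/no-load verdict. The two embedded sample reports are abbreviated excerpts of the standalone and original reports above; the cdb path, the symbol directory and the C:\Windows\Minidump location are assumptions. The verdict is built from several independent signals (IMAGE_NAME, MODULE_NAME, FAILURE_BUCKET_ID, the STACK_TEXT frames and the faulting-instruction line) so that the un-bucketed standalone report, where MODULE_NAME is Unknown_Module, is still recognised as pointing at MyDriver.

```python
import re
import subprocess
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

DRIVER_IMAGE = "MyDriver.sys"  # driver under test; image name taken from the question's reports

# Upper-case "KEY:  value" lines that !analyze -v prints (BUGCHECK_CODE, MODULE_NAME, ...).
_FIELD = re.compile(r"^([A-Z][A-Z0-9_]*):[ \t]*(.*)$", re.M)


def parse_fields(report: str) -> dict:
    """First occurrence of every KEY: value line in the analysis output."""
    fields = {}
    for key, value in _FIELD.findall(report):
        fields.setdefault(key, value.strip())
    return fields


def parse_stack_symbols(report: str) -> List[str]:
    """Symbols of the STACK_TEXT block; every frame line ends with ' : symbol'."""
    symbols, in_stack = [], False
    for line in report.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            if not line.strip():
                if symbols:
                    break  # first blank line after the frames closes the block
                continue
            symbols.append(line.rsplit(" : ", 1)[-1].strip())
    return symbols


@dataclass
class Verdict:
    bugcheck_code: Optional[str]
    module_name: Optional[str]
    image_name: Optional[str]
    reasons: List[str]  # every signal that pointed at the driver

    @property
    def implicated(self) -> bool:
        return bool(self.reasons)


def judge(report: str, image: str = DRIVER_IMAGE) -> Verdict:
    """Decide whether the bugcheck points at `image` from several independent signals,
    so a report that !analyze could not bucket (Unknown_Module) still counts when the
    driver is visible in the trap frame or in STACK_TEXT."""
    f = parse_fields(report)
    module = Path(image).stem.lower()  # "mydriver"
    reasons = []
    if f.get("IMAGE_NAME", "").lower() == image.lower():
        reasons.append("IMAGE_NAME names the driver")
    if f.get("MODULE_NAME", "").lower() == module:
        reasons.append("MODULE_NAME names the driver")
    if module in f.get("FAILURE_BUCKET_ID", "").lower():
        reasons.append("FAILURE_BUCKET_ID names the driver")
    if any(s.lower().startswith((module + "+", module + "!")) for s in parse_stack_symbols(report)):
        reasons.append("driver frame in STACK_TEXT")
    if re.search(rf"^{re.escape(module)}\+0x[0-9a-f]+:\s*$", report, re.M | re.I):
        reasons.append("faulting instruction is inside the driver")
    return Verdict(f.get("BUGCHECK_CODE"), f.get("MODULE_NAME"), f.get("IMAGE_NAME"), reasons)


def analyze_latest_minidump(cdb_exe: str, sym_dir: str,
                            minidump_dir: Path = Path(r"C:\Windows\Minidump")) -> Optional[Verdict]:
    """Run the question's command line against the newest .dmp; None means no dump exists.
    cdb_exe, sym_dir and the minidump directory are assumptions, not from the question."""
    dumps = sorted(minidump_dir.glob("*.dmp"), key=lambda p: p.stat().st_mtime)
    if not dumps:
        return None
    cmd = [cdb_exe, "-y", sym_dir, "-z", str(dumps[-1]), "-c", "!analyze -v;q"]
    proc = subprocess.run(cmd, capture_output=True, text=True, errors="replace", timeout=300)
    return judge(proc.stdout)


# Abbreviated excerpts of the standalone and original reports above (not complete output).
STANDALONE_REPORT = """\
BUGCHECK_CODE:  d1
MyDriver+0x1a9b:
fffff804`6bb91a9b f3a4            rep movs byte ptr [rdi],byte ptr [rsi]

STACK_TEXT:
ffff9606`81f4a460 ffffd387`9811ad20 : fffff804`22d01ad0 00000000`00000000 fffff804`00000000 fffff804`6bb97390 : MyDriver+0x1a9b
ffff9606`81f4a470 00000000`00000000 : fffff804`00000000 fffff804`6bb97390 ffff9ad6`00000000 ffffd387`9811ad00 : NETIO!`string'

MODULE_NAME: Unknown_Module
IMAGE_NAME:  Unknown_Image
FAILURE_BUCKET_ID:  AV
"""

ORIGINAL_REPORT = """\
BUGCHECK_CODE:  d1
STACK_TEXT:
ffff9606`81f4a188 fffff804`1da08e69 : 00000000`0000000a 00000235`28624070 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffff9606`81f4a2d0 fffff804`6bb91a9b : ffffd387`9811ad20 fffff804`22d01ad0 00000000`00000000 fffff804`00000000 : nt!KiPageFault+0x469
ffff9606`81f4a460 ffffd387`9811ad20 : fffff804`22d01ad0 00000000`00000000 fffff804`00000000 fffff804`6bb97390 : MyDriver+0x1a9b

MODULE_NAME: MyDriver
IMAGE_NAME:  MyDriver.sys
FAILURE_BUCKET_ID:  AV_MyDriver!unknown_function
"""
```

Call `analyze_latest_minidump(r"...\cdb.exe", "sym")` from the user-mode side before the driver is started and refuse the load when the returned verdict's `implicated` is true. The "Unable to verify timestamp" warning is deliberately not a signal, because it appears in both reports and only records a symbol timestamp mismatch; a stricter policy could additionally refuse the load whenever MODULE_NAME comes back as Unknown_Module, since that report could not be attributed to anything.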

0 Answers