Guest Ross Posted July 25, 2008

Up to this point I have tried to diagnose this problem on my own but I can see it's more than I can handle. Here is my system info and a log of previous failure reports and bug checks. I hope I have done them correctly as I have no experience whatsoever and have relied completely on information I could read at Microsoft.

I had a problem with the computer going to blue screen and not restarting previously. It got so bad that it would not restart at all. I used a drive washer and wiped out everything. I used my XP Installation disc and reinstalled Windows XP.

I thought the problem was solved and now the computer is doing it again. I have some theories as to what's wrong but they are uneducated assumptions at this point.

Any assistance would be greatly appreciated.

Ross-

(SYSTEM INFO GENERATED WITH BELARC ADVISOR)

Operating System: Win. XP Home Edition. Service Pack 3 (Build 2600)
System Motherboard: Gigabyte Technology (P35-DS3L)
Bus Clock: 266 Mhz.
BIOS: Award Software Int. Inc. F7 11/29/07
PROCESSOR: 2.4 Gigahertz Intel Core2 Quad Q660

DRIVES:
WDC WD3200AAKS-00B3A0 (Hard Drive) STATUS: Healthy
WDC WD25 00JS-55NCB1 (USB External Device)
Pioneer DVR-113NP (CD-ROM drive)

MEMORY:
3072 Megabytes Installed Memory
Crucial.com CL1118P.TQ 97432 BL12864AA804.8FE5 (Says "Ballistix" on the ram itself)
Slot "A0" has 1024 Mb
Slot "A1" has 1024 Mb
Slot "A2" has 1024 Mb
Slot "A3" is empty

DISPLAY:
NVIDIA GeForce 8400 GS (display adapter)
Sceptre X20WG-Naga (monitor)
Realtek High Definition Audio

COMMUNICATIONS:
Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC

LOCAL DRIVE VOLUMES:
C:/ (NTFS on drive 0) 320 GB
E:/ (FAT32 on drive 1) 250 GB

PRINTERS:
HP Deskjet 925 on USB
Microsoft XPS Document writer

Only one user account (mine)
Using IE 6 (I have had numerous issues with IE7)

DEBUG INFO:

SAVEDUMP INFO 1.
Event Type: Information Event Source: Save Dump Event Category: None Event ID: 1001 Date: 7/22/2008 Time: 8:16:23 AM User: N/A Computer: STEPHEN-DE5B952 Description: The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a (0x00041284, 0x00136001, 0x000006ca, 0xc0883000). A dump was saved in: C:\WINDOWS\Minidump\Mini072208-01.dmp. SAVEDUMP 1 DETAILS; Product: Windows Operating System ID: 1001 Source: Save Dump Version: 5.2 Symbolic Name: EVENT_BUGCHECK_SAVED Message: The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was saved in: %2. DEBUG INFO FOR SAVEDUMP 1; Loading Dump File [C:\WINDOWS\Minidump\Mini072208-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: C:\WINDOWS\Symbols Executable search path is: Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Tue Jul 22 08:15:38.140 2008 (GMT-7) System Uptime: 0 days 6:00:50.734 Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Loading Kernel Symbols ..................................................................................................................... Loading User Symbols Loading unloaded module list Bugcheck Analysis Use !analyze -v to get detailed debugging information. BugCheck 1A, {41284, 136001, 6ca, c0883000} Probably caused by : ntoskrnl.exe ( nt!_woutput+404 ) Followup: MachineOwner --------- 2: kd> !analyze -v ******* * * * Bugcheck Analysis * * * ******* MEMORY_MANAGEMENT (1a) # Any other values for parameter 1 must be individually examined. Arguments: Arg1: 00041284, A PTE or the working set list is corrupt. 
Arg2: 00136001 Arg3: 000006ca Arg4: c0883000 Debugging Details: ------------------ BUGCHECK_STR: 0x1a_41284 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: GtCC.exe LAST_CONTROL_TRANSFER: from 80523309 to 804f9f33 STACK_TEXT: b5fd3af4 80523309 0000001a 00041284 00136001 nt!_woutput+0x404 b5fd3b2c 80523b8f 000006ca 00136000 c0600000 nt!MiRemoveMappedPtes+0x88 b5fd3b60 80523fa8 c00009b0 00136000 00000000 nt!MiSessionCommitImagePages+0x198 b5fd3c28 805135b6 00000530 0018ffff 00000000 nt!MmAccessFault+0x17a b5fd3c68 805d2706 01b6da18 88b93020 88b93268 nt!MiFlushDirtyBitsToPfn+0x57 b5fd3d08 805d28c8 00000000 88b93020 00000000 nt!IopRebalance+0x3e0 b5fd3d28 805d2aa3 88b93020 00000000 b5fd3d64 nt!NtPowerInformation+0x40f b5fd3d54 8054161c 00000000 00000000 0006fed0 nt!WmipStartLogger+0xa b5fd3d64 7c90e4f4 badb0d00 0006fddc 00000000 nt!RtlIpv4StringToAddressExW+0x9d WARNING: Frame IP not in any known module. Following frames may be wrong. b5fd3d78 00000000 00000000 00000000 00000000 0x7c90e4f4 STACK_COMMAND: kb FOLLOWUP_IP: nt!_woutput+404 804f9f33 5d pop ebp SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!_woutput+404 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntoskrnl.exe DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a FAILURE_BUCKET_ID: 0x1a_41284_nt!_woutput+404 BUCKET_ID: 0x1a_41284_nt!_woutput+404 Followup: MachineOwner --------- 2: kd> lmvm nt start end module name 804d7000 806e4000 nt M (pdb symbols) C:\WINDOWS\Symbols\exe\ntoskrnl.pdb Loaded symbol image file: ntoskrnl.exe Image path: ntoskrnl.exe Image name: ntoskrnl.exe Timestamp: Sun Apr 13 11:31:06 2008 (4802516A) CheckSum: 001F442E ImageSize: 0020D000 Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0 ERROR 1 INFO; Event Type: Error Event Source: System Error Event Category: (102) Event ID: 1003 Date: 7/22/2008 Time: 8:16:45 AM User: N/A Computer: STEPHEN-DE5B952 Description: Error code 0000001a, parameter1 00041284, parameter2 00136001, parameter3 000006ca, parameter4 c0883000. 
ERROR 1 DETAILS; Product: Windows Operating System ID: 1003 Source: System Error Version: 5.2 Symbolic Name: ER_KRNLCRASH_LOG Message: Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5. SAVE DUMP 2 INFO; Event Type: Information Event Source: Save Dump Event Category: None Event ID: 1001 Date: 7/22/2008 Time: 4:15:30 PM User: N/A Computer: STEPHEN-DE5B952 Description: The computer has rebooted from a bugcheck. The bugcheck was: 0x1000000a (0x00000020, 0x00000002, 0x00000000, 0x805153db). A dump was saved in: C:\WINDOWS\Minidump\Mini072208-02.dmp. SAVEDUP 2 DETAILS; Product: Windows Operating System ID: 1001 Source: Save Dump Version: 5.2 Symbolic Name: EVENT_BUGCHECK_SAVED Message: The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was saved in: %2. DEBUG INFO FOR SAVEDUMP 2; Loading Dump File [C:\WINDOWS\Minidump\Mini072208-02.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: C:\WINDOWS\Symbols Executable search path is: Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Tue Jul 22 16:14:41.203 2008 (GMT-7) System Uptime: 0 days 7:58:33.172 Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Loading Kernel Symbols ...........
Loading User Symbols Loading unloaded module list .............. ****** ****** * * * Bugcheck Analysis * * * ****** ****** Use !analyze -v to get detailed debugging information. BugCheck 1000000A, {20, 2, 0, 805153db} Probably caused by : memory_corruption ( nt!MiInsertStandbyListAtFront+7 ) Followup: MachineOwner --------- 0: kd> !analyze -v ****** ****** * * * Bugcheck Analysis * * * ****** ****** IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: 00000020, memory referenced Arg2: 00000002, IRQL Arg3: 00000000, bitfield : bit 0 : value 0 = read operation, 1 = write operation bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status) Arg4: 805153db, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: 00000020 CURRENT_IRQL: 2 FAULTING_IP: nt!MiInsertStandbyListAtFront+7 805153db 8b4320 mov eax,dword ptr [ebx+20h] CUSTOMER_CRASH_COUNT: 2 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xA PROCESS_NAME: System LAST_CONTROL_TRANSFER: from 00000000 to 805153db STACK_TEXT: bacf7ac4 00000000 000004c0 88a44ca0 c5020000 nt!MiInsertStandbyListAtFront+0x7 STACK_COMMAND: kb FOLLOWUP_IP: nt!MiInsertStandbyListAtFront+7 805153db 8b4320 mov eax,dword ptr [ebx+20h] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!MiInsertStandbyListAtFront+7 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a IMAGE_NAME: memory_corruption FAILURE_BUCKET_ID: 0xA_nt!MiInsertStandbyListAtFront+7 BUCKET_ID: 0xA_nt!MiInsertStandbyListAtFront+7 Followup: MachineOwner --------- 0: kd> lmvm nt start end module name 804d7000 806e4000 nt M (pdb symbols) C:\WINDOWS\Symbols\exe\ntoskrnl.pdb Loaded symbol image file: ntoskrnl.exe Image path: ntoskrnl.exe Image name: 
ntoskrnl.exe Timestamp: Sun Apr 13 11:31:06 2008 (4802516A) CheckSum: 001F442E ImageSize: 0020D000 Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0 ERROR 2 INFO; Event Type: Error Event Source: System Error Event Category: (102) Event ID: 1003 Date: 7/22/2008 Time: 4:16:05 PM User: N/A Computer: STEPHEN-DE5B952 Description: Error code 1000000a, parameter1 00000020, parameter2 00000002, parameter3 00000000, parameter4 805153db. ERROR 2 DETAILS; Product: Windows Operating System ID: 1003 Source: System Error Version: 5.2 Symbolic Name: ER_KRNLCRASH_LOG Message: Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5. SAVEDUMP 3 INFO; Event Type: Information Event Source: Save Dump Event Category: None Event ID: 1001 Date: 7/22/2008 Time: 7:01:57 PM User: N/A Computer: STEPHEN-DE5B952 Description: The computer has rebooted from a bugcheck. The bugcheck was: 0x100000d1 (0x00000004, 0x00000002, 0x00000001, 0xb65e7625). A dump was saved in: C:\WINDOWS\Minidump\Mini072208-03.dmp. SAVEDUMP 3 DETAILS; Product: Windows Operating System ID: 1001 Source: Save Dump Version: 5.2 Symbolic Name: EVENT_BUGCHECK_SAVED Message: The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was saved in: %2. Currently there are no Microsoft Knowledge Base articles available for this specific error or event message. DEBUG INFO FOR SAVEDUMP 3; Microsoft ® Windows Debugger Version 6.9.0003.113 X86 Copyright © Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini072208-03.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: C:\WINDOWS\Symbols Executable search path is: Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Tue Jul 22 19:01:11.453 2008 (GMT-7) System Uptime: 0 days 2:46:00.076 Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Loading Kernel Symbols ............... Loading User Symbols Loading unloaded module list .................. Unable to load image afd.sys, Win32 error 0n2 ****** ****** * * * Bugcheck Analysis * * * ******* ******* Use !analyze -v to get detailed debugging information. BugCheck 100000D1, {4, 2, 1, b65e7625} Unable to load image msfwhlpr.sys, Win32 error 0n2 *** WARNING: Unable to verify timestamp for msfwhlpr.sys *** ERROR: Module load completed but symbols could not be loaded for msfwhlpr.sys *** WARNING: Unable to verify timestamp for tcpip.sys Unable to load image TDI.SYS, Win32 error 0n2 *** WARNING: Unable to verify timestamp for TDI.SYS Probably caused by : msfwhlpr.sys ( msfwhlpr+11922 ) Followup: MachineOwner --------- 1: kd> !analyze -v ****** ****** * * * Bugcheck Analysis * * * ****** ****** DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. 
Arguments: Arg1: 00000004, memory referenced Arg2: 00000002, IRQL Arg3: 00000001, value 0 = read operation, 1 = write operation Arg4: b65e7625, address which referenced memory Debugging Details: ------------------ WRITE_ADDRESS: 00000004 CURRENT_IRQL: 2 FAULTING_IP: afd!AfdIndicatePollEventReal+d6 b65e7625 894804 mov dword ptr [eax+4],ecx CUSTOMER_CRASH_COUNT: 3 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xD1 PROCESS_NAME: System LAST_CONTROL_TRANSFER: from b65f29fd to b65e7625 STACK_TEXT: bad038cc b65f29fd 88c53640 00000001 00000000 afd!AfdIndicatePollEventReal+0xd6 bad03900 b66d4922 bad03a9c b66d4922 88c53640 afd!AfdPoll+0xe2 WARNING: Stack unwind information not available. Following frames may be wrong. bad039f4 b66d4b41 88cb3358 00000016 bad03aac msfwhlpr+0x11922 bad03a2c b665986c 88cb3358 00000016 bad03aac msfwhlpr+0x11b41 bad03ac8 b6663d35 88c44278 0100007f 00002504 tcpip!UDPDeliver+0x1be bad03b20 b6658ef5 8a2abd50 0100007f 0100007f tcpip!TCPRcv+0xe41 bad03b80 b6658b19 00000020 8a2abd50 b6659592 tcpip!DeliverToUser+0x18e bad03bfc b6658836 b66988f0 8a2abd50 bad03d18 tcpip!DeliverToUserEx+0x95e bad03cb4 b6664ce6 8a2abd50 bad03d2c 00000009 tcpip!IPRcvPacket+0x6cb bad03d60 babe83e4 b6698680 8a2abd50 b6698690 tcpip!TCPRcv+0x10fa bad03d7c 8053876d 8a2abd50 00000000 8a535da8 TDI!CTEpEventHandler+0x32 bad03dac 805cff64 b6698680 00000000 00000000 nt!MiTrimPte+0x1ee bad03ddc 805460de 8053867e 00000001 00000000 nt!IopQueryReconfiguration+0x17 bad03df8 00000000 00000000 00000000 00001f80 nt!ExpRemovePoolTracker+0x6b STACK_COMMAND: kb FOLLOWUP_IP: msfwhlpr+11922 b66d4922 ?? ??? 
SYMBOL_STACK_INDEX: 2 SYMBOL_NAME: msfwhlpr+11922 FOLLOWUP_NAME: MachineOwner MODULE_NAME: msfwhlpr IMAGE_NAME: msfwhlpr.sys DEBUG_FLR_IMAGE_TIMESTAMP: 474d104c FAILURE_BUCKET_ID: 0xD1_W_msfwhlpr+11922 BUCKET_ID: 0xD1_W_msfwhlpr+11922 Followup: MachineOwner --------- 1: kd> lmvm msfwhlpr start end module name b66c3000 b66dd280 msfwhlpr T (no symbols) Loaded symbol image file: msfwhlpr.sys Image path: msfwhlpr.sys Image name: msfwhlpr.sys Timestamp: Tue Nov 27 22:53:00 2007 (474D104C) CheckSum: 00029480 ImageSize: 0001A280 Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0 ERROR 3 INFO; Event Type: Error Event Source: System Error Event Category: (102) Event ID: 1003 Date: 7/22/2008 Time: 8:55:33 PM User: N/A Computer: STEPHEN-DE5B952 Description: Error code 100000d1, parameter1 00000004, parameter2 00000002, parameter3 00000001, parameter4 b65e7625. ERROR 3 DETAILS; Product: Windows Operating System ID: 1003 Source: System Error Version: 5.2 Symbolic Name: ER_KRNLCRASH_LOG Message: Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5. SAVE DUMP 4 INFO; Event Type: Information Event Source: Save Dump Event Category: None Event ID: 1001 Date: 7/24/2008 Time: 9:59:56 PM User: N/A Computer: STEPHEN-DE5B952 Description: The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c1 (0x8bb6ee28, 0x8bb6e7b6, 0x00d101d8, 0x00000023). A dump was saved in: C:\WINDOWS\Minidump\Mini072408-01.dmp.
DEBUG INFO; Loading Dump File [C:\WINDOWS\Minidump\Mini072408-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: C:\WINDOWS\Symbols Executable search path is: Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Thu Jul 24 21:43:09.953 2008 (GMT-7) System Uptime: 0 days 14:24:45.922 Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Loading Kernel Symbols .............. Loading User Symbols Loading unloaded module list ................... ****** ****** * * * Bugcheck Analysis * * * ****** ****** Use !analyze -v to get detailed debugging information. BugCheck C1, {8bb6ee28, 8bb6e7b6, d101d8, 23} Probably caused by : ntoskrnl.exe ( nt!_woutput+404 ) Followup: MachineOwner --------- 3: kd> !analyze -v ****** ****** * * * Bugcheck Analysis * * * ****** ****** SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1) Special pool has detected memory corruption. Typically the current thread's stack backtrace will reveal the guilty party. 
Arguments: Arg1: 8bb6ee28, address trying to free Arg2: 8bb6e7b6, address where bits are corrupted Arg3: 00d101d8, (reserved) Arg4: 00000023, caller is freeing an address where nearby bytes within the same page have been corrupted Debugging Details: ------------------ BUGCHECK_STR: 0xC1_23 SPECIAL_POOL_CORRUPTION_TYPE: 23 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: winlogon.exe LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33 STACK_TEXT: b70f7804 8066dd94 000000c1 8bb6ee28 8bb6e7b6 nt!_woutput+0x404 b70f7850 8054b32a 8bb6ee28 b70f78d3 88b3beb8 nt!VerifierKeAcquireSpinLock+0x24 b70f7890 8065f1f6 8bb6ee28 00000000 8065f391 nt!MiReserveAlignedSystemPtes+0x122 b70f78b8 80658071 00000000 8bb6ee28 b70f791c nt!MiPhysicalViewInserter+0x33 b70f78c8 804f4e35 8bb6ee28 8bb6ee68 899a25c8 nt!HvRefreshHive+0x419 b70f791c 804ff843 8bb6ee68 b70f7968 b70f795c nt!CcPurgeCacheSection+0x62 b70f796c 80503854 00000000 00000000 00000000 nt!CcPerformReadAhead+0x155 b70f79bc 805c0a37 00000040 b70f7bf0 00000001 nt!WmipEnterCritSection+0x1e b70f7d48 8054161c 00000040 00eb6e60 00000001 nt!IopDriverLoadingFailed+0x4bf b70f7d64 7c90e4f4 badb0d00 00d2ff54 00000000 nt!RtlIpv4StringToAddressExW+0x9d WARNING: Frame IP not in any known module. Following frames may be wrong. 
b70f7d78 00000000 00000000 00000000 00000000 0x7c90e4f4 STACK_COMMAND: kb FOLLOWUP_IP: nt!_woutput+404 804f9f33 5d pop ebp SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!_woutput+404 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntoskrnl.exe DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a FAILURE_BUCKET_ID: 0xC1_23_nt!_woutput+404 BUCKET_ID: 0xC1_23_nt!_woutput+404 Followup: MachineOwner --------- 3: kd> lmvm nt start end module name 804d7000 806e4000 nt M (pdb symbols) C:\WINDOWS\Symbols\exe\ntoskrnl.pdb Loaded symbol image file: ntoskrnl.exe Image path: ntoskrnl.exe Image name: ntoskrnl.exe Timestamp: Sun Apr 13 11:31:06 2008 (4802516A) CheckSum: 001F442E ImageSize: 0020D000 Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0 SAVE DUMP 5 INFO; Event Type: Information Event Source: Save Dump Event Category: None Event ID: 1001 Date: 7/25/2008 Time: 8:32:32 AM User: N/A Computer: STEPHEN-DE5B952 Description: The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c1 (0x8a9d4f00, 0x8a9d412e, 0x00a90100, 0x00000023). A dump was saved in: C:\WINDOWS\Minidump\Mini072508-01.dmp. DETAILS; Product: Windows Operating System ID: 1001 Source: Save Dump Version: 5.2 Symbolic Name: EVENT_BUGCHECK_SAVED Message: The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was saved in: %2. 
BUGCHECK INFO; Loading Dump File [C:\WINDOWS\Minidump\Mini072508-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: C:\WINDOWS\Symbols Executable search path is: Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Fri Jul 25 07:55:33.031 2008 (GMT-7) System Uptime: 0 days 9:13:19.626 Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Loading Kernel Symbols ................. Loading User Symbols Loading unloaded module list ............ ****** ****** * * * Bugcheck Analysis * * * ***** ****** Use !analyze -v to get detailed debugging information. BugCheck C1, {8a9d4f00, 8a9d412e, a90100, 23} Probably caused by : ntoskrnl.exe ( nt!_woutput+404 ) Followup: MachineOwner --------- 1: kd> !analyze -v ************** ************** * * * Bugcheck Analysis * * * ******** ******** SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1) Special pool has detected memory corruption. Typically the current thread's stack backtrace will reveal the guilty party. 
Arguments: Arg1: 8a9d4f00, address trying to free Arg2: 8a9d412e, address where bits are corrupted Arg3: 00a90100, (reserved) Arg4: 00000023, caller is freeing an address where nearby bytes within the same page have been corrupted Debugging Details: ------------------ BUGCHECK_STR: 0xC1_23 SPECIAL_POOL_CORRUPTION_TYPE: 23 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: winss.exe LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33 STACK_TEXT: b66b6b44 8066dd94 000000c1 8a9d4f00 8a9d412e nt!_woutput+0x404 b66b6b90 8054b32a 8a9d4f00 b66b6c13 884b4008 nt!VerifierKeAcquireSpinLock+0x24 b66b6bd0 8065f1f6 8a9d4f00 00000000 8065f391 nt!MiReserveAlignedSystemPtes+0x122 b66b6bf8 80658071 00000000 8a9d4f00 b66b6c5c nt!MiPhysicalViewInserter+0x33 b66b6c08 804f4e35 8a9d4f00 8a9d4f40 88dbf598 nt!HvRefreshHive+0x419 b66b6c5c 804ff843 8a9d4f40 b66b6ca8 b66b6c9c nt!CcPurgeCacheSection+0x62 b66b6cac 80503854 00000000 00000000 00000000 nt!CcPerformReadAhead+0x155 b66b6cec 805c0750 00000001 00000006 01c8ee01 nt!WmipEnterCritSection+0x1e b66b6d50 8054161c 00000c98 00000001 b66b6d1c nt!IoAssignDriveLetters+0x8c9 b66b6d64 7c90e4f4 badb0d00 0550fad8 b66b6d98 nt!RtlIpv4StringToAddressExW+0x9d WARNING: Frame IP not in any known module. Following frames may be wrong. 
b66b6d78 00000000 00000000 00000000 00000000 0x7c90e4f4 STACK_COMMAND: kb FOLLOWUP_IP: nt!_woutput+404 804f9f33 5d pop ebp SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!_woutput+404 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntoskrnl.exe DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a FAILURE_BUCKET_ID: 0xC1_23_nt!_woutput+404 BUCKET_ID: 0xC1_23_nt!_woutput+404 Followup: MachineOwner --------- 1: kd> lmvm nt start end module name 804d7000 806e4000 nt M (pdb symbols) C:\WINDOWS\Symbols\exe\ntoskrnl.pdb Loaded symbol image file: ntoskrnl.exe Image path: ntoskrnl.exe Image name: ntoskrnl.exe Timestamp: Sun Apr 13 11:31:06 2008 (4802516A) CheckSum: 001F442E ImageSize: 0020D000 Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0 ERROR 4 DETAILS; Event Type: Error Event Source: System Error Event Category: (102) Event ID: 1003 Date: 7/25/2008 Time: 8:33:16 AM User: N/A Computer: STEPHEN-DE5B952 Description: Error code 000000c1, parameter1 8a9d4f00, parameter2 8a9d412e, parameter3 00a90100, parameter4 00000023. Details Product: Windows Operating System ID: 1003 Source: System Error Version: 5.2 Symbolic Name: ER_KRNLCRASH_LOG Message: Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5. -- Ross McLaughlin koolaid_51 at yahoo
Guest Ross Posted July 25, 2008

RE: Multiple save dumps (with debug info)

More Info. I have installed all Microsoft updates, except IE7. Windows Live OneCare is installed. Have run CCleaner, & Spybot Search and Destroy. They are all updated and none run on startup except Live OneCare. The failure has happened at random times as well as when I'm doing a virus/spyware scan with any of the tools mentioned.

-- Ross McLaughlin koolaid_51 at yahoo
Guest Rey Santos Posted July 26, 2008

RE: Multiple save dumps (with debug info)

I think there is something wrong:

Your Symbol search path is: C:\WINDOWS\Symbols
Your Executable search path is (Image path): Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe

I used these:
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is (Image path): c:\windows\i386

At the command prompt I used this:
windbg -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i c:\windows\i386 -z c:\windows\minidump\Mini072508-01.dmp
(while connected to the internet)
Note: I used here your last dump file.

For instructions:
How to read the small memory dump files that Windows creates for debugging
http://support.microsoft.com/kb/315263

Tip:
Look for the "Probably caused by:", "MODULE_NAME:" and "IMAGE_NAME:" headings. This is the program that caused the error. Sometimes when it's a device driver it means that that device is causing the BSOD and by disabling (Uninstalling) it or updating the driver your system will run stable. If you don't know what device that name relates to then Google it.

--
Rey
Guest Ross Posted July 28, 2008

RE: Multiple save dumps (with debug info)

Thank you for the assistance. I set the parameters in WinDbg like you said but could not get the Command Prompt to respond to the entries given. I set them up directly in the WinDbg Program and ran the debug from there. Results are below.

Also the system failed to bluescreen three times already today and left no trace in the system log or the minidump file. Weird...

The results show the issue in "win32.sys". I googled like you said and got varied results but not that directly related to my issue.

Thanks again.
Ross-

Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\Mini072508-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\Windows\I386
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Fri Jul 25 17:02:11.390 2008 (GMT-7)
System Uptime: 0 days 5:05:20.999
Loading Kernel Symbols
....................................................................................................................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C1, {8b488eb8, 8b488816, 390148, 23}

Probably caused by : win32k.sys ( win32k!RawInputThread+4f3 )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)
Special pool has detected memory corruption. Typically the current thread's stack backtrace will reveal the guilty party.
Arguments:
Arg1: 8b488eb8, address trying to free
Arg2: 8b488816, address where bits are corrupted
Arg3: 00390148, (reserved)
Arg4: 00000023, caller is freeing an address where nearby bytes within the same page have been corrupted

Debugging Details:
------------------

BUGCHECK_STR: 0xC1_23
SPECIAL_POOL_CORRUPTION_TYPE: 23
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33

STACK_TEXT:
baaf7944 8066dd94 000000c1 8b488eb8 8b488816 nt!KeBugCheckEx+0x1b
baaf7990 8054b32a 8b488eb8 baaf7a13 88bea358 nt!MmFreeSpecialPool+0x2f4
baaf79d0 8065f1f6 8b488eb8 00000000 8065f391 nt!ExFreePoolWithTag+0x4a
baaf79dc 8065f391 8b488ef8 8b488eb8 00000000 nt!VfIrpFree+0xc
baaf79f8 80658071 8a1feda8 8a1feddc baaf7a14 nt!VerifierIoFreeIrp+0x129
baaf7a08 8057ede9 8b488eb8 baaf7a64 804ff896 nt!IovFreeIrpPrivate+0x41
baaf7a14 804ff896 8b488ef8 baaf7a60 baaf7a54 nt!IopUserCompletion+0x11
baaf7a64 80503854 00000000 00000000 00000000 nt!KiDeliverApc+0x106
baaf7a7c 804fad88 80500254 00000001 00000000 nt!KiSwapThread+0xa8
baaf7ab4 bf89fcb5 00000007 8a2dc108 00000001 nt!KeWaitForMultipleObjects+0x284
baaf7d30 bf884705 baac7490 00000002 baaf7d54 win32k!RawInputThread+0x4f3
baaf7d40 bf80110a baac7490 baaf7d64 006efff4 win32k!xxxCreateSystemThreads+0x60
baaf7d54 8054161c 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23
baaf7d54 7c90e4f4 00000000 00000022 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0x7c90e4f4

STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!RawInputThread+4f3
bf89fcb5 391df0b29abf cmp dword ptr [win32k!gdwUpdateKeyboard (bf9ab2f0)],ebx

SYMBOL_STACK_INDEX: a
SYMBOL_NAME: win32k!RawInputThread+4f3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48025f2a
FAILURE_BUCKET_ID: 0xC1_23_win32k!RawInputThread+4f3
BUCKET_ID: 0xC1_23_win32k!RawInputThread+4f3

Followup: MachineOwner
---------

2: kd> lmvm win32k
start end module name
bf800000 bf9c2980 win32k # (pdb symbols) c:\symbols\win32k.pdb\B8354F59A2A341179030B80ACC7969972\win32k.pdb
Loaded symbol image file: win32k.sys
Mapped memory image file: c:\symbols\win32k.sys\48025F2A1c2980\win32k.sys
Image path: \SystemRoot\System32\win32k.sys
Image name: win32k.sys
Timestamp: Sun Apr 13 12:29:46 2008 (48025F2A)
CheckSum: 001CC002
ImageSize: 001C2980
File version: 5.1.2600.5512
Product version: 5.1.2600.5512
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0405.04b0
CompanyName: Microsoft Corporation
ProductName: Operační systém Microsoft® Windows®
InternalName: win32k.sys
OriginalFilename: win32k.sys
ProductVersion: 5.1.2600.5512
FileVersion: 5.1.2600.5512 (xpsp.080413-2105)
FileDescription: Multi-User Win32 Driver
LegalCopyright: © Microsoft Corporation. Všechna práva vyhrazena.
--
Ross McLaughlin
koolaid_51 at yahoo
Guest Ross Posted July 28, 2008

RE: Multiple save dumps (with debug info)

I also did repair one problem on Friday. I went back to the user's manual for my motherboard and read it from cover to cover. In the product specifications I noticed a note that stated:

"To enable hot plug capability for the SATA connectors (SATAll0, SATAll1, SATAll4, SATAll5) controlled by the ICH9 South Bridge, you must install Windows Vista (on ICH9, hot plug is supported in windows vista only) and configure the SATA connectors for AHCI mode."

I went into the BIOS and remedied the problem for Windows XP by enabling the SATA controllers to operate in native IDE mode as per the motherboard instructions. This was the only problem I found going through all the user manuals for the system.

Then today it blue screened 4 times now and won't leave any minidump info, or any info in the system log.

Thanks again
Ross-

Here are all 6 minidumps prior to today:

#1 Savedump:

Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\Mini072208-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\Windows\I386
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Jul 22 08:15:38.140 2008 (GMT-7)
System Uptime: 0 days 6:00:50.734
Loading Kernel Symbols
...
Loading User Symbols
Loading unloaded module list
...
* Bugcheck Analysis *

Use !analyze -v to get detailed debugging information.
BugCheck 1A, {41284, 136001, 6ca, c0883000} Probably caused by : memory_corruption ( nt!MiLocateWsle+c1 ) Followup: MachineOwner 2: kd> !analyze -v ** * * * Bugcheck Analysis * * * * MEMORY_MANAGEMENT (1a) # Any other values for parameter 1 must be individually examined. Arguments: Arg1: 00041284, A PTE or the working set list is corrupt. Arg2: 00136001 Arg3: 000006ca Arg4: c0883000 Debugging Details: BUGCHECK_STR: 0x1a_41284 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: GtCC.exe LAST_CONTROL_TRANSFER: from 80523309 to 804f9f33 STACK_TEXT: b5fd3af4 80523309 0000001a 00041284 00136001 nt!KeBugCheckEx+0x1b b5fd3b2c 80523b8f 000006ca 00136000 c0600000 nt!MiLocateWsle+0xc1 b5fd3b60 80523fa8 c00009b0 00136000 00000000 nt!MiDeletePte+0x1fd b5fd3c28 805135b6 00000530 0018ffff 00000000 nt!MiDeleteVirtualAddresses+0x164 b5fd3c68 805d2706 01b6da18 88b93020 88b93268 nt!MmCleanProcessAddressSpace+0x262 b5fd3d08 805d28c8 00000000 88b93020 00000000 nt!PspExitThread+0x680 b5fd3d28 805d2aa3 88b93020 00000000 b5fd3d64 nt!PspTerminateThreadByPointer+0x52 b5fd3d54 8054161c 00000000 00000000 0006fed0 nt!NtTerminateProcess+0x105 b5fd3d54 7c90e4f4 00000000 00000000 0006fed0 nt!KiFastCallEntry+0xfc WARNING: Frame IP not in any known module. Following frames may be wrong. 
0006fed0 00000000 00000000 00000000 00000000 0x7c90e4f4 STACK_COMMAND: kb FOLLOWUP_IP: nt!MiLocateWsle+c1 80523309 2b45f0 sub eax,dword ptr [ebp-10h] SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: nt!MiLocateWsle+c1 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a IMAGE_NAME: memory_corruption FAILURE_BUCKET_ID: 0x1a_41284_nt!MiLocateWsle+c1 BUCKET_ID: 0x1a_41284_nt!MiLocateWsle+c1 Followup: MachineOwner 2: kd> lmvm nt start end module name 804d7000 806e4000 nt # (pdb symbols) c:\symbols\ntkrpamp.pdb\7D6290E03E32455BB0E035E38816124F1\ntkrpamp.pdb Loaded symbol image file: ntkrpamp.exe Mapped memory image file: c:\symbols\ntkrpamp.exe\4802516A20d000\ntkrpamp.exe Image path: ntkrpamp.exe Image name: ntkrpamp.exe Timestamp: Sun Apr 13 11:31:06 2008 (4802516A) CheckSum: 001F442E ImageSize: 0020D000 File version: 5.1.2600.5512 Product version: 5.1.2600.5512 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 1.0 App File date: 00000000.00000000 Translations: 040c.04b0 CompanyName: Microsoft Corporation ProductName: Système d'exploitation Microsoft® Windows® InternalName: ntkrpamp.exe OriginalFilename: ntkrpamp.exe ProductVersion: 5.1.2600.5512 FileVersion: 5.1.2600.5512 (xpsp.080413-2111) FileDescription: Noyau et système NT LegalCopyright: © Microsoft Corporation. Tous droits réservés. #2 Savedump: Microsoft ® Windows Debugger Version 6.9.0003.113 X86 Copyright © Microsoft Corporation. All rights reserved. 
Loading Dump File [C:\WINDOWS\Minidump\Mini072208-02.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: C:\Windows\I386 Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp.080413-2111 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Tue Jul 22 16:14:41.203 2008 (GMT-7) System Uptime: 0 days 7:58:33.172 Loading Kernel Symbols ... Loading User Symbols Loading unloaded module list * * * * Bugcheck Analysis * * * Use !analyze -v to get detailed debugging information. BugCheck 1000000A, {20, 2, 0, 805153db} Probably caused by : memory_corruption ( nt!MiResolveMappedFileFault+37 ) Followup: MachineOwner 0: kd> !analyze -v ** * * * Bugcheck Analysis * * * IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. 
Arguments: Arg1: 00000020, memory referenced Arg2: 00000002, IRQL Arg3: 00000000, bitfield : bit 0 : value 0 = read operation, 1 = write operation bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status) Arg4: 805153db, address which referenced memory Debugging Details: READ_ADDRESS: 00000020 CURRENT_IRQL: 2 FAULTING_IP: nt!MiResolveMappedFileFault+37 805153db 8b4320 mov eax,dword ptr [ebx+20h] CUSTOMER_CRASH_COUNT: 2 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xA PROCESS_NAME: System LAST_CONTROL_TRANSFER: from 80516349 to 805153db STACK_TEXT: bacf7af0 80516349 c5021000 e4abd308 bacf7bb4 nt!MiResolveMappedFileFault+0x37 bacf7b34 8051650f 00000000 c5021000 c0628108 nt!MiResolveProtoPteFault+0x195 bacf7bb8 80520239 e4abd308 c5021000 c0628108 nt!MiDispatchFault+0xf1 bacf7c24 8051b061 00000000 c5021000 00000000 nt!MmAccessFault+0x877 bacf7c84 804e1ac9 c5021000 00000000 80559698 nt!MmCheckCachedPageState+0x601 bacf7d34 804e70ec 8a5360a8 80564820 8a536398 nt!CcPerformReadAhead+0x20b bacf7d7c 8053876d 8a5360a8 00000000 8a536398 nt!CcWorkerThread+0x150 bacf7dac 805cff64 8a5360a8 00000000 00000000 nt!ExpWorkerThread+0xef bacf7ddc 805460de 8053867e 00000000 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: kb FOLLOWUP_IP: nt!MiResolveMappedFileFault+37 805153db 8b4320 mov eax,dword ptr [ebx+20h] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!MiResolveMappedFileFault+37 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a IMAGE_NAME: memory_corruption FAILURE_BUCKET_ID: 0xA_nt!MiResolveMappedFileFault+37 BUCKET_ID: 0xA_nt!MiResolveMappedFileFault+37 Followup: MachineOwner 0: kd> lmvm nt start end module name 804d7000 806e4000 nt # (pdb symbols) c:\symbols\ntkrpamp.pdb\7D6290E03E32455BB0E035E38816124F1\ntkrpamp.pdb Loaded symbol image file: ntkrpamp.exe Mapped memory image file: 
c:\symbols\ntkrpamp.exe\4802516A20d000\ntkrpamp.exe Image path: ntkrpamp.exe Image name: ntkrpamp.exe Timestamp: Sun Apr 13 11:31:06 2008 (4802516A) CheckSum: 001F442E ImageSize: 0020D000 File version: 5.1.2600.5512 Product version: 5.1.2600.5512 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 1.0 App File date: 00000000.00000000 Translations: 040c.04b0 CompanyName: Microsoft Corporation ProductName: Système d'exploitation Microsoft® Windows® InternalName: ntkrpamp.exe OriginalFilename: ntkrpamp.exe ProductVersion: 5.1.2600.5512 FileVersion: 5.1.2600.5512 (xpsp.080413-2111) FileDescription: Noyau et système NT LegalCopyright: © Microsoft Corporation. Tous droits réservés. #3 Savedump: Microsoft ® Windows Debugger Version 6.9.0003.113 X86 Copyright © Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini072208-03.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: C:\Windows\I386 Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp.080413-2111 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Tue Jul 22 19:01:11.453 2008 (GMT-7) System Uptime: 0 days 2:46:00.076 Loading Kernel Symbols Loading User Symbols Loading unloaded module list * * * Bugcheck Analysis * * * Use !analyze -v to get detailed debugging information. BugCheck 100000D1, {4, 2, 1, b65e7625} Probably caused by : afd.sys ( afd!AfdIndicatePollEventReal+d6 ) Followup: MachineOwner 1: kd> !analyze -v * * * * Bugcheck Analysis * * * DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. 
Arguments: Arg1: 00000004, memory referenced Arg2: 00000002, IRQL Arg3: 00000001, value 0 = read operation, 1 = write operation Arg4: b65e7625, address which referenced memory Debugging Details: WRITE_ADDRESS: 00000004 CURRENT_IRQL: 2 FAULTING_IP: afd!AfdIndicatePollEventReal+d6 b65e7625 894804 mov dword ptr [eax+4],ecx CUSTOMER_CRASH_COUNT: 3 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xD1 PROCESS_NAME: System LAST_CONTROL_TRANSFER: from b65f29fd to b65e7625 STACK_TEXT: bad038cc b65f29fd 88c53640 00000001 00000000 afd!AfdIndicatePollEventReal+0xd6 88987ed0 0169fc18 000004f0 00000102 0169fc2c afd!AfdReceiveDatagramEventHandler+0x334 WARNING: Frame IP not in any known module. Following frames may be wrong. 88987f00 00000000 00000000 00000000 8a4e5100 0x169fc18 STACK_COMMAND: kb FOLLOWUP_IP: afd!AfdIndicatePollEventReal+d6 b65e7625 894804 mov dword ptr [eax+4],ecx SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: afd!AfdIndicatePollEventReal+d6 FOLLOWUP_NAME: MachineOwner MODULE_NAME: afd IMAGE_NAME: afd.sys DEBUG_FLR_IMAGE_TIMESTAMP: 485b9717 FAILURE_BUCKET_ID: 0xD1_W_afd!AfdIndicatePollEventReal+d6 BUCKET_ID: 0xD1_W_afd!AfdIndicatePollEventReal+d6 Followup: MachineOwner 1: kd> lmvm afd start end module name b65e7000 b6608d00 afd (pdb symbols) c:\symbols\afd.pdb\491744C6AD9046AC93AF268B8A1A492D2\afd.pdb Loaded symbol image file: afd.sys Mapped memory image file: c:\symbols\afd.sys\485B971721d00\afd.sys Image path: afd.sys Image name: afd.sys Timestamp: Fri Jun 20 04:40:07 2008 (485B9717) CheckSum: 0002B10D ImageSize: 00021D00 File version: 5.1.2600.5625 Product version: 5.1.2600.5625 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 3.7 Driver File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Microsoft Corporation ProductName: Microsoft® Windows® Operating System InternalName: afd.sys OriginalFilename: afd.sys ProductVersion: 5.1.2600.5625 FileVersion: 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) FileDescription: Ancillary Function Driver for WinSock 
LegalCopyright: © Microsoft Corporation. All rights reserved. #4 Savedump: Microsoft ® Windows Debugger Version 6.9.0003.113 X86 Copyright © Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini072408-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: C:\Windows\I386 Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp.080413-2111 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Thu Jul 24 21:43:09.953 2008 (GMT-7) System Uptime: 0 days 14:24:45.922 Loading Kernel Symbols Loading User Symbols Loading unloaded module list ** * * * Bugcheck Analysis * * * ** ** Use !analyze -v to get detailed debugging information. BugCheck C1, {8bb6ee28, 8bb6e7b6, d101d8, 23} Probably caused by : memory_corruption ( nt!MmFreeSpecialPool+2f4 ) Followup: MachineOwner -- 3: kd> !analyze -v ** ** * * * Bugcheck Analysis * * * ** ** SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1) Special pool has detected memory corruption. Typically the current thread's stack backtrace will reveal the guilty party. 
Arguments: Arg1: 8bb6ee28, address trying to free Arg2: 8bb6e7b6, address where bits are corrupted Arg3: 00d101d8, (reserved) Arg4: 00000023, caller is freeing an address where nearby bytes within the same page have been corrupted Debugging Details: -- BUGCHECK_STR: 0xC1_23 SPECIAL_POOL_CORRUPTION_TYPE: 23 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: winlogon.exe IRP_ADDRESS: 8bb6ee28 LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33 STACK_TEXT: b70f7804 8066dd94 000000c1 8bb6ee28 8bb6e7b6 nt!KeBugCheckEx+0x1b b70f7850 8054b32a 8bb6ee28 b70f78d3 88b3beb8 nt!MmFreeSpecialPool+0x2f4 b70f7890 8065f1f6 8bb6ee28 00000000 8065f391 nt!ExFreePoolWithTag+0x4a b70f789c 8065f391 8a3894b0 8bb6ee28 00000000 nt!VfIrpFree+0xc b70f78b8 80658071 00000000 8bb6ee28 b70f791c nt!VerifierIoFreeIrp+0x129 b70f78c8 804f4e35 8bb6ee28 8bb6ee68 899a25c8 nt!IovFreeIrpPrivate+0x41 b70f791c 804ff843 8bb6ee68 b70f7968 b70f795c nt!IopCompleteRequest+0x319 b70f796c 80503854 00000000 00000000 00000000 nt!KiDeliverApc+0xb3 b70f7984 804fad88 899a25c8 00000040 000000fc nt!KiSwapThread+0xa8 b70f79bc 805c0a37 00000040 b70f7bf0 00000001 nt!KeWaitForMultipleObjects+0x284 b70f7d48 8054161c 00000040 00eb6e60 00000001 nt!NtWaitForMultipleObjects+0x297 b70f7d48 7c90e4f4 00000040 00eb6e60 00000001 nt!KiFastCallEntry+0xfc WARNING: Frame IP not in any known module. Following frames may be wrong. 
00d2ffb4 00000000 00000000 00000000 00000000 0x7c90e4f4 STACK_COMMAND: kb FOLLOWUP_IP: nt!MmFreeSpecialPool+2f4 8066dd94 8b4708 mov eax,dword ptr [edi+8] SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: nt!MmFreeSpecialPool+2f4 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a IMAGE_NAME: memory_corruption FAILURE_BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2f4 BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2f4 Followup: MachineOwner -- 3: kd> lmvm nt start end module name 804d7000 806e4000 nt # (pdb symbols) c:\symbols\ntkrpamp.pdb\7D6290E03E32455BB0E035E38816124F1\ntkrpamp.pdb Loaded symbol image file: ntkrpamp.exe Mapped memory image file: c:\symbols\ntkrpamp.exe\4802516A20d000\ntkrpamp.exe Image path: ntkrpamp.exe Image name: ntkrpamp.exe Timestamp: Sun Apr 13 11:31:06 2008 (4802516A) CheckSum: 001F442E ImageSize: 0020D000 File version: 5.1.2600.5512 Product version: 5.1.2600.5512 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 1.0 App File date: 00000000.00000000 Translations: 040c.04b0 CompanyName: Microsoft Corporation ProductName: Système d'exploitation Microsoft® Windows® InternalName: ntkrpamp.exe OriginalFilename: ntkrpamp.exe ProductVersion: 5.1.2600.5512 FileVersion: 5.1.2600.5512 (xpsp.080413-2111) FileDescription: Noyau et système NT LegalCopyright: © Microsoft Corporation. Tous droits réservés. #5 Savedump: Microsoft ® Windows Debugger Version 6.9.0003.113 X86 Copyright © Microsoft Corporation. All rights reserved. 
Loading Dump File [C:\WINDOWS\Minidump\Mini072508-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: C:\Windows\I386 Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp.080413-2111 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Fri Jul 25 07:55:33.031 2008 (GMT-7) System Uptime: 0 days 9:13:19.626 Loading Kernel Symbols ... Loading User Symbols Loading unloaded module list ... ** * * * * Bugcheck Analysis * * * ** *** Use !analyze -v to get detailed debugging information. BugCheck C1, {8a9d4f00, 8a9d412e, a90100, 23} Probably caused by : memory_corruption ( nt!MmFreeSpecialPool+2f4 ) Followup: MachineOwner -- 1: kd> !analyze -v ** ** * * * Bugcheck Analysis * * * ** ** SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1) Special pool has detected memory corruption. Typically the current thread's stack backtrace will reveal the guilty party. 
Arguments: Arg1: 8a9d4f00, address trying to free Arg2: 8a9d412e, address where bits are corrupted Arg3: 00a90100, (reserved) Arg4: 00000023, caller is freeing an address where nearby bytes within the same page have been corrupted Debugging Details: -- BUGCHECK_STR: 0xC1_23 SPECIAL_POOL_CORRUPTION_TYPE: 23 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: winss.exe IRP_ADDRESS: 8a9d4f00 LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33 STACK_TEXT: b66b6b44 8066dd94 000000c1 8a9d4f00 8a9d412e nt!KeBugCheckEx+0x1b b66b6b90 8054b32a 8a9d4f00 b66b6c13 884b4008 nt!MmFreeSpecialPool+0x2f4 b66b6bd0 8065f1f6 8a9d4f00 00000000 8065f391 nt!ExFreePoolWithTag+0x4a b66b6bdc 8065f391 8993fee8 8a9d4f00 00000000 nt!VfIrpFree+0xc b66b6bf8 80658071 00000000 8a9d4f00 b66b6c5c nt!VerifierIoFreeIrp+0x129 b66b6c08 804f4e35 8a9d4f00 8a9d4f40 88dbf598 nt!IovFreeIrpPrivate+0x41 b66b6c5c 804ff843 8a9d4f40 b66b6ca8 b66b6c9c nt!IopCompleteRequest+0x319 b66b6cac 80503854 00000000 00000000 00000000 nt!KiDeliverApc+0xb3 b66b6cc4 804fb068 00000000 b66b6d1c 00000000 nt!KiSwapThread+0xa8 b66b6cec 805c0750 00000001 00000006 01c8ee01 nt!KeWaitForSingleObject+0x1c2 b66b6d50 8054161c 00000c98 00000001 b66b6d1c nt!NtWaitForSingleObject+0x9a b66b6d50 7c90e4f4 00000c98 00000001 b66b6d1c nt!KiFastCallEntry+0xfc WARNING: Frame IP not in any known module. Following frames may be wrong. 
0550fb0c 00000000 00000000 00000000 00000000 0x7c90e4f4 STACK_COMMAND: kb FOLLOWUP_IP: nt!MmFreeSpecialPool+2f4 8066dd94 8b4708 mov eax,dword ptr [edi+8] SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: nt!MmFreeSpecialPool+2f4 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a IMAGE_NAME: memory_corruption FAILURE_BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2f4 BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2f4 Followup: MachineOwner --------- 1: kd> lmvm nt start end module name 804d7000 806e4000 nt # (pdb symbols) c:\symbols\ntkrpamp.pdb\7D6290E03E32455BB0E035E38816124F1\ntkrpamp.pdb Loaded symbol image file: ntkrpamp.exe Mapped memory image file: c:\symbols\ntkrpamp.exe\4802516A20d000\ntkrpamp.exe Image path: ntkrpamp.exe Image name: ntkrpamp.exe Timestamp: Sun Apr 13 11:31:06 2008 (4802516A) CheckSum: 001F442E ImageSize: 0020D000 File version: 5.1.2600.5512 Product version: 5.1.2600.5512 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 1.0 App File date: 00000000.00000000 Translations: 040c.04b0 CompanyName: Microsoft Corporation ProductName: Système d'exploitation Microsoft® Windows® InternalName: ntkrpamp.exe OriginalFilename: ntkrpamp.exe ProductVersion: 5.1.2600.5512 FileVersion: 5.1.2600.5512 (xpsp.080413-2111) FileDescription: Noyau et système NT LegalCopyright: © Microsoft Corporation. Tous droits réservés. #6 Savedump: Microsoft ® Windows Debugger Version 6.9.0003.113 X86 Copyright © Microsoft Corporation. All rights reserved. 
Loading Dump File [C:\WINDOWS\Minidump\Mini072508-02.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: C:\Windows\I386 Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible Product: WinNt Built by: 2600.xpsp.080413-2111 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720 Debug session time: Fri Jul 25 17:02:11.390 2008 (GMT-7) System Uptime: 0 days 5:05:20.999 Loading Kernel Symbols ... Loading User Symbols Loading unloaded module list ***** **** * * * Bugcheck Analysis * * * **** ***** Use !analyze -v to get detailed debugging information. BugCheck C1, {8b488eb8, 8b488816, 390148, 23} Probably caused by : win32k.sys ( win32k!RawInputThread+4f3 ) Followup: MachineOwner --------- 2: kd> !analyze -v ***** ***** * * * Bugcheck Analysis * * * ******* SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1) Special pool has detected memory corruption. Typically the current thread's stack backtrace will reveal the guilty party. 
Arguments: Arg1: 8b488eb8, address trying to free Arg2: 8b488816, address where bits are corrupted Arg3: 00390148, (reserved) Arg4: 00000023, caller is freeing an address where nearby bytes within the same page have been corrupted Debugging Details: BUGCHECK_STR: 0xC1_23 SPECIAL_POOL_CORRUPTION_TYPE: 23 CUSTOMER_CRASH_COUNT: 2 DEFAULT_BUCKET_ID: DRIVER_FAULT LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33 STACK_TEXT: baaf7944 8066dd94 000000c1 8b488eb8 8b488816 nt!KeBugCheckEx+0x1b baaf7990 8054b32a 8b488eb8 baaf7a13 88bea358 nt!MmFreeSpecialPool+0x2f4 baaf79d0 8065f1f6 8b488eb8 00000000 8065f391 nt!ExFreePoolWithTag+0x4a baaf79dc 8065f391 8b488ef8 8b488eb8 00000000 nt!VfIrpFree+0xc baaf79f8 80658071 8a1feda8 8a1feddc baaf7a14 nt!VerifierIoFreeIrp+0x129 baaf7a08 8057ede9 8b488eb8 baaf7a64 804ff896 nt!IovFreeIrpPrivate+0x41 baaf7a14 804ff896 8b488ef8 baaf7a60 baaf7a54 nt!IopUserCompletion+0x11 baaf7a64 80503854 00000000 00000000 00000000 nt!KiDeliverApc+0x106 baaf7a7c 804fad88 80500254 00000001 00000000 nt!KiSwapThread+0xa8 baaf7ab4 bf89fcb5 00000007 8a2dc108 00000001 nt!KeWaitForMultipleObjects+0x284 baaf7d30 bf884705 baac7490 00000002 baaf7d54 win32k!RawInputThread+0x4f3 baaf7d40 bf80110a baac7490 baaf7d64 006efff4 win32k!xxxCreateSystemThreads+0x60 baaf7d54 8054161c 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23 baaf7d54 7c90e4f4 00000000 00000022 00000000 nt!KiFastCallEntry+0xfc WARNING: Frame IP not in any known module. Following frames may be wrong. 
00000000 00000000 00000000 00000000 00000000 0x7c90e4f4 STACK_COMMAND: kb FOLLOWUP_IP: win32k!RawInputThread+4f3 bf89fcb5 391df0b29abf cmp dword ptr [win32k!gdwUpdateKeyboard (bf9ab2f0)],ebx SYMBOL_STACK_INDEX: a SYMBOL_NAME: win32k!RawInputThread+4f3 FOLLOWUP_NAME: MachineOwner MODULE_NAME: win32k IMAGE_NAME: win32k.sys DEBUG_FLR_IMAGE_TIMESTAMP: 48025f2a FAILURE_BUCKET_ID: 0xC1_23_win32k!RawInputThread+4f3 BUCKET_ID: 0xC1_23_win32k!RawInputThread+4f3 Followup: MachineOwner 2: kd> lmvm win32k start end module name bf800000 bf9c2980 win32k # (pdb symbols) c:\symbols\win32k.pdb\B8354F59A2A341179030B80ACC7969972\win32k.pdb Loaded symbol image file: win32k.sys Mapped memory image file: c:\symbols\win32k.sys\48025F2A1c2980\win32k.sys Image path: \SystemRoot\System32\win32k.sys Image name: win32k.sys Timestamp: Sun Apr 13 12:29:46 2008 (48025F2A) CheckSum: 001CC002 ImageSize: 001C2980 File version: 5.1.2600.5512 Product version: 5.1.2600.5512 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 3.7 Driver File date: 00000000.00000000 Translations: 0405.04b0 CompanyName: Microsoft Corporation ProductName: Operační systém Microsoft® Windows® InternalName: win32k.sys OriginalFilename: win32k.sys ProductVersion: 5.1.2600.5512 FileVersion: 5.1.2600.5512 (xpsp.080413-2105) FileDescription: Multi-User Win32 Driver LegalCopyright: © Microsoft Corporation. Všechna práva vyhrazena.
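Rey's tip applied to all six re-run reports at once, as an added example that is not part of any post in this thread: a Python parser that pulls the bugcheck code, "Probably caused by", PROCESS_NAME, MODULE_NAME and IMAGE_NAME out of each `!analyze -v` report and checks whether the dumps agree on one image. The function names and the condensed `SAMPLE` text are assumptions of the example; the field values are copied from the reports above.

```python
import re
from collections import Counter

# Constructed sample: headline fields copied from the six re-run reports in
# this thread, condensed to four lines per dump (the rest of each report is
# omitted).
SAMPLE = r"""
Loading Dump File [C:\WINDOWS\Minidump\Mini072208-01.dmp]
BugCheck 1A, {41284, 136001, 6ca, c0883000}
Probably caused by : memory_corruption ( nt!MiLocateWsle+c1 )
PROCESS_NAME: GtCC.exe MODULE_NAME: nt IMAGE_NAME: memory_corruption
Loading Dump File [C:\WINDOWS\Minidump\Mini072208-02.dmp]
BugCheck 1000000A, {20, 2, 0, 805153db}
Probably caused by : memory_corruption ( nt!MiResolveMappedFileFault+37 )
PROCESS_NAME: System MODULE_NAME: nt IMAGE_NAME: memory_corruption
Loading Dump File [C:\WINDOWS\Minidump\Mini072208-03.dmp]
BugCheck 100000D1, {4, 2, 1, b65e7625}
Probably caused by : afd.sys ( afd!AfdIndicatePollEventReal+d6 )
PROCESS_NAME: System MODULE_NAME: afd IMAGE_NAME: afd.sys
Loading Dump File [C:\WINDOWS\Minidump\Mini072408-01.dmp]
BugCheck C1, {8bb6ee28, 8bb6e7b6, d101d8, 23}
Probably caused by : memory_corruption ( nt!MmFreeSpecialPool+2f4 )
PROCESS_NAME: winlogon.exe MODULE_NAME: nt IMAGE_NAME: memory_corruption
Loading Dump File [C:\WINDOWS\Minidump\Mini072508-01.dmp]
BugCheck C1, {8a9d4f00, 8a9d412e, a90100, 23}
Probably caused by : memory_corruption ( nt!MmFreeSpecialPool+2f4 )
PROCESS_NAME: winss.exe MODULE_NAME: nt IMAGE_NAME: memory_corruption
Loading Dump File [C:\WINDOWS\Minidump\Mini072508-02.dmp]
BugCheck C1, {8b488eb8, 8b488816, 390148, 23}
Probably caused by : win32k.sys ( win32k!RawInputThread+4f3 )
MODULE_NAME: win32k IMAGE_NAME: win32k.sys
"""

DUMP_START = re.compile(r"Loading Dump File \[([^\]]+)\]")
BUGCHECK = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
CAUSED_BY = re.compile(r"Probably caused by : (\S+) \( (\S+) \)")
FIELDS = ("PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME")
# Placeholder image name the reports above show where no driver file is named.
GENERIC_IMAGES = {"memory_corruption"}


def parse_reports(text):
    """Return one dict per dump; field values are single tokens, so this
    works on line-per-field output and on text flattened onto one line."""
    starts = list(DUMP_START.finditer(text))
    reports = []
    for i, start in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        body = text[start.end():end]
        rep = {"dump": start.group(1).rsplit("\\", 1)[-1]}
        bc = BUGCHECK.search(body)
        if bc:
            # The thread's "BugCheck 1000000A" is analysed as "(a)" and
            # "100000D1" as "(d1)": drop the 0x10000000 bit to compare codes.
            rep["code"] = int(bc.group(1), 16) & ~0x10000000
            rep["args"] = [int(a.strip(), 16) for a in bc.group(2).split(",")]
        cb = CAUSED_BY.search(body)
        if cb:
            rep["caused_by"], rep["symbol"] = cb.groups()
        for name in FIELDS:
            found = re.search(rf"\b{name}:\s*(\S+)", body)
            rep[name.lower()] = found.group(1) if found else None
        reports.append(rep)
    return reports


def blamed_images(reports):
    """Count how often each IMAGE_NAME value appears across the dumps."""
    return Counter(r["image_name"] for r in reports if r["image_name"])


def single_culprit(reports):
    """Return the driver image named in every dump, or None when the dumps
    disagree or name only a generic placeholder."""
    images = {r["image_name"] for r in reports}
    if len(images) != 1:
        return None
    image = next(iter(images))
    return None if image is None or image in GENERIC_IMAGES else image


def triage_table(reports):
    """One row per dump: file, bugcheck code, process, module, image."""
    rows = []
    for r in reports:
        code = "0x{:X}".format(r["code"]) if "code" in r else "?"
        cells = (r["dump"], code, r["process_name"] or "-",
                 r["module_name"] or "-", r["image_name"] or "-")
        rows.append("{:<18} {:<6} {:<13} {:<7} {}".format(*cells))
    return "\n".join(rows)


if __name__ == "__main__":
    reports = parse_reports(SAMPLE)
    print(triage_table(reports))
    print(dict(blamed_images(reports)))
    print("single culprit:", single_culprit(reports))
```

For these six dumps the headings name three different images (memory_corruption four times, afd.sys and win32k.sys once each), so `single_culprit` returns None.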