Multiple save dumps (with debug info)

[Guest Ross]

Up to this point I have tried to diagnose this problem on my own but I can

see It's more than I can handle.

Here is my system info and a log of previous failure reports and bug checks.

I hope I have done them correctly as I have no experience whatsoever and have

relied completely on information I could read at Microsoft.

 

I had a problem with the computer going to blue screen and not restarting

previously.

It got so bad that it would not restart at all.

I used a drive washer and wiped out everything.

I used my XP Installation disc and reinstalled windows XP.

 

I thought the problem was solved and now the computer is doing it again.

I have some theories as to whats wrong but they are uneducated assumptions

at this point.

 

Any assistance would be greatly appreciated.

 

Ross-

 

(SYSTEM INFO GEERATED WITH BELARC ADVISOR)

 

Operating System:

Win. XP Home Edition. Service Pack 3 (Build 2600)

System Motherboard:

Gigabyte Technology (P35-DS3L)

Bus Clock:

266 Mhz.

 

BIOS:

Award Software Int. Inc. F7 11/29/07

 

PROCESSOR:

2.4 Gigahertz Intel Core2 Quad Q660

 

DRIVES:

WDC WD3200AAKS-00B3A0 (Hard Drive)

STATUS: Healthy

WDC WD25 00JS-55NCB1 (USB External Device)

Pioneer DVR-113NP (CD-ROM drive)

 

MEMORY:

3072 Megabytes Installed Memory

Crucial.com

CL1118P.TQ

97432

BL12864AA804.8FE5

(Says "Ballistix" on the ram itself)

Slot "A0" Has 1024 Mb

Slot "A1" has 1024 Mb

Slot "A2" has 1024 Mb

Slot "A3" is empty

 

DISPLAY:

NVIDIA GeForce 8400 GS (display adapter)

Sceptre X20WG-Naga (moniter)

Realtek High Definition Auido

 

COMMUNICATIONS:

Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC

 

LOCAL DRIVE VOLUMES:

C:/ (NTFS on drive 0) 320 GB

E:/ (FAT32 on drive 1) 250 GB

 

PRINTERS:

HP Deskjet 925 on USB

Microsoft XPS Document writer

Only one user account (mine)

 

Using IE 6

(I have had numerous issues with IE7)

 

DEBUG INFO:

 

 

SAVEDUMP INFO 1.

 

Event Type: Information

Event Source: Save Dump

Event Category: None

Event ID: 1001

Date: 7/22/2008

Time: 8:16:23 AM

User: N/A

Computer: STEPHEN-DE5B952

Description:

The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a

(0x00041284, 0x00136001, 0x000006ca, 0xc0883000). A dump was saved in:

C:\WINDOWS\Minidump\Mini072208-01.dmp.

 

SAVEDUMP 1 DETAILS;

Product:

Windows Operating System

ID:

1001

Source:

Save Dump

Version:

5.2

Symbolic Name:

EVENT_BUGCHECK_SAVED

Message:

The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was

saved in: %2.

 

DEBUG INFO FOR SAVEDUMP 1;

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072208-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Tue Jul 22 08:15:38.140 2008 (GMT-7)

System Uptime: 0 days 6:00:50.734

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Loading Kernel Symbols

.....................................................................................................................

Loading User Symbols

Loading unloaded module list

 

 

 

Bugcheck Analysis

 

 

 

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 1A, {41284, 136001, 6ca, c0883000}

 

Probably caused by : ntoskrnl.exe ( nt!_woutput+404 )

 

Followup: MachineOwner

---------

 

2: kd> !analyze -v

*******

*

*

* Bugcheck Analysis

*

*

*

*******

 

MEMORY_MANAGEMENT (1a)

# Any other values for parameter 1 must be individually examined.

Arguments:

Arg1: 00041284, A PTE or the working set list is corrupt.

Arg2: 00136001

Arg3: 000006ca

Arg4: c0883000

 

Debugging Details:

------------------

 

 

BUGCHECK_STR: 0x1a_41284

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

PROCESS_NAME: GtCC.exe

 

LAST_CONTROL_TRANSFER: from 80523309 to 804f9f33

 

STACK_TEXT:

b5fd3af4 80523309 0000001a 00041284 00136001 nt!_woutput+0x404

b5fd3b2c 80523b8f 000006ca 00136000 c0600000 nt!MiRemoveMappedPtes+0x88

b5fd3b60 80523fa8 c00009b0 00136000 00000000

nt!MiSessionCommitImagePages+0x198

b5fd3c28 805135b6 00000530 0018ffff 00000000 nt!MmAccessFault+0x17a

b5fd3c68 805d2706 01b6da18 88b93020 88b93268 nt!MiFlushDirtyBitsToPfn+0x57

b5fd3d08 805d28c8 00000000 88b93020 00000000 nt!IopRebalance+0x3e0

b5fd3d28 805d2aa3 88b93020 00000000 b5fd3d64 nt!NtPowerInformation+0x40f

b5fd3d54 8054161c 00000000 00000000 0006fed0 nt!WmipStartLogger+0xa

b5fd3d64 7c90e4f4 badb0d00 0006fddc 00000000 nt!RtlIpv4StringToAddressExW+0x9d

WARNING: Frame IP not in any known module. Following frames may be wrong.

b5fd3d78 00000000 00000000 00000000 00000000 0x7c90e4f4

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!_woutput+404

804f9f33 5d pop ebp

 

SYMBOL_STACK_INDEX: 0

 

SYMBOL_NAME: nt!_woutput+404

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

IMAGE_NAME: ntoskrnl.exe

 

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

 

FAILURE_BUCKET_ID: 0x1a_41284_nt!_woutput+404

 

BUCKET_ID: 0x1a_41284_nt!_woutput+404

 

Followup: MachineOwner

---------

 

2: kd> lmvm nt

start end module name

804d7000 806e4000 nt M (pdb symbols)

C:\WINDOWS\Symbols\exe\ntoskrnl.pdb

Loaded symbol image file: ntoskrnl.exe

Image path: ntoskrnl.exe

Image name: ntoskrnl.exe

Timestamp: Sun Apr 13 11:31:06 2008 (4802516A)

CheckSum: 001F442E

ImageSize: 0020D000

Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

 

 

ERROR 1 INFO;

 

Event Type: Error

Event Source: System Error

Event Category: (102)

Event ID: 1003

Date: 7/22/2008

Time: 8:16:45 AM

User: N/A

Computer: STEPHEN-DE5B952

Description:

Error code 0000001a, parameter1 00041284, parameter2 00136001, parameter3

000006ca, parameter4 c0883000.

 

Data:

0000: 53 79 73 74 65 6d 20 45 System E

0008: 72 72 6f 72 20 20 45 72 rror Er

0010: 72 6f 72 20 63 6f 64 65 ror code

0018: 20 30 30 30 30 30 30 31 0000001

0020: 61 20 20 50 61 72 61 6d a Param

0028: 65 74 65 72 73 20 30 30 eters 00

0030: 30 34 31 32 38 34 2c 20 041284,

0038: 30 30 31 33 36 30 30 31 00136001

0040: 2c 20 30 30 30 30 30 36 , 000006

0048: 63 61 2c 20 63 30 38 38 ca, c088

0050: 33 30 30 30 3000

 

ERROR 1 DETAILS;

Product:

Windows Operating System

ID:

1003

Source:

System Error

Version:

5.2

Symbolic Name:

ER_KRNLCRASH_LOG

Message:

Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5.

 

SAVE DUMP 2 INFO;

 

Event Type: Information

Event Source: Save Dump

Event Category: None

Event ID: 1001

Date: 7/22/2008

Time: 4:15:30 PM

User: N/A

Computer: STEPHEN-DE5B952

Description:

The computer has rebooted from a bugcheck. The bugcheck was: 0x1000000a

(0x00000020, 0x00000002, 0x00000000, 0x805153db). A dump was saved in:

C:\WINDOWS\Minidump\Mini072208-02.dmp.

 

 

SAVEDUP 2 DETAILS;

Product:

Windows Operating System

ID:

1001

Source:

Save Dump

Version:

5.2

Symbolic Name:

EVENT_BUGCHECK_SAVED

Message:

The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was

saved in: %2.

 

DEBUG INFO FOR SAVEDUMP 2;

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072208-02.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Tue Jul 22 16:14:41.203 2008 (GMT-7)

System Uptime: 0 days 7:58:33.172

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Loading Kernel Symbols

...........

Loading User Symbols

Loading unloaded module list

..............

******

******

*

*

* Bugcheck Analysis

*

*

*

******

******

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 1000000A, {20, 2, 0, 805153db}

 

Probably caused by : memory_corruption ( nt!MiInsertStandbyListAtFront+7 )

 

Followup: MachineOwner

---------

 

0: kd> !analyze -v

******

******

*

*

* Bugcheck Analysis

*

*

*

******

******

 

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: 00000020, memory referenced

Arg2: 00000002, IRQL

Arg3: 00000000, bitfield :

bit 0 : value 0 = read operation, 1 = write operation

bit 3 : value 0 = not an execute operation, 1 = execute operation (only on

chips which support this level of status)

Arg4: 805153db, address which referenced memory

 

Debugging Details:

------------------

 

 

READ_ADDRESS: 00000020

 

CURRENT_IRQL: 2

 

FAULTING_IP:

nt!MiInsertStandbyListAtFront+7

805153db 8b4320 mov eax,dword ptr [ebx+20h]

 

CUSTOMER_CRASH_COUNT: 2

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

BUGCHECK_STR: 0xA

 

PROCESS_NAME: System

 

LAST_CONTROL_TRANSFER: from 00000000 to 805153db

 

STACK_TEXT:

bacf7ac4 00000000 000004c0 88a44ca0 c5020000 nt!MiInsertStandbyListAtFront+0x7

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!MiInsertStandbyListAtFront+7

805153db 8b4320 mov eax,dword ptr [ebx+20h]

 

SYMBOL_STACK_INDEX: 0

 

SYMBOL_NAME: nt!MiInsertStandbyListAtFront+7

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

 

IMAGE_NAME: memory_corruption

 

FAILURE_BUCKET_ID: 0xA_nt!MiInsertStandbyListAtFront+7

 

BUCKET_ID: 0xA_nt!MiInsertStandbyListAtFront+7

 

Followup: MachineOwner

---------

 

0: kd> lmvm nt

start end module name

804d7000 806e4000 nt M (pdb symbols)

C:\WINDOWS\Symbols\exe\ntoskrnl.pdb

Loaded symbol image file: ntoskrnl.exe

Image path: ntoskrnl.exe

Image name: ntoskrnl.exe

Timestamp: Sun Apr 13 11:31:06 2008 (4802516A)

CheckSum: 001F442E

ImageSize: 0020D000

Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

 

 

 

ERROR 2 INFO;

 

Event Type: Error

Event Source: System Error

Event Category: (102)

Event ID: 1003

Date: 7/22/2008

Time: 4:16:05 PM

User: N/A

Computer: STEPHEN-DE5B952

Description:

Error code 1000000a, parameter1 00000020, parameter2 00000002, parameter3

00000000, parameter4 805153db.

 

 

Data:

0000: 53 79 73 74 65 6d 20 45 System E

0008: 72 72 6f 72 20 20 45 72 rror Er

0010: 72 6f 72 20 63 6f 64 65 ror code

0018: 20 31 30 30 30 30 30 30 1000000

0020: 61 20 20 50 61 72 61 6d a Param

0028: 65 74 65 72 73 20 30 30 eters 00

0030: 30 30 30 30 32 30 2c 20 000020,

0038: 30 30 30 30 30 30 30 32 00000002

0040: 2c 20 30 30 30 30 30 30 , 000000

0048: 30 30 2c 20 38 30 35 31 00, 8051

0050: 35 33 64 62 53db

 

 

ERROR 2 DETAILS;

Product:

Windows Operating System

ID:

1003

Source:

System Error

Version:

5.2

Symbolic Name:

ER_KRNLCRASH_LOG

Message:

Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5.

 

SAVEDUMP 3 INFO;

 

 

Event Type: Information

Event Source: Save Dump

Event Category: None

Event ID: 1001

Date: 7/22/2008

Time: 7:01:57 PM

User: N/A

Computer: STEPHEN-DE5B952

Description:

The computer has rebooted from a bugcheck. The bugcheck was: 0x100000d1

(0x00000004, 0x00000002, 0x00000001, 0xb65e7625). A dump was saved in:

C:\WINDOWS\Minidump\Mini072208-03.dmp.

 

 

SAVEDUMP 3 DETAILS;

Product:

Windows Operating System

ID:

1001

Source:

Save Dump

Version:

5.2

Symbolic Name:

EVENT_BUGCHECK_SAVED

Message:

The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was

saved in: %2.

 

Currently there are no Microsoft Knowledge Base articles available for this

specific error or event message.

 

DEBUG INFO FOR SAVEDUMP 3;

 

Microsoft ® Windows Debugger Version 6.9.0003.113 X86

Copyright © Microsoft Corporation. All rights reserved.

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072208-03.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Tue Jul 22 19:01:11.453 2008 (GMT-7)

System Uptime: 0 days 2:46:00.076

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Loading Kernel Symbols

...............

Loading User Symbols

Loading unloaded module list

..................

Unable to load image afd.sys, Win32 error 0n2

******

******

*

*

* Bugcheck Analysis

*

*

*

*******

*******

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 100000D1, {4, 2, 1, b65e7625}

 

Unable to load image msfwhlpr.sys, Win32 error 0n2

*** WARNING: Unable to verify timestamp for msfwhlpr.sys

*** ERROR: Module load completed but symbols could not be loaded for

msfwhlpr.sys

*** WARNING: Unable to verify timestamp for tcpip.sys

Unable to load image TDI.SYS, Win32 error 0n2

*** WARNING: Unable to verify timestamp for TDI.SYS

Probably caused by : msfwhlpr.sys ( msfwhlpr+11922 )

 

Followup: MachineOwner

---------

 

1: kd> !analyze -v

******

******

*

*

* Bugcheck Analysis

*

*

*

******

******

 

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: 00000004, memory referenced

Arg2: 00000002, IRQL

Arg3: 00000001, value 0 = read operation, 1 = write operation

Arg4: b65e7625, address which referenced memory

 

Debugging Details:

------------------

 

 

WRITE_ADDRESS: 00000004

 

CURRENT_IRQL: 2

 

FAULTING_IP:

afd!AfdIndicatePollEventReal+d6

b65e7625 894804 mov dword ptr [eax+4],ecx

 

CUSTOMER_CRASH_COUNT: 3

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

BUGCHECK_STR: 0xD1

 

PROCESS_NAME: System

 

LAST_CONTROL_TRANSFER: from b65f29fd to b65e7625

 

STACK_TEXT:

bad038cc b65f29fd 88c53640 00000001 00000000 afd!AfdIndicatePollEventReal+0xd6

bad03900 b66d4922 bad03a9c b66d4922 88c53640 afd!AfdPoll+0xe2

WARNING: Stack unwind information not available. Following frames may be

wrong.

bad039f4 b66d4b41 88cb3358 00000016 bad03aac msfwhlpr+0x11922

bad03a2c b665986c 88cb3358 00000016 bad03aac msfwhlpr+0x11b41

bad03ac8 b6663d35 88c44278 0100007f 00002504 tcpip!UDPDeliver+0x1be

bad03b20 b6658ef5 8a2abd50 0100007f 0100007f tcpip!TCPRcv+0xe41

bad03b80 b6658b19 00000020 8a2abd50 b6659592 tcpip!DeliverToUser+0x18e

bad03bfc b6658836 b66988f0 8a2abd50 bad03d18 tcpip!DeliverToUserEx+0x95e

bad03cb4 b6664ce6 8a2abd50 bad03d2c 00000009 tcpip!IPRcvPacket+0x6cb

bad03d60 babe83e4 b6698680 8a2abd50 b6698690 tcpip!TCPRcv+0x10fa

bad03d7c 8053876d 8a2abd50 00000000 8a535da8 TDI!CTEpEventHandler+0x32

bad03dac 805cff64 b6698680 00000000 00000000 nt!MiTrimPte+0x1ee

bad03ddc 805460de 8053867e 00000001 00000000 nt!IopQueryReconfiguration+0x17

bad03df8 00000000 00000000 00000000 00001f80 nt!ExpRemovePoolTracker+0x6b

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

msfwhlpr+11922

b66d4922 ?? ???

 

SYMBOL_STACK_INDEX: 2

 

SYMBOL_NAME: msfwhlpr+11922

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: msfwhlpr

 

IMAGE_NAME: msfwhlpr.sys

 

DEBUG_FLR_IMAGE_TIMESTAMP: 474d104c

 

FAILURE_BUCKET_ID: 0xD1_W_msfwhlpr+11922

 

BUCKET_ID: 0xD1_W_msfwhlpr+11922

 

Followup: MachineOwner

---------

 

1: kd> lmvm msfwhlpr

start end module name

b66c3000 b66dd280 msfwhlpr T (no symbols)

Loaded symbol image file: msfwhlpr.sys

Image path: msfwhlpr.sys

Image name: msfwhlpr.sys

Timestamp: Tue Nov 27 22:53:00 2007 (474D104C)

CheckSum: 00029480

ImageSize: 0001A280

Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

 

ERROR 3 INFO;

 

Event Type: Error

Event Source: System Error

Event Category: (102)

Event ID: 1003

Date: 7/22/2008

Time: 8:55:33 PM

User: N/A

Computer: STEPHEN-DE5B952

Description:

Error code 100000d1, parameter1 00000004, parameter2 00000002, parameter3

00000001, parameter4 b65e7625.

 

 

Data:

0000: 53 79 73 74 65 6d 20 45 System E

0008: 72 72 6f 72 20 20 45 72 rror Er

0010: 72 6f 72 20 63 6f 64 65 ror code

0018: 20 31 30 30 30 30 30 64 100000d

0020: 31 20 20 50 61 72 61 6d 1 Param

0028: 65 74 65 72 73 20 30 30 eters 00

0030: 30 30 30 30 30 34 2c 20 000004,

0038: 30 30 30 30 30 30 30 32 00000002

0040: 2c 20 30 30 30 30 30 30 , 000000

0048: 30 31 2c 20 62 36 35 65 01, b65e

0050: 37 36 32 35 7625

 

 

 

ERROR 3 DETAILS;

Product:

Windows Operating System

ID:

1003

Source:

System Error

Version:

5.2

Symbolic Name:

ER_KRNLCRASH_LOG

Message:

Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5.

 

SAVE DUMP 4 INFO;

 

Event Type: Information

Event Source: Save Dump

Event Category: None

Event ID: 1001

Date: 7/24/2008

Time: 9:59:56 PM

User: N/A

Computer: STEPHEN-DE5B952

Description:

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c1

(0x8bb6ee28, 0x8bb6e7b6, 0x00d101d8, 0x00000023). A dump was saved in:

C:\WINDOWS\Minidump\Mini072408-01.dmp.

 

DEBUG INFO;

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072408-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Thu Jul 24 21:43:09.953 2008 (GMT-7)

System Uptime: 0 days 14:24:45.922

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Loading Kernel Symbols

..............

Loading User Symbols

Loading unloaded module list

...................

******

******

*

*

* Bugcheck Analysis

*

*

*

******

******

 

Use !analyze -v to get detailed debugging information.

 

BugCheck C1, {8bb6ee28, 8bb6e7b6, d101d8, 23}

 

Probably caused by : ntoskrnl.exe ( nt!_woutput+404 )

 

Followup: MachineOwner

---------

 

3: kd> !analyze -v

******

******

*

*

* Bugcheck Analysis

*

*

*

******

******

 

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)

Special pool has detected memory corruption. Typically the current thread's

stack backtrace will reveal the guilty party.

Arguments:

Arg1: 8bb6ee28, address trying to free

Arg2: 8bb6e7b6, address where bits are corrupted

Arg3: 00d101d8, (reserved)

Arg4: 00000023, caller is freeing an address where nearby bytes within the

same page have been corrupted

 

Debugging Details:

------------------

 

 

BUGCHECK_STR: 0xC1_23

 

SPECIAL_POOL_CORRUPTION_TYPE: 23

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

PROCESS_NAME: winlogon.exe

 

LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33

 

STACK_TEXT:

b70f7804 8066dd94 000000c1 8bb6ee28 8bb6e7b6 nt!_woutput+0x404

b70f7850 8054b32a 8bb6ee28 b70f78d3 88b3beb8 nt!VerifierKeAcquireSpinLock+0x24

b70f7890 8065f1f6 8bb6ee28 00000000 8065f391

nt!MiReserveAlignedSystemPtes+0x122

b70f78b8 80658071 00000000 8bb6ee28 b70f791c nt!MiPhysicalViewInserter+0x33

b70f78c8 804f4e35 8bb6ee28 8bb6ee68 899a25c8 nt!HvRefreshHive+0x419

b70f791c 804ff843 8bb6ee68 b70f7968 b70f795c nt!CcPurgeCacheSection+0x62

b70f796c 80503854 00000000 00000000 00000000 nt!CcPerformReadAhead+0x155

b70f79bc 805c0a37 00000040 b70f7bf0 00000001 nt!WmipEnterCritSection+0x1e

b70f7d48 8054161c 00000040 00eb6e60 00000001 nt!IopDriverLoadingFailed+0x4bf

b70f7d64 7c90e4f4 badb0d00 00d2ff54 00000000 nt!RtlIpv4StringToAddressExW+0x9d

WARNING: Frame IP not in any known module. Following frames may be wrong.

b70f7d78 00000000 00000000 00000000 00000000 0x7c90e4f4

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!_woutput+404

804f9f33 5d pop ebp

 

SYMBOL_STACK_INDEX: 0

 

SYMBOL_NAME: nt!_woutput+404

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

IMAGE_NAME: ntoskrnl.exe

 

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

 

FAILURE_BUCKET_ID: 0xC1_23_nt!_woutput+404

 

BUCKET_ID: 0xC1_23_nt!_woutput+404

 

Followup: MachineOwner

---------

 

3: kd> lmvm nt

start end module name

804d7000 806e4000 nt M (pdb symbols)

C:\WINDOWS\Symbols\exe\ntoskrnl.pdb

Loaded symbol image file: ntoskrnl.exe

Image path: ntoskrnl.exe

Image name: ntoskrnl.exe

Timestamp: Sun Apr 13 11:31:06 2008 (4802516A)

CheckSum: 001F442E

ImageSize: 0020D000

Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

 

 

SAVE DUMP 5 INFO;

 

Event Type: Information

Event Source: Save Dump

Event Category: None

Event ID: 1001

Date: 7/25/2008

Time: 8:32:32 AM

User: N/A

Computer: STEPHEN-DE5B952

Description:

The computer has rebooted from a bugcheck.

 

The bugcheck was: 0x000000c1 (0x8a9d4f00, 0x8a9d412e, 0x00a90100,

0x00000023). A dump was saved in: C:\WINDOWS\Minidump\Mini072508-01.dmp.

 

DETAILS;

 

Product:

Windows Operating System

ID:

1001

Source:

Save Dump

Version:

5.2

Symbolic Name:

EVENT_BUGCHECK_SAVED

Message:

The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was

saved in: %2.

 

BUGCHECK INFO;

 

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072508-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Fri Jul 25 07:55:33.031 2008 (GMT-7)

System Uptime: 0 days 9:13:19.626

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Loading Kernel Symbols

.................

Loading User Symbols

Loading unloaded module list

............

******

******

*

*

* Bugcheck Analysis

*

*

*

*****

******

 

Use !analyze -v to get detailed debugging information.

 

BugCheck C1, {8a9d4f00, 8a9d412e, a90100, 23}

 

Probably caused by : ntoskrnl.exe ( nt!_woutput+404 )

 

Followup: MachineOwner

---------

 

1: kd> !analyze -v

**************

**************

*

*

* Bugcheck Analysis

*

*

*

********

********

 

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)

Special pool has detected memory corruption. Typically the current thread's

stack backtrace will reveal the guilty party.

Arguments:

Arg1: 8a9d4f00, address trying to free

Arg2: 8a9d412e, address where bits are corrupted

Arg3: 00a90100, (reserved)

Arg4: 00000023, caller is freeing an address where nearby bytes within the

same page have been corrupted

 

Debugging Details:

------------------

 

 

BUGCHECK_STR: 0xC1_23

 

SPECIAL_POOL_CORRUPTION_TYPE: 23

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

PROCESS_NAME: winss.exe

 

LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33

 

STACK_TEXT:

b66b6b44 8066dd94 000000c1 8a9d4f00 8a9d412e nt!_woutput+0x404

b66b6b90 8054b32a 8a9d4f00 b66b6c13 884b4008 nt!VerifierKeAcquireSpinLock+0x24

b66b6bd0 8065f1f6 8a9d4f00 00000000 8065f391

nt!MiReserveAlignedSystemPtes+0x122

b66b6bf8 80658071 00000000 8a9d4f00 b66b6c5c nt!MiPhysicalViewInserter+0x33

b66b6c08 804f4e35 8a9d4f00 8a9d4f40 88dbf598 nt!HvRefreshHive+0x419

b66b6c5c 804ff843 8a9d4f40 b66b6ca8 b66b6c9c nt!CcPurgeCacheSection+0x62

b66b6cac 80503854 00000000 00000000 00000000 nt!CcPerformReadAhead+0x155

b66b6cec 805c0750 00000001 00000006 01c8ee01 nt!WmipEnterCritSection+0x1e

b66b6d50 8054161c 00000c98 00000001 b66b6d1c nt!IoAssignDriveLetters+0x8c9

b66b6d64 7c90e4f4 badb0d00 0550fad8 b66b6d98 nt!RtlIpv4StringToAddressExW+0x9d

WARNING: Frame IP not in any known module. Following frames may be wrong.

b66b6d78 00000000 00000000 00000000 00000000 0x7c90e4f4

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!_woutput+404

804f9f33 5d pop ebp

 

SYMBOL_STACK_INDEX: 0

 

SYMBOL_NAME: nt!_woutput+404

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

IMAGE_NAME: ntoskrnl.exe

 

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

 

FAILURE_BUCKET_ID: 0xC1_23_nt!_woutput+404

 

BUCKET_ID: 0xC1_23_nt!_woutput+404

 

Followup: MachineOwner

---------

 

1: kd> lmvm nt

start end module name

804d7000 806e4000 nt M (pdb symbols)

C:\WINDOWS\Symbols\exe\ntoskrnl.pdb

Loaded symbol image file: ntoskrnl.exe

Image path: ntoskrnl.exe

Image name: ntoskrnl.exe

Timestamp: Sun Apr 13 11:31:06 2008 (4802516A)

CheckSum: 001F442E

ImageSize: 0020D000

Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

 

 

ERROR 4 DETAILS;

 

 

Event Type: Error

Event Source: System Error

Event Category: (102)

Event ID: 1003

Date: 7/25/2008

Time: 8:33:16 AM

User: N/A

Computer: STEPHEN-DE5B952

Description:

Error code 000000c1, parameter1 8a9d4f00, parameter2 8a9d412e, parameter3

00a90100, parameter4 00000023.

 

Data:

0000: 53 79 73 74 65 6d 20 45 System E

0008: 72 72 6f 72 20 20 45 72 rror Er

0010: 72 6f 72 20 63 6f 64 65 ror code

0018: 20 30 30 30 30 30 30 63 000000c

0020: 31 20 20 50 61 72 61 6d 1 Param

0028: 65 74 65 72 73 20 38 61 eters 8a

0030: 39 64 34 66 30 30 2c 20 9d4f00,

0038: 38 61 39 64 34 31 32 65 8a9d412e

0040: 2c 20 30 30 61 39 30 31 , 00a901

0048: 30 30 2c 20 30 30 30 30 00, 0000

0050: 30 30 32 33 0023

 

Details

Product:

Windows Operating System

ID:

1003

Source:

System Error

Version:

5.2

Symbolic Name:

ER_KRNLCRASH_LOG

Message:

Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5.

 

 

--

Ross McLaughlin

koolaid_51 at yahoo

[Guest Ross]

RE: Multiple save dumps (with debug info)

 

More Info.

I have installed all microsoft updates, except IE7.

Windows Live one care is installed.

Have run CCleaner, & Spybot Search and destroy. They are all updated and

none run on startup except Live one care.

 

The failure has happened at random times as well as whem I'm doing a

virus/spyware scan with any of the tools mentioned.

--

Ross McLaughlin

koolaid_51 at yahoo

 

 

"Ross" wrote:

> Up to this point I have tried to diagnose this problem on my own but I can

> see It's more than I can handle.

> Here is my system info and a log of previous failure reports and bug checks.

> I hope I have done them correctly as I have no experience whatsoever and have

> relied completely on information I could read at Microsoft.

>

> I had a problem with the computer going to blue screen and not restarting

> previously.

> It got so bad that it would not restart at all.

> I used a drive washer and wiped out everything.

> I used my XP Installation disc and reinstalled windows XP.

>

> I thought the problem was solved and now the computer is doing it again.

> I have some theories as to whats wrong but they are uneducated assumptions

> at this point.

>

> Any assistance would be greatly appreciated.

>

> Ross-

>

> (SYSTEM INFO GEERATED WITH BELARC ADVISOR)

>

> Operating System:

> Win. XP Home Edition. Service Pack 3 (Build 2600)

> System Motherboard:

> Gigabyte Technology (P35-DS3L)

> Bus Clock:

> 266 Mhz.

>

> BIOS:

> Award Software Int. Inc. F7 11/29/07

>

> PROCESSOR:

> 2.4 Gigahertz Intel Core2 Quad Q660

>

> DRIVES:

> WDC WD3200AAKS-00B3A0 (Hard Drive)

> STATUS: Healthy

> WDC WD25 00JS-55NCB1 (USB External Device)

> Pioneer DVR-113NP (CD-ROM drive)

>

> MEMORY:

> 3072 Megabytes Installed Memory

> Crucial.com

> CL1118P.TQ

> 97432

> BL12864AA804.8FE5

> (Says "Ballistix" on the ram itself)

> Slot "A0" Has 1024 Mb

> Slot "A1" has 1024 Mb

> Slot "A2" has 1024 Mb

> Slot "A3" is empty

>

> DISPLAY:

> NVIDIA GeForce 8400 GS (display adapter)

> Sceptre X20WG-Naga (moniter)

> Realtek High Definition Auido

>

> COMMUNICATIONS:

> Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC

>

> LOCAL DRIVE VOLUMES:

> C:/ (NTFS on drive 0) 320 GB

> E:/ (FAT32 on drive 1) 250 GB

>

> PRINTERS:

> HP Deskjet 925 on USB

> Microsoft XPS Document writer

> Only one user account (mine)

>

> Using IE 6

> (I have had numerous issues with IE7)

>

> DEBUG INFO:

>

>

> SAVEDUMP INFO 1.

>

> Event Type: Information

> Event Source: Save Dump

> Event Category: None

> Event ID: 1001

> Date: 7/22/2008

> Time: 8:16:23 AM

> User: N/A

> Computer: STEPHEN-DE5B952

> Description:

> The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001a

> (0x00041284, 0x00136001, 0x000006ca, 0xc0883000). A dump was saved in:

> C:\WINDOWS\Minidump\Mini072208-01.dmp.

>

> SAVEDUMP 1 DETAILS;

> Product:

> Windows Operating System

> ID:

> 1001

> Source:

> Save Dump

> Version:

> 5.2

> Symbolic Name:

> EVENT_BUGCHECK_SAVED

> Message:

> The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was

> saved in: %2.

>

> DEBUG INFO FOR SAVEDUMP 1;

>

> Loading Dump File [C:\WINDOWS\Minidump\Mini072208-01.dmp]

> Mini Kernel Dump File: Only registers and stack trace are available

>

> Symbol search path is: C:\WINDOWS\Symbols

> Executable search path is:

> Unable to load image ntoskrnl.exe, Win32 error 0n2

> *** WARNING: Unable to verify timestamp for ntoskrnl.exe

> Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

> compatible

> Product: WinNt, suite: TerminalServer SingleUserTS Personal

> Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

> Debug session time: Tue Jul 22 08:15:38.140 2008 (GMT-7)

> System Uptime: 0 days 6:00:50.734

> Unable to load image ntoskrnl.exe, Win32 error 0n2

> *** WARNING: Unable to verify timestamp for ntoskrnl.exe

> Loading Kernel Symbols

> ....................................................................................................................

> Loading User Symbols

> Loading unloaded module list

>

>

>

> Bugcheck Analysis

>

>

>

>

> Use !analyze -v to get detailed debugging information.

>

> BugCheck 1A, {41284, 136001, 6ca, c0883000}

>

> Probably caused by : ntoskrnl.exe ( nt!_woutput+404 )

>

> Followup: MachineOwner

> ---------

>

> 2: kd> !analyze -v

> *******

> *

> *

> * Bugcheck Analysis

> *

> *

> *

> *******

>

> MEMORY_MANAGEMENT (1a)

> # Any other values for parameter 1 must be individually examined.

> Arguments:

> Arg1: 00041284, A PTE or the working set list is corrupt.

> Arg2: 00136001

> Arg3: 000006ca

> Arg4: c0883000

>

> Debugging Details:

> ------------------

>

>

> BUGCHECK_STR: 0x1a_41284

>

> CUSTOMER_CRASH_COUNT: 1

>

> DEFAULT_BUCKET_ID: DRIVER_FAULT

>

> PROCESS_NAME: GtCC.exe

>

> LAST_CONTROL_TRANSFER: from 80523309 to 804f9f33

>

> STACK_TEXT:

> b5fd3af4 80523309 0000001a 00041284 00136001 nt!_woutput+0x404

> b5fd3b2c 80523b8f 000006ca 00136000 c0600000 nt!MiRemoveMappedPtes+0x88

> b5fd3b60 80523fa8 c00009b0 00136000 00000000

> nt!MiSessionCommitImagePages+0x198

> b5fd3c28 805135b6 00000530 0018ffff 00000000 nt!MmAccessFault+0x17a

> b5fd3c68 805d2706 01b6da18 88b93020 88b93268 nt!MiFlushDirtyBitsToPfn+0x57

> b5fd3d08 805d28c8 00000000 88b93020 00000000 nt!IopRebalance+0x3e0

> b5fd3d28 805d2aa3 88b93020 00000000 b5fd3d64 nt!NtPowerInformation+0x40f

> b5fd3d54 8054161c 00000000 00000000 0006fed0 nt!WmipStartLogger+0xa

> b5fd3d64 7c90e4f4 badb0d00 0006fddc 00000000 nt!RtlIpv4StringToAddressExW+0x9d

> WARNING: Frame IP not in any known module. Following frames may be wrong.

> b5fd3d78 00000000 00000000 00000000 00000000 0x7c90e4f4

>

>

> STACK_COMMAND: kb

>

> FOLLOWUP_IP:

> nt!_woutput+404

> 804f9f33 5d pop ebp

>

> SYMBOL_STACK_INDEX: 0

>

> SYMBOL_NAME: nt!_woutput+404

>

> FOLLOWUP_NAME: MachineOwner

>

> MODULE_NAME: nt

>

> IMAGE_NAME: ntoskrnl.exe

>

> DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

>

> FAILURE_BUCKET_ID: 0x1a_41284_nt!_woutput+404

>

> BUCKET_ID: 0x1a_41284_nt!_woutput+404

>

> Followup: MachineOwner

> ---------

>

> 2: kd> lmvm nt

> start end module name

> 804d7000 806e4000 nt M (pdb symbols)

> C:\WINDOWS\Symbols\exe\ntoskrnl.pdb

> Loaded symbol image file: ntoskrnl.exe

> Image path: ntoskrnl.exe

> Image name: ntoskrnl.exe

> Timestamp: Sun Apr 13 11:31:06 2008 (4802516A)

> CheckSum: 001F442E

> ImageSize: 0020D000

> Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

>

>

> ERROR 1 INFO;

>

> Event Type: Error

> Event Source: System Error

> Event Category: (102)

> Event ID: 1003

> Date: 7/22/2008

> Time: 8:16:45 AM

> User: N/A

> Computer: STEPHEN-DE5B952

> Description:

> Error code 0000001a, parameter1 00041284, parameter2 00136001, parameter3

> 000006ca, parameter4 c0883000.

>

> Data:

> 0000: 53 79 73 74 65 6d 20 45 System E

> 0008: 72 72 6f 72 20 20 45 72 rror Er

> 0010: 72 6f 72 20 63 6f 64 65 ror code

> 0018: 20 30 30 30 30 30 30 31 0000001

> 0020: 61 20 20 50 61 72 61 6d a Param

> 0028: 65 74 65 72 73 20 30 30 eters 00

> 0030: 30 34 31 32 38 34 2c 20 041284,

> 0038: 30 30 31 33 36 30 30 31 00136001

> 0040: 2c 20 30 30 30 30 30 36 , 000006

> 0048: 63 61 2c 20 63 30 38 38 ca, c088

> 0050: 33 30 30 30 3000

>

> ERROR 1 DETAILS;

> Product:

> Windows Operating System

> ID:

> 1003

> Source:

> System Error

> Version:

> 5.2

> Symbolic Name:

> ER_KRNLCRASH_LOG

> Message:

> Error code %1, parameter1 %2, parameter2 %3, parameter3 %4, parameter4 %5.

>

> SAVE DUMP 2 INFO;

>

> Event Type: Information

> Event Source: Save Dump

> Event Category: None

> Event ID: 1001

> Date: 7/22/2008

> Time: 4:15:30 PM

> User: N/A

> Computer: STEPHEN-DE5B952

> Description:

> The computer has rebooted from a bugcheck. The bugcheck was: 0x1000000a

> (0x00000020, 0x00000002, 0x00000000, 0x805153db). A dump was saved in:

> C:\WINDOWS\Minidump\Mini072208-02.dmp.

>

>

> SAVEDUP 2 DETAILS;

> Product:

> Windows Operating System

> ID:

> 1001

> Source:

> Save Dump

> Version:

> 5.2

> Symbolic Name:

> EVENT_BUGCHECK_SAVED

> Message:

> The computer has rebooted from a bugcheck. The bugcheck was: %1. A dump was

> saved in: %2.

>

[Guest Rey Santos]

RE: Multiple save dumps (with debug info)

 

I think there is sometehing wrong:

 

Your Symbol search path is: C:\WINDOWS\Symbols

Your Executable search path is (Image path): Unable to load image

ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

 

I used these:

Symbol search path is:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is Image path): c:\windows\i386

 

At the command prompt I used this:

windbg -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i

c:\windows\i386 -z c:\windows\minidump\Mini072508-01.dmp

(while connected to the internet)

Note: I used here your last dump file.

 

For instructions:

How to read the small memory dump files that Windows creates for debugging

http://support.microsoft.com/kb/315263

 

Tip:

Look for the "Probably caused by:", "MODULE_NAME:" and "IMAGE_NAME:"

headings. This is the program that caused the error. Sometimes when it's a

device driver it means that that device is causing the BSOD and by disabling

Uninstalling) it or updating the driver your system will run stable. If you

don't know what device that name relates to then Google it.

 

 

--

Rey

[Guest Ross]

RE: Multiple save dumps (with debug info)

 

Thank you for the assistance.

I set the parameters in WinDbg like you said but could not get the Command

Prompt to respond to the entries given. I set them up directly in the WinDbg

Program and ran the debug from there. Results are below.

 

Also the system failed to bluescreen three times already today and left no

trace in the system log or the minidump file. Weird...

 

The results show the issue in "win32.sys" I googled like you said and got

varied results but not that directly related to my issue.

 

Thank's again.

 

Ross-

 

Microsoft ® Windows Debugger Version 6.9.0003.113 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072508-02.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

 

Executable search path is: C:\Windows\I386

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt

Built by: 2600.xpsp.080413-2111

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Fri Jul 25 17:02:11.390 2008 (GMT-7)

System Uptime: 0 days 5:05:20.999

Loading Kernel Symbols

....................................................................................................................

Loading User Symbols

Loading unloaded module list

..............

*******************************************************************************

*

*

* Bugcheck Analysis

*

*

*

*******************************************************************************

 

Use !analyze -v to get detailed debugging information.

 

BugCheck C1, {8b488eb8, 8b488816, 390148, 23}

 

Probably caused by : win32k.sys ( win32k!RawInputThread+4f3 )

 

Followup: MachineOwner

---------

 

2: kd> !analyze -v

*******************************************************************************

*

*

* Bugcheck Analysis

*

*

*

*******************************************************************************

 

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)

Special pool has detected memory corruption. Typically the current thread's

stack backtrace will reveal the guilty party.

Arguments:

Arg1: 8b488eb8, address trying to free

Arg2: 8b488816, address where bits are corrupted

Arg3: 00390148, (reserved)

Arg4: 00000023, caller is freeing an address where nearby bytes within the

same page have been corrupted

 

Debugging Details:

------------------

 

 

BUGCHECK_STR: 0xC1_23

 

SPECIAL_POOL_CORRUPTION_TYPE: 23

 

CUSTOMER_CRASH_COUNT: 2

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33

 

STACK_TEXT:

baaf7944 8066dd94 000000c1 8b488eb8 8b488816 nt!KeBugCheckEx+0x1b

baaf7990 8054b32a 8b488eb8 baaf7a13 88bea358 nt!MmFreeSpecialPool+0x2f4

baaf79d0 8065f1f6 8b488eb8 00000000 8065f391 nt!ExFreePoolWithTag+0x4a

baaf79dc 8065f391 8b488ef8 8b488eb8 00000000 nt!VfIrpFree+0xc

baaf79f8 80658071 8a1feda8 8a1feddc baaf7a14 nt!VerifierIoFreeIrp+0x129

baaf7a08 8057ede9 8b488eb8 baaf7a64 804ff896 nt!IovFreeIrpPrivate+0x41

baaf7a14 804ff896 8b488ef8 baaf7a60 baaf7a54 nt!IopUserCompletion+0x11

baaf7a64 80503854 00000000 00000000 00000000 nt!KiDeliverApc+0x106

baaf7a7c 804fad88 80500254 00000001 00000000 nt!KiSwapThread+0xa8

baaf7ab4 bf89fcb5 00000007 8a2dc108 00000001 nt!KeWaitForMultipleObjects+0x284

baaf7d30 bf884705 baac7490 00000002 baaf7d54 win32k!RawInputThread+0x4f3

baaf7d40 bf80110a baac7490 baaf7d64 006efff4

win32k!xxxCreateSystemThreads+0x60

baaf7d54 8054161c 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23

baaf7d54 7c90e4f4 00000000 00000022 00000000 nt!KiFastCallEntry+0xfc

WARNING: Frame IP not in any known module. Following frames may be wrong.

00000000 00000000 00000000 00000000 00000000 0x7c90e4f4

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

win32k!RawInputThread+4f3

bf89fcb5 391df0b29abf cmp dword ptr [win32k!gdwUpdateKeyboard

(bf9ab2f0)],ebx

 

SYMBOL_STACK_INDEX: a

 

SYMBOL_NAME: win32k!RawInputThread+4f3

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: win32k

 

IMAGE_NAME: win32k.sys

 

DEBUG_FLR_IMAGE_TIMESTAMP: 48025f2a

 

FAILURE_BUCKET_ID: 0xC1_23_win32k!RawInputThread+4f3

 

BUCKET_ID: 0xC1_23_win32k!RawInputThread+4f3

 

Followup: MachineOwner

---------

 

2: kd> lmvm win32k

start end module name

bf800000 bf9c2980 win32k # (pdb symbols)

c:\symbols\win32k.pdb\B8354F59A2A341179030B80ACC7969972\win32k.pdb

Loaded symbol image file: win32k.sys

Mapped memory image file: c:\symbols\win32k.sys\48025F2A1c2980\win32k.sys

Image path: \SystemRoot\System32\win32k.sys

Image name: win32k.sys

Timestamp: Sun Apr 13 12:29:46 2008 (48025F2A)

CheckSum: 001CC002

ImageSize: 001C2980

File version: 5.1.2600.5512

Product version: 5.1.2600.5512

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 3.7 Driver

File date: 00000000.00000000

Translations: 0405.04b0

CompanyName: Microsoft Corporation

ProductName: Operační systém Microsoft® Windows®

InternalName: win32k.sys

OriginalFilename: win32k.sys

ProductVersion: 5.1.2600.5512

FileVersion: 5.1.2600.5512 (xpsp.080413-2105)

FileDescription: Multi-User Win32 Driver

LegalCopyright: © Microsoft Corporation. Všechna práva vyhrazena.

 

 

--

Ross McLaughlin

koolaid_51 at yahoo

 

 

"Rey Santos" wrote:

> I think there is sometehing wrong:

>

> Your Symbol search path is: C:\WINDOWS\Symbols

> Your Executable search path is (Image path): Unable to load image

> ntoskrnl.exe, Win32 error 0n2

> *** WARNING: Unable to verify timestamp for ntoskrnl.exe

>

> I used these:

> Symbol search path is:

> srv*c:\symbols*http://msdl.microsoft.com/download/symbols

> Executable search path is Image path): c:\windows\i386

>

> At the command prompt I used this:

> windbg -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i

> c:\windows\i386 -z c:\windows\minidump\Mini072508-01.dmp

> (while connected to the internet)

> Note: I used here your last dump file.

>

> For instructions:

> How to read the small memory dump files that Windows creates for debugging

> http://support.microsoft.com/kb/315263

>

> Tip:

> Look for the "Probably caused by:", "MODULE_NAME:" and "IMAGE_NAME:"

> headings. This is the program that caused the error. Sometimes when it's a

> device driver it means that that device is causing the BSOD and by disabling

> Uninstalling) it or updating the driver your system will run stable. If you

> don't know what device that name relates to then Google it.

>

>

> --

> Rey

>

>

>

[Guest Ross]

RE: Multiple save dumps (with debug info)

 

I also did repair one problem on Friday.

 

I went back to the users manual for my motherboard and read it from cover to

cover. In the product specifications I noticed a note that stated: "To enable

hot plug capability for the SATA connectors (SATAll0, SATAll1, SATAll4,

SATAll5) controlled by the ICH9 South Bridge, you must install Windows Vista

(on ICH9, hot plug is supported in windows vista only) and configure the SATA

connectors for AHCI mode."

 

I went into the BIOS and remidied the problem for windows XP by "Enableing

the SATA controllers to operate in native IDE mode as per the motherboard

instructions. This was the only problem I found going thru all the user

manuals for the system.

 

Then today it Blue screened 4 times now and wont leave any minidump info, or

any info in the system log.

 

Thank's again

Ross-

 

Here are all 6 minidumps prior to today:

 

#1 Savedump:

 

Microsoft ® Windows Debugger Version 6.9.0003.113 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072208-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

 

Executable search path is: C:\Windows\I386

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Built by: 2600.xpsp.080413-2111

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Tue Jul 22 08:15:38.140 2008 (GMT-7)

System Uptime: 0 days 6:00:50.734

Loading Kernel Symbols

...

Loading User Symbols

Loading unloaded module list

...

*

*

*

* Bugcheck Analysis

*

*

*

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 1A, {41284, 136001, 6ca, c0883000}

 

Probably caused by : memory_corruption ( nt!MiLocateWsle+c1 )

 

Followup: MachineOwner

 

2: kd> !analyze -v

**

*

*

* Bugcheck Analysis

*

*

*

*

 

MEMORY_MANAGEMENT (1a)

# Any other values for parameter 1 must be individually examined.

Arguments:

Arg1: 00041284, A PTE or the working set list is corrupt.

Arg2: 00136001

Arg3: 000006ca

Arg4: c0883000

 

Debugging Details:

 

 

 

BUGCHECK_STR: 0x1a_41284

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

PROCESS_NAME: GtCC.exe

 

LAST_CONTROL_TRANSFER: from 80523309 to 804f9f33

 

STACK_TEXT:

b5fd3af4 80523309 0000001a 00041284 00136001 nt!KeBugCheckEx+0x1b

b5fd3b2c 80523b8f 000006ca 00136000 c0600000 nt!MiLocateWsle+0xc1

b5fd3b60 80523fa8 c00009b0 00136000 00000000 nt!MiDeletePte+0x1fd

b5fd3c28 805135b6 00000530 0018ffff 00000000 nt!MiDeleteVirtualAddresses+0x164

b5fd3c68 805d2706 01b6da18 88b93020 88b93268

nt!MmCleanProcessAddressSpace+0x262

b5fd3d08 805d28c8 00000000 88b93020 00000000 nt!PspExitThread+0x680

b5fd3d28 805d2aa3 88b93020 00000000 b5fd3d64

nt!PspTerminateThreadByPointer+0x52

b5fd3d54 8054161c 00000000 00000000 0006fed0 nt!NtTerminateProcess+0x105

b5fd3d54 7c90e4f4 00000000 00000000 0006fed0 nt!KiFastCallEntry+0xfc

WARNING: Frame IP not in any known module. Following frames may be wrong.

0006fed0 00000000 00000000 00000000 00000000 0x7c90e4f4

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!MiLocateWsle+c1

80523309 2b45f0 sub eax,dword ptr [ebp-10h]

 

SYMBOL_STACK_INDEX: 1

 

SYMBOL_NAME: nt!MiLocateWsle+c1

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

 

IMAGE_NAME: memory_corruption

 

FAILURE_BUCKET_ID: 0x1a_41284_nt!MiLocateWsle+c1

 

BUCKET_ID: 0x1a_41284_nt!MiLocateWsle+c1

 

Followup: MachineOwner

 

2: kd> lmvm nt

start end module name

804d7000 806e4000 nt # (pdb symbols)

c:\symbols\ntkrpamp.pdb\7D6290E03E32455BB0E035E38816124F1\ntkrpamp.pdb

Loaded symbol image file: ntkrpamp.exe

Mapped memory image file:

c:\symbols\ntkrpamp.exe\4802516A20d000\ntkrpamp.exe

Image path: ntkrpamp.exe

Image name: ntkrpamp.exe

Timestamp: Sun Apr 13 11:31:06 2008 (4802516A)

CheckSum: 001F442E

ImageSize: 0020D000

File version: 5.1.2600.5512

Product version: 5.1.2600.5512

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 1.0 App

File date: 00000000.00000000

Translations: 040c.04b0

CompanyName: Microsoft Corporation

ProductName: Système d'exploitation Microsoft® Windows®

InternalName: ntkrpamp.exe

OriginalFilename: ntkrpamp.exe

ProductVersion: 5.1.2600.5512

FileVersion: 5.1.2600.5512 (xpsp.080413-2111)

FileDescription: Noyau et système NT

LegalCopyright: © Microsoft Corporation. Tous droits réservés.

 

 

 

 

 

 

#2 Savedump:

 

Microsoft ® Windows Debugger Version 6.9.0003.113 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072208-02.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

 

Executable search path is: C:\Windows\I386

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Built by: 2600.xpsp.080413-2111

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Tue Jul 22 16:14:41.203 2008 (GMT-7)

System Uptime: 0 days 7:58:33.172

Loading Kernel Symbols

...

Loading User Symbols

Loading unloaded module list

 

*

*

*

* Bugcheck Analysis

*

*

*

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 1000000A, {20, 2, 0, 805153db}

 

Probably caused by : memory_corruption ( nt!MiResolveMappedFileFault+37 )

 

Followup: MachineOwner

 

0: kd> !analyze -v

**

*

*

* Bugcheck Analysis

*

*

*

 

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: 00000020, memory referenced

Arg2: 00000002, IRQL

Arg3: 00000000, bitfield :

bit 0 : value 0 = read operation, 1 = write operation

bit 3 : value 0 = not an execute operation, 1 = execute operation (only on

chips which support this level of status)

Arg4: 805153db, address which referenced memory

 

Debugging Details:

 

 

 

READ_ADDRESS: 00000020

 

CURRENT_IRQL: 2

 

FAULTING_IP:

nt!MiResolveMappedFileFault+37

805153db 8b4320 mov eax,dword ptr [ebx+20h]

 

CUSTOMER_CRASH_COUNT: 2

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

BUGCHECK_STR: 0xA

 

PROCESS_NAME: System

 

LAST_CONTROL_TRANSFER: from 80516349 to 805153db

 

STACK_TEXT:

bacf7af0 80516349 c5021000 e4abd308 bacf7bb4 nt!MiResolveMappedFileFault+0x37

bacf7b34 8051650f 00000000 c5021000 c0628108 nt!MiResolveProtoPteFault+0x195

bacf7bb8 80520239 e4abd308 c5021000 c0628108 nt!MiDispatchFault+0xf1

bacf7c24 8051b061 00000000 c5021000 00000000 nt!MmAccessFault+0x877

bacf7c84 804e1ac9 c5021000 00000000 80559698 nt!MmCheckCachedPageState+0x601

bacf7d34 804e70ec 8a5360a8 80564820 8a536398 nt!CcPerformReadAhead+0x20b

bacf7d7c 8053876d 8a5360a8 00000000 8a536398 nt!CcWorkerThread+0x150

bacf7dac 805cff64 8a5360a8 00000000 00000000 nt!ExpWorkerThread+0xef

bacf7ddc 805460de 8053867e 00000000 00000000 nt!PspSystemThreadStartup+0x34

00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!MiResolveMappedFileFault+37

805153db 8b4320 mov eax,dword ptr [ebx+20h]

 

SYMBOL_STACK_INDEX: 0

 

SYMBOL_NAME: nt!MiResolveMappedFileFault+37

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

 

IMAGE_NAME: memory_corruption

 

FAILURE_BUCKET_ID: 0xA_nt!MiResolveMappedFileFault+37

 

BUCKET_ID: 0xA_nt!MiResolveMappedFileFault+37

 

Followup: MachineOwner

 

 

0: kd> lmvm nt

start end module name

804d7000 806e4000 nt # (pdb symbols)

c:\symbols\ntkrpamp.pdb\7D6290E03E32455BB0E035E38816124F1\ntkrpamp.pdb

Loaded symbol image file: ntkrpamp.exe

Mapped memory image file:

c:\symbols\ntkrpamp.exe\4802516A20d000\ntkrpamp.exe

Image path: ntkrpamp.exe

Image name: ntkrpamp.exe

Timestamp: Sun Apr 13 11:31:06 2008 (4802516A)

CheckSum: 001F442E

ImageSize: 0020D000

File version: 5.1.2600.5512

Product version: 5.1.2600.5512

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 1.0 App

File date: 00000000.00000000

Translations: 040c.04b0

CompanyName: Microsoft Corporation

ProductName: Système d'exploitation Microsoft® Windows®

InternalName: ntkrpamp.exe

OriginalFilename: ntkrpamp.exe

ProductVersion: 5.1.2600.5512

FileVersion: 5.1.2600.5512 (xpsp.080413-2111)

FileDescription: Noyau et système NT

LegalCopyright: © Microsoft Corporation. Tous droits réservés.

 

 

 

#3 Savedump:

 

Microsoft ® Windows Debugger Version 6.9.0003.113 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072208-03.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

 

Executable search path is: C:\Windows\I386

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Built by: 2600.xpsp.080413-2111

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Tue Jul 22 19:01:11.453 2008 (GMT-7)

System Uptime: 0 days 2:46:00.076

Loading Kernel Symbols

 

Loading User Symbols

Loading unloaded module list

*

*

* Bugcheck Analysis

*

*

*

 

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 100000D1, {4, 2, 1, b65e7625}

 

Probably caused by : afd.sys ( afd!AfdIndicatePollEventReal+d6 )

 

Followup: MachineOwner

 

 

1: kd> !analyze -v

*

*

*

* Bugcheck Analysis

*

*

*

 

 

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: 00000004, memory referenced

Arg2: 00000002, IRQL

Arg3: 00000001, value 0 = read operation, 1 = write operation

Arg4: b65e7625, address which referenced memory

 

Debugging Details:

 

 

WRITE_ADDRESS: 00000004

 

CURRENT_IRQL: 2

 

FAULTING_IP:

afd!AfdIndicatePollEventReal+d6

b65e7625 894804 mov dword ptr [eax+4],ecx

 

CUSTOMER_CRASH_COUNT: 3

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

BUGCHECK_STR: 0xD1

 

PROCESS_NAME: System

 

LAST_CONTROL_TRANSFER: from b65f29fd to b65e7625

 

STACK_TEXT:

bad038cc b65f29fd 88c53640 00000001 00000000 afd!AfdIndicatePollEventReal+0xd6

88987ed0 0169fc18 000004f0 00000102 0169fc2c

afd!AfdReceiveDatagramEventHandler+0x334

WARNING: Frame IP not in any known module. Following frames may be wrong.

88987f00 00000000 00000000 00000000 8a4e5100 0x169fc18

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

afd!AfdIndicatePollEventReal+d6

b65e7625 894804 mov dword ptr [eax+4],ecx

 

SYMBOL_STACK_INDEX: 0

 

SYMBOL_NAME: afd!AfdIndicatePollEventReal+d6

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: afd

 

IMAGE_NAME: afd.sys

 

DEBUG_FLR_IMAGE_TIMESTAMP: 485b9717

 

FAILURE_BUCKET_ID: 0xD1_W_afd!AfdIndicatePollEventReal+d6

 

BUCKET_ID: 0xD1_W_afd!AfdIndicatePollEventReal+d6

 

Followup: MachineOwner

 

 

1: kd> lmvm afd

start end module name

b65e7000 b6608d00 afd (pdb symbols)

c:\symbols\afd.pdb\491744C6AD9046AC93AF268B8A1A492D2\afd.pdb

Loaded symbol image file: afd.sys

Mapped memory image file: c:\symbols\afd.sys\485B971721d00\afd.sys

Image path: afd.sys

Image name: afd.sys

Timestamp: Fri Jun 20 04:40:07 2008 (485B9717)

CheckSum: 0002B10D

ImageSize: 00021D00

File version: 5.1.2600.5625

Product version: 5.1.2600.5625

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 3.7 Driver

File date: 00000000.00000000

Translations: 0409.04b0

CompanyName: Microsoft Corporation

ProductName: Microsoft® Windows® Operating System

InternalName: afd.sys

OriginalFilename: afd.sys

ProductVersion: 5.1.2600.5625

FileVersion: 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)

FileDescription: Ancillary Function Driver for WinSock

LegalCopyright: © Microsoft Corporation. All rights reserved.

 

 

#4 Savedump:

 

Microsoft ® Windows Debugger Version 6.9.0003.113 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072408-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

 

Executable search path is: C:\Windows\I386

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Built by: 2600.xpsp.080413-2111

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Thu Jul 24 21:43:09.953 2008 (GMT-7)

System Uptime: 0 days 14:24:45.922

Loading Kernel Symbols

 

Loading User Symbols

Loading unloaded module list

 

 

**

*

*

* Bugcheck Analysis

*

*

*

**

**

 

Use !analyze -v to get detailed debugging information.

 

BugCheck C1, {8bb6ee28, 8bb6e7b6, d101d8, 23}

 

Probably caused by : memory_corruption ( nt!MmFreeSpecialPool+2f4 )

 

Followup: MachineOwner

--

 

3: kd> !analyze -v

**

**

*

*

* Bugcheck Analysis

*

*

*

**

**

 

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)

Special pool has detected memory corruption. Typically the current thread's

stack backtrace will reveal the guilty party.

Arguments:

Arg1: 8bb6ee28, address trying to free

Arg2: 8bb6e7b6, address where bits are corrupted

Arg3: 00d101d8, (reserved)

Arg4: 00000023, caller is freeing an address where nearby bytes within the

same page have been corrupted

 

Debugging Details:

--

 

 

BUGCHECK_STR: 0xC1_23

 

SPECIAL_POOL_CORRUPTION_TYPE: 23

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

PROCESS_NAME: winlogon.exe

 

IRP_ADDRESS: 8bb6ee28

 

LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33

 

STACK_TEXT:

b70f7804 8066dd94 000000c1 8bb6ee28 8bb6e7b6 nt!KeBugCheckEx+0x1b

b70f7850 8054b32a 8bb6ee28 b70f78d3 88b3beb8 nt!MmFreeSpecialPool+0x2f4

b70f7890 8065f1f6 8bb6ee28 00000000 8065f391 nt!ExFreePoolWithTag+0x4a

b70f789c 8065f391 8a3894b0 8bb6ee28 00000000 nt!VfIrpFree+0xc

b70f78b8 80658071 00000000 8bb6ee28 b70f791c nt!VerifierIoFreeIrp+0x129

b70f78c8 804f4e35 8bb6ee28 8bb6ee68 899a25c8 nt!IovFreeIrpPrivate+0x41

b70f791c 804ff843 8bb6ee68 b70f7968 b70f795c nt!IopCompleteRequest+0x319

b70f796c 80503854 00000000 00000000 00000000 nt!KiDeliverApc+0xb3

b70f7984 804fad88 899a25c8 00000040 000000fc nt!KiSwapThread+0xa8

b70f79bc 805c0a37 00000040 b70f7bf0 00000001 nt!KeWaitForMultipleObjects+0x284

b70f7d48 8054161c 00000040 00eb6e60 00000001 nt!NtWaitForMultipleObjects+0x297

b70f7d48 7c90e4f4 00000040 00eb6e60 00000001 nt!KiFastCallEntry+0xfc

WARNING: Frame IP not in any known module. Following frames may be wrong.

00d2ffb4 00000000 00000000 00000000 00000000 0x7c90e4f4

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!MmFreeSpecialPool+2f4

8066dd94 8b4708 mov eax,dword ptr [edi+8]

 

SYMBOL_STACK_INDEX: 1

 

SYMBOL_NAME: nt!MmFreeSpecialPool+2f4

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

 

IMAGE_NAME: memory_corruption

 

FAILURE_BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2f4

 

BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2f4

 

Followup: MachineOwner

--

 

3: kd> lmvm nt

start end module name

804d7000 806e4000 nt # (pdb symbols)

c:\symbols\ntkrpamp.pdb\7D6290E03E32455BB0E035E38816124F1\ntkrpamp.pdb

Loaded symbol image file: ntkrpamp.exe

Mapped memory image file:

c:\symbols\ntkrpamp.exe\4802516A20d000\ntkrpamp.exe

Image path: ntkrpamp.exe

Image name: ntkrpamp.exe

Timestamp: Sun Apr 13 11:31:06 2008 (4802516A)

CheckSum: 001F442E

ImageSize: 0020D000

File version: 5.1.2600.5512

Product version: 5.1.2600.5512

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 1.0 App

File date: 00000000.00000000

Translations: 040c.04b0

CompanyName: Microsoft Corporation

ProductName: Système d'exploitation Microsoft® Windows®

InternalName: ntkrpamp.exe

OriginalFilename: ntkrpamp.exe

ProductVersion: 5.1.2600.5512

FileVersion: 5.1.2600.5512 (xpsp.080413-2111)

FileDescription: Noyau et système NT

LegalCopyright: © Microsoft Corporation. Tous droits réservés.

 

#5 Savedump:

 

Microsoft ® Windows Debugger Version 6.9.0003.113 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072508-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

 

Executable search path is: C:\Windows\I386

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt, suite: TerminalServer SingleUserTS Personal

Built by: 2600.xpsp.080413-2111

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Fri Jul 25 07:55:33.031 2008 (GMT-7)

System Uptime: 0 days 9:13:19.626

Loading Kernel Symbols

...

Loading User Symbols

Loading unloaded module list

...

**

*

*

*

* Bugcheck Analysis

*

*

*

**

***

 

Use !analyze -v to get detailed debugging information.

 

BugCheck C1, {8a9d4f00, 8a9d412e, a90100, 23}

 

Probably caused by : memory_corruption ( nt!MmFreeSpecialPool+2f4 )

 

Followup: MachineOwner

--

 

1: kd> !analyze -v

**

**

*

*

* Bugcheck Analysis

*

*

*

**

**

 

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)

Special pool has detected memory corruption. Typically the current thread's

stack backtrace will reveal the guilty party.

Arguments:

Arg1: 8a9d4f00, address trying to free

Arg2: 8a9d412e, address where bits are corrupted

Arg3: 00a90100, (reserved)

Arg4: 00000023, caller is freeing an address where nearby bytes within the

same page have been corrupted

 

Debugging Details:

--

 

 

BUGCHECK_STR: 0xC1_23

 

SPECIAL_POOL_CORRUPTION_TYPE: 23

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

PROCESS_NAME: winss.exe

 

IRP_ADDRESS: 8a9d4f00

 

LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33

 

STACK_TEXT:

b66b6b44 8066dd94 000000c1 8a9d4f00 8a9d412e nt!KeBugCheckEx+0x1b

b66b6b90 8054b32a 8a9d4f00 b66b6c13 884b4008 nt!MmFreeSpecialPool+0x2f4

b66b6bd0 8065f1f6 8a9d4f00 00000000 8065f391 nt!ExFreePoolWithTag+0x4a

b66b6bdc 8065f391 8993fee8 8a9d4f00 00000000 nt!VfIrpFree+0xc

b66b6bf8 80658071 00000000 8a9d4f00 b66b6c5c nt!VerifierIoFreeIrp+0x129

b66b6c08 804f4e35 8a9d4f00 8a9d4f40 88dbf598 nt!IovFreeIrpPrivate+0x41

b66b6c5c 804ff843 8a9d4f40 b66b6ca8 b66b6c9c nt!IopCompleteRequest+0x319

b66b6cac 80503854 00000000 00000000 00000000 nt!KiDeliverApc+0xb3

b66b6cc4 804fb068 00000000 b66b6d1c 00000000 nt!KiSwapThread+0xa8

b66b6cec 805c0750 00000001 00000006 01c8ee01 nt!KeWaitForSingleObject+0x1c2

b66b6d50 8054161c 00000c98 00000001 b66b6d1c nt!NtWaitForSingleObject+0x9a

b66b6d50 7c90e4f4 00000c98 00000001 b66b6d1c nt!KiFastCallEntry+0xfc

WARNING: Frame IP not in any known module. Following frames may be wrong.

0550fb0c 00000000 00000000 00000000 00000000 0x7c90e4f4

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!MmFreeSpecialPool+2f4

8066dd94 8b4708 mov eax,dword ptr [edi+8]

 

SYMBOL_STACK_INDEX: 1

 

SYMBOL_NAME: nt!MmFreeSpecialPool+2f4

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a

 

IMAGE_NAME: memory_corruption

 

FAILURE_BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2f4

 

BUCKET_ID: 0xC1_23_nt!MmFreeSpecialPool+2f4

 

Followup: MachineOwner

---------

 

1: kd> lmvm nt

start end module name

804d7000 806e4000 nt # (pdb symbols)

c:\symbols\ntkrpamp.pdb\7D6290E03E32455BB0E035E38816124F1\ntkrpamp.pdb

Loaded symbol image file: ntkrpamp.exe

Mapped memory image file:

c:\symbols\ntkrpamp.exe\4802516A20d000\ntkrpamp.exe

Image path: ntkrpamp.exe

Image name: ntkrpamp.exe

Timestamp: Sun Apr 13 11:31:06 2008 (4802516A)

CheckSum: 001F442E

ImageSize: 0020D000

File version: 5.1.2600.5512

Product version: 5.1.2600.5512

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 1.0 App

File date: 00000000.00000000

Translations: 040c.04b0

CompanyName: Microsoft Corporation

ProductName: Système d'exploitation Microsoft® Windows®

InternalName: ntkrpamp.exe

OriginalFilename: ntkrpamp.exe

ProductVersion: 5.1.2600.5512

FileVersion: 5.1.2600.5512 (xpsp.080413-2111)

FileDescription: Noyau et système NT

LegalCopyright: © Microsoft Corporation. Tous droits réservés.

 

 

#6 Savedump:

 

Microsoft ® Windows Debugger Version 6.9.0003.113 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\WINDOWS\Minidump\Mini072508-02.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

srv*c:\symbols*http://msdl.microsoft.com/download/symbols

 

Executable search path is: C:\Windows\I386

Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86

compatible

Product: WinNt

Built by: 2600.xpsp.080413-2111

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Fri Jul 25 17:02:11.390 2008 (GMT-7)

System Uptime: 0 days 5:05:20.999

Loading Kernel Symbols

...

Loading User Symbols

Loading unloaded module list

 

*****

****

*

*

* Bugcheck Analysis

*

*

*

****

*****

 

Use !analyze -v to get detailed debugging information.

 

BugCheck C1, {8b488eb8, 8b488816, 390148, 23}

 

Probably caused by : win32k.sys ( win32k!RawInputThread+4f3 )

 

Followup: MachineOwner

---------

 

2: kd> !analyze -v

*****

*****

*

*

* Bugcheck Analysis

*

*

*

*******

 

SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION (c1)

Special pool has detected memory corruption. Typically the current thread's

stack backtrace will reveal the guilty party.

Arguments:

Arg1: 8b488eb8, address trying to free

Arg2: 8b488816, address where bits are corrupted

Arg3: 00390148, (reserved)

Arg4: 00000023, caller is freeing an address where nearby bytes within the

same page have been corrupted

 

Debugging Details:

 

 

 

BUGCHECK_STR: 0xC1_23

 

SPECIAL_POOL_CORRUPTION_TYPE: 23

 

CUSTOMER_CRASH_COUNT: 2

 

DEFAULT_BUCKET_ID: DRIVER_FAULT

 

LAST_CONTROL_TRANSFER: from 8066dd94 to 804f9f33

 

STACK_TEXT:

baaf7944 8066dd94 000000c1 8b488eb8 8b488816 nt!KeBugCheckEx+0x1b

baaf7990 8054b32a 8b488eb8 baaf7a13 88bea358 nt!MmFreeSpecialPool+0x2f4

baaf79d0 8065f1f6 8b488eb8 00000000 8065f391 nt!ExFreePoolWithTag+0x4a

baaf79dc 8065f391 8b488ef8 8b488eb8 00000000 nt!VfIrpFree+0xc

baaf79f8 80658071 8a1feda8 8a1feddc baaf7a14 nt!VerifierIoFreeIrp+0x129

baaf7a08 8057ede9 8b488eb8 baaf7a64 804ff896 nt!IovFreeIrpPrivate+0x41

baaf7a14 804ff896 8b488ef8 baaf7a60 baaf7a54 nt!IopUserCompletion+0x11

baaf7a64 80503854 00000000 00000000 00000000 nt!KiDeliverApc+0x106

baaf7a7c 804fad88 80500254 00000001 00000000 nt!KiSwapThread+0xa8

baaf7ab4 bf89fcb5 00000007 8a2dc108 00000001 nt!KeWaitForMultipleObjects+0x284

baaf7d30 bf884705 baac7490 00000002 baaf7d54 win32k!RawInputThread+0x4f3

baaf7d40 bf80110a baac7490 baaf7d64 006efff4

win32k!xxxCreateSystemThreads+0x60

baaf7d54 8054161c 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23

baaf7d54 7c90e4f4 00000000 00000022 00000000 nt!KiFastCallEntry+0xfc

WARNING: Frame IP not in any known module. Following frames may be wrong.

00000000 00000000 00000000 00000000 00000000 0x7c90e4f4

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

win32k!RawInputThread+4f3

bf89fcb5 391df0b29abf cmp dword ptr [win32k!gdwUpdateKeyboard

(bf9ab2f0)],ebx

 

SYMBOL_STACK_INDEX: a

 

SYMBOL_NAME: win32k!RawInputThread+4f3

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: win32k

 

IMAGE_NAME: win32k.sys

 

DEBUG_FLR_IMAGE_TIMESTAMP: 48025f2a

 

FAILURE_BUCKET_ID: 0xC1_23_win32k!RawInputThread+4f3

 

BUCKET_ID: 0xC1_23_win32k!RawInputThread+4f3

 

Followup: MachineOwner

 

 

2: kd> lmvm win32k

start end module name

bf800000 bf9c2980 win32k # (pdb symbols)

c:\symbols\win32k.pdb\B8354F59A2A341179030B80ACC7969972\win32k.pdb

Loaded symbol image file: win32k.sys

Mapped memory image file: c:\symbols\win32k.sys\48025F2A1c2980\win32k.sys

Image path: \SystemRoot\System32\win32k.sys

Image name: win32k.sys

Timestamp: Sun Apr 13 12:29:46 2008 (48025F2A)

CheckSum: 001CC002

ImageSize: 001C2980

File version: 5.1.2600.5512

Product version: 5.1.2600.5512

File flags: 0 (Mask 3F)

File OS: 40004 NT Win32

File type: 3.7 Driver

File date: 00000000.00000000

Translations: 0405.04b0

CompanyName: Microsoft Corporation

ProductName: Operační systém Microsoft® Windows®

InternalName: win32k.sys

OriginalFilename: win32k.sys

ProductVersion: 5.1.2600.5512

FileVersion: 5.1.2600.5512 (xpsp.080413-2105)

FileDescription: Multi-User Win32 Driver

LegalCopyright: © Microsoft Corporation. Všechna práva vyhrazena.