# Sticky: BSOD Kernel Dump Analysis - Discussion



## jcgriff2

For an excellent tutorial on getting started with BSOD Kernel Memory Dump Debugging, see POST #12

This is a discussion thread on debugging and analyzing Blue Screen of Death (BSOD) Kernel Memory Dumps.

All comments and questions are welcome - simply submit a reply post.

If you are seeking help for BSODs, please see --> BSOD Posting Instructions


Thank you all for your input.

Kind Regards. . .

jcgriff2



----------



## jcgriff2

I have received > 1,000 PMs and emails about Blue Screen View. The following is my professional and personal opinion on the product.

I believe that Blue Screen View is a very good product; however, it most often misses the very obvious and tell-tale signs that one sees in the debugger. Granted, most times these "obvious" signs that are obvious to me may be considered "buried" and not-so-obvious to others.

Bottom line, you cannot always rely on the line "Probably caused by", especially when it is encircled by other driver names. *I am specifically referring to those dumps that give up Microsoft drivers as the probable cause, which in 99% of the cases is simply not true* - this goes for BlueScreenView or the Windows Debugger.

One of my earliest tests of BlueScreenView - Caused By Driver : ntoskrnl.exe (NT).

BlueScreenView gave the blame to NT because it was the last on the stack - *nt!*



Code:


STACK_TEXT:  (edited)
00000000`00000000 : nt!PfFbLogEntryComplet
fffffa80`0907ab60 : nt!PfFileInfoNotify+0x
fffffa60`099ff430 : fileinfo!FIStreamLog+0
fffffa60`099ff430 : fileinfo!FIStreamSetFi
00000000`00003bd2 : fileinfo!FIStreamGetIn
00000000`00000000 : fileinfo!FIPostCreateC
fffffa80`07518b30 : fltmgr!FltpPerformPost
fffffa60`099ff620 : fltmgr!FltpLegacyProce
00000000`00000000 : fltmgr!FltpCreate+0x25
00000000`00000000 : AVGIDSFilter+0x54f0
fffffa80`04d64820 : 0x801
00000000`00000005 : 0x300
fffffa80`08ec2940 : 0xfffffa80`08ec2940


Windbg = Probably caused by : fileinfo.sys

Windbg gave p/cause to fileinfo.sys because it is the last subordinate MS driver to *nt!*

Both BlueScreenView and the Microsoft WHDC debugger were incorrect in the "probable cause" that each named, but Windbg came much closer to actual. Remember that we are given a _probable_ cause - not the _actual_ cause of a system crash.

Please don't get me wrong - I think Blue Screen View has done a great initial job. Like all software products, there is room for improvement; hence the reason they have asked for feedback. I wish that I could write an app that came close to BlueScreenView. I give the author(s) an A+ for initiative.

What I hate to see is someone using BlueScreenView and posting the results of 25 dumps all showing the NT Kernel (or other Microsoft driver) as the cause of the BSODs and considering it to be Gospel. NT may show up as the probable cause more often than any other; however --> Never happen. Not in a genuine Windows OS system. 

What do you believe the cause of the crash to be? I have attached the dump, my Windbg log (partial) and the Blue Screen View HTML file.

WHDC/ WDK Debugging Tools For Windows --> http://www.microsoft.com/whdc/devtools/debugging/default.mspx

*PLEASE - feel free to comment in any manner in which you see fit.*

Regards. . .

jcgriff2



----------



## DT Roberts

Very interesting... I've never heard of *Blue Screen View* to be honest. I'm definitely more biased toward *WinDbg*; I've been using it since I started. But, yes, blaming *nt* is definitely misleading. It does put the information in a pretty nice interface, but it's not completely accurate.

*WinDbg* names *fileinfo.sys* as the probable cause, which is a driver that comes preloaded with the OS. I always look to the stack text for more information:


Code:


fffffa60`099fdf88 fffff800`020a33ee nt!KeBugCheckEx
fffffa60`099fdf90 fffff800`020a2dbc nt!KiBugCheckDispatch+0x6e
fffffa60`099fe0d0 fffff800`020b69cd nt!KiSystemServiceHandler+0x7c
fffffa60`099fe110 fffff800`020bdfef nt!RtlpExecuteHandlerForException+0xd
fffffa60`099fe140 fffff800`0207bda3 nt!RtlDispatchException+0x22f
fffffa60`099fe830 fffff800`020a34a9 nt!KiDispatchException+0xc3
fffffa60`099fee30 fffff800`020a22a5 nt!KiExceptionDispatch+0xa9
fffffa60`099ff010 fffff800`0213bdb9 nt!KiPageFault+0x1e5
fffffa60`099ff1a0 fffff800`021719b4 nt!PfFbLogEntryComplete+0x9
fffffa60`099ff1d0 fffffa60`00a5b4f9 nt!PfFileInfoNotify+0x654
fffffa60`099ff250 fffffa60`00a5bb2c fileinfo!FIStreamLog+0x89
fffffa60`099ff320 fffffa60`00a5b36c fileinfo!FIStreamSetFileInfo+0x14c
fffffa60`099ff390 fffffa60`00a59c16 fileinfo!FIStreamGetInfo+0x17c
fffffa60`099ff410 fffffa60`00a0ff0c fileinfo!FIPostCreateCallback+0x17a
fffffa60`099ff490 fffffa60`00a0df5d fltmgr!FltpPerformPostCallbacks+0x31d
fffffa60`099ff560 fffffa60`00a2a26c fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x36d
fffffa60`099ff5d0 fffffa60`088a24f0 fltmgr!FltpCreate+0x25d
fffffa60`099ff680 00000000`00000801 AVGIDSFilter+0x54f0
fffffa60`099ff688 00000000`00000300 0x801
fffffa60`099ff690 fffffa80`08ec2940 0x300

*AVG* is listed at the bottom of the stack. So, am I right in saying that *AVG* caused it...? Please? :grin:


----------



## jcgriff2

DT Roberts said:


> Very interesting... I've never heard of *Blue Screen View* to be honest. I'm definitely more biased toward *WinDbg*; I've been using it since I started. But, yes, blaming *nt* is definitely misleading. It does put the information in a pretty nice interface, but it's not completely accurate.
> 
> *WinDbg* names *fileinfo.sys* as the probable cause, which is a driver that comes preloaded with the OS. I always look to the stack text for more information:
> 
> 
> Code:
> 
> 
> fffffa60`099fdf88 fffff800`020a33ee nt!KeBugCheckEx
> fffffa60`099fdf90 fffff800`020a2dbc nt!KiBugCheckDispatch+0x6e
> fffffa60`099fe0d0 fffff800`020b69cd nt!KiSystemServiceHandler+0x7c
> fffffa60`099fe110 fffff800`020bdfef nt!RtlpExecuteHandlerForException+0xd
> fffffa60`099fe140 fffff800`0207bda3 nt!RtlDispatchException+0x22f
> fffffa60`099fe830 fffff800`020a34a9 nt!KiDispatchException+0xc3
> fffffa60`099fee30 fffff800`020a22a5 nt!KiExceptionDispatch+0xa9
> fffffa60`099ff010 fffff800`0213bdb9 nt!KiPageFault+0x1e5
> fffffa60`099ff1a0 fffff800`021719b4 nt!PfFbLogEntryComplete+0x9
> fffffa60`099ff1d0 fffffa60`00a5b4f9 nt!PfFileInfoNotify+0x654
> fffffa60`099ff250 fffffa60`00a5bb2c fileinfo!FIStreamLog+0x89
> fffffa60`099ff320 fffffa60`00a5b36c fileinfo!FIStreamSetFileInfo+0x14c
> fffffa60`099ff390 fffffa60`00a59c16 fileinfo!FIStreamGetInfo+0x17c
> fffffa60`099ff410 fffffa60`00a0ff0c fileinfo!FIPostCreateCallback+0x17a
> fffffa60`099ff490 fffffa60`00a0df5d fltmgr!FltpPerformPostCallbacks+0x31d
> fffffa60`099ff560 fffffa60`00a2a26c fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x36d
> fffffa60`099ff5d0 fffffa60`088a24f0 fltmgr!FltpCreate+0x25d
> fffffa60`099ff680 00000000`00000801 AVGIDSFilter+0x54f0
> fffffa60`099ff688 00000000`00000300 0x801
> fffffa60`099ff690 fffffa80`08ec2940 0x300
> 
> *AVG* is listed at the bottom of the stack. So, am I right in saying that *AVG* caused it...? Please? :grin:

You got it, Devin!

The AVG driver *AVGIDSFilter.sys* is the culprit.

Nice!

John



----------



## pat mcgroin

I just wondered about the difference in your debug stack list and Devin's.
Can I assume that yours was shorthand?


----------



## jcgriff2

The stack from my attached log - post #1 -


Code:


STACK_TEXT:
fffffa60`099ff1a0 fffff800`021719b4 : 00000000`0000003f fffffa60`099ff280 00000000`00000001 00000000`00000000 : nt!PfFbLogEntryComplete+0x9
fffffa60`099ff1d0 fffffa60`00a5b4f9 : 00000000`00000000 fffff880`000e5d08 fffffa60`099ff358 fffffa80`0907ab60 : nt!PfFileInfoNotify+0x654
fffffa60`099ff250 fffffa60`00a5bb2c : fffffa80`074cb670 fffff880`08fd29f0 fffffa60`099ff430 fffffa60`099ff430 : fileinfo!FIStreamLog+0x89
fffffa60`099ff320 fffffa60`00a5b36c : fffff880`08fd29f0 00000000`00000000 fffffa60`099ff430 fffffa60`099ff430 : fileinfo!FIStreamSetFileInfo+0x14c
fffffa60`099ff390 fffffa60`00a59c16 : fffff100`15e10e67 00000000`00000001 00000000`00000000 00000000`00003bd2 : fileinfo!FIStreamGetInfo+0x17c
fffffa60`099ff410 fffffa60`00a0ff0c : fffffa80`04d647d8 fffffa60`099ff4d8 fffff880`08fd29f0 00000000`00000000 : fileinfo!FIPostCreateCallback+0x17a
fffffa60`099ff490 fffffa60`00a0df5d : fffffa80`04bdb030 fffffa80`04f87a20 fffffa80`07518910 fffffa80`07518b30 : fltmgr!FltpPerformPostCallbacks+0x31d
fffffa60`099ff560 fffffa60`00a2a26c : fffffa80`074cbde0 fffffa80`074cb670 fffffa80`04d64400 fffffa60`099ff620 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x36d
fffffa60`099ff5d0 fffffa60`088a24f0 : 00000000`00000801 00000000`00000300 fffffa80`08ec2940 00000000`00000000 : fltmgr!FltpCreate+0x25d
fffffa60`099ff680 00000000`00000801 : 00000000`00000300 fffffa80`08ec2940 00000000`00000000 00000000`00000000 : AVGIDSFilter+0x54f0
fffffa60`099ff688 00000000`00000300 : fffffa80`08ec2940 00000000`00000000 00000000`00000000 fffffa80`04d64820 : 0x801
fffffa60`099ff690 fffffa80`08ec2940 : 00000000`00000000 00000000`00000000 fffffa80`04d64820 00000000`00000005 : 0x300
fffffa60`099ff698 00000000`00000000 : 00000000`00000000 fffffa80`04d64820 00000000`00000005 fffffa80`08ec2940 : 0xfffffa80`08ec2940

SCROLL to the right in the code box above and you'll see the edited stack below as was displayed in my 1st post. I simply block-deleted several of the (hex #) columns except for the last -


Code:


STACK_TEXT:  (edited)
00000000`00000000 : nt!PfFbLogEntryComplet
fffffa80`0907ab60 : nt!PfFileInfoNotify+0x
fffffa60`099ff430 : fileinfo!FIStreamLog+0
fffffa60`099ff430 : fileinfo!FIStreamSetFi
00000000`00003bd2 : fileinfo!FIStreamGetIn
00000000`00000000 : fileinfo!FIPostCreateC
fffffa80`07518b30 : fltmgr!FltpPerformPost
fffffa60`099ff620 : fltmgr!FltpLegacyProce
00000000`00000000 : fltmgr!FltpCreate+0x25
00000000`00000000 : AVGIDSFilter+0x54f0
fffffa80`04d64820 : 0x801
00000000`00000005 : 0x300
fffffa80`08ec2940 : 0xfffffa80`08ec2940

Look for the *k* command in the debugger.chm help file. Usually, *kd* is used.

Regards. . .

John



----------



## DT Roberts

And, for a more simplified view without the memory addresses, use the *kc* command:


Code:


2: kd> kc
Call Site
nt!KeBugCheckEx
nt!KiBugCheckDispatch
nt!KiSystemServiceHandler
nt!RtlpExecuteHandlerForException
nt!RtlDispatchException
nt!KiDispatchException
nt!KiExceptionDispatch
nt!KiPageFault
nt!PfFbLogEntryComplete
nt!PfFileInfoNotify
fileinfo!FIStreamLog
fileinfo!FIStreamSetFileInfo
fileinfo!FIStreamGetInfo
fileinfo!FIPostCreateCallback
fltmgr!FltpPerformPostCallbacks
fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted
fltmgr!FltpCreate
AVGIDSFilter
0x0
0x0

There are TONS of switches for the *k* command (*k*, *kv*, *kv*, *kc*, *kn*, and so much more), all displaying different types and amounts of info. Go through sometime and find what you like best.


----------
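The stack reading done by hand in the posts above (skip past the Microsoft frames and look for the first third-party module), as an added example that is not part of the original thread. It accepts `k`, `kc` and STACK_TEXT layouts; the `MICROSOFT_MODULES` allow-list and all function names are assumptions made for this sketch, and the sample stack is the one quoted in the thread.

```python
import re
from typing import List, NamedTuple, Optional

# Assumption for this example: a short allow-list of modules that ship with
# Windows, limited to those named in this thread. Extend it for real triage.
MICROSOFT_MODULES = {"nt", "hal", "fileinfo", "fltmgr", "netio", "tcpip", "cdrom"}

ADDRESS_RE = re.compile(r"^[0-9a-fA-F]{8}(`[0-9a-fA-F]{8})?$")
RAW_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F`]+$")
# "module!Symbol+0x1c" with symbols loaded, bare "module+0x54f0" without.
CALL_SITE_RE = re.compile(
    r"^(?P<module>[A-Za-z_][\w.]*)(?:!(?P<symbol>[^+\s]+))?(?:\+[0-9A-Fa-fx]*)?$")


class Frame(NamedTuple):
    module: Optional[str]  # None when the call site is a raw address (0x801)
    symbol: Optional[str]
    call_site: str


def parse_stack(text: str) -> List[Frame]:
    """Parse k / kc / STACK_TEXT output; the most recent frame comes first."""
    frames = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        *columns, call_site = tokens
        # Columns left of the call site must be addresses or the ":" separator.
        # This drops prompts ("2: kd> kc") and headers ("Call Site").
        if not all(c == ":" or ADDRESS_RE.match(c) for c in columns):
            continue
        match = CALL_SITE_RE.match(call_site)
        if match:
            frames.append(Frame(match["module"], match["symbol"], call_site))
        elif RAW_ADDRESS_RE.match(call_site):
            frames.append(Frame(None, None, call_site))
    return frames


def module_chain(frames: List[Frame]) -> List[str]:
    """Modules in stack order with consecutive repeats collapsed."""
    chain: List[str] = []
    for frame in frames:
        if frame.module and (not chain or chain[-1] != frame.module):
            chain.append(frame.module)
    return chain


def first_third_party(frames: List[Frame], known=MICROSOFT_MODULES) -> Optional[Frame]:
    """First frame, walking from the crash toward older callers, that is not
    on the allow-list. A hit is a lead to check, not proof of the cause."""
    for frame in frames:
        if frame.module and frame.module.lower() not in known:
            return frame
    return None


# Stack text quoted in the thread (WinDbg k output).
THREAD_STACK = """
fffffa60`099fdf88 fffff800`020a33ee nt!KeBugCheckEx
fffffa60`099fdf90 fffff800`020a2dbc nt!KiBugCheckDispatch+0x6e
fffffa60`099fe0d0 fffff800`020b69cd nt!KiSystemServiceHandler+0x7c
fffffa60`099fe110 fffff800`020bdfef nt!RtlpExecuteHandlerForException+0xd
fffffa60`099fe140 fffff800`0207bda3 nt!RtlDispatchException+0x22f
fffffa60`099fe830 fffff800`020a34a9 nt!KiDispatchException+0xc3
fffffa60`099fee30 fffff800`020a22a5 nt!KiExceptionDispatch+0xa9
fffffa60`099ff010 fffff800`0213bdb9 nt!KiPageFault+0x1e5
fffffa60`099ff1a0 fffff800`021719b4 nt!PfFbLogEntryComplete+0x9
fffffa60`099ff1d0 fffffa60`00a5b4f9 nt!PfFileInfoNotify+0x654
fffffa60`099ff250 fffffa60`00a5bb2c fileinfo!FIStreamLog+0x89
fffffa60`099ff320 fffffa60`00a5b36c fileinfo!FIStreamSetFileInfo+0x14c
fffffa60`099ff390 fffffa60`00a59c16 fileinfo!FIStreamGetInfo+0x17c
fffffa60`099ff410 fffffa60`00a0ff0c fileinfo!FIPostCreateCallback+0x17a
fffffa60`099ff490 fffffa60`00a0df5d fltmgr!FltpPerformPostCallbacks+0x31d
fffffa60`099ff560 fffffa60`00a2a26c fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x36d
fffffa60`099ff5d0 fffffa60`088a24f0 fltmgr!FltpCreate+0x25d
fffffa60`099ff680 00000000`00000801 AVGIDSFilter+0x54f0
fffffa60`099ff688 00000000`00000300 0x801
fffffa60`099ff690 fffffa80`08ec2940 0x300
"""

if __name__ == "__main__":
    stack = parse_stack(THREAD_STACK)
    print("top of stack :", stack[0].module)
    print("module chain :", " -> ".join(module_chain(stack)))
    lead = first_third_party(stack)
    print("third party  :", lead.call_site if lead else "none on this stack")
```

An empty result does not clear third-party drivers; the next place to look is the loaded driver list.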



## pat mcgroin

I see what you guys are saying in both outputs.

What I looked at without running DBG was in John's first post and the text file that was used.
It may be a local problem for me as I can't reproduce it, even with copy and paste.

I see one line in the stack with no address references.
I have enclosed a txt file to see what I am talking about.


----------



## jcgriff2

From your attachment - edited for display purposes (I deleted most of the columns to the left) -


Code:


 fffffa60`099ff620 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x36d
 00000000`00000000 : fltmgr!FltpCreate+0x25d
 00000000`00000000 : AVGIDSFilter+0x54f0
 fffffa80`04d64820 : 0x801
 00000000`00000005 : 0x300
 fffffa80`08ec2940 : 0xfffffa80`08ec2940

*AVGIDSFilter* is the culprit as we now know.

As for the 0x801 & 0x300 - not sure of their meaning as we only have a mini kernel memory dump file to work with v. a full kernel dump.

0xfffffa80`08ec2940 = a memory address that is not identifiable. A full kernel dump may be able to tell us what the object is residing at that address; however, we may also need the page file to convert the address to/from virtual address/ physical memory address.

Regards. . .

JC

@ *DT Roberts* - Devin, thank you for further explaining the *k* command. Using *kc* would save me a step or two!


----------



## usasma

Sorry for being late to the party, but here's my 2¢ :0)

There isn't any tool that will always tell you what to fix with a BSOD. This is the reason we need analysts. 

For the simplest (so to speak) cases - when a BSOD blames NTOSKRNL.EXE, it just can't be that. If it was, the OS would have lots of other problems (other than just the occasional BSOD).

Add to this the Windows System File Checker's protection, and it makes the Windows files even less likely to be at fault. *BUT*, this doesn't completely rule them out - it just decreases the likelihood that Windows will be at fault.

I use BlueScreenView on all the dump files that I analyze.
Most often I'll find that it will pick up different files than WinDbg - and will list different drivers in the stack text.

Although I have no clue why it's listing what it does, I can't see just throwing the data out. So I remember the data while analyzing crash dumps. 

Quite often I don't need the results, but sometimes it'll clue me in to something that isn't obvious or that I'd miss otherwise. Most recently this was an issue with Kaspersky Internet Security that wasn't present in the WinDbg output.

*****************************************************************

The more time that you spend analyzing memory dump files, the more you'll realize that there's a lot more to learn!

Take a look around the web for people doing BSOD analysis. You'll find that there just aren't that many people using WinDbg in order to help out users with their BSOD's. 

I started out doing BSOD analysis by reading the descriptions of the BSOD's at http://aumha.org/a/stop.htm (it hasn't been updated since 2007, so I made up this table to be used instead: http://www.carrona.org/bsodindx.html ) and seeing what parts of the errors corresponded to what the user was describing. You can do a lot with just that information and a Google search. And that will help to improve your search skills - another essential tool in your arsenal.

The next step was to actually read the dump files using WinDbg (and to read up on other things like Debugging Techniques, Windows Internals, and programming). Then things start to become a bit clearer - but it's a lot of work (and it's where we lose a lot of people who aspire to analyze BSOD's). Also, there's a lot that you won't understand on the first read - so reread them all periodically. You'll be amazed at how much more you understand each time! I'm on my 3rd read-through of Windows Internals, 5th Edition and my 2nd read-through of Advanced Windows Debugging.

Again, don't just accept what the tools give you. Do research on the results to find out why these things happen. It's understanding the "why" of these things that makes a good analyst.


Finally, I really want to thank all of you for your dedication to helping others - and especially by doing it in this extremely difficult area. You show me (and others) the true spirit of the online communities - "Users helping users"


----------



## oliverk71

I would hardly appreciate a tool which tells me the actual cause of any bsod 
...especially as BluescreenView always tells me that ntoskrnl.exe is the cause.


----------



## jcgriff2

Not even Debugging Tools for Windows will provide you with an actual cause.... only the probable cause.

BlueScreenView does seem to favor blaming the NT Kernel for all, doesn't it?

The best beginner's tutorial for debugging authored by the great H2SO4 --> 

http://www.vistax64.com/tutorials/221510-crash-dumps-analyse-bugcheck-process.html

Regards. . .

jcgriff2



----------



## zigzag3143

Guys

Just wanted to say thanks for the most thorough description I have seen to date. Information like this helps people new to debugging. 

Ken


----------



## Cpt.JackSparrow

Kudos for the info John !! 

- Captain


----------



## ickymay

yes thnx guys it does slowly become clearer especially revisiting many of the excellent answers you have taken the care to publish and explain ray:


----------



## zigzag3143

Feels like old home week. Usamsa, jcgriff, dtroberts, ickmay, capt jack S, etc. Seems like we have moved en masse.

Ken


----------



## ickymay

zigzag3143 said:


> Feels like old home week. Usamsa, jcgriff, dtroberts, ickmay, capt jack S, etc. Seems like we have moved en masse.
> 
> Ken


no I just come here for a holiday, sit round a campfire and toast marshmallows while i watch jcgriff debug peoples .dmp files ray:

I exist on three forums :wink:


----------



## DT Roberts

ickymay said:


> no I just come here for a holiday, sit round a campfire and toast marshmallows while i watch jcgriff debug peoples .dmp files ray:
> 
> I exist on three forums :wink:


JC isn't alone on here! :upset: :laugh:


----------



## usasma

There just aren't that many people who help users with memory dumps.
There's also not much reward for doing it - so it takes a special kind of person to do this (relatively) thankless task.

Search for BSOD threads on the web - there's just not that many people who can use the Debugging Tools to analyze a dump file (to help a user - developers are another story). Right now it's probably limited to just those mentioned in this thread.

Thanks to all of you who devote your time to helping others!!!


----------



## pat mcgroin

ickymay said:


> yes thnx guys it does slowly become clearer especially revisiting many of the excellent answers you have taken the care to publish and explain ray:


Stick around...
It is getting to be more clear for myself,as well
We all learn from each other....


----------



## ickymay

I get a warm and cosy feeling being in the bluescreen team :heartlove


----------



## jcgriff2

Beware of FAKE BSODs - 

http://windows7forums.com/windows-7...p-files-dmp-saved-after-crash.html#post143462

EDIT: New URL - Where are dump files (.dmp) saved after crash ? - Windows Forums

They could be someone playing a joke on us, or being played themselves by another.

jcgriff2



----------



## jcgriff2

More interesting reading from the great H2SO4 of SevenForums -

More Debugger Trickery For The Interested

Enjoy !

jcgriff2



----------



## Cpt.JackSparrow

Yup H2SO4's debugging tricks are always really helpful and most of us follow them !! Thanks for reminding it again John !! 

- Captain


----------



## jcgriff2

*NT Kernel Symbol Errors*

Some analysis on the SYM errors re: NT - ntoskrnl.exe/ ntkrpamp.exe --> http://www.techsupportforum.com/2667350-post15.html

Note the timestamp for NT - ntoskrnl - *8 December 2009*

I'll have to check, but I believe it to be the same date that shows in Windows 7 systems w/ NT Kernel SYM errors

Note "*tcpip.sys - note AVG..?*" in one of the code boxes at end of post

From the *kd>* command line in Windbg -


Code:


!sym noisy    (shows which symbol files dbghelp is loading)

.reload

lmvm tcpip

Q. . . why does AVG show up under tcpip symbol file?

The OS = *Windows XP Kernel Version 2600 SP3 - Bugcheck = 0xf4 (0x3,,,)*

Comments appreciated.

John



----------



## zigzag3143

jcgriff2 said:


> More interesting reading from the great H2SO4 of SevenForums -
> 
> More Debugger Trickery For The Interested
> 
> Enjoy !
> 
> jcgriff2
> 
> .


Hey John

Unfortunately H2SO4 is no longer at seven forums and missed.


----------



## jcgriff2

Thank you.

H2SO4 is greatly missed.

John



----------



## Jonathan_King

Thanks John. I'm in the process of learning myself (as you know).


----------



## zigzag3143

Jonathan King said:


> Thanks John. I'm in the process of learning myself (as you know).


JK

Welcome. Glad you made it over.

Ken


----------



## jcgriff2


Windows Service Branch info - RTM, LDR, GDR + the infamous *8 December 2009* timestamp for ntoskrnl, ntkrnlmp, etc. . . causing all of the recent SYM errors (not found on MSDL SYM site) + tcpip, tcpipreg and others -

File info w/ timestamps & version numbers -

http://support.microsoft.com/default.aspx/kb/974145?p=1

http://support.microsoft.com/kb/977165

jcgriff2



----------



## DT Roberts

Good to know, thanks for posting.

I just wish my symbols worked more than half the time :sigh:


----------



## usasma

Nice find jcgriff2!!!

Thanks!!!


----------



## jcgriff2

Thanks, John.

It appears that the SYM error issues are over as the most recently processed Windows 7 x86 dumps in particular show no symbol errors. They have apparently been added to the MSDL site. I have not yet gone back to re-run prior dumps, though.

__________________________

A *0xd1* bugcheck mini kernel dump analysis in depth (actually 34 of them!) showing how the 4th parm (object referencing the memory address in parm #1) can be tied to a loaded driver. The 1st parm was not as easily ID'd to what I believe is the Realtek driver as it may be a physical memory address (v. virtual, or vice-versa) and a full kernel dump (w/ page file info) would be needed to do so. The page file contains the table for physical and virtual memory address conversions.

http://www.techsupportforum.com/f217/bsod-in-win7-and-realtek-ndis-474928.html#post2677840

jcgriff2



----------



## jcgriff2

Thanks to *Done_Fishin* - 

Acer FTP Driver Support site - Notebooks --> ftp://ftp.work.acer-euro.com/notebook/

Acer FTP main site, UK --> ftp://ftp.work.acer-euro.com

jcgriff2



----------



## Zappza

Hi!
Not sure if you patrol the Server board, I need some help debugging a memorydump there, would really appreciate it if you could take a look.

http://www.techsupportforum.com/f103/bsod-errors-occasionally-475493.html

Thanks!


----------



## usasma

posted reply to Server forums


----------



## jcgriff2

Information on commands and additional interesting and informative BSOD threads - 

Windbg commands that I find most useful - http://www.sevenforums.com/671427-post3.html



Code:


!analyze -v; kv; k; r; lmnt; lmntsm

!for_each_module .echo @#ModuleIndex : @#Base @#End @#ModuleName @#ImageName @#LoadedImageName

!for_each_module .echo @#ModuleName fver = @#FileVersion pver = @#ProductVersion


The first is the "usual" set of stringed commands that I use, including - 

*k* = stack text of given thread
*kv* = " " + frame pointer omission (FPO) information
*r* = registers (I don't usually use much, if any, info from this command)

*lmnt* -
-- *lm* = loaded driver listing
-- *n* = displays image name
-- *t* = displays timestamp info
-- *lmnt* displays the loaded driver list in order of memory addresses

*lmntsm* -
-- *lmnt* - see above
-- *sm* = sorts the display by module name instead of by the start address

*!for_each_module* - displays various info for each module, including current and previous version numbers

Informative threads --> http://www.techsupportforum.com/f217/solved-symantec-endpoint-11-0x7e-vista-x64-bsod-370804.html

John



----------



## DT Roberts

I've never played with *!for_each_module* before. I'll have to try it out. Thanks for sharing.


----------



## jcgriff2

jcgriff2 said:


> `
> 
> Windows Service Branch info - RTM, LDR, GDR + the infamous *8 December 2009* timestamp for ntoskrnl, ntkrnlmp, etc. . . causing all of the recent SYM errors (not found on MSDL SYM site) + tcpip, tcpipreg and others -
> 
> File info w/ timestamps & version numbers -
> 
> http://support.microsoft.com/default.aspx/kb/974145?p=1
> 
> http://support.microsoft.com/kb/977165
> 
> jcgriff2
> 
> .


It is now official... I went back and re-ran many old dumps that showed SYM errors - and they do not have symbol errors now.

Case in point - a post showing "before" (w/ SYM errors) and "after" - same dumps, but now no symbol errors.

http://www.techsupportforum.com/2680515-post8.html

jcgriff2



----------



## jcgriff2

NO MEMORY DUMP FILES BEING PRODUCED UPON BSOD? Please see --> http://www.techsupportforum.com/2687596-post2.html

jcgriff2



----------



## jcgriff2

0x9f (0x3,,,) "guesstimate" 

http://www.techsupportforum.com/f21...ailure-vista-sp2-bsod-478419.html#post2697838

jcgriff2



----------



## jcgriff2

Zone Alarm once again causing BSODs in a new Windows 7 system - 

http://www.techsupportforum.com/f217/solved-windows-7-asus-and-random-bsods-481541.html

Note that the Microsoft driver netio.sys is listed as the probable cause, not Zone Alarm. Z/A drivers can be found in the loaded driver listing. 

jcgriff2



----------



## TorrentG

Yeah, that does happen on systems as I've noted for years. It must be the hardware or configs it runs on because it has been perfection here for at least 5 years. Not one problem except when I had a beta long ago and that's to be expected. I have run many betas since and still, not a single problem besides the one time I mentioned.

Whenever you see a netio.sys error, that's ZA. haha


----------



## zigzag3143

They might as well put a symbol in windbg for ZAP instead of blaming netio.sys


----------



## jcgriff2

*Re: Windows 7 BSOD – DRIVER_POWER_STATE_FAILURE*


Interesting look at 0x9f bugcheck BSODs. System reports void of DVD drive, yet cdrom.sys listed in one dump as the probable cause. No 3rd party firewall present that I can find, a usual leading contender for 0x9f along with NIC & wifi drivers.

http://www.techsupportforum.com/f21...r_power_state_failure-485258.html#post2740048


¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨

Hi - 

The bugchecks on all 7 dumps total was as thread title states - *0x9f* = driver in an inconsistent power state. Looking at the 1st parm (inside parenthesis), a slight difference - 

(6) *0x9f (0x4,,,)* = The power transition timed out waiting to synchronize with the Pnp subsystem

(1) *0x9f (0x3,,,)* = driver blocking an IRP for too long a time

The first 6 named the NT Kernel as the probable cause (default of sorts). The 7th named cdrom.sys as p/c, which I find interesting because your system files do not indicate the presence of a DVD/ CD drive. Do you have a DVD drive? Did you, then remove it or disconnect it?

The stack from the *0x9f (0x4,,,)* - 


Code:


STACK_TEXT:

00000000`00000000 : nt!KiSwapContext+0x7a
00000000`00000000 : nt!KiCommitThreadWait+0x1d2
fffff800`0304cd00 : nt!KeWaitForSingleObject+0x19f
00000000`00000001 : nt!PnpDeviceCompletionQueueGetCompletedRequest+0x35
00000000`00000000 : nt!PnpDeviceCompletionProcessCompletedRequests+0x5e
fffff800`02ef9698 : nt!PipProcessDevNodeTree+0x378
00000000`00000000 : nt!PiProcessReenumeration+0x98
00000000`00000000 : nt!PnpDeviceActionWorker+0x327
fffffa80`03aed890 : nt!ExpWorkerThread+0x111
00000000`00000000 : nt!PspSystemThreadStartup+0x5a
00000000`00000000 : nt!KxStartSystemThread+0x16

This is the program line that failed -


Code:


Fault bucket X64_0x9F_4_nt!PnpDeviceCompletionQueueGetCompletedRequest+35, type 0

Separate the words and we see that a PnP device is involved - 


Code:


Pnp Device Completion Queue Get Completed Request

This tells us that resource contention exists, i.e., a "LOCK" - a thread has exclusive hold of an object, another needs it but will never get it; hence the BSODs -


Code:


WaitForSingleObject


This line from the stack -


Code:


DevNodeTree+

DevNode = An internal structure that represents a device on the system created by the PnP Manager when the device is configured 
Tree = path

A closer look at your MediaLink MWN-USB150N USB wifi -
Main page --> http://www.medialinkproducts.com/wirelessUSBAdapter.html
Data Sheet (PDF file) --> http://www.medialinkproducts.com/docs/MWN-USB150N_UG.pdf
Driver Setup (EXE file) --> see bottom-right of main page, next to 'Data Sheet'

Look at page 11 of the PDF. Are you using that screen for wifi configuration?

I found these start-up items. I believe the 1st is the p11 screen. What does #2 (Digital Line Detect) do? The 3rd appears to be from Dell, but how does the "datasafe" work, i.e., is it a back up app to server or external drive?


Code:


Medialink Utility	c:\program files (x86)\medialink\mwn-usb150n\ui.exe -s	
	HKU\S-1-5-21-3004775959-100996524-3952689435-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Digital Line Detect	dlg	1.0.0.2	3/1/2010 5:50 PM	
	Avanquest Software	c:\program files (x86)\digital line detect\dlg.exe

SftService	1.0.82.41	3/1/2010 5:54 PM	
	SoftThinks	c:\program files (x86)\dell datasafe local backup\sftservice.exe


The Dell Support page for your system shows an Atheros wifi, yet I do not see it anywhere in your system files. Did it come with Atheros wifi... and then removed so the USB wifi could be used?
Dell Inspiron 580s Support - drivers --> http://support.dell.com/support/dow...=INSP_DSKTP_580S&os=W764&osl=en&catid=&impid=

Note that it also shows firmware for a DVD drive.

As *TorrentG* mentioned, Conexant = soft56k modem - and is showing up as a serial port device. Have you ever used it? I don't know what this 2006 Conexant diagnostic interface driver is doing in a new Windows 7 system - 


Code:


mdmxsdk.sys  Mon Jun 19 17:27:26 2006 (449716BE)

The other driver updates as noted by TorrentG are important as well, but I would like to know more about the wifi and DVD drive first.

The system had its initial boot-up on 3 March 2010. The BSODs began suddenly and furiously on 30 April 2010. Check the Reliability Monitor for clues on 29 April & 30 April - 
START | type *perfmon /rel*

Regards. . .

jcgriff2


BSOD BUGCHECK SUMMARY


Code:


Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Sat May 22 14:57:14.720 2010 (GMT-4)
System Uptime: 0 days 0:51:02.280
BugCheck 1000009F, {4, 258, fffffa8003b65040, fffff80003dba510}
Probably caused by : ntkrnlmp.exe ( nt!KiSwapContext+7a )
BUGCHECK_STR:  0x9F
PROCESS_NAME:  System
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Sat May 22 12:15:15.098 2010 (GMT-4)
System Uptime: 0 days 2:15:24.284
BugCheck 1000009F, {4, 258, fffffa8003b62040, fffff80003db8510}
Probably caused by : ntkrnlmp.exe ( nt!KiSwapContext+7a )
BUGCHECK_STR:  0x9F
PROCESS_NAME:  System
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Wed May 19 18:15:34.872 2010 (GMT-4)
System Uptime: 0 days 9:32:43.059
BugCheck 1000009F, {4, 258, fffffa8003b65040, fffff80000b9c510}
Probably caused by : ntkrnlmp.exe ( nt!KiSwapContext+7a )
BUGCHECK_STR:  0x9F
PROCESS_NAME:  System
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Mon May 17 20:01:38.512 2010 (GMT-4)
System Uptime: 0 days 1:23:08.683
BugCheck 9F, {3, fffffa8004925060, fffff80003db5518, fffffa800715e010}
Probably caused by : cdrom.sys
BUGCHECK_STR:  0x9F
PROCESS_NAME:  System
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Tue May  4 17:39:45.648 2010 (GMT-4)
System Uptime: 0 days 8:55:55.819
BugCheck 1000009F, {4, 258, fffffa8003b65040, fffff80003db3510}
Probably caused by : ntkrnlmp.exe ( nt!KiSwapContext+7a )
BUGCHECK_STR:  0x9F
PROCESS_NAME:  System
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Fri Apr 30 19:15:23.491 2010 (GMT-4)
System Uptime: 0 days 4:27:37.052
BugCheck 1000009F, {4, 258, fffffa8003b64040, fffff80003db3510}
Probably caused by : ntkrnlmp.exe ( nt!KiSwapContext+7a )
BUGCHECK_STR:  0x9F
PROCESS_NAME:  System
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Fri Apr 30 14:04:49.002 2010 (GMT-4)
System Uptime: 0 days 5:36:57.562
BugCheck 1000009F, {4, 258, fffffa8003b62040, fffff80000b9c510}
Probably caused by : ntkrnlmp.exe ( nt!KiSwapContext+7a )
BUGCHECK_STR:  0x9F
PROCESS_NAME:  System
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
  
  
 by [color=navy]jcgriff2     
             
         J. C. Griffith, Microsoft MVP[/color]   
             
           [url=https://mvp.support.microsoft.com/profile/Griffith][color=#000055]https://mvp.support.microsoft.com/profile/Griffith[/color][/url]   
             
           [url=www.jcgriff2.com][color=#000055]www.jcgriff2.com[/color][/url] 


¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨


  [/font]



¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨


----------



## Jonathan_King

John, I am at a loss for words to describe how impressed I am with that post. The best word I can think of is astonishing.

Where's that rep button when I need it?


----------



## zigzag3143

John

I will second my learned colleague. An insightful, detailed post that I for one can learn from.


----------



## TorrentG

New WinDbg available as of today. See bottom for links to 32 or 64 bit:

http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

Edit: Actually, I think only the info on the download pages has been updated today.


----------



## usasma

It appears that Microsoft has had a change of heart - letting users install the Debugging Tools without having to download the entire Windows SDK (as was the case earlier this week).


----------



## pat mcgroin

Glad for that


----------



## TorrentG

Yes, I went through that whole download. It was over a gig just so I could have new Windbg lol.


----------



## usasma

FYI - if it happens again, just select "Run" rather than "Save" for the download.
Then, it'll ask which components you want to install - and you can clear all the checkmarks with the exception of the Debugging Tools. So it'll download a lot less and will go quicker.

Learned that little trick from Michael Morales when he used it to download just the Windows Performance Toolkit here: http://www.devproconnections.com/article/performance/diagnose-shutdown-problems-with-xbootmgr.aspx


----------



## Cpt.JackSparrow

*Re: Windows 7 BSOD – DRIVER_POWER_STATE_FAILURE*



jcgriff2 said:


> `
> 
> Interesting look at 0x9f bugcheck BSODs. System reports void of DVD drive, yet cdrom.sys listed in one dump as the probable cause. No 3rd party firewall present that I can find, a usual leading contender for 0x9f along with NIC & wifi drivers.


Great analysis John !! It's great to read your post; it always has something new to learn. Thanks for posting

- Captain


----------



## pat mcgroin

I like the Performance toolkit.
Thanks for that John, I had not seen that.


----------



## usasma

Thanks Pat!
FWIW - here's a link to my website that has what little I know about the Windows Performance Toolkit

http://www.carrona.org/xperf.html


----------



## usasma

Just for everyone's info, there's a BSOD at this link (STOP 0xCE: DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS) that has an unloaded driver in the stack text (and it's blamed for the crash) - http://www.techsupportforum.com/f217/blue-screens-489102.html#post2761419 .

I thought that it was unique enough to bring up here.



Code:


fffff880`088d1748 fffff880`01085f5b : 00000000`00000101 fffff880`088d1770 fffff8a0`08744b40 fffff8a0`08744c70 : <Unloaded_dump_ataport>+0x7204

Here's the BSOD summary:


Code:


Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Fri Jun 11 10:47:35.928 2010 (GMT-4)
System Uptime: 0 days 2:00:26.473
BugCheck CE, {fffff8800107b204, 8, fffff8800107b204, 0}
Probably caused by : dump_ataport ( dump_ataport>+7204 )
BUGCHECK_STR:  0xCE
PROCESS_NAME:  firefox.exe


----------



## jcgriff2

usasma said:


> http://www.techsupportforum.com/f217/blue-screens-489102.html#post2761419





Code:


Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Sat Jun 12 09:54:11.457 2010 (GMT-4)
System Uptime: 0 days 2:01:24.002
BugCheck 1E, {0, 0, 0, 0}
Probably caused by : USBPORT.SYS ( USBPORT!USBPORT_Core_GetIoRequestFromObject+14 )
BUGCHECK_STR:  0x1E
PROCESS_NAME:  System
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Fri Jun 11 10:47:35.928 2010 (GMT-4)
System Uptime: 0 days 2:00:26.473
BugCheck CE, {fffff8800107b204, 8, fffff8800107b204, 0}
Probably caused by : dump_ataport ( dump_ataport>+7204 )
BUGCHECK_STR:  0xCE
PROCESS_NAME:  firefox.exe


That is an interesting one.

The 1st & 3rd parms contain identical memory addresses in the 0xce crash - 
parm 3 is the memory address of the object that referenced parm 1; 0x8 in parm 2 = execution... 

I don't think I've ever seen dump_ataport.sys named p/c before, let alone unloaded.

Both crashes, different bugchecks occur 2 hours after boot-up.

Thanks John!

John

.


----------



## usasma

FYI - changes to v6.12.2.633 of the Windows Debugging Tools (in particular it affects STOP 0x9F and 0xFE):


> This is the current version of Debugging Tools for Windows and is available in the Windows Driver Kit (WDK). This release of Debugging Tools for Windows contains many bug fixes and new enhancements. The debuggers are stable and more reliable than previous releases and we recommend that you upgrade to this version.
> 
> Here are some of the key changes in this version of Debugging Tools for Windows:
> 
> 1. Several bug fixes in extensions to only use public symbols
> 
> 2. General BugCheck Analysis Updates including:
> • Bug Check 0x9F Update – Added logic to diagnose bugcheck 0x9F minidumps using new data in Windows 7 added to the 0x9F minidumps by the Kernel and Networking Teams.
> Data includes:
> - All Kernel ExWorkerThreads that process Power IRPs
> - IRPs Associated with any ExWorkerThread
> - IRPs Associated with PnP Completion Queue
> - All Kernel Power IRPs
> - Device Stacks for all IRPS
> - NT_TRIAGE_POWER Structure
> - NT_TRIAGE_PNP structure
> • BugCheck 0xFE Update - Add logic to diagnose bugcheck 0xFE minidumps using new to Windows 7 callback data added by the USB team.
> 
> 3. Fixed user-mode minidump generation problem.
> 
> 4. Fixed buffer overrun in schannel transport.
> 
> 5. Fixed several kernel debugger transport issues.
> 
> 6. Fixed problem with debugger reporting incorrect FPO information.
> 
> 7. Allowed stack dumps deeper than 65535 if specified explicitly.
> 
> 8. Changed ".outmask /a" and ".outmask /d" to be set only instead of or/xor.
> 
> 9. The old ADPlus.vbs is being replaced by ADPlus.exe which requires the .Net Framework 2.0. For those cases where the .Net Framework isn't available we are still shipping the older version renamed to adplus_old.vbs. For detailed documentation of the new ADPlus.exe as well as for its new companion ADPlusManager.exe please see adplus.doc located in the same folder as adplus.exe.
> 
> Additional details on some of these features can be found in the debugger documentation (debugger.chm). To open this documentation, use Start --> Debugging Tools for Windows --> Debugging Help.


Found here: http://www.microsoft.com/whdc/devtools/debugging/whatsnew.mspx#

FYI - I found this out from ttran over at SevenForums via PM referencing his STOP 0x9F error ( http://www.sevenforums.com/crashes-debugging/90182-bsod-again-what-hell-going.html#post777353 )

v6.12 gives:


> FAILURE_BUCKET_ID: 0x9F_3_NETw5s32_IMAGE_pci.sys
> BUCKET_ID: 0x9F_3_NETw5s32_IMAGE_pci.sys


v6.11 gives:


> FAILURE_BUCKET_ID: 0x9F_IMAGE_NETw5s32.sys
> BUCKET_ID: 0x9F_IMAGE_NETw5s32.sys


I have verified this by updating my version of the Debugging Tools - but I had to get .NET v4 before it'd let me get WinDbg v6.12

Updating is a pain, but I'd advise it because of these changes.


----------



## usasma

Hi John!

Yep, this is most likely a hardware issue - the OP had 3 other memory dumps with 3 different errors.

Nothing significant attached to USB (Mouse and microphone) - so I'm starting to think memory - either RAM or video memory.


----------



## jcgriff2

usasma said:


> FYI - changes to v6.12.2.633 of the Windows Debugging Tools (in particular it affects STOP 0x9F and 0xFE):
> 
> 
> 
> This is the current version of Debugging Tools for Windows and is available in the Windows Driver Kit (WDK). This release of Debugging Tools for Windows contains many bug fixes and new enhancements. The debuggers are stable and more reliable than previous releases and we recommend that you upgrade to this version.
> 
> Here are some of the key changes in this version of Debugging Tools for Windows:
> 
> 1. Several bug fixes in extensions to only use public symbols
> 
> 2. General BugCheck Analysis Updates including:
> • Bug Check 0x9F Update – Added logic to diagnose bugcheck 0x9F minidumps using new data in Windows 7 added to the 0x9F minidumps by the Kernel and Networking Teams.
> Data includes:
> - All Kernel ExWorkerThreads that process Power IRPs
> - IRPs Associated with any ExWorkerThread
> - IRPs Associated with PnP Completion Queue
> - All Kernel Power IRPs
> - Device Stacks for all IRPS
> - NT_TRIAGE_POWER Structure
> - NT_TRIAGE_PNP structure
> • BugCheck 0xFE Update - Add logic to diagnose bugcheck 0xFE minidumps using new to Windows 7 callback data added by the USB team.
> 
> 3. Fixed user-mode minidump generation problem.
> 
> 4. Fixed buffer overrun in schannel transport.
> 
> 5. Fixed several kernel debugger transport issues.
> 
> 6. Fixed problem with debugger reporting incorrect FPO information.
> 
> 7. Allowed stack dumps deeper than 65535 if specified explicitly.
> 
> 8. Changed ".outmask /a" and ".outmask /d" to be set only instead of or/xor.
> 
> 9. The old ADPlus.vbs is being replaced by ADPlus.exe which requires the .Net Framework 2.0. For those cases where the .Net Framework isn't available we are still shipping the older version renamed to adplus_old.vbs. For detailed documentation of the new ADPlus.exe as well as for its new companion ADPlusManager.exe please see adplus.doc located in the same folder as adplus.exe.
> 
> Additional details on some of these features can be found in the debugger documentation (debugger.chm). To open this documentation, use Start --> Debugging Tools for Windows --> Debugging Help.
> 
> 
> 
> Found here: http://www.microsoft.com/whdc/devtools/debugging/whatsnew.mspx#
> 
> FYI - I found this out from ttran over at SevenForums via PM referencing his STOP 0x9F error ( http://www.sevenforums.com/crashes-debugging/90182-bsod-again-what-hell-going.html#post777353 )
> 
> v6.12 gives:
> 
> 
> 
> FAILURE_BUCKET_ID: 0x9F_3_NETw5s32_IMAGE_pci.sys
> BUCKET_ID: 0x9F_3_NETw5s32_IMAGE_pci.sys
> 
> 
> v6.11 gives:
> 
> 
> 
> FAILURE_BUCKET_ID: 0x9F_IMAGE_NETw5s32.sys
> BUCKET_ID: 0x9F_IMAGE_NETw5s32.sys
> 
> 
> I have verified this by updating my version of the Debugging Tools - but I had to get .NET v4 before it'd let me get WinDbg v6.12
> 
> Updating is a pain, but I'd advise it because of these changes.

Excellent analysis, John.

I agree with you - updating to Windbg v6.12 is worth the time - especially after seeing the additional info provided for parm 1 of the *0x9f* bugcheck BSODs. I'll get started with .NET v4 update later today!

Thank you for your valuable time spent on this.

John

.


----------



## reventon

This OP has 4 BSODs - all *0x9F*'s

I haven't got round to installing v6.12 of Windbg yet... when you run the 4 dumps does it mention a different driver (specifically *ASACPI.sys* which was present but not blamed by v6.11)?

http://www.techsupportforum.com/f217/win7-x64-many-bsods-489940.html#post2763377


----------



## Jonathan_King

I just installed the latest version. Either I'm doing it wrong, or it's a royal PITA. First I had to install the .net framework, then the SDK, and finally windbg through that.

Isn't there a direct installer instead for 4.12?


----------



## usasma

No direct installer for the latest version - I thought there was one (based on TorrentG's post) - but I was mistaken.

You'll want .NET 4 anyway - so it's OK to install it.
When installing the SDK, use Internet Explorer and select Run rather than Save (I couldn't figure a way to do it with Firefox). Then you can just select the Debugging Tools for installation.


----------



## bigalster

I tried this tool in an effort to find out what is causing my ACER laptop to bluescreen and this is what it created. Perhaps someone can assist in suggesting a "fix". Is it my drivers that are corrupted? I am not sure how to interpret what the report is saying?
Thanks to all. bigalster

Created by using BlueScreenView


Code:


Dump File  Crash Time  Bug Check String  Bug Check Code  Parameter 1  Parameter 2  Parameter 3  Parameter 4  Caused By Driver  Caused By Address  File Description  Product Name  Company  File Version  Processor  Computer Name  Full Path  Processors Count  Major Version  Minor Version  
Mini062010-01.dmp  20/06/2010 11:16:54 AM  CRITICAL_OBJECT_TERMINATION  0x000000f4  0x00000003  0x87859568  0x878596b4  0x81eaa730  ntkrnlpa.exe  ntkrnlpa.exe+d8781  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini062010-01.dmp  2  15  6000  
Mini061910-03.dmp  19/06/2010 2:24:21 PM  NTFS_FILE_SYSTEM  0x00000024  0x001904ab  0x9b1dba50  0x9b1db74c  0x81b4b797  Ntfs.sys  Ntfs.sys+8c797  NT File System Driver  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.16386 (vista_rtm.061101-2205)  32-bit     C:\Windows\Minidump\Mini061910-03.dmp  2  15  6000  
Mini061910-02.dmp  19/06/2010 1:50:35 PM  CRITICAL_OBJECT_TERMINATION  0x000000f4  0x00000003  0x85fda800  0x85fda94c  0x81eaa730  ntkrnlpa.exe  ntkrnlpa.exe+d8781  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini061910-02.dmp  2  15  6000  
Mini061910-01.dmp  19/06/2010 1:33:57 PM  IRQL_NOT_LESS_OR_EQUAL  0x0000000a  0x00020005  0x0000001b  0x00000001  0x81cbb165  Ntfs.sys  Ntfs.sys+185ac  NT File System Driver  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.16386 (vista_rtm.061101-2205)  32-bit     C:\Windows\Minidump\Mini061910-01.dmp  2  15  6000  
Mini061310-01.dmp  13/06/2010 12:44:04 AM  MEMORY_MANAGEMENT  0x0000001a  0x00005010  0xc0801000  0x00038dfb  0x0715e100  ntkrnlpa.exe  ntkrnlpa.exe+2b7d2  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini061310-01.dmp  2  15  6000  
Mini061010-01.dmp  10/06/2010 12:36:50 AM  MEMORY_MANAGEMENT  0x0000001a  0x00041284  0x1291f001  0x0000fcbf  0xc0801000  ntkrnlpa.exe  ntkrnlpa.exe+d8781  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini061010-01.dmp  2  15  6000  
Mini053010-01.dmp  30/05/2010 11:19:12 AM  MEMORY_MANAGEMENT  0x0000001a  0x00041289  0x35c05001  0x00043b10  0x3e719121  ntkrnlpa.exe  ntkrnlpa.exe+d8781  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini053010-01.dmp  2  15  6000  
Mini052510-01.dmp  25/05/2010 10:31:04 PM  IRQL_NOT_LESS_OR_EQUAL  0x0000000a  0x90dd851b  0x00000000  0x00000000  0x81cb6b2d  ntkrnlpa.exe  ntkrnlpa.exe+8fe14  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini052510-01.dmp  2  15  6000  
Mini041510-01.dmp  15/04/2010 12:21:37 AM  IRQL_NOT_LESS_OR_EQUAL  0x0000000a  0x0000006c  0x0000001b  0x00000001  0x818b3809  ntkrnlpa.exe  ntkrnlpa.exe+8fe14  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini041510-01.dmp  2  15  6000  
Mini041110-01.dmp  11/04/2010 7:58:17 AM  MEMORY_MANAGEMENT  0x0000001a  0x00000030  0x85f4ea50  0x93d65000  0x9af29060  ntkrnlpa.exe  ntkrnlpa.exe+d8781  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini041110-01.dmp  2  15  6000  
Mini040910-01.dmp  09/04/2010 10:27:04 PM  MEMORY_MANAGEMENT  0x0000001a  0x00041289  0x25401001  0x0001db42  0x1db411d6  ntkrnlpa.exe  ntkrnlpa.exe+d8781  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini040910-01.dmp  2  15  6000  
Mini040310-01.dmp  03/04/2010 10:50:52 PM  PAGE_FAULT_IN_NONPAGED_AREA  0x00000050  0x9e8a8923  0x00000000  0x818b6a9f  0x00000002  ntkrnlpa.exe  ntkrnlpa.exe+a9ff2  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini040310-01.dmp  2  15  6000  
Mini032510-01.dmp  25/03/2010 3:19:16 PM  PAGE_FAULT_IN_NONPAGED_AREA  0x00000050  0xba96e603  0x00000000  0x818b6a9f  0x00000002  ntkrnlpa.exe  ntkrnlpa.exe+a9ff2  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini032510-01.dmp  2  15  6000  
Mini032110-01.dmp  21/03/2010 12:22:20 PM  IRQL_NOT_LESS_OR_EQUAL  0x0000000a  0x9e9a97e3  0x00000000  0x00000000  0x818b6a9f  ntkrnlpa.exe  ntkrnlpa.exe+8fe14  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini032110-01.dmp  2  15  6000  
Mini031810-03.dmp  18/03/2010 3:25:37 PM  MEMORY_MANAGEMENT  0x0000001a  0x00041790  0xc0801728  0x0000ffff  0x00000000  ntkrnlpa.exe  ntkrnlpa.exe+4047e  NT Kernel & System  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.17021 (vista_gdr.100218-0019)  32-bit     C:\Windows\Minidump\Mini031810-03.dmp  2  15  6000  
Mini031810-02.dmp  18/03/2010 3:21:35 PM  PAGE_FAULT_IN_NONPAGED_AREA  0x00000050  0x9c2ef890  0x00000001  0x818e88d9  0x00000000  fltmgr.sys  fltmgr.sys+28c5  Microsoft Filesystem Filter Manager  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.16386 (vista_rtm.061101-2205)  32-bit     C:\Windows\Minidump\Mini031810-02.dmp  2  15  6000  
Mini031810-01.dmp  18/03/2010 2:50:22 PM  NTFS_FILE_SYSTEM  0x00000024  0x001904ab  0x88423a7c  0x88423778  0x8185e688  Ntfs.sys  Ntfs.sys+d6f0  NT File System Driver  Microsoft® Windows® Operating System  Microsoft Corporation  6.0.6000.16386 (vista_rtm.061101-2205)  32-bit     C:\Windows\Minidump\Mini031810-01.dmp  2  15  6000


----------



## reventon

Hi *bigalster*,

We do not use BlueScreenView (or WhoCrashed) ourselves - see this post at the start of this thread for why.

However we will be more than happy to take a look at your problem - simply *follow these instructions* and create a new thread in this forum.

Regards,
Reventon


----------



## Cosmin.Alexe

Hello I am new here and I am having some problems with my computer
I'm running windows 7 ultimate on a Core2Duo E6420 ;1 GB of RAM DDR2; Nvidia 8600 GT 256 MB VRAM ; Asus P5B Deluxe WiFi AP SOLO Edition motherboard.

I keep getting BSOD's mostly based on the: 

-DRIVER_IRQL_NOT_LESS_OR_EQUAL 
-ATTEMPTED_WRITE_TO_READONLY_MEMORY errors. 

I have attached a .rar file containing my minidumps, please help me I really need my computer to work.
Thanks in advance


----------



## Jonathan_King

Cosmin.Alexe said:


> Hello I am new here and I am having some problems with my computer
> I'm running windows 7 ultimate on a Core2Duo E6420 ;1 GB of RAM DDR2; Nvidia 8600 GT 256 MB VRAM ; Asus P5B Deluxe WiFi AP SOLO Edition motherboard.
> 
> I keep getting BSOD's mostly based on the:
> 
> -DRIVER_IRQL_NOT_LESS_OR_EQUAL
> -ATTEMPTED_WRITE_TO_READONLY_MEMORY errors.
> 
> I have attached a .rar file containing my minidumps, please help me I really need my computer to work.
> Thanks in advance


Please start your own thread, following these instructions: http://www.techsupportforum.com/f217/blue-screen-of-death-bsod-posting-instructions-452654.html


----------



## usasma

Interesting command that I found (works for *NTStatus and WIN32 errors*):



Code:


!error <error message here>

For example:


Code:


!error 0xc0000005

gives this output:


Code:


0: kd> !error 0xc0000005
Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

*To freshen/speed up the symbol resolution:*
*.reload /f* - plan to wait for a long time. All the symbols will get pulled down over the network to a local on disk cache.
*.reload /u* (to unload the current symbols)
*.reload /s* (to reload the kernel symbols)

I keep the interesting symbol stuff here: http://www.carrona.org/debugcmd.html

I did a lot on the plane rides during my vacation and I'll be adding more stuff on debugging different scenarios. Unfortunately, it's written for user mode debugging for developers - but I believe that it can be applied to kernel mode debugging for non-developers. 

I'll start with stack/heap corruptions and the different uses of other commands to isolate/identify if the corruption exists - and how to attempt to debug it. This will include a bit of stuff on unassembling instructions, so a bit of knowledge about how the stack works will be necessary. Foundations of Practical Debugging by Vostokov explains this briefly and is probably all that's necessary for the detail that I'll include (and I don't understand much about it myself).


----------



## Cpt.JackSparrow

usasma said:


> Interesting command that I found (works for *NTStatus and WIN32 errors*):
> 
> 
> 
> Code:
> 
> 
> !error <error message here>
> 
> For example:
> 
> 
> Code:
> 
> 
> !error 0xc0000005
> 
> gives this output:
> 
> 
> Code:
> 
> 
> 0: kd> !error 0xc0000005
> Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
> 
> *To freshen/speed up the symbol resolution:*
> *.reload /f* - plan to wait for a long time. All the symbols will get pulled down over the network to a local on disk cache.
> *.reload /u* (to unload the current symbols)
> *.reload /s* (to reload the kernel symbols)
> 
> I keep the interesting symbol stuff here: http://www.carrona.org/debugcmd.html
> 
> I did a lot on the plane rides during my vacation and I'll be adding more stuff on debugging different scenarios. Unfortunately, it's written for user mode debugging for developers - but I believe that it can be applied to kernel mode debugging for non-developers.
> 
> I'll start with stack/heap corruptions and the different uses of other commands to isolate/identify if the corruption exists - and how to attempt to debug it. This will include a bit of stuff on unassembling instructions, so a bit of knowledge about how the stack works will be necessary. Foundations of Practical Debugging by Vostokov explains this briefly and is probably all that's necessary for the detail that I'll include (and I don't understand much about it myself).


Thanks John !!


----------



## zigzag3143

Nice Post John thanks for the info.


----------



## usasma

Another interesting post: http://www.techsupportforum.com/f217/bsod-bellevue-wa-7-10-10-a-496665.html#post2799676

From reviewing the BSOD summary you can see that Virtual Box networking might be implicated - but not much else.

Reviewing the dump files one-by-one you come upon this (example from 070410-32713-01.dmp): 


> FAILURE_BUCKET_ID: X64_0x9F_3_athrx_IMAGE_pci.sys


Although it states that pci.sys is to blame, it's clear that athrx.sys is associated with this error.


----------



## jcgriff2

I agree - Atheros involved somehow. 

Thanks for the info, John. Hopefully, OP will follow all your suggestions to isolate this further.


----------



## usasma

Another series of STOP 0x9F dumps where the new version of the debugger appears to save the day: http://www.techsupportforum.com/f21...s-massive-help-needed-496974.html#post2803099



> FAILURE_BUCKET_ID: X64_0x9F_3_SiSG664_IMAGE_pci.sys


SiSG664.sys is a component of the NDIS 6.0 Miniport Driver for SiS191/SiS190 Ethernet Device

It pays to review the entire dump file line by line - that way you won't miss these entries (and others).


----------



## reventon

I ran one of those *0x9F* dumps in the v6.11 debugger.

The result:


> FAILURE_BUCKET_ID: X64_0x9F_IMAGE_SiSG664.sys


If anything, I think the newer debugger is the one behind the times here!


----------



## usasma

Very interesting! I wonder how useful this is going to be - as the documentation touts the advantages of the additional IRP checking in Win7. If it doesn't give us any extra info - what good is it to us?


----------



## jcgriff2

I have seen same results between the two. Debugging Tools for Windows is geared toward driver developers, not those of us processing 3rd party post-mortem dumps. I wonder if there are more noticeable differences in full kernel dumps v. mini kernels, not that that would be a big help to us either, 99.9% of the time.


----------



## reventon

It seems like sometimes the situation is vice-versa.

*v6.11*


Code:


FAILURE_BUCKET_ID:  X64_0x9F_IMAGE_disk.sys

*v6.12*


Code:


FAILURE_BUCKET_ID:  X64_0x9F_3_disk_IMAGE_o2sdgx64.sys

From: http://www.techsupportforum.com/f108/toshiba-bsod-0x9f-help-497098.html#post2803338


----------
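Added example (not code from any poster in this thread): a small Python parser for the `FAILURE_BUCKET_ID` strings quoted in the posts above, listing every driver name a bucket carries and what v6.12 adds over v6.11 for the same dump. The grammar is inferred from the strings on this page, reading the token after the bugcheck code as parm 1 is an assumption, and `INBOX` is a constructed, non-exhaustive list of Microsoft drivers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shapes inferred from the bucket strings quoted in this thread (an assumption,
# not a documented grammar):
#   [X64_]0x<code>_IMAGE_<image>                     (seen from v6.11)
#   [X64_]0x<code>_<parm1>_<driver>_IMAGE_<image>    (seen from v6.12 for 0x9F)
#   [X64_]0x<code>_<module>!<symbol>+<offset>
IMAGE_RE = re.compile(
    r"^(?:(?P<arch>X64)_)?0x(?P<code>[0-9A-Fa-f]+)"
    r"(?:_(?P<parm1>[0-9A-Fa-f]+)_(?P<driver>.+?))?"
    r"_IMAGE_(?P<image>.+)$"
)
SYMBOL_RE = re.compile(
    r"^(?:(?P<arch>X64)_)?0x(?P<code>[0-9A-Fa-f]+)_(?P<module>[^!]+)!(?P<symbol>.+)$"
)

# Constructed, non-exhaustive: Microsoft drivers that appear in this thread's buckets.
INBOX = {"pci", "disk", "ntfs"}


@dataclass(frozen=True)
class Bucket:
    arch: Optional[str]
    bugcheck: int
    parm1: Optional[int]     # token after the bugcheck code, read here as parm 1
    driver: Optional[str]    # name placed before _IMAGE_, or the module of a symbol
    image: Optional[str]     # name placed after _IMAGE_
    symbol: Optional[str]    # module!function+offset form, when present


def _base(name: str) -> str:
    """Lower-case a module name and drop a trailing .sys for comparison."""
    name = name.lower()
    return name[:-4] if name.endswith(".sys") else name


def parse_bucket(line: str) -> Bucket:
    """Parse a bucket string, with or without its 'FAILURE_BUCKET_ID:' label."""
    text = line.split(":", 1)[-1].strip()
    m = IMAGE_RE.match(text)
    if m:
        parm1 = int(m["parm1"], 16) if m["parm1"] else None
        return Bucket(m["arch"], int(m["code"], 16), parm1,
                      m["driver"], m["image"], None)
    m = SYMBOL_RE.match(text)
    if m:
        return Bucket(m["arch"], int(m["code"], 16), None, m["module"], None,
                      f'{m["module"]}!{m["symbol"]}')
    raise ValueError(f"unrecognised bucket string: {text!r}")


def names(b: Bucket) -> List[str]:
    """Every driver name the bucket mentions, in order of appearance."""
    out: List[str] = []
    for n in (b.driver, b.image):
        if n and _base(n) not in out:
            out.append(_base(n))
    return out


def suspects(b: Bucket) -> List[str]:
    """Names left after setting aside the Microsoft drivers in INBOX."""
    return [n for n in names(b) if n not in INBOX]


def debugger_delta(old: str, new: str) -> Tuple[List[str], List[str]]:
    """Names only the older debugger gave, and names only the newer one gave."""
    a, b = names(parse_bucket(old)), names(parse_bucket(new))
    return [n for n in a if n not in b], [n for n in b if n not in a]


# (v6.11, v6.12) bucket pairs quoted in the thread.
PAIRS = [
    ("0x9F_IMAGE_NETw5s32.sys", "0x9F_3_NETw5s32_IMAGE_pci.sys"),
    ("X64_0x9F_IMAGE_SiSG664.sys", "X64_0x9F_3_SiSG664_IMAGE_pci.sys"),
    ("X64_0x9F_IMAGE_disk.sys", "X64_0x9F_3_disk_IMAGE_o2sdgx64.sys"),
]

if __name__ == "__main__":
    for old, new in PAIRS:
        print(new, "->", suspects(parse_bucket(new)), debugger_delta(old, new))
```

For the first two pairs v6.12 contributes only `pci`, while for the Toshiba dump it surfaces `o2sdgx64`, a name the v6.11 bucket never mentioned.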



## jcgriff2

Interesting info in a dump today.

BSOD dump timestamp = 13 January 2010

Some Windows 7 OS drivers have timestamps newer than 13 Jan 2010, such as the Win32 subsystem driver, win32k.sys and the NT Kernel & Executive.



Code:


ntkrnlmp.exe Sat Feb 27 02:55:23 2010 (4B88CFEB)
win32k.sys   Sat May 01 11:06:30 2010 (4BDC4376)

Same with AVG drivers -


Code:


avgldx64.sys Thu Jun 03 17:06:48 2010 (4C081968)
avgmfx64.sys Sun Apr 25 17:06:15 2010 (4BD4AEC7)
avgtdia.sys  Thu Jun 03 17:09:57 2010 (4C081A25)


SYM path used was the MSDL server site; version of Windbg = v6.11.0001.404



Code:


[FONT=Lucida Console]
Opened log file 'C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\_99-dbug.txt'

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\011210-29920-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02417000 PsLoadedModuleList = 0xfffff800`02654e50
Debug session time: Wed Jan 13 01:01:21.991 2010 (GMT-4)
System Uptime: 0 days 0:00:43.849
Loading Kernel Symbols
...............................................................
................................................................
..................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1904fb, fffff880093e66f8, fffff880093e5f60, fffff800024ad687}

Probably caused by : Ntfs.sys ( Ntfs!NtfsCreateFcb+211 )

Followup: MachineOwner
---------

1: kd> !analyze -v;r;kv;lmtn;lmtsmn;.bugcheck;.logclose;q
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
    If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
    parameters are the exception record and context record. Do a .cxr
    on the 3rd parameter and then kb to obtain a more informative stack
    trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff880093e66f8
Arg3: fffff880093e5f60
Arg4: fffff800024ad687

Debugging Details:
------------------


EXCEPTION_RECORD:  fffff880093e66f8 -- (.exr 0xfffff880093e66f8)
.exr 0xfffff880093e66f8
ExceptionAddress: fffff800024ad687 (nt!RtlInsertElementGenericTableFullAvl+0x0000000000000097)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

CONTEXT:  fffff880093e5f60 -- (.cxr 0xfffff880093e5f60)
.cxr 0xfffff880093e5f60
rax=0000000000000000 rbx=fffff8a000f39c90 rcx=0000000000000000
rdx=0000000000000001 rsi=fffffa800467b640 rdi=0000000000000000
rip=fffff800024ad687 rsp=fffff880093e6930 rbp=0000000000000000
 r8=fffff8a0010bb1c0  r9=00000000ffffffff r10=fffffa800365f148
r11=0000000000000001 r12=fffff8a000fdda94 r13=0000000000000010
r14=fffff880093e69f0 r15=0000000000000001
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
nt!RtlInsertElementGenericTableFullAvl+0x97:
fffff800`024ad687 4c394008        cmp     qword ptr [rax+8],r8 ds:002b:00000000`00000008=????????????????
.cxr
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  avgchsva.exe

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000008

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800026bf0e0
 0000000000000008 

FOLLOWUP_IP: 
Ntfs!NtfsCreateFcb+211
fffff880`012c27c9 41830c2440      or      dword ptr [r12],40h

FAULTING_IP: 
nt!RtlInsertElementGenericTableFullAvl+97
fffff800`024ad687 4c394008        cmp     qword ptr [rax+8],r8

BUGCHECK_STR:  0x24

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from fffff880012c27c9 to fffff800024ad687

STACK_TEXT:  
fffff880`093e6930 fffff880`012c27c9 : 00000000`00000000 fffffa80`068166c0 fffffa80`067e06e0 fffff8a0`00fdda90 : nt!RtlInsertElementGenericTableFullAvl+0x97
fffff880`093e6970 fffff880`0137c492 : fffffa80`067e06e0 fffffa80`0467b180 fffffa80`067e06e0 00010000`00006475 : Ntfs!NtfsCreateFcb+0x211
fffff880`093e6a50 fffff880`012b3b91 : fffffa80`067e06e0 fffffa80`068166c0 00000000`00000000 00010000`00006475 : Ntfs!NtfsOpenFcbById+0x362
fffff880`093e6b50 fffff880`0121bc0d : fffffa80`067e06e0 fffffa80`068166c0 fffff880`092c7490 00000000`00000000 : Ntfs!NtfsCommonCreate+0x1cdf
fffff880`093e6d30 fffff800`0247f487 : fffff880`092c7400 00000000`00000000 00000000`00000000 00000000`00000000 : Ntfs!NtfsCommonCreateCallout+0x1d
fffff880`093e6d60 fffff800`0247f441 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KySwitchKernelStackCallout+0x27
fffff880`092c72d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSwitchKernelStackContinue


SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  Ntfs!NtfsCreateFcb+211

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME:  Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc14f

STACK_COMMAND:  .cxr 0xfffff880093e5f60 ; kb

FAILURE_BUCKET_ID:  X64_0x24_Ntfs!NtfsCreateFcb+211

BUCKET_ID:  X64_0x24_Ntfs!NtfsCreateFcb+211

Followup: MachineOwner
---------

rax=fffff800024ad687 rbx=00000000c0000005 rcx=0000000000000024
rdx=00000000001904fb rsi=fffff880093e57e0 rdi=fffffa80067e06e0
rip=fffff80002487600 rsp=fffff880093e5738 rbp=00000000c00000d8
 r8=fffff880093e66f8  r9=fffff880093e5f60 r10=fffffa800379f000
r11=fffffa800379f564 r12=fffff88001256d2c r13=0000000000011c0d
r14=fffff8800120a000 r15=fffff880093e66f8
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
nt!KeBugCheckEx:
fffff800`02487600 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff880`093e5740=0000000000000024
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`093e5738 fffff880`0122b3d8 : 00000000`00000024 00000000`001904fb fffff880`093e66f8 fffff880`093e5f60 : nt!KeBugCheckEx
fffff880`093e5740 fffff880`0120e487 : fffff880`01256d38 fffff880`093e6d30 fffff880`093e6d30 fffff800`02639300 : Ntfs! ?? ::FNODOBFM::`string'+0x2cc9
fffff880`093e5780 fffff800`024b5bdc : 00000000`00000000 fffff8a0`00001a10 00000000`00000200 00000000`00000000 : Ntfs! ?? ::FNODOBFM::`string'+0xfc8
fffff880`093e57b0 fffff800`024ad2ed : fffff880`01256d2c fffff880`093e6d30 00000000`00000000 fffff880`0120a000 : nt!_C_specific_handler+0x8c
fffff880`093e5820 fffff800`024b4950 : fffff880`01256d2c fffff880`093e5898 fffff880`093e66f8 fffff880`0120a000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`093e5850 fffff800`024c18df : fffff880`093e66f8 fffff880`093e5f60 fffff880`00000000 00000000`00000000 : nt!RtlDispatchException+0x410
fffff880`093e5f30 fffff800`02486c42 : fffff880`093e66f8 fffff8a0`00f39c90 fffff880`093e67a0 fffffa80`0467b640 : nt!KiDispatchException+0x16f
fffff880`093e65c0 fffff800`024857ba : 00000000`00000000 fffff8a0`00f39c90 00000000`00000700 00000000`00000050 : nt!KiExceptionDispatch+0xc2
fffff880`093e67a0 fffff800`024ad687 : fffff880`00000001 00000000`00000000 fffff880`093e6a80 00000000`000007ff : nt!KiPageFault+0x23a (TrapFrame @ fffff880`093e67a0)
fffff880`093e6930 fffff880`012c27c9 : 00000000`00000000 fffffa80`068166c0 fffffa80`067e06e0 fffff8a0`00fdda90 : nt!RtlInsertElementGenericTableFullAvl+0x97
fffff880`093e6970 fffff880`0137c492 : fffffa80`067e06e0 fffffa80`0467b180 fffffa80`067e06e0 00010000`00006475 : Ntfs!NtfsCreateFcb+0x211
fffff880`093e6a50 fffff880`012b3b91 : fffffa80`067e06e0 fffffa80`068166c0 00000000`00000000 00010000`00006475 : Ntfs!NtfsOpenFcbById+0x362
fffff880`093e6b50 fffff880`0121bc0d : fffffa80`067e06e0 fffffa80`068166c0 fffff880`092c7490 00000000`00000000 : Ntfs!NtfsCommonCreate+0x1cdf
fffff880`093e6d30 fffff800`0247f487 : fffff880`092c7400 00000000`00000000 00000000`00000000 00000000`00000000 : Ntfs!NtfsCommonCreateCallout+0x1d
fffff880`093e6d60 fffff800`0247f441 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KySwitchKernelStackCallout+0x27 (TrapFrame @ fffff880`093e6c20)
fffff880`092c72d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSwitchKernelStackContinue
start             end                 module name
fffff800`022cf000 fffff800`022d9000   kdcom    kdcom.dll    Mon Jul 13 21:31:07 2009 (4A5BDFDB)
fffff800`02417000 fffff800`029f3000   nt       ntkrnlmp.exe Sat Feb 27 02:55:23 2010 (4B88CFEB)
fffff800`029f3000 fffff800`02a3c000   hal      hal.dll      Mon Jul 13 21:27:36 2009 (4A5BDF08)
fffff880`00c08000 fffff880`00c15000   mcupdate_AuthenticAMD mcupdate_AuthenticAMD.dll Mon Jul 13 21:29:09 2009 (4A5BDF65)
fffff880`00c15000 fffff880`00c29000   PSHED    PSHED.dll    Mon Jul 13 21:32:23 2009 (4A5BE027)
fffff880`00c29000 fffff880`00c87000   CLFS     CLFS.SYS     Mon Jul 13 19:19:57 2009 (4A5BC11D)
fffff880`00c87000 fffff880`00d47000   CI       CI.dll       Mon Jul 13 21:32:13 2009 (4A5BE01D)
fffff880`00d47000 fffff880`00deb000   Wdf01000 Wdf01000.sys Mon Jul 13 19:22:07 2009 (4A5BC19F)
fffff880`00deb000 fffff880`00dfa000   WDFLDR   WDFLDR.SYS   Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`00e00000 fffff880`00e10000   PCIIDEX  PCIIDEX.SYS  Mon Jul 13 19:19:48 2009 (4A5BC114)
fffff880`00e10000 fffff880`00e2a000   mountmgr mountmgr.sys Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`00e2a000 fffff880`00e33000   atapi    atapi.sys    Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`00e33000 fffff880`00e5d000   ataport  ataport.SYS  Mon Jul 13 19:19:52 2009 (4A5BC118)
fffff880`00e5d000 fffff880`00e68000   amdxata  amdxata.sys  Tue May 19 13:56:59 2009 (4A12F2EB)
fffff880`00e68000 fffff880`00eb4000   fltmgr   fltmgr.sys   Mon Jul 13 19:19:59 2009 (4A5BC11F)
fffff880`00ec6000 fffff880`00f1d000   ACPI     ACPI.sys     Mon Jul 13 19:19:34 2009 (4A5BC106)
fffff880`00f1d000 fffff880`00f26000   WMILIB   WMILIB.SYS   Mon Jul 13 19:19:51 2009 (4A5BC117)
fffff880`00f26000 fffff880`00f30000   msisadrv msisadrv.sys Mon Jul 13 19:19:26 2009 (4A5BC0FE)
fffff880`00f30000 fffff880`00f63000   pci      pci.sys      Mon Jul 13 19:19:51 2009 (4A5BC117)
fffff880`00f63000 fffff880`00f70000   vdrvroot vdrvroot.sys Mon Jul 13 20:01:31 2009 (4A5BCADB)
fffff880`00f70000 fffff880`00f85000   partmgr  partmgr.sys  Mon Jul 13 19:19:58 2009 (4A5BC11E)
fffff880`00f85000 fffff880`00f9a000   volmgr   volmgr.sys   Mon Jul 13 19:19:57 2009 (4A5BC11D)
fffff880`00f9a000 fffff880`00ff6000   volmgrx  volmgrx.sys  Mon Jul 13 19:20:33 2009 (4A5BC141)
fffff880`00ff6000 fffff880`00ffd000   pciide   pciide.sys   Mon Jul 13 19:19:49 2009 (4A5BC115)
fffff880`01000000 fffff880`0104a000   fwpkclnt fwpkclnt.sys Mon Jul 13 19:21:08 2009 (4A5BC164)
fffff880`0104a000 fffff880`01096000   volsnap  volsnap.sys  Mon Jul 13 19:20:08 2009 (4A5BC128)
fffff880`01096000 fffff880`010d0000   fvevol   fvevol.sys   Fri Sep 25 22:34:26 2009 (4ABD7DB2)
fffff880`010ef000 fffff880`01103000   fileinfo fileinfo.sys Mon Jul 13 19:34:25 2009 (4A5BC481)
fffff880`01103000 fffff880`01161000   msrpc    msrpc.sys    Mon Jul 13 19:21:32 2009 (4A5BC17C)
fffff880`01161000 fffff880`011d4000   cng      cng.sys      Mon Jul 13 19:49:40 2009 (4A5BC814)
fffff880`011d4000 fffff880`011f8000   rasl2tp  rasl2tp.sys  Mon Jul 13 20:10:11 2009 (4A5BCCE3)
fffff880`0120a000 fffff880`013ad000   Ntfs     Ntfs.sys     Mon Jul 13 19:20:47 2009 (4A5BC14F)
fffff880`013ad000 fffff880`013c7000   ksecdd   ksecdd.sys   Mon Jul 13 19:20:54 2009 (4A5BC156)
fffff880`013c7000 fffff880`013d8000   pcw      pcw.sys      Mon Jul 13 19:19:27 2009 (4A5BC0FF)
fffff880`013d8000 fffff880`013e2000   Fs_Rec   Fs_Rec.sys   Mon Jul 13 19:19:45 2009 (4A5BC111)
fffff880`01400000 fffff880`01460000   NETIO    NETIO.SYS    Mon Jul 13 19:21:46 2009 (4A5BC18A)
fffff880`01460000 fffff880`0148b000   ksecpkg  ksecpkg.sys  Fri Dec 11 01:03:32 2009 (4B21E0B4)
fffff880`0148b000 fffff880`01493000   spldr    spldr.sys    Mon May 11 12:56:27 2009 (4A0858BB)
fffff880`01493000 fffff880`0149a000   speedfan speedfan.sys Sun Sep 24 09:26:48 2006 (45168798)
fffff880`0149a000 fffff880`014ac000   mup      mup.sys      Mon Jul 13 19:23:45 2009 (4A5BC201)
fffff880`014ac000 fffff880`014b5000   hwpolicy hwpolicy.sys Mon Jul 13 19:19:22 2009 (4A5BC0FA)
fffff880`014b5000 fffff880`014cb000   disk     disk.sys     Mon Jul 13 19:19:57 2009 (4A5BC11D)
fffff880`014cf000 fffff880`015c1000   ndis     ndis.sys     Mon Jul 13 19:21:40 2009 (4A5BC184)
fffff880`015c1000 fffff880`015fb000   rdyboost rdyboost.sys Mon Jul 13 19:34:34 2009 (4A5BC48A)
fffff880`01603000 fffff880`01800000   tcpip    tcpip.sys    Mon Jul 13 19:25:34 2009 (4A5BC26E)
fffff880`01800000 fffff880`01851000   avgtdia  avgtdia.sys  Thu Jun 03 17:09:57 2010 (4C081A25)
fffff880`01851000 fffff880`01896000   netbt    netbt.sys    Mon Jul 13 19:21:28 2009 (4A5BC178)
fffff880`018b0000 fffff880`018e0000   CLASSPNP CLASSPNP.SYS Mon Jul 13 19:19:58 2009 (4A5BC11E)
fffff880`018e0000 fffff880`018e8000   AtiPcie  AtiPcie.sys  Tue May 05 11:00:22 2009 (4A005486)
fffff880`0191e000 fffff880`01948000   cdrom    cdrom.sys    Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`01948000 fffff880`01951000   Null     Null.SYS     Mon Jul 13 19:19:37 2009 (4A5BC109)
fffff880`01951000 fffff880`01958000   Beep     Beep.SYS     Mon Jul 13 20:00:13 2009 (4A5BCA8D)
fffff880`01958000 fffff880`01966000   vga      vga.sys      Mon Jul 13 19:38:47 2009 (4A5BC587)
fffff880`01966000 fffff880`0198b000   VIDEOPRT VIDEOPRT.SYS Mon Jul 13 19:38:51 2009 (4A5BC58B)
fffff880`0198b000 fffff880`0199b000   watchdog watchdog.sys Mon Jul 13 19:37:35 2009 (4A5BC53F)
fffff880`0199b000 fffff880`019a4000   RDPCDD   RDPCDD.sys   Mon Jul 13 20:16:34 2009 (4A5BCE62)
fffff880`019a4000 fffff880`019ad000   rdpencdd rdpencdd.sys Mon Jul 13 20:16:34 2009 (4A5BCE62)
fffff880`019ad000 fffff880`019b6000   rdprefmp rdprefmp.sys Mon Jul 13 20:16:35 2009 (4A5BCE63)
fffff880`019b6000 fffff880`019c1000   Msfs     Msfs.SYS     Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`019c1000 fffff880`019d2000   Npfs     Npfs.SYS     Mon Jul 13 19:19:48 2009 (4A5BC114)
fffff880`019d2000 fffff880`019f0000   tdx      tdx.sys      Mon Jul 13 19:21:15 2009 (4A5BC16B)
fffff880`019f0000 fffff880`019fd000   TDI      TDI.SYS      Mon Jul 13 19:21:18 2009 (4A5BC16E)
fffff880`02a00000 fffff880`02a24000   HDAudBus HDAudBus.sys Mon Jul 13 20:06:13 2009 (4A5BCBF5)
fffff880`02a24000 fffff880`02a30000   serenum  serenum.sys  Mon Jul 13 20:00:33 2009 (4A5BCAA1)
fffff880`02a30000 fffff880`02a39000   wmiacpi  wmiacpi.sys  Mon Jul 13 19:31:02 2009 (4A5BC3B6)
fffff880`02a39000 fffff880`02a49000   CompositeBus CompositeBus.sys Mon Jul 13 20:00:33 2009 (4A5BCAA1)
fffff880`02a49000 fffff880`02a5f000   AgileVpn AgileVpn.sys Mon Jul 13 20:10:24 2009 (4A5BCCF0)
fffff880`02a66000 fffff880`02aad000   avgldx64 avgldx64.sys Thu Jun 03 17:06:48 2010 (4C081968)
fffff880`02aad000 fffff880`02ad3000   tunnel   tunnel.sys   Mon Jul 13 20:09:37 2009 (4A5BCCC1)
fffff880`02ad3000 fffff880`02ae8000   amdppm   amdppm.sys   Mon Jul 13 19:19:25 2009 (4A5BC0FD)
fffff880`02ae8000 fffff880`02b27000   Rt64win7 Rt64win7.sys Thu Aug 20 12:05:06 2009 (4A8D7432)
fffff880`02b27000 fffff880`02b65000   1394ohci 1394ohci.sys Mon Jul 13 20:07:12 2009 (4A5BCC30)
fffff880`02b65000 fffff880`02b72000   GEARAspiWDM GEARAspiWDM.sys Mon May 18 08:17:04 2009 (4A1151C0)
fffff880`02b72000 fffff880`02b7d000   usbohci  usbohci.sys  Mon Jul 13 20:06:30 2009 (4A5BCC06)
fffff880`02b7d000 fffff880`02bd3000   USBPORT  USBPORT.SYS  Mon Jul 13 20:06:31 2009 (4A5BCC07)
fffff880`02bd3000 fffff880`02be4000   usbehci  usbehci.sys  Mon Jul 13 20:06:30 2009 (4A5BCC06)
fffff880`02be4000 fffff880`02bf0000   ndistapi ndistapi.sys Mon Jul 13 20:10:00 2009 (4A5BCCD8)
fffff880`06e00000 fffff880`06e51000   rdbss    rdbss.sys    Mon Jul 13 19:24:09 2009 (4A5BC219)
fffff880`06e51000 fffff880`06e5d000   nsiproxy nsiproxy.sys Mon Jul 13 19:21:02 2009 (4A5BC15E)
fffff880`06e5d000 fffff880`06e68000   mssmbios mssmbios.sys Mon Jul 13 19:31:10 2009 (4A5BC3BE)
fffff880`06e68000 fffff880`06e77000   discache discache.sys Mon Jul 13 19:37:18 2009 (4A5BC52E)
fffff880`06e84000 fffff880`06f0e000   afd      afd.sys      Mon Jul 13 19:21:40 2009 (4A5BC184)
fffff880`06f0e000 fffff880`06f17000   wfplwf   wfplwf.sys   Mon Jul 13 20:09:26 2009 (4A5BCCB6)
fffff880`06f17000 fffff880`06f3d000   pacer    pacer.sys    Mon Jul 13 20:09:41 2009 (4A5BCCC5)
fffff880`06f3d000 fffff880`06f4c000   netbios  netbios.sys  Mon Jul 13 20:09:26 2009 (4A5BCCB6)
fffff880`06f4c000 fffff880`06f69000   serial   serial.sys   Mon Jul 13 20:00:40 2009 (4A5BCAA8)
fffff880`06f69000 fffff880`06f84000   wanarp   wanarp.sys   Mon Jul 13 20:10:21 2009 (4A5BCCED)
fffff880`06f84000 fffff880`06f98000   termdd   termdd.sys   Mon Jul 13 20:16:36 2009 (4A5BCE64)
fffff880`06f98000 fffff880`06fb1000   SCDEmu   SCDEmu.SYS   Mon Jul 07 03:58:16 2008 (4871CC98)
fffff880`06fb1000 fffff880`06fcf000   dfsc     dfsc.sys     Mon Jul 13 19:23:44 2009 (4A5BC200)
fffff880`06fcf000 fffff880`06fe0000   blbdrive blbdrive.sys Mon Jul 13 19:35:59 2009 (4A5BC4DF)
fffff880`06fe0000 fffff880`06fe7080   avgmfx64 avgmfx64.sys Sun Apr 25 17:06:15 2010 (4BD4AEC7)
fffff880`07200000 fffff880`07218000   rspndr   rspndr.sys   Mon Jul 13 20:08:50 2009 (4A5BCC92)
fffff880`07226000 fffff880`07255000   ndiswan  ndiswan.sys  Mon Jul 13 20:10:11 2009 (4A5BCCE3)
fffff880`07255000 fffff880`07270000   raspppoe raspppoe.sys Mon Jul 13 20:10:17 2009 (4A5BCCE9)
fffff880`07270000 fffff880`07291000   raspptp  raspptp.sys  Mon Jul 13 20:10:18 2009 (4A5BCCEA)
fffff880`07291000 fffff880`072ab000   rassstp  rassstp.sys  Mon Jul 13 20:10:25 2009 (4A5BCCF1)
fffff880`072ab000 fffff880`072bf380   pcouffin pcouffin.sys Tue Dec 05 09:39:30 2006 (457584A2)
fffff880`072c0000 fffff880`072cf000   kbdclass kbdclass.sys Mon Jul 13 19:19:50 2009 (4A5BC116)
fffff880`072cf000 fffff880`072de000   mouclass mouclass.sys Mon Jul 13 19:19:50 2009 (4A5BC116)
fffff880`072de000 fffff880`072df480   swenum   swenum.sys   Mon Jul 13 20:00:18 2009 (4A5BCA92)
fffff880`072e0000 fffff880`07323000   ks       ks.sys       Mon Jul 13 20:00:31 2009 (4A5BCA9F)
fffff880`07323000 fffff880`07367000   MarvinBus64 MarvinBus64.sys Fri Sep 23 17:17:03 2005 (433470CF)
fffff880`07367000 fffff880`07379000   umbus    umbus.sys    Mon Jul 13 20:06:56 2009 (4A5BCC20)
fffff880`07379000 fffff880`073d3000   usbhub   usbhub.sys   Mon Jul 13 20:07:09 2009 (4A5BCC2D)
fffff880`073d3000 fffff880`073e8000   NDProxy  NDProxy.SYS  Mon Jul 13 20:10:05 2009 (4A5BCCDD)
fffff880`073e8000 fffff880`073fd000   lltdio   lltdio.sys   Mon Jul 13 20:08:50 2009 (4A5BCC92)
fffff880`08c01000 fffff880`08de9f00   RTKVHD64 RTKVHD64.sys Tue Oct 06 06:51:17 2009 (4ACB2125)
fffff880`08dea000 fffff880`08dfe000   LMouFilt LMouFilt.Sys Wed Jun 17 12:49:43 2009 (4A391EA7)
fffff880`08e00000 fffff880`08e0d000   mouhid   mouhid.sys   Mon Jul 13 20:00:20 2009 (4A5BCA94)
fffff880`08e1e000 fffff880`08e5b000   portcls  portcls.sys  Mon Jul 13 20:06:27 2009 (4A5BCC03)
fffff880`08e5b000 fffff880`08e7d000   drmk     drmk.sys     Mon Jul 13 21:01:25 2009 (4A5BD8E5)
fffff880`08e7d000 fffff880`08e82200   ksthunk  ksthunk.sys  Mon Jul 13 20:00:19 2009 (4A5BCA93)
fffff880`08e83000 fffff880`08e8f000   Dxapi    Dxapi.sys    Mon Jul 13 19:38:28 2009 (4A5BC574)
fffff880`08e8f000 fffff880`08ee3000   udfs     udfs.sys     Mon Jul 13 19:23:37 2009 (4A5BC1F9)
fffff880`08ee3000 fffff880`08f00000   usbccgp  usbccgp.sys  Mon Jul 13 20:06:45 2009 (4A5BCC15)
fffff880`08f00000 fffff880`08f01f00   USBD     USBD.SYS     Mon Jul 13 20:06:23 2009 (4A5BCBFF)
fffff880`08f02000 fffff880`08f10000   hidusb   hidusb.sys   Mon Jul 13 20:06:22 2009 (4A5BCBFE)
fffff880`08f10000 fffff880`08f29000   HIDCLASS HIDCLASS.SYS Mon Jul 13 20:06:21 2009 (4A5BCBFD)
fffff880`08f29000 fffff880`08f31080   HIDPARSE HIDPARSE.SYS Mon Jul 13 20:06:17 2009 (4A5BCBF9)
fffff880`08f32000 fffff880`08f40000   kbdhid   kbdhid.sys   Mon Jul 13 20:00:20 2009 (4A5BCA94)
fffff880`08f40000 fffff880`08f4e000   crashdmp crashdmp.sys Mon Jul 13 20:01:01 2009 (4A5BCABD)
fffff880`08f4e000 fffff880`08f5a000   dump_dumpata dump_dumpata.sys Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`08f5a000 fffff880`08f63000   dump_atapi dump_atapi.sys Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`08f63000 fffff880`08f76000   dump_dumpfve dump_dumpfve.sys Mon Jul 13 19:21:51 2009 (4A5BC18F)
fffff880`08f76000 fffff880`08f91000   USBSTOR  USBSTOR.SYS  Mon Jul 13 20:06:34 2009 (4A5BCC0A)
fffff880`08f91000 fffff880`08fb4000   luafv    luafv.sys    Mon Jul 13 19:26:13 2009 (4A5BC295)
fffff880`08fb4000 fffff880`08fd5000   WudfPf   WudfPf.sys   Mon Jul 13 20:05:37 2009 (4A5BCBD1)
fffff880`08fd5000 fffff880`08fe5000   LUsbFilt LUsbFilt.Sys Wed Jun 17 12:49:46 2009 (4A391EAA)
fffff880`08fe5000 fffff880`08ff8000   LHidFilt LHidFilt.Sys Wed Jun 17 12:49:39 2009 (4A391EA3)
fffff880`09c1d000 fffff880`09ce5000   HTTP     HTTP.sys     Mon Jul 13 19:22:16 2009 (4A5BC1A8)
fffff880`09ce5000 fffff880`09d03000   bowser   bowser.sys   Mon Jul 13 19:23:50 2009 (4A5BC206)
fffff880`09d03000 fffff880`09d1b000   mpsdrv   mpsdrv.sys   Mon Jul 13 20:08:25 2009 (4A5BCC79)
fffff880`09d1b000 fffff880`09d48000   mrxsmb   mrxsmb.sys   Sat Feb 27 02:52:19 2010 (4B88CF33)
fffff880`09d48000 fffff880`09d96000   mrxsmb10 mrxsmb10.sys Sat Feb 27 02:52:28 2010 (4B88CF3C)
fffff880`09d96000 fffff880`09db9000   mrxsmb20 mrxsmb20.sys Sat Feb 27 02:52:26 2010 (4B88CF3A)
fffff880`0a000000 fffff880`0a069000   srv2     srv2.sys     Mon Jul 13 19:25:02 2009 (4A5BC24E)
fffff880`0a0af000 fffff880`0a155000   peauth   peauth.sys   Mon Jul 13 21:01:19 2009 (4A5BD8DF)
fffff880`0a155000 fffff880`0a160000   secdrv   secdrv.SYS   Wed Sep 13 09:18:38 2006 (4508052E)
fffff880`0a160000 fffff880`0a18d000   srvnet   srvnet.sys   Tue Dec 08 03:32:26 2009 (4B1E0F1A)
fffff880`0a18d000 fffff880`0a19f000   tcpipreg tcpipreg.sys Mon Jul 13 20:09:49 2009 (4A5BCCCD)
fffff880`0a283000 fffff880`0a31b000   srv      srv.sys      Tue Dec 08 03:32:55 2009 (4B1E0F37)
fffff960`00080000 fffff960`0038f000   win32k   win32k.sys   Sat May 01 11:06:30 2010 (4BDC4376)
fffff960`00510000 fffff960`0052e000   dxg      dxg.sys      Mon Jul 13 19:38:28 2009 (4A5BC574)
fffff960`00760000 fffff960`0076a000   TSDDD    TSDDD.dll    Mon Jul 13 20:16:34 2009 (4A5BCE62)
fffff960`00810000 fffff960`00819000   framebuf framebuf.dll unavailable (00000000)

Unloaded modules:
fffff880`018e8000 fffff880`018f6000   crashdmp.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
fffff880`018f6000 fffff880`01902000   dump_ataport
    Timestamp: unavailable (00000000)
    Checksum:  00000000
fffff880`01902000 fffff880`0190b000   dump_atapi.s
    Timestamp: unavailable (00000000)
    Checksum:  00000000
fffff880`0190b000 fffff880`0191e000   dump_dumpfve
    Timestamp: unavailable (00000000)
    Checksum:  00000000
Bugcheck code 00000024
Arguments 00000000`001904fb fffff880`093e66f8 fffff880`093e5f60 fffff800`024ad687
Closing open log file C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\_99-dbug.txt



[/FONT]


----------



## jcgriff2

No mini kernel dumps found in attachments, but files show the presence of a single full kernel dump.

WERCON was able to provide several clues - 

http://www.techsupportforum.com/2846926-post4.html

John



----------



## wolfen1086

Maybe it's just me, but since I reinstalled Vista to replace a non-working XP, I've only had the BSOD twice. Both times it was after Windows Update, and it only lasted between 1 and 3 seconds until Windows started rebooting. Also, both times it said Windows was unexpectedly shut down; this of course was after I clicked restart now after an update LOL


----------



## jcgriff2

Comprehensive BSOD thread with many BSOD analysts' replies - 

http://www.techsupportforum.com/f21...system-bsod-vista-x64-410748.html#post2325127

John



----------



## jcgriff2


Microsoft kb286350 --> How to use ADPlus to troubleshoot "hangs" and "crashes"

Microsoft kb308538 -> Dr. Watson

Happy Hunting !

John



----------



## jcgriff2

Came upon a SOLVED XP BSOD thread from April 2008 - while I was trying to learn about BSODs. Extremely detailed and long thread, but interesting with the twists & turns - 

http://www.techsupportforum.com/f10/solved-blue-screen-of-death-237404.html

John



----------



## Jonathan_King

Thanks John, good read!


----------



## jcgriff2

Additional Daemon Tools/ Alcohol 120 drivers have been found - other than *sptd.sys*, a known cause of BSODs - 



Code:


sptd.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
sprj.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
spuu.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
spyy.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
spex.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
spcz.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
spqz.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
spjw.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
spko.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
splr.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120


http://www.techsupportforum.com/2876596-post2.html

http://jcgriff2.com/0x1/DaemonTools_Alcohol120_drivers_09-02-2010_.html

John



----------
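Added example (not part of the original posts and not jcgriff2's own tooling): a Python script that scans `lm`-style module listings for the Daemon Tools/Alcohol 120 drivers listed above, matching on the listed names and on the shared link timestamp 4AD24632, so a sibling loaded under a name that is not on the list is still flagged for this build. The sample listing is constructed; its load addresses for the sp*.sys entries and the name `spzz.sys` are assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Driver names and the shared link timestamp, both taken from the list in the post above.
LISTED_NAMES = {
    "sptd.sys", "sprj.sys", "spuu.sys", "spyy.sys", "spex.sys",
    "spcz.sys", "spqz.sys", "spjw.sys", "spko.sys", "splr.sys",
}
LISTED_STAMP = 0x4AD24632

MONTHS = {m: i + 1 for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split())}

# One loaded-module row: start end module image  Day Mon DD HH:MM:SS YYYY (HEXSTAMP)
LM_LINE = re.compile(
    r"^\s*[0-9a-f`]+\s+[0-9a-f`]+\s+(?P<module>\S+)\s+(?P<image>\S+)\s+"
    r"(?P<printed>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"\((?P<stamp>[0-9A-Fa-f]{8})\)\s*$"
)


def link_time_utc(stamp):
    """The hex value is the PE link time in seconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def parse_printed(text):
    """Parse the debugger's printed date without depending on the locale."""
    _dow, mon, day, clock, year = text.split()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), hh, mm, ss)


def parse_lm(text):
    """Return one dict per loaded-module row; unloaded-module rows
    (no date, 'Timestamp: unavailable') do not match and are skipped."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line)
        if m:
            modules.append({
                "module": m.group("module"),
                "image": m.group("image"),
                "stamp": int(m.group("stamp"), 16),
                "printed": parse_printed(m.group("printed")),
            })
    return modules


def printed_offset_hours(mod):
    """Offset between the printed date (analyst's local time) and the UTC link time."""
    utc_naive = link_time_utc(mod["stamp"]).replace(tzinfo=None)
    return (mod["printed"] - utc_naive).total_seconds() / 3600


def flag_sptd_family(modules):
    """Flag rows that match the listed names, the listed timestamp, or both."""
    hits = []
    for mod in modules:
        by_name = mod["image"].lower() in LISTED_NAMES
        by_stamp = mod["stamp"] == LISTED_STAMP
        if by_name and by_stamp:
            reason = "name+timestamp"
        elif by_stamp:
            reason = "timestamp only"   # same build under an unlisted name
        elif by_name:
            reason = "name only"        # listed name, different build
        else:
            continue
        hits.append((mod["image"], reason))
    return hits


# Constructed sample. The tcpip.sys and crashdmp.sys rows are copied from the
# listing earlier on this page; the sp*.sys rows use made-up load addresses,
# and spzz.sys is a hypothetical name that is not in the post's list.
SAMPLE_LM = """\
fffff880`01603000 fffff880`01800000   tcpip    tcpip.sys    Mon Jul 13 19:25:34 2009 (4A5BC26E)
fffff880`01000000 fffff880`01126000   sptd     sptd.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
fffff880`02c00000 fffff880`02d26000   spuu     spuu.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
fffff880`03000000 fffff880`03126000   spzz     spzz.sys     Sun Oct 11 16:55:14 2009 (4AD24632)

Unloaded modules:
fffff880`018e8000 fffff880`018f6000   crashdmp.sys
    Timestamp: unavailable (00000000)
"""

if __name__ == "__main__":
    for image, reason in flag_sptd_family(parse_lm(SAMPLE_LM)):
        print(f"{image:<12} {reason}")
```

The date the debugger prints is in the analyst's local time zone, so when lists from different analysts are compared, the hex value in parentheses is the one to match on.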



## zigzag3143

jcgriff2 said:


> Additional Daemon Tools/ Alcohol 120 drivers have been found - other than *sptd.sys*, a known cause of BSODs -
> 
> 
> 
> Code:
> 
> 
> sptd.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> sprj.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> spuu.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> spyy.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> spex.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> spcz.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> spqz.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> spjw.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> spko.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> splr.sys     Sun Oct 11 16:55:14 2009 (4AD24632) - Daemon Tools/ Alcohol 120
> 
> 
> http://www.techsupportforum.com/2876596-post2.html
> 
> http://jcgriff2.com/0x1/DaemonTools_Alcohol120_drivers_09-02-2010_.html
> 
> John
> 


The best information from the best source--Thanks John


----------



## jcgriff2

Nothing like an in-depth BSOD thread to relieve one's (mine) stress after a long day - 

http://www.techsupportforum.com/2882957-post2.html

I think the OP's stress is just beginning, though, given *42* BSODs in 22 days.

John



----------



## AlbertMC2

Hi

I need information on *this* post.

This is one of the dump analyses (it has been edited - irrelevant info has been removed - I was playing)



Code:


Symbol search path is: SRV*C:\Symbols\Cache*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100427-1636
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu Sep  9 15:26:28.046 2010 (UTC + 2:00)
System Uptime: 0 days 0:00:31.734
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
........................................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C0000218, {e25b74e0, 0, 0, 0}

Probably caused by : ntkrpamp.exe ( nt!ExRaiseHardError+13e )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000218)
Unknown bugcheck description
Arguments:
Arg1: e25b74e0
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------


BUGCHECK_STR:  0xc0000218

ERROR_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure}  The registry cannot load the hive (file):  %hs  or its log or alternate.  It is corrupt, absent, or not writable.

EXCEPTION_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure}  The registry cannot load the hive (file):  %hs  or its log or alternate.  It is corrupt, absent, or not writable.

EXCEPTION_PARAMETER1:  e25b74e0

EXCEPTION_PARAMETER2:  00000000

EXCEPTION_PARAMETER3:  00000000

EXCEPTION_PARAMETER4: 0

ADDITIONAL_DEBUG_TEXT:  \SystemRoot\System32\Config\SOFTWARE - hive could not be loaded.

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

LAST_CONTROL_TRANSFER:  from 806573f6 to 804f9f43

STACK_TEXT:  
f6f5a864 806573f6 0000004c c0000218 f6f5a8a0 nt!KeBugCheckEx+0x1b
f6f5aa18 80614142 c0000218 00000001 00000001 nt!ExpSystemErrorHandler+0x526
f6f5abc4 806143c6 c0000218 00000001 00000001 nt!ExpRaiseHardError+0x9a
f6f5ac34 80627021 c0000218 00000001 00000001 nt!ExRaiseHardError+0x13e
f6f5adac 805cff62 00000002 00000000 00000000 nt!CmpLoadHiveThread+0x1e5
f6f5addc 8054612e 80626e3c 00000002 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!ExRaiseHardError+13e
806143c6 837dfc00        cmp     dword ptr [ebp-4],0

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!ExRaiseHardError+13e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4bd6e0e8

FAILURE_BUCKET_ID:  0xc0000218_nt!ExRaiseHardError+13e

BUCKET_ID:  0xc0000218_nt!ExRaiseHardError+13e

Followup: MachineOwner
---------

0: kd> !sym noisy
noisy mode - symbol prompts on
0: kd> .reload
SYMSRV:  c:\symbols\cache\ntoskrnl.exe\4BD6E0E820d000\ntoskrnl.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/4BD6E0E820d000/ntoskrnl.exe not found
SYMSRV:  c:\symbols\cache\ntkrnlup.exe\4BD6E0E820d000\ntkrnlup.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/4BD6E0E820d000/ntkrnlup.exe not found
SYMSRV:  c:\symbols\cache\ntkrnlpa.exe\4BD6E0E820d000\ntkrnlpa.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/4BD6E0E820d000/ntkrnlpa.exe not found
SYMSRV:  c:\symbols\cache\ntkrnlmp.exe\4BD6E0E820d000\ntkrnlmp.exe not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/4BD6E0E820d000/ntkrnlmp.exe not found
DBGHELP: c:\symbols\cache\ntkrpamp.exe\4BD6E0E820d000\ntkrpamp.exe - OK
DBGENG:  c:\symbols\cache\ntkrpamp.exe\4BD6E0E820d000\ntkrpamp.exe - Mapped image memory
DBGHELP: nt - public symbols  
         c:\symbols\cache\ntkrpamp.pdb\140D20ABBC1B433EA7BF82B979B6BF9D1\ntkrpamp.pdb
Loading Kernel Symbols
.
SYMSRV:  c:\symbols\cache\halaacpi.dll\4802517F20d00\halaacpi.dll not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/halaacpi.dll/4802517F20d00/halaacpi.dll not found
SYMSRV:  c:\symbols\cache\halacpi.dll\4802517F20d00\halacpi.dll not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/halacpi.dll/4802517F20d00/halacpi.dll not found
SYMSRV:  c:\symbols\cache\halapic.dll\4802517F20d00\halapic.dll not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/halapic.dll/4802517F20d00/halapic.dll not found
DBGHELP: c:\symbols\cache\halmacpi.dll\4802517F20d00\halmacpi.dll - OK
DBGENG:  c:\symbols\cache\halmacpi.dll\4802517F20d00\halmacpi.dll - Mapped image memory


Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.
DBGHELP: c:\symbols\cache\kdcom.dll\3B7D83461b80\kdcom.dll - OK
DBGENG:  c:\symbols\cache\kdcom.dll\3B7D83461b80\kdcom.dll - Mapped image memory
.............................................................
........................................
Loading User Symbols
Loading unloaded module list
....
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (c0000218)
Unknown bugcheck description
Arguments:
Arg1: e25b74e0
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

DBGHELP: c:\symbols\cache\mssmbios.sys\480252BD3c80\mssmbios.sys - OK
DBGENG:  c:\symbols\cache\mssmbios.sys\480252BD3c80\mssmbios.sys - Mapped image memory
DBGHELP: c:\symbols\cache\KSecDD.sys\4A420B9016b00\KSecDD.sys - OK
DBGENG:  c:\symbols\cache\KSecDD.sys\4A420B9016b00\KSecDD.sys - Mapped image memory
DBGHELP: c:\symbols\cache\sr.sys\480252C211f00\sr.sys - OK
DBGENG:  c:\symbols\cache\sr.sys\480252C211f00\sr.sys - Mapped image memory
DBGHELP: c:\symbols\cache\rdbss.sys\48025EE62ae80\rdbss.sys - OK
DBGENG:  c:\symbols\cache\rdbss.sys\48025EE62ae80\rdbss.sys - Mapped image memory
DBGHELP: c:\symbols\cache\afd.sys\48A4033321d00\afd.sys - OK
DBGENG:  c:\symbols\cache\afd.sys\48A4033321d00\afd.sys - Mapped image memory
DBGHELP: c:\symbols\cache\pci.sys\480252BB10a80\pci.sys - OK
DBGENG:  c:\symbols\cache\pci.sys\480252BB10a80\pci.sys - Mapped image memory
DBGHELP: c:\symbols\cache\ACPI.sys\480252B12dd80\ACPI.sys - OK
DBGENG:  c:\symbols\cache\ACPI.sys\480252B12dd80\ACPI.sys - Mapped image memory
DBGHELP: c:\symbols\cache\Mup.sys\48025C3119b80\Mup.sys - OK
DBGENG:  c:\symbols\cache\Mup.sys\48025C3119b80\Mup.sys - Mapped image memory
DBGHELP: c:\symbols\cache\NDIS.sys\48025D032c980\NDIS.sys - OK
DBGENG:  c:\symbols\cache\NDIS.sys\48025D032c980\NDIS.sys - Mapped image memory
SYMSRV:  c:\symbols\cache\SYMTDI.SYS\4050ED2D3f0e0\SYMTDI.SYS not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/SYMTDI.SYS/4050ED2D3f0e0/SYMTDI.SYS not found
DBGHELP: F:\Documents and Settings\Craig\Desktop\Temp\Minidumps\514559-bsod-over-30-computers\SYMTDI.SYS - file not found
SYMSRV:  C:\Symbols\Cache\SYMTDI.SYS\4050ED2D3f0e0\SYMTDI.SYS not found
SYMSRV:  http://msdl.microsoft.com/download/symbols/SYMTDI.SYS/4050ED2D3f0e0/SYMTDI.SYS not found
DBGENG:  SYMTDI.SYS - Image mapping disallowed by non-local path.
DBGHELP: c:\symbols\cache\tcpip.sys\485B99AD58480\tcpip.sys - OK
DBGENG:  c:\symbols\cache\tcpip.sys\485B99AD58480\tcpip.sys - Mapped image memory
DBGHELP: c:\symbols\cache\rdpdr.sys\480251D22fe80\rdpdr.sys - OK
DBGENG:  c:\symbols\cache\rdpdr.sys\480251D22fe80\rdpdr.sys - Mapped image memory
DBGHELP: c:\symbols\cache\psched.sys\4802576410e00\psched.sys - OK
DBGENG:  c:\symbols\cache\psched.sys\4802576410e00\psched.sys - Mapped image memory
DBGHELP: c:\symbols\cache\USBPORT.SYS\480254CE23200\USBPORT.SYS - OK
DBGENG:  c:\symbols\cache\USBPORT.SYS\480254CE23200\USBPORT.SYS - Mapped image memory
DBGHELP: c:\symbols\cache\VIDEOPRT.SYS\4802549713f00\VIDEOPRT.SYS - OK
DBGENG:  c:\symbols\cache\VIDEOPRT.SYS\4802549713f00\VIDEOPRT.SYS - Mapped image memory
DBGHELP: c:\symbols\cache\HDAudBus.sys\4295EF5528000\HDAudBus.sys - OK
DBGENG:  c:\symbols\cache\HDAudBus.sys\4295EF5528000\HDAudBus.sys - Mapped image memory
DBGHELP: c:\symbols\cache\usbhub.sys\480254D0e880\usbhub.sys - OK
DBGENG:  c:\symbols\cache\usbhub.sys\480254D0e880\usbhub.sys - Mapped image memory
DBGHELP: c:\symbols\cache\fltmgr.sys\480251DA1fb00\fltmgr.sys - OK
DBGENG:  c:\symbols\cache\fltmgr.sys\480251DA1fb00\fltmgr.sys - Mapped image memory
DBGHELP: c:\symbols\cache\Ntfs.sys\48025BE58c600\Ntfs.sys - OK
DBGENG:  c:\symbols\cache\Ntfs.sys\48025BE58c600\Ntfs.sys - Mapped image memory

BUGCHECK_STR:  0xc0000218

ERROR_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure}  The registry cannot load the hive (file):  %hs  or its log or alternate.  It is corrupt, absent, or not writable.

EXCEPTION_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure}  The registry cannot load the hive (file):  %hs  or its log or alternate.  It is corrupt, absent, or not writable.

EXCEPTION_PARAMETER1:  e25b74e0

EXCEPTION_PARAMETER2:  00000000

EXCEPTION_PARAMETER3:  00000000

EXCEPTION_PARAMETER4: 0

ADDITIONAL_DEBUG_TEXT:  \SystemRoot\System32\Config\SOFTWARE - hive could not be loaded.

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

LAST_CONTROL_TRANSFER:  from 806573f6 to 804f9f43

STACK_TEXT:  
f6f5a864 806573f6 0000004c c0000218 f6f5a8a0 nt!KeBugCheckEx+0x1b
f6f5aa18 80614142 c0000218 00000001 00000001 nt!ExpSystemErrorHandler+0x526
f6f5abc4 806143c6 c0000218 00000001 00000001 nt!ExpRaiseHardError+0x9a
f6f5ac34 80627021 c0000218 00000001 00000001 nt!ExRaiseHardError+0x13e
f6f5adac 805cff62 00000002 00000000 00000000 nt!CmpLoadHiveThread+0x1e5
f6f5addc 8054612e 80626e3c 00000002 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!ExRaiseHardError+13e
806143c6 837dfc00        cmp     dword ptr [ebp-4],0

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!ExRaiseHardError+13e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4bd6e0e8

FAILURE_BUCKET_ID:  0xc0000218_nt!ExRaiseHardError+13e

BUCKET_ID:  0xc0000218_nt!ExRaiseHardError+13e

Followup: MachineOwner
---------

0: kd> !sym quiet
quiet mode - symbol prompts on

0: kd> lmvm mrxsmb
start    end        module name
a987f000 a98ee400   mrxsmb     (deferred)             
    Image path: mrxsmb.sys
    Image name: mrxsmb.sys
    Timestamp:        Wed Feb 24 15:11:05 2010 (4B852569)
    CheckSum:         00074B5A
    ImageSize:        0006F400
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
0: kd> lmvm ipsec
start    end        module name
a9a23000 a9a35600   ipsec      (deferred)             
    Image path: ipsec.sys
    Image name: ipsec.sys
    Timestamp:        Sun Apr 13 21:19:42 2008 (48025CCE)
    CheckSum:         00016389
    ImageSize:        00012600
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
0: kd> lmvm isapnp
start    end        module name
f749f000 f74a8180   isapnp     (deferred)             
    Image path: isapnp.sys
    Image name: isapnp.sys
    Timestamp:        Sun Apr 13 20:36:40 2008 (480252B8)
    CheckSum:         0000D074
    ImageSize:        00009180
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

0: kd> !sysinfo smbios -processor
[SMBIOS Data Tables v2.3]
[DMI Version - 35]
[2.0 Calling Convention - No]
[Table Size - 2709 bytes]

[Processor Information (Type 4) - Length 40 - Handle 0400h]
  Socket Designation            Microprocessor
  Processor Type                Central Processor
  Processor Family              b2h - Pentium IV Processor
  Processor Manufacturer        Intel
  Processor ID                  470f0000fffbebbf
  Processor Version             [String Not Specified]
  Processor Voltage             92h - 1.8V
  External Clock                800MHz
  Max Speed                     5200MHz
  Current Speed                 2800MHz
  Status                        Enabled Populated
  Processor Upgrade             ZIF Socket
  L1 Cache Handle               0700h
  L2 Cache Handle               0701h
  L3 Cache Handle               [Not Present]
  Serial Number                 [String Not Specified]
  Asset Tag Number              [String Not Specified]
  Part Number                   [String Not Specified]
[Cache Information (Type 7) - Length 19 - Handle 0700h]
  Socket Designation            [String Not Specified]
  Cache Configuration           0180h - WB Enabled Int NonSocketed L1
  Maximum Cache Size            0010h - 16K
  Installed Size                0010h - 16K
  Supported SRAM Type           0001h - Other 
  Current SRAM Type             0001h - Other 
  Cache Speed                   0ns
  Error Correction Type         None
  System Cache Type             Data
  Associativity                 8-way Set-Associative
[Cache Information (Type 7) - Length 19 - Handle 0701h]
  Socket Designation            [String Not Specified]
  Cache Configuration           0281h - Varies Enabled Int NonSocketed L2
  Maximum Cache Size            0800h - 2048K
  Installed Size                0800h - 2048K
  Supported SRAM Type           0001h - Other 
  Current SRAM Type             0001h - Other 
  Cache Speed                   0ns
  Error Correction Type         Multi-Bit ECC
  System Cache Type             Unified
  Associativity                 8-way Set-Associative

I would appreciate it if you could shed light on some of my questions as I am still new to this:

1. Why does the analysis say 
Unknown bugcheck code (c0000218)
Unknown bugcheck description
when 0x218 is STATUS_CANNOT_LOAD_REGISTRY_FILE
Is this a symbol problem? I did do a *!sym noisy* and a *.reload*. When doing this some of the other Windows files cannot get symbols (Shown in red above)

2. When doing a *lmvm* on modules *mrxsmb, isapnp and ipsec* the symbols are not displayed (shown in green above). Even though these are MS Windows files. It also does not make a difference if I do a .reload _modulename_. Why would this be? Are these files corrupt?

3. The user attached 6 minidumps which they say come from 4 different PCs. I am sure they accidentally attached the same dumps so they only come from one PC. To make sure I did a *!sysinfo smbios -processor* to get the Processor ID (shown in blue above). The dumps all had the same processor IDs - Is this conclusive that they came from the same PC or am I misunderstanding Processor IDs?
Note, I am sure they come from the same PC due to the time the BSODs happened and the uptime - I was just interested in how you could say it was definitely the same machine.

4. Finally from reading some of your other BSOD posts I notice you always tell the users to update one or other driver. Do you use a website to tell you if the driver is old or do you have some sort of time/date baseline? (Everything after that date is ok for Win7, anything before must be updated etc)

Thank you for any help with this.
Albert


----------



## jcgriff2

AlbertMC2 said:


> Hi
> 
> I need information on *this* post.
> 
> This is one of the dump analyses (it has been edited - irrelevant info has been removed - I was playing)
> 
> 
> 
> Code:
> 
> 
> Symbol search path is: SRV*C:\Symbols\Cache*http://msdl.microsoft.com/download/symbols
> Executable search path is:
> Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
> Product: WinNt, suite: TerminalServer SingleUserTS
> Built by: 2600.xpsp_sp3_gdr.100427-1636
> Machine Name:
> Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
> Debug session time: Thu Sep  9 15:26:28.046 2010 (UTC + 2:00)
> System Uptime: 0 days 0:00:31.734
> Loading Kernel Symbols
> .
> 
> Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
> Run !sym noisy before .reload to track down problems loading symbols.
> 
> ..............................................................
> ........................................
> Loading User Symbols
> Loading unloaded module list
> ....
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
> 
> Use !analyze -v to get detailed debugging information.
> 
> BugCheck C0000218, {e25b74e0, 0, 0, 0}
> 
> Probably caused by : ntkrpamp.exe ( nt!ExRaiseHardError+13e )
> 
> Followup: MachineOwner
> ---------
> 
> 0: kd> !analyze -v
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
> 
> Unknown bugcheck code (c0000218)
> Unknown bugcheck description
> Arguments:
> Arg1: e25b74e0
> Arg2: 00000000
> Arg3: 00000000
> Arg4: 00000000
> 
> Debugging Details:
> ------------------
> 
> 
> BUGCHECK_STR:  0xc0000218
> 
> ERROR_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure}  The registry cannot load the hive (file):  %hs  or its log or alternate.  It is corrupt, absent, or not writable.
> 
> EXCEPTION_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure}  The registry cannot load the hive (file):  %hs  or its log or alternate.  It is corrupt, absent, or not writable.
> 
> EXCEPTION_PARAMETER1:  e25b74e0
> 
> EXCEPTION_PARAMETER2:  00000000
> 
> EXCEPTION_PARAMETER3:  00000000
> 
> EXCEPTION_PARAMETER4: 0
> 
> ADDITIONAL_DEBUG_TEXT:  \SystemRoot\System32\Config\SOFTWARE - hive could not be loaded.
> 
> CUSTOMER_CRASH_COUNT:  2
> 
> DEFAULT_BUCKET_ID:  DRIVER_FAULT
> 
> PROCESS_NAME:  System
> 
> LAST_CONTROL_TRANSFER:  from 806573f6 to 804f9f43
> 
> STACK_TEXT:
> f6f5a864 806573f6 0000004c c0000218 f6f5a8a0 nt!KeBugCheckEx+0x1b
> f6f5aa18 80614142 c0000218 00000001 00000001 nt!ExpSystemErrorHandler+0x526
> f6f5abc4 806143c6 c0000218 00000001 00000001 nt!ExpRaiseHardError+0x9a
> f6f5ac34 80627021 c0000218 00000001 00000001 nt!ExRaiseHardError+0x13e
> f6f5adac 805cff62 00000002 00000000 00000000 nt!CmpLoadHiveThread+0x1e5
> f6f5addc 8054612e 80626e3c 00000002 00000000 nt!PspSystemThreadStartup+0x34
> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
> 
> 
> STACK_COMMAND:  kb
> 
> FOLLOWUP_IP:
> nt!ExRaiseHardError+13e
> 806143c6 837dfc00        cmp     dword ptr [ebp-4],0
> 
> SYMBOL_STACK_INDEX:  3
> 
> SYMBOL_NAME:  nt!ExRaiseHardError+13e
> 
> FOLLOWUP_NAME:  MachineOwner
> 
> MODULE_NAME: nt
> 
> IMAGE_NAME:  ntkrpamp.exe
> 
> DEBUG_FLR_IMAGE_TIMESTAMP:  4bd6e0e8
> 
> FAILURE_BUCKET_ID:  0xc0000218_nt!ExRaiseHardError+13e
> 
> BUCKET_ID:  0xc0000218_nt!ExRaiseHardError+13e
> 
> Followup: MachineOwner
> ---------
> 
> 0: kd> !sym noisy
> noisy mode - symbol prompts on
> 0: kd> .reload
> SYMSRV:  c:\symbols\cache\ntoskrnl.exe\4BD6E0E820d000\ntoskrnl.exe not found
> SYMSRV:  http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/4BD6E0E820d000/ntoskrnl.exe not found
> SYMSRV:  c:\symbols\cache\ntkrnlup.exe\4BD6E0E820d000\ntkrnlup.exe not found
> SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/4BD6E0E820d000/ntkrnlup.exe not found
> SYMSRV:  c:\symbols\cache\ntkrnlpa.exe\4BD6E0E820d000\ntkrnlpa.exe not found
> SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlpa.exe/4BD6E0E820d000/ntkrnlpa.exe not found
> SYMSRV:  c:\symbols\cache\ntkrnlmp.exe\4BD6E0E820d000\ntkrnlmp.exe not found
> SYMSRV:  http://msdl.microsoft.com/download/symbols/ntkrnlmp.exe/4BD6E0E820d000/ntkrnlmp.exe not found
> DBGHELP: c:\symbols\cache\ntkrpamp.exe\4BD6E0E820d000\ntkrpamp.exe - OK
> DBGENG:  c:\symbols\cache\ntkrpamp.exe\4BD6E0E820d000\ntkrpamp.exe - Mapped image memory
> DBGHELP: nt - public symbols
> c:\symbols\cache\ntkrpamp.pdb\140D20ABBC1B433EA7BF82B979B6BF9D1\ntkrpamp.pdb
> Loading Kernel Symbols
> .
> SYMSRV:  c:\symbols\cache\halaacpi.dll\4802517F20d00\halaacpi.dll not found
> SYMSRV:  http://msdl.microsoft.com/download/symbols/halaacpi.dll/4802517F20d00/halaacpi.dll not found
> SYMSRV:  c:\symbols\cache\halacpi.dll\4802517F20d00\halacpi.dll not found
> SYMSRV:  http://msdl.microsoft.com/download/symbols/halacpi.dll/4802517F20d00/halacpi.dll not found
> SYMSRV:  c:\symbols\cache\halapic.dll\4802517F20d00\halapic.dll not found
> SYMSRV:  http://msdl.microsoft.com/download/symbols/halapic.dll/4802517F20d00/halapic.dll not found
> DBGHELP: c:\symbols\cache\halmacpi.dll\4802517F20d00\halmacpi.dll - OK
> DBGENG:  c:\symbols\cache\halmacpi.dll\4802517F20d00\halmacpi.dll - Mapped image memory
> 
> 
> Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
> Run !sym noisy before .reload to track down problems loading symbols.
> 
> .
> DBGHELP: c:\symbols\cache\kdcom.dll\3B7D83461b80\kdcom.dll - OK
> DBGENG:  c:\symbols\cache\kdcom.dll\3B7D83461b80\kdcom.dll - Mapped image memory
> .............................................................
> ........................................
> Loading User Symbols
> Loading unloaded module list
> ....
> 0: kd> !analyze -v
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
> 
> Unknown bugcheck code (c0000218)
> Unknown bugcheck description
> Arguments:
> Arg1: e25b74e0
> Arg2: 00000000
> Arg3: 00000000
> Arg4: 00000000
> 
> Debugging Details:
> ------------------
> 
> DBGHELP: c:\symbols\cache\mssmbios.sys\480252BD3c80\mssmbios.sys - OK
> DBGENG:  c:\symbols\cache\mssmbios.sys\480252BD3c80\mssmbios.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\KSecDD.sys\4A420B9016b00\KSecDD.sys - OK
> DBGENG:  c:\symbols\cache\KSecDD.sys\4A420B9016b00\KSecDD.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\sr.sys\480252C211f00\sr.sys - OK
> DBGENG:  c:\symbols\cache\sr.sys\480252C211f00\sr.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\rdbss.sys\48025EE62ae80\rdbss.sys - OK
> DBGENG:  c:\symbols\cache\rdbss.sys\48025EE62ae80\rdbss.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\afd.sys\48A4033321d00\afd.sys - OK
> DBGENG:  c:\symbols\cache\afd.sys\48A4033321d00\afd.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\pci.sys\480252BB10a80\pci.sys - OK
> DBGENG:  c:\symbols\cache\pci.sys\480252BB10a80\pci.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\ACPI.sys\480252B12dd80\ACPI.sys - OK
> DBGENG:  c:\symbols\cache\ACPI.sys\480252B12dd80\ACPI.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\Mup.sys\48025C3119b80\Mup.sys - OK
> DBGENG:  c:\symbols\cache\Mup.sys\48025C3119b80\Mup.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\NDIS.sys\48025D032c980\NDIS.sys - OK
> DBGENG:  c:\symbols\cache\NDIS.sys\48025D032c980\NDIS.sys - Mapped image memory
> SYMSRV:  c:\symbols\cache\SYMTDI.SYS\4050ED2D3f0e0\SYMTDI.SYS not found
> SYMSRV:  http://msdl.microsoft.com/download/symbols/SYMTDI.SYS/4050ED2D3f0e0/SYMTDI.SYS not found
> DBGHELP: F:\Documents and Settings\Craig\Desktop\Temp\Minidumps\514559-bsod-over-30-computers\SYMTDI.SYS - file not found
> SYMSRV:  C:\Symbols\Cache\SYMTDI.SYS\4050ED2D3f0e0\SYMTDI.SYS not found
> SYMSRV:  http://msdl.microsoft.com/download/symbols/SYMTDI.SYS/4050ED2D3f0e0/SYMTDI.SYS not found
> DBGENG:  SYMTDI.SYS - Image mapping disallowed by non-local path.
> DBGHELP: c:\symbols\cache\tcpip.sys\485B99AD58480\tcpip.sys - OK
> DBGENG:  c:\symbols\cache\tcpip.sys\485B99AD58480\tcpip.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\rdpdr.sys\480251D22fe80\rdpdr.sys - OK
> DBGENG:  c:\symbols\cache\rdpdr.sys\480251D22fe80\rdpdr.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\psched.sys\4802576410e00\psched.sys - OK
> DBGENG:  c:\symbols\cache\psched.sys\4802576410e00\psched.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\USBPORT.SYS\480254CE23200\USBPORT.SYS - OK
> DBGENG:  c:\symbols\cache\USBPORT.SYS\480254CE23200\USBPORT.SYS - Mapped image memory
> DBGHELP: c:\symbols\cache\VIDEOPRT.SYS\4802549713f00\VIDEOPRT.SYS - OK
> DBGENG:  c:\symbols\cache\VIDEOPRT.SYS\4802549713f00\VIDEOPRT.SYS - Mapped image memory
> DBGHELP: c:\symbols\cache\HDAudBus.sys\4295EF5528000\HDAudBus.sys - OK
> DBGENG:  c:\symbols\cache\HDAudBus.sys\4295EF5528000\HDAudBus.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\usbhub.sys\480254D0e880\usbhub.sys - OK
> DBGENG:  c:\symbols\cache\usbhub.sys\480254D0e880\usbhub.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\fltmgr.sys\480251DA1fb00\fltmgr.sys - OK
> DBGENG:  c:\symbols\cache\fltmgr.sys\480251DA1fb00\fltmgr.sys - Mapped image memory
> DBGHELP: c:\symbols\cache\Ntfs.sys\48025BE58c600\Ntfs.sys - OK
> DBGENG:  c:\symbols\cache\Ntfs.sys\48025BE58c600\Ntfs.sys - Mapped image memory
> 
> BUGCHECK_STR:  0xc0000218
> 
> ERROR_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure}  The registry cannot load the hive (file):  %hs  or its log or alternate.  It is corrupt, absent, or not writable.
> 
> EXCEPTION_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure}  The registry cannot load the hive (file):  %hs  or its log or alternate.  It is corrupt, absent, or not writable.
> 
> EXCEPTION_PARAMETER1:  e25b74e0
> 
> EXCEPTION_PARAMETER2:  00000000
> 
> EXCEPTION_PARAMETER3:  00000000
> 
> EXCEPTION_PARAMETER4: 0
> 
> ADDITIONAL_DEBUG_TEXT:  \SystemRoot\System32\Config\SOFTWARE - hive could not be loaded.
> 
> CUSTOMER_CRASH_COUNT:  2
> 
> DEFAULT_BUCKET_ID:  DRIVER_FAULT
> 
> PROCESS_NAME:  System
> 
> LAST_CONTROL_TRANSFER:  from 806573f6 to 804f9f43
> 
> STACK_TEXT:
> f6f5a864 806573f6 0000004c c0000218 f6f5a8a0 nt!KeBugCheckEx+0x1b
> f6f5aa18 80614142 c0000218 00000001 00000001 nt!ExpSystemErrorHandler+0x526
> f6f5abc4 806143c6 c0000218 00000001 00000001 nt!ExpRaiseHardError+0x9a
> f6f5ac34 80627021 c0000218 00000001 00000001 nt!ExRaiseHardError+0x13e
> f6f5adac 805cff62 00000002 00000000 00000000 nt!CmpLoadHiveThread+0x1e5
> f6f5addc 8054612e 80626e3c 00000002 00000000 nt!PspSystemThreadStartup+0x34
> 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
> 
> 
> STACK_COMMAND:  kb
> 
> FOLLOWUP_IP:
> nt!ExRaiseHardError+13e
> 806143c6 837dfc00        cmp     dword ptr [ebp-4],0
> 
> SYMBOL_STACK_INDEX:  3
> 
> SYMBOL_NAME:  nt!ExRaiseHardError+13e
> 
> FOLLOWUP_NAME:  MachineOwner
> 
> MODULE_NAME: nt
> 
> IMAGE_NAME:  ntkrpamp.exe
> 
> DEBUG_FLR_IMAGE_TIMESTAMP:  4bd6e0e8
> 
> FAILURE_BUCKET_ID:  0xc0000218_nt!ExRaiseHardError+13e
> 
> BUCKET_ID:  0xc0000218_nt!ExRaiseHardError+13e
> 
> Followup: MachineOwner
> ---------
> 
> 0: kd> !sym quiet
> quiet mode - symbol prompts on
> 
> 0: kd> lmvm mrxsmb
> start    end        module name
> a987f000 a98ee400   mrxsmb     (deferred)
> Image path: mrxsmb.sys
> Image name: mrxsmb.sys
> Timestamp:        Wed Feb 24 15:11:05 2010 (4B852569)
> CheckSum:         00074B5A
> ImageSize:        0006F400
> Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
> 0: kd> lmvm ipsec
> start    end        module name
> a9a23000 a9a35600   ipsec      (deferred)
> Image path: ipsec.sys
> Image name: ipsec.sys
> Timestamp:        Sun Apr 13 21:19:42 2008 (48025CCE)
> CheckSum:         00016389
> ImageSize:        00012600
> Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
> 0: kd> lmvm isapnp
> start    end        module name
> f749f000 f74a8180   isapnp     (deferred)
> Image path: isapnp.sys
> Image name: isapnp.sys
> Timestamp:        Sun Apr 13 20:36:40 2008 (480252B8)
> CheckSum:         0000D074
> ImageSize:        00009180
> Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
> 
> 0: kd> !sysinfo smbios -processor
> [SMBIOS Data Tables v2.3]
> [DMI Version - 35]
> [2.0 Calling Convention - No]
> [Table Size - 2709 bytes]
> 
> [Processor Information (Type 4) - Length 40 - Handle 0400h]
> Socket Designation            Microprocessor
> Processor Type                Central Processor
> Processor Family              b2h - Pentium IV Processor
> Processor Manufacturer        Intel
> Processor ID                  470f0000fffbebbf
> Processor Version             [String Not Specified]
> Processor Voltage             92h - 1.8V
> External Clock                800MHz
> Max Speed                     5200MHz
> Current Speed                 2800MHz
> Status                        Enabled Populated
> Processor Upgrade             ZIF Socket
> L1 Cache Handle               0700h
> L2 Cache Handle               0701h
> L3 Cache Handle               [Not Present]
> Serial Number                 [String Not Specified]
> Asset Tag Number              [String Not Specified]
> Part Number                   [String Not Specified]
> [Cache Information (Type 7) - Length 19 - Handle 0700h]
> Socket Designation            [String Not Specified]
> Cache Configuration           0180h - WB Enabled Int NonSocketed L1
> Maximum Cache Size            0010h - 16K
> Installed Size                0010h - 16K
> Supported SRAM Type           0001h - Other
> Current SRAM Type             0001h - Other
> Cache Speed                   0ns
> Error Correction Type         None
> System Cache Type             Data
> Associativity                 8-way Set-Associative
> [Cache Information (Type 7) - Length 19 - Handle 0701h]
> Socket Designation            [String Not Specified]
> Cache Configuration           0281h - Varies Enabled Int NonSocketed L2
> Maximum Cache Size            0800h - 2048K
> Installed Size                0800h - 2048K
> Supported SRAM Type           0001h - Other
> Current SRAM Type             0001h - Other
> Cache Speed                   0ns
> Error Correction Type         Multi-Bit ECC
> System Cache Type             Unified
> Associativity                 8-way Set-Associative
> 
> I would appreciate it if you could shed light on some of my questions as I am still new to this:
> 
> 1. Why does the analysis say
> Unknown bugcheck code (c0000218)
> Unknown bugcheck description
> when 0x218 is STATUS_CANNOT_LOAD_REGISTRY_FILE
> Is this a symbol problem? I did do a *!sym noisy* and a *.reload*. When doing this some of the other Windows files cannot get symbols (Shown in red above)
> 
> 2. When doing a *lmvm* on modules *mrxsmb, isapnp and ipsec* the symbols are not displayed (shown in green above). Even though these are MS Windows files. It also does not make a difference if I do a .reload _modulename_. Why would this be? Are these files corrupt?
> 
> 3. The user attached 6 minidumps which they say come from 4 different PCs. I am sure they accidentally attached the same dumps so they only come from one PC. To make sure I did a *!sysinfo smbios -processor* to get the Processor ID (shown in blue above). The dumps all had the same processor IDs - Is this conclusive that they came from the same PC or am I misunderstanding Processor IDs?
> Note, I am sure they come from the same PC due to the Time the BSODs happened and the uptime - I was just interested on how you could say it was definitely the same machine.
> 
> 4. Finally from reading some of your other BSOD posts I notice you always tell the users to update one or other driver. Do you use a website to tell you if the driver is old or do you have some sort of time/date baseline? (Everything after that date is ok for Win7, anything before must be updated etc)
> 
> Thank you for any help with this.
> Albert



Hi Albert. . .

The unknown bugcheck here listed as *0xc0000218* is actually an NTSTATUS exception error code - 

0xc0000218 = STATUS_CANNOT_LOAD_REGISTRY_FILE = The registry cannot load the hive (file). It is corrupt, absent, or not writable.

The dumps reveal there is an issue with the file *windows\system32\config\SOFTWARE*

Your post suggesting OP check RAM and HDD is exactly where I would begin; however the OP states that he has 60 systems and these BSODs involve 35 of them - 58.3%. I don't find it feasible that hardware failure can be the cause of 35 systems under one roof to suddenly fail.

Software is the likely cause of most, if not all. I ran 3 of the dumps and found these 3rd party drivers - 


Code:


[font=lucida console]
SYMREDRV.SYS Thu Mar 11 17:50:38 2004 (4050ED3E) - Symantec/ Norton
SYMTDI.SYS   Thu Mar 11 17:50:21 2004 (4050ED2D) - Symantec/ Norton
naveng.sys   Thu Jul 01 14:05:22 2010 (4C2CD8E2) - Symantec/ Norton
navex15.sys  Thu Jul 01 14:13:10 2010 (4C2CDAB6) - Symantec/ Norton
SYMEVENT.SYS Wed Jan 14 21:02:13 2004 (4005F4A5) - Symantec/ Norton
savrt.sys    Mon Feb 09 18:24:30 2004 (402816AE) - Symantec/ Norton
Savrtpel.sys Mon Feb 09 18:24:34 2004 (402816B2) - Symantec/ Norton


Senfilt.sys  Mon Mar 13 12:40:28 2006 (4415A07C) - Creative/ SoundMax audio
ADIHdAud.sys Wed Jul 05 16:08:26 2006 (44AC1C3A) - Creative/ SoundMAX HD Audio

igxprd32.dll Fri Jul 21 17:11:44 2006 (44C14310) - Intel video

PxHelp20.sys Fri Feb 02 16:23:57 2007 (45C3ABED) - Roxio

AFS2K.SYS    Thu Oct 07 21:16:03 2004 (4165EA53) - Oak Recording CD driver

RimSerial.sys Tue Jan 09 11:52:20 2007 (45A3C844) - RIM virtual driver - Blackberry..?

DSproct.sys  Tue Jan 10 04:05:03 2006 (43C378BF) - Dell Support driver

b57xp32.sys  Wed May 10 18:00:15 2006 (4462626F) - Broadcom Ethernet
BASFND.sys   Thu Apr 24 19:16:49 2003 (3EA87061) - Broadcom NetDetect Driver -  http://www.broadcom.com/support/
[/font]

The first group belong to Symantec/ Norton. I find it very strange to find drivers with 2004 and 2010 timestamps. Something is wrong with the Symantec/ Norton installation, in my opinion.

XP SP3 has base OS drivers with timestamps = April 2008; however XP OS drivers can date back to 2001 and can be updated via Windows Updates post-SP3, so timestamps can = 2010.

http://jcgriff2.com/0x1/Windows_OS_Driver_Base_Timestamps.html

Symbol files are provided by Microsoft for Windows OS drivers only, i.e., no 3rd party symbols. Also, certain Microsoft security-related drivers will show up as "unavailable". Newer OS drivers from Windows Updates may not yet be added to the MSDL SYM site; others (drivers) may be corrupted and therefore do not match SYM files.

The 3rd party drivers listed above must be addressed - Symantec/ Norton, audio, video, networking, etc... It is likely that Windows Updates came in and the old 3rd party drivers are not getting along well with the updates.

OP should update all 3rd party drivers listed, then run the Driver Verifier. These instructions are for Windows 7 & Vista, but will work for XP as well. Run *verifier* from a CMD/DOS screen.

Driver Verifier --> http://jcgriff2.com/driver_verifier.htm 

I would also suggest that OP focus on one system at a time or make sure to clearly mark the attachments - it gets confusing.


Windbg Logs
--> http://jcgriff2.net/BSOD_Logs/_99-dbug_josua_tailor_XPSP3_09-18-2010_jcgriff2_.txt
--> http://jcgriff2.net/BSOD_Logs/_99-dbug_josua_tailor_XPSP3_09-18-2010_jcgriff2_.txt.zip

Regards. . .

jcgriff2



BSOD BUGCHECK SUMMARY 


Code:


[font=lucida console]
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Wed Sep 15 10:49:03.123 2010 (GMT-4)
System Uptime: 1 days 16:32:26.957
Probably caused by : ntkrpamp.exe ( nt!ObpCloseHandleTableEntry+13 )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0x8E
PROCESS_NAME:  helpsvc.exe
Bugcheck code 1000008E
Arguments c0000005 805bc1e9 a809fc7c 00000000
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Mon Sep 13 17:51:16.894 2010 (GMT-4)
System Uptime: 0 days 1:36:35.613
Probably caused by : ntkrpamp.exe ( nt!CcGetDirtyPages+9d )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xA
PROCESS_NAME:  System
Bugcheck code 1000000A
Arguments fffffff0 00000002 00000000 804e4d51
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Thu Sep  9 09:26:28.046 2010 (GMT-4)
System Uptime: 0 days 0:00:31.734
Probably caused by : ntkrpamp.exe ( nt!ExRaiseHardError+13e )
BUGCHECK_STR:  0xc0000218
DEFAULT_BUCKET_ID:  DRIVER_FAULT
PROCESS_NAME:  System
Bugcheck code C0000218
Arguments e25b74e0 00000000 00000000 00000000
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
  

by jcgriff2
J. C. Griffith, Microsoft MVP
https://mvp.support.microsoft.com/profile/Griffith
www.jcgriff2.com


¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨


  [/font]
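The driver listing in the post above pairs each printed date with the module's link timestamp in hex. As an added example (not part of the original post; the function names and the 1 April 2008 baseline are assumptions of this sketch), the following decodes those hex values, checks that each one agrees with its printed date, and reports which drivers predate the XP SP3 base and how far apart each vendor's drivers were built:

```python
import re
from collections import namedtuple
from datetime import datetime, timezone

# Lines copied from the driver listing in the post above: module name, time as
# printed by the debugger (analyst's local zone), link timestamp in hex, note.
LISTING = """\
SYMREDRV.SYS Thu Mar 11 17:50:38 2004 (4050ED3E) - Symantec/ Norton
SYMTDI.SYS   Thu Mar 11 17:50:21 2004 (4050ED2D) - Symantec/ Norton
naveng.sys   Thu Jul 01 14:05:22 2010 (4C2CD8E2) - Symantec/ Norton
navex15.sys  Thu Jul 01 14:13:10 2010 (4C2CDAB6) - Symantec/ Norton
SYMEVENT.SYS Wed Jan 14 21:02:13 2004 (4005F4A5) - Symantec/ Norton
PxHelp20.sys Fri Feb 02 16:23:57 2007 (45C3ABED) - Roxio
b57xp32.sys  Wed May 10 18:00:15 2006 (4462626F) - Broadcom Ethernet
BASFND.sys   Thu Apr 24 19:16:49 2003 (3EA87061) - Broadcom NetDetect Driver
"""

# Assumption: the post says XP SP3 base OS drivers are dated April 2008, so the
# first day of that month is used as the cut-off.
XP_SP3_BASE = datetime(2008, 4, 1, tzinfo=timezone.utc)

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+\w{3} (?P<mon>" + "|".join(MONTHS) + r") +(?P<day>\d{1,2}) "
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) (?P<year>\d{4}) "
    r"\((?P<stamp>[0-9A-Fa-f]{8})\)(?:\s+-\s+(?P<note>.*))?$")

Driver = namedtuple("Driver", "name printed built_utc note")


def parse_listing(text):
    """Return a Driver for every line that has the listing's shape."""
    drivers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, separators, markup wrappers
        printed = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                           int(m["h"]), int(m["m"]), int(m["s"]))
        # The hex value counts seconds since 1970-01-01 00:00:00 UTC.
        built = datetime.fromtimestamp(int(m["stamp"], 16), tz=timezone.utc)
        drivers.append(Driver(m["name"], printed, built, m["note"] or ""))
    return drivers


def utc_offset_hours(d):
    """Printed local time minus the decoded UTC time, in hours."""
    return (d.printed - d.built_utc.replace(tzinfo=None)).total_seconds() / 3600


def stamp_matches_date(d):
    """True when hex stamp and printed date are the same instant in some real
    time zone (a quarter-hour offset between UTC-12 and UTC+14)."""
    off = utc_offset_hours(d)
    return -12 <= off <= 14 and (off * 4).is_integer()


def built_before(drivers, baseline):
    """Names of drivers whose link timestamp predates the baseline."""
    return [d.name for d in drivers if d.built_utc < baseline]


def vendor_year_span(drivers):
    """Map the first word of each note to (oldest, newest) build year."""
    spans = {}
    for d in drivers:
        words = d.note.replace("/", " ").split()
        vendor = words[0] if words else "(unlabelled)"
        year = d.built_utc.year
        lo, hi = spans.get(vendor, (year, year))
        spans[vendor] = (min(lo, year), max(hi, year))
    return spans


if __name__ == "__main__":
    drivers = parse_listing(LISTING)
    for d in drivers:
        flag = "" if stamp_matches_date(d) else "  <-- hex and date disagree"
        print(f"{d.name:<13} {d.built_utc:%Y-%m-%d %H:%M:%S} UTC "
              f"(printed at UTC{utc_offset_hours(d):+.0f}){flag}")
    print("Built before XP SP3 base:", ", ".join(built_before(drivers, XP_SP3_BASE)))
    for vendor, (lo, hi) in vendor_year_span(drivers).items():
        print(f"{vendor}: {lo}-{hi}")
```

The link timestamp is written into the image when it is built, so it dates the build of the driver, not the day it was installed on the machine.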


----------



## reventon

In this thread Memtest86+ failed to pick up a faulty stick of RAM but Prime95's Blend Test did - http://www.techsupportforum.com/f217/solved-windows-7-64-bit-bsod-514607.html#post2897510

It could be worth recommending Prime95 over Memtest86+ in future - although to run both is obviously better than relying on just one.


----------



## jcgriff2

User mode dump - 

IE9 Beta x64 crash - http://www.techsupportforum.com/f217/solved-ntdll-dll-issues-513834.html#post2902324

jcgriff2



----------



## Jonathan_King

jcgriff2 said:


> User mode dump -
> 
> IE9 Beta x64 crash - http://www.techsupportforum.com/f217/solved-ntdll-dll-issues-513834.html#post2902324
> 
> jcgriff2
> 


Nice! I've wondered for a while how to debug user mode dumps.


----------



## Kalim

reventon said:


> In this thread Memtest86+ failed to pick up a faulty stick of RAM but Prime95's Blend Test did - http://www.techsupportforum.com/f217/solved-windows-7-64-bit-bsod-514607.html#post2897510
> 
> It could be worth recommending Prime95 over Memtest86+ in future - although to run both is obviously better than relying on just one.


Linpack front-ends would work too, due to the additional IMC structures being tested with these apps which can cause large instabilities.


----------



## jcgriff2

jcgriff2 said:


> User mode dump -
> 
> IE9 Beta x64 crash - http://www.techsupportforum.com/f217/solved-ntdll-dll-issues-513834.html#post2902324
> 
> jcgriff2


Now solved - NVIDIA Network Access Manager (NAM) was the cause.

http://www.techsupportforum.com/f217/solved-ntdll-dll-issues-513834.html



----------



## jcgriff2

A bad DVD drive on new Dell Windows 7 system causes 100's of BSODs -

http://www.techsupportforum.com/f21...d-0x9f-driver_power_state_failure-485258.html



----------



## jcgriff2

Interesting dump output below.

I have attached the dump file for those who wish to see 1st-hand.

Thread --> http://www.techsupportforum.com/f217/bsods-frequent-after-exiting-a-game-518413.html#post2917344



> One of the dumps was corrupted and listed a *0xc0000005* exception code = memory access violation -
> 
> 
> Code:
> 
> 
> [font=lucida console]
> Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
> Copyright (c) Microsoft Corporation. All rights reserved.
> 
> 
> Loading Dump File [C:\Users\PalmDesert\_jcgriff2_\dbug\__Kernel__\093010-17955-01.dmp]
> Mini Kernel Dump File: Only registers and stack trace are available
> 
> ERROR: Data block only partially present in dump (RVA 0xDB30, size 0xFF0004)
> ERROR: Data block only partially present in dump (RVA 0xDB34, size 0xFF0004)
> ERROR: Data block only partially present in dump (RVA 0xFB40, size 0x4F0008)
> Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
> Executable search path is:
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> Windows 7 Kernel Version 7600 MP (4 procs) Free x64
> Product: WinNt, suite: TerminalServer SingleUserTS
> Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
> Machine Name:
> Kernel base = 0xfffff800`03265000 PsLoadedModuleList = 0xfffff800`034a2e50
> Debug session time: Thu Sep 30 14:28:18.298 2010 (GMT-4)
> System Uptime: 0 days 0:00:10.108
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> Loading Kernel Symbols
> ...............................................................
> .............................................
> Loading User Symbols
> *******************************************************************************
> *                                                                             *
> *                        Bugcheck Analysis                                    *
> *                                                                             *
> *******************************************************************************
> 
> Use !analyze -v to get detailed debugging information.
> 
> BugCheck 50, {fffff87fc5faf238, 1, fffff88003e6c41e, 5}
> 
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> 
> Could not read faulting driver name
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> Exception 0xc0000005 while accessing file mapping
> 
> 
> [/font]
> 
> The bugcheck = *0x50* = invalid memory referenced. This + the 0xc0000005 exception may be an indicator that an issue with RAM or the page file exists.


----------



## DT Roberts

That's very interesting... Take a look at the *System Information*. Is it just something that I haven't yet noticed, or is it strange to have *System Manufacturer* and *System Model* say "To be filled by O.E.M."? Is that what it says when an end-user purchases an OEM copy?


----------



## jcgriff2

I believe that to be the purchase of OEM version from newegg or similar



----------



## jcgriff2

"NO DUMP" situation may be caused by page file(s) -

http://www.techsupportforum.com/f217/bsod-on-hp-a6200n-520553.html#post2932120



----------



## AlbertMC2

Hope you don't mind me asking BSOD questions here?
So, I have noticed sometimes when debugging and running "lmntsm" (or any variation) it will list the modules but sometimes there will be one or two modules in the form of dump_xxxxx.sys. Furthermore xxxxx.sys will also be shown in the list of modules.
Why and what is happening?

If you want a specific minidump you can look at http://www.techsupportforum.com/f10/random-bsods-out-of-ideas-need-help-521482.html


----------



## usasma

From page 1130 of Windows Internals, 5th edition:

The dump_xxxxx.sys driver is a copy of the disk miniport driver that's used to write to the boot volume in memory. It does this so that writing of the crash dump can bypass the file system driver and storage system stack (which may be corrupted by the crash) and can write directly to the disk (using the dump_xxxxx.sys driver).


----------



## jcgriff2

AlbertMC2 said:


> Hope you don't mind me asking BSOD questions here?
> So, I have noticed sometimes when debugging and running "lmntsm" (or any variation) it will list the modules but sometimes there will be one or two modules in the form of dump_xxxxx.sys. Furthermore xxxxx.sys will also be shown in the list of modules.
> Why and what is happening?
> 
> If you want a specific minidump you can look at http://www.techsupportforum.com/f10/random-bsods-out-of-ideas-need-help-521482.html


Hi Albert - 

Ask any question, any time. If we can help, we will.

I ran the *20* mini kernel dumps and found these drivers with dump-xxxx names - 


Code:


[font=lucida console]
fasttx2k.sys      Tue Aug 05 22:43:02 2003 (3F306B36)
dump_fasttx2k.sys Tue Aug 05 22:43:02 2003 (3F306B36)

SCSIPORT.SYS      Sun Apr 13 14:40:29 2008 (4802539D)
dump_scsiport.sys Sun Apr 13 14:40:44 2008 (480253AC)
[/font]

*scsiport.sys* = Microsoft SCSI Port Driver

*fasttx2k.sys* = Promise Technology, Inc., storage controller driver - http://www.promise.com/support/download.aspx?region=en-global&m=89

The probable causes include - 
- *processr.sys* - Microsoft Processor Device Driver
- *PartMgr.sys* - Microsoft Partition Manager
- *VolSnap.sys* - Microsoft Volume Shadow Copy Driver
- *Ntfs.sys* - Microsoft NTFS File system driver - HDD



Code:


[font=lucida console]
BugCheck 100000D1, {e4, 2, 0, f78987f0}
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck FC, {f7a3b500, 758a163, f7a3b474, 1}
Probably caused by : VolSnap.sys ( VolSnap!VolSnapWrite+bb )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {0, ff, 1, f7811d37}
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {0, ff, 1, f6bc7d37}
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {0, ff, 1, f7811d37}
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {0, ff, 1, f6c89d37}
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck FC, {b8749470, 25942163, b87493e4, 1}
Probably caused by : VolSnap.sys ( VolSnap!VolSnapRead+26 )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 1000008E, {c0000005, 80502164, f7a2b7a8, 0}
Probably caused by : ntkrnlpa.exe ( nt!KiXMMIZeroPageNoSave+c )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {e4, 2, 0, f78987f0}
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {0, ff, 1, f6cbfd37}
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck F4, {3, 85d360e8, 85d3625c, 805c8c7c}
Probably caused by : csrss.exe
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 1000000A, {9775ff6d, 2, 0, 8051e95e}
Probably caused by : memory_corruption ( nt!MiInsertPageInList+16 )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 24, {1902fe, f7a43aac, f7a437a8, f73387b1}
Probably caused by : Ntfs.sys ( Ntfs!NtfsAcquireResourceShared+8 )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {0, ff, 1, f7711d37}
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {0, ff, 1, f708fd37}
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 1000008E, {c0000005, 80502168, f7a2b7a8, 0}
Probably caused by : ntkrnlpa.exe ( nt!KiXMMIZeroPageNoSave+10 )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {e4, 2, 0, f78987f0}
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {0, ff, 1, f7781d37}
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {e4, 2, 0, f78987f0}
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
BugCheck 100000D1, {e4, 2, 0, f78987f0}
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
[/font]


After you remove the known Microsoft OS drivers from the driver listing in the dumps, you'll end up with 3rd party drivers that you then need to look at and determine if they need to be updated.

The 20 dumps in the XP thread yielded these 3rd party drivers - 



Code:


[font=lucida console]
mdmxsdk.sys  Wed Apr 09 16:48:53 2003 (3E948735) - Conexant Diagnostic Interface - http://www.conexant.com/support/
HSF_CNXT.sys Mon Nov 17 08:58:00 2003 (3FB8D3E8) - Conexant soft 56k modem driver - http://www.conexant.com/support/
HSFHWBS2.sys Mon Nov 17 08:59:18 2003 (3FB8D436) - Conexant soft 56k modem driver - http://www.conexant.com/support/
HSF_DP.sys   Mon Nov 17 08:56:13 2003 (3FB8D37D) - Conexant soft 56k modem driver - http://www.conexant.com/support/

ctaud2k.sys  Sun Jun 08 21:44:19 2003 (3EE3E673) - Creative SB X-Fi - http://support.creative.com/
ctljystk.sys Thu Jul 19 18:28:02 2001 (3B575EF2) - Creative SB X-Fi - http://support.creative.com/
ctoss2k.sys  Sun Jun 08 21:44:31 2003 (3EE3E67F) - Creative SB X-Fi - http://support.creative.com/
ha10kx2k.sys Sun Jun 08 21:42:25 2003 (3EE3E601) - Creative SB X-Fi - http://support.creative.com/

dlkfet5b.sys Wed May 16 07:17:37 2007 (464AE851) - D-Link Systems DFE-530TX PCI Fast Ethernet Adapter - http://www.dlink.com/default.aspx

NTIDrvr.sys  Wed Jan 15 12:33:02 2003 (3E259B4E) - NTI CD-ROM Filter driver - NewTech Infosystems, Inc. - http://www.nticorp.com/

nv4_disp.dll Sat May 03 02:26:12 2008 (481C0584) - NVIDIA - http://www.nvidia.com/Download/index.aspx?lang=en-us
nv4_mini.sys Sat May 03 02:30:37 2008 (481C068D) - NVIDIA - http://www.nvidia.com/Download/index.aspx?lang=en-us

PxHelp20.sys Wed Jun 20 18:26:00 2007 (4679A978) - Sonic Solutions - http://www.sonic.com/

giveio.sys   Wed Apr 03 22:33:25 1996 (316334F5) - SpeedFan - http://www.almico.com/sfdownload.php
speedfan.sys Sun Sep 24 09:28:47 2006 (4516880F) - SpeedFan - http://www.almico.com/sfdownload.php

sbaphd.sys   Mon Jun 14 12:19:20 2010 (4C165688) - Sunbelt ActiveProtection hook driver/Sunbelt Software - http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/
sbapifs.sys  Mon Jun 14 12:20:05 2010 (4C1656B5) - Sunbelt CounterSpy Driver - http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/
SBREdrv.sys  Thu May 13 05:26:31 2010 (4BEBC5C7) - Sunbelt Firewall Software - http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/
sbhips.sys   Mon Jul 26 19:57:36 2010 (4C4E20F0) - Sunbelt Firewall Software - http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/
sbtis.sys    Mon Jul 26 19:55:22 2010 (4C4E206A) - Sunbelt Firewall Software - http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/
sbfwim.sys   Thu Apr 15 11:54:20 2010 (4BC736AC) - Sunbelt Firewall Software - http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/
SbFw.sys     Mon Jul 26 19:55:30 2010 (4C4E2072) - Sunbelt Personal Firewall driver/Sunbelt Software, Inc - http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/
[/font]

Here is a list of known Microsoft OS driver timestamps - 

http://jcgriff2.com/0x1/Windows_OS_Driver_Base_Timestamps.html

I see many of the bugchecks include a *0xc0000005* exception = memory access violation

Possibilities include - 
- Sunbelt Firewall
- 3rd party outdated drivers - specifically video, audio and networking
- RAM or hardware failure affecting RAM

The HDD should be looked at because of the *0x24* bugcheck, the dump-xxxx drivers and the probable causes listed above.

HDD diagnostics - http://www.techsupportforum.com/2828431-post7.html

memtest86+ - http://www.techsupportforum.com/2863029-post5.html


Windbg Logs
--> http://jcgriff2.net/BSOD_Logs/_99-dbug_mandolin_XPSP3_10-15-2010_jcgriff2_.txt
--> http://jcgriff2.net/BSOD_Logs/_99-dbug_mandolin_XPSP3_10-15-2010_jcgriff2_.txt.zip

Regards. . .

jcgriff2



BSOD BUGCHECK SUMMARY 


Code:


[font=lucida console]
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Thu Sep 30 09:39:23.468 2010 (GMT-4)
System Uptime: 3 days 8:27:28.086
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
Bugcheck code 100000D1
Arguments 000000e4 00000002 00000000 f78987f0
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Fri Oct  1 08:41:13.562 2010 (GMT-4)
System Uptime: 0 days 23:01:15.168
BugCheck FC, {f7a3b500, 758a163, f7a3b474, 1}
Probably caused by : VolSnap.sys ( VolSnap!VolSnapWrite+bb )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xFC
PROCESS_NAME:  System
Bugcheck code 000000FC
Arguments f7a3b500 0758a163 f7a3b474 00000001
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Sat Oct  2 11:19:22.671 2010 (GMT-4)
System Uptime: 1 days 2:37:31.282
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  Idle
Bugcheck code 100000D1
Arguments 00000000 000000ff 00000001 f7811d37
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Sun Oct  3 09:38:02.843 2010 (GMT-4)
System Uptime: 0 days 22:18:03.441
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  Idle
Bugcheck code 100000D1
Arguments 00000000 000000ff 00000001 f6bc7d37
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Sun Oct  3 21:18:27.031 2010 (GMT-4)
System Uptime: 0 days 11:39:47.643
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  Idle
Bugcheck code 100000D1
Arguments 00000000 000000ff 00000001 f7811d37
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Mon Oct  4 09:21:08.546 2010 (GMT-4)
System Uptime: 0 days 12:02:04.157
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  Idle
Bugcheck code 100000D1
Arguments 00000000 000000ff 00000001 f6c89d37
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Tue Oct  5 03:59:15.703 2010 (GMT-4)
System Uptime: 0 days 18:37:30.304
BugCheck FC, {b8749470, 25942163, b87493e4, 1}
Probably caused by : VolSnap.sys ( VolSnap!VolSnapRead+26 )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xFC
PROCESS_NAME:  moh_Breakthroug
Bugcheck code 000000FC
Arguments b8749470 25942163 b87493e4 00000001
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Tue Oct  5 04:36:38.828 2010 (GMT-4)
System Uptime: 0 days 0:36:46.444
Probably caused by : ntkrnlpa.exe ( nt!KiXMMIZeroPageNoSave+c )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0x8E
PROCESS_NAME:  System
Bugcheck code 1000008E
Arguments c0000005 80502164 f7a2b7a8 00000000
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Tue Oct  5 17:12:18.515 2010 (GMT-4)
System Uptime: 0 days 2:41:14.125
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
Bugcheck code 100000D1
Arguments 000000e4 00000002 00000000 f78987f0
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Wed Oct  6 04:53:19.312 2010 (GMT-4)
System Uptime: 0 days 2:42:36.922
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  Idle
Bugcheck code 100000D1
Arguments 00000000 000000ff 00000001 f6cbfd37
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Wed Oct  6 07:58:01.046 2010 (GMT-4)
System Uptime: 0 days 3:04:05.656
BugCheck F4, {3, 85d360e8, 85d3625c, 805c8c7c}
Probably caused by : csrss.exe
PROCESS_NAME:  csrss.exe
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xF4_C0000005
Bugcheck code 000000F4
Arguments 00000003 85d360e8 85d3625c 805c8c7c
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Thu Oct  7 13:55:18.031 2010 (GMT-4)
System Uptime: 0 days 0:00:27.656
Probably caused by : memory_corruption ( nt!MiInsertPageInList+16 )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xA
PROCESS_NAME:  System
Bugcheck code 1000000A
Arguments 9775ff6d 00000002 00000000 8051e95e
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Fri Oct  8 04:59:34.750 2010 (GMT-4)
System Uptime: 0 days 15:03:41.343
Probably caused by : Ntfs.sys ( Ntfs!NtfsAcquireResourceShared+8 )
PROCESS_NAME:  System
BUGCHECK_STR:  0x24
DEFAULT_BUCKET_ID:  NULL_DEREFERENCE
Bugcheck code 00000024
Arguments 001902fe f7a43aac f7a437a8 f73387b1
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Fri Oct  8 10:14:22.375 2010 (GMT-4)
System Uptime: 0 days 5:14:10.984
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  Idle
Bugcheck code 100000D1
Arguments 00000000 000000ff 00000001 f7711d37
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Fri Oct  8 14:16:17.140 2010 (GMT-4)
System Uptime: 0 days 4:01:17.734
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  Idle
Bugcheck code 100000D1
Arguments 00000000 000000ff 00000001 f708fd37
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Fri Oct  8 16:16:28.359 2010 (GMT-4)
System Uptime: 0 days 1:59:33.984
Probably caused by : ntkrnlpa.exe ( nt!KiXMMIZeroPageNoSave+10 )
DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT
BUGCHECK_STR:  0x8E
PROCESS_NAME:  System
Bugcheck code 1000008E
Arguments c0000005 80502168 f7a2b7a8 00000000
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Fri Oct  8 16:46:33.984 2010 (GMT-4)
System Uptime: 0 days 0:29:29.593
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
Bugcheck code 100000D1
Arguments 000000e4 00000002 00000000 f78987f0
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Fri Oct  8 18:05:52.625 2010 (GMT-4)
System Uptime: 0 days 1:18:41.234
Probably caused by : processr.sys ( processr!AcpiC1Idle+b )
DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  Idle
Bugcheck code 100000D1
Arguments 00000000 000000ff 00000001 f7781d37
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Fri Oct  8 19:35:09.343 2010 (GMT-4)
System Uptime: 0 days 1:28:39.953
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
Bugcheck code 100000D1
Arguments 000000e4 00000002 00000000 f78987f0
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 2600.xpsp_sp3_gdr.100427-1636
Debug session time: Fri Oct  8 20:35:42.296 2010 (GMT-4)
System Uptime: 0 days 0:59:56.890
Probably caused by : PartMgr.sys ( PartMgr!PmIoCompletion+26 )
DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
Bugcheck code 100000D1
Arguments 000000e4 00000002 00000000 f78987f0
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
  

by jcgriff2
J. C. Griffith, Microsoft MVP
https://mvp.support.microsoft.com/profile/Griffith
www.jcgriff2.com


¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨


  [/font]


----------



## Jonathan_King

Just out of curiosity, what does the dump prefix mean? I've wondered that myself.


----------



## jcgriff2

Post #101 - http://www.techsupportforum.com/f217/bsod-kernel-dump-analysis-discussion-452622.html#post2939037

John



----------



## usasma

The dump_ prefix simply means that it's a copy of that driver.
That driver is a storage system miniport driver.
The copy is used to write the crash dump directly to disk - bypassing the file system stuff (as it could be corrupted in the crash).


----------



## Jonathan_King

Thank you John(s!).

Apologies, Carrona - I missed your reply before.


----------



## AlbertMC2

Thanks, everybody. That actually makes a lot of sense. Never noticed that it is always the storage controller driver before. For interest's sake, do you know if the dump_xxxx.sys driver is loaded into memory when Windows loads? As it cannot load it when an exception is thrown because then it is too late already?

I will have to get that book, Windows Internals 5th edition. I know it was mentioned earlier in this thread.


----------



## usasma

When the system boots, it checks HKLM\SYSTEM\CurrentControlSet\Control\CrashControl to see if a dump is configured. If so, then it copies the disk miniport driver and prefixes it with the dump_ prefix.

FYI - this is also where it checksums the components involved in writing a crash dump.

Then, when KeBugCheckEx executes (this is the "crash"), it calculates the checksum again. If it doesn't match the earlier checksum it doesn't write the dump.
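
The dump_ copies described in the two posts above can be checked against a module listing. The following is an added example, not part of the original posts: it parses `lm`-style lines (copied from the lmntsm listing posted later in this thread, plus one pair constructed for illustration) and compares each dump_ module with the loaded driver of the same name by timestamp and image size. This is a debugger-side comparison, not the checksum the kernel computes; `parse_lm` and `check_dump_copies` are names chosen here.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Lines copied from the lmntsm listing posted later in this thread.
LM_SAMPLE = """\
start             end                 module name
fffff880`00e8d000 fffff880`00e96000   atapi    atapi.sys    Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`00e96000 fffff880`00ec0000   ataport  ataport.SYS  Mon Jul 13 19:19:52 2009 (4A5BC118)
fffff880`05aa3000 fffff880`05ab1000   crashdmp crashdmp.sys Mon Jul 13 20:01:01 2009 (4A5BCABD)
fffff880`05abd000 fffff880`05ac6000   dump_atapi dump_atapi.sys Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`05ab1000 fffff880`05abd000   dump_dumpata dump_dumpata.sys Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`05ac6000 fffff880`05ad9000   dump_dumpfve dump_dumpfve.sys Mon Jul 13 19:21:51 2009 (4A5BC18F)
fffff880`00fb9000 fffff880`00ff3000   fvevol   fvevol.sys   Mon Jul 13 19:22:15 2009 (4A5BC1A7)
"""

# Constructed lines (not from any real dump): a dump_ copy whose timestamp
# differs from the loaded driver it is supposed to be a copy of.
LM_CONSTRUCTED = """\
fffff880`01000000 fffff880`01009000   exampl   exampl.sys   Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`02000000 fffff880`02009000   dump_exampl dump_exampl.sys Tue Jan 05 09:54:24 2010 (4B4352A0)
"""


class Module(NamedTuple):
    start: int
    end: int
    name: str
    image: str
    timestamp: int  # PE header TimeDateStamp as shown in parentheses by lm


# start, end, module name, image name, free-form date text, (hex timestamp)
LM_LINE = re.compile(
    r"^([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+"
    r"(\S+)\s+(\S+)\s+.*\(([0-9a-f]{8})\)\s*$",
    re.IGNORECASE,
)


def _addr(text: str) -> int:
    """Convert a WinDbg 64-bit address such as fffff880`05abd000 to an int."""
    return int(text.replace("`", ""), 16)


def parse_lm(text: str) -> List[Module]:
    """Parse loaded-module lines; headers and unloaded-module lines are skipped."""
    modules = []
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if m:
            start, end, name, image, stamp = m.groups()
            modules.append(Module(_addr(start), _addr(end), name, image, int(stamp, 16)))
    return modules


def check_dump_copies(modules: List[Module]) -> List[Tuple[str, Optional[str], str]]:
    """For each dump_ module, compare it with the loaded driver of the same name.

    Returns (dump image, original image or None, status) where status is:
      match               same timestamp and same image size as the original
      mismatch            an original is loaded but timestamp or size differs
      no-loaded-original  nothing is loaded under the un-prefixed name, so the
                          listing alone gives nothing to compare against
    """
    by_image = {m.image.lower(): m for m in modules}
    results = []
    for m in modules:
        image = m.image.lower()
        if not image.startswith("dump_"):
            continue
        original = by_image.get(image[len("dump_"):])
        if original is None:
            status = "no-loaded-original"
        elif (original.timestamp, original.end - original.start) == (
            m.timestamp,
            m.end - m.start,
        ):
            status = "match"
        else:
            status = "mismatch"
        results.append((m.image, original.image if original else None, status))
    return results


if __name__ == "__main__":
    for label, text in (("thread listing", LM_SAMPLE), ("constructed", LM_CONSTRUCTED)):
        print(label)
        for dump_image, original, status in check_dump_copies(parse_lm(text)):
            print(f"  {dump_image:<18} vs {original or '-':<12} {status}")
```
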


----------



## jcgriff2

Thanks, John -- that one I did not know about!

Great info.



----------



## reventon

Image says it all

Yes, this is a screenshot from my computer.

The dumps I was running at the time - http://www.sevenforums.com/1017902-post6.html


----------



## DT Roberts

That's strange, they ran fine for me. Was it one particular dump, or did all of them have the same result?

This was a strange one; bugcheck 0xE3:


Code:


Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Devin\AppData\Local\Temp\Rar$DI00.166\101610-18501-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0xfffff800`02a03000 PsLoadedModuleList = 0xfffff800`02c40e50
Debug session time: Sat Oct 16 18:28:11.697 2010 (GMT-4)
System Uptime: 0 days 0:01:36.040
Loading Kernel Symbols
...............................................................
................................................................
............................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck E3, {fffff88002a7c1a0, fffffa8004f47b60, 0, 2}

Unable to load image \SystemRoot\system32\DRIVERS\MpFilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for MpFilter.sys
*** ERROR: Module load completed but symbols could not be loaded for MpFilter.sys
Probably caused by : MpFilter.sys ( MpFilter+21e75 )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

RESOURCE_NOT_OWNED (e3)
A thread tried to release a resource it did not own.
Arguments:
Arg1: fffff88002a7c1a0, Address of resource
Arg2: fffffa8004f47b60, Address of thread
Arg3: 0000000000000000, Address of owner table if there is one
Arg4: 0000000000000002

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xE3

PROCESS_NAME:  MpCmdRun.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80002ad6e2c to fffff80002a73740

STACK_TEXT:  
fffff880`08fa9648 fffff800`02ad6e2c : 00000000`000000e3 fffff880`02a7c1a0 fffffa80`04f47b60 00000000`00000000 : nt!KeBugCheckEx
fffff880`08fa9650 fffff880`02a97e75 : 00000000`00000000 fffff880`02a7a730 00000000`00000000 fffff880`08fa97e8 : nt! ?? ::FNODOBFM::`string'+0x1a5a8
fffff880`08fa96b0 00000000`00000000 : fffff880`02a7a730 00000000`00000000 fffff880`08fa97e8 00000000`0000000f : MpFilter+0x21e75


STACK_COMMAND:  kb

FOLLOWUP_IP: 
MpFilter+21e75
fffff880`02a97e75 ??              ???

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  MpFilter+21e75

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MpFilter

IMAGE_NAME:  MpFilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4ba463f0

FAILURE_BUCKET_ID:  X64_0xE3_MpFilter+21e75

BUCKET_ID:  X64_0xE3_MpFilter+21e75

Followup: MachineOwner
---------

2: kd> r
rax=0000000000000002 rbx=fffff88002a7c1a0 rcx=00000000000000e3
rdx=fffff88002a7c1a0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002a73740 rsp=fffff88008fa9648 rbp=fffffa8004f47b60
 r8=fffffa8004f47b60  r9=0000000000000000 r10=fffff8a000226010
r11=0000000000000000 r12=fffff88002d63180 r13=fffffa8004f47b60
r14=fffff88002a7c100 r15=0000000000000001
iopl=0         nv up di pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000046
nt!KeBugCheckEx:
fffff800`02a73740 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff880`08fa9650=00000000000000e3
2: kd> k
Child-SP          RetAddr           Call Site
fffff880`08fa9648 fffff800`02ad6e2c nt!KeBugCheckEx
fffff880`08fa9650 fffff880`02a97e75 nt! ?? ::FNODOBFM::`string'+0x1a5a8
fffff880`08fa96b0 00000000`00000000 MpFilter+0x21e75
2: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`08fa9648 fffff800`02ad6e2c : 00000000`000000e3 fffff880`02a7c1a0 fffffa80`04f47b60 00000000`00000000 : nt!KeBugCheckEx
fffff880`08fa9650 fffff880`02a97e75 : 00000000`00000000 fffff880`02a7a730 00000000`00000000 fffff880`08fa97e8 : nt! ?? ::FNODOBFM::`string'+0x1a5a8
fffff880`08fa96b0 00000000`00000000 : fffff880`02a7a730 00000000`00000000 fffff880`08fa97e8 00000000`0000000f : MpFilter+0x21e75
2: kd> lmntsm,
Unknown option ','
start             end                 module name
fffff880`04d74000 fffff880`04db2000   1394ohci 1394ohci.sys Mon Jul 13 20:07:12 2009 (4A5BCC30)
fffff880`00ee5000 fffff880`00f3c000   ACPI     ACPI.sys     Mon Jul 13 19:19:34 2009 (4A5BC106)
fffff880`02b58000 fffff880`02be2000   afd      afd.sys      Mon Jul 13 19:21:40 2009 (4A5BC184)
fffff880`04dcb000 fffff880`04de1000   AgileVpn AgileVpn.sys Mon Jul 13 20:10:24 2009 (4A5BCCF0)
fffff880`03f89000 fffff880`03f9e000   amdppm   amdppm.sys   Mon Jul 13 19:19:25 2009 (4A5BC0FD)
fffff880`00ec0000 fffff880`00ecb000   amdxata  amdxata.sys  Tue May 19 13:56:59 2009 (4A12F2EB)
fffff880`041f8000 fffff880`04200000   ASACPI   ASACPI.sys   Sun Mar 27 22:30:36 2005 (42476C4C)
fffff880`00e8d000 fffff880`00e96000   atapi    atapi.sys    Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`00e96000 fffff880`00ec0000   ataport  ataport.SYS  Mon Jul 13 19:19:52 2009 (4A5BC118)
fffff880`03c77000 fffff880`03c99000   AtiHdmi  AtiHdmi.sys  Tue Mar 09 05:08:38 2010 (4B961E26)
fffff880`046ca000 fffff880`04d74000   atikmdag atikmdag.sys Tue Apr 06 21:47:17 2010 (4BBBE425)
fffff880`03f9e000 fffff880`03fd4000   atikmpag atikmpag.sys Tue Apr 06 21:23:30 2010 (4BBBDE92)
fffff880`01231000 fffff880`01239000   AtiPcie64 AtiPcie64.sys Wed Mar 10 09:33:45 2010 (4B97ADC9)
fffff880`02aac000 fffff880`02ab3000   Beep     Beep.SYS     Mon Jul 13 20:00:13 2009 (4A5BCA8D)
fffff880`03f52000 fffff880`03f63000   blbdrive blbdrive.sys Mon Jul 13 19:35:59 2009 (4A5BC4DF)
fffff880`0454c000 fffff880`0456a000   bowser   bowser.sys   Mon Jul 13 19:23:50 2009 (4A5BC206)
fffff960`00680000 fffff960`006a7000   cdd      cdd.dll      unavailable (00000000)
fffff880`02a4c000 fffff880`02a76000   cdrom    cdrom.sys    Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`00c00000 fffff880`00cc0000   CI       CI.dll       Mon Jul 13 21:32:13 2009 (4A5BE01D)
fffff880`011cc000 fffff880`011fc000   CLASSPNP CLASSPNP.SYS Mon Jul 13 19:19:58 2009 (4A5BC11E)
fffff880`00ce3000 fffff880`00d41000   CLFS     CLFS.SYS     Mon Jul 13 19:19:57 2009 (4A5BC11D)
fffff880`01159000 fffff880`011cc000   cng      cng.sys      Mon Jul 13 19:49:40 2009 (4A5BC814)
fffff880`04dbb000 fffff880`04dcb000   CompositeBus CompositeBus.sys Mon Jul 13 20:00:33 2009 (4A5BCAA1)
fffff880`05aa3000 fffff880`05ab1000   crashdmp crashdmp.sys Mon Jul 13 20:01:01 2009 (4A5BCABD)
fffff880`03eb1000 fffff880`03f34000   csc      csc.sys      Mon Jul 13 19:24:26 2009 (4A5BC22A)
fffff880`03f34000 fffff880`03f52000   dfsc     dfsc.sys     Mon Jul 13 19:23:44 2009 (4A5BC200)
fffff880`03c68000 fffff880`03c77000   discache discache.sys Mon Jul 13 19:37:18 2009 (4A5BC52E)
fffff880`0121b000 fffff880`01231000   disk     disk.sys     Mon Jul 13 19:19:57 2009 (4A5BC11D)
fffff880`02a00000 fffff880`02a22000   drmk     drmk.sys     Mon Jul 13 21:01:25 2009 (4A5BD8E5)
fffff880`05abd000 fffff880`05ac6000   dump_atapi dump_atapi.sys Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`05ab1000 fffff880`05abd000   dump_dumpata dump_dumpata.sys Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`05ac6000 fffff880`05ad9000   dump_dumpfve dump_dumpfve.sys Mon Jul 13 19:21:51 2009 (4A5BC18F)
fffff880`05d64000 fffff880`05d70000   Dxapi    Dxapi.sys    Mon Jul 13 19:38:28 2009 (4A5BC574)
fffff880`040da000 fffff880`041ce000   dxgkrnl  dxgkrnl.sys  Thu Oct 01 21:00:14 2009 (4AC5509E)
fffff880`04000000 fffff880`04046000   dxgmms1  dxgmms1.sys  Mon Jul 13 19:38:32 2009 (4A5BC578)
fffff880`010e7000 fffff880`010fb000   fileinfo fileinfo.sys Mon Jul 13 19:34:25 2009 (4A5BC481)
fffff880`0109b000 fffff880`010e7000   fltmgr   fltmgr.sys   Mon Jul 13 19:19:59 2009 (4A5BC11F)
fffff880`01211000 fffff880`0121b000   Fs_Rec   Fs_Rec.sys   Mon Jul 13 19:19:45 2009 (4A5BC111)
fffff880`00fb9000 fffff880`00ff3000   fvevol   fvevol.sys   Mon Jul 13 19:22:15 2009 (4A5BC1A7)
fffff880`0159c000 fffff880`015e6000   fwpkclnt fwpkclnt.sys Mon Jul 13 19:21:08 2009 (4A5BC164)
fffff880`05ad9000 fffff880`05adbd00   gamingms gamingms.sys Mon Dec 07 08:22:15 2009 (4B1D0187)
fffff880`0406a000 fffff880`04077000   GEARAspiWDM GEARAspiWDM.sys Mon May 18 08:17:04 2009 (4A1151C0)
fffff880`05d70000 fffff880`05d8d380   GemCCID  GemCCID.sys  Mon Aug 10 08:07:39 2009 (4A800D8B)
fffff800`02fdf000 fffff800`03028000   hal      hal.dll      Mon Jul 13 21:27:36 2009 (4A5BDF08)
fffff880`04046000 fffff880`0406a000   HDAudBus HDAudBus.sys Mon Jul 13 20:06:13 2009 (4A5BCBF5)
fffff880`05a47000 fffff880`05aa3000   HdAudio  HdAudio.sys  Mon Jul 13 20:06:59 2009 (4A5BCC23)
fffff880`05aea000 fffff880`05b03000   HIDCLASS HIDCLASS.SYS Mon Jul 13 20:06:21 2009 (4A5BCBFD)
fffff880`05b03000 fffff880`05b0b080   HIDPARSE HIDPARSE.SYS Mon Jul 13 20:06:17 2009 (4A5BCBF9)
fffff880`05adc000 fffff880`05aea000   hidusb   hidusb.sys   Mon Jul 13 20:06:22 2009 (4A5BCBFE)
fffff880`04484000 fffff880`0454c000   HTTP     HTTP.sys     Mon Jul 13 19:22:16 2009 (4A5BC1A8)
fffff880`01412000 fffff880`0141b000   hwpolicy hwpolicy.sys Mon Jul 13 19:19:22 2009 (4A5BC0FA)
fffff880`04de1000 fffff880`04df0000   kbdclass kbdclass.sys Mon Jul 13 19:19:50 2009 (4A5BC116)
fffff880`05dc3000 fffff880`05dd1000   kbdhid   kbdhid.sys   Mon Jul 13 20:00:20 2009 (4A5BCA94)
fffff800`00bd3000 fffff800`00bdd000   kdcom    kdcom.dll    Mon Jul 13 21:31:07 2009 (4A5BDFDB)
fffff880`03e00000 fffff880`03e43000   ks       ks.sys       Mon Jul 13 20:00:31 2009 (4A5BCA9F)
fffff880`013e4000 fffff880`013fe000   ksecdd   ksecdd.sys   Mon Jul 13 19:20:54 2009 (4A5BC156)
fffff880`01571000 fffff880`0159c000   ksecpkg  ksecpkg.sys  Fri Dec 11 01:03:32 2009 (4B21E0B4)
fffff880`046c0000 fffff880`046c5200   ksthunk  ksthunk.sys  Mon Jul 13 20:00:19 2009 (4A5BCA93)
fffff880`05ddf000 fffff880`05df4000   lltdio   lltdio.sys   Mon Jul 13 20:08:50 2009 (4A5BCC92)
fffff880`05c00000 fffff880`05c23000   luafv    luafv.sys    Mon Jul 13 19:26:13 2009 (4A5BC295)
fffff880`00cc2000 fffff880`00ccf000   mcupdate_AuthenticAMD mcupdate_AuthenticAMD.dll Mon Jul 13 21:29:09 2009 (4A5BDF65)
fffff880`05dd1000 fffff880`05ddf000   monitor  monitor.sys  Mon Jul 13 19:38:52 2009 (4A5BC58C)
fffff880`04df0000 fffff880`04dff000   mouclass mouclass.sys Mon Jul 13 19:19:50 2009 (4A5BC116)
fffff880`05b0e000 fffff880`05b1b000   mouhid   mouhid.sys   Mon Jul 13 20:00:20 2009 (4A5BCA94)
fffff880`00e73000 fffff880`00e8d000   mountmgr mountmgr.sys Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`02a76000 fffff880`02aa3000   MpFilter MpFilter.sys Sat Mar 20 01:58:08 2010 (4BA463F0)
fffff880`078e6000 fffff880`078f6000   MpNWMon  MpNWMon.sys  Sat Mar 20 01:58:00 2010 (4BA463E8)
fffff880`0456a000 fffff880`04582000   mpsdrv   mpsdrv.sys   Mon Jul 13 20:08:25 2009 (4A5BCC79)
fffff880`04582000 fffff880`045af000   mrxsmb   mrxsmb.sys   Sat Feb 27 02:52:19 2010 (4B88CF33)
fffff880`045af000 fffff880`045fd000   mrxsmb10 mrxsmb10.sys Sat Feb 27 02:52:28 2010 (4B88CF3C)
fffff880`04400000 fffff880`04423000   mrxsmb20 mrxsmb20.sys Sat Feb 27 02:52:26 2010 (4B88CF3A)
fffff880`02b11000 fffff880`02b1c000   Msfs     Msfs.SYS     Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`00f45000 fffff880`00f4f000   msisadrv msisadrv.sys Mon Jul 13 19:19:26 2009 (4A5BC0FE)
fffff880`010fb000 fffff880`01159000   msrpc    msrpc.sys    Mon Jul 13 19:21:32 2009 (4A5BC17C)
fffff880`03c5d000 fffff880`03c68000   mssmbios mssmbios.sys Mon Jul 13 19:31:10 2009 (4A5BC3BE)
fffff880`01400000 fffff880`01412000   mup      mup.sys      Mon Jul 13 19:23:45 2009 (4A5BC201)
fffff880`0141f000 fffff880`01511000   ndis     ndis.sys     Mon Jul 13 19:21:40 2009 (4A5BC184)
fffff880`04624000 fffff880`04630000   ndistapi ndistapi.sys Mon Jul 13 20:10:00 2009 (4A5BCCD8)
fffff880`05b6e000 fffff880`05b81000   ndisuio  ndisuio.sys  Mon Jul 13 20:09:25 2009 (4A5BCCB5)
fffff880`04630000 fffff880`0465f000   ndiswan  ndiswan.sys  Mon Jul 13 20:10:11 2009 (4A5BCCE3)
fffff880`03fd4000 fffff880`03fe9000   NDProxy  NDProxy.SYS  Mon Jul 13 20:10:05 2009 (4A5BCCDD)
fffff880`03d43000 fffff880`03d52000   netbios  netbios.sys  Mon Jul 13 20:09:26 2009 (4A5BCCB6)
fffff880`03cb9000 fffff880`03cfe000   netbt    netbt.sys    Mon Jul 13 19:21:28 2009 (4A5BC178)
fffff880`01511000 fffff880`01571000   NETIO    NETIO.SYS    Mon Jul 13 19:21:46 2009 (4A5BC18A)
fffff880`05c4a000 fffff880`05d57000   netr28ux netr28ux.sys Tue Sep 15 00:36:45 2009 (4AAF19DD)
fffff880`02b1c000 fffff880`02b2d000   Npfs     Npfs.SYS     Mon Jul 13 19:19:48 2009 (4A5BC114)
fffff880`03c51000 fffff880`03c5d000   nsiproxy nsiproxy.sys Mon Jul 13 19:21:02 2009 (4A5BC15E)
fffff800`02a03000 fffff800`02fdf000   nt       ntkrnlmp.exe Sat Jun 19 00:16:41 2010 (4C1C44A9)
fffff880`01241000 fffff880`013e4000   Ntfs     Ntfs.sys     Mon Jul 13 19:20:47 2009 (4A5BC14F)
fffff880`02aa3000 fffff880`02aac000   Null     Null.SYS     Mon Jul 13 19:19:37 2009 (4A5BC109)
fffff880`05b1b000 fffff880`05b6e000   nwifi    nwifi.sys    Mon Jul 13 20:07:23 2009 (4A5BCC3B)
fffff880`03d07000 fffff880`03d2d000   pacer    pacer.sys    Mon Jul 13 20:09:41 2009 (4A5BCCC5)
fffff880`00f8f000 fffff880`00fa4000   partmgr  partmgr.sys  Mon Jul 13 19:19:58 2009 (4A5BC11E)
fffff880`00f4f000 fffff880`00f82000   pci      pci.sys      Mon Jul 13 19:19:51 2009 (4A5BC117)
fffff880`00e5c000 fffff880`00e63000   pciide   pciide.sys   Mon Jul 13 19:19:49 2009 (4A5BC115)
fffff880`00e63000 fffff880`00e73000   PCIIDEX  PCIIDEX.SYS  Mon Jul 13 19:19:48 2009 (4A5BC114)
fffff880`01200000 fffff880`01211000   pcw      pcw.sys      Mon Jul 13 19:19:27 2009 (4A5BC0FF)
fffff880`07424000 fffff880`074ca000   peauth   peauth.sys   Mon Jul 13 21:01:19 2009 (4A5BD8DF)
fffff880`03db8000 fffff880`03df5000   portcls  portcls.sys  Mon Jul 13 20:06:27 2009 (4A5BCC03)
fffff880`00ccf000 fffff880`00ce3000   PSHED    PSHED.dll    Mon Jul 13 21:32:23 2009 (4A5BE027)
fffff880`04600000 fffff880`04624000   rasl2tp  rasl2tp.sys  Mon Jul 13 20:10:11 2009 (4A5BCCE3)
fffff880`0465f000 fffff880`0467a000   raspppoe raspppoe.sys Mon Jul 13 20:10:17 2009 (4A5BCCE9)
fffff880`0467a000 fffff880`0469b000   raspptp  raspptp.sys  Mon Jul 13 20:10:18 2009 (4A5BCCEA)
fffff880`0469b000 fffff880`046b5000   rassstp  rassstp.sys  Mon Jul 13 20:10:25 2009 (4A5BCCF1)
fffff880`03c00000 fffff880`03c51000   rdbss    rdbss.sys    Mon Jul 13 19:24:09 2009 (4A5BC219)
fffff880`046b5000 fffff880`046c0000   rdpbus   rdpbus.sys   Mon Jul 13 20:17:46 2009 (4A5BCEAA)
fffff880`02af6000 fffff880`02aff000   RDPCDD   RDPCDD.sys   Mon Jul 13 20:16:34 2009 (4A5BCE62)
fffff880`02aff000 fffff880`02b08000   rdpencdd rdpencdd.sys Mon Jul 13 20:16:34 2009 (4A5BCE62)
fffff880`02b08000 fffff880`02b11000   rdprefmp rdprefmp.sys Mon Jul 13 20:16:35 2009 (4A5BCE63)
fffff880`0104c000 fffff880`01086000   rdyboost rdyboost.sys Mon Jul 13 19:34:34 2009 (4A5BC48A)
fffff880`05b81000 fffff880`05b99000   rspndr   rspndr.sys   Mon Jul 13 20:08:50 2009 (4A5BCC92)
fffff880`03d9e000 fffff880`03db8000   SCDEmu   SCDEmu.SYS   Mon Jul 27 13:53:10 2009 (4A6DE986)
fffff880`05d9a000 fffff880`05da8000   scfilter scfilter.sys Mon Jul 13 19:50:17 2009 (4A5BC839)
fffff880`074ca000 fffff880`074d5000   secdrv   secdrv.SYS   Wed Sep 13 09:18:38 2006 (4508052E)
fffff880`041ec000 fffff880`041f8000   serenum  serenum.sys  Mon Jul 13 20:00:33 2009 (4A5BCAA1)
fffff880`03d52000 fffff880`03d6f000   serial   serial.sys   Mon Jul 13 20:00:40 2009 (4A5BCAA8)
fffff880`05d8e000 fffff880`05d9a000   SMCLIB   SMCLIB.SYS   Mon Jul 13 20:00:35 2009 (4A5BCAA3)
fffff880`015f6000 fffff880`015fe000   spldr    spldr.sys    Mon May 11 12:56:27 2009 (4A0858BB)
fffff880`0781f000 fffff880`078b5000   srv      srv.sys      Thu Aug 26 23:38:00 2010 (4C773318)
fffff880`07514000 fffff880`0757b000   srv2     srv2.sys     Thu Aug 26 23:37:46 2010 (4C77330A)
fffff880`074d5000 fffff880`07502000   srvnet   srvnet.sys   Thu Aug 26 23:37:24 2010 (4C7732F4)
fffff880`040d8000 fffff880`040d9480   swenum   swenum.sys   Mon Jul 13 20:00:18 2009 (4A5BCA92)
fffff880`01602000 fffff880`017ff000   tcpip    tcpip.sys    Sun Jun 13 23:39:04 2010 (4C15A458)
fffff880`07502000 fffff880`07514000   tcpipreg tcpipreg.sys Mon Jul 13 20:09:49 2009 (4A5BCCCD)
fffff880`02b4b000 fffff880`02b58000   TDI      TDI.SYS      Mon Jul 13 19:21:18 2009 (4A5BC16E)
fffff880`02b2d000 fffff880`02b4b000   tdx      tdx.sys      Mon Jul 13 19:21:15 2009 (4A5BC16B)
fffff880`03d8a000 fffff880`03d9e000   termdd   termdd.sys   Mon Jul 13 20:16:36 2009 (4A5BCE64)
fffff960`00530000 fffff960`0053a000   TSDDD    TSDDD.dll    Mon Jul 13 20:16:34 2009 (4A5BCE62)
fffff880`03f63000 fffff880`03f89000   tunnel   tunnel.sys   Mon Jul 13 20:09:37 2009 (4A5BCCC1)
fffff880`03e43000 fffff880`03e55000   umbus    umbus.sys    Mon Jul 13 20:06:56 2009 (4A5BCC20)
fffff880`05b0c000 fffff880`05b0df00   USBD     USBD.SYS     Mon Jul 13 20:06:23 2009 (4A5BCBFF)
fffff880`041db000 fffff880`041ec000   usbehci  usbehci.sys  Mon Jul 13 20:06:30 2009 (4A5BCC06)
fffff880`041ce000 fffff880`041db000   usbfilter usbfilter.sys Thu Apr 29 06:43:06 2010 (4BD962BA)
fffff880`03e55000 fffff880`03eaf000   usbhub   usbhub.sys   Mon Jul 13 20:07:09 2009 (4A5BCC2D)
fffff880`04077000 fffff880`04082000   usbohci  usbohci.sys  Mon Jul 13 20:06:30 2009 (4A5BCC06)
fffff880`04082000 fffff880`040d8000   USBPORT  USBPORT.SYS  Mon Jul 13 20:06:31 2009 (4A5BCC07)
fffff880`05da8000 fffff880`05dc3000   USBSTOR  USBSTOR.SYS  Mon Jul 13 20:06:34 2009 (4A5BCC0A)
fffff880`00f82000 fffff880`00f8f000   vdrvroot vdrvroot.sys Mon Jul 13 20:01:31 2009 (4A5BCADB)
fffff880`02ab3000 fffff880`02ac1000   vga      vga.sys      Mon Jul 13 19:38:47 2009 (4A5BC587)
fffff880`02ac1000 fffff880`02ae6000   VIDEOPRT VIDEOPRT.SYS Mon Jul 13 19:38:51 2009 (4A5BC58B)
fffff880`015e6000 fffff880`015f6000   vmstorfl vmstorfl.sys Mon Jul 13 19:42:54 2009 (4A5BC67E)
fffff880`00fa4000 fffff880`00fb9000   volmgr   volmgr.sys   Mon Jul 13 19:19:57 2009 (4A5BC11D)
fffff880`00e00000 fffff880`00e5c000   volmgrx  volmgrx.sys  Mon Jul 13 19:20:33 2009 (4A5BC141)
fffff880`01000000 fffff880`0104c000   volsnap  volsnap.sys  Mon Jul 13 19:20:08 2009 (4A5BC128)
fffff880`05d57000 fffff880`05d64000   vwifibus vwifibus.sys Mon Jul 13 20:07:21 2009 (4A5BCC39)
fffff880`03d2d000 fffff880`03d43000   vwififlt vwififlt.sys Mon Jul 13 20:07:22 2009 (4A5BCC3A)
fffff880`03d6f000 fffff880`03d8a000   wanarp   wanarp.sys   Mon Jul 13 20:10:21 2009 (4A5BCCED)
fffff880`02ae6000 fffff880`02af6000   watchdog watchdog.sys Mon Jul 13 19:37:35 2009 (4A5BC53F)
fffff880`00d41000 fffff880`00de5000   Wdf01000 Wdf01000.sys Mon Jul 13 19:22:07 2009 (4A5BC19F)
fffff880`00de5000 fffff880`00df4000   WDFLDR   WDFLDR.SYS   Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`03cfe000 fffff880`03d07000   wfplwf   wfplwf.sys   Mon Jul 13 20:09:26 2009 (4A5BCCB6)
fffff960`000c0000 fffff960`003cf000   win32k   win32k.sys   Tue Aug 31 22:58:04 2010 (4C7DC13C)
fffff880`04db2000 fffff880`04dbb000   wmiacpi  wmiacpi.sys  Mon Jul 13 19:31:02 2009 (4A5BC3B6)
fffff880`00f3c000 fffff880`00f45000   WMILIB   WMILIB.SYS   Mon Jul 13 19:19:51 2009 (4A5BC117)
fffff880`05c23000 fffff880`05c44000   WudfPf   WudfPf.sys   Mon Jul 13 20:05:37 2009 (4A5BCBD1)
fffff880`078b5000 fffff880`078e6000   WUDFRd   WUDFRd.sys   Mon Jul 13 20:06:06 2009 (4A5BCBEE)

Unloaded modules:
fffff880`01086000 fffff880`01094000   crashdmp.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
fffff880`00ff3000 fffff880`00fff000   dump_ataport
    Timestamp: unavailable (00000000)
    Checksum:  00000000
fffff880`00ecb000 fffff880`00ed4000   dump_atapi.s
    Timestamp: unavailable (00000000)
    Checksum:  00000000
fffff880`02a39000 fffff880`02a4c000   dump_dumpfve
    Timestamp: unavailable (00000000)
    Checksum:  00000000
2: kd> lmntsm
start             end                 module name
fffff880`04d74000 fffff880`04db2000   1394ohci 1394ohci.sys Mon Jul 13 20:07:12 2009 (4A5BCC30)
fffff880`00ee5000 fffff880`00f3c000   ACPI     ACPI.sys     Mon Jul 13 19:19:34 2009 (4A5BC106)
fffff880`02b58000 fffff880`02be2000   afd      afd.sys      Mon Jul 13 19:21:40 2009 (4A5BC184)
fffff880`04dcb000 fffff880`04de1000   AgileVpn AgileVpn.sys Mon Jul 13 20:10:24 2009 (4A5BCCF0)
fffff880`03f89000 fffff880`03f9e000   amdppm   amdppm.sys   Mon Jul 13 19:19:25 2009 (4A5BC0FD)
fffff880`00ec0000 fffff880`00ecb000   amdxata  amdxata.sys  Tue May 19 13:56:59 2009 (4A12F2EB)
fffff880`041f8000 fffff880`04200000   ASACPI   ASACPI.sys   Sun Mar 27 22:30:36 2005 (42476C4C)
fffff880`00e8d000 fffff880`00e96000   atapi    atapi.sys    Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`00e96000 fffff880`00ec0000   ataport  ataport.SYS  Mon Jul 13 19:19:52 2009 (4A5BC118)
fffff880`03c77000 fffff880`03c99000   AtiHdmi  AtiHdmi.sys  Tue Mar 09 05:08:38 2010 (4B961E26)
fffff880`046ca000 fffff880`04d74000   atikmdag atikmdag.sys Tue Apr 06 21:47:17 2010 (4BBBE425)
fffff880`03f9e000 fffff880`03fd4000   atikmpag atikmpag.sys Tue Apr 06 21:23:30 2010 (4BBBDE92)
fffff880`01231000 fffff880`01239000   AtiPcie64 AtiPcie64.sys Wed Mar 10 09:33:45 2010 (4B97ADC9)
fffff880`02aac000 fffff880`02ab3000   Beep     Beep.SYS     Mon Jul 13 20:00:13 2009 (4A5BCA8D)
fffff880`03f52000 fffff880`03f63000   blbdrive blbdrive.sys Mon Jul 13 19:35:59 2009 (4A5BC4DF)
fffff880`0454c000 fffff880`0456a000   bowser   bowser.sys   Mon Jul 13 19:23:50 2009 (4A5BC206)
fffff960`00680000 fffff960`006a7000   cdd      cdd.dll      unavailable (00000000)
fffff880`02a4c000 fffff880`02a76000   cdrom    cdrom.sys    Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`00c00000 fffff880`00cc0000   CI       CI.dll       Mon Jul 13 21:32:13 2009 (4A5BE01D)
fffff880`011cc000 fffff880`011fc000   CLASSPNP CLASSPNP.SYS Mon Jul 13 19:19:58 2009 (4A5BC11E)
fffff880`00ce3000 fffff880`00d41000   CLFS     CLFS.SYS     Mon Jul 13 19:19:57 2009 (4A5BC11D)
fffff880`01159000 fffff880`011cc000   cng      cng.sys      Mon Jul 13 19:49:40 2009 (4A5BC814)
fffff880`04dbb000 fffff880`04dcb000   CompositeBus CompositeBus.sys Mon Jul 13 20:00:33 2009 (4A5BCAA1)
fffff880`05aa3000 fffff880`05ab1000   crashdmp crashdmp.sys Mon Jul 13 20:01:01 2009 (4A5BCABD)
fffff880`03eb1000 fffff880`03f34000   csc      csc.sys      Mon Jul 13 19:24:26 2009 (4A5BC22A)
fffff880`03f34000 fffff880`03f52000   dfsc     dfsc.sys     Mon Jul 13 19:23:44 2009 (4A5BC200)
fffff880`03c68000 fffff880`03c77000   discache discache.sys Mon Jul 13 19:37:18 2009 (4A5BC52E)
fffff880`0121b000 fffff880`01231000   disk     disk.sys     Mon Jul 13 19:19:57 2009 (4A5BC11D)
fffff880`02a00000 fffff880`02a22000   drmk     drmk.sys     Mon Jul 13 21:01:25 2009 (4A5BD8E5)
fffff880`05abd000 fffff880`05ac6000   dump_atapi dump_atapi.sys Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`05ab1000 fffff880`05abd000   dump_dumpata dump_dumpata.sys Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`05ac6000 fffff880`05ad9000   dump_dumpfve dump_dumpfve.sys Mon Jul 13 19:21:51 2009 (4A5BC18F)
fffff880`05d64000 fffff880`05d70000   Dxapi    Dxapi.sys    Mon Jul 13 19:38:28 2009 (4A5BC574)
fffff880`040da000 fffff880`041ce000   dxgkrnl  dxgkrnl.sys  Thu Oct 01 21:00:14 2009 (4AC5509E)
fffff880`04000000 fffff880`04046000   dxgmms1  dxgmms1.sys  Mon Jul 13 19:38:32 2009 (4A5BC578)
fffff880`010e7000 fffff880`010fb000   fileinfo fileinfo.sys Mon Jul 13 19:34:25 2009 (4A5BC481)
fffff880`0109b000 fffff880`010e7000   fltmgr   fltmgr.sys   Mon Jul 13 19:19:59 2009 (4A5BC11F)
fffff880`01211000 fffff880`0121b000   Fs_Rec   Fs_Rec.sys   Mon Jul 13 19:19:45 2009 (4A5BC111)
fffff880`00fb9000 fffff880`00ff3000   fvevol   fvevol.sys   Mon Jul 13 19:22:15 2009 (4A5BC1A7)
fffff880`0159c000 fffff880`015e6000   fwpkclnt fwpkclnt.sys Mon Jul 13 19:21:08 2009 (4A5BC164)
fffff880`05ad9000 fffff880`05adbd00   gamingms gamingms.sys Mon Dec 07 08:22:15 2009 (4B1D0187)
fffff880`0406a000 fffff880`04077000   GEARAspiWDM GEARAspiWDM.sys Mon May 18 08:17:04 2009 (4A1151C0)
fffff880`05d70000 fffff880`05d8d380   GemCCID  GemCCID.sys  Mon Aug 10 08:07:39 2009 (4A800D8B)
fffff800`02fdf000 fffff800`03028000   hal      hal.dll      Mon Jul 13 21:27:36 2009 (4A5BDF08)
fffff880`04046000 fffff880`0406a000   HDAudBus HDAudBus.sys Mon Jul 13 20:06:13 2009 (4A5BCBF5)
fffff880`05a47000 fffff880`05aa3000   HdAudio  HdAudio.sys  Mon Jul 13 20:06:59 2009 (4A5BCC23)
fffff880`05aea000 fffff880`05b03000   HIDCLASS HIDCLASS.SYS Mon Jul 13 20:06:21 2009 (4A5BCBFD)
fffff880`05b03000 fffff880`05b0b080   HIDPARSE HIDPARSE.SYS Mon Jul 13 20:06:17 2009 (4A5BCBF9)
fffff880`05adc000 fffff880`05aea000   hidusb   hidusb.sys   Mon Jul 13 20:06:22 2009 (4A5BCBFE)
fffff880`04484000 fffff880`0454c000   HTTP     HTTP.sys     Mon Jul 13 19:22:16 2009 (4A5BC1A8)
fffff880`01412000 fffff880`0141b000   hwpolicy hwpolicy.sys Mon Jul 13 19:19:22 2009 (4A5BC0FA)
fffff880`04de1000 fffff880`04df0000   kbdclass kbdclass.sys Mon Jul 13 19:19:50 2009 (4A5BC116)
fffff880`05dc3000 fffff880`05dd1000   kbdhid   kbdhid.sys   Mon Jul 13 20:00:20 2009 (4A5BCA94)
fffff800`00bd3000 fffff800`00bdd000   kdcom    kdcom.dll    Mon Jul 13 21:31:07 2009 (4A5BDFDB)
fffff880`03e00000 fffff880`03e43000   ks       ks.sys       Mon Jul 13 20:00:31 2009 (4A5BCA9F)
fffff880`013e4000 fffff880`013fe000   ksecdd   ksecdd.sys   Mon Jul 13 19:20:54 2009 (4A5BC156)
fffff880`01571000 fffff880`0159c000   ksecpkg  ksecpkg.sys  Fri Dec 11 01:03:32 2009 (4B21E0B4)
fffff880`046c0000 fffff880`046c5200   ksthunk  ksthunk.sys  Mon Jul 13 20:00:19 2009 (4A5BCA93)
fffff880`05ddf000 fffff880`05df4000   lltdio   lltdio.sys   Mon Jul 13 20:08:50 2009 (4A5BCC92)
fffff880`05c00000 fffff880`05c23000   luafv    luafv.sys    Mon Jul 13 19:26:13 2009 (4A5BC295)
fffff880`00cc2000 fffff880`00ccf000   mcupdate_AuthenticAMD mcupdate_AuthenticAMD.dll Mon Jul 13 21:29:09 2009 (4A5BDF65)
fffff880`05dd1000 fffff880`05ddf000   monitor  monitor.sys  Mon Jul 13 19:38:52 2009 (4A5BC58C)
fffff880`04df0000 fffff880`04dff000   mouclass mouclass.sys Mon Jul 13 19:19:50 2009 (4A5BC116)
fffff880`05b0e000 fffff880`05b1b000   mouhid   mouhid.sys   Mon Jul 13 20:00:20 2009 (4A5BCA94)
fffff880`00e73000 fffff880`00e8d000   mountmgr mountmgr.sys Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`02a76000 fffff880`02aa3000   MpFilter MpFilter.sys Sat Mar 20 01:58:08 2010 (4BA463F0)
fffff880`078e6000 fffff880`078f6000   MpNWMon  MpNWMon.sys  Sat Mar 20 01:58:00 2010 (4BA463E8)
fffff880`0456a000 fffff880`04582000   mpsdrv   mpsdrv.sys   Mon Jul 13 20:08:25 2009 (4A5BCC79)
fffff880`04582000 fffff880`045af000   mrxsmb   mrxsmb.sys   Sat Feb 27 02:52:19 2010 (4B88CF33)
fffff880`045af000 fffff880`045fd000   mrxsmb10 mrxsmb10.sys Sat Feb 27 02:52:28 2010 (4B88CF3C)
fffff880`04400000 fffff880`04423000   mrxsmb20 mrxsmb20.sys Sat Feb 27 02:52:26 2010 (4B88CF3A)
fffff880`02b11000 fffff880`02b1c000   Msfs     Msfs.SYS     Mon Jul 13 19:19:47 2009 (4A5BC113)
fffff880`00f45000 fffff880`00f4f000   msisadrv msisadrv.sys Mon Jul 13 19:19:26 2009 (4A5BC0FE)
fffff880`010fb000 fffff880`01159000   msrpc    msrpc.sys    Mon Jul 13 19:21:32 2009 (4A5BC17C)
fffff880`03c5d000 fffff880`03c68000   mssmbios mssmbios.sys Mon Jul 13 19:31:10 2009 (4A5BC3BE)
fffff880`01400000 fffff880`01412000   mup      mup.sys      Mon Jul 13 19:23:45 2009 (4A5BC201)
fffff880`0141f000 fffff880`01511000   ndis     ndis.sys     Mon Jul 13 19:21:40 2009 (4A5BC184)
fffff880`04624000 fffff880`04630000   ndistapi ndistapi.sys Mon Jul 13 20:10:00 2009 (4A5BCCD8)
fffff880`05b6e000 fffff880`05b81000   ndisuio  ndisuio.sys  Mon Jul 13 20:09:25 2009 (4A5BCCB5)
fffff880`04630000 fffff880`0465f000   ndiswan  ndiswan.sys  Mon Jul 13 20:10:11 2009 (4A5BCCE3)
fffff880`03fd4000 fffff880`03fe9000   NDProxy  NDProxy.SYS  Mon Jul 13 20:10:05 2009 (4A5BCCDD)
fffff880`03d43000 fffff880`03d52000   netbios  netbios.sys  Mon Jul 13 20:09:26 2009 (4A5BCCB6)
fffff880`03cb9000 fffff880`03cfe000   netbt    netbt.sys    Mon Jul 13 19:21:28 2009 (4A5BC178)
fffff880`01511000 fffff880`01571000   NETIO    NETIO.SYS    Mon Jul 13 19:21:46 2009 (4A5BC18A)
fffff880`05c4a000 fffff880`05d57000   netr28ux netr28ux.sys Tue Sep 15 00:36:45 2009 (4AAF19DD)
fffff880`02b1c000 fffff880`02b2d000   Npfs     Npfs.SYS     Mon Jul 13 19:19:48 2009 (4A5BC114)
fffff880`03c51000 fffff880`03c5d000   nsiproxy nsiproxy.sys Mon Jul 13 19:21:02 2009 (4A5BC15E)
fffff800`02a03000 fffff800`02fdf000   nt       ntkrnlmp.exe Sat Jun 19 00:16:41 2010 (4C1C44A9)
fffff880`01241000 fffff880`013e4000   Ntfs     Ntfs.sys     Mon Jul 13 19:20:47 2009 (4A5BC14F)
fffff880`02aa3000 fffff880`02aac000   Null     Null.SYS     Mon Jul 13 19:19:37 2009 (4A5BC109)
fffff880`05b1b000 fffff880`05b6e000   nwifi    nwifi.sys    Mon Jul 13 20:07:23 2009 (4A5BCC3B)
fffff880`03d07000 fffff880`03d2d000   pacer    pacer.sys    Mon Jul 13 20:09:41 2009 (4A5BCCC5)
fffff880`00f8f000 fffff880`00fa4000   partmgr  partmgr.sys  Mon Jul 13 19:19:58 2009 (4A5BC11E)
fffff880`00f4f000 fffff880`00f82000   pci      pci.sys      Mon Jul 13 19:19:51 2009 (4A5BC117)
fffff880`00e5c000 fffff880`00e63000   pciide   pciide.sys   Mon Jul 13 19:19:49 2009 (4A5BC115)
fffff880`00e63000 fffff880`00e73000   PCIIDEX  PCIIDEX.SYS  Mon Jul 13 19:19:48 2009 (4A5BC114)
fffff880`01200000 fffff880`01211000   pcw      pcw.sys      Mon Jul 13 19:19:27 2009 (4A5BC0FF)
fffff880`07424000 fffff880`074ca000   peauth   peauth.sys   Mon Jul 13 21:01:19 2009 (4A5BD8DF)
fffff880`03db8000 fffff880`03df5000   portcls  portcls.sys  Mon Jul 13 20:06:27 2009 (4A5BCC03)
fffff880`00ccf000 fffff880`00ce3000   PSHED    PSHED.dll    Mon Jul 13 21:32:23 2009 (4A5BE027)
fffff880`04600000 fffff880`04624000   rasl2tp  rasl2tp.sys  Mon Jul 13 20:10:11 2009 (4A5BCCE3)
fffff880`0465f000 fffff880`0467a000   raspppoe raspppoe.sys Mon Jul 13 20:10:17 2009 (4A5BCCE9)
fffff880`0467a000 fffff880`0469b000   raspptp  raspptp.sys  Mon Jul 13 20:10:18 2009 (4A5BCCEA)
fffff880`0469b000 fffff880`046b5000   rassstp  rassstp.sys  Mon Jul 13 20:10:25 2009 (4A5BCCF1)
fffff880`03c00000 fffff880`03c51000   rdbss    rdbss.sys    Mon Jul 13 19:24:09 2009 (4A5BC219)
fffff880`046b5000 fffff880`046c0000   rdpbus   rdpbus.sys   Mon Jul 13 20:17:46 2009 (4A5BCEAA)
fffff880`02af6000 fffff880`02aff000   RDPCDD   RDPCDD.sys   Mon Jul 13 20:16:34 2009 (4A5BCE62)
fffff880`02aff000 fffff880`02b08000   rdpencdd rdpencdd.sys Mon Jul 13 20:16:34 2009 (4A5BCE62)
fffff880`02b08000 fffff880`02b11000   rdprefmp rdprefmp.sys Mon Jul 13 20:16:35 2009 (4A5BCE63)
fffff880`0104c000 fffff880`01086000   rdyboost rdyboost.sys Mon Jul 13 19:34:34 2009 (4A5BC48A)
fffff880`05b81000 fffff880`05b99000   rspndr   rspndr.sys   Mon Jul 13 20:08:50 2009 (4A5BCC92)
fffff880`03d9e000 fffff880`03db8000   SCDEmu   SCDEmu.SYS   Mon Jul 27 13:53:10 2009 (4A6DE986)
fffff880`05d9a000 fffff880`05da8000   scfilter scfilter.sys Mon Jul 13 19:50:17 2009 (4A5BC839)
fffff880`074ca000 fffff880`074d5000   secdrv   secdrv.SYS   Wed Sep 13 09:18:38 2006 (4508052E)
fffff880`041ec000 fffff880`041f8000   serenum  serenum.sys  Mon Jul 13 20:00:33 2009 (4A5BCAA1)
fffff880`03d52000 fffff880`03d6f000   serial   serial.sys   Mon Jul 13 20:00:40 2009 (4A5BCAA8)
fffff880`05d8e000 fffff880`05d9a000   SMCLIB   SMCLIB.SYS   Mon Jul 13 20:00:35 2009 (4A5BCAA3)
fffff880`015f6000 fffff880`015fe000   spldr    spldr.sys    Mon May 11 12:56:27 2009 (4A0858BB)
fffff880`0781f000 fffff880`078b5000   srv      srv.sys      Thu Aug 26 23:38:00 2010 (4C773318)
fffff880`07514000 fffff880`0757b000   srv2     srv2.sys     Thu Aug 26 23:37:46 2010 (4C77330A)
fffff880`074d5000 fffff880`07502000   srvnet   srvnet.sys   Thu Aug 26 23:37:24 2010 (4C7732F4)
fffff880`040d8000 fffff880`040d9480   swenum   swenum.sys   Mon Jul 13 20:00:18 2009 (4A5BCA92)
fffff880`01602000 fffff880`017ff000   tcpip    tcpip.sys    Sun Jun 13 23:39:04 2010 (4C15A458)
fffff880`07502000 fffff880`07514000   tcpipreg tcpipreg.sys Mon Jul 13 20:09:49 2009 (4A5BCCCD)
fffff880`02b4b000 fffff880`02b58000   TDI      TDI.SYS      Mon Jul 13 19:21:18 2009 (4A5BC16E)
fffff880`02b2d000 fffff880`02b4b000   tdx      tdx.sys      Mon Jul 13 19:21:15 2009 (4A5BC16B)
fffff880`03d8a000 fffff880`03d9e000   termdd   termdd.sys   Mon Jul 13 20:16:36 2009 (4A5BCE64)
fffff960`00530000 fffff960`0053a000   TSDDD    TSDDD.dll    Mon Jul 13 20:16:34 2009 (4A5BCE62)
fffff880`03f63000 fffff880`03f89000   tunnel   tunnel.sys   Mon Jul 13 20:09:37 2009 (4A5BCCC1)
fffff880`03e43000 fffff880`03e55000   umbus    umbus.sys    Mon Jul 13 20:06:56 2009 (4A5BCC20)
fffff880`05b0c000 fffff880`05b0df00   USBD     USBD.SYS     Mon Jul 13 20:06:23 2009 (4A5BCBFF)
fffff880`041db000 fffff880`041ec000   usbehci  usbehci.sys  Mon Jul 13 20:06:30 2009 (4A5BCC06)
fffff880`041ce000 fffff880`041db000   usbfilter usbfilter.sys Thu Apr 29 06:43:06 2010 (4BD962BA)
fffff880`03e55000 fffff880`03eaf000   usbhub   usbhub.sys   Mon Jul 13 20:07:09 2009 (4A5BCC2D)
fffff880`04077000 fffff880`04082000   usbohci  usbohci.sys  Mon Jul 13 20:06:30 2009 (4A5BCC06)
fffff880`04082000 fffff880`040d8000   USBPORT  USBPORT.SYS  Mon Jul 13 20:06:31 2009 (4A5BCC07)
fffff880`05da8000 fffff880`05dc3000   USBSTOR  USBSTOR.SYS  Mon Jul 13 20:06:34 2009 (4A5BCC0A)
fffff880`00f82000 fffff880`00f8f000   vdrvroot vdrvroot.sys Mon Jul 13 20:01:31 2009 (4A5BCADB)
fffff880`02ab3000 fffff880`02ac1000   vga      vga.sys      Mon Jul 13 19:38:47 2009 (4A5BC587)
fffff880`02ac1000 fffff880`02ae6000   VIDEOPRT VIDEOPRT.SYS Mon Jul 13 19:38:51 2009 (4A5BC58B)
fffff880`015e6000 fffff880`015f6000   vmstorfl vmstorfl.sys Mon Jul 13 19:42:54 2009 (4A5BC67E)
fffff880`00fa4000 fffff880`00fb9000   volmgr   volmgr.sys   Mon Jul 13 19:19:57 2009 (4A5BC11D)
fffff880`00e00000 fffff880`00e5c000   volmgrx  volmgrx.sys  Mon Jul 13 19:20:33 2009 (4A5BC141)
fffff880`01000000 fffff880`0104c000   volsnap  volsnap.sys  Mon Jul 13 19:20:08 2009 (4A5BC128)
fffff880`05d57000 fffff880`05d64000   vwifibus vwifibus.sys Mon Jul 13 20:07:21 2009 (4A5BCC39)
fffff880`03d2d000 fffff880`03d43000   vwififlt vwififlt.sys Mon Jul 13 20:07:22 2009 (4A5BCC3A)
fffff880`03d6f000 fffff880`03d8a000   wanarp   wanarp.sys   Mon Jul 13 20:10:21 2009 (4A5BCCED)
fffff880`02ae6000 fffff880`02af6000   watchdog watchdog.sys Mon Jul 13 19:37:35 2009 (4A5BC53F)
fffff880`00d41000 fffff880`00de5000   Wdf01000 Wdf01000.sys Mon Jul 13 19:22:07 2009 (4A5BC19F)
fffff880`00de5000 fffff880`00df4000   WDFLDR   WDFLDR.SYS   Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`03cfe000 fffff880`03d07000   wfplwf   wfplwf.sys   Mon Jul 13 20:09:26 2009 (4A5BCCB6)
fffff960`000c0000 fffff960`003cf000   win32k   win32k.sys   Tue Aug 31 22:58:04 2010 (4C7DC13C)
fffff880`04db2000 fffff880`04dbb000   wmiacpi  wmiacpi.sys  Mon Jul 13 19:31:02 2009 (4A5BC3B6)
fffff880`00f3c000 fffff880`00f45000   WMILIB   WMILIB.SYS   Mon Jul 13 19:19:51 2009 (4A5BC117)
fffff880`05c23000 fffff880`05c44000   WudfPf   WudfPf.sys   Mon Jul 13 20:05:37 2009 (4A5BCBD1)
fffff880`078b5000 fffff880`078e6000   WUDFRd   WUDFRd.sys   Mon Jul 13 20:06:06 2009 (4A5BCBEE)

Unloaded modules:
fffff880`01086000 fffff880`01094000   crashdmp.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
fffff880`00ff3000 fffff880`00fff000   dump_ataport
    Timestamp: unavailable (00000000)
    Checksum:  00000000
fffff880`00ecb000 fffff880`00ed4000   dump_atapi.s
    Timestamp: unavailable (00000000)
    Checksum:  00000000
fffff880`02a39000 fffff880`02a4c000   dump_dumpfve
    Timestamp: unavailable (00000000)
    Checksum:  00000000

Anyway, the probable cause is the dreaded March 2005 version of *ASACPI.SYS*, which has been showing up quite often lately.


----------



## jcgriff2

I ran the 6 dumps - no problems here whatsoever.

I see a *0xc0000005* exception code.... 

I assume you were running at elevated administrative level?



----------



## reventon

I re-installed the Debugging Tools and the problem was no more.

Strange that it suddenly broke itself overnight though...


----------



## jcgriff2

Anyone know of a hotfix for Vista SP2 *storport.sys*?




jcgriff2 said:


> 20 of the dumps were VERIFIER_ENABLED, but named the Microsoft Storage Port driver -
> 
> 
> Code:
> 
> 
> storport.sys Mon May 04 06:12:05 2009 (49FEBF75)
> 
> I went through other Vista x86 SP2 dumps and found the timestamp to be -
> 
> 
> Code:
> 
> 
> storport.sys Sat Apr 11 00:39:19 2009 (49E01EF7)
> 
> Did you apply a hotfix specific to storport.sys?



http://www.techsupportforum.com/f217/bsod-523179.html#post2948137

Thanks. . .

John



----------



## jcgriff2

Virtual device gone nuts - dynamically allocating 2007 drivers in Windows 7 x64.

Many sp**.sys drivers named as the probable cause in the *44* BSODs -


Code:


spuh.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ab86d79h.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
sprl.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
a0qzs1gn.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spms.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
afveyakc.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
sprt.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
a63iy6v3.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
sppb.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
awstkaum.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spon.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ano0p4hn.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spoz.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ak0w51ck.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spcw.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
aaw38fht.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spqu.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ao6ifxlo.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
sprw.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
axhcfxjs.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spdn.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
akt0vr9z.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spjr.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ab171r5z.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spgx.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ac6ggd3a.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spyw.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
angioo5z.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spbp.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ahy5zjvj.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
speo.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ayo6esg5.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spry.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
aep1202r.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spbt.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
anj33ugj.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spfl.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
actjmeu6.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
sppo.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
akkvnjvb.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spcy.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
a2udtk8o.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
splm.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ayq0eu7s.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
sprp.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
aw0fvied.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spqa.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
axycwuqh.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spwj.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
aqwpdiu3.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spee.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
a5g5pzl1.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spcc.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
avdsbfdm.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spev.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ant3grj6.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spox.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
a1fszth3.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
splt.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
alvgsyfa.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spbr.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
a1n3f1lp.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spwy.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
aovnnodk.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spge.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
auy27br7.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spnb.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
spqc.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
spjm.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
spxx.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
spix.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
spku.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
sppt.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
spyn.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
spbi.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
spot.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
spen.sys     Sun Oct 11 16:55:14 2009 (4AD24632)


http://www.techsupportforum.com/f217/10-bsods-within-2-hours-522997.html#post2948370

John



----------



## AlbertMC2

jcgriff2 said:


> Anyone know of a hotfix for Vista SP2 *storport.sys*?


Maybe this one?


> File name	File version	File size	Date	Time	Platform
> Storport.sys	6.0.6001.22425	121,432	04-May-2009	12:53	x86
> Storport.sys	6.0.6002.22128	120,904	04-May-2009	13:00	x86


http://support.microsoft.com/kb/968675


----------



## jcgriff2

Thank you !!


----------



## jcgriff2

My advice on 3rd party firewalls in Windows 7 & Vista -

http://www.techsupportforum.com/f36/2010-what-firewall-do-you-use-522276.html#post2943614



----------



## usasma

Hi all!

I'm wondering about when to start calling 2009 drivers "outdated" in my postings.
What are your thoughts about this?

I don't want to do this month by month - as that'll be too much work. But I'd like to see if we can reach a consensus here so we're not giving different input to posters.

FWIW - I'd like to start adding 2009 drivers to the "old" pile on Jan 1, 2011
That'll give us a start that's only a year out - and it will gradually move to 2 years old by the end of 2011.

Your thoughts?

PS - just started using the Textarea Cache Window add-on for Firefox. I got sick and tired of losing entire posts due to one errant keystroke. It looks good to me so far! http://rockyourfirefox.com/2010/03/textarea-cache/


----------



## jcgriff2

usasma said:


> Hi all!
> 
> I'm wondering about when to start calling 2009 drivers "outdated" in my postings.
> What are your thoughts about this?


Hi John . . .

I agree - most 2009 3rd party device drivers are now in fact outdated in both Windows 7 and Vista SP2. 

Some 1Q10 and 2Q10 device drivers are outdated as well; specifically - 
- Video
- Audio
- Ethernet
- Wifi

NVIDIA, ATI, Intel, Realtek, etc... have recently updated device drivers once again.



usasma said:


> PS - just started using the Textarea Cache Window add-on for Firefox. I got sick and tired of losing entire posts due to one errant keystroke. It looks good to me so far! http://rockyourfirefox.com/2010/03/textarea-cache/


Looks nice, but I will stick with IE8, IE9 BETA !! :chgrin:

As a sidenote - 

All Vista users should have SP2 installed now. We cannot offer BSOD help unless ALL Windows Updates are installed.

Kind Regards. . .

John





----------



## usasma

We're going to hit SP1 for Win7 next year also.
I haven't heard any rumblings about SP3 for Vista, but a lot of posters with SP2 have over 270 hotfixes listed in systeminfo.txt - it can't be far away!

In general I don't mess with older Vista installations - just tell them to:
- visit the PC manufacturer's website and update *ALL* drivers (manufacturers are pretty good about updating drivers that will cause failures in Service Pack installations)
- then go to Windows Update, get SP1 and SP2, then get *ALL* remaining updates

As for Win7, I like to highlight anything from 2006 or earlier (but still update any that are pre-Win7). My thoughts here are that Vista compatible drivers are more likely to be compatible with Win7 than those from before that time.

Also, I do find that there are problems getting a lot of users to update their older drivers - even when they are having BSOD's. And I feel that the more drivers that we ask to have updated, the less likely it is that it will be done.

So, asking people to update *ALL* drivers - while a good idea - is (IME/IMO) a problem because it asks them to do too much stuff (a lot of drivers) that's also pretty complicated for them to do (finding them at the device manufacturer's website). As such I like to keep the number down to those that I feel are most likely to be causing problems.

And, with the most likely problem drivers removed - any further problems can be dealt with more easily.


----------



## jcgriff2

"To be Determined" = Windows 7 SP1 & Vista SP3 - 

Windows Service Pack Road Map - http://www.microsoft.com/windows/lifecycle/servicepacks.mspx



----------



## usasma

I've seen 2 of these errors in the last couple of days. I suspect a recent Windows update has made this program incompatible. The most recent error was in a Vista system from Dell, but I seem to recall that the other one was in a Win7 system w/MSI mobo.

Vista link: http://www.techsupportforum.com/f217/bsod-amdlld-sys-530478.html?highlight=AMDLLD.sys
Win7 link: http://www.techsupportforum.com/f21...of-safe-mode-530127.html?highlight=AMDLLD.sys

It's a STOP 0x8E in AMDLLD.sys and the first parameter is c0000005 (memory access error)
All errors seem to come from the PROCESS_NAME: amd_dc_opt.exe
And it seems to be launched in the startups (extracted from the MSINFO32 report):


> amd_dc_opt c:\program files\amd\dual-core optimizer\amd_dc_opt.exe Public HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Here's the entry from the HKLM_Soft_MS_Win_CV_Uninstall.txt file


> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BCA02FAD-2C86-4C8C-A815-51C09F4E51FF}
> AuthorizedCDFPrefix REG_SZ
> Comments REG_SZ
> Contact REG_SZ
> DisplayVersion REG_SZ 1.1.1.0135
> HelpLink REG_SZ
> HelpTelephone REG_SZ
> InstallDate REG_SZ 20101121
> InstallLocation REG_SZ C:\Program Files\AMD\Dual-Core Optimizer\
> InstallSource REG_SZ C:\Windows\Downloaded Installations\{B377E244-6468-4BE8-B422-0893C67F9C6C}\
> ModifyPath REG_EXPAND_SZ MsiExec.exe /X{BCA02FAD-2C86-4C8C-A815-51C09F4E51FF}
> NoModify REG_DWORD 0x1
> NoRepair REG_DWORD 0x1
> Publisher REG_SZ AMD
> Readme REG_EXPAND_SZ C:\Program Files\AMD\Dual-Core Optimizer\ReadMe.rtf
> Size REG_SZ
> EstimatedSize REG_DWORD 0x55
> UninstallString REG_EXPAND_SZ MsiExec.exe /X{BCA02FAD-2C86-4C8C-A815-51C09F4E51FF}
> URLInfoAbout REG_SZ http://www.amd.com
> URLUpdateInfo REG_SZ
> VersionMajor REG_DWORD 0x1
> VersionMinor REG_DWORD 0x1
> WindowsInstaller REG_DWORD 0x1
> Version REG_DWORD 0x1010001
> Language REG_DWORD 0x409
> DisplayName REG_SZ Dual-Core Optimizer


I suggest first stopping it from loading in the startups (using Autoruns)
Then seeing if they can uninstall it from the Control Panel...Programs...Uninstall a program.


----------



## jcgriff2

Great info & details, John.

Thanks. . .

John



----------



## Michael_Larsen

Wow....all this talk of memory dumps brings back memories of high school and college. I went through a lot of memory dumps....

Oh wait....are you guys talking about computers?????

Good day!

Mike

PS: In all seriousness, this stuff fascinates me and brings back memories of troubleshooting computers by manually strobing in hexadecimal addresses to various locations in memory to test system integrity and such. And I would be remiss not to mention the wonderful world of trigonometry, polar to rectangular conversions, and all that fun stuff during my electrical engineering courses. WOOHOO!!


----------



## usasma

Another interesting situation.
Older Dell desktop w/1 bad RAM stick

Wouldn't boot to XP desktop, and presented with a STOP 0x74 error
Parameter 4 was c0000014C (corrupt registry)

I was going to do a manual registry repair (replacement) in the Recovery Console,
but being lazy, I ran FIXBOOT and FIXMBR from the Recovery Console first.

Amazing! It let me in and I'm busy repairing the XP installation (viruses) now!

The point here is that you can save yourself some time and aggravation by running FIXBOOT and FIXMBR even though it's not called for.


----------



## Jonathan_King

usasma said:


> Another interesting situation.
> Older Dell desktop w/1 bad RAM stick
> 
> Wouldn't boot to XP desktop, and presented with a STOP 0x74 error
> Parameter 4 was c0000014C (corrupt registry)
> 
> I was going to do a manual registry repair (replacement) in the Recovery Console,
> but being lazy, I ran FIXBOOT and FIXMBR from the Recovery Console first.
> 
> Amazing! It let me in and I'm busy repairing the XP installation (viruses) now!
> 
> The point here is that you can save yourself some time and aggravation by running FIXBOOT and FIXMBR even though it's not called for.


Are you theorizing that those commands repaired the registry, or that the registry error was actually caused by a bad MBR?

FIXBOOT writes a new boot sector, and FIXMBR writes a new MBR; neither the MBR nor the boot sector contains the registry.


----------



## usasma

No, I'm theorizing that the particulars of the BSOD error (in particular the NTSTATUS code) are incorrect. 

There is no doubt that the crash dump points to the registry.
Nor is there any doubt that FIXBOOT and FIXMBR don't touch the registry.
Therefore the error has to be wrong.


----------



## jcgriff2

I've never seen a 1.1 *GB* minidump before. 

http://www.techsupportforum.com/f217/random-infuriating-bsods-teach-me-plz-533124.html#post3013498

The zip file ~ 2 MB, which included all system files & the 1.1 GB minidump.

Attachment - http://www.techsupportforum.com/att...sods-teach-me-plz-windows7_vista_jcgriff2.zip

It's rare to find a FULL Kernel dump of this size, let alone a mini kernel dump.


----------



## usasma

http://daol.aol.com/articles/coping-with-a-computer-crash?icid=maing|main5|5|link2|29214

States:


> . . . *Reasons for a computer crash*
> “Sam,” a security engineer who prefers anonymity because of the nature of his job, explains that there are usually two main causes for a computer to freeze or crash: defective computer memory and impending hard disk failure. . . .


Wow! I must be wasting my time then!


----------



## jcgriff2

> ...“Sam,” a security engineer who prefers anonymity...



Nice one, John!!!

If I were Sam, I would prefer anonymity too !!



----------



## Jonathan_King

usasma said:


> No, I'm theorizing that the particulars of the BSOD error (in particular the NTSTATUS code) are incorrect.
> 
> There is no doubt that the crash dump points to the registry.
> Nor is there any doubt that FIXBOOT and FIXMBR don't touch the registry.
> Therefore the error has to be wrong.


I understand now, thanks.



usasma said:


> http://daol.aol.com/articles/coping-with-a-computer-crash?icid=maing|main5|5|link2|29214
> 
> States:
> 
> 
> Wow! I must be wasting my time then!


Nice find!

Along those lines: http://www.wikihow.com/Never-See-a-Blue-Screen-of-Death-Again

I thought I'd do them a favor and edit the part about the registry cleaners, but the next day, I saw it had been changed back. Oh well, if the author is intent on it, I'm not going to push it.


----------



## AlbertMC2

Jonathan_King said:


> I understand now, thanks.
> 
> Nice find!
> 
> Along those lines: http://www.wikihow.com/Never-See-a-Blue-Screen-of-Death-Again
> 
> I thought I'd do them a favor and edit the part about the registry cleaners, but the next day, I saw it had been changed back. Oh well, if the author is intent on it, I'm not going to push it.


I liked this one....If you don't want to see the BSOD then just restart the PC....after all if you can't see the problem then there is no problem...right??


----------



## GZ

Do these authors really believe the hype they are spreading?


----------



## jcgriff2

New Daemon Tools driver named in BSOD -


Code:


IMAGE_NAME:  dtsoftbus01.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  4cdba28d

4cdba28d = Thu *Nov 11* 03:00:13 *2010*


http://www.techsupportforum.com/f21...in-the-allocated-time-533627.html#post3018127
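
The hex value in a line such as `4cdba28d = Thu Nov 11 03:00:13 2010` is the image header timestamp in seconds since 1970-01-01 UTC, so it can be decoded and compared independently of the time zone the debugger printed the date in. The Python below is an added example, not part of the original post or of any tool named in this thread; the function names are hypothetical and the sample is constructed from module lines quoted in the thread. It parses module lines, lists images stamped before a cutoff year, and groups images that carry the same stamp, as in the sp**.sys listing.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: module lines copied from listings in this thread, in both
# forms that appear there (with and without the load-address columns).
SAMPLE = """\
fffff880`02a4c000 fffff880`02a76000   cdrom    cdrom.sys    Mon Jul 13 19:19:54 2009 (4A5BC11A)
fffff880`074ca000 fffff880`074d5000   secdrv   secdrv.SYS   Wed Sep 13 09:18:38 2006 (4508052E)
fffff880`0781f000 fffff880`078b5000   srv      srv.sys      Thu Aug 26 23:38:00 2010 (4C773318)
spuh.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
ab86d79h.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
sprl.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
a0qzs1gn.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
spms.sys     Sun Oct 11 16:55:14 2009 (4AD24632)
afveyakc.SYS Thu Sep 06 08:09:33 2007 (46DFEDFD)
"""

# Image name, the date text (printed in the analyst's local time, so it is
# skipped), then the raw 32-bit stamp in parentheses.
LINE_RE = re.compile(
    r"(?<!\S)(?P<image>\S+)\s+"
    r"\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}\s+"
    r"\((?P<stamp>[0-9A-Fa-f]{8})\)"
)


def decode_stamp(hex_stamp):
    """Turn the hex stamp into a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc)


def parse_modules(text):
    """Return (image, STAMP, utc_datetime) for every module line found."""
    mods = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            stamp = m.group("stamp").upper()
            mods.append((m.group("image"), stamp, decode_stamp(stamp)))
    return mods


def older_than(mods, year):
    """Images whose stamp falls before 1 January of `year` (UTC), sorted."""
    cutoff = datetime(year, 1, 1, tzinfo=timezone.utc)
    return sorted(image for image, _, when in mods if when < cutoff)


def shared_stamp_clusters(mods, min_size=3):
    """Group images by identical stamp; keep groups of at least min_size."""
    groups = defaultdict(list)
    for image, stamp, _ in mods:
        groups[stamp].append(image)
    return {s: names for s, names in groups.items() if len(names) >= min_size}


if __name__ == "__main__":
    modules = parse_modules(SAMPLE)
    for image, stamp, when in modules:
        print(f"{image:14} {stamp}  {when:%Y-%m-%d %H:%M:%S} UTC")
    print("stamped before 2009:", older_than(modules, 2009))
    for stamp, names in shared_stamp_clusters(modules).items():
        print(f"{stamp} shared by {len(names)} images: {', '.join(names)}")
```

Identical stamps alone are not a finding, since files from one build often share them; the grouping is a lead to weigh together with the image names.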



----------



## usasma

I added it to dvrref.html
Thanks John!
sent you an email....


----------



## GZ

usasma said:


> I added it to dvrref.html
> Thanks John!
> sent you an email....


Usasma, just recently I was on your BSOD site. Great work!


----------



## jcgriff2

John Carrona, aka *usasma*, Microsoft MVP, has done an awesome job indeed - 

http://www.carrona.org/dvrref.html

A HUGE help to those looking for driver updates and for us working BSOD threads.

John



----------



## cutiepie17881

This solution worked for me http://windows7forums.com/windows-7...p-files-dmp-saved-after-crash.html#post143462


----------



## reventon

cutiepie17881 said:


> This solution worked for me http://windows7forums.com/windows-7...p-files-dmp-saved-after-crash.html#post143462


Ah yes, the "fake" BSODs. Was someone playing a trick on you? I hope you returned the favor! :laugh:


----------



## jcgriff2

cutiepie17881 said:


> This solution worked for me http://windows7forums.com/windows-7...p-files-dmp-saved-after-crash.html#post143462


Haven't seen that one in a while.


----------



## Jonathan_King

I just got a 662 MB minidump:

http://www.sevenforums.com/crashes-debugging/132476-bsod.html#post1140495


----------



## reventon

Two good quotes:



SystemTech said:


> I'm thinking that my problems all along were being created somehow by Norton NIS 2009,2010,&2011. I say this because it is the most common denominator over the life span of the system of 2 years. But what I don't understand how could *1 app failing create such a wide variety of misleading dump files.*





SystemTech said:


> So listen up all who read this post and are having BSOD's.........
> 1st thing you all need to do if you are having any symptoms like I was and are running Norton is *get rid of it completely and demand your money back!!!!* And don't ever use their products again. Period.


----------



## DT Roberts

Well we can't really disagree with that can we? :grin:

I think that Norton has been found to be the cause of more BSODs here than any other software, minus the *ASACPI.SYS* craze last year.


----------



## Jonathan_King

I dunno, SPTD has the #1 spot for software causes in my BSOD archive...


----------



## DT Roberts

Jonathan_King said:


> I dunno, SPTD has the #1 spot for software causes in my BSOD archive...


Actually, forgot about that one. It's quieted down a lot in the last few months though. Norton's been a steady cause for years now.


----------



## Jonathan_King

I thought it went the other way around, honestly. I haven't seen Norton 2010 cause a BSOD in a long time, perhaps not ever. It seems the newer versions of these notorious security programs are doing a lot better than older ones.

SPTD is still the same October 2009 version as before, and even the April 2010 version causes BSODs too.


----------



## DT Roberts

On a side note, is this strange or am I going crazy (Don't answer that!)?

http://www.techsupportforum.com/f217/bsod-windows-vista-32bits-537889.html#post3043664


----------



## reventon

Not the first time I have seen that Devin.

http://www.techsupportforum.com/f21...rror-from-ahnlab-hackshield-games-472815.html

The solution is in post #8, basically reset the version and install SP1, SP2.


----------



## DT Roberts

Strange, never seen that one before. Thanks for posting.


----------



## jcgriff2

DT Roberts said:


> I think that Norton has been found to be the cause of more BSODs here than any other software, minus the *ASACPI.SYS* craze last year.

Jonathan_King said:


> I haven't seen Norton 2010 cause a BSOD in a long time, perhaps not ever. It seems the newer versions of these notorious security programs are doing a lot better than older ones.
> 
> SPTD is still the same October 2009 version as before, and even the April 2010 version causes BSODs too.

Norton, KIS, McAfee, others, do not have to be named in BSODs to be the cause of them. Look for the tell-tale 0xc0000005 exception. Same goes for VSS/ System Restore failures, Internet connectivity issues, etc...

http://www.techsupportforum.com/f21...equal-sony-vaio-vpcf1-533995.html#post3019376

Same with *sptd.sys*.
- How many times have you provided removal instructions for sptd.sys?
- How many dumps have you actually seen sptd.sys named probable cause?
--> The ratio is probably 99:1

Asus ATK0110 problem is still around (asacpi.sys), although not at the levels we saw this time last year -
http://www.techsupportforum.com/f217/bsod-0x00000124-plaguing-me-534332.html#post3021905
http://www.techsupportforum.com/f21...r_power_state_failure-530845.html#post2998544
http://www.techsupportforum.com/f217/bsod-specific-app-534213.html#post3024914
http://www.techsupportforum.com/f217/blue-screens-at-random-or-so-it-seems-535600.html#post3032592

Ever seen asacpi.sys named in a BSOD?

The commonality between Norton, KIS, McAfee, .... (some drivers), sptd.sys, asacpi.sys is that they are boot drivers and generally flee the scene of the crash leaving NT to take the blame.


----------



## Jonathan_King

Honestly, John, I've been noticing a drop in Norton/McAfee/Kaspersky, etc BSODs. I've been keeping track on my site: http://jonathanking.wikidot.com/major-software-causes

I find that usually the cause is an old NIC driver. I did see a couple of Vista BSODs in the past 2 weeks, but as far as Windows 7 goes, I've definitely seen a decrease.


----------



## jcgriff2

NIS/ N360 - 

- Interferes with VSS - [SOLVED] Limited Connectivity; and Error 1114 

[SOLVED] BSOD Windows 7 DRIVER_IRQL_NOT_LESS_OR_EQUAL 

[SOLVED] Youtube/Windows 7 problem 

[SOLVED] New Laptop Issues

I guess the bottom line, Jonathan -- are these decreased numbers you are seeing because many Windows 7 owners do not have NIS/ N360, McAfee, KIS, etc... installed?

Have you noticed some OEMs now pre-installing MSE and not NIS/ N360 any longer?


----------



## Jonathan_King

I won't claim to know everything, John. I can fully accept that possibility. Plus, you've been running far more dumps than I have.


----------



## jcgriff2

No such claim here either, I assure you of that!

Just curious if you are seeing fewer b/c there are fewer systems w/ the offending apps.


----------



## Jonathan_King

Interesting thread today, on another forum.

http://www.pchelpforum.com/blue-screen-errors/100829-black-screen-death.html#post588351

The event log shows that bluescreens occurred in December and September, but reports that the dump files attached to the error report are from April.


Code:


Event[39]:
  Log Name: Application
  Source: Windows Error Reporting
  Date: 2010-12-22T00:07:09.000
  Event ID: 1001
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: Hardeep
  Description: 
Fault bucket , type 0
Event Name: BlueScreen
Response: Not available
Cab Id: 0

Problem signature:
P1: 
P2: 
P3: 
P4: 
P5: 
P6: 
P7: 
P8: 
P9: 
P10: 

Attached files:
C:\Windows\Minidump\042910-14242-01.dmp
C:\Users\Hardeep\AppData\Local\Temp\WER-31559-0.sysdata.xml

These files may be available here:


Analysis symbol: 
Rechecking for solution: 1
Report Id: 042910-14242-01
Report Status: 0

Event[6906]:
  Log Name: Application
  Source: Windows Error Reporting
  Date: 2010-09-21T23:22:07.000
  Event ID: 1001
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: Hardeep
  Description: 
Fault bucket , type 0
Event Name: BlueScreen
Response: Not available
Cab Id: 0

Problem signature:
P1: 
P2: 
P3: 
P4: 
P5: 
P6: 
P7: 
P8: 
P9: 
P10: 

Attached files:
C:\Windows\Minidump\042910-14242-01.dmp
C:\Users\Hardeep\AppData\Local\Temp\WER-31559-0.sysdata.xml

These files may be available here:


Analysis symbol: 
Rechecking for solution: 1
Report Id: 042910-14242-01
Report Status: 0

Event[6907]:
  Log Name: Application
  Source: Windows Error Reporting
  Date: 2010-09-21T23:22:05.000
  Event ID: 1001
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: Hardeep
  Description: 
Fault bucket , type 0
Event Name: BlueScreen
Response: Not available
Cab Id: 0

Problem signature:
P1: 
P2: 
P3: 
P4: 
P5: 
P6: 
P7: 
P8: 
P9: 
P10: 

Attached files:
C:\Windows\Minidump\042610-16473-01.dmp
C:\Users\Hardeep\AppData\Local\Temp\WER-24944-0.sysdata.xml
C:\Users\Hardeep\AppData\Local\Temp\WER23D4.tmp.WERInternalMetadata.xml

These files may be available here:


Analysis symbol: 
Rechecking for solution: 1
Report Id: 042610-16473-01
Report Status: 0

Event[17437]:
  Log Name: Application
  Source: Windows Error Reporting
  Date: 2010-04-29T02:21:42.000
  Event ID: 1001
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: Hardeep
  Description: 
Fault bucket , type 0
Event Name: BlueScreen
Response: Not available
Cab Id: 0

Problem signature:
P1: 
P2: 
P3: 
P4: 
P5: 
P6: 
P7: 
P8: 
P9: 
P10: 

Attached files:
C:\Windows\Minidump\042910-14242-01.dmp
C:\Users\Hardeep\AppData\Local\Temp\WER-31559-0.sysdata.xml

These files may be available here:
C:\Users\Hardeep\AppData\Local\Microsoft\Windows\WER\ReportArchive\Kernel_0_0_cab_08951747

Analysis symbol: 
Rechecking for solution: 0
Report Id: 042910-14242-01
Report Status: 0




Code:


Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Thu Apr 29 01:20:39.941 2010 (UTC - 5:00)
System Uptime: 0 days 0:00:08.798
Probably caused by : hardware
BUGCHECK_STR:  0x124_AuthenticAMD
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
PROCESS_NAME:  System
FAILURE_BUCKET_ID:  X64_0x124_AuthenticAMD_PROCESSOR_CACHE_PRV
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Debug session time: Mon Apr 26 17:08:14.312 2010 (UTC - 5:00)
System Uptime: 0 days 0:00:11.779
Probably caused by : hardware
BUGCHECK_STR:  0x124_AuthenticAMD
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
PROCESS_NAME:  System
FAILURE_BUCKET_ID:  X64_0x124_AuthenticAMD_PROCESSOR_CACHE_PRV
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``


----------



## jcgriff2

The Event Viewer log shows a Windows Error Reporting entry. If WERCON reporting settings are OFF or on MANUAL, the BSODs won't be reported until the user runs "Check for Solutions" in Problem Reports.

Event Viewer entries similar to these would reflect a more accurate BSOD date -


Code:


The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000c2 (0x00000007, 0x0000113d, 0x00000000, 0xc4112008). A dump was saved in: C:\Windows\MEMORY.DMP.

The previous system shutdown at 12:38:09 PM on 12/23/2010 was unexpected.

John
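
The date mismatch discussed in the two posts above can be checked mechanically. The following is an added example, not part of either post: it reads WER "BlueScreen" events in the text layout quoted above and compares each event's date with the date encoded in the attached minidump's file name. It assumes the first six digits of the file name are MMDDYY (consistent with the debug session times shown above); the function names are hypothetical.

```python
import re
from datetime import date, datetime

# Trimmed copy of the four WER events quoted in the thread; fields that the
# check does not read are omitted.
SAMPLE_LOG = r"""
Event[39]:
  Source: Windows Error Reporting
  Date: 2010-12-22T00:07:09.000
  Event ID: 1001
Event Name: BlueScreen
Attached files:
C:\Windows\Minidump\042910-14242-01.dmp
C:\Users\Hardeep\AppData\Local\Temp\WER-31559-0.sysdata.xml

Event[6906]:
  Source: Windows Error Reporting
  Date: 2010-09-21T23:22:07.000
  Event ID: 1001
Event Name: BlueScreen
Attached files:
C:\Windows\Minidump\042910-14242-01.dmp

Event[6907]:
  Source: Windows Error Reporting
  Date: 2010-09-21T23:22:05.000
  Event ID: 1001
Event Name: BlueScreen
Attached files:
C:\Windows\Minidump\042610-16473-01.dmp

Event[17437]:
  Source: Windows Error Reporting
  Date: 2010-04-29T02:21:42.000
  Event ID: 1001
Event Name: BlueScreen
Attached files:
C:\Windows\Minidump\042910-14242-01.dmp
"""

EVENT_HEADER = re.compile(r"^Event\[(\d+)\]:\s*$", re.M)
DATE_FIELD = re.compile(r"^\s*Date:\s*(\S+)", re.M)
# Assumption: minidump names are MMDDYY-<number>-<sequence>.dmp
MINIDUMP = re.compile(r"\\Minidump\\((\d{2})(\d{2})(\d{2})-\d+-\d+\.dmp)", re.I)


def parse_bluescreen_reports(text):
    """Return one row per minidump attached to a WER 'BlueScreen' event."""
    rows = []
    headers = list(EVENT_HEADER.finditer(text))
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[head.end():end]
        logged = DATE_FIELD.search(body)
        if "Event Name: BlueScreen" not in body or not logged:
            continue
        logged_on = datetime.strptime(
            logged.group(1), "%Y-%m-%dT%H:%M:%S.%f").date()
        for m in MINIDUMP.finditer(body):
            name, mm, dd, yy = m.groups()
            try:
                crashed_on = date(2000 + int(yy), int(mm), int(dd))
            except ValueError:  # file name does not encode a valid date
                continue
            rows.append({
                "event": int(head.group(1)),
                "dump": name,
                "logged": logged_on,
                "crashed": crashed_on,
                "lag_days": (logged_on - crashed_on).days,
            })
    return rows


def late_reports(rows, max_lag_days=1):
    """Events logged well after the crash date in the dump's file name."""
    return [r for r in rows if r["lag_days"] > max_lag_days]


def earliest_report(rows):
    """Map each dump to the first date on which any event reported it."""
    first = {}
    for r in rows:
        if r["dump"] not in first or r["logged"] < first[r["dump"]]:
            first[r["dump"]] = r["logged"]
    return first


if __name__ == "__main__":
    reports = parse_bluescreen_reports(SAMPLE_LOG)
    for r in late_reports(reports):
        print(f"Event[{r['event']}] logged {r['logged']} reports "
              f"{r['dump']} from {r['crashed']} ({r['lag_days']} days late)")
    for dump, day in earliest_report(reports).items():
        print(f"{dump}: first reported {day}")
```

A dump whose earliest surviving report is months after its file-name date (here `042610-16473-01.dmp`) has no remaining event from the day of the crash in the log.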



----------



## Jonathan_King

I don't see any of that either John. A search for "memory.dmp" shows nothing in either file.


----------



## jcgriff2

The BSODs occurred ~7 months prior to WERCON reporting. It's possible the BSOD entries I referred to from April 2010 rolled off the end (deleted) as new Event Viewer entries were recorded.


----------



## Jonathan_King

Very possible; the earliest entries in the $evtx_sys_dump file are 2010-09-16; in the $evtx_app_dump file, 2010-02-27.

I'm just curious; why did WER decide to send old dumps out?

Just to make sure, the OP's problem is not BSODs in that thread. He is getting screen blankouts, but I checked for BSODs anyway.


----------



## jcgriff2

The user may have run Problem Reports to "Check for Solutions"; not sure.

There have been reports of black screens occurring after recent Windows Updates came through. A possible cause has been tentatively ID'd as Yahoo/ Yahoo Toolbar.

I had 2 systems here that booted to black screens - both had Yahoo IM, Yahoo Toolbar installed. One now has a fresh install of Windows 7 x64; the other will have fresh Windows 7 x86 install on Christmas day.

Is AVG installed on the system in question?

http://www.techsupportforum.com/f104/avg-update-causes-windows-64-bit-vista-7-bsod-535078.html

AVG caused a BSOD epidemic this time last year; problems were not limited to BSODs.


----------



## Jonathan_King

Nope, he's using MSE.

I suspect a graphics problem for him. He's tried both his onboard and discrete graphics, but they both use the same October 2010 drivers.


----------



## rowan.bradley

*No kernel memory dump files on BSOD*

In jcgriff2's message "no kernel memory dump files being produced upon BSOD" there is a program WMIC_Recoveros_Pagefile_04-2010_jcgriff2_html.exe for checking one's page file settings. When I download this, unzip and run it in W7 32bit, it opens IE8 but displays a blank page. What's the likely reason for this?

Thanks - Rowan


----------



## jcgriff2

Hi Rowan . . .

That is a very good question - one that I don't have an answer for. 

You are not alone on this. For some reason, the version that produces an HTML output file comes up empty on some systems.

http://sysnative.com/0x8/WMIC_Recoveros_Pagefile_04-2010_jcgriff2_html.exe

Try this one - it produces a text file. Notepad will open with results - 

http://sysnative.com/0x8/WMI_recoveros_pagefile_jcgriff2_com_.exe

Curiosity question, please - Do you have IE or Firefox set as your default browser?

Regards. . .

jcgriff2



----------



## rowan.bradley

jcgriff2 said:


> Do you have IE or Firefox set as your default browser?


I have IE8 set as my default browser. I do have Firefox installed, but I only use it when for some reason IE won't do the job (like saving images that are bigger than the screen).

Your program ending _com_ did produce a text file, which I suppose is the correct information although not having seen this output before I can't be sure. Just for interest, here it is (with some blank lines deleted):



Code:


AutoReboot=TRUE
Caption=
DebugFilePath=%SystemRoot%\MEMORY.DMP
DebugInfoType=2
Description=
ExpandedDebugFilePath=C:\Windows\MEMORY.DMP
ExpandedMiniDumpDirectory=C:\Windows\Minidump
KernelDumpOnly=FALSE
MiniDumpDirectory=%SystemRoot%\Minidump
Name=Microsoft Windows 7 Professional |C:\Windows|\Device\Harddisk0\Partition1
OverwriteExistingDebugFile=TRUE
SendAdminAlert=FALSE
SettingID=
WriteDebugInfo=TRUE
WriteToSystemLog=TRUE

AllocatedBaseSize=2039
Caption=C:\pagefile.sys
CurrentUsage=963
Description=C:\pagefile.sys
InstallDate=20101125103007.861232+000
Name=C:\pagefile.sys
PeakUsage=1120
Status=
TempPageFile=FALSE

Caption=c:\ 'pagefile.sys'
Description='pagefile.sys' @ c:\
InitialSize=0
MaximumSize=0
Name=c:\pagefile.sys
SettingID=pagefile.sys @ c:

Thanks - Rowan


----------



## jcgriff2

Hi Rowan . . .

From info posted - 
- System crash settings = produce full kernel & mini kernel BSOD dump in the event that a BSOD occurs
- Windows 7 Professional installed on 25 November 2010
- You have 2 GB RAM (based on page file base allocation = 2039 MB)
- Virtual memory current usage = 963 MB
- Virtual memory peak usage (since last reboot) = 1120 MB
- Your virtual memory (page file) settings have been manually set, i.e., not set on "Automatically manage paging file size for all drives"

It looks to me that you could use a RAM upgrade as the virtual memory numbers are on the high side. RAM upgrade would speed the system up. The other option is to cut down the number of processes currently running via disabling start-up apps.

If you would like to have your system reviewed, three things please - 

1. Run - Blue Screen of Death (BSOD) Posting Instructions
2. Create a thread in Windows 7/ Vista Forum - http://www.techsupportforum.com/newthread.php?do=newthread&f=217
3. Place this link in your new thread - BSOD Kernel Dump Analysis - Discussion

Regards. . .

jcgriff2



----------



## usasma

Just FYI - there's a 3rd variant of the TDSS rootkit that's causing BSOD's in storage drivers/atapi.sys

The "fix" is to remove the rootkit and then run Startup Repair.

It's also corrupting Norton programs (I've only seen 2 instances, so there may be more). Norton will silently delete .exe's. The "fix" is to uninstall Norton.

Beyond that, I'd say refer them to the Security folks!


----------



## jcgriff2

I've seen *atapi.sys* show up in BSODs lately.

Is it safe to assume that these are probably related to the TDSS rootkit?


----------



## usasma

At work we run TDSSKiller to confirm it (free from Kaspersky here: http://support.kaspersky.com/viruses/solutions?qid=208280684 )

If the system won't boot, it'll have to be run from the Recovery Environment. I'm not familiar with the command line syntax (we use a proprietary GUI in Windows PE at work), but would suspect that it'll work there also - but I don't think that it'll get everything in PE/RE mode - hence the trip to the Security forums once you get it booting again.


----------



## Jonathan_King

Thanks John. I found you can run the TDSSKiller.exe file in GUI mode from the command prompt. No advanced command line switches are needed, you can just start the exe and go from there.

I too have been noticing the increase in ataport BSODs.


----------



## usasma

FYI, I found a variant yesterday that deletes the atapi.sys service entry from the registry (so you keep getting BSOD's no matter what you do).

I fixed it by:
- copying an existing atapi.sys service entry from another computer
- edited the .reg file to reflect the remote mounting location (3 entries in the .reg)
- merged the .reg with the remote mount
- rebooted and got into Windows

I got the clues from this post: http://www.iishacks.com/2009/11/11/malwarebytes-atapisys-and-registry-false-positives/


----------



## usasma

Interesting set of dumps here. This comes from a Win7 Sony laptop that won't boot into Windows. It is most likely infected with TDSS because I removed 3 instances of it (and 2 other trojans) from a backup of the system.

Latest BSOD is a *STOP 0x70860002* (3,2,30,0) in IaStor.sys - but trying to open it gives an error. The full MEMORY.DMP for this minidump shows STOP 0xD1 in IaStor.sys (text file of this analysis is attached in the zip file as MEMORY.txt)

I'm at work now, but will be adding this to the BSOD Index page shortly.


----------



## jcgriff2

Nice bugcheck!

I've been seeing *IaStor.sys* show up more often recently.

Thanks John.

John


----------



## usasma

I've been trying to study up on reconstructing boot sectors and partition tables. I'm not sure what TDSSKiller does, but the TrendMicro removal tools prompt when deleting TDSS from the partition table (implying that you'll need to rebuild it).

Can't recall what I did to fix that with the above system. I'll have to remember to look at it tomorrow (if it's still there) to see


----------



## usasma

Here's how we fixed it at work:



> TrendMicro Command Line scanner cleaned TDSS from "partition sector" of C:\
> (system has boot files on C:\ and OS files on D:\)
> 
> Ran Startup Repair 3 times
> Ran bootrec /fixmbr and bootrec /fixboot from command line w/64bit Win7 RE disk
> System booted.


----------



## Cpt.JackSparrow

IaStor.sys seems like a defaulter but most seen in Sony Vaio Laptops not sure why. But John's method *bootrec /fixmbr and bootrec /fixboot from Recovery console* seems to fix that problem.


----------



## AlbertMC2

Hi

Just a quick question about this thread: *http://www.techsupportforum.com/forums/f10/windows-xp-boots-slowly-then-bsod-544963.html*

Some of the modules are "Unavailable" (timestamp and checksum) when running lmntsm. They are all Microsoft modules.


Code:


1: kd> lmntsm
start    end        module name
.....
f74b7000 f74bfe00   disk     disk.sys     Sun Apr 13 20:40:46 2008 (480253AE)
ba73b000 ba760700   dmio     dmio.sys     Sun Apr 13 20:44:45 2008 (4802549D)
f798d000 f798e000   dmload   dmload.sys   unavailable (00000000)
f6013000 f6021b00   drmk     drmk.sys     Sun Apr 13 20:45:12 2008 (480254B8)
ed450000 ed467900   dump_atapi dump_atapi.sys Sun Apr 13 20:40:29 2008 (4802539D)
f79d5000 f79d6100   dump_WMILIB dump_WMILIB.SYS Fri Aug 17 23:07:23 2001 (3B7D878B)
f7837000 f783b980   dvd43llh dvd43llh.sys Mon Feb 07 20:16:49 2005 (4207B091)
ed76f000 ed771900   Dxapi    Dxapi.sys    Fri Aug 17 22:53:19 2001 (3B7D843F)
bf000000 bf011600   dxg      dxg.sys      Sun Apr 13 20:38:27 2008 (48025323)
f6206000 f6206d00   dxgthk   dxgthk.sys   Fri Aug 17 22:53:12 2001 (3B7D8438)
f5d80000 f5da3800   e100b325 e100b325.sys Tue Mar 04 21:56:25 2003 (3E6504E9)
ecc23000 ecc46180   Fastfat  Fastfat.SYS  Sun Apr 13 21:14:28 2008 (48025B94)
f77e7000 f77e8000   fdc      fdc.sys      unavailable (00000000)
f75c7000 f75d1e00   Fips     Fips.SYS     Sun Apr 13 20:33:27 2008 (480251F7)
f7817000 f7818000   flpydisk flpydisk.sys unavailable (00000000)
ba7bf000 ba7deb00   fltmgr   fltmgr.sys   Sun Apr 13 20:32:58 2008 (480251DA)
f7a1f000 f7a20000   Fs_Rec   Fs_Rec.SYS   unavailable (00000000)
ba761000 ba77f880   ftdisk   ftdisk.sys   Fri Aug 17 22:52:41 2001 (3B7D8419)
.....

Could this be corrupt memory? or a corrupt module?


----------



## jcgriff2

I usually see "unavailable" associated with security related drivers, but not always.

See if these commands provide additional info -

1. reload symbols - 


Code:


.reload

2. Check detailed info for drivers in question -


Code:


!for_each_module .echo @#ModuleName fver = @#FileVersion pver = @#ProductVersion 

!for_each_module .echo @#ModuleIndex : @#Base @#End @#ModuleName @#ImageName  @#LoadedImageName


----------



## AlbertMC2

Hi

The symbol reload did not work - same result.

Finding the information for each module (!for_each_module) gave the expected result. The fileversions, productversions and imagenames were all blank.

I decided to try it on my home PC - same result.
This is the first time I have seen this on the loaded modules (unless I am not looking properly). Admittedly I have not run many minidump debugs.

Interestingly this thread has the same problem (*http://www.techsupportforum.com/forums/f10/blue-screen-problem-545743.html*), only worse. Here there are Microsoft and 3rd party modules that are unavailable and there are unknown loaded modules.



Code:


Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp3_gdr.100427-1636
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805634c0
Debug session time: Wed Dec 22 23:35:20.656 2010 (UTC + 2:00)
System Uptime: 0 days 0:00:25.386
Loading Kernel Symbols
...............................................................
......................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {c100cc01, 2, 0, 8055196d}

*** WARNING: Unable to verify timestamp for mssmbios.sys
*** ERROR: Module load completed but symbols could not be loaded for mssmbios.sys
Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+b4 )

Followup: Pool_corruption
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: c100cc01, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8055196d, address which referenced memory

Debugging Details:
------------------


BUGCHECK_STR:  0xC5_2

CURRENT_IRQL:  2

FAULTING_IP: 
nt!ExDeferredFreePool+b4
8055196d 8b10            mov     edx,dword ptr [eax]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

TRAP_FRAME:  f7c40b8c -- (.trap 0xfffffffff7c40b8c)
ErrCode = 00000000
eax=c100cc01 ebx=00000018 ecx=000001ff edx=8056aae0 esi=8056aac0 edi=87218008
eip=8055196d esp=f7c40c00 ebp=f7c40c40 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
nt!ExDeferredFreePool+0xb4:
8055196d 8b10            mov     edx,dword ptr [eax]  ds:0023:c100cc01=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8055196d to 804e0abe

STACK_TEXT:  
f7c40b8c 8055196d badb0d00 8056aae0 871028a0 nt!KiTrap0E+0x238
f7c40c40 80551ac7 00000000 873cdfac 873cdf18 nt!ExDeferredFreePool+0xb4
f7c40c80 80703d16 86bf6be8 00000000 806ff6b8 nt!ExFreePoolWithTag+0x47f
f7c40c98 f7a95c91 8738ee80 86bf6be8 00000000 hal!HalPutScatterGatherList+0x1c
f7c40cb8 f775faff 873cdf18 80561f20 f7aa59c0 PCIIDEX!BmFlush+0x29
f7c40d28 804dcd22 8738e0a4 8738e030 00000000 atapi!IdePortCompletionDpc+0x75
f7c40d50 804dcc07 00000000 0000000e c133d131 nt!KiRetireDpcList+0x61
f7c40d54 00000000 0000000e c133d131 37f873ba nt!KiIdleLoop+0x28


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!ExDeferredFreePool+b4
8055196d 8b10            mov     edx,dword ptr [eax]

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!ExDeferredFreePool+b4

FOLLOWUP_NAME:  Pool_corruption

IMAGE_NAME:  Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID:  0xC5_2_nt!ExDeferredFreePool+b4

BUCKET_ID:  0xC5_2_nt!ExDeferredFreePool+b4

Followup: Pool_corruption
---------

1: kd> lmntsm
start    end        module name
f7825000 f7832080   1394BUS  1394BUS.SYS  Sun Apr 13 20:46:18 2008 (480254FA)
f36a7000 f36ce000   ______________________________________ ꊢꊢꎢꆣ龟ꆠꊡꎣꊢꊢꎣ꒣ꎤꊣꊢꊢꊢꆢꆡꎡꊣꊢꎣꆡꊢꂢꊠꊣꆡꊢꆡꆡꊡꎣ꒣ꎤꊢꊢ unavailable (00000000)
f3564000 f35df000   _________________________________________ ꂠꆠꂡꂠꊡꆢꂡ龟ꆠꆡ龠龞麟麞ꆠꊣꆢꆡꂡꊡꆢꂡꂠꆡꊡꊢꆢꆡꊢꆢꆡꆢꆠꆡꆡꊢꆢꊢꆡꊢꆢ unavailable (00000000)
f7975000 f7984000   _________________________________I 䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉I unavailable (00000000)
f7ae5000 f7aeb000   Aavmker4 Aavmker4.SYS unavailable (00000000)
f77c6000 f77f3d80   ACPI     ACPI.sys     Sun Apr 13 20:36:33 2008 (480252B1)
f3791000 f37b3000   afd      afd.sys      unavailable (00000000)
f7945000 f794f000   aswTdi   aswTdi.SYS   unavailable (00000000)
f7758000 f776f900   atapi    atapi.sys    Sun Apr 13 20:40:29 2008 (4802539D)
f7e14000 f7e15000   audstub  audstub.sys  unavailable (00000000)
f7db9000 f7dbb000   Beep     Beep.SYS     unavailable (00000000)
f7c25000 f7c28000   BOOTVID  BOOTVID.dll  Fri Aug 17 22:49:09 2001 (3B7D8345)
f7a65000 f7a75000   cdrom    cdrom.sys    unavailable (00000000)
f7875000 f7881180   CLASSPNP CLASSPNP.SYS Sun Apr 13 21:16:21 2008 (48025C05)
f7865000 f786de00   disk     disk.sys     Sun Apr 13 20:40:46 2008 (480253AE)
f7770000 f7795700   dmio     dmio.sys     Sun Apr 13 20:44:45 2008 (4802549D)
f7d1b000 f7d1c700   dmload   dmload.sys   Fri Aug 17 22:58:15 2001 (3B7D8567)
f7905000 f7914000   drmk     drmk.sys     unavailable (00000000)
f7dc9000 f7dcb000   dump_WMILIB dump_WMILIB.SYS unavailable (00000000)
f7985000 f7990000   Fips     Fips.SYS     unavailable (00000000)
f7738000 f7757b00   fltmgr   fltmgr.sys   Sun Apr 13 20:32:58 2008 (480251DA)
f7796000 f77b4880   ftdisk   ftdisk.sys   Fri Aug 17 22:52:41 2001 (3B7D8419)
f7a85000 f7a8f000   GEARAspiWDM GEARAspiWDM.sys unavailable (00000000)
806ff000 8071fd00   hal      halmacpi.dll Sun Apr 13 20:31:27 2008 (4802517F)
f6480000 f64a8000   HDAudBus HDAudBus.sys unavailable (00000000)
f7895000 f789e000   HIDCLASS HIDCLASS.SYS unavailable (00000000)
f7bc5000 f7bcc000   HIDPARSE HIDPARSE.SYS unavailable (00000000)
f62d7000 f63d6000   HSF_DP   HSF_DP.sys   unavailable (00000000)
f63f9000 f642f000   HSFHWBS2 HSFHWBS2.sys unavailable (00000000)
f7c29000 f7c2c320   ifp800   ifp800.sys   Mon Mar 29 10:28:22 2004 (4067DE26)
f7a55000 f7a60000   imapi    imapi.sys    unavailable (00000000)
f7d19000 f7d1a580   intelide intelide.sys Sun Apr 13 20:40:29 2008 (4802539D)
f7a25000 f7a2e000   intelppm intelppm.sys unavailable (00000000)
f37db000 f3801000   ipnat    ipnat.sys    unavailable (00000000)
f385a000 f386d000   ipsec    ipsec.sys    unavailable (00000000)
f7835000 f783e180   isapnp   isapnp.sys   Sun Apr 13 20:36:40 2008 (480252B8)
f7be5000 f7beb000   kbdclass kbdclass.sys unavailable (00000000)
f6ef1000 f6ef5000   kbdhid   kbdhid.sys   unavailable (00000000)
f7d15000 f7d16b80   kdcom    kdcom.dll    Fri Aug 17 22:49:10 2001 (3B7D8346)
f63d6000 f63f9000   ks       ks.sys       unavailable (00000000)
f770f000 f7725b00   KSecDD   KSecDD.sys   Wed Jun 24 13:18:40 2009 (4A420B90)
f7af5000 f7afc000   LHidFilt LHidFilt.Sys unavailable (00000000)
f7afd000 f7b05000   LMouFilt LMouFilt.Sys unavailable (00000000)
f7dbb000 f7dbd000   mnmdd    mnmdd.SYS    unavailable (00000000)
f7bb5000 f7bbd000   Modem    Modem.SYS    unavailable (00000000)
f7bed000 f7bf3000   mouclass mouclass.sys unavailable (00000000)
f7845000 f784f580   MountMgr MountMgr.sys Sun Apr 13 20:39:45 2008 (48025371)
f7aad000 f7ab2000   Msfs     Msfs.SYS     unavailable (00000000)
f78d5000 f78de000   msgpc    msgpc.sys    unavailable (00000000)
f6ef9000 f6efd000   mssmbios mssmbios.sys unavailable (00000000)
f7628000 f7641b80   Mup      Mup.sys      Sun Apr 13 21:17:05 2008 (48025C31)
f7642000 f766e980   NDIS     NDIS.sys     Sun Apr 13 21:20:35 2008 (48025D03)
f7ccd000 f7cd0000   ndistapi ndistapi.sys unavailable (00000000)
f6204000 f621b000   ndiswan  ndiswan.sys  unavailable (00000000)
f78f5000 f78ff000   NDProxy  NDProxy.SYS  unavailable (00000000)
f7965000 f796e000   netbios  netbios.sys  unavailable (00000000)
f37b3000 f37db000   netbt    netbt.sys    unavailable (00000000)
f7a35000 f7a45000   nic1394  nic1394.sys  unavailable (00000000)
f7acd000 f7ad5000   Npfs     Npfs.SYS     unavailable (00000000)
804d7000 806ff000   nt       ntkrnlmp.exe Tue Apr 27 15:59:02 2010 (4BD6EDA6)
f766f000 f76fb600   Ntfs     Ntfs.sys     Sun Apr 13 21:15:49 2008 (48025BE5)
f7e5b000 f7e5c000   Null     Null.SYS     unavailable (00000000)
f64bc000 f6ed9000   nv4_mini nv4_mini.sys unavailable (00000000)
f7815000 f7824100   ohci1394 ohci1394.sys Sun Apr 13 20:46:18 2008 (480254FA)
f621b000 f622f000   parport  parport.sys  unavailable (00000000)
f7a9d000 f7aa1d00   PartMgr  PartMgr.sys  Sun Apr 13 20:40:48 2008 (480253B0)
f77b5000 f77c5a80   pci      pci.sys      Sun Apr 13 20:36:43 2008 (480252BB)
f7ddd000 f7dddd00   pciide   pciide.sys   Fri Aug 17 22:51:49 2001 (3B7D83E5)
f7a95000 f7a9b180   PCIIDEX  PCIIDEX.SYS  Sun Apr 13 20:40:29 2008 (4802539D)
f7bbd000 f7bc3000   pfc      pfc.sys      unavailable (00000000)
f38b5000 f38d9000   portcls  portcls.sys  unavailable (00000000)
f61f3000 f6204000   psched   psched.sys   unavailable (00000000)
f7bd5000 f7bda000   ptilink  ptilink.sys  unavailable (00000000)
f7885000 f788db80   PxHelp20 PxHelp20.sys Fri Feb 02 23:23:57 2007 (45C3ABED)
f7d11000 f7d14000   rasacd   rasacd.sys   unavailable (00000000)
f78a5000 f78b2000   rasl2tp  rasl2tp.sys  unavailable (00000000)
f78b5000 f78c0000   raspppoe raspppoe.sys unavailable (00000000)
f78c5000 f78d1000   raspptp  raspptp.sys  unavailable (00000000)
f7bdd000 f7be2000   raspti   raspti.sys   unavailable (00000000)
f61c3000 f61f3000   rdpdr    rdpdr.sys    unavailable (00000000)
f7a75000 f7a84000   redbook  redbook.sys  unavailable (00000000)
f7ad5000 f7add000   SCDEmu   SCDEmu.SYS   unavailable (00000000)
f7cc9000 f7ccd000   serenum  serenum.sys  unavailable (00000000)
f7a45000 f7a55000   serial   serial.sys   unavailable (00000000)
f7726000 f7737f00   sr       sr.sys       Sun Apr 13 20:36:50 2008 (480252C2)
f3801000 f385a000   tcpip    tcpip.sys    unavailable (00000000)
f7bcd000 f7bd2000   TDI      TDI.SYS      unavailable (00000000)
f78e5000 f78ef000   termdd   termdd.sys   unavailable (00000000)
f354c000 f3564000   Unknown_Module_f354c000 Unknown_Module_f354c000 unavailable (00000000)
f36ce000 f373e000   Unknown_Module_f36ce000 Unknown_Module_f36ce000 unavailable (00000000)
f373e000 f3769000   Unknown_Module_f373e000 Unknown_Module_f373e000 unavailable (00000000)
f38d9000 f3afd000   Unknown_Module_f38d9000 Unknown_Module_f38d9000 unavailable (00000000)
f3b15000 f3b18000   Unknown_Module_f3b15000 Unknown_Module_f3b15000 unavailable (00000000)
f622f000 f62d7000   Unknown_Module_f622f000 Unknown_Module_f622f000 unavailable (00000000)
f6ef5000 f6ef8000   Unknown_Module_f6ef5000 Unknown_Module_f6ef5000 unavailable (00000000)
f7955000 f795e000   Unknown_Module_f7955000 Unknown_Module_f7955000 unavailable (00000000)
f79a5000 f79b5000   Unknown_Module_f79a5000 Unknown_Module_f79a5000 unavailable (00000000)
f7aed000 f7af5000   Unknown_Module_f7aed000 Unknown_Module_f7aed000 unavailable (00000000)
f7db3000 f7db5000   Unknown_Module_f7db3000 Unknown_Module_f7db3000 unavailable (00000000)
f7db7000 f7db9000   Unknown_Module_f7db7000 Unknown_Module_f7db7000 unavailable (00000000)
f7dbd000 f7dbf000   Unknown_Module_f7dbd000 Unknown_Module_f7dbd000 unavailable (00000000)
f60c5000 f6123000   update   update.sys   unavailable (00000000)
f7d1d000 f7d1e280   USBD     USBD.SYS     Fri Aug 17 23:02:58 2001 (3B7D8682)
f7bad000 f7bb5000   usbehci  usbehci.sys  unavailable (00000000)
f7915000 f7924000   usbhub   usbhub.sys   unavailable (00000000)
f642f000 f6453000   USBPORT  USBPORT.SYS  unavailable (00000000)
f7b05000 f7b0c000   USBSTOR  USBSTOR.SYS  unavailable (00000000)
f7ba5000 f7bab000   usbuhci  usbuhci.sys  unavailable (00000000)
f7c1d000 f7c23000   vga      vga.sys      unavailable (00000000)
f64a8000 f64bc000   VIDEOPRT VIDEOPRT.SYS unavailable (00000000)
f7855000 f7861c80   VolSnap  VolSnap.sys  Sun Apr 13 20:41:00 2008 (480253BC)
f7bfd000 f7c05000   wacommousefilter wacommousefilter.sys unavailable (00000000)
f7daf000 f7db1000   wacomvhid wacomvhid.sys unavailable (00000000)
f7db1000 f7db3000   WacomVKHid WacomVKHid.sys unavailable (00000000)
f79c5000 f79d2000   WDFLDR   WDFLDR.SYS   unavailable (00000000)
f7d17000 f7d18100   WMILIB   WMILIB.SYS   Fri Aug 17 23:07:23 2001 (3B7D878B)
f76fc000 f770f000   WudfPf   WudfPf.sys   unavailable (00000000)
f6453000 f6480000   yk51x86  yk51x86.sys  unavailable (00000000)

Unloaded modules:
f7935000 f7942000   i8042prt.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000D000
f7c15000 f7c1a000   Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00005000
f7d0d000 f7d10000   Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00003000
f7c0d000 f7c12000   Flpydisk.SYS
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00005000
f7c05000 f7c0c000   Fdc.SYS 
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00007000

Two of the other minidumps are similar and the other 3 (recent ones) do not even open. Once again I tried it on another PC and reloaded the symbols - no joy. 

Any ideas? The last minidumps I figure are just corrupt, so I have requested the OP to check the memory and HDD. I noticed that Atapi was on the stack; could this be a result of the TDSS rootkit as mentioned above?


----------



## jcgriff2

Code:


f7825000 f7832080   1394BUS  1394BUS.SYS  Sun Apr 13 20:46:18 2008 (480254FA)

f36a7000 f36ce000   ______________________________________ ꊢꊢꎢ
ꆣ龟ꆠꊡꎣꊢꊢꎣ꒣ꎤꊣꊢꊢꊢꆢꆡꎡꊣꊢꎣꆡꊢꂢꊠꊣꆡꊢꆡꆡꊡꎣ꒣ꎤꊢꊢ unavailable (00000000)

f3564000 f35df000   _________________________________________ 
ꂠꆠꂡꂠꊡꆢꂡ龟ꆠꆡ龠龞麟麞ꆠꊣꆢꆡꂡꊡꆢꂡꂠꆡꊡꊢꆢꆡꊢꆢꆡꆢꆠꆡꆡꊢꆢꊢꆡꊢꆢ unavailable (00000000)

f7975000 f7984000   _________________________________I 䥉䥉䥉䥉
䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉䥉I unavailable (00000000)

f7ae5000 f7aeb000   Aavmker4 Aavmker4.SYS unavailable (00000000)
f77c6000 f77f3d80   ACPI     ACPI.sys     Sun Apr 13 20:36:33 2008 (480252B1)

I would label that = OS corruption due to unknown hardware failure.

"Unknown Module" points to same - 


Code:


f354c000 f3564000 Unknown_Module_f354c000 Unknown_Module_f354c000 unavailable (00000000)
f36ce000 f373e000 Unknown_Module_f36ce000 Unknown_Module_f36ce000 unavailable (00000000)
f373e000 f3769000 Unknown_Module_f373e000 Unknown_Module_f373e000 unavailable (00000000)
f38d9000 f3afd000 Unknown_Module_f38d9000 Unknown_Module_f38d9000 unavailable (00000000)

Infection also possible, but I'd suggest testing RAM first.


----------
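
The triage described in the post above (garbled module names and `Unknown_Module` entries read as signs of corruption) can be scripted over a saved `lm` listing. This is an added example, not code from the thread; the sample listing is constructed from rows shown above with a stand-in garbled name, and treating an unavailable timestamp on its own as a weak signal is an assumption of the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of the `lm` listings above. Addresses and
# timestamps reuse rows shown in the thread; the garbled name is a stand-in
# built from escapes and joined onto one line.
SAMPLE_LM = "\n".join([
    "start    end        module name",
    "f7825000 f7832080   1394BUS  1394BUS.SYS  Sun Apr 13 20:46:18 2008 (480254FA)",
    "f36a7000 f36ce000   ______ \ua2a2\ua2a2\ua3a2 \ua1a3\u9f9f unavailable (00000000)",
    "f7ae5000 f7aeb000   Aavmker4 Aavmker4.SYS unavailable (00000000)",
    "f354c000 f3564000   Unknown_Module_f354c000 Unknown_Module_f354c000 unavailable (00000000)",
    "f77c6000 f77f3d80   ACPI     ACPI.sys     Sun Apr 13 20:36:33 2008 (480252B1)",
])

# start, end, free-form name field, then either "unavailable (00000000)"
# or a printed date followed by the raw 32-bit timestamp in hex.
ROW = re.compile(
    r"^(?P<start>[0-9a-f`]{8,17})\s+(?P<end>[0-9a-f`]{8,17})\s+"
    r"(?P<names>.+?)\s+"
    r"(?:unavailable \(00000000\)"
    r"|[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} [\d:]{8} \d{4} "
    r"\((?P<stamp>[0-9A-Fa-f]{8})\))\s*$"
)


def parse_lm(text):
    """Parse `lm` rows into dicts; lines that are not module rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        start = int(m["start"].replace("`", ""), 16)
        end = int(m["end"].replace("`", ""), 16)
        names = m["names"]
        flags = []
        # Driver names are plain ASCII; anything else means the loaded-module
        # list itself was damaged in memory.
        if any(not 0x20 <= ord(c) < 0x7F for c in names):
            flags.append("garbled-name")
        # The debugger's placeholder for a range it cannot tie to an image.
        if names.startswith("Unknown_Module_"):
            flags.append("unknown-module")
        if end <= start:
            flags.append("bad-range")
        built = None
        if m["stamp"]:
            # The hex value is seconds since 1970-01-01 UTC; the printed date
            # is the same instant in the analyst's local time zone.
            built = datetime.fromtimestamp(int(m["stamp"], 16), tz=timezone.utc)
        entries.append({"start": start, "end": end, "size": end - start,
                        "names": names, "built": built, "flags": flags})
    return entries


def triage(entries):
    """Separate strong corruption signs from rows that merely lack a timestamp."""
    suspects = [e for e in entries if e["flags"]]
    no_stamp = [e for e in entries if not e["flags"] and e["built"] is None]
    return {"suspects": suspects, "no_timestamp_only": no_stamp}


if __name__ == "__main__":
    result = triage(parse_lm(SAMPLE_LM))
    for e in result["suspects"]:
        print(f"{e['start']:08x}-{e['end']:08x} {','.join(e['flags'])}")
    print("rows with only a missing timestamp:", len(result["no_timestamp_only"]))
```
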



## usasma

Just a thought, but have you cleaned out your symbol cache (by deleting the folder) and then let it reload as the dumps run?

If your symbol path is this:


Code:


SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

delete C:\symbols and then rerun the dumps (it'll be slow until it fills the cache back up).


----------



## AlbertMC2

Hi

Tried deleting the symbol files/folder but it came back with the same errors - unavailable and unknown modules.
The OP posted back today after running Memtest - Memory has plenty of errors and will have to be replaced.
This explains the "funny" and unknown modules in the 2nd thread but I am still stumped with the unavailable timestamp and checksum in the 1st thread.


----------



## Cpt.JackSparrow

Here is a little explanation: Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 43)


----------



## lilal100

Hi, I finished part 2 of the instructions. I typed perfmon into the run line of the start menu and nothing happened, so I just typed perfmon and a program loaded. From there I went to the report tab. I tried to download from there but it would only load as a CSV file. How do I get the file to download as HTML?

Thanks in advance.


----------



## reventon

lilal100 said:


> How do I get the file to download as HTML?


I can't immediately find a way to save as HTML from that menu.

Try running from the start line again, the line is:

*perfmon /report*

Make sure you get the space in the right place.


----------



## lilal100

Thanks, that did work. How do I find out what video card I have?


----------



## Jonathan_King

You can open MSINFO32 (enter it in the start menu), and expand the Components > Display window.


----------



## Jonathan_King

Interesting drivers:


Code:


hiber_diskdump.sys Sat Apr 11 00:39:11 2009 (49E01EEF)
hiber_nvstor32.sys Fri Oct 26 14:50:16 2007 (472236E8)

http://www.techsupportforum.com/forums/f217/dads-vista-bluescreen-546627.html

What does the *hiber* prefix mean? It does seem as if the BSODs occur sometime during the hibernation process.


----------



## usasma

> If the miniport driver is in hibernation mode, the driver name will have a prefix of "hiber_".


Last line on this page: Restrictions on Miniport Drivers that Manage the Boot Drive (Windows Driver Kit)

From this I'd presume that the miniport drivers have moved into the state that they use when hibernating the system - and then the crash occurred.


----------



## usasma

Added these to the dvrref.html page


----------



## jcgriff2

Excellent post by cluberti on 0x77 and corrupted page file - http://www.techsupportforum.com/forums/f217/solved-dads-vista-bluescreen-546627.html#post3106065


----------



## Jonathan_King

Has anyone noticed an increase of 0x101 BSODs lately? It may just be that I'm doing a few more than usual, what do you all think?


----------



## dreikano

View attachment Minidump.zip
These are my last 3 minidumps. I tried the debug but I keep getting an error of using incorrect symbols. I used the command "!Analyze -v".


----------



## GZ

Hello dreikano,

You have to set up your symbol path properly...

http://www.techsupportforum.com/for...p-analysis-discussion-452622.html#post2637132

The tutorial linked in the above post will show you what to do. 

Look under *Set your symbol path*


----------



## Jonathan_King

PunkBuster is now causing 0x124 BSODs; BattleField Bad Company 2 (BFBC2) is the game that is using it.

BSOD - Hardware Failure - Windows 7 Forums


----------



## DT Roberts

A possible solution to that issue: http://www.techsupportforum.com/for...ntsokrnle-exe-70740-a-557976.html#post3170455


----------



## Jonathan_King

I've suggested that here Devin: BSOD while playing BFBC2 - Page 2 - Windows 7 Forums

The OP is also using ATI; let's hope it works!

EDIT: http://www.techsupportforum.com/for...g-a-specific-game-bc2-557529.html#post3166667

That guy is using nVidia.


----------



## DT Roberts

That's strange... Perhaps the OP is running the *NVIDIA Control Panel*?

If it's not just ATI, it's going to be very difficult to find a surefire fix on our end. *EA* has some work to do.


----------



## VirGnarus

Jonathan_King said:


> Has anyone noticed an increase of 0x101 BSODs lately? It may just be that I'm doing a few more than usual, what do you all think?


I haven't seen any of them recently, but I do know they're related to a funky cpu or a hang of some sort, most likely a deadlock. Deadlock detection is a good setting to sniff out those probs. Too bad minidumps don't let you change processor context (~#s, # is proc id), otherwise I'd recommend that if it doesn't already switch to that processor context. You can at most check the PRCB (Processor Control Block) that holds some semi-pertinent processor-related info via extension !prcb.


----------



## Jonathan_King

Another user claims to have solved it by uninstalling Gigabyte's ET6 program: BSOD while playing BFBC2 - Page 2 - Windows 7 Forums


----------



## DT Roberts

I think I get it...

*PunkBuster* roots out cheaters by trying to kill off third-party programs that the game is running. Perhaps in this new release, *PunkBuster* is incorrectly determining that these GPU monitoring programs are actually used for cheating. *PunkBuster* attempts to kill the process->the process is linked directly to the GPU, therefore disrupting proper video output->hardware fault.

If this does turn out to be the solution to the issue after some more testing, I think we should sticky it temporarily - either here or in *Games* - until *BFBC2* fixes the bug.


----------



## Jonathan_King

Another OP removed ET6 and had no BSODs: BSOD while playing BFBC2 - Page 2 - Windows 7 Forums

Have you noticed that every such BSOD we've seen thus far has been on Gigabyte motherboards? Correct me if I'm wrong...

I think the ET6 removal may be the best tip we've had yet.


----------



## DT Roberts

Actually that is a good point; I didn't notice they were all *GIGABYTE* boards... But then, why would downgrading *Catalyst* have solved this one? http://www.techsupportforum.com/for...ntsokrnle-exe-70740-a-557976.html#post3170455


----------



## Jonathan_King

Yet another ET6 removal: http://www.techsupportforum.com/for...g-a-specific-game-bc2-557529.html#post3172449

Gigabyte ET6 is an overclocking utility, and if I'm not mistaken, ATI Catalyst has similar functionality?


----------



## DT Roberts

Yes it is and that's what I was thinking before, but *Catalyst* works solely with the GPU as far as I know. *ET6* seems to be able to overclock other components as well.

That does make sense, though. *ET6* could still be connected to the GPU whether that's all it deals with or not.


----------



## Jonathan_King

This OP solved his problem by uninstalling PunkBuster and reinstalling it: BSOD while playing BFBC2 - Page 2 - Windows 7 Forums


----------



## Jonathan_King

BSOD - possible issue with SATA 3 control?? - Windows 7 Forums

That OP was using SATA II cables with a SATA III hard drive, and getting BSODs. I didn't think of that as a possibility before now!


----------



## jcgriff2

Using *!devobj* command in *0x9f (0x3,,,)* BSOD helped uncover NVIDIA - 




Code:


0: kd> !devobj fffffa8006f0f310

ffffff80001c3df90: Unable to get value of ObpRootDirectoryObject
Device object (fffffa8006f0f310) is for:
InfoMask field not found for _OBJECT_HEADER at fffffa8006f0f2e0
\Driver\ACPI DriverObject fffffa8006ca1060
Current Irp 00000000 RefCount 0 Type 00000032 Flags 00004000
DevExt fffffa8006f11a90 DevObjExt fffffa8006f0f460
ExtensionFlags (0x00000800)
                          Unknown flags 0x00000800
AttachedDevice (Upper) fffffa800942f480
Unable to load image \SystemRoot\system32\DRIVERS\nvlddmkm.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvlddmkm.sys
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
\Driver\nvlddmkm
AttachedTo (Lower) fffffa8006f10a10 \Driver\pci
Device queue is not busy.


http://www.techsupportforum.com/for...te_failure-0x0000009f-574821.html#post3271835



----------



## mgorman87

Solved Black screen crash & restarts, no BSOD - Windows 7 Forums


OP was having issues with black screens and restarts with no BSODs. Enabling DV was showing the Intelppm.sys driver being at fault. I thought it was hardware issues. After going through all the troubleshooting steps, OP went into device manager and attempted to update their CPU drivers. They saw that there was a second processor driver named "Processor" as well as "Intel Processor". By selecting the other driver (Processor), the BSODs stopped and his system became stable.


----------



## jcgriff2

Awesome thread, Mike.

Out of curiosity, I checked my system - intelppm.sys.


----------



## Cpt.JackSparrow

Hi guys,

I came across at least 4 to 5 cases where MapleStory was causing BSODs. I wasn't able to fix it. When the OP contacted the support they asked to just update the drivers and DirectX etc. If anyone fixed it, could you please post that thread?

Thanks


----------



## jcgriff2

I've seen Maple Story in many BSODs, but do not ever recall a solution.. yet.


----------



## cluberti

mgorman87 said:


> Solved Black screen crash & restarts, no BSOD - Windows 7 Forums
> 
> 
> OP was having issues with black screens and restarts with no BSODs. Enabling DV was showing the Intelppm.sys driver being at fault. I thought it was hardware issues. After going through all the troubleshooting steps, OP went into device manager and attempted to update their CPU drivers. They saw that there was a second processor driver named "Processor" as well as "Intel Processor". By selecting the other driver (Processor), the BSODs stopped and his system became stable.


"Processor" has no sleep states or power management, the "Intel Processor" uses the intelppm driver and allows full power state management. If switching to a processor driver that doesn't allow sleep states "fixes" things, it's likely there's a hardware issue in one (or more) of the CPU cores or L1 caches at that point.


----------



## Cpt.JackSparrow

This is really funny, you guys should see it. You can see what John's tool can do.

YouTube - How to fix maplestory BSOD window 7


----------



## jcgriff2

I don't know whether to be flattered by the YouTube video or. . . otherwise, because the video shows my copyrighted material (BSOD app) was uploaded to Media Fire for unlawful distribution.

It is a damn good one though, Shyam - perfect timing for Maple Story too.

So.... what is the solution? Video stopped short. 

Thanks...

John


----------



## Cpt.JackSparrow

Just run the app and enjoy the game


----------



## mgorman87

cluberti said:


> "Processor" has no sleep states or power management, the "Intel Processor" uses the intelppm driver and allows full power state management. If switching to a processor driver that doesn't allow sleep states "fixes" things, it's likely there's a hardware issue in one (or more) of the CPU cores or L1 caches at that point.


 
Thanks cluberti. I will pass that info on to the OP


----------



## Jonathan_King

A BIOS update might also be beneficial...you never know.


----------



## Cpt.JackSparrow

Update: 

Maplesea just sent an email to OP:
There has been an increase number of Windows 7 users who have feedback to us about the non-compliance issues with regards to the game clients, however there is no specific time on when they will be compatible with Windows 7. Rest assured that discussion with the system developer is on-going and the game client may be fixed to accustom Windows 7 in the future. Kindly refer to our website for any latest updates on this issue.


----------



## DT Roberts

They'd better get it working fast. Anything that isn't compatible with Windows 7 in the next year or so will become obsolete.


----------



## yardpenalty

jcgriff2 said:


> You got it, Devin !
> 
> The AVG driver *AVGIDSFilter.sys* is the culprit.
> 
> Nice!
> 
> John
> 
> .



That's crazy because I just installed AVG for a friend and got rid of Webroot and the BSOD is still occurring! I am going to try to remove the AVGIDSFilter.sys component, but this is where I was going with my friend's BSOD problem -> http://www.techsupportforum.com/for...-log-off-and-switching-user-vista-580247.html. I haven't done much with Win SDK debugging or any OS debugger. Can anyone post some suggestions please?


----------



## jcgriff2

The post you referenced is from January 2010.

Process of elimination is the order of the day when processing 1,000s of dumps.


----------



## DeanoTeano

I was completely fed up of BSODs on Windows to the point that I was getting one every time I shut down my computer! When I was looking for solutions to the BSOD problem I found this other OS called Zorin Linux which looks like Windows so I didn't have to learn anything to use it but doesn't get these BSODs and can't get viruses and it's free! Here's their DistroWatch page [


----------



## cluberti

Use what works for you. However, in a more useful vein, you might want to consider users will be trying to install Quickbooks, or games, or Photoshop, or... you get the point. And no, WINE is not a good substitute for the real thing.

The way to fix BSOD issues is to track down the source (which, I may add, are almost always driver-related, not problems with the OS itself), which allows you ultimately to keep using the OS that supports the majority of software and users in the world.

While I understand the sentiment, the fact this is your first post leads me to instead say "thank you for trolling playing" instead.


----------



## yardpenalty

I am sorry, but Windows has always been good to me! BSODs are always curable and the only major problems I have had are self-inflicted ones to learn the OS underneath the hood. I LOVE WINDOWS, especially PowerShell which is derived from Linux.


----------



## cluberti

PowerShell is basically a .net interpreter environment with a scripting language, and is more akin to VMS DCL or AS400 CL than Linux. The Windows Script Host (WSH) inside a DOS command interpreter (cmd.exe), which means scripts executed in cscript.exe (rather than wscript.exe) is much more akin to the Linux shell environments, for reference.


----------



## yardpenalty

I should have said the concept. I haven't had too much experience with Linux so I don't really know much of the mechanics, but I do love Perl scripting and have also done AS400 RPGIV and some DFU so I do see your point. I do believe .net will eventually handle all languages and will be the ruler of what's to come and think it will be a fundamental, and PowerShell is a prime example of the uses of encapsulation and OOP. Just my opinion.


----------



## cluberti

I think you're probably right - one shell to rule them all.


----------



## jcgriff2

Bugcheck *0x118* - http://www.techsupportforum.com/forums/f299/random-freezes-and-restarts-599863.html#post3432850


----------



## jcgriff2

Debugging Tools for Windows v6.12 has a bug - *!vm* command - 

*6.12*


Code:


6: kd> !vm 1

*** Virtual Memory Usage ***
Physical Memory:     8386102 (  33544408 Kb)
Page File: \??\C:\pagefile.sys
Current:  33544408 Kb  Free Space:  33544404 Kb
Minimum:  33544408 Kb  Maximum:    100633224 Kb
Unimplemented error for MiSystemVaTypeCount
Available Pages:     7821975 (  31287900 Kb)
ResAvail Pages:      8223434 (  32893736 Kb)
Locked IO Pages:           0 (         0 Kb)
Free System PTEs:   33554948 ( 134219792 Kb)
Modified Pages:        75374 (    301496 Kb)
Modified PF Pages:     75306 (    301224 Kb)
NonPagedPool 0 Used:       0 (         0 Kb)
NonPagedPoolNx 0 Used:  6506 (     26024 Kb)
NonPagedPool 1 Used:       0 (         0 Kb)
NonPagedPoolNx 1 Used:  2827 (     11308 Kb)
NonPagedPool Usage: 25588688 ( 102354752 Kb)
NonPagedPoolNx Usage:  26693 (    106772 Kb)
NonPagedPool Max:    6270449 (  25081796 Kb)
********** Excessive NonPaged Pool Usage *****
PagedPool 0 Usage:     31500 (    126000 Kb)
PagedPool 1 Usage:      9966 (     39864 Kb)
PagedPool 2 Usage:      3025 (     12100 Kb)
PagedPool Usage:       44491 (    177964 Kb)
PagedPool Maximum:  33554432 ( 134217728 Kb)
Session Commit:         5929 (     23716 Kb)
Shared Commit:         12648 (     50592 Kb)
Special Pool:            757 (      3028 Kb)
Shared Process:        10540 (     42160 Kb)
PagedPool Commit:      44491 (    177964 Kb)
Driver Commit:          2914 (     11656 Kb)
Committed pages:      732275 (   2929100 Kb)
Commit limit:       16772204 (  67088816 Kb)

 
*102 GB* non-paged pool??

non-paged pool can't be > physical memory, which = 32 GB.



Same dump - 

Windbg *6.11*


Code:


6: kd> !vm 1

*** Virtual Memory Usage ***
Physical Memory:     8386102 (  33544408 Kb)
Page File: \??\C:\pagefile.sys
Current:  33544408 Kb  Free Space:  33544404 Kb
Minimum:  33544408 Kb  Maximum:    100633224 Kb
unable to get nt!MmSystemLockPagesCount
Available Pages:     7821975 (  31287900 Kb)
ResAvail Pages:      8223434 (  32893736 Kb)
Locked IO Pages:           0 (         0 Kb)
Free System PTEs:   33511428 ( 134045712 Kb)
Modified Pages:        75374 (    301496 Kb)
Modified PF Pages:     75306 (    301224 Kb)
NonPagedPool 0 Used:    6506 (   26024 Kb)
NonPagedPool 1 Used:    2827 (   11308 Kb)
NonPagedPool Usage:    26693 (    106772 Kb)
NonPagedPool Max:    6270449 (  25081796 Kb)
PagedPool 0 Usage:     31500 (    126000 Kb)
PagedPool 1 Usage:      9966 (     39864 Kb)
PagedPool 2 Usage:      3025 (     12100 Kb)
PagedPool Usage:       44491 (    177964 Kb)
PagedPool Maximum:  33554432 ( 134217728 Kb)
Session Commit:         5929 (     23716 Kb)
Shared Commit:         12648 (     50592 Kb)
Special Pool:            757 (      3028 Kb)
Shared Process:        10540 (     42160 Kb)
PagedPool Commit:      44491 (    177964 Kb)
Driver Commit:          2914 (     11656 Kb)
Committed pages:      732275 (   2929100 Kb)
Commit limit:       16772204 (  67088816 Kb)


----------
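
The sanity check applied in the post above (non-paged pool usage cannot exceed physical memory) can be run mechanically over any saved `!vm` output before its numbers are trusted. This is an added example, not code from the thread; the two inputs are excerpts of the listings above, and the bounds other than the physical-memory one are analogous checks assumed here.

```python
import re

PAGE_KB = 4  # page size implied by the listings: 8386102 pages = 33544408 Kb

# Excerpts of the two !vm listings above (same dump, two debugger versions).
VM_6_12 = """\
Physical Memory:     8386102 (  33544408 Kb)
Current:  33544408 Kb  Free Space:  33544404 Kb
Unimplemented error for MiSystemVaTypeCount
Available Pages:     7821975 (  31287900 Kb)
NonPagedPool Usage: 25588688 ( 102354752 Kb)
NonPagedPoolNx Usage:  26693 (    106772 Kb)
NonPagedPool Max:    6270449 (  25081796 Kb)
PagedPool Usage:       44491 (    177964 Kb)
PagedPool Maximum:  33554432 ( 134217728 Kb)
Committed pages:      732275 (   2929100 Kb)
Commit limit:       16772204 (  67088816 Kb)
"""

VM_6_11 = """\
Physical Memory:     8386102 (  33544408 Kb)
Current:  33544408 Kb  Free Space:  33544404 Kb
unable to get nt!MmSystemLockPagesCount
Available Pages:     7821975 (  31287900 Kb)
NonPagedPool Usage:    26693 (    106772 Kb)
NonPagedPool Max:    6270449 (  25081796 Kb)
PagedPool Usage:       44491 (    177964 Kb)
PagedPool Maximum:  33554432 ( 134217728 Kb)
Committed pages:      732275 (   2929100 Kb)
Commit limit:       16772204 (  67088816 Kb)
"""

# "Label:   <pages> ( <n> Kb)" rows only; other lines are ignored.
COUNTER = re.compile(
    r"^\s*(?P<label>[^:(]+?):\s+(?P<pages>\d+)\s+\(\s*(?P<kb>\d+)\s+Kb\)\s*$"
)

# (rule name, counter that must not exceed, the bound). The first rule is the
# one stated in the post; the others are assumed analogous bounds.
BOUNDS = [
    ("nonpaged-exceeds-physical", "NonPagedPool Usage", "Physical Memory"),
    ("nonpaged-exceeds-max", "NonPagedPool Usage", "NonPagedPool Max"),
    ("paged-exceeds-max", "PagedPool Usage", "PagedPool Maximum"),
    ("commit-exceeds-limit", "Committed pages", "Commit limit"),
]


def parse_vm(text):
    """Return {label: (pages, kb)} for every counter row in !vm output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m["label"]] = (int(m["pages"]), int(m["kb"]))
    return counters


def check_vm(text):
    """Return a list of (rule, detail) for counters that cannot be right."""
    counters = parse_vm(text)
    findings = []
    # Each row prints the same quantity twice; the two must agree.
    for label, (pages, kb) in counters.items():
        if kb != pages * PAGE_KB:
            findings.append(("kb-mismatch", label))
    # A counter larger than its hard bound points at the tool, not the dump.
    for rule, small, big in BOUNDS:
        if small in counters and big in counters:
            if counters[small][0] > counters[big][0]:
                detail = f"{small} {counters[small][0]} > {big} {counters[big][0]}"
                findings.append((rule, detail))
    return findings


if __name__ == "__main__":
    for name, text in (("6.12", VM_6_12), ("6.11", VM_6_11)):
        print(name, check_vm(text) or "consistent")
```
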



## -WOLF-

There are 230 pages in this thread... is there any pertinent and important information that I need that could be summarized? Such as software etc. I already use Blue Screen View. I'd like to get up to speed so I can start learning and start helping with BSODs and other errors.


----------



## jcgriff2

Start w/ Post #1 and install Windbg.

See post #2 re: Blue Screen View.


----------



## jcgriff2

Detailed *!analyze -v* analysis by *VirGnarus* including *rdx*, *rcl registers* + *!pte*, *dq* commands - 

http://www.techsupportforum.com/for...zes-netio-sys-cause-607207-2.html#post3527782


----------



## VirGnarus

Thanks for the exposure, JC. I was going to create a thread about it and slap it into my BSOD tips thread, but I don't feel right adding an incomplete example because of the limitation of the minidump used. Kinda like, "Hey, that's a good job! Too bad it accomplished nothing." If there was an answer to that mysterious "d0" value in the rcx register, I wouldn't hesitate to add it to my smorgasbord of BSOD articles.

Also, I have a large one in the works based on my findings from this thread, but I am waiting to confirm if my analysis was accurate and that his hardware change would fix the problem.

Oh, btw, for those wondering about the _dq @r9_, you can use the @ symbol to specify a memory address from a register. So instead of using dps, dd, dw, dq, etc. etc. followed by a memory address, if you know the memory address is in a register, you can simply do @ followed by the register's name (in this case, @r9). It'll look at what's stored in that register and use that as the address for the data you want to gander at. Be careful you are in the right context, however. Otherwise you'll end up getting the register's value, but at a different point in time (typically after KeBugCheckEx was done using it). I think I might explain contexts and add the @ register symbol to my BSOD stuff.


----------



## jcgriff2

Info on *0x116* & *0x117* video TDR timeout -

http://forums.nvidia.com/index.php?showtopic=65161

Courtesy of *VirGnarus*

John


----------



## jcgriff2

Extremely interesting thread - http://www.techsupportforum.com/forums/f299/bsods-on-wake-from-hybrid-sleep-608766.html


----------



## loda117

can someone please take a look at this 
for some reason I can not open his dump file with windbg 
http://www.techsupportforum.com/forums/f299/bsod-618689.html


----------



## Wrench97

Posted the results


----------



## loda117

Thank you Wrench you always save my buns


----------



## loda117

Can someone take a look at this 
I keep getting "unknown_image" with no analysis on all the dump files 

http://www.techsupportforum.com/for...a-secondary-processor-619808.html#post3557212

thanks


----------



## VirGnarus

That's because the windbg analysis engine cannot determine a possible cause for 0x101 bugchecks. To make things even worse for the person debugging, minidumps only carry the context of the currently running thread in which KeBugCheckEx was called. That means only one processor's context was saved, while the rest of the processors are not. That pretty much closes the door on trying to analyze 0x101 bugchecks, because the issue usually occurs in a multi-processor environment where one processor affected the state of another one (usually through an interrupt). It's impossible to diagnose cause when you have access to just one processor - and because that one processor was able to call KeBugCheckEx to perform the crash procedure, obviously it isn't the one that got hung, otherwise it wouldn't even be able to BSOD the PC.

Driver Verifier may help here, so you can direct him to this thread to have him use it, but most likely it won't be of much help unless you're lucky. At least a kernel dump (the _MEMORY.DMP_ file in Windows directory) is required to figure out 0x101 bugchecks. You can ask him for that as well (course he'll need to upload to a 3rd-party filesharing site).


----------



## loda117

hmm interesting 
I will ask him for that 
would you think maybe a BIOS update would fix the issue rather than driver verifier?


----------



## VirGnarus

Driver Verifier will just crash his system should it find anything suspicious. Hopefully this will occur early as it will find a driver that is ripe for causing this kind of bugcheck and crash and point finger at it before it gets the chance to do something funky. 

BIOS update could help, it's definitely worth a shot.

Just so you know, the most common cause of 0x101 bugchecks is what's called a _race condition_. It means something occurred between two processors where the timing just ended up being real bad. Drivers can have buggy code that can cause this to occur, or even overclocking which can cause one processor to unexpectedly finish its job before the other one, which can cause problems. However that doesn't seem likely in this case. You can read a bit more on race conditions here.


----------



## loda117

I have got another one 
All dump files are pointing at video drivers 
he has updated them still 
http://www.techsupportforum.com/forums/f299/bsod-dxgkrnl-sys-619625.html
I have no idea what else to go for here


----------



## Wrench97

loda117 said:


> I have got another one
> All dump files are pointing at video drivers
> he has updated them still
> http://www.techsupportforum.com/forums/f299/bsod-dxgkrnl-sys-619625.html
> I have no idea what else to go for here


There are some older drivers on that, get him to update the Realtek LAN and audio drivers (RTKVHD64.sys Fri Apr 30 05:05:58 2010, Rt64win7.sys Sat Dec 19 04:11:30 2009) as well as some questionable Nvidia driver dates, might be a good idea to remove all the Nvidia drivers with driver sweeper and start fresh.



Code:


mv91xx.sys      Wed Mar 17 03:53:06 2010 (4BA08A62)
mvxxmm.sys      Wed Mar 17 03:52:37 2010 (4BA08A45)
amdxata.sys     Fri Mar 19 12:18:18 2010 (4BA3A3CA)
nusb3hub.sys    Thu Jan 21 22:22:18 2010 (4B5919EA)
dtsoftbus01.sys Fri Jun 17 03:38:37 2011 (4DFB047D)
nusb3xhc.sys    Thu Jan 21 22:22:21 2010 (4B5919ED)
Edge7x64.sys    Mon May 03 16:31:28 2010 (4BDF32A0)
nvhda64v.sys    Wed Nov 09 09:21:28 2011 (4EBA8C68)
RTKVHD64.sys    Fri Apr 30 05:05:58 2010 (4BDA9D76)
Rt64win7.sys    Sat Dec 19 04:11:30 2009 (4B2C98C2)
nvlddmkm.sys    Wed Nov 23 20:34:43 2011 (4ECD9F33)
nvBridge.kmd    Fri May 20 23:58:23 2011 (4DD7385F)
Xeno7x64.sys    Mon May 03 16:31:29 2010 (4BDF32A1)
nvhda64v.sys    Thu Jul 07 12:21:14 2011 (4E15DCFA)
nvlddmkm.sys    Sat Oct 15 02:07:55 2011 (4E99233B)


----------



## loda117

thank you Wrench


----------



## usasma

If video drivers are blamed and they're updated, then the problem can be either bad hardware - or other (bad) drivers interfering.

Try Furmark and some other stress tests to test the video hardware. Here are the ones that I suggest:


> I suggest starting all troubleshooting with the following diagnostic tests (located at this link: Hardware Diags ). They'll save you a lot of time and heartache if there is a hardware failure, and you'll have the disks on hand in case you need them in the future:
> 
> 
> 
> *H/W Diagnostics:*
> Please start by running these bootable hardware diagnostics:
> Memory Diagnostics (read the details at the link)
> HD Diagnostic (read the details at the link) - Test *ALL* of the hard drives.
> 
> Also, please run one of these free, independent online malware scans to ensure that your current protection hasn't been compromised: Free Online AntiMalware Resources (read the details at the link)
> There are also free, bootable antivirus disks at this link: Free Online AntiMalware Resources - Bootable Disks
> 
> 
> 
> Then, if the above tests pass, I'd try these free stress tests:
> 
> 
> 
> FurMark download site: FurMark: VGA Stress Test, Graphics Card and GPU Stability Test, Burn-in Test, OpenGL Benchmark and GPU Temperature | oZone3D.Net
> *FurMark Setup:*
> - If you have more than one GPU, select Multi-GPU during setup
> - In the Run mode box, select "Stability Test" and "Log GPU Temperature"
> Click "Go" to start the test
> - Run the test until the GPU temperature maxes out - or until you start having problems *(whichever comes first)*.
> *NOTE:* Set the alarm to go off at 90ºC. Then watch the system from that point on. If the system doesn't display a temperature, watch it constantly and turn it off at the first sign of video problems. *DO NOT* leave it unmonitored, it can *DAMAGE* your video card!!!
> If the temperature gets above *100ºC*, quit the test - the video card is overheating.
> - Click "Quit" to exit
> 
> Prime95 download site: Free Software - GIMPS
> *Prime95 Setup:*
> - extract the contents of the zip file to a location of your choice
> - double click on the executable file
> - select "Just stress testing"
> - select the "Blend" test. If you've already run MemTest overnight please run the "Small FFTs" test instead. (run all 3 if you find a problem and note how long it takes to error out with each)
> - "Number of torture test threads to run" should equal the number of CPU's times 2 (if you're using hyperthreading).
> The easiest way to figure this out is to go to Task Manager...Performance tab - and see the number of boxes under CPU Usage History
> Then run the test for 6 to 24 hours - or until you get errors *(whichever comes first)*.
> Monitor the CPU temperature and *DON'T* let it exceed 85ºC. If it does, then you probably have a CPU cooling problem.
> This won't necessarily crash the system - but check the output in the test window for errors.
> The Test selection box and the stress.txt file describe which components the program stresses.
> More details on the use of this test: Torture test your CPU with Prime95
> 
> *More Video Stress Tests:*
> 1. Thanks to VirGnarus for finding this test: https://simtk.org/home/memtest
> 2. Two other video stress tests (may be more stressful than FurMark):
> NOTE: I have had reports that some ISP's will block this website
> Video Memory stress Test - МИР NVIDIA / Утилиты / VMT
> Artifact Locator - МИР NVIDIA / Утилиты / Artifact Locator
> Sorry, but I don't read the language that this website is made in.
> 3. Another interesting test that came to my attention: Download - OCCT Website english
> USE AT YOUR OWN RISK - the program doesn't have a whole bunch of safety features to protect you from yourself!
> 
> *CPU Stress Tests:*
> Only need to run 1 or 2 of the tests under most circumstances. I haven't used any of the tests myself, so I listed all that I was able to find.
> - http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=19182&lang=eng
> - 7Byte : Hot CPU Tester Pro
> - 7Byte : BurnIn64
> - CPU Stress test
> - Fossil Free Online CPU Load or Stress Test.
> - CPU Stability Test description, System Resources Tune-Up. Downloads List By All Time Popularity | PCWorld | PCWorld
> - CPU Stress test
> - |MG| CPU Stability Test 6.0 Download
> - LinX - A simple Linpack interface
> - the test(s) suggested at this link are bootable: http://www.techsupportforum.com/forums/f15/headless-cpu-stress-testing-393435.html#post2232929
> 


----------



## jcgriff2

Great series by Mark Russinovich -

Windows Hang and Crash Dump Analysis 1/9 - YouTube


----------



## jcgriff2

App not generating dumps after APPCRASH -

http://www.sevenforums.com/crashes-...ate-crash-dump-after-appcrash.html#post707826


----------



## jarekexe

Hi all

I can't seem to find instructions for posting minidumps for XP. Can anyone tell me where I can find them?


----------



## jcgriff2

Hi - 

For XP:

Download these 2 files; save both to My Documents folder - 

*1.* Microsoft SysInternals AutoRuns -  http://live.sysinternals.com/autoruns.exe
*2.* System file collection app -  http_:_//sysnative.com/0x8/BSOD_XP_v1.3_jcgriff2_PROD_.exe

Go to My Documents folder and run #2. It will run #1.

Output = newly created folder in My Docs - *TSF_XP_Support*

Zip up the entire folder and attach to next post.

Also - 
- Run Speccy - Download Speccy 1.11.256 - FileHippo.com
- "File" | "Publish Snapshot" | Paste URL into your next post 

If XP Home, run - http://www.techsupportforum.com/forums/f10/systeminfo-exe-on-xp-home-561666.html#post3191462

Please post in XP forum - http://www.techsupportforum.com/forums/f10/

Regards. . .

jcgriff2



----------



## vantheshark

Hi @jcgriff2,

In this thread: http://www.techsupportforum.com/forums/f299/solved-windows-7-asus-and-random-bsods-481541.html 


Could you please explain how you figured out that it was Zone Alarm?
Thanks :blush:


----------



## jcgriff2

Hi - 

The bugcheck and 1st parm = *0x7f (0x8,,,)* + a Microsoft networking related driver listed - 


Code:


BugCheck 7F, {8, 80050031, 6f8, fffff80002a5daaf}

Probably caused by : NETIO.SYS ( NETIO!CompareSecurityContexts+6a )

http_:_//sysnative.com/drivers/driver.php?id=NETIO.SYS

That combination usually = Zone Alarm.

Regards. . .

John



----------



## jcgriff2

Anatomy of a call stack by *VirGnarus* 




Vir Gnarus said:


> They are offsets from the function start. When you look at a callstack like this, it starts from the bottom and goes like "this function called the function above me, which called the function above it, and so on and so forth." For each function listed, you have the three parts: the module name, the function name, and the offset, respectively, as follows:
> 
> 
> 
> Code:
> 
> 
> USBPORT!USBPORT_AssertSig+0x25
>   /\          /\         /\
> module   function name  offset
> 
> Listed with _kv_ or whatever, this portion of the output is the "Call Site" of the listing, which is basically just the name of the return address (RetAddr), complete with symbols to make it readable for humans to interpret what the function is and its intent. It can be read like an address on an envelope. The module name is the city, the function name is the street, and the offset is the address of the house. If you were to just say to someone asking for directions to your place "I live on such-n-such road" they have to scan down the whole road to find you. Otherwise if you add your address, the process of discovering your house is greatly alleviated.
> 
> It's important to understand what is going on here in a callstack. Read up on my basic description of code flow in _BSOD Method & Tips_. I'll add it here for quick reference:
> 
> 
> 
> 
> The flow of which all operations are going. The basics of it is you have a thread, and in that thread you have an initial function responsible for a specific task. In order to accomplish it, it will need the assistance of other functions to do so.
> 
> Much like a product being built by a company, you have it go through various hands and sometimes even various places before the finished product is made. Tack on also all the other personnel responsible for various indirect duties to supply the needs of those actually creating the product. If you had the same person/people doing _all_ the tasks, then things slow to a crawl and you're lucky to even have a satisfactory result in the end.
> 
> That's much like what goes on in your typical code flow. It is not enough to have a "one function to rule them all", that's just daft. Rather, you start with the initial function, like say, for drawing a popup window. There's a multitude of facets to this job, so the initial thread will call one function to do something, like DirectX telling it to draw the window, which DirectX will figure "ok, but with what?" and then pass that request to another, and then that to another, and then so on and so forth. How things fragment and flow through all this process of events is the essence of code flow.
> 
> 
> 
> Once you understand that, it's easier to get an idea what's going on in a callstack. Let's use your example. Starting with _nt!KxStartSystemThread_ at the bottom, this function sets up the thread to start doing work. Then when necessary, it calls into the function above it (_nt!PspSystemThreadStartup_) to continue it. This continues till what appears to be the real work starting (_usbhub!UsbhHubWorker_), as the rest is just initial setup. It's then performing various and sundry USB-related tasks for some USB I/O.
> 
> It's important to understand that each function is _not really_ calling the function above it from the offset specified in the call site nor from the address specified in the return address (which are both the same thing). Rather, it calls it from the _beginning_ of the function. So, _usbhub!UsbhHubWorker_ is not calling into _usbhub!UsbhHubSSH_Worker_ at offset 0x2d, but is calling it straight into the beginning of the function. The offsets and return addresses are rather just displaying where things continue once and if the function _returns_. That means the function has done its job, and the flow code operation is now returning to the function below it in the callstack.
> 
> I'm sure it's difficult to be able to interpret this process without any visuals, which I really can't provide any. The closest I can provide is to show some disassembly. Let's start with a simple idle loop from a kernel dump I have stored away:
> 
> 
> 
> Code:
> 
> 
> Child-SP          RetAddr           Call Site
> fffffa60`01d8ece0 fffff800`01ca8b83 intelppm+0x29ed
> fffffa60`01d8ed10 fffff800`01ca88a1 nt!PoIdle+0x183
> fffffa60`01d8ed80 fffff800`01e75860 nt!KiIdleLoop+0x21
> fffffa60`01d8edb0 00000000`fffffa60 nt!zzz_AsmCodeRange_End+0x4
> fffffa60`01d6ad00 00000000`00000000 0xfffffa60
> 
> Ignoring the first two frames (it's a little too complicated right now to explain), let's start at _nt!KiIdleLoop+0x21_. I'll whip out the disassembly window and copy and paste the entire name from module to offset, getting as follows:
> 
> 
> 
> Code:
> 
> 
> ...
> 
> nt!KiIdleLoop:
> fffff800`01ca8880 4883ec28        sub     rsp,28h
> fffff800`01ca8884 65488b1c2520000000 mov   rbx,qword ptr gs:[20h]
> fffff800`01ca888d eb20            jmp     nt!KiIdleLoop+0x2f (fffff800`01ca88af)
> fffff800`01ca888f 33c9            xor     ecx,ecx
> fffff800`01ca8891 440f22c1        mov     cr8,rcx
> fffff800`01ca8895 488d8b80380000  lea     rcx,[rbx+3880h]
> fffff800`01ca889c e85f010000      call    nt!PoIdle (fffff800`01ca8a00)
> fffff800`01ca88a1 fb              sti        <-- highlighted (bold) line
> fffff800`01ca88a2 b902000000      mov     ecx,2
> fffff800`01ca88a7 440f22c1        mov     cr8,rcx
> fffff800`01ca88ab 80630700        and     byte ptr [rbx+7],0
> fffff800`01ca88af 803d9c881c0000  cmp     byte ptr [nt!HvlEnableIdleYield (fffff800`01e71152)],0
> fffff800`01ca88b6 7402            je      nt!KiIdleLoop+0x3a (fffff800`01ca88ba)
> fffff800`01ca88b8 f390            pause
> fffff800`01ca88ba fb              sti
> fffff800`01ca88bb 90              nop
> fffff800`01ca88bc 90              nop
> fffff800`01ca88bd fa              cli
> 
> ...
> 
> The bold is where the disassembly window highlights, telling me that _nt!KiIdleLoop+0x21_ points exactly to here. As you can tell, its position is 0x21 away from the beginning of the function. Now take notice of the _call_ function right before it. That's the call to _nt!PoIdle_, which you can see in the callstack is the next function that was called into. What happened is _nt!KiIdleLoop_ started, ran its course, then it eventually said "I need to call _PoIdle_ cuz it needs to do something", so it called it as such. Now, did it call it at _nt!PoIdle+0x183_ like the callstack said? Nope. Rather, it says it called straight into the beginning of the _PoIdle_ function, at address _fffff800`01ca8a00_. I'll verify:
> 
> 
> 
> Code:
> 
> 
> ...
> 
> 
> nt!PoIdle:
> fffff800`01ca8a00 4883ec68        sub     rsp,68h        <-- highlighted (bold) line
> fffff800`01ca8a04 f605ff09130002  test    byte ptr [nt!PpmIdlePolicy+0x2 (fffff800`01dd940a)],2
> fffff800`01ca8a0b 0f85b9010000    jne     nt!PoIdle+0x1ca (fffff800`01ca8bca)
> fffff800`01ca8a11 48895c2470      mov     qword ptr [rsp+70h],rbx
> fffff800`01ca8a16 4889742458      mov     qword ptr [rsp+58h],rsi
> fffff800`01ca8a1b 48897c2450      mov     qword ptr [rsp+50h],rdi
> fffff800`01ca8a20 488b39          mov     rdi,qword ptr [rcx]
> fffff800`01ca8a23 4885ff          test    rdi,rdi
> fffff800`01ca8a26 0f841d050600    je      nt! ?? ::FNODOBFM::`string'+0x31b79 (fffff800`01d08f49)
> fffff800`01ca8a2c 8b5f08          mov     ebx,dword ptr [rdi+8]
> fffff800`01ca8a2f f6c302          test    bl,2
> 
> Blammo. First line of code in the function is where it pointed to, not the offset described in the callstack. Now what's going to happen here is that _PoIdle_ will run its stuff, until eventually it, too, needs to call another function. Let's check _nt!PoIdle+0x183_ which is what the callstack gave us as the call site:
> 
> 
> 
> Code:
> 
> 
> ...
> 
> 
> fffff800`01ca8b68 0f8456050600    je      nt! ?? ::FNODOBFM::`string'+0x31cf4 (fffff800`01d090c4)
> fffff800`01ca8b6e 83fb02          cmp     ebx,2
> fffff800`01ca8b71 0f845b050600    je      nt! ?? ::FNODOBFM::`string'+0x31d02 (fffff800`01d090d2)
> fffff800`01ca8b77 33d2            xor     edx,edx
> fffff800`01ca8b79 4a8b4cef28      mov     rcx,qword ptr [rdi+r13*8+28h]
> fffff800`01ca8b7e 42ff54ef20      call    qword ptr [rdi+r13*8+20h]
> fffff800`01ca8b83 85c0            test    eax,eax        <-- highlighted (bold) line
> fffff800`01ca8b85 0f8851050600    js      nt! ?? ::FNODOBFM::`string'+0x31d0c (fffff800`01d090dc)
> fffff800`01ca8b8b 85db            test    ebx,ebx
> fffff800`01ca8b8d 0f859e050600    jne     nt! ?? ::FNODOBFM::`string'+0x31d61 (fffff800`01d09131)
> fffff800`01ca8b93 33c9            xor     ecx,ecx
> fffff800`01ca8b95 ff1505a60d00    call    qword ptr [nt!_imp_KeQueryPerformanceCounter (fffff800`01d831a0)]
> fffff800`01ca8b9b 492bc6          sub     rax,r14
> 
> ...
> 
> Notice again the _call_ instruction before it? In this case it's a little more convoluted in that the address isn't a static address like before but it's one made by doing some math with some registers and junk and then using the resulting memory address' contents as a reference point. However if we did all of that math n stuff, we'd most likely come up with the start for the next function listed in the callstack, which is somewhere in the module _intelppm_. What's going to happen, then, is that if for whatever reason the function in _intelppm_ returns, the code flow will return to _nt!PoIdle+0x183_, then if for whatever reason the _PoIdle_ function returns, everything will continue at _nt!KiIdleLoop+0x21_, and so on.
> 
> You're probably wondering why _intelppm_ doesn't have a function listed. That's because in my case, I do not have access to any symbols for _intelppm_. Because there are no symbols, no function names and whatnot can be displayed, so it just leaves me with _intelppm_ with a very big offset, not an offset from the beginning of a function, but from the beginning of the _entire module_. So it's important to have symbols whenever possible. It's not impossible to go without em, but it makes things quite more difficult because then you have to ascertain through disassembling and reading the code just what the function is actually doing. The function names there provided by the symbols are to help you discover what each function's responsibility is.
> 
> 
> I hope that kinda clarifies _something_ about what's going on in a callstack. If you need more assistance I'll do what I can to help, but that should at least get things going for ya.

 
http://www.sysnative.com/forums/sho...ssage-calls-mean?p=15996&viewfull=1#post15996
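
The numbers in the quoted listings can be checked mechanically. The Python below is an added example, not code from the original posts: it parses the quoted idle-loop stack, checks that each row's RetAddr equals the start of the calling function plus the offset in the next row's call site, and decodes the `call nt!PoIdle` bytes to show that the target is the function start while the return address is `nt!KiIdleLoop+0x21`. The helper names are hypothetical; every address and byte string is copied from the listings above.

```python
import re

# Rows copied from the idle-loop call stack quoted above.
STACK = """\
Child-SP          RetAddr           Call Site
fffffa60`01d8ece0 fffff800`01ca8b83 intelppm+0x29ed
fffffa60`01d8ed10 fffff800`01ca88a1 nt!PoIdle+0x183
fffffa60`01d8ed80 fffff800`01e75860 nt!KiIdleLoop+0x21
fffffa60`01d8edb0 00000000`fffffa60 nt!zzz_AsmCodeRange_End+0x4
fffffa60`01d6ad00 00000000`00000000 0xfffffa60
"""

# Function start addresses as shown in the two disassembly listings above.
FUNC_START = {
    "nt!KiIdleLoop": 0xFFFFF80001CA8880,
    "nt!PoIdle": 0xFFFFF80001CA8A00,
}

# The direct call inside nt!KiIdleLoop: its address and raw bytes from the listing.
CALL_ADDR = 0xFFFFF80001CA889C
CALL_BYTES = bytes.fromhex("e85f010000")
MASK64 = (1 << 64) - 1


def parse_addr(text):
    """Convert a WinDbg-style address (fffff800`01ca8b83 or 0x...) to an int."""
    return int(text.replace("`", ""), 16)


def parse_call_site(text):
    """Split a call site into module, function and offset.

    kind is 'symbol' (module!function+off), 'module-offset' (no symbols, so the
    offset counts from the module base) or 'raw' (a bare address).
    """
    text = text.strip()
    if re.fullmatch(r"0x[0-9a-fA-F`]+", text):
        return {"kind": "raw", "module": None, "function": None,
                "offset": parse_addr(text)}
    # rpartition keeps any '+' inside an unusual symbol name intact.
    name, sep, off = text.rpartition("+0x")
    if not sep:                      # no offset: the site is the function start
        name, off = text, "0"
    module, bang, function = name.partition("!")
    return {"kind": "symbol" if bang else "module-offset", "module": module,
            "function": function or None, "offset": int(off, 16)}


def parse_stack(text):
    """Parse 'Child-SP RetAddr Call Site' rows; the header line is skipped."""
    frames = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or "`" not in parts[0]:
            continue
        frames.append({"child_sp": parse_addr(parts[0]),
                       "ret_addr": parse_addr(parts[1]),
                       "text": parts[2].strip(),
                       "site": parse_call_site(parts[2])})
    return frames


def resolve(site, func_start=FUNC_START):
    """Absolute address of a symbolic call site, or None if the start is unknown."""
    if site["kind"] != "symbol":
        return None
    start = func_start.get(f'{site["module"]}!{site["function"]}')
    return None if start is None else start + site["offset"]


def check_return_links(frames):
    """For each callee/caller pair of rows, compare the callee row's RetAddr with
    the caller row's call site. True/False = checked, None = cannot be checked."""
    results = []
    for callee, caller in zip(frames, frames[1:]):
        expected = resolve(caller["site"])
        verdict = None if expected is None else callee["ret_addr"] == expected
        results.append((caller["text"], verdict))
    return results


def decode_direct_call(addr, raw):
    """Decode a 5-byte E8 rel32 call; return (target, return_address)."""
    if len(raw) != 5 or raw[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 call")
    rel = int.from_bytes(raw[1:], "little", signed=True)
    ret = addr + len(raw)            # the instruction right after the call
    return (ret + rel) & MASK64, ret


if __name__ == "__main__":
    for text, ok in check_return_links(parse_stack(STACK)):
        print(f"{text:32} {'no function start known' if ok is None else ok}")
    target, ret = decode_direct_call(CALL_ADDR, CALL_BYTES)
    print(f"call target {target:#x}, returns to {ret:#x}")
```

The indirect `call qword ptr [rdi+r13*8+20h]` in `nt!PoIdle` cannot be decoded this way because its target depends on register and memory contents that the listing does not show.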


----------



## Krissto

Hi all, I have a WinDbg problem here, I can't seem to get my symbols to work, I have changed the symbols path numerous times and have read a couple of posts about this issue, yet the same error appears whenever debugging.


----------



## Wrench97

Paste this into the symbol path >


HTML:


SRV*c:\mss*http://msdl.microsoft.com/download/symbols


----------



## Krissto

Thanks.


----------



## Krissto

Ok, I'm still getting the same problem here...


----------



## Wrench97

Need to look at threads closer 

What symbols are missing, all or just some 3rd party?


----------



## yardpenalty

*Re: AVGIDsFilter thread BSOD Kernel Dump Analysis - Discussion*

My question is why is this AVGIDsFilter process causing a BSOD for many users? I have seen a lot of issues with this process being the culprit, but I haven't personally encountered a problem with it. The BSOD I had was thought to be this issue but it was actually a generic OS video driver issue Mirror2 something or other for NVIDIA video card that would be created by the OS and had nothing to do with the AVG software. Is AVG aware of this problem? Just kind of curious what you guys think?


----------



## VirGnarus

*@Krissto*

Are you using the environment variable method or just pasting it into the Windbg's Symbol File Path? The env var method is a lot more reliable and you also won't have to worry about it ever again after you set it up. Follow instructions here for the _NT_SYMBOL_PATH env var.

*@yardpenalty*

AVGIDsFilter, like any filter driver, can have the potential for mishandling I/O which can often not manifest until another 3rd-party filter driver later on tries to deal with it and is left with the handbag. Even the opposite can occur. There's a myriad of reasons why this or any other filter driver can harbor bugs that only seem to manifest in certain PC environments or under certain conditions. AVG's filter driver isn't alone in this, but yes, it does have a reputation for showing up more often than not, but sometimes it may just be that it's been given the murder weapon as the suspect fled the scene of the crime.


----------



## Krissto

Wrench97 said:


> Need to look at threads closer
> 
> What symbols are missing, all or just some 3rd party?


I am thinking nearly all, because WinDbg only lists nt! and numeric drivers.


----------



## Wrench97

Ah, just wanted to make sure you were not just getting 3rd party symbol errors.
Symbols for drivers like ATI and Nvidia are not on the MS server and never will be; they are only available from the 3rd party to developers (sometimes).


----------



## VirGnarus

Once you've set up everything as stated in my recommendation, you can then open a crashdump and type the following:



Code:


.reload /f /o /v

Give us the output if it turns out it does not resolve things and that you see errors for all of the modules. Some modules are expected to be missing because, as Wrench said, they're 3rd-party drivers that do not provide public symbols, or you simply don't have them (MS symbol server does not carry symbols for any modules other than their own).


----------



## yardpenalty

@yardpenalty by VirGnarus

AVGIDsFilter, like any filter driver, can have the potential for mishandling I/O which can often not manifest until another 3rd-party filter driver later on tries to deal with it and is left with the handbag. Even the opposite can occur. There's a myriad of reasons why this or any other filter driver can harbor bugs that only seem to manifest in certain PC environments or under certain conditions. AVG's filter driver isn't alone in this, but yes, it does have a reputation for showing up more often than not, but sometimes it may just be that it's been given the murder weapon as the suspect fled the scene of the crime.

@VirGnarus

That clarifies it up for me in one paragraph and makes a lot of sense! Thanks for your response. I like how you said it's been given the murder weapon as the suspect fled the scene of the crime. Because that was indeed the case in all of my BSODs that had AVG installations.


----------



## Wrench97

It correctly calls for the stop (BSOD) because it is receiving bad data from an address assigned to it, when in fact it was another rogue driver that overwrote the address space allocated and into address space of the driver calling for the stop.

(I'm sure VirGnarus can put it more eloquently and in better detail if needed)


----------



## VirGnarus

Yes, Windows is not very strict nor anal about how it deals with drivers and applications in their use of many types of memory allocations. If it were, system performance would be drastically reduced as the checks needed for all of it would be drastic. You can experience this by using gflags and turning on all memory-related checks. Slows things down to a crawl.

As a result of being more lenient, stuff can write to memory that's not theirs, which then when the actual driver/app owning the memory tries using the overwritten memory, it faults on it and gets blamed.


----------



## Patrick

What's up with Kaspersky causing issues in the W7 environment? Has there been a definition update or something that's causing issues, etc?

I just solved a BSOD case earlier today in which Kaspersky was the issue: http://www.techsupportforum.com/forums/f299/bsod-issues-tera-654673.html#post3808557

I also see many analysts recommend removing it as it is a troublesome AV. Why is that exactly? It would definitely help to know this information for future cases if the user has Kaspersky as their AV.

Regards,

Patrick


----------



## jcgriff2

I have found that all Internet Security Suites - NIS, N360, McAfee, KIS, etc... cause problems in Vista & Windows 7 because 3rd party firewalls tend to block local NETBIOS ports used by system services.


----------



## zigzag3143

PJB said:


> What's up with Kaspersky causing issues in the W7 environment? Has there been a definition update or something that's causing issues, etc?
> 
> I just solved a BSOD case earlier today in which Kaspersky was the issue: http://www.techsupportforum.com/forums/f299/bsod-issues-tera-654673.html#post3808557
> 
> I also see many analysts recommend removing it as it is a troublesome AV. Why is that exactly? It would definitely help to know this information for future cases if the user has Kaspersky as their AV.
> 
> Regards,
> 
> Patrick



Unfortunately not just Kaspersky, for the reasons Griff stated.


----------



## Patrick

Ah, so that's why.

Thanks guys


----------



## satrow

Anyone who uses software that is frequently updated is likely to fall foul of Kaspersky at some time, online gamers and those that run bots probably more so than others. They're pretty good at sorting it once it's been brought to their attention - until the update the following week when it all starts again.


----------



## Deejay100six

Hiya guys,

This thread looks very interesting but I just don't have time to trawl through it all just now. I'm trying to get back into helping out wherever I think I can but I'm a bit rusty. :smile:

Started trying to help this guy http://www.techsupportforum.com/for...-randomly-restarting-and-freezing-674049.html and have explained to him the importance of getting his system up to date. Is there really any point in trying to help him further until he has updated?

I have seen John's instructions for posting for XP but not sure how to proceed at the moment. Perhaps someone could take a look or leave a note in the staff room for me?

Thanks.


----------



## writhziden

Updating is one of the first things I look at for a few reasons:

- Better driver support. Many drivers are designed for the later release or service pack for the OS.
- A corrupted OS. I have experienced many systems that were crashing and blaming Windows files where a service pack installation fixed the problem, likely because it had updated versions of corrupted Windows files.
- Security Vulnerabilities and Stability Increased updates. Malicious items can be detected more readily on an up to date system, and many updates included also provide better stability for software and hardware.

In short: I think your approach is perfectly reasonable and logical.


----------



## Deejay100six

Thanks Mike. :smile:

And thanks to Wrench97 for responding.


----------



## writhziden

You're welcome. Glad to share my own experiences.


----------



## jcgriff2

Deejay100six said:


> Started trying to help this guy http://www.techsupportforum.com/for...-randomly-restarting-and-freezing-674049.html and have explained to him the importance of getting his system up to date. Is there really any point in trying to help him further until he has updated?


XP SP3 is a must.

It was released in 2008.


----------



## Deejay100six

That's what I thought, thanks John.........and good to "see" you again.


----------



## jcgriff2

Good to see you too!!

As a general rule, I never touch BSOD Kernel dumps on systems without the latest Service Pack installed -- just not worth the time.

However, if the OP has problems installing the Service Pack, I will do all I can to help so as not to leave the OP out in the cold.


----------



## Deejay100six

Yeah, Wrench97 and I tried to help him but it doesn't seem like he wants to heed any advice but we shall see. I'm subscribed to his thread so I'll keep an eye out for him.


----------



## Babbzzz

jcgriff2 said:


> The best beginner's tutorial for debugging authored by the great H2SO4 -->
> 
> Crash Dumps - Analyse Bugcheck and Process - Vista Forums


Thank you Mr. Griffith.


----------



## s_chaney

Can someone help me and tell me what's causing my problem? I've only had the blue screen one time and I restarted my computer and I haven't had any problems since.. Any insight would be greatly appreciated. Thanks in advance. Here's the information.

Windows 7

OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033

BCCode: 3b
BCP1: 00000000C0000005
BCP2: FFFFF88004943AE0
BCP3: FFFFF88004632640
BCP4: 0000000000000000
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:

C:\Windows\Minidump\011013-36941-01.dmp

C:\Users\Chaney\AppData\Local\Temp\WER-70044-0.sysdata.xml


----------



## nehneh

A month ago, I had a blue screen every day for 4 days which was resolved by updating the ATI graphics driver, confirmed by the dump analysis by the TechSupportForum experts.
Last Sunday a blue screen came again. My MS update history showed they just included an ATI update. I updated it with the latest one from the Web, and since then I have had no more blue screens.
nehneh


----------



## writhziden

s_chaney said:


> Can someone help me and tell me what's causing my problem? I've only had the blue screen one time and I restarted my computer and I haven't had any problems since.. Any insight would be greatly appreciated. Thanks in advance. Here's the information.
> 
> Windows 7
> 
> OS Version: 6.1.7601.2.1.0.768.3
> Locale ID: 1033
> 
> BCCode: 3b
> BCP1: 00000000C0000005
> BCP2: FFFFF88004943AE0
> BCP3: FFFFF88004632640
> BCP4: 0000000000000000
> OS Version: 6_1_7601
> Service Pack: 1_0
> Product: 768_1
> 
> Files that help describe the problem:
> 
> C:\Windows\Minidump\011013-36941-01.dmp
> 
> C:\Users\Chaney\AppData\Local\Temp\WER-70044-0.sysdata.xml



Please start your own thread and follow the blue screen posting instructions. http://www.techsupportforum.com/for...ons-windows-8-windows-7-and-vista-452654.html


----------



## omprakashkalal

Thank You for sharing !!!!!!!!!!


----------



## BenF

jcgriff2 said:


> The best beginner's tutorial for debugging authored by the great H2SO4 -->
> 
> Crash Dumps - Analyse Bugcheck and Process
> 
> Regards. . .
> 
> jcgriff2
> 
> .


Thanks for the link, I see a lot of BSOD on many computers, and I always just either update the drivers or backup and do a clean install to solve the problem. Seeing that many people I know don't use restore points or do backups of their system.

I'm having some BSOD's recently, so all this will come in handy to figure out what the hell it is, as well as learn something from it.

Thanks again!


----------



## jcgriff2

Glad we could be of help.


----------



## Hawkeye8442

Sorry for putting this here, but can anyone tell me why when I try to post a thread it says page not found?


----------



## SABL

Hi Hawkeye8442....welcome to TSF. Please see my Private Message that has been sent to you.


----------



## Umbert Vohiden

It sounds like a hardware issue if the operating system had several memory dumps with errors. Probably should check the RAM hardware.


----------



## jcgriff2

Here is a thread that reminds us that one can have multiple (different) bugchecks and can be software (driver) related - https://www.techsupportforum.com/fo...efilecollectionapp-1235666-2.html#post7749486

Usually if we end up with varying bugchecks, the cause is usually [unknown] hardware failure.






----------

