G
Guest
I have been getting the blue screen and memory dump. I ran the debugger and
it showed that the probable cause was ntkrpamp.exe. When I found that on my
machine it looks like it might be a sp2 file. The only two things that I
have installed recently are a trial of Microsoft expressions web and harry
potter and the order of the phoenix game. Of course, regular updates have
been automatically installed. I will include what I got when I debugged. I
would really appreciate any help Here is what I got when I ran the debugger:
Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\websymbols\Mini071207-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86
compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Thu Jul 12 16:33:46.687 2007 (GMT-5)
System Uptime: 0 days 9:43:32.405
Loading Kernel Symbols
........................................................................................................................................................................................................
Loading User Symbols
Loading unloaded module list
.................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {0, 1c, 1, 804faee4}
Probably caused by : ntkrpamp.exe ( nt!KeWaitForSingleObject+186 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on
chips which support this level of status)
Arg4: 804faee4, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 1c
FAULTING_IP:
nt!KeWaitForSingleObject+186
804faee4 8939 mov dword ptr [ecx],edi
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 806e496b to 804faee4
STACK_TEXT:
f793dcd4 806e496b 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x186
f793dcf4 804ed874 8578ef58 855f1e84 8578ef50 hal!ExAcquireFastMutex+0x2b
f793dd08 f72cf808 e5bfaeb8 855f1c28 e5bfaeb8
nt!FsRtlRemovePerStreamContext+0x1e
f793dd34 f72d0d56 855f1c28 86b3c1a8 8526a818
fltmgr!FltpDeleteAllStreamListCtrls+0x62
f793dd50 f72c35f7 855f1cac 00000008 86b3c1a8 fltmgr!FltpFreeVolume+0xa4
f793dd68 f72c734e 8526a818 00000008 8056375c
fltmgr!FltpCleanupDeviceObject+0x61
f793dd7c 805379bd 86b3c1a8 00000000 871c1b30
fltmgr!FltpFastIoDetachDeviceWorker+0x14
f793ddac 805ce84c 86b3c1a8 00000000 00000000 nt!ExpWorkerThread+0xef
f793dddc 8054532e 805378ce 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeWaitForSingleObject+186
804faee4 8939 mov dword ptr [ecx],edi
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!KeWaitForSingleObject+186
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9d
it showed that the probable cause was ntkrpamp.exe. When I found that on my
machine it looks like it might be a sp2 file. The only two things that I
have installed recently are a trial of Microsoft expressions web and harry
potter and the order of the phoenix game. Of course, regular updates have
been automatically installed. I will include what I got when I debugged. I
would really appreciate any help Here is what I got when I ran the debugger:
Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\websymbols\Mini071207-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86
compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Thu Jul 12 16:33:46.687 2007 (GMT-5)
System Uptime: 0 days 9:43:32.405
Loading Kernel Symbols
........................................................................................................................................................................................................
Loading User Symbols
Loading unloaded module list
.................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {0, 1c, 1, 804faee4}
Probably caused by : ntkrpamp.exe ( nt!KeWaitForSingleObject+186 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on
chips which support this level of status)
Arg4: 804faee4, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 1c
FAULTING_IP:
nt!KeWaitForSingleObject+186
804faee4 8939 mov dword ptr [ecx],edi
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 806e496b to 804faee4
STACK_TEXT:
f793dcd4 806e496b 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x186
f793dcf4 804ed874 8578ef58 855f1e84 8578ef50 hal!ExAcquireFastMutex+0x2b
f793dd08 f72cf808 e5bfaeb8 855f1c28 e5bfaeb8
nt!FsRtlRemovePerStreamContext+0x1e
f793dd34 f72d0d56 855f1c28 86b3c1a8 8526a818
fltmgr!FltpDeleteAllStreamListCtrls+0x62
f793dd50 f72c35f7 855f1cac 00000008 86b3c1a8 fltmgr!FltpFreeVolume+0xa4
f793dd68 f72c734e 8526a818 00000008 8056375c
fltmgr!FltpCleanupDeviceObject+0x61
f793dd7c 805379bd 86b3c1a8 00000000 871c1b30
fltmgr!FltpFastIoDetachDeviceWorker+0x14
f793ddac 805ce84c 86b3c1a8 00000000 00000000 nt!ExpWorkerThread+0xef
f793dddc 8054532e 805378ce 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeWaitForSingleObject+186
804faee4 8939 mov dword ptr [ecx],edi
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!KeWaitForSingleObject+186
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9d