BSOD at shutdown

G

Guest

My system: Gigabyte 8VM533M-RZ, MoBo: P2M266A-8235, Processor: 2.4GHz Intel
Pentium 4, 2x HDD (Seagate 160Gb and 80Gb), Memory: 2,048Gb PC3200 (2x
Kingston KVR400X64C3A/1G)), Windows XP Pro SP2 (2600), Mcafee Internet Suit
2006. NEW HARDWARE: External USB 2.0 HDD (Seagate 160Gb). NEW SOFTWARE:
Acronis True Image 9.0.0.3677

Problem: Everytime I shut down the PC I get a BSOD with a PAGE FAULT IN NON
PAGED AREA error message - 0x00000050 (0xe168a000, 1, 0x805d428c, 1). When I
run Windbg I get the following:


Microsoft (R) Windows Debugger Version 6.6.0003.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini072306-08.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
c:\windows\symbols;SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
c:\windows\System32;http://www.alexander.com/SymServe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
ntoskrnl.exe -
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Sun Jul 23 19:40:21.880 2006 (GMT+8)
System Uptime: 0 days 6:32:44.114
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
ntoskrnl.exe -
Loading Kernel Symbols
...................................................................................................................................................
Loading User Symbols
Loading unloaded module list
...................................................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {e168a000, 1, 805d428c, 1}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.exe ( nt!NtDeleteFile+685 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or
it
is pointing at freed memory.
Arguments:
Arg1: e168a000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 805d428c, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME: nt

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
e168a000

FAULTING_IP:
nt!NtDeleteFile+685
805d428c f3a5 rep movsd

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 8

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 80523f44 to 8053331e

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
a7c42a8c 80523f44 00000050 e168a000 00000001 nt!KeBugCheckEx+0x1b
a7c42ad8 804e1718 00000001 e168a000 00000000 nt!IoSetFileOrigin+0xc050
a7c42b08 8058f9c6 e3c4a008 00042020 00000000 nt!Kei386EoiHelper+0x26bc
a7c42b78 805d4365 00042020 00000031 e3c4a008 nt!RtlGenerate8dot3Name+0x1a1a
a7c42bac 805d4807 016fc378 000133b0 00041dd8 nt!NtDeleteFile+0x75e
a7c42bf4 805d48b2 e26fc378 00013338 00041d60 nt!NtDeleteFile+0xc00
a7c42c34 805d41c5 e165a000 00000400 00000001 nt!NtDeleteFile+0xcab
a7c42c64 80653e29 e26fc378 00000020 e3c4a008 nt!NtDeleteFile+0x5be
a7c42c98 8064be75 00000020 000006dc 00000003
nt!LsaDeregisterLogonProcess+0xafd2
a7c42cbc 804de7ec e31bbbb0 000006dc a7c42d54
nt!LsaDeregisterLogonProcess+0x301e
a7c42ccc 804dd6f9 badb0d00 a7c42d44 8064bd01 nt!ZwYieldExecution+0xb78
a7c42d54 804de7ec 00000094 000006dc 0006f8b8 nt!ZwSaveKey+0x11
a7c42ddc 804fa4da 805b69df 00000003 00000000 nt!ZwYieldExecution+0xb78
a7c42de0 805b69df 00000003 00000000 0000027f nt!KeInitializeTimer+0x107
a7c42de4 00000000 00000000 0000027f 00000000 nt!PsSetLegoNotifyRoutine+0x61f


STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nt!NtDeleteFile+685
805d428c f3a5 rep movsd

FAULTING_SOURCE_CODE:


FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!NtDeleteFile+685

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

I have downloaded the largest XP-SP2 symbols file (195MB) from microsoft
support and used the public symbols server in my symbols path but get
ntoskrnl.pdb is mis-matched.

Three questions: 1) why is my system crashing? 2) why can't windows find the
correct symbols for my ntoskrnl.exe file (version 5.1.2600.2622
(xpsp_sp2_gdr.050301-1519) 3) Where can I get a correct version of
ntoskrnl.exe given all the security updates I've installed since SP2?

If anybody can point me in the right direction I'd really appreciate it.
Thanks
 
R

Rick Rogers

Hi Bobbylani,

Add the path the symbols to the environmental variables, it appears that the
debugger is looking at C:\Windows\symbols and that you have stored them
elsewhere or have not unpacked them.

The problem is a driver error, but what you are seeing is a hang at ntoskrnl
after the driver has passed an instruction with an invalid address. At this
point, you may have better luck with the driver verifier as opposed to the
debugger. You might also try a full kernel or even a core dump instead of
the mini, but picking through it will take quite some time.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP

Windows help - www.rickrogers.org

Bobbylani said:
My system: Gigabyte 8VM533M-RZ, MoBo: P2M266A-8235, Processor: 2.4GHz
Intel
Pentium 4, 2x HDD (Seagate 160Gb and 80Gb), Memory: 2,048Gb PC3200 (2x
Kingston KVR400X64C3A/1G)), Windows XP Pro SP2 (2600), Mcafee Internet
Suit
2006. NEW HARDWARE: External USB 2.0 HDD (Seagate 160Gb). NEW SOFTWARE:
Acronis True Image 9.0.0.3677

Problem: Everytime I shut down the PC I get a BSOD with a PAGE FAULT IN
NON
PAGED AREA error message - 0x00000050 (0xe168a000, 1, 0x805d428c, 1). When
I
run Windbg I get the following:


Microsoft (R) Windows Debugger Version 6.6.0003.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini072306-08.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
c:\windows\symbols;SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
c:\windows\System32;http://www.alexander.com/SymServe
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for
ntoskrnl.exe -
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Sun Jul 23 19:40:21.880 2006 (GMT+8)
System Uptime: 0 days 6:32:44.114
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for
ntoskrnl.exe -
Loading Kernel Symbols
.................................................................................................................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {e168a000, 1, 805d428c, 1}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.exe ( nt!NtDeleteFile+685 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except,
it must be protected by a Probe. Typically the address is just plain bad
or
it
is pointing at freed memory.
Arguments:
Arg1: e168a000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 805d428c, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME: nt

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
e168a000

FAULTING_IP:
nt!NtDeleteFile+685
805d428c f3a5 rep movsd

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 8

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 80523f44 to 8053331e

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
a7c42a8c 80523f44 00000050 e168a000 00000001 nt!KeBugCheckEx+0x1b
a7c42ad8 804e1718 00000001 e168a000 00000000 nt!IoSetFileOrigin+0xc050
a7c42b08 8058f9c6 e3c4a008 00042020 00000000 nt!Kei386EoiHelper+0x26bc
a7c42b78 805d4365 00042020 00000031 e3c4a008
nt!RtlGenerate8dot3Name+0x1a1a
a7c42bac 805d4807 016fc378 000133b0 00041dd8 nt!NtDeleteFile+0x75e
a7c42bf4 805d48b2 e26fc378 00013338 00041d60 nt!NtDeleteFile+0xc00
a7c42c34 805d41c5 e165a000 00000400 00000001 nt!NtDeleteFile+0xcab
a7c42c64 80653e29 e26fc378 00000020 e3c4a008 nt!NtDeleteFile+0x5be
a7c42c98 8064be75 00000020 000006dc 00000003
nt!LsaDeregisterLogonProcess+0xafd2
a7c42cbc 804de7ec e31bbbb0 000006dc a7c42d54
nt!LsaDeregisterLogonProcess+0x301e
a7c42ccc 804dd6f9 badb0d00 a7c42d44 8064bd01 nt!ZwYieldExecution+0xb78
a7c42d54 804de7ec 00000094 000006dc 0006f8b8 nt!ZwSaveKey+0x11
a7c42ddc 804fa4da 805b69df 00000003 00000000 nt!ZwYieldExecution+0xb78
a7c42de0 805b69df 00000003 00000000 0000027f nt!KeInitializeTimer+0x107
a7c42de4 00000000 00000000 0000027f 00000000
nt!PsSetLegoNotifyRoutine+0x61f


STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nt!NtDeleteFile+685
805d428c f3a5 rep movsd

FAULTING_SOURCE_CODE:


FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!NtDeleteFile+685

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

I have downloaded the largest XP-SP2 symbols file (195MB) from microsoft
support and used the public symbols server in my symbols path but get
ntoskrnl.pdb is mis-matched.

Three questions: 1) why is my system crashing? 2) why can't windows find
the
correct symbols for my ntoskrnl.exe file (version 5.1.2600.2622
(xpsp_sp2_gdr.050301-1519) 3) Where can I get a correct version of
ntoskrnl.exe given all the security updates I've installed since SP2?

If anybody can point me in the right direction I'd really appreciate it.
Thanks
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

BSOD on shutdown - Heeeelp 8
MULTIPLE_IRP_COMPLETE_REQUESTS (44) blue screens recently. 5
BSoD at Windows Vista during shutdown/restart! PLEASE HELP! 4
wininit - how to restore - bcod 1
Multiple save dumps (with debug info) 4
BSOD - With mrxsmb.sys 2
BSOD -- need help understanding minidump 9
Random reboots 7

Top