BSOD on shutdown - Heeeelp

[Guest]

My system: Gigabyte 8VM533M-RZ, MoBo: P2M266A-8235, Processor: 2.4GHz Intel
Pentium 4, 2x HDD (Seagate 160Gb and 80Gb), Memory: 2,048Gb PC3200 (2x
Kingston KVR400X64C3A/1G)), Windows XP Pro SP2 (2600), Mcafee Internet Suit
2006. NEW HARDWARE: External USB 2.0 HDD (Seagate 160Gb). NEW SOFTWARE:
Acronis True Image 9.0.0.3677

Problem: Everytime I shut down the PC I get a BSOD with a PAGE FAULT IN NON
PAGED AREA error message - 0x00000050 (0xe168a000, 1, 0x805d428c, 1). When I
run Windbg I get the following:


Microsoft (R) Windows Debugger Version 6.6.0003.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini072306-08.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
c:\windows\symbols;SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
c:\windows\System32;http://www.alexander.com/SymServe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
ntoskrnl.exe -
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Sun Jul 23 19:40:21.880 2006 (GMT+8)
System Uptime: 0 days 6:32:44.114
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
ntoskrnl.exe -
Loading Kernel Symbol
..................................................................................................................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {e168a000, 1, 805d428c, 1}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.exe ( nt!NtDeleteFile+685 )

Followup: MachineOwner
---------

kd> !analyze -
*******************************************************************************
*
*
* Bugcheck Analysis
*
*

*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or
it
is pointing at freed memory.
Arguments:
Arg1: e168a000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 805d428c, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME: nt

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
e168a000

FAULTING_IP:
nt!NtDeleteFile+685
805d428c f3a5 rep movsd

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 8

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 80523f44 to 8053331e

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
a7c42a8c 80523f44 00000050 e168a000 00000001 nt!KeBugCheckEx+0x1b
a7c42ad8 804e1718 00000001 e168a000 00000000 nt!IoSetFileOrigin+0xc050
a7c42b08 8058f9c6 e3c4a008 00042020 00000000 nt!Kei386EoiHelper+0x26bc
a7c42b78 805d4365 00042020 00000031 e3c4a008 nt!RtlGenerate8dot3Name+0x1a1a
a7c42bac 805d4807 016fc378 000133b0 00041dd8 nt!NtDeleteFile+0x75e
a7c42bf4 805d48b2 e26fc378 00013338 00041d60 nt!NtDeleteFile+0xc00
a7c42c34 805d41c5 e165a000 00000400 00000001 nt!NtDeleteFile+0xcab
a7c42c64 80653e29 e26fc378 00000020 e3c4a008 nt!NtDeleteFile+0x5be
a7c42c98 8064be75 00000020 000006dc 00000003
nt!LsaDeregisterLogonProcess+0xafd2
a7c42cbc 804de7ec e31bbbb0 000006dc a7c42d54
nt!LsaDeregisterLogonProcess+0x301e
a7c42ccc 804dd6f9 badb0d00 a7c42d44 8064bd01 nt!ZwYieldExecution+0xb78
a7c42d54 804de7ec 00000094 000006dc 0006f8b8 nt!ZwSaveKey+0x11
a7c42ddc 804fa4da 805b69df 00000003 00000000 nt!ZwYieldExecution+0xb78
a7c42de0 805b69df 00000003 00000000 0000027f nt!KeInitializeTimer+0x107
a7c42de4 00000000 00000000 0000027f 00000000 nt!PsSetLegoNotifyRoutine+0x61f


STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nt!NtDeleteFile+685
805d428c f3a5 rep movsd

FAULTING_SOURCE_CODE:


FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!NtDeleteFile+685

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

I have downloaded the largest XP-SP2 symbols file (195MB) from microsoft
support and used the public symbols server in my symbols path but get
ntoskrnl.pdb is mis-matched.

Three questions: 1) why is my system crashing? 2) why can't windows find the
correct symbols for my ntoskrnl.exe file (version 5.1.2600.2622
(xpsp_sp2_gdr.050301-1519) 3) Where can I get a correct version of
ntoskrnl.exe given all the security updates I've installed since SP2?

If anybody can point me in the right direction I'd really appreciate it.
Thanks

 

[thecreator]

Hi Bobbylani,

The problem might be a bad Memory Stick. Remove one Memory Stick and
boot up and check operation. Then swap out the Memory Card, with the one
just removed to test out the system again.

Once the bad Memory stick is identified, remove it from the Computer.
Contact the Manufacturer of the Memory Stick to exchange / replace the
Memory Stick / Card under its Warranty.

If the Memory Cards are good, report back, but run the tests first.


--
thecreator

My system: Gigabyte 8VM533M-RZ, MoBo: P2M266A-8235, Processor: 2.4GHz
Intel
Pentium 4, 2x HDD (Seagate 160Gb and 80Gb), Memory: 2,048Gb PC3200 (2x
Kingston KVR400X64C3A/1G)), Windows XP Pro SP2 (2600), Mcafee Internet
Suit
2006. NEW HARDWARE: External USB 2.0 HDD (Seagate 160Gb). NEW SOFTWARE:
Acronis True Image 9.0.0.3677

Problem: Everytime I shut down the PC I get a BSOD with a PAGE FAULT IN
NON
PAGED AREA error message - 0x00000050 (0xe168a000, 1, 0x805d428c, 1). When
I
run Windbg I get the following:


Microsoft (R) Windows Debugger Version 6.6.0003.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini072306-08.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
c:\windows\symbols;SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
c:\windows\System32;http://www.alexander.com/SymServe
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for
ntoskrnl.exe -
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Sun Jul 23 19:40:21.880 2006 (GMT+8)
System Uptime: 0 days 6:32:44.114
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for
ntoskrnl.exe -
Loading Kernel Symbols
.................................................................................................................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {e168a000, 1, 805d428c, 1}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.exe ( nt!NtDeleteFile+685 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except,
it must be protected by a Probe. Typically the address is just plain bad
or
it
is pointing at freed memory.
Arguments:
Arg1: e168a000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 805d428c, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME: nt

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9

WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
e168a000

FAULTING_IP:
nt!NtDeleteFile+685
805d428c f3a5 rep movsd

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 8

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x50

LAST_CONTROL_TRANSFER: from 80523f44 to 8053331e

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
a7c42a8c 80523f44 00000050 e168a000 00000001 nt!KeBugCheckEx+0x1b
a7c42ad8 804e1718 00000001 e168a000 00000000 nt!IoSetFileOrigin+0xc050
a7c42b08 8058f9c6 e3c4a008 00042020 00000000 nt!Kei386EoiHelper+0x26bc
a7c42b78 805d4365 00042020 00000031 e3c4a008
nt!RtlGenerate8dot3Name+0x1a1a
a7c42bac 805d4807 016fc378 000133b0 00041dd8 nt!NtDeleteFile+0x75e
a7c42bf4 805d48b2 e26fc378 00013338 00041d60 nt!NtDeleteFile+0xc00
a7c42c34 805d41c5 e165a000 00000400 00000001 nt!NtDeleteFile+0xcab
a7c42c64 80653e29 e26fc378 00000020 e3c4a008 nt!NtDeleteFile+0x5be
a7c42c98 8064be75 00000020 000006dc 00000003
nt!LsaDeregisterLogonProcess+0xafd2
a7c42cbc 804de7ec e31bbbb0 000006dc a7c42d54
nt!LsaDeregisterLogonProcess+0x301e
a7c42ccc 804dd6f9 badb0d00 a7c42d44 8064bd01 nt!ZwYieldExecution+0xb78
a7c42d54 804de7ec 00000094 000006dc 0006f8b8 nt!ZwSaveKey+0x11
a7c42ddc 804fa4da 805b69df 00000003 00000000 nt!ZwYieldExecution+0xb78
a7c42de0 805b69df 00000003 00000000 0000027f nt!KeInitializeTimer+0x107
a7c42de4 00000000 00000000 0000027f 00000000
nt!PsSetLegoNotifyRoutine+0x61f


STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nt!NtDeleteFile+685
805d428c f3a5 rep movsd

FAULTING_SOURCE_CODE:


FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!NtDeleteFile+685

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

I have downloaded the largest XP-SP2 symbols file (195MB) from microsoft
support and used the public symbols server in my symbols path but get
ntoskrnl.pdb is mis-matched.

Three questions: 1) why is my system crashing? 2) why can't windows find
the
correct symbols for my ntoskrnl.exe file (version 5.1.2600.2622
(xpsp_sp2_gdr.050301-1519) 3) Where can I get a correct version of
ntoskrnl.exe given all the security updates I've installed since SP2?

If anybody can point me in the right direction I'd really appreciate it.
Thanks

 

[Guest]

Creator, thanks for getting back to me. You may be right! I did a full dump
and it had 'corrupt memory' all over it. As these memory sticks (2x Kingston
PC3200 1Gb) are new, I'll do the tests you suggested as well as run MemTest
and get back to you later. Cheers
Bob

 

[Guest]

Creator, thanks for your reply

I've spent all day yesterday testing my RAM sticks one by one. I've got 2x
Kingston 1Gb PC3200 and the older sticks they replaced (but were working
fine) 2x HTL 512Mb PC2700. I performed the following memory tests on all
sticks one by one:

1) Smith Micro Software Inc, Check It Diagnostics v7.1.0.83 (Windows)
2) MemTest86+ v1.65 (DOS)
3) GoldMemory v5.07 (DOS)
4) DocMemory RAM Diagnostics v2.2 (DOS)

All RAM sticks passed all tests with flying colours, they all booted into
Windows XP perfectly and the system always crashed perfectly on shutdown with
a STOP: 0x00000050 (0x1Ennn000,0x00000001,0x805D428C,0x00000001)! (nnn = any
hexedecimal number/letter).

Now, the following analysis of Memory.dmp and mini250706-0x.dmp files
reveals the following:

a) Symbols for NTOSKRNL.SYS can't be found (despite unpacking the 195MB file
from Microsoft to c:\symbols and including that directory in my enviromental
symbols path correctly).
b) All Memory.dmp files refer to 'memory_corruption' and
'MEMORY_CORRUPTION_LARGE' in the KD> !Analyze -v section despite my tests
above on the RAM.
c) All mini250706-0x.dmp files refer 1) to a driver, either: timntr.sys
(twice today and many times before), mup.sys (once) or NSID.sys (once), 2)
'LAST_CONTROL_TRANSFER: from 80523f44 to 8053331e' (ie always the same) and
3) an 'instruction address which referenced the bad memory' as 0x805D428C
(i.e always the same instruction address).

I've also completely disconnected my external USB HDD drive (which is where
my backup is and this is where I have, in the past, mounted an image from -
timntr.exe be looking for this drive?). Anyway the system still crashes

Re backup from c: (160Gb - 110GB used) to d: (80Gb)drive - it won't fit! I
suppose I could install the 160GB external as the D: drive and test it but
I'll wait till you reply to the above issues first

Finally: re ntoskrnl.exe, I have 6 files on the PC. Their properties are all
slightly different (size, size on disk, creation date, modified date or
version number). A checksum on all six files reveals the same CRC32
(F31B3752) and MD5 (4D4CF2C14550A4B7718E94A6E581856E). Do you know where I
can get a definitive version for my system?

If you need any dumps let me know.

Thx for the help
Bob
--

 

[thecreator]

Hi Bob,

We have eliminated memory as the problem. Question: This installation of
Windows XP Professional Edition Service Pack 2 was installed on a clean
partition and was not an upgrade from a previous operating system, that
wasn't XP Professional?

Do a fast check. Use Msconfig. Click on Startup. Remove checks from all
non-Microsoft programs and then click on Services. Hide all Microsoft
Services. Remove the checkmarks from the remaining Non-Microsoft Programs.
Click Apply and restart the computer. This Shutdown / Restart does not
count, if a Blue Screen, since programs and services are still in memory.

Once you have rebooted. Shutdown the computer and see what happens. If
No Blue Screen, then the problem is with the program you removed the
checkmark from.

Start back with Msconfig and click on Services. Restart all
Non-Microsoft Services then reboot and then ShutDown the computer. If no
errors, no back into Msconfig and click on Startup and start checking the
ones you trust. Click Apply and Close to restart and on restart Shutdown and
see what happens.

It takes time to troubleshoot.

Or, you could do a Clean reinstall of Windows XP Professional Edition
and shutdown after each program installs and see what happens. Clean
install, I am referring to is to Reformat and Reinstall Windows XP
Professional Edition. Do you have the Windows XP Professional CD?

 

[Guest]

Creator, thanks for the reply and sorry for the long time in getting back to
you. PLDT here in the Philippines has been playing silly bas****s with the
data lines!

Problem of crash & BSOD was caused by timntr.exe ( an Acronis True Image
Home driver) not closing down properly. I downloaded Microsofts' UHPCleanup
service and have it running full time. Now, every time I shutdown it's clean
and much faster...I don't know why it isn't standard code???

Re my NTOSKRNL.EXE symbol problem, I'm going to post a new thread in this
forum with NTOSKRN in the title if you care to have a look.

Thanks for all your help
Bob

 

[thecreator]

Hi Bob,

Not sure your exact problem, but I did a search at Microsoft Knowledge
Base and came up with some results of the search.

http://support.microsoft.com/search/default.aspx?catalog=LCID=1033&spid=6794&query=NTOSKRNL.EXE&adv=

Where can I get a correct version of ntoskrnl.exe given all the security
updates I've installed since SP2?

http://www.liutilities.com/products/wintaskspro/processlibrary/ntoskrnl/

Also you made want to look at TuneUp Utilities 2006. They have a 30 Day
Trial Use of the program.
http://www.tune-up.com/

This program could help fix your problems too.

 

[Guest]

Problem isn't exactly with nostkrnl.exe but rather the symbols file
ntoskrnl.pdb. The vaild copies I have are all mis-matched to version of the
exe file when I debug a dmp file with Windbg.

I've downloaded the symbol files from M$ twice and the Nostkrnl.pd_ cabinet
is corrupt in both cases. And when I put the public symbol server in my
symbols path it can't find the correct pdb file (or it finds a mis-matched
one). Thus I can't do a full debug on my dmp files after a BSOD.

For full details please see the following thread:

http://www.microsoft.com/technet/co...&tid=92e95af0-c694-4105-90c6-ac9375b1b59d&p=1

Thanks
Bob

 

[thecreator]

Hi Bob,

A newer version of Debugger has been released.
Windows Debugger Version 6.6.0007.5

Not sure which version you install. 32-bit or 64-bit ?

32-bit http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

64-bit http://www.microsoft.com/whdc/devtools/debugging/install64bit.mspx

Symbol packages found here:
http://www.microsoft.com/whdc/DevTools/Debugging/symbolpkg.mspx

Also Start and right-click My Computer for Properties --- Click on Advanced
then click Environmental Variables

Click New. For Variable name: enter: _NT_SYMBOL_PATH and its Variable value:
C:\WINDOWS\Symbols if where it is installed at. Click Ok and Click OK.

However you also need the _NT_EXECUTABLE_IMAGE_PATH and its Variable
Value: C:\Windows\system32 .