Finding the driver that caused a double fault blue screen?

[Erik HG]

How do I find the driver that is causing a random double fault blue screen?
I tried KAnalyse and it says that my memory.dmp file is invalid.

This started with the mid-November auto-update for Vista.

Thanks,
-Erik

 

[Mark L. Ferguson]

Have you checked the Control Panel, Device Manager for a device error?

Go to Start/Run, and type DEVMGMT.MSC , highlight the device, Action menu,
"Uninstall", (do Not put a check in 'delete driver") then Action menu,"scan
for hardware changes", to find the device drivers again automatically.

--
Use the "Ratings" feature. It helps the new users.
Please use the Communities guidelines when posting.
http://www.microsoft.com/wn3/locales/help/help_en-us.htm
Mark L. Ferguson MS-MVP
https://mvp.support.microsoft.com/profile/Mark.Ferguson

 

[Erik HG]

I can't do that until I know which device driver caused the error...

 

[Clark]

I can't do that until I know which device driver caused the error...

If you have access (maybe Safe Mode), try disabling different devices in
Device Manager. I had to do that with my modem since I always got a
blue screen during boot if it was enabled. If you don't have access,
try removing any devices you can.

Check all your logs.

If all else fails, can you remove the update?

Clark

 

[Zaphod Beeblebrox]

How do I find the driver that is causing a random double fault blue
screen?
I tried KAnalyse and it says that my memory.dmp file is invalid.

This started with the mid-November auto-update for Vista.

Have you tried looking at the memory.dmp or mini*.dmp files with
Microsoft's Debugging Tools for Windows? I've been able to use it to
analyze .dmp files from Vista, so maybe they will help you.
http://www.microsoft.com/whdc/devtools/debugging/default.mspx

 

[Erik HG]

While I can do that, what I want to know is how to determine what driver
caused the dump from the memory.dmp.

Thanks,
-Erik

 

[Erik HG]

I did a Windbg on the file, of course the posted Symbol files are out of
date, but I get the following:

===========================================
BugCheck 7F, {8, 8015a000, 0, 0}

MODULE_NAME: nt

FAULTING_MODULE: 83018000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 48d1b7fa

BUGCHECK_STR: 0x7f_8

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 00000000 to 83071b3e

STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 nt!Kei386EoiHelper+0x1736


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!Kei386EoiHelper+1736
83071b3e ebee jmp nt!Kei386EoiHelper+0x1726 (83071b2e)

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!Kei386EoiHelper+1736

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntkrpamp.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

0: kd> lmvm nt
start end module name
83018000 833d1000 nt (export symbols) ntkrpamp.exe
Loaded symbol image file: ntkrpamp.exe
Image path: ntkrpamp.exe
Image name: ntkrpamp.exe
Timestamp: Wed Sep 17 21:07:54 2008 (48D1B7FA)
CheckSum: 00379F5D
ImageSize: 003B9000
File version: 6.0.6001.18145
Product version: 6.0.6001.18145
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrpamp.exe
OriginalFilename: ntkrpamp.exe
ProductVersion: 6.0.6001.18145
FileVersion: 6.0.6001.18145 (vistasp1_gdr.080917-1612)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.

===============================
I interpret this to mean that the kernel that was auto-updated in mid
November is bad. Anyone know which of the updates had this kernel in it so I
can undo it?

Thanks,
-Erik