I
Iain Robinson
Our company has several Dell XP Pro PCs and in the last few months
we've seen all but one of them suffer from quite frequent blue screen
STOP errors (ranging from once a fortnight to maybe two or three times
a week). They are a mix of SP1 and SP2 and they all have Automatic
Updates set to download, although the actual installation of the
updates will be erratic as the updates are only installed when an
administrator logs on. I suspected that some Windows Update file was
responsible, as they were all okay and then suddenly most of them
started having problems within a week or so of each other. I looked
around on the web to see if anyone else was suffering from this
recently but didn't find anything to explain why this would suddenly
start happening - plenty of advice on interpreting specific STOP errors
or interrogating minidumps, which I did next. There is one XP Pro PC
that hasn't had any problems at all and the only thing I could see that
separated this PC from the others is that it has no USB peripherals
connected. NB Windows Error Reporting said, after a crash, that an
Iomega driver was probably responsible and I downloaded and installed
the suggested replacement driver. But it hasn't stopped the crashes....
I downloaded and installed the latest 'Debugging Tools for Windows',
set the debugging information to the recommended 'Kernel Memory Dump'
and waited for a crash. Problem is, the debugging tools gave me quite a
bit of info but I'm not sure what it all means. I'm posting it below
hoping that some kind knowledgable person will give me some pointers.
Would be grateful to receive any help with this annoying problem!
Iain
Microsoft (R) Windows Debugger Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is:
srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Fri Dec 30 16:16:32.837 2005 (GMT+0)
System Uptime: 0 days 5:47:04.418
Loading Kernel Symbols
.......................................................................................................Unable
to add
module at bf9d4000
...............
Loading unloaded module list
....................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for
details
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C2, {7, c3e, e2b62b70, e2b41da0}
*** ERROR: Module load completed but symbols could not be loaded for
smwdm.sys
*** ERROR: Module load completed but symbols could not be loaded for
e1000325.sys
*** ERROR: Module load completed but symbols could not be loaded for
ialmnt5.sys
*** WARNING: Unable to verify timestamp for fltmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for
fltmgr.sys
*** WARNING: Unable to verify timestamp for ialmdnt5.dll
*** ERROR: Module load completed but symbols could not be loaded for
ialmdnt5.dll
*** ERROR: Module load completed but symbols could not be loaded for
ialmdev5.DLL
*** WARNING: Unable to verify timestamp for ialmdd5.DLL
*** ERROR: Module load completed but symbols could not be loaded for
ialmdd5.DLL
*** ERROR: Module load completed but symbols could not be loaded for
PlatAlrt.sys
*** ERROR: Module load completed but symbols could not be loaded for
savonaccesscontrol.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for ialmsbw.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for ialmkchw.sys -
*** ERROR: Module load completed but symbols could not be loaded for
iomdisk.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for drmk.sys -
*** ERROR: Module load completed but symbols could not be loaded for
omci.sys
*** ERROR: Module load completed but symbols could not be loaded for
savonaccessfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for
NetAlrt.sys
*** ERROR: Module load completed but symbols could not be loaded for
ASPI32.SYS
*** WARNING: Unable to verify timestamp for dmload.sys
*** ERROR: Module load completed but symbols could not be loaded for
dmload.sys
*** WARNING: Unable to verify timestamp for ParVdm.SYS
*** ERROR: Module load completed but symbols could not be loaded for
ParVdm.SYS
*** ERROR: Module load completed but symbols could not be loaded for
aeaudio.sys
*** WARNING: Unable to verify timestamp for Null.SYS
*** ERROR: Module load completed but symbols could not be loaded for
Null.SYS
Probably caused by : ntoskrnl.exe ( nt!ExFreePoolWithTag+2be )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at
a bad IRQL level or double freeing the same
allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000c3e, (reserved)
Arg3: e2b62b70, Memory contents of the pool block
Arg4: e2b41da0, Address of the block of pool being deallocated
Debugging Details:
------------------
POOL_ADDRESS: e2b41da0 Paged pool
BUGCHECK_STR: 0xc2_7
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 8054b741 to 8053331e
STACK_TEXT:
f9365c20 8054b741 000000c2 00000007 00000c3e nt!KeBugCheckEx+0x1b
f9365c70 805da5de e2b41da0 00000000 e2b62b70 nt!ExFreePoolWithTag+0x2be
f9365c8c 8056b7bd e2b62b70 00000000 e2b62b58 nt!CmpFlushNotify+0x80
f9365ca4 805638f7 e2b62b70 e2b62b58 00000000 nt!CmpDeleteKeyObject+0x42
f9365cc0 804e36d5 e2b62b70 00000000 000000ec
nt!ObpRemoveObjectRoutine+0xdf
f9365ce4 80566ab3 ff844da0 e2b42560 ff83fa68
nt!ObfDereferenceObject+0x5f
f9365cfc 80566b1c e2b42560 e2b62b70 000000ec
nt!ObpCloseHandleTableEntry+0x155
f9365d44 80566b66 000000ec 00000001 00000000 nt!ObpCloseHandle+0x87
f9365d58 804de7ec 000000ec 0081fe94 7c90eb94 nt!NtClose+0x1d
f9365d58 7c90eb94 000000ec 0081fe94 7c90eb94 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be
wrong.
0081fe94 00000000 00000000 00000000 00000000 0x7c90eb94
FOLLOWUP_IP:
nt!ExFreePoolWithTag+2be
8054b741 83f801 cmp eax,0x1
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!ExFreePoolWithTag+2be
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9
STACK_COMMAND: kb
FAILURE_BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2be
BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2be
Followup: MachineOwner
---------
we've seen all but one of them suffer from quite frequent blue screen
STOP errors (ranging from once a fortnight to maybe two or three times
a week). They are a mix of SP1 and SP2 and they all have Automatic
Updates set to download, although the actual installation of the
updates will be erratic as the updates are only installed when an
administrator logs on. I suspected that some Windows Update file was
responsible, as they were all okay and then suddenly most of them
started having problems within a week or so of each other. I looked
around on the web to see if anyone else was suffering from this
recently but didn't find anything to explain why this would suddenly
start happening - plenty of advice on interpreting specific STOP errors
or interrogating minidumps, which I did next. There is one XP Pro PC
that hasn't had any problems at all and the only thing I could see that
separated this PC from the others is that it has no USB peripherals
connected. NB Windows Error Reporting said, after a crash, that an
Iomega driver was probably responsible and I downloaded and installed
the suggested replacement driver. But it hasn't stopped the crashes....
I downloaded and installed the latest 'Debugging Tools for Windows',
set the debugging information to the recommended 'Kernel Memory Dump'
and waited for a crash. Problem is, the debugging tools gave me quite a
bit of info but I'm not sure what it all means. I'm posting it below
hoping that some kind knowledgable person will give me some pointers.
Would be grateful to receive any help with this annoying problem!
Iain
Microsoft (R) Windows Debugger Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is:
srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Fri Dec 30 16:16:32.837 2005 (GMT+0)
System Uptime: 0 days 5:47:04.418
Loading Kernel Symbols
.......................................................................................................Unable
to add
module at bf9d4000
...............
Loading unloaded module list
....................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for
details
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck C2, {7, c3e, e2b62b70, e2b41da0}
*** ERROR: Module load completed but symbols could not be loaded for
smwdm.sys
*** ERROR: Module load completed but symbols could not be loaded for
e1000325.sys
*** ERROR: Module load completed but symbols could not be loaded for
ialmnt5.sys
*** WARNING: Unable to verify timestamp for fltmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for
fltmgr.sys
*** WARNING: Unable to verify timestamp for ialmdnt5.dll
*** ERROR: Module load completed but symbols could not be loaded for
ialmdnt5.dll
*** ERROR: Module load completed but symbols could not be loaded for
ialmdev5.DLL
*** WARNING: Unable to verify timestamp for ialmdd5.DLL
*** ERROR: Module load completed but symbols could not be loaded for
ialmdd5.DLL
*** ERROR: Module load completed but symbols could not be loaded for
PlatAlrt.sys
*** ERROR: Module load completed but symbols could not be loaded for
savonaccesscontrol.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for ialmsbw.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for ialmkchw.sys -
*** ERROR: Module load completed but symbols could not be loaded for
iomdisk.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for drmk.sys -
*** ERROR: Module load completed but symbols could not be loaded for
omci.sys
*** ERROR: Module load completed but symbols could not be loaded for
savonaccessfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for
NetAlrt.sys
*** ERROR: Module load completed but symbols could not be loaded for
ASPI32.SYS
*** WARNING: Unable to verify timestamp for dmload.sys
*** ERROR: Module load completed but symbols could not be loaded for
dmload.sys
*** WARNING: Unable to verify timestamp for ParVdm.SYS
*** ERROR: Module load completed but symbols could not be loaded for
ParVdm.SYS
*** ERROR: Module load completed but symbols could not be loaded for
aeaudio.sys
*** WARNING: Unable to verify timestamp for Null.SYS
*** ERROR: Module load completed but symbols could not be loaded for
Null.SYS
Probably caused by : ntoskrnl.exe ( nt!ExFreePoolWithTag+2be )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at
a bad IRQL level or double freeing the same
allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000c3e, (reserved)
Arg3: e2b62b70, Memory contents of the pool block
Arg4: e2b41da0, Address of the block of pool being deallocated
Debugging Details:
------------------
POOL_ADDRESS: e2b41da0 Paged pool
BUGCHECK_STR: 0xc2_7
DEFAULT_BUCKET_ID: DRIVER_FAULT
LAST_CONTROL_TRANSFER: from 8054b741 to 8053331e
STACK_TEXT:
f9365c20 8054b741 000000c2 00000007 00000c3e nt!KeBugCheckEx+0x1b
f9365c70 805da5de e2b41da0 00000000 e2b62b70 nt!ExFreePoolWithTag+0x2be
f9365c8c 8056b7bd e2b62b70 00000000 e2b62b58 nt!CmpFlushNotify+0x80
f9365ca4 805638f7 e2b62b70 e2b62b58 00000000 nt!CmpDeleteKeyObject+0x42
f9365cc0 804e36d5 e2b62b70 00000000 000000ec
nt!ObpRemoveObjectRoutine+0xdf
f9365ce4 80566ab3 ff844da0 e2b42560 ff83fa68
nt!ObfDereferenceObject+0x5f
f9365cfc 80566b1c e2b42560 e2b62b70 000000ec
nt!ObpCloseHandleTableEntry+0x155
f9365d44 80566b66 000000ec 00000001 00000000 nt!ObpCloseHandle+0x87
f9365d58 804de7ec 000000ec 0081fe94 7c90eb94 nt!NtClose+0x1d
f9365d58 7c90eb94 000000ec 0081fe94 7c90eb94 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be
wrong.
0081fe94 00000000 00000000 00000000 00000000 0x7c90eb94
FOLLOWUP_IP:
nt!ExFreePoolWithTag+2be
8054b741 83f801 cmp eax,0x1
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: nt!ExFreePoolWithTag+2be
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9
STACK_COMMAND: kb
FAILURE_BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2be
BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2be
Followup: MachineOwner
---------