Gerry said:
TW
Any complete Stop Error message would be helpful, random or otherwise.
Same with Event Viewer Reports. Other more trained observers will picks
up on details that you might not see as significant.
Following, separated by lines of tildes are windbg.exe !analyze -v
results on minidump files from the last four crashes:
Loading Dump File [C:\WINDOWS\Minidump\Mini030407-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
C:\WINDOWS\Symbols;C:\WINDOWS\Symbols\sys;C:\WINDOWS\Symbols\exe;C:\WINDOWS\Symbols\com
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Sun Mar 4 11:00:02.315 2007 (GMT-5)
System Uptime: 0 days 2:28:11.141
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
............................................................................................................................
Loading User Symbols
Loading unloaded module list
................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {9296b3db, 2, 0, 804f98b7}
Probably caused by : ntoskrnl.exe ( nt!CcGetVacbMiss+307 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address
at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 9296b3db, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804f98b7, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 9296b3db
CURRENT_IRQL: 2
FAULTING_IP:
nt!CcGetVacbMiss+307
804f98b7 803b02 cmp byte ptr [ebx],2
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: firefox.exe
LAST_CONTROL_TRANSFER: from 805b4a5c to 804f98b7
STACK_TEXT:
b9504cec 805b4a5c 00000001 00000006 b9504d01 nt!CcGetVacbMiss+0x307
b9504d50 8053c808 000003a8 00000000 00000000
nt!SepRmCommandServerThreadInit+0x132
b9504d64 7c90eb94 badb0d00 01b8fe78 00000000 nt!ObpPushStackInfo+0x75
WARNING: Frame IP not in any known module. Following frames may be wrong.
b9504d70 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!CcGetVacbMiss+307
804f98b7 803b02 cmp byte ptr [ebx],2
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!CcGetVacbMiss+307
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 42250a1d
FAILURE_BUCKET_ID: 0xA_nt!CcGetVacbMiss+307
BUCKET_ID: 0xA_nt!CcGetVacbMiss+307
Followup: MachineOwner
---------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Loading Dump File [C:\WINDOWS\Minidump\Mini030407-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
C:\WINDOWS\Symbols;C:\WINDOWS\Symbols\sys;C:\WINDOWS\Symbols\exe;C:\WINDOWS\Symbols\com
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Sun Mar 4 11:53:20.343 2007 (GMT-5)
System Uptime: 0 days 0:01:28.953
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
............................................................................................................................
Loading User Symbols
Loading unloaded module list
............
Unable to load image win32k.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for win32k.sys
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 10000050, {874dab58, 0, bf820923, 0}
Could not read faulting driver name
Probably caused by : win32k.sys ( win32k!xxxCalcValidRects+267 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except,
it must be protected by a Probe. Typically the address is just plain
bad or it
is pointing at freed memory.
Arguments:
Arg1: 874dab58, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf820923, If non-zero, the instruction address which referenced
the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: 874dab58
FAULTING_IP:
win32k!xxxCalcValidRects+267
bf820923 397718 cmp dword ptr [edi+18h],esi
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: explorer.exe
LAST_CONTROL_TRANSFER: from bf80f0b6 to bf820923
STACK_TEXT:
b9e12c40 bf80f0b6 00000001 b9e12c68 bf80f17a win32k!xxxCalcValidRects+0x267
b9e12c4c bf80f17a 864a0ae8 00000001 00000000 win32k!ProtectHandle+0x58
b9e12c68 805c6f99 864a0ae8 00000001 864a0ae8 win32k!FillRect+0x47
b9e12d14 805c73d0 00000000 00000000 864a0ae8 nt!IopBuildCmResourceList+0xd0
b9e12d34 805c7710 864a0ae8 00000000 b9e12d64
nt!IopWriteAllocatedResourcesToRegistry+0x8e
b9e12d54 8053c808 00000000 00000000 0142ff74 nt!RtlpAddToMergedRange+0x89
b9e12d64 7c90eb94 badb0d00 0142ff3c 00000000 nt!ObpPushStackInfo+0x75
WARNING: Frame IP not in any known module. Following frames may be wrong.
b9e12d70 00000000 00000000 00000000 00000000 0x7c90eb94
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!xxxCalcValidRects+267
bf820923 397718 cmp dword ptr [edi+18h],esi
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: win32k!xxxCalcValidRects+267
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 43446a58
FAILURE_BUCKET_ID: 0x50_win32k!xxxCalcValidRects+267
BUCKET_ID: 0x50_win32k!xxxCalcValidRects+267
Followup: MachineOwner
---------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
C:\WINDOWS\Symbols;C:\WINDOWS\Symbols\sys;C:\WINDOWS\Symbols\exe;C:\WINDOWS\Symbols\com
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Sun Mar 4 16:08:51.671 2007 (GMT-5)
System Uptime: 0 days 0:27:31.270
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
.............................................................................................................................
Loading User Symbols
Loading unloaded module list
............
Unable to load image smwdm.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for smwdm.sys
*** ERROR: Module load completed but symbols could not be loaded for
smwdm.sys
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 100000D1, {80, 2, 0, f6d29a22}
Probably caused by : smwdm.sys ( smwdm+36a22 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address
at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000080, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: f6d29a22, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000080
CURRENT_IRQL: 2
FAULTING_IP:
smwdm+36a22
f6d29a22 0fbf3c0f movsx edi,word ptr [edi+ecx]
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: Idle
LAST_CONTROL_TRANSFER: from 80548db0 to f6d29a22
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
80548d00 80548db0 863df8f4 861808d8 85fef000 smwdm+0x36a22
80548d0c 85fef000 79d61610 ffd505c0 00000200 nt!Ke386SetLdtProcess+0x82
80548d1c f6d2bd8f 8629e870 00000080 00000000 0x85fef000
80548d20 8629e870 00000080 00000000 863df8f4 smwdm+0x38d8f
80548d24 00000000 00000000 863df8f4 85fef000 0x8629e870
STACK_COMMAND: kb
FOLLOWUP_IP:
smwdm+36a22
f6d29a22 0fbf3c0f movsx edi,word ptr [edi+ecx]
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: smwdm
IMAGE_NAME: smwdm.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 40842bbb
SYMBOL_NAME: smwdm+36a22
FAILURE_BUCKET_ID: 0xD1_smwdm+36a22
BUCKET_ID: 0xD1_smwdm+36a22
Followup: MachineOwner
---------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c000001d, The exception code that was not handled
Arg2: 00000104, The address that the exception occurred at
Arg3: f46d2a38, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction
An attempt was made to execute an illegal instruction.
FAULTING_IP:
+104
00000104 ?? ???
TRAP_FRAME: f46d2a38 -- (.trap fffffffff46d2a38)
ErrCode = 00000000
eax=000000df ebx=804fd7ee ecx=804fd77c edx=0000e000 esi=bbe511f8
edi=bf827826
eip=00000104 esp=f46d2aac ebp=f46d2ad4 iopl=0 nv up ei ng nz na
po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010283
00000104 ?? ???
Resetting default scope
CUSTOMER_CRASH_COUNT: 4
DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: csrss.exe
LAST_CONTROL_TRANSFER: from 00000000 to 00000104
FAILED_INSTRUCTION_ADDRESS:
+104
00000104 ?? ???
SYMBOL_ON_RAW_STACK: 1
STACK_ADDR_RAW_STACK_SYMBOL: 17002000010004
STACK_COMMAND: dds F46D2ADC-0x20 ; kb
STACK_TEXT:
f46d2abc 00000000
f46d2ac0 00000000
f46d2ac4 00000000
f46d2ac8 fffffff8
f46d2acc 00000003
f46d2ad0 00000000
f46d2ad4 f46d2d30
f46d2ad8 bf888d45 win32k!NtGdiResetDC+0x66
f46d2adc 00000022
f46d2ae0 006dfff4
f46d2ae4 bf8010a7 win32k!ThreadUnlock1+0x12
f46d2ae8 00180016
f46d2aec bf98f264 win32k!MessageTable+0x984
f46d2af0 00000000
f46d2af4 86707e90
f46d2af8 8677f06c
f46d2afc f46d2b24
f46d2b00 00000000
f46d2b04 000000aa
f46d2b08 0000000f
f46d2b0c 00000000
f46d2b10 f46d2b44
f46d2b14 8666a020
f46d2b18 866a5000
f46d2b1c f46e24a8
f46d2b20 00000001
f46d2b24 00000001
f46d2b28 00000000
f46d2b2c 867c8028
f46d2b30 865cc6e0
f46d2b34 ffffffff
f46d2b38 000000aa
FOLLOWUP_IP:
win32k!NtGdiResetDC+66
bf888d45 ?? ???
SYMBOL_NAME: win32k!NtGdiResetDC+66
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 43446a58
FAILURE_BUCKET_ID: 0x8E_BAD_IP_win32k!NtGdiResetDC+66
BUCKET_ID: 0x8E_BAD_IP_win32k!NtGdiResetDC+66
Followup: MachineOwner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Are the BSODs occuring on booting or post boot?
Post boot, in use or unattended (random intervals).
Disable automatic restart on system failure. This should help by
allowing time to write down the STOP code properly. Keep pressing the
F8 key during StartUp and select option - Disable automatic restart on
system failure.
Did this as soon as the problem started
Please post copies of all Error and Warning Reports appearing in the
System and Application logs in Event Viewer for the last boot. No
Information Reports please.
There are none