Question

Blue Screen Troubleshooting Help

Asked by: roberts0909

I occasionally get Stop errors after the XP machine has been running for several hours.  I have information to work with but am having trouble figuring out what is important and how it relates to the rest.  


From the system log:

Error code 000000f4, parameter1 00000003, parameter2 896a3da0, parameter3 896a3f14, parameter4 805d297c.

This is preceded by several of the following warnings in sys log:

"An error was detected on device \Device\Harddisk3\D during a paging operation."

However, this is a bit confusing, since HD3 is an external USB drive I use for backups but D: is the optical drive.  


To make things more interesting, WinDB gives this result from the minidump (including the full text to show the version of analyzer etc.:

"Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini092709-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\websymbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sun Sep 27 08:44:26.109 2009 (GMT-5)
System Uptime: 2 days 1:24:58.685
Loading Kernel Symbols
...............................................................
................................................................
.............................
Loading User Symbols
Loading unloaded module list
........................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F4, {3, 896a3da0, 896a3f14, 805d297c}

Unable to load image TfSysMon.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for TfSysMon.sys
*** ERROR: Module load completed but symbols could not be loaded for TfSysMon.sys
*** WARNING: Unable to verify timestamp for cmdguard.sys
*** ERROR: Module load completed but symbols could not be loaded for cmdguard.sys
unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
Probably caused by : hardware_disk

Followup: MachineOwner"


TfSysMon.sys (C:\WINDOWS\system32\drivers) is part of ThreatFire, the AV program I use.  But if that's the cause then why the conclusion of WinDB "Probably caused by : hardware_disk"?


Side note: how do I get WinXP to give me a full dump?






This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-09-27 at 09:52:01ID24765270
Tags

Microsoft XP Pro

,

SP3

Topics

Windows XP Operating System

,

Microsoft Windows Operating Systems

,

Microsoft Operating Systems

Participating Experts
2
Points
500
Comments
10

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Pc not detecting Optical drives
    This morning when I booted up, I noticed that neither of my CD drives were available in windows explorer. I have two drives dvd-rw and cd-rw. The OS is w2k, AMD 1800 512mb ddr, ATI radeon 64, SBLive Plat Audgiy2, onboard USB2 450w PSU, IBM 40 ATA100. I tried to replace the ...
  2. C:\WINDOWS\System32\Autoexec.nt
    Why do i keep getting this error message C:\WINDOWS\System32\Autoexec.nt
  3. Missing or corrupt \WINNT\SYSTEM32\CONFIG\SYS
    I was getting an error when I tried to start up Windows 2000 Professional. It was saying \WINNT\SYSTEM32\CONFIG\SYSTEM was missing or corrupt. All I wanted was some data off the hard drive so I went into the repair console and copied the \repair\system over the one that was c...
  4. Blue Screen Error -- Kernel_Stack_INPAGE_Error
    I have a Windows 2000 Pro workstation that booted up this morning ok; however, once logged in it went to a blue screen. I shut down and then rebooted and it rebooted ok and the user logged in ok again -- but after a while the blue screen came up again. The message read: ST...
  5. Winnt\System32\config\System Corrupt or missing
    I’m having some serious problems with my O/S http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21469244.html , but this ticket is for “following file is corrupted or missing Winnt\System32\config\system" error im getting when i try to boot to my win2k Serve...
  6. missing or corrupt - winnt\system32\config\system
    I have a windows 2000 pc that fails to boot with an error saying that "the following file is missing or corrupt winnt\system32\config\system". Is this a registry problem and what is the best way to correct it without reformatting the drive?? dc

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: roberts0909Posted on 2009-09-27 at 10:06:32ID: 25434589

Edit:

cmdguard.sys is the driver for Comodo Firewall.  

 

by: akahanPosted on 2009-09-27 at 10:18:51ID: 25434626

To me, this looks like your USB enclosure (not the drive) is going bad.  That is absolutely the most common source of "paging errors" on USB drives (which is what this appears to be).

In your shoes, I would put the drive in a new enclosure, and run chkdsk /f on it (to check for, and hopefully fix,  errors that may have been introduced to the drive while the enclosure was going bad.)

I would feel even more strongly about this diagnosis if you tended to get these errors while doing a lot of disk i/o (e.g, while backing up to the drive), suggesting that the enclosure is overheating.


 

by: houssam_balloutPosted on 2009-09-27 at 10:28:09ID: 25434656

had you try to test running windows without the USB?

 

by: roberts0909Posted on 2009-09-27 at 13:53:47ID: 25435455

The drive is an enclosed (maybe "sealed" is a better word) unit, one of the Seagate FreeAgent series and has been attached for years, but very easy to disconnect.

The drive was not in use at all when the system crashed.  (No backup running, no paging file on this drive, etc.).

My real question about drives is about this line:  \Device\Harddisk3\D.  Disc Management tells me that "Disc 3" is the Seagate USB.  D: is DVDRW (which was empty at the time).  Which one does the Warning referring to?

 

by: akahanPosted on 2009-09-27 at 14:05:30ID: 25435491

Do you ever get these errors when the drive is disconnected?  

In \Device\Harddisk3\D, the "D" at the end is COMPLETELY irrelevant.  It has nothing to do with "Partition D"., or "Drive D".   The string is truncated.  If you were able to see it in full, it would say something like \Device\Harddisk3\DR5.  That is, the DOS name for the drive.  You could run this little piece of software (a USB drive enumerator) to confirm this:

http://www.uwe-sieber.de/files/listusbdrives.zip

 

by: roberts0909Posted on 2009-09-27 at 14:15:50ID: 25435528

running !analyze -v:




0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 896a3da0, Terminating object
Arg3: 896a3f14, Process image file name
Arg4: 805d297c, Explanatory message (ascii)

Debugging Details:
------------------

unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase

PROCESS_OBJECT: 896a3da0

IMAGE_NAME:  hardware_disk

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAULTING_MODULE: 00000000

PROCESS_NAME:  csrss.exe

EXCEPTION_RECORD:  a575b9d8 -- (.exr 0xffffffffa575b9d8)
ExceptionAddress: 7c963399
   ExceptionCode: c0000006 (In-page I/O error)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000008
   Parameter[1]: 7c963399
   Parameter[2]: c000009a
Inpage operation failed at 7c963399, due to I/O error c000009a

EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  7c963399

EXCEPTION_PARAMETER3:  c000009a

IO_ERROR: (NTSTATUS) 0xc000009a - Insufficient system resources exist to complete the API.

EXCEPTION_STR:  0xc0000006_c000009a

FAULTING_IP:
+1e7952f013adfdc
7c963399 ??              ???

BUGCHECK_STR:  0xF4_IOERR_C000009A

STACK_TEXT:  
a575b4a4 805d1ac5 000000f4 00000003 896a3da0 nt!KeBugCheckEx+0x1b
a575b4c8 805d2a27 805d297c 896a3da0 896a3f14 nt!PspCatchCriticalBreak+0x75
a575b4f8 ba0feb32 896a3fe8 c0000006 00000000 nt!NtTerminateProcess+0x7d
WARNING: Stack unwind information not available. Following frames may be wrong.
a575b530 a68c80e5 ffffffff c0000006 a5d33074 TfSysMon+0x6b32
a575b574 8054162c ffffffff c0000006 a575b9b0 cmdguard+0x40e5
a575b574 80501161 ffffffff c0000006 a575b9b0 nt!KiFastCallEntry+0xfc
a575b5f4 804fe816 ffffffff c0000006 a575b9f8 nt!ZwTerminateProcess+0x11
a575b9b0 805028cf a575b9d8 00000000 a575bd64 nt!KiDispatchException+0x3a0
a575bd34 80544ef7 010ef81c 010ef83c 00000000 nt!KiRaiseException+0x175
a575bd50 8054162c 010ef81c 010ef83c 00000000 nt!NtRaiseException+0x33
a575bd50 7c963399 010ef81c 010ef83c 00000000 nt!KiFastCallEntry+0xfc
010efe54 00000000 00000000 00000000 00000000 0x7c963399


STACK_COMMAND:  kb

FOLLOWUP_IP:
+1e7952f013adfdc
7c963399 ??              ???

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: hardware_disk

FAILURE_BUCKET_ID:  0xF4_IOERR_C000009A_IMAGE_hardware_disk

BUCKET_ID:  0xF4_IOERR_C000009A_IMAGE_hardware_disk

Followup: MachineOwner
---------

 

by: roberts0909Posted on 2009-09-27 at 17:33:31ID: 25436120

Very nice utility, Akahan.


Friendly Name     = Dell

MountPoint        = J:\
Volume Label      = BU__USB_FreeAgent Drive
Volume Size       = 750 GB (NTFS)
Volume Serial     = 6094-0939
Disk Size         = 750 GB
Volume Name       = \\?\Volume{a3a1bbc4-08b8-11dc-b5da-00123f6f1c10}\
Partition Name    = \Device\Harddisk3\Partition1
Bus Type          = USB
Drive Type        = fixed
Device Types      = ---
Volume DevID      = STORAGE\VOLUME\1&30A96598&0&SIGNATUREA4B57300OFFSET7E00LENGTHAEA8A58400
Drive DevID       = USBSTOR\DISK&VEN_SEAGATE&PROD_FREEAGENT_PRO&REV_400A\____________3QD0WSKM&0
Ctrl  DevID       = USB\VID_0BC2&PID_3010\____________3QD0WSKM
Host Controller   = Intel(R) 82801G (ICH7 Family) USB2 Enhanced Host Controller - 27CC
Volume DosDevName = \Device\HarddiskVolume5
Disk DosDevName   = \Device\Harddisk3\DR7
Removal Policy    = surprise removal ('Optimize for quick removal')
Partition Number  = 1 of 1
Friendly Name     = Seagate FreeAgent Pro
Requested Power   = 0 mA (self powered)
USB Version       = 2.0 (high speed)
USB Friendl. Name = USB device
USB Serial        = ---
USB Port Name     = 5-5


Press any key to close

 

Looks like it was "Disk DosDevName   = \Device\Harddisk3\DR7".  Even though it seems to have more than one DOS name, I'm assuming they all refer to the same USB drive (There are two attached, both are Seagates)

 

by: akahanPosted on 2009-09-27 at 18:08:06ID: 25436234

Right. So I would bet that if the USB drive were disconnected you would not get these errors. And that the problem is the USB enclosure going bad.

 

by: roberts0909Posted on 2009-09-27 at 19:51:52ID: 31634141

You nailed it.  I ran the Seagate tools and it failed.  This is the drive with all the music on it, so great loss, but a good enough excuse to make a trip to the local shop  ;)

 

by: houssam_balloutPosted on 2009-09-27 at 23:34:46ID: 25437067

Well, my post was the same also

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...