July 8, 2008 11:46pm pdt

1. jkr 10,900
2. ravenpl 8,350
3. Infinity08 3,675
4. fridom 3,000
4. mannujam 3,000
6. MicheleM... 2,400
7. ozo 2,300
7. xentelwo... 2,300
9. evilrix 2,085
10. briancassin 2,000
10. jaime_ol... 2,000
10. JohnGaby 2,000
10. Smart_Man 2,000
10. duncan_roe 2,000
10. PCBONEZ 2,000
10. veedar 2,000
10. omarfarid 2,000
10. ebertk 2,000
10. webshock 2,000
10. davidgel... 2,000
10. sanjooz 2,000
10. mish33 2,000
10. Paul1n 2,000
10. murphey2 2,000
10. yuzh 2,000

1. jlevie 48,368
2. wesly_chen 37,200
3. Gns 28,641
4. ravenpl 22,894
5. jkr 22,150
6. duncan_roe 19,967
7. pjedmond 18,145
8. leew 15,200
9. rindi 14,630
10. cookre 13,865
11. sunnycoder 12,277
12. khkremer 9,600
13. ahoffmann 9,391
14. KeremE 8,600
15. ozo 7,900

04.17.2008 at 09:26AM PDT, ID: 23331551

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

8.8

Help Interpret Kernel Dump File

Zones: Kernel And Operating System Specific Programming, Microsoft Operating Systems, Microsoft Server

Tags: Kernel Dump File

Please help me identify what caulses my server to BSOD.... I have used WinDbg/!analyze although i dont know how to read it..

thank you,...

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:

           
           
             Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Documents and Settings\dhenderson\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
 
Symbol search path is: set _NT_SYMBOL_PATH=srv*DownstreamStore*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_rtm.050324-1447
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Apr 16 20:04:11.662 2008 (GMT-4)
System Uptime: 0 days 15:19:35.359
Loading Kernel Symbols
..............................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
Loading unloaded module list
..
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck A, {7351f1ec, 2, 1, 808666dd}
 
Page daa5e not present in the dump file. Type ".hh dbgerr004" for details
Page 113cd5 not present in the dump file. Type ".hh dbgerr004" for details
 
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
 
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
Probably caused by : memory_corruption ( nt!MiRemovePageByColor+9f )
 
Followup: MachineOwner
---------
 
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 7351f1ec, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 808666dd, address which referenced memory
 
Debugging Details:
------------------
 
Page daa5e not present in the dump file. Type ".hh dbgerr004" for details
Page 113cd5 not present in the dump file. Type ".hh dbgerr004" for details
 
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
 
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
 
WRITE_ADDRESS:  7351f1ec 
 
CURRENT_IRQL:  2
 
FAULTING_IP: 
nt!MiRemovePageByColor+9f
808666dd 89540f08        mov     dword ptr [edi+ecx+8],edx
 
DEFAULT_BUCKET_ID:  DRIVER_FAULT
 
BUGCHECK_STR:  0xA
 
PROCESS_NAME:  helpsvc.exe
 
TRAP_FRAME:  b9161c0c -- (.trap 0xffffffffb9161c0c)
ErrCode = 00000002
eax=8089ab34 ebx=00000003 ecx=81600000 edx=ff7f7f7f esi=8276c474 edi=f1f1f1e4
eip=808666dd esp=b9161c80 ebp=b9161ca0 iopl=0         ov up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010a87
nt!MiRemovePageByColor+0x9f:
808666dd 89540f08        mov     dword ptr [edi+ecx+8],edx ds:0023:7351f1ec=????????
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from 808666dd to 8088bdd3
 
STACK_TEXT:  
b9161c0c 808666dd badb0d00 ff7f7f7f 00000008 nt!KiTrap0E+0x2a7
b9161ca0 80866ac6 00000001 00000001 0000001b nt!MiRemovePageByColor+0x9f
b9161cbc 8084dcda c00093f0 c0600048 00000000 nt!MiRemoveZeroPage+0x8a
b9161cd8 8085e90f 0127e000 c00093f0 89661978 nt!MiResolveDemandZeroFault+0x104
b9161d4c 8088bc08 00000001 0127e000 00000001 nt!MmAccessFault+0xd67
b9161d4c 0100a48d 00000001 0127e000 00000001 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
005afcfc 00000000 00000000 00000000 00000000 0x100a48d
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
nt!MiRemovePageByColor+9f
808666dd 89540f08        mov     dword ptr [edi+ecx+8],edx
 
SYMBOL_STACK_INDEX:  1
 
SYMBOL_NAME:  nt!MiRemovePageByColor+9f
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: nt
 
DEBUG_FLR_IMAGE_TIMESTAMP:  42435b14
 
IMAGE_NAME:  memory_corruption
 
FAILURE_BUCKET_ID:  0xA_W_nt!MiRemovePageByColor+9f
 
BUCKET_ID:  0xA_W_nt!MiRemovePageByColor+9f
 
Followup: MachineOwner
---------
 
0: kd> .trap 0xffffffffb9161c0c
ErrCode = 00000002
eax=8089ab34 ebx=00000003 ecx=81600000 edx=ff7f7f7f esi=8276c474 edi=f1f1f1e4
eip=808666dd esp=b9161c80 ebp=b9161ca0 iopl=0         ov up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010a87
nt!MiRemovePageByColor+0x9f:
808666dd 89540f08        mov     dword ptr [edi+ecx+8],edx ds:0023:7351f1ec=????????
0: kd> lmvm nt
start    end        module name
80800000 80a53000   nt         (pdb symbols)          set _NT_SYMBOL_PATH=srv\ntkrpamp.pdb\FEC480982D1145E696432CBBD9BC2C831\ntkrpamp.pdb
    Loaded symbol image file: ntkrpamp.exe
    Image path: ntkrpamp.exe
    Image name: ntkrpamp.exe
    Timestamp:        Thu Mar 24 20:28:04 2005 (42435B14)
    CheckSum:         0023D043
    ImageSize:        00253000
    File version:     5.2.3790.1830
    Product version:  5.2.3790.1830
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntkrpamp.exe
    OriginalFilename: ntkrpamp.exe
    ProductVersion:   5.2.3790.1830
    FileVersion:      5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
    FileDescription:  NT Kernel & System
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

           
         

Start your free trial to view this solution

Question Stats

Zone: Programming

Question Asked By: Nmagsaysay

Solution Provided By: xentelworker

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

04.17.2008 at 12:26PM PDT, ID: 21380486

xentelworker:

How often does thie Blue Screen?

Can you enable Driver Verifier at the command prompt:

verifier.exe /all

This will help identify the faulting driver since your dump dosen't point to the culprit.

04.17.2008 at 01:03PM PDT, ID: 21380776

Nmagsaysay:

when I enable Driver Verifier do I have to wait for the next blue screen to determine the culprit?

04.17.2008 at 02:57PM PDT, ID: 21381774

Nickperf:

Hey,

Can you send us the dump file (zip it first)? We never ever try driver verifer as it can cause more issue and can even put your machine in no boot situation. I would recommend you to send us the dump and we can give you the output.

Regards

Nicks

04.17.2008 at 04:28PM PDT, ID: 21382291

Nmagsaysay:

you are right how do i remove / undo the verifier /all comand? (Windows comes up but reboots about 10mins after it comes up)

I cant upload he .dmp file.. its 25 meg compressed ee has a 5meg limit ....

04.17.2008 at 04:32PM PDT, ID: 21382305

Nmagsaysay:

heres the mini .dmp

04.17.2008 at 04:36PM PDT, ID: 21382313

Nmagsaysay:

rename to minidmp.zip

minidmp.txt (12 KB) (Possible File Type Mismatch)

minidmp file

04.17.2008 at 04:55PM PDT, ID: 21382365

Nmagsaysay:

I've attached the mini.dmp analyze results..

                       
         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:

           
           
             *******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck C4, {81, 896f4850, 82, 0}
 
Unable to load image \SystemRoot\system32\drivers\npf.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for npf.sys
*** ERROR: Module load completed but symbols could not be loaded for npf.sys
 
 
Probably caused by : npf.sys ( npf+1e02 )
 
Followup: MachineOwner
---------
 
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught.  This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
        Parameter 1 = 0x1000 .. 0x1020 - deadlock verifier error codes.
               Typically the code is 0x1001 (deadlock detected) and you can
               issue a '!deadlock' KD command to get more information.
Arguments:
Arg1: 00000081, MmMapLockedPages called without MDL_MAPPING_CAN_FAIL
Arg2: 896f4850, MDL address.
Arg3: 00000082, MDL flags.
Arg4: 00000000, 0.
 
Debugging Details:
------------------
 
 
 
 
BUGCHECK_STR:  0xc4_81
 
CUSTOMER_CRASH_COUNT:  5
 
DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP
 
PROCESS_NAME:  TvServer.exe
 
CURRENT_IRQL:  0
 
LAST_CONTROL_TRANSFER:  from 809b5c62 to 80827451
 
STACK_TEXT:  
b87bfbec 809b5c62 000000c4 00000081 896f4850 nt!KeBugCheckEx+0x1b
b87bfc18 f7738e02 896f4850 00000000 80a56be4 nt!VerifierMmMapLockedPages+0xb8
WARNING: Stack unwind information not available. Following frames may be wrong.
b87bfc50 809b450c 89710dd0 898336c8 898336c8 npf+0x1e02
b87bfc80 8081dcb3 808f4797 b87bfca0 808f4797 nt!IovCallDriver+0x112
b87bfc8c 808f4797 89833738 898336c8 8982af90 nt!IofCallDriver+0x13
b87bfca0 808f196b 89710dd0 898336c8 8982af90 nt!IopSynchronousServiceTail+0x10b
b87bfd38 80888c6c 0000064c 00000000 00000000 nt!NtReadFile+0x5cf
b87bfd38 7c82ed54 0000064c 00000000 00000000 nt!KiFastCallEntry+0xfc
0886fbf0 00000000 00000000 00000000 00000000 0x7c82ed54
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
npf+1e02
f7738e02 ??              ???
 
SYMBOL_STACK_INDEX:  2
 
SYMBOL_NAME:  npf+1e02
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: npf
 
IMAGE_NAME:  npf.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  3e8d8386
 
FAILURE_BUCKET_ID:  0xc4_81_npf+1e02
 
BUCKET_ID:  0xc4_81_npf+1e02
 
Followup: MachineOwner
           
         

Open in New Window

04.17.2008 at 06:36PM PDT, ID: 21382713

xentelworker:

NPF.sys (Which is WinCap) seems to be your issue. Looking at your dump, it looks to be VERY old:

1: kd> lmvm npf
start end module name
f7737000 f773e680 npf T (no symbols)
Loaded symbol image file: npf.sys
Image path: \SystemRoot\system32\drivers\npf.sys
Image name: npf.sys
Timestamp: Fri Apr 04 09:07:18 2003 (3E8D8386)
CheckSum: 00014DC4
ImageSize: 00007680
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

Here is another post related to the same issue. Either remove or update your WinCap

http://www.winpcap.org/pipermail/winpcap-bugs/2006-July/000249.html

Also, to turn off Driver verifer, goto command prompt and type in verifier.exe /reset.

Accepted Solution

20080236-EE-VQP-29 / EE_QW_2_20070628