IRQL BSOD caused by ntkrpamp.exe

Have you updated to Vista SP2 yet? Try this first. Also try and update all your device drivers for your laptop from the manufacturers web site. Also check your event logs to see if this will help pin point the exact problem.

The timestamp on the dump shows that particular BSOD occurred over 2 weeks ago.  Have you had any more recent BSODs?
I see that it is Vista SP1 and that it is a full kernel dump.  There s/b mini kernel dumps in \windows\minidump.  If you would also be so kind as to re-run the dump thru the debugger, but when it comes time to click on the blue !analyze -v, please enter the line in the code box into the kd> line at the bottom of the debugger and then re-post the output.
The driver listed as "probably caused by" is an NT Kernel component and in no way is responsible here.  I agree with Pete Zed that the device drivers should be updated, but I would hold off on SP2 if possible right now.  I would rather see the driver verifier run as it is really the only chance here of identifying a problematic driver, assuming this is software related.  That is your call, of course.  Here are the instructions - http://www.techsupportforum.com/2110308-post3.html
In the interim, if you would please re-run the debugger w/ the code snippet in the kd> cmd line, it will afford me a look at the loaded drivers at the time of the BSOD.  
Also, the bugcheck on the BSOD = 0xa - which may indicate RAM, but I think it is worth while to look at the drivers 1st.
Thank you -
jcgriff2

!analyze -v;r;kv;lmtn

Select allOpen in new window

Hi,

thanks a million for your responses. I am the manufacturer technical support second level. It is not a driver issue as it is a clean system and only OEM drivers installed. (the customer has the computer). If it was a driver issue the issue would be reproduced across the lineup. The BSOD is ongoing even after we replaced the RAM and the hdd. The BSOD dump writes over the old one so this must be the latest one.

Also, what is the driver verifier tool do exactly? What do those instructions do?

on a side note, jcgriff2, that is a very interesting and helpful post. Where do you get this info from? I would like to learn this? Can you advise any books etc.?

Hi -
You're welcome.  You said it is a "clean system" yet OEM drivers installed. Does this mean that the OEM Vista DVD (recovery DVD) was used to load Vista?  If so, there are probably apps that came pre-installed on the OEM Vista DVD along with the drivers.  Those apps along with new ones the user installed and any 3rd party manufacturer driver updates that came in on their own or via Windows Updates -- it is all suspect and could be contributing to the BSODs.  Just some food for thought.  
If you don't mind, I would really like to see the loaded driver list from the kernel dump.  It is very quick for you - bring the debugger back up and when you would normally click on the blue !analyze -v  - don't click.  Look down at the bottom of the dbgger screen for kd> - paste this into that line -
!analyze -v;r;kv;lmtn  
 Then please post the debugger output like in the 1st post - only this one will have the loaded drivers on it.
I do understand that it was a full kernel dump file and that \windows\memory.dmp is overwritten each time.  Usually, a mini kernel dump will be produced in addition to the kernel dump.  They are in c:\windows\minidump.  If you zip them up and attach or add the file extension TXT & attach to post, I'll run them.  
It would be interesting to know if the other bugchecks were 0xa and if the memory addresses contained in 2 of the 4 parms are in close proximity to each other.  I know that 0xa can be hardware, however I can show you 100's of threads  that will tell us ~50% (guesstimate) are driver related - not necessarily device drivers.  Vista has the 0x124 WHEA (Windows Hardware Error Architecture) bugcheck and I would have expected to see it or a 0x101 CLOCK_WATCHDOG_TIMEOUT bugcheck given that the program instruction it failed on was nt!PpmCallIdleHandler+2c - which I think involves "Ppm" = processor power management.  So I am unsure if this would/ could tie in to RAM as being the culprit in this BSOD.  I don't know why NT called upon an object and then ordered "CallIdleHandler".  That sound CPU related to me.
Did you look at the drivers at any time before replacing the HDD and RAM?  I don't know how old the system is but I think it could have been a driver.  I'll say that the possibility exists.  The reason being Window Updates..  The "faulting module" ntkrpamp.exe has a timestamp = 49ac8fb4 which = Mon Mar 02 18:02:28 2009.  So it's fairly new and could have come in just around the time the BSODs started....  possibly .?
The Driver Verifier simply puts drivers through a stress test and monitors them.  Its not foolproof, but it is a good way to check the drivers out.  I don't include Microsoft drivers because I consider them to be the last to worry about.  3rd party 1st.
As far as learning BSOD crash dump analysis, it really is done so at your comfort level.  I learned this on my own and alone.  It was just something I picked up because BSOD threads in general would be answered with "check Device Manager, memtest, etc.." and the dumps were not being read.  So I changed that about 1 year ago and began answering BSOD threads.  Since then I have processed > 10,000 dump files easily. It is an ongoing learning process as the debugger has thousands of command combinations to it alone.  Also, as you probably know, this is not the literal definition of debugging as one must have source code in order to debug.  There is no source code.  So that leaves us with probable causes - which as told by the debugger are often wrong.  One place you can obtain insight into the disassemblement process is by looking at old posts of mine.  
I found a thread of mine with a 0xa bugcheck.  I ran ~30 dumps some which were driver verifier enabled and the cause of the BSODs .. . . .  an Intel wifi driver that needed an update because Windows Updates came through.
http://www.techsupportforum.com/microsoft-support/windows-vista-support/289245-solved-irql_not_less_or_equal.html#post1693096
That particular post shows the stack text and explains how the driver verifier helped.  I own no books on this subject, have never read any, looked at any,....  Mostly trial and error in the beginning and of course Google.  But I ask for much more usually than just the dump files - I request a ton of system info - about 25-50 MB of files to start with.  I ask BSOD OPs to run a batch script file that collects everything and runs ~ 20 apps/ utilities.  You can see it  HERE.
I'll be glad to answer any questions that you may have.  Also - it may be good to provide the dumps and I can show you step-by-step to some degree what I find and its relevance in my mind to the crashes.  If it is a hardware problem, the dumps won't be of any use other than to rule some things out.

Really interesting read... sorry I can only give you 500 points when this is resolved :)
I know that it is not an OEM driver or software as I know the lineup and this issue doesnt reproduce. I think it is a hardware problem but I need to zero into exactly what device is causing it so that I can alert the repair centre to replace the part.
I have contacted the customer and requested to follow the instructions you provided.

Hi,

please find attached as requested.

Justin

ARNING: Whitespace at end of path element
 
Loading Dump File [C:\Users\Justin\Desktop\Mini061509-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
 
WARNING: Whitespace at end of path element
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
 
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506
Machine Name:
Kernel base = 0x81e02000 PsLoadedModuleList = 0x81f19c70
Debug session time: Mon Jun 15 20:17:25.614 2009 (GMT+1)
System Uptime: 0 days 0:01:12.457
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
Loading unloaded module list
............
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck D1, {916da1b3, 2, 8, 916da1b3}
 
Unable to load image \SystemRoot\system32\DRIVERS\mozy.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mozy.sys
*** ERROR: Module load completed but symbols could not be loaded for mozy.sys
Probably caused by : mozy.sys ( mozy+c1b3 )
 
Followup: MachineOwner
---------
 
1: kd> !analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 916da1b3, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 916da1b3, address which referenced memory
 
Debugging Details:
------------------
 
 
READ_ADDRESS: GetPointerFromAddress: unable to read from 81f39868
Unable to read MiSystemVaType memory at 81f19420
 916da1b3 
 
CURRENT_IRQL:  2
 
FAULTING_IP: 
mozy+c1b3
916da1b3 ??              ???
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP
 
BUGCHECK_STR:  0xD1
 
PROCESS_NAME:  mozybackup.exe
 
TRAP_FRAME:  a58d6b94 -- (.trap 0xffffffffa58d6b94)
ErrCode = 00000010
eax=9370a000 ebx=9070f3e0 ecx=b3050002 edx=00000000 esi=916d8234 edi=aede0f68
eip=916da1b3 esp=a58d6c08 ebp=a58d6c10 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
mozy+0xc1b3:
916da1b3 ??              ???
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from 916da1b3 to 81e5cd24
 
FAILED_INSTRUCTION_ADDRESS: 
mozy+c1b3
916da1b3 ??              ???
 
STACK_TEXT:  
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
mozy+c1b3
916da1b3 ??              ???
 
SYMBOL_STACK_INDEX:  1
 
SYMBOL_NAME:  mozy+c1b3
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: mozy
 
IMAGE_NAME:  mozy.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  4a0daf55
 
FAILURE_BUCKET_ID:  0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
 
BUCKET_ID:  0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
 
Followup: MachineOwner
---------
 
1: kd> !analyze -v;r;kv;lmtn
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 916da1b3, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 916da1b3, address which referenced memory
 
Debugging Details:
------------------
 
 
READ_ADDRESS: GetPointerFromAddress: unable to read from 81f39868
Unable to read MiSystemVaType memory at 81f19420
 916da1b3 
 
CURRENT_IRQL:  2
 
FAULTING_IP: 
mozy+c1b3
916da1b3 ??              ???
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP
 
BUGCHECK_STR:  0xD1
 
PROCESS_NAME:  mozybackup.exe
 
TRAP_FRAME:  a58d6b94 -- (.trap 0xffffffffa58d6b94)
ErrCode = 00000010
eax=9370a000 ebx=9070f3e0 ecx=b3050002 edx=00000000 esi=916d8234 edi=aede0f68
eip=916da1b3 esp=a58d6c08 ebp=a58d6c10 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
mozy+0xc1b3:
916da1b3 ??              ???
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from 916da1b3 to 81e5cd24
 
FAILED_INSTRUCTION_ADDRESS: 
mozy+c1b3
916da1b3 ??              ???
 
STACK_TEXT:  
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
mozy+c1b3
916da1b3 ??              ???
 
SYMBOL_STACK_INDEX:  1
 
SYMBOL_NAME:  mozy+c1b3
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: mozy
 
IMAGE_NAME:  mozy.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  4a0daf55
 
FAILURE_BUCKET_ID:  0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
 
BUCKET_ID:  0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
 
Followup: MachineOwner
---------
 
eax=803d1120 ebx=00000002 ecx=81f021f8 edx=000000d5 esi=803d113c edi=a58d6808
eip=81e5cd24 esp=a58d6b7c ebp=a58d6b94 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!KiTrap0E+0x2ac:
81e5cd24 833d640cf38100  cmp     dword ptr [nt!KiFreezeFlag (81f30c64)],0 ds:0023:81f30c64=????????
ChildEBP RetAddr  Args to Child              
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac (FPO: [0,0] TrapFrame @ a58d6b94)
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ a58d6d64)
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
start    end        module name
80403000 8040b000   kdcom    kdcom.dll    Sat Jan 19 07:31:53 2008 (4791A769)
8040b000 8046b000   mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Sat Jan 19 07:29:43 2008 (4791A6E7)
8046b000 8047c000   PSHED    PSHED.dll    Sat Jan 19 07:31:21 2008 (4791A749)
8047c000 80484000   BOOTVID  BOOTVID.dll  Sat Jan 19 07:27:15 2008 (4791A653)
80484000 804c5000   CLFS     CLFS.SYS     Sat Jan 19 05:28:01 2008 (47918A61)
804c5000 805a5000   CI       CI.dll       Fri Feb 22 05:00:56 2008 (47BE5708)
80605000 80681000   Wdf01000 Wdf01000.sys Sat Jan 19 05:52:21 2008 (47919015)
80681000 8068e000   WDFLDR   WDFLDR.SYS   Sat Jan 19 05:52:19 2008 (47919013)
8068e000 806d4000   acpi     acpi.sys     Sat Jan 19 05:32:48 2008 (47918B80)
806d4000 806dd000   WMILIB   WMILIB.SYS   Sat Jan 19 05:53:08 2008 (47919044)
806dd000 806e5000   msisadrv msisadrv.sys Sat Jan 19 05:32:51 2008 (47918B83)
806e5000 8070c000   pci      pci.sys      Sat Jan 19 05:32:57 2008 (47918B89)
8070c000 8071b000   partmgr  partmgr.sys  Sat Jan 19 05:49:54 2008 (47918F82)
8071b000 8071d900   compbatt compbatt.sys Sat Jan 19 05:32:47 2008 (47918B7F)
8071e000 80728000   BATTC    BATTC.SYS    Sat Jan 19 05:32:45 2008 (47918B7D)
80728000 80737000   volmgr   volmgr.sys   Sat Jan 19 05:49:51 2008 (47918F7F)
80737000 80781000   volmgrx  volmgrx.sys  Sat Jan 19 05:50:00 2008 (47918F88)
80781000 80791000   mountmgr mountmgr.sys Sat Jan 19 05:49:13 2008 (47918F59)
80791000 807bb000   ks       ks.sys       Sat Jan 19 05:49:21 2008 (47918F61)
807bb000 807ef000   usbhub   usbhub.sys   Tue Feb 05 04:21:42 2008 (47A7E456)
807ef000 80800000   NDProxy  NDProxy.SYS  Sat Jan 19 05:56:28 2008 (4791910C)
81e02000 821bb000   nt       ntkrpamp.exe Tue Mar 03 02:02:28 2009 (49AC8FB4)
821bb000 821ee000   hal      halmacpi.dll Sat Jan 19 05:27:20 2008 (47918A38)
8420a000 842d8000   iaStor   iaStor.sys   Wed Apr 16 01:07:31 2008 (48054343)
842d8000 842e0000   atapi    atapi.sys    Sat Jan 19 05:49:40 2008 (47918F74)
842e0000 842fe000   ataport  ataport.SYS  Sat Jan 19 05:49:40 2008 (47918F74)
842fe000 84330000   fltmgr   fltmgr.sys   Sat Jan 19 05:28:10 2008 (47918A6A)
84330000 84340000   fileinfo fileinfo.sys Sat Jan 19 05:34:27 2008 (47918BE3)
84340000 84349200   PxHelp20 PxHelp20.sys Thu Mar 13 01:57:44 2008 (47D88A18)
8434a000 843bb000   ksecdd   ksecdd.sys   Sat Jan 19 05:41:20 2008 (47918D80)
843bb000 843cf000   raspptp  raspptp.sys  Sat Jan 19 05:56:34 2008 (47919112)
843cf000 843e4000   rassstp  rassstp.sys  Sat Jan 19 05:56:43 2008 (4791911B)
843e4000 843f4000   termdd   termdd.sys   Sat Jan 19 06:01:06 2008 (47919222)
84405000 84510000   ndis     ndis.sys     Sat Jan 19 05:55:51 2008 (479190E7)
84510000 8453b000   msrpc    msrpc.sys    Sat Jan 19 05:48:15 2008 (47918F1F)
8453b000 84575000   NETIO    NETIO.SYS    Sat Jan 19 05:56:19 2008 (47919103)
84575000 845a3000   msiscsi  msiscsi.sys  Sat Jan 19 05:50:44 2008 (47918FB4)
845a3000 845e4000   storport storport.sys Sat Jan 19 05:49:49 2008 (47918F7D)
845e4000 845f3000   raspppoe raspppoe.sys Sat Jan 19 05:56:33 2008 (47919111)
845f3000 84600000   umbus    umbus.sys    Sat Jan 19 05:53:40 2008 (47919064)
8460a000 84719000   Ntfs     Ntfs.sys     Sat Jan 19 05:28:54 2008 (47918A96)
84719000 84752000   volsnap  volsnap.sys  Sat Jan 19 05:50:10 2008 (47918F92)

Select allOpen in new window

I think a bit was left out so the correct output of the minidump is as follows;

ARNING: Whitespace at end of path element
 
Loading Dump File [C:\Users\Justin\Desktop\Mini061509-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
 
WARNING: Whitespace at end of path element
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
 
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506
Machine Name:
Kernel base = 0x81e02000 PsLoadedModuleList = 0x81f19c70
Debug session time: Mon Jun 15 20:17:25.614 2009 (GMT+1)
System Uptime: 0 days 0:01:12.457
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
Loading unloaded module list
............
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck D1, {916da1b3, 2, 8, 916da1b3}
 
Unable to load image \SystemRoot\system32\DRIVERS\mozy.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mozy.sys
*** ERROR: Module load completed but symbols could not be loaded for mozy.sys
Probably caused by : mozy.sys ( mozy+c1b3 )
 
Followup: MachineOwner
---------
 
1: kd> !analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 916da1b3, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 916da1b3, address which referenced memory
 
Debugging Details:
------------------
 
 
READ_ADDRESS: GetPointerFromAddress: unable to read from 81f39868
Unable to read MiSystemVaType memory at 81f19420
 916da1b3 
 
CURRENT_IRQL:  2
 
FAULTING_IP: 
mozy+c1b3
916da1b3 ??              ???
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP
 
BUGCHECK_STR:  0xD1
 
PROCESS_NAME:  mozybackup.exe
 
TRAP_FRAME:  a58d6b94 -- (.trap 0xffffffffa58d6b94)
ErrCode = 00000010
eax=9370a000 ebx=9070f3e0 ecx=b3050002 edx=00000000 esi=916d8234 edi=aede0f68
eip=916da1b3 esp=a58d6c08 ebp=a58d6c10 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
mozy+0xc1b3:
916da1b3 ??              ???
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from 916da1b3 to 81e5cd24
 
FAILED_INSTRUCTION_ADDRESS: 
mozy+c1b3
916da1b3 ??              ???
 
STACK_TEXT:  
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
mozy+c1b3
916da1b3 ??              ???
 
SYMBOL_STACK_INDEX:  1
 
SYMBOL_NAME:  mozy+c1b3
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: mozy
 
IMAGE_NAME:  mozy.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  4a0daf55
 
FAILURE_BUCKET_ID:  0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
 
BUCKET_ID:  0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
 
Followup: MachineOwner
---------
 
1: kd> !analyze -v;r;kv;lmtn
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 916da1b3, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 916da1b3, address which referenced memory
 
Debugging Details:
------------------
 
 
READ_ADDRESS: GetPointerFromAddress: unable to read from 81f39868
Unable to read MiSystemVaType memory at 81f19420
 916da1b3 
 
CURRENT_IRQL:  2
 
FAULTING_IP: 
mozy+c1b3
916da1b3 ??              ???
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP
 
BUGCHECK_STR:  0xD1
 
PROCESS_NAME:  mozybackup.exe
 
TRAP_FRAME:  a58d6b94 -- (.trap 0xffffffffa58d6b94)
ErrCode = 00000010
eax=9370a000 ebx=9070f3e0 ecx=b3050002 edx=00000000 esi=916d8234 edi=aede0f68
eip=916da1b3 esp=a58d6c08 ebp=a58d6c10 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
mozy+0xc1b3:
916da1b3 ??              ???
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from 916da1b3 to 81e5cd24
 
FAILED_INSTRUCTION_ADDRESS: 
mozy+c1b3
916da1b3 ??              ???
 
STACK_TEXT:  
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
mozy+c1b3
916da1b3 ??              ???
 
SYMBOL_STACK_INDEX:  1
 
SYMBOL_NAME:  mozy+c1b3
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: mozy
 
IMAGE_NAME:  mozy.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  4a0daf55
 
FAILURE_BUCKET_ID:  0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
 
BUCKET_ID:  0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
 
Followup: MachineOwner
---------
 
eax=803d1120 ebx=00000002 ecx=81f021f8 edx=000000d5 esi=803d113c edi=a58d6808
eip=81e5cd24 esp=a58d6b7c ebp=a58d6b94 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!KiTrap0E+0x2ac:
81e5cd24 833d640cf38100  cmp     dword ptr [nt!KiFreezeFlag (81f30c64)],0 ds:0023:81f30c64=????????
ChildEBP RetAddr  Args to Child              
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac (FPO: [0,0] TrapFrame @ a58d6b94)
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ a58d6d64)
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
start    end        module name
80403000 8040b000   kdcom    kdcom.dll    Sat Jan 19 07:31:53 2008 (4791A769)
8040b000 8046b000   mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Sat Jan 19 07:29:43 2008 (4791A6E7)
8046b000 8047c000   PSHED    PSHED.dll    Sat Jan 19 07:31:21 2008 (4791A749)
8047c000 80484000   BOOTVID  BOOTVID.dll  Sat Jan 19 07:27:15 2008 (4791A653)
80484000 804c5000   CLFS     CLFS.SYS     Sat Jan 19 05:28:01 2008 (47918A61)
804c5000 805a5000   CI       CI.dll       Fri Feb 22 05:00:56 2008 (47BE5708)
80605000 80681000   Wdf01000 Wdf01000.sys Sat Jan 19 05:52:21 2008 (47919015)
80681000 8068e000   WDFLDR   WDFLDR.SYS   Sat Jan 19 05:52:19 2008 (47919013)
8068e000 806d4000   acpi     acpi.sys     Sat Jan 19 05:32:48 2008 (47918B80)
806d4000 806dd000   WMILIB   WMILIB.SYS   Sat Jan 19 05:53:08 2008 (47919044)
806dd000 806e5000   msisadrv msisadrv.sys Sat Jan 19 05:32:51 2008 (47918B83)
806e5000 8070c000   pci      pci.sys      Sat Jan 19 05:32:57 2008 (47918B89)
8070c000 8071b000   partmgr  partmgr.sys  Sat Jan 19 05:49:54 2008 (47918F82)
8071b000 8071d900   compbatt compbatt.sys Sat Jan 19 05:32:47 2008 (47918B7F)
8071e000 80728000   BATTC    BATTC.SYS    Sat Jan 19 05:32:45 2008 (47918B7D)
80728000 80737000   volmgr   volmgr.sys   Sat Jan 19 05:49:51 2008 (47918F7F)
80737000 80781000   volmgrx  volmgrx.sys  Sat Jan 19 05:50:00 2008 (47918F88)
80781000 80791000   mountmgr mountmgr.sys Sat Jan 19 05:49:13 2008 (47918F59)
80791000 807bb000   ks       ks.sys       Sat Jan 19 05:49:21 2008 (47918F61)
807bb000 807ef000   usbhub   usbhub.sys   Tue Feb 05 04:21:42 2008 (47A7E456)
807ef000 80800000   NDProxy  NDProxy.SYS  Sat Jan 19 05:56:28 2008 (4791910C)
81e02000 821bb000   nt       ntkrpamp.exe Tue Mar 03 02:02:28 2009 (49AC8FB4)
821bb000 821ee000   hal      halmacpi.dll Sat Jan 19 05:27:20 2008 (47918A38)
8420a000 842d8000   iaStor   iaStor.sys   Wed Apr 16 01:07:31 2008 (48054343)
842d8000 842e0000   atapi    atapi.sys    Sat Jan 19 05:49:40 2008 (47918F74)
842e0000 842fe000   ataport  ataport.SYS  Sat Jan 19 05:49:40 2008 (47918F74)
842fe000 84330000   fltmgr   fltmgr.sys   Sat Jan 19 05:28:10 2008 (47918A6A)
84330000 84340000   fileinfo fileinfo.sys Sat Jan 19 05:34:27 2008 (47918BE3)
84340000 84349200   PxHelp20 PxHelp20.sys Thu Mar 13 01:57:44 2008 (47D88A18)
8434a000 843bb000   ksecdd   ksecdd.sys   Sat Jan 19 05:41:20 2008 (47918D80)
843bb000 843cf000   raspptp  raspptp.sys  Sat Jan 19 05:56:34 2008 (47919112)
843cf000 843e4000   rassstp  rassstp.sys  Sat Jan 19 05:56:43 2008 (4791911B)
843e4000 843f4000   termdd   termdd.sys   Sat Jan 19 06:01:06 2008 (47919222)
84405000 84510000   ndis     ndis.sys     Sat Jan 19 05:55:51 2008 (479190E7)
84510000 8453b000   msrpc    msrpc.sys    Sat Jan 19 05:48:15 2008 (47918F1F)
8453b000 84575000   NETIO    NETIO.SYS    Sat Jan 19 05:56:19 2008 (47919103)
84575000 845a3000   msiscsi  msiscsi.sys  Sat Jan 19 05:50:44 2008 (47918FB4)
845a3000 845e4000   storport storport.sys Sat Jan 19 05:49:49 2008 (47918F7D)
845e4000 845f3000   raspppoe raspppoe.sys Sat Jan 19 05:56:33 2008 (47919111)
845f3000 84600000   umbus    umbus.sys    Sat Jan 19 05:53:40 2008 (47919064)
8460a000 84719000   Ntfs     Ntfs.sys     Sat Jan 19 05:28:54 2008 (47918A96)
84719000 84752000   volsnap  volsnap.sys  Sat Jan 19 05:50:10 2008 (47918F92)

Select allOpen in new window

Hi -
Thank you for running the additional commands and for the VERIFIER_ENABLED_VISTA_MINIDUMP !
I see a Vista SP1 system that crashed after being up only 1 min 12 secs.  
The Bugcheck = 0xd1 (0x916da1b3, 0x2, 0x8, 0x916da1b3)
0xd1 = driver tried to access paged memory when it should not have.
The Driver Verifier flagged mozy.sys timestamp = 4a0daf55 = Fri May 15 11:07:17 2009
The process running at the time of the crash = mozybackup.exe.
The stack text clearly shows mozy at fault  - 2nd line down
00000 00000000 nt!KiTrap0E+0x2ac (FPO: [0,0] Tra
d6c34 820e46be mozy+0xc1b3
e0f68 aede0f78 0x817c4b98
dcb50 9070f3e0 nt!IovCallDriver+0x23f
00000 967dcb38 nt!IofCallDriver+0x1b
c2110 967dcb38 nt!IopDeleteFile+0x178
00000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
7d030 00000458 nt!ObfDereferenceObject+0xa1

The driver verifier flagged the Mozy driver and I have no doubt that Mozy would have caused problems for you in the near future.  I know it is some type of backup app, but I would un-install it.
I noticed in the dump that a Nero driver is present - PxHelp20.sys - I don't see any other Nero drivers offhand.
Bugcheck 0xa and 0xd1 are nearly identical -
0xa  = IRQL_NOT_LESS_OR_EQUAL
0xd1 = DRIVER_IRQL_NOT_LESS_OR_EQUAL
The difference is the word "driver".  0xa includes Microsoft drivers; 0xd1 does not.  The 1st posted BSOD dbg log showed a 0xa  bugcheck and named the NT Kernel as the probable cause.  The Driver Verifier went to work and now the bugcheck changed to the 0xa-sister bugcheck 0xd1 and now flags mozy.sys as the definite cause.
This is the stack text from the 1st BSOD - you can see !nt (NT) is named - because it is the only one that could be identified at the time.
TACK_TEXT:  
00000 00000f43 nt!KiTrap0E+0x2ac
00000 85c26568 nt!PpmCallIdleHandler+0x2c
0000e 00000000 nt!PoIdle+0x2d1
00000 00000000 nt!KiIdleLoop+0xd
This crash is obviously driver related.  The memory addresses are completely different than those in the 1st crash which I would expect knowing that this was a verifier enabled crash dump.  I could stretch things a little and say that the 1st BSOD was caused by mozy as well because NT would have been involved in the calling of Mozi and when called, it caused the 1st crash.  But I do not have definitive proof of that at this time, just suspicion.
I would suggest that you un-install Mozy and see if the BSODs return.
Regards. . .
jcgriff2
.
 

Yes I was thought that as well but this is a red herring.
The customer installed Mozy in order to upload the first kernal dump as well so that I could access it.
I have asked him to uninstall Mozy and wait for another mini dump
And will update it as soon as I get it.
Thanks for the update on this file

Wow!  Now I don't even have suspicion!
That of course is just fine - as the real cause needs to be found.
You may want to ask the user to go through the Reliability Monitor and look at the day of the 1st crash - May 27 - and see if anything installed on that day -
START | perfmon /rel
Also, could you please rerun the 1st dump through the dbugger with the commands
!analyze -v;r;kv;lmtn;.bugcheck
and post the output  Thank you.
Is the verifier still running?
 

I will get him to send in the perfmon as a html... it has that option.
I still have the kernal dump and ran it through the debugger with that command as requested.
The output is in the codebox
the verifier is still running on the customer's computer

Loading Dump File [C:\Users\Justin\Desktop\work\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
 
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506
Machine Name:
Kernel base = 0x81e42000 PsLoadedModuleList = 0x81f59c70
Debug session time: Wed May 27 12:30:54.771 2009 (GMT+1)
System Uptime: 0 days 23:29:16.564
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols
 
Loading unloaded module list
..
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck A, {48f9f9cf, ff, 0, 81efdde2}
 
Probably caused by : ntkrpamp.exe ( nt!PpmCallIdleHandler+2c )
 
Followup: MachineOwner
---------
 
1: kd> !analyze -v;r;kv;lmtn;.bugcheck
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 48f9f9cf, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000000, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81efdde2, address which referenced memory
 
Debugging Details:
------------------
 
 
READ_ADDRESS:  48f9f9cf 
 
CURRENT_IRQL:  2
 
FAULTING_IP: 
nt!PpmCallIdleHandler+2c
81efdde2 ff17            call    dword ptr [edi]
 
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
 
BUGCHECK_STR:  0xA
 
PROCESS_NAME:  System
 
TRAP_FRAME:  803ecc7c -- (.trap 0xffffffff803ecc7c)
ErrCode = 00000000
eax=869c9b70 ebx=0003709c ecx=869c9d00 edx=00000000 esi=869c9ac0 edi=869c9bcc
eip=81efdde2 esp=803eccf0 ebp=803eccf8 iopl=0         nv up di ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010093
nt!PpmCallIdleHandler+0x2c:
81efdde2 ff17            call    dword ptr [edi]      ds:0023:869c9bcc={intelppm!MWaitIdle (8d6e74c0)}
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from 81efdde2 to 81e9cd24
 
STACK_TEXT:  
803ecc7c 81efdde2 badb0d00 00000000 00000f43 nt!KiTrap0E+0x2ac
803eccf8 81efdd32 869c9ac0 00000000 85c26568 nt!PpmCallIdleHandler+0x2c
803ecd50 81ef6ea1 00000000 0000000e 00000000 nt!PoIdle+0x2d1
803ecd54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xd
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
nt!PpmCallIdleHandler+2c
81efdde2 ff17            call    dword ptr [edi]
 
SYMBOL_STACK_INDEX:  1
 
SYMBOL_NAME:  nt!PpmCallIdleHandler+2c
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: nt
 
IMAGE_NAME:  ntkrpamp.exe
 
DEBUG_FLR_IMAGE_TIMESTAMP:  49ac8fb4
 
FAILURE_BUCKET_ID:  0xA_nt!PpmCallIdleHandler+2c
 
BUCKET_ID:  0xA_nt!PpmCallIdleHandler+2c
 
Followup: MachineOwner
---------
 
eax=803d1120 ebx=000000ff ecx=81f421f8 edx=000000f3 esi=803d113c edi=803ec8f0
eip=81e9cd24 esp=803ecc64 ebp=803ecc7c iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!KiTrap0E+0x2ac:
81e9cd24 833d640cf78100  cmp     dword ptr [nt!KiFreezeFlag (81f70c64)],0 ds:0023:81f70c64=00000000
ChildEBP RetAddr  Args to Child              
803ecc7c 81efdde2 badb0d00 00000000 00000f43 nt!KiTrap0E+0x2ac (FPO: [0,0] TrapFrame @ 803ecc7c)
803eccf8 81efdd32 869c9ac0 00000000 85c26568 nt!PpmCallIdleHandler+0x2c
803ecd50 81ef6ea1 00000000 0000000e 00000000 nt!PoIdle+0x2d1
803ecd54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xd (FPO: [0,0,0])
start    end        module name
8040d000 80415000   kdcom    kdcom.dll    Sat Jan 19 07:31:53 2008 (4791A769)
80415000 80475000   mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Sat Jan 19 07:29:43 2008 (4791A6E7)
80475000 80486000   PSHED    PSHED.dll    Sat Jan 19 07:31:21 2008 (4791A749)
80486000 8048e000   BOOTVID  BOOTVID.dll  Sat Jan 19 07:27:15 2008 (4791A653)
8048e000 804cf000   CLFS     CLFS.SYS     Sat Jan 19 05:28:01 2008 (47918A61)
804cf000 805af000   CI       CI.dll       Fri Feb 22 05:00:56 2008 (47BE5708)
80601000 8067d000   Wdf01000 Wdf01000.sys Sat Jan 19 05:52:21 2008 (47919015)
8067d000 8068a000   WDFLDR   WDFLDR.SYS   Sat Jan 19 05:52:19 2008 (47919013)
8068a000 806d0000   acpi     acpi.sys     Sat Jan 19 05:32:48 2008 (47918B80)
806d0000 806d9000   WMILIB   WMILIB.SYS   Sat Jan 19 05:53:08 2008 (47919044)
806d9000 806e1000   msisadrv msisadrv.sys Sat Jan 19 05:32:51 2008 (47918B83)
806e1000 80708000   pci      pci.sys      Sat Jan 19 05:32:57 2008 (47918B89)
80708000 80717000   partmgr  partmgr.sys  Sat Jan 19 05:49:54 2008 (47918F82)
80717000 80719900   compbatt compbatt.sys Sat Jan 19 05:32:47 2008 (47918B7F)
8071a000 80724000   BATTC    BATTC.SYS    Sat Jan 19 05:32:45 2008 (47918B7D)
80724000 80733000   volmgr   volmgr.sys   Sat Jan 19 05:49:51 2008 (47918F7F)
80733000 8077d000   volmgrx  volmgrx.sys  Sat Jan 19 05:50:00 2008 (47918F88)
8077d000 8078d000   mountmgr mountmgr.sys Sat Jan 19 05:49:13 2008 (47918F59)
8078d000 807b7000   ks       ks.sys       Sat Jan 19 05:49:21 2008 (47918F61)
807b7000 807eb000   usbhub   usbhub.sys   Tue Feb 05 04:21:42 2008 (47A7E456)
81e0f000 81e42000   hal      halmacpi.dll Sat Jan 19 05:27:20 2008 (47918A38)
81e42000 821fb000   nt       ntkrpamp.exe Tue Mar 03 02:02:28 2009 (49AC8FB4)
89c01000 89ccf000   iaStor   iaStor.sys   Wed Apr 16 01:07:31 2008 (48054343)
89ccf000 89cd7000   atapi    atapi.sys    Sat Jan 19 05:49:40 2008 (47918F74)
89cd7000 89cf5000   ataport  ataport.SYS  Sat Jan 19 05:49:40 2008 (47918F74)
89cf5000 89d27000   fltmgr   fltmgr.sys   Sat Jan 19 05:28:10 2008 (47918A6A)
89d27000 89d37000   fileinfo fileinfo.sys Sat Jan 19 05:34:27 2008 (47918BE3)
89d37000 89d40200   PxHelp20 PxHelp20.sys Thu Mar 13 01:57:44 2008 (47D88A18)
89d41000 89db2000   ksecdd   ksecdd.sys   Sat Jan 19 05:41:20 2008 (47918D80)
89db2000 89dc6000   raspptp  raspptp.sys  Sat Jan 19 05:56:34 2008 (47919112)
89dc6000 89ddb000   rassstp  rassstp.sys  Sat Jan 19 05:56:43 2008 (4791911B)
89ddb000 89de8000   umbus    umbus.sys    Sat Jan 19 05:53:40 2008 (47919064)
89de8000 89df9000   NDProxy  NDProxy.SYS  Sat Jan 19 05:56:28 2008 (4791910C)
89e01000 89f0c000   ndis     ndis.sys     Sat Jan 19 05:55:51 2008 (479190E7)
89f0c000 89f37000   msrpc    msrpc.sys    Sat Jan 19 05:48:15 2008 (47918F1F)
89f37000 89f71000   NETIO    NETIO.SYS    Sat Jan 19 05:56:19 2008 (47919103)
89f71000 89f9f000   msiscsi  msiscsi.sys  Sat Jan 19 05:50:44 2008 (47918FB4)
89f9f000 89fe0000   storport storport.sys Sat Jan 19 05:49:49 2008 (47918F7D)
89fe0000 89fef000   raspppoe raspppoe.sys Sat Jan 19 05:56:33 2008 (47919111)
89fef000 89fff000   termdd   termdd.sys   Sat Jan 19 06:01:06 2008 (47919222)
8a006000 8a115000   Ntfs     Ntfs.sys     Sat Jan 19 05:28:54 2008 (47918A96)
8a115000 8a14e000   volsnap  volsnap.sys  Sat Jan 19 05:50:10 2008 (47918F92)
8a14e000 8a156000   spldr    spldr.sys    Fri Jun 22 01:29:17 2007 (467B17DD)
8a156000 8a165000   mup      mup.sys      Sat Jan 19 05:28:20 2008 (47918A74)
8a165000 8a18c000   ecache   ecache.sys   Sat Jan 19 05:50:47 2008 (47918FB7)
8a18c000 8a19d000   disk     disk.sys     Sat Jan 19 05:49:47 2008 (47918F7B)
8a19d000 8a1be000   CLASSPNP CLASSPNP.SYS Sat Jan 19 05:49:36 2008 (47918F70)
8a1be000 8a1c7000   crcdisk  crcdisk.sys  Sat Jan 19 05:50:29 2008 (47918FA5)
8a1d4000 8a1f7000   ndiswan  ndiswan.sys  Sat Jan 19 05:56:32 2008 (47919110)
8d600000 8d60a000   mssmbios mssmbios.sys Sat Jan 19 05:32:55 2008 (47918B87)
8d60a000 8d67d000   btwavdt  btwavdt.sys  Fri Jun 27 19:22:31 2008 (48652FE7)
8d6da000 8d6e5000   tunnel   tunnel.sys   Sat Jan 19 05:55:50 2008 (479190E6)
8d6e5000 8d6f4000   intelppm intelppm.sys Sat Jan 19 05:27:20 2008 (47918A38)
8d6f4000 8d6f7780   CmBatt   CmBatt.sys   Sat Jan 19 05:32:47 2008 (47918B7F)
8d6f8000 8d736000   USBPORT  USBPORT.SYS  Tue Feb 05 04:21:30 2008 (47A7E44A)
8d736000 8d748000   HDAudBus HDAudBus.sys Tue Nov 27 23:18:41 2007 (474CA5D1)
8d748000 8d794000   yk60x86  yk60x86.sys  Thu Feb 21 16:35:35 2008 (47BDA857)
8d794000 8d7c3200   SynTP    SynTP.sys    Tue Jun 17 19:37:15 2008 (4858045B)
8d7c4000 8d7dc000   cdrom    cdrom.sys    Sat Jan 19 05:49:50 2008 (47918F7E)
8d7dc000 8d7f3000   rasl2tp  rasl2tp.sys  Sat Jan 19 05:56:33 2008 (47919111)
8d7f3000 8d7fe000   ndistapi ndistapi.sys Sat Jan 19 05:56:24 2008 (47919108)
8dc00000 8dc0b000   TDI      TDI.SYS      Sat Jan 19 05:57:10 2008 (47919136)
8dc0b000 8e32cec0   nvlddmkm nvlddmkm.sys Wed May 14 18:36:48 2008 (482B2330)
8e32d000 8e3cc000   dxgkrnl  dxgkrnl.sys  Sat Aug 02 02:01:19 2008 (4893B1DF)
8e3cc000 8e3d9000   watchdog watchdog.sys Sat Jan 19 05:35:29 2008 (47918C21)
8e3d9000 8e3e4000   usbuhci  usbuhci.sys  Tue Feb 05 04:21:25 2008 (47A7E445)
8e3e4000 8e3f3000   usbehci  usbehci.sys  Tue Feb 05 04:21:26 2008 (47A7E446)
8e3f3000 8e3fd000   GEARAspiWDM GEARAspiWDM.sys Thu Mar 19 15:32:37 2009 (49C26595)
8e400000 8e401380   swenum   swenum.sys   Sat Jan 19 05:49:20 2008 (47918F60)
8e402000 8e789000   NETw5v32 NETw5v32.sys Mon Apr 28 14:29:22 2008 (4815D132)
8e789000 8e798200   ohci1394 ohci1394.sys Sat Jan 19 05:53:33 2008 (4791905D)
8e799000 8e7a6080   1394BUS  1394BUS.SYS  Sat Jan 19 05:53:27 2008 (47919057)
8e7a7000 8e7b8000   risdptsk risdptsk.sys Thu May 01 12:04:08 2008 (4819A3A8)
8e7b8000 8e7d2000   rimsptsk rimsptsk.sys Sat May 24 14:35:01 2008 (48381985)
8e7d2000 8e7e5000   i8042prt i8042prt.sys Sat Jan 19 05:49:17 2008 (47918F5D)
8e7e5000 8e7f0000   kbdclass kbdclass.sys Sat Jan 19 05:49:14 2008 (47918F5A)
8e7f0000 8e7f1700   USBD     USBD.SYS     Tue Feb 05 04:21:23 2008 (47A7E443)
8e7f2000 8e7fd000   mouclass mouclass.sys Sat Jan 19 05:49:14 2008 (47918F5A)
8e7fd000 8e7ff480   SFEP     SFEP.sys     Fri Aug 03 06:36:08 2007 (46B2BEC8)
8ec0f000 8ee14940   RTKVHDA  RTKVHDA.sys  Thu Apr 24 11:17:34 2008 (48105E3E)
8ee15000 8ee42000   portcls  portcls.sys  Sat Jan 19 05:53:17 2008 (4791904D)
8ee42000 8ee67000   drmk     drmk.sys     Sat Jan 19 06:53:02 2008 (47919E4E)
8ee67000 8eea5000   HSXHWAZL HSXHWAZL.sys Tue Feb 12 22:27:07 2008 (47B21D3B)
8eea5000 8efa8000   HSX_DPV  HSX_DPV.sys  Tue Feb 12 22:29:13 2008 (47B21DB9)
8efa8000 8efd7800   mfehidk  mfehidk.sys  Mon Jul 16 18:43:16 2007 (469BAE34)
8f004000 8f0b9000   HSX_CNXT HSX_CNXT.sys Tue Feb 12 22:26:16 2008 (47B21D08)
8f0b9000 8f0c6000   modem    modem.sys    Sat Jan 19 05:57:16 2008 (4791913C)
8f0c6000 8f0cf000   Fs_Rec   Fs_Rec.SYS   Sat Jan 19 05:27:57 2008 (47918A5D)
8f0cf000 8f0d6000   Null     Null.SYS     Sat Jan 19 05:49:12 2008 (47918F58)
8f0d6000 8f0dd000   Beep     Beep.SYS     Sat Jan 19 05:49:10 2008 (47918F56)
8f0dd000 8f0e9000   vga      vga.sys      Sat Jan 19 05:52:06 2008 (47919006)
8f0e9000 8f10a000   VIDEOPRT VIDEOPRT.SYS Sat Jan 19 05:52:10 2008 (4791900A)
8f10a000 8f121000   usbccgp  usbccgp.sys  Tue Feb 05 04:21:34 2008 (47A7E44E)
8f121000 8f129000   RDPCDD   RDPCDD.sys   Sat Jan 19 06:01:08 2008 (47919224)
8f129000 8f149b80   usbvideo usbvideo.sys Sat Jan 19 05:53:38 2008 (47919062)
8f14a000 8f152000   rdpencdd rdpencdd.sys Sat Jan 19 06:01:09 2008 (47919225)
8f152000 8f15d000   Msfs     Msfs.SYS     Sat Jan 19 05:28:08 2008 (47918A68)
8f15d000 8f16b000   Npfs     Npfs.SYS     Sat Jan 19 05:28:09 2008 (47918A69)
8f16b000 8f174000   rasacd   rasacd.sys   Sat Jan 19 05:56:31 2008 (4791910F)
8f174000 8f182000   netbios  netbios.sys  Sat Jan 19 05:55:45 2008 (479190E1)
8f182000 8f195000   wanarp   wanarp.sys   Sat Jan 19 05:56:31 2008 (4791910F)
8f195000 8f1d1000   rdbss    rdbss.sys    Sat Jan 19 05:28:34 2008 (47918A82)
8f1d1000 8f1db000   nsiproxy nsiproxy.sys Sat Jan 19 05:55:50 2008 (479190E6)
8f1db000 8f1f2000   dfsc     dfsc.sys     Sat Jan 19 05:28:20 2008 (47918A74)
8f1f2000 8f1ff000   BTHUSB   BTHUSB.sys   Thu Apr 17 03:33:25 2008 (4806B6F5)
8f407000 8f4ee000   tcpip    tcpip.sys    Sat Apr 26 07:00:17 2008 (4812C4F1)
8f4ee000 8f509000   fwpkclnt fwpkclnt.sys Sat Jan 19 05:55:44 2008 (479190E0)
8f509000 8f530000   Mpfp     Mpfp.sys     Fri Jul 13 15:21:09 2007 (46978A55)
8f530000 8f546000   tdx      tdx.sys      Sat Jan 19 05:55:58 2008 (479190EE)
8f546000 8f558000   ipfltdrv ipfltdrv.sys Sat Jan 19 05:56:23 2008 (47919107)
8f558000 8f56c000   smb      smb.sys      Sat Jan 19 05:55:27 2008 (479190CF)
8f56c000 8f5b4000   afd      afd.sys      Sat Jan 19 05:57:00 2008 (4791912C)
8f5b4000 8f5e6000   netbt    netbt.sys    Sat Jan 19 05:55:33 2008 (479190D5)
8f5e6000 8f5fc000   pacer    pacer.sys    Sat Apr 05 02:21:42 2008 (47F6D426)
8f5fc000 8f5fcde0   DMICall  DMICall.sys  Tue Dec 05 07:14:23 2000 (3A2C95CF)
8fc02000 8fc82000   bthport  bthport.sys  Thu Apr 17 03:33:24 2008 (4806B6F4)
8fc82000 8fc8f000   crashdmp crashdmp.sys Sat Jan 19 05:49:43 2008 (47918F77)
8fc8f000 8fd5d000   dump_iaStor dump_iaStor.sys Wed Apr 16 01:07:31 2008 (48054343)
8fd5d000 8fd86000   rfcomm   rfcomm.sys   Thu Apr 17 03:33:30 2008 (4806B6FA)
8fd86000 8fd90000   BthEnum  BthEnum.sys  Thu Apr 17 03:33:26 2008 (4806B6F6)
8fd90000 8fdaa000   bthpan   bthpan.sys   Sat Jan 19 05:53:44 2008 (47919068)
95860000 95a62000   win32k   win32k.sys   Mon Feb 09 03:10:21 2009 (498F9E9D)
95a80000 95a89000   TSDDD    TSDDD.dll    Sat Jan 19 06:01:09 2008 (47919225)
95aa0000 95aae000   cdd      cdd.dll      Sat Aug 02 04:26:17 2008 (4893D3D9)
95c00000 95c81000   btwaudio btwaudio.sys Fri Jun 27 19:23:46 2008 (48653032)
95c81000 95c8b000   Dxapi    Dxapi.sys    Sat Jan 19 05:36:12 2008 (47918C4C)
95c8b000 95c95000   btwl2cap btwl2cap.sys Fri Feb 29 16:54:21 2008 (47C838BD)
95c95000 95c97c80   btwrchid btwrchid.sys Fri Jun 27 19:24:21 2008 (48653055)
95c98000 95ca8000   HIDCLASS HIDCLASS.SYS Thu Nov 02 08:55:00 2006 (4549B264)
95ca8000 95cae380   HIDPARSE HIDPARSE.SYS Thu Nov 02 08:55:00 2006 (4549B264)
95caf000 95cbe000   monitor  monitor.sys  Sat Jan 19 05:52:19 2008 (47919013)
95cbe000 95cd9000   luafv    luafv.sys    Sat Jan 19 05:30:35 2008 (47918AFB)
95cd9000 95d88000   spsys    spsys.sys    Fri Jun 22 01:33:02 2007 (467B18BE)
95d88000 95d98000   lltdio   lltdio.sys   Sat Jan 19 05:55:03 2008 (479190B7)
95d98000 95dc2000   nwifi    nwifi.sys    Tue May 20 03:07:27 2008 (4832325F)
95dc2000 95dcc000   ndisuio  ndisuio.sys  Sat Jan 19 05:55:40 2008 (479190DC)
95dcc000 95ddf000   rspndr   rspndr.sys   Sat Jan 19 05:55:03 2008 (479190B7)
9c200000 9c26b000   HTTP     HTTP.sys     Sat Jan 19 05:55:21 2008 (479190C9)
9c26b000 9c288000   srvnet   srvnet.sys   Sat Jan 19 05:29:11 2008 (47918AA7)
9c288000 9c2a1000   bowser   bowser.sys   Sat Jan 19 05:28:26 2008 (47918A7A)
9c2a1000 9c2b6000   mpsdrv   mpsdrv.sys   Sat Jan 19 05:54:45 2008 (479190A5)
9c2b6000 9c2d6000   mrxdav   mrxdav.sys   Sat Jan 19 05:28:44 2008 (47918A8C)
9c2d6000 9c2f5000   mrxsmb   mrxsmb.sys   Sat Jan 19 05:28:33 2008 (47918A81)
9c2f5000 9c32e000   mrxsmb10 mrxsmb10.sys Wed Aug 27 02:05:40 2008 (48B4A864)
9c32e000 9c346000   mrxsmb20 mrxsmb20.sys Sat Jan 19 05:28:35 2008 (47918A83)
9c346000 9c36d000   srv2     srv2.sys     Sat Jan 19 05:29:14 2008 (47918AAA)
9c36d000 9c3b9000   srv      srv.sys      Tue Dec 16 02:42:35 2008 (4947159B)
9c3b9000 9c3bc180   mdmxsdk  mdmxsdk.sys  Mon Jun 19 22:26:59 2006 (449716A3)
9ea03000 9eae1000   peauth   peauth.sys   Mon Oct 23 09:55:32 2006 (453C8384)
9eae1000 9eae2500   regi     regi.sys     Mon Apr 16 16:19:05 2007 (462393E9)
9eae3000 9eaed000   secdrv   secdrv.SYS   Wed Sep 13 14:18:32 2006 (45080528)
9eaed000 9eaf9000   tcpipreg tcpipreg.sys Sat Jan 19 05:56:07 2008 (479190F7)
9eaf9000 9eb0d580   WUDFRd   WUDFRd.sys   Sat Jan 19 05:53:04 2008 (47919040)
9eb0e000 9eb20000   WUDFPf   WUDFPf.sys   Sat Jan 19 05:52:49 2008 (47919031)
9eb20000 9eb28000   xaudio   xaudio.sys   Thu Oct 18 23:36:53 2007 (4717E005)
9eb28000 9eb2ef60   mfebopk  mfebopk.sys  Mon Jul 16 18:46:30 2007 (469BAEF6)
9eb2f000 9eb40b80   mfeavfk  mfeavfk.sys  Mon Jul 16 18:45:58 2007 (469BAED6)
9eb41000 9eb493e0   mfesmfk  mfesmfk.sys  Mon Jul 16 18:47:52 2007 (469BAF48)
9eb4a000 9eb60000   cdfs     cdfs.sys     Sat Jan 19 05:28:02 2008 (47918A62)
9eb60000 9eb669c0   mferkdk  mferkdk.sys  Mon Jul 16 18:46:54 2007 (469BAF0E)
 
Unloaded modules:
8a1c7000 8a1d4000   crashdmp.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
8d60c000 8d6da000   dump_iaStor.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
Bugcheck code 0000000A
Arguments 48f9f9cf 000000ff 00000000 81efdde2

Select allOpen in new window

I will get him to send in more minidumps also

Hi -
I know you said this was a clean system and no drivers installed (except the backup software, post-BSOD).  I must then ask how/why a 2+ year old McAfee firewall driver was found in the FIRST BSOD dump -  
Mpfp.sys     Fri Jul 13 15:21:09 2007 (46978A55) McAfee firewall

That was nothing, really, compared to my next find -- a driver from 2000 -
DMICall.sys  Tue Dec 05 07:14:23 2000 (3A2C95CF) Sony DMI call service driver
 
That 2000 driver just may shed some light on this OEM driver  -
SFEP.sys     Fri Aug 03 06:36:08 2007 (46B2BEC8) Sony Firmware Extension Parser driver
More info on the last one - http://tjworld.net/snc/
I haven't looked back yet, but I hope you will tell me the laptop involved is a Sony !!
There is more, but first, if I may ---  I am spending a ton of time looking things up & searching to perform comparisons in that system using the drivers timestamps.  I know it can be done easier and faster.  I need to obtain system info.  This is what I usually obtain from BSOD OPs so that I have access to the files that I need during debugging and hunting -
http://www.techsupportforum.com/1871981-post2.html
Any chance that I may get this from you?  I request such because in addition to the above, the MS USB drivers at this time appear to have had a hotfix applied (or other - ?).  They are only a few weeks older than their original Vista SP1 dated counterparts.  I ran a search through >1,000 dumps and went through 14 Vista hotfixes and have not found any matches for these drivers & timestamps.  
usbhub.sys   Tue Feb 05 04:21:42 2008 (47A7E456)
usbccgp.sys  Tue Feb 05 04:21:34 2008 (47A7E44E)
USBPORT.SYS  Tue Feb 05 04:21:30 2008 (47A7E44A)
usbehci.sys  Tue Feb 05 04:21:26 2008 (47A7E446)
usbuhci.sys  Tue Feb 05 04:21:25 2008 (47A7E445)
USBD.SYS     Tue Feb 05 04:21:23 2008 (47A7E443)
I'm not even sure they are all actual MS drivers.  Nor am I sure whether there is anything wrong with them or not.  I would like to know what USB devices are used, if any.
When you ran the dumps, were there any symbol errors?
Regards. . .  jcgriff2
 
.

 

Hi jcgriff2,

It is a Sony laptop with OEM operating system and software installed. There is no bluescreens on another reference model with the exact same setup... i.e. installed from the recovery partition.

I have already requested that from the customer but he will not be able to do this till he comes back from his holiday.

Hi jtiernan2008,
Just wanted to touch base and make sure that you are not waiting on me for any items at this time.  
I do hear you completely when you say that other systems have the same setup.  I can only tell you that I have seen multiple "identical" systems side-by-side -- yet they can act differently - some may crash; others do not.   It is also possible that hardware itself may play a role as one system may be experiencing a hard drive or NIC issue that causes it to compensate, which the other systems don't have to do.  
Can the user of one system have anything different than the others - even something like a screen saver or a post-OS installed application?  Can anything be introduced into one that is not introduced to another (e.g., can one system have updated virus defs while another does not)?  
It would be interesting to get a set of files (using the batch script in the link that I provided) for one of the other systems not experiencing BSODs.  One item that I would look at would be appcrashes & apphangs to see if they are identical or even similar.
Thanks. . .  JC

Thanks a million

I am trying to organise the unit sent in without trying to TS this remotely and will have better access to the system.

thanks a million for your help so far

regards

Still waiting for the customer to send in the laptop...

you may be interested in this other similar question I have raised in the mean time;
https://www.experts-exchange.com/questions/24553208/BSOD-WHEA-UNCORRECTABLE-ERROR-124-minidump-attached.html?anchorAnswerId=24839398#a24839398

THANK YOU   for the link.  I did answer.  Waiting to see.
JC

The computer was recovered when we recieved it. Left it and stressed tested with everest with the CPU, RAM and HDD for 2 days with no BSOD. Cannot do much if no BSOD also I would believe that the unit would have BSOD if there was an issue with it. I also done the verifer thingy - nothing. I'd say this is a closed case and I will award the points if there is nothing further you would advise.

thanks a million.... great work as always