jtiernan2008
asked on
IRQL BSOD caused by ntkrpamp.exe
Please find the results of the kernel dump below.
The user has a laptop that keeps throwing this BSOD. Clean OEM system, new RAM and hdd.
RAM check done via memory diagnostics.
Can someone please advise :(
Loading Dump File [C:\Users\Justin\Desktop\work\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506
Machine Name:
Kernel base = 0x81e42000 PsLoadedModuleList = 0x81f59c70
Debug session time: Wed May 27 12:30:54.771 2009 (GMT+1)
System Uptime: 0 days 23:29:16.564
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
..
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {48f9f9cf, ff, 0, 81efdde2}
Probably caused by : ntkrpamp.exe ( nt!PpmCallIdleHandler+2c )
Followup: MachineOwner
---------
1: kd> !analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 48f9f9cf, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81efdde2, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 48f9f9cf
CURRENT_IRQL: 2
FAULTING_IP:
nt!PpmCallIdleHandler+2c
81efdde2 ff17 call dword ptr [edi]
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
TRAP_FRAME: 803ecc7c -- (.trap 0xffffffff803ecc7c)
ErrCode = 00000000
eax=869c9b70 ebx=0003709c ecx=869c9d00 edx=00000000 esi=869c9ac0 edi=869c9bcc
eip=81efdde2 esp=803eccf0 ebp=803eccf8 iopl=0 nv up di ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010093
nt!PpmCallIdleHandler+0x2c:
81efdde2 ff17 call dword ptr [edi] ds:0023:869c9bcc={intelppm!MWaitIdle (8d6e74c0)}
Resetting default scope
LAST_CONTROL_TRANSFER: from 81efdde2 to 81e9cd24
STACK_TEXT:
803ecc7c 81efdde2 badb0d00 00000000 00000f43 nt!KiTrap0E+0x2ac
803eccf8 81efdd32 869c9ac0 00000000 85c26568 nt!PpmCallIdleHandler+0x2c
803ecd50 81ef6ea1 00000000 0000000e 00000000 nt!PoIdle+0x2d1
803ecd54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xd
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PpmCallIdleHandler+2c
81efdde2 ff17 call dword ptr [edi]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!PpmCallIdleHandler+2c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 49ac8fb4
FAILURE_BUCKET_ID: 0xA_nt!PpmCallIdleHandler+2c
BUCKET_ID: 0xA_nt!PpmCallIdleHandler+2c
Followup: MachineOwner
---------
Have you updated to Vista SP2 yet? Try this first. Also try and update all your device drivers for your laptop from the manufacturer's web site. Also check your event logs to see if this will help pinpoint the exact problem.
The timestamp on the dump shows that particular BSOD occurred over 2 weeks ago. Have you had any more recent BSODs?
I see that it is Vista SP1 and that it is a full kernel dump. There s/b mini kernel dumps in \windows\minidump. If you would also be so kind as to re-run the dump thru the debugger, but when it comes time to click on the blue !analyze -v, please enter the line in the code box into the kd> line at the bottom of the debugger and then re-post the output.
The driver listed as "probably caused by" is an NT Kernel component and in no way is responsible here. I agree with Pete Zed that the device drivers should be updated, but I would hold off on SP2 if possible right now. I would rather see the driver verifier run as it is really the only chance here of identifying a problematic driver, assuming this is software related. That is your call, of course. Here are the instructions - http://www.techsupportforum.com/2110308-post3.html
In the interim, if you would please re-run the debugger w/ the code snippet in the kd> cmd line, it will afford me a look at the loaded drivers at the time of the BSOD.
Also, the bugcheck on the BSOD = 0xa - which may indicate RAM, but I think it is worth while to look at the drivers 1st.
Thank you -
jcgriff2
!analyze -v;r;kv;lmtn
ASKER
Hi,
thanks a million for your responses. I am the manufacturer technical support second level. It is not a driver issue as it is a clean system and only OEM drivers installed. (the customer has the computer). If it was a driver issue the issue would be reproduced across the lineup. The BSOD is ongoing even after we replaced the RAM and the hdd. The BSOD dump writes over the old one so this must be the latest one.
Also, what does the driver verifier tool do exactly? What do those instructions do?
On a side note, jcgriff2, that is a very interesting and helpful post. Where do you get this info from? I would like to learn this. Can you advise any books etc.?
Hi -
You're welcome. You said it is a "clean system" yet OEM drivers installed. Does this mean that the OEM Vista DVD (recovery DVD) was used to load Vista? If so, there are probably apps that came pre-installed on the OEM Vista DVD along with the drivers. Those apps along with new ones the user installed and any 3rd party manufacturer driver updates that came in on their own or via Windows Updates -- it is all suspect and could be contributing to the BSODs. Just some food for thought.
If you don't mind, I would really like to see the loaded driver list from the kernel dump. It is very quick for you - bring the debugger back up and when you would normally click on the blue !analyze -v - don't click. Look down at the bottom of the dbgger screen for kd> - paste this into that line -
!analyze -v;r;kv;lmtn
Then please post the debugger output like in the 1st post - only this one will have the loaded drivers on it.
I do understand that it was a full kernel dump file and that \windows\memory.dmp is overwritten each time. Usually, a mini kernel dump will be produced in addition to the kernel dump. They are in c:\windows\minidump. If you zip them up and attach or add the file extension TXT & attach to post, I'll run them.
It would be interesting to know if the other bugchecks were 0xa and if the memory addresses contained in 2 of the 4 parms are in close proximity to each other. I know that 0xa can be hardware, however I can show you 100's of threads that will tell us ~50% (guesstimate) are driver related - not necessarily device drivers. Vista has the 0x124 WHEA (Windows Hardware Error Architecture) bugcheck and I would have expected to see it or a 0x101 CLOCK_WATCHDOG_TIMEOUT bugcheck given that the program instruction it failed on was nt!PpmCallIdleHandler+2c - which I think involves "Ppm" = processor power management. So I am unsure if this would/ could tie in to RAM as being the culprit in this BSOD. I don't know why NT called upon an object and then ordered "CallIdleHandler". That sounds CPU related to me.
Did you look at the drivers at any time before replacing the HDD and RAM? I don't know how old the system is but I think it could have been a driver. I'll say that the possibility exists. The reason being Windows Updates. The "faulting module" ntkrpamp.exe has a timestamp = 49ac8fb4 which = Mon Mar 02 18:02:28 2009. So it's fairly new and could have come in just around the time the BSODs started.... possibly?
The Driver Verifier simply puts drivers through a stress test and monitors them. It's not foolproof, but it is a good way to check the drivers out. I don't include Microsoft drivers because I consider them to be the last to worry about. 3rd party 1st.
As far as learning BSOD crash dump analysis, it really is done so at your comfort level. I learned this on my own and alone. It was just something I picked up because BSOD threads in general would be answered with "check Device Manager, memtest, etc.." and the dumps were not being read. So I changed that about 1 year ago and began answering BSOD threads. Since then I have processed > 10,000 dump files easily. It is an ongoing learning process as the debugger has thousands of command combinations to it alone. Also, as you probably know, this is not the literal definition of debugging as one must have source code in order to debug. There is no source code. So that leaves us with probable causes - which as told by the debugger are often wrong. One place you can obtain insight into the disassemblement process is by looking at old posts of mine.
I found a thread of mine with a 0xa bugcheck. I ran ~30 dumps, some of which were driver verifier enabled, and the cause of the BSODs... an Intel wifi driver that needed an update because Windows Updates came through.
http://www.techsupportforum.com/microsoft-support/windows-vista-support/289245-solved-irql_not_less_or_equal.html#post1693096
That particular post shows the stack text and explains how the driver verifier helped. I own no books on this subject, have never read any, looked at any,.... Mostly trial and error in the beginning and of course Google. But I ask for much more usually than just the dump files - I request a ton of system info - about 25-50 MB of files to start with. I ask BSOD OPs to run a batch script file that collects everything and runs ~ 20 apps/ utilities. You can see it HERE.
I'll be glad to answer any questions that you may have. Also - it may be good to provide the dumps and I can show you step-by-step to some degree what I find and its relevance in my mind to the crashes. If it is a hardware problem, the dumps won't be of any use other than to rule some things out.
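The cross-dump comparison and timestamp decoding described in the post above, as an added example that is not part of the original thread: it parses WinDbg summary text, decodes `DEBUG_FLR_IMAGE_TIMESTAMP` as a UTC date, checks whether Arg1/Arg4 of two dumps fall within one 4 KiB page, and sorts `lmtn` rows by build date. `DUMP_B`, the 4 KiB window and all function names are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# DUMP_A is copied from the first dump posted in this thread.
# DUMP_B is constructed for illustration; it is not from a real crash.
DUMP_A = """\
BugCheck A, {48f9f9cf, ff, 0, 81efdde2}
Probably caused by : ntkrpamp.exe ( nt!PpmCallIdleHandler+2c )
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 49ac8fb4
"""
DUMP_B = """\
BugCheck A, {48f9f8d3, ff, 0, 81efdde2}
Probably caused by : ntkrpamp.exe ( nt!PpmCallIdleHandler+2c )
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 49ac8fb4
"""
# Three lmtn rows copied from the module list posted later in this thread.
LMTN = """\
81e02000 821bb000 nt ntkrpamp.exe Tue Mar 03 02:02:28 2009 (49AC8FB4)
8420a000 842d8000 iaStor iaStor.sys Wed Apr 16 01:07:31 2008 (48054343)
84340000 84349200 PxHelp20 PxHelp20.sys Thu Mar 13 01:57:44 2008 (47D88A18)
"""

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
FIELD_RE = re.compile(r"^(IMAGE_NAME|DEBUG_FLR_IMAGE_TIMESTAMP):\s*(\S+)", re.M)
LMTN_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)\s+(\S+)\s+.*"
    r"\(([0-9A-Fa-f]{8})\)[ \t]*$",
    re.M,
)
# For 0xA / 0xD1: Arg1 = memory referenced, Arg4 = referencing instruction.
ADDRESS_ARGS = (0, 3)


def pe_timestamp_utc(hex_stamp):
    """Decode a PE TimeDateStamp (seconds since 1970-01-01 UTC).

    A tool that prints local time shows a different wall-clock value
    for the same stamp.
    """
    return datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc)


def parse_summary(text):
    """Extract bugcheck code, parameters, image name and image build time."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no 'BugCheck' summary line found")
    fields = dict(FIELD_RE.findall(text))
    stamp = fields.get("DEBUG_FLR_IMAGE_TIMESTAMP")
    return {
        "code": int(m.group(1), 16),
        "args": [int(a.strip(), 16) for a in m.group(2).split(",")],
        "image": fields.get("IMAGE_NAME"),
        "built": pe_timestamp_utc(stamp) if stamp else None,
    }


def address_distance(a, b):
    """Absolute distance between the address-bearing parameters of two dumps."""
    return {f"Arg{i + 1}": abs(a["args"][i] - b["args"][i]) for i in ADDRESS_ARGS}


def same_pattern(a, b, window=0x1000):
    """True if both dumps share a bugcheck code and Arg1/Arg4 lie within
    `window` bytes of each other (one 4 KiB x86 page by default)."""
    if a["code"] != b["code"]:
        return False
    return all(d < window for d in address_distance(a, b).values())


def modules_newest_first(lmtn_text):
    """Return (build time, image name) for each lmtn row, newest build first."""
    rows = [
        (pe_timestamp_utc(stamp), image)
        for _start, _end, _module, image, stamp in LMTN_RE.findall(lmtn_text)
    ]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    a, b = parse_summary(DUMP_A), parse_summary(DUMP_B)
    print(f"bugcheck 0x{a['code']:X}, image {a['image']}, built {a['built']:%Y-%m-%d %H:%M:%S} UTC")
    print("distances:", {k: hex(v) for k, v in address_distance(a, b).items()})
    print("same pattern:", same_pattern(a, b))
    for built, image in modules_newest_first(LMTN):
        print(f"{built:%Y-%m-%d}  {image}")
```
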
ASKER
Really interesting read... sorry I can only give you 500 points when this is resolved :)
I know that it is not an OEM driver or software as I know the lineup and this issue doesn't reproduce. I think it is a hardware problem but I need to zero into exactly what device is causing it so that I can alert the repair centre to replace the part.
I have contacted the customer and requested to follow the instructions you provided.
ASKER
Hi,
please find attached as requested.
Justin
WARNING: Whitespace at end of path element
Loading Dump File [C:\Users\Justin\Desktop\Mini061509-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
WARNING: Whitespace at end of path element
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506
Machine Name:
Kernel base = 0x81e02000 PsLoadedModuleList = 0x81f19c70
Debug session time: Mon Jun 15 20:17:25.614 2009 (GMT+1)
System Uptime: 0 days 0:01:12.457
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
Loading unloaded module list
............
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {916da1b3, 2, 8, 916da1b3}
Unable to load image \SystemRoot\system32\DRIVERS\mozy.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mozy.sys
*** ERROR: Module load completed but symbols could not be loaded for mozy.sys
Probably caused by : mozy.sys ( mozy+c1b3 )
Followup: MachineOwner
---------
1: kd> !analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 916da1b3, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 916da1b3, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from 81f39868
Unable to read MiSystemVaType memory at 81f19420
916da1b3
CURRENT_IRQL: 2
FAULTING_IP:
mozy+c1b3
916da1b3 ?? ???
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
BUGCHECK_STR: 0xD1
PROCESS_NAME: mozybackup.exe
TRAP_FRAME: a58d6b94 -- (.trap 0xffffffffa58d6b94)
ErrCode = 00000010
eax=9370a000 ebx=9070f3e0 ecx=b3050002 edx=00000000 esi=916d8234 edi=aede0f68
eip=916da1b3 esp=a58d6c08 ebp=a58d6c10 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
mozy+0xc1b3:
916da1b3 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from 916da1b3 to 81e5cd24
FAILED_INSTRUCTION_ADDRESS:
mozy+c1b3
916da1b3 ?? ???
STACK_TEXT:
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
STACK_COMMAND: kb
FOLLOWUP_IP:
mozy+c1b3
916da1b3 ?? ???
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: mozy+c1b3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mozy
IMAGE_NAME: mozy.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a0daf55
FAILURE_BUCKET_ID: 0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
BUCKET_ID: 0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
Followup: MachineOwner
---------
1: kd> !analyze -v;r;kv;lmtn
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 916da1b3, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 916da1b3, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from 81f39868
Unable to read MiSystemVaType memory at 81f19420
916da1b3
CURRENT_IRQL: 2
FAULTING_IP:
mozy+c1b3
916da1b3 ?? ???
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
BUGCHECK_STR: 0xD1
PROCESS_NAME: mozybackup.exe
TRAP_FRAME: a58d6b94 -- (.trap 0xffffffffa58d6b94)
ErrCode = 00000010
eax=9370a000 ebx=9070f3e0 ecx=b3050002 edx=00000000 esi=916d8234 edi=aede0f68
eip=916da1b3 esp=a58d6c08 ebp=a58d6c10 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
mozy+0xc1b3:
916da1b3 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from 916da1b3 to 81e5cd24
FAILED_INSTRUCTION_ADDRESS:
mozy+c1b3
916da1b3 ?? ???
STACK_TEXT:
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
STACK_COMMAND: kb
FOLLOWUP_IP:
mozy+c1b3
916da1b3 ?? ???
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: mozy+c1b3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mozy
IMAGE_NAME: mozy.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a0daf55
FAILURE_BUCKET_ID: 0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
BUCKET_ID: 0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
Followup: MachineOwner
---------
eax=803d1120 ebx=00000002 ecx=81f021f8 edx=000000d5 esi=803d113c edi=a58d6808
eip=81e5cd24 esp=a58d6b7c ebp=a58d6b94 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!KiTrap0E+0x2ac:
81e5cd24 833d640cf38100 cmp dword ptr [nt!KiFreezeFlag (81f30c64)],0 ds:0023:81f30c64=????????
ChildEBP RetAddr Args to Child
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac (FPO: [0,0] TrapFrame @ a58d6b94)
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ a58d6d64)
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
start end module name
80403000 8040b000 kdcom kdcom.dll Sat Jan 19 07:31:53 2008 (4791A769)
8040b000 8046b000 mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Sat Jan 19 07:29:43 2008 (4791A6E7)
8046b000 8047c000 PSHED PSHED.dll Sat Jan 19 07:31:21 2008 (4791A749)
8047c000 80484000 BOOTVID BOOTVID.dll Sat Jan 19 07:27:15 2008 (4791A653)
80484000 804c5000 CLFS CLFS.SYS Sat Jan 19 05:28:01 2008 (47918A61)
804c5000 805a5000 CI CI.dll Fri Feb 22 05:00:56 2008 (47BE5708)
80605000 80681000 Wdf01000 Wdf01000.sys Sat Jan 19 05:52:21 2008 (47919015)
80681000 8068e000 WDFLDR WDFLDR.SYS Sat Jan 19 05:52:19 2008 (47919013)
8068e000 806d4000 acpi acpi.sys Sat Jan 19 05:32:48 2008 (47918B80)
806d4000 806dd000 WMILIB WMILIB.SYS Sat Jan 19 05:53:08 2008 (47919044)
806dd000 806e5000 msisadrv msisadrv.sys Sat Jan 19 05:32:51 2008 (47918B83)
806e5000 8070c000 pci pci.sys Sat Jan 19 05:32:57 2008 (47918B89)
8070c000 8071b000 partmgr partmgr.sys Sat Jan 19 05:49:54 2008 (47918F82)
8071b000 8071d900 compbatt compbatt.sys Sat Jan 19 05:32:47 2008 (47918B7F)
8071e000 80728000 BATTC BATTC.SYS Sat Jan 19 05:32:45 2008 (47918B7D)
80728000 80737000 volmgr volmgr.sys Sat Jan 19 05:49:51 2008 (47918F7F)
80737000 80781000 volmgrx volmgrx.sys Sat Jan 19 05:50:00 2008 (47918F88)
80781000 80791000 mountmgr mountmgr.sys Sat Jan 19 05:49:13 2008 (47918F59)
80791000 807bb000 ks ks.sys Sat Jan 19 05:49:21 2008 (47918F61)
807bb000 807ef000 usbhub usbhub.sys Tue Feb 05 04:21:42 2008 (47A7E456)
807ef000 80800000 NDProxy NDProxy.SYS Sat Jan 19 05:56:28 2008 (4791910C)
81e02000 821bb000 nt ntkrpamp.exe Tue Mar 03 02:02:28 2009 (49AC8FB4)
821bb000 821ee000 hal halmacpi.dll Sat Jan 19 05:27:20 2008 (47918A38)
8420a000 842d8000 iaStor iaStor.sys Wed Apr 16 01:07:31 2008 (48054343)
842d8000 842e0000 atapi atapi.sys Sat Jan 19 05:49:40 2008 (47918F74)
842e0000 842fe000 ataport ataport.SYS Sat Jan 19 05:49:40 2008 (47918F74)
842fe000 84330000 fltmgr fltmgr.sys Sat Jan 19 05:28:10 2008 (47918A6A)
84330000 84340000 fileinfo fileinfo.sys Sat Jan 19 05:34:27 2008 (47918BE3)
84340000 84349200 PxHelp20 PxHelp20.sys Thu Mar 13 01:57:44 2008 (47D88A18)
8434a000 843bb000 ksecdd ksecdd.sys Sat Jan 19 05:41:20 2008 (47918D80)
843bb000 843cf000 raspptp raspptp.sys Sat Jan 19 05:56:34 2008 (47919112)
843cf000 843e4000 rassstp rassstp.sys Sat Jan 19 05:56:43 2008 (4791911B)
843e4000 843f4000 termdd termdd.sys Sat Jan 19 06:01:06 2008 (47919222)
84405000 84510000 ndis ndis.sys Sat Jan 19 05:55:51 2008 (479190E7)
84510000 8453b000 msrpc msrpc.sys Sat Jan 19 05:48:15 2008 (47918F1F)
8453b000 84575000 NETIO NETIO.SYS Sat Jan 19 05:56:19 2008 (47919103)
84575000 845a3000 msiscsi msiscsi.sys Sat Jan 19 05:50:44 2008 (47918FB4)
845a3000 845e4000 storport storport.sys Sat Jan 19 05:49:49 2008 (47918F7D)
845e4000 845f3000 raspppoe raspppoe.sys Sat Jan 19 05:56:33 2008 (47919111)
845f3000 84600000 umbus umbus.sys Sat Jan 19 05:53:40 2008 (47919064)
8460a000 84719000 Ntfs Ntfs.sys Sat Jan 19 05:28:54 2008 (47918A96)
84719000 84752000 volsnap volsnap.sys Sat Jan 19 05:50:10 2008 (47918F92)
ASKER
I think a bit was left out so the correct output of the minidump is as follows;
WARNING: Whitespace at end of path element
Loading Dump File [C:\Users\Justin\Desktop\Mini061509-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
WARNING: Whitespace at end of path element
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506
Machine Name:
Kernel base = 0x81e02000 PsLoadedModuleList = 0x81f19c70
Debug session time: Mon Jun 15 20:17:25.614 2009 (GMT+1)
System Uptime: 0 days 0:01:12.457
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
Loading unloaded module list
............
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {916da1b3, 2, 8, 916da1b3}
Unable to load image \SystemRoot\system32\DRIVERS\mozy.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for mozy.sys
*** ERROR: Module load completed but symbols could not be loaded for mozy.sys
Probably caused by : mozy.sys ( mozy+c1b3 )
Followup: MachineOwner
---------
1: kd> !analyze -v
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 916da1b3, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 916da1b3, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from 81f39868
Unable to read MiSystemVaType memory at 81f19420
916da1b3
CURRENT_IRQL: 2
FAULTING_IP:
mozy+c1b3
916da1b3 ?? ???
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
BUGCHECK_STR: 0xD1
PROCESS_NAME: mozybackup.exe
TRAP_FRAME: a58d6b94 -- (.trap 0xffffffffa58d6b94)
ErrCode = 00000010
eax=9370a000 ebx=9070f3e0 ecx=b3050002 edx=00000000 esi=916d8234 edi=aede0f68
eip=916da1b3 esp=a58d6c08 ebp=a58d6c10 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
mozy+0xc1b3:
916da1b3 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from 916da1b3 to 81e5cd24
FAILED_INSTRUCTION_ADDRESS:
mozy+c1b3
916da1b3 ?? ???
STACK_TEXT:
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
STACK_COMMAND: kb
FOLLOWUP_IP:
mozy+c1b3
916da1b3 ?? ???
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: mozy+c1b3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mozy
IMAGE_NAME: mozy.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a0daf55
FAILURE_BUCKET_ID: 0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
BUCKET_ID: 0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
Followup: MachineOwner
---------
1: kd> !analyze -v;r;kv;lmtn
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 916da1b3, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 916da1b3, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from 81f39868
Unable to read MiSystemVaType memory at 81f19420
916da1b3
CURRENT_IRQL: 2
FAULTING_IP:
mozy+c1b3
916da1b3 ?? ???
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
BUGCHECK_STR: 0xD1
PROCESS_NAME: mozybackup.exe
TRAP_FRAME: a58d6b94 -- (.trap 0xffffffffa58d6b94)
ErrCode = 00000010
eax=9370a000 ebx=9070f3e0 ecx=b3050002 edx=00000000 esi=916d8234 edi=aede0f68
eip=916da1b3 esp=a58d6c08 ebp=a58d6c10 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
mozy+0xc1b3:
916da1b3 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from 916da1b3 to 81e5cd24
FAILED_INSTRUCTION_ADDRESS:
mozy+c1b3
916da1b3 ?? ???
STACK_TEXT:
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
STACK_COMMAND: kb
FOLLOWUP_IP:
mozy+c1b3
916da1b3 ?? ???
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: mozy+c1b3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mozy
IMAGE_NAME: mozy.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a0daf55
FAILURE_BUCKET_ID: 0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
BUCKET_ID: 0xD1_VRF_CODE_AV_BAD_IP_mozy+c1b3
Followup: MachineOwner
---------
eax=803d1120 ebx=00000002 ecx=81f021f8 edx=000000d5 esi=803d113c edi=a58d6808
eip=81e5cd24 esp=a58d6b7c ebp=a58d6b94 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!KiTrap0E+0x2ac:
81e5cd24 833d640cf38100 cmp dword ptr [nt!KiFreezeFlag (81f30c64)],0 ds:0023:81f30c64=????????
ChildEBP RetAddr Args to Child
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac (FPO: [0,0] TrapFrame @ a58d6b94)
WARNING: Stack unwind information not available. Following frames may be wrong.
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
a58d6c8c 820465e7 967dcb50 821c2110 967dcb38 nt!IopDeleteFile+0x178
a58d6ca8 81e538c9 967dcb50 00000000 a467d030 nt!ObpRemoveObjectRoutine+0x13d
a58d6cd0 8201f4ca a25c5410 a467d030 00000458 nt!ObfDereferenceObject+0xa1
a58d6d14 8201f6c0 a25c5410 a3e878b0 a465e318 nt!ObpCloseHandleTableEntry+0x24e
a58d6d44 8201f8e5 a465e318 a467d001 a467d001 nt!ObpCloseHandle+0x73
a58d6d58 81e59a1a 00000458 0136fe40 778e9a94 nt!NtClose+0x20
a58d6d58 778e9a94 00000458 0136fe40 778e9a94 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ a58d6d64)
0136fe40 00000000 00000000 00000000 00000000 0x778e9a94
start end module name
80403000 8040b000 kdcom kdcom.dll Sat Jan 19 07:31:53 2008 (4791A769)
8040b000 8046b000 mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Sat Jan 19 07:29:43 2008 (4791A6E7)
8046b000 8047c000 PSHED PSHED.dll Sat Jan 19 07:31:21 2008 (4791A749)
8047c000 80484000 BOOTVID BOOTVID.dll Sat Jan 19 07:27:15 2008 (4791A653)
80484000 804c5000 CLFS CLFS.SYS Sat Jan 19 05:28:01 2008 (47918A61)
804c5000 805a5000 CI CI.dll Fri Feb 22 05:00:56 2008 (47BE5708)
80605000 80681000 Wdf01000 Wdf01000.sys Sat Jan 19 05:52:21 2008 (47919015)
80681000 8068e000 WDFLDR WDFLDR.SYS Sat Jan 19 05:52:19 2008 (47919013)
8068e000 806d4000 acpi acpi.sys Sat Jan 19 05:32:48 2008 (47918B80)
806d4000 806dd000 WMILIB WMILIB.SYS Sat Jan 19 05:53:08 2008 (47919044)
806dd000 806e5000 msisadrv msisadrv.sys Sat Jan 19 05:32:51 2008 (47918B83)
806e5000 8070c000 pci pci.sys Sat Jan 19 05:32:57 2008 (47918B89)
8070c000 8071b000 partmgr partmgr.sys Sat Jan 19 05:49:54 2008 (47918F82)
8071b000 8071d900 compbatt compbatt.sys Sat Jan 19 05:32:47 2008 (47918B7F)
8071e000 80728000 BATTC BATTC.SYS Sat Jan 19 05:32:45 2008 (47918B7D)
80728000 80737000 volmgr volmgr.sys Sat Jan 19 05:49:51 2008 (47918F7F)
80737000 80781000 volmgrx volmgrx.sys Sat Jan 19 05:50:00 2008 (47918F88)
80781000 80791000 mountmgr mountmgr.sys Sat Jan 19 05:49:13 2008 (47918F59)
80791000 807bb000 ks ks.sys Sat Jan 19 05:49:21 2008 (47918F61)
807bb000 807ef000 usbhub usbhub.sys Tue Feb 05 04:21:42 2008 (47A7E456)
807ef000 80800000 NDProxy NDProxy.SYS Sat Jan 19 05:56:28 2008 (4791910C)
81e02000 821bb000 nt ntkrpamp.exe Tue Mar 03 02:02:28 2009 (49AC8FB4)
821bb000 821ee000 hal halmacpi.dll Sat Jan 19 05:27:20 2008 (47918A38)
8420a000 842d8000 iaStor iaStor.sys Wed Apr 16 01:07:31 2008 (48054343)
842d8000 842e0000 atapi atapi.sys Sat Jan 19 05:49:40 2008 (47918F74)
842e0000 842fe000 ataport ataport.SYS Sat Jan 19 05:49:40 2008 (47918F74)
842fe000 84330000 fltmgr fltmgr.sys Sat Jan 19 05:28:10 2008 (47918A6A)
84330000 84340000 fileinfo fileinfo.sys Sat Jan 19 05:34:27 2008 (47918BE3)
84340000 84349200 PxHelp20 PxHelp20.sys Thu Mar 13 01:57:44 2008 (47D88A18)
8434a000 843bb000 ksecdd ksecdd.sys Sat Jan 19 05:41:20 2008 (47918D80)
843bb000 843cf000 raspptp raspptp.sys Sat Jan 19 05:56:34 2008 (47919112)
843cf000 843e4000 rassstp rassstp.sys Sat Jan 19 05:56:43 2008 (4791911B)
843e4000 843f4000 termdd termdd.sys Sat Jan 19 06:01:06 2008 (47919222)
84405000 84510000 ndis ndis.sys Sat Jan 19 05:55:51 2008 (479190E7)
84510000 8453b000 msrpc msrpc.sys Sat Jan 19 05:48:15 2008 (47918F1F)
8453b000 84575000 NETIO NETIO.SYS Sat Jan 19 05:56:19 2008 (47919103)
84575000 845a3000 msiscsi msiscsi.sys Sat Jan 19 05:50:44 2008 (47918FB4)
845a3000 845e4000 storport storport.sys Sat Jan 19 05:49:49 2008 (47918F7D)
845e4000 845f3000 raspppoe raspppoe.sys Sat Jan 19 05:56:33 2008 (47919111)
845f3000 84600000 umbus umbus.sys Sat Jan 19 05:53:40 2008 (47919064)
8460a000 84719000 Ntfs Ntfs.sys Sat Jan 19 05:28:54 2008 (47918A96)
84719000 84752000 volsnap volsnap.sys Sat Jan 19 05:50:10 2008 (47918F92)
Hi -
Thank you for running the additional commands and for the VERIFIER_ENABLED_VISTA_MIN
I see a Vista SP1 system that crashed after being up only 1 min 12 secs.
The Bugcheck = 0xd1 (0x916da1b3, 0x2, 0x8, 0x916da1b3)
0xd1 = driver tried to access paged memory when it should not have.
The Driver Verifier flagged mozy.sys timestamp = 4a0daf55 = Fri May 15 11:07:17 2009
The process running at the time of the crash = mozybackup.exe.
The stack text clearly shows mozy at fault - 2nd line down
00000 00000000 nt!KiTrap0E+0x2ac (FPO: [0,0] Tra
d6c34 820e46be mozy+0xc1b3
e0f68 aede0f78 0x817c4b98
dcb50 9070f3e0 nt!IovCallDriver+0x23f
00000 967dcb38 nt!IofCallDriver+0x1b
c2110 967dcb38 nt!IopDeleteFile+0x178
00000 a467d030 nt!ObpRemoveObjectRoutine+
7d030 00000458 nt!ObfDereferenceObject+0x
The driver verifier flagged the Mozy driver and I have no doubt that Mozy would have caused problems for you in the near future. I know it is some type of backup app, but I would un-install it.
I noticed in the dump that a Nero driver is present - PxHelp20.sys - I don't see any other Nero drivers offhand.
Bugcheck 0xa and 0xd1 are nearly identical -
0xa = IRQL_NOT_LESS_OR_EQUAL
0xd1 = DRIVER_IRQL_NOT_LESS_OR_EQ
The difference is the word "driver". 0xa includes Microsoft drivers; 0xd1 does not. The 1st posted BSOD dbg log showed a 0xa bugcheck and named the NT Kernel as the probable cause. The Driver Verifier went to work and now the bugcheck changed to the 0xa-sister bugcheck 0xd1 and now flags mozy.sys as the definite cause.
This is the stack text from the 1st BSOD - you can see !nt (NT) is named - because it is the only one that could be identified at the time.
TACK_TEXT:
00000 00000f43 nt!KiTrap0E+0x2ac
00000 85c26568 nt!PpmCallIdleHandler+0x2c
0000e 00000000 nt!PoIdle+0x2d1
00000 00000000 nt!KiIdleLoop+0xd
This crash is obviously driver related. The memory addresses are completely different than those in the 1st crash which I would expect knowing that this was a verifier enabled crash dump. I could stretch things a little and say that the 1st BSOD was caused by mozy as well because NT would have been involved in the calling of Mozy and when called, it caused the 1st crash. But I do not have definitive proof of that at this time, just suspicion.
I would suggest that you un-install Mozy and see if the BSODs return.
Regards. . .
jcgriff2
.
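The triage steps in the reply above (read the bugcheck arguments, then walk the stack for the first frame outside the kernel) can be scripted. This is an added example, not part of the original thread; the sample text is constructed from lines of the two `!analyze -v` outputs posted here, and the function names and the `KERNEL_MODULES` set are assumptions made for the illustration.

```python
import re

# Constructed samples: lines copied from the two !analyze -v outputs in this thread.
VERIFIER_DUMP = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 916da1b3, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 916da1b3, address which referenced memory
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
BUGCHECK_STR: 0xD1
PROCESS_NAME: mozybackup.exe
STACK_TEXT:
a58d6b94 916da1b3 badb0d00 00000000 00000000 nt!KiTrap0E+0x2ac
a58d6c04 817c4b98 aede0f68 a58d6c34 820e46be mozy+0xc1b3
a58d6c10 820e46be 9070f3e0 aede0f68 aede0f78 0x817c4b98
a58d6c34 81ebdf8a aede0fd8 967dcb50 9070f3e0 nt!IovCallDriver+0x23f
a58d6c48 82021120 00000000 00000000 967dcb38 nt!IofCallDriver+0x1b
"""

FIRST_DUMP = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 48f9f9cf, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000000, bitfield :
Arg4: 81efdde2, address which referenced memory
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
STACK_TEXT:
803ecc7c 81efdde2 badb0d00 00000000 00000f43 nt!KiTrap0E+0x2ac
803eccf8 81efdd32 869c9ac0 00000000 85c26568 nt!PpmCallIdleHandler+0x2c
803ecd50 81ef6ea1 00000000 0000000e 00000000 nt!PoIdle+0x2d1
803ecd54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xd
"""

ARG_RE = re.compile(r"^Arg([1-4]):[ \t]*([0-9a-fA-F]+)", re.M)
FIELD_RE = re.compile(r"^([A-Z_]+):[ \t]*(\S.*)$", re.M)
# A kb-style frame: ChildEBP, RetAddr, three args, then the symbol.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)", re.M)

# Assumption for this example: frames in these modules are the OS itself.
KERNEL_MODULES = {"nt", "hal"}


def frame_module(symbol):
    """Return the module part of 'nt!Func+0x1' or 'mozy+0xc1b3'; None for a raw address."""
    if symbol.startswith("0x"):
        return None
    return re.split(r"[!+]", symbol, maxsplit=1)[0]


def triage(text):
    """Summarise a 0xA / 0xD1 analysis: access type, bad IP, verifier, first outside frame."""
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    fields = {k: v.strip() for k, v in FIELD_RE.findall(text)}
    modules = [frame_module(s) for s in FRAME_RE.findall(text)]
    outside = next((m for m in modules if m and m not in KERNEL_MODULES), None)
    # Arg3 bitfield as printed in the 0xA output: bit 0 = write, bit 3 = execute.
    if args[3] & 0x8:
        access = "execute"
    elif args[3] & 0x1:
        access = "write"
    else:
        access = "read"
    return {
        "bugcheck": fields.get("BUGCHECK_STR"),
        "process": fields.get("PROCESS_NAME"),
        "irql": args[2],
        "access": access,
        # Referenced address == faulting instruction address: the fetch of the
        # instruction itself failed, which matches the CODE_AV_BAD_IP bucket
        # and the "?? ???" disassembly in the verifier dump.
        "bad_ip": args[1] == args[4],
        "verifier": "VERIFIER_ENABLED" in fields.get("DEFAULT_BUCKET_ID", ""),
        "first_non_kernel_frame": outside,
    }


if __name__ == "__main__":
    for label, dump in (("first dump", FIRST_DUMP), ("verifier dump", VERIFIER_DUMP)):
        print(label, triage(dump))
```

For the first dump every frame resolves to `nt`, which is why the debugger could only name the kernel image there.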
ASKER
Yes, I thought that as well, but this is a red herring.
The customer installed Mozy in order to upload the first kernel dump as well so that I could access it.
I have asked him to uninstall Mozy and wait for another mini dump
And will update it as soon as I get it.
Thanks for the update on this file
Wow! Now I don't even have suspicion!
That of course is just fine - as the real cause needs to be found.
You may want to ask the user to go through the Reliability Monitor and look at the day of the 1st crash - May 27 - and see if anything installed on that day -
START | perfmon /rel
Also, could you please rerun the 1st dump through the debugger with the commands
!analyze -v;r;kv;lmtn;.bugcheck
and post the output. Thank you.
Is the verifier still running?
ASKER
I will get him to send in the perfmon as a html... it has that option.
I still have the kernel dump and ran it through the debugger with that command as requested.
The output is in the codebox.
The verifier is still running on the customer's computer.
Loading Dump File [C:\Users\Justin\Desktop\work\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506
Machine Name:
Kernel base = 0x81e42000 PsLoadedModuleList = 0x81f59c70
Debug session time: Wed May 27 12:30:54.771 2009 (GMT+1)
System Uptime: 0 days 23:29:16.564
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
..
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {48f9f9cf, ff, 0, 81efdde2}
Probably caused by : ntkrpamp.exe ( nt!PpmCallIdleHandler+2c )
Followup: MachineOwner
---------
1: kd> !analyze -v;r;kv;lmtn;.bugcheck
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 48f9f9cf, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81efdde2, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 48f9f9cf
CURRENT_IRQL: 2
FAULTING_IP:
nt!PpmCallIdleHandler+2c
81efdde2 ff17 call dword ptr [edi]
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
TRAP_FRAME: 803ecc7c -- (.trap 0xffffffff803ecc7c)
ErrCode = 00000000
eax=869c9b70 ebx=0003709c ecx=869c9d00 edx=00000000 esi=869c9ac0 edi=869c9bcc
eip=81efdde2 esp=803eccf0 ebp=803eccf8 iopl=0 nv up di ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010093
nt!PpmCallIdleHandler+0x2c:
81efdde2 ff17 call dword ptr [edi] ds:0023:869c9bcc={intelppm!MWaitIdle (8d6e74c0)}
Resetting default scope
LAST_CONTROL_TRANSFER: from 81efdde2 to 81e9cd24
STACK_TEXT:
803ecc7c 81efdde2 badb0d00 00000000 00000f43 nt!KiTrap0E+0x2ac
803eccf8 81efdd32 869c9ac0 00000000 85c26568 nt!PpmCallIdleHandler+0x2c
803ecd50 81ef6ea1 00000000 0000000e 00000000 nt!PoIdle+0x2d1
803ecd54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xd
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PpmCallIdleHandler+2c
81efdde2 ff17 call dword ptr [edi]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!PpmCallIdleHandler+2c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 49ac8fb4
FAILURE_BUCKET_ID: 0xA_nt!PpmCallIdleHandler+2c
BUCKET_ID: 0xA_nt!PpmCallIdleHandler+2c
Followup: MachineOwner
---------
eax=803d1120 ebx=000000ff ecx=81f421f8 edx=000000f3 esi=803d113c edi=803ec8f0
eip=81e9cd24 esp=803ecc64 ebp=803ecc7c iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000202
nt!KiTrap0E+0x2ac:
81e9cd24 833d640cf78100 cmp dword ptr [nt!KiFreezeFlag (81f70c64)],0 ds:0023:81f70c64=00000000
ChildEBP RetAddr Args to Child
803ecc7c 81efdde2 badb0d00 00000000 00000f43 nt!KiTrap0E+0x2ac (FPO: [0,0] TrapFrame @ 803ecc7c)
803eccf8 81efdd32 869c9ac0 00000000 85c26568 nt!PpmCallIdleHandler+0x2c
803ecd50 81ef6ea1 00000000 0000000e 00000000 nt!PoIdle+0x2d1
803ecd54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xd (FPO: [0,0,0])
start end module name
8040d000 80415000 kdcom kdcom.dll Sat Jan 19 07:31:53 2008 (4791A769)
80415000 80475000 mcupdate_GenuineIntel mcupdate_GenuineIntel.dll Sat Jan 19 07:29:43 2008 (4791A6E7)
80475000 80486000 PSHED PSHED.dll Sat Jan 19 07:31:21 2008 (4791A749)
80486000 8048e000 BOOTVID BOOTVID.dll Sat Jan 19 07:27:15 2008 (4791A653)
8048e000 804cf000 CLFS CLFS.SYS Sat Jan 19 05:28:01 2008 (47918A61)
804cf000 805af000 CI CI.dll Fri Feb 22 05:00:56 2008 (47BE5708)
80601000 8067d000 Wdf01000 Wdf01000.sys Sat Jan 19 05:52:21 2008 (47919015)
8067d000 8068a000 WDFLDR WDFLDR.SYS Sat Jan 19 05:52:19 2008 (47919013)
8068a000 806d0000 acpi acpi.sys Sat Jan 19 05:32:48 2008 (47918B80)
806d0000 806d9000 WMILIB WMILIB.SYS Sat Jan 19 05:53:08 2008 (47919044)
806d9000 806e1000 msisadrv msisadrv.sys Sat Jan 19 05:32:51 2008 (47918B83)
806e1000 80708000 pci pci.sys Sat Jan 19 05:32:57 2008 (47918B89)
80708000 80717000 partmgr partmgr.sys Sat Jan 19 05:49:54 2008 (47918F82)
80717000 80719900 compbatt compbatt.sys Sat Jan 19 05:32:47 2008 (47918B7F)
8071a000 80724000 BATTC BATTC.SYS Sat Jan 19 05:32:45 2008 (47918B7D)
80724000 80733000 volmgr volmgr.sys Sat Jan 19 05:49:51 2008 (47918F7F)
80733000 8077d000 volmgrx volmgrx.sys Sat Jan 19 05:50:00 2008 (47918F88)
8077d000 8078d000 mountmgr mountmgr.sys Sat Jan 19 05:49:13 2008 (47918F59)
8078d000 807b7000 ks ks.sys Sat Jan 19 05:49:21 2008 (47918F61)
807b7000 807eb000 usbhub usbhub.sys Tue Feb 05 04:21:42 2008 (47A7E456)
81e0f000 81e42000 hal halmacpi.dll Sat Jan 19 05:27:20 2008 (47918A38)
81e42000 821fb000 nt ntkrpamp.exe Tue Mar 03 02:02:28 2009 (49AC8FB4)
89c01000 89ccf000 iaStor iaStor.sys Wed Apr 16 01:07:31 2008 (48054343)
89ccf000 89cd7000 atapi atapi.sys Sat Jan 19 05:49:40 2008 (47918F74)
89cd7000 89cf5000 ataport ataport.SYS Sat Jan 19 05:49:40 2008 (47918F74)
89cf5000 89d27000 fltmgr fltmgr.sys Sat Jan 19 05:28:10 2008 (47918A6A)
89d27000 89d37000 fileinfo fileinfo.sys Sat Jan 19 05:34:27 2008 (47918BE3)
89d37000 89d40200 PxHelp20 PxHelp20.sys Thu Mar 13 01:57:44 2008 (47D88A18)
89d41000 89db2000 ksecdd ksecdd.sys Sat Jan 19 05:41:20 2008 (47918D80)
89db2000 89dc6000 raspptp raspptp.sys Sat Jan 19 05:56:34 2008 (47919112)
89dc6000 89ddb000 rassstp rassstp.sys Sat Jan 19 05:56:43 2008 (4791911B)
89ddb000 89de8000 umbus umbus.sys Sat Jan 19 05:53:40 2008 (47919064)
89de8000 89df9000 NDProxy NDProxy.SYS Sat Jan 19 05:56:28 2008 (4791910C)
89e01000 89f0c000 ndis ndis.sys Sat Jan 19 05:55:51 2008 (479190E7)
89f0c000 89f37000 msrpc msrpc.sys Sat Jan 19 05:48:15 2008 (47918F1F)
89f37000 89f71000 NETIO NETIO.SYS Sat Jan 19 05:56:19 2008 (47919103)
89f71000 89f9f000 msiscsi msiscsi.sys Sat Jan 19 05:50:44 2008 (47918FB4)
89f9f000 89fe0000 storport storport.sys Sat Jan 19 05:49:49 2008 (47918F7D)
89fe0000 89fef000 raspppoe raspppoe.sys Sat Jan 19 05:56:33 2008 (47919111)
89fef000 89fff000 termdd termdd.sys Sat Jan 19 06:01:06 2008 (47919222)
8a006000 8a115000 Ntfs Ntfs.sys Sat Jan 19 05:28:54 2008 (47918A96)
8a115000 8a14e000 volsnap volsnap.sys Sat Jan 19 05:50:10 2008 (47918F92)
8a14e000 8a156000 spldr spldr.sys Fri Jun 22 01:29:17 2007 (467B17DD)
8a156000 8a165000 mup mup.sys Sat Jan 19 05:28:20 2008 (47918A74)
8a165000 8a18c000 ecache ecache.sys Sat Jan 19 05:50:47 2008 (47918FB7)
8a18c000 8a19d000 disk disk.sys Sat Jan 19 05:49:47 2008 (47918F7B)
8a19d000 8a1be000 CLASSPNP CLASSPNP.SYS Sat Jan 19 05:49:36 2008 (47918F70)
8a1be000 8a1c7000 crcdisk crcdisk.sys Sat Jan 19 05:50:29 2008 (47918FA5)
8a1d4000 8a1f7000 ndiswan ndiswan.sys Sat Jan 19 05:56:32 2008 (47919110)
8d600000 8d60a000 mssmbios mssmbios.sys Sat Jan 19 05:32:55 2008 (47918B87)
8d60a000 8d67d000 btwavdt btwavdt.sys Fri Jun 27 19:22:31 2008 (48652FE7)
8d6da000 8d6e5000 tunnel tunnel.sys Sat Jan 19 05:55:50 2008 (479190E6)
8d6e5000 8d6f4000 intelppm intelppm.sys Sat Jan 19 05:27:20 2008 (47918A38)
8d6f4000 8d6f7780 CmBatt CmBatt.sys Sat Jan 19 05:32:47 2008 (47918B7F)
8d6f8000 8d736000 USBPORT USBPORT.SYS Tue Feb 05 04:21:30 2008 (47A7E44A)
8d736000 8d748000 HDAudBus HDAudBus.sys Tue Nov 27 23:18:41 2007 (474CA5D1)
8d748000 8d794000 yk60x86 yk60x86.sys Thu Feb 21 16:35:35 2008 (47BDA857)
8d794000 8d7c3200 SynTP SynTP.sys Tue Jun 17 19:37:15 2008 (4858045B)
8d7c4000 8d7dc000 cdrom cdrom.sys Sat Jan 19 05:49:50 2008 (47918F7E)
8d7dc000 8d7f3000 rasl2tp rasl2tp.sys Sat Jan 19 05:56:33 2008 (47919111)
8d7f3000 8d7fe000 ndistapi ndistapi.sys Sat Jan 19 05:56:24 2008 (47919108)
8dc00000 8dc0b000 TDI TDI.SYS Sat Jan 19 05:57:10 2008 (47919136)
8dc0b000 8e32cec0 nvlddmkm nvlddmkm.sys Wed May 14 18:36:48 2008 (482B2330)
8e32d000 8e3cc000 dxgkrnl dxgkrnl.sys Sat Aug 02 02:01:19 2008 (4893B1DF)
8e3cc000 8e3d9000 watchdog watchdog.sys Sat Jan 19 05:35:29 2008 (47918C21)
8e3d9000 8e3e4000 usbuhci usbuhci.sys Tue Feb 05 04:21:25 2008 (47A7E445)
8e3e4000 8e3f3000 usbehci usbehci.sys Tue Feb 05 04:21:26 2008 (47A7E446)
8e3f3000 8e3fd000 GEARAspiWDM GEARAspiWDM.sys Thu Mar 19 15:32:37 2009 (49C26595)
8e400000 8e401380 swenum swenum.sys Sat Jan 19 05:49:20 2008 (47918F60)
8e402000 8e789000 NETw5v32 NETw5v32.sys Mon Apr 28 14:29:22 2008 (4815D132)
8e789000 8e798200 ohci1394 ohci1394.sys Sat Jan 19 05:53:33 2008 (4791905D)
8e799000 8e7a6080 1394BUS 1394BUS.SYS Sat Jan 19 05:53:27 2008 (47919057)
8e7a7000 8e7b8000 risdptsk risdptsk.sys Thu May 01 12:04:08 2008 (4819A3A8)
8e7b8000 8e7d2000 rimsptsk rimsptsk.sys Sat May 24 14:35:01 2008 (48381985)
8e7d2000 8e7e5000 i8042prt i8042prt.sys Sat Jan 19 05:49:17 2008 (47918F5D)
8e7e5000 8e7f0000 kbdclass kbdclass.sys Sat Jan 19 05:49:14 2008 (47918F5A)
8e7f0000 8e7f1700 USBD USBD.SYS Tue Feb 05 04:21:23 2008 (47A7E443)
8e7f2000 8e7fd000 mouclass mouclass.sys Sat Jan 19 05:49:14 2008 (47918F5A)
8e7fd000 8e7ff480 SFEP SFEP.sys Fri Aug 03 06:36:08 2007 (46B2BEC8)
8ec0f000 8ee14940 RTKVHDA RTKVHDA.sys Thu Apr 24 11:17:34 2008 (48105E3E)
8ee15000 8ee42000 portcls portcls.sys Sat Jan 19 05:53:17 2008 (4791904D)
8ee42000 8ee67000 drmk drmk.sys Sat Jan 19 06:53:02 2008 (47919E4E)
8ee67000 8eea5000 HSXHWAZL HSXHWAZL.sys Tue Feb 12 22:27:07 2008 (47B21D3B)
8eea5000 8efa8000 HSX_DPV HSX_DPV.sys Tue Feb 12 22:29:13 2008 (47B21DB9)
8efa8000 8efd7800 mfehidk mfehidk.sys Mon Jul 16 18:43:16 2007 (469BAE34)
8f004000 8f0b9000 HSX_CNXT HSX_CNXT.sys Tue Feb 12 22:26:16 2008 (47B21D08)
8f0b9000 8f0c6000 modem modem.sys Sat Jan 19 05:57:16 2008 (4791913C)
8f0c6000 8f0cf000 Fs_Rec Fs_Rec.SYS Sat Jan 19 05:27:57 2008 (47918A5D)
8f0cf000 8f0d6000 Null Null.SYS Sat Jan 19 05:49:12 2008 (47918F58)
8f0d6000 8f0dd000 Beep Beep.SYS Sat Jan 19 05:49:10 2008 (47918F56)
8f0dd000 8f0e9000 vga vga.sys Sat Jan 19 05:52:06 2008 (47919006)
8f0e9000 8f10a000 VIDEOPRT VIDEOPRT.SYS Sat Jan 19 05:52:10 2008 (4791900A)
8f10a000 8f121000 usbccgp usbccgp.sys Tue Feb 05 04:21:34 2008 (47A7E44E)
8f121000 8f129000 RDPCDD RDPCDD.sys Sat Jan 19 06:01:08 2008 (47919224)
8f129000 8f149b80 usbvideo usbvideo.sys Sat Jan 19 05:53:38 2008 (47919062)
8f14a000 8f152000 rdpencdd rdpencdd.sys Sat Jan 19 06:01:09 2008 (47919225)
8f152000 8f15d000 Msfs Msfs.SYS Sat Jan 19 05:28:08 2008 (47918A68)
8f15d000 8f16b000 Npfs Npfs.SYS Sat Jan 19 05:28:09 2008 (47918A69)
8f16b000 8f174000 rasacd rasacd.sys Sat Jan 19 05:56:31 2008 (4791910F)
8f174000 8f182000 netbios netbios.sys Sat Jan 19 05:55:45 2008 (479190E1)
8f182000 8f195000 wanarp wanarp.sys Sat Jan 19 05:56:31 2008 (4791910F)
8f195000 8f1d1000 rdbss rdbss.sys Sat Jan 19 05:28:34 2008 (47918A82)
8f1d1000 8f1db000 nsiproxy nsiproxy.sys Sat Jan 19 05:55:50 2008 (479190E6)
8f1db000 8f1f2000 dfsc dfsc.sys Sat Jan 19 05:28:20 2008 (47918A74)
8f1f2000 8f1ff000 BTHUSB BTHUSB.sys Thu Apr 17 03:33:25 2008 (4806B6F5)
8f407000 8f4ee000 tcpip tcpip.sys Sat Apr 26 07:00:17 2008 (4812C4F1)
8f4ee000 8f509000 fwpkclnt fwpkclnt.sys Sat Jan 19 05:55:44 2008 (479190E0)
8f509000 8f530000 Mpfp Mpfp.sys Fri Jul 13 15:21:09 2007 (46978A55)
8f530000 8f546000 tdx tdx.sys Sat Jan 19 05:55:58 2008 (479190EE)
8f546000 8f558000 ipfltdrv ipfltdrv.sys Sat Jan 19 05:56:23 2008 (47919107)
8f558000 8f56c000 smb smb.sys Sat Jan 19 05:55:27 2008 (479190CF)
8f56c000 8f5b4000 afd afd.sys Sat Jan 19 05:57:00 2008 (4791912C)
8f5b4000 8f5e6000 netbt netbt.sys Sat Jan 19 05:55:33 2008 (479190D5)
8f5e6000 8f5fc000 pacer pacer.sys Sat Apr 05 02:21:42 2008 (47F6D426)
8f5fc000 8f5fcde0 DMICall DMICall.sys Tue Dec 05 07:14:23 2000 (3A2C95CF)
8fc02000 8fc82000 bthport bthport.sys Thu Apr 17 03:33:24 2008 (4806B6F4)
8fc82000 8fc8f000 crashdmp crashdmp.sys Sat Jan 19 05:49:43 2008 (47918F77)
8fc8f000 8fd5d000 dump_iaStor dump_iaStor.sys Wed Apr 16 01:07:31 2008 (48054343)
8fd5d000 8fd86000 rfcomm rfcomm.sys Thu Apr 17 03:33:30 2008 (4806B6FA)
8fd86000 8fd90000 BthEnum BthEnum.sys Thu Apr 17 03:33:26 2008 (4806B6F6)
8fd90000 8fdaa000 bthpan bthpan.sys Sat Jan 19 05:53:44 2008 (47919068)
95860000 95a62000 win32k win32k.sys Mon Feb 09 03:10:21 2009 (498F9E9D)
95a80000 95a89000 TSDDD TSDDD.dll Sat Jan 19 06:01:09 2008 (47919225)
95aa0000 95aae000 cdd cdd.dll Sat Aug 02 04:26:17 2008 (4893D3D9)
95c00000 95c81000 btwaudio btwaudio.sys Fri Jun 27 19:23:46 2008 (48653032)
95c81000 95c8b000 Dxapi Dxapi.sys Sat Jan 19 05:36:12 2008 (47918C4C)
95c8b000 95c95000 btwl2cap btwl2cap.sys Fri Feb 29 16:54:21 2008 (47C838BD)
95c95000 95c97c80 btwrchid btwrchid.sys Fri Jun 27 19:24:21 2008 (48653055)
95c98000 95ca8000 HIDCLASS HIDCLASS.SYS Thu Nov 02 08:55:00 2006 (4549B264)
95ca8000 95cae380 HIDPARSE HIDPARSE.SYS Thu Nov 02 08:55:00 2006 (4549B264)
95caf000 95cbe000 monitor monitor.sys Sat Jan 19 05:52:19 2008 (47919013)
95cbe000 95cd9000 luafv luafv.sys Sat Jan 19 05:30:35 2008 (47918AFB)
95cd9000 95d88000 spsys spsys.sys Fri Jun 22 01:33:02 2007 (467B18BE)
95d88000 95d98000 lltdio lltdio.sys Sat Jan 19 05:55:03 2008 (479190B7)
95d98000 95dc2000 nwifi nwifi.sys Tue May 20 03:07:27 2008 (4832325F)
95dc2000 95dcc000 ndisuio ndisuio.sys Sat Jan 19 05:55:40 2008 (479190DC)
95dcc000 95ddf000 rspndr rspndr.sys Sat Jan 19 05:55:03 2008 (479190B7)
9c200000 9c26b000 HTTP HTTP.sys Sat Jan 19 05:55:21 2008 (479190C9)
9c26b000 9c288000 srvnet srvnet.sys Sat Jan 19 05:29:11 2008 (47918AA7)
9c288000 9c2a1000 bowser bowser.sys Sat Jan 19 05:28:26 2008 (47918A7A)
9c2a1000 9c2b6000 mpsdrv mpsdrv.sys Sat Jan 19 05:54:45 2008 (479190A5)
9c2b6000 9c2d6000 mrxdav mrxdav.sys Sat Jan 19 05:28:44 2008 (47918A8C)
9c2d6000 9c2f5000 mrxsmb mrxsmb.sys Sat Jan 19 05:28:33 2008 (47918A81)
9c2f5000 9c32e000 mrxsmb10 mrxsmb10.sys Wed Aug 27 02:05:40 2008 (48B4A864)
9c32e000 9c346000 mrxsmb20 mrxsmb20.sys Sat Jan 19 05:28:35 2008 (47918A83)
9c346000 9c36d000 srv2 srv2.sys Sat Jan 19 05:29:14 2008 (47918AAA)
9c36d000 9c3b9000 srv srv.sys Tue Dec 16 02:42:35 2008 (4947159B)
9c3b9000 9c3bc180 mdmxsdk mdmxsdk.sys Mon Jun 19 22:26:59 2006 (449716A3)
9ea03000 9eae1000 peauth peauth.sys Mon Oct 23 09:55:32 2006 (453C8384)
9eae1000 9eae2500 regi regi.sys Mon Apr 16 16:19:05 2007 (462393E9)
9eae3000 9eaed000 secdrv secdrv.SYS Wed Sep 13 14:18:32 2006 (45080528)
9eaed000 9eaf9000 tcpipreg tcpipreg.sys Sat Jan 19 05:56:07 2008 (479190F7)
9eaf9000 9eb0d580 WUDFRd WUDFRd.sys Sat Jan 19 05:53:04 2008 (47919040)
9eb0e000 9eb20000 WUDFPf WUDFPf.sys Sat Jan 19 05:52:49 2008 (47919031)
9eb20000 9eb28000 xaudio xaudio.sys Thu Oct 18 23:36:53 2007 (4717E005)
9eb28000 9eb2ef60 mfebopk mfebopk.sys Mon Jul 16 18:46:30 2007 (469BAEF6)
9eb2f000 9eb40b80 mfeavfk mfeavfk.sys Mon Jul 16 18:45:58 2007 (469BAED6)
9eb41000 9eb493e0 mfesmfk mfesmfk.sys Mon Jul 16 18:47:52 2007 (469BAF48)
9eb4a000 9eb60000 cdfs cdfs.sys Sat Jan 19 05:28:02 2008 (47918A62)
9eb60000 9eb669c0 mferkdk mferkdk.sys Mon Jul 16 18:46:54 2007 (469BAF0E)
Unloaded modules:
8a1c7000 8a1d4000 crashdmp.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
8d60c000 8d6da000 dump_iaStor.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
Bugcheck code 0000000A
Arguments 48f9f9cf 000000ff 00000000 81efdde2
ASKER
I will get him to send in more minidumps also
Hi -
I know you said this was a clean system and no drivers installed (except the backup software, post-BSOD). I must then ask how/why a 2+ year old McAfee firewall driver was found in the FIRST BSOD dump -
Mpfp.sys Fri Jul 13 15:21:09 2007 (46978A55) McAfee firewall
That was nothing, really, compared to my next find -- a driver from 2000 -
DMICall.sys Tue Dec 05 07:14:23 2000 (3A2C95CF) Sony DMI call service driver
That 2000 driver just may shed some light on this OEM driver -
SFEP.sys Fri Aug 03 06:36:08 2007 (46B2BEC8) Sony Firmware Extension Parser driver
More info on the last one - http://tjworld.net/snc/
I haven't looked back yet, but I hope you will tell me the laptop involved is a Sony !!
There is more, but first, if I may --- I am spending a ton of time looking things up & searching to perform comparisons in that system using the drivers timestamps. I know it can be done easier and faster. I need to obtain system info. This is what I usually obtain from BSOD OPs so that I have access to the files that I need during debugging and hunting -
http://www.techsupportforum.com/1871981-post2.html
Any chance that I may get this from you? I request such because in addition to the above, the MS USB drivers at this time appear to have had a hotfix applied (or other - ?). They are only a few weeks older than their original Vista SP1 dated counterparts. I ran a search through >1,000 dumps and went through 14 Vista hotfixes and have not found any matches for these drivers & timestamps.
usbhub.sys Tue Feb 05 04:21:42 2008 (47A7E456)
usbccgp.sys Tue Feb 05 04:21:34 2008 (47A7E44E)
USBPORT.SYS Tue Feb 05 04:21:30 2008 (47A7E44A)
usbehci.sys Tue Feb 05 04:21:26 2008 (47A7E446)
usbuhci.sys Tue Feb 05 04:21:25 2008 (47A7E445)
USBD.SYS Tue Feb 05 04:21:23 2008 (47A7E443)
I'm not even sure they are all actual MS drivers. Nor am I sure whether there is anything wrong with them or not. I would like to know what USB devices are used, if any.
When you ran the dumps, were there any symbol errors?
Regards. . . jcgriff2
.
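The driver-timestamp comparison described in this post can be done in one pass over the `lmtn` listing. This is an added example, not part of the original thread: the rows are constructed from the first dump's module list above, the hex value in parentheses is decoded as the image's link timestamp (seconds since 1970, UTC), and treating the most common link date as the OS build baseline is an assumption of this sketch.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: rows copied from the lmtn listing of the first dump in this thread,
# plus one unloaded-module row that carries no timestamp.
LMTN = """\
8040d000 80415000 kdcom kdcom.dll Sat Jan 19 07:31:53 2008 (4791A769)
81e42000 821fb000 nt ntkrpamp.exe Tue Mar 03 02:02:28 2009 (49AC8FB4)
89d37000 89d40200 PxHelp20 PxHelp20.sys Thu Mar 13 01:57:44 2008 (47D88A18)
89e01000 89f0c000 ndis ndis.sys Sat Jan 19 05:55:51 2008 (479190E7)
8a006000 8a115000 Ntfs Ntfs.sys Sat Jan 19 05:28:54 2008 (47918A96)
8d6e5000 8d6f4000 intelppm intelppm.sys Sat Jan 19 05:27:20 2008 (47918A38)
8d6f8000 8d736000 USBPORT USBPORT.SYS Tue Feb 05 04:21:30 2008 (47A7E44A)
807b7000 807eb000 usbhub usbhub.sys Tue Feb 05 04:21:42 2008 (47A7E456)
8e7fd000 8e7ff480 SFEP SFEP.sys Fri Aug 03 06:36:08 2007 (46B2BEC8)
8f509000 8f530000 Mpfp Mpfp.sys Fri Jul 13 15:21:09 2007 (46978A55)
8f5fc000 8f5fcde0 DMICall DMICall.sys Tue Dec 05 07:14:23 2000 (3A2C95CF)
8a1c7000 8a1d4000 crashdmp.sys
"""

# start, end, module name, image name, <debugger-local date text>, (hex timestamp)
ROW_RE = re.compile(
    r"^([0-9a-f]{8})[ \t]+([0-9a-f]{8})[ \t]+(\S+)[ \t]+(\S+)[ \t]+"
    r".*\(([0-9A-Fa-f]{8})\)[ \t]*$",
    re.M,
)


def link_time(stamp):
    """Decode the hex timestamp to an aware UTC datetime.

    The date text printed by the debugger is in the debugger machine's local
    time, so only the hex value is used here.
    """
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def parse_lmtn(text):
    """Parse lmtn rows that carry a timestamp; rows without one are skipped."""
    mods = []
    for start, end, name, image, stamp in ROW_RE.findall(text):
        ts = int(stamp, 16)
        mods.append({
            "name": name,
            "image": image,
            "size": int(end, 16) - int(start, 16),
            "stamp": ts,
            "linked": link_time(ts),
        })
    return mods


def baseline_date(mods):
    """Most common link date; assumed to be the OS build the inbox drivers share."""
    return Counter(m["linked"].date() for m in mods).most_common(1)[0][0]


def outliers(mods):
    """Modules not linked on the baseline date, oldest first."""
    base = baseline_date(mods)
    return sorted(
        (m for m in mods if m["linked"].date() != base),
        key=lambda m: m["stamp"],
    )


def predating(mods):
    """Outliers linked before the baseline: drivers older than the OS build."""
    base = baseline_date(mods)
    return [m for m in outliers(mods) if m["linked"].date() < base]


if __name__ == "__main__":
    mods = parse_lmtn(LMTN)
    old = {m["image"] for m in predating(mods)}
    print("baseline link date:", baseline_date(mods))
    for m in outliers(mods):
        flag = "OLDER" if m["image"] in old else "newer"
        print(f'{m["linked"]:%Y-%m-%d %H:%M:%S} UTC  {flag}  {m["image"]}')
```

Modules newer than the baseline are either third-party or serviced by an update, so the list is a starting point for lookup rather than a verdict on any driver.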
ASKER
Hi jcgriff2,
It is a Sony laptop with OEM operating system and software installed. There are no bluescreens on another reference model with the exact same setup... i.e. installed from the recovery partition.
I have already requested that from the customer but he will not be able to do this till he comes back from his holiday.
Hi jtiernan2008,
Just wanted to touch base and make sure that you are not waiting on me for any items at this time.
I do hear you completely when you say that other systems have the same setup. I can only tell you that I have seen multiple "identical" systems side-by-side -- yet they can act differently - some may crash; others do not. It is also possible that hardware itself may play a role as one system may be experiencing a hard drive or NIC issue that causes it to compensate, which the other systems don't have to do.
Can the user of one system have anything different than the others - even something like a screen saver or a post-OS installed application? Can anything be introduced into one that is not introduced to another (e.g., can one system have updated virus defs while another does not)?
It would be interesting to get a set of files (using the batch script in the link that I provided) for one of the other systems not experiencing BSODs. One item that I would look at would be appcrashes & apphangs to see if they are identical or even similar.
Thanks. . . JC
ASKER
Thanks a million
I am trying to organise to have the unit sent in rather than trying to TS this remotely, and will then have better access to the system.
Thanks a million for your help so far.
Regards
ASKER
Still waiting for the customer to send in the laptop...
You may be interested in this other similar question I have raised in the meantime:
https://www.experts-exchange.com/questions/24553208/BSOD-WHEA-UNCORRECTABLE-ERROR-124-minidump-attached.html?anchorAnswerId=24839398#a24839398
THANK YOU for the link. I did answer. Waiting to see.
JC
ASKER
The computer was recovered when we received it. Left it and stress tested with Everest with the CPU, RAM and HDD for 2 days with no BSOD. Cannot do much if there is no BSOD; also, I would believe that the unit would have BSOD'd if there was an issue with it. I also did the verifier thingy - nothing. I'd say this is a closed case and I will award the points if there is nothing further you would advise.
ASKER
Thanks a million... great work as always.