Windows XP SP2 has a tendency to crash

Julian Hansen
Julian Hansen used Ask the Experts™
on
This is a shot in the dark but I am hoping someone has an idea on this before I go the route of rebuilding the machine.

I organised a laptop for a friend of mine about 3 months ago - Toshiba. This came with Windows XP SP1 which we upgraded to SP2 the minute it was out of the box.

About a month ago the laptop started crashing. There is a quick flash of a blue screen and the machine reboots - this can be while the machine is standing doing nothing or while working in Word, Outlook etc.

Further investigation showed that the Toshiba PadExe.exe startup utility was crashing with the standard "Send Error Report" dialog. We found that every time this application was launched it caused this dialog to come up but not the machine to crash.

However, an attempt to open Norton Antivirus (ver 2005) causes the machine to crash and reboot.

We tried removing Norton but the problem seemed to persist afterwards.

Before I embark on a tiresom rebuild of the machine is there anything else I should be looking at - anyone else had this problem and solved it?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
One more point - the reason I mentioned the PadExe - it appears that PadExe tries to hook the OS in some way. I imagine Norton does the same - there may be a relationship there i.e. with applications trying to hook into the OS causing a problem.
Top Expert 2007

Commented:
First of all - eliminate that 'quick flash' by doing the following:

Start->Run->sysdm.cpl
Advanced Tab
Settings (under Startup and Recovery)
and deselect Automatically Restart

Then I would pursue removing startup entries by:

Start->Run->MSConfig.  From the Services tab, check the "Hide MS Services" and then deselect the remaining items.  Proceed to the Startup tab and deselect items from there.  This can become a trial and error routine, eliminating items from this tab until the problem no longer occurs.

Lastly, I'd check www.blackviper.com for his list of services that you can safely disable (Error reporting being one of them).

Good luck!

Commented:
Whenever windows crash, it writes a system event 1001 and a minidump
Check system event log and look system event 1001.
Control Panel --> Adminstrative Tools -> Event Viewer --> System --> Event 1001
Copy the content of all the record 1001 and paste them back here

The bugcheck code and its parameter list is very useful to diagnostic your problem.
Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

Most Valuable Expert 2015

Commented:
What exactly is PadEXE.exe? I've got a feeling this is some malware. normally files don't end with exe.exe but often Virae do. I'd try to disable System Restore (control panel, system), then but into safe mode and run msconfig. Remove everything from starting which can, particularly PedEXE.exe, if you can see it there. Then reboot to safe mode a 2nd time and look for the file PadEXE.exe. try to rename it or move it to some other place on the disk. Now reboot again and trun on those things you need to start again via msconfig.

Upgrade your Antivirus definition files and run a thorough AV Scan, do the same with some antimalware programm, like spybot search and destroy.
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Thanks for all the feedback

sirbounty: Thanks had already done that - should have mentioned it. Will check out the other running processes.

cpc2004: No 1001 errors but a few 1000 errors. Caused by different applications

Basically reads: Faulting application Word.exe (or PadExe.EXE) etc version (the version of the app) faulting module (module) followed by version and address

Here are some of the faults caused
services.exe in rpcrt4.dll and also unknown on subsequent event
Winword.exe module unknown
Unknown module rpcrt4.dll
svchost.exe in kernel32.dll
PadExe in Padhook.dll
ccapp.exe in kernel32.dll

To list but a few - does not seem to be a particular app that caused it.

rindi: PadExe is a utility distributed by Toshiba that handles single clicks with the touch pad. I don't think it is causing the problem but rather showing the effects of the problem.

I have subsequently removed Norton and while some apps are still crashing as before (my test case is PadExe) the machine does not seem to be doing its reboot thing.

Some more info on Norton: On boot with norton installed WinXP was reporting that Norton was not running. However, the security console in Control Panel showed it as on. Any attempt to go into Norton crashed the machine.

Will check the malware issue as soon as I can get the laptop on a network.

Thanks for the rapid response so far.


Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Just for interest sake.

sirbounty: disabled
HKLM\...\Run
HKCU\..\Run
c:\Docs & Settings\<owner>\Start Menu\Programs\Startup
c:\Docs & Settings\All Users\Start Menu\Programs\Startup

Restarted - same problem. Certain applications (such as PadExe) crash on load.

Blue screen showed error 0x000008e memory dump was created although it showed nothing obvious.

I hate rebuilding laptops - there is always some manufacturer specific thing you have to load. Unfortunately it does not look like there is any alternative.

I will leave this open for another 2 days just for interest sake to see if any additional info comes to light.

Thanks to all who responded.

Commented:
Can you attach the minidump to any webspace as I wan to study the dump and find out the culprit.

Commented:
You can find minidump at the folder \windows\minidump. If it does not exist, enable the option to take minidump and write system event log.
Control Panel --> System --> Advance --> Startup and Recovery --> Write debugging information --> minidump

The size of minidump is less than 100K and it is no need to disable this option.
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
I have posted the first 5 last 5 mini dumps to the following URL

http://www.managedprofile.com\downloads\dumps.zip

This should show the first five times the problem happened and the last 5

I have another 60 of these things in the minidump folder produced in the last 2 months.

Commented:
The prelimary finding is ati display card driver. I will update you the detail after I do some search at google.
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Much appreciated - if you can save me having to rebuild this thing I will post another 500pt question as bonus.

Commented:
Mini101204-01.dmp   BugCheck 7F, {d, 0, 0, 0}   XP SP1

Mini101504-01.dmp   BugCheck 10000050, {847b6668, 0, 8056d965, 0}   ( nt+96965 )
Mini101804-01.dmp   BugCheck 1000000A, {ffdf, 2, 1, 80703a8e} ( nt+1abb1 )
Mini102004-01.dmp   BugCheck 1000008E, {c0000005, bfa1374f, ece2a044, 0} ( ati2dvag+4074f )
Mini102204-01.dmp   BugCheck 1000008E, {c0000005, bfa1374f, ee3d5854, 0} ( ati2dvag+4074f )
Mini120904-01.dmp   BugCheck 100000D1, {e04ec12f, 2, 0, e04ec12f} ( atapi+765e )
Mini120904-02.dmp   BugCheck 1000008E, {c0000005, bf8103c3, ee33b508, 0} ( win32k+103c3 )
Mini120904-03.dmp   BugCheck 1000008E, {c0000005, bfa13cf9, ee449344, 0}  (ati2dvag+40cf9 )
Mini121004-01.dmp   BugCheck 1000008E, {c0000005, 1f802669, ee4d8c14, 0}  (win32k+25ae )
Mini121004-02.dmp   BugCheck  1000007F, {d, 0, 0, 0}

Three crashes are at atidvag which is ATI display card driver. I don't thin ntokrnl.exe and win32k.sys are the culprit.  Mini101204-01.dmp was taken at XP SP1 and 0 dumps were taken at SP2. It is worth while to upgrade ATIi driver catalyst 4.10 as the most current version 4.11 is unstable. There have several cases open at today and yesterday at Expert-EXchange about software error ATI Radeon Display Card Driver.

Your current ATI driver ati2dvag.dll was creatred on Wed Mar 10 11:29:00 2004 (404E8B7C)

BTW can you attach three more minidump early this month.  I want to confirm the recent crash are related to ATI Display Card Driver. What model of ATI are you using?






Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Ok,

Posted the next 5 dumps to
http://www.managedprofile.com\downloads\dumps2.zip

The ATI Card is the one that comes with the Toshiba Satelite notebooks (Toshiba Satellite Pro SPA60-662 to be precise)

XP Reports adapter as an ATI MOBILITY RADEON 7000 IGP

cpc2004: Impressive stuff so far ;) I really appreciate the help

Commented:
I've processed the dump and the result are as follows:

Mini110104-01.dmp  BugCheck 100000D1, {0, 6, 0, 0}
Mini102804-02.dmp  BugCheck 10000050, {f8831845, 1, 80580d2c, 0} ( nt+a9d2c )
Mini102804-01.dmp  BugCheck 24, {1902fe, ecef88d8, ecef85d4, f73637c9} ( Ntfs+57c9 )
Mini102804-01.dmp  BugCheck 10000050, {f8831845, 1, 80580d2c, 0} ( nt+a9d2c )
Mini102304-01.dmp  BugCheck 24, {1902fe, edc5681c, edc56518, 1735ef20} Ntfs.sys ( Ntfs+cf6 )

The failure pattern looks like it may be caused by faulty ram as there have a lot of different failing pattern especially for the minidump Mini110104-01.dmp. The failing instruction is 0 which is unusual and looks like it is hardware issue. If this is a hardware problem, the failing pattern is random. However I find two pairs of smptom are exactly the same. It is hard to determine whether it is a softwar error or hardware error base upon the availlabe information.

Mini102004-01.dmp   BugCheck 1000008E, {c0000005, bfa1374f, ece2a044, 0} ( ati2dvag+4074f )
Mini102204-01.dmp   BugCheck 1000008E, {c0000005, bfa1374f, ee3d5854, 0} ( ati2dvag+4074f )

Mini102804-02.dmp  BugCheck 10000050, {f8831845, 1, 80580d2c, 0} ( nt+a9d2c )
Mini102804-01.dmp  BugCheck 10000050, {f8831845, 1, 80580d2c, 0} ( nt+a9d2c )

Can you attach the minidump at December (ie mini120*.dmp)? I want more dump to determine whether it is hardware or software.

My suggestion
1) Install ATI catalyst 4.10
http://www.ati.com/support/drivers/winxp/radeonwdm-xp.html?type=xp&prodType=graphic&prod=productsXPdriver&

2 ) Download Prime 95 to stress test your PC http://www.mersenne.org/freesoft.htm

      
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Hi cpc2004,

I have uploaded the next 5 dumps to

http://www.managedprofile.com/downloads/dec07-09.zip

I also tried the driver update - did not want to install - basically I needed the IGP drivers. Found those and downloaded them however the driver updated appeared to be only for the SouthBridge.

Looked on the Toshiba site and the drivers there are the same as the one I have loaded.
Commented:
I find CD-ROM device driver AFS2K.SYS at your minidump. I searched google and there have several hits relating to this driver.

1) AFS2K.SYS is not compatible with XP http://www.cdrom-drivers.com/drivers/88/88115.htm

2) http://www.driversearch.com/forums/sound/6770.html

3) http://forum.alcohol-soft.com/index.php?showtopic=12510
*** STOP: 0X0000007E (0XC0000005,0XF7982DEB,0XF7C720A8,0XF7C71DA8)
*** AFS2K.SYS - ADDRESS F7982DEB base at F797F000, Datestamp 3C7AC329

BTW what CD-ROM/DVD_ROM are you using?
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Hi cpc2004,

The CD-ROM is the one that comes with the Toshiba Satellite Pro A60. Device manager reports it as a Toshiba DVD-ROM SD-R6112

I am not sure about the driver compatability thing though. The machine came with a factory loaded operating system and drivers ... Unless

One thing I did find that was interesting was that in some situations Nero 6.3.1.17 can have compatability issues with XP. I checked with the owner of the laptop and she thinks the problems did start around the time she loaded Nero.

I removed Nero but the problems seemed to persist so I reloaded SP2 and since then I have not had a crash. I am not willing to say the problem has been solved, however, none of the apps that regularly crashed before the update are crashing anymore. I am slowly putting back all the software and settings I disabled to see what happens.

What I am not sure of is if the Nero installation could have anything to do with the AFS2K.SYS issue you found above ... will check and report back.

Really awsome responses so far - much appreciated.
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
I am closing this question.

It appears that the problem was resolved by reinstalling SP2 and that the original cause of the problem was a bad installation of Ahead Nero Express.

After re-applying the service pack and re-installing Norton Antivirus and Nero Express (the latter in Win95 compatibiilty mode) the problem seems to have been fixed.

Thanks to all who responded especially cpc2004 who went above and beyond the call of duty analysing the the mindumps

cpc2004: I have asked another question relating to mindumps here

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21244657.html

if you are interested

Commented:
Great! Your problem is resolved. Your case is very similar to one of my resolved case. The installation of a nVdia device driver messed up the windows component and it is unable to uninstall it the device driver cleanly. Only re-installation can fix the problem.
http://www.computing.net/windowsxp/wwwboard/forum/119723.html

If you can force a crash dump at your XP, attach the minidump. I can compare the difference of the device drivers of clean and mess XP system.  I always use this approach to find out the culprit. Maybe Nero is the culprit and I have to confirm.

Force a crash dump
1. REGEDIT
2. Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
3. Create a new DWORD value and name it CrashOnCtrlScroll
4. Right-click on this newly created value and click on Modify
5. Enter 1 in the Value data field and click on OK.
6. Close regedit and reboot your system.
7. Now you will get a blue screen (crash) your system by holding the right CTRL key and pressing "Scroll Lock" twice.
8. The bugcheck code is E2

Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Thanks cc2004 - unfortunately the Laptop has gone back to its owner. If I get another opportunity to look at it I will do the above and report.

Commented:
I find out something very strange, the time stamp of your ntoskrnl.exe is different to mine. As I have a lot of minidumps for different cases. Their version of ntoskrnl.exe is same as mine. If you can take a minidump from your friend's PC, I can confirm whether the crash is related to different version of ntoskrnl.exe

my version   ntoskrnl.exe Wed Aug 04 14:19:48 2004 (41108004)
your version ntoskrnl.exe Wed Aug 04 14:18:18 2004 (41107FAA)

Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
cpc2004,

Thanks for the feedback - I will see what I can do. I will have to wait till sometime next week as she is away at the moment.

Regards

Julian

Commented:
Do you download the SP2 from microsoft when you re-install XP SP2? I find out SP2 has two version of ntoskrnl.exe and most users use the version with timestamp 41107FAA and I think the ntoskrnl.exe with timestamp 41108004 has bug. Therefore Microsoft upgrade ntoskrnl.exe to a newer version. If you are using the latest version of ntoskrnl.exe and it maybe the root cause. I will search Microsoft to find out what is the enhancememt of the patch of ntoskrnl.exe
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
cpc2004,

The version I use is as downloaded by our SUS server - dated 5 August 2004.

I have the exact same problems as the original poster.  Now that I've read this, the problems did seem to start some time after windows sp2 was installed.  Unlike him though, I have not intalled Nero on my computer.  Because of this, it seems that Nero is not the cause of the problem, perhpas?  Should I install sp2 again?  If so, how?  I looked on the microsoft website. It doesn't let me select sp2 to download since my computer already has it installed.  I really need to fix this problem.

Commented:
This problem is owned by JulianH. The proper procedure you should open a new question and refer to this case

Commented:
Hi Julian,

I download the latest windgb and reprocess the minidump Mini121004-01.dmp and I have a new fnding. The crash is caused by hardware error at the motherboard or cpu. It is supposed to branch to address bf802669 (win32k!CheckQuitMessage) and the hardware error change the first byte frin bf to 1f. Hence it transfers to 1f802669 which is an invalid address. I wonder why the re-installation of XP resolve your problem. Does your friend's notebook does not have blue screen any more after re-nstallation of windows?


Mini121004-01.dmp  0x1000008E (0xc0000005, 0x1f802669, 0xee4d8c14, 0x00000000)
kd> r
eax=e22b49f0 ebx=e22bc7a8 ecx=00000108 edx=0000014d esi=e22bc7a8 edi=00000108
eip=1f802669 esp=ee4d8c88 ebp=ee4d8c9c iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
1f802669 ??               ???
STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
ee4d8c84 bf8025ae e22bc7a8 ee4d8d18 00000001 0x1f802669
ee4d8c9c bf801cf8 e22bc7a8 ee4d8d18 00000000 win32k!xxxReadPostMessage+0x15
ee4d8cec bf80f106 ee4d8d18 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x30e
ee4d8d4c 804ddf0f 0012ff1c 00000000 00000000 win32k!NtUserGetMessage+0x27
ee4d8d4c 7c90eb94 0012ff1c 00000000 00000000 nt!KiFastCallEntry+0xfc
0012fec0 00000000 00000000 00000000 00000000 0x7c90eb94


POSSIBLE_INVALID_CONTROL_TRANSFER:  from bf8025a9 to bf802669
TWO_BIT_ERROR:  dbdbdbdb
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME:  hardware
IMAGE_NAME:  hardware
DEBUG_FLR_IMAGE_TIMESTAMP:  0
STACK_COMMAND:  .trap ffffffffee4d8c14 ; kb

BUCKET_ID:  TWO_BIT_CPU_CALL_ERROR

Followup: MachineOwner
---------
 *** Possible invalid call from bf8025a9 ( win32k!xxxReadPostMessage+0x10 )
 *** Expected target bf802669 ( win32k!CheckQuitMessage+0x0 )

kd> u bf8025a0 l9
win32k!xxxReadPostMessage+0x7:
bf8025a0 751c             jnz     win32k!xxxReadPostMessage+0x21 (bf8025be)
bf8025a2 8b5d08           mov     ebx,[ebp+0x8]
bf8025a5 ff750c           push    dword ptr [ebp+0xc]
bf8025a8 53               push    ebx
bf8025a9 e8bb000000       call    win32k!CheckQuitMessage (bf802669)  <-----branch address is changed to 1f802669
bf8025ae 85c0             test    eax,eax
bf8025b0 0f85c3feffff     jne     win32k!xxxReadPostMessage+0x4c (bf802479)
bf8025b6 6a00             push    0x0
bf8025b8 ff7518           push    dword ptr [ebp+0x18]


Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
cpc2004,

This is very interesting.

The client brought the machine back again last week with a new but similar problem. The machine started blue screening on startup and shutdown (mainly startup) sometimes it works fine other times not. When it does BS it generates a 0x000007E stop on shutdown the one I saw was a 0x0000024 in NTFS.SYS. Once the machine is up and running it seems to be fine - only on startup does it have a tendency to BS but not all the time - about 1 in 3 or 1 in 4 times.

Suspecting a hardware fault I have returned it to the supplier for testing but this is very valuable info - I will pass it on to them as they will only get around to testing it Monday.

As soon as this is resolved I will post another question with points for you.


Commented:
According to my experience, most of the bugcheck x'24' is  caused by hardware.  Attach the latest minidump here and I can confirm whether it is caused by hardware or not.
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Unfortunately I don't have it at the moment as the machine is with the supplier. But I will try get a copy on Monday when I go through to get some data off the machine.

Commented:
Do you any update for your laptop BSOD problem?
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Yes,

I took it back to the supplier. They tested it for 2 weeks and told me nothing was wrong. I referred them to the mini dumps on the machine and this thread. They suggested changing the hard drive - which they did. A few days later they proclaimed the machine fixed. Just before I was to fetch it they phoned me to say the machine had BSoD again - ruling out the HDD and the installation. The next prognosis was the motherboard. That was about 3 weeks ago - I am still waiting for the machine to be returned. The local Toshiba office does not keep spares and we had to wait for one to be shipped from Germany. This was supposed to have been here 26th March but so far no word from the supplier.

Thats about all I have for now. Hopefully the machine will be ready this week and can go back to the client and we will see if the problem goes away.

Commented:
Which hardware component is faulty?
Most Valuable Expert 2017
Distinguished Expert 2018

Author

Commented:
Hi cpc2004,

It was the motherboard - took the supplier 2 months to switch it. They had to order a new one for Germany but it appears to have sorted out the problem.

Thanks for all the assistenace and follow up ;)

Julian

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial