Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 824
  • Last Modified:

Can you trace the cause of a regular BSOD?

I'm getting a BSOD on my laptop at least once a day, anywhere from 10 minutes to several hours after I boot. Since it's regularly occurring can we trace the cause of it? Let me know what other info I need to post here. Thanks! - Alan.

BSOD @ 16:56 15/04/2005:

A problem has been detected and Windows has been shut down to prevent damage
to your computer.

IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this Stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manager manufacturer
for any windows updates you might need.

If problems continue, disable or remove any newly installed hardware
or software. Disable BIOS memory options such as caching or shadowing.
If you need to use Safe Mode to remove or disable components, restart
your computer, press F8 to select Advanced Startup options, and then
select Safe Mode.

Technical information:

*** STOP: 0x0000000A (0xFF8C4000, 0x00000002, 0x00000001, 0x804DA4FB)


Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further
assistance.
0
alanbergin
Asked:
alanbergin
  • 15
  • 12
  • 2
  • +2
1 Solution
 
craylordCommented:
I would guess it to be a driver issue. The third parameter indicates it's a write issue. What programs were running at the time. I had problems when running highly intensive graphics programs.

Here are a couple good rundowns of the 0x0000000A problem.
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3BQ314063
http://support.microsoft.com/?id=130802
0
 
andymsmith18Commented:
i wood test your ram with memtest from http://www.memtest86.com/
0
 
MereteCommented:
alanbergin  have a look in your control panel>administrative tools>event viewer> applications.
or from start>all programs>accessories>system tools>system information>components problem devices.
from start run type in dxdiag run some tests.
Here is what Microsoft says:


Explanation:
This Stop message indicates that a kernel-mode process or driver attempted to access a memory address to which it did not have permission to access. The most common cause of this error is an incorrect or corrupted pointer that references an incorrect location in memory. A pointer is a variable used by a program to refer to a block of memory. If the variable has an incorrect value in it, the program tries to access memory that it should not. When this occurs in a user-mode application, it generates an access violation. When it occurs in kernel mode, it generates a STOP 0x0000000A message. If you encounter this error while upgrading to a newer version of Windows, it might be caused by a device driver, a system service, a virus scanner, or a backup tool that is incompatible with the new version.

User Action:
Roll back any new drivers recently updated. Check that all hardware are seated properly including cdroms ide cables etc.
This error usually occurs after the installation of a buggy device driver, system service, or BIOS. To resolve it quickly, restart your computer, and press F8 at the character-mode menu that displays the operating system choices. At the post acreen, choose the Last Known Good Configuration option.  it might be caused by a device driver, a system service, a virus scanner, or a backup tool that is incompatible with this windows version. . Contact the software manufacturers to obtain updates of these tools.  Disabling memory caching of the BIOS might also resolve this error. You should also run hardware diagnostics supplied by the system manufacturer, especially the memory scanner. For details on these procedures, see the owner’s manual for your computer.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
alanberginAuthor Commented:
craylord,
The programs are not intensive. EMule is one possible culprit but I ran it for months with no problems before this BSOD started happening. The only hardware I can remember installing in the last few months has been a usb mouse that I no longer use and two usb keys.

I am going to try option 2 in the article (turning off various caching, shadowing, etc) - but what do I do then? Just turn them back on one by one until I find the culprit (if any)?

andymsmith18,
I have tried making a bootable cd for memtest and have failed 4 times so far. I also could not figure out how to use a usb key for the same purpose. If you know of a specific how-to guide or another way to use the program please tell me! (my laptop doesn't have a floppy drive)

Metete,
> have a look in your control panel>administrative tools>event viewer> applications
What am I looking for here?

> start>all programs>accessories>system tools>system information>components problem devices
This section is empty.

> dxdiag
Says no problems found.
0
 
cpc2004Commented:
When Windows crashes with blue screen, it writes a system event 1001 and a minidump to the folder \windows\minidump. Check system event 1001 and it has the content of the blue screen

Control Panel -> Adminstrative Tools -> Event Viewer -> System -> Event 1001. Copy the content and paste it back here

Zip 3 to 4 minidumps and attach the zip files at any webspace. I will study the dump and find out the culprit.
0
 
alanberginAuthor Commented:
Hi, here are some 1001's:

The computer has rebooted from a bugcheck.  The bugcheck was: 0x1000000a (0xff900000, 0x00000002, 0x00000001, 0x804da0f6). A dump was saved in: C:\WINDOWS\Minidump\Mini042105-01.dmp.

The computer has rebooted from a bugcheck.  The bugcheck was: 0x1000000a (0xff8a1000, 0x00000002, 0x00000001, 0x804da0f6). A dump was saved in: C:\WINDOWS\Minidump\Mini042005-01.dmp.

The computer has rebooted from a bugcheck.  The bugcheck was: 0x1000000a (0xff8cc000, 0x00000002, 0x00000001, 0x804da0f6). A dump was saved in: C:\WINDOWS\Minidump\Mini041905-02.dmp.

The computer has rebooted from a bugcheck.  The bugcheck was: 0x1000000a (0xff8d9000, 0x00000002, 0x00000001, 0x804da0f6). A dump was saved in: C:\WINDOWS\Minidump\Mini041905-01.dmp.

The zip of those minidumps is at http://student.dcu.ie/~bergina2/minidumps.zip
0
 
cpc2004Commented:
I've studied the dump and they are crashed at the same instruction address.
nt!memset+0x41:804da0f6 f3ab             rep     stosd                  es:ff8cc000=????????

It is hardware error such as faulty mother M/B or CPU. I don't think it is related to faulty RAM as the failing instruction is consistent. I am not coninved why the failing instruction as hardware error usually occurs randomly (ie the failing instruction should vary).  If it is really hardware error, I will expect your laptop have a huge Dr Watson log. Can you attach the doctor watson log at any webspace.

C:\Documents and Settings\All Users\Documents\DrWatson\user.dmp
C:\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log

If you don't have a huge Dr Watson log, it is a software error and I have to spend more time to find out the culprit.

STACK_TEXT:  
8054fef8 806f2df8 0004231b 804e32f6 806f2df8 nt!memset+0x41
8054fef8 8054ff98 0004231b 804e32f6 806f2df8 hal!HalpClockInterrupt+0xa8
ff8d81a8 00000000 00000000 00000000 00000000 nt!KiDoubleFaultStack+0x2b18
FAILURE_BUCKET_ID:  0xA_W_nt!KiDoubleFaultStack+2b18
0
 
alanberginAuthor Commented:
What's DrWatson? I don't think I have that (Windows XP).
0
 
cpc2004Commented:
Hardware error occurs randomly. If it occurs at kernel mode, windows crashes with blue screen. If hardware occurs at user mode, an user dump is created and the debugging information writes to Dr Watson Log.

Do you find the following files?
C:\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log

Refer the following url to understand what is Dr. Watson
http://support.microsoft.com/default.aspx?scid=kb;en-us;308538
0
 
alanberginAuthor Commented:
0
 
alanberginAuthor Commented:
ALANLAPTOP, DBIC_SERVER_1 and SERVER01 are all the same computer.
0
 
cpc2004Commented:
Your user.dump was taken at 29 Aug 2004 and your last entry was taken at last year . Do you disable Dr Watson? If yes enable Dr Watson

Activate Dr. Watson
http://support.microsoft.com/default.aspx?scid=kb;en-us;308538
0
 
alanberginAuthor Commented:
Strange.. I wouldn't have purposely disabled it.
So I just run drwtsn32.exe and hit OK?
What then?
0
 
cpc2004Commented:
Make sure that you enable Dr Watson
Delete the Dr Watson File and the user.dump.  If hardware occurs at user mode, Dr Watson will write the debugging information into Dr Watson.  If nothing is written to Dr Watson within a week, it is unlikely it is a hardware error.

As the failing instruction is consistent and only software bug has consistent error. I have to spend more time to find out the culprit.
0
 
alanberginAuthor Commented:
Okay. It hasn't crashed in a few days (longest it's gone in a while), when it does I'll post the DrWatson logs.
0
 
cpc2004Commented:
From the dump the ntosknl.exe is upgraded to latest version. Do you get blue screen after you upgrade to the latest patch?

ntoskrnl.exe Wed Mar 02 08:59:37 2005
0
 
alanberginAuthor Commented:
The most blue screen crash was on the 21st April. Where do I check for the latest patch?
0
 
cpc2004Commented:
Do you activate the auto update? When did start to have the blue screen? You can check the folder \windows\minidumps
0
 
alanberginAuthor Commented:
Yes I do auto-update. The first blue screen was on 3rd Feb 2005 (Mini020305-01.dmp).
0
 
cpc2004Commented:
Can I have Mini020305-01.dmp?
0
 
alanberginAuthor Commented:
0
 
cpc2004Commented:
Your first dump crashes at the same instruction. Maybe your windows is infected with spyware or adware

Download HijackThis from:
http://www.gatesofdelirium.com/ee/tools/
Place it into a folder of it's own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
Do not run it directly from the "Zip" file, a "temp" folder, or the Desktop.
HijackThis makes "backups" and it's good to have them in a centralized location.

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis - Post a LINK to that page back here.
0
 
alanberginAuthor Commented:
Hi, I saved a copy of the analysis here:
http://student.dcu.ie/~bergina2/temp/hijackthis.html
0
 
cpc2004Commented:
I can't find any clues at hijackthis log. Do you any new entries at the Doctor Watson's log?
0
 
alanberginAuthor Commented:
No, it hasn't crashed since I set up Dr Watson.
0
 
MereteCommented:
looks like the doctor fixed it lol , a bit of humour, just re-reading how it was going.
cheers M
0
 
cpc2004Commented:
I don't think Dr Watson fix your problem. Do you have any update of the problem?
0
 
alanberginAuthor Commented:
After not crashing for weeks in finally crashed a few times yesterday. I've uploaded the dr watson log and some minidumps to http://student.dcu.ie/~bergina2/temp/linkfiles.pl
Thanks!
0
 
cpc2004Commented:
The DrWatson shows that Mcshield.exe is in error.

http://www.bugtoaster.com/dw15/reports/DLLVersionDetail.asp?DLLID=9948

Application exception occurred:
        App: C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe (pid=1296)
        When: 5/12/2005 @ 19:24:29.712
        Exception number: e0070001

function: kernel32!RaiseException
        7c81eb1c c9               leave
        7c81eb1d 894dc0           mov     [ebp-0x40],ecx
        7c81eb20 7407             jz      kernel32!RaiseException+0x48 (7c81eb29)
        7c81eb22 57               push    edi
        7c81eb23 8d7dc4           lea     edi,[ebp-0x3c]
        7c81eb26 f3a5             rep     movsd
        7c81eb28 5f               pop     edi
        7c81eb29 8d45b0           lea     eax,[ebp-0x50]
        7c81eb2c 50               push    eax
        7c81eb2d ff150415807c     call    dword ptr [kernel32+0x1504 (7c801504)]
FAULT ->7c81eb33 5e               pop     esi
        7c81eb34 c9               leave
        7c81eb35 c21000           ret     0x10
        7c81eb38 85ff             test    edi,edi
        7c81eb3a 0f8ee6d0feff     jle     kernel32!IsBadCodePtr+0xcf (7c80bc26)
        7c81eb40 8b55fc           mov     edx,[ebp-0x4]
        7c81eb43 89550c           mov     [ebp+0xc],edx
        7c81eb46 0fb716           movzx   edx,word ptr [esi]
        7c81eb49 8b7df8           mov     edi,[ebp-0x8]
        7c81eb4c 8a143a           mov     dl,[edx+edi]
        7c81eb4f 8811             mov     [ecx],dl

*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr  Args to Child              
01f4f160 0040c10c e0070001 00000001 00000000 kernel32!RaiseException+0x52
01f4ff7c 0040c1fd 01afff40 00000000 00000000 Mcshield+0xc10c
7c809c28 ff006aec 15ff0875 7c801490 8c0fc085 Mcshield+0xc1fd
8b55ff8b 00000000 00000000 00000000 00000000 0xff006aec
0
 
alanberginAuthor Commented:
I uninstalled mcafee and although the computer has crashed once since it does appear to be more stable.
0
 
alanberginAuthor Commented:
Thank you for your help cpc2004!
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

  • 15
  • 12
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now