Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Win2k 'random' stop codes, especially at night. 0x000000d1 and sometimes c000021a

Posted on 2005-04-23
Medium Priority
Last Modified: 2010-05-18
This is about a Dell Dimension 4300, running Windows 2000 with all current updates. It's on a home network behind a Netgear router/firewall, connected to a wireless broadband Internet link.

A few months ago, the machine started getting random BSOD's. Sometimes while in use (even playing solitaire) but mostly at night: in the morning, it almost always is displaying a BSOD.

memtest86 is clean
drivers are all up to date

Most common error: stop 0x000000d1 ( 0x00000000, 0x00000002, 0x00000000, 0x00000000 )
NO driver listed
NO dump recorded (even though enabled)
NO entry in the system log

On occasion, I also see
  stop c000021a Unknown Hard Error

(not 0xc000021a, just c000021a, fwiw)

Would *love* help resolving this one!!! Even getting better dump/log records would be great!
Question by:pholzmann
  • 7
  • 7
  • 4
  • +2
LVL 20

Expert Comment

ID: 13852173
No clues and I have to study your minidumps. Most likely it is related to faulty RAM. Attach 4 to 5 minidumps at any webspace and you can find the minidump at the folder \winnt\minidump

Author Comment

ID: 13855896
Perhaps you missed my statement:

>NO dump recorded (even though enabled)

There are no minidumps! Maybe we should begin there. I've enabled, disabled, re-enabled mini dumps but never get one.

I was thinking RAM trouble too, which is why I ran a nice long memtest86... but it passed w/ flying colors.

Any ideas how to proceed?

thanks much!
LVL 20

Expert Comment

ID: 13856184
System event 1001 is the only clue of your problem

Control Panel -> Adminstrative Tools -> Event Viewer -> System -> Event 1001. Copy the content and paste it back here
[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.


Expert Comment

ID: 13856780
I meet the same problem
Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Up

0000: 00040000 00580002 00000000 40040005
0010: 00000000 00000000 00000000 00000000
0020: 00000000 00000000 40040005

Author Comment

ID: 13858294
cpc2004 >  System event 1001 is the only clue of your problem

If that's true, then I'm hosed. As I said in the original posting:
>NO entry in the system log

NO events are being logged in relation to the BSOD.

Anyone else have an idea how to get started with this? It does seem like a tough one, which is why I'm valuing it at 500 points!
LVL 20

Expert Comment

ID: 13859052
What is the size of your W2K's paging space?

Expert Comment

ID: 13863247
LVL 20

Expert Comment

ID: 13863424
No log and dump. It is impossible to find out the culprit. Re-install W2K

Author Comment

ID: 13870438

Note: this machine works fine most of the time. Any idea how to re-enable minidumps and 1001 event logging?

(Related question: could the lack-of-log be a clue? I.e., what if it's in the low level hard drive code?)

Final procedural question: if we must back up to this "enabling log and dump" issue, should I request this question be closed, and open a different one?
LVL 20

Expert Comment

ID: 13870577
enable dump option
Control Panel --> System --> Advance --> Startup and Recovery --> Write debugging information -->  minidump

Do you install Zone Alarm? What display card and printer are you using?

Author Comment

ID: 13874964
The dump option is already enabled, yet doesn't do anything. I've tried disabling/re-enabling. Just had one idea: I've disabled auto-reboot. Perhaps that's causing a problem of some kind.

FW is Kerio (ver 2) not ZA.
Display is nVidia GeForce2 MX, 64mb
Printer is Canon S9000

No hardware changes in about a year. Most likely something related to software...

Author Comment

ID: 13874996
I *may* have found the no-log, no-minidump problem.

The system is configured with a separate partition for disk cache.

When I go to modify the minidump setting, a warning pops up "If your C partition is configured with less than 0 MB cache, it is possible that a log file cannot be stored". I had ignored this warning since (a) I have plenty of cache, and (b) it's a nonsense message (LESS than 0mb??!!) ...

I've now configured the machine with a gratuitious 50mb cache on C and 2048MB on Z. The warning went away.

We'll see if that provides logs and minidumps now!

Author Comment

ID: 13875051
BTW, the system has not crashed for more than 24 hours, even though we made no explicit changes. Knowing MS, it wouldn't surprise me if this were all due to a bug in one of their famous system updates... which now may have been further updated. Who knows.

I'm not going to assume the system has "fixed itself" until it stays up at least several days.

Obviously, we can't fix a crash that never happens, we can't fix a crash without debug info, and we can't know if I've solved my own debug log/dump problem until we get a crash.

I'll keep you posted...

This idea that cache may be required on drive C is a new one for me. Never noticed it before. Just checked another system, that's running XP. I see the same possible issue there: removing the drive C cache generated no warning, but remove/re-add minidump generates a warning when cache is only on non-C drives. Adding a bit of drive C cache removed the warning. We'll see if this actually changes anything.

Author Comment

ID: 13875063
Just to be clear:

1) Both systems have PLENTY of disk cache, on a dedicated partition. The only subtle issue seems to be whether minidump/syslogging requires that there be a bit of drive C cache.
2) AFAIK, all of this disk cache stuff I'm discovering is ONLY related to successful creation of minidumps and system event logging on a crash. That's just a prerequisite to resolving the "real" problem underlying this thread.
3) Assuming I can get the minidump/log to work (and that the system eventually crashes again ;)), we'll be able to move forward with this question.

THANKS for hanging in there with me!
LVL 20

Expert Comment

ID: 13875185
Repost if you have the system event log 1001 and minidump.

Expert Comment

ID: 13882030
(I'm changing my EE id to MrPete_... marking this as me...)

Expert Comment

ID: 13898628
Time to close this out:

The system began to crash again today, so I made more progress. In fact, I believe I've resolved all issues myself. Hopefully what I've learned will be helpful for others:

I. I *definitely* found, and solved, the issues related to not having crash dumps. Here's the situation and solution (tested on Windows 2000 and Windows XP)

* If you move your system disk cache to a drive other than C:, you will not get crash dumps or event logs! AFAIK this is not documented anywhere, and there is definitely no warning at the time you adjust your cache. (There IS a confusing warning when rearranging the crash dump configuration-- it suggests your C: disk cache should be at least 0MB, which is useless.)
* With a small disk cache on C:, minidumps do work again
* With a large disk cache on C:, full memory dumps work
* Pointing the dump file at another drive is of no help. It must be on C:, and there must be cache on C:.

II. Setting up Windbg
It had been a while since I used windbg. Here's a bit of documentation for anyone who may stop by here to solve BSOD issues, crash dump issues, etc.
* Best reference for setup: http://www.osronline.com/article.cfm?article=221
* Download the current version of windbg from http://www.microsoft.com/whdc/devtools/debugging/default.mspx
* Set up symbols before doing anything else (ctrl-S sets symbol path). See above reference article for instructions
   * To decode any kind of problem without being online while working, download the symbol files for your OS from the same place. The downloads will be about 150-200MB, and will expand to close to 1GB
   * If you've got a good internet link, most of the time you can do full debugging with the MS online symbol server instead of downloaded symbol files. Much quicker than
      all that downloading!
      Learn how to configure windbg to use the symbol server from the above reference article
* If you don't set up for symbols, you still may get helpful info from the following process, but no guarantees.

OK, now you're ready to analyze the crash file(s)

II. Crash dump analysis for my particular problem...

* Strangely, 100% of all my minidump files were invalid. Perhaps just due to the kind of crash? I dunno.
* I changed the setup to do a full memory dump. That worked just fine.

* How to analyze the crash files? It does require some technical expertise/experience. I can't really give you a/b/c instructions leading to "the" solution.  But usually, the problem is in a driver of some kind. The following process/commands should give you useful hints.

1) Open windbg
2) Set up the symbol path if you've not done so already
3) DO save the workspace settings when it asks (that way the symbol path is remembered)
4) Use File->Open Crash Dump to open a minidump or memory.dmp file
5) BE PATIENT - particularly with a full memory dump! Opening can take QUITE a while. (A few minutes for me!)
6) Once the file's open, you may get any of a variety of messages. For example, my minidump files immediately gave an "invalid" message.
7) The command window should eventually fill with some messages, and a cursor allowing you to type a command
Once you get there, type:
   !analyze -v

8) BE PATIENT -- again, with a big crash dump file, the analysis can take several minutes
9) A big report will show up. Look through it to get clues about your problem, particularly the stack trace.

In my case, the crash was in a driver called fwdrv.sys -- now time for some sleuthing.

III. Solving the riddle

Google is your friend :)

I tried:
  fwdrv.sys BSOD
  fwdrv.sys BSOD "windows 2000"

It immediately became clear that:
  - lots of folks are having trouble
  - fwdrv.sys is related to an older version of Kerio Firewall (2.*)
  - the problems are relatively new
  - people solved the problem by eliminating KPF version 2.*

Pretty simple analysis and solution:
  - Microsoft's latest system updates for Windows 2000 have broken Kerio Personal Firewall v2. Too bad -- it was a great, simple, fast firewall!
  - I looked around, discovered Kerio has been hard at work since I gave up on their v 4.0 product. Their new 4.1.3 version is getting good reviews
  - Downloaded and installed KPF v 4.1.3

So far, we've had no more trouble. I'll add another comment in a week or so just to fully confirm that the problem is nailed.

One more note: I think there may be a relationship between flakiness in our internet connection and this BSOD. The BSOD tends to hide until the 'net connect gets bad.

Expert Comment

ID: 13902261
(I'm asking that this question be closed and my points refunded. I hope the above information may be helpful to others.)
LVL 20

Expert Comment

ID: 13903594
I'm glad to know that you've resolved the problem. Thanks for sharing your eperience with me. According to my experience the '!analyze -v' only 20% chance giving the correct culprit because 80% of the failing module is ntoskrnl.exe and win32k. Half of the blue screen are related to hardware error. It is very difficult to diagnostic whether the problem is caused by hardware, software driver error or corrupt by virus. If want to diagnostic windows problem, you have to download a lot of minidumps from different cases. This is the reason why I am here as I enjoy diagnostic windows problem.  Anyway you do a perfect beginning to diagnostc windows. I started windows diagnostic at last year when one of my windows crashed with blue screen. I download windbg and find out that it is software problem of the on-board sound card. I upgraded the sound card driver and I encountered another blue screen and the culprit is the stupid video card driver.

Repost if you want to know more about windbg and I am willing to share my experience with you. Please PAQed this problem and refund the points.

Expert Comment

ID: 13904143
>you do a perfect beginning to diagnostc windows...

Thanks, cpc2004!
I suppose I should be also welcoming *you* to this arena as well :). I've actually used windbg before, but not much and its been quite a while... I've been debugging windows bugs (and MS library bugs) longer than I want to think about :) :)... but mostly in the 95/98 era.

I think you are *absolutely* correct about windbg (or ANY tool/report/etc) only handing over the "right answer" about 20% of the time. When I was doing technology consulting for a living, the vast majority of my work was basically debugging at a low or high level. And really, it was all about asking good questions and being a good detective. You can earn a lot of $$$, or EE points :), that way!

If you've got windbg tales to tell, I'm all ears! I think others would enjoy war stories as well. Maybe we should start another thread for that. In fact, why don't I do that...
See http://www.experts-exchange.com/Operating_Systems/Q_21408665.html :-D

(I've read the latest docs and feel confident about adding it to my toolkit. Helps to have downloaded all of the symbol tables for various versions of Windows. I assume for helping EE folk, you have set up various symbol folders and point windbg at the right one when decoding somebody else's dump files...)

Accepted Solution

PAQ_Man earned 0 total points
ID: 13904709
Question Closed, 500 points refunded.
Community Support Moderator

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Dropbox has a relatively new feature called Smart Sync.  This feature allows Dropbox Professional (not plus) and Dropbox Business (if enabled) users to store information in Dropbox WITHOUT storing any files on their computer.
Loops Section Overview
As many of you are aware about Scanpst.exe utility which is owned by Microsoft itself to repair inaccessible or damaged PST files, but the question is do you really think Scanpst.exe is capable to repair all sorts of PST related corruption issues?
Suggested Courses
Course of the Month13 days, 23 hours left to enroll

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question