Analyzing Crash Dumps

Lee W, MVP
I have usually relied on the STOP error and a google search to determine the cause of a crash... but I know I can open the .dmp file generated and examine that for probably more thorough information.  Can anyone tell me what software will open this file?  I have access to TechNet and MSDN, so I think I should be able to get my hands on the appropriate tool... I just don't know what that tool is, so I guess that's the question - what's the tool??
leew:

     Take a look at the following: http://support.microsoft.com/default.aspx?scid=kb;en-us;315271  It's provided with XP (the CD anyway), and should allow you to do exactly what you need to read and even understand the dumps.  Enjoy, and good luck.  If you have any questions, feel free to ask.

Regards,
Jay
Lee W, MVP (Author)
Commented:
Have a question:

Unloaded modules:
bdc82000 bdca7000   kmixer.sys    Timestamp: unavailable (00000000)
beec3000 beee8000   kmixer.sys    Timestamp: unavailable (00000000)
bf15d000 bf16a000   DMusic.sys    Timestamp: unavailable (00000000)
bf16d000 bf17b000   swmidi.sys    Timestamp: unavailable (00000000)
bf19d000 bf1ad000   Serial.SYS    Timestamp: unavailable (00000000)
f2130000 f2139000   redbook.sys    Timestamp: unavailable (00000000)
f23a8000 f23ad000   Cdaudio.SYS    Timestamp: unavailable (00000000)
f24f0000 f24f3000   Sfloppy.SYS    Timestamp: unavailable (00000000)

What exactly are "unloaded modules"?

I've had repeated crashes on a 2000 server that happened since I put in an older but supposedly working dual 10/100 Compaq NIC card.  I DOWNGRADED the drive and it became more solid, but still crashes seemingly randomly, roughly 3-4 times a week.  The above "unloaded modules" occur in the first mini dump I have from 8/17 and the last from 10/2 - and I suspect in all the others (16 more) between.

The stop error is a D1, which COULD be faulty RAM but from how I'm reading things, is PROBABLY a bad driver.  (I do need to upgrade a disk or two in the server and will likely power down and reseat the RAM - ABOUT 8/15, I did some work on it and took out the RAM and then put it back in - maybe something isn't seated quite right - or perhaps I blew a stick).
leew:

     Well, I can say the problem you seem to be having is most likely stemming from bad drivers.  But could absolutely be a problem with the RAM.  Be sure to double check your video drivers as well.

     As far as I know, "Unloaded modules" are drivers which were not loaded/initialized.  This could be the problem as well.  Looking over it, it has a few audio entries.  Reinstalling audio drivers might be in order as well.

     Hope this is of help.  As always, if you have any questions, feel free to ask.

Regards,
Jay
Commented:
Debugging Tools from Microsoft
1) Create folder c:\symbols
2) Download and install the http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
3) Locate your latest memory.dmp file - C:\WINDOWS\Minidump\Mini011005-01.dmp or whatever
4) open a CMD prompt and cd\program files\debugging tools for windows\
5) type the following stuff:

Code:
c:\program files\debugging tools>kd -z C:\WINDOWS\Minidump\Mini011005-01.dmp
kd> .logopen c:\debuglog.txt
kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q

You now have a debuglog.txt in c:\, open it in notepad and post to this thread.

Lee W, MVP (Author)
Commented:
Fascinating... using dumpchk, I got the stop error code and parameters as follows:

Bugcheck code 000000D1
Arguments 00000003 00000002 00000000 f2112917

(I believe that was also displayed shortly after executing kd).  I then looked up the memory address of f2112917, which, if I understand this all correctly, falls in between f2110000 [and] f211e2c0 [which happens to be]  mvstdi5x mvstdi5x.sys Thu Sep 02 15:18:40 2004 (41377210), which, when I look it up, is the McAfee Enterprise 8 Mini-Firewall.  SOOOOOO, if I'm interpreting this correctly, something is creating a problem with mvstdi5x.sys OR there is a problem with mvstdi5x.sys.  My first attempt to fix this problem should probably be checking for updates to McAfee Enterprise 8.  Am I right?

Opened log file 'c:\debuglog100205-01.txt'
1: kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
1: kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
......................................................................................................
Loading unloaded module list
........
Loading User Symbols
No export analyze found
eax=82af513c ebx=0000000a ecx=00000000 edx=40000000 esi=f2112917 edi=00000003
eip=8046b12c esp=f24238d0 ebp=f24238e4 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286
nt+0x6b12c:
8046b12c ??               ???
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
f24238cc 00000000 00000003 00000002 00000000 nt+0x6b12c
start    end        module name
80062000 80078e00   hal      hal.dll      Thu Mar 20 21:04:11 2003 (3E7A731B)
80400000 805a2840   nt       ntoskrnl.exe Fri May 06 07:44:59 2005 (427B58BB)
a0000000 a0001000   win32k   win32k.sys   unavailable (00000000)
a018f000 a0190000   atidrab  atidrab.dll  unavailable (00000000)
a07e0000 a07e1000   RDPDD    RDPDD.dll    unavailable (00000000)
bdc12000 bdc27f20   RDPWD    RDPWD.SYS    Fri Jun 17 02:41:40 2005 (42B270A4)
bdce3000 bdce5100   EntDrv50 EntDrv50.sys Wed Jul 28 03:16:11 2004 (410752BB)
bdcf7000 bdd116e0   naiavf5x naiavf5x.sys Fri Aug 20 07:42:57 2004 (4125E3C1)
be3df000 be3e1f20   spud     spud.sys     Fri Nov 19 18:36:27 1999 (3835DEFB)
be71b000 be72aa20   ipsec    ipsec.sys    Tue Apr 29 19:04:59 2003 (3EAF051B)
be773000 be795ac0   Fastfat  Fastfat.SYS  Thu Dec 02 22:33:50 2004 (41AFDE9E)
be7e6000 be7f6600   ipnat    ipnat.sys    Wed Aug 11 19:42:38 2004 (411AAEEE)
be91f000 be92e600   Cdfs     Cdfs.SYS     Fri Apr 01 20:23:36 2005 (424DF418)
be98f000 be997a60   termdd   termdd.sys   Fri Mar 21 16:43:08 2003 (3E7B876C)
beb3f000 beb64920   sfmsrv   sfmsrv.sys   Mon Sep 09 20:17:41 2002 (3D7D3A25)
bedbd000 bedc5560   ipfltdrv ipfltdrv.sys Sat Oct 30 18:35:58 1999 (381B72CE)
bedcd000 bedd5240   Fips     Fips.SYS     Tue May 09 11:28:29 2000 (39182E9D)
bee5d000 bee97440   srv      srv.sys      Tue May 03 04:10:42 2005 (42773202)
bef10000 bef21f80   wdmaud   wdmaud.sys   Wed Apr 16 00:23:02 2003 (3E9CDAA6)
bf012000 bf031140   afd      afd.sys      Mon Apr 11 17:31:21 2005 (425AECA9)
bf032000 bf0562a0   sfmatalk sfmatalk.sys Fri Aug 16 08:28:12 2002 (3D5CEFDC)
bf091000 bf0c4040   exifs    exifs.sys    Tue Jun 18 02:13:17 2002 (3D0ECF7D)
bf17d000 bf1888c0   sysaudio sysaudio.sys Wed Apr 16 00:21:44 2003 (3E9CDA58)
bfa05000 bfa1a180   dump_atapi dump_atapi.sys Tue Apr 01 13:08:25 2003 (3E89D599)
bfa43000 bfaaca40   mrxsmb   mrxsmb.sys   Fri Apr 01 20:23:32 2005 (424DF414)
bfabf000 bfaebac0   rdbss    rdbss.sys    Mon Apr 11 17:31:22 2005 (425AECAA)
bfaec000 bfb13000   vmm      vmm.sys      Fri Oct 01 18:32:54 2004 (415DDB16)
bfb13000 bfb3dd00   netbt    netbt.sys    Fri Apr 01 20:23:24 2005 (424DF40C)
bfb3e000 bfb8c1a0   tcpip    tcpip.sys    Thu May 12 06:24:58 2005 (42832EFA)
bfcf5000 bfd1f3a0   update   update.sys   Wed Apr 16 00:22:01 2003 (3E9CDA69)
bfd32000 bfd55060   rdpdr    rdpdr.sys    Fri Mar 21 16:43:14 2003 (3E7B8772)
bfd56000 bfd7b200   n100nt5  n100nt5.sys  Mon Jun 13 17:11:39 2005 (42ADF68B)
bfd7c000 bfda5680   smc9452m smc9452m.sys Thu May 15 06:33:43 2003 (3EC36D07)
bfda6000 bfdc5d00   KS       KS.SYS       Wed Dec 04 12:09:38 2002 (3DEE36D2)
bfdc6000 bfdea1e0   portcls  portcls.sys  Wed Apr 16 00:11:22 2003 (3E9CD7EA)
bfdeb000 bfe0c160   ctlsb16  ctlsb16.sys  Sat Oct 23 16:09:27 1999 (381215F7)
bfe0d000 bfe1e6c0   atimpab  atimpab.sys  Wed Nov 10 18:34:06 1999 (382A00EE)
bfe1f000 bfe35ba0   ndiswan  ndiswan.sys  Tue Apr 29 19:05:01 2003 (3EAF051D)
bfe7e000 bfe93be0   Mup      Mup.sys      Thu Dec 02 22:37:23 2004 (41AFDF73)
bfe94000 bfebdaa0   NDIS     NDIS.sys     Tue Apr 29 19:05:01 2003 (3EAF051D)
bfebe000 bff3b480   Ntfs     Ntfs.sys     Tue May 10 05:20:29 2005 (42807CDD)
bff3c000 bff4d7c0   KSecDD   KSecDD.sys   Sat Sep 20 20:32:19 2003 (3F6CF193)
bff4e000 bff601c0   Dfs      Dfs.sys      Tue Feb 11 21:19:06 2003 (3E49AF1A)
bff61000 bff62000   fltmgr   fltmgr.sys   unavailable (00000000)
bff83000 bff95180   SCSIPORT SCSIPORT.SYS Thu Dec 30 00:53:36 2004 (41D397E0)
bff96000 bffaa940   adpu160m adpu160m.sys Wed Feb 21 20:07:15 2001 (3A946643)
bffab000 bffc0180   atapi    atapi.sys    Tue Apr 01 13:08:25 2003 (3E89D599)
bffc1000 bffe29c0   dmio     dmio.sys     Wed Jan 15 14:47:04 2003 (3E25BAB8)
bffe3000 bffff5a0   ftdisk   ftdisk.sys   Thu Dec 02 22:29:58 2004 (41AFDDB6)
f2000000 f200e6a0   pci      pci.sys      Wed Jan 15 14:44:07 2003 (3E25BA07)
f2010000 f201b680   isapnp   isapnp.sys   Wed Jan 15 14:43:47 2003 (3E25B9F3)
f2020000 f2028700   CLASSPNP CLASSPNP.SYS Wed Jan 15 14:42:51 2003 (3E25B9BB)
f2050000 f205e000   VMNetSrv VMNetSrv.sys Mon Jun 14 21:18:09 2004 (40CE4E51)
f2060000 f206ca80   rasl2tp  rasl2tp.sys  Tue Apr 29 19:05:06 2003 (3EAF0522)
f2070000 f207bc40   raspptp  raspptp.sys  Wed May 14 19:47:00 2003 (3EC2D574)
f2080000 f208ea20   parallel parallel.sys Wed Jan 15 14:47:14 2003 (3E25BAC2)
f2090000 f209c4c0   VIDEOPRT VIDEOPRT.SYS Wed Jan 15 14:47:20 2003 (3E25BAC8)
f20a0000 f20ab680   i8042prt i8042prt.sys Wed Apr 16 00:00:59 2003 (3E9CD57B)
f20b0000 f20b9ce0   NDProxy  NDProxy.SYS  Thu Sep 30 19:25:35 1999 (37F3F16F)
f20d0000 f20d9be0   usbhub   usbhub.sys   Tue Mar 18 18:30:41 2003 (3E77AC21)
f20f0000 f20f8fa0   Npfs     Npfs.SYS     Sat Oct 09 19:58:07 1999 (37FFD68F)
f2100000 f2108680   msgpc    msgpc.sys    Wed Jan 15 14:54:25 2003 (3E25BC71)
f2110000 f211e2c0   mvstdi5x mvstdi5x.sys Thu Sep 02 15:18:40 2004 (41377210)
f2120000 f21281a0   netbios  netbios.sys  Tue Oct 12 15:34:19 1999 (38038D3B)
f2280000 f2285520   PCIIDEX  PCIIDEX.SYS  Tue Feb 25 13:31:08 2003 (3E5BB66C)
f2288000 f228f5a0   MountMgr MountMgr.sys Thu Dec 02 22:33:01 2004 (41AFDE6D)
f2290000 f2296760   ultra    ultra.sys    Wed Oct 09 12:29:50 2002 (3DA4597E)
f2298000 f229f720   disk     disk.sys     Wed Jan 15 14:43:05 2003 (3E25B9C9)
f22a0000 f22a5100   agp440   agp440.sys   Wed Jan 15 14:47:07 2003 (3E25BABB)
f22c8000 f22cc400   ptilink  ptilink.sys  Wed Jan 15 14:47:15 2003 (3E25BAC3)
f22d8000 f22dc0e0   raspti   raspti.sys   Fri Oct 08 16:45:10 1999 (37FE57D6)
f2308000 f230ec40   cdrom    cdrom.sys    Wed Jan 15 14:43:04 2003 (3E25B9C8)
f2310000 f2317f40   uhcd     uhcd.sys     Wed Jan 15 14:45:50 2003 (3E25BA6E)
f2328000 f232cfc0   USBD     USBD.SYS     Wed Jan 22 12:05:33 2003 (3E2ECF5D)
f2340000 f2345ec0   kbdclass kbdclass.sys Thu Feb 20 11:37:30 2003 (3E55044A)
f2350000 f2356100   parport  parport.sys  Wed Jan 15 14:47:13 2003 (3E25BAC1)
f2360000 f2361000   fdc      fdc.sys      unavailable (00000000)
f2370000 f2375400   mouclass mouclass.sys Thu Feb 20 11:37:45 2003 (3E550459)
f2380000 f2386a20   EFS      EFS.SYS      Wed Jan 15 14:46:55 2003 (3E25BAAF)
f2398000 f239ca60   flpydisk flpydisk.sys Wed Jan 15 14:42:52 2003 (3E25B9BC)
f23b8000 f23bd240   Msfs     Msfs.SYS     Tue Oct 26 19:21:32 1999 (3816377C)
f23c8000 f23cc8c0   TDTCP    TDTCP.SYS    Fri Mar 21 16:43:08 2003 (3E7B876C)
f23d8000 f23dfd00   wanarp   wanarp.sys   Fri Aug 16 08:25:01 2002 (3D5CEF1D)
f2410000 f2412a20   BOOTVID  BOOTVID.dll  Wed Nov 03 20:24:33 1999 (3820E051)
f2414000 f2416d00   PartMgr  PartMgr.sys  Wed Jan 15 14:43:07 2003 (3E25B9CB)
f2494000 f24962e0   ndistapi ndistapi.sys Wed Jan 15 14:54:15 2003 (3E25BC67)
f24a0000 f24a3e60   TDI      TDI.SYS      Wed Jan 15 14:56:26 2003 (3E25BCEA)
f24ac000 f24ae540   gameenum gameenum.sys Wed Jan 15 14:45:32 2003 (3E25BA5C)
f24f8000 f24fb580   vga      vga.sys      Sat Sep 25 14:37:40 1999 (37ED1674)
f2500000 f2501100   intelide intelide.sys Wed Feb 19 12:19:09 2003 (3E53BC8D)
f2502000 f2503d20   Diskperf Diskperf.sys Wed Feb 12 16:34:38 2003 (3E4ABDEE)
f2504000 f2505000   dmload   dmload.sys   unavailable (00000000)
f2506000 f25077e0   cmdide   cmdide.sys   Wed Dec 22 16:54:17 1999 (38614889)
f2516000 f2517ca0   Fs_Rec   Fs_Rec.SYS   Wed Jan 15 14:53:30 2003 (3E25BC3A)
f251e000 f251fe40   rasacd   rasacd.sys   Sat Sep 25 14:41:23 1999 (37ED1753)
f25ac000 f25ad000   ParVdm   ParVdm.SYS   unavailable (00000000)
f25c8000 f25c8f80   WMILIB   WMILIB.SYS   Sat Sep 25 14:36:47 1999 (37ED163F)
f25d5000 f25d5a40   audstub  audstub.sys  Sat Sep 25 14:35:33 1999 (37ED15F5)
f25eb000 f25ec000   swenum   swenum.sys   Wed Dec 04 12:10:07 2002 (3DEE36EF)
f25fd000 f25fe000   Null     Null.SYS     unavailable (00000000)
f25ff000 f25ffee0   Beep     Beep.SYS     Wed Oct 20 18:18:59 1999 (380E3FD3)
f2602000 f2602f80   mnmdd    mnmdd.SYS    Sat Sep 25 14:37:40 1999 (37ED1674)
f2632000 f2632f80   dump_WMILIB dump_WMILIB.SYS Sat Sep 25 14:36:47 1999 (37ED163F)

Unloaded modules:
bdc82000 bdca7000   kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
beec3000 beee8000   kmixer.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
bf15d000 bf16a000   DMusic.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
bf16d000 bf17b000   swmidi.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
bf19d000 bf1ad000   Serial.SYS
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f2130000 f2139000   redbook.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f23a8000 f23ad000   Cdaudio.SYS
    Timestamp: unavailable (00000000)
    Checksum:  00000000
f24f0000 f24f3000   Sfloppy.SYS
    Timestamp: unavailable (00000000)
    Checksum:  00000000
Closing open log file c:\debuglog100205-01.txt
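
Added example (not part of the original post): the manual lookup described above, written as a Python sketch that parses `lm`-style output, resolves an address to image+offset, and decodes the four parameters of bug check 0xD1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL). The module lines are an excerpt of the log above; the function names are assumptions made for illustration.

```python
import re

# Excerpt of the lmnt output from the debug log posted above (not the full list).
LM_OUTPUT = """\
start    end        module name
80400000 805a2840   nt       ntoskrnl.exe Fri May 06 07:44:59 2005 (427B58BB)
f2100000 f2108680   msgpc    msgpc.sys    Wed Jan 15 14:54:25 2003 (3E25BC71)
f2110000 f211e2c0   mvstdi5x mvstdi5x.sys Thu Sep 02 15:18:40 2004 (41377210)
f2120000 f21281a0   netbios  netbios.sys  Tue Oct 12 15:34:19 1999 (38038D3B)

Unloaded modules:
f2130000 f2139000   redbook.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
"""

# "start end name [image]" with 8-digit hex addresses, as printed for a 32-bit dump.
RANGE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})\s+(\S+)(?:\s+(\S+))?", re.I)


def parse_modules(text):
    """Return (start, end, image, unloaded) tuples from lm-style output."""
    modules, unloaded = [], False
    for line in text.splitlines():
        if line.startswith("Unloaded modules"):
            unloaded = True  # every range after this header is an unloaded driver
            continue
        m = RANGE.match(line)
        if not m:
            continue  # column header, timestamp/checksum detail lines, blanks
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        # Loaded entries print "name image"; unloaded entries print the image only.
        image = m.group(3) if unloaded or not m.group(4) else m.group(4)
        modules.append((start, end, image, unloaded))
    return modules


def resolve(addr, modules):
    """Map an address to (image, offset, unloaded); None if no range holds it."""
    for start, end, image, unloaded in modules:
        if start <= addr < end:
            return image, addr - start, unloaded
    return None


def decode_d1(args, modules):
    """Interpret the four parameters of bug check 0xD1 for one dump."""
    referenced, irql, access, ip = (int(a, 16) for a in args)
    hit = resolve(ip, modules)
    return {
        "memory_referenced": referenced,   # address the driver touched
        "irql": irql,                      # IRQL at the time of the access
        "access": {0: "read", 1: "write"}.get(access, hex(access)),
        "instruction": ip,                 # address of the code that did it
        "image": hit[0] if hit else None,
        "offset": hit[1] if hit else None,
    }


if __name__ == "__main__":
    mods = parse_modules(LM_OUTPUT)
    print(decode_d1("00000003 00000002 00000000 f2112917".split(), mods))
```

An address only means something against the module list of the same dump: on this list f2102917 falls inside msgpc.sys, so addresses from other dumps should be compared as image+offset, not as raw values.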

Commented:
Hi Lee,

Your interpretation is correct, but the problem may be a hardware problem. You have to analyze 3 to 4 minidumps in order to confirm the culprit. If they all crash at the same instruction address, it is unlikely to be a hardware problem, because hardware problems occur randomly.

Hope it can help you
cpc2004

Commented:
For example, if it is overheating that causes an instruction address alignment problem at f2112917, then it is not a software error.
Lee W, MVP (Author)
Commented:
Will do, thanks.

Thanks to both of you - this is pretty much just what I was looking for.
leew:

     No problem.

Regards,
Jay
Lee W, MVP (Author)
Commented:
I didn't want to go through all these files manually... so I wrote a script that SEEMS to be working for me.  Would appreciate it if cpc2004 were to take a look at it - run it against some dumps he may have and confirm it's outputting good information.  Suggestions are, of course, welcome.

Here's the script:

------------------------------8<---------- analyze.cmd ---------------------------
@echo off
Set DebuggerPath=C:\Program Files\Debugging Tools for Windows
Set SymbolsFolderPath=C:\Symbols

For /f "tokens=*" %%a in ('cd') do set curdir=%%a
if "%1" == "*" Goto AnalyzeAll
if "%1" == "" Goto Help
Goto ProcessDump
:Help
Echo %0 - Analyze one or more crash dumps
Echo.
echo USAGE:
echo.
echo     %0 * ^| filename.dmp
echo.
echo         * - Analyze ALL dmp files in the directory
echo         filename.dmp - Analyze only this specific dump
echo.
echo     This script will create a file in dmp file directory called %0.log
echo         This file contains the Bug Check code and the debugger's opinion
echo         of which file caused the crash.
echo.
Goto EOF

:AnalyzeAll
For /f "tokens=1" %%z in ('dir /a-d /b *.dmp') Do Call :ProcessDump %%z
rem analyze.log is opened once by the check at :EOF
Goto EOF

:ProcessDump
cd /d "%debuggerpath%"
if not exist kd.script (
      echo .symfix>>kd.script
      echo !analyze -v>>kd.script
      echo q>>kd.script
) ELSE (
      Echo %0: ***kd.script found - using existing file.***
)
kd -z "%curdir%\%1" -logo "%curdir%\%1.log" -y "srv*%symbolsfolderpath%*http://msdl.microsoft.com/download/symbols" -v -cf kd.script
For /f "Skip=2 tokens=*" %%a in ('find "BugCheck" %curdir%\%1.log') do Echo %1 Bug Check: %%a>>%curdir%\analyze.log
For /f "Skip=2 tokens=*" %%a in ('find /i "probably caused by" %curdir%\%1.log') do Echo %1 Probable Cause: %%a>>%curdir%\analyze.log
Echo.>>%curdir%\analyze.log

:EOF
cd /d %curdir%
If "%0" NEQ ":ProcessDump" If Exist "%curdir%\analyze.log" Start Notepad "%curdir%\analyze.log"
------------------------------8<---------- analyze.cmd ---------------------------

Now, using the script, I generated this "analyze.log" file - which seems to confirm my earlier suspicions as all of them seem to have the same basic info:
Mini081705-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini081705-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini082005-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini082005-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini082205-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini082205-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini082605-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2102917}
Mini082605-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini082905-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini082905-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini090105-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini090105-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini090305-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini090305-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini090405-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini090405-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini090505-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini090505-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini091205-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini091205-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini091305-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini091305-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini091405-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini091405-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini092005-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini092005-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini092305-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini092305-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini092605-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini092605-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini092705-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini092705-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini100205-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini100205-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )
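
Added example (not part of the original post or the poster's script): a Python pass over the analyze.log format shown above that groups dumps by bug check code and image+offset instead of by absolute address, so the 8/26 dump, whose address is f2102917, still groups with the rest. Treating parameter 4 minus the offset as the driver's load base is an assumption that holds for bug check D1, where parameter 4 is the faulting instruction address; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Four entries copied from the analyze.log output in the post above.
ANALYZE_LOG = """\
Mini081705-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini081705-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini082205-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini082205-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini082605-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2102917}
Mini082605-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )

Mini100205-01.dmp Bug Check: BugCheck D1, {3, 2, 0, f2112917}
Mini100205-01.dmp Probable Cause: Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )
"""

BUGCHECK = re.compile(r"^(\S+) Bug Check: BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
CAUSE = re.compile(
    r"^(\S+) Probable Cause: Probably caused by : (\S+) \( \S+?\+([0-9A-Fa-f]+) \)"
)


def parse_log(text):
    """Return {dump name: {"code", "args", "image", "offset"}} from analyze.log text."""
    dumps = defaultdict(dict)
    for line in text.splitlines():
        m = BUGCHECK.match(line)
        if m:
            dumps[m.group(1)]["code"] = int(m.group(2), 16)
            dumps[m.group(1)]["args"] = [int(a, 16) for a in m.group(3).split(",")]
            continue
        m = CAUSE.match(line)
        if m:
            dumps[m.group(1)]["image"] = m.group(2)
            dumps[m.group(1)]["offset"] = int(m.group(3), 16)
    return dict(dumps)


def signatures(dumps):
    """Group dump names by (bug check code, image, offset inside the image)."""
    groups = defaultdict(list)
    for name, d in sorted(dumps.items()):
        if {"code", "image", "offset"} <= d.keys():
            groups[(d["code"], d["image"], d["offset"])].append(name)
    return dict(groups)


def load_bases(dumps):
    """For D1 dumps, derive the image base as parameter 4 minus the offset."""
    return {
        name: d["args"][3] - d["offset"]
        for name, d in dumps.items()
        if d.get("code") == 0xD1 and "offset" in d and len(d.get("args", [])) == 4
    }


if __name__ == "__main__":
    parsed = parse_log(ANALYZE_LOG)
    for (code, image, offset), names in signatures(parsed).items():
        print(f"{code:X} {image}+{offset:x}: {len(names)} dump(s)")
    for name, base in sorted(load_bases(parsed).items()):
        print(f"{name}: base {base:08x}")
```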

Commented:
I will test it and get back to you.

Commented:
Leew, I already have the symbol packs. How would I use the script? I am not much of a programmer.

Commented:
Hi Leew,

Your script is perfect and it can find the culprit of simple problems. However, for complicated problems it may provide wrong information. I need to explain the meaning of "Probably caused by : mvstdi5x.sys ( mvstdi5x+2917 )", as kd scans the stack trace and looks for the first occurrence of a non-Microsoft module and then a Microsoft routine.  This assumption may be incorrect.
 
For example

BugCheck 1000000A, {10, 2, 1, 804f6268}
Probably caused by : SYMEVENT.SYS ( SYMEVENT+b124 )
STACK_TEXT:  
f3d0d848 804f5feb dfba0000 03e163f0 00000000 nt!MmCopyToCachedPage+0x3ba
f3d0d8d8 804f5e75 82d17008 03e163f0 f3d0d91c nt!CcMapAndCopy+0x1a9
f3d0d964 f85beb66 82ddd638 f3d0db34 00000010 nt!CcCopyWrite+0x28e
f3d0db58 f85bbc97 829c24a0 82dce748 82dce748 Ntfs!NtfsCommonWrite+0x1d2a
f3d0dbbc 804e37f7 82f57020 82dce748 82f96bf8 Ntfs!NtfsFsdWrite+0xf3
f3d0dbcc f865e3ca 804e8a39 00000000 f3d0dc84 nt!IopfCallDriver+0x31
f3d0dbdc 804e37f7 82fcd3c8 e10d8d28 f3d0dc34 sr!SrWrite+0xaa
f3d0dbec f62f5124 00000000 f3d0dc34 82cb8778 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
f3d0dc84 805784c0 82e12bf0 82dce748 82ddd638 SYMEVENT+0xb124
f3d0dd38 804de7ec 000017b0 00000000 00000000 nt!NtWriteFile+0x602
f3d0dd38 7c90eb94 000017b0 00000000 00000000 nt!KiFastCallEntry+0xf8
0208fdb0 00000000 00000000 00000000 00000000 0x7c90eb94

Kb reports that the culprit is SYMEVENT.SYS, and actually the correct answer is faulty RAM. This is the reason why KB reports that it is probably caused by xxxxx.

