• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3721
  • Last Modified:

Memory Dump (WinDbg Provided)

This is the 1st Dump that I have not been able to figure out, and am also learning how to read them
Using the [WinDbg] as well.
Could someone please assist me with information on how to analyze these Dumps better?
Basically, explain it to me better on what I am looking for?
And were to find the information for it?
Thank you
Carrzkiss
=================================================================
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ef7ffffd, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b784bc9a, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME:  nt

FAULTING_MODULE: 80400000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  4344ec59

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
 ef7ffffd

FAULTING_IP:
+ffffffffb784bc9a
b784bc9a ??               ???

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from 00000000 to 80449d15

STACK_TEXT:  
b6bce994 00000000 ef7ffffd 00000000 b784bc9a nt+0x49d15


STACK_COMMAND:  .bugcheck ; kb

FOLLOWUP_NAME:  MachineOwner

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------
0
Wayne Barron
Asked:
Wayne Barron
2 Solutions
 
MiguelSilvestreCommented:
Hi carrzkiss,

The "service expert" for dump files is cpc2004 :))

But for the first look do you have the correct symbols ?

Miguel
0
 
Wayne BarronAuthor, Web DeveloperAuthor Commented:
Im guessing these are it? I found them a while back, so I am not really sure?

http://msdl.microsoft.com/download/symbols
0
 
MiguelSilvestreCommented:
Hi carrzkiss,

Yap :)) Is that the server, or you can download the symbol pack you need, take a look at here:

http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

Miguel
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
MiguelSilvestreCommented:
Hi carrzkiss,

Also if you want, upload a dump file to a public webspace (something like http://www.rapidshare.de) and post here the download link.

Miguel
0
 
Wayne BarronAuthor, Web DeveloperAuthor Commented:
0
 
jkrCommented:
>>LAST_CONTROL_TRANSFER:  from 00000000 to 80449d15

The dump might not really be helpful, it seems the whole stack was blown away...
0
 
Wayne BarronAuthor, Web DeveloperAuthor Commented:
This is from the EV

The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xef7ffffd, 0x00000000, 0xb784bc9a, 0x00000000). Microsoft Windows 2000 [v15.2195]. A dump was saved in: C:\WINNT\Minidump\Mini032006-01.dmp.
0
 
MiguelSilvestreCommented:
Hi carrzkiss,

Here's my analyzes :

Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
Debug session time: Mon Mar 20 16:15:18.781 2006 (GMT+0)
System Uptime: not available
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
....................................................................................................................
Loading unloaded module list
..................................................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}


Could not read faulting driver name
Probably caused by : memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )

Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ef7ffffd, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b784bc9a, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: unable to read from 80483b80
unable to read from 80483804
unable to read from 80483794
unable to read from 8047a158
unable to read from 80483798
unable to read from 80483808
unable to read from 8047a15c
unable to read from 804838e0
unable to read from 80483b84
 ef7ffffd

FAULTING_IP:
+ffffffffb784bc9a
b784bc9a ??               ???

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from 80467caf to 80449d15

STACK_TEXT:  
b6bce9d8 80467caf 00000000 ef7ffffd 00000000 nt!MiDeleteSystemPagableVm+0x3d6
b6bce9f0 00000000 e3f5f588 a00e3880 00000139 nt!RtlFindFirstRunClear+0x47


FOLLOWUP_IP:
nt!MiDeleteSystemPagableVm+3d6
80449d15 ??               ???

SYMBOL_STACK_INDEX:  0

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  nt!MiDeleteSystemPagableVm+3d6

MODULE_NAME:  nt

DEBUG_FLR_IMAGE_TIMESTAMP:  4344ec59

STACK_COMMAND:  kb

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  0x50_nt!MiDeleteSystemPagableVm+3d6

BUCKET_ID:  0x50_nt!MiDeleteSystemPagableVm+3d6

Followup: MachineOwner
---------

Miguel
0
 
MiguelSilvestreCommented:
Hi

So ... my result is :

BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}
Probably caused by : memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )

Miguel
0
 
Wayne BarronAuthor, Web DeveloperAuthor Commented:
On this:
BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}
Probably caused by : memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )

I had already seem some information on the [Error 50].

What exactly does this mean for me to do?
memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )
Am I reading this part correctly, and does it want me to "Delete System Page File" ?
Or am I reading it incorrectly?

-----------------------------
OK.
II downloaded the "Symbols" from the site.
In [Symbol File Path] I "Browsed" and added the link in. Am I still missing something?
This is what I have:
=============-------------==============------------=================--------======

Microsoft (R) Windows Debugger  Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINNT\Minidump\Mini032006-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: D:\Windows\Debuggin\Store\symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: symbols timestamp is wrong 0x4344ec59 0x427b58bb for ntoskrnl.exe
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
Debug session time: Mon Mar 20 11:15:18.781 2006 (GMT-5)
System Uptime: not available
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: symbols timestamp is wrong 0x4344ec59 0x427b58bb for ntoskrnl.exe
Loading Kernel Symbols
....................................................................................................................
Loading unloaded module list
..................................................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}


Could not read faulting driver name
Unable to load image win32k.sys, Win32 error 2
*** WARNING: symbols timestamp is wrong 0x4344ef76 0x42168832 for win32k.sys
*** WARNING: Unable to verify timestamp for hal.dll
*** ERROR: Module load completed but symbols could not be loaded for hal.dll
Probably caused by : win32k.sys ( win32k!hdcOpenDCW+183 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ef7ffffd, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b784bc9a, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: unable to read from 80481518
unable to read from 804811c8
unable to read from 804810a8
unable to read from 80472de0
unable to read from 804810c0
unable to read from 804811c4
unable to read from 80472de4
unable to read from 80481284
unable to read from 804814b8
 ef7ffffd

FAULTING_IP:
+ffffffffb784bc9a
b784bc9a ??               ???

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from 00000000 to 80449d15

SYMBOL_ON_RAW_STACK:  1

STACK_TEXT:  
b6bce994 00000000 ef7ffffd 00000000 b784bc9a nt!MmAccessFault+0x757


STACK_COMMAND:  dds @$csp ; kb

FOLLOWUP_IP:
win32k!hdcOpenDCW+183
a00e3880 ??               ???

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  win32k!hdcOpenDCW+183

MODULE_NAME:  win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4344ef76

FAILURE_BUCKET_ID:  0x50_win32k!hdcOpenDCW+183

BUCKET_ID:  0x50_win32k!hdcOpenDCW+183

Followup: MachineOwner
---------

0
 
cpc2004Commented:
b6bce994 00000000 ef7ffffd 00000000 b784bc9a nt!MmAccessFault+0x757 <-- This is the sign of faulty memory.

FAILURE_BUCKET_ID:  0x50_win32k!hdcOpenDCW+183 <-- This is also the sign of faulty memory (ram or video memory)


The culprit is faulty memory. You can run memtest to stress the ram. If memtest reports the ram is faulty, ram is bad. However Memtest is not a perfect tool to test the memory as some faulty ram can pass memtest.

Suggestion
1. Check the temperature of the CPU and make sure that it is not overheat (ie temperature < 60C)
   Make sure that the CPU fan works properly
2. Reseat the memory stick to another memory slot. Reseat video card as well.
3. Downclock the ram. Check to default setting if you video card is overclocked.
4. Clean the dust inside the computer case
5. Make sure that the ram is compatible to the motherboard
   For example : If the ram and the motherboard has dual mode compatibility problem, you must stop using dual mode and switch to single channel mode                
   http://www.techspot.com/vb/showthread.php?p=251045#post251045
6. Check the bios setting about memory timing and make sure that it is on
   For example : DIMM1 and DIMM2 do not have the same timing.
   DIMM1: Corsair CMX512-3200C2 512 MB PC3200 DDR SDRAM (2.5-3-3-8 @ 200 MHz) (2.0-3-3-7 @ 166 MHz)
   DIMM2: Corsair CMX512-3200C2 512 MB PC3200 DDR SDRAM (3.0-3-3-8 @ 200 MHz)
   DIMM3: Corsair CMX512-3200C2 512 MB PC3200 DDR SDRAM (3.0-3-3-8 @ 200 MHz)
7. Make sure that your PSU has adequate power to drive all the hardware including USB devices
8. Run chkdsk /r at command prompt
9. Run 3DMark 2005 to test your video card
10. Upgrade BIOS and make sure that the motherboard has no leaking capacitor

If it still crashes, diagnostic which memory stick is faulty
1. Take out one memory stick. If windows does not crash, the removed memory stick is faulty.
2. If you have only one memory stick, replace the ram
0
 
Wayne BarronAuthor, Web DeveloperAuthor Commented:
Thanks cpc2004.

This is the first time that the system "Blue Screened"
It is a Laptop, and have had it for about 3yrs now.
The dump happened 3-days ago, so I will have to wait for a few days to see if it happens again.

During the time that the BSOD happened, Explorer & IE were acting up somewhat, and I was
Fixing to close out of all opened Windows when the BSOD acured.

Thank you both: cpc2004 & MiguelSilvestre
For all your assistance and Information.
0
 
Wayne BarronAuthor, Web DeveloperAuthor Commented:
One last thing.

I meant to say "Desktop" not "Laptop"
As the Laptop also rebooted unexpectedly as well, but with no .dmp file recorded.

Take Care
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now