?
Solved

Memory Dump (WinDbg Provided)

Posted on 2006-03-20
13
Medium Priority
?
3,696 Views
Last Modified: 2012-06-21
This is the 1st Dump that I have not been able to figure out, and am also learning how to read them
Using the [WinDbg] as well.
Could someone please assist me with information on how to analyze these Dumps better?
Basically, explain it to me better on what I am looking for?
And were to find the information for it?
Thank you
Carrzkiss
=================================================================
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ef7ffffd, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b784bc9a, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME:  nt

FAULTING_MODULE: 80400000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  4344ec59

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
 ef7ffffd

FAULTING_IP:
+ffffffffb784bc9a
b784bc9a ??               ???

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from 00000000 to 80449d15

STACK_TEXT:  
b6bce994 00000000 ef7ffffd 00000000 b784bc9a nt+0x49d15


STACK_COMMAND:  .bugcheck ; kb

FOLLOWUP_NAME:  MachineOwner

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------
0
Comment
Question by:Wayne Barron
13 Comments
 
LVL 15

Expert Comment

by:MiguelSilvestre
ID: 16240652
Hi carrzkiss,

The "service expert" for dump files is cpc2004 :))

But for the first look do you have the correct symbols ?

Miguel
0
 
LVL 31

Author Comment

by:Wayne Barron
ID: 16240844
Im guessing these are it? I found them a while back, so I am not really sure?

http://msdl.microsoft.com/download/symbols
0
 
LVL 15

Expert Comment

by:MiguelSilvestre
ID: 16240952
Hi carrzkiss,

Yap :)) Is that the server, or you can download the symbol pack you need, take a look at here:

http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

Miguel
0
New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

 
LVL 15

Expert Comment

by:MiguelSilvestre
ID: 16240977
Hi carrzkiss,

Also if you want, upload a dump file to a public webspace (something like http://www.rapidshare.de) and post here the download link.

Miguel
0
 
LVL 31

Author Comment

by:Wayne Barron
ID: 16241001
0
 
LVL 86

Expert Comment

by:jkr
ID: 16241042
>>LAST_CONTROL_TRANSFER:  from 00000000 to 80449d15

The dump might not really be helpful, it seems the whole stack was blown away...
0
 
LVL 31

Author Comment

by:Wayne Barron
ID: 16241071
This is from the EV

The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xef7ffffd, 0x00000000, 0xb784bc9a, 0x00000000). Microsoft Windows 2000 [v15.2195]. A dump was saved in: C:\WINNT\Minidump\Mini032006-01.dmp.
0
 
LVL 15

Assisted Solution

by:MiguelSilvestre
MiguelSilvestre earned 300 total points
ID: 16241118
Hi carrzkiss,

Here's my analyzes :

Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
Debug session time: Mon Mar 20 16:15:18.781 2006 (GMT+0)
System Uptime: not available
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
....................................................................................................................
Loading unloaded module list
..................................................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}


Could not read faulting driver name
Probably caused by : memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )

Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ef7ffffd, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b784bc9a, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: unable to read from 80483b80
unable to read from 80483804
unable to read from 80483794
unable to read from 8047a158
unable to read from 80483798
unable to read from 80483808
unable to read from 8047a15c
unable to read from 804838e0
unable to read from 80483b84
 ef7ffffd

FAULTING_IP:
+ffffffffb784bc9a
b784bc9a ??               ???

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from 80467caf to 80449d15

STACK_TEXT:  
b6bce9d8 80467caf 00000000 ef7ffffd 00000000 nt!MiDeleteSystemPagableVm+0x3d6
b6bce9f0 00000000 e3f5f588 a00e3880 00000139 nt!RtlFindFirstRunClear+0x47


FOLLOWUP_IP:
nt!MiDeleteSystemPagableVm+3d6
80449d15 ??               ???

SYMBOL_STACK_INDEX:  0

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  nt!MiDeleteSystemPagableVm+3d6

MODULE_NAME:  nt

DEBUG_FLR_IMAGE_TIMESTAMP:  4344ec59

STACK_COMMAND:  kb

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  0x50_nt!MiDeleteSystemPagableVm+3d6

BUCKET_ID:  0x50_nt!MiDeleteSystemPagableVm+3d6

Followup: MachineOwner
---------

Miguel
0
 
LVL 15

Expert Comment

by:MiguelSilvestre
ID: 16241136
Hi

So ... my result is :

BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}
Probably caused by : memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )

Miguel
0
 
LVL 31

Author Comment

by:Wayne Barron
ID: 16241263
On this:
BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}
Probably caused by : memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )

I had already seem some information on the [Error 50].

What exactly does this mean for me to do?
memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )
Am I reading this part correctly, and does it want me to "Delete System Page File" ?
Or am I reading it incorrectly?

-----------------------------
OK.
II downloaded the "Symbols" from the site.
In [Symbol File Path] I "Browsed" and added the link in. Am I still missing something?
This is what I have:
=============-------------==============------------=================--------======

Microsoft (R) Windows Debugger  Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINNT\Minidump\Mini032006-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: D:\Windows\Debuggin\Store\symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: symbols timestamp is wrong 0x4344ec59 0x427b58bb for ntoskrnl.exe
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
Debug session time: Mon Mar 20 11:15:18.781 2006 (GMT-5)
System Uptime: not available
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: symbols timestamp is wrong 0x4344ec59 0x427b58bb for ntoskrnl.exe
Loading Kernel Symbols
....................................................................................................................
Loading unloaded module list
..................................................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}


Could not read faulting driver name
Unable to load image win32k.sys, Win32 error 2
*** WARNING: symbols timestamp is wrong 0x4344ef76 0x42168832 for win32k.sys
*** WARNING: Unable to verify timestamp for hal.dll
*** ERROR: Module load completed but symbols could not be loaded for hal.dll
Probably caused by : win32k.sys ( win32k!hdcOpenDCW+183 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ef7ffffd, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b784bc9a, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: unable to read from 80481518
unable to read from 804811c8
unable to read from 804810a8
unable to read from 80472de0
unable to read from 804810c0
unable to read from 804811c4
unable to read from 80472de4
unable to read from 80481284
unable to read from 804814b8
 ef7ffffd

FAULTING_IP:
+ffffffffb784bc9a
b784bc9a ??               ???

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from 00000000 to 80449d15

SYMBOL_ON_RAW_STACK:  1

STACK_TEXT:  
b6bce994 00000000 ef7ffffd 00000000 b784bc9a nt!MmAccessFault+0x757


STACK_COMMAND:  dds @$csp ; kb

FOLLOWUP_IP:
win32k!hdcOpenDCW+183
a00e3880 ??               ???

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  win32k!hdcOpenDCW+183

MODULE_NAME:  win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4344ef76

FAILURE_BUCKET_ID:  0x50_win32k!hdcOpenDCW+183

BUCKET_ID:  0x50_win32k!hdcOpenDCW+183

Followup: MachineOwner
---------

0
 
LVL 20

Accepted Solution

by:
cpc2004 earned 700 total points
ID: 16246218
b6bce994 00000000 ef7ffffd 00000000 b784bc9a nt!MmAccessFault+0x757 <-- This is the sign of faulty memory.

FAILURE_BUCKET_ID:  0x50_win32k!hdcOpenDCW+183 <-- This is also the sign of faulty memory (ram or video memory)


The culprit is faulty memory. You can run memtest to stress the ram. If memtest reports the ram is faulty, ram is bad. However Memtest is not a perfect tool to test the memory as some faulty ram can pass memtest.

Suggestion
1. Check the temperature of the CPU and make sure that it is not overheat (ie temperature < 60C)
   Make sure that the CPU fan works properly
2. Reseat the memory stick to another memory slot. Reseat video card as well.
3. Downclock the ram. Check to default setting if you video card is overclocked.
4. Clean the dust inside the computer case
5. Make sure that the ram is compatible to the motherboard
   For example : If the ram and the motherboard has dual mode compatibility problem, you must stop using dual mode and switch to single channel mode                
   http://www.techspot.com/vb/showthread.php?p=251045#post251045
6. Check the bios setting about memory timing and make sure that it is on
   For example : DIMM1 and DIMM2 do not have the same timing.
   DIMM1: Corsair CMX512-3200C2 512 MB PC3200 DDR SDRAM (2.5-3-3-8 @ 200 MHz) (2.0-3-3-7 @ 166 MHz)
   DIMM2: Corsair CMX512-3200C2 512 MB PC3200 DDR SDRAM (3.0-3-3-8 @ 200 MHz)
   DIMM3: Corsair CMX512-3200C2 512 MB PC3200 DDR SDRAM (3.0-3-3-8 @ 200 MHz)
7. Make sure that your PSU has adequate power to drive all the hardware including USB devices
8. Run chkdsk /r at command prompt
9. Run 3DMark 2005 to test your video card
10. Upgrade BIOS and make sure that the motherboard has no leaking capacitor

If it still crashes, diagnostic which memory stick is faulty
1. Take out one memory stick. If windows does not crash, the removed memory stick is faulty.
2. If you have only one memory stick, replace the ram
0
 
LVL 31

Author Comment

by:Wayne Barron
ID: 16246743
Thanks cpc2004.

This is the first time that the system "Blue Screened"
It is a Laptop, and have had it for about 3yrs now.
The dump happened 3-days ago, so I will have to wait for a few days to see if it happens again.

During the time that the BSOD happened, Explorer & IE were acting up somewhat, and I was
Fixing to close out of all opened Windows when the BSOD acured.

Thank you both: cpc2004 & MiguelSilvestre
For all your assistance and Information.
0
 
LVL 31

Author Comment

by:Wayne Barron
ID: 16246769
One last thing.

I meant to say "Desktop" not "Laptop"
As the Laptop also rebooted unexpectedly as well, but with no .dmp file recorded.

Take Care
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Currently, there is an issue with being able to copy values from an external application to a dropdown list in Project Web Access (PWA).  The standard copy and paste methods don't seem to work properly. Here is a way to accomplish this task to s…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question