Link to home
Create AccountLog in
Avatar of Wayne Barron
Wayne BarronFlag for United States of America

asked on

Memory Dump (WinDbg Provided)

This is the 1st Dump that I have not been able to figure out, and am also learning how to read them
Using the [WinDbg] as well.
Could someone please assist me with information on how to analyze these Dumps better?
Basically, explain it to me better on what I am looking for?
And were to find the information for it?
Thank you
Carrzkiss
=================================================================
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ef7ffffd, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b784bc9a, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


MODULE_NAME:  nt

FAULTING_MODULE: 80400000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  4344ec59

READ_ADDRESS: unable to get nt!MmPoolCodeEnd
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSpecialPoolStart
unable to get nt!MmPagedPoolStart
unable to get nt!MmNonPagedPoolExpansionStart
unable to get nt!MmPoolCodeStart
 ef7ffffd

FAULTING_IP:
+ffffffffb784bc9a
b784bc9a ??               ???

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from 00000000 to 80449d15

STACK_TEXT:  
b6bce994 00000000 ef7ffffd 00000000 b784bc9a nt+0x49d15


STACK_COMMAND:  .bugcheck ; kb

FOLLOWUP_NAME:  MachineOwner

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------
Avatar of MiguelSilvestre
MiguelSilvestre

Hi carrzkiss,

The "service expert" for dump files is cpc2004 :))

But for the first look do you have the correct symbols ?

Miguel
Avatar of Wayne Barron

ASKER

Im guessing these are it? I found them a while back, so I am not really sure?

http://msdl.microsoft.com/download/symbols
Hi carrzkiss,

Yap :)) Is that the server, or you can download the symbol pack you need, take a look at here:

http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

Miguel
Hi carrzkiss,

Also if you want, upload a dump file to a public webspace (something like http://www.rapidshare.de) and post here the download link.

Miguel
>>LAST_CONTROL_TRANSFER:  from 00000000 to 80449d15

The dump might not really be helpful, it seems the whole stack was blown away...
This is from the EV

The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xef7ffffd, 0x00000000, 0xb784bc9a, 0x00000000). Microsoft Windows 2000 [v15.2195]. A dump was saved in: C:\WINNT\Minidump\Mini032006-01.dmp.
SOLUTION
Avatar of MiguelSilvestre
MiguelSilvestre

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Hi

So ... my result is :

BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}
Probably caused by : memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )

Miguel
On this:
BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}
Probably caused by : memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )

I had already seem some information on the [Error 50].

What exactly does this mean for me to do?
memory_corruption ( nt!MiDeleteSystemPagableVm+3d6 )
Am I reading this part correctly, and does it want me to "Delete System Page File" ?
Or am I reading it incorrectly?

-----------------------------
OK.
II downloaded the "Symbols" from the site.
In [Symbol File Path] I "Browsed" and added the link in. Am I still missing something?
This is what I have:
=============-------------==============------------=================--------======

Microsoft (R) Windows Debugger  Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINNT\Minidump\Mini032006-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: D:\Windows\Debuggin\Store\symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: symbols timestamp is wrong 0x4344ec59 0x427b58bb for ntoskrnl.exe
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
Debug session time: Mon Mar 20 11:15:18.781 2006 (GMT-5)
System Uptime: not available
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: symbols timestamp is wrong 0x4344ec59 0x427b58bb for ntoskrnl.exe
Loading Kernel Symbols
....................................................................................................................
Loading unloaded module list
..................................................
Loading User Symbols
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ef7ffffd, 0, b784bc9a, 0}


Could not read faulting driver name
Unable to load image win32k.sys, Win32 error 2
*** WARNING: symbols timestamp is wrong 0x4344ef76 0x42168832 for win32k.sys
*** WARNING: Unable to verify timestamp for hal.dll
*** ERROR: Module load completed but symbols could not be loaded for hal.dll
Probably caused by : win32k.sys ( win32k!hdcOpenDCW+183 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ef7ffffd, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: b784bc9a, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: unable to read from 80481518
unable to read from 804811c8
unable to read from 804810a8
unable to read from 80472de0
unable to read from 804810c0
unable to read from 804811c4
unable to read from 80472de4
unable to read from 80481284
unable to read from 804814b8
 ef7ffffd

FAULTING_IP:
+ffffffffb784bc9a
b784bc9a ??               ???

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0x50

LAST_CONTROL_TRANSFER:  from 00000000 to 80449d15

SYMBOL_ON_RAW_STACK:  1

STACK_TEXT:  
b6bce994 00000000 ef7ffffd 00000000 b784bc9a nt!MmAccessFault+0x757


STACK_COMMAND:  dds @$csp ; kb

FOLLOWUP_IP:
win32k!hdcOpenDCW+183
a00e3880 ??               ???

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  win32k!hdcOpenDCW+183

MODULE_NAME:  win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4344ef76

FAILURE_BUCKET_ID:  0x50_win32k!hdcOpenDCW+183

BUCKET_ID:  0x50_win32k!hdcOpenDCW+183

Followup: MachineOwner
---------

ASKER CERTIFIED SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Thanks cpc2004.

This is the first time that the system "Blue Screened"
It is a Laptop, and have had it for about 3yrs now.
The dump happened 3-days ago, so I will have to wait for a few days to see if it happens again.

During the time that the BSOD happened, Explorer & IE were acting up somewhat, and I was
Fixing to close out of all opened Windows when the BSOD acured.

Thank you both: cpc2004 & MiguelSilvestre
For all your assistance and Information.
One last thing.

I meant to say "Desktop" not "Laptop"
As the Laptop also rebooted unexpectedly as well, but with no .dmp file recorded.

Take Care