Solved

USBSTOR.SYS Causing Blue Screen Errors

Posted on 2007-03-29
Last Modified: 2008-01-09
Hey There!

I have a Win XP Pro SP2 workstation (with USB1.1) that's been bluescreening.  I've looked at the dump files with WinDbg and USBSTOR.SYS is the culprit in each file.

My client is using a PNY Micro Attache 12GB Flash drive (USB 2.0) to move between work and home (directly modifying files on the USB drive).

I have two minidumps which occurred prior to the purchase of the Attache drive which indicate USBSTOR.SYS as the likely culprit.  My client states no other USB drives have been attached to the system.

How should I go about preventing these bluescreens at this point?  
Do you think the drive is the problem considering the pre-purchase minidumps?
Can I refresh/reload USBSTOR.SYS?  If so, what is the best practice to accomplish this?

TIA

PS - In case you're interested, and in an attempt to aid others having this issue, here are the stop error codes (there is no filename reference on the blue screen):

Error code 1000007e
parameter1 c0000005
parameter2 00000000
parameter3 f7a85abc
parameter4 f7a857b8
0
Question by:ttist25
5 Comments
 
LVL 6

Expert Comment

by:kane77573
ID: 18818380
Please post the mini dump files so I can look into them and pinpoint the problem.
0
 
LVL 4

Expert Comment

by:Kitezh
ID: 18819009
File usbstor.sys is located in the folder C:\Windows\System32\drivers. The file size on Windows XP is 26496 bytes.
The driver can be started or stopped from Services in the Control Panel or by other programs so you can test this way. The file is a Windows system file. The program is not visible. usbstor.sys is a Microsoft signed file.

Important: Some malware camouflages itself as usbstor.sys, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus, check whether the usbstor.sys process on your PC is a pest.

If you are using any file or folder protection software, make sure to disable this also.

Also, find the file usbstor.sys and rename it to something like usbstor.bac, reboot, and see if the OS recreates it after the boot.
0
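
The location and size checks described in the comment above can be run in one pass over a system drive or a mounted image. The following Python script is an added example, not part of the original posts; `audit_driver_copies`, its `root` argument and the comparison against a known-good reference copy are assumptions, while the folder and size constants are the ones quoted in the comment.

```python
import hashlib
import os

DRIVER_NAME = "usbstor.sys"
# Folder and size quoted in the thread for Windows XP.
EXPECTED_DIR = "windows/system32/drivers"
EXPECTED_SIZE = 26496


def sha256_of(path):
    """Hash a file in chunks so it is never loaded into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_driver_copies(root, reference_path=None):
    """Return one finding per file named usbstor.sys found under root.

    root: top of the system drive or mounted image (assumption).
    reference_path: optional known-good copy kept outside root (assumption).
    """
    reference_hash = sha256_of(reference_path) if reference_path else None
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != DRIVER_NAME:  # Windows names are case-insensitive
                continue
            path = os.path.join(folder, name)
            relative = os.path.relpath(folder, root).replace("\\", "/").lower()
            reasons = []
            if relative != EXPECTED_DIR:
                reasons.append("unexpected location")
            if os.path.getsize(path) != EXPECTED_SIZE:
                reasons.append("unexpected size")
            if reference_hash and sha256_of(path) != reference_hash:
                reasons.append("hash differs from reference")
            findings.append({"path": path, "reasons": reasons})
    return findings
```

A location finding is a prompt to review the file, not a verdict. Two copies of equal size can still differ in content, which is why the hash is compared as well.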
 
LVL 1

Author Comment

by:ttist25
ID: 18819693
Thanks for the responses.  I dropped the dmp files in a zip at the following location:

http://www.kntnetworks.com/dumps/minidumps.zip

Your analysis will be greatly appreciated.  Thanks for the offer.

I checked the filesize of the usbstor.sys and it is the same size you quoted.  Also, I don't see the file in system or system32 folders.  

As soon as the system is available to me I will log on and run SysInternals Process Explorer to verify that the instance is signed and that there are no other instances running.

Would it be acceptable to copy usbstor.sys from one machine to another (I have verified the same size and version numbers through file properties)?

Thanks again.
0
 
LVL 4

Accepted Solution

by:
Kitezh earned 250 total points
ID: 18820799
Yes, you could try copying the file from another PC or download it - http://www.usb-drivers.com/drivers/28/28628.htm - free registration required for this particular site.
0
 
LVL 6

Assisted Solution

by:kane77573
kane77573 earned 250 total points
ID: 18820924
BINGO
Problem is the
DEFAULT_BUCKET_ID:  DRIVER_FAULT   <-------------MEANS IT'S A DRIVER ERROR
USBSTOR.SYS <-----------REINSTALL DRIVER

I would replace that file; I assume it has gotten corrupted and whatnot.
So replace it with a new one.
All the dmps point to the same issue; the dmp is posted below.


Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
+0
00000000 ??              ???

EXCEPTION_RECORD:  f7a75abc -- (.exr fffffffff7a75abc)
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

CONTEXT:  f7a757b8 -- (.cxr fffffffff7a757b8)
eax=85fea7e0 ebx=00000000 ecx=00000003 edx=862c1868 esi=85fea898 edi=8604a230
eip=00000000 esp=f7a75b84 ebp=f7a75bb0 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00210286
00000000 ??              ???
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

WRITE_ADDRESS:  00000000

BUGCHECK_STR:  0x7E

LAST_CONTROL_TRANSFER:  from ef9b66ff to 00000000

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7a75b80 ef9b66ff 00000000 68627375 70646f52 0x0
f7a75bb0 ef9bd661 85fea7e0 8604a230 862c17b0 usbhub!USBH_PdoRemoveDevice+0x41
f7a75bd0 ef9b6952 85fea898 862c17b0 00000002 usbhub!USBH_PdoPnP+0x5b
f7a75bf4 ef9b41d8 01fea898 862c17b0 f7a75c28 usbhub!USBH_PdoDispatch+0x5a
f7a75c04 804edfe3 85fea7e0 862c17b0 862af638 usbhub!USBH_HubDispatch+0x48
f7a75c14 f7984db4 862af580 862af638 862c17b0 nt!IopfCallDriver+0x31
f7a75c28 f7986980 862af580 862c17b0 862c188c USBSTOR!USBSTOR_FdoRemoveDevice+0xac
f7a75c40 804edfe3 862af580 862c17b0 f7a75ccc USBSTOR!USBSTOR_Pnp+0x4e
f7a75c50 80587021 85fea7e0 85fea7e0 00000002 nt!IopfCallDriver+0x31
f7a75c7c 80587145 862af580 f7a75ca8 00000000 nt!IopSynchronousCall+0xb7
f7a75cd0 804f5d12 85fea7e0 00000002 00000000 nt!IopRemoveDevice+0x93
f7a75cf8 80588c56 e3dbd8f0 00000018 e1b718d8 nt!IopRemoveLockedDeviceNode+0x160
f7a75d10 80588cbd 862bb008 00000002 e1b718d8 nt!IopDeleteLockedDeviceNode+0x34
f7a75d44 80588d61 85fea7e0 02b718d8 00000002 nt!IopDeleteLockedDeviceNodes+0x3f
f7a75d74 80533fe6 86331698 00000000 867c3da8 nt!IopDelayedRemoveWorker+0x4b
f7a75dac 805c4cce 86331698 00000000 00000000 nt!ExpWorkerThread+0x100
f7a75ddc 805411c2 80533ee6 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
USBSTOR!USBSTOR_FdoRemoveDevice+ac
f7984db4 ff760c          push    dword ptr [esi+0Ch]

SYMBOL_STACK_INDEX:  6

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: USBSTOR

IMAGE_NAME:  USBSTOR.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  41107d6c

SYMBOL_NAME:  USBSTOR!USBSTOR_FdoRemoveDevice+ac

STACK_COMMAND:  .cxr 0xfffffffff7a757b8 ; kb

FAILURE_BUCKET_ID:  0x7E_USBSTOR!USBSTOR_FdoRemoveDevice+ac

BUCKET_ID:  0x7E_USBSTOR!USBSTOR_FdoRemoveDevice+ac

Followup: MachineOwner
---------

0
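
To read the triage fields next to the call stack in a report like the one posted above, the following Python parser (an added example, not part of the original post) extracts the bugcheck, the last control transfer and the stack frames. `SAMPLE` is a constructed subset of the posted output, and `triage` and its result keys are names assumed for this example.

```python
import re

# Constructed sample: a subset of the !analyze -v output posted in the thread.
SAMPLE = """\
BUGCHECK_STR:  0x7E
LAST_CONTROL_TRANSFER:  from ef9b66ff to 00000000
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7a75b80 ef9b66ff 00000000 68627375 70646f52 0x0
f7a75bb0 ef9bd661 85fea7e0 8604a230 862c17b0 usbhub!USBH_PdoRemoveDevice+0x41
f7a75bd0 ef9b6952 85fea898 862c17b0 00000002 usbhub!USBH_PdoPnP+0x5b
f7a75bf4 ef9b41d8 01fea898 862c17b0 f7a75c28 usbhub!USBH_PdoDispatch+0x5a
f7a75c04 804edfe3 85fea7e0 862c17b0 862af638 usbhub!USBH_HubDispatch+0x48
f7a75c14 f7984db4 862af580 862af638 862c17b0 nt!IopfCallDriver+0x31
f7a75c28 f7986980 862af580 862c17b0 862c188c USBSTOR!USBSTOR_FdoRemoveDevice+0xac

SYMBOL_NAME:  USBSTOR!USBSTOR_FdoRemoveDevice+ac
"""

FIELD = re.compile(r"^([A-Z_]+):[ \t]*(.*)$")
# x86 kb line: ChildEBP, RetAddr, three argument words, then the symbol.
FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)$")


def triage(text):
    """Summarise an x86 !analyze -v report: key fields and the call chain."""
    fields, frames = {}, []
    for line in text.splitlines():
        frame = FRAME.match(line.rstrip())
        if frame:
            frames.append({"ret": frame.group(2), "symbol": frame.group(3)})
            continue
        field = FIELD.match(line.rstrip())
        if field:
            fields[field.group(1)] = field.group(2).strip()
    transfer = re.match(r"from (\w+) to (\w+)", fields.get("LAST_CONTROL_TRANSFER", ""))
    src, dst = transfer.groups() if transfer else (None, None)
    # Frames that resolved to module!symbol; the first is the code that made the call.
    named = [f["symbol"] for f in frames if "!" in f["symbol"]]
    return {
        "bugcheck": fields.get("BUGCHECK_STR"),
        "jump_target": dst,
        "transfer_matches_top_frame": bool(frames) and frames[0]["ret"] == src,
        "caller": named[0] if named else None,
        "followup_symbol": fields.get("SYMBOL_NAME"),
        "modules_on_stack": list(dict.fromkeys(s.split("!")[0] for s in named)),
    }
```

On the posted dump this reports usbhub!USBH_PdoRemoveDevice+0x41 as the caller of address 00000000 and USBSTOR!USBSTOR_FdoRemoveDevice+ac as the follow-up symbol named by the debugger.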
