• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 511
  • Last Modified:

Can someone analyze this dmp file?

I have a user with a HP nc8230 laptop. Worked fine until today when he closed Windows Media Player and system rebooted. He had MS Word open and after the reboot he could not maximize the file from the tray. He was also working from an addtional monitor so I got him to change a few settings and then the word file was ok and he was able to view normally.

I checked the event viewer and there was a system error. Ran the debugger tool and got the following. Any idea of what the problem is?

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Mini061608-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805533a0
Debug session time: Mon Jun 16 09:50:53.734 2008 (GMT-3)
System Uptime: 10 days 19:32:29.981
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 806d0753, f6bc5c28, f6bc5924}

Probably caused by : ntkrnlpa.exe ( nt!FsRtlRemovePerStreamContext+1e )

Followup: MachineOwner

kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
Arg1: c0000005, The exception code that was not handled
Arg2: 806d0753, The address that the exception occurred at
Arg3: f6bc5c28, Exception Record Address
Arg4: f6bc5924, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

806d0753 ff09            dec     dword ptr [ecx]

EXCEPTION_RECORD:  f6bc5c28 -- (.exr 0xfffffffff6bc5c28)
ExceptionAddress: 806d0753 (hal!ExAcquireFastMutex+0x0000000f)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00300039
Attempt to write to address 00300039

CONTEXT:  f6bc5924 -- (.cxr 0xfffffffff6bc5924)
eax=0000003d ebx=87fa3264 ecx=00300039 edx=f6bc5d20 esi=e628fb18 edi=8965be58
eip=806d0753 esp=f6bc5cf0 ebp=f6bc5d00 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
806d0753 ff09            dec     dword ptr [ecx]      ds:0023:00300039=????????
Resetting default scope




ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

WRITE_ADDRESS:  00300039


LAST_CONTROL_TRANSFER:  from 804ec8b4 to 806d0753

f6bc5cec 804ec8b4 8965be58 87fa3264 8965be50 hal!ExAcquireFastMutex+0xf
f6bc5d00 f72c3808 e628fb18 87fa3008 e628fb18 nt!FsRtlRemovePerStreamContext+0x1e
f6bc5d2c f72c4d56 87fa3008 89662ad8 87cd0cd8 fltMgr!FltpDeleteAllStreamListCtrls+0x62
f6bc5d48 f72b75f7 87fa308c 00000008 89662ad8 fltMgr!FltpFreeVolume+0xa4
f6bc5d60 f72bb34e 87cd0cd8 00000008 8055a3fc fltMgr!FltpCleanupDeviceObject+0x61
f6bc5d74 80533fe6 89662ad8 00000000 898a8b30 fltMgr!FltpFastIoDetachDeviceWorker+0x14
f6bc5dac 805c4cce 89662ad8 00000000 00000000 nt!ExpWorkerThread+0x100
f6bc5ddc 805411c2 80533ee6 80000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

804ec8b4 8b5510          mov     edx,dword ptr [ebp+10h]


SYMBOL_NAME:  nt!FsRtlRemovePerStreamContext+1e

FOLLOWUP_NAME:  MachineOwner


IMAGE_NAME:  ntkrnlpa.exe


STACK_COMMAND:  .cxr 0xfffffffff6bc5924 ; kb

FAILURE_BUCKET_ID:  0x7E_nt!FsRtlRemovePerStreamContext+1e

BUCKET_ID:  0x7E_nt!FsRtlRemovePerStreamContext+1e

Followup: MachineOwner

  • 4
  • 3
1 Solution
I officially have no idea about this stuff:  So why am I posting?  I found someone else with your problem and they narrowed it down to a memory problem.  Replacing the machines ram seemed to fix it.  Worth a try?  Got a similar system you can just swap memory with?  

I doubt it...but hope it helps.
IMAGE_NAME:  ntkrnlpa.exe

That is what failed.  That is your Kernel for Windows.  I also seen a few Memory Errors as well.

The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

My first suggestion is to run MemTest86.


Download the LiveCD burn it and run it for at least 4 hours to see if you get any errors.  If not then the RAM is fine.  

After that you will have to do a repair install of Windows XP with the CD to reapir the Kernel issue.

occ_userAuthor Commented:
authen-tech, I do have other systems of the same model that I could swap RAM with so that may be an option.

Makaveli213, I think I will try that MemTest86 tonight and see what happens.

Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.

occ_userAuthor Commented:
Does anyone know what ntkrnlpa.exe is?
I stated in teh beginning of my last response.  It is the Kernel for Windows.

ntkrnlpa.exe - ntkrnlpa process information
Process name: NT Kernel & System


It is a mandatory file.  Even more so than explorer.exe which is the user interface.  Without the Kernel Windows can not even load, like you see.  The Kernel is the heart of the Operating System.
occ_userAuthor Commented:
Ran the Memtest without any errors.
Then i would suggest trying to do a repair install.  I gave a link to specific instructions in my first response.
occ_userAuthor Commented:
Don't know if the repair worked or not. No crash since.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now