occ_user
Can someone analyze this dmp file?
I have a user with an HP nc8230 laptop. Worked fine until today when he closed Windows Media Player and system rebooted. He had MS Word open and after the reboot he could not maximize the file from the tray. He was also working from an additional monitor so I got him to change a few settings and then the Word file was ok and he was able to view normally.
I checked the event viewer and there was a system error. Ran the debugger tool and got the following. Any idea of what the problem is?
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Mini061608-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805533a0
Debug session time: Mon Jun 16 09:50:53.734 2008 (GMT-3)
System Uptime: 10 days 19:32:29.981
Loading Kernel Symbols
........................................................................................................................................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000007E, {c0000005, 806d0753, f6bc5c28, f6bc5924}
Probably caused by : ntkrnlpa.exe ( nt!FsRtlRemovePerStreamContext+1e )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 806d0753, The address that the exception occurred at
Arg3: f6bc5c28, Exception Record Address
Arg4: f6bc5924, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
hal!ExAcquireFastMutex+f
806d0753 ff09 dec dword ptr [ecx]
EXCEPTION_RECORD: f6bc5c28 -- (.exr 0xfffffffff6bc5c28)
ExceptionAddress: 806d0753 (hal!ExAcquireFastMutex+0x0000000f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00300039
Attempt to write to address 00300039
CONTEXT: f6bc5924 -- (.cxr 0xfffffffff6bc5924)
eax=0000003d ebx=87fa3264 ecx=00300039 edx=f6bc5d20 esi=e628fb18 edi=8965be58
eip=806d0753 esp=f6bc5cf0 ebp=f6bc5d00 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
hal!ExAcquireFastMutex+0xf:
806d0753 ff09 dec dword ptr [ecx] ds:0023:00300039=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
WRITE_ADDRESS: 00300039
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from 804ec8b4 to 806d0753
STACK_TEXT:
f6bc5cec 804ec8b4 8965be58 87fa3264 8965be50 hal!ExAcquireFastMutex+0xf
f6bc5d00 f72c3808 e628fb18 87fa3008 e628fb18 nt!FsRtlRemovePerStreamContext+0x1e
f6bc5d2c f72c4d56 87fa3008 89662ad8 87cd0cd8 fltMgr!FltpDeleteAllStreamListCtrls+0x62
f6bc5d48 f72b75f7 87fa308c 00000008 89662ad8 fltMgr!FltpFreeVolume+0xa4
f6bc5d60 f72bb34e 87cd0cd8 00000008 8055a3fc fltMgr!FltpCleanupDeviceObject+0x61
f6bc5d74 80533fe6 89662ad8 00000000 898a8b30 fltMgr!FltpFastIoDetachDeviceWorker+0x14
f6bc5dac 805c4cce 89662ad8 00000000 00000000 nt!ExpWorkerThread+0x100
f6bc5ddc 805411c2 80533ee6 80000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
nt!FsRtlRemovePerStreamContext+1e
804ec8b4 8b5510 mov edx,dword ptr [ebp+10h]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!FsRtlRemovePerStreamContext+1e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9c
STACK_COMMAND: .cxr 0xfffffffff6bc5924 ; kb
FAILURE_BUCKET_ID: 0x7E_nt!FsRtlRemovePerStreamContext+1e
BUCKET_ID: 0x7E_nt!FsRtlRemovePerStreamContext+1e
Followup: MachineOwner
---------
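Added example, not part of the original post and not a WinDbg feature: a Python script that pulls the triage facts out of an x86 `!analyze -v` log like the one above (bugcheck code, the bad pointer, which register held it, and the modules on the stack). The helper `triage`, the constant `KERNEL_SPACE_START` and the UTF-16 heuristic are assumptions made for this illustration; the sample is constructed from lines of the posted output.

```python
import re

# Constructed sample: key lines copied from the !analyze -v output quoted above.
SAMPLE = """\
BugCheck 1000007E, {c0000005, 806d0753, f6bc5c28, f6bc5924}
eax=0000003d ebx=87fa3264 ecx=00300039 edx=f6bc5d20 esi=e628fb18 edi=8965be58
WRITE_ADDRESS: 00300039
STACK_TEXT:
f6bc5cec 804ec8b4 8965be58 87fa3264 8965be50 hal!ExAcquireFastMutex+0xf
f6bc5d00 f72c3808 e628fb18 87fa3008 e628fb18 nt!FsRtlRemovePerStreamContext+0x1e
f6bc5d2c f72c4d56 87fa3008 89662ad8 87cd0cd8 fltMgr!FltpDeleteAllStreamListCtrls+0x62
f6bc5d48 f72b75f7 87fa308c 00000008 89662ad8 fltMgr!FltpFreeVolume+0xa4
f6bc5dac 805c4cce 89662ad8 00000000 00000000 nt!ExpWorkerThread+0x100
"""

# Assumption: default 2 GB user / 2 GB kernel split of 32-bit Windows (no /3GB).
KERNEL_SPACE_START = 0x80000000

def triage(text):
    """Summarise an x86 '!analyze -v' log (hypothetical helper, not a WinDbg API)."""
    code, args = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text).groups()
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    addr = int(re.search(r"^(?:READ|WRITE)_ADDRESS:\s+([0-9a-f]+)", text, re.M).group(1), 16)
    frames = re.findall(r"^(?:[0-9a-f]{8} ){5}(\w+)!(\S+?)\+0x[0-9a-f]+$", text, re.M)
    # Heuristic: a "pointer" whose four bytes decode to printable ASCII as UTF-16LE
    # was probably overwritten by string data rather than being a stale address.
    as_text = addr.to_bytes(4, "little").decode("utf-16-le", errors="replace")
    return {
        "bugcheck": int(code, 16),
        "exception_code": int(args.split(",")[0], 16),
        "bad_address": addr,
        "below_kernel_space": addr < KERNEL_SPACE_START,
        "registers_holding_it": sorted(r for r, v in regs.items() if v == addr),
        "utf16_text": as_text if as_text.isascii() and as_text.isprintable() else None,
        "stack_modules": list(dict.fromkeys(mod for mod, _ in frames)),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value!r}")
```

On this dump it reports that `ecx` held the bad address 00300039 and that those bytes read as the UTF-16 text "90", which is consistent with the mutex pointer having been overwritten in memory rather than with a defect in `hal` or `nt` themselves.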
ASKER
authen-tech, I do have other systems of the same model that I could swap RAM with so that may be an option.
Makaveli213, I think I will try that MemTest86 tonight and see what happens.
Thanks!
ASKER
Does anyone know what ntkrnlpa.exe is?
I stated in the beginning of my last response. It is the Kernel for Windows.
ntkrnlpa.exe - ntkrnlpa process information
Process name: NT Kernel & System
http://www.liutilities.com/products/wintaskspro/processlibrary/ntkrnlpa/
It is a mandatory file. Even more so than explorer.exe which is the user interface. Without the Kernel Windows can not even load, like you see. The Kernel is the heart of the Operating System.
ASKER
Ran the Memtest without any errors.
Then I would suggest trying to do a repair install. I gave a link to specific instructions in my first response.
ASKER
Don't know if the repair worked or not. No crash since.
I doubt it...but hope it helps.