Can someone analyze this dmp file?

Posted on 2008-06-16
Last Modified: 2012-05-05
I have a user with a HP nc8230 laptop. Worked fine until today when he closed Windows Media Player and system rebooted. He had MS Word open and after the reboot he could not maximize the file from the tray. He was also working from an addtional monitor so I got him to change a few settings and then the word file was ok and he was able to view normally.

I checked the event viewer and there was a system error. Ran the debugger tool and got the following. Any idea of what the problem is?

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Mini061608-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805533a0
Debug session time: Mon Jun 16 09:50:53.734 2008 (GMT-3)
System Uptime: 10 days 19:32:29.981
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 806d0753, f6bc5c28, f6bc5924}

Probably caused by : ntkrnlpa.exe ( nt!FsRtlRemovePerStreamContext+1e )

Followup: MachineOwner

kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
Arg1: c0000005, The exception code that was not handled
Arg2: 806d0753, The address that the exception occurred at
Arg3: f6bc5c28, Exception Record Address
Arg4: f6bc5924, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

806d0753 ff09            dec     dword ptr [ecx]

EXCEPTION_RECORD:  f6bc5c28 -- (.exr 0xfffffffff6bc5c28)
ExceptionAddress: 806d0753 (hal!ExAcquireFastMutex+0x0000000f)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00300039
Attempt to write to address 00300039

CONTEXT:  f6bc5924 -- (.cxr 0xfffffffff6bc5924)
eax=0000003d ebx=87fa3264 ecx=00300039 edx=f6bc5d20 esi=e628fb18 edi=8965be58
eip=806d0753 esp=f6bc5cf0 ebp=f6bc5d00 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
806d0753 ff09            dec     dword ptr [ecx]      ds:0023:00300039=????????
Resetting default scope




ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

WRITE_ADDRESS:  00300039


LAST_CONTROL_TRANSFER:  from 804ec8b4 to 806d0753

f6bc5cec 804ec8b4 8965be58 87fa3264 8965be50 hal!ExAcquireFastMutex+0xf
f6bc5d00 f72c3808 e628fb18 87fa3008 e628fb18 nt!FsRtlRemovePerStreamContext+0x1e
f6bc5d2c f72c4d56 87fa3008 89662ad8 87cd0cd8 fltMgr!FltpDeleteAllStreamListCtrls+0x62
f6bc5d48 f72b75f7 87fa308c 00000008 89662ad8 fltMgr!FltpFreeVolume+0xa4
f6bc5d60 f72bb34e 87cd0cd8 00000008 8055a3fc fltMgr!FltpCleanupDeviceObject+0x61
f6bc5d74 80533fe6 89662ad8 00000000 898a8b30 fltMgr!FltpFastIoDetachDeviceWorker+0x14
f6bc5dac 805c4cce 89662ad8 00000000 00000000 nt!ExpWorkerThread+0x100
f6bc5ddc 805411c2 80533ee6 80000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

804ec8b4 8b5510          mov     edx,dword ptr [ebp+10h]


SYMBOL_NAME:  nt!FsRtlRemovePerStreamContext+1e

FOLLOWUP_NAME:  MachineOwner


IMAGE_NAME:  ntkrnlpa.exe


STACK_COMMAND:  .cxr 0xfffffffff6bc5924 ; kb

FAILURE_BUCKET_ID:  0x7E_nt!FsRtlRemovePerStreamContext+1e

BUCKET_ID:  0x7E_nt!FsRtlRemovePerStreamContext+1e

Followup: MachineOwner

Question by:occ_user
  • 4
  • 3

Expert Comment

ID: 21799104
I officially have no idea about this stuff:  So why am I posting?  I found someone else with your problem and they narrowed it down to a memory problem.  Replacing the machines ram seemed to fix it.  Worth a try?  Got a similar system you can just swap memory with?  

I doubt it...but hope it helps.

Accepted Solution

Makaveli213 earned 250 total points
ID: 21799409
IMAGE_NAME:  ntkrnlpa.exe

That is what failed.  That is your Kernel for Windows.  I also seen a few Memory Errors as well.

The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

My first suggestion is to run MemTest86.

Download the LiveCD burn it and run it for at least 4 hours to see if you get any errors.  If not then the RAM is fine.  

After that you will have to do a repair install of Windows XP with the CD to reapir the Kernel issue.

Author Comment

ID: 21801926
authen-tech, I do have other systems of the same model that I could swap RAM with so that may be an option.

Makaveli213, I think I will try that MemTest86 tonight and see what happens.


Author Comment

ID: 21801978
Does anyone know what ntkrnlpa.exe is?
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.


Expert Comment

ID: 21802033
I stated in teh beginning of my last response.  It is the Kernel for Windows.

ntkrnlpa.exe - ntkrnlpa process information
Process name: NT Kernel & System

It is a mandatory file.  Even more so than explorer.exe which is the user interface.  Without the Kernel Windows can not even load, like you see.  The Kernel is the heart of the Operating System.

Author Comment

ID: 21806886
Ran the Memtest without any errors.

Expert Comment

ID: 21807201
Then i would suggest trying to do a repair install.  I gave a link to specific instructions in my first response.

Author Comment

ID: 21933467
Don't know if the repair worked or not. No crash since.

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Ok I have been working on this for some time having learned and gained certification in XenDesktop 4 along came version 5 which was released last month. Since then I have been working to deploy XenDesktop 5 in a small environment with only 2 virt…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now