Solved

I need help reading a minidump file.

Posted on 2009-04-28
Last Modified: 2012-05-06
I am using Windbg and here is what I get.

Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\jjohnson\Desktop\Minidump\Mini042709-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

WARNING: Whitespace at end of path element
Symbol search path is: Srv*c:\localsymbols*http://msdl.microsoft.com/download/symbols

Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.050301-1526
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8054f150
Debug session time: Mon Apr 27 18:19:01.323 2009 (GMT-7)
System Uptime: 0 days 7:47:17.925
Loading Kernel Symbols
...............................................................
................................................................
......
Loading User Symbols
Loading unloaded module list
........................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 804ee905, eef3a8d0, 0}

*** WARNING: Unable to verify timestamp for SYMTDI.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMTDI.SYS
Probably caused by : SYMTDI.SYS ( SYMTDI+13e46 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804ee905, The address that the exception occurred at
Arg3: eef3a8d0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!IopFreeIrp+41
804ee905 f00fc111        lock xadd dword ptr [ecx],edx

TRAP_FRAME:  eef3a8d0 -- (.trap 0xffffffffeef3a8d0)
ErrCode = 00000002
eax=ffdff120 ebx=00000001 ecx=000008e4 edx=00000001 esi=81bc7588 edi=8228faa0
eip=804ee905 esp=eef3a944 ebp=eef3a99c iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
nt!IopFreeIrp+0x41:
804ee905 f00fc111        lock xadd dword ptr [ecx],edx ds:0023:000008e4=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  explorer.exe

IRP_ADDRESS:  81bc7588

LAST_CONTROL_TRANSFER:  from 804f3b52 to 804ee905

STACK_TEXT:  
eef3a94c 804f3b52 81bc7588 81bc75c8 81d3d8e0 nt!IopFreeIrp+0x41
eef3a99c 804fcfbd 81bc75c8 eef3a9e8 eef3a9dc nt!IopCompleteRequest+0x316
eef3a9ec 806c0d40 00000000 00000000 eef3aa04 nt!KiDeliverApc+0xb1
eef3a9ec 806c0964 00000000 00000000 eef3aa04 hal!HalpApcInterrupt+0xb0
eef3aa74 804fa731 81bc75c8 81bc7588 00000000 hal!KeReleaseQueuedSpinLock+0x3c
eef3aa94 804f08fb 81bc75c8 8228faa0 00000000 nt!KeInsertQueueApc+0x6b
eef3aac8 efa068eb 80505a06 81bcc5f0 804ee9a8 nt!IopfCompleteRequest+0x1d7
eef3aae4 efa11b44 00bc7588 00000000 00000076 tcpip!TCPDataRequestComplete+0x9e
eef3ab04 efa11ac5 00000010 00000000 00000076 tcpip!TCPQueryInformationExComplete+0x62
eef3ab80 efa09aa2 81bc7588 81bc75f8 81bc75f8 tcpip!TCPQueryInformationEx+0x25d
eef3aba0 efa09a24 81bc7588 81bc75f8 81bc761c tcpip!TCPDispatchDeviceControl+0x1be
eef3abd8 804ee605 81fe6030 81bc7588 81bc7640 tcpip!TCPDispatch+0x127
eef3abe8 ef9dce46 81bc7588 82239940 81bc761c nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
eef3abfc ef9df71a 82239940 82239940 eef3ac30 SYMTDI+0x13e46
eef3ac0c ef9df7ea 82239940 81d3daf0 81ee6f38 SYMTDI+0x1671a
eef3ac30 ef9df8da 81fe4020 81bc7588 eef3ac64 SYMTDI+0x167ea
eef3ac40 804ee605 81fe4020 81bc7588 806c02cc SYMTDI+0x168da
eef3ac50 805694f4 81bc761c 8228faa0 81bc7588 nt!IopfCallDriver+0x31
eef3ac64 8056a218 81fe4020 81bc7588 8228faa0 nt!IopSynchronousServiceTail+0x5e
eef3ad00 805632aa 00000538 00000000 00000000 nt!IopXxxControlFile+0x5a6
eef3ad34 80534814 00000538 00000000 00000000 nt!NtDeviceIoControlFile+0x28
eef3ad34 7ffe0304 00000538 00000000 00000000 nt!KiSystemService+0xc9
0153f598 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4


STACK_COMMAND:  kb

FOLLOWUP_IP:
SYMTDI+13e46
ef9dce46 ??              ???

SYMBOL_STACK_INDEX:  d

SYMBOL_NAME:  SYMTDI+13e46

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SYMTDI

IMAGE_NAME:  SYMTDI.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  44d7c430

FAILURE_BUCKET_ID:  0x8E_SYMTDI+13e46

BUCKET_ID:  0x8E_SYMTDI+13e46

Followup: MachineOwner
---------

0: kd> !thread
GetPointerFromAddress: unable to read from 8054fb14
THREAD 81d3d8e0  Cid 06d4.0b68  Teb: 7ffac000 Win32Thread: e69f29f0 RUNNING on processor 0
Not impersonating
GetUlongFromAddress: unable to read from 8054fb24
Owning Process            0       Image:         <Unknown>
Attached Process          81db03b8       Image:         explorer.exe
ffdf0000: Unable to get shared data
Wait Start TickCount      1794427      
Context Switch Count      285589                 LargeStack
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x74b02ed6
Start Address 0x77e7d342
Stack Init eef3b000 Current eef3a788 Base eef3b000 Limit eef36000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child              
eef3a94c 804f3b52 81bc7588 81bc75c8 81d3d8e0 nt!IopFreeIrp+0x41 (FPO: [1,0,3])
eef3a99c 804fcfbd 81bc75c8 eef3a9e8 eef3a9dc nt!IopCompleteRequest+0x316 (FPO: [Non-Fpo])
eef3a9ec 806c0d40 00000000 00000000 eef3aa04 nt!KiDeliverApc+0xb1 (FPO: [Non-Fpo])
eef3a9ec 806c0964 00000000 00000000 eef3aa04 hal!HalpApcInterrupt+0xb0 (FPO: [0,2] TrapFrame @ eef3aa04)
eef3aa74 804fa731 81bc75c8 81bc7588 00000000 hal!KeReleaseQueuedSpinLock+0x3c (FPO: [0,0,0])
eef3aa94 804f08fb 81bc75c8 8228faa0 00000000 nt!KeInsertQueueApc+0x6b (FPO: [Non-Fpo])
eef3aac8 efa068eb 80505a06 81bcc5f0 804ee9a8 nt!IopfCompleteRequest+0x1d7 (FPO: [Non-Fpo])
eef3aae4 efa11b44 00bc7588 00000000 00000076 tcpip!TCPDataRequestComplete+0x9e (FPO: [Non-Fpo])
eef3ab04 efa11ac5 00000010 00000000 00000076 tcpip!TCPQueryInformationExComplete+0x62 (FPO: [Non-Fpo])
eef3ab80 efa09aa2 81bc7588 81bc75f8 81bc75f8 tcpip!TCPQueryInformationEx+0x25d (FPO: [Non-Fpo])
eef3aba0 efa09a24 81bc7588 81bc75f8 81bc761c tcpip!TCPDispatchDeviceControl+0x1be (FPO: [Non-Fpo])
eef3abd8 804ee605 81fe6030 81bc7588 81bc7640 tcpip!TCPDispatch+0x127 (FPO: [Non-Fpo])
eef3abe8 ef9dce46 81bc7588 82239940 81bc761c nt!IopfCallDriver+0x31 (FPO: [0,0,1])
WARNING: Stack unwind information not available. Following frames may be wrong.
eef3abfc ef9df71a 82239940 82239940 eef3ac30 SYMTDI+0x13e46
eef3ac0c ef9df7ea 82239940 81d3daf0 81ee6f38 SYMTDI+0x1671a
eef3ac30 ef9df8da 81fe4020 81bc7588 eef3ac64 SYMTDI+0x167ea
eef3ac40 804ee605 81fe4020 81bc7588 806c02cc SYMTDI+0x168da
eef3ac50 805694f4 81bc761c 8228faa0 81bc7588 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
eef3ac64 8056a218 81fe4020 81bc7588 8228faa0 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
eef3ad00 805632aa 00000538 00000000 00000000 nt!IopXxxControlFile+0x5a6 (FPO: [Non-Fpo])
eef3ad34 80534814 00000538 00000000 00000000 nt!NtDeviceIoControlFile+0x28 (FPO: [Non-Fpo])
eef3ad34 7ffe0304 00000538 00000000 00000000 nt!KiSystemService+0xc9 (FPO: [0,0] TrapFrame @ eef3ad64)
0153f598 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

0: kd> !process
GetPointerFromAddress: unable to read from 8054fb14
PROCESS 81db03b8  SessionId: none  Cid: 06d4    Peb: 7ffdf000  ParentCid: 0354
    DirBase: 1cdaf000  ObjectTable: e69bc488  HandleCount: <Data Not Accessible>
    Image: explorer.exe
    VadRoot 81d3f1c0 Vads 232 Clone 0 Private 2806. Modified 4396. Locked 0.
    DeviceMap e662ce80
    Token                             e69b4870
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
ffdf0000: Unable to get shared data
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         67116
    QuotaPoolUsage[NonPagedPool]      13472
    Working Set Sizes (now,min,max)  (3382, 50, 345) (13528KB, 200KB, 1380KB)
    PeakWorkingSetSize                5343
    VirtualSize                       70 Mb
    PeakVirtualSize                   82 Mb
    PageFaultCount                    48171
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      3308

        *** Error in reading nt!_ETHREAD @ 81db08e0

0: kd> kvn
 # ChildEBP RetAddr  Args to Child              
00 eef3a94c 804f3b52 81bc7588 81bc75c8 81d3d8e0 nt!IopFreeIrp+0x41 (FPO: [1,0,3])
01 eef3a99c 804fcfbd 81bc75c8 eef3a9e8 eef3a9dc nt!IopCompleteRequest+0x316 (FPO: [Non-Fpo])
02 eef3a9ec 806c0d40 00000000 00000000 eef3aa04 nt!KiDeliverApc+0xb1 (FPO: [Non-Fpo])
03 eef3a9ec 806c0964 00000000 00000000 eef3aa04 hal!HalpApcInterrupt+0xb0 (FPO: [0,2] TrapFrame @ eef3aa04)
04 eef3aa74 804fa731 81bc75c8 81bc7588 00000000 hal!KeReleaseQueuedSpinLock+0x3c (FPO: [0,0,0])
05 eef3aa94 804f08fb 81bc75c8 8228faa0 00000000 nt!KeInsertQueueApc+0x6b (FPO: [Non-Fpo])
06 eef3aac8 efa068eb 80505a06 81bcc5f0 804ee9a8 nt!IopfCompleteRequest+0x1d7 (FPO: [Non-Fpo])
07 eef3aae4 efa11b44 00bc7588 00000000 00000076 tcpip!TCPDataRequestComplete+0x9e (FPO: [Non-Fpo])
08 eef3ab04 efa11ac5 00000010 00000000 00000076 tcpip!TCPQueryInformationExComplete+0x62 (FPO: [Non-Fpo])
09 eef3ab80 efa09aa2 81bc7588 81bc75f8 81bc75f8 tcpip!TCPQueryInformationEx+0x25d (FPO: [Non-Fpo])
0a eef3aba0 efa09a24 81bc7588 81bc75f8 81bc761c tcpip!TCPDispatchDeviceControl+0x1be (FPO: [Non-Fpo])
0b eef3abd8 804ee605 81fe6030 81bc7588 81bc7640 tcpip!TCPDispatch+0x127 (FPO: [Non-Fpo])
0c eef3abe8 ef9dce46 81bc7588 82239940 81bc761c nt!IopfCallDriver+0x31 (FPO: [0,0,1])
WARNING: Stack unwind information not available. Following frames may be wrong.
0d eef3abfc ef9df71a 82239940 82239940 eef3ac30 SYMTDI+0x13e46
0e eef3ac0c ef9df7ea 82239940 81d3daf0 81ee6f38 SYMTDI+0x1671a
0f eef3ac30 ef9df8da 81fe4020 81bc7588 eef3ac64 SYMTDI+0x167ea
10 eef3ac40 804ee605 81fe4020 81bc7588 806c02cc SYMTDI+0x168da
11 eef3ac50 805694f4 81bc761c 8228faa0 81bc7588 nt!IopfCallDriver+0x31 (FPO: [0,0,1])
12 eef3ac64 8056a218 81fe4020 81bc7588 8228faa0 nt!IopSynchronousServiceTail+0x5e (FPO: [Non-Fpo])
13 eef3ad00 805632aa 00000538 00000000 00000000 nt!IopXxxControlFile+0x5a6 (FPO: [Non-Fpo])
0: kd> lm t n SYMTDI
Unknown option 'S'
Unknown option 'Y'
start    end        module name
Question by:scdiver1

Assisted Solution

by:jbizzle979
jbizzle979 earned 60 total points
ID: 24254990
CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  explorer.exe

IRP_ADDRESS:  81bc7588

LAST_CONTROL_TRANSFER:  from 804f3b52 to 804ee905

IMAGE_NAME:  SYMTDI.SYS


This is telling you that explorer.exe has crashed due to an error with symtdi.sys and the string where the crash occurred was 0x8E.

Author Comment

by:scdiver1
ID: 24255138
I figured that much out, but what/where do I need to go to correct this or get more information?  I know explorer.exe is a Windows file and symtdi is a Symantec file.  If I re-install Symantec, will this solve the problem?

This is my first real troubleshooting with dump files.

Expert Comment

by:jbizzle979
ID: 24255174
That is a valid step in the right direction.

Author Comment

by:scdiver1
ID: 24255189
I agree, but what next?

Accepted Solution

by:
nobus earned 1440 total points
ID: 24258019
Try running the removal tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
Then test again.
If OK, reinstall.
0
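
One way to pull the triage-relevant fields out of the `!analyze -v` text posted in the question, as an added example that is not part of the original thread: it reports the module of the top (faulting) frame, the access type and address from the trap frame, and the first non-OS module on the stack together with whether that frame sits below the unwind warning. The `OS_MODULES` set and the 64 KB near-NULL threshold are assumptions of this sketch.

```python
import re

# Lines excerpted from the !analyze -v output in the question (trimmed).
SAMPLE = """\
BugCheck 1000008E, {c0000005, 804ee905, eef3a8d0, 0}
ErrCode = 00000002
804ee905 f00fc111        lock xadd dword ptr [ecx],edx ds:0023:000008e4=????????
STACK_TEXT:
eef3a94c 804f3b52 81bc7588 81bc75c8 81d3d8e0 nt!IopFreeIrp+0x41
eef3abd8 804ee605 81fe6030 81bc7588 81bc7640 tcpip!TCPDispatch+0x127
eef3abe8 ef9dce46 81bc7588 82239940 81bc761c nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
eef3abfc ef9df71a 82239940 82239940 eef3ac30 SYMTDI+0x13e46
eef3ac50 805694f4 81bc761c 8228faa0 81bc7588 nt!IopfCallDriver+0x31
"""

# Assumption: modules counted as OS components for this dump; extend as needed.
OS_MODULES = {"nt", "hal", "tcpip", "shareduserdata"}
# Optional kvn frame number, five hex columns, then module!symbol or module+offset.
FRAME = re.compile(r"(?:[0-9a-f]{2} )?(?:[0-9a-f]{8} ){5}(\w+)[!+]", re.I)

def triage(text):
    """Summarise a 0x8E bugcheck: what faulted, how, and who else is on the stack."""
    r = {"top_module": None, "third_party": None, "third_party_frame_reliable": None}
    m = re.search(r"BugCheck ([0-9a-f]+), \{([0-9a-f]+),", text, re.I)
    if m:
        r["bugcheck"] = int(m.group(1), 16) & 0x0FFFFFFF  # 1000008E is the _M form of 0x8E
        r["exception"] = int(m.group(2), 16)
    m = re.search(r"ErrCode = ([0-9a-f]+)", text, re.I)
    if m:  # x86 page-fault error code: bit 1 set means the faulting access was a write
        r["access"] = "write" if int(m.group(1), 16) & 2 else "read"
    m = re.search(r"[c-gs]s:[0-9a-f]{4}:([0-9a-f]{8})=", text, re.I)
    if m:  # heuristic: an address under 64 KB usually means NULL plus a field offset
        r["fault_addr"] = int(m.group(1), 16)
        r["near_null"] = r["fault_addr"] < 0x10000
    warned = False
    for line in text.splitlines():
        if "Stack unwind information not available" in line:
            warned = True
        f = FRAME.match(line)
        if not f:
            continue
        mod = f.group(1)
        r["top_module"] = r["top_module"] or mod
        if r["third_party"] is None and mod.lower() not in OS_MODULES:
            r["third_party"] = mod
            r["third_party_frame_reliable"] = not warned
    return r
```

For the posted dump, `triage(SAMPLE)` reports a write to 0x8e4 from a frame in `nt`, with SYMTDI as the first third-party module and its frame marked unreliable because it follows the unwind warning.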
