Solved

Please help analyzing minidump

Posted on 2010-08-30
Last Modified: 2013-11-17
Hi

I have an HP Elitebook 2530p WinXP Pro SP3. I already had BSODs on this machine a few weeks ago. After I installed an older graphics driver, the problem was fixed.

Now it crashed again and created the minidump attached. Could someone please help me analyze the dump file?

Thanks and best regards!
Mini082910-01.dmp.txt
0
Question by:marcus_w
26 Comments
 
LVL 3

Expert Comment

by:Willy Van den Houten
ID: 33556939
I use Bluescreenviewer

I att. you have the zipped program
0
 
LVL 3

Expert Comment

by:Willy Van den Houten
ID: 33556946
Problem to get the attachment inside.

Here is the URL

http://www.nirsoft.net/utils/blue_screen_view.html
0
 

Author Comment

by:marcus_w
ID: 33556958
Thanks for replying!

I already used bluescreen viewer to view the file, but my problem is that I still don't know what to do.
0
 
LVL 3

Expert Comment

by:Willy Van den Houten
ID: 33557019
You should right-click and check the properties.

IRQL_NOT_LESS_OR_EQUAL

Parameters

0x1000000a
0x00000000

etc.

Check Google

Possibly you have faulty hardware...


0
 
LVL 23

Expert Comment

by:edbedb
ID: 33557226
Has it crashed just this one time since replacing the display adapter?
0
 

Author Comment

by:marcus_w
ID: 33557272
It was running without any crash for a few weeks now. Then yesterday it crashed about 4 times but I found only this one minidump file on c:\windows.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 33557294
Check the system logs in the Event Viewer for errors.
Click Start then Run and enter this command
Eventvwr.msc
0
 
LVL 3

Expert Comment

by:Willy Van den Houten
ID: 33557419
It could be a:

- hardware problem -> mostly faulty RAM
- driver problem
- virus problem: check with http://onecare.live.com/site/en-us/default.htm
0
 
LVL 3

Expert Comment

by:Willy Van den Houten
ID: 33557541
I saw also 3 TM files pointing to Trend Micro Software.

I think the problem came from your officescan Trend Micro Software

tmactmon.sys
tmevtmgr.sys
tmcomm.sys

Try upgrading your software to the latest version
0
 

Author Comment

by:marcus_w
ID: 33557595
Ok I will check the system log and will let you know what I found there.
Trend Micro already runs with the latest version.
0
 
LVL 6

Accepted Solution

by:
che6ausc earned 500 total points
ID: 33557608
The problem is your keyboard driver  HpqKbFiltr.sys.  It is not playing well with the Microsoft keyboard class driver kbdclass.sys.  See if you can find an updated driver on the HP site.

As an alternative try another keyboard.


Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {0, 1c, 1, 80502cd6}

Unable to load image HpqKbFiltr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for HpqKbFiltr.sys
*** ERROR: Module load completed but symbols could not be loaded for HpqKbFiltr.sys
Probably caused by : kbdclass.sys ( kbdclass!KeyboardClassServiceCallback+182 )

0: kd> lmvm kbdclass
start    end        module name
ba3f0000 ba3f6000   kbdclass # (pdb symbols)          c:\websymbols\kbdclass.pdb\227A15B4C380417181684895714317F31\kbdclass.pdb
    Loaded symbol image file: kbdclass.sys
    Mapped memory image file: c:\websymbols\kbdclass.sys\480253726000\kbdclass.sys
    Image path: kbdclass.sys
    Image name: kbdclass.sys
    Timestamp:        Sun Apr 13 14:39:46 2008 (48025372)
    CheckSum:         00011FF4
    ImageSize:        00006000
    File version:     5.1.2600.5512
    Product version:  5.1.2600.5512
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0405.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Operacní systém Microsoft® Windows®
    InternalName:     kbdclass.sys
    OriginalFilename: kbdclass.sys
    ProductVersion:   5.1.2600.5512
    FileVersion:      5.1.2600.5512 (xpsp.080413-2108)
    FileDescription:  Keyboard Class Driver
    LegalCopyright:   © Microsoft Corporation. Všechna práva vyhrazena.

0
 
LVL 6

Expert Comment

by:che6ausc
ID: 33557652
0
 

Author Comment

by:marcus_w
ID: 33557653
That's the driver choice on hp.com (see picture).
2530p-hp-drivers-xp.jpg
0

 

Author Comment

by:marcus_w
ID: 33557676
Well I think I have already the newest versions of these drivers but I can give it a try anyway. So you think I should install the 4 drivers above which had a previous version, right?
0
 
LVL 6

Expert Comment

by:che6ausc
ID: 33557702
The driver in question (HpqKbFiltr.sys) has a timestamp of June 18, 2007. See code box. From a Google search, this is the HP quick launch button driver, which has an update dated June 18, 2010.

0: kd> lmvm HpqKbFiltr.sys
start    end        module name
0: kd> lmvm HpqKbFiltr
start    end        module name
ba3e0000 ba3e4180   HpqKbFiltr T (no symbols)
    Loaded symbol image file: HpqKbFiltr.sys
    Image path: HpqKbFiltr.sys
    Image name: HpqKbFiltr.sys
    Timestamp:        Mon Jun 18 18:12:03 2007 (46770333)
    CheckSum:         0000FCCA
    ImageSize:        00004180
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

0
 
LVL 6

Expert Comment

by:che6ausc
ID: 33557739
It shouldn't hurt to update all the keyboard drivers. You can roll back if you encounter any additional problems, but HpqKbFiltr.sys was cited in the dump.
0
 

Author Comment

by:marcus_w
ID: 33557895
That's really strange with this 2007 time stamp because I updated the notebook drivers just a few months ago and even the previous version was from 2010. But ok, I will now update these drivers again.
0
 

Author Comment

by:marcus_w
ID: 33557923
I meant weeks ago, not months ago ;-)
0
 
LVL 3

Expert Comment

by:Willy Van den Houten
ID: 33557963
The latest dumps from Trend Micro are from 19/07/2010, so I think I was right.

There is a solution from Trend Micro concerning these files
0
 
LVL 3

Expert Comment

by:Willy Van den Houten
ID: 33558141
Maybe your PC was infected with a Smitfraud variant, causing these problems with Trend Micro.
0
 

Author Comment

by:marcus_w
ID: 33558225
I updated now the drivers mentioned above.
In the system log I could not find anything special.

@wvdhoute: I tried to check with http://onecare.live.com/site/en-us/default.htm but it didn't work. I am now running a full system scan with TM office scan.
 
0
 
LVL 3

Expert Comment

by:Willy Van den Houten
ID: 33558883
If you received a blank page on that one, that could be a virus.

Same if you go to windows update site

It's a property of an infection to not let you on update sites and virus scan sites.

You could also try Malware Bytes to check your PC.
0
 

Author Comment

by:marcus_w
ID: 33558957
No, that's not the case. I got a Microsoft error message that something went wrong and I should try later. But I then tried it also on another PC with the same result.
0
 
LVL 6

Expert Comment

by:che6ausc
ID: 33559295
wvdhoute,

Bluescreenview often is contrary to Windbg as far as citing drivers.  Which is why most people who analyze dumps do not use it.

There is no indication from the analysis of the dump using Windbg that Trend Micro is involved at all.

marcus_w,

If you incur another BSOD, upload the minidump for analysis.
Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {0, 1c, 1, 80502cd6}

Unable to load image HpqKbFiltr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for HpqKbFiltr.sys
*** ERROR: Module load completed but symbols could not be loaded for HpqKbFiltr.sys
Probably caused by : kbdclass.sys ( kbdclass!KeyboardClassServiceCallback+182 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80502cd6, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  00000000 

CURRENT_IRQL:  1c

FAULTING_IP: 
nt!KiUnlinkThread+c
80502cd6 8916            mov     dword ptr [esi],edx

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  Idle

LAST_CONTROL_TRANSFER:  from 80502d38 to 80502cd6

STACK_TEXT:  
80551304 80502d38 89dfeda8 00000000 00000100 nt!KiUnlinkThread+0xc
80551318 804ffb07 00000006 00000000 00000006 nt!KiUnwaitThread+0x12
8055132c 804fc4db 845d6750 845d6710 00000000 nt!KiInsertQueueApc+0x14f
8055134c 804f17f6 845d6750 89dbfc18 00000000 nt!KeInsertQueueApc+0x51
80551380 ba3f1314 00000000 89d22c42 8a131680 nt!IopfCompleteRequest+0x1d8
8055139c ba3e098e 0000000c 89d22c40 845d6858 kbdclass!KeyboardClassServiceCallback+0x182
WARNING: Stack unwind information not available. Following frames may be wrong.
805513c4 b94ca712 00000001 89d22c34 89d22c40 HpqKbFiltr+0x98e
80551428 80545ebf 8a036284 01036020 00000000 i8042prt!I8042KeyboardIsrDpc+0xf0
80551450 80545da4 00000000 0000000e 00000000 nt!KiRetireDpcList+0x61
80551454 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x28


STACK_COMMAND:  kb

FOLLOWUP_IP: 
kbdclass!KeyboardClassServiceCallback+182
ba3f1314 6a18            push    18h

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  kbdclass!KeyboardClassServiceCallback+182

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: kbdclass

IMAGE_NAME:  kbdclass.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  48025372

FAILURE_BUCKET_ID:  0xA_kbdclass!KeyboardClassServiceCallback+182

BUCKET_ID:  0xA_kbdclass!KeyboardClassServiceCallback+182

Followup: MachineOwner
---------


0
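The stack reading done by hand in the answers above, as an added example that is not part of the original thread: it parses the quoted `!analyze -v` lines, decodes the bugcheck 0xA arguments, and reports the blamed frame, the frame that called into it, and any module without symbols. The function names are hypothetical and the sample is constructed from lines quoted on this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines copied from the !analyze -v output quoted in the thread.
SAMPLE = """\
BugCheck 1000000A, {0, 1c, 1, 80502cd6}
STACK_TEXT:
80551304 80502d38 89dfeda8 00000000 00000100 nt!KiUnlinkThread+0xc
80551318 804ffb07 00000006 00000000 00000006 nt!KiUnwaitThread+0x12
8055132c 804fc4db 845d6750 845d6710 00000000 nt!KiInsertQueueApc+0x14f
8055134c 804f17f6 845d6750 89dbfc18 00000000 nt!KeInsertQueueApc+0x51
80551380 ba3f1314 00000000 89d22c42 8a131680 nt!IopfCompleteRequest+0x1d8
8055139c ba3e098e 0000000c 89d22c40 845d6858 kbdclass!KeyboardClassServiceCallback+0x182
WARNING: Stack unwind information not available. Following frames may be wrong.
805513c4 b94ca712 00000001 89d22c34 89d22c40 HpqKbFiltr+0x98e
SYMBOL_STACK_INDEX:  5
"""

FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$")

def parse_bugcheck(text):
    """Decode the four bugcheck 0xA arguments as labelled in the dump."""
    m = re.search(r"BugCheck (\w+), \{(\w+), (\w+), (\w+), (\w+)\}", text)
    code, addr, irql, bits, ip = (int(g, 16) for g in m.groups())
    return {"code": code, "address": addr, "irql": irql,
            "write": bool(bits & 1), "execute": bool(bits & 8), "ip": ip}

def parse_stack(text):
    """Return one dict per frame: module, has_symbols, unreliable."""
    frames, warned = [], False
    for line in text.splitlines():
        warned = warned or line.startswith("WARNING: Stack unwind")
        m = FRAME.match(line.strip())
        if m:
            sym = m.group(1)  # "module!function+off" or bare "module+off"
            frames.append({"module": re.split(r"[!+]", sym)[0],
                           "has_symbols": "!" in sym, "unreliable": warned})
    return frames

def triage(text):
    """Blamed frame, the frame that called into it, and symbol-less modules."""
    frames = parse_stack(text)
    idx = int(re.search(r"SYMBOL_STACK_INDEX:\s+(\d+)", text).group(1))
    return {"blamed": frames[idx]["module"],
            "caller": frames[idx + 1]["module"],
            "no_symbols": sorted({f["module"] for f in frames if not f["has_symbols"]})}

def link_time(hex_stamp):
    """Convert the hex value in an lmvm 'Timestamp' line to a UTC datetime."""
    return datetime.fromtimestamp(int(hex_stamp, 16), tz=timezone.utc)
```

On the sample, the frame WinDbg blames is in kbdclass, while the frame that called into it belongs to HpqKbFiltr, the only module in the stack without symbols; `link_time("46770333")` gives the UTC form of the 2007 timestamp shown by `lmvm`.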
 

Author Comment

by:marcus_w
ID: 33564782
che6ausc:

I updated now the HP Quick Launch Buttons, Synaptics Touchpad and Authentec Fingerprint Sensor Drivers and I will post the new minidump if it happens again.
Thanks a lot so far...
0
 
LVL 3

Expert Comment

by:Willy Van den Houten
ID: 33564904
http://www.youtube.com/watch?v=MSN_Qb2S7JQ

This vid explains how to work with the windbg program
0
