BSOD 0x0000008E randomly at login on several new PCs.

We are deploying 60 Dell Optiplex 980s that were imaged by dell with an image we supplied them.  A random number of these computers are "Blue Screening" after entering their password at the initial domain login screen.  I am supplying minidump files retrieved from one of these computers.  Can someone offer any guidance as to how to determine the root cause of the problem?

Thanks in advance,

Joe Mini122910-01.dmp
Joe_HallAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sagiamarCommented:
try to disable all stsrutp programs and all none microsoft services from ms config and try to logon...
Joe_HallAuthor Commented:
Saqiamar - Thanks for the speedy reply!

Sorry!  Not really conceivable to disable all of that on all of these computers since it is intermittant.  Out of the 25 computers that have been deployed thus far, 6 or 7 have had the problem and 3 have had it repeatedly.  The one that I sent the minidump from is the one that has BSODed 3 times in 2 weeks.  Do you know if the minidump file tells what is causing the problem.

I am attaching a Hijackthis log as well.  I don't think it tells anything valuable but nonetheless...



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:40:47 AM, on 12/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ProPatches\Scheduler\STSchedEx.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\RightFax\Client\faxctrl.exe
C:\WINDOWS\RTDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpmup091.bin
C:\Program Files\EDESuite\EDExpress for Windows 2010-2011\Expres01.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
G:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bing.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =  http://www.bing.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://inside.vfao.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bing.com/sphome.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\faxctrl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TdmNotify.lnk = C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1285692299750
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bedrock.com
O17 - HKLM\Software\..\Telephony: DomainName = bedrock.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bedrock.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Shavlik Remote Scheduler Service (Shavlik Scheduler) - Shavlik Technologies, LLC - C:\WINDOWS\ProPatches\Scheduler\STSchedEx.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

--
End of file - 8611 bytes
johnb6767Commented:
3: kd> !process
GetPointerFromAddress: unable to read from 80562134
PROCESS 87caa9f0  SessionId: none  Cid: 1018    Peb: 7ffdb000  ParentCid: 0944
    DirBase: 0b080420  ObjectTable: e65b3470  HandleCount: <Data Not Accessible>
    Image: csc.exe  
    VadRoot 87315498 Vads 70 Clone 0 Private 446. Modified 4. Locked 0.
    DeviceMap e2b713c8
    Token                             e402fcc8
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
ffdf0000: Unable to get shared data
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         66652
    QuotaPoolUsage[NonPagedPool]      3920
    Working Set Sizes (now,min,max)  (1739, 50, 345) (6956KB, 200KB, 1380KB)
    PeakWorkingSetSize                1739
    VirtualSize                       39 Mb
    PeakVirtualSize                   39 Mb
    PageFaultCount                    1752
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      534

        THREAD 8762e020  Cid 1018.1778  Teb: 7ffdf000 Win32Thread: e70e5400 RUNNING on processor 3

What is this app?
Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

Joe_HallAuthor Commented:
Johnb6767 - Below is the info I found regarding the executable file that is contained in the text you asked about.

The file process csc.exe is known as the C# Compiler or the C-Sharp Compiler. The executable program file functions in combination with the dynamic link library called cscomp.dll which has the real compiler code in it.
Joe_HallAuthor Commented:
Below is minidump from two other occurences on the same computer.  both of the PROCESS_IDs were explorer.exe instead of csc.exe.  Jjust more pieces to the puzzle...



Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\minidump\Mini122010-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

WARNING: Whitespace at end of path element
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols


Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100427-1636
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Mon Dec 20 07:41:19.140 2010 (UTC - 5:00)
System Uptime: 0 days 0:00:54.093
Loading Kernel Symbols
...............................................................
........................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 805c3133, a5be1a48, 0}

Probably caused by : ntkrpamp.exe ( nt!ObInsertObject+1ad )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805c3133, The address that the exception occurred at
Arg3: a5be1a48, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ObInsertObject+1ad
805c3133 8b4e1c          mov     ecx,dword ptr [esi+1Ch]

TRAP_FRAME:  a5be1a48 -- (.trap 0xffffffffa5be1a48)
ErrCode = 00000000
eax=a5be1bb8 ebx=00000000 ecx=8a8a5000 edx=00000000 esi=00000001 edi=00000000
eip=805c3133 esp=a5be1abc ebp=a5be1b8c iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!ObInsertObject+0x1ad:
805c3133 8b4e1c          mov     ecx,dword ptr [esi+1Ch] ds:0023:0000001d=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  explorer.exe

LAST_CONTROL_TRANSFER:  from 805d0e8b to 805c3133

STACK_TEXT:  
a5be1b8c 805d0e8b 8a816bc0 a5be1bb8 001f0fff nt!ObInsertObject+0x1ad
a5be1ce4 805d11ab 0235d910 001f0fff 00000000 nt!PspCreateProcess+0x635
a5be1d38 8054164c 0235d910 001f0fff 00000000 nt!NtCreateProcessEx+0x77
a5be1d38 7c90e514 0235d910 001f0fff 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0235df7c 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!ObInsertObject+1ad
805c3133 8b4e1c          mov     ecx,dword ptr [esi+1Ch]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!ObInsertObject+1ad

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4bd6e0e8

FAILURE_BUCKET_ID:  0x8E_nt!ObInsertObject+1ad

BUCKET_ID:  0x8E_nt!ObInsertObject+1ad

Followup: MachineOwner
---------




Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\minidump\Mini122110-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

WARNING: Whitespace at end of path element
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols


Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100427-1636
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Dec 21 08:02:45.265 2010 (UTC - 5:00)
System Uptime: 0 days 0:05:02.843
Loading Kernel Symbols
...............................................................
.........................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 805c3133, 9c208a48, 0}

Probably caused by : ntkrpamp.exe ( nt!ObInsertObject+1ad )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805c3133, The address that the exception occurred at
Arg3: 9c208a48, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ObInsertObject+1ad
805c3133 8b4e1c          mov     ecx,dword ptr [esi+1Ch]

TRAP_FRAME:  9c208a48 -- (.trap 0xffffffff9c208a48)
ErrCode = 00000000
eax=9c208bb8 ebx=00000000 ecx=8a8a5000 edx=00000000 esi=00000001 edi=00000000
eip=805c3133 esp=9c208abc ebp=9c208b8c iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!ObInsertObject+0x1ad:
805c3133 8b4e1c          mov     ecx,dword ptr [esi+1Ch] ds:0023:0000001d=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  explorer.exe

LAST_CONTROL_TRANSFER:  from 805d0e8b to 805c3133

STACK_TEXT:  
9c208b8c 805d0e8b 880dcb28 9c208bb8 001f0fff nt!ObInsertObject+0x1ad
9c208ce4 805d11ab 0241e5f8 001f0fff 00000000 nt!PspCreateProcess+0x635
9c208d38 8054164c 0241e5f8 001f0fff 00000000 nt!NtCreateProcessEx+0x77
9c208d38 7c90e514 0241e5f8 001f0fff 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0241ec64 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!ObInsertObject+1ad
805c3133 8b4e1c          mov     ecx,dword ptr [esi+1Ch]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!ObInsertObject+1ad

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4bd6e0e8

FAILURE_BUCKET_ID:  0x8E_nt!ObInsertObject+1ad

BUCKET_ID:  0x8E_nt!ObInsertObject+1ad

Followup: MachineOwner
---------

johnb6767Commented:
Might have to go through the process of elimination.....

Go to start>run>msconfig, and on the startup, and the services tab, click the box to Disable all....Then reboot. Let it run, until you would have expected it to have crashed.....Any better? If so, you can start enabling them in small groups until you narrow it down and nail it....

What other apps are common to these maqchines when this happens?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JonveeCommented:
Are any of the blue screening computers running UltraMon Realtime Soft ?
Worth asking;  there's a previous E_E thread with a similar error >>

"minidump help":
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_26317785.html
Joe_HallAuthor Commented:
Jonvee - No Ultramon.  Thanks for the suggestion.  We are working a theory that I would like to solicit opinions on as to whether this could be the cause of the issue.  

We have the computers automatically waking up at 10:55 PM via Dell bios.  At 11:00pm a batch file that runs maintenance.

cleanmgr.exe /sagerun
defrag.exe c: -f
shutdown -s -f

The scheduled task is set to run as a local user called maintenance which is supposed to be in the local administrators group.  This batch of BSOD computers were configured using a batch file to create the scheduled job and maintenance user account but the batch file was not adding the account to the local administrators group and the batch file was generating a DCOM error in the eventlog with event ID of 10016.

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{000C101C-0000-0000-C000-000000000046}
 to the user b1q1o5\maintenance SID (S-1-5-21-3617156352-1342789089-2455571365-1008).  This security permission can be modified using the Component Services administrative tool.

This error shows up at 11:00:01 on every computer the night before a BSOD at login the next morning.  This has got to be related although I don't quite understand how.  Once we added the maintenance local user to the local administrators group, the problem seems to have gone away but I'm still left not knowing for sure.

Any thoughts on this would be greatly appreciated.

Best Regards,

Joe
JonveeCommented:
Joe
Thanks for the report, in which you appear to be on the right track, but i'm regrettably unable to help on this one.  Hopefully others can come forward & assist.
johnb6767Commented:
You need to search the registry and find out what CLSID this is....

000C101C-0000-0000-C000-000000000046

Should be a good place to start.....

Youre Doing DiskCleanup AND a defrag every night?

If I had to guess, S-1-5-21-3617156352-1342789089-2455571365-1008 is the "domain\maintenance" user, and that CLSID might be related to either Defrag/DiskCleanup......

Joe_HallAuthor Commented:
johnb - Thanks for the reply.

000C101C-0000-0000-C000-000000000046 is listed as MSIServer.
Joe_HallAuthor Commented:
This problem is continuing to occur on a regular basis randomly within the fleet of Dell Optiplex 980s that we are deploying.  I am convinced it is a faulty batch of RAM and have sent one of the PCs back to Dell engineers for their own research.  We have had a total of 15 BSoDs across maybe 10 different PCs.  They were all imaged identically.

Thank you all for your help and I will attempt to post a final resolution if one is discovered since I am certain we are not the only customer of Dell experiencing this issue.

Best Regards,

Joe
JonveeCommented:
Thanks for the update.  We would appreciate hearing of a final resolution, should one be discovered, after you've heard from Dell.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows XP

From novice to tech pro — start learning today.