Solved

Please help me decipher this BSOD Minidump ASAP

Posted on 2013-05-15
Last Modified: 2013-12-06
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\administrator\Desktop\JAMESTEPER.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0xfffff800`01c64000 PsLoadedModuleList = 0xfffff800`01ea7670
Debug session time: Wed May 15 11:38:01.703 2013 (UTC - 5:00)
System Uptime: 0 days 18:12:51.790
Loading Kernel Symbols
...............................................................
................................................................
.............................
Loading User Symbols
Loading unloaded module list
.......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F4, {3, fffffa800ab51b30, fffffa800ab51e10, fffff80001fe0350}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

----- ETW minidump data unavailable-----
unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!KPRCB                                      ***
***                                                                   ***
*************************************************************************
Probably caused by : csrss.exe

Followup: MachineOwner
---------

4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 0000000000000003, Process
Arg2: fffffa800ab51b30, Terminating object
Arg3: fffffa800ab51e10, Process image file name
Arg4: fffff80001fe0350, Explanatory message (ascii)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

----- ETW minidump data unavailable-----
unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase

ADDITIONAL_DEBUG_TEXT:  
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.

MODULE_NAME: csrss

FAULTING_MODULE: 0000000000000000

DEBUG_FLR_IMAGE_TIMESTAMP:  0

PROCESS_OBJECT: fffffa800ab51b30

IMAGE_NAME:  csrss.exe

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xF4

CURRENT_IRQL:  0

STACK_TEXT:  
fffff880`030129c8 fffff800`02067d22 : 00000000`000000f4 00000000`00000003 fffffa80`0ab51b30 fffffa80`0ab51e10 : nt+0x75c00
fffff880`030129d0 00000000`000000f4 : 00000000`00000003 fffffa80`0ab51b30 fffffa80`0ab51e10 fffff800`01fe0350 : nt+0x403d22
fffff880`030129d8 00000000`00000003 : fffffa80`0ab51b30 fffffa80`0ab51e10 fffff800`01fe0350 00000000`1d12e230 : 0xf4
fffff880`030129e0 fffffa80`0ab51b30 : fffffa80`0ab51e10 fffff800`01fe0350 00000000`1d12e230 fffffa80`0ab51b30 : 0x3
fffff880`030129e8 fffffa80`0ab51e10 : fffff800`01fe0350 00000000`1d12e230 fffffa80`0ab51b30 fffff800`0201408b : 0xfffffa80`0ab51b30
fffff880`030129f0 fffff800`01fe0350 : 00000000`1d12e230 fffffa80`0ab51b30 fffff800`0201408b ffffffff`ffffffff : 0xfffffa80`0ab51e10
fffff880`030129f8 00000000`1d12e230 : fffffa80`0ab51b30 fffff800`0201408b ffffffff`ffffffff fffffa80`073fb060 : nt+0x37c350
fffff880`03012a00 fffffa80`0ab51b30 : fffff800`0201408b ffffffff`ffffffff fffffa80`073fb060 fffffa80`0ab51b30 : 0x1d12e230
fffff880`03012a08 fffff800`0201408b : ffffffff`ffffffff fffffa80`073fb060 fffffa80`0ab51b30 fffffa80`06b9cb30 : 0xfffffa80`0ab51b30
fffff880`03012a10 ffffffff`ffffffff : fffffa80`073fb060 fffffa80`0ab51b30 fffffa80`06b9cb30 00000000`000043f8 : nt+0x3b008b
fffff880`03012a18 fffffa80`073fb060 : fffffa80`0ab51b30 fffffa80`06b9cb30 00000000`000043f8 00000000`00000008 : 0xffffffff`ffffffff
fffff880`03012a20 fffffa80`0ab51b30 : fffffa80`06b9cb30 00000000`000043f8 00000000`00000008 fffffa80`06b9cb30 : 0xfffffa80`073fb060
fffff880`03012a28 fffffa80`06b9cb30 : 00000000`000043f8 00000000`00000008 fffffa80`06b9cb30 00000000`00000000 : 0xfffffa80`0ab51b30
fffff880`03012a30 00000000`000043f8 : 00000000`00000008 fffffa80`06b9cb30 00000000`00000000 fffffa80`073fb060 : 0xfffffa80`06b9cb30
fffff880`03012a38 00000000`00000008 : fffffa80`06b9cb30 00000000`00000000 fffffa80`073fb060 fffff800`01f94144 : 0x43f8
fffff880`03012a40 fffffa80`06b9cb30 : 00000000`00000000 fffffa80`073fb060 fffff800`01f94144 ffffffff`ffffffff : 0x8
fffff880`03012a48 00000000`00000000 : fffffa80`073fb060 fffff800`01f94144 ffffffff`ffffffff 00000000`00000001 : 0xfffffa80`06b9cb30


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner
---------

4: kd> lmvm csrss
start             end                 module name
4: kd> !process fffffa800ab51b30 3
GetPointerFromAddress: unable to read from fffff80001f11000
NT symbols are incorrect, please fix symbols
4: kd> !symfix
4: kd> !fixsym
No export fixsym found
4: kd> !symbolfix
No export symbolfix found
4: kd> lmvm csrss
start             end                 module name
4: kd> !process fffffa800ab51b30 3
GetPointerFromAddress: unable to read from fffff80001f11000
NT symbols are incorrect, please fix symbols
4: kd> .symfix
4: kd> reload
            ^ Bad register error in 'reload'
4: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
.............................
Loading User Symbols
Loading unloaded module list
.......
4: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 0000000000000003, Process
Arg2: fffffa800ab51b30, Terminating object
Arg3: fffffa800ab51e10, Process image file name
Arg4: fffff80001fe0350, Explanatory message (ascii)

Debugging Details:
------------------

----- ETW minidump data unavailable-----

KERNEL_LOG_FAILING_PROCESS:  (null)

PROCESS_OBJECT: fffffa800ab51b30

IMAGE_NAME:  csrss.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: csrss

FAULTING_MODULE: 0000000000000000

PROCESS_NAME:  OUTLOOK.EXE

BUGCHECK_STR:  0xF4_OUTLOOK.EXE

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80002067d22 to fffff80001cd9c00

STACK_TEXT:  
fffff880`030129c8 fffff800`02067d22 : 00000000`000000f4 00000000`00000003 fffffa80`0ab51b30 fffffa80`0ab51e10 : nt!KeBugCheckEx
fffff880`030129d0 fffff800`0201408b : ffffffff`ffffffff fffffa80`073fb060 fffffa80`0ab51b30 fffffa80`06b9cb30 : nt!PspCatchCriticalBreak+0x92
fffff880`03012a10 fffff800`01f94144 : ffffffff`ffffffff 00000000`00000001 fffffa80`0ab51b30 00000000`00000008 : nt! ?? ::NNGAKEGL::`string'+0x17486
fffff880`03012a60 fffff800`01cd8e93 : fffffa80`0ab51b30 00000000`00000000 fffffa80`073fb060 fffffa80`0ab51b30 : nt!NtTerminateProcess+0xf4
fffff880`03012ae0 00000000`779f15da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`1d12e1f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x779f15da


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0xF4_OUTLOOK.EXE_IMAGE_csrss.exe

BUCKET_ID:  X64_0xF4_OUTLOOK.EXE_IMAGE_csrss.exe

Followup: MachineOwner
---------

4: kd> !process fffffa800ab51b30 3
GetPointerFromAddress: unable to read from fffff80001f11000
PROCESS fffffa800ab51b30
    SessionId: none  Cid: 0254    Peb: 7fffffd3000  ParentCid: 0240
    DirBase: 20f83d000  ObjectTable: fffff8a0058f2e40  HandleCount: <Data Not Accessible>
    Image: csrss.exe
    VadRoot fffffa800b8d63c0 Vads 111 Clone 0 Private 645. Modified 1780. Locked 0.
    DeviceMap fffff8a000008bc0
    Token                             fffff8a000135c50
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
fffff78000000000: Unable to get shared data
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         158992
    QuotaPoolUsage[NonPagedPool]      13328
    Working Set Sizes (now,min,max)  (1486, 50, 345) (5944KB, 200KB, 1380KB)
    PeakWorkingSetSize                1553
    VirtualSize                       54 Mb
    PeakVirtualSize                   55 Mb
    PageFaultCount                    3813
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      988

        *** Error in reading nt!_ETHREAD @ fffffa800ab8fb50

4: kd> lmvm csrss
start             end                 module name

I have nearly the entire company getting the same BSOD and the same info in the logs. They have all been upgraded to Office 2010 recently and there haven't been any other large changes to the infrastructure.
0
Question by:Alexziogas
13 Comments
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39169042
0
 

Author Comment

by:Alexziogas
ID: 39169453
bluescreenview
I tried to snap a shot of all important info; here I have 4 different machines' minidumps loaded.
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39169480
Can you look in Device Manager to see if you have unknown devices, and try updating your drivers with e.g. Driver Genius?
0
 

Author Comment

by:Alexziogas
ID: 39169575
There are no unknown devices, and I have all the latest drivers installed from HP's site and Windows updates. I would rather not use a 3rd-party driver tool such as Driver Genius.
0
 
LVL 14

Accepted Solution

by:
Rob Miners earned 250 total points
ID: 39169691
Good to see that you are having a go at reading these dumps. Let's fix the symbols.

Open WinDbg, click File, click Symbol File Path, and copy and paste or type in the command line below:

SRV*downstream_store*http://msdl.microsoft.com/download/symbols

Save Workspace base as you exit

Refer to this guide

Debugging a Bugcheck 0xF4

http://blogs.msdn.com/b/ntdebugging/archive/2009/07/27/debugging-a-bugcheck-0xf4.aspx
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39170525
Can you run memtest on your system, and when you are done, run a full checkdisk on your drive?

It seems to be random crashing.
0
 
LVL 91

Expert Comment

by:nobus
ID: 39170601
Post the dmp file here, attached as a file, please.
Your debugger did not load the proper symbols.
0
 

Author Comment

by:Alexziogas
ID: 39171304
This issue is literally happening on 15+ machines in the organization, all of which are using the exact same model of HP computers. I've attached 4 different users' dump files.
Dump.zip
0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39171308
Can you post the exact model number of the HP machines where you have this issue?
0
 
LVL 91

Assisted Solution

by:nobus
nobus earned 250 total points
ID: 39171468
They all say:
MODULE_NAME: csrss
FAULTING_MODULE: 0000000000000000
PROCESS_NAME:  OUTLOOK.EXE
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

I would uninstall / reinstall Outlook on one to test, or repair Outlook from Add/Remove Programs, to start.

If they all started on the same day, it can be an update, so uninstall the latest ones.
0
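The triage described in the two solutions above (load symbols first, then compare the `!analyze -v` fields across the machines' dumps) as an added Python example that is not part of the original thread. The host names and the embedded transcripts are constructed samples in the format of the output posted in the question.

```python
import re
from collections import Counter

# Constructed samples in the format of the '!analyze -v' output on this page.
# Host names are hypothetical; PC-02 imitates a run made before '.symfix; .reload'.
GOOD = """CRITICAL_OBJECT_TERMINATION (f4)
Arg1: 0000000000000003, Process
Arg2: fffffa800ab51b30, Terminating object
IMAGE_NAME:  csrss.exe
PROCESS_NAME:  OUTLOOK.EXE
FAILURE_BUCKET_ID:  X64_0xF4_OUTLOOK.EXE_IMAGE_csrss.exe
BUCKET_ID:  X64_0xF4_OUTLOOK.EXE_IMAGE_csrss.exe
"""
NO_SYMBOLS = """IMAGE_NAME:  csrss.exe
BUGCHECK_STR:  0xF4
BUCKET_ID:  WRONG_SYMBOLS
"""
SAMPLES = {"PC-01": GOOD, "PC-02": NO_SYMBOLS, "PC-03": GOOD}

BUGCHECK = re.compile(r"^([A-Z0-9_]+) \(([0-9a-fA-F]+)\)$")
ARG = re.compile(r"^Arg([1-4]): ([0-9a-fA-F]+)")
FIELD = re.compile(r"^([A-Z][A-Z_]+):\s+(\S.*)$")

def parse_analyze(text):
    """Pull the triage fields out of one '!analyze -v' transcript."""
    rec = {"args": {}, "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := BUGCHECK.match(line):
            rec["name"], rec["code"] = m.group(1), int(m.group(2), 16)
        elif m := ARG.match(line):
            rec["args"][int(m.group(1))] = int(m.group(2), 16)
        elif m := FIELD.match(line):
            rec["fields"][m.group(1)] = m.group(2).strip()  # last occurrence wins
    # A WRONG_SYMBOLS bucket means the stack was not resolved, so the
    # remaining fields (and the missing PROCESS_NAME) cannot be trusted.
    rec["reliable"] = rec["fields"].get("BUCKET_ID") not in (None, "WRONG_SYMBOLS")
    return rec

def triage(transcripts):
    """Group hosts by failure bucket; list hosts whose dump needs re-analysis."""
    buckets, redo = Counter(), []
    for host, text in sorted(transcripts.items()):
        rec = parse_analyze(text)
        if not rec["reliable"]:
            redo.append(host)
            continue
        f = rec["fields"]
        buckets[(f.get("FAILURE_BUCKET_ID", f["BUCKET_ID"]), f.get("PROCESS_NAME"))] += 1
    return buckets, redo

if __name__ == "__main__":
    buckets, redo = triage(SAMPLES)
    for (bucket, proc), n in buckets.most_common():
        print(f"{n} host(s): {bucket} (PROCESS_NAME: {proc})")
    print("re-run after .symfix; .reload:", ", ".join(redo))
```
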
 

Author Comment

by:Alexziogas
ID: 39171539
HP Model : HP Compaq Elite 8300

I will attempt your troubleshooting steps this morning, Nobus.
0
 
LVL 11

Expert Comment

by:sparab
ID: 39700549
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
