Help for debug a BSOD with microsoft debugging tools

[newton]

Hi friends!

at first, sorry my poor english.

I need help of anybody that can help me to debug a memory.dump of a
BSOD that I received recently.

I have been suffering BSOD since I got my PC. It's not a easy problem.
I have tried fix it with many methods without success: updating
drivers, updating to windows vista, changing graphic card, changing
memory....and nothing. Only motherboard and processor hadn't been
changed (due to his high price, I'm waiting it as last resource)

I have been reading some bsod debug tutorials but as my problem it's a
bit different, I don't know what commands I need to use in my case.

Please, If anybody can help me, please: (e-mail address removed) it's my
MSN for try debug . I won't spend many of your time.

If you prefer it, I can post the debug step by step and wait your
advices.

Thank you very much and sorry my poor english another one.

 

[Gerry]

Please post a copy of the Stop Error Report.

Disable automatic restart on system failure. This should help by
allowing time to write down the STOP code properly. Right click on
the My Computer icon on the Desktop and select Properties, Advanced,
Start-Up and Recovery, System Failure and uncheck box before
Automatically Restart.

Do not re-enable automatic restart on system failure until you have
resolved the problem. Check for variants of the Stop Error message.

An alternative is to keep pressing the F8 key during Start-Up and select
option - Disable automatic restart on system failure.

If you are using a wireless keyboard and the F8 key does not work
substitute a wired keyboard and mouse for this exercise only.

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 

[devil_himself]

Please post a copy of the Stop Error Report.

Disable automatic restart on system failure. This should help by
allowing time to write down the STOP code properly. Right click on
the My Computer icon on the Desktop and select Properties, Advanced,
Start-Up and Recovery, System Failure and uncheck box before
Automatically Restart.

Do not re-enable automatic restart on system failure until you have
resolved the problem. Check for variants of the Stop Error message.

An alternative is to keep pressing the F8 key during Start-Up and select
option - Disable automatic restart on system failure.

If you are using a wireless keyboard and the F8 key does not work
substitute a wired keyboard and mouse for this exercise only.

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

Navigate To C:\Windows\Minidump
Zip some of the recent Minidumps and Upload them to any free web
hosting and give us the link

 

[Gerry]

Not for me. Thanks.


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 

[newton]

Navigate To C:\Windows\Minidump
Zip some of the recent Minidumps and Upload them to any free web
hosting and give us the link

I don't need help to create the memory.dump, I need help for debug it.
I already have created a full memory.dump.
This night I will post some debug info of this dump, maybe then
somebody can help me to continue.

Thanks!

 

[newton]

Hi friends,

here my debug info. I hope that anybody can help me:


####################################
1.- First Step: Opened the memory.dump
####################################
------------------------------------------------------------------------------

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP_1]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/
download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Thu Jan 10 22:26:19.234 2008 (GMT+1)
System Uptime: 0 days 0:04:42.834
Loading Kernel Symbols
................................................................................................................................
Loading User Symbols

Loading unloaded module list
............
*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {5858855c, 2, 0, 804e3f93}

Probably caused by : ntkrnlpa.exe ( nt!CcGetDirtyPages+97 )

Followup: MachineOwner
---------

#################################
2.- Second Step: I ran "kd> !analyze -v"
#################################


*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid)
address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 5858855c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation
(only on chips which support this level of status)
Arg4: 804e3f93, address which referenced memory

Debugging Details:
------------------
READ_ADDRESS: 5858855c

CURRENT_IRQL: 2

FAULTING_IP:
nt!CcGetDirtyPages+97
804e3f93 66813efd02 cmp word ptr [esi],2FDh

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: System

TRAP_FRAME: f78b68dc -- (.trap 0xfffffffff78b68dc)
ErrCode = 00000000
eax=864dd518 ebx=00000000 ecx=5858856c edx=f78b695c esi=5858855c
edi=864dd508
eip=804e3f93 esp=f78b6950 ebp=f78b69b4 iopl=0 ov up ei ng nz
na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010a83
nt!CcGetDirtyPages+0x97:
804e3f93 66813efd02 cmp word ptr [esi],2FDh ds:
0023:5858855c=????
Resetting default scope

LAST_CONTROL_TRANSFER: from 804e3f93 to 8053f853

STACK_TEXT:
f78b68dc 804e3f93 badb0d00 f78b695c f71ec315 nt!KiTrap0E+0x233
f78b69b4 f7208ac9 e100e118 f71e8260 f78b6c14 nt!CcGetDirtyPages+0x97
f78b6be0 f72090a8 f78b6c14 865d7100 00000000 Ntfs!NtfsCheckpointVolume
+0x6f0
f78b6d74 80533dd0 00000000 00000000 865cada8 Ntfs!
NtfsCheckpointAllVolumes+0xd2
f78b6dac 805c4a28 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f78b6ddc 80540fa2 80533cd0 00000000 00000000 nt!PspSystemThreadStartup
+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!CcGetDirtyPages+97
804e3f93 66813efd02 cmp word ptr [esi],2FDh

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!CcGetDirtyPages+97

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41107b0c

FAILURE_BUCKET_ID: 0xA_nt!CcGetDirtyPages+97

BUCKET_ID: 0xA_nt!CcGetDirtyPages+97

Followup: MachineOwner
---------

#################################
3.- third step: what I should run?
#################################

I have tried:

- !address -- Result ->> address 5858855c not found in any known
Kernel Address Range ----
- !irql 2 -- Result ->> Cannot get PRCB address from processor
0x2

I don't know how to proceed.

 

[Gerry]

Background information on Stop Error message
http://msdn2.microsoft.com/en-us/library/ms793589.aspx

Stop error message in Windows XP with Service Pack 2: "STOP 0x0000001a:
MEMORY_MANAGEMENT" or "STOP 0x0000000a: IRQL_NOT_LESS_OR_EQUAL"
http://support.microsoft.com/kb/929338

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

Hi friends,

here my debug info. I hope that anybody can help me:


####################################
1.- First Step: Opened the memory.dump
####################################
------------------------------------------------------------------------------

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP_1]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/
download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Thu Jan 10 22:26:19.234 2008 (GMT+1)
System Uptime: 0 days 0:04:42.834
Loading Kernel Symbols
...............................................................................................................................
Loading User Symbols

Loading unloaded module list
...........
*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {5858855c, 2, 0, 804e3f93}

Probably caused by : ntkrnlpa.exe ( nt!CcGetDirtyPages+97 )

Followup: MachineOwner
---------

#################################
2.- Second Step: I ran "kd> !analyze -v"
#################################


*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid)
address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 5858855c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation
(only on chips which support this level of status)
Arg4: 804e3f93, address which referenced memory

Debugging Details:
------------------
READ_ADDRESS: 5858855c

CURRENT_IRQL: 2

FAULTING_IP:
nt!CcGetDirtyPages+97
804e3f93 66813efd02 cmp word ptr [esi],2FDh

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: System

TRAP_FRAME: f78b68dc -- (.trap 0xfffffffff78b68dc)
ErrCode = 00000000
eax=864dd518 ebx=00000000 ecx=5858856c edx=f78b695c esi=5858855c
edi=864dd508
eip=804e3f93 esp=f78b6950 ebp=f78b69b4 iopl=0 ov up ei ng nz
na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010a83
nt!CcGetDirtyPages+0x97:
804e3f93 66813efd02 cmp word ptr [esi],2FDh ds:
0023:5858855c=????
Resetting default scope

LAST_CONTROL_TRANSFER: from 804e3f93 to 8053f853

STACK_TEXT:
f78b68dc 804e3f93 badb0d00 f78b695c f71ec315 nt!KiTrap0E+0x233
f78b69b4 f7208ac9 e100e118 f71e8260 f78b6c14 nt!CcGetDirtyPages+0x97
f78b6be0 f72090a8 f78b6c14 865d7100 00000000 Ntfs!NtfsCheckpointVolume
+0x6f0
f78b6d74 80533dd0 00000000 00000000 865cada8 Ntfs!
NtfsCheckpointAllVolumes+0xd2
f78b6dac 805c4a28 00000000 00000000 00000000 nt!ExpWorkerThread+0x100
f78b6ddc 80540fa2 80533cd0 00000000 00000000 nt!PspSystemThreadStartup
+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!CcGetDirtyPages+97
804e3f93 66813efd02 cmp word ptr [esi],2FDh

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!CcGetDirtyPages+97

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41107b0c

FAILURE_BUCKET_ID: 0xA_nt!CcGetDirtyPages+97

BUCKET_ID: 0xA_nt!CcGetDirtyPages+97

Followup: MachineOwner
---------

#################################
3.- third step: what I should run?
#################################

I have tried:

- !address -- Result ->> address 5858855c not found in any known
Kernel Address Range ----
- !irql 2 -- Result ->> Cannot get PRCB address from processor
0x2

I don't know how to proceed.

 

[newton]

Thank you very much. I have been seeing many windows msdn docs since I
have this problem without success. In your links appear a recently
patch which is hopefully. I will try it.

Meanwhile, I will continue analyzing other memory.dump that I have
got.

This time the problem is related with emule.exe and klif.sys.
Nevertheless, I think that real problem comes from a more low level
and it has impact in user level's applications, because I have had
this problem since I got my PC and it happen with or without these
applications.

Thank you. We are in contact

 

[newton]

Here my second memory.dump debug (
There seems to be problems with the symbols because they don't have
them for some external components):


**************
1.- First step:
***************

Loading Dump File [C:\WINDOWS\MEMORY.DMP_2]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/
download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Fri Jan 11 23:52:12.750 2008 (GMT+1)
System Uptime: 0 days 2:43:03.358
Loading Kernel Symbols
................................................................................................................................
Loading User Symbols
.............................................
Loading unloaded module list
.........................
*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {8c000000, 2, 1, 804e17a6}

*** ERROR: Module load completed but symbols could not be loaded for
klif.sys
*** WARNING: Unable to verify checksum for es_ES_T.dll
*** ERROR: Module load completed but symbols could not be loaded for
es_ES_T.dll
*************************************************************************
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: kernel32!pNlsUserInfo
***
***
***
*************************************************************************
*************************************************************************
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: kernel32!pNlsUserInfo
***
***
***
*************************************************************************
Probably caused by : klif.sys ( klif+1134b )

Followup: MachineOwner
---------

**************
2.- Second step:
***************

*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid)
address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 8c000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation
(only on chips which support this level of status)
Arg4: 804e17a6, address which referenced memory

Debugging Details:
------------------

*************************************************************************
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: kernel32!pNlsUserInfo
***
***
***
*************************************************************************
*************************************************************************
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: kernel32!pNlsUserInfo
***
***
***
*************************************************************************

WRITE_ADDRESS: 8c000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!CcAllocateInitializeBcb+82
804e17a6 8902 mov dword ptr [edx],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: emule.exe

TRAP_FRAME: b8033478 -- (.trap 0xffffffffb8033478)
ErrCode = 00000002
eax=85557370 ebx=8627a398 ecx=856f8086 edx=8c000000 esi=85557360
edi=b8033530
eip=804e17a6 esp=b80334ec ebp=b80334f8 iopl=0 nv up ei ng nz
na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010282
nt!CcAllocateInitializeBcb+0x82:
804e17a6 8902 mov dword ptr [edx],eax ds:
0023:8c000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 804e17a6 to 8053f853

STACK_TEXT:
b8033478 804e17a6 badb0d00 8c000000 8054482f nt!KiTrap0E+0x233
b80334f8 804e3192 8627a398 856f8075 b8033530 nt!CcAllocateInitializeBcb
+0x82
b8033584 8055e65e 85a1c840 b80335c4 00000400 nt!CcPinFileData+0x194
b80335f8 f7210017 85a1c840 b8033628 00000400 nt!CcPinMappedData+0xf4
b8033618 f7211045 856062d8 859e47b0 0009e000 Ntfs!NtfsPinMappedData
+0x4f
b80336e0 f72167a7 856062d8 e377e750 e377e770 Ntfs!NtfsWriteFileSizes
+0x231
b80338bc f7216ead 856062d8 e377e750 b80338e4 Ntfs!
NtfsAddAttributeAllocation+0x2b8
b8033978 f721e24b 856062d8 85667718 e377e750 Ntfs!NtfsAddAllocation
+0x386
b8033a6c f7210e2f 856062d8 85667718 8579a5e8 Ntfs!NtfsSetEndOfFileInfo
+0x403
b8033adc f71e9ad8 856062d8 8579a5e8 8579a5e8 Ntfs!
NtfsCommonSetInformation+0x477
b8033b44 804eddf9 85874020 8579a5e8 8579a7c0 Ntfs!NtfsFsdSetInformation
+0xa3
b8033b54 f7297f45 00000006 86584a80 8579a7c0 nt!IopfCallDriver+0x31
b8033b68 804eddf9 859e57d0 e23ea200 00000014 sr!SrSetInformation+0x179
b8033b78 ee5db34b 8579a7c0 86275598 8579a5e8 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may
be wrong.
b8033c18 ee5dd9b3 002ff020 8579a5e8 804eddf9 klif+0x1134b
b8033ce0 ee5e5296 00000408 0012e7b0 0012e7c0 klif+0x139b3
b8033d44 8056f111 8053c808 00000408 0012e7b0 klif+0x1b296
b8033ddc 80540fa2 8645bf10 85701b08 00000000 nt!NtQueryInformationFile
+0x5fb
b8033e50 bf8056e6 00000001 00000000 00000000 nt!KiThreadStartup+0x16
b8033e58 00000000 00000000 00000000 00008000 win32k!HANDLELOCK::vUnlock
+0x20


STACK_COMMAND: kb

FOLLOWUP_IP:
klif+1134b
ee5db34b 5f pop edi

SYMBOL_STACK_INDEX: e

SYMBOL_NAME: klif+1134b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: klif

IMAGE_NAME: klif.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 44d328c7

FAILURE_BUCKET_ID: 0xA_W_klif+1134b

BUCKET_ID: 0xA_W_klif+1134b

Followup: MachineOwner
---------

 

[Gerry]

klif.sys is a Kaspersky driver and there are reports of it causing a
BSOD. Most reports are in a foreign language so they are not easily
understood and it is is difficult to sift out duplication.

I found this fix on the Kaspersky support site but there is insufficient
detail to match it to your problem. It may relate.
http://support.kaspersky.com/faq/?qid=208279565

It would be helpful to know your version of Kaspersky and the file
version of klif.sys.

You may als o find it helpful to contact Kaspersky Support for advice.

--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

Here my second memory.dump debug (
There seems to be problems with the symbols because they don't have
them for some external components):


**************
1.- First step:
***************

Loading Dump File [C:\WINDOWS\MEMORY.DMP_2]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/
download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Fri Jan 11 23:52:12.750 2008 (GMT+1)
System Uptime: 0 days 2:43:03.358
Loading Kernel Symbols
...............................................................................................................................
Loading User Symbols
............................................
Loading unloaded module list
........................
*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {8c000000, 2, 1, 804e17a6}

*** ERROR: Module load completed but symbols could not be loaded for
klif.sys
*** WARNING: Unable to verify checksum for es_ES_T.dll
*** ERROR: Module load completed but symbols could not be loaded for
es_ES_T.dll
*************************************************************************
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: kernel32!pNlsUserInfo
***
***
***
*************************************************************************
*************************************************************************
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: kernel32!pNlsUserInfo
***
***
***
*************************************************************************
Probably caused by : klif.sys ( klif+1134b )

Followup: MachineOwner
---------

**************
2.- Second step:
***************

*******************************************************************************
*
*
* Bugcheck
Analysis *
*
*
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid)
address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 8c000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation
(only on chips which support this level of status)
Arg4: 804e17a6, address which referenced memory

Debugging Details:
------------------

*************************************************************************
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: kernel32!pNlsUserInfo
***
***
***
*************************************************************************
*************************************************************************
***
***
***
***
*** Your debugger is not using the correct symbols
***
***
***
*** In order for this command to work properly, your symbol path
***
*** must point to .pdb files that have full type information.
***
***
***
*** Certain .pdb files (such as the public OS symbols) do not
***
*** contain the required information. Contact the group that
***
*** provided you with these symbols if you need this command to
***
*** work.
***
***
***
*** Type referenced: kernel32!pNlsUserInfo
***
***
***
*************************************************************************

WRITE_ADDRESS: 8c000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!CcAllocateInitializeBcb+82
804e17a6 8902 mov dword ptr [edx],eax

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: emule.exe

TRAP_FRAME: b8033478 -- (.trap 0xffffffffb8033478)
ErrCode = 00000002
eax=85557370 ebx=8627a398 ecx=856f8086 edx=8c000000 esi=85557360
edi=b8033530
eip=804e17a6 esp=b80334ec ebp=b80334f8 iopl=0 nv up ei ng nz
na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010282
nt!CcAllocateInitializeBcb+0x82:
804e17a6 8902 mov dword ptr [edx],eax ds:
0023:8c000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 804e17a6 to 8053f853

STACK_TEXT:
b8033478 804e17a6 badb0d00 8c000000 8054482f nt!KiTrap0E+0x233
b80334f8 804e3192 8627a398 856f8075 b8033530
nt!CcAllocateInitializeBcb +0x82
b8033584 8055e65e 85a1c840 b80335c4 00000400 nt!CcPinFileData+0x194
b80335f8 f7210017 85a1c840 b8033628 00000400 nt!CcPinMappedData+0xf4
b8033618 f7211045 856062d8 859e47b0 0009e000 Ntfs!NtfsPinMappedData
+0x4f
b80336e0 f72167a7 856062d8 e377e750 e377e770 Ntfs!NtfsWriteFileSizes
+0x231
b80338bc f7216ead 856062d8 e377e750 b80338e4 Ntfs!
NtfsAddAttributeAllocation+0x2b8
b8033978 f721e24b 856062d8 85667718 e377e750 Ntfs!NtfsAddAllocation
+0x386
b8033a6c f7210e2f 856062d8 85667718 8579a5e8 Ntfs!NtfsSetEndOfFileInfo
+0x403
b8033adc f71e9ad8 856062d8 8579a5e8 8579a5e8 Ntfs!
NtfsCommonSetInformation+0x477
b8033b44 804eddf9 85874020 8579a5e8 8579a7c0
Ntfs!NtfsFsdSetInformation +0xa3
b8033b54 f7297f45 00000006 86584a80 8579a7c0 nt!IopfCallDriver+0x31
b8033b68 804eddf9 859e57d0 e23ea200 00000014 sr!SrSetInformation+0x179
b8033b78 ee5db34b 8579a7c0 86275598 8579a5e8 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may
be wrong.
b8033c18 ee5dd9b3 002ff020 8579a5e8 804eddf9 klif+0x1134b
b8033ce0 ee5e5296 00000408 0012e7b0 0012e7c0 klif+0x139b3
b8033d44 8056f111 8053c808 00000408 0012e7b0 klif+0x1b296
b8033ddc 80540fa2 8645bf10 85701b08 00000000 nt!NtQueryInformationFile
+0x5fb
b8033e50 bf8056e6 00000001 00000000 00000000 nt!KiThreadStartup+0x16
b8033e58 00000000 00000000 00000000 00008000
win32k!HANDLELOCK::vUnlock +0x20


STACK_COMMAND: kb

FOLLOWUP_IP:
klif+1134b
ee5db34b 5f pop edi

SYMBOL_STACK_INDEX: e

SYMBOL_NAME: klif+1134b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: klif

IMAGE_NAME: klif.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 44d328c7

FAILURE_BUCKET_ID: 0xA_W_klif+1134b

BUCKET_ID: 0xA_W_klif+1134b

Followup: MachineOwner
---------

 

[newton]

I have received other bsod (I haven't applied MS patch yet) and his
memory.dump (third) is same as first (ntkrnlpa.exe related).

I will update my AV and my WXP SP2 with your patches... and I will
wait the results.

Thank you very much.

 

[newton]

The problem continues with patches already installed.

Recently I have disconnected all components except: Motherboard,
Processor, 512MB DDR400 Kingston (X2), GForce6600 and Hard Disk, but
problem also continue.

Finally, I have noticed that my motherboard gives 2.5v to RAM modules
by default, but my RAM modules works with 2.6v. I have increased the
DDR voltage to 2.6 with motherboard bios. Is it possible that 0.1v in
DDR modules create unstable system and this change fix the problem? I
need to wait... at this moment only has passed 20 minutes running.

 

[newton]

Nothing... sniff :-(

The problem persist. I will try linux. If problem persist, I will
change the motherboard.

Thank you very much in any case!

 

[Gerry]

Newton

Have you tried uninstalling Emule to see if that resolves the problem?

Please post copies of all Error and Warning Reports appearing in
the System and Application logs in Event Viewer for the last boot. No
Information Reports or Duplicates please. Indicate which also appear in
a previous boot.

You can access Event Viewer by selecting Start, Control Panel,
Administrative Tools, and Event Viewer.

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/kb/308427/en-us

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window, which appears is a
button resembling two pages. Click the button and close Event
Viewer.Now start your message (email) and do a paste into the body of
the message. Make sure this is the first paste after exiting from
Event Viewer.


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~