
Vista 64 Blue Screen of Death



#1
irarab

I have an HP Pavilion dv9933cl notebook running Windows Vista Home Premium 64-bit. I randomly get a blue screen of death. I attached one of my dump files, Mini010709-01.dmp. I had to rename the extension to txt because I was not able to upload it with the dmp extension.

Here is my report from WhoCrashed.

Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\Windows\Minidump

Crash dumps are enabled on your computer.


On Thu 1/8/2009 1:16:17 PM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x4A (0x753F385E, 0x2, 0x0, 0xFFFFFA600BDE5CA0)
Error: IRQL_GT_ZERO_AT_SYSTEM_SERVICE
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Likely the culprit is another driver on your system which cannot be identified.



On Thu 1/8/2009 1:07:59 AM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x4A (0x7595385E, 0x2, 0x0, 0xFFFFFA600BA03CA0)
Error: IRQL_GT_ZERO_AT_SYSTEM_SERVICE
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Likely the culprit is another driver on your system which cannot be identified.



On Thu 1/8/2009 12:16:17 AM your computer crashed
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x4A (0x7536385E, 0x2, 0x0, 0xFFFFFA600A475CA0)
Error: IRQL_GT_ZERO_AT_SYSTEM_SERVICE
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Likely the culprit is another driver on your system which cannot be identified.


Edited by irarab, 08 January 2009 - 12:17 PM.

  • 0



#2
jcgriff2

Hi -

I ran the lone mini kernel dump and came up with the same bugcheck as has been reported -

0x4a (0x7536385e, 0x2, 0x0, 0xfffffa600a475ca0), with the probable cause listed as ntkrnlmp.exe - the NT Kernel.

0x4a = IRQL_GT_ZERO_AT_SYSTEM_SERVICE = a driver (called by system) transitioned from kernel-mode to user-mode while the IRQL was too high. This could be a rogue driver. Even though the NT Kernel is listed as the probable cause of the BSOD, I highly doubt it is to blame here. The loaded driver listing found in the dump appears to me to contain recent Windows Updates. Furthermore, I would expect a different bugcheck if in fact the NT Kernel was involved, as that would mean kernel code corruption.

If this BSOD is software related, the driver actually responsible was not named because it was "protected" (hiding) under the memory address range of the NT Kernel.

One way to try and flush the culprit out is to run the Vista Driver Verifier. The object here is to produce a verifier-enabled mini kernel dump that will hopefully provide the name of a non-ms driver. To run it, please do the following:

START | type cmd.exe | right-click on cmd.exe up top under programs | Run as Administrator | type verifier & hit enter - the Verifier screen will appear | do the following:
1. Select 2nd option - Create custom settings (for code developers)
2. Select 2nd option - Select individual settings from a full list.
3. Check the boxes
	• Special Pool 
	• Pool Tracking 
	• Force IRQL checking
4. Select last option - Select driver names from a list 
5. Click on the Provider heading - sorts list by Provider
6. Check ALL boxes where Microsoft is not the Provider
7. Click on Finish 
8. Re-boot


If the Driver Verifier (DV) finds a violation (flags a driver), it will result in a BSOD. To see the status of the D/Verifier, bring up an elevated cmd/DOS prompt and type verifier - select the last option on the first screen - "Display information about the currently verified drivers..". If your system becomes too unstable (the d/v utilizes CPU & RAM), turn d/v off - type verifier /reset then re-boot.

If you get a verifier-enabled BSOD, get the mini dump - go to \windows\minidump - copy it out, zip it up and attach.

In the interim, I need system information from you. Please follow THESE instructions. Attach the resulting zip files to your next post.

The full dbug log is attached.

Any ? - please let me know.

Regards. . .

jcgriff2

.


Edited by jcgriff2, 08 January 2009 - 05:54 PM.

  • 0

#3
irarab

jcgriff2,

Thank you in advance for all of your help. I tried the Vista Driver Verifier twice and it ran fine (no dump).

I followed the instructions you gave me and I attached a zip file with the output. When I ran the bat file I got this message for the event log:

Dumping Vista System Event Viewer Log. . .  50,000 records

   This will take a minute or so...	executing ...

Failed to read events. The data is invalid.

ECHO is off.
  Fri 01/09/2009  0:28:57.18

   Dumping Vista Application Event Viewer Log. . .  50,000 records
				...   D  O  N  E
Does that mean there is something wrong with the event log? How do I fix it?

It won't let me attach the TSF_Vista_Support zip file, it's bigger than 500k :).

I broke it up into 3 files, each smaller than 500k, using hjsplit and I'm attaching it in the next 3 posts.

Ira


Edited by irarab, 09 January 2009 - 12:58 AM.

  • 0

#4
irarab

TSF_Vista_Support part 1 (using hjsplit)

I also had to rename it to allow it to be attached.

Original file name: TSF_Vista_Support.zip.001

New Name: TSF_Vista_Support.zip.001.txt


Edited by irarab, 09 January 2009 - 12:40 AM.

  • 0

#5
irarab

TSF_Vista_Support part 2 (using hjsplit)

I also had to rename it to allow it to be attached.

Original file name: TSF_Vista_Support.zip.002

New Name: TSF_Vista_Support.zip.002.txt


  • 0

#6
irarab

TSF_Vista_Support part 3 (using hjsplit)

I also had to rename it to allow it to be attached.

Original file name: TSF_Vista_Support.zip.003

New Name: TSF_Vista_Support.zip.003.txt

That's all of them. I got to jump thru hoops to get this to you :). Thank you in advance for all of your help


  • 0

#7
jcgriff2

Hi Ira -

Very nice job splitting the zip files. I was able to re-assemble & un-zip in < 1 minute. Sorry you had so many obstacles. I should have mentioned the aggregate size involved. I do believe it was worthwhile. One question, though - re: the driver verifier. None of the dumps I received were Vista verifier enabled dumps, so I assume that the d/v was executed after the last BSOD? If you have any dumps that are verifier-enabled, please zip up and attach. They would contain potential leads not found in non-ver-enabled dumps.

In the last post, I ran the 1 dump file that you provided w/ timestamp of Wed Jan 7 19:12:36.206 2009 (GMT-5) and named Mini010809-01.dmp. The zip files you attached revealed the presence of 4 additional mini kernel dump files from BSODs that occurred within the next 22 hours.

All of the dumps had identical bugchecks w/ the parms differing slightly b/c they are memory addresses:

0x4a (0x7545385e, 0x2, 0x0, 0xfffffa600c54dca0), probable cause = ntkrnlmp.exe - the NT Kernel. The process that was running at the time of all 5 BSODs was RIMDeviceManage. Although not specifically named, these 2 drivers found in the dumps fit nicely with the process and their timestamps show them to be almost 2 years old. I believe they contributed to the BSODs:
fffffa60`03714000 fffffa60`03728000  rimmpx64.sys		   Sun Mar 18 23:09:34 2007 (45FDFEEE)
fffffa60`02ff4000 fffffa60`02ffb680  RimSerial_AMD64.sys	Tue Jan 09 11:50:11 2007 (45A3C7C3)


The verbose output of driverquery provides additional information on the 2 drivers above and gives us 3 others. They are all kernel mode drivers; 3 of the 5 auto-start; 4/5 were running when these reports were produced:
rimmptsk	 rimmptsk			   Kernel   3/18/2007 11:09:34 PM  C:\Windows\system32\DRIVERS\rimmpx64.sys		 Auto	   Running
rimsptsk	 rimsptsk			   Kernel   2/27/2007 2:10:37 AM   C:\Windows\system32\DRIVERS\rimspx64.sys		 Auto	   Running
RimUsb	   BlackBerry Smartphone  Kernel   4/16/2008 10:49:32 AM  C:\Windows\system32\Drivers\RimUsb_AMD64.sys	 Manual	 Stopped
RimVSerPort  RIM Virtual Serial Por Kernel   1/9/2007 11:50:11 AM   C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys  Manual	 Running
rismxdp	  Ricoh xD-Picture Card  Kernel   3/26/2007 6:48:23 AM   C:\Windows\system32\DRIVERS\rixdpx64.sys		 Auto	   Running


I would start w/ these drivers - see if updates available. Check in with the Device Manager to look for red/yellow flags. Be sure to enable hidden devices under the view tab.
START | devmgmt.msc

I have listed a brief summary of the 5 BSODs below in the code box. Full dbug logs are attached to this post.

There is still a lot to go over. I will be looking at PERFMON and msinfo32 next along w/ application event log. Speaking of which - go into the Event Viewer and see if you can locate the log named System - you mentioned error and it came to me as empty file. See if it exists and what is in it, please. If you can, save it as an EVTX file - zip up and attach. One can never have too much system info to look at!

Have a good weekend.

Regards. . .

jcgriff2

.

BSOD Bugcheck Summary
Built by: 6001.18145.amd64fre.vistasp1_gdr.080917-1612
Debug session time: Thu Jan  8 17:15:04.167 2009 (GMT-5)
System Uptime: 0 days 8:59:25.504
BugCheck 4A, {7545385e, 2, 0, fffffa600c54dca0}
Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+209 )
PROCESS_NAME:  RIMDeviceManage
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Built by: 6001.18145.amd64fre.vistasp1_gdr.080917-1612
Debug session time: Thu Jan  8 01:53:31.898 2009 (GMT-5)
System Uptime: 0 days 2:18:46.208
BugCheck 4A, {753f385e, 2, 0, fffffa600bde5ca0}
Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+209 )
PROCESS_NAME:  RIMDeviceManage
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Built by: 6001.18145.amd64fre.vistasp1_gdr.080917-1612
Debug session time: Wed Jan  7 19:12:36.206 2009 (GMT-5)
System Uptime: 0 days 1:36:29.400
BugCheck 4A, {7536385e, 2, 0, fffffa600a475ca0}
Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+209 )
PROCESS_NAME:  RIMDeviceManage
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Built by: 6001.18145.amd64fre.vistasp1_gdr.080917-1612
Debug session time: Wed Jan  7 20:06:10.716 2009 (GMT-5)
System Uptime: 0 days 0:52:13.711
BugCheck 4A, {7595385e, 2, 0, fffffa600ba03ca0}
Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+209 )
PROCESS_NAME:  RIMDeviceManage
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Built by: 6001.18145.amd64fre.vistasp1_gdr.080917-1612
Debug session time: Wed Jan  7 19:12:36.206 2009 (GMT-5)
System Uptime: 0 days 1:36:29.400
BugCheck 4A, {7536385e, 2, 0, fffffa600a475ca0}
Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+209 )
PROCESS_NAME:  RIMDeviceManage


  • 0
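Added example, not part of the thread or written by its participants: a Python sketch of the triage done by hand in post #7, collapsing the bugcheck summary to distinct dumps, naming the IRQL carried in the second 0x4A argument, and decoding the hex link timestamp shown after each loaded module. The function names, the 365-day threshold and the default crash date are assumptions chosen for illustration; the sample text is an excerpt of the output posted above.

```python
import re
from datetime import datetime, timezone

IRQL = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}  # x64 software IRQLs
# Constructed sample: three entries from the summary above (one dump is listed
# twice in the thread) followed by the two loaded-module lines.
SAMPLE = """\
Debug session time: Wed Jan  7 19:12:36.206 2009 (GMT-5)
BugCheck 4A, {7536385e, 2, 0, fffffa600a475ca0}
PROCESS_NAME:  RIMDeviceManage
Debug session time: Wed Jan  7 20:06:10.716 2009 (GMT-5)
BugCheck 4A, {7595385e, 2, 0, fffffa600ba03ca0}
PROCESS_NAME:  RIMDeviceManage
Debug session time: Wed Jan  7 19:12:36.206 2009 (GMT-5)
BugCheck 4A, {7536385e, 2, 0, fffffa600a475ca0}
PROCESS_NAME:  RIMDeviceManage
fffffa60`03714000 fffffa60`03728000  rimmpx64.sys  Sun Mar 18 23:09:34 2007 (45FDFEEE)
fffffa60`02ff4000 fffffa60`02ffb680  RimSerial_AMD64.sys  Tue Jan 09 11:50:11 2007 (45A3C7C3)
"""
DUMP_RE = re.compile(
    r"Debug session time: (?P<when>[^\n(]+?)\s*\(GMT.*?"
    r"BugCheck (?P<code>[0-9A-F]+), \{(?P<args>[^}]*)\}.*?"
    r"PROCESS_NAME:\s+(?P<proc>\S+)", re.S)  # tolerates extra lines between fields
MODULE_RE = re.compile(
    r"^[0-9a-f`]+ [0-9a-f`]+\s+(?P<name>\S+)\s+.*\((?P<stamp>[0-9A-Fa-f]{8})\)\s*$", re.M)

def unique_crashes(text):
    """One record per distinct dump; for bugcheck 0x4A, argument 2 is the IRQL."""
    seen, out = set(), []
    for m in DUMP_RE.finditer(text):
        args = tuple(int(a, 16) for a in m["args"].split(","))
        if (m["when"], args) in seen:   # same dump analysed twice
            continue
        seen.add((m["when"], args))
        out.append({"when": m["when"], "code": int(m["code"], 16),
                    "irql": IRQL.get(args[1], hex(args[1])), "process": m["proc"]})
    return out

def driver_build_dates(text):
    """Decode each module's hex link timestamp (seconds since 1970) as UTC."""
    return {m["name"]: datetime.fromtimestamp(int(m["stamp"], 16), tz=timezone.utc)
            for m in MODULE_RE.finditer(text)}

def stale_drivers(text, crash=datetime(2009, 1, 8, tzinfo=timezone.utc), days=365):
    """Sorted names of modules built more than `days` before the crash date."""
    built = driver_build_dates(text)
    return sorted(n for n, d in built.items() if (crash - d).days > days)
```

The decoded values are UTC, so they differ from the debugger's local-time display by the zone offset (03:09:34 UTC on 19 March 2007 for rimmpx64.sys against the 23:09:34 of 18 March shown in the post).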





