Blue Screen! Big Problems.



#1
blueraider

  • Member
  • 31 posts
I have been getting help on the Malware board because of computer problems. Now over the past couple of days I have been getting a blue screen saying:

IRQL_NOT_LESS_OR_EQUAL. It dumped memory and I had to restart. An alert popped up saying the system had recovered from a serious error. This is the error signature:
BCCode : a BCP1 : 00000000 BCP2 : 00000002 BCP3 : 00000000
BCP4 : 805339A6 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

And this was in the error report:
C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\WER818b.dir00\Mini041009-01.dmp
C:\DOCUME~1\DEREKM~1\LOCALS~1\Temp\WER818b.dir00\sysdata.xml

I have been unable to download the latest updates. My computer will start to download them and then will stop, saying there was an error and Windows may not properly work. I read the pinned post about it, but I have not put in any new hardware in quite some time. I think some of this may be due to my computer trying to install SP3. Any help would be greatly appreciated.
  • 0



#2
rshaffer61

  • Moderator
  • 34,114 posts
Has the tech helping you in Malware forum given you a clean bill of health yet?
  • 0

#3
Oreo Collas

  • Member
  • 242 posts
Hey rshaffer61, I reviewed his malware thread and it looks like they did give him a clean bill and directed him to post here.
  • 0

#4
rshaffer61

  • Moderator
  • 34,114 posts
Thanks Oreo Collas. That helps, don't want to deal with an infection and try to help.
That being verified, let's see what we can do.
Blueraider, is the BSOD coming up on bootup or in Windows?
Is it happening in a certain program?
Can you boot into safe mode?
Have you tried to boot to last known configuration?
Can you boot into normal mode for any length of time?
If you can get into normal mode, let's try the following:


Download WhoCrashed from the link in my signature below
This program checks for any drivers which may have been causing your computer to crash....

Click on the file you just downloaded and run it
Put a tick in accept then click on next
Put a tick in the don't create a start menu folder then click next
Put a tick in create a desktop icon then click on install and make sure there is a tick in launch whocrashed before clicking finish
Click Analyze ...
It will want to download the debugger and install it...say yes...
WhoCrashed will create report...you have to scroll down to see it
Copy and paste it into your next reply...


Let's see what you have in your startup
Please click on
Start>>Run>>Type in msconfig>>>press enter
Now click on Startups
Then uncheck everything and restart.
If system boots correctly and is running smoothly and faster then we have a startup problem
Try going back into msconfig and check one item and reboot
Keep doing that till you have found the problem or all are finally checked.
Post back with the results

Let's see what you have in your startup services area
Please click on
Start>>Run>>Type in msconfig>>>press enter
Now click on Services
Click on Hide All Microsoft Services
Then uncheck everything and restart.
If system boots correctly and is running smoothly and faster then we have a service problem
Try going back into msconfig and check one item and reboot
Keep doing that till you have found the problem or all are finally checked.
Post back with the results
  • 0

#5
blueraider

  • Topic Starter
  • Member
  • 31 posts
I have been in normal mode. My computer will be working fine, then all of a sudden will crash and get the blue screen.
Here's the WhoCrashed log:
Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\WINDOWS\Minidump

Crash dumps are enabled on your computer.


On Mon 4/13/2009 2:33:00 AM your computer crashed
This was likely caused by the following module: ntkrnlpa.exe
Bugcheck code: 0x1000008E (0xC0000005, 0x805B2CA9, 0xF6C67A50, 0x0)
Error: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M
file path: C:\WINDOWS\system32\ntkrnlpa.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Likely the culprit is another driver on your system which cannot be identified.



On Sun 4/12/2009 5:29:21 PM your computer crashed
This was likely caused by the following module: ntkrnlpa.exe
Bugcheck code: 0xA (0x0, 0x2, 0x0, 0x805339A6)
Error: IRQL_NOT_LESS_OR_EQUAL
file path: C:\WINDOWS\system32\ntkrnlpa.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Likely the culprit is another driver on your system which cannot be identified.



On Fri 4/10/2009 6:19:44 PM your computer crashed
This was likely caused by the following module: ntkrnlpa.exe
Bugcheck code: 0xA (0x0, 0x2, 0x0, 0x805339A6)
Error: IRQL_NOT_LESS_OR_EQUAL
file path: C:\WINDOWS\system32\ntkrnlpa.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Likely the culprit is another driver on your system which cannot be identified.




--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

3 crash dumps have been found and analyzed. Note that it's not always possible to state with certainty whether a reported driver is really responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.
  • 0

#6
rshaffer61

  • Moderator
  • 34,114 posts
Go to
Start>Run>Type in eventvwr.msc Press Enter
On left side click on Applications. On right side look for any RED X about the time of an incident
On left side click on Hardware. On right side look for any Red X about the same time of an incident
Also look for any yellow exclamation mark at the same time in either of the above

Check by double clicking a red x at the same time the BSOD happened
for example there was one at 2:33 am this morning
This will give you more info on what caused the crash


Also, let's check your memory and make sure there is no issue with it. Download memtest86 from the link in my signature below.


Get the file that is named Download - The one you want is "Download - Pre-compiled Bootable ISO (.zip)". When it downloads, it will be labeled "memtest86+2.11.iso.zip".
Unzip the file once you download it. You should have a .iso file in the unzipped directory.

If you don't have a burning program that will burn .ISO files, get BurnCDCC in my signature below.

NOTE...do not put a blank cd in until burncdcc opens the tray for you
1. Start BurnCDCC
2. Browse to the ISO file you want to burn on cd/dvd ....in this case it's memtest86.iso
3. Select the ISO file
4. click on Start

Make sure the bios is set for the cd drive as the first boot device
Put the cd in the cd drive and then boot your computer.


Run memtest for at least 2 hours
If it starts showing any errors during that time then you will have to replace the memory
If there are no errors after 2 hours press Esc and that will end the tests
We will then try other options

Include any in next reply

Edited by rshaffer61, 12 April 2009 - 09:41 PM.

  • 0

#7
Broni

    Kraków my love :)

  • Member
  • 12,300 posts
Also...

Navigate to: C:\Windows\Minidump folder.
If you see any .dmp files, zip all of them, and attach zipped file to your next reply.
  • 0

#8
blueraider

  • Topic Starter
  • Member
  • 31 posts
I ran the memtest for over 2 hours and there were no errors. There are many red x's and warnings in the applications, but there wasn't a hardware tab for me to click on. Here's the zip file of the dump file.

Attached Files


  • 0

#9
edge2022

    Member 2k

  • Member
  • 2,117 posts
This is the first time I tried to debug any minidump files. :) I tried yours, but all I could find out is that it was a driver issue. The rest of the data was inconclusive. Wait for Broni's reply though, he looks very experienced in looking at minidumps and finding out the problem. If even he can't find the source of the error, you might want to try to repair Windows. http://www.geekstogo...ws-XP-t138.html
Good Luck!
  • 0

#10
edge2022

    Member 2k

  • Member
  • 2,117 posts
Here are some other things I saw in your minidumps

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805b2ca9, The address that the exception occurred at
Arg3: f6c67a50, Trap Frame
Arg4: 00000000

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!ObpIncrementUnnamedHandleCount+319
805b2ca9 ?? ???

TRAP_FRAME: f6c67a50 -- (.trap 0xfffffffff6c67a50)
Unable to read trap frame at f6c67a50

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ObpIncrementUnnamedHandleCount+319
805b2ca9 ?? ???

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!ObpIncrementUnnamedHandleCount+319

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48a3f93a

FAILURE_BUCKET_ID: 0x8E_nt!ObpIncrementUnnamedHandleCount+319

BUCKET_ID: 0x8E_nt!ObpIncrementUnnamedHandleCount+319

Followup: MachineOwner


Hope someone can make some sense of this. Try resetting your BIOS settings to the factory defaults.
EDIT: This info is from your latest minidump, the others were IRQL errors, while this was a kernel mode exception not handled error.

Edited by edge2022, 13 April 2009 - 04:15 PM.

  • 0



#11
edge2022

    Member 2k

  • Member
  • 2,117 posts
This is from the IRQL error

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 805339a6, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExpScanGeneralLookasideList+9e
805339a6 ?? ???

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 805339a6 to 8053fa93

STACK_TEXT:
aa36f9f8 805339a6 badb0d00 aa36fa78 855b8b78 nt!KiTrap0C+0x17
aa36fae8 80606d98 852b8000 00001000 aa36fd14 nt!ExpScanGeneralLookasideList+0x9e
aa36fd30 8611ad10 00000005 852b8000 00001000 nt!ExpIsValidUILanguage+0x3e
WARNING: Frame IP not in any known module. Following frames may be wrong.
aa36fd58 861072c0 00000005 aa36fd78 00000000 0x8611ad10
aa36fdac 805c4d5a 86174084 00000000 00000000 0x861072c0
aa36fddc 805411e2 86107266 86174084 00000000 nt!PsReferencePrimaryToken+0x64
00000000 00000000 00000000 00000000 00000000 nt!KeProfileInterrupt+0x6


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExpScanGeneralLookasideList+9e
805339a6 ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExpScanGeneralLookasideList+9e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48a3f93a

FAILURE_BUCKET_ID: 0xA_nt!ExpScanGeneralLookasideList+9e

BUCKET_ID: 0xA_nt!ExpScanGeneralLookasideList+9e

Followup: MachineOwner


  • 0

#12
usasma

  • Member
  • 636 posts
  • MVP
Memory dumps are best analyzed in groups, and with a detailed history of the events leading up to the blue screen events. That way you can see the relationship between the events and attempt to figure out a common factor. Often it's something that seems insignificant that can reveal the fix for an issue.

Most BSODs are caused by drivers, with malware being the next most common reason. Causes due to a Windows corruption are actually pretty rare. A hardware malfunction can also cause this sort of problem.

Here's a how-to on generating an analysis of the Blue Screen events: http://usasma.vox.co...ed-02oct08.html It may appear a bit complicated, but following it step by step will result in a useful analysis. Once you get the hang of it it'll take about 30 seconds to generate the report.

All of that being said, here are the analyses of the memory dumps that were uploaded (in order from oldest to most recent):

Microsoft ® Windows Debugger Version 6.9.0003.113 AMD64
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\FUBAR\Downloads\Minidump\Mini041009-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.080814-1233
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553420
Debug session time: Fri Apr 10 14:14:10.968 2009 (GMT-4)
System Uptime: 0 days 2:00:13.532
Loading Kernel Symbols
....................................................................................................
...........................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 0, 805339a6}

Probably caused by : ntkrnlpa.exe ( nt!ExpGetProcessInformation+15c )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 805339a6, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExpGetProcessInformation+15c
805339a6 8b3f mov edi,dword ptr [edi]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

TRAP_FRAME: aa36f9f8 -- (.trap 0xffffffffaa36f9f8)
ErrCode = 00000000
eax=00002348 ebx=f7c0afd0 ecx=86042740 edx=aa36fa78 esi=860426e8 edi=00000000
eip=805339a6 esp=aa36fa6c ebp=aa36fae8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!ExpGetProcessInformation+0x15c:
805339a6 8b3f mov edi,dword ptr [edi] ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 805339a6 to 8053fa93

STACK_TEXT:
aa36f9f8 805339a6 badb0d00 aa36fa78 855b8b78 nt!KiTrap0E+0x233
aa36fae8 80606d98 852b8000 00001000 aa36fd14 nt!ExpGetProcessInformation+0x15c
aa36fd30 8611ad10 00000005 852b8000 00001000 nt!NtQuerySystemInformation+0x728
WARNING: Frame IP not in any known module. Following frames may be wrong.
aa36fdac 805c4d5a 86174084 00000000 00000000 0x8611ad10
aa36fddc 805411e2 86107266 86174084 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExpGetProcessInformation+15c
805339a6 8b3f mov edi,dword ptr [edi]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExpGetProcessInformation+15c

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48a3f93a

FAILURE_BUCKET_ID: 0xA_nt!ExpGetProcessInformation+15c

BUCKET_ID: 0xA_nt!ExpGetProcessInformation+15c

Followup: MachineOwner
---------

Microsoft ® Windows Debugger Version 6.9.0003.113 AMD64
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\FUBAR\Downloads\Minidump\Mini041209-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.080814-1233
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553420
Debug session time: Sun Apr 12 03:42:13.656 2009 (GMT-4)
System Uptime: 1 days 13:22:46.207
Loading Kernel Symbols
....................................................................................................
...........................................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 0, 805339a6}

Probably caused by : ntkrnlpa.exe ( nt!ExpGetProcessInformation+15c )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 805339a6, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExpGetProcessInformation+15c
805339a6 8b3f mov edi,dword ptr [edi]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

TRAP_FRAME: aa4fd9f8 -- (.trap 0xffffffffaa4fd9f8)
ErrCode = 00000000
eax=00006130 ebx=f7bacd78 ecx=869f69a8 edx=aa4fda78 esi=869f6950 edi=00000000
eip=805339a6 esp=aa4fda6c ebp=aa4fdae8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!ExpGetProcessInformation+0x15c:
805339a6 8b3f mov edi,dword ptr [edi] ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 805339a6 to 8053fa93

STACK_TEXT:
aa4fd9f8 805339a6 badb0d00 aa4fda78 8285f7c8 nt!KiTrap0E+0x233
aa4fdae8 80606d98 f82e3000 00001000 aa4fdd14 nt!ExpGetProcessInformation+0x15c
aa4fdd30 8613fd10 00000005 f82e3000 00001000 nt!NtQuerySystemInformation+0x728
WARNING: Frame IP not in any known module. Following frames may be wrong.
aa4fddac 805c4d5a 86199084 00000000 00000000 0x8613fd10
aa4fdddc 805411e2 8612c266 86199084 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExpGetProcessInformation+15c
805339a6 8b3f mov edi,dword ptr [edi]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExpGetProcessInformation+15c

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48a3f93a

FAILURE_BUCKET_ID: 0xA_nt!ExpGetProcessInformation+15c

BUCKET_ID: 0xA_nt!ExpGetProcessInformation+15c

Followup: MachineOwner
---------

Microsoft ® Windows Debugger Version 6.9.0003.113 AMD64
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\FUBAR\Downloads\Minidump\Mini041209-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.080814-1233
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553420
Debug session time: Sun Apr 12 17:51:16.953 2009 (GMT-4)
System Uptime: 0 days 4:22:12.500
Loading Kernel Symbols
....................................................................................................
...........................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 805b2ca9, f6c67a50, 0}

Probably caused by : usbehci.sys ( usbehci!EHCI_HardwarePresent+12 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805b2ca9, The address that the exception occurred at
Arg3: f6c67a50, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!NtQueryDirectoryObject+1ef
805b2ca9 0fb74040 movzx eax,word ptr [eax+40h]

TRAP_FRAME: f6c67a50 -- (.trap 0xfffffffff6c67a50)
Unable to read trap frame at f6c67a50

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from 8053ca48 to 805b2ca9

STACK_TEXT:
f6c67b58 8053ca48 80001490 85ab3000 00010000 nt!NtQueryDirectoryObject+0x1ef
f6c67b58 804fdfd9 80001490 85ab3000 00010000 nt!KiFastCallEntry+0xf8
f6c67c10 f789a39c f7c05c20 f6c67d93 f6c67cf4 nt!ZwQueryDirectoryObject+0x11
f6c67c34 f6c67d08 00000037 00000000 00000166 usbehci!EHCI_HardwarePresent+0x12
WARNING: Frame IP not in any known module. Following frames may be wrong.
f6c67dac 805c4d5a 861d9368 00000000 00000000 0xf6c67d08
f6c67ddc 805411e2 86190870 861d9368 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND: kb

FOLLOWUP_IP:
usbehci!EHCI_HardwarePresent+12
f789a39c 83f8ff cmp eax,0FFFFFFFFh

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: usbehci!EHCI_HardwarePresent+12

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: usbehci

IMAGE_NAME: usbehci.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107d62

FAILURE_BUCKET_ID: 0x8E_usbehci!EHCI_HardwarePresent+12

BUCKET_ID: 0x8E_usbehci!EHCI_HardwarePresent+12

Followup: MachineOwner
---------


Finally, here's the lm (loaded modules) output from the last dump file:

kd> lm
start end module name
804d7000 806cd600 nt (pdb symbols) c:\symbols\ntkrnlpa.pdb\80B61DF4CE8342FE98E7159D75D41A611\ntkrnlpa.pdb
806ce000 806ee380 hal (deferred)
a944f000 a945b000 tmactmon (deferred)
a96f7000 a9718000 tmcomm (deferred)
a981c000 a981e6c0 mdmxsdk (deferred)
a99ed000 a9a3e580 srv (deferred)
a9a67000 a9a7b400 wdmaud (deferred)
a9b44000 a9b84380 HTTP (deferred)
a9bd5000 a9c01400 mrxdav (deferred)
a9d12000 a9d1e000 tmevtmgr (deferred)
a9e42000 a9e50d80 sysaudio (deferred)
a9f2e000 a9f31280 ndisuio (deferred)
a9f4a000 a9f5f3c0 DLAUDF_M (deferred)
a9f60000 a9f77040 DLAUDFAM (deferred)
a9f78000 a9f8d1c0 DLAIFS_M (deferred)
a9fb6000 a9fbe080 ipfltdrv (deferred)
aa056000 aa099000 tmxpflt (deferred)
aa099000 aa1bb320 vsapint (deferred)
aa208000 aa20b920 DLAOPIOM (deferred)
aa314000 aa31d5a0 DRVNDDM (deferred)
aa34c000 aa363480 dump_atapi (deferred)
aa3ac000 aa3ae900 Dxapi (deferred)
aa3b4000 aa422c00 mrxsmb (deferred)
aa423000 aa44e180 rdbss (deferred)
aa44f000 aa48b000 rt2500usb (deferred)
aa48b000 aa4acc80 afd (deferred)
aa4ad000 aa4d4c00 netbt (deferred)
aa4d5000 aa4f5f00 ipnat (deferred)
aa51e000 aa575f80 tcpip (deferred)
aa576000 aa588400 ipsec (deferred)
aa589000 aa5ca000 SbFw (deferred)
aa5ea000 aa604000 cmdguard (deferred)
aa664000 aa671000 tmpreflt (deferred)
aa6a4000 aa6c7980 portcls (deferred)
aa6c8000 aa7bf5e0 sthda (deferred)
bf000000 bf011580 dxg (deferred)
bf012000 bf020000 ialmrnt5 (deferred)
bf020000 bf042000 ialmdnt5 (deferred)
bf042000 bf0760a0 ialmdev5 (deferred)
bf077000 bf15a000 ialmdd5 (deferred)
bf800000 bf9c2c00 win32k (deferred)
f6da2000 f6dd5200 update (deferred)
f6dde000 f6de0f00 ws2ifsl (deferred)
f6dfe000 f6e2e100 rdpdr (deferred)
f6e2f000 f6e3fe00 psched (deferred)
f6e40000 f6e56680 ndiswan (deferred)
f6e57000 f6e7d000 e100b325 (deferred)
f6e7d000 f6f23300 HSF_CNXT (deferred)
f6f24000 f7022800 HSF_DP (deferred)
f7023000 f7045680 ks (deferred)
f7046000 f7079d00 HSFHWBS2 (deferred)
f707a000 f709ce80 USBPORT (deferred)
f709d000 f70c5000 HDAudBus (deferred)
f70c5000 f70d8780 VIDEOPRT (deferred)
f70d9000 f72170a0 ialmnt5 (deferred)
f7220000 f7223a00 kbdhid (deferred)
f7224000 f7226f80 mouhid (deferred)
f7234000 f7237f00 MODEMCSA (deferred)
f7238000 f723a580 hidusb (deferred)
f7271000 f728b580 Mup (deferred)
f728c000 f72b8a80 NDIS (deferred)
f72b9000 f72cb000 inspect (deferred)
f72cb000 f7357480 Ntfs (deferred)
f7358000 f736b000 WudfPf (deferred)
f736b000 f7381780 KSecDD (deferred)
f7382000 f7397440 DRVMCDB (deferred)
f7398000 f73a9f00 sr (deferred)
f73aa000 f73c8780 fltmgr (deferred)
f73c9000 f73e0800 SCSIPORT (deferred)
f73e1000 f73f8480 atapi (deferred)
f73f9000 f741e700 dmio (deferred)
f741f000 f743d880 ftdisk (deferred)
f743e000 f744ea80 pci (deferred)
f744f000 f747cd80 ACPI (deferred)
f757e000 f7586c00 isapnp (deferred)
f758e000 f7598500 MountMgr (deferred)
f759e000 f75aac80 VolSnap (deferred)
f75ae000 f75b6e00 disk (deferred)
f75be000 f75ca200 CLASSPNP (deferred)
f75de000 f75e6d00 intelppm (deferred)
f75ee000 f75f8380 imapi (deferred)
f75fe000 f760a180 cdrom (deferred)
f760e000 f761c080 redbook (deferred)
f761e000 f762a880 rasl2tp (deferred)
f762e000 f7638200 raspppoe (deferred)
f763e000 f7649d00 raspptp (deferred)
f764e000 f7656900 msgpc (deferred)
f765e000 f7667f00 termdd (deferred)
f766e000 f767d000 sbfwim (deferred)
f767e000 f7687480 NDProxy (deferred)
f76ae000 f76bcb80 drmk (deferred)
f76be000 f76cc100 usbhub (deferred)
f76de000 f76e6700 wanarp (deferred)
f76ee000 f76f6700 netbios (deferred)
f770e000 f771d000 tmtdi (deferred)
f771e000 f7726880 Fips (deferred)
f773e000 f7746d80 HIDCLASS (deferred)
f777e000 f778d900 Cdfs (deferred)
f77fe000 f7804200 PCIIDEX (deferred)
f7806000 f780a900 PartMgr (deferred)
f780e000 f78151c0 cercsr6 (deferred)
f7816000 f781b000 PxHelp20 (deferred)
f781e000 f7822880 TDI (deferred)
f784e000 f7853000 usbuhci (deferred)
f7856000 f785c800 usbehci (deferred)
f785e000 f78643e0 DLABOIOM (deferred)
f786e000 f7875580 Modem (deferred)
f788e000 f7893000 GEARAspiWDM (deferred)
f78a6000 f78aa920 AegisP (deferred)
f78ae000 f78b2580 ptilink (deferred)
f78be000 f78c2080 raspti (deferred)
f78c6000 f78cc000 kbdclass (deferred)
f78ce000 f78d3a00 mouclass (deferred)
f78f6000 f78fa500 watchdog (deferred)
f7906000 f790b860 DLARTL_N (deferred)
f7916000 f791c180 HIDPARSE (deferred)
f791e000 f7923200 vga (deferred)
f792e000 f7932a80 Msfs (deferred)
f793e000 f7945880 Npfs (deferred)
f7956000 f795b000 cmdhlp (deferred)
f798e000 f7991000 BOOTVID (deferred)
f7a2e000 f7a30280 rasacd (deferred)
f7a36000 f7a38580 ndistapi (deferred)
f7a5a000 f7a5dc80 mssmbios (pdb symbols) c:\symbols\mssmbios.pdb\CEAE494998B24A458588AE7866D1B9421\mssmbios.pdb
f7a7e000 f7a7fb80 kdcom (deferred)
f7a80000 f7a81100 WMILIB (deferred)
f7a82000 f7a83580 intelide (deferred)
f7a84000 f7a85700 dmload (deferred)
f7a88000 f7a895c0 DLACDBHM (deferred)
f7a8e000 f7a8f100 swenum (deferred)
f7a96000 f7a97280 USBD (deferred)
f7a98000 f7a9a000 i2omgmt (deferred)
f7a9c000 f7a9df00 Fs_Rec (deferred)
f7aa0000 f7aa1080 Beep (deferred)
f7aa4000 f7aa5080 mnmdd (deferred)
f7aa8000 f7aa9080 RDPCDD (deferred)
f7aee000 f7aef500 dsunidrv (deferred)
f7b10000 f7b11100 dump_WMILIB (deferred)
f7b44000 f7b458a0 DLAPoolM (deferred)
f7b46000 f7b46d00 pciide (deferred)
f7b6d000 f7b6d980 DLADResN (deferred)
f7bad000 f7badd00 dxgthk (deferred)
f7c32000 f7c32c00 audstub (deferred)
f7c88000 f7c88b80 Null (deferred)

Unloaded modules:
a99a0000 a99ca000 kmixer.sys
f7bea000 f7beb000 drmkaud.sys
a9d72000 a9d7f000 DMusic.sys
a9a7c000 a9a8a000 swmidi.sys
a99ca000 a99ed000 aec.sys
f7aac000 f7aae000 splitter.sys
f76fe000 f770e000 serial.sys
f76ce000 f76db000 i8042prt.sys
f7a22000 f7a26000 kbdhid.sys
f78f6000 f78fb000 Cdaudio.SYS
f7224000 f7227000 Sfloppy.SYS


So, we've got this:
STOP 0x0a in ntkrnlpa.exe
STOP 0x0a in ntkrnlpa.exe (nearly identical to the previous one)
STOP 0x8e in usbehci.sys

All three errors occurred because of memory accesses that weren't valid.
The third one points to the USB drivers.
All three errors have similar stack traces (with the USB one being just a tad bit different).
From the stack traces it seems that this occurs after this event: nt!PspSystemThreadStartup
Due to the involvement of the usbehci.sys driver and the Query/Get calls in the stack trace, it's reasonable to assume that this is some sort of routine that's starting and asking for information from the system in an improper way.

Here's a brief description of the first 2 errors: http://aumha.org/a/stop.php#0x0a
And here's one of the last error: http://aumha.org/a/stop.php#0x8e

So, I'd check to see if there's a USB device that's connected to the computer. If so, what is it?
Have you added any new programs/changes to the system recently (just before the Blue Screens started)?
I've just learned (from jcgriff2) about checking the lm list for modules that relate to the problem at hand. I'm not real sure what I'm looking for in there, but would suspect any USB device drivers that are loaded, along with any device drivers that may function on a schedule (this seems unlikely as there doesn't seem to be any relationship between the times that the crashes occurred).

So, the first thing to try would be to remove all attached USB devices and uninstall any software that they may use.
Another possibility is corruption of your motherboard's USB drivers. To fix this, update the drivers for your motherboard/chipset using the latest available version from the manufacturer's website. You can also visually inspect all of your USB ports to see if any are damaged.
It's also possible (but unlikely IMO) that this could be a problem with the RAM on the system. To check this, you can use this free memory tester: http://www.memtest86.com/ Follow the directions carefully and run the test for a minimum of 3 passes (overnight is better). If it starts spitting out errors, you can stop the test immediately.

If that doesn't work, then we can move on to more aggressive techniques.

Edited by usasma, 13 April 2009 - 05:36 PM.

  • 0
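The lm check described in the post above can be scripted. This is an added example, not code from any poster in this thread: it parses a saved `lm` listing, reports which module owns a given address (including drivers that were unloaded from that range), and lists modules whose names suggest USB/HID. The function names, the name-based USB heuristic, and treating the end address as exclusive are assumptions.

```python
import re
from typing import NamedTuple

# Sample input: a few lines copied from the lm listing in this thread.
SAMPLE_LM = r"""
f78f6000 f78fa500 watchdog (deferred)
f7916000 f791c180 HIDPARSE (deferred)
f7a5a000 f7a5dc80 mssmbios (pdb symbols) c:\symbols\mssmbios.pdb\CEAE494998B24A458588AE7866D1B9421\mssmbios.pdb
f7a96000 f7a97280 USBD (deferred)

Unloaded modules:
f7a22000 f7a26000 kbdhid.sys
f78f6000 f78fb000 Cdaudio.SYS
"""

# start address, end address, module name; anything after the name is ignored
LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.I)
# Assumption: a name-based hint only; it does not prove a driver is USB-related.
USB_HINT = re.compile(r"usb|hid", re.I)

class Module(NamedTuple):
    start: int
    end: int
    name: str
    unloaded: bool

def parse_lm(text):
    """Parse lm output into Module records, tracking the 'Unloaded modules:' section."""
    mods, unloaded = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("unloaded modules"):
            unloaded = True
            continue
        m = LINE.match(line)
        if m:
            mods.append(Module(int(m[1], 16), int(m[2], 16), m[3], unloaded))
    return mods

def owners(mods, addr):
    """Return (loaded owner or None, unloaded modules that once covered addr)."""
    hits = [m for m in mods if m.start <= addr < m.end]  # end treated as exclusive
    loaded = next((m.name for m in hits if not m.unloaded), None)
    stale = [m.name for m in hits if m.unloaded]
    return loaded, stale

def usb_related(mods):
    """Names of loaded or unloaded modules matching the USB/HID hint."""
    return [m.name for m in mods if USB_HINT.search(m.name)]
```

An address that has no loaded owner but falls inside an unloaded module's old range (here, the tail of the Cdaudio.SYS range beyond watchdog) is worth noting when reading a stack trace, since it can indicate a reference to a driver that is no longer in memory.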

#13
edge2022

edge2022

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,117 posts

It's also possible (but unlikely IMO) that this could be a problem with the RAM on the system. To check this, you can use this free memory tester: http://www.memtest86.com/ Follow the directions carefully and run the test for a minimum of 3 passes (overnight is better). If it starts spitting out errors, you can stop the test immediately.

Blueraider has already cleared RAM from the list of possible problems.

I ran the memtest for over 2 hours and there were no errors. There are many red x's and warnings in the applications, but there wasn't a hardware tab for me to click on. Here's the zip file of the dump file.

Thank you usasma for providing that useful link, and the great advice on what to try next.
  • 0

#14
usasma

usasma

    Member

  • Member
  • PipPipPip
  • 636 posts
  • MVP
Sorry! :) I've got some issues with my eyes - so I occasionally miss things in posts.
  • 0

#15
Broni

Broni

    Kraków my love :)

  • Member
  • PipPipPipPipPipPipPipPip
  • 12,300 posts
Couple of thoughts....

An IRQL_NOT_LESS_OR_EQUAL error with a connection to ntkrnlpa.exe in many cases points to a RAM problem.
I understand the test was run, but a software test is never bulletproof. The only sure method to test the RAM is to start the computer with one stick at a time and see if the error occurs again.

Another reason for an IRQL_NOT_LESS_OR_EQUAL error may be overheating.
Download, and install SpeedFan: http://www.almico.com/sfdownload.php
Post your computer temperatures:


Provide processor info (hold Windows key, and hit Pause/Break key to find out).

Then, as usasma said, it would be interesting to see what's connected to the USB ports, especially miniports, since usbehci.sys is a USB Miniport driver.
Are there any errors present in Device Manager?
Another option...uninstall all USB roots, and hubs through Device Manager, and restart computer. They'll be automatically reinstalled.
  • 0





