Memory dumps are best analyzed in groups, and with a detailed history of the events leading up to the blue screen events. That way you can see the relationship between the events and attempt to figure out a common factor. Often it's something that seems insignificant that can reveal the fix for an issue.
Most BSODs are caused by drivers, with malware being the next most common reason. Causes due to a Windows corruption are actually pretty rare. A hardware malfunction can also cause this sort of problem.
Here's a how-to on generating an analysis of the Blue Screen events:
http://usasma.vox.co...ed-02oct08.html
It may appear a bit complicated, but following it step by step will result in a useful analysis. Once you get the hang of it, it'll take about 30 seconds to generate the report.
All of that being said, here are the analyses of the memory dumps that were uploaded (in order from oldest to most recent):
Microsoft ® Windows Debugger Version 6.9.0003.113 AMD64
Copyright © Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\FUBAR\Downloads\Minidump\Mini041009-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.080814-1233
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553420
Debug session time: Fri Apr 10 14:14:10.968 2009 (GMT-4)
System Uptime: 0 days 2:00:13.532
Loading Kernel Symbols
....................................................................................................
...........................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, 2, 0, 805339a6}
Probably caused by : ntkrnlpa.exe ( nt!ExpGetProcessInformation+15c )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 805339a6, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExpGetProcessInformation+15c
805339a6 8b3f mov edi,dword ptr [edi]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
TRAP_FRAME: aa36f9f8 -- (.trap 0xffffffffaa36f9f8)
ErrCode = 00000000
eax=00002348 ebx=f7c0afd0 ecx=86042740 edx=aa36fa78 esi=860426e8 edi=00000000
eip=805339a6 esp=aa36fa6c ebp=aa36fae8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!ExpGetProcessInformation+0x15c:
805339a6 8b3f mov edi,dword ptr [edi] ds:0023:00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 805339a6 to 8053fa93
STACK_TEXT:
aa36f9f8 805339a6 badb0d00 aa36fa78 855b8b78 nt!KiTrap0E+0x233
aa36fae8 80606d98 852b8000 00001000 aa36fd14 nt!ExpGetProcessInformation+0x15c
aa36fd30 8611ad10 00000005 852b8000 00001000 nt!NtQuerySystemInformation+0x728
WARNING: Frame IP not in any known module. Following frames may be wrong.
aa36fdac 805c4d5a 86174084 00000000 00000000 0x8611ad10
aa36fddc 805411e2 86107266 86174084 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExpGetProcessInformation+15c
805339a6 8b3f mov edi,dword ptr [edi]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExpGetProcessInformation+15c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 48a3f93a
FAILURE_BUCKET_ID: 0xA_nt!ExpGetProcessInformation+15c
BUCKET_ID: 0xA_nt!ExpGetProcessInformation+15c
Followup: MachineOwner
---------
Microsoft ® Windows Debugger Version 6.9.0003.113 AMD64
Copyright © Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\FUBAR\Downloads\Minidump\Mini041209-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.080814-1233
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553420
Debug session time: Sun Apr 12 03:42:13.656 2009 (GMT-4)
System Uptime: 1 days 13:22:46.207
Loading Kernel Symbols
....................................................................................................
...........................................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, 2, 0, 805339a6}
Probably caused by : ntkrnlpa.exe ( nt!ExpGetProcessInformation+15c )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 805339a6, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!ExpGetProcessInformation+15c
805339a6 8b3f mov edi,dword ptr [edi]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
TRAP_FRAME: aa4fd9f8 -- (.trap 0xffffffffaa4fd9f8)
ErrCode = 00000000
eax=00006130 ebx=f7bacd78 ecx=869f69a8 edx=aa4fda78 esi=869f6950 edi=00000000
eip=805339a6 esp=aa4fda6c ebp=aa4fdae8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!ExpGetProcessInformation+0x15c:
805339a6 8b3f mov edi,dword ptr [edi] ds:0023:00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 805339a6 to 8053fa93
STACK_TEXT:
aa4fd9f8 805339a6 badb0d00 aa4fda78 8285f7c8 nt!KiTrap0E+0x233
aa4fdae8 80606d98 f82e3000 00001000 aa4fdd14 nt!ExpGetProcessInformation+0x15c
aa4fdd30 8613fd10 00000005 f82e3000 00001000 nt!NtQuerySystemInformation+0x728
WARNING: Frame IP not in any known module. Following frames may be wrong.
aa4fddac 805c4d5a 86199084 00000000 00000000 0x8613fd10
aa4fdddc 805411e2 8612c266 86199084 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExpGetProcessInformation+15c
805339a6 8b3f mov edi,dword ptr [edi]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExpGetProcessInformation+15c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlpa.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 48a3f93a
FAILURE_BUCKET_ID: 0xA_nt!ExpGetProcessInformation+15c
BUCKET_ID: 0xA_nt!ExpGetProcessInformation+15c
Followup: MachineOwner
---------
Microsoft ® Windows Debugger Version 6.9.0003.113 AMD64
Copyright © Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\FUBAR\Downloads\Minidump\Mini041209-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.080814-1233
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80553420
Debug session time: Sun Apr 12 17:51:16.953 2009 (GMT-4)
System Uptime: 0 days 4:22:12.500
Loading Kernel Symbols
....................................................................................................
...........................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 805b2ca9, f6c67a50, 0}
Probably caused by : usbehci.sys ( usbehci!EHCI_HardwarePresent+12 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805b2ca9, The address that the exception occurred at
Arg3: f6c67a50, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!NtQueryDirectoryObject+1ef
805b2ca9 0fb74040 movzx eax,word ptr [eax+40h]
TRAP_FRAME: f6c67a50 -- (.trap 0xfffffffff6c67a50)
Unable to read trap frame at f6c67a50
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from 8053ca48 to 805b2ca9
STACK_TEXT:
f6c67b58 8053ca48 80001490 85ab3000 00010000 nt!NtQueryDirectoryObject+0x1ef
f6c67b58 804fdfd9 80001490 85ab3000 00010000 nt!KiFastCallEntry+0xf8
f6c67c10 f789a39c f7c05c20 f6c67d93 f6c67cf4 nt!ZwQueryDirectoryObject+0x11
f6c67c34 f6c67d08 00000037 00000000 00000166 usbehci!EHCI_HardwarePresent+0x12
WARNING: Frame IP not in any known module. Following frames may be wrong.
f6c67dac 805c4d5a 861d9368 00000000 00000000 0xf6c67d08
f6c67ddc 805411e2 86190870 861d9368 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
usbehci!EHCI_HardwarePresent+12
f789a39c 83f8ff cmp eax,0FFFFFFFFh
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: usbehci!EHCI_HardwarePresent+12
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: usbehci
IMAGE_NAME: usbehci.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 41107d62
FAILURE_BUCKET_ID: 0x8E_usbehci!EHCI_HardwarePresent+12
BUCKET_ID: 0x8E_usbehci!EHCI_HardwarePresent+12
Followup: MachineOwner
---------
Finally, here's the lm (loaded modules) output from the last dump file:
kd> lm
start end module name
804d7000 806cd600 nt (pdb symbols) c:\symbols\ntkrnlpa.pdb\80B61DF4CE8342FE98E7159D75D41A611\ntkrnlpa.pdb
806ce000 806ee380 hal (deferred)
a944f000 a945b000 tmactmon (deferred)
a96f7000 a9718000 tmcomm (deferred)
a981c000 a981e6c0 mdmxsdk (deferred)
a99ed000 a9a3e580 srv (deferred)
a9a67000 a9a7b400 wdmaud (deferred)
a9b44000 a9b84380 HTTP (deferred)
a9bd5000 a9c01400 mrxdav (deferred)
a9d12000 a9d1e000 tmevtmgr (deferred)
a9e42000 a9e50d80 sysaudio (deferred)
a9f2e000 a9f31280 ndisuio (deferred)
a9f4a000 a9f5f3c0 DLAUDF_M (deferred)
a9f60000 a9f77040 DLAUDFAM (deferred)
a9f78000 a9f8d1c0 DLAIFS_M (deferred)
a9fb6000 a9fbe080 ipfltdrv (deferred)
aa056000 aa099000 tmxpflt (deferred)
aa099000 aa1bb320 vsapint (deferred)
aa208000 aa20b920 DLAOPIOM (deferred)
aa314000 aa31d5a0 DRVNDDM (deferred)
aa34c000 aa363480 dump_atapi (deferred)
aa3ac000 aa3ae900 Dxapi (deferred)
aa3b4000 aa422c00 mrxsmb (deferred)
aa423000 aa44e180 rdbss (deferred)
aa44f000 aa48b000 rt2500usb (deferred)
aa48b000 aa4acc80 afd (deferred)
aa4ad000 aa4d4c00 netbt (deferred)
aa4d5000 aa4f5f00 ipnat (deferred)
aa51e000 aa575f80 tcpip (deferred)
aa576000 aa588400 ipsec (deferred)
aa589000 aa5ca000 SbFw (deferred)
aa5ea000 aa604000 cmdguard (deferred)
aa664000 aa671000 tmpreflt (deferred)
aa6a4000 aa6c7980 portcls (deferred)
aa6c8000 aa7bf5e0 sthda (deferred)
bf000000 bf011580 dxg (deferred)
bf012000 bf020000 ialmrnt5 (deferred)
bf020000 bf042000 ialmdnt5 (deferred)
bf042000 bf0760a0 ialmdev5 (deferred)
bf077000 bf15a000 ialmdd5 (deferred)
bf800000 bf9c2c00 win32k (deferred)
f6da2000 f6dd5200 update (deferred)
f6dde000 f6de0f00 ws2ifsl (deferred)
f6dfe000 f6e2e100 rdpdr (deferred)
f6e2f000 f6e3fe00 psched (deferred)
f6e40000 f6e56680 ndiswan (deferred)
f6e57000 f6e7d000 e100b325 (deferred)
f6e7d000 f6f23300 HSF_CNXT (deferred)
f6f24000 f7022800 HSF_DP (deferred)
f7023000 f7045680 ks (deferred)
f7046000 f7079d00 HSFHWBS2 (deferred)
f707a000 f709ce80 USBPORT (deferred)
f709d000 f70c5000 HDAudBus (deferred)
f70c5000 f70d8780 VIDEOPRT (deferred)
f70d9000 f72170a0 ialmnt5 (deferred)
f7220000 f7223a00 kbdhid (deferred)
f7224000 f7226f80 mouhid (deferred)
f7234000 f7237f00 MODEMCSA (deferred)
f7238000 f723a580 hidusb (deferred)
f7271000 f728b580 Mup (deferred)
f728c000 f72b8a80 NDIS (deferred)
f72b9000 f72cb000 inspect (deferred)
f72cb000 f7357480 Ntfs (deferred)
f7358000 f736b000 WudfPf (deferred)
f736b000 f7381780 KSecDD (deferred)
f7382000 f7397440 DRVMCDB (deferred)
f7398000 f73a9f00 sr (deferred)
f73aa000 f73c8780 fltmgr (deferred)
f73c9000 f73e0800 SCSIPORT (deferred)
f73e1000 f73f8480 atapi (deferred)
f73f9000 f741e700 dmio (deferred)
f741f000 f743d880 ftdisk (deferred)
f743e000 f744ea80 pci (deferred)
f744f000 f747cd80 ACPI (deferred)
f757e000 f7586c00 isapnp (deferred)
f758e000 f7598500 MountMgr (deferred)
f759e000 f75aac80 VolSnap (deferred)
f75ae000 f75b6e00 disk (deferred)
f75be000 f75ca200 CLASSPNP (deferred)
f75de000 f75e6d00 intelppm (deferred)
f75ee000 f75f8380 imapi (deferred)
f75fe000 f760a180 cdrom (deferred)
f760e000 f761c080 redbook (deferred)
f761e000 f762a880 rasl2tp (deferred)
f762e000 f7638200 raspppoe (deferred)
f763e000 f7649d00 raspptp (deferred)
f764e000 f7656900 msgpc (deferred)
f765e000 f7667f00 termdd (deferred)
f766e000 f767d000 sbfwim (deferred)
f767e000 f7687480 NDProxy (deferred)
f76ae000 f76bcb80 drmk (deferred)
f76be000 f76cc100 usbhub (deferred)
f76de000 f76e6700 wanarp (deferred)
f76ee000 f76f6700 netbios (deferred)
f770e000 f771d000 tmtdi (deferred)
f771e000 f7726880 Fips (deferred)
f773e000 f7746d80 HIDCLASS (deferred)
f777e000 f778d900 Cdfs (deferred)
f77fe000 f7804200 PCIIDEX (deferred)
f7806000 f780a900 PartMgr (deferred)
f780e000 f78151c0 cercsr6 (deferred)
f7816000 f781b000 PxHelp20 (deferred)
f781e000 f7822880 TDI (deferred)
f784e000 f7853000 usbuhci (deferred)
f7856000 f785c800 usbehci (deferred)
f785e000 f78643e0 DLABOIOM (deferred)
f786e000 f7875580 Modem (deferred)
f788e000 f7893000 GEARAspiWDM (deferred)
f78a6000 f78aa920 AegisP (deferred)
f78ae000 f78b2580 ptilink (deferred)
f78be000 f78c2080 raspti (deferred)
f78c6000 f78cc000 kbdclass (deferred)
f78ce000 f78d3a00 mouclass (deferred)
f78f6000 f78fa500 watchdog (deferred)
f7906000 f790b860 DLARTL_N (deferred)
f7916000 f791c180 HIDPARSE (deferred)
f791e000 f7923200 vga (deferred)
f792e000 f7932a80 Msfs (deferred)
f793e000 f7945880 Npfs (deferred)
f7956000 f795b000 cmdhlp (deferred)
f798e000 f7991000 BOOTVID (deferred)
f7a2e000 f7a30280 rasacd (deferred)
f7a36000 f7a38580 ndistapi (deferred)
f7a5a000 f7a5dc80 mssmbios (pdb symbols) c:\symbols\mssmbios.pdb\CEAE494998B24A458588AE7866D1B9421\mssmbios.pdb
f7a7e000 f7a7fb80 kdcom (deferred)
f7a80000 f7a81100 WMILIB (deferred)
f7a82000 f7a83580 intelide (deferred)
f7a84000 f7a85700 dmload (deferred)
f7a88000 f7a895c0 DLACDBHM (deferred)
f7a8e000 f7a8f100 swenum (deferred)
f7a96000 f7a97280 USBD (deferred)
f7a98000 f7a9a000 i2omgmt (deferred)
f7a9c000 f7a9df00 Fs_Rec (deferred)
f7aa0000 f7aa1080 Beep (deferred)
f7aa4000 f7aa5080 mnmdd (deferred)
f7aa8000 f7aa9080 RDPCDD (deferred)
f7aee000 f7aef500 dsunidrv (deferred)
f7b10000 f7b11100 dump_WMILIB (deferred)
f7b44000 f7b458a0 DLAPoolM (deferred)
f7b46000 f7b46d00 pciide (deferred)
f7b6d000 f7b6d980 DLADResN (deferred)
f7bad000 f7badd00 dxgthk (deferred)
f7c32000 f7c32c00 audstub (deferred)
f7c88000 f7c88b80 Null (deferred)
Unloaded modules:
a99a0000 a99ca000 kmixer.sys
f7bea000 f7beb000 drmkaud.sys
a9d72000 a9d7f000 DMusic.sys
a9a7c000 a9a8a000 swmidi.sys
a99ca000 a99ed000 aec.sys
f7aac000 f7aae000 splitter.sys
f76fe000 f770e000 serial.sys
f76ce000 f76db000 i8042prt.sys
f7a22000 f7a26000 kbdhid.sys
f78f6000 f78fb000 Cdaudio.SYS
f7224000 f7227000 Sfloppy.SYS
So, we've got this:
STOP 0x0a in ntkrnlpa.exe
STOP 0x0a in ntkrnlpa.exe (nearly identical to the previous one)
STOP 0x8e in usbehci.sys
All three errors occurred because of memory accesses that weren't valid.
The third one points to the USB drivers.
All three errors have similar stack traces (with the USB one being just a tad bit different).
From the stack traces it seems that this occurs after this event: nt!PspSystemThreadStartup
Due to the involvement of the usbehci.sys driver and the Query/Get calls in the stack trace, it's reasonable to assume that this is some sort of routine that's starting and asking for information from the system in an improper way.
Here's a brief description of the first 2 errors:
http://aumha.org/a/stop.php#0x0a
And here's one of the last error:
http://aumha.org/a/stop.php#0x8e
So, I'd check to see if there's a USB device that's connected to the computer. If so, what is it?
Have you added any new programs/changes to the system recently (just before the Blue Screens started)?
I've just learned (from jcgriff2) about checking the lm list for modules that relate to the problem at hand. I'm not real sure what I'm looking for in there, but would suspect any USB device drivers that are loaded, along with any device drivers that may function on a schedule (this seems unlikely as there doesn't seem to be any relationship between the times that the crashes occurred).
So, the first thing to try would be to remove all attached USB devices and uninstall any software that they may use.
Another possibility is corruption of your motherboard's USB drivers. To fix this, update the drivers for your motherboard/chipset using the latest available version from the manufacturer's website. You can also visually inspect all of your USB ports to see if any are damaged.
It's also possible (but unlikely IMO) that this could be a problem with the RAM on the system. To check this you can use this free memory tester:
http://www.memtest86.com/
Follow the directions carefully and run the test for a minimum of 3 passes (overnight is better). If it starts spitting out errors, you can stop the test immediately.
If that doesn't work, then we can move on to more aggressive techniques.
Edited by usasma, 13 April 2009 - 05:36 PM.
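
Added example (not part of the original post): the grouping step the post does by eye, as a Python script that parses the summary and STACK_TEXT lines of the three analyses above, buckets the crashes, and reports which functions appear in every stack and which frames the debugger could not map to a module. The names `parse`, `correlate` and `DUMPS` are assumptions made for this example; the sample text is an excerpt constructed from the output shown in the post.

```python
import re
from collections import Counter

# Constructed sample: excerpts of the three analyses above (summary lines and
# STACK_TEXT frames, final all-zero frame omitted). Keys are the dump file names.
DUMPS = {
"Mini041009-01.dmp": """BugCheck A, {0, 2, 0, 805339a6}
Probably caused by : ntkrnlpa.exe ( nt!ExpGetProcessInformation+15c )
aa36f9f8 805339a6 badb0d00 aa36fa78 855b8b78 nt!KiTrap0E+0x233
aa36fae8 80606d98 852b8000 00001000 aa36fd14 nt!ExpGetProcessInformation+0x15c
aa36fd30 8611ad10 00000005 852b8000 00001000 nt!NtQuerySystemInformation+0x728
aa36fdac 805c4d5a 86174084 00000000 00000000 0x8611ad10
aa36fddc 805411e2 86107266 86174084 00000000 nt!PspSystemThreadStartup+0x34""",
"Mini041209-01.dmp": """BugCheck A, {0, 2, 0, 805339a6}
Probably caused by : ntkrnlpa.exe ( nt!ExpGetProcessInformation+15c )
aa4fd9f8 805339a6 badb0d00 aa4fda78 8285f7c8 nt!KiTrap0E+0x233
aa4fdae8 80606d98 f82e3000 00001000 aa4fdd14 nt!ExpGetProcessInformation+0x15c
aa4fdd30 8613fd10 00000005 f82e3000 00001000 nt!NtQuerySystemInformation+0x728
aa4fddac 805c4d5a 86199084 00000000 00000000 0x8613fd10
aa4fdddc 805411e2 8612c266 86199084 00000000 nt!PspSystemThreadStartup+0x34""",
"Mini041209-02.dmp": """BugCheck 1000008E, {c0000005, 805b2ca9, f6c67a50, 0}
Probably caused by : usbehci.sys ( usbehci!EHCI_HardwarePresent+12 )
f6c67b58 8053ca48 80001490 85ab3000 00010000 nt!NtQueryDirectoryObject+0x1ef
f6c67b58 804fdfd9 80001490 85ab3000 00010000 nt!KiFastCallEntry+0xf8
f6c67c10 f789a39c f7c05c20 f6c67d93 f6c67cf4 nt!ZwQueryDirectoryObject+0x11
f6c67c34 f6c67d08 00000037 00000000 00000166 usbehci!EHCI_HardwarePresent+0x12
f6c67dac 805c4d5a 861d9368 00000000 00000000 0xf6c67d08
f6c67ddc 805411e2 86190870 861d9368 00000000 nt!PspSystemThreadStartup+0x34""",
}

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE = re.compile(r"^Probably caused by : (\S+) \( (\S+) \)", re.M)
# ChildEBP, return address, three argument words, then the symbol (or a raw 0x address).
FRAME = re.compile(r"^[0-9a-f]{8} ([0-9a-f]{8})(?: [0-9a-f]{8}){3} (\S+)$", re.M)

def parse(text):
    """Extract bugcheck code, arguments, blamed image/symbol and stack frames."""
    code, args = BUGCHECK.search(text).groups()
    image, symbol = CAUSE.search(text).groups()
    frames = [sym for _ret, sym in FRAME.findall(text)]
    # Mask the high nibble: the post shows BugCheck 1000008E reported as BUGCHECK_STR 0x8E.
    return {"code": int(code, 16) & 0x0FFFFFFF, "image": image, "symbol": symbol,
            "args": [int(a, 16) for a in args.split(",")],
            "frames": [f.split("+")[0] for f in frames],
            "unresolved": [f for f in frames if f.startswith("0x")]}

def correlate(dumps):
    """Bucket the dumps and find functions that appear in every stack trace."""
    parsed = {name: parse(text) for name, text in dumps.items()}
    buckets = Counter(f"0x{p['code']:X}_{p['symbol']}" for p in parsed.values())
    common = set.intersection(*(set(p["frames"]) for p in parsed.values()))
    common = {f for f in common if not f.startswith("0x")}
    return buckets, common, {n: p["unresolved"] for n, p in parsed.items()}

if __name__ == "__main__":
    for part in correlate(DUMPS):
        print(part)
```

Each unresolved entry is a frame the debugger flagged with "Frame IP not in any known module", so those addresses are the ones to compare against the `lm` ranges.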