Everything posted by cluberti

  1. I hate to pile on, but I have to state that I too have had many an HP laptop (laptops in particular) that just wouldn't load a WIM file as a PE image larger than about 267 - 270MB, due to some sort of BIOS-induced memory constraints (these systems all had 2-4GB of RAM). For reference, the x64 Windows 7 boot.wim file is 163MB (approximately), so what is on this PE image that ballooned it to double that size? If you're targeting HP machines, you really do have the good possibility that you just can't have a WIM file larger than 267MB or so.
  2. Seems like this is software from a company called Lowrance, and the first version they have (and it requires a post-install patch) that works on Vista is MapCreate 7. 6.3.282 is reported to "work", as long as you run the installer *and* the resulting application in Windows XP compatibility mode. You may also have to completely disable UAC to actually even get it installed, and the USB MMC reader software driver it installs appears to be the main problem in compatibility (it's not Vista compatible). That's all I can tell from using Google.
  3. http://www.cluberti.com/blog/2009/08/10/md...from-a-usb-key/, for example.
  4. OK, your box is using a uniprocessor kernel and the issue is the same, meaning it's not a serialization/threadsafe issue. At this point, I'd be harassing HP or Broadcom to have them look into it, because whatever happened it was inside the BTStackServer.exe module. Again, it *could* be the audio driver or something about it on the system, but it doesn't seem likely. The only time I've *ever* seen pMalloc crashes in setupapi (and they looked JUST like this) were when I had called a free() on a block that I'd GlobalAlloc()'ed, which is a no-no. It's a programming error, plain and simple.
  5. The page file at 1.5x was also a relic from a time that 32 - 64MB of actual RAM on a workstation was a lot. In Win7, Microsoft changed the algorithm from 1.5x to 1.0x RAM, and that's mostly because you need that much paging space for storing a .dmp file if a complete dump happens. You can actually get away with very little if you've got a lot of RAM and don't mind the fact you can't store a paging file on crash - I personally run machines with 256MB of paging file, and I could go lower but knowing a bit about how the paging executive works I'm sticking at 256MB for now to be safe, "just in case".
  6. Question - what does menu.bat or mstart.bat do? It's the only common denominator here, and you've not included it in your list of things that run yet. I'm betting the problem is in there, not in what you've put in startnet. Also, rename them to .cmd rather than .bat - there's a small difference in that a .cmd doesn't load up the 16bit interpreter (command.com), whereas .bat does. You'll note that startnet.cmd for example is a cmd, not a .bat. It's not what's causing it, but you should be running .cmd's in WinPE, not .bat's.
  7. Can you tell us what you need access to (either how you got to it in Vista or XP), and what you've tried on Win7? Win7 Home Premium doesn't have access to joining a domain, but it should be able to access domain resources depending on what type. It won't necessarily be as easy as it would be in Professional, Ultimate, or Enterprise though, obviously, as those have windows domains support.
  8. Send me a PM with which ones, and why.
  9. Go to device manager, and right-click on the item under Computer (usually ACPI multiprocessor PC) and select "Update" driver. Select "Install from a specific location", "Don't search...", and then select "Standard PC" from the list and click Next and finish. After a reboot, you will be down to one processor (you can use the same steps to go back to the multiprocessor kernel after testing is done).
  10. If you see a guest_<username>, it's an account that's been removed from the DB but is still showing up in the user list for some reason. It happens from time to time that a deleted account can login, and we have to do some database synchronizing to make sure deleted accounts really are deleted, just to be sure. But yes, we keep the user list as trimmed as is possible, to 1. alleviate strain on the database, and 2. to keep performance to a maximum whilst keeping overhead on the backend servers to a minimum.
  11. Only if the defaults aren't valid. And, may I ask, why you are unable to use MDT? Maybe we can help, as that's a much better approach than hoping to image and re-image a machine without sysprep with Vista or Win7. It was easier with XP, because it was an OS based on the NT 3.1 setup engine. Vista and Win7 being images themselves, restoring them can be a pain, and that's something MDT tries to alleviate.
  12. Well, it looks like there is indeed an issue on the system, but have a look at what happens when it goes to load and create a devicemap of audio drivers into memory:

          0:000> kB
          ChildEBP RetAddr Args to Child
          0012f194 779269f8 00000000 00000000 000000d8 ntdll!RtlAllocateHeap+0x24
          0012f1a8 7792adaf 000000d8 00000000 00000000 setupapi!pSetupMalloc+0x16
          0012f1b8 7792ad3a ffffffff 00000000 00000000 setupapi!AllocateDeviceInfoSet+0xe
          0012f1f0 7792b37d 00000000 00000000 00000000 setupapi!SetupDiCreateDeviceInfoListExW+0x2e
          0012f48c 7792b604 0012f4f4 00000000 00000000 setupapi!SetupDiGetClassDevsExW+0xc4
          0012f4b0 72d23cbf 0012f4f4 00000000 00000000 setupapi!SetupDiGetClassDevsW+0x1b
          0012f508 72d23dfa 72d2178f 00000000 72d24421 wdmaud!wdmaGetGlobalDeviceInterfaceViaSetupAPI+0x47
          0012f514 72d24421 72d2178f 00000000 00000000 wdmaud!wdmaOpenKernelDevice+0x16
          0012f540 72d217ad 00000000 0012f578 76b431e9 wdmaud!DrvInit+0x1b
          0012f54c 76b431e9 00000000 00000001 00000002 wdmaud!DriverProc+0x1e
          0012f578 76b43138 00000000 00000002 00000000 winmm!InternalBroadcastDriverMessage+0xc4
          0012f594 76b430cf 00000001 00000002 00000000 winmm!DrvSendMessage+0x18
          0012f5c0 76b42e87 0012f990 72d20000 0012f5f0 winmm!InternalLoadDriver+0x1b1
          0012f6f4 76b42e4c 0012f990 00000000 00000000 winmm!InternalOpenDriver+0x32
          0012f70c 76b43886 0012f990 00000000 00000000 winmm!DrvOpen+0x15
          0012f980 76b442d7 0012f990 76b609c0 00750061 winmm!mmDrvOpen+0x46
          0012f9a0 76b44130 00000001 00000000 76b42b61 winmm!AuxInit+0x30
          0012f9b0 76b4403e 00000001 0012fa04 76b42b61 winmm!InitDevices+0xc7
          0012f9e4 76b42b94 76b40000 0012fa10 7c90118a winmm!DllProcessAttach+0xe4
          0012f9f0 7c90118a 76b40000 00000001 0012fd30 winmm!_DllInstanceInit+0xb3
          0012fa10 7c91c4fa 76b42b61 76b40000 00000001 ntdll!LdrpCallInitRoutine+0x14
          0012fb18 7c9211b4 0012fd30 7ffdf000 7ffda000 ntdll!LdrpRunInitializeRoutines+0x344
          0012fc94 7c9210af 0012fd30 7c900000 0012fce0 ntdll!LdrpInitializeProcess+0x1131
          0012fd1c 7c90e457 0012fd30 7c900000 00000000 ntdll!_LdrpInitialize+0x183
          00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7
          0:000> du 0012f990
          0012f990 "aux"

      It looks like BTStackServer is attempting to send something to the audio driver (DrvSendMessage), the Device Info list is created for all "aux" audio drivers on the system, and then there's a call to allocate heap with a heap handle of d8 - that handle appears invalid, and since we're calling a heap alloc via a malloc call this is going to fail with heap corruption errors. This could be an audio driver issue still, but it's really hard to tell right now (the audio driver hasn't been called or mapped in yet), so I'm not feeling really good about that angle. It does appear specific to calling the "aux" input though, which is why I'm hesitant to rule it out. I'm wondering if there's something in the BTStackServer code that's causing a race condition with this driver, so I'll pose my next question - it's very possible that the application running here has called a free() on an allocation in memory that's been GlobalAlloc()'ed before the thread using the memory completed, so is it possible to force your XP machine to use the uniprocessor kernel and see if it reproduces with Windows only using one processor?
  13. Just set the min and max values to be the same, RAM +64MB. If \Windows is on C:\, make sure the paging file is on there as well (make sure you're setting MIN and MAX size on the file on C:, that should be sufficient).
  14. It depends on the media - if the OEM created a repair or recovery disc and only included the version of Windows that is installed on your PC in the install.wim file, this won't work. However, if the .wim file contains all versions, then this will work. You can see what versions are on your disk if you run the imagex /info command against the .wim file.
  15. Depends on how much RAM you have - the easiest way is to open the registry to HKLM\SYSTEM\ControlSet001\Control\CrashControl and set the CrashDumpEnabled value to 1 (1 == complete dump). Note you have to reboot for this to take effect, so if you just change it and don't reboot it'll generate the previous dump type (and I'm guessing it was set to minidump). One other caveat, to get a complete dump you *must* have a paging file on the same volume as your Windows directory, and it must be equal in MAX size to RAM + ~64MB (not just MIN size).
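
The conditions from this post and from post 13 above (complete dump type, paging file on the Windows volume, MIN and MAX at RAM + 64MB), checked in one pass. This is an added PowerShell example, not part of cluberti's posts. It assumes PowerShell 3.0 or later and reads CurrentControlSet (the control set in effect for the running boot) rather than ControlSet001; the function name Test-CompleteDumpConfig is hypothetical.

```powershell
# Added example (not from the original posts). Run on the machine being checked.
function Test-CompleteDumpConfig {
    [CmdletBinding()]
    param(
        # Headroom above physical RAM quoted in the posts (RAM + ~64MB)
        [int]$SlackMB = 64
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # CrashDumpEnabled: 1 == complete dump. A changed value only applies after a reboot.
    # Assumption: CurrentControlSet is the control set in effect for this boot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $dumpType = (Get-ItemProperty -Path $key -Name CrashDumpEnabled).CrashDumpEnabled
    if ($dumpType -ne 1) {
        $problems.Add("CrashDumpEnabled is $dumpType; a complete dump needs 1")
    }

    # Physical RAM in MB, and the paging file MAX size the posts call for
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $ramMB = [int][math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
    $requiredMB = $ramMB + $SlackMB

    # The paging file must be on the same volume as the Windows directory
    $winDrive = Split-Path -Path $env:SystemRoot -Qualifier   # e.g. 'C:'
    $pf = Get-CimInstance -ClassName Win32_PageFileSetting |
        Where-Object { $_.Name -like "$winDrive\*" } |
        Select-Object -First 1

    if ($cs.AutomaticManagedPagefile) {
        $problems.Add('Paging file is system-managed; set explicit MIN and MAX sizes')
    }
    elseif (-not $pf) {
        $problems.Add("No paging file is configured on $winDrive")
    }
    else {
        # Win32_PageFileSetting reports InitialSize and MaximumSize in MB
        if ($pf.MaximumSize -lt $requiredMB) {
            $problems.Add("Paging file MAX is $($pf.MaximumSize)MB; need at least ${requiredMB}MB")
        }
        if ($pf.InitialSize -ne $pf.MaximumSize) {
            $problems.Add('Paging file MIN and MAX differ; post 13 sets both to the same value')
        }
    }

    [pscustomobject]@{
        CrashDumpEnabled = $dumpType
        RamMB            = $ramMB
        RequiredMaxMB    = $requiredMB
        PagingFile       = $(if ($pf) { $pf.Name } else { $null })
        Ready            = ($problems.Count -eq 0)
        Problems         = $problems.ToArray()
    }
}

Test-CompleteDumpConfig | Format-List
```
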
  16. Found a bug with 0.3.3, specifically with the crash control settings. If I set it to disable automatic restart on crash in the Tweaks section, it creates a .reg file with the following: However, it should be: The last L is missing.
  17. Once you get into Windows, run bcdedit /enum /v to see what that second one is all about.
  18. Well, the next question is, are we restoring to the exact same disk that we captured from, on the same machine? If so, that wouldn't make sense. I don't doubt it can happen, but it doesn't make much sense.
  19. Understood, but unless we know which app that works as an add-on in FF and IE, it's going to be a bit hard to help. Also, not even knowing what the pop-up says relegates this to guessing and crystal-ball usage.
  20. Agreed - moving to nLite section. Please read the section rules before posting going forward, OP. I'll reiterate them here for reference:
  21. It's a minidump, and it's missing crucial info (like the ntkrnlpa.exe headers for starters). So, unfortunately, it's useless - here's what you get from it with sym noisy on:

          0: kd> .reload /f nt
          DBGHELP: C:\Symbols\ntoskrnl.exe\4A77FEB33b9000\ntoskrnl.exe - mismatched
          DBGHELP: C:\Symbols\ntkrnlup.exe\4A77FEB33b9000\ntkrnlup.exe - mismatched
          DBGHELP: C:\Symbols\ntkrnlpa.exe\4A77FEB33b9000\ntkrnlpa.exe - mismatched
          DBGHELP: C:\Symbols\ntkrnlmp.exe\4A77FEB33b9000\ntkrnlmp.exe - mismatched
          DBGHELP: C:\Symbols\ntkrpamp.exe\4A77FEB33b9000\ntkrpamp.exe - mismatched
          DBGENG: \SystemRoot\system32\ntkrnlpa.exe - Image mapping disallowed by non-local path.
          Unable to load image \SystemRoot\system32\ntkrnlpa.exe, Win32 error 0n2
          DBGENG: ntkrnlpa.exe - Partial symbol image load missing image info
          DBGHELP: No header for ntkrnlpa.exe. Searching for dbg file
          DBGHELP: .\ntkrnlpa.dbg - file not found
          DBGHELP: .\exe\ntkrnlpa.dbg - path not found
          DBGHELP: .\symbols\exe\ntkrnlpa.dbg - path not found
          DBGHELP: ntkrnlpa.exe missing debug info. Searching for pdb anyway
          DBGHELP: Can't use symbol server for ntkrnlpa.pdb - no header information available
          DBGHELP: ntkrnlpa.pdb - file not found
          *** WARNING: Unable to verify timestamp for ntkrnlpa.exe
          *** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
          DBGHELP: nt - no symbols loaded
          0: kd> kn
          # ChildEBP RetAddr
          WARNING: Stack unwind information not available. Following frames may be wrong.
          00 8039decc 81cb4e19 nt+0x4dfb9
          01 8039df88 81cb5615 nt+0xa9e19
          02 8039dff4 81cb32d5 nt+0xaa615
          03 8039dff8 bc6ced10 nt+0xa82d5
          04 81cb32d5 00000000 0xbc6ced10
          0: kd> dd eip
          81c58fb9 9c843d83 0f0081d3 fffdd485 a03d83ff
          81c58fc9 0081d3a2 fdc7850f ffb8ffff eb000000
          81c58fd9 54a164be 64000000 005405c7 00000000
          81c58fe9 45890000 e9e58b68 ffffd673 f700498d
          81c58ff9 00007045 ???????? ???????? ????????
          81c59009 ???????? ???????? ???????? ????????
          81c59019 ???????? ???????? ???????? ????????
          81c59029 ???????? ???????? ???????? ????????
  22. If you have access to one, yeah, you can try it. Clearing the event log can be done manually from eventvwr.msc, by the way. If that doesn't help, omit the -quiet in the command line (it'll skip the call to LogEvent) - you'll get a warning prompt, but it's OK to ignore it and continue.
  23. You've asked a lot of questions about this Sony here on the forums, and they're all related (and you're getting cross-answers in each). I'm merging them - let's try to avoid this in the future, eh? Thanks. I've closed the other two topics, and I've merged the contents into this one and am leaving this one open. Keep install and activation questions about your Sony and Win7 here, thanks.
  24. Looks like csrss.exe crashed, and there were no .dmp files created. Do you have any recent .dmp files anywhere on your Windows partition, perhaps?
  25. It's definitely failing when interacting with wdmaud.drv - the stack is read from the bottom up, with the lowest line being the oldest command, and the topmost line being the most recent:

          7c96f07c ntdll!RtlDebugAllocateHeap+0x281
          7c96e5df ntdll!RtlpValidateHeap+0x20
          7c94b871 ntdll!RtlAllocateHeapSlowly+0xd7c
          7c91927d ntdll!RtlAllocateHeapSlowly+0xdc1
          7c96f098 ntdll!RtlDebugAllocateHeap+0x298
          7c91c368 ntdll!`string'+0x3c
          7c915239 ntdll!bsearch+0x42
          7c91542b ntdll!RtlpLocateActivationContextSection+0x15a
          7c9157c1 ntdll!RtlpFindUnicodeStringInSection+0x7b
          7c92218a ntdll!`string'+0x12
          7c9354a8 ntdll!LdrpRunInitializeRoutines+0x4e6
          7c90e9f5 ntdll!_except_handler3+0xd5
          7c9032e3 ntdll!ExecuteHandler2+0x61
          7c92accd ntdll!RtlUnwind+0x12f
          7c90d06a ntdll!NtContinue+0xc
          7c92acf6 ntdll!RtlUnwind+0xb8
          00400018 BTStackServer+0x18
          00720072 BTStackServer+0x320072
          006e0065 BTStackServer+0x2e0065
          00560074 BTStackServer+0x160074
          00720065 BTStackServer+0x320065
          00690073 BTStackServer+0x290073
          006e006f BTStackServer+0x2e006f
          0049005c BTStackServer+0x9005c
          00650067 BTStackServer+0x250067
          00460020 BTStackServer+0x60020
          006c0069 BTStackServer+0x2c0069
          00780045 BTStackServer+0x380045
          00630065 BTStackServer+0x230065
          00740075 BTStackServer+0x340075
          006f0069 BTStackServer+0x2f0069
          0070004f BTStackServer+0x30004f
          00690074 BTStackServer+0x290074
          006e0000 BTStackServer+0x2e0000
          005c003b BTStackServer+0x1c003b
          00700023 BTStackServer+0x300023
          006c0023 BTStackServer+0x2c0023
          7c916b1e ntdll!LdrpUpdateLoadCount3+0x6f
          7c97e360 ntdll!DefaultExtension+0x0
          7c916b99 ntdll!LdrpUpdateLoadCount3+0x517
          7c916ba5 ntdll!LdrpUpdateLoadCount3+0x523
          7c90eadc ntdll!_NLG_Return2+0x0
          7c914ff1 ntdll!RtlAppendUnicodeStringToString+0x45
          7c90d5da ntdll!ZwOpenKey+0xc
          7c91cbd0 ntdll!LdrpOpenImageFileOptionsKey+0xf7
          7c91cbda ntdll!LdrpOpenImageFileOptionsKey+0x101
          0052005c BTStackServer+0x12005c
          00670065 BTStackServer+0x270065
          00730069 BTStackServer+0x330069
          00720074 BTStackServer+0x320074
          005c0079 BTStackServer+0x1c0079
          0061004d BTStackServer+0x21004d
          00680063 BTStackServer+0x280063
          005c0065 BTStackServer+0x1c0065
          00630069 BTStackServer+0x230069
          006f0072 BTStackServer+0x2f0072
          006f0073 BTStackServer+0x2f0073
          006e0069 BTStackServer+0x2e0069
          006f0064 BTStackServer+0x2f0064
          00730077 BTStackServer+0x330077
          004e0020 BTStackServer+0xe0020
          005c0054 BTStackServer+0x1c0054
          00750043 BTStackServer+0x350043
          7c90d98a ntdll!NtQueryVirtualMemory+0xc
          7c938392 ntdll!_ValidateEH3RN+0xb6
          7c90ea39 ntdll!_global_unwind2+0x18
          7c90ea41 ntdll!_global_unwind2+0x20
          7c940f3c ntdll!_LdrpInitialize+0x1e6
          7c90e9b3 ntdll!_except_handler3+0x93
          7c90e9c9 ntdll!_except_handler3+0xa9
          7c915fac ntdll!LdrpCheckForLoadedDll+0x608
          72d202a8 wdmaud!_imp__GetSecurityDescriptorDacl <PERF> +0x0
          7c97e2f0 ntdll!LdrpHashTable+0x90
          7c903400 ntdll!$$VProc_ImageExportDirectory+0x0
          7c90e48a ntdll!KiUserExceptionDispatcher+0xe
          7c9100e8 ntdll!RtlAllocateHeap+0x24
          7c9158ff ntdll!RtlDecodeSystemPointer+0x45b
          7c915bf8 ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x346
          7c915c5d ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x3de
          7c97e214 ntdll!DllExtension+0xc
          72d21250 wdmaud!`string'+0x0
          7c94b1b0 ntdll!RtlpCoalesceFreeBlocks+0x3ed
          7c92770a ntdll!RtlFreeHeapSlowly+0x3a0
          7c912d04 ntdll!LdrLockLoaderLock+0x1d2
          7c912d78 ntdll!LdrUnlockLoaderLock+0xb1
          7c9101e0 ntdll!CheckHeapFillPattern+0x54
          779269f8 setupapi!pSetupMalloc+0x16
          7792adaf setupapi!AllocateDeviceInfoSet+0xe
          7792ad3a setupapi!SetupDiCreateDeviceInfoListExW+0x2e
          7792ad90 setupapi!MiniIconXlate+0x128
          7792b37d setupapi!SetupDiGetClassDevsExW+0xc4
          7c96f8e8 ntdll!RtlDebugFreeHeap+0x212
          7c96f8f0 ntdll!`string'+0x3c
          7c96f8cc ntdll!RtlDebugFreeHeap+0x1fb
          7c94bc4c ntdll!RtlFreeHeapSlowly+0x37
          7c927788 ntdll!CheckHeapFillPattern+0x3c
          7c927784 ntdll!RtlFreeHeapSlowly+0x5c2
          7c927573 ntdll!RtlFreeHeap+0xf9
          7c9148bb ntdll!RtlQueryEnvironmentVariable_U+0x163
          7c910435 ntdll!RtlAcquirePebLock+0x28
          7c91043e ntdll!RtlAcquirePebLock+0x31
          7c901000 ntdll!RtlEnterCriticalSection+0x0
          7c914606 ntdll!RtlQueryEnvironmentVariable_U+0x6f
          7c910460 ntdll!RtlReleasePebLock+0xf
          7c914679 ntdll!RtlQueryEnvironmentVariable_U+0x324
          7c917ef3 ntdll!LdrpSnapThunk+0xbd
          77922074 setupapi!$$VProc_ImageExportDirectory+0x984
          779229d0 setupapi!$$VProc_ImageExportDirectory+0x12e0
          779200d8 setupapi!_imp__RegEnumKeyExW <PERF> +0x0
          7c917dba ntdll!LdrpGetProcedureAddress+0x186
          72d211d8 wdmaud!`string'+0x0
          7c80ae40 kernel32!GetProcAddress+0x0
          7c80e0e8 kernel32!`string'+0x58
          779216f0 setupapi!$$VProc_ImageExportDirectory+0x0
          77920000 setupapi!_imp__RegEnumKeyExW <PERF> +0x0
          7792b5e9 setupapi!SetupDiGetClassDevsW+0x0
          7c910060 ntdll!CheckHeapFillPattern+0x64
          7c91005d ntdll!RtlFreeHeap+0x647
          7c801bea kernel32!LoadLibraryExW+0x1e9
          72d2128c wdmaud!KSCATEGORY_WDMAUD+0x10
          7c917e10 ntdll!`string'+0xc
          7c917e09 ntdll!LdrpGetProcedureAddress+0xa6
          7c917ec0 ntdll!LdrGetProcedureAddress+0x18
          7792fc29 setupapi!_except_handler3+0x0
          7792b5d8 setupapi!MiniIconXlate+0x1c8
          7792b604 setupapi!SetupDiGetClassDevsW+0x1b
          72d23cbf wdmaud!wdmaGetGlobalDeviceInterfaceViaSetupAPI+0x47
          72d23dfa wdmaud!wdmaOpenKernelDevice+0x16
          72d24421 wdmaud!DrvInit+0x1b
          72d2178f wdmaud!DriverProc+0x0
          72d24f40 wdmaud!_except_handler3+0x0
          72d21270 wdmaud!`string'+0x20
          72d217ad wdmaud!DriverProc+0x1e
          76b431e9 winmm!InternalBroadcastDriverMessage+0xc4
          7c9010e0 ntdll!RtlLeaveCriticalSection+0x0
          76b60160 winmm!DriverListCritSec+0x0
          7c80ff22 kernel32!GlobalUnlock+0x0
          76b43138 winmm!DrvSendMessage+0x18
          76b430cf winmm!InternalLoadDriver+0x1b1
          76b42e87 winmm!InternalOpenDriver+0x32
          72d20000 wdmaud!_imp__GetSecurityDescriptorDacl <PERF> +0x0
          76b609bc winmm!guTotalMixerDevs+0x0
          76b606c0 winmm!midiindrvZ+0x0
          7c8093b8 kernel32!BaseFormatObjectAttributes+0x22
          7c90d19a ntdll!ZwCreateSemaphore+0xc
          7c81017b kernel32!CreateSemaphoreW+0x5f
          40000000 msi!MsiPreviewBillboardA+0x151c5a
          005a0058 BTStackServer+0x1a0058
          77f65149 shlwapi!SHGlobalCounterCreateNamedA+0x6f
          77f65160 shlwapi!SHGlobalCounterCreateNamedA+0x98
          7c918f21 ntdll!RtlAllocateHeap+0xe64
          40000060 msi!MsiPreviewBillboardA+0x151cba
          76b60220 winmm!ResolutionCritSec+0x0
          7c919318 ntdll!CheckHeapFillPattern+0x24
          7c91930f ntdll!RtlAllocateHeapSlowly+0x113b
          76b42e4c winmm!DrvOpen+0x15
          76b43886 winmm!mmDrvOpen+0x46
          0057005c BTStackServer+0x17005c
          004e0049 BTStackServer+0xe0049
          004f0044 BTStackServer+0xf0044
          00530057 BTStackServer+0x130057
          0073005c BTStackServer+0x33005c
          00730079 BTStackServer+0x330079
          00650074 BTStackServer+0x250074
          0033006d btosif+0x6d
          005c0032 BTStackServer+0x1c0032
          00640077 BTStackServer+0x240077
          0061006d BTStackServer+0x21006d
          00640075 BTStackServer+0x240075
          0064002e BTStackServer+0x24002e
          00760072 BTStackServer+0x360072
          7c915f75 ntdll!LdrpCheckForLoadedDll+0xe3
          7c910000 ntdll!RtlFreeHeap+0x1a4
          7c910323 ntdll!RtlpImageNtHeader+0x56
          7c910385 ntdll!RtlImageDirectoryEntryToData+0x57
          7c9000d0 ntdll!RtlDosPathSeperatorsString <PERF> +0x0
          7c92ab21 ntdll!RtlLookupFunctionTable+0xae
          7c90e959 ntdll!_except_handler3+0x39
          7c9032a8 ntdll!ExecuteHandler2+0x26
          7c9032bc ntdll!ExecuteHandler2+0x3a
          7c90327a ntdll!ExecuteHandler+0x24
          7c92aa0f ntdll!RtlDispatchException+0xb1
          006f0053 BTStackServer+0x2f0053
          00740066 BTStackServer+0x340066
          00610077 BTStackServer+0x210077
          00650072 BTStackServer+0x250072
          004d005c BTStackServer+0xd005c
          7c80bb20 kernel32!lstrcpyW+0x1c
          76b6067a winmm!wszDrivers+0x12
          7c80aa56 kernel32!lstrcmpiW+0x20
          76b60668 winmm!wszDrivers+0x0
          76b43582 winmm!mmRegQuerySystemIni+0x101
          7c90d9ba ntdll!NtRaiseException+0xc
          7c90e4a5 ntdll!KiUserExceptionDispatcher+0x29
          7c90e514 ntdll!KiFastSystemCallRet+0x0
          7c809430 kernel32!BaseSetLastNTError+0x17
          7c90ff2d ntdll!RtlFreeHeap+0x0
          7c81113a kernel32!CreateFileW+0x390
          7c810800 kernel32!CreateFileW+0x0
          0050005c BTStackServer+0x10005c
          77c40017 msvcrt!_vsnwprintf+0x30
          7c9666c6 ntdll!RtlRaiseStatus+0x26
          7c90d9ca ntdll!ZwRaiseHardError+0xc
          7c952b03 ntdll!LdrpInitializationFailure+0x2d
          7c940f7e ntdll!_LdrpInitialize+0x241
          7c919a48 ntdll!__security_init_cookie_ex+0x65
          7c90e900 ntdll!_SEH_prolog+0x35
          7c919a00 ntdll!__security_init_cookie_ex+0x9
          7c90e920 ntdll!_except_handler3+0x0
          7c91b030 ntdll!`string'+0xc8
          7c90e457 ntdll!KiUserApcDispatcher+0x7
          7c900000 ntdll!RtlDosPathSeperatorsString <PERF> +0x0
          004e703c BTStackServer+0xe703c
          7c810705 kernel32!BaseProcessStartThunk+0x0
          00540042 BTStackServer+0x140042
          00540053 BTStackServer+0x140053
          00430000 BTStackServer+0x30000

          0:000> u eip
          ntdll!RtlRaiseStatus+0x26:
          7c9666c6 c9 leave
          7c9666c7 c20400 ret 4
          7c9666ca 90 nop
          7c9666cb 90 nop
          7c9666cc 90 nop
          7c9666cd 90 nop
          7c9666ce 90 nop
          ntdll!RtlRandom:
          7c9666cf 8bff mov edi,edi

          0:000> r
          eax=0012fc54 ebx=00000000 ecx=0012fca8 edx=7c90e514 esi=c0000005 edi=00000000
          eip=7c9666c6 esp=0012fc54 ebp=0012fca4 iopl=0 nv up ei pl zr na pe nc
          cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
          ntdll!RtlRaiseStatus+0x26:
          7c9666c6 c9 leave

          0:000> dc 0012fc54 L4
          0012fc54 c0000005 00000001 00000000 7c9666c6 .............f.|

          0:000> lmvm wdmaud
          start end module name
          72d20000 72d29000 wdmaud (pdb symbols) C:\Debuggers\sym\wdmdrv.pdb\CC3EC71E05C44E6595271A6773E15AF21\wdmdrv.pdb
          Loaded symbol image file: wdmaud.drv
          Image path: C:\WINDOWS\system32\wdmaud.drv
          Image name: wdmaud.drv
          Timestamp: Sun Apr 13 20:11:24 2008 (4802A12C)
          CheckSum: 0000CD88
          ImageSize: 00009000
          File version: 5.1.2600.5512
          Product version: 5.1.2600.5512
          File flags: 0 (Mask 3F)
          File OS: 40004 NT Win32
          File type: 3.9 Driver
          File date: 00000000.00000000
          Translations: 0409.04b0
          CompanyName: Microsoft Corporation
          ProductName: Microsoft® Windows® Operating System
          InternalName: WDMAUD.DRV
          OriginalFilename: WDMAUD.DRV
          ProductVersion: 5.1.2600.5512
          FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
          FileDescription: WDM Audio driver mapper
          LegalCopyright: © Microsoft Corporation. All rights reserved.
          0:000> lmvm BTStackServer
          start end module name
          00400000 00781000 BTStackServer (no symbols)
          Loaded symbol image file: BTStackServer.exe
          Image path: C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
          Image name: BTStackServer.exe
          Timestamp: Thu Dec 11 17:18:23 2008 (494191AF)
          CheckSum: 0016FB7B
          ImageSize: 00381000
          File version: 5.5.0.5800
          Product version: 5.5.0.5800
          File flags: 0 (Mask 3F)
          File OS: 4 Unknown Win32
          File type: 1.0 App
          File date: 00000000.00000000
          Translations: 0409.04b0
          CompanyName: Broadcom Corporation.
          ProductName: Bluetooth Software
          InternalName: BTStackServer
          OriginalFilename: BTStackServer.exe
          ProductVersion: 5.5.0.5800
          FileVersion: 5.5.0.5800
          PrivateBuild: 5.5.0.5800
          SpecialBuild: 5.5.0.5800
          FileDescription: Bluetooth Stack COM Server
          LegalCopyright: Copyright 2000-2008, Broadcom Corporation.
          LegalTrademarks: Copyright 2000-2008, Broadcom Corporation.
          Comments: Copyright 2000-2008, Broadcom Corporation.

      At this point, it's hard to say what the BlueTooth driver wants with your audio driver, but it would seem there's some sort of access violation from applications attempting to use the audio mapper driver (hence why sndvol32.exe crashed as well, likely). It could be one of three things - if BTStackServer.exe isn't the only app crashing on the box, that could mean you need to run an sfc /scannow to repair something that's gone amok with the Windows files for audio mapping, it could mean you have malware (not likely, but still possible), or there's actually something wrong with your audio driver causing the wdmaud mapper to fail on heap operations. I'd actually start with making sure you remove and reinstall the latest certified audio drivers for your PC, then I'd check sfc /scannow to make sure you're in a supportable configuration. Last, I'd get the latest version of the BTStackServer drivers from Broadcom, here, to be sure.

      After that, if it still crashes, we can enable pageheap on BTStackServer.exe and get another dump the same way as before. To enable pageheap:

          1. Open the Debugging Tools for Windows folder from the start menu
          2. Click "Global Flags"
          3. Click the "Image File" tab
          4. Type "BTStackServer.exe" into the box (minus the quotes, of course)
          5. Press the TAB key
          6. Click the "Enable page heap" box
          7. Click the "OK" button

      Once you've done that, use adplus to spawn and generate new dumps.