Black Hibernate

[MtK]

as long as you know what ur doing...

Microsoft (R) Windows Debugger  Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\mtk\Desktop\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV**http://msdl.microsoft.com/download/symbols;SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;c:\websymbols
Executable search path is: 
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6000.16514.x86fre.vista_gdr.070627-1500
Kernel base = 0x82400000 PsLoadedModuleList = 0x82508ab0
Debug session time: Wed Sep 19 22:17:50.716 2007 (GMT+2)
System Uptime: 0 days 3:08:28.865
Loading Kernel Symbols
....................................................................................................
............................................................
Loading User Symbols
....................................................................................................
................
Loading unloaded module list
.....Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck E2, {0, 0, 0, 0}

Probably caused by : i8042prt.sys ( i8042prt!I8xProcessCrashDump+255 )

Followup: MachineOwner
---------

0: kd> .symfix
No downstream store given, using C:\Program Files\Debugging Tools for Windows\sym
0: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks...............................................................................................
....................................................................................................
............................................

Resource @ 0x88c55f80	Shared 1 owning threads
	Contention Count = 1
	 Threads: 8893bd78-01<*> 
KD: Scanning for held locks...............................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
......................
34080 total locks, 1 locks currently held
0: kd> .thread 8893bd78
Implicit thread is now 8893bd78
0: kd> .reload /user
Loading User Symbols
....................................................................................................
................
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
0: kd> !thread 8893bd78
THREAD 8893bd78  Cid 0470.0f44  Teb: 7ff8a000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
	9b096c64  NotificationEvent
IRP List:
	86db1de0: (0006,0220) Flags: 00020900  Mdl: 00000000
	86cff100: (0006,0220) Flags: 00000884  Mdl: 00000000
Impersonation token:  a0512360 (Level Impersonation)
Owning Process			88eda550	   Image:		 svchost.exe
Wait Start TickCount	  724917		 Ticks: 5 (0:00:00:00.078)
Context Switch Count	  115839			 
UserTime				  00:00:00.0374
KernelTime				00:00:28.0969
Win32 Start Address sysmain!PfRbPrefetchWorker (0x6f524b78)
Stack Init 9b098000 Current 9b096a38 Base 9b098000 Limit 9b095000 Call 0
Priority 9 BasePriority 7 PriorityDecrement 1
*** ERROR: Module load completed but symbols could not be loaded for amon.sys
ChildEBP RetAddr  Args to Child			  
9b096a50 824697c6 8893be00 8893bd78 8893be30 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9b096a8c 8246721c 8893bd78 9b096b14 9b096d10 nt!KiSwapThread+0x36d
9b096ae8 830bed88 9b096c64 00000000 00000000 nt!KeWaitForSingleObject+0x414
9b096b08 830ba3a6 9b096d10 00000000 00000000 Ntfs!NtfsWaitOnIo+0x1c (FPO: [Non-Fpo])
9b096c2c 830b6241 9b096d10 86cd8cf8 a2d3a610 Ntfs!NtfsNonCachedIo+0x402 (FPO: [Non-Fpo])
9b096d00 830b5282 9b096d10 86cd8cf8 00c0070a Ntfs!NtfsCommonRead+0xefd (FPO: [Non-Fpo])
9b096e38 82467928 8654f498 86cd8cf8 86cd8cf8 Ntfs!NtfsFsdRead+0x273 (FPO: [Non-Fpo])
9b096e50 8332ca5c 86548438 86cd8cf8 00000000 nt!IofCallDriver+0x63
9b096e74 8332cc18 9b096e94 86548438 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a (FPO: [Non-Fpo])
9b096eac 82467928 86548438 86cd8cf8 982ed2b4 fltmgr!FltpDispatch+0xc2 (FPO: [Non-Fpo])
9b096ec4 982a96b6 00000000 8715b2a8 82467928 nt!IofCallDriver+0x63
WARNING: Stack unwind information not available. Following frames may be wrong.
9b096ee8 8249ab0e 8a24ba34 8a24ba54 8893bd78 amon+0x46b6
9b096f04 82459a11 00000043 8893bd78 8a24ba60 nt!IoPageRead+0x176
9b096fb8 82457f18 c4b80000 b732a5f0 00000000 nt!MiDispatchFault+0xbde
9b097028 82497b7d 00000000 c4b80000 00000000 nt!MmAccessFault+0xe36
9b097070 825d77f1 c4b80000 00000000 9b09cbbc nt!MmCheckCachedPageState+0x69b
9b0970fc 830b4c8c 86b2c028 9b097140 000001ff nt!CcCopyRead+0x417
9b097128 830b62a7 86b9b760 86b2c028 86db1de0 Ntfs!NtfsCachedRead+0x11e (FPO: [Non-Fpo])
9b097204 830b5282 86b9b760 86db1de0 9b8a7ca0 Ntfs!NtfsCommonRead+0xf63 (FPO: [Non-Fpo])
9b097274 82467928 8654f498 86db1de0 86db1de0 Ntfs!NtfsFsdRead+0x273 (FPO: [Non-Fpo])
9b09728c 8332ca5c 86548438 86db1de0 00000000 nt!IofCallDriver+0x63
9b0972b0 8332cc18 9b0972d0 86548438 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a (FPO: [Non-Fpo])
9b0972e8 82467928 86548438 86db1de0 982ed2b4 fltmgr!FltpDispatch+0xc2 (FPO: [Non-Fpo])
9b097300 982a96b6 86b2c028 8715b2a8 82467928 nt!IofCallDriver+0x63
9b097324 825c80bb 86db1de0 86db1fdc 86b2c028 amon+0x46b6
9b097344 825e084b 8715b2a8 86b2c028 00000001 nt!IopSynchronousServiceTail+0x1e0
9b0973d0 82445f7a 8715b2a8 86db1de0 00000000 nt!NtReadFile+0x646
9b0973d0 82444959 8715b2a8 86db1de0 00000000 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 9b0973fc)
9b09746c 982aa26c 000007c8 00000000 00000000 nt!ZwReadFile+0x11 (FPO: [9,0,0])
9b0974a8 982aac7e 000007c8 890e2308 000001ff amon+0x526c
9b0974cc 982a92c7 890e22e8 00000000 00000000 amon+0x5c7e
9b097518 82467928 8715b2a8 86cff100 88ec0bb4 amon+0x42c7
9b097530 825c8e87 9b09cea8 88fe4c10 86475d20 nt!IofCallDriver+0x63
9b0975e8 8261857b 8715b2a8 00000000 86c7f008 nt!IopParseDevice+0xcff
9b097620 825da839 88fe4c10 00000000 86c7f008 nt!IopParseFile+0x46
9b0976b0 825cc97e 80000810 9b097708 00000240 nt!ObpLookupObjectName+0x13e
9b097710 825f1f9c 9b09795c 00000000 8654f500 nt!ObOpenObjectByName+0x13c
9b097784 8261c4fc 9b097938 00000081 9b09795c nt!IopCreateFile+0x5ec
9b0977e0 83340c2a 9b097938 00000081 9b09795c nt!IoCreateFileEx+0x9d
9b097864 83321042 85b81530 00000000 9b097938 fltmgr!FltCreateFileEx2+0xae (FPO: [Non-Fpo])

0: kd> !irp 86db1de0
Irp is active with 12 stacks 11 is current (= 0x86db1fb8)
 No Mdl: No System Buffer: Thread 8893bd78:  Irp stack trace.  
	 cmd  flg cl Device   File	 Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
>[  3, 0]   0 e0 8654f498 86b2c028 8332c44a-867c4a68 Success Error Cancel 
		   \FileSystem\Ntfs	fltmgr!FltpPassThroughCompletion
			Args: 000001ff 00000000 00000000 00000000
 [  3, 0]   0  1 86548438 86b2c028 00000000-00000000	pending
		   \FileSystem\FltMgr
			Args: 000001ff 00000000 00000000 00000000
0: kd> !irp 86cff100
Irp is active with 12 stacks 12 is current (= 0x86cff2fc)
 No Mdl: No System Buffer: Thread 8893bd78:  Irp stack trace.  
	 cmd  flg cl Device   File	 Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
>[  0, 0]   8  0 8715b2a8 88ec0b58 00000000-00000000	
		   \Driver\AMON
			Args: 9b097548 01000160 00070080 00000000
0: kd> lmvm amon
start	end		module name
982a5000 9831f8c0   amon	   (no symbols)		   
	Loaded symbol image file: amon.sys
	Image path: \SystemRoot\system32\drivers\amon.sys
	Image name: amon.sys
	Timestamp:		Thu May 03 17:27:44 2007 (4639F160)
	CheckSum:		 000885D4
	ImageSize:		0007A8C0
	Translations:	 0000.04b0 0000.04e0 0409.04b0 0409.04e0

[cluberti]

OK - two more commands: "!fileobj 86b2c028" and "!fileobj 88ec0b58"

I need to figure out whether the write to disk is pending due to the NOD32 amon.sys driver, or if they're completely unrelated.

[MtK]

Microsoft (R) Windows Debugger  Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\mtk\Desktop\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV**http://msdl.microsoft.com/download/symbols;SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;c:\websymbols
Executable search path is: 
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6000.16514.x86fre.vista_gdr.070627-1500
Kernel base = 0x82400000 PsLoadedModuleList = 0x82508ab0
Debug session time: Wed Sep 19 22:17:50.716 2007 (GMT+2)
System Uptime: 0 days 3:08:28.865
Loading Kernel Symbols
....................................................................................................
............................................................
Loading User Symbols
....................................................................................................
................
Loading unloaded module list
.....Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck E2, {0, 0, 0, 0}

Probably caused by : i8042prt.sys ( i8042prt!I8xProcessCrashDump+255 )

Followup: MachineOwner
---------

0: kd> .symfix
No downstream store given, using C:\Program Files\Debugging Tools for Windows\sym
0: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks...............................................................................................
....................................................................................................
............................................

Resource @ 0x88c55f80	Shared 1 owning threads
	Contention Count = 1
	 Threads: 8893bd78-01<*> 
KD: Scanning for held locks...............................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
....................................................................................................
......................
34080 total locks, 1 locks currently held
0: kd> .thread 8893bd78
Implicit thread is now 8893bd78
0: kd> .reload /user
Loading User Symbols
....................................................................................................
................
0: kd> !thread 8893bd78
THREAD 8893bd78  Cid 0470.0f44  Teb: 7ff8a000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
	9b096c64  NotificationEvent
IRP List:
	86db1de0: (0006,0220) Flags: 00020900  Mdl: 00000000
	86cff100: (0006,0220) Flags: 00000884  Mdl: 00000000
Impersonation token:  a0512360 (Level Impersonation)
Owning Process			88eda550	   Image:		 svchost.exe
Wait Start TickCount	  724917		 Ticks: 5 (0:00:00:00.078)
Context Switch Count	  115839			 
UserTime				  00:00:00.0374
KernelTime				00:00:28.0969
Win32 Start Address sysmain!PfRbPrefetchWorker (0x6f524b78)
Stack Init 9b098000 Current 9b096a38 Base 9b098000 Limit 9b095000 Call 0
Priority 9 BasePriority 7 PriorityDecrement 1
*** ERROR: Module load completed but symbols could not be loaded for amon.sys
ChildEBP RetAddr  Args to Child			  
9b096a50 824697c6 8893be00 8893bd78 8893be30 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
9b096a8c 8246721c 8893bd78 9b096b14 9b096d10 nt!KiSwapThread+0x36d
9b096ae8 830bed88 9b096c64 00000000 00000000 nt!KeWaitForSingleObject+0x414
9b096b08 830ba3a6 9b096d10 00000000 00000000 Ntfs!NtfsWaitOnIo+0x1c (FPO: [Non-Fpo])
9b096c2c 830b6241 9b096d10 86cd8cf8 a2d3a610 Ntfs!NtfsNonCachedIo+0x402 (FPO: [Non-Fpo])
9b096d00 830b5282 9b096d10 86cd8cf8 00c0070a Ntfs!NtfsCommonRead+0xefd (FPO: [Non-Fpo])
9b096e38 82467928 8654f498 86cd8cf8 86cd8cf8 Ntfs!NtfsFsdRead+0x273 (FPO: [Non-Fpo])
9b096e50 8332ca5c 86548438 86cd8cf8 00000000 nt!IofCallDriver+0x63
9b096e74 8332cc18 9b096e94 86548438 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a (FPO: [Non-Fpo])
9b096eac 82467928 86548438 86cd8cf8 982ed2b4 fltmgr!FltpDispatch+0xc2 (FPO: [Non-Fpo])
9b096ec4 982a96b6 00000000 8715b2a8 82467928 nt!IofCallDriver+0x63
WARNING: Stack unwind information not available. Following frames may be wrong.
9b096ee8 8249ab0e 8a24ba34 8a24ba54 8893bd78 amon+0x46b6
9b096f04 82459a11 00000043 8893bd78 8a24ba60 nt!IoPageRead+0x176
9b096fb8 82457f18 c4b80000 b732a5f0 00000000 nt!MiDispatchFault+0xbde
9b097028 82497b7d 00000000 c4b80000 00000000 nt!MmAccessFault+0xe36
9b097070 825d77f1 c4b80000 00000000 9b09cbbc nt!MmCheckCachedPageState+0x69b
9b0970fc 830b4c8c 86b2c028 9b097140 000001ff nt!CcCopyRead+0x417
9b097128 830b62a7 86b9b760 86b2c028 86db1de0 Ntfs!NtfsCachedRead+0x11e (FPO: [Non-Fpo])
9b097204 830b5282 86b9b760 86db1de0 9b8a7ca0 Ntfs!NtfsCommonRead+0xf63 (FPO: [Non-Fpo])
9b097274 82467928 8654f498 86db1de0 86db1de0 Ntfs!NtfsFsdRead+0x273 (FPO: [Non-Fpo])
9b09728c 8332ca5c 86548438 86db1de0 00000000 nt!IofCallDriver+0x63
9b0972b0 8332cc18 9b0972d0 86548438 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a (FPO: [Non-Fpo])
9b0972e8 82467928 86548438 86db1de0 982ed2b4 fltmgr!FltpDispatch+0xc2 (FPO: [Non-Fpo])
9b097300 982a96b6 86b2c028 8715b2a8 82467928 nt!IofCallDriver+0x63
9b097324 825c80bb 86db1de0 86db1fdc 86b2c028 amon+0x46b6
9b097344 825e084b 8715b2a8 86b2c028 00000001 nt!IopSynchronousServiceTail+0x1e0
9b0973d0 82445f7a 8715b2a8 86db1de0 00000000 nt!NtReadFile+0x646
9b0973d0 82444959 8715b2a8 86db1de0 00000000 nt!KiFastCallEntry+0x12a (FPO: [0,3] TrapFrame @ 9b0973fc)
9b09746c 982aa26c 000007c8 00000000 00000000 nt!ZwReadFile+0x11 (FPO: [9,0,0])
9b0974a8 982aac7e 000007c8 890e2308 000001ff amon+0x526c
9b0974cc 982a92c7 890e22e8 00000000 00000000 amon+0x5c7e
9b097518 82467928 8715b2a8 86cff100 88ec0bb4 amon+0x42c7
9b097530 825c8e87 9b09cea8 88fe4c10 86475d20 nt!IofCallDriver+0x63
9b0975e8 8261857b 8715b2a8 00000000 86c7f008 nt!IopParseDevice+0xcff
9b097620 825da839 88fe4c10 00000000 86c7f008 nt!IopParseFile+0x46
9b0976b0 825cc97e 80000810 9b097708 00000240 nt!ObpLookupObjectName+0x13e
9b097710 825f1f9c 9b09795c 00000000 8654f500 nt!ObOpenObjectByName+0x13c
9b097784 8261c4fc 9b097938 00000081 9b09795c nt!IopCreateFile+0x5ec
9b0977e0 83340c2a 9b097938 00000081 9b09795c nt!IoCreateFileEx+0x9d
9b097864 83321042 85b81530 00000000 9b097938 fltmgr!FltCreateFileEx2+0xae (FPO: [Non-Fpo])

0: kd> !irp 86db1de0
Irp is active with 12 stacks 11 is current (= 0x86db1fb8)
 No Mdl: No System Buffer: Thread 8893bd78:  Irp stack trace.  
	 cmd  flg cl Device   File	 Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
>[  3, 0]   0 e0 8654f498 86b2c028 8332c44a-867c4a68 Success Error Cancel 
		   \FileSystem\Ntfs	fltmgr!FltpPassThroughCompletion
			Args: 000001ff 00000000 00000000 00000000
 [  3, 0]   0  1 86548438 86b2c028 00000000-00000000	pending
		   \FileSystem\FltMgr
			Args: 000001ff 00000000 00000000 00000000
0: kd> !irp 86cff100
Irp is active with 12 stacks 12 is current (= 0x86cff2fc)
 No Mdl: No System Buffer: Thread 8893bd78:  Irp stack trace.  
	 cmd  flg cl Device   File	 Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
>[  0, 0]   8  0 8715b2a8 88ec0b58 00000000-00000000	
		   \Driver\AMON
			Args: 9b097548 01000160 00070080 00000000
0: kd> lmvm amon
start	end		module name
982a5000 9831f8c0   amon	   (no symbols)		   
	Loaded symbol image file: amon.sys
	Image path: \SystemRoot\system32\drivers\amon.sys
	Image name: amon.sys
	Timestamp:		Thu May 03 17:27:44 2007 (4639F160)
	CheckSum:		 000885D4
	ImageSize:		0007A8C0
	Translations:	 0000.04b0 0000.04e0 0409.04b0 0409.04e0

Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
0: kd> !fileobj 86b2c028

\Windows\System32\Msdtc\KtmRmTmContainer00000000000000000002

Device Object: 0x865224a0   \Driver\volmgr
Vpb: 0x8656c070
Access: Read SharedRead SharedWrite SharedDelete 

Flags:  0x40042
	Synchronous IO
	Cache Supported
	Handle Created

File Object is currently busy and has 0 waiters.

FsContext: 0xa2d3a610	FsContext2: 0xa2d3a768
Private Cache Map: 0x86d57c68
CurrentByteOffset: 0
Cache Data:
  Section Object Pointers: 8a7fa8bc
  Shared Cache Map: 86d57b90		 File Offset: 0 in VACB number 0
  Vacb: 85770e90
  Your data is at: c4b80000
0: kd> !fileobj 88ec0b58

WINDOWS\SYSTEM32\MSDTC\KTMRMTMCONTAINER00000000000000000002

Related File Object: 0x88fe4c10

Device Object: 0x865224a0   \Driver\volmgr
Vpb is NULL

Flags:  0x2
	Synchronous IO

CurrentByteOffset: 0

[cluberti]

The first IRP shows us trying to write to the file on the filesystem, but we also see a second IRP in the antivirus driver which is working on the file at the same time.

Have we tried completely removing NOD32 to see if the behavior changes at all?

[MtK]

I just removed it completely - No Change...

(can I put it back?)

[cluberti]

Yeah, I'd put it back. I just wanted to make sure it wasn't interfering. At this point, it's hard to say what the problem is, other than it appears that we're in Ntfs waiting on I/O to a file (WINDOWS\SYSTEM32\MSDTC\KTMRMTMCONTAINER00000000000000000002) and an event has been signaled we're waiting on. Usually cases like these end up being more of a live debug, so I'm thinking that if you can reproduce the problem after running msconfig to disable everything non-Microsoft, that it'll be something at the actual driver level (underneath Windows) that will be very difficult to catch. At least I can say with a fair amount of certainty that it'll be down in an actual device driver (likely the disk controller).

[MtK]

I thought this would be an easy task, but first let me state this:

1. I have another PC (not notebook) with Vista with the same problem.

2. neither of these 2 installation had a working progress bar when hibernating.

I'm guess this must be something from MS.

NOD32 was a good guess since it is installed in both computers...

To your request, I did remove every non-MS service & startup item (I also tried a Diagnostic Boot), but after I restarted I tried to Hibernate but could not start the Dump process. (on a regular boot it works fine)

any minimum requirements that I should know of...?

[cluberti]

Not really, just a regular boot. I guess it's good nothing is technically broken, but it's gotta be a little frustrating.

As to it being a Windows problem, it is possible. However, I have 4 laptops, 2 IBM/Lenovo Thinkpads, a Dell, and a Compaq x64, and none of these have the issue. It is possible it's a Windows problem, yes, but it's more likely it's a hardware driver issue - if it really was a Windows problem, it should happen to everyone .

[MtK]

Hi,

after the long waited Format - I did it.

The results are as bad as expected.

I Formatted & reInstalled Vista Enterprice x32.

I did a first Restart, just to check every thing is OK, I didn't install any updates, not even LAN Drivers.

Hibernate = BLACK.

I have now just installed the needed LAN Drivers, & going forward to Windows Update...

[stephens316]

i guess i don't get the big deal about this issue except for you people wanting to know when it is done going into hibernate mode. Personally i have seen this problem but of coruse with my laptop i have to auto hibernate when i close my lid it has worked everytime i do this primarly for school i can pop it out look at something real quick and then close it. You people really get in a bind with ultimate or home editions. thats what i have seen through out the forums. I have the business ed. because that what the government decided to go with and it was free so i guess it woulds better to research the os before you buy or get it. I personnally have a few issue with business but i wait for sp1 before making big changes to the code of the os to see how to fix the issue. wait unsee what happen with sp1 before making big changes.

[MtK]

Sorry, but this wasn't very helpfull to the discussion.

I'm not planning to site & wait for a solution, because that's the whole idea behind Helping & Sharing (see some open-source for reference).

Besides, if no one knows about this problem I doubt it would be fixed by itself in SP1.

I take this forum very seriously & the people helping here will know what to do with it when fix/problem is found...

[waruikoohii]

Vista does not use a progress bar when going into hibernation. A black screen is 100% normal. A change request for this was entered during the Vista Beta, but Microsoft wasn't interested in putting the progress bar back in.

You said that while the screen was black, the HDD light was on? Can you try leaving the computer alone for a while to see if it actually does hibernate? As far as I can tell, it's working properly, but you interupt it before it can finish hibernating.

[MtK]

Vista does not use a progress bar when going into hibernation. A black screen is 100% normal. A change request for this was entered during the Vista Beta, but Microsoft wasn't interested in putting the progress bar back in.

First time I hear this...

You said that while the screen was black, the HDD light was on? Can you try leaving the computer alone for a while to see if it actually does hibernate? As far as I can tell, it's working properly, but you interupt it before it can finish hibernating.

The Hibernate does finish this is totally about the progress bar...

[underdone]

Vista does not use a progress bar when going into hibernation. A black screen is 100% normal. A change request for this was entered during the Vista Beta, but Microsoft wasn't interested in putting the progress bar back in.

First time I hear this...

You said that while the screen was black, the HDD light was on? Can you try leaving the computer alone for a while to see if it actually does hibernate? As far as I can tell, it's working properly, but you interupt it before it can finish hibernating.

The Hibernate does finish this is totally about the progress bar...

As far as I know there isn't an option for a hibernation progress bar. Every computer I have vista on doesn't have the progress bar when hibernating.

[waruikoohii]

Vista does not use a progress bar when going into hibernation. A black screen is 100% normal. A change request for this was entered during the Vista Beta, but Microsoft wasn't interested in putting the progress bar back in.

First time I hear this...

You said that while the screen was black, the HDD light was on? Can you try leaving the computer alone for a while to see if it actually does hibernate? As far as I can tell, it's working properly, but you interupt it before it can finish hibernating.

The Hibernate does finish this is totally about the progress bar...

There is no progress bar in Vista. None. Nada. It is non-existant. You will not find one anywhere. If you want a progress bar you are out of luck.

The black screen is completely normal. Every Vista machine looks like that when going into hibernation.

If the hibernate is finishing fine then I don't get what you're complaining about, there's no problem.