Is there some way to log/track down a freeze in XP?


Posted (edited)

I recently updated various drivers and programs in my system and am now encountering this annoying problem where XP TOTALLY freezes seemingly at random. Sometimes it works for a very long time then just locks up. This morning it froze rather quickly. Then the only way out of it is to hit the reset button.

I am suspicious of the ATI Catalyst driver because it is the only thing that logs any error. Some kind of CRT related error which according to AMD/ATI is supposedly harmless and only happens at boot time (or when screen resolution changes) but this makes me wonder if maybe something else is broken further along. But I can't confirm that for sure.

So is there some way to log absolutely everything that is going on inside WinXP? So then I can get some idea why it is locking up and what could be the problem? Like I said it is doing this at apparently random times.

I have thoroughly checked using antivirus NOD32. My firewall has not logged anything out of the ordinary. I checked with Spybot and also ran Spyware Blaster. All with latest updates. They can't find anything suspicious. I checked HijackThis log and that seems to be normal as well.

I also have all updates from Microsoft. Using Service Pack 2. This is NOT a slipstreamed install, just a normal regular install from my original CD. It is not an overheating problem (temperatures are normal).

Event log is not showing any errors before or after the freeze. I ran chkdsk /f already too. Help! :(

Edited by heffalump

Posted (edited)

Ok I added the registry setting (and installed the debugger beforehand). Then just did a quick test of Ctrl-Scroll Lock. It blue screened and generated the (2 GB) dump file. After that I rebooted.

Couple questions :) Should savedump.exe (dumpsave.exe, I forget exactly) run after I reboot? I heard my hard drive grinding away and noticed that was running in task manager after reboot. Since it was just a test run I killed it off which stopped the hard drive activity.

Assuming I get a dump file after an actual lockup what should I do with it? Load it up into the debugger? What should I be looking for in there. Some steps would be helpful :) Thank you!

Edited by heffalump
Posted
Couple questions :) Should savedump.exe (dumpsave.exe, I forget exactly) run after I reboot? I heard my hard drive grinding away and noticed that was running in task manager after reboot. Since it was just a test run I killed it off which stopped the hard drive activity.

Savedump.exe was writing the data from your pagefile.sys to the memory.dmp file - do NOT kill that process :), otherwise you won't have a memory dump (that's what all that disk activity was).

Assuming I get a dump file after an actual lockup what should I do with it? Load it up into the debugger? What should I be looking for in there. Some steps would be helpful :) Thank you!

First thing I would do is open the dump file with windbg, run !locks on it, and then post the output here in code tags.

Posted

Ok thanks! :) I was wondering because the bluescreen part said it had dumped file too so I was worried savedump was overwriting the file created by that. I didn't know the bluescreen bit was actually writing to the pagefile!

Now it's just a waiting game to see when it all locks up again. Funnily enough it hasn't yet done so since I posted that query :lol:

Posted (edited)

Hi sorry for the delay in replying. I rolled back to a previous backup and forgot to reinstall the debugger :rolleyes: but I am still getting the lockups as described. I don't think it is the video drivers because I used drivercleaner and reinstalled the old set I was using before which worked fine for many months now. The freeze also happened before I reinstalled (but after I removed them!)

Now I have a dump file and tried loading it into the debugger. This is locks output. Any help? :)


1: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks...............................................................................................
.................................

Resource @ 0x865c6d38 Shared 1 owning threads
Threads: 89c0d723-01<*> *** Actual Thread 89c0d720
KD: Scanning for held locks..........................................................

Resource @ 0x8650a9e8 Shared 1 owning threads
Threads: 89c0d723-01<*> *** Actual Thread 89c0d720
KD: Scanning for held locks..

Resource @ 0x8661fe38 Shared 1 owning threads
Threads: 89c0d4ab-01<*> *** Actual Thread 89c0d4a8
KD: Scanning for held locks.

Resource @ 0x86e432f8 Shared 1 owning threads
Threads: 89c0d99b-01<*> *** Actual Thread 89c0d998

Resource @ 0x87bdfb38 Shared 1 owning threads
Threads: 89c0d99b-01<*> *** Actual Thread 89c0d998

Resource @ 0x89114250 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x870f9fb8 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x864b2640 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x86546138 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x8664e558 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x86fee040 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x865f6fb8 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x87c51a50 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x866e1d38 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x870fdf10 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x866eba58 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x8709de60 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x86498988 Shared 1 owning threads
Threads: 87069723-01<*> *** Actual Thread 87069720

Resource @ 0x89091c80 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x8661c1e0 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x866661b0 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x8662e4e8 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0
6043 total locks, 22 locks currently held

Edited by heffalump
Posted

That's a lot of shared locks, more than I would expect to see. Is there any way you can FTP that file to me? I've PM'ed you a location.

Posted (edited)

Hi there :) I am uploading it now though it might take a while because it is a big file and I'm on ADSL (768 kbps up). I did a threads 865053f0 because that one is listed a lot and it is saying image: gene6 ftp which is one I updated recently. I've tried uninstalling that for now via Total Uninstall and hope the freezes go away. The other threads seem to have image: system so I've no clue what those might be. Assuming I'm doing the right thing to begin with, hehe. Thanks very much for the help!

Add: just noticed !Thread 87069720 is Outpost firewall which I have not updated yet and is same engine/core version as I've used for months now, minus the adware/spyware updates.

Update: ok I totally uninstalled Gene6 but the freeze still happens :( Here is updated locks


0: kd> !locks
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks...............................................................................................
....................................................................................................
.
.........................................

Resource @ 0x86f50240 Shared 1 owning threads
Threads: 89c0d4ab-01<*> *** Actual Thread 89c0d4a8

Resource @ 0x86909d38 Shared 1 owning threads
Threads: 89c0dc13-01<*> *** Actual Thread 89c0dc10

Resource @ 0x87ae5d20 Shared 1 owning threads
Threads: 89c0dc13-01<*> *** Actual Thread 89c0dc10
KD: Scanning for held locks.....................

Resource @ 0x86935f38 Shared 1 owning threads
Threads: 89c0dc13-01<*> *** Actual Thread 89c0dc10

Resource @ 0x89124040 Shared 1 owning threads
Threads: 89c0dc13-01<*> *** Actual Thread 89c0dc10
8232 total locks, 5 locks currently held

I'm going to leave this computer alone for a while now since the freeze issue is also interfering with the upload :( Hope this can be fixed!

Edited by heffalump
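
Added example, not part of the original thread: a small Python parser for pasted `!locks` output that counts held resources per owning thread, which is the "that one is listed a lot" check done by eye in the post above. The sample is a shortened excerpt of the first listing with a constructed held count; the function names are hypothetical.

```python
import re
from collections import Counter

# Shortened excerpt of the first !locks listing above; the summary line's
# "4 locks currently held" is adjusted (constructed) to match the excerpt.
SAMPLE = """\
**** DUMP OF ALL RESOURCE OBJECTS ****
KD: Scanning for held locks......

Resource @ 0x865c6d38 Shared 1 owning threads
Threads: 89c0d723-01<*> *** Actual Thread 89c0d720

Resource @ 0x8661fe38 Shared 1 owning threads
Threads: 89c0d4ab-01<*> *** Actual Thread 89c0d4a8

Resource @ 0x89114250 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0

Resource @ 0x870f9fb8 Shared 1 owning threads
Threads: 865053f3-01<*> *** Actual Thread 865053f0
6043 total locks, 4 locks currently held
"""

RESOURCE = re.compile(r"Resource @ (0x[0-9a-fA-F]+)\s+(\w+)")
OWNER = re.compile(r"Threads:\s+([0-9a-fA-F]+)-\d+<\*>(?:.*Actual Thread ([0-9a-fA-F]+))?")
SUMMARY = re.compile(r"(\d+) total locks, (\d+) locks currently held")

def parse_locks(text):
    """Return (held resources, (total, held) from the summary line or None)."""
    held, summary = [], None
    for line in text.splitlines():
        if m := RESOURCE.search(line):
            held.append({"resource": m.group(1), "mode": m.group(2), "owners": []})
        elif (m := OWNER.search(line)) and held:
            # Fallback when "Actual Thread" is absent: clear the low two bits,
            # an assumption inferred from the pairs shown (89c0d723 -> 89c0d720).
            owner = m.group(2) or f"{int(m.group(1), 16) & ~3:08x}"
            held[-1]["owners"].append(owner.lower())
        elif m := SUMMARY.search(line):
            summary = (int(m.group(1)), int(m.group(2)))
    return held, summary

def rank_owners(held):
    """Threads ordered by how many held resources they own."""
    return Counter(t for r in held for t in r["owners"]).most_common()

def is_complete(held, summary):
    """False if the paste was truncated: listed resources must equal the held count."""
    return summary is not None and summary[1] == len(held)
```

The top entry from `rank_owners` is the thread address to pass to `!thread` first; `is_complete` catches a listing that was cut off when copied out of the debugger.
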
Posted

It's uploaded after I compressed it. I had to retry several times due to the computer freezing, lol. Well, fingers crossed cluberti can work some magic :)

Posted
// The thread that was "freezing" XP - note that before you caused the bugcheck,
// this thread had been trying to acquire a spinlock for almost 15 seconds...
1: kd> !thread 89c0bda8
THREAD 89c0bda8 Cid 0004.003c Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
IRP List:
86497e00: (0006,01fc) Flags: 00000070 Mdl: 00000000
Not impersonating
DeviceMap e10020f0
Owning Process 89c0e660 Image: System
Wait Start TickCount 141908 Ticks: 934 (0:00:00:14.593)
Context Switch Count 8546
UserTime 00:00:00.000
KernelTime 00:00:14.781
Start Address nt!ExpWorkerThread (0x804e22f1)
Stack Init f78e3000 Current f78e2d24 Base f78e3000 Limit f78e0000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 0
*** ERROR: Module load completed but symbols could not be loaded for sptd.sys
*** ERROR: Module load completed but symbols could not be loaded for PxHelp20.sys
*** ERROR: Module load completed but symbols could not be loaded for ezplay.sys
ChildEBP RetAddr Args to Child
f78e280c f75697fa 000000e2 00000000 00000000 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f78e2828 f7569032 0009a0d8 01dc00c6 00000000 i8042prt!I8xProcessCrashDump+0x237 (FPO: [Non-Fpo])
f78e2870 804db90f 888a4e18 8909a020 01010009 i8042prt!I8042KeyboardInterruptService+0x21c (FPO: [Non-Fpo])
f78e2870 806ff85e 888a4e18 8909a020 01010009 nt!KiInterruptDispatch+0x45 (FPO: [0,2] TrapFrame @ f78e2894)
f78e29d0 804e13d9 88e4d638 88c37b08 89111190 hal!KfAcquireSpinLock+0x2e (FPO: [0,0,0])
f78e2a6c 8050c76d f78e2dcc f73b7252 f73b7560 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f78e291c f739dd73 89bab420 8910e008 89111190 nt!IoGetDriverObjectExtension+0x33 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f78e29a0 804f39b1 0000000f 88c37b08 64747053 sptd+0x21d73
f78e29c0 8908e200 8908e008 f78e29d0 00000000 nt!ExAllocatePoolWithTagPriority+0x58 (FPO: [Non-Fpo])
f78e2a6c 8050c76d f78e2dcc f73b7252 f73b7560 0x8908e200
f78e2a84 f739ebcb 88c240e0 20f31678 00000000 nt!IoGetDriverObjectExtension+0x33 (FPO: [Non-Fpo])
f78e2b10 804e13d9 88e4d638 86497e00 86497e00 sptd+0x22bcb
f78e2b20 f7718115 86497edc f771803a 88ceddb0 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f78e2b48 f77172e1 88ceddb0 86497e00 86497ef8 PxHelp20+0x1115
f78e2bf4 f759b6ef 88d28b50 86497e00 86497e00 PxHelp20+0x2e1
f78e2c88 f74e847f 88d28b50 86497e00 88e7d310 cdrom!CdRomDeviceControlDispatch+0x4b7 (FPO: [Non-Fpo])
f78e2ca4 804e13d9 88d28b50 86497e00 89107518 CLASSPNP!ClassDeviceControlDispatch+0x48 (FPO: [Non-Fpo])
f78e2cb4 f75a7a35 f78e2d00 f75a8c28 88d2fc60 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f78e2cbc f75a8c28 88d2fc60 86497e00 00000000 redbook!RedBookSendToNextDriver+0x35 (FPO: [Non-Fpo])
f78e2d00 804e13d9 88d2fc60 86497e00 e24a4508 redbook!RedBookDeviceControl+0x548 (FPO: [Non-Fpo])
f78e2d10 f6ac662e 88e650d0 88e7d310 88e65018 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f78e2d40 f6ad601e 88e7d310 f78e2d73 f78e2d77 ezplay+0x562e
f78e2d68 8056d03c 88e65018 88e7d310 805694fc ezplay+0x1501e
f78e2d7c 804e23b5 86643b58 00000000 89c0bda8 nt!IopProcessWorkItem+0x13 (FPO: [Non-Fpo])
f78e2dac 80574128 86643b58 00000000 00000000 nt!ExpWorkerThread+0xef (FPO: [Non-Fpo])
f78e2ddc 804ec781 804e22f1 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

// sptd.sys has this IRP as one of its parameters, and it's the IRP we're working
// on in this thread at the time of the freeze/hang:
1: kd> !irp 86497e00
Irp is active with 5 stacks 4 is current (= 0x86497edc)
No Mdl: System buffer=86f31678: Thread 89c0bda8: Irp stack trace. Pending has been returned
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000004 00000000 86ff8568 00000000
>[ e, 1] 0 0 88e4d638 00000000 f759a6cc-8662a740
\Driver\aixpwfa2 cdrom!CdRomClassIoctlCompletion
Args: 0000004c 0000004c 0004d014 00000000
[ e, 0] 0 0 88d28b50 00000000 00000000-00000000
\Driver\Cdrom
Args: 0000004c 0000004c 0004d014 00000000

// The driver we're in at the time, looks like your CD ROM driver?
1: kd> lmvm aixpwfa2
start end module name
f6b40000 f6ba6000 aixpwfa2 (no symbols)
Loaded symbol image file: aixpwfa2.SYS
Image path: \SystemRoot\System32\Drivers\aixpwfa2.SYS
Image name: aixpwfa2.SYS
Timestamp: Mon Jun 04 01:12:12 2007 (46639F2C)
CheckSum: 0005673F
ImageSize: 00066000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

// I think this is the culprit though - if you uninstall Daemon Tools and
// the SCSI Pass-Through filter Driver it installs, I think your problems
// will go away:
1: kd> lmvm sptd
start end module name
f737c000 f7466000 sptd (no symbols)
Loaded symbol image file: sptd.sys
Image path: sptd.sys
Image name: sptd.sys
Timestamp: Mon Jun 18 17:13:19 2007 (4676F56F)
CheckSum: 000A7CF2
ImageSize: 000EA000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
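
Added example, not part of the original post: a Python sketch that follows the IRP address through the `!thread` stack and lists which drivers handled it without resolved symbols, the same reasoning the analysis above applies by hand. The input is an excerpt of the posted stack; the function names are hypothetical, and only the three arguments the debugger prints per frame are checked.

```python
import re

# Excerpt of the stack posted above (innermost frame first), not the full trace.
STACK = """\
f78e2b10 804e13d9 88e4d638 86497e00 86497e00 sptd+0x22bcb
f78e2b20 f7718115 86497edc f771803a 88ceddb0 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f78e2b48 f77172e1 88ceddb0 86497e00 86497ef8 PxHelp20+0x1115
f78e2bf4 f759b6ef 88d28b50 86497e00 86497e00 PxHelp20+0x2e1
f78e2c88 f74e847f 88d28b50 86497e00 88e7d310 cdrom!CdRomDeviceControlDispatch+0x4b7 (FPO: [Non-Fpo])
f78e2ca4 804e13d9 88d28b50 86497e00 89107518 CLASSPNP!ClassDeviceControlDispatch+0x48 (FPO: [Non-Fpo])
f78e2cb4 f75a7a35 f78e2d00 f75a8c28 88d2fc60 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f78e2cbc f75a8c28 88d2fc60 86497e00 00000000 redbook!RedBookSendToNextDriver+0x35 (FPO: [Non-Fpo])
f78e2d00 804e13d9 88d2fc60 86497e00 e24a4508 redbook!RedBookDeviceControl+0x548 (FPO: [Non-Fpo])
f78e2d40 f6ad601e 88e7d310 f78e2d73 f78e2d77 ezplay+0x562e
"""

FRAME = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+((?:[0-9a-f]{8}\s+){3})(\S+)")

def parse_frames(text):
    """Return frames as dicts: module, whether a symbol resolved, first three args."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m or m.group(4).startswith("0x"):
            continue  # headers, warnings, or a raw address with no module
        sym = m.group(4)
        frames.append({
            "module": re.split(r"[!+]", sym)[0],
            "has_symbols": "!" in sym,  # module+offset means no symbol resolved
            "args": m.group(3).split(),
        })
    return frames

def irp_path(text, irp):
    """Modules whose frames carry `irp` as an argument, outermost caller first."""
    path = []
    for f in reversed(parse_frames(text)):
        if irp in f["args"] and (not path or path[-1][0] != f["module"]):
            path.append((f["module"], f["has_symbols"]))
    return path

def unsymbolized(text, irp):
    """Drivers on the IRP's path for which the debugger had no symbols."""
    return [mod for mod, ok in irp_path(text, irp) if not ok]
```

For the IRP from the post, `86497e00`, the path runs redbook, CLASSPNP, cdrom, PxHelp20, sptd, and the last two are the modules without symbols. Frames below a "Stack unwind information not available" warning should be left out of the input, since the debugger itself marks them as possibly wrong.
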

Posted (edited)

Thanks very much for the analysis cluberti! That is strange, I have Daemon Tools installed but disabled the autorun/system tray thing and haven't even used the program much. I'm not sure but that drive might be Daemon's virtual drive. I'll uninstall it and hopefully that will fix it! Thanks for the comments in the debug, it is very helpful :)

Edited by heffalump
