XP Pro Crashs

[dinnmuzz]

I have a XP pro comp, has been running fine, nothing has been changed,I have updated to SP3 but crashes were happening before that. I have run dubug from Microsoft and results as follows.

Microsoft ® Windows Debugger Version 6.9.0003.113 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini062508-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805634c0
Debug session time: Wed Jun 25 00:24:15.937 2008 (GMT+12)
System Uptime: 0 days 14:34:58.468
Loading Kernel Symbols
....................................................................................................
........................................
Loading User Symbols
Loading unloaded module list
.................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {4, 1c, 0, 804e90b2}

Probably caused by : win32k.sys ( win32k!GreReleaseSemaphore+a )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804e90b2, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  00000004 

CURRENT_IRQL:  1c

FAULTING_IP: 
nt!KeReleaseSemaphore+14
804e90b2 8b5e04          mov     ebx,dword ptr [esi+4]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  Ezy.exe

LAST_CONTROL_TRANSFER:  from 804e9134 to 804e90b2

STACK_TEXT:  
f2c78cdc 804e9134 00000000 00000000 0000708c nt!KeReleaseSemaphore+0x14
f2c78d0c bf80198c bf82e5d1 00000001 00000000 nt!ExReleaseResourceLite+0x6f
f2c78d10 bf82e5d1 00000001 00000000 f2c78d60 win32k!GreReleaseSemaphore+0xa
f2c78d58 804dd98f e66a39c8 0012f420 7c90e4f4 win32k!GreSaveDC+0x1fb
f2c78d58 7c90e4f4 e66a39c8 0012f420 7c90e4f4 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f420 00000000 00000000 00000000 00000000 0x7c90e4f4


STACK_COMMAND:  kb

FOLLOWUP_IP: 
win32k!GreReleaseSemaphore+a
bf80198c ff2538cb98bf    jmp     dword ptr [win32k!_imp__KeLeaveCriticalRegion (bf98cb38)]

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  win32k!GreReleaseSemaphore+a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  48025f2a

FAILURE_BUCKET_ID:  0xA_win32k!GreReleaseSemaphore+a

BUCKET_ID:  0xA_win32k!GreReleaseSemaphore+a

Followup: MachineOwner
---------


This is the error log from event viewer,


Cat (102)
Type error
Event 1003

Error code 1000008e, 
parameter1 c0000005,
 parameter2 8070194f,
 parameter3 f32c8420,
 parameter4 00000000.

0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 31 30 30 30 30 30 38    1000008
0020: 65 20 20 50 61 72 61 6d   e  Param
0028: 65 74 65 72 73 20 63 30   eters c0
0030: 30 30 30 30 30 35 2c 20   000005, 
0038: 38 30 37 30 31 39 34 66   8070194f
0040: 2c 20 66 33 32 63 38 34   , f32c84
0048: 32 30 2c 20 30 30 30 30   20, 0000
0050: 30 30 30 30               0000

[CoffeeFiend]

Looks like you have the Obsorb trojan (Ezy.exe). Remove the malware, and problem should be solved.

[dinnmuzz]

I have a program that is video program that is Ezy.exe So that is not malware. Again this program has been there for years

[cluberti]

Well, two problems here.

First, since this is only a minidump and we will need to deconstruct the semaphore objects to see why we're in this section of code when a driver caused the crash, you'll need to reconfigure your machine for at least a kernel dump (but a complete dump would be MUCH better) for us to best help you with this.

Second, the IRQL that was in use at the time of the crash is 1c, which is the clock level interrupt. Not all STOP 0xA's are hardware problems, but most that are in IRQL 1c actually are - are we sure the RAM in this box is working properly? Again, a 1c 0xA bugcheck can be a driver error, but it usually is a hardware indicator - I'd at least start by checking the RAM. Assuming the RAM checks out with a memory test app (like memtest86), the other vast majority of 1c IRQL bugchecks are video driver or video card related.

[dinnmuzz]

How do I configure to do a kernal dump, and then get that info

[nitroshift]

Read here: http://www.msfn.org/board/Creating-memory-dumps-t90244.html

[dinnmuzz]

I am not up to speed on the first part copy below

Memory dump of the entire system:

1. Create or set the following registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

Value: CrashOnCtrlScroll

Type: REG_DWORD

Data: 1

How do you do that? in real simple language for me as a beginner in this area. Step by Step lol

Thanks guys for your help by the way..

[JedMeister]

This bit I can help with (the rest is way beyond me!)

Open the Windows Registry Editor (Click Start>Run>type "regedit" (no quotes)>click ok (or hit <Enter>)

Now navigating in the Windows registry is sort of similar to navigating in Windows file system, it is the same sort of hierarchical folder concept (ie laike a tree of nested folders within folders).

For this next bit only consider the left hand frame for now.

If you expand My Computer (click the little plus next to it) you should see a number of folders, HKEY_LOCAL_MACHINE will be one of these. Then expand that and look for SYSTEM. Again find CurrentControlSet. Keep going in this fashion until you get to Parameters. If yours is the same as mine, then Parameters itself won't expand, but the folder icon will change to an open icon when you click on it.

To confirm you're in the right place it should display the full address right at the bottom of the window

(ie "My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters"). Give yourself a pat on the back, you've just navigated to a registry key!

Now look to the right frame of the Registry Editor window. Unless ther is already a value called "CrashOnCtrlScroll" you will have to make one. This is really easy. Now in the right frame, in a blank space away from any values; Right-click > New > DWORD Value. Name it CrashOnCtrlScroll (and press <Enter>). Finally double click your new value and change the value data to "1" (no quotes), click ok and you're done!

Congrats, you've just added a new value to a registry key! Too easy! (I hope so anyway!)

[Volatus]

Let's attack the hardware side of things before asking for a ~1gb upload, sounds alright?

http://www.memtest.org/

Memtest86+.

Grab the bootable ISO. Use a CD burner program to burn it onto a rewritable CD (unless you want to waste a CD-R on it... who knows, it may come in handy later). I suggest ImgBurn if you're not familiar with burning ISOs - besides, ImgBurn just rocks and it REALLY knows its stuff. Leave it in your CD drive and reboot your computer. If your computer was built by anyone with the slightest bit of brain matter, it should be configured to check the CD drive for a bootable disc first. If it starts Windows, that's bad... let it start up, then post back here (with your computer model) and we'll help walk you through booting from CD.

If it starts up to a blue screen (not THAT kind!) and a bunch of information whizzing by, you're set to go. Let it run its course and watch for ANYTHING to show up in the error area (they'll show up in bright red, not a blue background). The program will run continuously until you hit Esc to reboot... you just need to watch the "Pass" progress bar. Once it completes once, you generally don't need to let it continue, unless you have a lot of time to waste (e.g. letting it test while you're at work). Any errors? Misconfigured hardware (RAM itself is almost NEVER bad) or dirty contacts somewhere. If your computer's under warranty, bug them about it.

A memory test is a great way to test your computer's core hardware - it stresses both the CPU (during the random number sequence, mainly) and the memory, to ensure that whatever you do will be done properly. When I see a computer acting strangely, the first thing I do is memtest it, and it generally points out an error right there on the spot

Edited June 25, 2008 by Volatus

[JedMeister]

Let's attack the hardware side of things before asking for a ~1gb upload, sounds alright?

Sounds like a very reasonable proposition to me. Especially considering cluberti's comments earlier:

....are we sure the RAM in this box is working properly? Again, a 1c 0xA bugcheck can be a driver error, but it usually is a hardware indicator - I'd at least start by checking the RAM. Assuming the RAM checks out with a memory test app (like memtest86), the other vast majority of 1c IRQL bugchecks are video driver or video card related....

Sorry I was so eager to help that I didn't encourage dinnmuzz to make sure (s?)he'd done some hardware checks first.

Having said that it did seem that there were possibly 2 errors here did it not? Also must say I had no idea that a full dump would be that huge! ~1GB is a serious upload!!

[cluberti]

It's a binary text file. Even a 4GB dump shouldn't be more than ~500MB or so zipped.

[Volatus]

It's a binary text file. Even a 4GB dump shouldn't be more than ~500MB or so zipped.

...

"Binary" "text file" is an oxymoron...

It's a memory dump. Whatever is in the memory... typically assorted random data, hence, hard to compress depending on how long the computer'd been running (and even if the memory was all zeroed out to begin with). It's just a bad idea to ask for a full memory dump... they're mostly useless anyway. Why bother?

[JedMeister]

I'm certainly no expert in this sort of stuff but in this case would not binary refer to 1s and 0s? If that's the case then I guess it only seems like an "oxymoron" the way cluberti said it. Perhaps it could more correctly be referred to as a text file containing binary?

Ok I'll stop now, don't want to confirm my ignorance too much!

[Volatus]

You're right, but in the world of computers, a "text file" is generally considered a 7-bit-per-byte "binary" file (as all files are binary and stored with 8 bits per byte), and can typically be stored with extraordinary compression. A "binary" file is one that is either already compressed, or encoded in another way. Since a memory dump certainly is not text... it's just a normal binary file. Just wanted to clear that part up.

It's still a terrible suggestion to have someone either make, or upload, a full memory dump.

[nitroshift]

[...]It's just a bad idea to ask for a full memory dump... they're mostly useless anyway. Why bother?

I`ll skip any comment and still ask for the full dump. It`s not so useless as you may think, especially if you know how to read it...