Win xp pro sp3 random restarts & bsod


andtrds

Hello all,

I would like to ask for your help/opinion about a problem that I am having. I set up a new PC with Win XP Pro SP3 and I am having random restarts. I am trying to see the .dmp file but I can't configure what is wrong. Could you please help, guys?

My configuration is an Asus P5K-VM board, Core 2 Duo CPU, 2x1GB RAM (800) and I am using the onboard VGA. I have tried a clean install, with the latest drivers and all of the Windows updates.

Thank you, any help will be great!!



Hello cluberti,

Thanks for the quick reply.

Here is my dmp file if you can figure out what's going wrong.. :rolleyes:

Microsoft ® Windows Debugger Version 6.9.0003.113 X86

Copyright © Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\at\Desktop\Mini103108-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\Windows\symbols

Executable search path is:

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720

Debug session time: Fri Oct 31 16:53:32.656 2008 (GMT+2)

System Uptime: 0 days 0:02:30.338

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

Loading Kernel Symbols

....................................................................................................

..............

Loading User Symbols

Loading unloaded module list

.......

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {c0e12438, 1, 0, 80505f17}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** WARNING: Unable to verify timestamp for Ntfs.sys

*************************************************************************

*** ***

*** ***

*** Your debugger is not using the correct symbols ***

*** ***

*** In order for this command to work properly, your symbol path ***

*** must point to .pdb files that have full type information. ***

*** ***

*** Certain .pdb files (such as the public OS symbols) do not ***

*** contain the required information. Contact the group that ***

*** provided you with these symbols if you need this command to ***

*** work. ***

*** ***

*** Type referenced: nt!_KPRCB ***

*** ***

*************************************************************************

Probably caused by : ntoskrnl.exe ( nt+2ef17 )

Followup: MachineOwner

---------

0: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: c0e12438, memory referenced

Arg2: 00000001, IRQL

Arg3: 00000000, bitfield :

bit 0 : value 0 = read operation, 1 = write operation

bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: 80505f17, address which referenced memory

Debugging Details:

------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

MODULE_NAME: nt

FAULTING_MODULE: 804d7000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 48a3fbd9

READ_ADDRESS: unable to get nt!MmSpecialPoolStart

unable to get nt!MmSpecialPoolEnd

unable to get nt!MmPoolCodeStart

unable to get nt!MmPoolCodeEnd

c0e12438

CURRENT_IRQL: 1

FAULTING_IP:

nt+2ef17

80505f17 8b0c81 mov ecx,dword ptr [ecx+eax*4]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 8051af5d to 80505f17

STACK_TEXT:

WARNING: Stack unwind information not available. Following frames may be wrong.

a8b0c404 8051af5d c0e0003c 898f8da8 00000000 nt+0x2ef17

a8b0c458 804e2480 c6e34000 00000000 a8b0c584 nt+0x43f5d

a8b0c4a0 804e3f0a 89ba0008 a8b0c4e0 00001000 nt+0xb480

a8b0c534 8056a5ab 89ba7258 a8b0c574 00001000 nt+0xcf0a

a8b0c5a8 b9e67bc3 89ba7258 a8b0c5e8 00001000 nt+0x935ab

a8b0c628 b9e67d21 e13da830 e100fb50 00000028 Ntfs!NtfsRepairItem+0x2f1

a8b0c63c b9e679a2 e13da830 00000010 e100fb50 Ntfs!NtfsRepairItem+0x44f

a8b0c66c b9e676d6 e13da830 e100fb50 00000001 Ntfs!NtfsRepairItem+0xd0

a8b0c748 b9e671ff e100fb50 00000001 a8b0c808 Ntfs!NtfsVerifyAndFixFileRecord+0xa08

a8b0c8cc b9e6759a 89ae3a40 89b9b320 00000000 Ntfs!NtfsVerifyAndFixFileRecord+0x531

a8b0c92c b9e70ffc 89ae3a40 e15d3988 e15d3a50 Ntfs!NtfsVerifyAndFixFileRecord+0x8cc

a8b0c940 b9e71f46 89ae3a40 89ae3a40 e15d3a50 Ntfs!TxfFsctlRollforwardUndo+0x1e2

a8b0ca14 b9e71d6b 89ae3a40 898fc6f0 89423b40 Ntfs!TxfHandleRecoveryError+0x32a

a8b0ca84 b9e49b3b 89ae3a40 89423b40 898fc6f0 Ntfs!TxfHandleRecoveryError+0x14f

a8b0caec 804ef19f 89ba5020 89423b40 89423b50 Ntfs!WPP_SF_D+0x13

a8b0cb84 8054162c 80000638 a8b0cc38 a8b0cc48 nt+0x1819f

a8b0cba0 80500ecd badb0d00 a8b0cc18 ffffffff nt+0x6a62c

a8b0cc50 8063b454 e150b700 00000001 00000400 nt+0x29ecd

a8b0ccd8 8063b8ce e150b758 00000000 e150b758 nt+0x164454

a8b0ccf0 80632a96 e150b701 e13dd5c8 00000000 nt+0x1648ce

a8b0cd04 8062452e e150b758 00000120 a8b0cd64 nt+0x15ba96

a8b0cd58 8054162c 000000fc 00a8f770 7c91e4f4 nt+0x14d52e

a8b0cd64 7c91e4f4 badb0d00 00a8f758 00000000 nt+0x6a62c

a8b0cd68 badb0d00 00a8f758 00000000 00000000 0x7c91e4f4

a8b0cd6c 00a8f758 00000000 00000000 00000000 0xbadb0d00

a8b0cd70 00000000 00000000 00000000 00000000 0xa8f758

STACK_COMMAND: kb

FOLLOWUP_IP:

nt+2ef17

80505f17 8b0c81 mov ecx,dword ptr [ecx+eax*4]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt+2ef17

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner

---------


Do you have vmware-authd.exe running? For some reason I was getting BSODs & random restarts when it was running. I haven't gotten any since I upgraded to the latest version though. Maybe this works for you too?

EDIT: Did you check your event logs?

Edited by MCT

Well, I was hoping for a complete dump file, as a minidump in this case is fairly useless (I need the memory addresses and loaded module lists, which are not captured in a minidump - there is a reason the instructions I mentioned were for a *complete* memory dump). However, I've seen this particular callstack before:

0: kd> !thread
GetPointerFromAddress: unable to read from 80562134
THREAD 898f8da8 Cid 0240.0288 Teb: 7ffd7000 Win32Thread: e21bc490 RUNNING on processor 0
IRP List:
Unable to read nt!_IRP @ 89423b40
Not impersonating
GetUlongFromAddress: unable to read from 805621cc
Owning Process 89b27568 Image: lsass.exe
Attached Process N/A Image: N/A
ffdf0000: Unable to get shared data
Wait Start TickCount 9621
Context Switch Count 1914 LargeStack
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address 0x77e56c7d
Start Address 0x7c8106e9
Stack Init a8b0d000 Current a8b0c860 Base a8b0d000 Limit a8b09000 Call 0
Priority 9 BasePriority 9 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
a8b0c404 8051af5d c0e0003c 898f8da8 00000000 nt!MiLocateAndReserveWsle+0x51 (FPO: [Non-Fpo])
a8b0c458 804e2480 c6e34000 00000000 a8b0c584 nt!MmCheckCachedPageState+0x4ed (FPO: [Non-Fpo])
a8b0c4a0 804e3f0a 89ba0008 a8b0c4e0 00001000 nt!CcMapAndRead+0x86 (FPO: [Non-Fpo])
a8b0c534 8056a5ab 89ba7258 a8b0c574 00001000 nt!CcPinFileData+0x204 (FPO: [Non-Fpo])
a8b0c5a8 b9e67bc3 89ba7258 a8b0c5e8 00001000 nt!CcPreparePinWrite+0x93 (FPO: [Non-Fpo])
a8b0c628 b9e67d21 e13da830 e100fb50 00000028 Ntfs!LfsGetLbcb+0x5b (FPO: [Non-Fpo])
a8b0c63c b9e679a2 e13da830 00000010 e100fb50 Ntfs!LfsPrepareLfcbForLogRecord+0x4a (FPO: [Non-Fpo])
a8b0c66c b9e676d6 e13da830 e100fb50 00000001 Ntfs!LfsWriteLogRecordIntoLogPage+0x5c (FPO: [Non-Fpo])
a8b0c748 b9e671ff e100fb50 00000001 a8b0c808 Ntfs!LfsWrite+0x2f7 (FPO: [Non-Fpo])
a8b0c8cc b9e6759a 89ae3a40 89b9b320 00000000 Ntfs!NtfsWriteLog+0x6a2 (FPO: [Non-Fpo])
a8b0c92c b9e70ffc 89ae3a40 e15d3988 e15d3a50 Ntfs!NtfsCommitCurrentTransaction+0x197 (FPO: [Non-Fpo])
a8b0c940 b9e71f46 89ae3a40 89ae3a40 e15d3a50 Ntfs!NtfsCheckpointCurrentTransaction+0x21 (FPO: [Non-Fpo])
a8b0ca14 b9e71d6b 89ae3a40 898fc6f0 89423b40 Ntfs!NtfsSetEndOfFileInfo+0x5ec (FPO: [Non-Fpo])
a8b0ca84 b9e49b3b 89ae3a40 89423b40 898fc6f0 Ntfs!NtfsCommonSetInformation+0x477 (FPO: [Non-Fpo])
a8b0caec 804ef19f 89ba5020 89423b40 89423b50 Ntfs!NtfsFsdSetInformation+0xa3 (FPO: [Non-Fpo])
a8b0cafc 8057b543 a8b0cba0 a8b0cc2c 8057b010 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
a8b0cb84 8054162c 80000638 a8b0cc38 a8b0cc48 nt!NtSetInformationFile+0x533 (FPO: [Non-Fpo])
a8b0cb84 80500ecd 80000638 a8b0cc38 a8b0cc48 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ a8b0cba0)
a8b0cc10 8063bffa 80000638 a8b0cc38 a8b0cc48 nt!ZwSetInformationFile+0x11 (FPO: [5,0,0])
a8b0cc50 8063b454 e150b700 00000001 00000400 nt!CmpDoFileSetSize+0x5e (FPO: [Non-Fpo])
a8b0ccd8 8063b8ce e150b758 00000000 e150b758 nt!HvpDoWriteHive+0x42a (FPO: [Non-Fpo])
a8b0ccf0 80632a96 e150b701 e13dd5c8 00000000 nt!HvSyncHive+0x88 (FPO: [Non-Fpo])
a8b0cd04 8062452e e150b758 00000120 a8b0cd64 nt!CmFlushKey+0x94 (FPO: [Non-Fpo])
a8b0cd58 8054162c 000000fc 00a8f770 7c91e4f4 nt!NtFlushKey+0x88 (FPO: [Non-Fpo])
a8b0cd58 7c91e4f4 000000fc 00a8f770 7c91e4f4 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ a8b0cd64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
00a8f770 00000000 00000000 00000000 00000000 0x7c91e4f4

I've not seen this dump in a while, but knowing what is happening here, it appears to be memory corruption. So, either it's a device driver on the system, or you have faulty memory on the system (RAM, L2 CPU Cache, or Video RAM). I don't see us working in win32k.sys, so no GDI is being used, so that probably rules out the video card or driver. That leaves either your system's disk chipset driver, or the RAM or CPU cache as problematic. I'd start checking your RAM with memtest86 though, as a first.
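
A triage check for the `!analyze -v` text posted earlier in the thread, as an added example that is not part of any post: it decodes the bugcheck 0xA arguments as the debugger output describes them, recomputes the faulting offset from the kernel base, and marks every frame name as untrusted when the output reports wrong symbols (the same frame, ChildEBP a8b0c628, reads `Ntfs!NtfsRepairItem+0x2f1` in the first listing and `Ntfs!LfsGetLbcb+0x5b` in the second). The function name `triage` and the shortened `SAMPLE` are assumptions made for the example.

```python
import re

# Constructed sample: a few lines copied from the debugger output in this thread.
SAMPLE = """\
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
BugCheck 1000000A, {c0e12438, 1, 0, 80505f17}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
a8b0c404 8051af5d c0e0003c 898f8da8 00000000 nt+0x2ef17
a8b0c5a8 b9e67bc3 89ba7258 a8b0c5e8 00001000 nt+0x935ab
a8b0c628 b9e67d21 e13da830 e100fb50 00000028 Ntfs!NtfsRepairItem+0x2f1
a8b0cd68 badb0d00 00a8f758 00000000 00000000 0x7c91e4f4
"""

BUGCHECK = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
KERNEL_BASE = re.compile(r"Kernel base = 0x([0-9A-Fa-f]+)")
# kb-style frame: ChildEBP, RetAddr, three args, then the symbol column.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$", re.M)


def triage(text):
    """Summarise a bugcheck 0xA report and say how far the stack can be trusted."""
    bc = BUGCHECK.search(text)
    kb = KERNEL_BASE.search(text)
    if not bc or not kb:
        raise ValueError("no BugCheck / Kernel base line found")
    code = int(bc.group(1), 16)
    args = [int(a, 16) for a in bc.group(2).split(",")]
    if len(args) != 4:
        raise ValueError("expected four bugcheck arguments")
    address, irql, bitfield, fault_ip = args

    frames = {"offset_only": 0, "named": 0, "no_module": 0}
    for sym in FRAME.findall(text):
        if "!" in sym:
            frames["named"] += 1        # module!function+offset
        elif sym.startswith("0x"):
            frames["no_module"] += 1    # address outside any known module
        else:
            frames["offset_only"] += 1  # module+offset, no symbol resolved

    symbols_ok = "WRONG_SYMBOLS" not in text and "symbols are WRONG" not in text
    return {
        # The output above reports code 1000000A as BUGCHECK_STR 0xA.
        "bugcheck": code & 0x0FFFFFFF,
        "address": address,
        "irql": irql,
        "access": "write" if bitfield & 0x1 else "read",  # Arg3 bit 0
        "execute": bool(bitfield & 0x8),                  # Arg3 bit 3
        "fault_offset": fault_ip - int(kb.group(1), 16),  # Arg4 - kernel base
        "symbols_ok": symbols_ok,
        "frames": frames,
        # With wrong symbols even named frames may be mislabelled.
        "trusted_frames": frames["named"] if symbols_ok else 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```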
