CSRSS.exe Causing BSOD's

[marvin-miller]

Hi Folks!

New user here - I came upon this site while doing a search for the root cause behind BSOD's from CSRSS.exe.

I'm working on my Mom's laptop and today she mentioned (again) that it had a BSOD and if I could look into it. The mini dump section had 33 files of identical size all the way back from November of 2006 to yesterday.

I checked 5 of those 33 files and each one of them seemed to be complaining about CSRSS.exe. I don't know what's causing this issue but obviously it's been going on since the laptop was bought new back in 2006. I've kept this machine literally squeaky-clean over the years and in fact just went through it. It's virus-free and has as many updated drivers as I could find.

Anyway, I've zipped up the last 7 mini-dump files in the hopes that someone might take a look and narrow down for me why CSRSS is actually coughing. In the meantime I've enabled full dump reporting from this moment on should it be necessary for more info.

Any help that could lead me to the underlying cause is much appreciated. BTW, it's not a virus The system really is squeaky-clean and all up to date (as far as I can tell). It's Media Center 2005 and csrss.exe is version 5.1.2600.5512. I just did a complete Media Center re-install on my own workstation yesterday and after all updates I have the identical version so it must be the latest.

Thanks everyone!

Minidump.zip

[cluberti]

You really need to at least change the dump type to kernel (and honestly, I'd prefer a *complete* memory dump, as per the instructions in the sticky at the top of this section). Because otherwise, I have no idea what's happening. The dump does indicate that a device was attempted to be accessed that doesn't exist under the hardware_disk category, but that could mean anything (including virtual CD drives, a mounted device, a network device, anything). I need to see the other end of this LPC chain, which doesn't exist in a minidump.

0: kd> !thread
GetPointerFromAddress: unable to read from 80562134
THREAD 86c2aa58  Cid 025c.02bc  Teb: 7ffd6000 Win32Thread: e284ac70 RUNNING on processor 0
Not impersonating
GetUlongFromAddress: unable to read from 805621cc
Owning Process			0	   Image:		 <Unknown>
Attached Process		  86d25020	   Image:		 csrss.exe
ffdf0000: Unable to get shared data
Wait Start TickCount	  605693	   
Context Switch Count	  1019				 LargeStack
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime				  00:00:00.000
KernelTime				00:00:00.000
Win32 Start Address 0x000045aa
LPC Server thread working on message Id 45aa
Start Address 0x75b44616
Stack Init a9f1d000 Current a9f1cc34 Base a9f1d000 Limit a9f1a000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child			  
a9f1c520 805d1ac5 000000f4 00000003 86d25020 nt!KeBugCheckEx+0x1b (FPO: [5,0,0])
a9f1c544 805d2a27 805d297c 86d25020 86d25194 nt!PspCatchCriticalBreak+0x75 (FPO: [3,0,0])
a9f1c574 8054162c 86d25268 c0000006 a9f1c9b0 nt!NtTerminateProcess+0x7d (FPO: [2,4,4])
a9f1c574 80501161 86d25268 c0000006 a9f1c9b0 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ a9f1c584)
a9f1c5f4 804fe816 ffffffff c0000006 a9f1c9f8 nt!ZwTerminateProcess+0x11 (FPO: [2,0,0])
a9f1c9b0 805028cf a9f1c9d8 00000000 a9f1cd64 nt!KiDispatchException+0x3a0 (FPO: [Non-Fpo])
a9f1cd34 80544ef7 00bcfbe8 00bcfc08 00000000 nt!KiRaiseException+0x175 (FPO: [Non-Fpo])
a9f1cd50 8054162c 00bcfbe8 00bcfc08 00000000 nt!NtRaiseException+0x33
a9f1cd50 75b7b3b9 00bcfbe8 00bcfc08 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ a9f1cd64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
00bcfff4 00000000 00000000 00000000 00000000 0x75b7b3b9

0: kd> !lpc message 45aa
Reading LpcPortObjectType failed
Reading LpcWaitablePortObjectType failed
The values for LpcPortObjectType or LpcWaitablePortObjectType are invalid. Please check the symbols.

Note that csrss.exe is not your problem, but csrss.exe is crashing as the victim of something else. Again, we need at least a kernel dump, and preferably a complete dump, before we can give you anything from this.

Minidumps are useless, I'm honestly not sure why they're the default option for dump types in Windows - I wish this would change.

[marvin-miller]

Hi cluberti;

Thanks very much for the reply - I'm not a pro in crash dump analysis so it's nice to be able to talk to someone much more familiar with these things

After reading the other thread on CSRSS I anticipated your request for a full dump and changed the settings on the laptop to do so next time it coughs.

Question: Do I really need to do this step;

1. Create or set the following registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

Value: CrashOnCtrlScroll

Type: REG_DWORD

Data: 1

or is it enough to just enable a full dump when a BSOD occurs?

Thanks again!

[cluberti]

No, you just need it to crash. You'd only do that if you wanted to crash it via the keyboard on purpose.