Constant BSOD with 0x000000F4 0x00000003 0x82ba4108 0x82ba427c 0x805c8

**Iceyburnz** · September 15, 2010

XP SP2

Just started to recently get BSODs with the stop codes in the subject(Not sure if the codes after the 0xf4 changes on each BSOD). I had this issue once before() and I uninstalled Symantec and the BSODs stopped.

I did a full memory dump with pool tagging enabled and it is linked below on mediafire (131MB).

http://www.mediafire.com/download.php?cu61btk3q9n256a

If any other information is needed, please let me know

Thanks!

Edited September 15, 2010 by Iceyburnz

**Tripredacus** · September 15, 2010

I have some questions to start (I won't be looking at your dump)

1. Are you able to get into Windows at all?

2. Is there a specific reason why you aren't at Service Pack 2?

3. Is your XP OS installed on an IDE drive?

**cluberti** · September 15, 2010

Looks like the system restore filter driver is consuming your kernel nonpaged pool, and running your system out of kernel nonpaged pool memory causing further allocations to fail (and since it's a kernel driver, it can cause a bugcheck when a critical allocation fails):


// It was indeed an F4 bugcheck:
kd> .bugcheck
Bugcheck code 000000F4
Arguments 00000003 82ba4108 82ba427c 805c874a


// The error was an I/O inpage error, due to lack of resources to handle the request:
kd> .exr 0xfffffffff87c59d8
ExceptionAddress: 75b7b1c1 (winsrv!UserHardError)
   ExceptionCode: c0000006 (In-page I/O error)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000008
   Parameter[1]: 75b7b1c1
   Parameter[2]: c000009a
Inpage operation failed at 75b7b1c1, due to I/O error c000009a


// Indeed, not enough of some resource to handle the API request:
kd> !error c000009a
Error code: (NTSTATUS) 0xc000009a (3221225626) - Insufficient system resources exist to complete the API.


// Looking at virtual memory, you're basically out of nonpaged pool:
kd> !vm
*** Virtual Memory Usage ***
	Physical Memory:      130668 (    522672 Kb)
	Page File: \??\C:\pagefile.sys
	  Current:    784008 Kb  Free Space:    484656 Kb
	  Minimum:    784008 Kb  Maximum:      1568016 Kb
	Available Pages:        6647 (     26588 Kb)
	ResAvail Pages:        76942 (    307768 Kb)
	Locked IO Pages:          71 (       284 Kb)
	Free System PTEs:     247397 (    989588 Kb)
	Free NP PTEs:              0 (         0 Kb)
	Free Special NP:           0 (         0 Kb)
	Modified Pages:          563 (      2252 Kb)
	Modified PF Pages:       563 (      2252 Kb)
	NonPagedPool Usage:    32739 (    130956 Kb)
	NonPagedPool Max:      32768 (    131072 Kb)
	********** Excessive NonPaged Pool Usage *****
	PagedPool 0 Usage:      4411 (     17644 Kb)
	PagedPool 1 Usage:      1110 (      4440 Kb)
	PagedPool 2 Usage:      1059 (      4236 Kb)
	PagedPool Usage:        6580 (     26320 Kb)
	PagedPool Maximum:     43008 (    172032 Kb)

	********** 9315 pool allocations have failed **********

	Session Commit:         2103 (      8412 Kb)
	Shared Commit:          1539 (      6156 Kb)
	Special Pool:              0 (         0 Kb)
	Shared Process:         3590 (     14360 Kb)
	PagedPool Commit:       6580 (     26320 Kb)
	Driver Commit:          2826 (     11304 Kb)
	Committed pages:      192240 (    768960 Kb)
	Commit limit:         318306 (   1273224 Kb)
...


// Looking at the top consumers of nonpaged pool, the driver that is consuming memory uses the tag SrFE:
kd> !poolused 2
 Sorting by NonPaged Pool Consumed

               NonPaged                  Paged
 Tag     Allocs         Used     Allocs         Used

 SrFE 4294967294   4294967216  4294967295   4294966264	File information buffer , Binary: sr.sys
 Irp     243087    108741128          0            0	Io, IRP packets 
 R300        48      1310856        188      5804536	ATI video driver 
 MmCm        21      1073696          0            0	Calls made to MmAllocateContiguousMemory , Binary: nt!mm
 Devi       333       874552          0            0	Device objects 
 Wdm        831       697248         19         7656	WDM 
 Thre       515       325480          0            0	Thread objects , Binary: nt!ps
 File      2013       307048          0            0	File objects 
 BaNB      1372       275432          0            0	UNKNOWN pooltag 'BaNB', please update pooltag.txt
 Wmit         6       270336          0            0	Wmi Trace 
...


// SrFE belongs to sr.sys:
kd> !for_each_module s -a @#Base @#End "SrFE"
f84a8bc7  53 72 46 45 68 00 10 00-00 6a 01 ff 15 10 fb 49  SrFEh....j.....I

kd> !address f84a8bc7
  f849f000 - 00012000                           
          Usage       KernelSpaceUsageImage
          ImageName   sr.sys


// The sr.sys module appears to be the system restore binary:
kd> lmvm sr
start    end        module name
f849f000 f84b0f00   sr         (deferred)             
    Image path: sr.sys
    Image name: sr.sys
    Timestamp:        Wed Aug 04 02:06:22 2004 (41107CDE)
    CheckSum:         00016006
    ImageSize:        00011F00
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4


// The thread that threw up the bugcheck:
kd> .trap 0xf87c5d64
ErrCode = 00000000
eax=75b7b1c1 ebx=7c901000 ecx=0053feec edx=75b489a0 esi=00000001 edi=0000000c
eip=75b7b1c1 esp=0053fed4 ebp=0053fff4 iopl=3         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00003202
winsrv!UserHardError:
001b:75b7b1c1 ??              ???

kd> !thread
THREAD 82abada8  Cid 02a4.02bc  Teb: 7ffdc000 Win32Thread: e1c468a0 RUNNING on processor 0
Not impersonating
DeviceMap                 e10087c0
Owning Process            0       Image:         <Unknown>
Attached Process          82ba4108       Image:         csrss.exe
Wait Start TickCount      3108722        Ticks: 0
Context Switch Count      14773                 LargeStack
UserTime                  00:00:00.328
KernelTime                00:00:00.234
Win32 Start Address 0x00055fff
LPC Server thread working on message Id 55fff
Start Address CSRSRV!CsrApiRequestThread (0x75b4461a)
Stack Init f87c6000 Current f87c5bec Base f87c6000 Limit f87c3000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child              
f87c5520 805c787b 000000f4 00000003 82ba4108 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo]) (CONV: stdcall)
f87c5544 805c87f5 805c874a 82ba4108 82ba427c nt!PspCatchCriticalBreak+0x75 (FPO: [Non-Fpo]) (CONV: stdcall)
f87c5574 8053d438 82ba4350 c0000006 f87c59b0 nt!NtTerminateProcess+0x7d (FPO: [Non-Fpo]) (CONV: stdcall)
f87c5574 804ff18d 82ba4350 c0000006 f87c59b0 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f87c5584)
f87c55f4 804fccb6 ffffffff c0000006 f87c59f8 nt!ZwTerminateProcess+0x11 (FPO: [2,0,0])
f87c59b0 8050041b f87c59d8 00000000 f87c5d64 nt!KiDispatchException+0x3a0 (FPO: [Non-Fpo]) (CONV: stdcall)
f87c5d34 80540c91 0053fbe8 0053fc08 00000000 nt!KiRaiseException+0x175 (FPO: [Non-Fpo]) (CONV: stdcall)
f87c5d50 8053d438 0053fbe8 0053fc08 00000000 nt!NtRaiseException+0x31
f87c5d50 75b7b1c1 0053fbe8 0053fc08 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f87c5d64)
0053fed0 75b447e6 00000000 0053feec 00000005 winsrv!UserHardError (FPO: [Non-Fpo]) (CONV: stdcall)
0053fff4 00000000 0000007c 00000000 00000000 CSRSRV!CsrApiRequestThread+0x1cc (FPO: [Non-Fpo]) (CONV: stdcall)


// It was operating on behalf of another thread in another process:
kd> !lpc message 55fff
Searching message 55fff in threads ...
Client thread 82db43c8 waiting a reply from 55fff                          
    Server thread 82abada8 is working on message 55fff                         
Searching thread 82db43c8 in port rundown queues ...

Server connection port e1023f68  Name: ApiPort
    Handles: 1   References: 133
    Server process  : 82ba4108 (csrss.exe)
    Queue semaphore : 82c61050
    Semaphore state 0 (0x0) 
    The message queue is empty
    The LpcDataInfoChainHead queue is empty
Done.                                              

kd> .thread 82db43c8
Implicit thread is now 82db43c8
kd> !thread 82db43c8 
THREAD 82db43c8  Cid 0004.003c  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrLpcReply) KernelMode Non-Alertable
    82db45bc  Semaphore Limit 0x1
Waiting for reply to LPC MessageId 00055fff:
Current LPC port e1023f68
Not impersonating
DeviceMap                 e10087c0
Owning Process            0       Image:         <Unknown>
Attached Process          82db67c0       Image:         System
Wait Start TickCount      3108719        Ticks: 3 (0:00:00:00.046)
Context Switch Count      136055             
UserTime                  00:00:00.000
KernelTime                00:00:02.281
Start Address nt!ExpWorkerThread (0x805348f6)
Stack Init f8aca000 Current f8ac9a90 Base f8aca000 Limit f8ac7000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child              
f8ac9aa8 80500cb0 82db4438 82db43c8 804f9d10 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f8ac9ab4 804f9d10 82db4590 82db43c8 805537e0 nt!KiSwapThread+0x46 (FPO: [0,0,0]) (CONV: fastcall)
f8ac9adc 80598bb7 00000000 00000011 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo]) (CONV: stdcall)
f8ac9b14 80598d03 e1023f68 82c61050 f8ac9b4c nt!LpcpRequestWaitReplyPort+0x43d (FPO: [Non-Fpo]) (CONV: stdcall)
f8ac9b2c 8060a781 e1023f68 f8ac9b4c f8ac9b4c nt!LpcRequestWaitReplyPortEx+0x21 (FPO: [Non-Fpo]) (CONV: stdcall)
f8ac9cd0 8060a8e2 c0000222 00000001 00000001 nt!ExpRaiseHardError+0x1bd (FPO: [Non-Fpo]) (CONV: stdcall)
f8ac9d40 80573241 c0000222 00000001 00000001 nt!ExRaiseHardError+0x13e (FPO: [Non-Fpo]) (CONV: stdcall)
f8ac9d74 805349f6 00000000 00000000 82db43c8 nt!IopHardErrorThread+0x53 (FPO: [Non-Fpo]) (CONV: stdcall)
f8ac9dac 805c5cf2 00000000 00000000 00000000 nt!ExpWorkerThread+0x100 (FPO: [Non-Fpo]) (CONV: stdcall)
f8ac9ddc 80541be2 805348f6 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo]) (CONV: stdcall)
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

Unfortunately, the thread that created the bugcheck itself was working on behalf of another thread that was itself a worker thread for the real failure. I cannot tell you why the system restore driver is consuming all of that pool, but it would not be doing it on it's own - someone or something is causing it to do so. Obviously, you could disable system restore and it should no longer occur, although perhaps you simply have too many system restore points, or something being saved in your restore points is causing it.

**Iceyburnz** · September 16, 2010

Thanks both for the replies. constant was also a bad word to describe the issue. it was more like annonying/periodic/daily.

@Tripredacus - I am able to get into Windows. I plan to update to SP3 soon (have been busy with work so havent done it yet. OS is installed on an IDE drive(laptop is the machine experiencing the issues)

@cluberti - Thanks for the insight. There was another BSOD when I got home(the two stop codes in the middle were diff this time (0x82b12b90, 0x82b12d04). I can zip up the dump if needed.)

System Restore was active(not sure when I activated it as I never use it). I have disabled it for the time being to see if the issues stop. Will let it run a day or two to see if it comes up with a BSOD and advise.

**Ascii2** · September 16, 2010

If not very had changed (no hardware or software added, removed, or reconfigured) prior to a manifest of the problem, then my first suspicion would be a hardware defect. Note that if automatic updates are/were enable, the software might have changed significantly without you knowing (wherefore, always disable automatic updates).

Check the hardware for defects: Examine capacitors for bulges/leaks, unpopulate hardware sockets/slots other than for CPU and remove dust if any exists, and stress test the memory.

Otherwise, the problem might be software related.

There are many Microsoft hotfix packages that resolve known STOP errors. (I usually integrate these into my unattended Windows XP (different Service Pack levels) images).

You can also try different storage drivers versions if using non-Microsoft versions.

Roll back any recent Microsoft update packages up to when problem began to manifest.

**cluberti** · September 16, 2010

@IceyBurnz: Enabling driver verifier and getting a dump the next time it occurs might be a good thing to try at this point, although in XP it's not as easy to do as it is with Win7 or Vista. Some driver (hopefully not sr.sys, as even SP3 still uses the old August 2004 driver from SP2) is definitely causing this, but it's up to you how far you want to go to troubleshoot it.

Let me know how disabling SR goes.

**Iceyburnz** · September 20, 2010

@cluberti - I googled how to turn on driver verifier and selected the sr.sys driver and restarted (not sure if anything else is needed after doing so). I have caught the machine in 2 more bsod's and have uploaded the dumps

Mem3 http://www.mediafire.com/download.php?1u5u41is3roqcr8

Mem4 http://www.mediafire.com/download.php?g60332l31put0ji

Let me know if you have a chance to look at them. Thanks again for the help

**Iceyburnz** · October 1, 2010

Hey Cluberti

if you have a second, could you take a look at the newer ones posted above?

Thanks!

Sign In

Constant BSOD with 0x000000F4 0x00000003 0x82ba4108 0x82ba427c 0x805c8

Recommended Posts

Iceyburnz

Tripredacus

cluberti

Iceyburnz

Ascii2

cluberti

Iceyburnz

Iceyburnz

Please sign in to comment

Recently Browsing 0 members

Activity

Browse