Jump to content

Baffling KRNL386.EXE error with WinImage


Prozactive

Recommended Posts

I have WinImage 8.1 installed on my system and periodically use it to update and create various boot disk images. Recently I suddenly started getting a consistent page fault error in KRNL386.EXE upon attempting to load WinImage. This baffled me because I had made no OS changes since the last time I successfully loaded and used WinImage a few months earlier. The only system changes were routine updates of my antivirus and anti-malware definitions. I performed numerous hardware diagnostics and have confirmed that my memory and HDD are error-free and working properly. I also decided to try disabling KernelEx extensions for WinImage system files without any effect (not surprising, as WinImage worked perfectly previously with the default KernelEx settings enabled). The last thing I tried was reinstalling then uninstalling WinImage but I found I still got the exact same page fault error during those operations. Web searches draw a complete blank.. there doesn't seem to be any information about WinImage and KRNL386.EXE errors.

I'd appreciate any thoughts and advice on this puzzling problem. I should note that I do have the updated KRNL386.EXE v.4.10.2000 installed by 98krnlup.exe (Unofficial Krnl386.exe stack corruption fix) from MDGx.

As reference, here is the error that I get: (the Registers: and Stack dump: data change but the specific memory address and Bytes at CS:EIP: are exactly the same every time)

WINIMAGE caused an invalid page fault in

module KRNL386.EXE at 0002:00005c83.

Registers:

EAX=12af0000 CS=015f EIP=00005c83 EFLGS=00000202

EBX=00000004 SS=3317 ESP=00007f66 EBP=00007f6a

ECX=00000000 DS=016f ESI=000047ff FS=0000

EDX=00000000 ES=475f EDI=00000000 GS=0000

Bytes at CS:EIP:

26 88 05 f7 d9 03 cf 58 5f c9 c3 55 8b ec 57 33

Stack dump:

00000000 59627f78 017f47ff 00000000 7f940000 0002516f 47770000 475f0000 47c70000 12af0000 017f14de 7fec47ff 01af0028 00000002 00004777 0000475f

Link to comment
Share on other sites


From the lack of responses, I'm obviously not the only one baffled by this mysterious problem.

I wanted to report that after a lot of effort and work, I finally was able to successfully resolve this error. Hopefully this will help anyone who happens to encounter a similar error in the future.

I did extensive Googling on the specific page fault error I referenced in my original post, and while I did not find any association with WinImage, I did find numerous instances where a wide range of other programs and applications caused an identical page fault error in KRNL386.EXE at 0002:00005c83, with the exact same Bytes at CS:EIP. Unfortunately the vast majority of these were just reports of the problem without any specific solution. I did, however, come upon two cases where the error was successfully resolved - one had to do with some specific registry value and the other involved the location of an .ini file.

WinImage did not have any associated .ini file, but I did install and start using RegCompact to compact my system registry (in the period between the last successful use of WinImage and the first occurrence of the page fault error) after reading the excellent thorough discussion of that utility by CharlotteTheHarlot. I happen to maintain an extensive weekly archive of system registry .cab backups, so I restored a registry backup made just before my first use of RegCompact and lo and behold, WinImage loaded successfully again!

My first thought, naturally, was that RegCompact somehow caused some subtle error(s) in my system registry, but I decided to do some more extensive detailed testing. It turned out that RegCompact was not the cause of this error, as subsequent compacted registries with RegCompact also allowed successful loading of WinImage. I finally was able to isolate the error to a specific time period (between registry backups), but I did not make any OS system changes then and all of the registries test 100% error-free. So, I'm still at a loss as to the specific cause of this error.

I could do more specific "before and after" testing of the registries using a file compare utility and I probably eventually will. One other thing I did note was that now the year in Date/Time Properties has reverted back to its former 4-digit format (i.e., "2013" vs. "13"). The year format had changed to just 2 digits sometime recently and I had no idea how/why it happened nor how to change it back, as Googling it drew a complete blank. I don't know if it's related to the KRNL386 page fault error or not.

Edited by Prozactive
Link to comment
Share on other sites

Just to complete this discussion, I've done more extensive analysis and troubleshooting on this problem and I've definitively determined its root cause. I was mistaken... it wasn't caused by the registry but rather WIN.INI. Somehow WIN.INI had been significantly modified at some point in the past, removing the vast majority of its configuration lines and settings. This directly led to the invalid page fault error in KRNL386.EXE and most likely the 2-digit year format in Date/Time Properties. Restoring WIN.INI to its former state immediately resolves the page fault error. It's still a mystery how WIN.INI got modified, as I certainly did not do so. I suspect some utility program may have modified it but I have no idea how or why.

Hopefully this information will benefit anyone who happens to encounter this error in the future. It's certainly been educational for me.

Edited by Prozactive
Link to comment
Share on other sites

Hopefully this information will benefit anyone who happens to encounter this error in the future. It's certainly been educational for me.

And also shows the value of keeping a library of known-good backups, preferably from incept time...

Congratulations for the successful troubleshooting! :thumbup

Link to comment
Share on other sites

Hopefully this information will benefit anyone who happens to encounter this error in the future. It's certainly been educational for me.

Maybe you could share the "working" WIN.INI, that would probably be most helpful if anyone finds the same issue, which - I presume - might present itself with other programs, besides Winimage.

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

Just to complete this discussion, I've done more extensive analysis and troubleshooting on this problem and I've definitively determined its root cause. I was mistaken... it wasn't caused by the registry but rather WIN.INI. Somehow WIN.INI had been significantly modified at some point in the past, removing the vast majority of its configuration lines and settings. This directly led to the invalid page fault error in KRNL386.EXE and most likely the 2-digit year format in Date/Time Properties. Restoring WIN.INI to its former state immediately resolves the page fault error. It's still a mystery how WIN.INI got modified, as I certainly did not do so. I suspect some utility program may have modified it but I have no idea how or why.

Hopefully this information will benefit anyone who happens to encounter this error in the future. It's certainly been educational for me.

The other day I had 75% completed a reply to you, but got called away.

Anyway, I also have this version of WinImage and IIRC, it has a tendency to always re-register in WIN.INI which then propagates to the registry.

WIN.INI ...

[Extensions]
bwz=C:\YourPath\WinImage.exe ^.bwz
dsk=C:\YourPath\WinImage.exe ^.dsk
ima=C:\YourPath\WinImage.exe ^.ima
img=C:\YourPath\WinImage.exe ^.img
imz=C:\YourPath\WinImage.exe ^.imz
vfd=C:\YourPath\Winimage.exe ^.vfd
wil=C:\YourPath\WinImage.exe ^.wil
wlz=C:\YourPath\WinImage.exe ^.wlz

Registry ...

[HKEY_LOCAL_MACHINE\Software\Classes\.bwz]
[HKEY_LOCAL_MACHINE\Software\Classes\.dsk]
[HKEY_LOCAL_MACHINE\Software\Classes\.ima]
[HKEY_LOCAL_MACHINE\Software\Classes\.img]
[HKEY_LOCAL_MACHINE\Software\Classes\.imz]
[HKEY_LOCAL_MACHINE\Software\Classes\.vfd]
[HKEY_LOCAL_MACHINE\Software\Classes\.wil]
[HKEY_LOCAL_MACHINE\Software\Classes\.wlz]

[HKEY_LOCAL_MACHINE\Software\Classes\BWZfile]
[HKEY_LOCAL_MACHINE\Software\Classes\DSKfile]
[HKEY_LOCAL_MACHINE\Software\Classes\IMAfile]
[HKEY_LOCAL_MACHINE\Software\Classes\IMGfile]
[HKEY_LOCAL_MACHINE\Software\Classes\IMZfile]
[HKEY_LOCAL_MACHINE\Software\Classes\VFDfile]
[HKEY_LOCAL_MACHINE\Software\Classes\WILfile]
[HKEY_LOCAL_MACHINE\Software\Classes\WLZfile]

IIRC the extensions you see in WIN.INI get assimilated because the Win9x kernel at bootstrap splats them into the registry automatically from the Win95 era feature for forward compatibility of programs that only know INI files, creating these registry keys whenever entries appear in [Extensions]. WinImage isn't the only one, sometimes you see entries in WIN.INI for the OLE features of Office9x and other programs also, which then find their way into the registry also.

I was going to suggest that either a large registry hive might be getting to the "tipping point" and gets pushed slightly over after WinImage and Win9x does their thing causing an error, or, perhaps WIN.INI might be reaching the 64 KB limit and cannot be written successfully. Other possibilities are that WIN.INI might be Read Only or System or some other blocking mechanism like an AV or Anti-Malware might be protecting it or those registry keys.

I cannot remember if I located the magic switch in WinImage to tell it to stop the self-register function. It is a pain because as you see it takes over those associations starting in WIN.INI so there is a chain reaction of failure vectors. Of course, WinImage knows both INI and Registry so it is desirable to "tame" this program. I think I used to just run a batch script periodically to clean up WIN.INI and the registry after using WinImage. I'll try to run this down later when I get some free time ( but please don't hold your breath! ).

Link to comment
Share on other sites

@dencorso:

Indeed. This is the first time an older archived registry backup has saved the day but I knew that time would come eventually. Having learned from the school of hard knocks since my first involvement with computers, I've become almost obsessive about maintaining a comprehensive archive of system backups. It's bailed me out of bad situations countless times.

@jaclaz:

I considered doing so but I examined the contents of my WIN.INI and didn't see anything that jumped out at me. I suspect the page fault error derives from some of the hex values in the [Compatibility] sections... perhaps there's some conflict between WinImage and some other program when those settings/addresses are missing. FWIW, I'll attach my WIN.INI for reference as you suggested.

@CharlotteTheHarlot:

Thank you as always for your long thorough technically detailed response. I was not aware of the issues you described but as you stated, I do have those lines associated with WinImage in the [Extensions] section of my WIN.INI. I'm not very familiar with WIN.INI and have never worked with it or examined its settings before. In fact, I'm not sure where they came from originally. As stated in my previous post, the root cause of my page fault error is specifically WIN.INI and not the registry or size-related issues. If the vast majority of the settings in WIN.INI are deleted, then the page fault error immediately occurs in WinImage.

Win.ini

Edited by Prozactive
Link to comment
Share on other sites

  • 2 weeks later...

I have had problems in the past with WIN.INI getting hosed.

In my case it usually was because of low hard drive space, but I also had a problem one time with a video driver corrupting the INI file and one time with a sound card driver corrupting the INI file.

I'm guessing you are using the win98 image in in a virtual computer and may have ran into this problem when your antivirus updated.

While not technically part of the registry in win95,98,ME, INI files are kept for compatibility with older apps, they are opened and the information in them is added to the registry. What I think happened is this, when you updated your antivirus you ran out of virtual hard drive space as windows had written a whole bunch of gobbledy-gook to the swap file, then WIN.INI was messed up when your antivirus wrote to it and had no room to save it, and after that you got the KernalEx error.

Anyway that would be my guess at what you had happen, anyway I'm sure it was something similar that messed up the WIN.INI file on your image and caused the error.

Its quite interesting that overall most KernelEx errors end up being old windows problems.

I'll bet if you do a search leave out KernelEx and make it fairly basic you will find info on the WIN.INI problem from people that are a bit better at explaining things than I am.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...