XP Crash Dump - Points to CSRSS.EXE

[jimbo385]

Mini080606_29.zipHi,

Although I have been around PCs for a very long tim, this is the first time that I have a persistant problem that has stumped me. It is also the first time that I am reading dumps which is also very confusing.

Here is the problem;

My pc keeps on crashing. It seems to be random but even with my system sat at the User selection stage of bootup, it still re-boots itself. The funny thing is that when the system is active, like now, I do not appear to have a problem in that it does not re-boot. It is only when the system is idle.

I have managed to find the *.dmp file and read it with WINDBG. When I load it in, it points to Image Name csrss.exe. When I search on the net for any information, I find mentioned that this is a fundamental part of XP and therefore can not be deleted etc. Also that it has been targetted before by a Virus. I have run applications that can check with negative results.

Now I am stuck as to what else I can either use or find out from the *.dmp file.

I have attached the file just in case someone out there can read it and give me a bit more information.

Any and all help will be much appreciated.

Cheers,

Jimbo

It looks like the upload has failed due to the files extension. I have therefore ziped the minidump and hopefully it will be uploaded then.

Edited August 6, 2006 by jimbo385

[Mr Snrub]

csrss.exe (in session 0) is a critical process for Windows, so if it crashes it will cause a bugcheck, this is by design.

A quick analysis of your minidump seems to imply an error during an inpage operation - i.e. part of a process's virtual memory was paged to disk and it encountered an error when it came to read it back into physical memory:

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been terminated.
Several processes and threads are necessary for the operation of the system; when they are terminated (for any reason), the system can no longer function.
...
EXCEPTION_RECORD:  b2af29d8 -- (.exr ffffffffb2af29d8)
ExceptionAddress: 7c936bd1
   ExceptionCode: c0000006 (In-page I/O error)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000000
   Parameter[1]: 7c99a3d8
   Parameter[2]: c0000185
Inpage operation failed at 7c99a3d8, due to I/O error c0000185

EXCEPTION_CODE: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.

CUSTOMER_CRASH_COUNT:  29

DEFAULT_BUCKET_ID:  COMMON_SYSTEM_FAULT

ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".

IO_ERROR: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.
...
STACK_TEXT:  
b2af2520 8062c359 000000f4 00000003 86923020 nt!KeBugCheckEx+0x1b
b2af2544 805f9f46 805f9f88 86923020 86923194 nt!PspCatchCriticalBreak+0x75
b2af2574 804de7ec 86923268 c0000006 b2af29b0 nt!NtTerminateProcess+0x7d
b2af2574 804ddae1 86923268 c0000006 b2af29b0 nt!KiFastCallEntry+0xf8
b2af25f4 8051d696 ffffffff c0000006 b2af29f8 nt!ZwTerminateProcess+0x11
b2af29b0 805064c2 b2af29d8 00000000 b2af2d64 nt!KiDispatchException+0x3a0
b2af2d34 804e206b 0069f22c 0069f24c 00000000 nt!KiRaiseException+0x175
b2af2d50 804de7ec 0069f22c 0069f24c 00000000 nt!NtRaiseException+0x31
b2af2d50 7c936bd1 0069f22c 0069f24c 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0069f528 00000000 00000000 00000000 00000000 0x7c936bd1

Anything changed on the system before the problem appeared?

Driver updates, heatsinks or fans worked on, new software or hardware installed?

Could be heat related, or a problem with RAM, hard disk or a cable not seated correctly.

Does the problem occur in safe mode, if you leave it at the user selection screen?

I would test uninstalling AVG completely to see if the problem still occurs - put it straight back on if the crashes still occur.

I would also check where these drivers come from - look at the dates:

kd> lmvm DLPortIO
start	end		module name
b1ac5000 b1acb000   DLPortIO T (no symbols)		   
	Loaded symbol image file: DLPortIO.SYS
	Image path: DLPortIO.SYS
	Image name: DLPortIO.SYS
	Timestamp:		Fri Sep 27 15:10:46 1996 (324BD256)
	CheckSum:		 00001DD3
	ImageSize:		00006000
	Translations:	 0000.04b0 0000.04e0 0409.04b0 0409.04e0

kd> lmvm mapmem
start	end		module name
f7ace000 f7ace8a0   MAPMEM   T (no symbols)		   
	Loaded symbol image file: MAPMEM.sys
	Image path: MAPMEM.sys
	Image name: MAPMEM.sys
	Timestamp:		Fri May 08 23:25:04 1998 (35537830)
	CheckSum:		 0000786D
	ImageSize:		000008A0
	Translations:	 0000.04b0 0000.04e0 0409.04b0 0409.04e0

In particular, searching the Internet on "dlportio.sys" gives some worrying hits...

If you take AVG off and the problem persists, I would recommend installing an alternative AV package such as Avast! to get a second opinion on the health of the system.

I would also run RootkitRevealer from sysinternals.com to check for hidden nasties, just in case.

[jimbo385]

Hi Mr Snurb,

All this from a dump! I knew it would be useful.

OK here is the lowdown on some of your questions.

All of my troubles started when one day the pc would not boot up. The error I was geting related to a hard disk failure on my C:drive. This is a 120gb MAxtor SATA drive. It took a while to sort out because my system could not read the drive. But I bought an ICy Box SATA disk enclosure that had a USB interface and managed to run CHKDSK from my laptop. Loads of errors were encountered and the disk was readable. I plugged it back into my desktop and everything cam back.

Then I started to get other errors on other disks. I bought an IDE Samsung 250 drive and managed to move a lot of data onto this from another drive that appeard to be giving some problems. All seemed fine until I started to get these repeated errors.

With regards to some of the drivers, the DLportIO driver is required for my hobby and is used to dump the contents of my Radio Controlled transmitter onto my PC for storage purposes. The other one, I am not sure of.

I will take your suggestions on board and see if they work. I will report back with the results.

Question, Is there a way of finding out where the page file is located? I understand that you can move it to a different location. I will try this as well to see if this makes a difference.

Cheers.

[byabba]

you can find out where the page file is, by going to "sytsem properties, advanced, on the "performance, visual effect, processor scheduling etc. press the settings tab, then the advanced tab, down at the bottom you'll see "virtual memory" there is a "change" button there, this will allow you see where the page file is, at present, and move it if you want to.

[HyperHacker]

Try running it without those drivers. If these problems still occurr, you might have a bad disk controller.

[cluberti]

All of the above suggestions are very good, but I would instead suggest that we do NOT change anything, except configuring the machine for a complete memory dump rather than a minidump. There is so much information missing from a minidump as to make troubleshooting with one of these nigh impossible. Mr. Snrub is correct, when csrss.exe (or any critical system process) crashes, it causes a bugcheck by design. Also, these things DO NOT crash on their own, and csrss.exe is going to be the victim here, not the cause.

I would strongly suggest following the instructions below, reboot, then provide us the full memory.dmp file (I can give you FTP if you need it) to review when it happens again. We should be able to look at that and see which driver caused the error.

1. Right-Click on the "My Computer" icon on the desktop and select "Properties"; this will open the "System Properties" window. Go to the "Advanced" tab and click "Performance Options". Click "Change" under "Virtual Memory". Set the pagefile to be located on the partition where the OS is installed, and set it to be equal to Physical RAM + 50 MB.

2. Also in the "System Properties" window, click on the "Advanced" tab, then click "Startup and Recovery". Make sure "Complete Memory Dump" is selected (see 2a if this is not in the list). You can change the location of the memory dump file to a different local partition if you do not have enough room on the partition where the OS is installed.

2a. If the "Complete Memory Dump" option in step 2 is not available, you will need to manually set this registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

Value: CrashDumpEnabled

Type: REG_DWORD

Value: 1

3. You will need to reboot for these changes to take effect.

[jimbo385]

Hi Cluberti,

Sounds like a plan to me!

I will make the changes and get the full dump. Do I just reverse the settings to switch it off? I don't want to create a full dump every time.

By the way, ftp detail will be a good idea. saves me trying to include it here.

Cheers.

Jimbo

[cluberti]

That is correct - once you've got a full dump, go ahead and set it back if you'd like. Since your box shouldn't be crashing regularly, and a complete dump is a much better troubleshooting option than a kernel or minidump in almost all scenarios, I'd suggest leaving it as-is, but that is of course up to you.

[jimbo385]

Hi Cluberti,

I have sent you a mail requesting transportation details for you to receive the file. it is about 1gb!

Jimbo

[cluberti]

Replied to your email with ftp instructions. You might want to zip that .dmp file up before uploading .

[jimbo385]

Hi Cluberti,

FTp has now completed.

Regards,

Jimbo

[cluberti]

The issue appears to be in one of three modules, although I suspect that it is going to be caused by sptd.sys or prosync1.sys, since I do know that Daemon Tools (where sptd.sys comes from) has issues when installed on a machine with StarForce (where prosync1.sys comes from, it's some software protection driver, likely installed with a game you have installed for copy protection), so it could be that prosync1.sys causes sptd.sys to terminate, causing csrss.exe to terminate, or the problem is indeed inside sptd.sys. I also see AVG 7 making a pool allocation in the stack right before the issue occurs, so it may be attempting to scan one of these two drivers as well, causing the issue, although it's not as likely as it being a problem with having Daemon tools and StarForce on the same machine - just something to consider.

I'd say uninstall your antivirus as a test, and if that does not stop the CSRSS bugchecks, upgrade Daemon tools to the latest version or remove either the StarForce drivers or the Daemon Tools software. I can't help you too much more, as I don't have source access for any of those binaries . Here's the debug notes, for reference:

*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 8689e610, Terminating object
Arg3: 8689e784, Process image file name
Arg4: 805f9f88, Explanatory message (ascii)

Debugging Details:
------------------


PROCESS_OBJECT: 8689e610

IMAGE_NAME:  csrss.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  41107c1f

MODULE_NAME: csrss

FAULTING_MODULE: 4a680000 csrss

PROCESS_NAME:  csrss.exe

EXCEPTION_RECORD:  f6ddd9d8 -- (.exr 0xfffffffff6ddd9d8)
.exr 0xfffffffff6ddd9d8
ExceptionAddress: 75b76aad (winsrv!wsprintfW)
   ExceptionCode: c0000006 (In-page I/O error)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000000
   Parameter[1]: 75b76aad
   Parameter[2]: c0000185
Inpage operation failed at 75b76aad, due to I/O error c0000185

EXCEPTION_CODE: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.

DEFAULT_BUCKET_ID:  DRIVER_FAULT

ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".

IO_ERROR: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.

EXCEPTION_STR:  0xc0000006_c0000185

FAULTING_IP: 
winsrv!wsprintfW+0
75b76aad ??			  ???

BUGCHECK_STR:  0xF4_IOERR_C0000185

STACK_TEXT:  
f6ddd520 8062c359 000000f4 00000003 8689e610 nt!KeBugCheckEx+0x1b
f6ddd544 805f9f46 805f9f88 8689e610 8689e784 nt!PspCatchCriticalBreak+0x75
f6ddd574 804de7ec 8689e858 c0000006 f6ddd9b0 nt!NtTerminateProcess+0x7d
f6ddd574 804ddae1 8689e858 c0000006 f6ddd9b0 nt!KiFastCallEntry+0xf8
f6ddd5f4 8051d696 ffffffff c0000006 f6ddd9f8 nt!ZwTerminateProcess+0x11
f6ddd9b0 805064c2 f6ddd9d8 00000000 f6dddd64 nt!KiDispatchException+0x3a0
f6dddd34 804e206b 0052f240 0052f260 00000000 nt!KiRaiseException+0x175
f6dddd50 804de7ec 0052f240 0052f260 00000000 nt!NtRaiseException+0x31
f6dddd50 75b76aad 0052f240 0052f260 00000000 nt!KiFastCallEntry+0xf8
0052f528 75b7a641 00170c28 75b7aeb0 75b6bf9c winsrv!wsprintfW
0052fe9c 75b7b006 0016a0b8 0000000c 00000001 winsrv!GetHardErrorText+0x733
0052febc 75b7b1d3 00000000 0052feec 00000000 winsrv!UserHardErrorEx+0xe9
0052fed0 75b447a0 00000000 0052feec 00000005 winsrv!UserHardError+0x12
0052fff4 00000000 00000080 00000000 00000000 CSRSRV!CsrApiRequestThread+0x18a
---------

Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Mon Aug 21 13:22:38.203 2006 (GMT-4)
System Uptime: 0 days 0:31:14.769


!THREAD 868efda8  Cid 04b0.04d0  Teb: 7ffdb000 Win32Thread: e18e3eb0 RUNNING on processor 0
Not impersonating
DeviceMap				 e1004420
Owning Process			8689e610	   Image:		 csrss.exe
Wait Start TickCount	  119985		 Ticks: 0
Context Switch Count	  1625				 LargeStack
UserTime				  00:00:00.0171
KernelTime				00:00:00.0078
Win32 Start Address 0x00009321
LPC Server thread working on message Id 9321
Start Address CSRSRV!CsrApiRequestThread (0x75b44616)
Stack Init f6dde000 Current f6ddd6ac Base f6dde000 Limit f6ddb000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child			  
f6ddd520 8062c359 000000f4 00000003 8689e610 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo]) (CONV: stdcall)
f6ddd544 805f9f46 805f9f88 8689e610 8689e784 nt!PspCatchCriticalBreak+0x75 (FPO: [Non-Fpo]) (CONV: stdcall)
f6ddd574 804de7ec 8689e858 c0000006 f6ddd9b0 nt!NtTerminateProcess+0x7d (FPO: [Non-Fpo]) (CONV: stdcall)
f6ddd574 804ddae1 8689e858 c0000006 f6ddd9b0 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6ddd584)
f6ddd5f4 8051d696 ffffffff c0000006 f6ddd9f8 nt!ZwTerminateProcess+0x11 (FPO: [2,0,0])
f6ddd9b0 805064c2 f6ddd9d8 00000000 f6dddd64 nt!KiDispatchException+0x3a0 (FPO: [Non-Fpo]) (CONV: stdcall)
f6dddd34 804e206b 0052f240 0052f260 00000000 nt!KiRaiseException+0x175 (FPO: [Non-Fpo]) (CONV: stdcall)
f6dddd50 804de7ec 0052f240 0052f260 00000000 nt!NtRaiseException+0x31
f6dddd50 75b76aad 0052f240 0052f260 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6dddd64)
0052f528 75b7a641 00170c28 75b7aeb0 75b6bf9c winsrv!wsprintfW
0052fe9c 75b7b006 0016a0b8 0000000c 00000001 winsrv!GetHardErrorText+0x733 (FPO: [Non-Fpo]) (CONV: stdcall)
0052febc 75b7b1d3 00000000 0052feec 00000000 winsrv!UserHardErrorEx+0xe9 (FPO: [Non-Fpo]) (CONV: stdcall)
0052fed0 75b447a0 00000000 0052feec 00000005 winsrv!UserHardError+0x12 (FPO: [Non-Fpo]) (CONV: stdcall)
0052fff4 00000000 00000080 00000000 00000000 CSRSRV!CsrApiRequestThread+0x18a (FPO: [Non-Fpo]) (CONV: stdcall)


!THREAD 8650c558  Cid 0700.0b08  Teb: 7ff7e000 Win32Thread: 00000000 WAIT: (WrLpcReply) UserMode Non-Alertable
	8650c74c  Semaphore Limit 0x1
Waiting for reply to LPC MessageId 00003e76:
Current LPC port e351f378
Not impersonating
DeviceMap				 e1004420
Owning Process			866bf020	   Image:		 svchost.exe
Wait Start TickCount	  33371		  Ticks: 86614 (0:00:22:33.343)
Context Switch Count	  2			 
UserTime				  00:00:00.0000
KernelTime				00:00:00.0000
Win32 Start Address SSDPAPI!GetNotificationLoop (0x74f02555)
Start Address kernel32!BaseThreadStartThunk (0x7c810659)
Stack Init b1210000 Current b120fc50 Base b1210000 Limit b120d000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr  Args to Child			  
b120fc68 804dc0f7 8650c5c8 8650c558 804dc143 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b120fc74 804dc143 8650c74c 8650c720 8650c558 nt!KiSwapThread+0x46 (FPO: [0,0,0]) (CONV: fastcall)
b120fc9c 8057719a 00000001 00000011 00000001 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo]) (CONV: stdcall)
b120fd50 804de7ec 00001308 0281d010 0281d010 nt!NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo]) (CONV: stdcall)
b120fd50 7c90eb94 00001308 0281d010 0281d010 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b120fd64)
0208fb10 7c90e3ed 77e7c968 00001308 0281d010 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0208fb14 77e7c968 00001308 0281d010 0281d010 ntdll!ZwRequestWaitReplyPort+0xc (FPO: [3,0,0])
0208fb60 77e7a716 0281d048 0208fb80 77e7a747 RPCRT4!LRPC_CCALL::SendReceive+0x228 (FPO: [Non-Fpo]) (CONV: thiscall)
0208fb6c 77e7a747 0208fb9c 74f01830 0208ff78 RPCRT4!I_RpcSendReceive+0x24 (FPO: [Non-Fpo]) (CONV: stdcall)
0208fb80 77ef3675 0208fbc8 0281d05c 00000000 RPCRT4!NdrSendReceive+0x2b (FPO: [Non-Fpo]) (CONV: stdcall)
0208ff5c 74f0500d 74f01830 74f015fc 0208ff78 RPCRT4!NdrClientCall2+0x222 (FPO: [Non-Fpo]) (CONV: cdecl)
0208ff70 74f02586 02823d98 0208ff98 00000000 SSDPAPI!GetNotificationRpc+0x1b (FPO: [Non-Fpo]) (CONV: stdcall)
0208ffb4 7c80b683 02823d98 00000000 00000000 SSDPAPI!GetNotificationLoop+0x31 (FPO: [Non-Fpo]) (CONV: stdcall)
0208ffec 00000000 74f02555 02823d98 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo]) (CONV: stdcall)


!THREAD 865ed020  Cid 0224.0b00  Teb: 7ffda000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
	b0b23a54  NotificationEvent
IRP List:
	8636f008: (0006,0268) Flags: 00000901  Mdl: 8677a6c0
Not impersonating
DeviceMap				 e1004420
Owning Process			863cb8d8	   Image:		 dfrgntfs.exe
Wait Start TickCount	  119731		 Ticks: 254 (0:00:00:03.968)
Context Switch Count	  758			 
UserTime				  00:00:00.0031
KernelTime				00:00:00.0203
Win32 Start Address DfrgNtfs!DefragThread (0x01016b44)
Start Address kernel32!BaseThreadStartThunk (0x7c810659)
Stack Init b0b24000 Current b0b2399c Base b0b24000 Limit b0b21000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr  Args to Child			  
b0b239b4 804dc0f7 865ed090 865ed020 804dc143 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b0b239c0 804dc143 8636f008 8668b7a8 8668b7a8 nt!KiSwapThread+0x46 (FPO: [0,0,0]) (CONV: fastcall)
b0b239e8 f7223ea8 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23a08 f7233fa0 8668b7a8 8636f24c 8636f008 Ntfs!NtfsWaitSync+0x1c (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23a1c f722fd61 8668b7a8 8636f008 86d78100 Ntfs!NtfsVolumeDasdIo+0x5c (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23af8 f7225fbf 8668b7a8 8636f008 00000001 Ntfs!NtfsCommonRead+0x23d (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23b98 f74118a8 86d78020 8636f008 864ace00 Ntfs!NtfsFsdRead+0x22d (FPO: [Non-Fpo]) (CONV: stdcall)
[b]b0b23bc8 804e37f7 86f8a8e0 86d78020 8636f008 sptd+0x148a8[/b]
b0b23c7c 8056a101 8636f24c 8636f008 864ace00 nt!IopfCallDriver+0x31 (FPO: [0,0,0]) (CONV: fastcall)
b0b23be4 804e37f7 86d79ba8 8636f008 86ec23b8 nt!IopSynchronousServiceTail+0x60 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23c08 f72f1b2f 86ab6428 8636f008 00000000 nt!IopfCallDriver+0x31 (FPO: [0,0,0]) (CONV: fastcall)
b0b23c1c f72f1ffb b0b23c34 f7a569f0 86f19270 fltmgr!FltpPassThrough+0xf9 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23c4c 804e37f7 86ab6830 8636f008 8636f008 fltmgr!FltpDispatch+0xf3 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23c5c f7a5645c 865ed230 86a33358 8636f008 nt!IopfCallDriver+0x31 (FPO: [0,0,0]) (CONV: fastcall)
[b]b0b23c90 805714ba 86a3edf0 8636f008 864ace00 avg7rsw!AvgWrapAllocatePoolWithTag+0x6e[/b]
b0b23d38 804de7ec 00000144 00000000 00000000 nt!NtReadFile+0x580 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23d38 7c90eb94 00000144 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b0b23d64)
00cbf0c8 7c90e288 7c801999 00000144 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
00cbf0cc 7c801999 00000144 00000000 00000000 ntdll!NtReadFile+0xc (FPO: [9,0,0])
00cbf134 0100551b 00000144 0018ac00 00001000 kernel32!ReadFile+0x10d (FPO: [Non-Fpo]) (CONV: stdcall)
00cbf32c 01014f28 00000144 00000043 00000000 DfrgNtfs!DasdReadClusters+0x141 (FPO: [Non-Fpo]) (CONV: stdcall)
00cbf3a8 0101615e 0018ac00 00195d78 00190d68 DfrgNtfs!GetFrs+0x2e8 (FPO: [Non-Fpo]) (CONV: stdcall)
00cbf568 01016c1e 00000000 00000000 774ec8c4 DfrgNtfs!ScanNtfs+0x4f0 (FPO: [Non-Fpo]) (CONV: stdcall)
00cbffb4 7c80b683 00000000 00000000 774ec8c4 DfrgNtfs!DefragThread+0xda (FPO: [Non-Fpo]) (CONV: stdcall)
00cbffec 00000000 01016b44 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo]) (CONV: stdcall)


Irp is active with 2 stacks 3 is current (= 0x863ad8c8)
 Mdl=8677a6c0: No System Buffer: Thread 00000000:  Irp is completed.  Pending has been returned
	 cmd  flg cl Device   File	 Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000	

			Args: 00000000 00000000 00000000 00000000
 [  f, 0]   0  0 86f16a38 00000000 f79f8761-865fb648	
[b] \Driver\viasraid	prosync1[/b]
			Args: 00000000 00000000 00000000 00000000

Notification Event: 00000000 

 [  f, 0] = IRP_MJ_INTERNAL_DEVICE_CONTROL, IRP_MN_??? 

File Object: 00000000 


lmvm avg7rsw
start	end		module name
f7a56000 f7a570c0   avg7rsw	(deferred)			 
	Image path: \SystemRoot\System32\Drivers\avg7rsw.sys
	Image name: avg7rsw.sys
	Timestamp:		Sun Sep 18 20:09:31 2005 (432E01BB)
	CheckSum:		 00003D42
	ImageSize:		000010C0
	Translations:	 0000.04b0 0000.04e0 0409.04b0 0409.04e0


lmvm sptd
start	end		module name
f73fd000 f74cd000   sptd	   (deferred)			 
	Image path: sptd.sys
	Image name: sptd.sys
	Timestamp:		Sat Dec 03 08:59:59 2005 (4391A4DF)
	CheckSum:		 0009EF44
	ImageSize:		000D0000
	Translations:	 0000.04b0 0000.04e0 0409.04b0 0409.04e0


lmvm prosync1
start	end		module name
f79f8000 f79f9b20   prosync1   (deferred)			 
	Image path: prosync1.sys
	Image name: prosync1.sys
	Timestamp:		Sat Sep 06 08:22:06 2003 (3F59D16E)
	CheckSum:		 00009139
	ImageSize:		00001B20
	File version:	 1.5.0.0
	Product version:  3.3.0.0
	File flags:	   0 (Mask 3F)
	File OS:		  40000 NT Base
	File type:		3.0 Driver
	File date:		00000000.00000000
	Translations:	 0409.04b0
	CompanyName:	  Protection Technology
	ProductName:	  StarForce Protection System
	InternalName:	 prosync1
	OriginalFilename: prosync1.sys
	ProductVersion:   3.3
	FileVersion:	  1.5
	FileDescription:  StarForce Protection Synchronization Driver
	LegalCopyright:   © Protection Technology, 2000-2003
	Comments:		 Visit us at www.star-force.com

Edited December 6, 2007 by cluberti

[jimbo385]

Hi Cluberti,

Sorry about the delay.

Many thanks for your report. It was quite interesting and I have tried a few things to find the culprit.

I have uninstalled AVG and Daemontools. However, my system still crashes. I can not find how to un-install the Starforce drivers (prosync1.sys). I have searched for "*Start*.*" and "prosync1.sys" with no luck.

I have FTP'd a new memory dump to your location in the hope that this may reveal the true offender.

Meanwhile as a trial, I have not re-installed AVG. I have installed AVAST instead. Thr dydtrm id dtill crashing.

If anyone has any suggestions...

Cheers.

Jimbo

[jimbo385]

Hi Cluberti & Others,

Just to let you know, I started to experiment a bit. I removed all drives but my Windows hard disk & just 1 DVD/RW drive and booted up. I still got crashes. However, I started to get drivers like PNP680R.SYS & NTFS.sys coming up. I think, even when I re-connected. This was about 4 days ago. I had actually given up and started to sort out other domestic problems drains, decorating, garden etc.

Last night I came in to see that the system had not crashed and it was sitting on my wife's profile and her screen saver running. I checked with her and she last used the pc in the morning. I thought weird , so I logged on with my profile and left it running all night. No crash

I can not explain it but it looks like I am back in business with no crashes

If I do get any more, I will post on the forum but for now, Many thanks indeed for all your help.