Windows XP Pro Blue Screen of Death lol

Discussion in 'Windows Desktop Systems' started by 03bigMark03, Aug 12, 2003.

  1. 03bigMark03

    03bigMark03 Guest

    Hiya all. On my Dad's office computer we have recently been getting a bsod. The computer is running Windows XP Pro and a similar configuration to my PC that is also running Windows XP Pro. Though my PC is a lot older.

    When you least expect it the computer in the office gets this error message. I couldn't screen capture it as it all locked up as BSODs do. So I took a quick photo of it with my dad's digital camera.

    I recently tried to get rid of the problem by updating the modem drivers, updating from XP SP1 to XP SP1A but all the drivers seemed to be up to date so that's really how far I could get.

    There's Norton System Works on it, we defragment regularly and do all the Norton checks and have the latest definitions, I did a full system virus scan the other day.

    I don't have the full specification of the PC yet but to get you started look at the attached image.
     
  2. j79zlr

    j79zlr Glaanies script monkey Political User

  3. m4dh0

    m4dh0 Guest

    here's the bugcheck output which seems to point to symevent.sys

    ps. change the crashdump mode to kernel memory dump then next time it happens you will get more info

    the debugger tools are available from
    http://www.microsoft.com/whdc/ddk/debugging/default.mspx


    JSIInc tip 4981 has how to read them

    Code:
    Loading Dump File [Mini080203-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*c:\windows\symbols\winxp*http://msdl.microsoft.com/download/symbols
    Executable search path is: C:\TEMP\xp_cd\I386
    Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp1.020828-1920
    Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054be30
    Debug session time: Sat Aug 02 16:36:37 2003
    System Uptime: 0 days 5:20:31.367
    Loading Kernel Symbols
    ................................................................................
    ..........................................
    Loading unloaded module list
    .........
    Loading User Symbols
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck C2, {7, c3e, b86f, ffb72be0}
    
    !analyze -v
    Bad allocation size @ffb72bd8, zero is invalid
    
    ***
    *** An error (or corruption) in the pool was detected;
    *** Pool Region unknown (0xFFFFFFFFFFB72BD8)
    ***
    *** Use !poolval ffb72000 for more details.
    ***
    
    *** WARNING: Unable to verify timestamp for SYMEVENT.SYS
    *** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
    Probably caused by : SYMEVENT.SYS ( SYMEVENT+6264 )
    
    Followup: MachineOwner
    ---------
    
    kd> *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    BAD_POOL_CALLER (c2)
    The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
    Arguments:
    Arg1: 00000007, Attempt to free pool which was already freed
    Arg2: 00000c3e, (reserved)
    Arg3: 0000b86f, Memory contents of the pool block
    Arg4: ffb72be0, Address of the block of pool being deallocated
    
    Debugging Details:
    ------------------
    
    Bad allocation size @ffb72bd8, zero is invalid
    
    ***
    *** An error (or corruption) in the pool was detected;
    *** Pool Region unknown (0xFFFFFFFFFFB72BD8)
    ***
    *** Use !poolval ffb72000 for more details.
    ***
    
    
    BUGCHECK_STR:  0xc2_7
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    LAST_CONTROL_TRANSFER:  from 8053d4a1 to 805266db
    
    STACK_TEXT:
    f9987a00 8053d4a1 000000c2 00000007 00000c3e nt!KeBugCheckEx+0x19
    f9987a48 baeed80d ffb72be0 00000000 8134c898 nt!ExFreePoolWithTag+0x237
    f9987a70 baec1b70 ff915838 f9987aa0 f9987aa5 Ntfs!NtfsDeleteFcb+0x76
    f9987ac0 baeedac7 ff915838 8134c738 e11065d8 Ntfs!NtfsTeardownFromLcb+0x1ff
    f9987b18 baebcf02 ff915838 e11066a0 00000000 Ntfs!NtfsTeardownStructures+0x127
    f9987b44 baedd8a7 ff915838 011066a0 00000000 Ntfs!NtfsDecrementCloseCounts+0x9c
    f9987bcc baedd715 ff915838 e11066a0 e11065d8 Ntfs!NtfsCommonClose+0x37a
    f9987c6c 804eca36 8134c658 ff744678 f9987cc4 Ntfs!NtfsFsdClose+0x1f3
    f9987c7c f640d264 00000000 f9987cc4 811c6108 nt!IopfCallDriver+0x31
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f9987d28 8057e49d 00b3f5f0 ffb3f5d8 00000000 SYMEVENT+0x6264
    f9987d44 804ecc07 ffb3f5f0 00000000 806c9158 nt!ObpRemoveObjectRoutine+0xdd
    f9987d68 804e6e38 8054c478 ffb3f878 806c9190 nt!ObfDereferenceObject+0x5d
    f9987d8c 804dfecb e1117370 00000000 8133cda8 nt!MiSegmentDelete+0xdb
    f9987dac 8057c73a 00000000 00000000 00000000 nt!MiDereferenceSegmentThread+0x9c
    f9987ddc 805124c1 804dfe37 00000000 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    
    
    FOLLOWUP_IP:
    SYMEVENT+6264
    f640d264 ??               ???
    
    FOLLOWUP_NAME:  MachineOwner
    
    SYMBOL_NAME:  SYMEVENT+6264
    
    MODULE_NAME:  SYMEVENT
    
    IMAGE_NAME:  SYMEVENT.SYS
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  3ec1d807
    
    STACK_COMMAND:  kb
    
    BUCKET_ID:  0xc2_7_SYMEVENT+6264
    
    Followup: MachineOwner
    
     
  4. 03bigMark03

    03bigMark03 Guest

    Thanks for debugging guys. I set it to kernel dump, it's bound to do it some time too. Here is the hardware exported from System Information, should have everything you need.

    I checked for the Blaster virus "no virus found" phew and also installed a load of XP Updates. Just going to see how well it performs for a while now.
     
  5. Corvette

    Corvette Sauske!

    Ahhh someone forgot to close a tag with ],
    The ending tag was supposed to be [/CODE]
     
  6. m4dh0

    m4dh0 Guest

    i had a little too much to drink that night ......
     
  7. 03bigMark03

    03bigMark03 Guest

    Well the updates did nothing to improve the problem, at least it's protected by the blaster worm virus. Well I had to create a cache in order to get a kernel dump on the root of c (it was on d) so gonna have to wait a lil while for it to crash.
     
  8. 03bigMark03

    03bigMark03 Guest

    Well well well. Not a crash in a while. Though it did crash a few days ago. Maybe the updates for his XP Pro system are working. I've set it all up to kernel dump so I'll bump this post when it crashes.
     
  9. Brando457

    Brando457 Guest

  10. 03bigMark03

    03bigMark03 Guest

    Hi. I went to check Dad's PC and where the folder is stored to see if there is a kernel dump. Wuhey there's one, it was 40meg so I packed it up in rar format and uploaded it to my host. It's about 11meg in rar format. See what you can do with it please.

    Kernel Dump
     
  11. m4dh0

    m4dh0 Guest

    The Stop 0xC2 error message indicates that a kernel-mode process or driver incorrectly attempted to perform a memory operation. This error message is typically caused by a faulty device driver or software.

    i know it's a pain but try to find updated versions of the drivers

    here is the debug output


    you could also try the driver verifier on the system

    Code:
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    BAD_POOL_CALLER (c2)
    The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
    Arguments:
    Arg1: 00000007, Attempt to free pool which was already freed
    Arg2: 00000c3e, (reserved)
    Arg3: 000068ce, Memory contents of the pool block
    Arg4: 811982d8, Address of the block of pool being deallocated
    
    Debugging Details:
    ------------------
    
    Bad allocation size @811982d0, zero is invalid
    
    ***
    *** An error (or corruption) in the pool was detected;
    *** Attempting to diagnose the problem.
    ***
    *** Use !poolval 81198000 for more details.
    ***
    
    Pool page [ 81198000 ] is INVALID.
    
    Analyzing linked list...
    [ 81198278 --> 81198310 (size = 0x98 bytes)]: Corrupt region
    
    
    Scanning for single bit errors...
    
    None found
    
    
    BUGCHECK_STR:  0xc2_7
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    LAST_CONTROL_TRANSFER:  from 8053428f to 804f404f
    
    STACK_TEXT:
    f69b4bc4 8053428f 000000c2 00000007 00000c3e nt!KeBugCheckEx+0x19
    f69b4c0c 80507c3e 811982d8 00000000 ffb323d8 nt!ExFreePoolWithTag+0x237
    f69b4c48 805ac3e9 01b323d8 8127a2f8 40010004 nt!MmCleanProcessAddressSpace+0x26e
    
    f69b4cf0 805ac5ac 40010004 ffa31598 804f81b5 nt!PspExitThread+0x668
    f69b4cfc 804f81b5 8127a2f8 f69b4d48 f69b4d3c nt!PsExitSpecialApc+0x20
    f69b4d4c 8052d4ba 00000001 00000000 f69b4d64 nt!KiDeliverApc+0x1ad
    f69b4d4c 7ffe0304 00000001 00000000 f69b4d64 nt!KiServiceExit+0x58
    0006ff90 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4
    
    
    FOLLOWUP_IP:
    nt!ExFreePoolWithTag+237
    8053428f 8b45f8           mov     eax,[ebp-0x8]
    
    FOLLOWUP_NAME:  MachineOwner
    
    SYMBOL_NAME:  nt!ExFreePoolWithTag+237
    
    MODULE_NAME:  nt
    
    IMAGE_NAME:  ntoskrnl.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  3e39bded
    
    STACK_COMMAND:  kb
    
    BUCKET_ID:  0xc2_7_nt!ExFreePoolWithTag+237
    
    Followup: MachineOwner
    ---------
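
An added example, not part of any post in the thread: a short Python triage helper for pasted `!analyze -v` text like the two outputs above. It lists stack frames from modules outside an assumed set of Windows components and marks frames that follow the debugger's unwind warning; the function names, the `OS_MODULES` set and the trimmed sample inputs are assumptions made for this illustration.

```python
import re

# Assumption: modules treated as Windows components for this triage pass.
OS_MODULES = {"nt", "hal", "ntfs", "shareduserdata"}
# x86 STACK_TEXT frame: ChildEBP RetAddr Arg1 Arg2 Arg3 module[!symbol][+0xoffset]
FRAME_RE = re.compile(
    r"^\s*(?:[0-9a-f]{8}\s+){5}(\w+)(?:!(\w+))?(?:\+0x([0-9a-f]+))?\s*$", re.I)
ARG_RE = re.compile(r"^\s*Arg([1-4]):\s*([0-9a-f]{8})", re.I | re.M)
UNWIND_WARNING = "Stack unwind information not available"

def parse_analysis(text):
    """Return (bugcheck args, frames) parsed from pasted `!analyze -v` text.

    Each frame is a tuple (module, symbol, offset, reliable).
    """
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    frames, reliable = [], True
    for line in text.splitlines():
        if UNWIND_WARNING in line:
            reliable = False  # the debugger is guessing from this point down
            continue
        m = FRAME_RE.match(line)
        if m:
            module, symbol, offset = m.groups()
            frames.append((module, symbol, int(offset or "0", 16), reliable))
    return args, frames

def suspect_frames(frames):
    """Frames whose module is outside the assumed OS_MODULES set."""
    return [f for f in frames if f[0].lower() not in OS_MODULES]

# Constructed sample inputs: lines trimmed from the two outputs in the thread.
DUMP_1 = """\
Arg1: 00000007, Attempt to free pool which was already freed
Arg4: ffb72be0, Address of the block of pool being deallocated
f9987a00 8053d4a1 000000c2 00000007 00000c3e nt!KeBugCheckEx+0x19
f9987a48 baeed80d ffb72be0 00000000 8134c898 nt!ExFreePoolWithTag+0x237
f9987a70 baec1b70 ff915838 f9987aa0 f9987aa5 Ntfs!NtfsDeleteFcb+0x76
f9987c7c f640d264 00000000 f9987cc4 811c6108 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
f9987d28 8057e49d 00b3f5f0 ffb3f5d8 00000000 SYMEVENT+0x6264
"""
DUMP_2 = """\
Arg1: 00000007, Attempt to free pool which was already freed
f69b4bc4 8053428f 000000c2 00000007 00000c3e nt!KeBugCheckEx+0x19
f69b4c0c 80507c3e 811982d8 00000000 ffb323d8 nt!ExFreePoolWithTag+0x237
f69b4c48 805ac3e9 01b323d8 8127a2f8 40010004 nt!MmCleanProcessAddressSpace+0x26e
"""
```

For the first sample the only frame returned by `suspect_frames` is `SYMEVENT+0x6264`, marked unreliable because it follows the unwind warning; for the second sample the list is empty, since every frame on that stack belongs to `nt`.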
    
     
  12. 03bigMark03

    03bigMark03 Guest

    Cool thanks for trying to look at the problem. I'm just wondering if there is any way as to how you can see in that error message which driver it actually is that's causing the problem. Thanks if you can help guys.
     
  13. m4dh0

    m4dh0 Guest

    unfortunately the bugcheck stops at ntoskrnl.exe, just out of interest what version of the file do you have ?
     
  14. 03bigMark03

    03bigMark03 Guest

    How do I find that out (ntoskrnl.exe)?
     
  15. m4dh0

    m4dh0 Guest

    via my computer go into the drive with windows directory, then into system32. right click on ntoskrnl.exe, goto properties then the version tab

    mine shows
    File Version: 5.1.2600.1224
    Description: NT Kernel & System
     
  16. 03bigMark03

    03bigMark03 Guest

    5.1.2600.1159
    (xpsp2.021217-1051)

    That what you need?
     
  17. m4dh0

    m4dh0 Guest

  18. 03bigMark03

    03bigMark03 Guest

    I just downloaded it. Will install it on his pc tomorrow.
     
  19. 03bigMark03

    03bigMark03 Guest

    Hey all. Installed the patch (finally) and it's at 5.1.2600.1159. We still get the crash. Also when we use the scanner we've noticed it crashing a lot then. I just wondered if it might be a problem with the twain drivers (or a newer version). His scanner is a Trust Easy Connect 19200 chained with an Epson Style Photo printer (using the printer style connections).