Code:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1A, {41790, fffffa80017a7bf0, ffff, 0}
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+36024 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000041790, The subtype of the bugcheck.
Arg2: fffffa80017a7bf0
Arg3: 000000000000ffff
Arg4: 0000000000000000
Debugging Details:
------------------
BUGCHECK_STR: 0x1a_41790
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: WerFault.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80002301fd0 to fffff80002294640
STACK_TEXT:
fffff880`09df4828 fffff800`02301fd0 : 00000000`0000001a 00000000`00041790 fffffa80`017a7bf0 00000000`0000ffff : nt!KeBugCheckEx
fffff880`09df4830 fffff800`022c7fd9 : 00000000`00000000 00000000`77aeefff fffffa80`00000000 fffff880`00000000 : nt! ?? ::FNODOBFM::`string'+0x36024
fffff880`09df49f0 fffff800`025ab731 : fffffa80`064efb80 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiRemoveMappedView+0xd9
fffff880`09df4b10 fffff800`025abb33 : 0000007f`00000000 00000000`779d0000 fffffa80`00000001 fffffa80`05936010 : nt!MiUnmapViewOfSection+0x1b1
fffff880`09df4bd0 fffff800`022938d3 : 00000000`00000000 00000000`77a74481 fffffa80`06b9ea00 00000000`77a71610 : nt!NtUnmapViewOfSection+0x5f
fffff880`09df4c20 00000000`77c415ba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`000be378 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77c415ba
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+36024
fffff800`02301fd0 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+36024
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7951a
FAILURE_BUCKET_ID: X64_0x1a_41790_nt!_??_::FNODOBFM::_string_+36024
BUCKET_ID: X64_0x1a_41790_nt!_??_::FNODOBFM::_string_+36024
Followup: MachineOwner
---------
How to Enable or Disable Werfault.exe
The Werfault.exe process is a part of Windows Error Reporting in Windows Vista. This feature allows Microsoft to monitor and solve problems in the Vista operating system, features and applications, and enables users to send error data and receive updates and solutions. The werfault.exe program allows the developers to find and address errors to improve the quality of the product in the long run.
You can opt to turn the feature on or off here depending on your preference. If you want to use the feature, you can customize it according to your requirements. If you do not want certain executable files or programs to send error reports, you may also create a block list. Let us now have a look at the steps that you can follow to customize Error Reporting on Windows Vista.
- Go to Windows Error Reporting, open Control Panel.
- Click System and Maintenance, and then click Problem Reports and Solutions.
- Click Change Settings located in the left panel of the Problem Reports and Solutions window.
- Select an option to configure how you want Windows to look for a solution to your problems. You may allow Windows to do it automatically or ask you every time to check if problem occurs.
- Next, click the Advanced settings link.
- Select On or Off to configure whether you want to use Error Reporting or not.
- Click Change settings and choose the appropriate option to configure how you want problem reporting to be set for all users and programs.
- If you choose to use Error Reporting, then click the second Change setting button to configure how error reporting is set for all users. Here, you can choose from the following consent levels:
- Ask each time a problem occurs – Windows Error Reporting will ask for permission before sending an error report
- Automatically check for solutions – Minimal data is sent to find a possible fix. After consent is given, more data may be sent if requested by Microsoft.
- Automatically check for solutions and send additional information if needed – Minimal data along with data that the application developer has indicated as a requirement is sent. This sent data does not contain any personally identifiable information. After consent is given, more data may be supplied if requested by Microsoft.
- Send all data - All data is sent, no prompt required. This setting is configurable only in Group Policy.
- If you do not want certain executable files or programs to send error reports, you may create a block list. To do this, click Add in the Block list section.
- Browse through your programs and add them to the list.
- Click OK to save your settings.
Code:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80003213617, The address that the exception occurred at
Arg3: fffff880009a9298, Exception Record Address
Arg4: fffff880009a8af0, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!ExAllocatePoolWithTag+537
fffff800`03213617 48895808 mov qword ptr [rax+8],rbx
EXCEPTION_RECORD: fffff880009a9298 -- (.exr 0xfffff880009a9298)
ExceptionAddress: fffff80003213617 (nt!ExAllocatePoolWithTag+0x0000000000000537)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
CONTEXT: fffff880009a8af0 -- (.cxr 0xfffff880009a8af0)
rax=00018db600000000 rbx=fffffa8003964790 rcx=fffff80000269110
rdx=0000000000000050 rsi=0000000000000006 rdi=0000000000000101
rip=fffff80003213617 rsp=fffff880009a94d0 rbp=0000000000001000
r8=0000000000000001 r9=fffffa8003964790 r10=fffffa8003964508
r11=0000000000000004 r12=fffffa8003964500 r13=0000000000000000
r14=fffffa80039d2040 r15=0000000054446d4d
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!ExAllocatePoolWithTag+0x537:
fffff800`03213617 48895808 mov qword ptr [rax+8],rbx ds:002b:00018db6`00000008=????????????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800033190e8
ffffffffffffffff
FOLLOWUP_IP:
nt!ExAllocatePoolWithTag+537
fffff800`03213617 48895808 mov qword ptr [rax+8],rbx
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from fffff800034ca761 to fffff80003213617
STACK_TEXT:
fffff880`009a94d0 fffff800`034ca761 : 00000000`00000004 00000000`0000004e fffffa80`04a49f30 fffffa80`00000000 : nt!ExAllocatePoolWithTag+0x537
fffff880`009a95c0 fffff800`034ccead : fffff880`009a9738 00000000`00000000 fffffa80`04997800 00000000`00000000 : nt!MmLoadSystemImage+0x791
fffff880`009a96e0 fffff800`03613336 : fffffa80`04997860 fffffa80`04997860 fffffa80`04997830 fffff8a0`0000001c : nt!IopLoadDriver+0x44d
fffff880`009a99b0 fffff800`036144f2 : fffff800`00000000 fffff8a0`0049b590 ffffffff`80000040 fffff8a0`001f26e0 : nt!IopInitializeSystemDrivers+0x1d6
fffff880`009a9a40 fffff800`0361754a : 00000000`00000000 00000000`00000010 ffffffff`8000002c fffff800`008126d0 : nt!IoInitSystem+0x9b2
fffff880`009a9b40 fffff800`03567d99 : 5f890208`4f830473 fffffa80`039d2040 00000000`00000080 fffffa80`03973890 : nt!Phase1InitializationDiscard+0x129a
fffff880`009a9d10 fffff800`03385cce : 245c8814`7450245c 00000000`00000080 ef5f0f15`ff000000 fffff800`030d9fd9 : nt!Phase1Initialization+0x9
fffff880`009a9d40 fffff800`030d9fe6 : fffff800`0325ae80 fffffa80`039d2040 fffff800`03268cc0 0ff30000`00a02484 : nt!PspSystemThreadStartup+0x5a
fffff880`009a9d80 00000000`00000000 : fffff880`009aa000 fffff880`009a4000 fffff880`009a7c20 00000000`00000000 : nt!KxStartSystemThread+0x16
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!ExAllocatePoolWithTag+537
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7951a
STACK_COMMAND: .cxr 0xfffff880009a8af0 ; kb
FAILURE_BUCKET_ID: X64_0x7E_nt!ExAllocatePoolWithTag+537
BUCKET_ID: X64_0x7E_nt!ExAllocatePoolWithTag+537
Followup: MachineOwner
---------
If you recently added hardware to the computer, remove it to see if the error recurs. If existing hardware has failed, remove or replace the faulty component. Run hardware diagnostics that the system manufacturer supplies to determine which hardware component failed.
The memory scanner is especially important. Faulty or mismatched memory can cause this bug check. For more information about these procedures, see the owner's manual for your computer. Check that all adapter cards in the computer are properly seated. Use an ink eraser or an electrical contact treatment, available at electronics supply stores, to ensure adapter card contacts are clean.
If the error appears on a newly installed system, check the availability of updates for the BIOS, the SCSI controller, or network cards. These kind of updates are typically available on the Web site or BBS of the hardware manufacturer.
Confirm that all hard disk drives, hard disk controllers, and SCSI adapters are listed in the Microsoft Windows Marketplace Tested Products List.
If the error occurred after the installation of a new or updated device driver, you should remove or replace the driver. If, under this circumstance, the error occurs during the startup sequence and the system partition is formatted with NTFS, you might be able to use Safe Mode to rename or delete the faulty driver. If the driver is used as part of the system startup process in Safe Mode, you have to start the computer by using the Recovery Console in order to access the file.
Also restart your computer, and then press F8 at the character-based menu that displays the operating system choices. At the Advanced Options menu, select the Last Known Good Configuration option. This option is most effective when you add only one driver or service at a time.
Overclocking (setting the CPU to run at speeds above the rated specification) can cause this error. If you have overclocked the computer that is experiencing the error, return the CPU to the default clock speed setting.
Check the System Log in Event Viewer for additional error messages that might help identify the device or driver that is causing the error. You can also disable memory caching of the BIOS to try to resolve the problem.
If you encountered this error while upgrading to a new version of the Windows operating system, the error might be caused by a device driver, a system service, a virus scanner, or a backup tool that is incompatible with the new version. If possible, remove all third-party device drivers and system services and disable any virus scanners before you upgrade. Contact the software manufacturer to obtain updates of these tools. Also make sure that you have installed the latest Windows Service Pack.
Finally, if all the above steps do not resolve the error, take the system motherboard to a repair facility for diagnostic testing. A crack, a scratched trace, or a defective component on the motherboard can also cause this error.
Code:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff68000000080, Virtual address for the attempted write.
Arg2: 0110000071a88025, PTE contents.
Arg3: fffff880061a07b0, (reserved)
Arg4: 000000000000000b, (reserved)
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xBE
PROCESS_NAME: AppleMobileDev
CURRENT_IRQL: 0
TRAP_FRAME: fffff880061a0aa0 -- (.trap 0xfffff880061a0aa0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000c0400000c04 rbx=0000000000000000 rcx=0000000000010020
rdx=fffffa8006d3a000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800030940ad rsp=fffff880061a0c38 rbp=fffff880061a1ca0
r8=0000000000001904 r9=00000000000000c8 r10=0000000000006001
r11=0000000000010000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!memcpy+0xbd:
fffff800`030940ad 488941e0 mov qword ptr [rcx-20h],rax ds:0003:00000000`00010000=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80003048e82 to fffff8000309d640
STACK_TEXT:
fffff880`061a0648 fffff800`03048e82 : 00000000`000000be fffff680`00000080 01100000`71a88025 fffff880`061a07b0 : nt!KeBugCheckEx
fffff880`061a0650 fffff800`0309b76e : 00000000`00000001 fffff680`00000080 fffffa80`0154f900 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x45d6e
fffff880`061a07b0 fffff800`030aaf34 : 00000000`00000000 00000000`00000000 ffffffff`ffffffff 00000000`ffffffde : nt!KiPageFault+0x16e
fffff880`061a0940 fffff800`0309b76e : 00000000`00000001 00000000`00010000 fffffa80`0667fb00 00000000`00010000 : nt!MmAccessFault+0x914
fffff880`061a0aa0 fffff800`030940ad : fffff800`0334cef1 fffffa80`06d4a000 fffffa80`06d4bb30 00000000`00d60000 : nt!KiPageFault+0x16e
fffff880`061a0c38 fffff800`0334cef1 : fffffa80`06d4a000 fffffa80`06d4bb30 00000000`00d60000 fffff800`0334c95d : nt!memcpy+0xbd
fffff880`061a0c40 fffff800`0334a95b : fffffa80`06685b30 ffffffff`ffffff01 fffffa80`06d4bb30 00000000`00000000 : nt!PspCopyAndFixupParameters+0xa1
fffff880`061a0cd0 fffff800`03347bd8 : fffffa80`06685b30 fffffa80`06d4bb30 fffff880`061a0f40 fffff880`061a16f0 : nt!PspSetupUserProcessAddressSpace+0x13b
fffff880`061a0db0 fffff800`03348944 : 00000000`00000000 00000000`01243380 fffff880`061a16f0 fffffa80`06d4ac04 : nt!PspAllocateProcess+0x7e8
fffff880`061a1080 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateUserProcess+0x4a3
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+45d6e
fffff800`03048e82 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+45d6e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7951a
FAILURE_BUCKET_ID: X64_0xBE_nt!_??_::FNODOBFM::_string_+45d6e
BUCKET_ID: X64_0xBE_nt!_??_::FNODOBFM::_string_+45d6e
Followup: MachineOwner
---------
What ever this "Apple Mobile Dev Team" program is that what is causing your blue screen if it happens again uninstall it.