Windows 7: BSOD-Maybe USB devices-need analysis

Bigdaddyflo · 23 Dec 2009

Hello
I have been researching this issue with not much luck. I have updated all drivers and the OS itself. Want some experts to give a look--
Thanks

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.256.48
Locale ID: 1033

Additional information about the problem:
BCCode: c5
BCP1: 0000000300000009
BCP2: 0000000000000002
BCP3: 0000000000000000
BCP4: FFFFF80002FB2000
OS Version: 6_1_7600
Service Pack: 0_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\122309-25100-01.dmp
C:\Users\Andy\AppData\Local\Temp\WER-28906-0.sysdata.xml

Attached Minidump

**Pauly** · 23 Dec 2009

That is actually a dump he posted ^^^ without the txt filext

Bugcheck 0xC5 Driver_Corrupted_Expool

Looks like a driver issue

Run system file check to verify your system files
type cmd in search, right click run as admin, type SFC /SCANOW

If you have any more dumps please post them as well, should make it easier to pinpoint your issue

You could also try driver verifier to track down the rogue driver

UnderCover00J · 23 Dec 2009

Below is analysis of your crash log. It does actually state it is a driver error, but how true this is, I don't know!

Quote:

Loading Dump File [C:\Users\Jamie\Desktop\122309-25100-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`02e0e000 PsLoadedModuleList = 0xfffff800`0304be50
Debug session time: Wed Dec 23 22:32:00.946 2009 (GMT+0)
System Uptime: 0 days 14:43:05.006
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
.....................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {300000009, 2, 0, fffff80002fb2000}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
Probably caused by : ntoskrnl.exe ( nt+1a4000 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 0000000300000009, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80002fb2000, address which referenced memory

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
*********************************************************************

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: nt

FAULTING_MODULE: fffff80002e0e000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600

BUGCHECK_STR: 0xC5_2

CURRENT_IRQL: 0

FAULTING_IP:
nt+1a4000
fffff800`02fb2000 4c395008 cmp qword ptr [rax+8],r10

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

LAST_CONTROL_TRANSFER: from fffff80002e7f469 to fffff80002e7ff00

STACK_TEXT:
fffff880`03193668 fffff800`02e7f469 : 00000000`0000000a 00000003`00000009 00000000`00000002 00000000`00000000 : nt+0x71f00
fffff880`03193670 00000000`0000000a : 00000003`00000009 00000000`00000002 00000000`00000000 fffff800`02fb2000 : nt+0x71469
fffff880`03193678 00000003`00000009 : 00000000`00000002 00000000`00000000 fffff800`02fb2000 fffffa80`00000001 : 0xa
fffff880`03193680 00000000`00000002 : 00000000`00000000 fffff800`02fb2000 fffffa80`00000001 00000000`00000000 : 0x3`00000009
fffff880`03193688 00000000`00000000 : fffff800`02fb2000 fffffa80`00000001 00000000`00000000 00000000`00000000 : 0x2

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
nt+1a4000
fffff800`02fb2000 4c395008 cmp qword ptr [rax+8],r10

SYMBOL_NAME: nt+1a4000

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

UnderCover00J · 23 Dec 2009

That's from the analysis above. Definitely a driver..

Quote:

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is
caused by drivers that have corrupted the system pool. Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 0000000300000009, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80002fb2000, address which referenced memory

usasma · 23 Dec 2009

How to do symbols (paragraph E): WinDbg Analysis Report

Solving Pool Corruption issues is made easier with Driver Verifier. Please follow these instructions:

Code:

Using Driver Verifier is an iffy proposition. Most times it'll crash and it'll tell you what the driver is. But sometimes it'll crash and won't tell you the driver. Other times it'll crash before you can log in to Windows. If you can't get to Safe Mode, then you'll have to resort to offline editing of the registry to disable Driver Verifier.

So, I'd suggest that you first backup your stuff and then make sure you've got access to another computer so you can contact us if problems arise. Then make a System Restore point (so you can restore the system using the Vista Startup Repair feature).

Then, here's the procedure:
- Go to Start and type in "verifier" (without the quotes) and press Enter
- Select "Create custom settings (for code developers)" and click "Next"
- Select "Select individual settings from a full list" and click "Next"
- Select everything EXCEPT FOR "Low Resource Simulation" and click "Next"
- Select "Select driver names from a list" and click "Next"
Then select all drivers NOT provided by Microsoft and click "Next"
- Select "Finish" on the next page.

Reboot the system and waitfor it to crash to the Blue Screen. Continue to use your system normally, and if you know what causes the crash, do that repeatedly. The objective here is to get the system to crash because Driver Verifier is stressing the drivers out.

Reboot into Windows (after the crash) and turn offDriver Verifier by going back in and selecting "Delete existing settings" on the first page, then locate and zip up the memory dump file and upload it with your next post.

If you can't get into Windows because it crashes too soon, try it in Safe Mode.
If you can't get into Safe Mode, try using System Restore from your installation DVD to set the system back to the previous restore point that you created.
If that doesn't work, post back and we'll have to see about fixing the registry entry off-line.

More info on this at this link: Using Driver Verifier to identify issues with Windows drivers for advanced users

Bigdaddyflo · 24 Dec 2009

Update:
Verified System files--Ok
Ran driver verifier and crashed --said driver vbshield.sys was the problem. Associated it to vexira antivirus I was using. Uninstalled vexira in safe made--rebooted--came up ok.
Need an antivirus program of course so I turned to AVG internet security. Installed and then rebooted--another crash. This time it listed avgidsdriver.sys as the problem. Rebooted in safe mode fine.
I have to have an antivirus program. Using AVG on a win 7 laptop with no problem. Seems to just be a problem on this desktop.

Next?

And thanks for the steps. Merry Christmas.

UnderCover00J · 24 Dec 2009

Quote: Originally Posted by Bigdaddyflo

Update:
Verified System files--Ok
Ran driver verifier and crashed --said driver vbshield.sys was the problem. Associated it to vexira antivirus I was using. Uninstalled vexira in safe made--rebooted--came up ok.
Need an antivirus program of course so I turned to AVG internet security. Installed and then rebooted--another crash. This time it listed avgidsdriver.sys as the problem. Rebooted in safe mode fine.
I have to have an antivirus program. Using AVG on a win 7 laptop with no problem. Seems to just be a problem on this desktop.

Next?

And thanks for the steps. Merry Christmas.

Try Avast.

FREE antivirus software with spyware protection: avast! Home Edition

jcgriff2 · 24 Dec 2009

Hi -

The thread title includes "Maybe USB..." - why did you mention USB?

I ask because of this non-Microsoft driver found in the dump - it may be an AMD driver -

Code:

usbfilter.sys Fri Apr 03 07:39:51 2009 (49D5F587)

Did you include it in the driver verifier runs?

Happy Holidays!

jcgriff2

.

Bigdaddyflo · 24 Dec 2009

In the beginning, anytime I did something with a usb port (plug in jump drive, access external drive, charge a ps3 controller/ps3 headset) it would reset with BSOD. I included all drivers in the verify. Problem is it did not do it EVERY time.

zigzag3143 · 24 Dec 2009

Quote: Originally Posted by Bigdaddyflo

Hello
I have been researching this issue with not much luck. I have updated all drivers and the OS itself. Want some experts to give a look--
Thanks

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.256.48
Locale ID: 1033

Additional information about the problem:
BCCode: c5
BCP1: 0000000300000009
BCP2: 0000000000000002
BCP3: 0000000000000000
BCP4: FFFFF80002FB2000
OS Version: 6_1_7600
Service Pack: 0_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\122309-25100-01.dmp
C:\Users\Andy\AppData\Local\Temp\WER-28906-0.sysdata.xml

Attached Minidump

Hi and welcome

We really could use the dmp file so we can munge the data. use these to find and upload. http://www.sevenforums.com/crash-loc...d-problem.html

Ken J_

Windows 7: BSOD-Maybe USB devices-need analysis

BSOD-Maybe USB devices-need analysis problems?