

Windows 7: Blue Screen - Please help analyzing


13 Apr 2010   #1

Blue Screen - Please help analyzing. Running Windows 7 64bit on brand new desktop computer, no overclocking or modifications.

WinDBG was run on XP. I installed symbols for Windows 64 and set symbol file path, but somehow WinDbg had problems finding them. I installed Windows_Win7.7600.16385.090713-1255.X64FRE.Symbols.msi

Find dump file attached.

Any ideas, e.g. could it be USB device Problems, e.g. mouse or scanner? 1TB hard disk? Graphic card driver?

Thanks!

- Fabian

----------------------------------------------------------------------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050031
Arg3: 00000000000406f8
Arg4: fffff80002a7c9df

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: nt

FAULTING_MODULE: fffff80002a05000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600

BUGCHECK_STR: 0x7f_8

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff80002a76469 to fffff80002a76f00

STACK_TEXT:
fffff880`009efc68 fffff800`02a76469 : 00000000`0000007f 00000000`00000008 00000000`80050031 00000000`000406f8 : nt+0x71f00
fffff880`009efc70 00000000`0000007f : 00000000`00000008 00000000`80050031 00000000`000406f8 fffff800`02a7c9df : nt+0x71469
fffff880`009efc78 00000000`00000008 : 00000000`80050031 00000000`000406f8 fffff800`02a7c9df 00000000`00000000 : 0x7f
fffff880`009efc80 00000000`80050031 : 00000000`000406f8 fffff800`02a7c9df 00000000`00000000 00000000`00000000 : 0x8
fffff880`009efc88 00000000`000406f8 : fffff800`02a7c9df 00000000`00000000 00000000`00000000 00000000`00000000 : 0x80050031
fffff880`009efc90 fffff800`02a7c9df : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x406f8
fffff880`009efc98 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt+0x779df


STACK_COMMAND: kb

FOLLOWUP_IP:
nt+71f00
fffff800`02a76f00 48894c2408 mov qword ptr [rsp+8],rcx

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt+71f00

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------



13 Apr 2010   #2
Microsoft MVP

 
 

Please fill out your system specs completely.
Please upload the information in this post: SF Diagnostic Tool

The memory dump doesn't provide much in the way of information. With the information that I requested above, we'll be able to figure out the next steps to take.

Summary of the BSOD:
Code:
  
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Debug session time: Tue Apr 13 11:09:08.340 2010 (GMT-4)
System Uptime: 0 days 0:17:30.010
BugCheck 7F, {8, 80050031, 406f8, fffff80002a7c9df}
Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )
BUGCHECK_STR:  0x7f_8
PROCESS_NAME:  System

25 Apr 2010   #3

Providing requested information

I had some problems attaching the files ("Upload of file failed."), so here's an external link:
- Requested eventlogs, msinfo32, driverlist, minidumps (small file)
RapidShare: 1-CLICK Web hosting - Easy Filehosting

- Bigger memory.dmp with hopefully more info (big file)
RapidShare: 1-CLICK Web hosting - Easy Filehosting

I compiled the information manually (sorry, I was reluctant to install programs from an unknown source), so please inform me if something is missing or in the wrong format.

It would be great if you could find something! I ran a basic memory test with Windows Memory Diagnostic, which found no error.

Many thanks in advance.

- Fabian

25 Apr 2010   #4


Going from the probably caused line, I see memory corruption and your network drivers. Download a copy of Memtest86 and burn the ISO to a CD using Iso Recorder. Boot from the CD, and run at least 5 passes.

Also, update your network card drivers in Device Manager, or uninstall them and install a fresh copy.

Code:
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Jonathan\AppData\Local\Temp\Temp1_dumpinfo.zip\dumpinfo\dumps\042010-19671-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02a57000 PsLoadedModuleList = 0xfffff800`02c94e50
Debug session time: Tue Apr 20 09:15:35.384 2010 (GMT-4)
System Uptime: 0 days 5:06:12.054
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 80050031, 406f8, fffff80002acd0df}

*** WARNING: Unable to verify timestamp for win32k.sys
*** ERROR: Module load completed but symbols could not be loaded for win32k.sys
Probably caused by : memory_corruption

Followup: memory_corruption
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050031
Arg3: 00000000000406f8
Arg4: fffff80002acd0df

Debugging Details:
------------------


BUGCHECK_STR:  0x7f_8

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

PROCESS_NAME:  System

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff80002ac6b69 to fffff80002ac7600

STACK_TEXT:  
fffff880`009efc68 fffff800`02ac6b69 : 00000000`0000007f 00000000`00000008 00000000`80050031 00000000`000406f8 : nt!KeBugCheckEx
fffff880`009efc70 fffff800`02ac5032 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`009efdb0 fffff800`02acd0df : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb2
fffff880`02f16000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!SepAccessCheck+0x1cf


STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    fffff80002acd805 - nt!SwapContext_PatchXSave+2
    [ 01:21 ]
    fffff80002acd8e8 - nt!SwapContext_PatchXRstor+2 (+0xe3)
    [ 09:29 ]
    fffff80002acdaa5 - nt!EnlightenedSwapContext_PatchXSave+2 (+0x1bd)
    [ 01:21 ]
    fffff80002acdb8a - nt!EnlightenedSwapContext_PatchXRstor+2 (+0xe5)
    [ 09:29 ]
4 errors : !nt (fffff80002acd805-fffff80002acdb8a)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  ONE_BIT_LARGE

FAILURE_BUCKET_ID:  X64_MEMORY_CORRUPTION_ONE_BIT_LARGE

BUCKET_ID:  X64_MEMORY_CORRUPTION_ONE_BIT_LARGE

Followup: memory_corruption
---------

24 May 2010   #5

New Dumps

Hi, I ran Memtest86 overnight with 23 passes, and no error.

I also installed new network drivers (manufacturer's instead of Windows default), but the machine keeps crashing.

I uploaded two recent crashes here:
RapidShare: 1-CLICK Web hosting - Easy Filehosting
RapidShare: 1-CLICK Web hosting - Easy Filehosting

Maybe you can find a pattern, of which component is causing the blue screen?

I thought that two dumps should be enough for a start, but I can provide more.

Best regards and thanks

- Fabian

24 May 2010   #6

I'll look through them, give me a minute. In the future, could you please upload the dmps to SF instead of RapidShare?

http://www.sevenforums.com/tutorials...en-forums.html

Also, please configure your system to create a minidump. Let us know if you need help.

Attachment 74660

24 May 2010   #7

It looks as if ZoneAlarm is causing the issue. Funny, it didn't appear in all the dmps.

Remove ZA and then run this removal tool: http://download.zonealarm.com/bin/fr...cpes_clean.exe

Replace it with Microsoft Security Essentials.

Code:
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Jonathan\AppData\Local\Temp\Temp1_MEMORY.12.05.2010.zip\MEMORY.12.05.2010.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02a15000 PsLoadedModuleList = 0xfffff800`02c52e50
Debug session time: Wed May 12 10:10:35.078 2010 (GMT-4)
System Uptime: 0 days 2:42:24.748
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols

Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 80050031, 406f8, fffff80002a8ac91}

*** ERROR: Module load completed but symbols could not be loaded for vsdatant.sys
*** ERROR: Module load completed but symbols could not be loaded for Rt64win7.sys
Probably caused by : NETIO.SYS ( NETIO!CompareSecurityContexts+6a )

Followup: MachineOwner
---------
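
Post #5 asks whether the dumps show a pattern. As an added example (not part of any post in this thread, and not a Seven Forums or Microsoft tool), the Python below parses the summary lines quoted in posts #1, #2, #4 and #7 and tallies what stays constant across the three crashes and what changes. The function and field names are hypothetical.

```python
import re
from collections import Counter

# Summary lines copied from the debugger output posted in this thread
# (13 Apr: posts #1 and #2, 20 Apr: post #4, 12 May: post #7).
DUMPS = {
    "13 Apr": """\
FAULTING_MODULE: fffff80002a05000 nt
BugCheck 7F, {8, 80050031, 406f8, fffff80002a7c9df}
Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )
""",
    "20 Apr": """\
Kernel base = 0xfffff800`02a57000 PsLoadedModuleList = 0xfffff800`02c94e50
BugCheck 7F, {8, 80050031, 406f8, fffff80002acd0df}
*** ERROR: Module load completed but symbols could not be loaded for win32k.sys
Probably caused by : memory_corruption
""",
    "12 May": """\
Kernel base = 0xfffff800`02a15000 PsLoadedModuleList = 0xfffff800`02c52e50
BugCheck 7F, {8, 80050031, 406f8, fffff80002a8ac91}
*** ERROR: Module load completed but symbols could not be loaded for vsdatant.sys
*** ERROR: Module load completed but symbols could not be loaded for Rt64win7.sys
Probably caused by : NETIO.SYS ( NETIO!CompareSecurityContexts+6a )
""",
}

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
CAUSE = re.compile(r"^Probably caused by : (\S+)", re.M)
NOSYM = re.compile(r"symbols could not be loaded for (\S+)")
BASE = re.compile(r"^(?:Kernel base = 0x|FAULTING_MODULE: )([0-9a-f`]+)", re.M)

def parse_dump(text):
    """Extract the triage fields from one WinDbg summary."""
    code, args = BUGCHECK.search(text).groups()
    args = [int(a, 16) for a in args.split(",")]
    base = int(BASE.search(text).group(1).replace("`", ""), 16)
    return {
        "bugcheck": (int(code, 16), *args[:3]),
        # Arg4 as an offset from the nt image base (post #1 shows it as nt+0x779df)
        "arg4_offset": args[3] - base,
        "cause": CAUSE.search(text).group(1),
        "no_symbols": NOSYM.findall(text),
    }

def find_pattern(dumps):
    """Tally which fields repeat across dumps and which differ."""
    parsed = [parse_dump(t) for t in dumps.values()]
    return {
        "bugchecks": Counter(p["bugcheck"] for p in parsed),
        "causes": Counter(p["cause"] for p in parsed),
        "no_symbols": sorted({m for p in parsed for m in p["no_symbols"]}),
    }

if __name__ == "__main__":
    print(find_pattern(DUMPS))
```

On these three dumps the bugcheck code and its first three arguments are identical, while the "Probably caused by" line names something different each time. The recurring signal is the double fault itself, and the modules reported without symbols are the ones left to check individually.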