Code:
Kernel base = 0x8280f000 PsLoadedModuleList = 0x82957810
Debug session time: Sat Oct 9 13:52:43.894 2010 (GMT-4)
System Uptime: 0 days 0:05:44.188
Loading Kernel Symbols
...............................................................
................................................................
..................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1, {82a89654, 0, 1, 0}
Probably caused by : ntkrpamp.exe ( nt!NtOpenFile+0 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
APC_INDEX_MISMATCH (1)
This is a kernel internal error. The most common reason to see this
bugcheck is when a filesystem or a driver has a mismatched number of
calls to disable and re-enable APCs. The key data item is the
Thread->KernelApcDisable field. A negative value indicates that a driver
has disabled APC calls without re-enabling them. A positive value indicates
that the reverse is true. This check is made on exit from a system call.
Arguments:
Arg1: 82a89654, address of system function (system call)
Arg2: 00000000, Thread->ApcStateIndex << 8 | Previous ApcStateIndex
Arg3: 00000001, Thread->KernelApcDisable
Arg4: 00000000, Previous KernelApcDisable
Debugging Details:
------------------
FAULTING_IP:
nt!NtOpenFile+0
82a89654 8bff mov edi,edi
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x1
PROCESS_NAME: Steam.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 77a164f4 to 828527d3
STACK_TEXT:
a10efd34 77a164f4 badb0d00 0846ec98 00000000 nt!KiServiceExit2+0x17a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0846ef88 00000000 00000000 00000000 00000000 0x77a164f4
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!NtOpenFile+0
82a89654 8bff mov edi,edi
SYMBOL_NAME: nt!NtOpenFile+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4c1c3fac
FAILURE_BUCKET_ID: 0x1_nt!NtOpenFile+0
BUCKET_ID: 0x1_nt!NtOpenFile+0
Followup: MachineOwner
---------
Kernel base = 0x82856000 PsLoadedModuleList = 0x8299e810
Debug session time: Sat Oct 9 14:47:48.106 2010 (GMT-4)
System Uptime: 0 days 0:53:41.400
Loading Kernel Symbols
...............................................................
................................................................
.................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {c20f8abe, 2, 1, 93ab1852}
Unable to load image \SystemRoot\system32\DRIVERS\nvlddmkm.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvlddmkm.sys
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
Probably caused by : hardware ( nvlddmkm+9a852 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: c20f8abe, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 93ab1852, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 829be718
Unable to read MiSystemVaType memory at 8299e160
c20f8abe
CURRENT_IRQL: 2
FAULTING_IP:
nvlddmkm+9a852
93ab1852 010f add dword ptr [edi],ecx
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
TRAP_FRAME: 8297ca74 -- (.trap 0xffffffff8297ca74)
ErrCode = 00000002
eax=00001af3 ebx=00000000 ecx=0023c346 edx=00000000 esi=8539d000 edi=c20f8abe
eip=93ab1852 esp=8297cae8 ebp=8297cb38 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010283
nvlddmkm+0x9a852:
93ab1852 010f add dword ptr [edi],ecx ds:0023:c20f8abe=????????
Resetting default scope
MISALIGNED_IP:
nvlddmkm+9a852
93ab1852 010f add dword ptr [edi],ecx
LAST_CONTROL_TRANSFER: from 93ab1852 to 8289c82b
STACK_TEXT:
8297ca74 93ab1852 badb0d00 00000000 ffa47280 nt!KiTrap0E+0x2cf
WARNING: Stack unwind information not available. Following frames may be wrong.
8297cb38 828c004d 86891568 00000000 77d75670 nvlddmkm+0x9a852
8297cb7c 828bfff1 8297fd20 8297cca8 00000001 nt!KiProcessTimerDpcTable+0x50
8297cc68 828bfeae 8297fd20 8297cca8 00000000 nt!KiProcessExpiredTimerList+0x101
8297ccdc 828be20e 000326a2 86065d48 82989280 nt!KiTimerExpiration+0x25c
8297cd20 828be038 00000000 0000000e 00000000 nt!KiRetireDpcList+0xcb
8297cd24 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x38
STACK_COMMAND: kb
FOLLOWUP_IP:
nvlddmkm+9a852
93ab1852 010f add dword ptr [edi],ecx
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nvlddmkm+9a852
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hardware
IMAGE_NAME: hardware
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: IP_MISALIGNED_nvlddmkm.sys
BUCKET_ID: IP_MISALIGNED_nvlddmkm.sys
Followup: MachineOwner
---------
Kernel base = 0x82840000 PsLoadedModuleList = 0x82988810
Debug session time: Sat Oct 9 17:39:49.291 2010 (GMT-4)
System Uptime: 0 days 0:03:33.585
Loading Kernel Symbols
...............................................................
................................................................
.............
Loading User Symbols
Loading unloaded module list
......
3: kd> !Analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1904fb, 8db73898, 8db73470, 82ab8229}
Probably caused by : fileinfo.sys ( fileinfo!FIStreamLog+6f )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904fb
Arg2: 8db73898
Arg3: 8db73470
Arg4: 82ab8229
Debugging Details:
------------------
EXCEPTION_RECORD: 8db73898 -- (.exr 0xffffffff8db73898)
ExceptionAddress: 82ab8229 (nt!PfpRpFileKeyUpdate+0x00000199)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0055004c
Attempt to read from address 0055004c
CONTEXT: 8db73470 -- (.cxr 0xffffffff8db73470)
eax=9c07afdc ebx=00520052 ecx=9c6a2490 edx=ffffffff esi=82977730 edi=00550048
eip=82ab8229 esp=8db73960 ebp=8db73990 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!PfpRpFileKeyUpdate+0x199:
82ab8229 8b5f04 mov ebx,dword ptr [edi+4] ds:0023:0055004c=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: STRING_DEREFERENCE
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 0055004c
READ_ADDRESS: GetPointerFromAddress: unable to read from 829a8718
Unable to read MiSystemVaType memory at 82988160
0055004c
FOLLOWUP_IP:
fileinfo!FIStreamLog+6f
8b7edbc3 8b0d80c77e8b mov ecx,dword ptr [fileinfo!FIGlobals+0x5c0 (8b7ec780)]
FAULTING_IP:
nt!PfpRpFileKeyUpdate+199
82ab8229 8b5f04 mov ebx,dword ptr [edi+4]
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 828d6c0b to 82ab8229
STACK_TEXT:
8db73990 828d6c0b 00000000 9c6a2490 8db73a68 nt!PfpRpFileKeyUpdate+0x199
8db739ec 8b7edbc3 8db73a54 85c7a4b8 9c0d0fd0 nt!PfFileInfoNotify+0x4ae
8db73a78 8b7edd3d 8db73a88 9c0d0fa0 87745e07 fileinfo!FIStreamLog+0x6f
8db73a9c 82fbd5f4 9c0d0fd0 00000008 00000000 fileinfo!FIStreamCleanup+0x79
8db73ab8 82fbd7c0 9c0d0fa0 9c0d0fa0 8db73adc fltmgr!DoFreeContext+0x66
8db73ac8 82fce722 9c0d0fa0 87745e00 87745dd8 fltmgr!DoReleaseContext+0x42
8db73adc 82fdb793 87745e04 87745e00 ffffffff fltmgr!FltpDeleteContextList+0x15c
8db73afc 82fdb9b4 87745dd8 9c6a2490 00000000 fltmgr!CleanupStreamListCtrl+0x1b
8db73b10 82a5e818 87745ddc a25e1dc2 00000000 fltmgr!DeleteStreamListCtrlCallback+0x5a
8db73b50 8b8d1fb2 9c6a2490 9c6a23a0 9c6a2490 nt!FsRtlTeardownPerStreamContexts+0x13a
8db73b6c 8b8c8b3b 00000705 9c6a23c8 9c6a23a0 Ntfs!NtfsDeleteScb+0x214
8db73b84 8b83871e 8826bb18 9c6a2490 00000000 Ntfs!NtfsRemoveScb+0xc5
8db73ba0 8b8b90d2 8826bb18 9c6a23a0 00000000 Ntfs!NtfsPrepareFcbForRemoval+0x62
8db73be4 8b835bec 8826bb18 9c6a2490 9c6a2638 Ntfs!NtfsTeardownStructures+0x68
8db73c0c 8b8b555b 8826bb18 9c6a2490 9c6a2638 Ntfs!NtfsDecrementCloseCounts+0xaf
8db73c6c 8b8d44c3 8826bb18 9c6a2490 9c6a23a0 Ntfs!NtfsCommonClose+0x4f2
8db73d00 828adf3b 00000000 00000000 853ae7f0 Ntfs!NtfsFspClose+0x118
8db73d50 82a4e6d3 00000000 a25e1b02 00000000 nt!ExpWorkerThread+0x10d
8db73d90 829000f9 828ade2e 00000000 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: fileinfo!FIStreamLog+6f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: fileinfo
IMAGE_NAME: fileinfo.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc18f
STACK_COMMAND: .cxr 0xffffffff8db73470 ; kb
FAILURE_BUCKET_ID: 0x24_fileinfo!FIStreamLog+6f
BUCKET_ID: 0x24_fileinfo!FIStreamLog+6f
Followup: MachineOwner
---------
Kernel base = 0x8280c000 PsLoadedModuleList = 0x82954810
Debug session time: Sat Oct 9 17:03:59.503 2010 (GMT-4)
System Uptime: 0 days 0:00:59.782
Loading Kernel Symbols
...............................................................
................................................................
................
Loading User Symbols
Loading unloaded module list
......
0: kd> !Analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck FC, {fe81de60, 8971f863, 9fdeeba8, 2}
Probably caused by : win32k.sys ( win32k!UT_GetParentDCClipBox+15 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc)
An attempt was made to execute non-executable memory. The guilty driver
is on the stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fe81de60, Virtual address for the attempted execute.
Arg2: 8971f863, PTE contents.
Arg3: 9fdeeba8, (reserved)
Arg4: 00000002, (reserved)
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xFC
PROCESS_NAME: Safari.exe
CURRENT_IRQL: 0
TRAP_FRAME: 9fdeeba8 -- (.trap 0xffffffff9fdeeba8)
ErrCode = 00000011
eax=80000000 ebx=0b010b72 ecx=fdcc9010 edx=01e70740 esi=00000003 edi=9fdeecc8
eip=fe81de60 esp=9fdeec1c ebp=9fdeec50 iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
fe81de60 c60102 mov byte ptr [ecx],2 ds:0023:fdcc9010=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 82852638 to 82891903
STACK_TEXT:
9fdeeb90 82852638 00000008 fe81de60 00000000 nt!MmAccessFault+0x106
9fdeeb90 fe81de60 00000008 fe81de60 00000000 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
9fdeec50 9721b7f6 fe4c99a8 9fdeecd0 00000001 0xfe81de60
9fdeec74 9721b648 fe81de60 0b010b72 9fdeecd0 win32k!UT_GetParentDCClipBox+0x15
9fdeec98 9721b493 00000000 9fdeecc8 08eb8a8f win32k!xxxBeginPaint+0x11d
9fdeed24 8284f44a 000201c6 0014e918 00000000 win32k!NtUserBeginPaint+0x4f
9fdeed24 777264f4 000201c6 0014e918 00000000 nt!KiFastCallEntry+0x12a
00000000 00000000 00000000 00000000 00000000 0x777264f4
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!UT_GetParentDCClipBox+15
9721b7f6 83f801 cmp eax,1
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: win32k!UT_GetParentDCClipBox+15
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4c1c425a
FAILURE_BUCKET_ID: 0xFC_win32k!UT_GetParentDCClipBox+15
BUCKET_ID: 0xFC_win32k!UT_GetParentDCClipBox+15
Followup: MachineOwner
---------
We are back to drivers again. I find these out of date drivers. Those 2007 drivers are obsolete.