Code:
-
Loading Dump File [H:\BSODDmpFiles\Coolaidd\Windows_NT6_BSOD_jcgriff2\012612-28704-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\users\mike\documents\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`0345c000 PsLoadedModuleList = 0xfffff800`036a1670
Debug session time: Wed Jan 25 22:49:38.550 2012 (UTC - 7:00)
System Uptime: 0 days 10:05:57.393
Loading Kernel Symbols
...............................................................
................................................................
.......................................
Loading User Symbols
Loading unloaded module list
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {ffffffffc0000005, fffff800034b9f6b, 0, 7fffffa0000}
Probably caused by : ntkrnlmp.exe ( nt!RtlImageNtHeaderEx+3f )
Followup: MachineOwner
---------
4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800034b9f6b, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 000007fffffa0000, Parameter 1 of the exception
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!RtlImageNtHeaderEx+3f
fffff800`034b9f6b 66390a cmp word ptr [rdx],cx
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000007fffffa0000
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8000370b100
000007fffffa0000
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
BUGCHECK_STR: 0x1E_c0000005
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: rundll32.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff880035627b0 -- (.trap 0xfffff880035627b0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000005a4d
rdx=000007fffffa0000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800034b9f6b rsp=fffff88003562948 rbp=fffff88003562a80
r8=0000000000000000 r9=fffff88003562988 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!RtlImageNtHeaderEx+0x3f:
fffff800`034b9f6b 66390a cmp word ptr [rdx],cx ds:0001:000007ff`fffa0000=????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80003524588 to fffff800034d8c40
STACK_TEXT:
fffff880`03561f28 fffff800`03524588 : 00000000`0000001e ffffffff`c0000005 fffff800`034b9f6b 00000000`00000000 : nt!KeBugCheckEx
fffff880`03561f30 fffff800`034d82c2 : fffff880`03562708 fffffa80`092c2b30 fffff880`035627b0 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4977d
fffff880`035625d0 fffff800`034d6e3a : 00000000`00000000 000007ff`fffa0000 00000000`007e0000 fffffa80`092c2b30 : nt!KiExceptionDispatch+0xc2
fffff880`035627b0 fffff800`034b9f6b : fffff800`034ba0fa 00000000`00000010 00000000`00000082 fffff880`03562978 : nt!KiPageFault+0x23a
fffff880`03562948 fffff800`034ba0fa : 00000000`00000010 00000000`00000082 fffff880`03562978 ffffffff`80000a08 : nt!RtlImageNtHeaderEx+0x3f
fffff880`03562950 fffffa80`0626fadf : fffff880`03562a80 00000000`00000000 fffffa80`06273250 fffffa80`06276540 : nt!RtlImageNtHeader+0x1e
fffff880`03562980 fffff880`03562a80 : 00000000`00000000 fffffa80`06273250 fffffa80`06276540 00000000`00000000 : 0xfffffa80`0626fadf
fffff880`03562988 00000000`00000000 : fffffa80`06273250 fffffa80`06276540 00000000`00000000 00000000`00000000 : 0xfffff880`03562a80
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!RtlImageNtHeaderEx+3f
fffff800`034b9f6b 66390a cmp word ptr [rdx],cx
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: nt!RtlImageNtHeaderEx+3f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3
FAILURE_BUCKET_ID: X64_0x1E_c0000005_nt!RtlImageNtHeaderEx+3f
BUCKET_ID: X64_0x1E_c0000005_nt!RtlImageNtHeaderEx+3f
Followup: MachineOwner
---------
-
Loading Dump File [H:\BSODDmpFiles\Coolaidd\Windows_NT6_BSOD_jcgriff2\123011-28688-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\users\mike\documents\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`03208000 PsLoadedModuleList = 0xfffff800`0344d670
Debug session time: Fri Dec 30 17:40:29.581 2011 (UTC - 7:00)
System Uptime: 0 days 0:04:25.424
Loading Kernel Symbols
...............................................................
................................................................
.........................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {dc, 2, 1, fffff800032b5ab5}
Probably caused by : ntkrnlmp.exe ( nt!KeStackAttachProcess+115 )
Followup: MachineOwner
---------
4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000000000dc, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff800032b5ab5, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff800034b7100
00000000000000dc
CURRENT_IRQL: 2
FAULTING_IP:
nt!KeStackAttachProcess+115
fffff800`032b5ab5 f00fc186dc000000 lock xadd dword ptr [rsi+0DCh],eax
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
TRAP_FRAME: fffff88003569770 -- (.trap 0xfffff88003569770)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000008 rbx=0000000000000000 rcx=fffffa80042d80a0
rdx=fffff88003569a58 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800032b5ab5 rsp=fffff88003569900 rbp=fffff88003569a58
r8=fffffa80042d8090 r9=0000000000000130 r10=fffff880009b40c0
r11=fffffa80042d8040 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!KeStackAttachProcess+0x115:
fffff800`032b5ab5 f00fc186dc000000 lock xadd dword ptr [rsi+0DCh],eax ds:0e50:00000000`000000dc=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800032841e9 to fffff80003284c40
STACK_TEXT:
fffff880`03569628 fffff800`032841e9 : 00000000`0000000a 00000000`000000dc 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`03569630 fffff800`03282e60 : fffff880`035697b0 fffff8a0`09730e50 00000000`0000006b fffffa80`042d8040 : nt!KiBugCheckDispatch+0x69
fffff880`03569770 fffff800`032b5ab5 : 00000000`00000000 fffffa80`042d8040 fffffa80`042d8040 fffff800`03557db3 : nt!KiPageFault+0x260
fffff880`03569900 fffffa80`0626e9a0 : fffff880`03569a80 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeStackAttachProcess+0x115
fffff880`03569980 fffff880`03569a80 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffffa80`0626e9a0
fffff880`03569988 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffff880`03569a80
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeStackAttachProcess+115
fffff800`032b5ab5 f00fc186dc000000 lock xadd dword ptr [rsi+0DCh],eax
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!KeStackAttachProcess+115
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3
FAILURE_BUCKET_ID: X64_0xA_nt!KeStackAttachProcess+115
BUCKET_ID: X64_0xA_nt!KeStackAttachProcess+115
Followup: MachineOwner
---------
- Possible causes are Memory problems... Viruses... Corrupted hard disk system files... Corrupted System Files... Lack of Windows updates... Drivers...
Thanks to JMH for helping with my understanding of this crash. - Possible causes are Memory problems... Corrupted hard disk system files... Corrupted System Files... Lack of Windows updates... Antivirus Software... Hardware...
Thanks to Dave76 for help understanding possible causes.
We will start with the common problems first (see bold possible causes). Do the following steps and test after each to see if stability increases (the memory tests you can run concurrently as they will not increase stability unless you are forced to move modules around). Post back your results after each step, and if you get a blue screen crash, upload the files again and await further instructions after we are able to analyze the crash.
Since your problems are not occurring too often, it is up to you whether you want to worry about McAfee, but it is one of the more common antiviruses to cause blue screen crashes.