New
#1
BSOD, BCCode: d1, Please help with dump file interpretation.
Hi,
I am having trouble finding the cause of some BSOD issues that have appeared recently on one of my systems. Any help would be greatly appreciated.
System Details:
Advantech ARK-3360F
Windows 7 Professional
Processor: Intel(R) Atom(TM) CPU D510 @ 166GHz
RAM: 2.00 GB
Initial error:
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.256.48
Locale ID: 3081
Additional information about the problem:
BCCode: d1
BCP1: 00000000
BCP2: 00000002
BCP3: 00000000
BCP4: 88095E6D
OS Version: 6_1_7600
Service Pack: 0_0
Product: 256_1
Files that help describe the problem:
C:\Windows\Minidump\010515-11765-01.dmp
C:\Users\UNI OF WEST SYD\AppData\Local\Temp\WER-17937-0.sysdata.xml
Read our privacy statement online:
Windows 7 Privacy Statement - Microsoft Windows
If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt
I had a look at the dump file which gave me the following:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\DUMP FILES R4\010515-11765-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16841.x86fre.win7_gdr.110622-1503
Machine Name:
Kernel base = 0x81852000 PsLoadedModuleList = 0x8199a830
Debug session time: Mon Jan 5 19:00:11.299 2015 (UTC + 11:00)
System Uptime: 32 days 17:33:06.996
Loading Kernel Symbols
...............................................................
................................................................
.......................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {0, 2, 0, 88095e6d}
Unable to load image \SystemRoot\system32\DRIVERS\e1q6232.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for e1q6232.sys
*** ERROR: Module load completed but symbols could not be loaded for e1q6232.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferListChain+ea )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 88095e6d, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from 819ba718
Unable to read MiSystemVaType memory at 8199a180
00000000
CURRENT_IRQL: 2
FAULTING_IP:
tcpip!FlpReturnNetBufferListChain+35
88095e6d 8b08 mov ecx,dword ptr [eax]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
TRAP_FRAME: ab51e6b4 -- (.trap 0xffffffffab51e6b4)
ErrCode = 00000000
eax=00000000 ebx=84f76cc0 ecx=840d9bb8 edx=819879c0 esi=84f76d60 edi=ffffffd2
eip=88095e6d esp=ab51e728 ebp=ab51e73c iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
tcpip!FlpReturnNetBufferListChain+0x35:
88095e6d 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 88095e6d to 818987cb
STACK_TEXT:
ab51e6b4 88095e6d badb0d00 819879c0 88090ddc nt!KiTrap0E+0x2cf
ab51e73c 87ebc69a 84f7e510 00000005 00000001 tcpip!FlpReturnNetBufferListChain+0x35
ab51e76c 88090d59 00000000 00000001 84e935b8 NETIO!NetioDereferenceNetBufferListChain+0xea
ab51e7e8 88095bcf 84e935b8 84f7e510 00000001 tcpip!Fl48pReceiveArpPackets+0x134
ab51e864 88095d26 84e935b8 84f7e510 00000000 tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x760
ab51e898 818e20ca 84f7e510 b475838b 846134d8 tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x11e
ab51e900 88095dae 88095c08 ab51e928 00000000 nt!KeExpandKernelStackAndCalloutEx+0x132
ab51e93c 87e6c18d 84e93502 84f7e500 00000000 tcpip!FlReceiveNetBufferListChain+0x7c
ab51e974 87e5a670 84ec7008 84f7e510 00000000 ndis!ndisMIndicateNetBufferListsToOpen+0x188
ab51e99c 87e5a5e7 00000000 84f7e510 849280e0 ndis!ndisIndicateSortedNetBufferLists+0x4a
ab51eb18 87e05ca5 849280e0 00000000 00000000 ndis!ndisMDispatchReceiveNetBufferLists+0x129
ab51eb34 87e5aa2e 849280e0 84f7e510 00000000 ndis!ndisMTopReceiveNetBufferLists+0x2d
ab51eb5c 87e05c1e 849280e0 84f7e510 00000000 ndis!ndisMIndicateReceiveNetBufferListsInternal+0x62
ab51eb84 8b381cc8 849280e0 84f7e510 00000000 ndis!NdisMIndicateReceiveNetBufferLists+0x52
WARNING: Stack unwind information not available. Following frames may be wrong.
ab51ebb4 8b381e03 84e9d000 84f7e510 00000005 e1q6232+0x1acc8
ab51ebf0 8b3773cd 01e9d000 84e9e080 ab51eca0 e1q6232+0x1ae03
ab51ec18 8b377b1f 84e9d000 00000000 ab51eca0 e1q6232+0x103cd
ab51ec54 8b377d54 00000004 00000000 00000000 e1q6232+0x10b1f
ab51ec70 87e5a301 84e9d000 00000000 00000000 e1q6232+0x10d54
ab51ecb0 87e3b6b2 84e9119c 00e91008 00000000 ndis!ndisMiniportDpc+0xda
ab51ed10 87e22976 84e91214 00000000 843326e0 ndis!ndisQueuedMiniportDpcWorkItem+0xd0
ab51ed50 81a60a55 00000002 b475871b 00000000 ndis!ndisReceiveWorkerThread+0xeb
ab51ed90 81912239 87e2288b 00000002 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
STACK_COMMAND: kb
FOLLOWUP_IP:
NETIO!NetioDereferenceNetBufferListChain+ea
87ebc69a 5b pop ebx
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: NETIO!NetioDereferenceNetBufferListChain+ea
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbf63
FAILURE_BUCKET_ID: 0xD1_NETIO!NetioDereferenceNetBufferListChain+ea
BUCKET_ID: 0xD1_NETIO!NetioDereferenceNetBufferListChain+ea
Followup: MachineOwner
---------
The same error appeared today and I got the following back from the dump file via WinDbg:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\DUMP FILES R4\081512-14546-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16841.x86fre.win7_gdr.110622-1503
Machine Name:
Kernel base = 0x81807000 PsLoadedModuleList = 0x8194f830
Debug session time: Wed Aug 15 17:43:18.317 2012 (UTC + 11:00)
System Uptime: 0 days 0:50:55.973
Loading Kernel Symbols
...............................................................
................................................................
......................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, 2, 1, 8187570c}
Probably caused by : ntkrpamp.exe ( nt!KeRemoveQueueEx+437 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 8187570c, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 8196f718
Unable to read MiSystemVaType memory at 8194f180
00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!KeRemoveQueueEx+437
8187570c f00fba2807 lock bts dword ptr [eax],7
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: services.exe
TRAP_FRAME: 8b84cb7c -- (.trap 0xffffffff8b84cb7c)
ErrCode = 00000002
eax=00000000 ebx=00000000 ecx=3a3f8e11 edx=858ef818 esi=83a3c768 edi=83a3c828
eip=8187570c esp=8b84cbf0 ebp=8b84cc38 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KeRemoveQueueEx+0x437:
8187570c f00fba2807 lock bts dword ptr [eax],7 ds:0023:00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 8187570c to 8184d7cb
STACK_TEXT:
8b84cb7c 8187570c badb0d00 858ef818 1ec54400 nt!KiTrap0E+0x2cf
8b84cc38 81a38c7d 00000000 858f3101 00000001 nt!KeRemoveQueueEx+0x437
8b84cc90 81878e26 00000000 8b84ccc8 8b84ccf0 nt!IoRemoveIoCompletion+0x23
8b84cd24 8184a3ea 000000c8 0141fddc 0141fe88 nt!NtWaitForWorkViaWorkerFactory+0x1a1
8b84cd24 77b66344 000000c8 0141fddc 0141fe88 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0141fe88 00000000 00000000 00000000 00000000 0x77b66344
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeRemoveQueueEx+437
8187570c f00fba2807 lock bts dword ptr [eax],7
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KeRemoveQueueEx+437
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4e02a493
FAILURE_BUCKET_ID: 0xA_nt!KeRemoveQueueEx+437
BUCKET_ID: 0xA_nt!KeRemoveQueueEx+437
Followup: MachineOwner
---------
I also got the following errors from errors/warnings from the Event Logger:
Event Log:
Error:
The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
Warning:
Intel(R) 82583V Gigabit Network Connection
Network link has been disconnected.
Critical:
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Error:
The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0x00000000, 0x00000002, 0x00000000, 0x8809ce6d). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 010815-9859-01.
I am having no luck with assertaing the root cause from the dump files. Thanks in advance for even just reading all this!!
Craig.