Translating memory adresses in windbg output

[algol]

Hi everybody. I've got blue screens pointing to ntfs.sys, many other drivers and ntoskrnl.exe on a pc wich I suspect has memory problems, originating either from the memory controller or the memory itself. I've already tested the only memory stick on the failing pc and another correctly working pc during several ours finding no errors. I'd like to know how to translate memory adresses like "fffff880`03164420" to physical adresses so I can test them more througly. I'd really apreciate any help. Here is the windbg analysis of one of the dups, wich I attached to the post:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\backup\backup2\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: srv*c:\mss*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`02601000 PsLoadedModuleList = 0xfffff800`02846e90
Debug session time: Tue Jul 8 09:13:21.144 2014 (GMT-3)
System Uptime: 0 days 0:47:25.252
Loading Kernel Symbols
...............................................................
................................................................
.......
Loading User Symbols

Loading unloaded module list
..........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1904fb, fffff880031641e8, fffff88003163a40, fffff8000269573a}

Probably caused by : Ntfs.sys ( Ntfs!NtfsCheckpointVolume+35e )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff880031641e8
Arg3: fffff88003163a40
Arg4: fffff8000269573a

Debugging Details:
------------------


OVERLAPPED_MODULE: Address regions for 'nvlddmkm' and 'nvlddmkm.sys' overlap

EXCEPTION_RECORD: fffff880031641e8 -- (.exr 0xfffff880031641e8)
ExceptionAddress: fffff8000269573a (nt!CcUnpinFileDataEx+0x00000000000000ea)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

CONTEXT: fffff88003163a40 -- (.cxr 0xfffff88003163a40)
rax=0000000000000000 rbx=00000000ffffffff rcx=0000000000000000
rdx=fffffa8002619901 rsi=0000000065084601 rdi=fffffa80036adc80
rip=fffff8000269573a rsp=fffff88003164420 rbp=fffff8000281e600
r8=0000000000000001 r9=0000000000000000 r10=0000000000000000
r11=00000001b10bd975 r12=0000000000000000 r13=fffffa8002619910
r14=00000000000002fd r15=fffffa8002619920
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
nt!CcUnpinFileDataEx+0xea:
fffff800`0269573a 488b4808 mov rcx,qword ptr [rax+8] ds:002b:00000000`00000008=????????????????
Resetting default scope

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria en 0x%08lx. La memoria no se pudo %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria en 0x%08lx. La memoria no se pudo %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000008

READ_ADDRESS: 0000000000000008

FOLLOWUP_IP:
Ntfs!NtfsCheckpointVolume+35e
fffff880`012cce7e 4c8b9c24e0000000 mov r11,qword ptr [rsp+0E0h]

FAULTING_IP:
nt!CcUnpinFileDataEx+ea
fffff800`0269573a 488b4808 mov rcx,qword ptr [rax+8]

BUGCHECK_STR: 0x24

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from fffff80002642fb5 to fffff8000269573a

STACK_TEXT:
fffff880`03164420 fffff800`02642fb5 : fffffa80`02601980 fffff800`0281e600 fffff800`00001000 00000000`00000000 : nt!CcUnpinFileDataEx+0xea
fffff880`031644a0 fffff880`012cce7e : fffff8a0`00136870 fffff880`01223428 fffff880`03164ab0 fffff880`03164658 : nt!CcGetDirtyPages+0x1d9
fffff880`03164590 fffff880`012d08db : fffff880`03164ab0 fffffa80`02724180 fffff880`03164a00 fffff880`01223000 : Ntfs!NtfsCheckpointVolume+0x35e
fffff880`03164990 fffff880`012cf27b : fffff880`03164ab0 fffffa80`02724180 fffffa80`02724188 fffff880`01216020 : Ntfs!NtfsCheckpointAllVolumesWorker+0x4b
fffff880`031649e0 fffff880`012d1398 : fffff880`03164ab0 00000000`00000000 fffff880`012d0890 fffff880`03164cb8 : Ntfs!NtfsForEachVcb+0x167
fffff880`03164a80 fffff800`0268ba21 : fffff880`0418a500 fffff800`0281e600 fffffa80`015ce000 00000000`00000003 : Ntfs!NtfsCheckpointAllVolumes+0xb8
fffff880`03164cb0 fffff800`0291ecce : 00000000`00000000 fffffa80`015ce040 00000000`00000080 fffffa80`015ab040 : nt!ExpWorkerThread+0x111
fffff880`03164d40 fffff800`02672fe6 : fffff880`02f63180 fffffa80`015ce040 fffff880`02f6dfc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`03164d80 00000000`00000000 : fffff880`03165000 fffff880`0315f000 fffff880`031649e0 00000000`00000000 : nt!KxStartSystemThread+0x16


SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: Ntfs!NtfsCheckpointVolume+35e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4ce792f9

STACK_COMMAND: .cxr 0xfffff88003163a40 ; kb

FAILURE_BUCKET_ID: X64_0x24_Ntfs!NtfsCheckpointVolume+35e

BUCKET_ID: X64_0x24_Ntfs!NtfsCheckpointVolume+35e

Followup: MachineOwner
---------

 

[HarriePateman]

Well i would Recommend testing your RAM sticks before you go too deep into anything, that way we can rule out the obvious straight away.

Il message Boozad to have a look as he has much superior knowledge!

 

[algol]

Well i would Recommend testing your RAM sticks before you go too deep into anything, that way we can rule out the obvious straight away.

Il message Boozad to have a look as he has much superior knowledge!

Thanks for your reply. I've already tested the only memory stick on the failing pc and another correctly working pc during several ours finding no errors. I'd like to know how to translate memory adresses like "fffff880`03164420" to physical adresses so I can test them more througly. Thanks

 

[Boozad]

Please fill in your system specs by following the top link in my signature.

We need more information to analyze your logs. Follow Blue Screen of Death (BSOD) Posting Instructions, let the tool run until it has completely finished and then upload the new logs.

In the meantime, your nVidia Storage driver is causing issues.

fffff880`03163128  fffff880`00c32546Unable to load image \SystemRoot\system32\drivers\nvstor.sys, Win32 error 0n2
[B][COLOR=Red]*** WARNING: Unable to verify timestamp for nvstor.sys
*** ERROR: Module load completed but symbols could not be loaded for nvstor.sys[/COLOR][/B]
 nvstor+0x8546

It is old and needs updating. Search for updates here.

2: kd> lmvm nvstor
start             end                 module name
fffff880`00c2a000 fffff880`00c55000   nvstor   T (no symbols)           
    Loaded symbol image file: nvstor.sys
    Image path: \SystemRoot\system32\drivers\nvstor.sys
    Image name: nvstor.sys
    Timestamp:       [B][COLOR=Red] Fri Mar 19 20:45:11 2010[/COLOR][/B] (4BA3E257)
    CheckSum:         0002FE37
    ImageSize:        0002B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Your nVidia video driver has also been flagged.

fffff880`03164838  fffff880`04a0b0ffUnable to load image \SystemRoot\system32\DRIVERS\nvlddmkm.sys, Win32 error 0n2
[B][COLOR=Red]*** WARNING: Unable to verify timestamp for nvlddmkm.sys
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys[/COLOR][/B]
 nvlddmkm+0x17f0ff

It is very old and needs updating. Search for updates on the site linked above.

2: kd> lmvm nvlddmkm
start             end                 module name
fffff880`0488c000 fffff880`05392980   nvlddmkm T (no symbols)           
    Loaded symbol image file: nvlddmkm.sys
    Image path: \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    Image name: nvlddmkm.sys
    Timestamp:        [B][COLOR=Red]Fri May 01 07:58:45 2009[/COLOR][/B] (49FA9DA5)
    CheckSum:         00B182FA
    ImageSize:        00B06980
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

:ar: Run SeaTools to check the integrity of your HDD. http://www.sevenforums.com/tutorials/313457-seatools-dos-windows-how-use.html

:ar: Run chkdsk. http://www.sevenforums.com/tutorials/433-disk-check.html

 

[HarriePateman]

Would this be any help?

Accessing Memory by Physical Address (Windows Debuggers)

 

[algol]

Thanks Bosaad. Sadly, I'v wiped the disk containing the windows install where the blue screens took place. It was a fresh installed windows 32bits starter with only the drivers provided in the asus webpage installed, nothing more. The BSOD took place while deleting a large folder. The disk is a Western Digital and I tested it using Data Lifeguard Tools provided in WD webpage using short and long test. The smart values are also ok. I also used Chkdsk, and no errors showed up. Thank you

 

[algol]

Hi Boozad! I've added the information given by the two diagnostics programs as you asked. Sorry to bother you, but I'd really apreciate if you could tell me wich commands in windbg you used to get this info:
fffff880`03163128 fffff880`00c32546Unable to load image \SystemRoot\system32\drivers\nvstor.sys, Win32 error 0n2 *** WARNING: Unable to verify timestamp for nvstor.sys *** ERROR: Module load completed but symbols could not be loaded for nvstor.sys nvstor+0x8546
Thank you very much!

Please fill in your system specs by following the top link in my signature.

We need more information to analyze your logs. Follow Blue Screen of Death (BSOD) Posting Instructions, let the tool run until it has completely finished and then upload the new logs.

In the meantime, your nVidia Storage driver is causing issues.

fffff880`03163128  fffff880`00c32546Unable to load image \SystemRoot\system32\drivers\nvstor.sys, Win32 error 0n2
[B][COLOR=Red]*** WARNING: Unable to verify timestamp for nvstor.sys
*** ERROR: Module load completed but symbols could not be loaded for nvstor.sys[/COLOR][/B]
 nvstor+0x8546

It is old and needs updating. Search for updates here.

2: kd> lmvm nvstor
start             end                 module name
fffff880`00c2a000 fffff880`00c55000   nvstor   T (no symbols)           
    Loaded symbol image file: nvstor.sys
    Image path: \SystemRoot\system32\drivers\nvstor.sys
    Image name: nvstor.sys
    Timestamp:       [B][COLOR=Red] Fri Mar 19 20:45:11 2010[/COLOR][/B] (4BA3E257)
    CheckSum:         0002FE37
    ImageSize:        0002B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Your nVidia video driver has also been flagged.

fffff880`03164838  fffff880`04a0b0ffUnable to load image \SystemRoot\system32\DRIVERS\nvlddmkm.sys, Win32 error 0n2
[B][COLOR=Red]*** WARNING: Unable to verify timestamp for nvlddmkm.sys
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys[/COLOR][/B]
 nvlddmkm+0x17f0ff

It is very old and needs updating. Search for updates on the site linked above.

2: kd> lmvm nvlddmkm
start             end                 module name
fffff880`0488c000 fffff880`05392980   nvlddmkm T (no symbols)           
    Loaded symbol image file: nvlddmkm.sys
    Image path: \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    Image name: nvlddmkm.sys
    Timestamp:        [B][COLOR=Red]Fri May 01 07:58:45 2009[/COLOR][/B] (49FA9DA5)
    CheckSum:         00B182FA
    ImageSize:        00B06980
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

:ar: Run SeaTools to check the integrity of your HDD. http://www.sevenforums.com/tutorials/313457-seatools-dos-windows-how-use.html

:ar: Run chkdsk. http://www.sevenforums.com/tutorials/433-disk-check.html

 

[Boozad]

Have a read of this.

 

[algol]

Have a read of this.

Sorry, I forgot to add the output files of the diagnostic programs in the last post, I added them now. I read the link you gave me and a lot of other pages about windbg commands and usage, but till now I'm unable to pinpoint nvstor.sys and nvlddmkm.sys as problematic drivers. Could you please tell me what commands did you use to arrive at that conclusion? That would be very helpful to me not only to solve this blue screens, but also many others I could find. Pleaseeee