Blue screen message: 0x000000C2/0x0000050

By diene1t
May 27, 2009
Topic Status:
Not open for further replies.
  1. Hello!

    I seem to be having an issue of Windows crashing and giving me the infamous blue screen with the error 0x000000C2, and it is also interchanged with 0x000000050.

    It seems to happen at random times but usually within 5 or 10 mins.. sometimes right on restart when I get on desktop. It happens when I surf the net or even stay Idle... when downloading.. anything.

    I did not replace memory; I wanted to see what you guys thought first. I did, however, just reinsert the memory sticks and vid card hoping that would do the trick... nope. My system is DELL XPS GEN 2, Windows XP PRO SP2 etc.. should be all up to date. I have McAfee virus scanner.

    I have included some recent minidump files 5/27/09 and 5/26/09 in the attachment. I don't know much on how to read those things but the file name ntoskrnl.exe seems to be common with the files.

    Any help would be GREATLY appreciated!

    Regards,

    Tyler


  2. Route44

    Route44 TechSpot Ambassador Posts: 12,109   +21

    All five of your errors are 0x00000050: PAGE_FAULT_IN_NONPAGED_AREA, which defined means requested data was not in memory. An invalid system memory address was referenced. Defective memory (including main memory, L2 RAM cache, video RAM) or incompatible software (including remote control and antivirus software) might cause this Stop message, as may other hardware problems (e.g., incorrect SCSI termination or a flawed PCI card).

    One specifically cited the driver mfeavfk.sys which belongs to McAfee.

    The other four simply cited hardware as the cause. Because you are getting such random crashes regardless of what you do and hardware is cited 4 out of 5 times I strongly suggest running Memtest on your RAM. We are testing for corrupted memory.

    See this link and follow instructions: http://www.techspot.com/vb/topic62524.html

    Let it run for a LONG time. The rule is a minimum of 7 Passes but more is fine. There are 8 individual tests per Pass. Many people will start this test before going to bed and check it the next day.

    If you have errors you have corrupted memory and it needs to be replaced.

    Also, with errors you need to run this test per stick of RAM. Take out one and run the test. Then take that one out and put the other in and run the test. If you start getting errors before 7 Passes you know that stick is corrupted and you don’t need to run the test any further on that stick.

    Also, you mention in your post 0xC2 errors. These are caused by faulty drivers or buggy software. Because McAfee has been cited and if Memtest shows no errors you may want to consider updating McAfee or replacing it, but at this time let Memtest do its job.

    * Get back to us with the results.
  3. diene1t

    diene1t Newcomer, in training Topic Starter

    Ok, I seem to be having trouble getting the CD to work for memtest. I got a blank CD and downloaded the file memtest86+-2.11 and then burned the file called memtest.img, the only file in the package besides the security log.

    I went to boot options and set it to only boot from cd rom ide device... all I get is a black screen?


    - tyler
  4. Route44

    Route44 TechSpot Ambassador Posts: 12,109   +21

    Is your drive placed as First Bootable in your BIOS? If not do so, place CD in drive and it should take over. Or you may need to reboot with CD in drive.
  5. B00kWyrm

    B00kWyrm TechSpot Paladin Posts: 1,550   +18

    The memtest tutorial did include instructions for burning the iso, so you may have used Nero or some other software already.
    If not... Are you sure that you burned an iso of memtest, or did you just copy the file to the cd?
    If the latter, you will need to discard it (or use it as a coaster, or decoration, or...)
    If you do not know, you probably just copied it...
    You can tell by using Windows Explorer (File Manager) to navigate to the cd, and browse ...
  6. EZ123

    EZ123 Newcomer, in training Posts: 52

    I have been looking at your minidumps and everywhere on any mini-dump I have looked the cause seems to be on McAfee drivers.

    Anyway, remove the antivirus and make sure the problem stopped. If not, please repost new mini-dumps without the antivirus installed.

    Make sure all of the drivers are gone when uninstalling. Go to your Windows\System32\Drivers directory and verify that mfehidk.sys is NOT there.

    EZ123
  7. diene1t

    diene1t Newcomer, in training Topic Starter

    Thanks everyone for your help. I appreciate it.


    What seems to be the issue is when I open the memtest 2.11.zip I get a folder called BOOT, then the only file in there is memtest.IMG and security log... I think the directions said something about a memtest2.11.ISO being there to burn to a CD? I don't see it. I used SONIC! record now for my burn software.

    I could be screwing up the boot to CD but I don't think so.. I go to system set up and then go into boot options and make sure boot to cd-rom ide device is the only one checked? I think that's the BIOS, right?

    I did uninstall McAfee and made sure that driver was no longer present and my computer has been running all night now with no crashes so that's something new... hopefully in the right direction. If it does crash I will post a new minidump for you guys. I also took out all memory sticks besides one and been running on one memory stick and no crashes yet... :D
  8. diene1t

    diene1t Newcomer, in training Topic Starter

    Damn! Just got a crash today... here is the minidump, still a 0x00000050 error. Page not in default or something, so that prob rules out the virus scanner then.
  9. Route44

    Route44 TechSpot Ambassador Posts: 12,109   +21

    The 0x50 error simply cited hardware as the issue. The driver aswSP.sys could not load which belongs to Avast but I really doubt Avast is your issue (good choice, by the way).

    Going back to my first response I still lean strongly to memory as the #1 suspect (but I can still be wrong).

    * As for Memtest, when you unzip it there should be an icon labeled memtest.iso with a disk on a sheet of paper image. You should only have to double click that image and your burning software will pop up and easily make a disk.

    Yes, your CD/DVD drive is placed as first bootable in your BIOS but make sure your hard drive is placed at least second.
  10. EZ123

    EZ123 Newcomer, in training Posts: 52

    diene1t,
    just to make sure I understand: did you install Avast after removing McAfee antivirus, or were those two there in the first place?

    If Avast was the replacement for the McAfee antivirus, I will suspect you have a third party software that was not McAfee Antivirus but one that conflicts with the two antiviruses. Let me explain deeper. You may not understand what I am trying to say, but it will provide a direction:

    On most of your minidumps, your machine crashes on a specific operation (opcode). Here is the repetitive pattern:

    a773abe4 805823eb e2829b60 d984ed78 a773acb0 nt!KeInitThread+0xa5
    a773ac58 80582380 e109d378 a773acb0 00000004 nt!CmSetValueKey+0xd0
    a773acec aa3e7a1b 000008a4 01a1ed90 00000000 nt!NtSetValueKey+0x228

    NtSetValueKey is a Windows function that sets a value in the registry. Antivirus software hooks this function to be able to monitor any key that is being written to the registry. Most antiviruses and other products may require protection over their own files and registry keys, so they will protect those keys (you will not be able to change them). This is the way it is done. Hooking this function helps them see if the product keys have changed, and if they have, it is possible to fail this function and protect the key.

    Hooking is something that Windows does not support, and to do it developers need to do some nasty tricks. One of the most common problems is what happens when two different products try to hook the same function. I suspect this is your issue here. While Avast does hook NtSetValueKey, it seems something else does it as well, but in a bad way. That is the reason it failed.

    Here is what the hooking looks like:
    Code:
    a773abe4 805823eb e2829b60 d984ed78 a773acb0 nt!KeInitThread+0xa5
    a773ac58 80582380 e109d378 a773acb0 00000004 nt!CmSetValueKey+0xd0
    a773acec aa3e7a1b 000008a4 01a1ed90 00000000 nt!NtSetValueKey+0x228
    WARNING: Stack unwind information not available. Following frames may be wrong.
    a773ad44 804dd99f 000008a4 01a1ed90 00000000 aswSP+0x8a1b
    a773ad44 7c90e514 000008a4 01a1ed90 00000000 nt!KiFastCallEntry+0xfc
    
    KiFastCallEntry is responsible for directing an application call to the kernel function using the service table. While calling NtSetValueKey, we can see that it first reaches aswSP.sys. This shows the hook. aswSP.sys then forwards the call to NtSetValueKey; this is the part which resolves the hook. My question is how CmSetValueKey called KeInitThread, which does not make any sense at all. And here we go deeper:

    I have looked at the minidump stack and disassembled CmSetValueKey, and the real function that should have been called is CmpFindNameInList. Looking at the internal stack I do see a call to this function, but something gets corrupted.

    Here is the CmSetValueKey disassembly. I have looked at the return address from KeInitThread to see where the call to KeInitThread was done, and here is what I saw:
    Code:
    
    kd> u 805823eb-5
    
    ** u = unassemble, -5 because we are on the return address. -5 will help us to get to the calling address and not the return address.
    
    nt!CmSetValueKey+0xcb:
    805823e6 e85a030000      call    nt!CmpFindNameInList (80582745)
    805823eb 84c0            test    al,al
    
    As you can see, CmpFindNameInList is here. Now I'll look at the stack trace from KeInitThread:

    Code:
    kd> dps a773abe4-50
    a773ab94  a773abe4
    a773ab98  a773ac48
    a773ab9c  00000030
    a773aba0  00000000
    a773aba4  e2829b60
    a773aba8  0008dd50
    a773abac  a773abe4
    a773abb0  00000002
    a773abb4  805755ad nt!KeInitThread+0xa5
    a773abb8  00000008
    a773abbc  00010202
    a773abc0  8058276b nt!CmpFindNameInList+0x26
    a773abc4  e2829b60
    a773abc8  0008fc50
    a773abcc  d984ed54
    a773abd0  e109d378
    a773abd4  0008dd50
    a773abd8  a773aba8
    a773abdc  00000001
    a773abe0  ffffffff
    a773abe4  a773ac58
    a773abe8  805823eb nt!CmSetValueKey+0xd0
    a773abec  e2829b60
    a773abf0  d984ed78
    a773abf4  a773acb0
    a773abf8  a773ac2c
    a773abfc  a773ac30
    a773ac00  e2d5f6b8
    a773ac04  00000000
    a773ac08  00000004
    a773ac0c  e109d378
    a773ac10  8057302f nt!CmQueryValueKey+0x10d
    kd> dps
    a773ac14  01a1ecd8
    a773ac18  00000000
    a773ac1c  00000000
    a773ac20  ffffffff
    a773ac24  0008dd50
    a773ac28  fc82d590
    a773ac2c  e1a63fb8
    a773ac30  00000001
    a773ac34  e2829b60
    a773ac38  0017cc90
    a773ac3c  0073ac60
    a773ac40  a773ac00
    a773ac44  fc82d590
    a773ac48  a773acdc
    a773ac4c  804e2ed8 nt!_except_handler3
    a773ac50  804f4208 nt!`string'+0x190
    a773ac54  ffffffff
    a773ac58  a773acec
    a773ac5c  80582380 nt!NtSetValueKey+0x228
    
    What we do see is that the function call is nt!CmpFindNameInList+0x26, which means that the real crash was caused here, 0x26 bytes into CmpFindNameInList. Let's disassemble it:

    Code:
    kd> u nt!CmpFindNameInList
    nt!CmpFindNameInList:
    80582745 8bff            mov     edi,edi
    80582747 55              push    ebp
    80582748 8bec            mov     ebp,esp
    8058274a 83ec0c          sub     esp,0Ch
    8058274d 8b450c          mov     eax,dword ptr [ebp+0Ch]
    80582750 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
    80582754 53              push    ebx
    80582755 56              push    esi
    kd> u
    nt!CmpFindNameInList+0x11:
    80582756 57              push    edi
    80582757 33ff            xor     edi,edi
    80582759 3938            cmp     dword ptr [eax],edi
    8058275b 0f8484a80300    je      nt!CmpFindNameInList+0xfb (805bcfe5)
    80582761 ff7004          push    dword ptr [eax+4]
    80582764 8b7508          mov     esi,dword ptr [ebp+8]
    80582767 56              push    esi
    80582768 ff5604          call    dword ptr [esi+4] <---
    8058276b 8bd8            mov     ebx,eax
    
    0x6b-0x45 = 0x26; the return address is 8058276b. The calling address is 80582768, which we can refer to as a call dword ptr [esi+4].

    This is a dynamic call and may have resulted in the crash. This is a very common compiled call, but with a minidump I just can't resolve it. I need to understand what [esi+4] addresses. I assume that knowing that will probably show us the faulty driver. To continue with the next step I will have to get a kernel dump.

    Here is how to generate a kernel dump:

    Go to Control Panel -> System -> choose the Advanced tab.
    Under "Startup and Recovery" press the Settings button.
    Under System failure -> Write debugging Information -> choose Kernel Dump.

    You should notice the directory it chooses to dump the file. By default it should be dumped at \Windows\memory.dmp file.

    When you finish setting up the kernel dump, just wait for the next BSOD. This time it will take much longer to create the dump. When the dump has been created, log back in to your machine. Zip the memory.dmp file and just send it over somehow. The dump is larger and may be the size of 100-200MB uncompressed.

    EZ
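
The stack reading described in the post above, as an added Python example (not code from the thread): it parses a subset of the quoted `dps` output, follows the saved-EBP chain, and lists symbolized pointers left below the innermost frame, which is how `CmpFindNameInList+0x26` shows up. The function names are hypothetical; the 3-byte and 5-byte call lengths come from the `ff5604` and `e85a030000` encodings in the quoted disassembly.

```python
import re

# Subset of the `dps` output quoted in the post (address, value, optional symbol).
DPS = """\
a773abb4  805755ad nt!KeInitThread+0xa5
a773abc0  8058276b nt!CmpFindNameInList+0x26
a773abe4  a773ac58
a773abe8  805823eb nt!CmSetValueKey+0xd0
a773ac58  a773acec
a773ac5c  80582380 nt!NtSetValueKey+0x228
"""

LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?$")

def parse_dps(text):
    """Return {address: (value, symbol_or_None)} for each dumped dword."""
    mem = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            mem[int(m.group(1), 16)] = (int(m.group(2), 16), m.group(3))
    return mem

def walk_ebp_chain(mem, ebp):
    """Follow saved-EBP links (x86: [ebp] = caller EBP, [ebp+4] = return address)."""
    frames = []
    while ebp in mem and ebp + 4 in mem:
        saved_ebp, _ = mem[ebp]
        ret, sym = mem[ebp + 4]
        frames.append((ebp, ret, sym))
        if saved_ebp <= ebp:  # a sane chain always moves toward higher addresses
            break
        ebp = saved_ebp
    return frames

def stale_returns(mem, ebp):
    """Symbolized code pointers below the innermost frame: candidate deeper calls."""
    return [(a, v, s) for a, (v, s) in sorted(mem.items())
            if a < ebp and s and "+0x" in s]

def call_site(ret, call_len):
    """A return address points just past the call; subtract the call's encoded length."""
    return ret - call_len

if __name__ == "__main__":
    mem = parse_dps(DPS)
    print(walk_ebp_chain(mem, 0xa773abe4), stale_returns(mem, 0xa773abe4))
```

The fixed `-5` used with `u` in the post only fits a direct `e8` call; the indirect `call dword ptr [esi+4]` is 3 bytes, so its call site is the return address minus 3.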
  11. theatkinshomeb

    theatkinshomeb Newcomer, in training

    BSOD after windows update

    I too am experiencing the infamous BSOD. It usually happens directly following a windows automatic update. To get the machine operational again, I have to boot "last known good config.". Here's what I can provide on the error so far.

    Bugcheck a. Parameters=
    0x880
    0xC
    0x1
    0xfffff80002a7e995

    Insight please?
  12. EZ123

    EZ123 Newcomer, in training Posts: 52

    theatkinshomeb,
    You may want to open your own thread so someone can help you. BSODs are not the same. There are plenty of types and reasons.

    Open a new thread, post a minidump and someone will help you I believe.

    EZ
  13. diene1t

    diene1t Newcomer, in training Topic Starter

    Wow! This is pretty deep. haha. I set the settings to kernel debug under system failure, and currently waiting for a BSOD.

    I installed Avast after I thought it could have been a McAfee issue. I uninstalled McAfee and made sure the driver was no longer present, then installed Avast home edition scanner.

    On the memtest issue: is there a specific program I need to unzip it? Maybe that is why I'm not seeing the iso file (just the .IMG (about 1 meg in size) and the security log)? I'm downloading the pre-compiled memtest86+2.11.iso.zip from memtest.org, the latest version.

    Again, Thanks for all the help and education haha.


    -tyler
     
  14. diene1t

    diene1t Newcomer, in training Topic Starter

    Just some clarification: when the dump is created, place in a zip file and post as attachment.. correct? Hopefully it won't be too big to post, you think? I don't know what the limitations are exactly.

    -tyler
  15. diene1t

    diene1t Newcomer, in training Topic Starter

    Here we go, I got the kernel dump memory and uploading to this link:

    http://www.filefactory.com/file/ag400gg/n/MEMORY_zip

    You can do the free download option and get it; it's compressed to 24.3 MB.

    I also included the most recent crash minidump in attachments, which was today.


    I also got memtest to work! All the memory has passed. I ran the test 5-6 times on each stick and ran the test 3 times so far on all sticks... no errors.. I will run the test through the night just in case.

    Thanks for all the help!!
  16. diene1t

    diene1t Newcomer, in training Topic Starter

    I ran memtest 15 times with no errors. Just wondering if we had any updates? I seem to still be getting the error 0x50, either right on start up or the computer will restart automatically a couple times then give me the blue screen error.
  17. Route44

    Route44 TechSpot Ambassador Posts: 12,109   +21

    Sorry for the delay. I read your minidump and it only said hardware as the cause, but what hardware it doesn't say.

    What power supply do you have? Are you able to go to your hard drive manufacturer's website and download and run their free utility to test your hard drive? If so, run all the tests and tell us the results.

    I know you uninstalled McAfee but have you checked to see if there are any remnants left?

    Have you updated your NIC card drivers lately? If not, do so.