Frequent crashes and blue screens in WinXP -- please help me diagnose

Status
Not open for further replies.

Samizdat

I never used to have problems with blue screens but recently my WinXP Pro computer has begun to crash and blue-screen on me very often; I've had five crashes already today! What's odd is that I hadn't installed any new hardware or drivers when it started happening. I've been running some long video encodes overnight, but I'd done that before without any problem until now. I upgraded the mobo/cpu in this computer in April and it ran fine until November when the crashing began.

System specs:
- Asus A8V mobo with Via K8T800 Pro
- 1GB (2 x 512) DDR400 RAM
- Athlon XP 3000+ cpu
- ATI Radeon 9600XT videocard
- onboard audio (Realtek AC97)
- Windows XP Professional SP2 (fully patched)
- Boot drive is a partition on a 120GB Western Digital drive running as Master on the 1st IDE channel (a second 120GB WD drive is the slave on this channel)
- 2nd IDE channel master and slave are a Lite-On DVD-ROM drive and a TDK CD-RW burner
- On-board RAID controller running two SATA 320GB WD drives in RAID 1 (mirror)
- Westell DSL modem

A few pertinent facts:

- The blue screen is often (but not always) an IRQL_NOT_LESS_OR_EQUAL 0x0A error.

- I monitor the temperature and voltage with Asus Probe but it never shows the CPU temp rising more than 42 C even when it crashes, and the mobo temp never gets above 26 C. (And I've run the unit with the case open but that didn't help.)

- Asus Probe usually shows the +12V voltage line as being around 11.6 and the +3.3 around 3.28, but it still displays "OK" for these.

- I have installed the newest BIOS and the newest chipset, video and audio drivers (after cleaning out the old ones with DriverCleaner).

- I have run two memory tests (memtest and Windows Memory Diagnostic) overnight each but found no errors.

- I've examined the memory dumps with Windbg. Most often these point to avg7rsxp.sys (my anti-virus software) as the culprit, but I've read this could be misleading since the antivirus software may just be active when the crash happens. So I uninstalled AVG antivirus, and the dumps usually point to ntkrnlpa.exe, but sometimes to ati2mtag.sys, sr.sys or ntfs.sys.

- I reinstalled Windows using the "Repair Installation" option, but it didn't help.

- I've run chkdsk /r and found only minor problems (e.g., free space allocation) and no bad sectors.

- Sometimes the blue screens have happened while I was running some long task (like encoding or defragging) but sometimes they've happened while I was running nothing at all.

- I removed, cleaned and reseated the RAM modules in different slots, but it didn't help.

This has been going on for weeks now and it makes the machine virtually useless since running long operations on it is hit-or-miss. My questions:

- Could re-installing Windows from scratch help? (The Repair Installation I tried did not.) I'd really rather not re-install it (and all my apps) from scratch if I can avoid it.

- Could the memory be bad even if memtest found no errors? Does that seem likely? I have no spare modules to test. I don't mind buying new memory, but I'd love to know if that's likely before I spend $100 on it for no good reason.

- I am including with this post a zip file of the five minidumps from today. Can anyone tell anything more from them?

A couple of other things: Coincidentally (I think) the optical drive I was using in this machine -- a Plextor 708A DVD burner -- died about a week ago. I had hoped that might have been the cause somehow, but I replaced it with the Lite-On DVD ROM and the computer still crashes. Also, FWIW I have Ubuntu Linux installed on a different partition of this machine (which I don't often boot just because most of what I do requires Windows) but maybe I could use it to somehow test the machine further?

I would really appreciate any help with this really maddening problem. Thanks!
 
Right, I forgot to include that: it's a 500 watt Antec SmartPower 2.0.

Keep in mind that I had no problems with this combination of hardware from April to November.
 
Next question, what antivirus, antispyware, and firewall software do you use??
 
I've been using AVG anti-virus, ZoneAlarm firewall (both free versions) and Webroot SpySweeper (which I get free from my ISP). I also run AdAware.

^^ I should add, I uninstalled AVG (and am currently running without any antivirus software) because I didn't want it to turn up falsely as the culprit when I ran the memory dumps through WinDbg.

^^ OK, replying to my own post for the second time, but I just thought of something: since I have two sticks of RAM (2 x 512 MB), can I test the memory by running the machine with just one stick at a time? After all, it's unlikely that *both* sticks have suddenly gone bad. So if the machine runs fine with one stick but not the other, then I know which module is bad. And if the machine still crashes with *either* module installed, then I know it's not a bad memory issue. What do you think? Anyway, I'm going to give it a try now (after my sixth crash of the day).
 
Cache Memory is bad??

Hi,

Three of the crashes are at nt!CcSetFileSizes, and it is a cache memory reservation request. Probably the cache memory is bad (i.e., CPU L2 cache memory). The stack trace of one system crash has the footprint of AVG and the other 2 crashes have no AVG footprint.


Mini120306-01.dmp BugCheck A, {10567d44, 2, 0, 804e52e4}
Probably caused by : avg7rsw.sys ( avg7rsw+45c )
STACK_TEXT:
b884f660 804e52e4 badb0d00 00000000 00000000 nt!KiTrap0E+0x233
b884f700 f73b49fc 10567d30 b884f784 00000058 nt!CcSetFileSizes+0x3c
Remark 10567d30 is invalid (ie invalid address 10567d30 + 14 = 10567d44)
b884f7d8 f73d8e51 857c2958 e182a338 efc9d4d0 Ntfs!NtOfsSetLength+0x3f2
b884f87c f73f138f 857c2958 e182a338 efc9d478 Ntfs!NtOfsPutData+0x4e
b884f910 f73d8a75 857c2958 00010000 857c2958 Ntfs!NtfsWriteUsnJournalChanges+0x19c
b884f9d0 f737f397 857c2958 e4f764d0 00000001 Ntfs!NtfsPostUsnChange+0x495
b884fbbc f7374c97 857c2958 8616c500 8616c500 Ntfs!NtfsCommonWrite+0xdd1
b884fc20 804eddf9 86d32020 8616c500 86effcc0 Ntfs!NtfsFsdWrite+0xf3
b884fc30 f74173ca f7ba69f0 86974fb0 b884fc84 nt!IopfCallDriver+0x31
b884fc40 804eddf9 86d33dd0 e49477c8 8616c500 sr!SrWrite+0xaa
b884fc50 f7ba645c 8551c658 86724698 8616c500 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
b884fc84 805716a2 86974ef8 8616c500 85fc6e90 avg7rsw+0x45c
b884fd38 8053c808 0000031c 0000034c 00000000 nt!NtWriteFile+0x602
b884fd38 7c90eb94 0000031c 0000034c 00000000 nt!KiFastCallEntry+0xf8
00adfa88 00000000 00000000 00000000 00000000 0x7c90eb94

Mini120306-04.dmp BugCheck A, {4d4, 2, 0, 804e52e4}
Mini120306-04.dmp Probably caused by : ntkrnlpa.exe ( nt!CcSetFileSizes+3c )
STACK_TEXT:
b8056884 804e52e4 badb0d00 00000000 00000000 nt!KiTrap0E+0x233
b8056924 f73b49fc 000004c0 b80569a8 00000058 nt!CcSetFileSizes+0x3c
Remark 000004c0 is invalid (ie invalid address 4c0+14=4d4)
b80569fc f73d8e51 869b4ef0 e1880608 084e7fd0 Ntfs!NtOfsSetLength+0x3f2
b8056aa0 f73f138f 869b4ef0 e1880608 084e7f78 Ntfs!NtOfsPutData+0x4e
b8056b34 f73d17c8 869b4ef0 e3c3d0d0 86629028 Ntfs!NtfsWriteUsnJournalChanges+0x19c
b8056ba4 f739848a 869b4ef0 e3c3d0d0 e3c3d008 Ntfs!NtfsCommonClose+0x1d7
b8056c44 804eddf9 86d4c020 8579f538 86f412f8 Ntfs!NtfsFsdClose+0x21f
b8056c54 f7417459 b8056ca4 804eddf9 86f356a8 nt!IopfCallDriver+0x31
b8056c5c 804eddf9 86f356a8 8579f538 8579f538 sr!SrPassThrough+0x31
b8056c6c 80577c84 86629010 00000000 00000000 nt!IopfCallDriver+0x31
b8056ca4 805af547 00629028 86629010 00000000 nt!IopDeleteFile+0x132 <---
b8056cc0 80521e47 86629028 00000000 00000344 nt!ObpRemoveObjectRoutine+0xdf
b8056ce4 805b0547 868c4b20 e2996448 86644840 nt!ObfDereferenceObject+0x5f
b8056cfc 805b05dd e2996448 86629028 00000344 nt!ObpCloseHandleTableEntry+0x155
b8056d44 805b0715 00000344 00000001 00000000 nt!ObpCloseHandle+0x87
b8056d58 8053c808 00000344 00adfa84 7c90eb94 nt!NtClose+0x1d
b8056d58 7c90eb94 00000344 00adfa84 7c90eb94 nt!KiFastCallEntry+0xf8

ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=0a2c5b00 edx=00000000 esi=e1849840 edi=b89579c0
eip=804e52e4 esp=b89578f8 ebp=b8957924 iopl=0 nv up ei pl zr ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010256

804e52df 8b5d08 mov ebx,dword ptr [ebp+8] (ie ebp is the address of the stack)
804e52e2 8ac8 mov cl,al
nt!CcSetFileSizes+0x3c:
804e52e4 8b4314 mov eax,dword ptr [ebx+14h] ds:0023:00000014=????????

edit
On further investigation, it crashes because eax is invalid, and the root cause is that the input parameter to nt!CcSetFileSizes is invalid. It is not a hardware error; maybe the filesystem is corrupted and Windows picks up the invalid value from the corrupted filesystem. Run chkdsk /r in safe mode to make sure that the file structure of your Windows is clean.

804e52e4 8b4314 mov eax,dword ptr [ebx+14h]
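
The arithmetic in the remarks above (first argument of nt!CcSetFileSizes plus 0x14 equals bugcheck parameter 1) can be checked mechanically. This is an added example, not part of the original post: `triage` and `KERNEL_BASE` are hypothetical names, the sample is a few lines copied from the two summaries quoted above, and the kernel-range check assumes the default 2 GB/2 GB split of 32-bit Windows XP.

```python
import re

# Constructed sample: lines copied from the two WinDbg summaries quoted in the post.
SAMPLE = """\
Mini120306-01.dmp BugCheck A, {10567d44, 2, 0, 804e52e4}
b884f660 804e52e4 badb0d00 00000000 00000000 nt!KiTrap0E+0x233
b884f700 f73b49fc 10567d30 b884f784 00000058 nt!CcSetFileSizes+0x3c
b884f7d8 f73d8e51 857c2958 e182a338 efc9d4d0 Ntfs!NtOfsSetLength+0x3f2
Mini120306-04.dmp BugCheck A, {4d4, 2, 0, 804e52e4}
b8056884 804e52e4 badb0d00 00000000 00000000 nt!KiTrap0E+0x233
b8056924 f73b49fc 000004c0 b80569a8 00000058 nt!CcSetFileSizes+0x3c
b80569fc f73d8e51 869b4ef0 e1880608 084e7fd0 Ntfs!NtOfsSetLength+0x3f2
"""

KERNEL_BASE = 0x80000000  # assumption: default 32-bit split, no /3GB switch

BUGCHECK = re.compile(r"^(\S+\.dmp) BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
# ChildEBP, RetAddr, three "Args to Child", then symbol+offset
FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) "
                   r"([0-9a-f]{8}) ([0-9a-f]{8}) (\S+?)\+0x([0-9a-f]+)$")

def triage(text, disp=0x14):
    """Tie each bugcheck 0xA to the frame below the trap frame and test
    whether that frame's first argument + disp is the faulting address."""
    results, current = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = BUGCHECK.match(line)
        if m:
            args = [int(a, 16) for a in m.group(3).split(",")]
            # 0xA parameters: address referenced, IRQL, access type, instruction
            current = {"fault_addr": args[0], "irql": args[1], "ip": args[3]}
            results[m.group(1)] = current
            continue
        f = FRAME.match(line)
        if not (f and current) or "function" in current:
            continue
        # The trap frame's return address is the faulting instruction (parameter 4).
        if int(f.group(2), 16) == current["ip"] and i + 1 < len(lines):
            nxt = FRAME.match(lines[i + 1])
            if nxt:
                base = int(nxt.group(3), 16)  # first argument, loaded from [ebp+8]
                current.update(function=nxt.group(6), base=base,
                               matches=(base + disp == current["fault_addr"]),
                               kernel_pointer=(base >= KERNEL_BASE))
    return results

if __name__ == "__main__":
    for dump, info in triage(SAMPLE).items():
        print(dump, info["function"], hex(info["base"]),
              "base+0x14 == param1:", info["matches"],
              "kernel-range pointer:", info["kernel_pointer"])
```
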
 
Hmm, I had run chkdsk /r a few days ago (after booting from a BartPE CD) and it corrected a few apparently minor things but found no bad sectors. I'll try it again tonight; I'm off to work soon.

One note: FWIW, the reason that AVG shows up in one crash dump but not others is probably because during the first few crashes AVG antivirus was running, but then I deliberately uninstalled it so the later minidumps would not point to it spuriously (as I have read happens with antivirus software).

Also FWIW, I went ahead and removed one stick of RAM last night and ran a moderately long video encode overnight, and the system has not crashed yet. Can't prove a negative, of course... but it hasn't run successfully overnight like that for weeks. I'm going to leave it running again while I'm at work and see what happens. Still, you say explicitly it is not a hardware error, so maybe this is a false hope.

And for the heck of it I am uploading the sixth minidump created yesterday (it's currently the most recent one).

Thanks!

OK, I just tried doing something I often do -- running a program using "Run As" under a different username -- and the system crashed again. I'm uploading the minidump, which points to ntfs.sys. Curiously, WinDbg shows the full dump (MEMORY.DMP) as pointing to sr.sys. Would it help if I zip and upload the full dump?

I also swapped out the memory module just to see what happens with the other one. Tonight I'll run chkdsk /r again. If it's really not hardware related, would a wipe and re-install of Windows correct the problem?
 
Wiping the hard drive probably would correct the problems. But before you do anything, keep testing your hardware. Did you test the memory, one stick at a time in each slot? I've had that problem too in the past. I didn't have any memory errors, but then I tested one stick at a time in each slot and found that one stick was bad. I usually went about 15 min in each slot. Also, based on preference, I like Avast virus protection better; it's free, and comes with 6-7 scanners.

Also try Spy Doctor for removing spyware.
 
Well, I ran memtest86 overnight with both sticks installed and found no errors. So I removed one stick and left the machine running Windows and this morning it crashed again. I then swapped out that stick for the other stick, so if it crashes again I guess it's probably not bad RAM (unless BOTH sticks suddenly developed a problem simultaneously).

Were you using memtest86 to test your RAM?

Tonight I'll install and run Spy Doctor and Avast. Maybe they'll turn up something. If not, I'll probably try wiping and reinstalling. I'll be *happy* if that really solves the problem; I don't know what I'll do if this recurs with a brand new installation since I seem to be ruling out most hardware problems...
 
I don't know if this is relevant, (doesn't seem to be) or how you could check it, but I noticed a reference to Ubuntu.

When I installed that, it worked perfectly, as did XP - until I tried to use Partition Magic, which said there were boundary errors (or something like that). I let it fix them and, on next reboot, neither system would boot. Some sort of conflict between Gparted and PM, I assume, although why, when they both have the same info to hand, I can't imagine.
 
I use a boot manager called BootitNG to select between Ubuntu and Windows (the XP partition in question, and an old Win98SE partition). It's never given me any problem and multi-booting still functions fine right now, so I'd guess it's not that. I wish I could replicate the problem under Ubuntu, as then I'd have reason to think it's definitely hardware related.
 
From the minidump, your Windows has ZoneAlarm and McAfee Personal Firewall (i.e., MPFirewall) installed. I'm afraid you did not uninstall MPFirewall successfully. What is Truecrypt.sys? UDFReadr.SYS, DVDVRRdr_xp.SYS and cdudf_xp.SYS have timestamp. Your Windows has a lot of junk. Re-installing may fix the blue screen problem.


b818d000 b81bc1c0 truecrypt truecrypt.sys Sat Nov 26 06:43:19 2005 (43879387)
b82d5000 b8326480 srv srv.sys Mon Aug 14 18:34:39 2006 (44E051BF)
b834f000 b83d4000 CVPNDRVA CVPNDRVA.sys Sat Nov 05 01:20:39 2005 (436B9867)
b843d000 b843fde0 ppsio2 ppsio2.SYS Sat Jun 13 14:38:14 1998 (35821E56)
bacd0000 bad2e680 vsdatant vsdatant.sys Thu Aug 24 13:21:14 2006 (44ED374A)
bad2f000 bad56c00 netbt netbt.sys Wed Aug 04 14:14:36 2004 (41107ECC)
bad57000 bad6b000 MpFirewall MpFirewall.sys unavailable (00000000)
bade8000 bae1a000 UDFReadr UDFReadr.SYS unavailable (00000000)
bae54000 bae77000 DVDVRRdr_xp DVDVRRdr_xp.SYS unavailable (00000000)
bae89000 baed0000 cdudf_xp cdudf_xp.SYS unavailable (00000000)
 
I used to use McAfee (antivirus and firewall) but I ran into trouble trying to upgrade it so I tried to remove it entirely months ago; I guess it wasn't completely removed (even with McAfee tech support's help!). TrueCrypt is an open-source encryption program that's never caused me problems before. The others are all part of Roxio Easy Media Creator 7.

I have discovered one thing that always seems to cause a crash: trying to run a program (in this case, Internet Explorer) as another user via the "Run As" command. I tried it twice and both times it crashed immediately (latest minidump attached). Also I tested each stick of RAM in the computer separately and it crashed either way, so I guess it's not the memory.
 
^^ Scratch that: I just used "Run As" again under the same circumstances and it worked. Weird though that it crashed right away both previous times. --Sorry Howard I just saw your note about editing rather than responding to my own posts; I won't do it again!
 