Need Help in the DeBugging Tool Instructions

Status
Not open for further replies.

Route44

I took the archived advice here and downloaded and installed Microsoft's Debugging Tool. I also followed the instructions on how to read a minidump from Major Geeks. Their instructions are in black and my responses are in blue. Here is where I become confused on what to do:

Once you have downloaded and installed these tools, go to start, all programs, Debugging Tools For Windows, Windbg. Once you open Windbg, you will presented with a blank screen. Click on File, Symbol File Path. Here you will enter the symbols path. Symbols are needed to effectively debug.

I did this with no problems.

The path will be:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Enter in this path and click OK.

I did this, too, with no problems.

Now, go to File, Save Workspace so that your symbols path is saved for future use.

Ditto.


Now what you want to do is locate your memory dumps. They are usually located in %systemroot%/minidump (in my case C:/windows/minidump).

I found my memory dumps via Run and %systemroot%/minidump.

If you notice, they are usually named the date, and then a -*number* to indicate the order of minidumps that day. My example is called Mini061904-01.dmp (it happened today).

I understand.

Inside of Windbg, go to File, Open Crash Dump and load the file. You will get a message to save base workspace information. Choose no.

This is where I become confused, because when I go to File it lists a bunch of folders but I see no way of loading the file into Open Crash Dump. What am I missing? Thanks.
 
Name the crash dump file(s) folder a name you can remember. I use the poster's nickname, or part of his nickname. I download and extract the crash dump files into the folder. Put a shortcut of WINDBG on your taskbar. While you are still in TechSpot, go down to the WINDBG shortcut and open it. Select the crash dump folder and open it using "Open Crash Dump". Point to the crash dump file folder. Select each minidump file, one at a time. You will have to close WinDBG after each crash dump is debugged, and reopen it for the next minidump file.
 
I apologize ahead of time if I am not supposed to place all this information, but this is what I got from my minidump. Is this pointing to my Sunbelt Kerio Firewall? I used to have crashes with their earlier versions, which someone here read for me and pointed to Kerio. Supposedly the newest version of this firewall is much more stable. The problem is I just received this minidump yesterday. It hasn't even been a week.

Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Jim\Desktop\Route44\Mini031907-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/downloads/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.061219-0316
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805533a0
Debug session time: Mon Mar 19 00:00:05.843 2007 (GMT-4)
System Uptime: 0 days 9:44:13.431
Loading Kernel Symbols
.............................................................................................................................................
Loading User Symbols
Loading unloaded module list
.......................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {76006d, 2, 0, 804ee591}

*** WARNING: Unable to verify timestamp for fwdrv.sys
*** ERROR: Module load completed but symbols could not be loaded for fwdrv.sys
Probably caused by : fwdrv.sys ( fwdrv+17476 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0076006d, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804ee591, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 0076006d

CURRENT_IRQL: 2

FAULTING_IP:
nt!IoGetRelatedDeviceObject+9
804ee591 8b4608 mov eax,dword ptr [esi+8]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

TRAP_FRAME: a6ecca14 -- (.trap ffffffffa6ecca14)
ErrCode = 00000000
eax=00760065 ebx=a6eccaf8 ecx=00000041 edx=00000002 esi=00760065 edi=86c857d8
eip=804ee591 esp=a6ecca88 ebp=a6ecca8c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
nt!IoGetRelatedDeviceObject+0x9:
804ee591 8b4608 mov eax,dword ptr [esi+8] ds:0023:0076006d=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 804ee591 to 8053fa73

STACK_TEXT:
a6ecca14 804ee591 badb0d00 00000002 a6ecca54 nt!KiTrap0E+0x233
a6ecca8c a97c6346 00760065 86c857d8 0044005c nt!IoGetRelatedDeviceObject+0x9
a6eccab4 a97cc27b 86c857d8 a6eccb74 a6eccb78 afd!AfdBeginAbort+0x1e
a6eccaf0 a9884476 00000000 a9884476 86a554e8 afd!AfdBReceiveEventHandler+0x4ff
WARNING: Stack unwind information not available. Following frames may be wrong.
a6eccb14 88dfb074 a6eccb30 86a554e8 a97c579e fwdrv+0x17476
a6eccc34 804edfe3 898d65a8 86d3f530 806d02d0 0x88dfb074
a6eccc44 80573dce 86d3f5a0 89992bd0 86d3f530 nt!IopfCallDriver+0x31
a6eccc58 80574c5d 898d65a8 86d3f530 89992bd0 nt!IopSynchronousServiceTail+0x60
a6eccd00 8056d5ba 00000508 00000000 00000000 nt!IopXxxControlFile+0x5e7
a6eccd34 8053ca28 00000508 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
a6eccd34 7c90eb94 00000508 00000000 00000000 nt!KiFastCallEntry+0xf8
0740ae74 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
fwdrv+17476
a9884476 ?? ???

SYMBOL_STACK_INDEX: 4

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: fwdrv

IMAGE_NAME: fwdrv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 0

SYMBOL_NAME: fwdrv+17476

FAILURE_BUCKET_ID: 0xA_fwdrv+17476

BUCKET_ID: 0xA_fwdrv+17476

Followup: MachineOwner
---------

kd> lmvm fwdrv
start end module name
a986d000 a98b6000 fwdrv T (no symbols)
Loaded symbol image file: fwdrv.sys
Image path: \SystemRoot\system32\drivers\fwdrv.sys
Image name: fwdrv.sys
Timestamp: unavailable (00000000)
CheckSum: 00000000
ImageSize: 00049000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
 
Delete the current version of Kerio, and make sure that you have all the MS Updates for XP, SP2 installed. Mind you, there's nothing wrong with using Kerio, we are just doing this to see if the crashes stop or change... If your system is stable, you can reinstall Kerio, and all should be good.
 
I appreciate the replies. The thing is with Kerio that this is my third version of their product. I even saved the emails from their Tech Support that admitted that in their earlier versions BSODs were an occurring problem.

1. I checked my hardware and drivers and they are all compatible.

2. I have all updates installed for Windows SP/2.

3. I know several people online who have had the same issues and it disappeared once they uninstalled Kerio.

So, Tmagic650 what does my information tell you from my minidump?
 
And meet the new boss, same as the old boss. The only difference between the two is the first one I listed earlier was 0x0A Stop Error the second was 0x0D Stop Error, but I think both point to Kerio.

Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Jim\Desktop\Route44\Mini031907-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/downloads/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp2_gdr.061219-0316
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805533a0
Debug session time: Mon Mar 19 19:12:04.690 2007 (GMT-4)
System Uptime: 0 days 8:46:36.925
Loading Kernel Symbols
..............................................................................................................................................
Loading User Symbols
Loading unloaded module list
........................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {65006d, 2, 0, a97a25da}

Unable to load image \SystemRoot\system32\drivers\fwdrv.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for fwdrv.sys
*** ERROR: Module load completed but symbols could not be loaded for fwdrv.sys
Probably caused by : fwdrv.sys ( fwdrv+140f5 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0065006d, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: a97a25da, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 0065006d

CURRENT_IRQL: 2

FAULTING_IP:
afd!AfdDisconnectEventHandler+c7
a97a25da 8b08 mov ecx,dword ptr [eax]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

TRAP_FRAME: a6ff1aa8 -- (.trap ffffffffa6ff1aa8)
ErrCode = 00000000
eax=0065006d ebx=874f7c60 ecx=00000000 edx=a6ff1b28 esi=874f7c30 edi=0044005c
eip=a97a25da esp=a6ff1b1c ebp=a6ff1b34 iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
afd!AfdDisconnectEventHandler+0xc7:
a97a25da 8b08 mov ecx,dword ptr [eax] ds:0023:0065006d=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from a97a25da to 8053fa73

STACK_TEXT:
a6ff1aa8 a97a25da badb0d00 a6ff1b28 ffdff000 nt!KiTrap0E+0x233
a6ff1b34 a985a0f5 88521948 00000000 00000000 afd!AfdDisconnectEventHandler+0xc7
WARNING: Stack unwind information not available. Following frames may be wrong.
a6ff1b64 a985a27c a979d90a 88521948 874f7c30 fwdrv+0x140f5
a6ff1b8c a985bbc7 875a5670 00000004 a6ff1bcc fwdrv+0x1427c
a6ff1b9c a985be16 875a5670 00000001 00000004 fwdrv+0x15bc7
a6ff1bcc a984a1b4 878f1000 86cf4528 86cf44b8 fwdrv+0x15e16
a6ff1be8 a9846f29 0000a298 878f1000 a6ff1c10 fwdrv+0x41b4
a6ff1bf8 a98497b4 878f1000 0000203c 86cf44b8 fwdrv+0xf29
a6ff1c10 a9849853 86cf44b8 88cd7d40 89a71570 fwdrv+0x37b4
a6ff1c24 a984998d 898d41f8 86cf44b8 a6ff1c58 fwdrv+0x3853
a6ff1c34 804edfe3 898d41f8 86cf44b8 806d02d0 fwdrv+0x398d
a6ff1c44 80573dce 86cf4528 89c7ad48 86cf44b8 nt!IopfCallDriver+0x31
a6ff1c58 80574c5d 898d41f8 86cf44b8 89c7ad48 nt!IopSynchronousServiceTail+0x60
a6ff1d00 8056d5ba 00000550 00000000 00000000 nt!IopXxxControlFile+0x5e7
a6ff1d34 8053ca28 00000550 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
a6ff1d34 7c90eb94 00000550 00000000 00000000 nt!KiFastCallEntry+0xf8
0700d09c 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
fwdrv+140f5
a985a0f5 ?? ???

SYMBOL_STACK_INDEX: 2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: fwdrv

IMAGE_NAME: fwdrv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 0

SYMBOL_NAME: fwdrv+140f5

FAILURE_BUCKET_ID: 0xD1_fwdrv+140f5

BUCKET_ID: 0xD1_fwdrv+140f5

Followup: MachineOwner
---------
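The two `!analyze -v` outputs above (the 0xA and the 0xD1 dump) were read by eye in this thread. As an added example that is not part of the thread and not code from Microsoft or Sunbelt, here is a small Python triage helper that parses that text and pulls out the same facts mechanically: the bugcheck code and its four arguments (for 0xA and 0xD1 these are the referenced address, the IRQL, read/write, and the faulting instruction pointer), the first stack frame whose module loaded without symbols, whether the debugger warned that the unwind may be wrong, and a heuristic check of whether the faulting address reads as two printable UTF-16LE code units (in both dumps it does: 0x0076006d is "mv", 0x0065006d is "me", a typical sign of a pointer overwritten by string data). The sample inputs are excerpts of the two outputs posted above; the function names and the `BUGCHECK_NAMES` table are my own.

```python
import re
from typing import Optional

# Bugcheck codes seen in this thread (names as printed by !analyze -v).
BUGCHECK_NAMES = {0xA: "IRQL_NOT_LESS_OR_EQUAL", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}
# Both codes share the argument layout: address, IRQL, 0=read/1=write, faulting IP.
IRQL_FAULT_CODES = set(BUGCHECK_NAMES)

# A STACK_TEXT frame: five 8-digit hex words (ChildEBP, RetAddr, 3 args) then the symbol.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)\s*$")
BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")

# Constructed sample: excerpt of the first dump posted above (Mini031907-01, 0xA).
DUMP_A = """\
BugCheck A, {76006d, 2, 0, 804ee591}
Probably caused by : fwdrv.sys ( fwdrv+17476 )
STACK_TEXT:
a6ecca14 804ee591 badb0d00 00000002 a6ecca54 nt!KiTrap0E+0x233
a6ecca8c a97c6346 00760065 86c857d8 0044005c nt!IoGetRelatedDeviceObject+0x9
a6eccab4 a97cc27b 86c857d8 a6eccb74 a6eccb78 afd!AfdBeginAbort+0x1e
a6eccaf0 a9884476 00000000 a9884476 86a554e8 afd!AfdBReceiveEventHandler+0x4ff
WARNING: Stack unwind information not available. Following frames may be wrong.
a6eccb14 88dfb074 a6eccb30 86a554e8 a97c579e fwdrv+0x17476
a6eccc34 804edfe3 898d65a8 86d3f530 806d02d0 0x88dfb074
a6eccc44 80573dce 86d3f5a0 89992bd0 86d3f530 nt!IopfCallDriver+0x31

STACK_COMMAND: kb
MODULE_NAME: fwdrv
"""

# Constructed sample: excerpt of the second dump posted above (0xD1).
DUMP_B = """\
BugCheck D1, {65006d, 2, 0, a97a25da}
STACK_TEXT:
a6ff1aa8 a97a25da badb0d00 a6ff1b28 ffdff000 nt!KiTrap0E+0x233
a6ff1b34 a985a0f5 88521948 00000000 00000000 afd!AfdDisconnectEventHandler+0xc7
WARNING: Stack unwind information not available. Following frames may be wrong.
a6ff1b64 a985a27c a979d90a 88521948 874f7c30 fwdrv+0x140f5
a6ff1b8c a985bbc7 875a5670 00000004 a6ff1bcc fwdrv+0x1427c
a6ff1c44 80573dce 86cf4528 89c7ad48 86cf44b8 nt!IopfCallDriver+0x31

STACK_COMMAND: kb
MODULE_NAME: fwdrv
"""


def frame_module(symbol: str) -> Optional[str]:
    """Module owning a frame: 'nt!Func+0x9' -> 'nt', 'fwdrv+0x17476' -> 'fwdrv', raw '0x...' -> None."""
    if symbol.startswith("0x"):
        return None
    if "!" in symbol:
        return symbol.split("!", 1)[0]
    return symbol.split("+", 1)[0]


def has_symbols(symbol: str) -> bool:
    """WinDbg prints module!function when symbols resolved, bare module+offset when not."""
    return "!" in symbol


def as_utf16_text(value: int) -> Optional[str]:
    """Heuristic: a 32-bit value that is two printable ASCII UTF-16LE units (low unit first)."""
    units = [value & 0xFFFF, (value >> 16) & 0xFFFF]
    if all(0x20 <= u <= 0x7E for u in units):
        return "".join(chr(u) for u in units)
    return None


def triage(analyze_output: str) -> dict:
    """Extract bugcheck, decoded arguments, stack frames and the first unsymbolized module."""
    r = {"code": None, "name": None, "args": [], "frames": [], "module_name": None,
         "suspect_module": None, "address": None, "irql": None, "operation": None,
         "faulting_ip": None, "address_as_utf16": None, "unwind_warning": False}
    in_stack = False
    for raw in analyze_output.splitlines():
        line = raw.strip()
        m = BUGCHECK_RE.match(line)
        if m:
            r["code"] = int(m.group(1), 16)
            r["name"] = BUGCHECK_NAMES.get(r["code"], "UNKNOWN")
            r["args"] = [int(a, 16) for a in m.group(2).split(",")]
            continue
        if line.startswith("MODULE_NAME:"):
            r["module_name"] = line.split(":", 1)[1].strip()
        elif line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            if not line or line.startswith("STACK_COMMAND"):
                in_stack = False
            elif line.startswith("WARNING:"):
                r["unwind_warning"] = True          # frames below this may be misattributed
            else:
                fm = FRAME_RE.match(line)
                if fm:
                    r["frames"].append(fm.group(1))
    # First frame on the stack that belongs to a module without symbols is the usual suspect.
    for sym in r["frames"]:
        if frame_module(sym) is not None and not has_symbols(sym):
            r["suspect_module"] = frame_module(sym)
            break
    if r["code"] in IRQL_FAULT_CODES and len(r["args"]) == 4:
        r["address"], r["irql"], rw, r["faulting_ip"] = r["args"]
        r["operation"] = "read" if rw == 0 else "write"
        r["address_as_utf16"] = as_utf16_text(r["address"])
    return r


if __name__ == "__main__":
    for label, text in (("dump A", DUMP_A), ("dump B", DUMP_B)):
        t = triage(text)
        print(f"{label}: {t['name']} (0x{t['code']:X}) {t['operation']} of 0x{t['address']:08x} "
              f"at IRQL {t['irql']}; suspect module {t['suspect_module']}; "
              f"address as UTF-16: {t['address_as_utf16']!r}")
```

The UTF-16 check is only a hint, not proof: a pointer that decodes to text means something wrote string data where a pointer was expected, which is consistent with the third-party frame sitting right below the afd!/nt! frames in both stacks, but it does not by itself say which module did the writing.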
 
T, again, thanks for the reply and the help. I really want this firewall to work because it does everything I ask and is non-intrusive, unlike ZA. But these BSODs are ridiculous. The two minidumps that I posted here and you interpreted were from version 635, the third and most recent version I tried. Yet I still get the BSoDs. I've cleaned out all of the firewall and reinstalled. The only issue now is that it is a trial version of 635 and I can't seem to find where it will allow me to upgrade to the full version or at least let me put my purchase code in to bring it to a full version. I am still within a year's time of free upgrades. At this point I don't have NIPS or HIPS.

Now they have a version 734. I am wondering if I should just go ahead and install that instead.

By the way, how did you know it was a driver problem for Kerio? I could read my minidumps but I could not know it was specifically a Kerio driver problem.
 
Ok Route44,
I took fwdrv.sys and inserted into a Google search... try this yourself. Did you try the Kerio reset tool in the link I provided?
 
Tmagic650 said:
Ok Route44,
I took fwdrv.sys and inserted into a Google search... try this yourself. Did you try the Kerio reset tool in the link I provided?

Yes, I used the link you provided and downloaded and installed the tool. I don't know how you found it because when you go to Sunbelt's website I find it difficult, if not impossible, to find these tools links.

Another person at Wilder's Security Forums was able to link me to Sunbelt's tool to completely clean their SKPF from your system. But, again, I don't find it on their website. Could be though I am totally blind! ;)

The thing I like about the Wilder's Security forums, which are the official forums for Eset's NOD32 anti-virus product is that it contains the only active and very informative, as well as helpful, Firewall forum that I have come across on the 'net.

Oh, yes, before I forget, I was able to register my product and I am good to go up to September 27th.

By the way, do any trout fishing in Montana (yes, i checked your public profile)?
 
So are you good to go with the BSOD's now? I'm not much into fishing... Google is a powerful tool if you have enough patience to look through all the links.
 
Tmagic650 said:
So are you good to go with the BSOD's now? I'm not much into fishing... Google is a powerful tool if you have enough patience to look through all the links.

Yes, I think I am okay at this point. I'll see if another BSOD occurs under version 635. If it happens I'll know what to look for in the Minidump and I have no problem Googling and going through the links. I didn't realize I could do something as simple as Googling fwdrv.sys and get my answer. I thought one needed a strong background in tech knowledge in order to read it.

By the way, here is the latest 744 version from Sunbelt. I don't know what it all means, but I certainly took notice of the crash fixes at various points:

This is taken from the "readme".

* Corrected issue in which registration fails when firewall is enabled.
* Significant improvement in network performance when web filtering is enabled.
* Enhanced Process Injection prevention to prevent code inject attempts into Windows system DLLs.
* Corrected numerous application crashes in the firewall service.
* Corrected various crashes in assist.exe
* Corrected issue in which setting password and checking for update does not cancel authentication form.
* Corrected issue in which binary data appeared in logs.
* Significant improvement in product stability.
 