Blue screen message: 0x000000C2/0x0000050

Status
Not open for further replies.

diene1t

Hello!

I seem to be having an issue of Windows crashing and giving me the infamous blue screen with the error 0x000000C2, and it is also interchanged with 0x000000050.

It seems to happen at random times but usually within 5 or 10 mins.. sometimes right on restart when I get on desktop. It happens when I surf the net or even stay idle... when downloading.. anything.

I did not replace memory; I wanted to see what you guys thought first. I did, however, just reinsert the memory sticks and vid card hoping that would do the trick....nope. My system is DELL XPS GEN 2, Windows XP PRO SP2 etc.. should be all up to date. I have McAfee virus scanner.

I have included some recent minidump files 5/27/09 and 5/26/09 in the attachment. I don't know much on how to read those things but the file name ntoskrnl.exe seems to be common with the files.

Any help would be GREATLY appreciated!

Regards,

Tyler
 

All five of your errors are 0x00000050: PAGE_FAULT_IN_NONPAGED_AREA, which means requested data was not in memory. An invalid system memory address was referenced. Defective memory (including main memory, L2 RAM cache, video RAM) or incompatible software (including remote control and antivirus software) might cause this Stop message, as may other hardware problems (e.g., incorrect SCSI termination or a flawed PCI card).

One specifically cited the driver mfeavfk.sys which belongs to McAfee.

The other four simply cited hardware as the cause. Because you are getting such random crashes regardless of what you do and hardware is cited 4 out of 5 times I strongly suggest running Memtest on your RAM. We are testing for corrupted memory.

See this link and follow instructions: https://www.techspot.com/vb/topic62524.html

Let it run for a LONG time. The rule is a minimum of 7 Passes but more is fine. There are 8 individual tests per Pass. Many people will start this test before going to bed and check it the next day.

If you have errors you have corrupted memory and it needs to be replaced.

Also, with errors you need to run this test per stick of RAM. Take out one and run the test. Then take that one out and put the other in and run the test. If you start getting errors before 7 Passes you know that stick is corrupted and you don’t need to run the test any further on that stick.

Also, you mention in your post 0xC2 errors. These are caused by faulty drivers or buggy software. Because McAfee has been cited and if Memtest shows no errors you may want to consider updating McAfee or replacing it, but at this time let Memtest do its job.

* Get back to us with the results.
 
Ok, I seem to be having trouble getting the CD to work for memtest. I got a blank CD and downloaded the file memtest86+-2.11 and then burned the file called memtest.img, the only file in the package besides the security log.

I went to boot options and set it to only boot from cd rom ide device... all I get is a black screen?


- tyler
 
Is your drive placed as First Bootable in your BIOS? If not do so, place CD in drive and it should take over. Or you may need to reboot with CD in drive.
 
The memtest tutorial did include instructions for burning the iso, so you may have used Nero or some other software already.
If not... Are you sure that you burned an iso of memtest, or did you just copy the file to the cd?
If the latter, you will need to discard it (or use it as a coaster, or decoration, or...)
If you do not know, you probably just copied it...
You can tell by using Windows Explorer (File Manager) to navigate to the cd, and browse ...
 
I have been looking at your minidumps and everywhere on any mini-dump I have looked the cause seems to be on McAfee drivers.

Anyway, remove the antivirus and make sure the problem stopped. If not, please repost new mini-dumps without the antivirus installed.

Make sure all of the drivers are gone when uninstalling. Go to your Windows\System32\Drivers directory and verify that mfehidk.sys is NOT there.

EZ123
 
Thanks everyone for your help. I appreciate it.


What seems to be the issue is when I open the memtest 2.11.zip I get a folder called BOOT, then the only file in there is memtest.IMG and security log... I think the directions said something about a memtest2.11.ISO being there to burn to a CD? I don't see it. I used SONIC! record now for my burn software.

I could be screwing up the boot to CD but I don't think so.. I go to system set up and then go into boot options and make sure boot to cd-rom ide device is the only one checked? I think that's the BIOS, right?

I did uninstall McAfee and made sure that driver was no longer present and my computer has been running all night now with no crashes so that's something new... hopefully in the right direction. If it does crash I will post a new minidump for you guys. I also took out all memory sticks besides one and have been running on one memory stick and no crashes yet... :D
 
Damn! just got a crash today... here is the minidump still a 0x00000050 error. page not in default or something so that prob rules out the virus scanner then.
 
The 0x50 error simply cited hardware as the issue. The driver aswSP.sys could not load which belongs to Avast but I really doubt Avast is your issue (good choice, by the way).

Going back to my first response I still lean strongly to memory as the #1 suspect (but I can still be wrong).

* As for Memtest, when you unzip it there should be an icon labeled memtest.iso with a disk on a sheet of paper image. You should only have to double click that image and your burning software will pop up and easily make a disk.

Yes, your CD/DVD drive is placed as first bootable in your BIOS but make sure your harddrive is placed at least second.
 
diene1t,
just to make sure I understand: did you install Avast after removing McAfee antivirus, or were those two there in the first place?

If Avast was the replacement for the McAfee antivirus, I will suspect you have a third-party software that was not McAfee Antivirus but one that conflicts with the two antiviruses. Let me explain deeper. You may not understand what I am trying to say but it will provide a direction:

On most of your minidumps, your machine crashes on a specific operation (opcode). Here is the repetitive pattern:

a773abe4 805823eb e2829b60 d984ed78 a773acb0 nt!KeInitThread+0xa5
a773ac58 80582380 e109d378 a773acb0 00000004 nt!CmSetValueKey+0xd0
a773acec aa3e7a1b 000008a4 01a1ed90 00000000 nt!NtSetValueKey+0x228

NtSetValueKey is a Windows function that sets a value in the registry. Antivirus software hooks this function to be able to monitor any key that is being written to the registry. Most of the antiviruses and other products may require protection over their own files and registry keys, so they will protect those keys (you will not be able to change them). This is the way it is done. Hooking this function will help them to see if the product keys have changed, and if they have, it is possible to fail this function and protect the key.

Hooking is something that Windows does not support, and to do that developers need to do some nasty tricks. One of the most common problems is what will happen when two different products try to hook the same function. I suspect this is your issue here. While Avast does hook NtSetValueKey, it seems something else does it as well but in the bad way. That is the reason it failed.

Here is what the hooking looks like:
Code:
a773abe4 805823eb e2829b60 d984ed78 a773acb0 nt!KeInitThread+0xa5
a773ac58 80582380 e109d378 a773acb0 00000004 nt!CmSetValueKey+0xd0
a773acec aa3e7a1b 000008a4 01a1ed90 00000000 nt!NtSetValueKey+0x228
WARNING: Stack unwind information not available. Following frames may be wrong.
a773ad44 804dd99f 000008a4 01a1ed90 00000000 aswSP+0x8a1b
a773ad44 7c90e514 000008a4 01a1ed90 00000000 nt!KiFastCallEntry+0xfc

KiFastCallEntry is responsible for directing an application call to the kernel function using the service table. While calling NtSetValueKey, we can see that it first reaches aswSP.sys. This shows the hook. aswSP.sys then forwards the call to NtSetValueKey. This is the part which resolves the hook. My question is how CmSetValueKey called KeInitThread, which does not make any sense at all. And here we go deeper:

I have looked at the minidump stack and disassembled CmSetValueKey, and the real function that should have been called is CmpFindNameInList. Looking at the internal stack I do see a call to this function but something gets corrupted.

Here is the CmSetValueKey disassembly. I have looked at the return address from KeInitThread to see where the call to KeInitThread was done and here is what I saw:
Code:
kd> u 805823eb-5

** u = unassemble, -5 because we are on the return address. -5 will help us to get to the calling address and not the return address.

nt!CmSetValueKey+0xcb:
805823e6 e85a030000      call    nt!CmpFindNameInList (80582745)
805823eb 84c0            test    al,al

As you can see CmpFindNameinList is here. Now I'll look at the stack trace from KeInitThread :

Code:
kd> dps a773abe4-50
a773ab94  a773abe4
a773ab98  a773ac48
a773ab9c  00000030
a773aba0  00000000
a773aba4  e2829b60
a773aba8  0008dd50
a773abac  a773abe4
a773abb0  00000002
a773abb4  805755ad nt!KeInitThread+0xa5
a773abb8  00000008
a773abbc  00010202
a773abc0  8058276b nt!CmpFindNameInList+0x26
a773abc4  e2829b60
a773abc8  0008fc50
a773abcc  d984ed54
a773abd0  e109d378
a773abd4  0008dd50
a773abd8  a773aba8
a773abdc  00000001
a773abe0  ffffffff
a773abe4  a773ac58
a773abe8  805823eb nt!CmSetValueKey+0xd0
a773abec  e2829b60
a773abf0  d984ed78
a773abf4  a773acb0
a773abf8  a773ac2c
a773abfc  a773ac30
a773ac00  e2d5f6b8
a773ac04  00000000
a773ac08  00000004
a773ac0c  e109d378
a773ac10  8057302f nt!CmQueryValueKey+0x10d
kd> dps
a773ac14  01a1ecd8
a773ac18  00000000
a773ac1c  00000000
a773ac20  ffffffff
a773ac24  0008dd50
a773ac28  fc82d590
a773ac2c  e1a63fb8
a773ac30  00000001
a773ac34  e2829b60
a773ac38  0017cc90
a773ac3c  0073ac60
a773ac40  a773ac00
a773ac44  fc82d590
a773ac48  a773acdc
a773ac4c  804e2ed8 nt!_except_handler3
a773ac50  804f4208 nt!`string'+0x190
a773ac54  ffffffff
a773ac58  a773acec
a773ac5c  80582380 nt!NtSetValueKey+0x228

What we do see is that the function call is nt!CmpFindNameInList+0x26, and it means that the real crash was caused here, 0x26 bytes into CmpFindNameInList. Let's disassemble it:

Code:
kd> u nt!CmpFindNameInList
nt!CmpFindNameInList:
80582745 8bff            mov     edi,edi
80582747 55              push    ebp
80582748 8bec            mov     ebp,esp
8058274a 83ec0c          sub     esp,0Ch
8058274d 8b450c          mov     eax,dword ptr [ebp+0Ch]
80582750 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
80582754 53              push    ebx
80582755 56              push    esi
kd> u
nt!CmpFindNameInList+0x11:
80582756 57              push    edi
80582757 33ff            xor     edi,edi
80582759 3938            cmp     dword ptr [eax],edi
8058275b 0f8484a80300    je      nt!CmpFindNameInList+0xfb (805bcfe5)
80582761 ff7004          push    dword ptr [eax+4]
80582764 8b7508          mov     esi,dword ptr [ebp+8]
80582767 56              push    esi
80582768 ff5604          call    dword ptr [esi+4] <---
8058276b 8bd8            mov     ebx,eax

0x6b-0x45 = 0x26; the return address is 8058276b. The calling address is 80582768, which we can refer to as a call dword ptr [esi+4].

This is a dynamic call and may result in the crash. This is a very common compiled call, but with a minidump I just can't resolve it. I need to understand where [esi+4] addresses to. I assume that knowing that will probably show us the faulty driver. To continue with the next step I will have to get a kernel dump.

Here is how to generate a kernel dump :

Go to control panel -> System -> Choose Advanced tab.
Under "Startup and Recovery" press the Settings button.
Under System failure -> Write debugging Information -> Choose Kernel Dump.

You should notice the directory it chooses to dump the file. By default it should be dumped at \Windows\memory.dmp file.

When you finish setting up the kernel dump, just wait for the next BSOD. This time it will take much longer to create the dump. When the dump has been created, log back in to your machine. Zip the memory.dmp file and just send it over somehow. The dump is larger and may be the size of 100-200MB uncompressed.

EZ
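
An added example, not part of the original thread: a Python sketch that parses the stack trace quoted in the post above and reports any non-kernel module sitting between nt!KiFastCallEntry and the Nt* service routine, which is how the aswSP hook shows up in the trace. It also derives that module's load base from the return address; the function names are hypothetical.

```python
import re

# Stack trace copied from the post above (WinDbg kb/kv layout: ChildEBP,
# RetAddr, three arguments, then the symbol the frame is executing in).
TRACE = """\
a773abe4 805823eb e2829b60 d984ed78 a773acb0 nt!KeInitThread+0xa5
a773ac58 80582380 e109d378 a773acb0 00000004 nt!CmSetValueKey+0xd0
a773acec aa3e7a1b 000008a4 01a1ed90 00000000 nt!NtSetValueKey+0x228
WARNING: Stack unwind information not available. Following frames may be wrong.
a773ad44 804dd99f 000008a4 01a1ed90 00000000 aswSP+0x8a1b
a773ad44 7c90e514 000008a4 01a1ed90 00000000 nt!KiFastCallEntry+0xfc
"""

FRAME = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}"
    r"(\w+)(?:!(\w+))?\+0x([0-9a-f]+)$")

def parse_frames(text):
    """Return frames innermost-first; non-frame lines (WARNING) are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            ebp, ret, module, func, off = m.groups()
            frames.append({"ebp": int(ebp, 16), "ret": int(ret, 16),
                           "module": module, "func": func,
                           "offset": int(off, 16)})
    return frames

def find_syscall_hooks(frames, kernel="nt"):
    """List (module, service) for drivers between the dispatcher and Nt*."""
    hooks = []
    for i, f in enumerate(frames):
        if (f["module"], f["func"]) != (kernel, "KiFastCallEntry"):
            continue
        j, between = i - 1, []
        while j >= 0 and frames[j]["module"] != kernel:
            between.append(frames[j]["module"])
            j -= 1
        if j >= 0 and (frames[j]["func"] or "").startswith("Nt"):
            hooks += [(m, frames[j]["func"]) for m in between]
    return hooks

def module_base(frames, module):
    """Load base = inner frame's return address minus the module+offset."""
    for inner, outer in zip(frames, frames[1:]):
        if outer["module"] == module and outer["func"] is None:
            return inner["ret"] - outer["offset"]
    return None

if __name__ == "__main__":
    frames = parse_frames(TRACE)
    for mod, svc in find_syscall_hooks(frames):
        print(f"{mod} intercepts {svc}, image base {module_base(frames, mod):#x}")
```
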
 
BSOD after windows update

I too am experiencing the infamous BSOD. It usually happens directly following a windows automatic update. To get the machine operational again, I have to boot "last known good config.". Here's what I can provide on the error so far.

Bugcheck a. Parameters=
0x880
0xC
0x1
0xfffff80002a7e995

Insight please?
 
theatkinshomeb,
You may want to open your own thread so someone can help you. BSODs are not the same. There are plenty of types and reasons.

Open a new thread, post a minidump and someone will help you I believe.

EZ
 
Wow! This is pretty deep. haha. I set the settings to kernel debug under system failure, and am currently waiting for a BSOD.

I installed Avast after I thought it could have been a McAfee issue. I uninstalled McAfee and made sure the driver was no longer present, then installed Avast home edition scanner.

On the memtest issue: is there a specific program I need to unzip it? Maybe that is why I'm not seeing the iso file (just the .IMG (about 1 meg in size) and the security log)? I'm downloading the pre-compiled memtest86+2.11.iso.zip from memtest.org, the latest version.

Again, Thanks for all the help and education haha.


-tyler
 
Just some clarification: when the dump is created, place in a zip file and post as attachment.. correct? Hopefully it won't be too big to post, you think? I don't know what the limitations are exactly.

-tyler
 
Here we go, I got the kernel dump memory and am uploading to this link:

http://www.filefactory.com/file/ag400gg/n/MEMORY_zip

you can do the free download option and get it, its compressed to 24.3 mb

I also included the most recent crash minidump in attachments which was today.


I also got memtest to work! All the memory has passed. I ran the test 5-6 times on each stick and ran the test 3 times so far on all sticks... no errors.. I will run the test through the night just in case.

Thanks for all the help!!
 
I ran memtest 15 times with no errors. just wondering if we had any updates? I seem to still be getting the error 0x50. either right on start up or the computer will restart automatically a couple times then give me the blue screen error.
 
Sorry for the delay. I read your minidump and it only said hardware as the cause, but what hardware it doesn't say.

What power supply do you have? Are you able to go to your harddrive manufacturer's website and download and run their free utility to test your harddrive? If so run all the tests and tell us the results.

I know you uninstalled McAfee but have you checked to see if there are any remnants left?

Have you updated your NIC card drivers lately? If not, do so.
 