Memory dump help would be much appreciated

[drjon]

I've just upgraded to CommView 5.1 (as 5.0 used to cause BSODs and they assured me there are completely new drivers in 5.1 that will fix that).However I just had a crash while it was running, so I'd be very keen to find out if it was related to CommView or not. If someone could please spare a few minutes to look at the dump I would appreciate it.
Details are:
"The computer has rebooted from a bugcheck. The bugcheck was: 0x000000c5
(0xe56570d4, 0x00000002, 0x00000001, 0x8046a992). Microsoft Windows 2000
[v15.2195]. A dump was saved in: C:\WINNT\MEMORY.DMP."
(Not attaching the Memory Dump as 400MB
Minidump attached.
Thanks again
Jon

 

[elfi]

Well does your pc startup after this or does it just hang.
just go into your BIOS set first startup device to cd-rom
and than enter your windows installation cd into your drive
it wil than starup from your cd after that just do a repair maybe it'l help

 

[drjon]

Runs fine - I'm just keen to find out why it died so I can work around it to stop it happening again (e.g. update a driver, remove an offending app). It's usually very reliable which is why I'd like to chase this down, especially if it's a Commview issue as that could affect a lot of people.
Regards
John

 

[drjon]

Of course having said that, on another computer, I just noticed it has rebooted again (someone else had been playing on it and logged it on again, so I hadn't realised).
I'll include that minidump too. If someone can help with where it's dying I'd be grateful.
Jon

 

[cpc2004]

Hi,

Your windows is w2k sp4 and microsoft does not have the symbolic map for this version. I can't format your minidumps properly. However the full memory dump has the symbolic map. Install mircosoft kd and format the full memory at your windows. The first crash is bugcheck C2 and the second crash is bugcheck 0A. Probably it is caused by faulty ram. Run memtest to stress test the ram.

Mini011306-01.dmp BugCheck C5, {e56570d4, 2, 1, 8046a992}
Mini011306-02.dmp BugCheck A, {1c618f2, 2, 1, 80458f9c}


http://msdn.microsoft.com/msdnmag/issues/05/07/Debugging/

Install Windows Debugging Tools
1) Create folder c:\symbols
2) Download and install the http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
3) Locate your latest memory.dmp file- C:\WINNT\memory.dmp
4) open a CMD prompt and cd\program files\debugging tools for windows\
5) type the following stuff:

Code:
c:\program files\debugging tools>kd -z C:\WINNT\memory.dmp
kd> .logopen c:\debuglog.txt
kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q

You now have a debuglog.txt in c:\, open it in notepad and post the content to this thread.

 

[drjon]

Thanks, that was excellent help and well written. I'm enclosing the file. While I'm at it I don't suppose you could also post a similar instant guide to turning minidumps into human readable form - I always thought that would be useful to know. Also a bonus question - would the same kd commands be the correct ones to use if my XP system had died?
Thanks again
Jon.

 

[cpc2004]

Hi,

KD can analysis minidump at XP, W2k and W2K. From the stack trace of your debug report, the culprit is faulty memory.

 

[drjon]

I would like to ask why do you think it is faulty memory? I still think it's the Commview 5.1 drivers (The problems started when I installed it, I have uninstalled it and it's been stable ever since, but I'd really like to use it so would be nice to be sure).
Regards
Jon

 

[cpc2004]

Hi,

From the stack trace, I can't find footprint of commview and it is reason why I think it is faulty ram. If commview corrupt the memory, who knows. You can try "last known good config" to restore windows, if it is device driver problem.

STACK_TEXT:
f246bcd4 8044cfbe 821e0000 00000427 00000001 nt!RtlClearBits+0x4a
f246bcec 80440afb 00427082 003ffffc c03ddc10 nt!MiReleasePageFileSpace+0x42
f246bd50 80440186 c03ddc10 00000019 00000001 nt!MiMakeOutswappedPageResident+0x2c9
f246bd7c 8046397d 823a0a00 00000000 00000000 nt!MmInPageKernelStack+0x10e
f246bd90 80463942 00000000 00000000 00000000 nt!KiInSwapKernelStacks+0x2f
f246bda8 80454ab2 00000000 00000000 00000000 nt!KeSwapProcessOrStack+0x80
f246bddc 804692a2 804638c2 00000000 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

 

[joaquin.torres]

Here is a dump file

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 817ffff6, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 80847a69, address which referenced memory

Debugging Details:
------------------
READ_ADDRESS: 817ffff6
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiRemovePageByColor+21
80847a69 8a5e0e mov bl,[esi+0xe]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 80847a69 to 80837ed5

STACK_TEXT:
b8e87ac4 80847a69 badb0d00 00000015 80840440 nt!KiTrap0E+0x2a7
b8e87b58 8082f2b2 000fffff fa13846c bf908994 nt!MiRemovePageByColor+0x21
b8e87b90 8082f796 e19d3460 00008000 00000001 nt!MiResolveMappedFileFault+0x508
b8e87bc4 8084a5e8 00000000 bf908994 c02fe420 nt!MiResolveProtoPteFault+0x1a6
b8e87c5c 80849ce5 00000001 bf908994 c02fe420 nt!MiDispatchFault+0x834
STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!NtUserCallOneParam+23
bf87f76c 83ff20 cmp edi,0x20

SYMBOL_STACK_INDEX: 8

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!NtUserCallOneParam+23

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 42435de9

FAILURE_BUCKET_ID: 0xA_win32k!NtUserCallOneParam+23

BUCKET_ID: 0xA_win32k!NtUserCallOneParam+23

Followup: MachineOwner
---------

eax=f772713c ebx=00000002 ecx=00000001 edx=00000000 esi=f7727120 edi=817ffff6
eip=80837ed5 esp=b8e87aac ebp=b8e87ac4 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KiTrap0E+0x2a7:
80837ed5 833d00ee8a8000 cmp dword ptr [nt!KiFreezeFlag (808aee00)],0x0 ds:0023:808aee00=00000000
ChildEBP RetAddr Args to Child
b8e87ac4 80847a69 badb0d00 00000015 80840440 nt!KiTrap0E+0x2a7 (FPO: [0,0] TrapFrame @ b8e87ac4)
b8e87b58 8082f2b2 000fffff fa13846c bf908994 nt!MiRemovePageByColor+0x21 (FPO: [Non-Fpo])
b8e87b90 8082f796 e19d3460 00008000 00000001 nt!MiResolveMappedFileFault+0x508 (FPO: [Non-Fpo])
b8e87bc4 8084a5e8 00000000 bf908994 c02fe420 nt!MiResolveProtoPteFault+0x1a6 (FPO: [Non-Fpo])
b8e87c5c 80849ce5 00000001 bf908994 c02fe420 nt!MiDispatchFault+0x834 (FPO: [Non-Fpo])
b8e87cb8 80837d0a 00000000 bf908994 00000000 nt!MmAccessFault+0x64a (FPO: [Non-Fpo])
b8e87cb8 bf908994 00000000 bf908994 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ b8e87cd0)
b8e87d40 bf87f76c 00000000 b8e87d64 0012fcac win32k!_GetKeyboardType (FPO: [Non-Fpo])
b8e87d54 80834d3f 00000000 00000029 0012fcb8 win32k!NtUserCallOneParam+0x23 (FPO: [Non-Fpo])
b8e87d54 7c82ed54 00000000 00000029 0012fcb8 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ b8e87d64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fcb8 00000000 00000000 00000000 00000000 0x7c82ed54
start end module name
80800000 80a75000 nt ntkrnlmp.exe Thu Mar 24 18:42:08 2005 (42435E60)
80a75000 80aa1000 hal halmacpi.dll Thu Mar 24 18:28:37 2005 (42435B35)
b8906000 b8917980 NAVENG NAVENG.sys Mon Nov 28 18:03:55 2005 (438B9AEB)
b8918000 b89cdec0 NAVEX15 NAVEX15.sys Mon Nov 28 17:52:12 2005 (438B982C)
b8a46000 b8a71000 RDPWD RDPWD.SYS Thu Mar 24 18:27:16 2005 (42435AE4)
b8a9d000 b8aa0600 prepdrv prepdrv.sys Mon Jun 28 01:09:18 2004 (40DFB60E)
b8c79000 b8cb7000 NAVAP NAVAP.sys Thu Mar 04 20:01:02 2004 (4047DF5E)
b8cb7000 b8cc7a60 SYMEVENT SYMEVENT.SYS Wed May 14 00:45:43 2003 (3EC1D807)
b9790000 b97ba000 Fastfat Fastfat.SYS Thu Mar 24 18:40:20 2005 (42435DF4)
b98da000 b98e5000 TDTCP TDTCP.SYS Thu Mar 24 18:27:15 2005 (42435AE3)
b9a3a000 b9a4b000 NAVAPEL NAVAPEL.SYS Thu Mar 04 20:01:07 2004 (4047DF63)
b9b13000 b9b72000 srv srv.sys Thu Mar 24 18:40:19 2005 (42435DF3)
b9cb6000 b9cb8600 lm78nt lm78nt.sys Fri Apr 04 05:24:52 2003 (3E8D6B84)
ba02a000 ba033000 ndisuio ndisuio.sys Thu Mar 24 18:33:16 2005 (42435C4C)
ba072000 ba087000 Cdfs Cdfs.SYS Thu Mar 24 18:40:55 2005 (42435E17)
ba0d7000 ba0e8000 Fips Fips.SYS Thu Mar 24 18:40:33 2005 (42435E01)
ba0e8000 ba15e000 mrxsmb mrxsmb.sys Thu Mar 24 18:41:13 2005 (42435E29)
ba186000 ba1b6000 rdbss rdbss.sys Thu Mar 24 18:40:49 2005 (42435E11)
ba1b6000 ba1e0000 afd afd.sys unavailable (FFFFFFFE)
ba1e0000 ba211000 netbt netbt.sys Thu Mar 24 18:40:31 2005 (42435DFF)
ba211000 ba272000 tcpip tcpip.sys Thu Mar 24 18:40:31 2005 (42435DFF)
ba272000 ba28b000 ipsec ipsec.sys Thu Mar 24 18:40:49 2005 (42435E11)
ba34b000 ba35f000 usbhub usbhub.sys Thu Mar 24 18:30:46 2005 (42435BB6)
ba67f000 ba745000 dmboot dmboot.sys unavailable (FFFFFFFE)
ba79f000 ba7df000 update update.sys Thu Mar 24 18:40:27 2005 (42435DFB)
ba83f000 ba849000 Dxapi Dxapi.sys Tue Mar 25 01:06:01 2003 (3E7FFFD9)
ba85f000 ba86d000 dump_symmpi dump_symmpi.sys Fri May 23 09:15:25 2003 (3ECE2CFD)
ba86f000 ba879000 dump_diskdump dump_diskdump.sys Thu Mar 24 18:28:56 2005 (42435B48)
ba87f000 ba8b6000 rdpdr rdpdr.sys Thu Mar 24 18:30:20 2005 (42435B9C)
ba8b6000 ba8c9000 raspptp raspptp.sys Thu Mar 24 18:40:43 2005 (42435E0B)
ba8c9000 ba8e3000 ndiswan ndiswan.sys Thu Mar 24 18:40:46 2005 (42435E0E)
ba8e3000 ba8f8000 rasl2tp rasl2tp.sys Thu Mar 24 18:40:29 2005 (42435DFD)
ba8f8000 ba915a80 b57xp32 b57xp32.sys Mon Aug 23 16:49:29 2004 (412A6669)
ba916000 ba940000 USBPORT USBPORT.SYS Thu Mar 24 18:30:43 2005 (42435BB3)
ba940000 ba968000 ks ks.sys Thu Mar 24 18:41:03 2005 (42435E1F)
ba968000 ba97c000 redbook redbook.sys Thu Mar 24 18:28:46 2005 (42435B3E)
ba97c000 ba991000 cdrom cdrom.sys Thu Mar 24 18:28:57 2005 (42435B49)
ba991000 ba9a4000 i8042prt i8042prt.sys Thu Mar 24 18:41:05 2005 (42435E21)
ba9a4000 ba9b8000 mf mf.sys Thu Mar 24 18:34:12 2005 (42435C84)
ba9b8000 ba9d3000 VIDEOPRT VIDEOPRT.SYS Thu Mar 24 18:29:53 2005 (42435B81)
ba9d3000 baa26d80 ati2mpad ati2mpad.sys Thu Jul 18 20:13:20 2002 (3D3767B0)
baadd000 baae3000 TWGSYSIN TWGSYSIN.SYS Thu Apr 03 11:37:58 2003 (3E8C7176)
bab15000 bab1c160 tlmkagent_2_1_0_0 tlmkagent-2_1_0_0.sys Fri Jul 02 f7011000 f701a000 mssmbios mssmbios.sys Thu Mar 24 18:34:14 2005 (42435C86)
f7021000 f702d680 baspxp32 baspxp32.sys Wed Feb 05 14:17:52 2003 (3E417170)
f7031000 f703c000 ptilink ptilink.sys Thu Mar 24 18:28:25 2005 (42435B29)
f7051000 f7059ee0 smbushc smbushc.sys Fri Apr 04 05:23:40 2003 (3E8D6B3C)
f7061000 f706e000 wanarp wanarp.sys Thu Mar 24 18:34:07 2005 (42435C7F)
f7071000 f707a5a0 ibmcomw ibmcomw.sys Thu Jul 15 13:10:17 2004 (40F6C889)
f70c5000 f70c8f80 ibmhpa ibmhpa.sys Sat Feb 08 00:55:15 2003 (3E44A9D3)
f7101000 f7120000 Mup Mup.sys Thu Mar 24 18:40:49 2005 (42435E11)
f7120000 f7133080 rdacdisk rdacdisk.sys Thu Jul 22 12:04:56 2004 (40FFF3B8)
f7134000 f716a000 NDIS NDIS.sys Thu Mar 24 18:40:26 2005 (42435DFA)
f716a000 f71ff000 Ntfs Ntfs.sys Thu Mar 24 18:40:29 2005 (42435DFD)
f71ff000 f7226000 KSecDD KSecDD.sys Thu Mar 24 18:28:53 2005 (42435B45)
f7226000 f724b000 fltmgr fltmgr.sys Thu Mar 24 18:30:25 2005 (42435BA1)
f724b000 f725e000 CLASSPNP CLASSPNP.SYS Thu Mar 24 18:40:23 2005 (42435DF7)
f725e000 f727d000 SCSIPORT SCSIPORT.SYS Thu Mar 24 18:40:26 2005 (42435DFA)
f727d000 f7382120 ql2300 ql2300.sys Mon Jul 26 17:49:50 2004 (41058A8E)
f7383000 f739f000 atapi atapi.sys Thu Mar 24 18:28:49 2005 (42435B41)
f739f000 f73c9000 volsnap volsnap.sys Thu Mar 24 18:29:10 2005 (42435B56)
f73c9000 f73f5000 dmio dmio.sys Thu Mar 24 18:30:02 2005 (42435B8A)
f73f5000 f741c000 ftdisk ftdisk.sys Thu Mar 24 18:29:00 2005 (42435B4C)
f741c000 f7432000 pci pci.sys Thu Mar 24 18:34:14 2005 (42435C86)
f7432000 f7466000 ACPI ACPI.sys Thu Mar 24 18:34:09 2005 (42435C81)
f7487000 f7490000 WMILIB WMILIB.SYS Tue Mar 25 01:13:00 2003 (3E80017C)
f7497000 f74a6000 isapnp isapnp.sys Tue Mar 25 01:16:35 2003 (3E800253)
f74a7000 f74b4000 PCIIDEX PCIIDEX.SYS Thu Mar 24 18:28:48 2005 (42435B40)
f74b7000 f74c7000 MountMgr MountMgr.sys Thu Mar 24 18:27:23 2005 (42435AEB)
f74c7000 f74d2000 PartMgr PartMgr.sys Thu Mar 24 18:40:34 2005 (42435E02)
f74d7000 f74e5000 symmpi symmpi.sys Fri May 23 09:15:25 2003 (3ECE2CFD)
f74e7000 f74f7000 disk disk.sys Thu Mar 24 18:28:58 2005 (42435B4A)
f74f7000 f7503000 Dfs Dfs.sys Thu Mar 24 18:30:28 2005 (42435BA4)
Unloaded modules:
b8918000 b89ce000 NAVEX15.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
b8906000 b8918000 NAVENG.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
b8b73000 b8c29000 NAVEX15.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
b8ac1000 b8ad3000 NAVENG.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
b9ced000 b9d02000 Serial.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
f76f7000 f7705000 imapi.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f77d7000 f77df000 Sfloppy.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
f7507000 f7510000 smbushc.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
Closing open log file c:\debuglog.txt

 

[indytycoon]

I had this same problem, then I updated my video card drivers and it went away.

 

[drjon]

The problem here turned out to be ts_lb.sys, which is the part of CommView that identifies which process is sending network traffic.

I've been chasing them over it and after a couple of even more dud versions their latest effort seems good so far.

I've also worked out how to read memory dumps, which will be handy (though hopefully not too handy).

 

[cpc2004]

Hi Drjon,

From the stack trace we cannot find the footprint of ts_lb.sys. If ts_lb.sys corrupt the windows storage, we cannot find out the culprit unless we install a storage alternation trap to catch the culprit on the spot. For example, some version of ZoneAlarm caused blue screen problem, but most users with the same version do not encounter blue screen problem. Probably ZoneAlarm and some device driver use same piece of common system storage. ZA thinks it is owner of the storage and other device driver such as eMule also thinks it is owner of the storage. When emule is active and corrupt the storage of ZA. Consequently ZA accesses the corrupted storage and windows crashes.

I'm glad to know that your problem is resolved and thanks for your information.