Hi,
I hope someone can assist with the below memory dump.
The server had 3 BSOD in the last couple of weeks. Here is the latest dump. I was thinking it could be a printer driver. The below dump suggest anti-virus but that I know may not be correct. Is there anything here I am missing?
Loading Dump File [C:\MOC\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
************************************************************************
WARNING: Dump file has inconsistent set-bit count. Data may be missing.
************************************************************************
WARNING: Whitespace at start of path element
WARNING: Whitespace at start of path element
Symbol search path is: srv*c:\websymbols*
Executable search path is: c:\windows\System32; c:\windows\system\System32; [
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Machine Name:
Kernel base = 0x80400000 PsLoadedModuleList = 0x80485b80
Debug session time: Fri Feb 19 01:57:06.140 2010 (GMT+2)
System Uptime: 0 days 5:28:20.062
Loading Kernel Symbols
....................................Page ad5c not present in the dump file. Type ".hh dbgerr004" for details
...........................
........................................
Loading User Symbols
.................................................
Loading unloaded module list
Use !analyze -v to get detailed debugging information.
BugCheck D1, {0, ff, 0, 0}
*************************************************************************
Probably caused by : ntkrnlmp.exe ( nt!KiTrap0E+210 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory
Debugging Details:
------------------
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: pci!_FDO_EXTENSION ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
READ_ADDRESS: 00000000
CURRENT_IRQL: ff
FAULTING_IP:
+5cbf952f0348de7c
00000000 ?? ???
PROCESS_NAME: caiLogA2.exe
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
TRAP_FRAME: 8905fda8 -- (.trap 0xffffffff8905fda8)
ErrCode = 00000000
eax=804329d9 ebx=00000000 ecx=00000000 edx=8905fe00 esi=88cf1d60 edi=00000000
eip=00000000 esp=8905fe1c ebp=802b5000 iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=29d4 es=fe60 fs=fe88 gs=0000 efl=00010046
00000000 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from 00000000 to 8046b1bc
FAILED_INSTRUCTION_ADDRESS:
+5cbf952f0348de7c
00000000 ?? ???
STACK_TEXT:
8905fda8 00000000 00000000 00000000 00000000 nt!KiTrap0E+0x210
WARNING: Frame IP not in any known module. Following frames may be wrong.
8905fe18 00000000 00000000 00000000 00000000 0x0
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiTrap0E+210
8046b1bc f7457000000200 test dword ptr [ebp+70h],20000h
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!KiTrap0E+210
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4a781db2
FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiTrap0E+210
BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiTrap0E+210
Followup: MachineOwner
I hope someone can assist with the below memory dump.
The server had 3 BSOD in the last couple of weeks. Here is the latest dump. I was thinking it could be a printer driver. The below dump suggest anti-virus but that I know may not be correct. Is there anything here I am missing?
Loading Dump File [C:\MOC\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
************************************************************************
WARNING: Dump file has inconsistent set-bit count. Data may be missing.
************************************************************************
WARNING: Whitespace at start of path element
WARNING: Whitespace at start of path element
Symbol search path is: srv*c:\websymbols*
Executable search path is: c:\windows\System32; c:\windows\system\System32; [
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Machine Name:
Kernel base = 0x80400000 PsLoadedModuleList = 0x80485b80
Debug session time: Fri Feb 19 01:57:06.140 2010 (GMT+2)
System Uptime: 0 days 5:28:20.062
Loading Kernel Symbols
....................................Page ad5c not present in the dump file. Type ".hh dbgerr004" for details
...........................
........................................
Loading User Symbols
.................................................
Loading unloaded module list
Use !analyze -v to get detailed debugging information.
BugCheck D1, {0, ff, 0, 0}
*************************************************************************
Probably caused by : ntkrnlmp.exe ( nt!KiTrap0E+210 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 000000ff, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory
Debugging Details:
------------------
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: pci!_FDO_EXTENSION ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
READ_ADDRESS: 00000000
CURRENT_IRQL: ff
FAULTING_IP:
+5cbf952f0348de7c
00000000 ?? ???
PROCESS_NAME: caiLogA2.exe
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
TRAP_FRAME: 8905fda8 -- (.trap 0xffffffff8905fda8)
ErrCode = 00000000
eax=804329d9 ebx=00000000 ecx=00000000 edx=8905fe00 esi=88cf1d60 edi=00000000
eip=00000000 esp=8905fe1c ebp=802b5000 iopl=0 nv up di pl zr na pe nc
cs=0008 ss=0010 ds=29d4 es=fe60 fs=fe88 gs=0000 efl=00010046
00000000 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from 00000000 to 8046b1bc
FAILED_INSTRUCTION_ADDRESS:
+5cbf952f0348de7c
00000000 ?? ???
STACK_TEXT:
8905fda8 00000000 00000000 00000000 00000000 nt!KiTrap0E+0x210
WARNING: Frame IP not in any known module. Following frames may be wrong.
8905fe18 00000000 00000000 00000000 00000000 0x0
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiTrap0E+210
8046b1bc f7457000000200 test dword ptr [ebp+70h],20000h
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!KiTrap0E+210
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4a781db2
FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiTrap0E+210
BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiTrap0E+210
Followup: MachineOwner
