hey
I love your forums, in two days I found more infos, todos and small reasons to hope than on all other forums I tried before. I found many starts of explanation, but I don't have the trained eyes to go to the right conclusion.
So, following the procedure here
http://forums.majorgeeks.com/showthread.php?t=35246 that I found on another thread, I did analyze my minidumps a bit. I'll copy down a short version of them, keeping only what seems to be important to my n00b's eyes. If info is missing, the text export of Windbg is attached to this post.
I had this one three times, two times it came from smc.exe, sygate personal firewall (now bought by Norton
), once it was caused by svchost.exe, in which case the exception_code is different (see below).
Windbg extracts:
BugCheck 1000008E, {c0000005, 8054a51a, 9f66fc94, 0}
Probably caused by : memory_corruption
---------
0: kd> !analyze -v
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8054a51a, The address that the exception occurred at
Arg3: 9f66fc94, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!ExFreePoolWithTag+23a
8054a51a 668b4efa mov cx,word ptr [esi-6]
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0x8E
PROCESS_NAME: Smc.exe
/************************/
/* now the svchost exception: */
/************************/
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.
FAULTING_IP:
nt!IoCreateFile+77
80575797 ff ???
/*****************************/
All three tell me as BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT.
I also had a look at the BSOD and it gave me that:
/*****************************/
Unable to load image ha20x2k.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for ha20x2k.sys
*** ERROR: Module load completed but symbols could not be loaded for ha20x2k.sys
BugCheck 100000D1, {224, 2, 0, a1c400e7}
Probably caused by : ha20x2k.sys ( ha20x2k+a60e7 )
0: kd> !analyze -v
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arguments:
Arg1: 00000224, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: a1c400e7, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 00000224
CURRENT_IRQL: 2
FAULTING_IP:
ha20x2k+a60e7
a1c400e7 8b8324020000 mov eax,dword ptr [ebx+224h]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: BF2.exe
LAST_CONTROL_TRANSFER: from 00000000 to a1c400e7
STACK_TEXT:
bacc7dc4 00000000 898ca8d4 00000f97 a5ef6844 ha20x2k+0xa60e7
STACK_COMMAND: kb
FOLLOWUP_IP:
ha20x2k+a60e7
a1c400e7 8b8324020000 mov eax,dword ptr [ebx+224h]
SYMBOL_STACK_INDEX: 0
BUCKET_ID: 0xD1_ha20x2k+a60e7
So, I read something on your forums about that ha20x2ks.sys file from X-Fi causing BSOD, and maybe I'll have a problem with that too, but as the crashes seem to happen with different softwares (my firewall and svchost for the moment) and that memory_corruption is a term that appears quite some times here, I wonder if the guilty would be the RAM (which passed memtest 55 times for the memories), and if this default makes happen the other ones (so maybe my firewall is still ok ?).
Now what should I do next ? How can I know which stick is guilty if they pass memtest ? Should I try one stick at a time and try see which one causes the crashes and take that back to the shop ? Or should I go into software solutions (change my firewall, don't know what to do for svchost.exe and try to solve that ha20x2k.sys thing?)
Any advise would make my day...