Stop 0x0000000A(BOSD) error, please help!

Status
Not open for further replies.
hey EZ thanks for reply to me, I've found 22 minidump files on my C drive. I've attached five of the minidump files here, however, they are not the most recent one. If you want to see the most recent one, try to look for "Unable to open minidump files, please help me" post in Window OS forum, I've attached them there.
I hope you can find out what caused the BOSD from the minidump files, and also give me possible solution. Thank you
 
can you provide us with a scenario ? what are you doing when that you get the BSOD ?

in what intervals you are getting the BSOD ? 1 hour ? 1 day ? a month ?

as much information you will provide it will be easyer to find the source of the problem.

Cheers,
EZ
 
The BSOD only show up when I tried to shut down. This is the way I shut down: start -> turn off, just right after the screen " Window is shutting down", the BSOD immediately appear. Hope this will help
 
howard_hopkinso said:
All threads merged.

Please don`t open multiple threads for the same issue, it only gets confusing.

Thanks.

Regards Howard :)


Thanks Howard... I was following adu123 all over Techspot :D
 
adu123,

I have looked at your minidumps. I will suggest that you to remove win-defender and verify if its fixing your problem. if this will not fix your problem , it may be a virus/torjan that installed a rootkit on your system or other security software.

for more tech pepole that want to know what I have seen. here is a more detailed anaylsis :

looking at the minidumps , I have noticed a pattren, the pattren is that every dump is somehow related to accessing the processes list and looking at the process data structure.

here is one of the call stacks from the a dump :

bae0ca74 804fee8d babe27e0 00000e50 ff87f700 nt!ExpCopyThreadInfo+0xd
bae0cb04 80583b47 0010c008 00008000 bae0cd30 nt!ExpGetProcessInformation+0x153
bae0cd4c 804de7ec 00000005 0010c008 00008000 nt!NtQuerySystemInformation+0x728
bae0cd4c 7c90eb94 00000005 0010c008 00008000 nt!KiFastCallEntry+0xf8

as you can see , NtQuerySysteminformation is called. this is a native kernel function that basicly provide a user application with system information. by looking at the parameters passing to this function you can see : 804de7ec 00000005 0010c008 00008000 .

the first parameter is always the return address from this function, second parameter is the first parameter of the NtQuerySystemInformation. looking at the MSDN , i found that the 5 related to query the process list. it does make sense because the next function : ExpGetProcessInformation.

ExpGetProcessInformation is kind of a sub-function of NtQuerySystemInformation that provides the processes information. (or a specific process information).

The next operation is nt!ExpCopyThreadInfo. the ExpGetprocessInformation is trying to get some of the process thread information,but this time crashes.

dumping on my PC the nt!ExpCopyThreadInfo shows :

nt!ExpCopyThreadInfo:
804fed85 8bff mov edi,edi
804fed87 55 push ebp
804fed88 8bec mov ebp,esp
804fed8a 56 push esi
804fed8b 8b7508 mov esi,dword ptr [ebp+8]
804fed8e 57 push edi
804fed8f 8b7d0c mov edi,dword ptr [ebp+0Ch]
804fed92 8b87440100 mov eax,dword ptr [edi+144h]

the crash is related to 804fed92, which shows that a parameter to the EXpCopyThreadInfo function is currpted. the register edi recieved a parameter from [ebp+0c]. now eax is trying to access a member variable of the last parameter in offset 0x144 (edi+144h). and crash.

looking at the CPU registers when the crash accords shows :
kd> r
eax=00000e50 ebx=babe2668 ecx=ff9b1c03 edx=00000000 esi=babe27e0 edi=00000e50
eip=804fed92 esp=bae0ca6c ebp=bae0ca74 iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!ExpCopyThreadInfo+0xd:
804fed92 8b8744010000 mov eax,dword ptr [edi+144h] ds:0023:00000f94=????????

edi -> e50. e50 is not a valid address , and the OS crashed. (address that small mostly means an invalid virtual address).

so somthing did happen to one of the processes data-structures before the crash. from my experience , problems like that accords while using service table hooking. both virus/rootkits/security application are doing things like that. one of the most known reason they do is to hide their product processes.

another thing to point out is that the process that tried to query the processes information in the first place is : MsMpEng.exe.

MsMpEng is part of Windows Defender. but this still doesn't say that the cause of the crash is WinDefender. but their is a big chance it does related to it.

Cheers,
EZ
 
I forgot to tell you one thing, I've perform a full system recovery one month ago, ever since then the BSOD started to show up. So I don't think the cause is related to virus, trojan, spyware..... As for window denfender, I've already uninstall it, but it didn't solve the BSOD issue. You told me you've looked at those minidump, can't you fine out the exact cause from them. Anyway, thank you for helping me
 
if you did change couple things in your PC I will suggest that you will provide the most recent dumps.

after a full system recovery you are not virus safe. you are safer but not 100%.

give your more recent dump and I'll take a look at it. if you will provide me a kernel dump (not a mini dump) I will probably be able to find exactly the cause.

EZ
 
go to control panel -> System -> Choose Advanced tab -> press setting button on statup and recovery -> then change "Write debugging information" to Kernel memory dump.

when you will blue-screen again , your PC will dump the kernel memory to the file specifed (by default : %SystemRoot%\Memory.dmp which means WINDOWS\memory.dmp)

the file may be couple of MBs so you will have to somehow uploaded it.

EZ
 
This problem is related to hardware as one minudmp is crashed with NT status code D. The maximum size of each attachment at this website is 100K. The kernel dump is 100MB abd you have to upload the kernel dump to some website which provides free upload. The kernel dump has the kernel memory unless you want to check the value of kernel memory to confirm the root cause of the problem. We don't have the documentation and logic flow of Microsoft driver or non Microsoft device driver. It is very difficult to interperet the kernel data without the device driver documentation. I have three years of deug experience and less than 5 cases that I require the kernel and full memory dump.
 
Can you find out what cause the BSOD from those minidump I provided? you said the cause is related to the hardware, can you be more specific about that? please ask me if you need any information about my computer in order for you the find out the cause, I will try to answer it the best I can. Thank you for your reply

I don't know how to upload kernel dump, can someone help me out here?
 
Minidump Mini072107-02.dmp is crashed with BC 7F with NT Status code d. Usually it is the symptom of hardware error but it may have exception.

Mini072107-02.dmp BugCheck 1000007F, {d, 0, 0, 0}
Probably caused by : KSecDD.sys ( KSecDD!GatherRandomKey+2a3 )
Failing instruction
nt!ExpGetProcessInformation+0x15c:
80500ab7 8b3f mov edi,dword ptr [edi] ds:0023:ffffffff=????????

Your windows has Acer Modem Driver. The previous version of this driver has known problem which cause BC 7F. You had better re-install the ACER modem driver from Acer WebSite.

Your version of Acer Modem Driver
AGRSM.sys Tue Jun 29 21:07:16 2004 (40E16984)
 
most of the pepole here are not usinkernel dumps to analysis problems.

do u have msn messenger ?

you can upload it throgh messenger to me.
 
Does that mean I am having the previous version of this driver (Acer Modem Driver) install on my computer? Can you also find out what caused the other two BSOD: Stop 0xA and Stop 0x50? Just ask if you need any info about my computer. Thank you

yes, I have
 
The version which has bugcheck 7F is at Fri Jul 25 23:22:50 2003.

Search google with the keyword "BOSD and agrsm.sys" and you will find my post relating to the problem agrsm.sys.
 
You don`t need to zip the dumpfiles up, you can attach them directly to your next reply.

Click the reply button and Scroll down until you see a button Manage Attachments. Click on that and a popup-window opens.
Click on the Browse button, find the minidump file on your PC and doubleclick on it.
Now click on the Upload button in the popup. When done, repeat for anyother minidump files you wish to attach. Then, once you`re finished, click on the Close this window button.
Finish your message-text, then click on Submit Message.

Regards Howard :)
 
Can I attach the kernel dump in my message? They told I can't do that because the kernel dump is too large? Is that true?

Hey EZ123, sorry for the delay, I already have the kernel dump you asked for. If you can give me your MSN e-mail address, I can send it to you right away. I hope you will be able to find out the EXACT cause of the BSOD from it. Thank you. CHEER!
 
Sorry, but no you can`t attach a kernel dump as it`s too large(100mB) and we have a limit of 100kB.

Have you ran Memtest86+ as was suggested? If not, you should do so.

Also, take a look at the posts in this thread by cpc2004.

Regards Howard :)
 
Status
Not open for further replies.
Back