Für den ersten Bluescreen von heute:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini092510-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\symbols*
http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100427-1636
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sat Sep 25 12:02:28.156 2010 (UTC + 2:00)
System Uptime: 0 days 0:01:27.126
Loading Kernel Symbols
...............................................................
..................................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 10000050, {e2acc150, 0, 8054c023, 1}
Could not read faulting driver name
Probably caused by : ntkrpamp.exe ( nt!ExAllocatePoolWithTag+6bb )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e2acc150, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8054c023, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: e2acc150
FAULTING_IP:
nt!ExAllocatePoolWithTag+6bb
8054c023 668b11 mov dx,word ptr [ecx]
MM_INTERNAL_CODE: 1
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: svchost.exe
LAST_CONTROL_TRANSFER: from b7e66a92 to 8054c023
STACK_TEXT:
b3dc448c b7e66a92 00000001 e2acc150 3066744e nt!ExAllocatePoolWithTag+0x6bb
b3dc44a4 b7e6a4ec 8a4487e0 e2ef58e8 0000004a Ntfs!NtfsInsertHashEntry+0x15
b3dc457c b7e6a6f5 b3dc47f8 897f86a8 897f885c Ntfs!NtfsOpenFile+0x53b
b3dc47d4 b7e5a042 b3dc47f8 897f86a8 b3dc4928 Ntfs!NtfsCommonCreate+0x134a
b3dc4980 b7ee0f70 897f86a8 b3dc4c00 8a448020 Ntfs!NtfsNetworkOpenCreate+0x8a
b3dc49a0 b7eee0e8 897f86a8 b3dc4c00 8a44cba8 sr!SrFastIoQueryOpen+0x40
b3dc49c0 b7efac27 000000f2 00000000 b3dc49f8 fltmgr!FltpPerformFastIoCall+0x300
b3dc4a18 805830fe 897f86a8 b3dc4c00 8a37f208 fltmgr!FltpFastIoQueryOpen+0xa1
b3dc4b04 805bf434 8a4a3030 00000000 8a0643c0 nt!IopParseDevice+0x916
b3dc4b7c 805bb9c0 00000000 b3dc4bbc 00000040 nt!ObpLookupObjectName+0x53c
b3dc4bd0 80576fc7 00000000 00000000 e56c6901 nt!ObOpenObjectByName+0xea
b3dc4d54 8054164c 01b3fb4c 01b3fb88 01b3fb6c nt!NtQueryAttributesFile+0xf1
b3dc4d54 7c90e514 01b3fb4c 01b3fb88 01b3fb6c nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
01b3fb6c 00000000 00000000 00000000 00000000 0x7c90e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExAllocatePoolWithTag+6bb
8054c023 668b11 mov dx,word ptr [ecx]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!ExAllocatePoolWithTag+6bb
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4bd6e0e8
FAILURE_BUCKET_ID: 0x50_nt!ExAllocatePoolWithTag+6bb
BUCKET_ID: 0x50_nt!ExAllocatePoolWithTag+6bb
Followup: MachineOwner
---------
-------------------------------------------------------------------------------------------------------------------------
Für den zweiten Bluescreen von heute:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini092510-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\symbols*
http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100427-1636
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sat Sep 25 13:06:13.203 2010 (UTC + 2:00)
System Uptime: 0 days 1:03:03.176
Loading Kernel Symbols
...............................................................
.................................................
Loading User Symbols
Loading unloaded module list
................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {c0004800, 2, 0, 8051192c}
Probably caused by : memory_corruption ( nt!MiDeleteValidAddress+2e )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: c0004800, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 8051192c, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: c0004800
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiDeleteValidAddress+2e
8051192c 8b0f mov ecx,dword ptr [edi]
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: avwsc.exe
LAST_CONTROL_TRANSFER: from 805b0233 to 8051192c
STACK_TEXT:
b42f2c14 805b0233 00900201 8a23a020 007ffff8 nt!MiDeleteValidAddress+0x2e
b42f2c34 80513517 8a23a020 8a23a158 8a23a020 nt!MiDeleteAddressesInWorkingSet+0x65
b42f2c68 805d26ea 0023a020 89668da8 89668ff0 nt!MmCleanProcessAddressSpace+0x193
b42f2d08 805d28ac 00000000 89668da8 00000000 nt!PspExitThread+0x680
b42f2d28 805d2a87 89668da8 00000000 b42f2d64 nt!PspTerminateThreadByPointer+0x52
b42f2d54 8054164c 00000000 00000000 0012fec0 nt!NtTerminateProcess+0x105
b42f2d54 7c90e514 00000000 00000000 0012fec0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fec0 00000000 00000000 00000000 00000000 0x7c90e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiDeleteValidAddress+2e
8051192c 8b0f mov ecx,dword ptr [edi]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!MiDeleteValidAddress+2e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4bd6e0e8
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0xA_nt!MiDeleteValidAddress+2e
BUCKET_ID: 0xA_nt!MiDeleteValidAddress+2e
Followup: MachineOwner
---------
-------------------------------------------------------------------------------------------------------------------------
Für den ersten Bluescreen vom 5.9.2010
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini090510-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\symbols*
http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100427-1636
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sun Sep 5 20:53:01.421 2010 (UTC + 2:00)
System Uptime: 0 days 0:00:25.375
Loading Kernel Symbols
...............................................................
.......................................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 8054bfcb, b8317820, 0}
Probably caused by : ntkrpamp.exe ( nt!ExAllocatePoolWithTag+663 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8054bfcb, The address that the exception occurred at
Arg3: b8317820, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!ExAllocatePoolWithTag+663
8054bfcb 8b06 mov eax,dword ptr [esi]
TRAP_FRAME: b8317820 -- (.trap 0xffffffffb8317820)
ErrCode = 00000000
eax=8a5532e8 ebx=8a553078 ecx=8a5532e8 edx=00000003 esi=017f0660 edi=000001ff
eip=8054bfcb esp=b8317894 ebp=b83178e8 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217
nt!ExAllocatePoolWithTag+0x663:
8054bfcb 8b06 mov eax,dword ptr [esi] ds:0023:017f0660=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: lsass.exe
LAST_CONTROL_TRANSFER: from 805bfdc1 to 8054bfcb
STACK_TEXT:
b83178e8 805bfdc1 00000001 00000001 7153624f nt!ExAllocatePoolWithTag+0x663
b831790c 805c0174 e2022d68 b8317938 b831792c nt!ObpGetObjectSecurity+0x53
b831793c 8062e967 e2022d68 8a0a2be8 00000001 nt!ObCheckObjectAccess+0x2c
b8317988 8062f608 e19c2758 00000868 00000000 nt!CmpDoOpen+0x2d5
b8317b88 805bf011 00000868 00000000 8a0a2be8 nt!CmpParseKey+0x5a6
b8317c00 805bb9c0 000000f4 b8317c40 00000040 nt!ObpLookupObjectName+0x119
b8317c54 80624d6e 00000000 8a51c210 805bc401 nt!ObOpenObjectByName+0xea
b8317d50 8054164c 000be984 0002001f 0099f848 nt!NtOpenKey+0x1c8
b8317d50 7c90e514 000be984 0002001f 0099f848 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0099f830 00000000 00000000 00000000 00000000 0x7c90e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExAllocatePoolWithTag+663
8054bfcb 8b06 mov eax,dword ptr [esi]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!ExAllocatePoolWithTag+663
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4bd6e0e8
FAILURE_BUCKET_ID: 0x8E_nt!ExAllocatePoolWithTag+663
BUCKET_ID: 0x8E_nt!ExAllocatePoolWithTag+663
Followup: MachineOwner
---------
-------------------------------------------------------------------------------------------------------------------------
Für den zweiten Bluescreen vom 5.9.2010
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini090510-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\symbols*
http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.100427-1636
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sun Sep 5 20:57:01.609 2010 (UTC + 2:00)
System Uptime: 0 days 0:03:23.188
Loading Kernel Symbols
...............................................................
............................................
Loading User Symbols
Loading unloaded module list
..........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {1c, 2, 1, 805257c1}
Probably caused by : memory_corruption ( nt!MiDecrementCloneBlockReference+b )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000001c, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 805257c1, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 0000001c
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiDecrementCloneBlockReference+b
805257c1 ff4b1c dec dword ptr [ebx+1Ch]
CUSTOMER_CRASH_COUNT: 2
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: avgnt.exe
LAST_CONTROL_TRANSFER: from 80523d54 to 805257c1
STACK_TEXT:
b3be7a7c 80523d54 00000000 ffdfffff 8976a768 nt!MiDecrementCloneBlockReference+0xb
b3be7ab8 80523fd8 00000000 00333000 00000000 nt!MiDeletePte+0x392
b3be7b80 8051a1fd e14e2698 00335fff 00000000 nt!MiDeleteVirtualAddresses+0x164
b3be7c30 80513583 8976a768 898739b8 8976a8a0 nt!MiRemoveMappedView+0x237
b3be7c68 805d26ea 0176a768 89765268 897654b0 nt!MmCleanProcessAddressSpace+0x1ff
b3be7d08 805d28ac 00000000 89765268 00000000 nt!PspExitThread+0x680
b3be7d28 805d2a87 89765268 00000000 b3be7d64 nt!PspTerminateThreadByPointer+0x52
b3be7d54 8054164c 00000000 00000000 0012fec0 nt!NtTerminateProcess+0x105
b3be7d54 7c90e514 00000000 00000000 0012fec0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fec0 00000000 00000000 00000000 00000000 0x7c90e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiDecrementCloneBlockReference+b
805257c1 ff4b1c dec dword ptr [ebx+1Ch]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!MiDecrementCloneBlockReference+b
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4bd6e0e8
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0xA_nt!MiDecrementCloneBlockReference+b
BUCKET_ID: 0xA_nt!MiDecrementCloneBlockReference+b
Followup: MachineOwner
---------