Archive - Suddenly BSOD?

The archive is a frozen moment from a previous version of this forum, with different rules and different bosses. These posts in no way reflect our current ideas, values or worldviews and have been censored in some places for being inadmissible. Many were made in a different spirit of the times, ironically or not - such as in the ironic Off-Topic subforum - and would not (be allowed to) be posted today. Still, we gladly offer this archive as an information database and reference work. Read more about it here or start a conversation with others.

Exit

Legacy Member
turn off automatic reboot and read the errors on the screen
run memtest86

are you doing anything in particular when it happens?

mausdabber

Legacy Member
I ran your dumps through windbg for a bit. You'd best set kernel dump instead of mini dump, then windbg can give more information.

Of the 4 dumps, there are 2 each with the same cause:
* 010911-22734-01.dmp, 010911-25078-01.dmp: crash in msrpc.sys, process conhost.exe.
* 011011-23468-01.dmp, 011011-25234-01.dmp: crash in ntkrnlmp.exe, process iexplore.exe.

Both are pointer errors. Could be that these are bugs in the OS, or memory corruption caused by bad drivers, or broken memory. You can search a bit with Google; maybe someone else has had the same bugchecks.


---------- 010911-22734-01.dmp ----------

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\DOWNLOAD\dumps\010911-22734-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*DownstreamStore*Symbol information
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0xfffff800`02c4d000 PsLoadedModuleList = 0xfffff800`02e8ae50
Debug session time: Sun Jan 9 19:11:07.560 2011 (GMT+1)
System Uptime: 0 days 0:01:20.326
Loading Kernel Symbols
...............................................................
................................................................
............................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {90, 2, 0, fffff80002cc4995}

Probably caused by : msrpc.sys ( msrpc!LRPC_CASSOCIATION::OpenSecurityContext+118 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000090, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80002cc4995, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ef50e0
0000000000000090

CURRENT_IRQL: 2

FAULTING_IP:
nt!KiCommitThreadWait+1d5
fffff800`02cc4995 488bbb90000000 mov rdi,qword ptr [rbx+90h]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: conhost.exe

TRAP_FRAME: fffff88009c3f2f0 -- (.trap 0xfffff88009c3f2f0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000007fffffd0001 rbx=0000000000000000 rcx=fffff88009c3f440
rdx=00000000000007ff rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002cc4995 rsp=fffff88009c3f480 rbp=0000000000000001
r8=0000000000000000 r9=0000000000007e00 r10=0000000000000009
r11=fffffa8005c1c4be r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!KiCommitThreadWait+0x1d5:
fffff800`02cc4995 488bbb90000000 mov rdi,qword ptr [rbx+90h] ds:00000000`00000090=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80002cbcca9 to fffff80002cbd740

STACK_TEXT:
fffff880`09c3f1a8 fffff800`02cbcca9 : 00000000`0000000a 00000000`00000090 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`09c3f1b0 fffff800`02cbb920 : fffffa80`0746ea20 00000000`00000000 00000000`0d640318 fffff880`009e9180 : nt!KiBugCheckDispatch+0x69
fffff880`09c3f2f0 fffff800`02cc4995 : fffffa80`07fb9b60 fffffa80`07fb9b60 fffff800`00000000 fffff880`00000001 : nt!KiPageFault+0x260
fffff880`09c3f480 fffff800`02cc6cff : fffff880`009e9180 fffff880`009e9180 00000000`00000073 fffffa80`073296d0 : nt!KiCommitThreadWait+0x1d5
fffff880`09c3f510 fffff880`014631c8 : 00000000`00000000 fffff8a0`00000000 00000000`00000000 fffffa80`07d10200 : nt!KeWaitForSingleObject+0x19f
fffff880`09c3f5b0 fffff880`0146205d : fffffa80`07fb9b60 fffff8a0`0244fd30 00000000`00000001 fffffa80`cd637052 : msrpc!LRPC_CASSOCIATION::OpenSecurityContext+0x118
fffff880`09c3f620 fffff880`0146237b : fffff8a0`01efbd30 00000000`00000000 fffff8a0`01efbd30 fffff8a0`0244fd30 : msrpc!LRPC_BASE_BINDING_HANDLE::BaseBindingCopy+0x15d
fffff880`09c3f760 fffff880`014659d2 : fffff8a0`0244fd30 fffff8a0`0244fd30 00000000`00000001 00000000`00000058 : msrpc!LRPC_FAST_BINDING_HANDLE::BindingCopy+0x8b
fffff880`09c3f790 fffff960`003154f3 : fffff8a0`02430340 fffff900`c07ddce0 00000000`00000001 00000000`000007ff : msrpc!RpcBindingCopy+0x42
fffff880`09c3f7c0 fffff960`000924b1 : fffff900`c07ddce0 00000000`00000000 fffffa80`07b50b30 00000000`00000000 : win32k!PlaySoundPostMessage+0x77
fffff880`09c3f820 fffff960`000ed081 : 00000000`00000030 fffffa80`07fb9b60 fffff880`09c3fc20 fffffa80`07b50b30 : win32k!PostPlaySoundMessage+0x25
fffff880`09c3f850 fffff960`000e421f : fffff900`c07ddce0 fffff880`09c3fc20 00000000`ffffffff fffffa80`07b50b30 : win32k!DestroyProcessInfo+0x125
fffff880`09c3f880 fffff960`000e431a : fffffa80`06c9ab00 fffff900`c07ddce0 00020508`00000000 fffff8a0`00146401 : win32k!xxxUserProcessCallout+0x15f
fffff880`09c3f8d0 fffff800`02fa2a01 : fffffa80`06c9aba0 00000000`00000000 00000000`00000000 fffffa80`07fb9b60 : win32k!W32pProcessCallout+0x4e
fffff880`09c3f900 fffff800`02f7b635 : 00000000`00000000 fffff800`02fbc101 fffffa80`78457300 00000000`00000000 : nt!PspExitThread+0x561
fffff880`09c3f9c0 fffff800`02c9a1db : fffffa80`07dd4001 fffffa80`07aed710 00000000`00000000 00000000`00000000 : nt!PsExitSpecialApc+0x1d
fffff880`09c3f9f0 fffff800`02c9a620 : 00000000`003df690 fffff880`09c3fa70 fffff800`02f7b74c 00000000`00000001 : nt!KiDeliverApc+0x2eb
fffff880`09c3fa70 fffff800`02cbca37 : 00000000`000004de 00000000`00000001 fffffa80`07fb9b60 0000007f`ffffffff : nt!KiInitiateUserApc+0x70
fffff880`09c3fbb0 00000000`771a008a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x9c
00000000`01c1ed28 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x771a008a


STACK_COMMAND: kb

FOLLOWUP_IP:
msrpc!LRPC_CASSOCIATION::OpenSecurityContext+118
fffff880`014631c8 8b7710 mov esi,dword ptr [rdi+10h]

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: msrpc!LRPC_CASSOCIATION::OpenSecurityContext+118

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: msrpc

IMAGE_NAME: msrpc.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc17c

FAILURE_BUCKET_ID: X64_0xA_msrpc!LRPC_CASSOCIATION::OpenSecurityContext+118

BUCKET_ID: X64_0xA_msrpc!LRPC_CASSOCIATION::OpenSecurityContext+118

Followup: MachineOwner
---------




---------- 011011-23468-01.dmp ----------


Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\DOWNLOAD\dumps\011011-23468-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*DownstreamStore*Symbol information
Executable search path is:
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0xfffff800`02c4c000 PsLoadedModuleList = 0xfffff800`02e89e50
Debug session time: Mon Jan 10 08:13:18.708 2011 (GMT+1)
System Uptime: 0 days 0:25:53.473
Loading Kernel Symbols
...............................................................
................................................................
...........................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000005, fffff80002c9c7e7, 0, 7efa0000}

Probably caused by : ntkrnlmp.exe ( nt!RtlImageNtHeaderEx+3f )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002c9c7e7, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 000000007efa0000, Parameter 1 of the exception

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!RtlImageNtHeaderEx+3f
fffff800`02c9c7e7 66390a cmp word ptr [rdx],cx

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 000000007efa0000

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ef40e0
000000007efa0000

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x1E

PROCESS_NAME: iexplore.exe

CURRENT_IRQL: 0

EXCEPTION_RECORD: fffff88002ffd768 -- (.exr 0xfffff88002ffd768)
ExceptionAddress: fffff80002c9c7e7 (nt!RtlImageNtHeaderEx+0x000000000000003f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000007efa0000
Attempt to read from address 000000007efa0000

TRAP_FRAME: fffff88002ffd810 -- (.trap 0xfffff88002ffd810)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000005a4d
rdx=000000007efa0000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002c9c7e7 rsp=fffff88002ffd9a8 rbp=fffff88002ffdae0
r8=0000000000000000 r9=fffff88002ffd9e8 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!RtlImageNtHeaderEx+0x3f:
fffff800`02c9c7e7 66390a cmp word ptr [rdx],cx ds:00000000`7efa0000=????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff80002cf6a39 to fffff80002cbc740

STACK_TEXT:
fffff880`02ffcf98 fffff800`02cf6a39 : 00000000`0000001e ffffffff`c0000005 fffff800`02c9c7e7 00000000`00000000 : nt!KeBugCheckEx
fffff880`02ffcfa0 fffff800`02cbbd82 : fffff880`02ffd768 fffffa80`064e6010 fffff880`02ffd810 fffffa80`05240b60 : nt!KiDispatchException+0x1b9
fffff880`02ffd630 fffff800`02cba8fa : 00000000`00000000 fffffa80`064e6010 fffffa80`05240b00 fffff880`02ffd970 : nt!KiExceptionDispatch+0xc2
fffff880`02ffd810 fffff800`02c9c7e7 : fffff800`02c9c872 00000000`00000010 00000000`00000082 fffff880`02ffd9d8 : nt!KiPageFault+0x23a
fffff880`02ffd9a8 fffff800`02c9c872 : 00000000`00000010 00000000`00000082 fffff880`02ffd9d8 fffffa80`05240b60 : nt!RtlImageNtHeaderEx+0x3f
fffff880`02ffd9b0 fffffa80`06208d7c : fffff880`02ffdae0 00000000`00000000 fffffa80`0620d260 fffffa80`062115a0 : nt!RtlImageNtHeader+0x1e
fffff880`02ffd9e0 fffff880`02ffdae0 : 00000000`00000000 fffffa80`0620d260 fffffa80`062115a0 00000000`00000000 : 0xfffffa80`06208d7c
fffff880`02ffd9e8 00000000`00000000 : fffffa80`0620d260 fffffa80`062115a0 00000000`00000000 00000000`00000000 : 0xfffff880`02ffdae0


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!RtlImageNtHeaderEx+3f
fffff800`02c9c7e7 66390a cmp word ptr [rdx],cx

SYMBOL_STACK_INDEX: 4

SYMBOL_NAME: nt!RtlImageNtHeaderEx+3f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4c1c44a9

FAILURE_BUCKET_ID: X64_0x1E_nt!RtlImageNtHeaderEx+3f

BUCKET_ID: X64_0x1E_nt!RtlImageNtHeaderEx+3f

Followup: MachineOwner
---------
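
The triage described in the post above (read the bugcheck line, find the referenced address, group dumps by failure bucket), as an added example that is not part of the original thread. The sample reports are constructed excerpts of the two analyses above; the function names and the address thresholds are assumptions for illustration.

```python
import re

# Constructed samples: only the lines of the two !analyze -v reports that the parser reads.
SAMPLE_A = """\
BugCheck A, {90, 2, 0, fffff80002cc4995}
PROCESS_NAME: conhost.exe
FAILURE_BUCKET_ID: X64_0xA_msrpc!LRPC_CASSOCIATION::OpenSecurityContext+118
"""
SAMPLE_1E = """\
BugCheck 1E, {ffffffffc0000005, fffff80002c9c7e7, 0, 7efa0000}
PROCESS_NAME: iexplore.exe
FAILURE_BUCKET_ID: X64_0x1E_nt!RtlImageNtHeaderEx+3f
"""

BUGCHECK_RE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
FIELD_RE = re.compile(r"^(PROCESS_NAME|FAILURE_BUCKET_ID):\s*(\S+)", re.M)

def classify_address(addr):
    """Heuristic class of a faulting data address on x64 (thresholds are assumptions)."""
    if addr < 0x10000:
        return "null-page offset"      # NULL pointer plus a structure field offset
    if addr < 0x0000_8000_0000_0000:
        return "user-mode address"     # lower canonical half
    return "kernel address"

def summarize(report):
    """Extract bugcheck code, referenced address, IRQL, process and bucket from a report."""
    m = BUGCHECK_RE.search(report)
    if m is None:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    fields = dict(FIELD_RE.findall(report))
    # Per the Arguments sections above: 0xA keeps the address in Arg1, 0x1E/c0000005 in Arg4.
    bad, irql = None, None
    if code == 0xA:
        bad, irql = args[0], args[1]
    elif code == 0x1E and (args[0] & 0xFFFFFFFF) == 0xC0000005:
        bad = args[3]
    return {"code": code, "irql": irql, "address": bad,
            "kind": classify_address(bad) if bad is not None else "unknown",
            "process": fields.get("PROCESS_NAME"), "bucket": fields.get("FAILURE_BUCKET_ID")}

def group_by_bucket(named_reports):
    """Map FAILURE_BUCKET_ID -> dump names, so repeats of one cause stand out."""
    groups = {}
    for name, text in named_reports.items():
        groups.setdefault(summarize(text)["bucket"], []).append(name)
    return groups
```

For the first report this yields a read of 0x90 at IRQL 2, consistent with `mov rdi,qword ptr [rbx+90h]` and rbx=0 in the trap frame; for the second, a kernel-mode read of a user-mode address.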

HansP

Legacy Member
thx but I've already found it, resulting in a format :(

the day before yesterday family was on the PC here and suddenly got notifications from AVG that files were infected with trojans...

today those were important files and also files I use daily, e.g. the exec of msn etc etc

thanks for the help anyway!

mausdabber

Legacy Member
-=Spyder.LA=- said:
thx but I've already found it, resulting in a format :(

the day before yesterday family was on the PC here and suddenly got notifications from AVG that files were infected with trojans...

today those were important files and also files I use daily, e.g. the exec of msn etc etc

thanks for the help anyway!

Ah, I see. Best to create a login with limited rights for guest users, I'd say. Good luck :)