Re: Looking for help with a Kernal Memory Dump
Thanks for your reply. If i'm reading it correctly, !analyze shows
ntkrpamp.exe as the offending driver, however i believe that's an OS driver.
Device Manager does show a hidden serial device with error code 24 (This
device is not present, is not working properly, or does not have all its
drivers installed). I will try and track down proper drivers for it but is
there a way that i can be more certain that that's what caused the crash?
Use !analyze -v to get detailed debugging information.
BugCheck 50, {dbcc1000, 0, 808ce49f, 0}
Probably caused by : ntkrpamp.exe ( nt!CmpFileWrite+5d )
Followup: MachineOwner
---------
1: kd>
1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or
it
is pointing at freed memory.
Arguments:
Arg1: dbcc1000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 808ce49f, If non-zero, the instruction address which referenced the
bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: dbcc1000
FAULTING_IP:
nt!CmpFileWrite+5d
808ce49f 0fbe32 movsx esi,byte ptr [edx]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: System
CURRENT_IRQL: 1
TRAP_FRAME: f712ac04 -- (.trap fffffffff712ac04)
ErrCode = 00000000
eax=dbcc2000 ebx=e334ba80 ecx=00000047 edx=dbcc1000 esi=00000068 edi=00000000
eip=808ce49f esp=f712ac78 ebp=f712acd0 iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!CmpFileWrite+0x5d:
808ce49f 0fbe32 movsx esi,byte ptr [edx]
ds:0023:dbcc1000=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 8085e6cd to 80827447
STACK_TEXT:
f712ab74 8085e6cd 00000050 dbcc1000 00000000 nt!KeBugCheckEx+0x1b
f712abec 8088bc18 00000000 dbcc1000 00000000 nt!MmAccessFault+0xb25
f712abec 808ce49f 00000000 dbcc1000 00000000 nt!KiTrap0E+0xdc
f712acd0 808befdf e334ba80 00000001 e2d40000 nt!CmpFileWrite+0x5d
f712ad28 808bf9a5 00000053 e334ba80 e334bd78 nt!HvpWriteLog+0x2cd
f712ad3c 808c134d e334ba01 8b3798d0 808a4828 nt!HvSyncHive+0x71
f712ad58 808ca4b5 00000001 e334bd78 f712ad78 nt!CmpDoFlushNextHive+0xe1
f712ad80 8087f92f 00000000 00000000 8b3798d0 nt!CmpLazyFlushWorker+0x7f
f712adac 80948bd0 00000000 00000000 00000000 nt!ExpWorkerThread+0xeb
f712addc 8088d4e2 8087f844 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!CmpFileWrite+5d
808ce49f 0fbe32 movsx esi,byte ptr [edx]
SYMBOL_STACK_INDEX: 3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45ebdefe
SYMBOL_NAME: nt!CmpFileWrite+5d
FAILURE_BUCKET_ID: 0x50_nt!CmpFileWrite+5d
BUCKET_ID: 0x50_nt!CmpFileWrite+5d
Followup: MachineOwner
---------
"Mathieu CHATEAU" wrote:
> Hello,
>
> !analyze doesn't show up the name of the driver that crashed ?
>
> this may help:
> Explanation of error codes generated by Device Manager in Microsoft Windows
> XP Professional
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;310123
>
>
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> "Bryan" <Bryan@discussions.microsoft.com> wrote in message
> news:0B562C27-C896-46D6-848A-A03489309165@microsoft.com...
> > Hi All,
> > I'm looking for some guidence on debugging a Kernal Dump from a Windows
> > 2003
> > SP1 server. I've been able to read the dump using WinDbg and it appears
> > to
> > be driver related but i can't determine any further what driver is causing
> > a
> > problem. Is there a place that i can submit the crash to be analyzed?
> >
> > thanks kindly!
>
>