I have a pc that keeps restarting. I pulled the minidumps, but not exactly sure how to interpret them.
There are 3 total.
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Fri Jan 9 11:55:56.620 2009 (GMT-6)
System Uptime: 0 days 21:15:37.898
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
……….
Loading User Symbols
Loading unloaded module list
………………………
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 4E, {99, 6191d, 0, 0}
Probably caused by : memory_corruption ( nt!MmDeleteKernelStack+bb )
Followup: MachineOwner
———
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000099, A PTE or PFN is corrupt
Arg2: 0006191d, page frame number
Arg3: 00000000, current page state
Arg4: 00000000, 0
Debugging Details:
——————
BUGCHECK_STR: 0x4E_99
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: EXCEL.EXE
LAST_CONTROL_TRANSFER: from 80505583 to 804f9f43
STACK_TEXT:
a6a3ea68 80505583 0000004e 00000099 0006191d nt!MmDeleteKernelStack+0xbb
a6a3eaa0 805058ec 010005a9 c004a100 0001386b nt!CcPfCancelTraceTimer+0x2e
a6a3eaa8 c004a100 0001386b 896e8be8 00000000 nt!_output+0x13
WARNING: Frame IP not in any known module. Following frames may be wrong.
a6a3eac8 80505b52 000005a9 c0883cfc c004a100 0xc004a100
a6a3ed38 89bc8500 a6a3ed64 8054162c 00580fc2 nt!_output+0x4e0
a6a3ed48 00000000 0000f020 000204bf 00000000 0x89bc8500
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MmDeleteKernelStack+bb
804f9f43 5d pop ebp
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!MmDeleteKernelStack+bb
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 48a3fbd9
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x4E_99_nt!MmDeleteKernelStack+bb
BUCKET_ID: 0x4E_99_nt!MmDeleteKernelStack+bb
Followup: MachineOwner
———
***********************************************
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu Jan 8 14:40:04.073 2009 (GMT-6)
System Uptime: 1 days 4:59:04.417
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
……….
Loading User Symbols
Loading unloaded module list
………………………………………..
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {815c12f8, 2, 0, 805172d4}
Probably caused by : ntoskrnl.exe ( nt!FsRtlRemoveMcbEntryPrivate+20e )
Followup: MachineOwner
———
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 815c12f8, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 805172d4, address which referenced memory
Debugging Details:
——————
READ_ADDRESS: 815c12f8
CURRENT_IRQL: 2
FAULTING_IP:
nt!FsRtlRemoveMcbEntryPrivate+20e
805172d4 8b09 mov ecx,dword ptr [ecx]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: msiexec.exe
LAST_CONTROL_TRANSFER: from 805224ab to 805172d4
STACK_TEXT:
a7386bb8 805224ab 826baee4 0000003f 00000000 nt!FsRtlRemoveMcbEntryPrivate+0x20e
a7386bd0 80522c2e e6ab4f18 89add158 89513d80 nt!MiResolveTransitionFault+0x250
a7386be8 805157bb 00000400 00000460 89513dd0 nt!MiNotifyMemoryEvents+0xee
a7386bec 00000000 00000460 89513dd0 0001a000 nt!InbvRotBarInit+0x3
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!FsRtlRemoveMcbEntryPrivate+20e
805172d4 8b09 mov ecx,dword ptr [ecx]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!FsRtlRemoveMcbEntryPrivate+20e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 48a3fbd9
FAILURE_BUCKET_ID: 0xA_nt!FsRtlRemoveMcbEntryPrivate+20e
BUCKET_ID: 0xA_nt!FsRtlRemoveMcbEntryPrivate+20e
Followup: MachineOwner
———
***********************************************
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Jan 7 09:40:45.328 2009 (GMT-6)
System Uptime: 27 days 17:24:14.296
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
………………………………………………………
……………………………………………………….
………
Loading User Symbols
Loading unloaded module list
…………………………………………..
Unable to load image Ntfs.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Ntfs.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 10000050, {f190600c, 0, 8050924a, 2}
Could not read faulting driver name
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+ed80 )
Followup: MachineOwner
———
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f190600c, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8050924a, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)
Debugging Details:
——————
Could not read faulting driver name
READ_ADDRESS: f190600c
FAULTING_IP:
nt!MmDetachSession+35
8050924a 8b530c mov edx,dword ptr [ebx+0Ch]
MM_INTERNAL_CODE: 2
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from b9e20456 to 8050924a
STACK_TEXT:
ba4eb1ec b9e20456 ba4eb6a4 1f000000 00000001 nt!MmDetachSession+0x35
ba4eb210 b9e2100e 89191008 804ef912 ba4ebd2c Ntfs!NtfsNonCachedIo+0x29c
ba4eb3f0 b9e20c18 ba4eb400 89191008 0110070a Ntfs!NtfsCommonWrite+0x17f7
ba4eb564 804ef19e 8a60a020 89191008 8a5f2a58 Ntfs!NtfsFsdWrite+0x4a
ba4eb584 804ef19e 8a5f5dd0 89191008 804f0054 nt!IopUpdateReadOperationCount+0x2d
ba4eb5ac a8ae0d80 8a5f5dd0 8a551b20 ba4eb5e4 nt!IopUpdateReadOperationCount+0x2d
WARNING: Stack unwind information not available. Following frames may be wrong.
ba4eb5c8 a8ad97b9 ba4eb5e4 804f0054 a8ad9880 SYMEVENT+0xed80
ba4eb608 a8ad996f 89d80178 89191008 8a55d0c8 SYMEVENT+0x77b9
ba4eb61c 804ef19e 89d80178 89191008 89191008 SYMEVENT+0x796f
ba4eb658 804ef19e 8a551b20 89191008 037c9000 nt!IopUpdateReadOperationCount+0x2d
ba4eb67c 8050f082 8a5f3d0a ba4eb6a4 ba4eb744 nt!IopUpdateReadOperationCount+0x2d
ba4eb764 8050faa4 e6158e48 e6158ea0 e6158ea0 nt!IovUtilMarkStack+0x49
ba4eb7a0 804e4554 8a5f3b40 00000000 0000b000 nt!CcDeleteSharedCacheMap+0x74
ba4eb828 b9e41007 0000b000 ba4eb8c8 0000b000 nt!KeRemoveQueue+0xa8
ba4eb8f0 b9e41089 e1020008 e67fe2a0 e6a70760 Ntfs!LfsFlushLfcb+0x512
ba4eb914 b9e4251f e1020008 e67fe2a0 8a60a310 Ntfs!LfsFlushLfcb+0xa2
ba4eb920 8a60a310 e1020008 e53e5928 da6fa931 Ntfs!NtfsFreeRestartTable+0x5
ba4eb96c b9e41cf8 e1020008 000000e0 00000001 0x8a60a310
ba4eb9b8 b9e42278 e16f7170 00000068 ba4eba20 Ntfs!LfsFlushLfcb+0x4c0
ba4ebbe8 b9e42174 ba4ebc1c 8a60a100 00000000 Ntfs!LfsQueryLastLsn+0x22
ba4ebd7c 8053877d 00000000 00000000 8a6753c8 Ntfs!NtfsCheckpointVolume+0xdd2
ba4ebdac 805cff70 00000000 00000000 00000000 nt!MiSetPageModified+0x273
ba4ebddc 805460ee 8053868e 00000000 00000000 nt!IopInitializeDeviceInstanceKey+0x20d
ba4ebe14 00000000 00000000 00000000 00000000 nt!ExpAddTagForBigPages+0x18
STACK_COMMAND: kb
FOLLOWUP_IP:
SYMEVENT+ed80
a8ae0d80 ?? ???
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: SYMEVENT+ed80
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SYMEVENT
IMAGE_NAME: SYMEVENT.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 450f3f43
FAILURE_BUCKET_ID: 0x50_SYMEVENT+ed80
BUCKET_ID: 0x50_SYMEVENT+ed80
Followup: MachineOwner
———