General discussion
-
CreatorTopic
-
July 16, 2008 at 10:36 am #2150523
PC is now rebooting intermittently due to bugcheck
Lockedby marcj3 · about 15 years, 9 months ago
My PC is now rebooting intermittently with the error:
Event Source: Save Dump + Event ID: 1001
The computer has rebooted from a bugcheck. The bugcheck was: 0x100000d1 (0x00000020, 0x00000002, 0x00000001, 0xf4aa227f). A dump was saved in: C:\WINDOWS\Minidump\Mini071608-01.dmp.It has rebooted
june 29, 306am
july 5, 302am
july 10, 303am
july 13, 1209am
july 16, 304amMy PC is a Dell GX260, running WinXP SP2. I run
Zone Alarm Pro Firewall ver 7.0.483.000 – spyware scan at 2am
Win XP BlackIce personal firewall is turned off
CA eTrust Real Time monitoring
CA eTrust antivirus PC scanning at 3am.
Spybot Search and Destroy antispaywareI didn’t upgrade any software prior to this happening.
I would upload the minidump files for analysis to hopefully determine if it’s faulty memory or
due to which application, but doesn’t seem to be a way to do that.Can anyone help determine the cause of the reboots please. Thanks.
Topic is locked -
CreatorTopic
All Comments
-
AuthorReplies
-
-
July 16, 2008 at 11:25 am #2926234
Try these steps…
by iam_mordac · about 15 years, 9 months ago
In reply to PC is now rebooting intermittently due to bugcheck
Did you add any hardware? Update drivers? There was an issue with ZoneAlarm and the recent M$ updates, given the 2am scan and the 3 AM reboots I would look into that. Is it possible your Windows Update is active? 3AM is the default patch time, iirc.
While I understand the desire for a secure pc, is it really necessary to dup/trip-licate your AV/Spyware? Pick one suite, (I personally like ZoneAlarm) and dump the rest. Use Spybot to do a manual scan on occaision, but don’t leave it active. You are chewing up system resources and it’s quite possible the competing programs could step on each others toes.
Is the minidump not showing up in the folder? You may have to enable viewing of Hidden and System folders to see it.
Good luck!
I found these posts on other forums, try the steps listed, YMMV.
[The Stop 0xD1 message indicates that the system attempted to access pageable memory using a kernel process IRQL that was too high. Drivers that have used improper addresses typically cause this error.
Interpreting the Message
This Stop message has four parameters:Memory referenced.
IRQL at time of reference.
Type of access (0x00000000 = read operation, 0x00000001 = write operation).
Address that referenced memory.Stop 0xD1 messages can occur after installing faulty drivers or system services. If a driver is listed by name, disable, remove, or roll back that driver to confirm that this resolves the error. If so, contact the manufacturer about a possible update. Using updated software is especially important for backup programs, multimedia applications, antivirus scanners, DVD playback, and CD mastering tools.
For more information about Stop 0xD1 messages, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search using keywords winnt, 0x000000D1, and 0xD1.][This error is usually indicative of either a bad or corrupted driver, bad RAM or a corrupted page file.
For bad RAM download these two memory diagnostic programs:
1. Memtest86+ from http://www.memtest.org/
2. Windows Memory Diagnostic Tool from
http://oca.microsoft.com/en/windiag.aspThese will create bootable CD drives. Run both diagnostics. Let each
one run for a long time, several hours each. If errors occur change the
ram.For drivers have you installed any new software lately or installed any
new hardware? If so remove them or update the drivers.For the pagefile issue first turn off the pagefile. Right click My
computer, choose properties, advanced. Click the settings button under
Performance, then the Advanced tab . Click “change” under virtual
memory. Select the driver were the pagefile exits and put a tic mark in
No paging file. Click Set, then OK out. Reboot the computer, then go
back in to the same menu, highlight the C: drive and click on System
managed. Ok out again. ]-
July 16, 2008 at 12:28 pm #2926219
PC is now rebooting intermittently due to bugcheck
by marcj3 · about 15 years, 9 months ago
In reply to Try these steps…
The only app I recently installed was DLINK SW for Wireless G USB adapter.
I also upgraded ZoneAlarm to 7.0.483.000 to counter the Window hotfix that created DNS issues and
no web browsing after that. The Zone Alarm upgrade resolved the DNS problem.I don’t think spybot S& D is tripping over Zone Alarm Pro,
———————————————————————————————————
I installed 32-bit windbg.
I ran windbg for the last 3 crash dumps:Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
File, symbol file path, in the symbol search path window, enter
srv*c:\symbols*http://msdl.microsoft.com/download/symbolsfile, open crash dump:
path C:\WINDOWS\Minidump
Mini071608-01.dmpIn the window that pops up:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.Loading Dump File [C:\WINDOWS\Minidump\Mini071608-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are availableSymbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Wed Jul 16 03:04:24.343 2008 (GMT-4)
System Uptime: 2 days 2:03:09.536
Loading Kernel Symbols
…………………………………………………………………………………………………………
Loading User Symbols
Loading unloaded module list
………………….
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************Use !analyze -v to get detailed debugging information.
BugCheck 100000D1, {20, 2, 1, f4aa227f}
Probably caused by : TDI.SYS ( TDI!CTEpEventHandler+32 )Followup: MachineOwner
———
in the kd> prompt at the bottom, entered: !analyze -vkd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000020, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f4aa227f, address which referenced memoryDebugging Details:
——————WRITE_ADDRESS: 00000020
CURRENT_IRQL: 2
FAULTING_IP:
afd!AfdDereferenceEndpoint+f
f4aa227f f00fc108 lock xadd dword ptr [eax],ecxCUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from f4aa27f6 to f4aa227f
STACK_TEXT:
f7ca4990 f4aa27f6 00000000 840dd088 83d39348 afd!AfdDereferenceEndpoint+0xf
f7ca49a8 f4a9769f 840dd088 00000001 85965288 afd!AfdFreePollInfo+0x31
f7ca49e4 f4aa297d 85965288 00000001 00000000 afd!AfdIndicatePollEventReal+0x1c4
f7ca4a18 f4b6486c 00000001 8592be98 f4b6486c afd!AfdReceiveDatagramEventHandler+0x334
f7ca4ac0 f4b6ff31 8592be98 0100007f 00004504 tcpip!UDPDeliver+0x1be
f7ca4b18 f4b63ef5 86208de8 0100007f 0100007f tcpip!UDPRcv+0x164
f7ca4b78 f4b63b19 00000020 86208de8 f4b64592 tcpip!DeliverToUser+0x18e
f7ca4bf4 f4b63836 f4ba3570 86208de8 f7ca4d10 tcpip!DeliverToUserEx+0x95e
f7ca4cac f4b71364 86208de8 f7ca4d24 00000009 tcpip!IPRcvPacket+0x6cb
f7ca4d58 f7b593e4 f4ba3300 86208de8 f4ba3310 tcpip!LoopXmitRtn+0x195
f7ca4d74 804e426b 86208de8 00000000 867c4020 TDI!CTEpEventHandler+0x32
f7ca4dac 8057d0f1 f4ba3300 00000000 00000000 nt!ExpWorkerThread+0x100
f7ca4ddc 804f827a 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16STACK_COMMAND: kb
FOLLOWUP_IP:
TDI!CTEpEventHandler+32
f7b593e4 5f pop ediSYMBOL_STACK_INDEX: a
SYMBOL_NAME: TDI!CTEpEventHandler+32
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: TDI
IMAGE_NAME: TDI.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 41107d33
FAILURE_BUCKET_ID: 0xD1_W_TDI!CTEpEventHandler+32
BUCKET_ID: 0xD1_W_TDI!CTEpEventHandler+32
Followup: MachineOwner
———
———————————————————————————————————
run it on july 13, 1209am crash dump: Mini071308-01.dmpMicrosoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.Loading Dump File [C:\WINDOWS\Minidump\Mini071308-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are availableSymbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Sun Jul 13 00:08:49.921 2008 (GMT-4)
System Uptime: 2 days 21:05:02.534
Loading Kernel Symbols
…………………………………………………………………………………………………………
Loading User Symbols
Loading unloaded module list
…………………………
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************Use !analyze -v to get detailed debugging information.
BugCheck 1000007E, {c0000005, 804ef1c5, f7c90ac4, f7c907c0}
Probably caused by : hardware ( nt!FsRtlAcquireFileExclusiveCommon+2f )
Followup: MachineOwner
———kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804ef1c5, The address that the exception occurred at
Arg3: f7c90ac4, Exception Record Address
Arg4: f7c907c0, Context Record AddressDebugging Details:
——————EXCEPTION_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
FAULTING_IP:
nt!IoGetRelatedDeviceObject+25
804ef1c5 8b4024 mov eax,dword ptr [eax+24h]EXCEPTION_RECORD: f7c90ac4 — (.exr 0xfffffffff7c90ac4)
ExceptionAddress: 804ef1c5 (nt!IoGetRelatedDeviceObject+0x00000025)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 43504378
Attempt to read from address 43504378CONTEXT: f7c907c0 — (.cxr 0xfffffffff7c907c0)
eax=43504354 ebx=806ee2d0 ecx=00000000 edx=00000000 esi=856bae48 edi=806ee298
eip=804ef1c5 esp=f7c90b8c ebp=f7c90b94 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!IoGetRelatedDeviceObject+0x25:
804ef1c5 8b4024 mov eax,dword ptr [eax+24h] ds:0023:43504378=????????
Resetting default scopeCUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
READ_ADDRESS: 43504378
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: STRING_DEREFERENCE
MISALIGNED_IP:
nt!IoGetRelatedDeviceObject+25
804ef1c5 8b4024 mov eax,dword ptr [eax+24h]LAST_CONTROL_TRANSFER: from 805711f0 to 804ef1c5
STACK_TEXT:
f7c90b94 805711f0 856bae48 806ee298 83d29b50 nt!IoGetRelatedDeviceObject+0x25
f7c90ce0 80571475 856bae48 00000000 00000000 nt!FsRtlAcquireFileExclusiveCommon+0x2f
f7c90cf4 804ec10b 856bae48 80556810 85bf2d68 nt!FsRtlAcquireFileExclusive+0x11
f7c90d2c 804e4f1d 867c61e8 80561640 867c5c98 nt!CcWriteBehind+0x2ec
f7c90d74 804e426b 867c61e8 00000000 867c5c98 nt!CcWorkerThread+0x126
f7c90dac 8057d0f1 867c61e8 00000000 00000000 nt!ExpWorkerThread+0x100
f7c90ddc 804f827a 804e4196 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16FOLLOWUP_IP:
nt!FsRtlAcquireFileExclusiveCommon+2f
805711f0 ff7508 push dword ptr [ebp+8]SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!FsRtlAcquireFileExclusiveCommon+2f
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: hardware
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: .cxr 0xfffffffff7c907c0 ; kb
MODULE_NAME: hardware
FAILURE_BUCKET_ID: IP_MISALIGNED
BUCKET_ID: IP_MISALIGNED
Followup: MachineOwner
———Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.Loading Dump File [C:\WINDOWS\Minidump\Mini071008-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are availableSymbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Thu Jul 10 03:03:33.845 2008 (GMT-4)
System Uptime: 2 days 7:20:56.805
Loading Kernel Symbols
…………………………………………………………………………………………………………
Loading User Symbols
Loading unloaded module list
…………………………
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************Use !analyze -v to get detailed debugging information.
BugCheck 1000007E, {c0000005, 8054aa32, f760fb74, f760f870}
Probably caused by : afd.sys ( afd!AfdIndicatePollEventReal+1d2 )
Followup: MachineOwner
———kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8054aa32, The address that the exception occurred at
Arg3: f760fb74, Exception Record Address
Arg4: f760f870, Context Record AddressDebugging Details:
——————EXCEPTION_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
FAULTING_IP:
nt!ExFreePoolWithTag+237
8054aa32 668b4efa mov cx,word ptr [esi-6]EXCEPTION_RECORD: f760fb74 — (.exr 0xfffffffff760fb74)
ExceptionAddress: 8054aa32 (nt!ExFreePoolWithTag+0x00000237)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000007a
Attempt to read from address 0000007aCONTEXT: f760f870 — (.cxr 0xfffffffff760f870)
eax=00000000 ebx=00000000 ecx=83d38c06 edx=83d48d05 esi=00000080 edi=83d38d63
eip=8054aa32 esp=f760fc3c ebp=f760fc70 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ExFreePoolWithTag+0x237:
8054aa32 668b4efa mov cx,word ptr [esi-6] ds:0023:0000007a=????
Resetting default scopeCUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
READ_ADDRESS: 0000007a
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from 804ef81f to 8054aa32
STACK_TEXT:
f760fc70 804ef81f 00000080 00000000 83d48d50 nt!ExFreePoolWithTag+0x237
f760fc9c f4a976ad 858d2c78 85866900 f760fd2c nt!IopfCompleteRequest+0x156
f760fcd4 f4aaab5c 858d2c78 00000001 00000000 afd!AfdIndicatePollEventReal+0x1d2
83d38c60 00000000 00000070 83f43f00 8588cfb8 afd!AfdRestartBufferReceive+0x1c0FOLLOWUP_IP:
afd!AfdIndicatePollEventReal+1d2
f4a976ad e9d6feffff jmp afd!AfdIndicatePollEventReal+0x1d2 (f4a97588)SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: afd!AfdIndicatePollEventReal+1d2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: afd
IMAGE_NAME: afd.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 41107eb5
STACK_COMMAND: .cxr 0xfffffffff760f870 ; kb
FAILURE_BUCKET_ID: 0x7E_afd!AfdIndicatePollEventReal+1d2
BUCKET_ID: 0x7E_afd!AfdIndicatePollEventReal+1d2
Followup: MachineOwner
———-
July 16, 2008 at 12:56 pm #2926203
AIIIEEEE, TMI TMI !!!
by iam_mordac · about 15 years, 9 months ago
In reply to PC is now rebooting intermittently due to bugcheck
I’ll run through your post, it’s gonna be a day or so though. In the meantime, try rolling back the DLINK sw or remove it if you can’t roll back.
You can also look in the Event Viewer, open one of the crash errors, (should have an Event ID of 1001) and click the “More Info” link if it’s available. If not goto http://www.microsoft.com/technet/support/ee/ee_basic.aspx and poke around by looking for the 0x100000d1 (0x00000020, 0x00000002, 0x00000001, 0xf4aa227f)data and whatever looks significant in the Debug listing.
Try the memory testers while your at it too, it could be bad ram.
Good luck and let us know the results.
-
July 24, 2008 at 10:53 am #2914873
Any luck?
by iam_mordac · about 15 years, 9 months ago
In reply to AIIIEEEE, TMI TMI !!!
I haven’t had a chance to go over the bugcheck. Any luck with the proposed fixes?
-
-
-
-
AuthorReplies