Hardware·18,997 discussions

PC is now rebooting intermittently due to bugcheck

Locked

My PC is now rebooting intermittently with the error:
Event Source: Save Dump + Event ID: 1001
The computer has rebooted from a bugcheck. The bugcheck was: 0x100000d1 (0x00000020, 0x00000002, 0x00000001, 0xf4aa227f). A dump was saved in: C:\WINDOWS\Minidump\Mini071608-01.dmp.

It has rebooted
june 29, 306am
july 5, 302am
july 10, 303am
july 13, 1209am
july 16, 304am

My PC is a Dell GX260, running WinXP SP2. I run
Zone Alarm Pro Firewall ver 7.0.483.000 – spyware scan at 2am
Win XP BlackIce personal firewall is turned off
CA eTrust Real Time monitoring
CA eTrust antivirus PC scanning at 3am.
Spybot Search and Destroy antispayware

I didn’t upgrade any software prior to this happening.

I would upload the minidump files for analysis to hopefully determine if it’s faulty memory or
due to which application, but doesn’t seem to be a way to do that.

Can anyone help determine the cause of the reboots please. Thanks.

Topic

Try these steps…

In reply to PC is now rebooting intermittently due to bugcheck

Did you add any hardware? Update drivers? There was an issue with ZoneAlarm and the recent M$ updates, given the 2am scan and the 3 AM reboots I would look into that. Is it possible your Windows Update is active? 3AM is the default patch time, iirc.

While I understand the desire for a secure pc, is it really necessary to dup/trip-licate your AV/Spyware? Pick one suite, (I personally like ZoneAlarm) and dump the rest. Use Spybot to do a manual scan on occaision, but don’t leave it active. You are chewing up system resources and it’s quite possible the competing programs could step on each others toes.

Is the minidump not showing up in the folder? You may have to enable viewing of Hidden and System folders to see it.

Good luck!

I found these posts on other forums, try the steps listed, YMMV.

[The Stop 0xD1 message indicates that the system attempted to access pageable memory using a kernel process IRQL that was too high. Drivers that have used improper addresses typically cause this error.

Interpreting the Message
This Stop message has four parameters:

Memory referenced.
IRQL at time of reference.
Type of access (0x00000000 = read operation, 0x00000001 = write operation).
Address that referenced memory.

Stop 0xD1 messages can occur after installing faulty drivers or system services. If a driver is listed by name, disable, remove, or roll back that driver to confirm that this resolves the error. If so, contact the manufacturer about a possible update. Using updated software is especially important for backup programs, multimedia applications, antivirus scanners, DVD playback, and CD mastering tools.
For more information about Stop 0xD1 messages, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Search using keywords winnt, 0x000000D1, and 0xD1.]

[This error is usually indicative of either a bad or corrupted driver, bad RAM or a corrupted page file.

For bad RAM download these two memory diagnostic programs:

1. Memtest86+ from http://www.memtest.org/
2. Windows Memory Diagnostic Tool from
http://oca.microsoft.com/en/windiag.asp

These will create bootable CD drives. Run both diagnostics. Let each
one run for a long time, several hours each. If errors occur change the
ram.

For drivers have you installed any new software lately or installed any
new hardware? If so remove them or update the drivers.

For the pagefile issue first turn off the pagefile. Right click My
computer, choose properties, advanced. Click the settings button under
Performance, then the Advanced tab . Click “change” under virtual
memory. Select the driver were the pagefile exits and put a tic mark in
No paging file. Click Set, then OK out. Reboot the computer, then go
back in to the same menu, highlight the C: drive and click on System
managed. Ok out again. ]

PC is now rebooting intermittently due to bugcheck

In reply to Try these steps…

The only app I recently installed was DLINK SW for Wireless G USB adapter.
I also upgraded ZoneAlarm to 7.0.483.000 to counter the Window hotfix that created DNS issues and
no web browsing after that. The Zone Alarm upgrade resolved the DNS problem.

I don’t think spybot S& D is tripping over Zone Alarm Pro,

———————————————————————————————————
I installed 32-bit windbg.
I ran windbg for the last 3 crash dumps:

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86

File, symbol file path, in the symbol search path window, enter
srv*c:\symbols*http://msdl.microsoft.com/download/symbols

file, open crash dump:
path C:\WINDOWS\Minidump
Mini071608-01.dmp

In the window that pops up:
Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\Mini071608-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Wed Jul 16 03:04:24.343 2008 (GMT-4)
System Uptime: 2 days 2:03:09.536
Loading Kernel Symbols
…………………………………………………………………………………………………………
Loading User Symbols
Loading unloaded module list
………………….
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {20, 2, 1, f4aa227f}
Probably caused by : TDI.SYS ( TDI!CTEpEventHandler+32 )

Followup: MachineOwner
———
in the kd> prompt at the bottom, entered: !analyze -v

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000020, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f4aa227f, address which referenced memory

Debugging Details:
——————

WRITE_ADDRESS: 00000020

CURRENT_IRQL: 2

FAULTING_IP:
afd!AfdDereferenceEndpoint+f
f4aa227f f00fc108 lock xadd dword ptr [eax],ecx

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from f4aa27f6 to f4aa227f

STACK_TEXT:
f7ca4990 f4aa27f6 00000000 840dd088 83d39348 afd!AfdDereferenceEndpoint+0xf
f7ca49a8 f4a9769f 840dd088 00000001 85965288 afd!AfdFreePollInfo+0x31
f7ca49e4 f4aa297d 85965288 00000001 00000000 afd!AfdIndicatePollEventReal+0x1c4
f7ca4a18 f4b6486c 00000001 8592be98 f4b6486c afd!AfdReceiveDatagramEventHandler+0x334
f7ca4ac0 f4b6ff31 8592be98 0100007f 00004504 tcpip!UDPDeliver+0x1be
f7ca4b18 f4b63ef5 86208de8 0100007f 0100007f tcpip!UDPRcv+0x164
f7ca4b78 f4b63b19 00000020 86208de8 f4b64592 tcpip!DeliverToUser+0x18e
f7ca4bf4 f4b63836 f4ba3570 86208de8 f7ca4d10 tcpip!DeliverToUserEx+0x95e
f7ca4cac f4b71364 86208de8 f7ca4d24 00000009 tcpip!IPRcvPacket+0x6cb
f7ca4d58 f7b593e4 f4ba3300 86208de8 f4ba3310 tcpip!LoopXmitRtn+0x195
f7ca4d74 804e426b 86208de8 00000000 867c4020 TDI!CTEpEventHandler+0x32
f7ca4dac 8057d0f1 f4ba3300 00000000 00000000 nt!ExpWorkerThread+0x100
f7ca4ddc 804f827a 804e4196 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
TDI!CTEpEventHandler+32
f7b593e4 5f pop edi

SYMBOL_STACK_INDEX: a

SYMBOL_NAME: TDI!CTEpEventHandler+32

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: TDI

IMAGE_NAME: TDI.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 41107d33

FAILURE_BUCKET_ID: 0xD1_W_TDI!CTEpEventHandler+32

BUCKET_ID: 0xD1_W_TDI!CTEpEventHandler+32

Followup: MachineOwner
———
———————————————————————————————————
run it on july 13, 1209am crash dump: Mini071308-01.dmp

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\Mini071308-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Sun Jul 13 00:08:49.921 2008 (GMT-4)
System Uptime: 2 days 21:05:02.534
Loading Kernel Symbols
…………………………………………………………………………………………………………
Loading User Symbols
Loading unloaded module list
…………………………
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 804ef1c5, f7c90ac4, f7c907c0}

Probably caused by : hardware ( nt!FsRtlAcquireFileExclusiveCommon+2f )

Followup: MachineOwner
———

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804ef1c5, The address that the exception occurred at
Arg3: f7c90ac4, Exception Record Address
Arg4: f7c907c0, Context Record Address

Debugging Details:
——————

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
nt!IoGetRelatedDeviceObject+25
804ef1c5 8b4024 mov eax,dword ptr [eax+24h]

EXCEPTION_RECORD: f7c90ac4 — (.exr 0xfffffffff7c90ac4)
ExceptionAddress: 804ef1c5 (nt!IoGetRelatedDeviceObject+0x00000025)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 43504378
Attempt to read from address 43504378

CONTEXT: f7c907c0 — (.cxr 0xfffffffff7c907c0)
eax=43504354 ebx=806ee2d0 ecx=00000000 edx=00000000 esi=856bae48 edi=806ee298
eip=804ef1c5 esp=f7c90b8c ebp=f7c90b94 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!IoGetRelatedDeviceObject+0x25:
804ef1c5 8b4024 mov eax,dword ptr [eax+24h] ds:0023:43504378=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

READ_ADDRESS: 43504378

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: STRING_DEREFERENCE

MISALIGNED_IP:
nt!IoGetRelatedDeviceObject+25
804ef1c5 8b4024 mov eax,dword ptr [eax+24h]

LAST_CONTROL_TRANSFER: from 805711f0 to 804ef1c5

STACK_TEXT:
f7c90b94 805711f0 856bae48 806ee298 83d29b50 nt!IoGetRelatedDeviceObject+0x25
f7c90ce0 80571475 856bae48 00000000 00000000 nt!FsRtlAcquireFileExclusiveCommon+0x2f
f7c90cf4 804ec10b 856bae48 80556810 85bf2d68 nt!FsRtlAcquireFileExclusive+0x11
f7c90d2c 804e4f1d 867c61e8 80561640 867c5c98 nt!CcWriteBehind+0x2ec
f7c90d74 804e426b 867c61e8 00000000 867c5c98 nt!CcWorkerThread+0x126
f7c90dac 8057d0f1 867c61e8 00000000 00000000 nt!ExpWorkerThread+0x100
f7c90ddc 804f827a 804e4196 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
nt!FsRtlAcquireFileExclusiveCommon+2f
805711f0 ff7508 push dword ptr [ebp+8]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!FsRtlAcquireFileExclusiveCommon+2f

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: hardware

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: .cxr 0xfffffffff7c907c0 ; kb

MODULE_NAME: hardware

FAILURE_BUCKET_ID: IP_MISALIGNED

BUCKET_ID: IP_MISALIGNED

Followup: MachineOwner
———

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\Mini071008-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Thu Jul 10 03:03:33.845 2008 (GMT-4)
System Uptime: 2 days 7:20:56.805
Loading Kernel Symbols
…………………………………………………………………………………………………………
Loading User Symbols
Loading unloaded module list
…………………………
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 8054aa32, f760fb74, f760f870}

Probably caused by : afd.sys ( afd!AfdIndicatePollEventReal+1d2 )

Followup: MachineOwner
———

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but …
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8054aa32, The address that the exception occurred at
Arg3: f760fb74, Exception Record Address
Arg4: f760f870, Context Record Address

Debugging Details:
——————

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
nt!ExFreePoolWithTag+237
8054aa32 668b4efa mov cx,word ptr [esi-6]

EXCEPTION_RECORD: f760fb74 — (.exr 0xfffffffff760fb74)
ExceptionAddress: 8054aa32 (nt!ExFreePoolWithTag+0x00000237)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000007a
Attempt to read from address 0000007a

CONTEXT: f760f870 — (.cxr 0xfffffffff760f870)
eax=00000000 ebx=00000000 ecx=83d38c06 edx=83d48d05 esi=00000080 edi=83d38d63
eip=8054aa32 esp=f760fc3c ebp=f760fc70 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ExFreePoolWithTag+0x237:
8054aa32 668b4efa mov cx,word ptr [esi-6] ds:0023:0000007a=????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

READ_ADDRESS: 0000007a

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from 804ef81f to 8054aa32

STACK_TEXT:
f760fc70 804ef81f 00000080 00000000 83d48d50 nt!ExFreePoolWithTag+0x237
f760fc9c f4a976ad 858d2c78 85866900 f760fd2c nt!IopfCompleteRequest+0x156
f760fcd4 f4aaab5c 858d2c78 00000001 00000000 afd!AfdIndicatePollEventReal+0x1d2
83d38c60 00000000 00000070 83f43f00 8588cfb8 afd!AfdRestartBufferReceive+0x1c0

FOLLOWUP_IP:
afd!AfdIndicatePollEventReal+1d2
f4a976ad e9d6feffff jmp afd!AfdIndicatePollEventReal+0x1d2 (f4a97588)

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: afd!AfdIndicatePollEventReal+1d2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: afd

IMAGE_NAME: afd.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107eb5

STACK_COMMAND: .cxr 0xfffffffff760f870 ; kb

FAILURE_BUCKET_ID: 0x7E_afd!AfdIndicatePollEventReal+1d2

BUCKET_ID: 0x7E_afd!AfdIndicatePollEventReal+1d2

Followup: MachineOwner
———

AIIIEEEE, TMI TMI !!!

In reply to PC is now rebooting intermittently due to bugcheck

I’ll run through your post, it’s gonna be a day or so though. In the meantime, try rolling back the DLINK sw or remove it if you can’t roll back.

You can also look in the Event Viewer, open one of the crash errors, (should have an Event ID of 1001) and click the “More Info” link if it’s available. If not goto http://www.microsoft.com/technet/support/ee/ee_basic.aspx and poke around by looking for the 0x100000d1 (0x00000020, 0x00000002, 0x00000001, 0xf4aa227f)data and whatever looks significant in the Debug listing.

Try the memory testers while your at it too, it could be bad ram.

Good luck and let us know the results.

Any luck?

In reply to AIIIEEEE, TMI TMI !!!

I haven’t had a chance to go over the bugcheck. Any luck with the proposed fixes?

[Author]

Replies