Full Version: Etwgetkerneltracetimestamp And Bsod
After trying to decipher a bunch of minidumps it seems like it is EtwGetKernelTraceTimestamp which is causing my IRQL_NOT_LESS_OR_EQUAL, but I can't seem to find anything about it. Anybody got any ideas of where to look?
Could you post a bit more from the dump file?
I found this, but have no clue about what it's saying (way over my head!): http://www.osronline.com/showthread.cfm?link=102490
I'm starting to think that the Etw has something to do with Event Tracing in Windows (from this google: http://www.google.com/search?hl=en&cli...amp;btnG=Search )
Still doesn't point to a particular driver, or any particular hardware tho'.
I'm starting to think that the Etw has something to do with Event Tracing in Windows (from this google: http://www.google.com/search?hl=en&cli...amp;btnG=Search )
Still doesn't point to a particular driver, or any particular hardware tho'.
I think you were on the right track in your first reply usama.
There should be more info in the dump file to go on.
There are at least a half dozen issues with vista and nvidia chips\chipsets.
Anybody using them with vista should get the latest bios update, motherboard chipset drivers and nvidia graphics drivers, in that order, then go from there. There are also a few patches that should be applied.
There should be more info in the dump file to go on.
There are at least a half dozen issues with vista and nvidia chips\chipsets.
Anybody using them with vista should get the latest bios update, motherboard chipset drivers and nvidia graphics drivers, in that order, then go from there. There are also a few patches that should be applied.
More dump coming up.
CODE
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000008, memory referenced
Arg2: 00000004, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 81c70dc9, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d11780
00000008
CURRENT_IRQL: 4
FAULTING_IP:
nt!EtwGetKernelTraceTimestamp+77
81c70dc9 894608 mov dword ptr [esi+8],eax
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_RC
BUGCHECK_STR: 0xA
PROCESS_NAME: Idle
TRAP_FRAME: 8786ec10 -- (.trap ffffffff8786ec10)
ErrCode = 00000002
eax=3afa7075 ebx=8786ecc8 ecx=00800063 edx=00000044 esi=00000000 edi=8786ecbc
eip=81c70dc9 esp=8786ec84 ebp=8786ec84 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217
nt!EtwGetKernelTraceTimestamp+0x77:
81c70dc9 894608 mov dword ptr [esi+8],eax ds:0023:00000008=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 81c70dc9 to 81c8fc44
STACK_TEXT:
8786ec10 81c70dc9 badb0d00 00000044 8787e000 nt!KiTrap0E+0x2ac
8786ec84 81c70d2d 20004000 84415780 8787e000 nt!EtwGetKernelTraceTimestamp+0x77
8786ecac 81c908ad 83c29008 00000002 ffffffff nt!EtwGetInterruptTimeStamp+0x1c
8786ecd0 81c907b9 81faba02 00000052 81cf8740 nt!KiChainedDispatch2ndLvl+0xb1
8786ecd0 81fb42a6 81faba02 00000052 81cf8740 nt!KiChainedDispatch+0x29
8786ed50 81c91272 00000000 0000000e 00000000 hal!HalProcessorIdle+0x2
8786ed54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!EtwGetKernelTraceTimestamp+77
81c70dc9 894608 mov dword ptr [esi+8],eax
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4549ae00
SYMBOL_NAME: nt!EtwGetKernelTraceTimestamp+77
FAILURE_BUCKET_ID: 0xA_W_nt!EtwGetKernelTraceTimestamp+77
BUCKET_ID: 0xA_W_nt!EtwGetKernelTraceTimestamp+77
Followup: MachineOwner
---------
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000008, memory referenced
Arg2: 00000004, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 81c70dc9, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d11780
00000008
CURRENT_IRQL: 4
FAULTING_IP:
nt!EtwGetKernelTraceTimestamp+77
81c70dc9 894608 mov dword ptr [esi+8],eax
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_RC
BUGCHECK_STR: 0xA
PROCESS_NAME: Idle
TRAP_FRAME: 8786ec10 -- (.trap ffffffff8786ec10)
ErrCode = 00000002
eax=3afa7075 ebx=8786ecc8 ecx=00800063 edx=00000044 esi=00000000 edi=8786ecbc
eip=81c70dc9 esp=8786ec84 ebp=8786ec84 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217
nt!EtwGetKernelTraceTimestamp+0x77:
81c70dc9 894608 mov dword ptr [esi+8],eax ds:0023:00000008=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 81c70dc9 to 81c8fc44
STACK_TEXT:
8786ec10 81c70dc9 badb0d00 00000044 8787e000 nt!KiTrap0E+0x2ac
8786ec84 81c70d2d 20004000 84415780 8787e000 nt!EtwGetKernelTraceTimestamp+0x77
8786ecac 81c908ad 83c29008 00000002 ffffffff nt!EtwGetInterruptTimeStamp+0x1c
8786ecd0 81c907b9 81faba02 00000052 81cf8740 nt!KiChainedDispatch2ndLvl+0xb1
8786ecd0 81fb42a6 81faba02 00000052 81cf8740 nt!KiChainedDispatch+0x29
8786ed50 81c91272 00000000 0000000e 00000000 hal!HalProcessorIdle+0x2
8786ed54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!EtwGetKernelTraceTimestamp+77
81c70dc9 894608 mov dword ptr [esi+8],eax
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4549ae00
SYMBOL_NAME: nt!EtwGetKernelTraceTimestamp+77
FAILURE_BUCKET_ID: 0xA_W_nt!EtwGetKernelTraceTimestamp+77
BUCKET_ID: 0xA_W_nt!EtwGetKernelTraceTimestamp+77
Followup: MachineOwner
---------
Could you run the debugger with the !analyze -v option? That'd give some more info on what was in memory at the time.
I haven't seen the HAL item before (in your stack trace) - so it's looking more like an incompatibility than a driver. But that's just speculation at this point (also looking at what I presume to be attempts to kill an idle loop).
So, on with the usual questions...
Have you added any new hardware?
Have you added/modified any drivers?
How's about any Windows Updates?
Have you added/changed anything else that might have caused this?
Is there anything that you're thinking might have caused it?
Finally, I haven't tried them in Vista yet, but have you tried verifier.exe and sigverif.exe to see if you can identify a suspicious driver from there? Also, you may want to check one of the sites like DriverMax to see what it says are "outdated" drivers.
I haven't seen the HAL item before (in your stack trace) - so it's looking more like an incompatibility than a driver. But that's just speculation at this point (also looking at what I presume to be attempts to kill an idle loop).
So, on with the usual questions...
Have you added any new hardware?
Have you added/modified any drivers?
How's about any Windows Updates?
Have you added/changed anything else that might have caused this?
Is there anything that you're thinking might have caused it?
Finally, I haven't tried them in Vista yet, but have you tried verifier.exe and sigverif.exe to see if you can identify a suspicious driver from there? Also, you may want to check one of the sites like DriverMax to see what it says are "outdated" drivers.
QUOTE(usasma @ Mar 11 2007, 01:23 PM) 
Could you run the debugger with the !analyze -v option? That'd give some more info on what was in memory at the time.
That is the result of the !analyze -v option.QUOTE(usasma @ Mar 11 2007, 01:23 PM)
I haven't seen the HAL item before (in your stack trace) - so it's looking more like an incompatibility than a driver. But that's just speculation at this point (also looking at what I presume to be attempts to kill an idle loop).
So, on with the usual questions...
Have you added any new hardware?
Have you added/modified any drivers?
How's about any Windows Updates?
Have you added/changed anything else that might have caused this?
Is there anything that you're thinking might have caused it?
The Vista installation is pretty fresh so absolutely everything is new.So, on with the usual questions...
Have you added any new hardware?
Have you added/modified any drivers?
How's about any Windows Updates?
Have you added/changed anything else that might have caused this?
Is there anything that you're thinking might have caused it?
QUOTE(usasma @ Mar 11 2007, 01:23 PM)
Finally, I haven't tried them in Vista yet, but have you tried verifier.exe and sigverif.exe to see if you can identify a suspicious driver from there? Also, you may want to check one of the sites like DriverMax to see what it says are "outdated" drivers.
Will do.
That's the -v output! Wow! It seems pretty short to me! I'll have to do a bit more looking around!
With a new install, you're pretty much limited to:
1) Failing hardware
2) Bad/incompatible drivers
3) Corrupt Windows files
Are you running on the drivers that Vista supplied? Any others that you've installed? With the limited availability of Vista drivers it should be an easy matter to remove and reinstall the one's that didn't come with Vista. And, if that doesn't fix it, that leaves the built in drivers as suspect.
After that it would be a matter of stripping all the "not needed" hardware out and then trying each remaining driver until you either eliminate the problem - or confirm that it's not a driver issue.
With a new install, you're pretty much limited to:
1) Failing hardware
2) Bad/incompatible drivers
3) Corrupt Windows files
Are you running on the drivers that Vista supplied? Any others that you've installed? With the limited availability of Vista drivers it should be an easy matter to remove and reinstall the one's that didn't come with Vista. And, if that doesn't fix it, that leaves the built in drivers as suspect.
After that it would be a matter of stripping all the "not needed" hardware out and then trying each remaining driver until you either eliminate the problem - or confirm that it's not a driver issue.
I just had another one:
CODE
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000008, memory referenced
Arg2: 00000005, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 81c70dc9, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d11780
00000008
CURRENT_IRQL: 5
FAULTING_IP:
nt!EtwGetKernelTraceTimestamp+77
81c70dc9 894608 mov dword ptr [esi+8],eax
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_RC
BUGCHECK_STR: 0xA
PROCESS_NAME: Idle
TRAP_FRAME: 82605c10 -- (.trap ffffffff82605c10)
ErrCode = 00000002
eax=f6d9ea6e ebx=82605cc8 ecx=0080005b edx=00000002 esi=00000000 edi=82605cbc
eip=81c70dc9 esp=82605c84 ebp=82605c84 iopl=0 nv up ei pl nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010213
nt!EtwGetKernelTraceTimestamp+0x77:
81c70dc9 894608 mov dword ptr [esi+8],eax ds:0023:00000008=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 81c70dc9 to 81c8fc44
STACK_TEXT:
82605c10 81c70dc9 badb0d00 00000002 82605c30 nt!KiTrap0E+0x2ac
82605c84 81c70d2d 20004000 85e24280 82615000 nt!EtwGetKernelTraceTimestamp+0x77
82605cac 81c908ad 85650d08 00000002 81c7fe8f nt!EtwGetInterruptTimeStamp+0x1c
82605cd0 81c907b9 81faba02 00000063 81cf8740 nt!KiChainedDispatch2ndLvl+0xb1
82605cd0 81fb42a6 81faba02 00000063 81cf8740 nt!KiChainedDispatch+0x29
82605d50 81c91272 00000000 0000000e 35003900 hal!HalProcessorIdle+0x2
82605d54 00000000 0000000e 35003900 45004500 nt!KiIdleLoop+0xa
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!EtwGetKernelTraceTimestamp+77
81c70dc9 894608 mov dword ptr [esi+8],eax
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4549ae00
SYMBOL_NAME: nt!EtwGetKernelTraceTimestamp+77
FAILURE_BUCKET_ID: 0xA_W_nt!EtwGetKernelTraceTimestamp+77
BUCKET_ID: 0xA_W_nt!EtwGetKernelTraceTimestamp+77
Followup: MachineOwner
---------
One of the problems with troubleshooting this BSOD is that I get it only about once a week.
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000008, memory referenced
Arg2: 00000005, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 81c70dc9, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 81d315ac
Unable to read MiSystemVaType memory at 81d11780
00000008
CURRENT_IRQL: 5
FAULTING_IP:
nt!EtwGetKernelTraceTimestamp+77
81c70dc9 894608 mov dword ptr [esi+8],eax
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_RC
BUGCHECK_STR: 0xA
PROCESS_NAME: Idle
TRAP_FRAME: 82605c10 -- (.trap ffffffff82605c10)
ErrCode = 00000002
eax=f6d9ea6e ebx=82605cc8 ecx=0080005b edx=00000002 esi=00000000 edi=82605cbc
eip=81c70dc9 esp=82605c84 ebp=82605c84 iopl=0 nv up ei pl nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010213
nt!EtwGetKernelTraceTimestamp+0x77:
81c70dc9 894608 mov dword ptr [esi+8],eax ds:0023:00000008=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 81c70dc9 to 81c8fc44
STACK_TEXT:
82605c10 81c70dc9 badb0d00 00000002 82605c30 nt!KiTrap0E+0x2ac
82605c84 81c70d2d 20004000 85e24280 82615000 nt!EtwGetKernelTraceTimestamp+0x77
82605cac 81c908ad 85650d08 00000002 81c7fe8f nt!EtwGetInterruptTimeStamp+0x1c
82605cd0 81c907b9 81faba02 00000063 81cf8740 nt!KiChainedDispatch2ndLvl+0xb1
82605cd0 81fb42a6 81faba02 00000063 81cf8740 nt!KiChainedDispatch+0x29
82605d50 81c91272 00000000 0000000e 35003900 hal!HalProcessorIdle+0x2
82605d54 00000000 0000000e 35003900 45004500 nt!KiIdleLoop+0xa
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!EtwGetKernelTraceTimestamp+77
81c70dc9 894608 mov dword ptr [esi+8],eax
SYMBOL_STACK_INDEX: 1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4549ae00
SYMBOL_NAME: nt!EtwGetKernelTraceTimestamp+77
FAILURE_BUCKET_ID: 0xA_W_nt!EtwGetKernelTraceTimestamp+77
BUCKET_ID: 0xA_W_nt!EtwGetKernelTraceTimestamp+77
Followup: MachineOwner
---------
This is what I've done so far to diagnose the problem:
- Ran Windows Memory diagnostics: Everything fine.
- Ran System File Scanner: Everything fine.
- Ran Spinrite: Everything fine.
- Happens even in Diagnostic Startup mode: Rules our keyboard, mouse, sound and PhysX drivers plus all extra background programs and services.
Hmm, with a fresh install of Vista it's likely to be either an incompatibility or a driver. Has anything revealed itself in the Event Viewer?
I'd suggest:
1) Removing any hardware that you don't need
2) Updating all drivers to the latest Vista version. For any drivers that don't have a Vista version, run the installation in XP SP2 compatibility mode and Run as Administrator.
3) Checking each piece of hardware against the HCL to see if anything pops out.
This is a shotgun approach and should eliminate the drivers as an issue - which would then lead me to wonder about a hardware problem (since it fails under load).
I'd suggest:
1) Removing any hardware that you don't need
2) Updating all drivers to the latest Vista version. For any drivers that don't have a Vista version, run the installation in XP SP2 compatibility mode and Run as Administrator.
3) Checking each piece of hardware against the HCL to see if anything pops out.
This is a shotgun approach and should eliminate the drivers as an issue - which would then lead me to wonder about a hardware problem (since it fails under load).
1) I'm already down to the essentials.
2) All drivers are updated.
3) HLC?
In the event viewer there are a couple errors I don't know what to make of. Under system there is this:
2) All drivers are updated.
3) HLC?
In the event viewer there are a couple errors I don't know what to make of. Under system there is this:
QUOTE
Source: ACPI
Event ID: 6
IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 13, function 0. Please contact your system vendor for technical assistance.
I get the same error at the same time for PCI slots 12, 11 and 14. Under application there is this:Event ID: 6
IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 13, function 0. Please contact your system vendor for technical assistance.
QUOTE
Source: SibeBySide
Event ID: 33
Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed
\MFC80U.DLL". Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
There is always two of these at the same time.
Event ID: 33
Activation context generation failed for "C:\Windows\WinSxS\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed
\MFC80U.DLL". Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
HCL = Hardware Compatibility List
From the Event Viewer errors, I'm starting to think that this is your motherboard drivers or an incompatibility with your mobo. Try this tool to see what it gets you: http://www.microsoft.com/technet/solutiona...wv/default.mspx
Also, I got some more info on this from my visit to Microsoft this week. They promised me that the slides would be online - so I didn't take notes
Anywho, there are also tools in the ACT 5.0 release that will monitor errors related to compatibility and report back to you - but since I don't have the slides, I don't have the details.
From the Event Viewer errors, I'm starting to think that this is your motherboard drivers or an incompatibility with your mobo. Try this tool to see what it gets you: http://www.microsoft.com/technet/solutiona...wv/default.mspx
Also, I got some more info on this from my visit to Microsoft this week. They promised me that the slides would be online - so I didn't take notes
Anywho, there are also tools in the ACT 5.0 release that will monitor errors related to compatibility and report back to you - but since I don't have the slides, I don't have the details.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.