Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Blue Screen (Win XP Pro)


  • Please log in to reply
11 replies to this topic

#1 Quid_Nunc

Quid_Nunc

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 09 December 2008 - 02:29 PM

I have been using a new computer for a few weeks now and have been annoyed with constant blue screens. I found this forum and am attaching my debugger output below and hope that somebody can help me. My laptop has blue screen 3 times this morning, all of them have been the IRQL_NOT_LESS_OR_EQUAL error, but they have happened at different times while I was performing different operations so I don't think its related to a specific application install. Below is the output from my latest one, this happened while I was talking on the phone through the Cisco IP Communicator softphone (VoIP). Please help!


Microsoft ® Windows Debugger Version 6.10.0003.233 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini120908-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.080814-1236
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Dec 9 14:00:35.804 2008 (GMT-5)
System Uptime: 0 days 1:33:58.656
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..................................
Loading User Symbols
Loading unloaded module list
.............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {5, 1c, 1, 80502ce8}

Probably caused by : win32k.sys ( win32k!SetWakeBit+b2 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000005, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80502ce8, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS: 00000005

CURRENT_IRQL: 1c

FAULTING_IP:
nt!KiUnlinkThread+28
80502ce8 895004 mov dword ptr [eax+4],edx

CUSTOMER_CRASH_COUNT: 3

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: migwiz.exe

LAST_CONTROL_TRANSFER: from 80502d2e to 80502ce8

STACK_TEXT:
a488a8fc 80502d2e 85b35090 00000100 00000000 nt!KiUnlinkThread+0x28
a488a910 804fa28d 00000002 00000000 e5b5eab0 nt!KiUnwaitThread+0x12
a488a92c bf801703 856a16d0 00000002 00000000 nt!KeSetEvent+0x49
a488a948 bf8087f2 e5b5eab0 00000108 e838d710 win32k!SetWakeBit+0xb2
a488a974 bf87b9cf 00000000 0000c103 00000000 win32k!_PostMessage+0x179
a488aa44 bf87b628 bc6f06e8 0000c103 00000000 win32k!xxxSendBSMtoDesktop+0x321
a488aa84 bf87b421 bc6f06e8 0000c103 00000000 win32k!xxxSendMessageBSM+0xd6
a488aae0 bf80ee88 bc6f06e8 0000c103 00000000 win32k!xxxWrapSendMessageBSM+0x66
a488ab10 8054162c 00010014 0000c103 00000000 win32k!NtUserMessageCall+0x8a
a488ab10 7c90e4f4 00010014 0000c103 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006dd30 00000000 00000000 00000000 00000000 0x7c90e4f4


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!SetWakeBit+b2
bf801703 ebe2 jmp win32k!SetWakeBit+0xb2 (bf8016e7)

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: win32k!SetWakeBit+b2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48ce513a

FAILURE_BUCKET_ID: 0xA_win32k!SetWakeBit+b2

BUCKET_ID: 0xA_win32k!SetWakeBit+b2

Followup: MachineOwner
---------

BC AdBot (Login to Remove)

 


#2 Quid_Nunc

Quid_Nunc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 09 December 2008 - 02:35 PM

Regarding the midwiz.exe application itself, I just realized this is an application I don't need anymore and don't want it running so I have just removed it. I don't think it's related to the problem I have been having but will let you know if I get another blue screen even after having it removed.

#3 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,089 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:03:48 PM

Posted 09 December 2008 - 03:14 PM

Migwiz.exe was using win32k.sys when win32k.sys crashed.

So, it depends on what else was going on with your system.
It could be an issue with win32k.sys - but that's not likely
It could be an issue with migwiz.exe - and that's more likely
Further BSOD's will help to rule that out also.
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#4 Quid_Nunc

Quid_Nunc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 09 December 2008 - 05:06 PM

Happened again! Very frustrating


Microsoft ® Windows Debugger Version 6.10.0003.233 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini120908-04.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.080814-1236
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Dec 9 16:54:21.035 2008 (GMT-5)
System Uptime: 0 days 2:53:00.370
Loading Kernel Symbols
...............................................................
................................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {96091880, 1c, 1, 80502ce6}

Probably caused by : ntkrpamp.exe ( nt!KiUnlinkThread+26 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 96091880, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80502ce6, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS: 96091880

CURRENT_IRQL: 1c

FAULTING_IP:
nt!KiUnlinkThread+26
80502ce6 8902 mov dword ptr [edx],eax

CUSTOMER_CRASH_COUNT: 4

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: Idle

LAST_CONTROL_TRANSFER: from 80502d2e to 80502ce6

STACK_TEXT:
805512b0 80502d2e 85810780 85810788 00000102 nt!KiUnlinkThread+0x26
805512c4 80502f25 00000000 805512e0 00000000 nt!KiUnwaitThread+0x12
805512f0 8050213e 2b2ed0dc 00000017 80551418 nt!KiWaitTest+0xab
805513fc 8050232b 8055c0c0 ffdff9c0 ffdff000 nt!KiTimerListExpire+0x7a
80551428 80545e7f 8055c4c0 00000000 000a2317 nt!KiTimerExpiration+0xb1
80551450 80545d64 00000000 0000000e 00000000 nt!KiRetireDpcList+0x61
80551454 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x28


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiUnlinkThread+26
80502ce6 8902 mov dword ptr [edx],eax

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!KiUnlinkThread+26

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48a3fbd9

FAILURE_BUCKET_ID: 0xA_nt!KiUnlinkThread+26

BUCKET_ID: 0xA_nt!KiUnlinkThread+26

Followup: MachineOwner
---------

#5 Quid_Nunc

Quid_Nunc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 09 December 2008 - 06:00 PM

Had back to back crashes, both seem very similar


Microsoft ® Windows Debugger Version 6.10.0003.233 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini120908-05.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.080814-1236
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Dec 9 16:59:02.515 2008 (GMT-5)
System Uptime: 0 days 0:04:13.245
Loading Kernel Symbols
...............................................................
................................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {14b880, 1c, 1, 80502ce6}

Probably caused by : ntkrpamp.exe ( nt!KiUnlinkThread+26 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0014b880, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80502ce6, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS: 0014b880

CURRENT_IRQL: 1c

FAULTING_IP:
nt!KiUnlinkThread+26
80502ce6 8902 mov dword ptr [edx],eax

CUSTOMER_CRASH_COUNT: 5

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: Idle

LAST_CONTROL_TRANSFER: from 80502d2e to 80502ce6

STACK_TEXT:
805512b0 80502d2e 89e927a8 89e927b0 00000102 nt!KiUnlinkThread+0x26
805512c4 80502f25 00000000 805512e0 00000000 nt!KiUnwaitThread+0x12
805512f0 8050213e 96f232a7 0000004f 80551418 nt!KiWaitTest+0xab
805513fc 8050232b 8055c0c0 ffdff9c0 ffdff000 nt!KiTimerListExpire+0x7a
80551428 80545e7f 8055c4c0 00000000 00003f4f nt!KiTimerExpiration+0xb1
80551450 80545d64 00000000 0000000e 00000000 nt!KiRetireDpcList+0x61
80551454 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x28


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiUnlinkThread+26
80502ce6 8902 mov dword ptr [edx],eax

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!KiUnlinkThread+26

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48a3fbd9

FAILURE_BUCKET_ID: 0xA_nt!KiUnlinkThread+26

BUCKET_ID: 0xA_nt!KiUnlinkThread+26

Followup: MachineOwner
---------

#6 Quid_Nunc

Quid_Nunc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 10 December 2008 - 09:08 AM

And here is another one I got last night, this one I get occasionally when my computer sits idle for a while and I see the blue screen when I get back to my desk. The count shows I have gotten this one "BAD_POOL_HEADER" 7 times. Could these two different blue screen messages be related? Or do I have two problems?


Microsoft ® Windows Debugger Version 6.10.0003.233 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini120908-07.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.080814-1236
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue Dec 9 21:08:30.134 2008 (GMT-5)
System Uptime: 0 days 3:59:56.520
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, 84db15e0, 84db1618, 1a070001}

Unable to load image SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+141c9 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 84db15e0, The pool entry we were looking for within the page.
Arg3: 84db1618, The next pool entry.
Arg4: 1a070001, (reserved)

Debugging Details:
------------------


BUGCHECK_STR: 0x19_20

POOL_ADDRESS: 84db15e0

CUSTOMER_CRASH_COUNT: 7

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

PROCESS_NAME: svchost.exe

LAST_CONTROL_TRANSFER: from 8054b583 to 804f9f43

STACK_TEXT:
a5456b50 8054b583 00000019 00000020 84db15e0 nt!KeBugCheckEx+0x1b
a5456ba0 80622e21 84db15e8 00000000 00000000 nt!ExFreePoolWithTag+0x2a3
a5456bb8 8062b4a2 e7e1e460 857c2508 8568e440 nt!CmpFreePostBlock+0x4d
a5456bf0 805d24c5 8568e440 8568e440 8568e688 nt!CmNotifyRunDown+0xdc
a5456c90 805d28d4 00000000 00000000 8568e440 nt!PspExitThread+0x433
a5456cb0 805d2c14 8568e440 00000000 c0000001 nt!PspTerminateThreadByPointer+0x52
a5456cd0 a6f181c9 00000000 00000000 89c36aa0 nt!NtTerminateThread+0x70
WARNING: Stack unwind information not available. Following frames may be wrong.
a5456d54 8054162c 00000000 00000000 01e1ffb4 SYMEVENT+0x141c9
a5456d54 7ff9e000 00000000 00000000 01e1ffb4 nt!KiFastCallEntry+0xfc
a5456dc4 00000000 7c90e4f4 0000001b 00000246 0x7ff9e000


STACK_COMMAND: kb

FOLLOWUP_IP:
SYMEVENT+141c9
a6f181c9 ?? ???

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: SYMEVENT+141c9

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME: SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 478bf054

FAILURE_BUCKET_ID: 0x19_20_SYMEVENT+141c9

BUCKET_ID: 0x19_20_SYMEVENT+141c9

Followup: MachineOwner
---------

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:48 AM

Posted 10 December 2008 - 04:36 PM

Check your devices in Device Manager (Start > Run > type "devmgmt.msc" (without the quotes) and press Enter). Look for any "!", "?" or "X" symbols.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#8 Quid_Nunc

Quid_Nunc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 12 December 2008 - 10:05 AM

Device manager is clean, no alarms, no conflicts

#9 Luser

Luser

  • Members
  • 47 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 12 December 2008 - 11:16 AM

Update all hardware drivers.

BSOD 9 out of 10 times are caused by faulty, wrong or old Hardware drivers.
Dont want to have problems with your computer?
Solution : install a good free anti virus, anti spyware & and stay away from misleading applications. Update your OS and vital programs as often as you can, to shut down those open security holes.
Stay away from shareware and trailware applications, avoid installing browser addins and toolbars. Read up on things before trying new applications.

Learn more about : Viruses, malmware & trojans | Need a bootdisk? | Want to know what that EventID mean? | Cybercrimes what is that?

#10 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:48 AM

Posted 12 December 2008 - 04:04 PM

You could also try running some hardware diagnostics such as Memtest86, and a hard disk diagnostic from the drive manufacturer's website.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#11 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,089 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:03:48 PM

Posted 13 December 2008 - 02:06 PM

Symantec/Norton was cited in the last BSOD - and Symantec products typically are involved in your system in a very basic level.
So, I'd start with uninstalling your Symantec/Norton programs.
Then run the Norton Removal Tool (free from here: http://service1.symantec.com/Support/tsgen...005033108162039 )

Install another antivirus for protection while you're testing (There's a list of free one's in this thread: http://www.bleepingcomputer.com/forums/topic3616.html

Also, try running SFC.EXE /SCANNOW from the Run dialog. More info on that here: http://www.bleepingcomputer.com/forums/t/43051/how-to-use-sfcexe-to-repair-system-files/

If this stops the BSOD's - then you can presume that a corruption of the Symantec/Norton product was to blame. If the BSOD's keep coming we'll have to suspect:
- a malfunctioning hardware device (memory is on the top of this list)
- a corruption of Windows
My browser caused a flood of traffic, sio my IP address was banned. Hope to fix it soon. Will get back to posting as soon as Im able.

- John  (my website: http://www.carrona.org/ )**If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficult reading posts. (23 Nov 2017)FYI - I am completely blind in the right eye and ~30% blind in the left eye.<p>If the eye problems get worse suddenly, I may not be able to respond.If that's the case and help is needed, please PM a staff member for assistance.

#12 Quid_Nunc

Quid_Nunc
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 15 December 2008 - 10:34 AM

Ran memtest86 and it failed 5 hours into the test so I swapped out the RAM and it's been 4 days now without any blue screens. Yippee!

:thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users