Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


'win32k.sys' windows file corrupted

  • Please log in to reply
3 replies to this topic

#1 Delta16


  • Members
  • 417 posts
  • Gender:Male
  • Location:Malta
  • Local time:03:55 AM

Posted 19 March 2009 - 08:23 AM

Hi, The system is crashing, and the debugger result was that it was coming from 'win32k.sys'

If it could happen, I would like to replace or repair the windows file named 'win32k.sys'

System Specs :

Make- i guess it doesnt have a make because I built it.
CPU : AMD Athlon x64 3.1GHZ, dual core
RAM : 2x 2GB Corsair ( 4GB in all)
Mobo : Gigabyte GA-MA78G-DS3H
HDD : Maxtor 320gb
GPU : Nvidia bliss 8800gt 1GB

Latest debugger output:
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\WINDOWS\Minidump\Mini031509-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
*** WARNING: Unable to verify checksum for ntkrnlmp.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 3) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_qfe.080813-1204
Machine Name:
Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d71a0
Debug session time: Sun Mar 15 18:52:00.812 2009 (GMT+1)
System Uptime: 0 days 5:14:01.686
*** WARNING: Unable to verify checksum for ntkrnlmp.exe
Loading Kernel Symbols

Loading User Symbols
Loading unloaded module list
*																			 *
*						Bugcheck Analysis									*
*																			 *

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffffa8004ebc000, 0, fffff97fff1801a4, 0}

Could not read faulting driver name
Probably caused by : win32k.sys ( win32k!NtUserfnINDEVICECHANGE+1bb )

Followup: MachineOwner

0: kd> !analyze -v
*																			 *
*						Bugcheck Analysis									*
*																			 *

Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arg1: fffffa8004ebc000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff97fff1801a4, If non-zero, the instruction address which referenced the bad memory
Arg4: 0000000000000000, (reserved)

Debugging Details:

Could not read faulting driver name

READ_ADDRESS:  fffffa8004ebc000 

fffff97f`ff1801a4 8b4630		  mov	 eax,dword ptr [rsi+30h]





PROCESS_NAME:  winamp.exe


TRAP_FRAME:  fffffadf8bfd5bb0 -- (.trap 0xfffffadf8bfd5bb0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa8004ebbfd0
rdx=0000000000000016 rsi=0000000000000000 rdi=0000000000000000
rip=fffff97fff1801a4 rsp=fffffadf8bfd5d40 rbp=00000000001563d8
 r8=0000000000000000  r9=fffffa8004ebbfd0 r10=000003cc00000000
r11=fffffa8004ebbfd0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0		 nv up ei pl zr na po nc
fffff97f`ff1801a4 8b4630		  mov	 eax,dword ptr [rsi+30h] ds:fdc6:00000000`00000030=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800010a64c9 to fffff8000102e950

fffffadf`8bfd5ad8 fffff800`010a64c9 : 00000000`00000050 fffffa80`04ebc000 00000000`00000000 fffffadf`8bfd5bb0 : nt!KeBugCheckEx
fffffadf`8bfd5ae0 fffff800`0102d519 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0xa1f
fffffadf`8bfd5bb0 fffff97f`ff1801a4 : 00000000`00000000 00000000`001563d8 00000000`00000000 00000000`0000002c : nt!KiPageFault+0x119
fffffadf`8bfd5d40 fffff97f`ff0a5961 : fffff97f`f5e20bc0 00000000`000104d4 00000000`0000002c fffffa80`04ebbfd0 : win32k!NtUserfnINDEVICECHANGE+0x1bb
fffffadf`8bfd5de0 fffff800`0102e3fd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : win32k!NtUserMessageCall+0x142
fffffadf`8bfd5e80 00000000`6b2b5e8a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x3
00000000`066ed6d8 fffff800`010265d0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x6b2b5e8a
fffffadf`8bfd6280 00000000`00000000 : fffff800`01037c89 00000000`00000000 00000000`00000000 00000000`00000001 : nt!KiCallUserMode


fffff97f`ff1801a4 8b4630		  mov	 eax,dword ptr [rsi+30h]



FOLLOWUP_NAME:  MachineOwner


IMAGE_NAME:  win32k.sys



BUCKET_ID:  X64_0x50_win32k!NtUserfnINDEVICECHANGE+1bb

Followup: MachineOwner
Winamp is removed from the system, I dont know why it is always appearing in the minidump.

Some methods that I've done, which everything remained the same, are as follows :
  • Method 1
    Did a memory test, no errors were found
  • Method 2
    Disabled and re-enabled virtual memory
  • Method 3
    Disabled also Auto Reboot On System Crash and it kept rebooting when it crash
  • Method 4
    Renamed the file 'win32k.sys' to 'win32k.old', closed the system 32 folder and re opened. The system crashed again with the new file.
The next method that I am going to make before making a format is, a system repair from the windows disk.

If someone could tell me more methods, so I can solve this annoying problem, it will be much appreciated.

Edited by Delta16, 19 March 2009 - 08:24 AM.

BC AdBot (Login to Remove)


#2 Elise


    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania
  • Local time:04:55 AM

Posted 19 March 2009 - 08:42 AM

Did you remove half the memory/switch modules etc to see if it changed something?

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


Malware analyst @ Emsisoft

#3 Romeo29


    Learning To Bleep

  • Members
  • 3,194 posts
  • Gender:Not Telling
  • Location:
  • Local time:08:55 PM

Posted 19 March 2009 - 09:22 AM

Try installing this update: http://www.microsoft.com/technet/security/...n/MS09-006.mspx
It will install latest win32k.sys to your system.

Edited by Romeo29, 19 March 2009 - 09:24 AM.

#4 Delta16

  • Topic Starter

  • Members
  • 417 posts
  • Gender:Male
  • Location:Malta
  • Local time:03:55 AM

Posted 19 March 2009 - 10:50 AM

Did you remove half the memory/switch modules etc to see if it changed something?

Yes, I tried a lot of times switching modules but not removing.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users