Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

How to find reason of IRQL_NOT_LESS_OR_EQUAL?


  • Please log in to reply
10 replies to this topic

#1 Sergei_28

Sergei_28

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 26 May 2009 - 03:07 AM

Found a lot of search results but seems they are not for my stop error

I started after Windows media player asked me to update to 11. It not installed fine and I got IRQL_NOT_LESS_OR_EQUUAL on shut down restart. A couple of days after I got the error on start up. So I back by System to restore point and installed SP3 on my XP pro.
Now the error appears time to time.

IRQL_NOT_LESS_OR_EQUAL
STOP: 0x0000000A (0x00000000, 0x0000001C, 0x00000001, 0x804FAD53)

How to find a driver what couse the error?

Thank you for help

Edited by Sergei_28, 26 May 2009 - 07:46 AM.


BC AdBot (Login to Remove)

 


#2 hamluis

hamluis

    Moderator


  • Moderator
  • 55,559 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:57 AM

Posted 26 May 2009 - 09:00 AM

Help Diagnosing BSODs And Crashes (BC) - http://www.bleepingcomputer.com/forums/t/176011/how-to-receive-help-diagnosing-blue-screens-and-windows-crashes/

How to Use Driver Verifier to Troubleshoot Windows Drivers - http://support.microsoft.com/kb/q244617/

Louis

#3 Sergei_28

Sergei_28
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 26 May 2009 - 06:11 PM

I have XP build 2600.xpsp_sp3_gdr.090206-1234 SP3
Safe mode

Tried

Help Diagnosing BSODs And Crashes (BC) - http://www.bleepingcomputer.com/forums/t/176011/how-to-receive-help-diagnosing-blue-screens-and-windows-crashes/


1. Tested system by Windows Onecare online, Drweb and Malwarebytes, last one found registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Next tried to install debugging tools for Wilndows x86
Got message in Safe mode, I logged as admin - "The system administrator has set polices to prevent this installation"

This is the point I'm stoped now

Please help!

#4 Sergei_28

Sergei_28
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 27 May 2009 - 04:55 AM

While Im restart from Safe mode to Normal, received two warnings "windows cannot access specified device... you may not permition to access
mbamguri.exe
mbam.exe

they are Malwarebytes files but I can run MWAM, any suggestions?

I also run Uniblue driverscan
it found 13 out of date drivers

- SDA Standart ncomplaint SD host controller
- Mobile Intel PM965 Express process to DRAM controller 2A00
- Mobile Intel PM965 Express PCI Express root port 2A01
- Laptop integrated webcam
- Intel ICH8M LPC interface controller
- Intel ICH8 Family PCI express root Port 1
- Intel ICH8 Family PCI express root Port 2
- Intel ICH8 Family PCI express root Port 4
- Bluetooth Bus enumerator
- Audio bluetooth
- Hi-audio bluetooth
- Sigmatel High definition audio codec
- Intel ICH8 Family SMBus controller

Sould I perform update? Im in care not to breake system at all

Edited by Sergei_28, 27 May 2009 - 04:56 AM.


#5 hamluis

hamluis

    Moderator


  • Moderator
  • 55,559 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:57 AM

Posted 27 May 2009 - 01:16 PM

If you are saying that you cannot debug your dump messages...this is the best that I can suggest (maybe someone else has other ideas): http://support.microsoft.com/kb/314063

One alternative you might try: http://www.winhelponline.com/blog/whocrash...alyzer-windows/

Louis

#6 Sergei_28

Sergei_28
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 27 May 2009 - 02:16 PM

Hi Louis,

I solved problem with installation of debugging tools for windows, the reason of problem was not possible to install it in Windows Safe mode

Ok here is a report
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini052609-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Tue May 26 11:12:19.546 2009 (GMT+3)
System Uptime: 0 days 0:01:21.339
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
Loading unloaded module list
.....
Unable to load image OADriver.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for OADriver.sys
*** ERROR: Module load completed but symbols could not be loaded for OADriver.sys
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {0, 1c, 1, 804fad53}

Probably caused by : OADriver.sys ( OADriver+7bbb )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804fad53, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  00000000 

CURRENT_IRQL:  1c

FAULTING_IP: 
nt!KeWaitForMultipleObjects+23f
804fad53 8902			mov	 dword ptr [edx],eax

CUSTOMER_CRASH_COUNT:  3

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  rundll32.exe

LAST_CONTROL_TRANSFER:  from b5ccabbb to 804fad53

STACK_TEXT:  
b3ddac60 b5ccabbb 00000002 b3ddacc4 00000001 nt!KeWaitForMultipleObjects+0x23f
WARNING: Stack unwind information not available. Following frames may be wrong.
b3ddace8 b5ceb0ba 00000798 00000518 883b9cc0 OADriver+0x7bbb
b3ddad44 8054162c 0007faf8 00100020 0007fa9c OADriver+0x280ba
b3ddad44 7c90e514 0007faf8 00100020 0007fa9c nt!KiFastCallEntry+0xfc
0007fb18 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
OADriver+7bbb
b5ccabbb ??			  ???

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  OADriver+7bbb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: OADriver

IMAGE_NAME:  OADriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  49f5806c

FAILURE_BUCKET_ID:  0xA_OADriver+7bbb

BUCKET_ID:  0xA_OADriver+7bbb

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804fad53, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  00000000 

CURRENT_IRQL:  1c

FAULTING_IP: 
nt!KeWaitForMultipleObjects+23f
804fad53 8902			mov	 dword ptr [edx],eax

CUSTOMER_CRASH_COUNT:  3

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  rundll32.exe

LAST_CONTROL_TRANSFER:  from b5ccabbb to 804fad53

STACK_TEXT:  
b3ddac60 b5ccabbb 00000002 b3ddacc4 00000001 nt!KeWaitForMultipleObjects+0x23f
WARNING: Stack unwind information not available. Following frames may be wrong.
b3ddace8 b5ceb0ba 00000798 00000518 883b9cc0 OADriver+0x7bbb
b3ddad44 8054162c 0007faf8 00100020 0007fa9c OADriver+0x280ba
b3ddad44 7c90e514 0007faf8 00100020 0007fa9c nt!KiFastCallEntry+0xfc
0007fb18 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
OADriver+7bbb
b5ccabbb ??			  ???

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  OADriver+7bbb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: OADriver

IMAGE_NAME:  OADriver.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  49f5806c

FAILURE_BUCKET_ID:  0xA_OADriver+7bbb

BUCKET_ID:  0xA_OADriver+7bbb

Followup: MachineOwner
---------


#7 hamluis

hamluis

    Moderator


  • Moderator
  • 55,559 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:57 AM

Posted 27 May 2009 - 03:13 PM

The finger points at http://www.tallemu.com/oasis2/vendor/tall_emu_pty_ltd/7150

More info, http://www.tallemu.com/oasis2/file/tall_em...iver_sys/127423

The first question: Do you have any of the products listed in the first link...installed?

Second question: Is the file the correct size and location on your system?

Suggestion: Uninstall whatever software uses this driver (if valid), see if BSODs continue. Reinstall software after reasonable period of time (whatever it takes to prove/disprove connection with BSODs).

Note: When you read that a driver is likely the cause of trouble...bear in mind that there are all sorts of applications, as well as hardware items, which use drivers in Windows XP. To find such without a debug message is pretty difficult, IMO.

Louis

Related reading: http://support.tallemu.com/vbforum/showthread.php?t=8437

Edited by hamluis, 27 May 2009 - 03:15 PM.


#8 Sergei_28

Sergei_28
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 27 May 2009 - 04:19 PM

Hi Louis,

Thanks for attention to my post

Yes it is Online Armor firewall I installed a couple of weeks ago

driver location looks correct: windows/system32/drivers
but size 194 kb against 80,5 k

Im going to remove OA

#9 Sergei_28

Sergei_28
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:57 AM

Posted 28 May 2009 - 02:08 PM

Sorry It is not the happy end yet
I uninstalled OA but still get BSOD
It is difficult for me to understand dump, please instruct steps to remove problem
It is in SAFE mode OK

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini052809-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu May 28 18:29:43.765 2009 (GMT+3)
System Uptime: 0 days 0:01:37.562
Loading Kernel Symbols
...............................................................
................................................................
......................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F4, {3, 8853eda0, 8853ef14, 805d297c}

unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
Probably caused by : hardware_disk

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 8853eda0, Terminating object
Arg3: 8853ef14, Process image file name
Arg4: 805d297c, Explanatory message (ascii)

Debugging Details:
------------------

unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase

PROCESS_OBJECT: 8853eda0

IMAGE_NAME:  hardware_disk

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAULTING_MODULE: 00000000 

PROCESS_NAME:  csrss.exe

EXCEPTION_RECORD:  b82c79d8 -- (.exr 0xffffffffb82c79d8)
ExceptionAddress: 75b7cff5
   ExceptionCode: c0000006 (In-page I/O error)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000008
   Parameter[1]: 75b7cff5
   Parameter[2]: c000009a
Inpage operation failed at 75b7cff5, due to I/O error c000009a

EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT

ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  75b7cff5

EXCEPTION_PARAMETER3:  c000009a

IO_ERROR: (NTSTATUS) 0xc000009a - Insufficient system resources exist to complete the API.

EXCEPTION_STR:  0xc0000006_c000009a

FAULTING_IP: 
+1e7952f00b1dfdc
75b7cff5 ??			  ???

BUGCHECK_STR:  0xF4_IOERR_C000009A

STACK_TEXT:  
b82c7520 805d1ac5 000000f4 00000003 8853eda0 nt!KeBugCheckEx+0x1b
b82c7544 805d2a27 805d297c 8853eda0 8853ef14 nt!PspCatchCriticalBreak+0x75
b82c7574 8054162c 8853efe8 c0000006 b82c79b0 nt!NtTerminateProcess+0x7d
b82c7574 80501161 8853efe8 c0000006 b82c79b0 nt!KiFastCallEntry+0xfc
b82c75f4 804fe816 ffffffff c0000006 b82c79f8 nt!ZwTerminateProcess+0x11
b82c79b0 805028cf b82c79d8 00000000 b82c7d64 nt!KiDispatchException+0x3a0
b82c7d34 80544ef7 00d0f288 00d0f2a8 00000000 nt!KiRaiseException+0x175
b82c7d50 8054162c 00d0f288 00d0f2a8 00000000 nt!NtRaiseException+0x33
b82c7d50 75b7cff5 00d0f288 00d0f2a8 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
00d0fe9c 00000000 00000000 00000000 00000000 0x75b7cff5


STACK_COMMAND:  kb

FOLLOWUP_IP: 
+1e7952f00b1dfdc
75b7cff5 ??			  ???

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: hardware_disk

FAILURE_BUCKET_ID:  0xF4_IOERR_C000009A_IMAGE_hardware_disk

BUCKET_ID:  0xF4_IOERR_C000009A_IMAGE_hardware_disk

Followup: MachineOwner

Edited by Sergei_28, 28 May 2009 - 02:09 PM.


#10 hamluis

hamluis

    Moderator


  • Moderator
  • 55,559 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:57 AM

Posted 28 May 2009 - 02:47 PM

<>

<>

The two above excerpts, along with the various other references to hard disk in your latest message...would tell me that I need to check the boot partition/drive, using a manufacturer's diagnostic.

Hard Drive Installation and Diagnostic Tools - http://www.bleepingcomputer.com/forums/t/28744/hard-drive-installation-and-diagnostic-tools/ Use the utility appropriate for your hard drive.

All of your problems may have resulted from a bad hard drive.

Louis

#11 klopex

klopex

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:57 AM

Posted 24 August 2009 - 03:15 PM

This is kinda technical, but here's what I see... And I do not have a solution...

KeWaitForMultipleObjects takes an ObjectArray pointer and a WaitBlockArray pointer. The Object Array can be an array of KTHREAD structures or whatever. In WinDbg, if you look at KeWaitForMultipleObjects+0x23f, it is doing the following (I am pretty sure): *(*(((PUCHAR)&WaitBlockArray) + 0xC) + 0xC).
According to MSDN documentation, the WaitBlockArray does not need to be initialized before being passed to KeWaitForMultipleObjects(). The kernel will init it for you.
So, how did a NULL pointer end up in that structure!?!
I looked at some kernel structures on http://www.nirsoft.net/kernel_struct/vista and learned the following:
((PUCHAR)&WaitBlockArray) + 0xC = WaitBlockArray.Object.
If you look at the minidumps you can find for this bugcheck on the web, you'll find that the address in WaitBlockArray.Object is the address from an ObjectArray member.
In at least one minidump, I saw that the ObjectArray was a KTHREAD array.
Therefore:
*(*(((PUCHAR)&WaitBlockArray) + 0xC) + 0xC) = *(((PUCHAR)&KThread) + 0xC).
Again, on http://www.nirsoft.net/kernel_struct/vista, I found the structure definition for KTHREAD.
*(((PUCHAR)&KThread) + 0xC) = KTHREAD.Header.WaitListHead.FLink

This suggests that in the creation of the KTHREADs (or whatever) the structures are not being inserted successfully into a linked list. Or, it could suggest that someone is trampling the stack. I do not know what to think. I find people doing rather different things and having this bugcheck occur. It seems like there is something fragile in KeWaitForMultipleObjects...

Disclaimer: http://www.nirsoft.net/kernel_struct/vista describes Vista kernel structures. If any of these structures have changed from XP to Vista, then everything I said is incorrect!

Edited by klopex, 24 August 2009 - 03:16 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users