BSOD - Help interpreting and fixing plz


12 replies to this topic

#1 Huggie Smiles


Posted 09 December 2009 - 11:11 PM

Hi

Windows XP machine - media centre home edition - 2002 - service pack 2;
Pentium 4; 504 RAM

I have had two unexpected BSOD this week. After a few hours unplugged machine has started again both times.

(as an aside my ipod has required itunes to restore twice this week also - are they related or just fluke?)

I have run several malware and antivirus scans and nothing has shown.


I followed the instructions from here: http://www.bleepingcomputer.com/forums/t/176011/how-to-receive-help-diagnosing-blue-screens-and-windows-crashes/


and this is the result of the analysis from the debug screen as requested, don't know what any of it means.


Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini120909-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Dec 9 06:52:48.093 2009 (GMT-6)
System Uptime: 0 days 0:03:54.765
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
Loading unloaded module list
...........
Unable to load image pbfilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for pbfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for pbfilter.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 8053a583, a9d60b94, 0}

Probably caused by : pbfilter.sys ( pbfilter+10a2 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8053a583, The address that the exception occurred at
Arg3: a9d60b94, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!memcpy+33
8053a583 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

TRAP_FRAME: a9d60b94 -- (.trap 0xffffffffa9d60b94)
ErrCode = 00000002
eax=fb8615dc ebx=00000000 ecx=0009fd74 edx=00000000 esi=fb5e200c edi=00000000
eip=8053a583 esp=a9d60c08 ebp=a9d60c10 iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010216
nt!memcpy+0x33:
8053a583 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: peerblock.exe

LAST_CONTROL_TRANSFER: from f89460a2 to 8053a583

STACK_TEXT:
a9d60c10 f89460a2 00000000 fb5e200c 0027f5d0 nt!memcpy+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
a9d60c40 804ef18f f903db38 f8ebc718 806e6410 pbfilter+0x10a2
a9d60c50 8057f982 f8ebc788 f90a7bf8 f8ebc718 nt!IopfCallDriver+0x31
a9d60c64 805807f7 f903db38 f8ebc718 f90a7bf8 nt!IopSynchronousServiceTail+0x70
a9d60d00 80579274 000000e0 00000000 00000000 nt!IopXxxControlFile+0x5c5
a9d60d34 8054161c 000000e0 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
a9d60d34 7c90eb94 000000e0 00000000 00000000 nt!KiFastCallEntry+0xfc
0013f1bc 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
pbfilter+10a2
f89460a2 ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: pbfilter+10a2

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: pbfilter

IMAGE_NAME: pbfilter.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4ac050d3

FAILURE_BUCKET_ID: 0x8E_pbfilter+10a2

BUCKET_ID: 0x8E_pbfilter+10a2

Followup: MachineOwner
---------



the only bit I recognize is peerblock (similar to peerguardian) so any help appreciated!

THANKS

Edited by Huggie Smiles, 10 December 2009 - 11:14 AM.



 


#2 hamluis


Posted 10 December 2009 - 02:54 PM

http://forums.peerblock.com/index.php

Pbfilter.sys is another PeerBlock file.

I would uninstall/reinstall, if you have this installed. See Other Criticism at http://en.wikipedia.org/wiki/PeerGuardian.

Louis

#3 Huggie Smiles


Posted 10 December 2009 - 03:59 PM

does any of that debug and stack information mean anything to you? i.e. does it indicate hard drive issues or windows system issues? (I have no clue)
or does it just point towards that one piece of software being the culprit?

thanks for the response

#4 hamluis


Posted 10 December 2009 - 04:26 PM

Well...BSODs are often driver problems.

*.sys files are drivers. Programs like that mentioned, AV programs, firewalls, etc...all employ drivers to perform. Any driver for any program can become damaged and the program may then malperform.

BugCheck 1000008E is same as STOP error 8E, left column of http://www.aumha.org/a/stop.htm:

0x0000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED
A kernel mode program generated an exception which the error handler didn't catch. These are nearly always hardware compatibility issues (which sometimes means a driver issue or a need for a BIOS upgrade).


Is there a problem with uninstalling this program?

<<...does it indicate hard drive issues or windows system issues?>>

No, neither...based on what's been presented thus far. Not all issues are hard drive or Windows issues.

Louis
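
A closer reading of the trap frame and stack from post #1, as an added example that is not part of any post in this thread: the Python below parses lines copied from that dump and decodes what they show. It assumes the three argument words on the nt!memcpy frame are memcpy's destination, source and byte count, and uses the standard x86 page-fault error-code bits; the function names are hypothetical.

```python
import re

# Lines copied from the !analyze -v output in post #1 of this thread.
DUMP = """\
BugCheck 1000008E, {c0000005, 8053a583, a9d60b94, 0}
ErrCode = 00000002
eax=fb8615dc ebx=00000000 ecx=0009fd74 edx=00000000 esi=fb5e200c edi=00000000
8053a583 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
a9d60c10 f89460a2 00000000 fb5e200c 0027f5d0 nt!memcpy+0x33
a9d60c40 804ef18f f903db38 f8ebc718 806e6410 pbfilter+0x10a2
"""

# kb frame line: ChildEBP, RetAddr, three argument words, symbol.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){2}([0-9a-f]{8}) ([0-9a-f]{8}) "
                   r"([0-9a-f]{8}) (\S+)$", re.M)

def decode_pf_error(err):
    """Decode the low three bits of an x86 page-fault error code."""
    return {
        "page_present": bool(err & 1),              # 0 = page not present
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
    }

def triage(text):
    """Pull the fields that explain the crash out of the debugger text."""
    code, args = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text).groups()
    regs = {r: int(v, 16) for r, v in
            re.findall(r"\b(e[a-d]x|e[sd]i)=([0-9a-f]{8})", text)}
    err = int(re.search(r"ErrCode = ([0-9a-f]+)", text).group(1), 16)
    frames = FRAME.findall(text)
    # Assumption: on the memcpy frame the three argument words are dst, src, count.
    dst, _src, count = (int(x, 16) for x in frames[0][:3])
    return {
        "stop_code": int(code, 16) & 0x0FFFFFFF,    # 1000008E -> 8E, as in post #4
        "exception": int(args.split(",")[0], 16),   # c0000005 = access violation
        "fault": decode_pf_error(err),
        "memcpy_dst": dst,
        "memcpy_len": count,
        # rep movs counts dwords in ecx and writes through edi
        "faulted_on_first_write": regs["ecx"] == count // 4 and regs["edi"] == dst,
        "caller": frames[1][3],
    }

if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(key, value)
```

On this dump the result is a kernel-mode write to a not-present page at destination address 0, with ecx still equal to the full dword count, so the copy requested from pbfilter+0x10a2 faulted on its very first write. That reading points at the driver's call rather than at disk or memory hardware.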

#5 Huggie Smiles


Posted 10 December 2009 - 09:01 PM

thanks for all the info.

I've removed peerblock completely and after 3 restarts have not seen a blue screen yet.
so (at this point) that seems the source. thanks very much.


I noticed a similar issue in the peerblock forum you linked to. Its advice was to turn off 'device verifier'

http://forums.peerblock.com/read.php?3,2235,2258#msg-2258

and it appeared to work for them.

is that a sensible move?

#6 hamluis


Posted 10 December 2009 - 09:36 PM

Driver Verifier is what they are referring to...it is a special Windows tool which has to be turned on in order to have any impact on a system (it is off by default).

I don't see where that applies to anything you've told us.

The reference to turning it off comes...because it must be turned on and turned off, like a light switch. It's normally used to try to troubleshoot known driver issues (but the specific driver involved is unknown), hence its title. When turned on, it results in the creation of a BSOD which, hopefully, targets the driver which needs to be replaced or is causing problems.

The next stage after that is to get a .dmp file...we skipped the prelim of playing with Driver Verifier.

Louis

#7 Huggie Smiles


Posted 11 December 2009 - 06:03 PM

one final question (I think) following these blue screens

I regularly use defraggler to clean up file elements.

it always used to find two - pretty big files: pagefile.sys and hiberfil.sys but never would defrag them

but now it doesn't find pagefile.sys at all

is that of concern?

thanks

Edited by Huggie Smiles, 11 December 2009 - 06:04 PM.


#8 hamluis


Posted 11 December 2009 - 06:38 PM

I don't know anything about Defraggler, I use Perfect Disk and it allows me to defrag the pagefile and other system files that the Windows defragger ignores.

Your pagefile should be visible from Explorer, looking at the C: partition. I suggest that you leave it on C: and that you let XP manage it.

Unless you use hibernation routinely, you might consider deleting hiberfil.sys from your system.

http://www.google.com/search?hl=en&sou....sys&aqi=g7

Louis

#9 Huggie Smiles


Posted 12 December 2009 - 10:58 AM

I cannot find either pagefile or hibfile .sys files either by visual inspection or by search;
I tried searching by direct name and by large files and within hidden folders

I do have all hidden folders showing;

I checked to see if page file was still checked and it is; I checked to see if hibernation is still checked and it is

something i should be concerned about or just drop my paranoia?

(everything is working fine!)

#10 hamluis


Posted 12 December 2009 - 11:15 AM

To find either...all you should have to do...is go to Explorer and look at the files listed for C:.

These are files, not folders, and that's the proper place for them.

If you don't have pagefile.sys, that could be a problem.

If you don't have hiberfil.sys and use the hibernation feature...that could be a source of irritation.

Louis

#11 Huggie Smiles


Posted 12 December 2009 - 11:37 AM

If you don't have pagefile.sys, that could be a problem.
Louis


by searching and/ or by looking at c: folder I cannot find this file.

going into the virtual memory options page via my computer, advanced , performance

it is clicked to custom size - min 756 max 1512;

no paging file option is NOT checked.

#12 hamluis


Posted 12 December 2009 - 12:09 PM

Set the option for XP to manage it.

Louis

#13 Huggie Smiles


Posted 12 December 2009 - 04:39 PM

hi

I set for system to handle the pagefile.sys
restarted the machine and used it for a while

I still can't find the pagefile.sys file either by looking or by searching;

(I rechecked the settings, and rechecked that I am showing hidden items)

For what it's worth - the defraggler program says that the hiberfil.sys is there in the root of c: - and I can't visually see it either (or find on a search)

if I search for *.sys it does find two .sys files in the c: folder - fyi
{IO.sys; msdos.sys}

weird!

Edited by Huggie Smiles, 12 December 2009 - 04:41 PM.




