BSOD IBM lenovo T400s


4 replies to this topic

#1 Schlitzy


Posted 07 September 2011 - 05:39 PM

Hey all,

I have a client that just started getting BSoDs on W7 32 bit, on multiple laptops for this one user in particular. I'm trying to get it nailed down HW or SW. All HW diags come out clean, no viruses, and Malwarebytes scans with no issues, used Ultimate Boot CD, etc.

So my next step, as suggested by you, is to find the *.dmp files and debug. Followed the steps, and this is my first debug for a client, woot! (rolls eyes)

So the only one I have right now is the minidump file. The actual memory dump is over 300 MBs and is still processing, so I think I will try to copy it out and run it tonight.

Here is the output of the mini, thanks for your help!


Microsoft ® Windows Debugger Version 6.12.0002.633 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\090711-60434-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17640.x86fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0x82c56000 PsLoadedModuleList = 0x82d9f4f0
Debug session time: Wed Sep 7 13:39:16.120 2011 (UTC - 4:00)
System Uptime: 0 days 0:03:22.759
Loading Kernel Symbols
...............................................................
................................................................
................................................................
...
Loading User Symbols
Loading unloaded module list
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 9b4915f8, b0b809a4, 0}

*** WARNING: Unable to verify timestamp for tmevtmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for tmevtmgr.sys
Probably caused by : tmevtmgr.sys ( tmevtmgr+5e06 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 9b4915f8, The address that the exception occurred at
Arg3: b0b809a4, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
win32k!MulConvertChildRedirectionDfbSurfaceToDib+38
9b4915f8 f6404c01 test byte ptr [eax+4Ch],1

TRAP_FRAME: b0b809a4 -- (.trap 0xffffffffb0b809a4)
ErrCode = 00000000
eax=fffffff0 ebx=00000000 ecx=b0b809e8 edx=00000001 esi=ff49f0d8 edi=fdd0fa98
eip=9b4915f8 esp=b0b80a18 ebp=b0b80a28 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
win32k!MulConvertChildRedirectionDfbSurfaceToDib+0x38:
9b4915f8 f6404c01 test byte ptr [eax+4Ch],1 ds:0023:0000003c=??
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: dwm.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 9b3dd188 to 9b4915f8

STACK_TEXT:
b0b80a28 9b3dd188 00000001 01050aaa 9970ec38 win32k!MulConvertChildRedirectionDfbSurfaceToDib+0x38
b0b80a3c 9b3dcf78 fdc554c8 00000000 9b4cba04 win32k!pConvertDfbSurfaceToDib+0x36
b0b80a68 9b3d77e9 ffb89008 8ad33d30 00000000 win32k!bDynamicRemoveAllDriverRealizations+0x49
b0b80a80 9b3d763f ffb89008 00000000 00000000 win32k!GreRemoveDisplayDriverRealizations+0x15e
b0b80aa0 9b3db0d7 8ad33d30 00002a6c 00000000 win32k!zzzDecomposeDesktop+0xdb
b0b80acc 9b3aed62 8ad33d30 00000001 ff59d6b8 win32k!xxxDwmStopRedirection+0x51
b0b80ae4 9b39d2a2 00000001 2bf58bd8 00000000 win32k!xxxDwmProcessShutdown+0x28
b0b80b30 9b39abdc 8558f030 8558f030 00000000 win32k!xxxDestroyThreadInfo+0x3ef
b0b80b44 9b39ad29 8558f030 00000001 8558f030 win32k!UserThreadCallout+0x77
b0b80b60 82ebf58a 8558f030 00000001 982a2e53 win32k!W32pThreadCallout+0x3a
b0b80bdc 82eb1c5f c00002fe b0b80d18 b0b80d14 nt!PspExitThread+0x457
b0b80c04 aefd9e06 ffffffff c00002fe 87765cbc nt!NtTerminateProcess+0x1fa
WARNING: Stack unwind information not available. Following frames may be wrong.
b0b80c24 aefda8c1 00000002 b0b80d18 82eb1a65 tmevtmgr+0x5e06
b0b80cfc aefd7d86 b0b80d18 b0b80d20 aefd7def tmevtmgr+0x68c1
b0b80d08 aefd7def 87765cbc b0b80d18 ffffffff tmevtmgr+0x3d86
b0b80d20 82c941fa 87765cbc ffffffff c00002fe tmevtmgr+0x3def
b0b80d20 776d70b4 87765cbc ffffffff c00002fe nt!KiFastCallEntry+0x12a
00bff87c 00000000 00000000 00000000 00000000 0x776d70b4


STACK_COMMAND: kb

FOLLOWUP_IP:
tmevtmgr+5e06
aefd9e06 ?? ???

SYMBOL_STACK_INDEX: c

SYMBOL_NAME: tmevtmgr+5e06

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: tmevtmgr

IMAGE_NAME: tmevtmgr.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4c6e2647

FAILURE_BUCKET_ID: 0x8E_tmevtmgr+5e06

BUCKET_ID: 0x8E_tmevtmgr+5e06

Followup: MachineOwner
---------


#2 sundavis


Posted 07 September 2011 - 07:50 PM

Have you ever tried to remove TrendMicro protection software via Programs and Features? It seemed the drivers might be corrupted.

Reboot the PC and reinstall it.

#3 Schlitzy


Posted 08 September 2011 - 11:30 AM

Sundavis, are you seeing that in the minidump file or is this just something you have come across previously? Thanks bud.

#4 sundavis


Posted 08 September 2011 - 12:20 PM

*** WARNING: Unable to verify timestamp for tmevtmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for tmevtmgr.sys
Probably caused by : tmevtmgr.sys ( tmevtmgr+5e06 )
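
A triage sketch for the `!analyze -v` text in this thread, added here as an example and not written by either poster: it recomputes the faulting address from the trap frame and separates symbolized stack frames from frames in modules without symbols. The `triage` helper and the trimmed `SAMPLE` are assumptions built from lines in post #1.

```python
import re

# Constructed sample: a subset of lines copied from the debugger output in post #1.
SAMPLE = """\
BugCheck 1000008E, {c0000005, 9b4915f8, b0b809a4, 0}
Probably caused by : tmevtmgr.sys ( tmevtmgr+5e06 )
eax=fffffff0 ebx=00000000 ecx=b0b809e8 edx=00000001 esi=ff49f0d8 edi=fdd0fa98
9b4915f8 f6404c01 test byte ptr [eax+4Ch],1 ds:0023:0000003c=??
PROCESS_NAME: dwm.exe
STACK_TEXT:
b0b80a28 9b3dd188 00000001 01050aaa 9970ec38 win32k!MulConvertChildRedirectionDfbSurfaceToDib+0x38
b0b80bdc 82eb1c5f c00002fe b0b80d18 b0b80d14 nt!PspExitThread+0x457
b0b80c04 aefd9e06 ffffffff c00002fe 87765cbc nt!NtTerminateProcess+0x1fa
b0b80c24 aefda8c1 00000002 b0b80d18 82eb1a65 tmevtmgr+0x5e06
b0b80d20 82c941fa 87765cbc ffffffff c00002fe tmevtmgr+0x3def
b0b80d20 776d70b4 87765cbc ffffffff c00002fe nt!KiFastCallEntry+0x12a
"""

# A `kb` frame: ChildEBP, RetAddr, three args, then module[!symbol]+0xoffset.
FRAME = re.compile(
    r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\w+)(!\S+)?\+0x[0-9a-f]+$")

def triage(text):
    """Pull the fields a first-pass reviewer reads out of !analyze -v text."""
    out = {"symbolized": [], "unsymbolized": []}
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    if m:
        out["bugcheck"] = int(m.group(1), 16)
        out["args"] = [int(a, 16) for a in m.group(2).split(",")]
    m = re.search(r"^PROCESS_NAME:\s*(\S+)", text, re.M)
    out["process"] = m.group(1) if m else None
    # Recompute the effective address of the faulting operand (32-bit wraparound).
    regs = {k: int(v, 16) for k, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    m = re.search(r"\[(e[a-z]{2})\+([0-9A-Fa-f]+)h\]", text)
    if m and m.group(1) in regs:
        out["fault_addr"] = (regs[m.group(1)] + int(m.group(2), 16)) & 0xFFFFFFFF
    # Modules whose frames show only module+offset had no symbols loaded.
    for line in text.splitlines():
        f = FRAME.match(line.strip())
        if f:
            key = "symbolized" if f.group(2) else "unsymbolized"
            if f.group(1) not in out[key]:
                out[key].append(f.group(1))
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On this dump the recomputed address is 0x3c, the same near-null address the debugger shows at `ds:0023:0000003c`, and `tmevtmgr` is the only module on the stack without symbols, matching the `Probably caused by` line.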



#5 Schlitzy


Posted 08 September 2011 - 04:13 PM

Okay, thank you very much. We'll give it a shot as soon as the client is available and I'll report back.



