
Deciphering A Windows 7 DMP File



#1 LouieChuckyMerry

  • Members
  • 151 posts

Posted 09 September 2011 - 10:31 PM

Greetings once again, and thanks in advance once again for any help. I appreciate it. A couple-three months ago my laptop running Windows 7 Home Premium 64 bit crashed. After Googling about for a bit I installed Debugging Tools For Windows (x64) so that I could open and read the resultant .dmp file. Of course, opening and reading the file was no problem; understanding what it meant proved much more difficult :blink: . Eventually I came to the conclusion that there was an issue with my Atheros Network driver (athrx.sys), so I uninstalled it, reinstalled it, and made sure it was up to date. This seemed to solve the problem until very recently, as today my laptop crashed for the second time in three days. Now I'm here with the hope that someone with more knowledge than I will take a look at the .dmp file (attached) and point me towards a long-term solution. Thank you.

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\091011-17066-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`0305c000 PsLoadedModuleList = 0xfffff800`032a1670
Debug session time: Sat Sep 10 10:05:17.714 2011 (UTC + 8:00)
System Uptime: 0 days 11:02:50.197
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
....................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {44, 2, 0, fffff88003cc18c1}

Unable to load image athrx.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for athrx.sys
*** ERROR: Module load completed but symbols could not be loaded for athrx.sys
Probably caused by : athrx.sys ( athrx+5c8c1 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000044, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88003cc18c1, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8000330b100
 0000000000000044 

CURRENT_IRQL:  2

FAULTING_IP: 
athrx+5c8c1
fffff880`03cc18c1 8b4044          mov     eax,dword ptr [rax+44h]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD1

PROCESS_NAME:  System

TRAP_FRAME:  fffff88002f1b420 -- (.trap 0xfffff88002f1b420)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa8005d16b88
rdx=fffffa8005d16b88 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88003cc18c1 rsp=fffff88002f1b5b0 rbp=0000000000000000
 r8=0000000000000000  r9=fffffa80048223b8 r10=fffffa80046c9a70
r11=fffffa8005d16b88 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
athrx+0x5c8c1:
fffff880`03cc18c1 8b4044          mov     eax,dword ptr [rax+44h] ds:cb30:00000000`00000044=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800030d81e9 to fffff800030d8c40

STACK_TEXT:  
fffff880`02f1b2d8 fffff800`030d81e9 : 00000000`0000000a 00000000`00000044 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`02f1b2e0 fffff800`030d6e60 : fffffa80`046e7030 fffff880`042207bc fffffa80`046e6180 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`02f1b420 fffff880`03cc18c1 : fffffa80`05d16b88 00000000`00000000 fffffa80`0457e1a0 fffffa80`0461b030 : nt!KiPageFault+0x260
fffff880`02f1b5b0 fffffa80`05d16b88 : 00000000`00000000 fffffa80`0457e1a0 fffffa80`0461b030 fffffa80`0000001a : athrx+0x5c8c1
fffff880`02f1b5b8 00000000`00000000 : fffffa80`0457e1a0 fffffa80`0461b030 fffffa80`0000001a fffffa80`059771b0 : 0xfffffa80`05d16b88


STACK_COMMAND:  kb

FOLLOWUP_IP: 
athrx+5c8c1
fffff880`03cc18c1 8b4044          mov     eax,dword ptr [rax+44h]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  athrx+5c8c1

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: athrx

IMAGE_NAME:  athrx.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4acea2b7

FAILURE_BUCKET_ID:  X64_0xD1_athrx+5c8c1

BUCKET_ID:  X64_0xD1_athrx+5c8c1

Followup: MachineOwner
---------

Edited by LouieChuckyMerry, 09 September 2011 - 10:37 PM.
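Reading the !analyze -v output above by hand is where most people get lost, so here is an added Python example (not from the thread, WinDbg or BlueScreenView) that parses the bugcheck tuple, the trap-frame registers and the faulting instruction from that text and cross-checks them: Arg4 should equal the trap-frame rip, and the referenced address should equal the instruction's base register plus its displacement. The sample input is a constructed excerpt of the post's own output; a base register of zero with the referenced address equal to the displacement is the signature of a NULL structure pointer being dereferenced at DISPATCH_LEVEL.

```python
import re

# Constructed excerpt of the !analyze -v output from the first post,
# trimmed to the lines the parser needs (hypothetical sample input).
SAMPLE = """\
BugCheck D1, {44, 2, 0, fffff88003cc18c1}
Arg1: 0000000000000044, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88003cc18c1, address which referenced memory
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa8005d16b88
rip=fffff88003cc18c1 rsp=fffff88002f1b5b0 rbp=0000000000000000
fffff880`03cc18c1 8b4044          mov     eax,dword ptr [rax+44h]
SYMBOL_NAME:  athrx+5c8c1
"""

BUGCHECK_NAMES = {0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL", 0x0A: "IRQL_NOT_LESS_OR_EQUAL"}
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

def parse_analyze(text):
    """Extract the bugcheck tuple, trap-frame registers, memory operand and symbol."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).replace(" ", "").split(",")]
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(r[a-z0-9]{2})=([0-9a-f]{16})", text)}
    ins = re.search(r"ptr \[(r[a-z0-9]{2})\+([0-9a-f]+)h\]", text)
    sym = re.search(r"SYMBOL_NAME:\s+(\S+)", text).group(1)
    return {"code": code, "args": args, "regs": regs,
            "base": ins.group(1), "disp": int(ins.group(2), 16), "symbol": sym}

def diagnose(info):
    """Cross-check the four 0xD1 arguments against the trap frame and classify the fault."""
    referenced, irql, op, faulting_ip = info["args"]
    base_val = info["regs"][info["base"]]
    return {
        "bugcheck": BUGCHECK_NAMES.get(info["code"], hex(info["code"])),
        "irql": IRQL_NAMES.get(irql, str(irql)),
        "operation": "write" if op else "read",
        "module": info["symbol"].split("+")[0],
        # Arg4 must be the trap-frame rip; otherwise the trap frame is not this fault's.
        "ip_matches_trap_frame": faulting_ip == info["regs"]["rip"],
        # Recompute the effective address of [base+disp] from the trap-frame register.
        "effective_address_matches": base_val + info["disp"] == referenced,
        # base == 0 means a NULL structure pointer; disp is the field offset being read.
        "null_pointer_deref": base_val == 0 and referenced == info["disp"],
    }

if __name__ == "__main__":
    for key, value in diagnose(parse_analyze(SAMPLE)).items():
        print(f"{key:28} {value}")
```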



#2 Allan

  • BC Advisor
  • 8,576 posts
  • Location:New Jersey

Posted 10 September 2011 - 05:37 AM

Download BlueScreenView:
http://www.nirsoft.net/utils/blue_screen_view.html
Unzip the downloaded file and double click on BlueScreenView.exe to run the program.
When scanning is done, go to EDIT - Select All.
Go to FILE - Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.

#3 LouieChuckyMerry

  • Topic Starter
  • Members
  • 151 posts

Posted 10 September 2011 - 06:17 AM

Thanks for your help, Allan. Here's the resulting BSOD.txt:

==================================================
Dump File         : 091011-17066-01.dmp
Crash Time        : 10 Sep 11 10:06:32
Bug Check String  : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code    : 0x000000d1
Parameter 1       : 00000000`00000044
Parameter 2       : 00000000`00000002
Parameter 3       : 00000000`00000000
Parameter 4       : fffff880`03cc18c1
Caused By Driver  : wanarp.sys
Caused By Address : wanarp.sys+2c0a8c1
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+7cc40
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\091011-17066-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 285,392
==================================================


#4 Jacee

  • Malware Response Team
  • 3,716 posts

Posted 10 September 2011 - 12:21 PM

See Routing and Remote Access http://technet.microsoft.com/en-us/network/bb545655.aspx

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#5 LouieChuckyMerry

  • Topic Starter
  • Members
  • 151 posts

Posted 11 September 2011 - 07:42 AM

Thanks for the link, Jacee, but my issue is with a laptop running Windows 7, not a server. Plus, I have all things related to Remote Access disabled. I'll look into the functions of wanarp.sys and ntoskrnl.exe and see if I can find anything.
