intermittent fatal crashes [DUMP DATA]

Two crashes in nine days after no crashes for half a year. Please suggest what could be the problem,
Thanks in advance,
George

Symptoms:
monitor displays "Input out of range ", system does not respond to keyboard.

Conditions:
First crash (9 days ago): happened when closing Firefox with several (about 7) tabs with heavy pages.
Second crash (today): happened on idle system

Recent changes (preceding the first crash):
processor upgrade and increase fsb speed from 333 (166) to 400 (200) Mhz
Memory tested with memtest86 and microsoft test program: no errors found.
I plan to reinstall video drivers but have not done so yet

Crash dumps are similar but not identical. Dump of crash 2 and sysinfo in Re:

Crash1 dump

Opened log file 'c:\debuglog.txt'

.........................................................................................................................................
Loading unloaded module list
....................
Loading User Symbols
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, bf80109d, ae94cb90, 0}

Probably caused by : win32k.sys ( win32k!ThreadUnlock1+8 )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;.logclose;q
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf80109d, The address that the exception occurred at
Arg3: ae94cb90, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


OVERLAPPED_MODULE: Fastfat

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
win32k!ThreadUnlock1+8
bf80109d 8b11 mov edx,[ecx]

TRAP_FRAME: ae94cb90 -- (.trap ffffffffae94cb90)
.trap ffffffffae94cb90
ErrCode = 00000000
eax=e1201248 ebx=00000000 ecx=6d154067 edx=bc510001 esi=e1201248 edi=00000000
eip=bf80109d esp=ae94cc04 ebp=ae94cc34 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
win32k!ThreadUnlock1+0x8:
bf80109d 8b11 mov edx,[ecx] ds:0023:6d154067=????????
.trap
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from bf845878 to bf80109d

STACK_TEXT:
ae94cc00 bf845878 82ef4d98 e1201248 00000000 win32k!ThreadUnlock1+0x8
ae94cc10 bf846054 8210d020 00000000 00000000 win32k!DestroyThreadsObjects+0x1a
ae94cc34 bf80ef6e 00000001 ae94cc5c bf80f032 win32k!xxxDestroyThreadInfo+0x1cf
ae94cc40 bf80f032 8210d020 00000001 00000000 win32k!UserThreadCallout+0x4b
ae94cc5c 8056a932 8210d020 00000001 8210d020 win32k!W32pThreadCallout+0x3d
ae94cd08 8057e508 00000000 8210d020 00000000 nt!PspExitThread+0x40b
ae94cd28 8058af06 8210d020 00000000 ae94cd64 nt!PspTerminateThreadByPointer+0x52
ae94cd54 804df06b 00000000 00000000 0012feec nt!NtTerminateProcess+0x118
ae94cd54 7c90eb94 00000000 00000000 0012feec nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fdec 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
win32k!ThreadUnlock1+8
bf80109d 8b11 mov edx,[ecx]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!ThreadUnlock1+8

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a

STACK_COMMAND: .trap ffffffffae94cb90 ; kb

FAILURE_BUCKET_ID: 0x8E_win32k!ThreadUnlock1+8

BUCKET_ID: 0x8E_win32k!ThreadUnlock1+8

Followup: MachineOwner
---------

eax=e1201248 ebx=00000000 ecx=6d154067 edx=bc510001 esi=e1201248 edi=00000000
eip=bf80109d esp=ae94cc04 ebp=ae94cc34 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
win32k!ThreadUnlock1+0x8:
bf80109d 8b11 mov edx,[ecx] ds:0023:6d154067=????????
ChildEBP RetAddr Args to Child
ae94cc00 bf845878 82ef4d98 e1201248 00000000 win32k!ThreadUnlock1+0x8 (FPO: [0,0,0])
ae94cc10 bf846054 8210d020 00000000 00000000 win32k!DestroyThreadsObjects+0x1a (FPO: [0,0,0])
ae94cc34 bf80ef6e 00000001 ae94cc5c bf80f032 win32k!xxxDestroyThreadInfo+0x1cf (FPO: [Non-Fpo])
ae94cc40 bf80f032 8210d020 00000001 00000000 win32k!UserThreadCallout+0x4b (FPO: [Non-Fpo])
ae94cc5c 8056a932 8210d020 00000001 8210d020 win32k!W32pThreadCallout+0x3d (FPO: [Non-Fpo])
ae94cd08 8057e508 00000000 8210d020 00000000 nt!PspExitThread+0x40b (FPO: [Non-Fpo])
ae94cd28 8058af06 8210d020 00000000 ae94cd64 nt!PspTerminateThreadByPointer+0x52 (FPO: [Non-Fpo])
ae94cd54 804df06b 00000000 00000000 0012feec nt!NtTerminateProcess+0x118 (FPO: [Non-Fpo])
ae94cd54 7c90eb94 00000000 00000000 0012feec nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ ae94cd64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fdec 00000000 00000000 00000000 00000000 0x7c90eb94
start end module name
804d7000 806eb780 nt ntoskrnl.exe Wed Aug 04 09:19:48 2004 (41108004)
806ec000 8070c380 hal halaacpi.dll Wed Aug 04 08:59:05 2004 (41107B29)
ae44a000 ae46d000 Fastfat Fastfat.SYS Wed Aug 04 09:14:15 2004 (41107EB7)
ae86c000 ae8ac380 HTTP HTTP.sys Wed Aug 04 09:00:09 2004 (41107B69)
aea21000 aea24800 asyncmac asyncmac.sys Wed Aug 04 09:05:02 2004 (41107C8E)
aea8d000 aeadf180 srv srv.sys Wed Aug 04 09:14:44 2004 (41107ED4)
aebf8000 aec24400 mrxdav mrxdav.sys Wed Aug 04 09:00:49 2004 (41107B91)
aec75000 aec89400 wdmaud wdmaud.sys Wed Aug 04 09:15:03 2004 (41107EE7)
aed9f000 aedb2600 dump_nvatabus dump_nvatabus.sys Thu Jun 03 20:40:44 2004 (40BF629C)
aedb3000 aede5a00 Dot4 Dot4.sys Wed Aug 04 08:58:28 2004 (41107B04)
aede6000 aee53680 mrxsmb mrxsmb.sys Thu Oct 28 04:14:16 2004 (418047E8)
aee54000 aee7ea00 rdbss rdbss.sys Thu Oct 28 04:13:57 2004 (418047D5)
aee7f000 aee9ff00 ipnat ipnat.sys Thu Sep 30 01:28:36 2004 (415B3714)
aeea0000 aeec1d00 afd afd.sys Wed Aug 04 09:14:13 2004 (41107EB5)
aeec2000 aeee9c00 netbt netbt.sys Wed Aug 04 09:14:36 2004 (41107ECC)
aeeea000 aef41a80 tcpip tcpip.sys Wed Aug 04 09:14:39 2004 (41107ECF)
aef42000 aef54400 ipsec ipsec.sys Wed Aug 04 09:14:27 2004 (41107EC3)
aef75000 aef8cac0 VETEBOOT VETEBOOT.SYS Fri Dec 10 09:29:46 2004 (41B9506A)
aef8d000 aefff460 VETEFILE VETEFILE.SYS Fri Dec 10 09:29:47 2004 (41B9506B)
bf800000 bf9c0380 win32k win32k.sys Wed Aug 04 09:17:30 2004 (41107F7A)
bf9c1000 bf9d2580 dxg dxg.sys Wed Aug 04 09:00:51 2004 (41107B93)
bf9d3000 bfa0b000 ati2dvag ati2dvag.dll Wed Aug 04 04:37:06 2004 (41103DC2)
bfa0b000 bfa44000 ati2cqag ati2cqag.dll Wed Aug 04 04:18:52 2004 (4110397C)
bfa44000 bfc578a0 ati3duag ati3duag.dll Wed Aug 04 04:34:07 2004 (41103D0F)
bfc58000 bfcce320 ativvaxx ativvaxx.dll Wed Aug 04 04:23:37 2004 (41103A99)
ef10c000 ef11c480 nvarm nvarm.sys Wed May 26 01:58:00 2004 (40B3CF78)
ef11d000 ef208000 nvmcp nvmcp.sys Wed May 26 01:58:01 2004 (40B3CF79)
ef208000 ef268b00 nvapu nvapu.sys Wed May 26 01:58:02 2004 (40B3CF7A)
ef269000 ef29c200 update update.sys Wed Aug 04 08:58:32 2004 (41107B08)
ef29d000 ef2cd100 rdpdr rdpdr.sys Wed Aug 04 09:01:10 2004 (41107BA6)
ef2ce000 ef2dee00 psched psched.sys Wed Aug 04 09:04:16 2004 (41107C60)
ef2df000 ef2f5680 ndiswan ndiswan.sys Wed Aug 04 09:14:30 2004 (41107EC6)
ef2f6000 ef319980 portcls portcls.sys Wed Aug 04 09:15:47 2004 (41107F13)
ef31a000 ef32d900 parport parport.sys Wed Aug 04 08:59:04 2004 (41107B28)
ef32e000 ef341780 VIDEOPRT VIDEOPRT.SYS Wed Aug 04 09:07:04 2004 (41107D08)
ef596000 ef59e700 netbios netbios.sys Wed Aug 04 09:03:19 2004 (41107C27)
ef616000 ef61f480 NDProxy NDProxy.SYS Fri Aug 17 23:55:30 2001 (3B7D84C2)
ef626000 ef634100 usbhub usbhub.sys Wed Aug 04 09:08:40 2004 (41107D68)
ef79a000 ef79ac00 audstub audstub.sys Fri Aug 17 23:59:40 2001 (3B7D85BC)
ef79b000 ef79bb80 msmpu401 msmpu401.sys Fri Aug 17 23:59:59 2001 (3B7D85CF)
f1a82000 f1a85280 ndisuio ndisuio.sys Wed Aug 04 09:03:10 2004 (41107C1E)
f224b000 f2253d80 HIDCLASS HIDCLASS.SYS Wed Aug 04 09:08:18 2004 (41107D52)
f226b000 f227a900 Cdfs Cdfs.SYS Wed Aug 04 09:14:09 2004 (41107EB1)
f228b000 f2293700 wanarp wanarp.sys Wed Aug 04 09:04:57 2004 (41107C89)
f229b000 f22a3880 Fips Fips.SYS Sat Aug 18 04:31:49 2001 (3B7DC585)
f240e000 f2412500 watchdog watchdog.sys Wed Aug 04 09:07:32 2004 (41107D24)
f2851000 f2851da0 aslm75 aslm75.sys Wed Apr 23 04:15:58 1997 (335D62CE)
f2859000 f285df80 point32 point32.sys Thu Jun 03 11:45:18 2004 (40BEE51E)
f2861000 f2866d00 dot4usb dot4usb.sys Fri Aug 17 23:47:24 2001 (3B7D82DC)
f2869000 f286f180 HIDPARSE HIDPARSE.SYS Wed Aug 04 09:08:15 2004 (41107D4F)
f2871000 f2878880 Npfs Npfs.SYS Wed Aug 04 09:00:38 2004 (41107B86)
f2879000 f287da80 Msfs Msfs.SYS Wed Aug 04 09:00:37 2004 (41107B85)
f2881000 f2886200 vga vga.sys Wed Aug 04 09:07:06 2004 (41107D0A)
f2889000 f288e920 VETMONNT VETMONNT.SYS Fri Dec 10 09:18:45 2004 (41B94DD5)
f2891000 f2895ce0 VET_FILT VET-FILT.SYS Fri Dec 10 09:18:44 2004 (41B94DD4)
f28a1000 f28a6000 flpydisk flpydisk.sys Wed Aug 04 08:59:24 2004 (41107B3C)
f5b9a000 f5ba3f00 termdd termdd.sys Wed Aug 04 08:58:52 2004 (41107B1C)
f626d000 f6270c80 mssmbios mssmbios.sys Wed Aug 04 09:07:47 2004 (41107D33)
f6441000 f6443580 ndistapi ndistapi.sys Fri Aug 17 23:55:29 2001 (3B7D84C1)
f6445000 f6447980 gameenum gameenum.sys Wed Aug 04 09:08:20 2004 (41107D54)
f6449000 f644cc80 serenum serenum.sys Wed Aug 04 08:59:06 2004 (41107B2A)
f64a6000 f64aba00 mouclass mouclass.sys Wed Aug 04 08:58:32 2004 (41107B08)
f64ae000 f64b2080 raspti raspti.sys Fri Aug 17 23:55:32 2001 (3B7D84C4)
f64b6000 f64ba580 ptilink ptilink.sys Fri Aug 17 23:49:53 2001 (3B7D8371)
f64be000 f64c2880 TDI TDI.SYS Wed Aug 04 09:07:47 2004 (41107D33)
f69d7000 f69df900 msgpc msgpc.sys Wed Aug 04 09:04:11 2004 (41107C5B)
f69e7000 f69f2d00 raspptp raspptp.sys Wed Aug 04 09:14:26 2004 (41107EC2)
f69f7000 f6a01200 raspppoe raspppoe.sys Wed Aug 04 09:05:06 2004 (41107C92)
f6a07000 f6a13880 rasl2tp rasl2tp.sys Wed Aug 04 09:14:21 2004 (41107EBD)
f6a17000 f6a25b80 drmk drmk.sys Wed Aug 04 09:07:54 2004 (41107D3A)
f6a27000 f6a33e00 i8042prt i8042prt.sys Wed Aug 04 09:14:36 2004 (41107ECC)
f6a37000 f6a46d80 serial serial.sys Wed Aug 04 09:15:51 2004 (41107F17)
f6d23000 f6d29000 kbdclass kbdclass.sys Wed Aug 04 08:58:32 2004 (41107B08)
f6d2b000 f6d31b00 fdc fdc.sys Wed Aug 04 08:59:25 2004 (41107B3D)
f7369000 f7440000 ati2mtag ati2mtag.sys Wed Aug 04 04:36:48 2004 (41103DB0)
f7440000 f7462680 ks ks.sys Wed Aug 04 09:15:20 2004 (41107EF8)
f7a10000 f7a5c200 ptserial ptserial.sys Sat Apr 26 06:29:06 2003 (3EA9FD02)
f7a5d000 f7a73e00 NVENET NVENET.sys Thu Jan 29 10:45:48 2004 (4018C83C)
f7a74000 f7a96e80 USBPORT USBPORT.SYS Wed Aug 04 09:08:34 2004 (41107D62)
f7a9f000 f7aa2280 Dot4Prt Dot4Prt.sys Fri Aug 17 23:47:25 2001 (3B7D82DD)
f7aa3000 f7aa5f80 mouhid mouhid.sys Fri Aug 17 23:47:57 2001 (3B7D82FD)
f7aa7000 f7aa9580 hidusb hidusb.sys Sat Aug 18 00:02:16 2001 (3B7D8658)
f82c0000 f82c2280 rasacd rasacd.sys Fri Aug 17 23:55:39 2001 (3B7D84CB)
f82dc000 f82df920 VET_REC VET-REC.SYS Fri Dec 10 09:18:43 2004 (41B94DD3)
f8321000 f833b580 Mup Mup.sys Wed Aug 04 09:15:20 2004 (41107EF8)
f833c000 f83e5d00 vmodem vmodem.sys Sat Apr 26 06:28:18 2003 (3EA9FCD2)
f83e6000 f84a3c40 vpctcom vpctcom.sys Sat Apr 26 06:27:22 2003 (3EA9FC9A)
f84a4000 f84b40e0 vvoice vvoice.sys Sat Apr 26 06:28:48 2003 (3EA9FCF0)
f84b5000 f84e1a80 NDIS NDIS.sys Wed Aug 04 09:14:27 2004 (41107EC3)
f84e2000 f856e480 Ntfs Ntfs.sys Wed Aug 04 09:15:06 2004 (41107EEA)
f856f000 f8585780 KSecDD KSecDD.sys Wed Aug 04 08:59:45 2004 (41107B51)
f8586000 f85a4780 fltmgr fltmgr.sys Wed Aug 04 09:01:17 2004 (41107BAD)
f85a5000 f85b8600 nvatabus nvatabus.sys Thu Jun 03 20:40:44 2004 (40BF629C)
f85b9000 f85d0480 atapi atapi.sys Wed Aug 04 08:59:41 2004 (41107B4D)
f85d1000 f85f6700 dmio dmio.sys Wed Aug 04 09:07:13 2004 (41107D11)
f85f7000 f8615880 ftdisk ftdisk.sys Fri Aug 17 23:52:41 2001 (3B7D8419)
f8616000 f8626a80 pci pci.sys Wed Aug 04 09:07:45 2004 (41107D31)
f8627000 f8654d80 ACPI ACPI.sys Wed Aug 04 09:07:35 2004 (41107D27)
f8676000 f867ec00 isapnp isapnp.sys Fri Aug 17 23:58:01 2001 (3B7D8559)
f8686000 f8694e80 ohci1394 ohci1394.sys Wed Aug 04 09:10:05 2004 (41107DBD)
f8696000 f86a3000 1394BUS 1394BUS.SYS Wed Aug 04 09:10:03 2004 (41107DBB)
f86a6000 f86b0500 MountMgr MountMgr.sys Wed Aug 04 08:58:29 2004 (41107B05)
f86b6000 f86c2c80 VolSnap VolSnap.sys Wed Aug 04 09:00:14 2004 (41107B6E)
f86c6000 f86cee00 disk disk.sys Wed Aug 04 08:59:53 2004 (41107B59)
f86d6000 f86e2200 CLASSPNP CLASSPNP.SYS Wed Aug 04 09:14:26 2004 (41107EC2)
f8766000 f8774080 redbook redbook.sys Wed Aug 04 08:59:34 2004 (41107B46)
f8846000 f884f200 amdk7 amdk7.sys Wed Aug 04 08:59:19 2004 (41107B37)
f8856000 f8861e00 nvax nvax.sys Wed May 26 01:58:00 2004 (40B3CF78)
f8866000 f8870380 imapi imapi.sys Wed Aug 04 09:00:12 2004 (41107B6C)
f8876000 f8882180 cdrom cdrom.sys Wed Aug 04 08:59:52 2004 (41107B58)
f88e6000 f88f4d80 sysaudio sysaudio.sys Wed Aug 04 09:15:54 2004 (41107F1A)
f88f6000 f88fc200 PCIIDEX PCIIDEX.SYS Wed Aug 04 08:59:40 2004 (41107B4C)
f88fe000 f8902900 PartMgr PartMgr.sys Sat Aug 18 04:32:23 2001 (3B7DC5A7)
f8906000 f890b500 nv_agp nv_agp.sys Sat Apr 03 02:46:39 2004 (406DFB5F)
f893e000 f8942280 usbohci usbohci.sys Wed Aug 04 09:08:34 2004 (41107D62)
f8946000 f894c800 usbehci usbehci.sys Wed Aug 04 09:08:34 2004 (41107D62)
f894e000 f8955580 Modem Modem.SYS Wed Aug 04 09:08:04 2004 (41107D44)
f8a86000 f8a89000 BOOTVID BOOTVID.dll Fri Aug 17 23:49:09 2001 (3B7D8345)
f8a8a000 f8a8c480 compbatt compbatt.sys Fri Aug 17 23:57:58 2001 (3B7D8556)
f8a8e000 f8a91700 BATTC BATTC.SYS Fri Aug 17 23:57:52 2001 (3B7D8550)
f8b22000 f8b24900 Dxapi Dxapi.sys Fri Aug 17 23:53:19 2001 (3B7D843F)
f8b3e000 f8b40e00 PDIHWCTL PDIHWCTL.SYS Tue Dec 10 07:26:44 2002 (3DF57B14)
f8b66000 f8b69f00 MODEMCSA MODEMCSA.sys Fri Aug 17 23:57:37 2001 (3B7D8541)
f8b6a000 f8b6d7e0 VETFDDNT VETFDDNT.SYS Fri Dec 10 09:18:44 2004 (41B94DD4)
f8b76000 f8b77b80 kdcom kdcom.dll Fri Aug 17 23:49:10 2001 (3B7D8346)
f8b78000 f8b79100 WMILIB WMILIB.SYS Sat Aug 18 00:07:23 2001 (3B7D878B)
f8b7a000 f8b7b700 dmload dmload.sys Fri Aug 17 23:58:15 2001 (3B7D8567)
f8b7c000 f8b7d080 RDPCDD RDPCDD.sys Fri Aug 17 23:46:56 2001 (3B7D82C0)
f8b8c000 f8b8d100 dump_WMILIB dump_WMILIB.SYS Sat Aug 18 00:07:23 2001 (3B7D878B)
f8bc2000 f8bc3100 swenum swenum.sys Wed Aug 04 08:58:41 2004 (41107B11)
f8bc4000 f8bc5280 USBD USBD.SYS Sat Aug 18 00:02:58 2001 (3B7D8682)
f8c20000 f8c21a80 ParVdm ParVdm.SYS Fri Aug 17 23:49:49 2001 (3B7D836D)
f8c38000 f8c39f00 Fs_Rec Fs_Rec.SYS Fri Aug 17 23:49:37 2001 (3B7D8361)
f8c3a000 f8c3b080 Beep Beep.SYS Fri Aug 17 23:47:33 2001 (3B7D82E5)
f8c3c000 f8c3d080 mnmdd mnmdd.SYS Fri Aug 17 23:57:28 2001 (3B7D8538)
f8c3e000 f8c3ed00 pciide pciide.sys Fri Aug 17 23:51:49 2001 (3B7D83E5)
f8db7000 f8db7b80 Null Null.SYS Fri Aug 17 23:47:39 2001 (3B7D82EB)
f8dbd000 f8dbdd00 dxgthk dxgthk.sys Fri Aug 17 23:53:12 2001 (3B7D8438)

Unloaded modules:
ae420000 ae44a000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ae420000 ae44a000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f6486000 f648d000 USBSTOR.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
ae443000 ae46d000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ae443000 ae46d000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ae443000 ae46d000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ae443000 ae46d000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ae443000 ae46d000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ae443000 ae46d000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ae443000 ae46d000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
ae443000 ae46d000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
aec8a000 aecb4000 kmixer.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f26d7000 f26d8000 drmkaud.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
aecb4000 aecd7000 aec.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f8746000 f8753000 DMusic.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f8756000 f8764000 swmidi.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f2ab0000 f2ab2000 splitter.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f26de000 f26e7000 processr.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f2899000 f289e000 Cdaudio.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
f8b72000 f8b75000 Sfloppy.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
Closing open log file c:\debuglog.txt

 

memory dump of crash 2 and system info

dump of crash 2 does not fit the message. Had to truncate it.


.........................................................................................................................................
Loading unloaded module list
.....................
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, e1436008, f5253fe4, 0}

Probably caused by : win32k.sys ( win32k!WatchdogDrvDeleteDeviceBitmap+50 )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: e1436008, The address that the exception occurred at
Arg3: f5253fe4, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


OVERLAPPED_MODULE: Fastfat

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
+ffffffffe1436008
e1436008 0000 add [eax],al

TRAP_FRAME: f5253fe4 -- (.trap fffffffff5253fe4)
.trap fffffffff5253fe4
ErrCode = 00000002
eax=00000001 ebx=bf9ebb53 ecx=e24e0ea0 edx=e24e0bf8 esi=e214a470 edi=5ec68b5f
eip=e1436008 esp=f5254058 ebp=00000000 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010216
e1436008 0000 add [eax],al ds:0023:00000001=??
.trap
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from 00000000 to e1436008

SYMBOL_ON_RAW_STACK: 1

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0xe1436008
f52543e4 80566730 f52544a0 f52544a4 f5254474 nt!KiCallUserMode+0x4
f5254440 bf813d09 00000002 f5254484 00000018 nt!KeUserModeCallback+0x87
f52544c4 bf813ea0 bc64a7e0 0000000f 00000000 win32k!SfnDWORD+0xa8
f525450c bf814092 4064a7e0 0000000f 00000000 win32k!xxxSendMessageToClient+0x176
f5254558 bf80f470 bc64a7e0 0000000f 00000000 win32k!xxxSendMessageTimeout+0x1a6
f525457c bf81eee5 bc64a7e0 0000000f 00000000 win32k!xxxSendMessage+0x1b
f52545a8 bf81edb5 bc64a7e0 00000001 00dff3cc win32k!xxxUpdateWindow2+0x79
f52545c8 bf8319f6 bc64a7e0 00000001 f52545f4 win32k!xxxInternalUpdateWindow+0x6f
f52545d8 bf831a4d bc64a7e0 00dff3cc f525499c win32k!xxxUpdateWindow+0xf
f52545f4 804df06b 00010066 0000005e 00dff3cc win32k!NtUserCallHwndLock+0x4b
f52545f4 7c90eb94 00010066 0000005e 00dff3cc nt!KiFastCallEntry+0xf8
00dff390 00000000 00000000 00000000 00000000 0x7c90eb94
f52548c4 80566730 f52549b8 f52549ac f525499c nt!KiCallUserMode+0x4
f5254920 bf8888f9 00000000 e1243c00 00000400 nt!KeUserModeCallback+0x87
f5254bf4 bf813ea0 bc64a298 0000004a 000100e2 win32k!SfnCOPYDATA+0x1d3
f5254c3c bf83c607 0064a298 0000004a 000100e2 win32k!xxxSendMessageToClient+0x176
f5254cac bf801e58 e1e7ab20 f5254d64 00000000 win32k!xxxReceiveMessage+0x2b5
f5254ce8 bf80365e f5254d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x1d7
f5254d48 804df06b 00dfff28 00000000 00000000 win32k!NtUserPeekMessage+0x40
f5254d48 7c90eb94 00dfff28 00000000 00000000 nt!KiFastCallEntry+0xf8
00dffa98 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: .trap fffffffff5253fe4; dds @$csp ; kb

FOLLOWUP_IP:
win32k!WatchdogDrvDeleteDeviceBitmap+50
bf819e10 834dfcff or dword ptr [ebp-0x4],0xffffffff

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!WatchdogDrvDeleteDeviceBitmap+50

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a

FAILURE_BUCKET_ID: 0x8E_win32k!WatchdogDrvDeleteDeviceBitmap+50

BUCKET_ID: 0x8E_win32k!WatchdogDrvDeleteDeviceBitmap+50

Followup: MachineOwner
---------

eax=00000001 ebx=bf9ebb53 ecx=e24e0ea0 edx=e24e0bf8 esi=e214a470 edi=5ec68b5f
eip=e1436008 esp=f5254058 ebp=00000000 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010216
e1436008 0000 add [eax],al ds:0023:00000001=??
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0xe1436008
f52543e4 80566730 f52544a0 f52544a4 f5254474 nt!KiCallUserMode+0x4 (FPO: [2,3,4])
f5254440 bf813d09 00000002 f5254484 00000018 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
f52544c4 bf813ea0 bc64a7e0 0000000f 00000000 win32k!SfnDWORD+0xa8 (FPO: [Non-Fpo])
f525450c bf814092 4064a7e0 0000000f 00000000 win32k!xxxSendMessageToClient+0x176 (FPO: [Non-Fpo])
f5254558 bf80f470 bc64a7e0 0000000f 00000000 win32k!xxxSendMessageTimeout+0x1a6 (FPO: [Non-Fpo])
f525457c bf81eee5 bc64a7e0 0000000f 00000000 win32k!xxxSendMessage+0x1b (FPO: [Non-Fpo])
f52545a8 bf81edb5 bc64a7e0 00000001 00dff3cc win32k!xxxUpdateWindow2+0x79 (FPO: [Non-Fpo])
f52545c8 bf8319f6 bc64a7e0 00000001 f52545f4 win32k!xxxInternalUpdateWindow+0x6f (FPO: [Non-Fpo])
f52545d8 bf831a4d bc64a7e0 00dff3cc f525499c win32k!xxxUpdateWindow+0xf (FPO: [Non-Fpo])
f52545f4 804df06b 00010066 0000005e 00dff3cc win32k!NtUserCallHwndLock+0x4b (FPO: [Non-Fpo])
f52545f4 7c90eb94 00010066 0000005e 00dff3cc nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f5254604)
00dff390 00000000 00000000 00000000 00000000 0x7c90eb94
f52548c4 80566730 f52549b8 f52549ac f525499c nt!KiCallUserMode+0x4 (FPO: [2,3,4])
f5254920 bf8888f9 00000000 e1243c00 00000400 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
f5254bf4 bf813ea0 bc64a298 0000004a 000100e2 win32k!SfnCOPYDATA+0x1d3 (FPO: [Non-Fpo])
f5254c3c bf83c607 0064a298 0000004a 000100e2 win32k!xxxSendMessageToClient+0x176 (FPO: [Non-Fpo])
f5254cac bf801e58 e1e7ab20 f5254d64 00000000 win32k!xxxReceiveMessage+0x2b5 (FPO: [Non-Fpo])
f5254ce8 bf80365e f5254d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x1d7 (FPO: [Non-Fpo])
f5254d48 804df06b 00dfff28 00000000 00000000 win32k!NtUserPeekMessage+0x40 (FPO: [Non-Fpo])

System info

Processor
Model : AMD Athlon(tm) XP 3000+
Speed : 2.09GHz
Model Number : 3000 (estimated)
Performance Rating : PR3033 (estimated)
Type : Standard
L2 On-board Cache : 512kB ECC Synchronous, Write-Back, 16-way set, 64 byte line size

Mainboard
Bus(es) : AGP PCI USB FireWire/1394 i2c/SMBus
MP Support : No
MP APIC : No
System BIOS : Phoenix Technologies, LTD ASUS A7N8X-E Deluxe ACPI BIOS Rev 1013
System : ASUSTeK Computer INC. A7N8X-E
Mainboard : ASUSTeK Computer INC. A7N8X-E
Total Memory : 512MB DDR-SDRAM

Chipset 1
Model : ASUSTeK Computer Inc nForce2 AGP Controller
Front Side Bus Speed : 2x 199MHz (398MHz data rate)
Total Memory : 512MB DDR-SDRAM
Memory Bus Speed : 2x 199MHz (398MHz data rate)

Video System
Monitor/Panel : SyncMaster 173P,SyncMaster Magic CX710P (Digital)
Adapter : RADEON 9600 SERIES
Adapter : RADEON 9600 SERIES - Secondary

Physical Storage Devices
Removable Drive : Floppy disk drive
Hard Disk : ST3120026A
Hard Disk : USB 2.0 Flash Disk USB Device
CD-ROM/DVD : HL-DT-ST RW/DVD GCC-4521B (CD 52X Rd, 52X Wr) (DVD 7X Rd)

Logical Storage Devices
1.44MB 3.5" (A : N/A
Hard Disk (C : 39GB (34GB, 87% Free Space) (NTFS)
Home (D : 29GB (24GB, 81% Free Space) (NTFS)
CD-ROM/DVD (E : N/A
Removable Drive (F : 500MB (174MB, 35% Free Space) (FAT)

Peripherals
Serial/Parallel Port(s) : 3 COM / 1 LPT
USB Controller/Hub : Standard OpenHCD USB Host Controller
USB Controller/Hub : Standard OpenHCD USB Host Controller
USB Controller/Hub : Standard Enhanced PCI to USB Host Controller
USB Controller/Hub : USB Root Hub
USB Controller/Hub : USB Root Hub
USB Controller/Hub : USB Root Hub
USB Controller/Hub : Generic USB Hub
USB Controller/Hub : Generic USB Hub
USB Controller/Hub : USB Mass Storage Device
FireWire/1394 Controller/Hub : OHCI Compliant IEEE 1394 Host Controller
Keyboard : Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Mouse : Microsoft USB Wireless Mouse (IntelliPoint)
Human Interface : HID-compliant consumer control device
Human Interface : HID-compliant consumer control device
Human Interface : USB Human Interface Device
Human Interface : American Power Conversion USB UPS

MultiMedia Device(s)
Device : MPU-401 Compatible MIDI Device
Device : Standard Game Port
Device : NVIDIA(R) nForce(TM) Audio Codec Interface
Device : NVIDIA(R) nForce(TM) MCP Audio Processing Unit

Communication Device(s)
Device : HSP56 MicroModem

Printers and Faxes
Model : PSI PostScript
Model : Microsoft Office Document Image Writer
Model : hp LaserJet 1320 PCL 6
Model : CutePDF Writer
Model : Acrobat Distiller

Power Management
AC Line Status : On-Line

Operating System(s)
Windows System : Microsoft Windows XP/2002 Professional (Win32 x86) 5.01.2600 (Service Pack 2)

Network Services
Adapter : NVIDIA nForce Networking Controller

 

The win32k!ThreadUnlock1+0x8 crash is almost certainly a bug in the application being shutdown at the time (you said firefox?). Would need a full dump and some quality debugging time to be sure, 80% confidence level.


The second dump is more interesting (for dump nerds ). Its crashing because it called back to a user mode message pump, which bjorked the callstack, and when it returned back into kernel, it was off in left field. We MIGHT be able to identify the app, by modifying the 'advanced' command string to include the following:

so it will look like

Hope that makes sense.

Also, there is a strong chance that this is a video card driver problem. You should make sure you are current on the drivers, or consider switching to windowsupdate or OEM drivers to see if that will resolve the phenomenon. I also note from your post above you are running multimon. I would also suggest trying to disable the second monitor for a while, and see if the problem goes away. Its possible that if this is a bad app causing this, its because of the whole multimon thing.

 

dump log with modified advanced string

Thanks a lot for reply, JoeHobart
So here is dump log with modified advanced string:

Opened log file 'c:\debuglog.txt'

Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini020905-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055ab20
Debug session time: Wed Feb 9 15:46:27.593 2005 (GMT+2)
System Uptime: 0 days 16:57:34.185
Loading Kernel Symbols
.........................................................................................................................................
Loading unloaded module list
.....................
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, e1436008, f5253fe4, 0}

Probably caused by : win32k.sys ( win32k!WatchdogDrvDeleteDeviceBitmap+50 )

Followup: MachineOwner
---------

kd> .trap fffffffff5253fe4; dds @$csp ; kb;q
ErrCode = 00000002
eax=00000001 ebx=bf9ebb53 ecx=e24e0ea0 edx=e24e0bf8 esi=e214a470 edi=5ec68b5f
eip=e1436008 esp=f5254058 ebp=00000000 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010216
e1436008 0000 add [eax],al ds:0023:00000001=??
f5254058 f5254090
f525405c 0000ffff
f5254060 bf819e10 win32k!WatchdogDrvDeleteDeviceBitmap+0x50
f5254064 e214a470
f5254068 00000000
f525406c e1436008
f5254070 0000ffff
f5254074 e1cd4cf0
f5254078 f5254068
f525407c f5253adc
f5254080 ffffffff
f5254084 bf985c66 win32k!_except_handler3
f5254088 bf993528 win32k!`string'+0xa4
f525408c 00000000
f5254090 f52540e0
f5254094 bf80b6d5 win32k!SURFACE::bDeleteSurface+0x13f
f5254098 e214a470
f525409c 8f0509d4
f52540a0 bf810175 win32k!NtGdiDeleteObjectApp
f52540a4 f5254100
f52540a8 8282e298
f52540ac e1cfb008
f52540b0 00000001
f52540b4 e1cd5c38
f52540b8 00000000
f52540bc 00000000
f52540c0 00000000
f52540c4 00000000
f52540c8 e1cfb008
f52540cc 00000000
f52540d0 00000000
f52540d4 e214a470
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0xe1436008
f52543e4 80566730 f52544a0 f52544a4 f5254474 nt!KiCallUserMode+0x4
f5254440 bf813d09 00000002 f5254484 00000018 nt!KeUserModeCallback+0x87
f52544c4 bf813ea0 bc64a7e0 0000000f 00000000 win32k!SfnDWORD+0xa8
f525450c bf814092 4064a7e0 0000000f 00000000 win32k!xxxSendMessageToClient+0x176
f5254558 bf80f470 bc64a7e0 0000000f 00000000 win32k!xxxSendMessageTimeout+0x1a6
f525457c bf81eee5 bc64a7e0 0000000f 00000000 win32k!xxxSendMessage+0x1b
f52545a8 bf81edb5 bc64a7e0 00000001 00dff3cc win32k!xxxUpdateWindow2+0x79
f52545c8 bf8319f6 bc64a7e0 00000001 f52545f4 win32k!xxxInternalUpdateWindow+0x6f
f52545d8 bf831a4d bc64a7e0 00dff3cc f525499c win32k!xxxUpdateWindow+0xf
f52545f4 804df06b 00010066 0000005e 00dff3cc win32k!NtUserCallHwndLock+0x4b
f52545f4 7c90eb94 00010066 0000005e 00dff3cc nt!KiFastCallEntry+0xf8
00dff390 00000000 00000000 00000000 00000000 0x7c90eb94
f52548c4 80566730 f52549b8 f52549ac f525499c nt!KiCallUserMode+0x4
f5254920 bf8888f9 00000000 e1243c00 00000400 nt!KeUserModeCallback+0x87
f5254bf4 bf813ea0 bc64a298 0000004a 000100e2 win32k!SfnCOPYDATA+0x1d3
f5254c3c bf83c607 0064a298 0000004a 000100e2 win32k!xxxSendMessageToClient+0x176
f5254cac bf801e58 e1e7ab20 f5254d64 00000000 win32k!xxxReceiveMessage+0x2b5
f5254ce8 bf80365e f5254d14 000025ff 00000000 win32k!xxxRealInternalGetMessage+0x1d7
f5254d48 804df06b 00dfff28 00000000 00000000 win32k!NtUserPeekMessage+0x40
quit:

 

Ok, perfect. So we know that the machine was in the process of cleaning up a 'surface', and something went horribly wrong. This is the same kind of phenomenon that occured with the first crash. This *could* be caused by some really crappy gdi code in a user app, but its much more likely to be caused by the device driver.

I am now much more confident that this is a problem with the video card driver, see above post for my recommendations for moving forward

 

Thanks JoeHobart,
I will certainly reinstall+update video drivers at some point. I wanted to look for alternative causes first as updating ati drivers may often bring new problems. I also now think that I have to try plugging my laser printer into different outlet than computer. Currently printer is connected to the same UPS as computer (though to filtered only, not battery powered outlet) and that might cause problems. After all laser requires more than 0.5kW power, first crash happened shortly after I installed printer (same day), and I cannot exclude that both crashes coincide with printer entering standby mode. I had intermittent video driver problems (infinite loops) with the same system half a year ago that appeared to be PSU related (changing PSU solved all problems). So I will not be surprised this is power again...
So I will replug printer and wait for the next crash, then disable second monitor (I actually have just one monitor that is connected to dvi and VGA plug is empty) wait for the next crash and then will finally reinstall video drivers.
George

 

first crash happened shortly after I installed printer (same day),

Doh! Do you know what the difference is between a print driver and a video driver? Ill give you a hint, the reference for creating these kinds of drivers is called the "Display and Print Devices DDK ".

Ill give you a peek behind the curtain.. Remember in the old days when windows came out, there was this really cool feature called WYSISYG (whizzie-wig). What you saw on the screen in your word processor was exactly what you saw on the paper when you printed it. This is accomplished by making them the same graphics rendering engine, aka Win32k/GDI.

Most applications use BOTH the printer and the video driver to display things on the screen, so that What You See Is What You Get.

If you are saying that you have a new print driver installed, and all of a sudden you start getting crashes, that changes all the assumptions I made in diagnosing your problem. Everything i said before still stands, but amend this:

You are running DOT4.SYS so its USB, yank the cable out and that should keep the drivers from loading (verify this by ensuring it doesnt show up in your controlpanel-printers), or at least set one of your other printers to the 'default' printer.

Don't change too many things at once or you will miss finding out root cause, in case it comes back in the future.

ps: I dont think this is a power thing, this is software doing things it shouldnt. I'd say less that 5% chance this could be memory corruption due to flaky ram, and with two in a row both choking on GDI teardowns, it would be pretty wild if it was power/hardware.

 

Thanks again Joe,
The idea that printer driver causes the problem clearly makes a lot of sense. However, given crashes so far happened very seldom (with nine days interval) one may need to keep printer unplugged (or set to not default) for a month or so to make some conclusions. So currently I have just uninstalled printer and all software that got installed together with printer driver from hp CD and then carefully installed the latest printer driver only. We'll se if that makes any difference. I will update this thread with new dump logs or (hopefully) will report on system stability over a month or so.

George

That is exactly why I hesitate to change video drivers. After all they worked flawlessly for half a year or so...

 

Ok, system was stable for more than month, but today it has crashed again (same symptoms: video mode not supported). Shortly after February crashes I updated video drivers (because I got one more crash, though Windows did not manage to write memory dump), and Firefox (because new version with improved stability was out). Overall it seems that Firefox was involved in all three February crashes and the latest crash was caused by Thunderbird (also Mozilla applications). On the other hand Firefox + Thunderbird are used more than 90% of the time on this computer so it may be just coincidence. Below is some dump data and more data is in the attachment.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {4, 2, 0, 804ea364}

Probably caused by : win32k.sys ( win32k!HeavyFreePool+bb )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804ea364, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 00000004

CURRENT_IRQL: 2

FAULTING_IP:
nt!KeReleaseSemaphore+12
804ea364 8b5e04 mov ebx,[esi+0x4]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 804f15ee to 804ea364

STACK_TEXT:
f2679a50 804f15ee 00000000 00000000 00000020 nt!KeReleaseSemaphore+0x12
f2679a70 804ec7f9 8055ef80 00000002 f2679afc nt!ExReleaseResourceLite+0x53
f2679b14 805495e3 c0384d68 00000000 00000300 nt!MiDeleteSystemPagableVm+0x40d
f2679b50 8054b28b 00000359 f2679c08 e26c922c nt!MiFreePoolPages+0x51b
f2679b90 bf8029ef e1358000 00000000 f2679bd4 nt!ExFreePoolWithTag+0x1b7
f2679ba0 bf8f98fc e1358000 f2679bec f2679c08 win32k!HeavyFreePool+0xbb
f2679bb4 bf8f9723 00000000 f2679cec f2679cec win32k!RFONTOBJ::vDeleteCache+0x36
f2679bd4 bf810397 e118d008 f2679bec 00000000 win32k!RFONTOBJ::bDeleteRFONT+0x13d
f2679c00 bf810751 e26c9008 00000000 f2679d0c win32k!RFONTOBJ::bMakeInactiveHelper+0x219
f2679c4c bf80721d 00000000 f2679cec e1317000 win32k!RFONTOBJ::vMakeInactive+0x63
f2679cb0 bf807462 f2679d0c 00000000 00000002 win32k!RFONTOBJ::bInit+0xda
f2679cc8 bf8d5dcc f2679d0c 00000000 00000002 win32k!RFONTOBJ::vInit+0x16
f2679ce4 bf8d5d7b e118d008 656d616e 00000000 win32k!ulGetFontData2+0x17
f2679d04 bf8d5cf1 e13f59c8 656d616e 00000000 win32k!ulGetFontData+0x48
f2679d48 804df06b a00108bf 656d616e 00000000 win32k!NtGdiGetFontData+0x4d
f2679d48 7c90eb94 a00108bf 656d616e 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
00128af0 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
win32k!HeavyFreePool+bb
bf8029ef 5d pop ebp

SYMBOL_STACK_INDEX: 5

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!HeavyFreePool+bb

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a

STACK_COMMAND: kb

FAILURE_BUCKET_ID: 0xA_win32k!HeavyFreePool+bb

BUCKET_ID: 0xA_win32k!HeavyFreePool+bb

Followup: MachineOwner
---------

eax=00000001 ebx=00000000 ecx=8055efe0 edx=00000003 esi=00000000 edi=00000358
eip=804ea364 esp=f2679a40 ebp=f2679a50 iopl=0 nv up ei pl nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217
nt!KeReleaseSemaphore+0x12:
804ea364 8b5e04 mov ebx,[esi+0x4] ds:0023:00000004=????????
ChildEBP RetAddr Args to Child
f2679a50 804f15ee 00000000 00000000 00000020 nt!KeReleaseSemaphore+0x12 (FPO: [Non-Fpo])
f2679a70 804ec7f9 8055ef80 00000002 f2679afc nt!ExReleaseResourceLite+0x53 (FPO: [0,0,0])
f2679b14 805495e3 c0384d68 00000000 00000300 nt!MiDeleteSystemPagableVm+0x40d (FPO: [Non-Fpo])
f2679b50 8054b28b 00000359 f2679c08 e26c922c nt!MiFreePoolPages+0x51b (FPO: [Non-Fpo])
f2679b90 bf8029ef e1358000 00000000 f2679bd4 nt!ExFreePoolWithTag+0x1b7 (FPO: [Non-Fpo])
f2679ba0 bf8f98fc e1358000 f2679bec f2679c08 win32k!HeavyFreePool+0xbb (FPO: [Non-Fpo])
f2679bb4 bf8f9723 00000000 f2679cec f2679cec win32k!RFONTOBJ::vDeleteCache+0x36 (FPO: [0,0,0])
f2679bd4 bf810397 e118d008 f2679bec 00000000 win32k!RFONTOBJ::bDeleteRFONT+0x13d (FPO: [Non-Fpo])
f2679c00 bf810751 e26c9008 00000000 f2679d0c win32k!RFONTOBJ::bMakeInactiveHelper+0x219 (FPO: [Non-Fpo])
f2679c4c bf80721d 00000000 f2679cec e1317000 win32k!RFONTOBJ::vMakeInactive+0x63 (FPO: [Non-Fpo])
f2679cb0 bf807462 f2679d0c 00000000 00000002 win32k!RFONTOBJ::bInit+0xda (FPO: [Non-Fpo])
f2679cc8 bf8d5dcc f2679d0c 00000000 00000002 win32k!RFONTOBJ::vInit+0x16 (FPO: [Non-Fpo])
f2679ce4 bf8d5d7b e118d008 656d616e 00000000 win32k!ulGetFontData2+0x17 (FPO: [Non-Fpo])
f2679d04 bf8d5cf1 e13f59c8 656d616e 00000000 win32k!ulGetFontData+0x48 (FPO: [Non-Fpo])
f2679d48 804df06b a00108bf 656d616e 00000000 win32k!NtGdiGetFontData+0x4d (FPO: [Non-Fpo])
f2679d48 7c90eb94 a00108bf 656d616e 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f2679d64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
00128af0 00000000 00000000 00000000 00000000 0x7c90eb94
start end module name

 

this looks like pool corruption, its not related to the crashes from before. troubleshooting that is pretty invasive.. lets see if it happens again, first.

 

Ok, now there is one more crash. This time computer was idle for about half an hour and then I heard it rebooting (though automatic restart is unchecked). Dump data below and in the attachment:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007F, {8, 80042000, 0, 0}

Probably caused by : win32k.sys ( win32k!HeavyFreePool+bb )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------


OVERLAPPED_MODULE: Fastfat

BUGCHECK_STR: 0x7f_8

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 804e4c45 to 804dc31f

UNALIGNED_STACK_POINTER: f6f9c183

STACK_TEXT:
f6f8d504 804e4c45 00000000 00000000 00019060 nt!KiUnwaitThread+0xce
f6f8d520 804e8032 8055f490 00000000 00000000 nt!KeSetEvent+0x47
f6f8d538 804e80dc 00000001 000003e2 81d69900 nt!MiInsertPageInFreeList+0x16e
f6f8d554 804ec783 00001f76 0000000d 8055ef80 nt!MiDecrementShareCount+0x14f
f6f8d600 805495e3 c038bdf4 00000006 00000300 nt!MiDeleteSystemPagableVm+0x272
f6f8d63c 8054b28b 00001f82 00000000 e2f76000 nt!MiFreePoolPages+0x51b
f6f8d67c bf8029ef e2f76000 00000000 f6f8d698 nt!ExFreePoolWithTag+0x1b7
f6f8d68c bf805969 e2f76000 f6f8d6ec bf80b666 win32k!HeavyFreePool+0xbb
f6f8d698 bf80b666 e2f76000 00000005 850106cb win32k!FreeObject+0x25
f6f8d6ec bf80b785 00000000 900508f7 f6f8d710 win32k!SURFACE::bDeleteSurface+0x14b
f6f8d6fc bf810086 00000000 900508f7 e2f76000 win32k!SURFREF::bDeleteSurface+0x12
f6f8d710 bf806d7b 900508f7 900508f7 f6f8d874 win32k!bDeleteSurface+0x20
f6f8d720 bf900ffd 900508f7 0000c4e0 00000001 win32k!GreDeleteObject+0x91
f6f8d874 bf9014e9 23010c17 00000000 00000001 win32k!GreStretchDIBitsInternal+0xcc2
f6f8d8ec 804df06b 23010c17 00000000 00000001 win32k!NtGdiStretchDIBitsInternal+0xd2
f6f8d8ec 7c90eb94 23010c17 00000000 00000001 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012e528 00000000 00000000 00000000 00000000 0x7c90eb94
f6f8dbec 80566730 f6f8dca8 f6f8dcac f6f8dc7c nt!KiCallUserMode+0x4
f6f8dc48 bf813d09 00000002 f6f8dc8c 00000018 nt!KeUserModeCallback+0x87
f6f8dccc bf803522 bc68abc0 0000000f 00000000 win32k!SfnDWORD+0xa8
f6f8dd0c bf80f40a 0050b2b5 f6f8dd64 0012f990 win32k!xxxDispatchMessage+0x1dc
f6f8dd58 804df06b 0012f9f0 0012f9c8 7c90eb94 win32k!NtUserDispatchMessage+0x39
f6f8dd58 7c90eb94 0012f9f0 0012f9c8 7c90eb94 nt!KiFastCallEntry+0xf8
0012f958 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
win32k!HeavyFreePool+bb
bf8029ef 5d pop ebp

SYMBOL_STACK_INDEX: 7

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!HeavyFreePool+bb

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107f7a

STACK_COMMAND: kb

FAILURE_BUCKET_ID: 0x7f_8_win32k!HeavyFreePool+bb

BUCKET_ID: 0x7f_8_win32k!HeavyFreePool+bb

Followup: MachineOwner
---------

eax=82fca660 ebx=00000000 ecx=82fca3e8 edx=80560400 esi=82fca3e8 edi=00000000
eip=804dc31f esp=f6f9c183 ebp=f6f8d504 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!KiUnwaitThread+0xce:
804dc31f 5e pop esi
ChildEBP RetAddr Args to Child
f6f8d504 804e4c45 00000000 00000000 00019060 nt!KiUnwaitThread+0xce (FPO: [Non-Fpo])
f6f8d520 804e8032 8055f490 00000000 00000000 nt!KeSetEvent+0x47 (FPO: [Non-Fpo])
f6f8d538 804e80dc 00000001 000003e2 81d69900 nt!MiInsertPageInFreeList+0x16e (FPO: [0,0,0])
f6f8d554 804ec783 00001f76 0000000d 8055ef80 nt!MiDecrementShareCount+0x14f (FPO: [Non-Fpo])
f6f8d600 805495e3 c038bdf4 00000006 00000300 nt!MiDeleteSystemPagableVm+0x272 (FPO: [Non-Fpo])
f6f8d63c 8054b28b 00001f82 00000000 e2f76000 nt!MiFreePoolPages+0x51b (FPO: [Non-Fpo])
f6f8d67c bf8029ef e2f76000 00000000 f6f8d698 nt!ExFreePoolWithTag+0x1b7 (FPO: [Non-Fpo])
f6f8d68c bf805969 e2f76000 f6f8d6ec bf80b666 win32k!HeavyFreePool+0xbb (FPO: [Non-Fpo])
f6f8d698 bf80b666 e2f76000 00000005 850106cb win32k!FreeObject+0x25 (FPO: [Non-Fpo])
f6f8d6ec bf80b785 00000000 900508f7 f6f8d710 win32k!SURFACE::bDeleteSurface+0x14b (FPO: [Non-Fpo])
f6f8d6fc bf810086 00000000 900508f7 e2f76000 win32k!SURFREF::bDeleteSurface+0x12 (FPO: [Non-Fpo])
f6f8d710 bf806d7b 900508f7 900508f7 f6f8d874 win32k!bDeleteSurface+0x20 (FPO: [Non-Fpo])
f6f8d720 bf900ffd 900508f7 0000c4e0 00000001 win32k!GreDeleteObject+0x91 (FPO: [Non-Fpo])
f6f8d874 bf9014e9 23010c17 00000000 00000001 win32k!GreStretchDIBitsInternal+0xcc2 (FPO: [Non-Fpo])
f6f8d8ec 804df06b 23010c17 00000000 00000001 win32k!NtGdiStretchDIBitsInternal+0xd2 (FPO: [Non-Fpo])
f6f8d8ec 7c90eb94 23010c17 00000000 00000001 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6f8d934)
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012e528 00000000 00000000 00000000 00000000 0x7c90eb94
f6f8dbec 80566730 f6f8dca8 f6f8dcac f6f8dc7c nt!KiCallUserMode+0x4 (FPO: [2,3,4])
f6f8dc48 bf813d09 00000002 f6f8dc8c 00000018 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
f6f8dccc bf803522 bc68abc0 0000000f 00000000 win32k!SfnDWORD+0xa8 (FPO: [Non-Fpo])
start end module name

 

Ok, lets go ahead and turn on special pool. Please note that this can put you into a nasty reboot loop, that safe mode may or may not fix. Do not follow these directions unless you are prepared for the worst.


------------------------------------------------
You will need to enable "special pool" and get another crash dump. When it crashes with special pool enabled, you should see the bad driver right on the stack.

Using the registry to enable special pool <---recommended proceedure using *
http://support.microsoft.com/kb/188831/EN-US/

Turn this on, get a new dump.

Things to consider before you enable Driver Verifier Manager on production servers
http://support.microsoft.com/kb/251233/EN-US/

Note that this will increase the frequency of the crashes

 

Thanks for advice Joe.
So I have entered the following key to registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ Memory Management

Value Name: PoolTag
Data Type: REG_DWORD
Data: 0x2A

and rebooted the system. System booted OK but on the second reboot it gave me blue screen and dump pointing to sysaudio.sys. Dump data is below and in the attachment (I am not sure that newest dump is related to previous dumps however). I rebooted system again and since then no new crashes. The only difference in computer behavior is that it now takes nearly 20s to wake up from standby (suspend to RAM). Normally it takes 3-4 s.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, f2985493, f2bdc8b0, 0}

Probably caused by : sysaudio.sys ( sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f2985493, The address that the exception occurred at
Arg3: f2bdc8b0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb
f2985493 3b4808 cmp ecx,[eax+0x8]

TRAP_FRAME: f2bdc8b0 -- (.trap fffffffff2bdc8b0)
.trap fffffffff2bdc8b0
ErrCode = 00000000
eax=00000004 ebx=96200f98 ecx=00000001 edx=95402fe0 esi=00000001 edi=f2982b4c
eip=f2985493 esp=f2bdc924 ebp=f2bdc954 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
sysaudio!CGraphNodeInstance::CreatePinDescriptors+0xcb:
f2985493 3b4808 cmp ecx,[eax+0x8] ds:0023:0000000c=????????
.trap
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from f29857c7 to f2985493

STACK_TEXT:
f2bdc954 f29857c7 95b1afe0 00000000 f2983021 sysaudio!CGraphNodeInstance::CreatePinDescriptors+0xcb
f2bdc960 f2983021 95b1afe0 95b1aff4 84b12e70 sysaudio!CGraphNodeInstance::Create+0x18
f2bdc970 f2983427 00000004 95b1afe0 f2bdc990 sysaudio!CFilterInstance::CreateGraph+0x6f
f2bdc980 f2983976 955a6fc8 82e4fd28 f2bdc9f4 sysaudio!CFilterInstance::SetDeviceNode+0x41
f2bdc990 f7b86f4c 955a6fc8 82e4fd28 82e4fd20 sysaudio!SetInstanceDevice+0x3c
f2bdc9f4 f7b86ec9 84b12e70 00000004 f29825e0 ks!KspPropertyHandler+0x616
f2bdca18 f2982fb2 84b12e70 00000004 f29825b8 ks!KsPropertyHandler+0x19
f2bdca68 f7b86f85 8292af08 84b12e70 f2bdcab4 sysaudio!CFilterInstance::FilterDispatchIoControl+0x18e
f2bdca78 804e3d77 8292af08 84b12e70 84b12e70 ks!DispatchDeviceIoControl+0x28
f2bdca88 f7b87c47 eb3537d0 f2bdcaf4 00000000 nt!IopfCallDriver+0x31
f2bdcab4 eb344758 82dbc090 00000000 002f0003 ks!KsSynchronousIoControlDevice+0xbd
f2bdcafc eb3466b9 82dbc090 00000003 00000004 wdmaud!SetSysAudioProperty+0x4e
f2bdcbc0 eb347447 8213a000 00000003 95360f68 wdmaud!InitializeGetNumDevs+0x181
f2bdcbe4 eb347387 8213a000 9586efd0 00000003 wdmaud!ProcessDevNodeListItem+0x38
f2bdcc0c eb345bfa 8213a000 82915450 00000003 wdmaud!AddDevNode+0x10c
f2bdcc34 804e3d77 00000000 8213a000 806ee2d0 wdmaud!SoundDispatch+0x142
f2bdcc44 8056a9ab 829b3d6c 82976d18 829b3cd8 nt!IopfCallDriver+0x31
f2bdcc58 8057d9f7 8294f4f0 829b3cd8 82976d18 nt!IopSynchronousServiceTail+0x60
f2bdcd00 8057fbfa 00000804 00000808 00000000 nt!IopXxxControlFile+0x611
f2bdcd34 804df06b 00000804 00000808 00000000 nt!NtDeviceIoControlFile+0x2a
f2bdcd34 7c90eb94 00000804 00000808 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006f114 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb
f2985493 3b4808 cmp ecx,[eax+0x8]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb

MODULE_NAME: sysaudio

IMAGE_NAME: sysaudio.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107f1a

STACK_COMMAND: .trap fffffffff2bdc8b0 ; kb

FAILURE_BUCKET_ID: 0x8E_sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb

BUCKET_ID: 0x8E_sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb

Followup: MachineOwner
---------

eax=00000004 ebx=96200f98 ecx=00000001 edx=95402fe0 esi=00000001 edi=f2982b4c
eip=f2985493 esp=f2bdc924 ebp=f2bdc954 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
sysaudio!CGraphNodeInstance::CreatePinDescriptors+0xcb:
f2985493 3b4808 cmp ecx,[eax+0x8] ds:0023:0000000c=????????
ChildEBP RetAddr Args to Child
f2bdc954 f29857c7 95b1afe0 00000000 f2983021 sysaudio!CGraphNodeInstance::CreatePinDescriptors+0xcb (FPO: [Non-Fpo])
f2bdc960 f2983021 95b1afe0 95b1aff4 84b12e70 sysaudio!CGraphNodeInstance::Create+0x18 (FPO: [0,0,0])
f2bdc970 f2983427 00000004 95b1afe0 f2bdc990 sysaudio!CFilterInstance::CreateGraph+0x6f (FPO: [0,0,0])
f2bdc980 f2983976 955a6fc8 82e4fd28 f2bdc9f4 sysaudio!CFilterInstance::SetDeviceNode+0x41 (FPO: [Non-Fpo])
f2bdc990 f7b86f4c 955a6fc8 82e4fd28 82e4fd20 sysaudio!SetInstanceDevice+0x3c (FPO: [Non-Fpo])
f2bdc9f4 f7b86ec9 84b12e70 00000004 f29825e0 ks!KspPropertyHandler+0x616 (FPO: [Non-Fpo])
f2bdca18 f2982fb2 84b12e70 00000004 f29825b8 ks!KsPropertyHandler+0x19 (FPO: [Non-Fpo])
f2bdca68 f7b86f85 8292af08 84b12e70 f2bdcab4 sysaudio!CFilterInstance::FilterDispatchIoControl+0x18e (FPO: [Non-Fpo])
f2bdca78 804e3d77 8292af08 84b12e70 84b12e70 ks!DispatchDeviceIoControl+0x28 (FPO: [Non-Fpo])
f2bdca88 f7b87c47 eb3537d0 f2bdcaf4 00000000 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f2bdcab4 eb344758 82dbc090 00000000 002f0003 ks!KsSynchronousIoControlDevice+0xbd (FPO: [Non-Fpo])
f2bdcafc eb3466b9 82dbc090 00000003 00000004 wdmaud!SetSysAudioProperty+0x4e (FPO: [Non-Fpo])
f2bdcbc0 eb347447 8213a000 00000003 95360f68 wdmaud!InitializeGetNumDevs+0x181 (FPO: [Non-Fpo])
f2bdcbe4 eb347387 8213a000 9586efd0 00000003 wdmaud!ProcessDevNodeListItem+0x38 (FPO: [Non-Fpo])
f2bdcc0c eb345bfa 8213a000 82915450 00000003 wdmaud!AddDevNode+0x10c (FPO: [Non-Fpo])
f2bdcc34 804e3d77 00000000 8213a000 806ee2d0 wdmaud!SoundDispatch+0x142 (FPO: [Non-Fpo])
f2bdcc44 8056a9ab 829b3d6c 82976d18 829b3cd8 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f2bdcc58 8057d9f7 8294f4f0 829b3cd8 82976d18 nt!IopSynchronousServiceTail+0x60 (FPO: [Non-Fpo])
f2bdcd00 8057fbfa 00000804 00000808 00000000 nt!IopXxxControlFile+0x611 (FPO: [Non-Fpo])
f2bdcd34 804df06b 00000804 00000808 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])
start end module name

 

Did you also set this registry key to 1? PoolTagOverruns
Please confirm exactly what you changed to enable special pool


This crash is the result of pool corruption. So, either it didnt catch it, or somethings not configured right.

 

No. But now I did.

So in total the following keys were entered to registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager\ Memory Management

Value Name: PoolTag
Data Type: REG_DWORD
Data: 0x2A

Value Name: PoolTagOverruns
Data Type: REG_DWORD
Data: 1


Got blue screen after first reboot again with sysaudio.sys (below). After second reboot system booted normally.

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, f30f5493, f8ac79b4, f8ac76b0}

Probably caused by : sysaudio.sys ( sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f30f5493, The address that the exception occurred at
Arg3: f8ac79b4, Exception Record Address
Arg4: f8ac76b0, Context Record Address

Debugging Details:
------------------


ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb
f30f5493 3b4808 cmp ecx,[eax+0x8]

EXCEPTION_PARAMETER1: f8ac79b4

CONTEXT: f8ac76b0 -- (.cxr fffffffff8ac76b0)
.cxr fffffffff8ac76b0
eax=00000000 ebx=972f4f98 ecx=00000001 edx=966e2fe0 esi=00000003 edi=f30f2b4c
eip=f30f5493 esp=f8ac7a7c ebp=f8ac7aac iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
sysaudio!CGraphNodeInstance::CreatePinDescriptors+0xcb:
f30f5493 3b4808 cmp ecx,[eax+0x8] ds:0023:00000008=????????
.cxr
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from f30f57c7 to f30f5493

STACK_TEXT:
f8ac7aac f30f57c7 9727cfe0 00000000 f30f3021 sysaudio!CGraphNodeInstance::CreatePinDescriptors+0xcb
f8ac7ab8 f30f3021 9727cfe0 9727cff4 8c6f0e70 sysaudio!CGraphNodeInstance::Create+0x18
f8ac7ac8 f30f3427 00000004 9727cfe0 f8ac7ae8 sysaudio!CFilterInstance::CreateGraph+0x6f
f8ac7ad8 f30f3976 965f0fc8 972f2fe8 f8ac7b4c sysaudio!CFilterInstance::SetDeviceNode+0x41
f8ac7ae8 f7ba9f4c 965f0fc8 972f2fe8 972f2fe0 sysaudio!SetInstanceDevice+0x3c
f8ac7b4c f7ba9ec9 8c6f0e70 00000004 f30f25e0 ks!KspPropertyHandler+0x616
f8ac7b70 f30f2fb2 8c6f0e70 00000004 f30f25b8 ks!KsPropertyHandler+0x19
f8ac7bc0 f7ba9f85 82d88300 8c6f0e70 f8ac7c0c sysaudio!CFilterInstance::FilterDispatchIoControl+0x18e
f8ac7bd0 804e3d77 82d88300 8c6f0e70 8c6f0e70 ks!DispatchDeviceIoControl+0x28
f8ac7be0 f7baac47 ebbe57d0 f8ac7c4c 00000000 nt!IopfCallDriver+0x31
f8ac7c0c ebbd6758 82d3ef90 00000000 002f0003 ks!KsSynchronousIoControlDevice+0xbd
f8ac7c54 ebbd86b9 82d3ef90 00000003 00000004 wdmaud!SetSysAudioProperty+0x4e
f8ac7d18 ebbd9447 8223b000 00000003 96afef68 wdmaud!InitializeGetNumDevs+0x181
f8ac7d3c ebbe06ca 8223b000 96972fd0 00000003 wdmaud!ProcessDevNodeListItem+0x38
f8ac7d5c f7ba180b 00000003 82d783c0 80561b7c wdmaud!SysaudioAddRemove+0x2f
f8ac7d74 804e47fe 82d783c0 00000000 8324cda8 ks!WorkerThread+0x45
f8ac7dac 8057dfed 82d783c0 00000000 00000000 nt!ExpWorkerThread+0x100
f8ac7ddc 804fa477 804e4729 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb
f30f5493 3b4808 cmp ecx,[eax+0x8]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb

MODULE_NAME: sysaudio

IMAGE_NAME: sysaudio.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107f1a

STACK_COMMAND: .cxr fffffffff8ac76b0 ; kb

FAILURE_BUCKET_ID: 0x7E_sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb

BUCKET_ID: 0x7E_sysaudio!CGraphNodeInstance::CreatePinDescriptors+cb

Followup: MachineOwner
---------

eax=00000000 ebx=972f4f98 ecx=00000001 edx=966e2fe0 esi=00000003 edi=f30f2b4c
eip=f30f5493 esp=f8ac7a7c ebp=f8ac7aac iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
sysaudio!CGraphNodeInstance::CreatePinDescriptors+0xcb:
f30f5493 3b4808 cmp ecx,[eax+0x8] ds:0023:00000008=????????
ChildEBP RetAddr Args to Child
f8ac7aac f30f57c7 9727cfe0 00000000 f30f3021 sysaudio!CGraphNodeInstance::CreatePinDescriptors+0xcb (FPO: [Non-Fpo])
f8ac7ab8 f30f3021 9727cfe0 9727cff4 8c6f0e70 sysaudio!CGraphNodeInstance::Create+0x18 (FPO: [0,0,0])
f8ac7ac8 f30f3427 00000004 9727cfe0 f8ac7ae8 sysaudio!CFilterInstance::CreateGraph+0x6f (FPO: [0,0,0])
f8ac7ad8 f30f3976 965f0fc8 972f2fe8 f8ac7b4c sysaudio!CFilterInstance::SetDeviceNode+0x41 (FPO: [Non-Fpo])
f8ac7ae8 f7ba9f4c 965f0fc8 972f2fe8 972f2fe0 sysaudio!SetInstanceDevice+0x3c (FPO: [Non-Fpo])
f8ac7b4c f7ba9ec9 8c6f0e70 00000004 f30f25e0 ks!KspPropertyHandler+0x616 (FPO: [Non-Fpo])
f8ac7b70 f30f2fb2 8c6f0e70 00000004 f30f25b8 ks!KsPropertyHandler+0x19 (FPO: [Non-Fpo])
f8ac7bc0 f7ba9f85 82d88300 8c6f0e70 f8ac7c0c sysaudio!CFilterInstance::FilterDispatchIoControl+0x18e (FPO: [Non-Fpo])
f8ac7bd0 804e3d77 82d88300 8c6f0e70 8c6f0e70 ks!DispatchDeviceIoControl+0x28 (FPO: [Non-Fpo])
f8ac7be0 f7baac47 ebbe57d0 f8ac7c4c 00000000 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
f8ac7c0c ebbd6758 82d3ef90 00000000 002f0003 ks!KsSynchronousIoControlDevice+0xbd (FPO: [Non-Fpo])
f8ac7c54 ebbd86b9 82d3ef90 00000003 00000004 wdmaud!SetSysAudioProperty+0x4e (FPO: [Non-Fpo])
f8ac7d18 ebbd9447 8223b000 00000003 96afef68 wdmaud!InitializeGetNumDevs+0x181 (FPO: [Non-Fpo])
f8ac7d3c ebbe06ca 8223b000 96972fd0 00000003 wdmaud!ProcessDevNodeListItem+0x38 (FPO: [Non-Fpo])
f8ac7d5c f7ba180b 00000003 82d783c0 80561b7c wdmaud!SysaudioAddRemove+0x2f (FPO: [Non-Fpo])
f8ac7d74 804e47fe 82d783c0 00000000 8324cda8 ks!WorkerThread+0x45 (FPO: [Non-Fpo])
f8ac7dac 8057dfed 82d783c0 00000000 00000000 nt!ExpWorkerThread+0x100 (FPO: [Non-Fpo])
f8ac7ddc 804fa477 804e4729 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
start end module name

 

Quite eventful crash today:
I woke up computer from suspend to RAM. Firefox and Thunderbird application were open, firefox being frontmost. I attempted to connect to a website but failed probably because network connection was not reestablished after waking up (happens from time to time and can be resolved by restarting Firefox). So I closed firefox. Firefox GUI disappeared and a second later I got firefox warning message that flash plug-in performed illegal operation. This was followed by windows message about critical error (drwatson wrote user.dmp, see attachment). One-two seconds later screen went black with familiar "input out of range" and system hanged with HDD led permanently on. Upon reboot system managed to write another dump to windows/minidump folder (below and attached).

windows/minidump:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 4E, {99, 1df77, 0, 0}

Probably caused by : memory_corruption ( nt!MiDecrementShareCount+53 )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000099, A PTE or PFN is corrupt
Arg2: 0001df77, page frame number[/B]
Arg3: 00000000, current page state
Arg4: 00000000, 0

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x4E

LAST_CONTROL_TRANSFER: from 80525182 to 805339ae

STACK_TEXT:
f8ae7ce0 80525182 0000004e 00000099 0001df77 nt!KeBugCheckEx+0x1b
f8ae7d0c 804e9502 829cae08 00dd4233 00000001 nt!MiDecrementShareCount+0x53
f8ae7d6c 804e93bd 00e22340 00000000 83172da8 nt!MmOutPageKernelStack+0x16b
f8ae7da8 804e93a5 8057dfed 00000000 00000000 nt!KiOutSwapKernelStacks+0xe4
f8ae7dac 8057dfed 00000000 00000000 00000000 nt!KeSwapProcessOrStack+0x47
f8ae7ddc 804fa477 804e71c0 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
nt!MiDecrementShareCount+53
80525182 845804 test [eax+0x4],bl

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!MiDecrementShareCount+53

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 41108004

STACK_COMMAND: kb

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0x4E_nt!MiDecrementShareCount+53

BUCKET_ID: 0x4E_nt!MiDecrementShareCount+53

Followup: MachineOwner
---------

eax=ffdff13c ebx=0001df77 ecx=00000000 edx=00000008 esi=81de2328 edi=0001df77
eip=805339ae esp=f8ae7cc8 ebp=f8ae7ce0 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KeBugCheckEx+0x1b:
805339ae 5d pop ebp
ChildEBP RetAddr Args to Child
f8ae7ce0 80525182 0000004e 00000099 0001df77 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f8ae7d0c 804e9502 829cae08 00dd4233 00000001 nt!MiDecrementShareCount+0x53 (FPO: [Non-Fpo])
f8ae7d6c 804e93bd 00e22340 00000000 83172da8 nt!MmOutPageKernelStack+0x16b (FPO: [Non-Fpo])
f8ae7da8 804e93a5 8057dfed 00000000 00000000 nt!KiOutSwapKernelStacks+0xe4 (FPO: [Non-Fpo])
f8ae7dac 8057dfed 00000000 00000000 00000000 nt!KeSwapProcessOrStack+0x47 (FPO: [1,0,0])
f8ae7ddc 804fa477 804e71c0 00000000 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
start end module name

DrWatson dump:
......................................................................
(52c.1a4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=02eafee8 edx=76b60200 esi=00000960 edi=1005d536
eip=1005d536 esp=02eafeb8 ebp=02eafedc iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
1005d536 ?? ???
0:005> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


FAULTING_IP:
+1005d536
1005d536 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
.exr ffffffffffffffff
ExceptionAddress: 1005d536
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 1005d536
Attempt to read from address 1005d536

DEFAULT_BUCKET_ID: APPLICATION_FAULT

PROCESS_NAME: firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

READ_ADDRESS: 1005d536

BUGCHECK_STR: ACCESS_VIOLATION

THREAD_ATTRIBUTES:
LAST_CONTROL_TRANSFER: from 76b454f3 to 1005d536

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
02eafeb4 76b454f3 00000960 00000000 02a1de1c 0x1005d536
02eafedc 76b5ae36 1005d536 00000003 00000960 winmm!DriverCallback+0x5c
02eaff18 76b5af3a 00000960 10042354 82961d10 winmm!TimerCompletion+0xf4
02eaffb4 7c80b50b 00000000 0012ef20 10042354 winmm!timeThread+0x53
02eaffec 00000000 76b5aee7 00000000 00000000 kernel32!BaseThreadStart+0x37


FAILED_INSTRUCTION_ADDRESS:
+1005d536
1005d536 ?? ???

FOLLOWUP_IP:
winmm!DriverCallback+5c
76b454f3 33c0 xor eax,eax

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: winmm!DriverCallback+5c

MODULE_NAME: winmm

IMAGE_NAME: winmm.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 411096d6


STACK_COMMAND: .ecxr ; kb

FAILURE_BUCKET_ID: ACCESS_VIOLATION_BAD_IP_winmm!DriverCallback+5c

BUCKET_ID: ACCESS_VIOLATION_BAD_IP_winmm!DriverCallback+5c

Followup: MachineOwner
---------

eax=00000000 ebx=00000000 ecx=02eafee8 edx=76b60200 esi=00000960 edi=1005d536
eip=1005d536 esp=02eafeb8 ebp=02eafedc iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
1005d536 ?? ???
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
02eafeb4 76b454f3 00000960 00000000 02a1de1c 0x1005d536
02eafedc 76b5ae36 1005d536 00000003 00000960 winmm!DriverCallback+0x5c (FPO: [Non-Fpo])
02eaff18 76b5af3a 00000960 10042354 82961d10 winmm!TimerCompletion+0xf4 (FPO: [Non-Fpo])
02eaffb4 7c80b50b 00000000 0012ef20 10042354 winmm!timeThread+0x53 (FPO: [Non-Fpo])
02eaffec 00000000 76b5aee7 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

 

Well, doesnt look like you machine likes to hibernate.

This kernel dump was caused by a corrupt PTE, which is a low level memory contstruct used to map physical memory to virtual memory.

If you wanted to, you could do the 'advanced' thing on my tool, and do a !pfn 0001df77 and then using that output !pte 999999 on the pteaddress output from !pfn. a dc 99999 on the pteaddress would be cool too.

The user dump from firefox needs a little more work too. Do a !vprot 1005d536

To me, it looks like your sound card/driver/widget didnt wake up well from the hibernation. Possible that the page backing that virtual memory was our PTE that caused the bluescreen.

Either way, your ram got messed up. if you collect that output, we should be able to determine to what extent, whether it was a bitflip or something hardcore.

Look at the history so far:

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)- apperent bad callback address
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)- corrupt GDI object
IRQL_NOT_LESS_OR_EQUAL (a) - corrupt pool memory
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)- bad data passed in sound subsystem
Access violation - code c0000005 - bad usermode callback in sound subsystem
PFN_LIST_CORRUPT (4e) - PTE/PFN corruption, 'corrupt memory'.


You've got 5 counts of messed up memory, and 2 counts of potential problems with your sound drivers.

Nothing conclusive yet, but we are certainly seeing a pattern that seems to be bigger than just a bad driver.. More data is needed. Having fun yet?

 

Thanks a lot for care Joe!
I will try advanced settings to get more from dumps. Meanwhile one more crush just few minutes ago on idle machine. This time again sysaudio.sys (but not related to suspend). Looks that crashes have indeed become more frequent.

George

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, f7da552d, ebec68b0, 0}

Probably caused by : sysaudio.sys ( sysaudio!CGraphNodeInstance::CreatePinDescriptors+28 )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f7da552d, The address that the exception occurred at
Arg3: ebec68b0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
sysaudio!CGraphNodeInstance::CreatePinDescriptors+28
f7da552d 83781000 cmp dword ptr [eax+0x10],0x0

TRAP_FRAME: ebec68b0 -- (.trap ffffffffebec68b0)
.trap ffffffffebec68b0
ErrCode = 00000000
eax=00000000 ebx=9898ef98 ecx=e23e0350 edx=e23dea30 esi=957f2fd8 edi=949eaf70
eip=f7da552d esp=ebec6924 ebp=ebec6954 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
sysaudio!CGraphNodeInstance::CreatePinDescriptors+0x28:
f7da552d 83781000 cmp dword ptr [eax+0x10],0x0 ds:0023:00000010=????????
.trap
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from f7da57c7 to f7da552d

STACK_TEXT:
ebec6954 f7da57c7 99052fe0 00000000 f7da3021 sysaudio!CGraphNodeInstance::CreatePinDescriptors+0x28
ebec6960 f7da3021 99052fe0 99052ff4 866a0e48 sysaudio!CGraphNodeInstance::Create+0x18
ebec6970 f7da3427 00000004 99052fe0 ebec6990 sysaudio!CFilterInstance::CreateGraph+0x6f
ebec6980 f7da3976 94e46fc8 8260b2d8 ebec69f4 sysaudio!CFilterInstance::SetDeviceNode+0x41
ebec6990 f7ba9f4c 94e46fc8 8260b2d8 8260b2d0 sysaudio!SetInstanceDevice+0x3c
ebec69f4 f7ba9ec9 866a0e48 00000004 f7da25e0 ks!KspPropertyHandler+0x616
ebec6a18 f7da2fb2 866a0e48 00000004 f7da25b8 ks!KsPropertyHandler+0x19
ebec6a68 f7ba9f85 822fd2c0 866a0e48 ebec6ab4 sysaudio!CFilterInstance::FilterDispatchIoControl+0x18e
ebec6a78 804e3d77 822fd2c0 866a0e48 866a0e48 ks!DispatchDeviceIoControl+0x28
ebec6a88 f7baac47 ec3ea7d0 ebec6af4 00000000 nt!IopfCallDriver+0x31
ebec6ab4 ec3db758 82e22918 00000000 002f0003 ks!KsSynchronousIoControlDevice+0xbd
ebec6afc ec3dd6b9 82e22918 00000003 00000004 wdmaud!SetSysAudioProperty+0x4e
ebec6bc0 ec3de447 82daa000 00000002 9a730f50 wdmaud!InitializeGetNumDevs+0x181
ebec6be4 ec3de387 82daa000 96f12fd0 00000002 wdmaud!ProcessDevNodeListItem+0x38
ebec6c0c ec3dcbfa 82daa000 8257c268 00000002 wdmaud!AddDevNode+0x10c
ebec6c34 804e3d77 00000000 82daa000 806ee2d0 wdmaud!SoundDispatch+0x142
ebec6c44 8056a9ab 8b13eedc 82f362d0 8b13ee48 nt!IopfCallDriver+0x31
ebec6c58 8057d9f7 825a7898 8b13ee48 82f362d0 nt!IopSynchronousServiceTail+0x60
ebec6d00 8057fbfa 000002b8 000002e0 00000000 nt!IopXxxControlFile+0x611
ebec6d34 804df06b 000002b8 000002e0 00000000 nt!NtDeviceIoControlFile+0x2a
ebec6d34 7c90eb94 000002b8 000002e0 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f284 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
sysaudio!CGraphNodeInstance::CreatePinDescriptors+28
f7da552d 83781000 cmp dword ptr [eax+0x10],0x0

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: sysaudio!CGraphNodeInstance::CreatePinDescriptors+28

MODULE_NAME: sysaudio

IMAGE_NAME: sysaudio.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107f1a

STACK_COMMAND: .trap ffffffffebec68b0 ; kb

FAILURE_BUCKET_ID: 0x8E_sysaudio!CGraphNodeInstance::CreatePinDescriptors+28

BUCKET_ID: 0x8E_sysaudio!CGraphNodeInstance::CreatePinDescriptors+28

Followup: MachineOwner
---------

eax=00000000 ebx=9898ef98 ecx=e23e0350 edx=e23dea30 esi=957f2fd8 edi=949eaf70
eip=f7da552d esp=ebec6924 ebp=ebec6954 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
sysaudio!CGraphNodeInstance::CreatePinDescriptors+0x28:
f7da552d 83781000 cmp dword ptr [eax+0x10],0x0 ds:0023:00000010=????????
ChildEBP RetAddr Args to Child
ebec6954 f7da57c7 99052fe0 00000000 f7da3021 sysaudio!CGraphNodeInstance::CreatePinDescriptors+0x28 (FPO: [Non-Fpo])
ebec6960 f7da3021 99052fe0 99052ff4 866a0e48 sysaudio!CGraphNodeInstance::Create+0x18 (FPO: [0,0,0])
ebec6970 f7da3427 00000004 99052fe0 ebec6990 sysaudio!CFilterInstance::CreateGraph+0x6f (FPO: [0,0,0])
ebec6980 f7da3976 94e46fc8 8260b2d8 ebec69f4 sysaudio!CFilterInstance::SetDeviceNode+0x41 (FPO: [Non-Fpo])
ebec6990 f7ba9f4c 94e46fc8 8260b2d8 8260b2d0 sysaudio!SetInstanceDevice+0x3c (FPO: [Non-Fpo])
ebec69f4 f7ba9ec9 866a0e48 00000004 f7da25e0 ks!KspPropertyHandler+0x616 (FPO: [Non-Fpo])
ebec6a18 f7da2fb2 866a0e48 00000004 f7da25b8 ks!KsPropertyHandler+0x19 (FPO: [Non-Fpo])
ebec6a68 f7ba9f85 822fd2c0 866a0e48 ebec6ab4 sysaudio!CFilterInstance::FilterDispatchIoControl+0x18e (FPO: [Non-Fpo])
ebec6a78 804e3d77 822fd2c0 866a0e48 866a0e48 ks!DispatchDeviceIoControl+0x28 (FPO: [Non-Fpo])
ebec6a88 f7baac47 ec3ea7d0 ebec6af4 00000000 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
ebec6ab4 ec3db758 82e22918 00000000 002f0003 ks!KsSynchronousIoControlDevice+0xbd (FPO: [Non-Fpo])
ebec6afc ec3dd6b9 82e22918 00000003 00000004 wdmaud!SetSysAudioProperty+0x4e (FPO: [Non-Fpo])
ebec6bc0 ec3de447 82daa000 00000002 9a730f50 wdmaud!InitializeGetNumDevs+0x181 (FPO: [Non-Fpo])
ebec6be4 ec3de387 82daa000 96f12fd0 00000002 wdmaud!ProcessDevNodeListItem+0x38 (FPO: [Non-Fpo])
ebec6c0c ec3dcbfa 82daa000 8257c268 00000002 wdmaud!AddDevNode+0x10c (FPO: [Non-Fpo])
ebec6c34 804e3d77 00000000 82daa000 806ee2d0 wdmaud!SoundDispatch+0x142 (FPO: [Non-Fpo])
ebec6c44 8056a9ab 8b13eedc 82f362d0 8b13ee48 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
ebec6c58 8057d9f7 825a7898 8b13ee48 82f362d0 nt!IopSynchronousServiceTail+0x60 (FPO: [Non-Fpo])
ebec6d00 8057fbfa 000002b8 000002e0 00000000 nt!IopXxxControlFile+0x611 (FPO: [Non-Fpo])
ebec6d34 804df06b 000002b8 000002e0 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])

 

Now it seems that I do something wrong with advanced thing. Does not work. Should the advanced string be like:
-logo c:\debuglog.txt -c "!pfn 0001df77;q" -y SRV*c:\symbols*http://msdl.microsoft.com/down............

Output says:
unable to get PFN database address 8055f4c8

 

well, the pfn isnt there.. ahh. i see, minidump. oh well. no joy from doing that. As far as the pte thing goes.. doesnt really help, either way.

Still want you to try the vprot thing on the userdump.

Something must not be right with your sound card. I dont see how you are getting a crash there. I'd recommend uninstalling the drivers, reseating the card, and reinstalling with latest drivers from the OEM. Lets see if we can troubleshoot that one away. Otherwise ill have till wait till monday to figure out how that function works and what the crash vectors are.