BSOD BUg Check ntkrnlmp.exe ( nt!KiDispatchException+3b1

Hello everyone i'm new here but i found several other posts that involved bug checks so i thought i'd give you all a try. I read a couple tutorials and i think i've attached everything you'll need but if there are any other commands that would help resolved this issue let me know and i'll run them.

I think I've narrowed things down to Windows updates. Anytime i try to do a windows update i get the BSOD. I tried installing IE7 same thing, I've had to disabled the automatic updates and background intelligent service or else it just keeps rebooting. I have my system information and a bug check further below. Any help would really be appreciated.

Oh i get services and controller app has encountered an error when i start back up, i have to move the message off to the side to continue working, if i close it or click send error report, it gives me about a minute and then shutdown the computer.

szAppName : services.exe szAppVer : 5.1.2600.2180
szModName : services.exe szModVer : 5.1.2600.2180 offset : 00008e40

I cleaned out the case, replaced fans, reseated the CPU and fan, memory sticks reseated i ran them through memtest no errors, i've completely uninstalled radeon drivers no help. Ran a CHKDSK /r, no help.

I did a repair with an XP CD in which i slipstreamed SP2 on which may be the culprit but i'm not sure if the damage is irreversible. I've

I have free AVG antivirus, Spybot, Radeon 9500, let me know what else you might need to help me. Thanks a million


OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer Microsoft Corporation
System Name M1E2N3T4A5L6L7Y
System Manufacturer MICRO-STAR INC.
System Model MS-6728
System Type X86-based PC
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~3000 Mhz
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~3000 Mhz
BIOS Version/Date AMIINT - 10, Version 1.00, 9/29/2004
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) "
User Name M1E2N3T4A5L6L7Y\Jason
Time Zone Eastern Standard Time
Total Physical Memory 256.00 MB i Have 512 not sure why it says 256
Available Physical Memory 60.91 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 1.22 GB
Page File C:\pagefile.sys



1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b958ad59, The address that the exception occurred at
Arg3: b5f60a28, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
+ffffffffb958ad59
b958ad59 8a1401 mov dl,byte ptr [ecx+eax]

TRAP_FRAME: b5f60a28 -- (.trap ffffffffb5f60a28)
ErrCode = 00000000
eax=00000000 ebx=b9590cfb ecx=0101d000 edx=804e3e5f esi=00001000 edi=0101c000
eip=b958ad59 esp=b5f60a9c ebp=b5f60aa8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
b958ad59 8a1401 mov dl,byte ptr [ecx+eax] ds:0023:0101d000=??
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: xmllitesetup.ex

LAST_CONTROL_TRANSFER: from 8052202d to 805371aa

STACK_TEXT:
b5f605f0 8052202d 0000008e c0000005 b958ad59 nt!KeBugCheckEx+0x1b
b5f609b8 804de403 b5f609d4 00000000 b5f60a28 nt!KiDispatchException+0x3b1
b5f60a20 804de3b4 b5f60aa8 b958ad59 badb0d00 nt!CommonDispatchException+0x4d
b5f60a30 804e3e5f 00effa84 00110010 7c808f8e nt!Kei386EoiHelper+0x18a
b5f60a60 804e3e5f 0101d000 00000000 ffffffff nt!ZwQueryInformationFile+0x11
b5f60a78 0101c000 00001000 b9590cfb b5f60aa8 nt!ZwQueryInformationFile+0x11
WARNING: Frame IP not in any known module. Following frames may be wrong.
b5f60b80 80603978 00000534 81eb3b28 00000001 0x101c000
b5f60afc b958cd19 81eb3b28 01000000 01000218 nt!PspCreateThread+0x3a7
b5f60b80 80603978 00000534 81eb3b28 00000001 0xb958cd19
b5f60b80 80603978 00000534 81eb3b28 00000001 nt!PspCreateThread+0x3a7
b5f60cc4 80584c40 00eff868 001f03ff 00000000 nt!PspCreateThread+0x3a7
b5f60d3c 804dd99f 00eff868 001f03ff 00000000 nt!NtCreateThread+0x118
b5f60d3c 7c90eb94 00eff868 001f03ff 00000000 nt!KiFastCallEntry+0xfc
00effee4 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiDispatchException+3b1
8052202d cc int 3

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42250f77

SYMBOL_NAME: nt!KiDispatchException+3b1

FAILURE_BUCKET_ID: 0x8E_nt!KiDispatchException+3b1

BUCKET_ID: 0x8E_nt!KiDispatchException+3b1

Followup: MachineOwner
---------

 

First, please turn back on the BITS and any other service you have disabled. They are not playing a role in your issue, but their lack is causing other issues. (such as your backup not working).

Second, you have a failed install of xmllitesetup.exe See if the Windows Installer Cleanup facility will allow you to remove this pending installation: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

Third, download and try the install of xmllitesetup.exe again:
http://support.microsoft.com/?kbid=915865

Reboot and test.

 

"First, please turn back on the BITS and any other service you have disabled. They are not playing a role in your issue, but their lack is causing other issues. (such as your backup not working). "

I can't turn these services back on or the computer just constantly continues to reboot and i can't do anything

"Second, you have a failed install of xmllitesetup.exe See if the Windows Installer Cleanup facility will allow you to remove this pending installation: http://support.microsoft.com/default...b;en-us;290301 "

I downloaded this utility but it doesn't have an entry pertaining to xmlitesetup.exe, i download the program on it's own, and i tried to install it, and it rebooted the computer, BSOD


Third, download and try the install of xmllitesetup.exe again:
http://support.microsoft.com/?kbid=915865

Reboot and test. "


I've pasted the bugcheck analysis after i tried installing the xmlitesetup.exe below, if you have any other suggestions please advise.

Shouldn't the numbers be 5.1.2600.2622 for the services.exe below? I do remmeber running a sfc /scannow, could that possibly reverted some files to the wrong version and are what's causing the problem? If i understand what's happening when the system attempts to reference ntkrnlmp.exe it should be trying to use ntoskrnl.exe

szAppName : services.exe szAppVer : 5.1.2600.2180
szModName : services.exe szModVer : 5.1.2600.2180 offset : 00008e40



KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f481ad59, The address that the exception occurred at
Arg3: b91e7a28, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx ". The memory could not be "%s ".

FAULTING_IP:
+fffffffff481ad59
f481ad59 8a1401 mov dl,byte ptr [ecx+eax]

TRAP_FRAME: b91e7a28 -- (.trap ffffffffb91e7a28)
ErrCode = 00000000
eax=00000000 ebx=f4820cfb ecx=0101d000 edx=804e3e5f esi=00001000 edi=0101c000
eip=f481ad59 esp=b91e7a9c ebp=b91e7aa8 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
f481ad59 8a1401 mov dl,byte ptr [ecx+eax] ds:0023:0101d000=??
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: WindowsXP-KB915

LAST_CONTROL_TRANSFER: from 8052202d to 805371aa

STACK_TEXT:
b91e75f0 8052202d 0000008e c0000005 f481ad59 nt!KeBugCheckEx+0x1b
b91e79b8 804de403 b91e79d4 00000000 b91e7a28 nt!KiDispatchException+0x3b1
b91e7a20 804de3b4 b91e7aa8 f481ad59 badb0d00 nt!CommonDispatchException+0x4d
b91e7a30 804e3e5f 063ac330 00000007 063ac5e0 nt!Kei386EoiHelper+0x18a
b91e7a60 804e3e5f 0101d000 00000000 ffffffff nt!ZwQueryInformationFile+0x11
b91e7a78 0101c000 00001000 f4820cfb b91e7aa8 nt!ZwQueryInformationFile+0x11
WARNING: Frame IP not in any known module. Following frames may be wrong.
b91e7b80 80603978 00000fe8 ff1b1748 00000001 0x101c000
b91e7afc f481cd19 ff1b1748 01000000 01000218 nt!PspCreateThread+0x3a7
b91e7b80 80603978 00000fe8 ff1b1748 00000001 0xf481cd19
b91e7b80 80603978 00000fe8 ff1b1748 00000001 nt!PspCreateThread+0x3a7
b91e7cc4 80584c40 063abca4 001f03ff 00000000 nt!PspCreateThread+0x3a7
b91e7d3c 804dd99f 063abca4 001f03ff 00000000 nt!NtCreateThread+0x118
b91e7d3c 7c90eb94 063abca4 001f03ff 00000000 nt!KiFastCallEntry+0xfc
063ac320 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiDispatchException+3b1
8052202d cc int 3

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42250f77

SYMBOL_NAME: nt!KiDispatchException+3b1

FAILURE_BUCKET_ID: 0x8E_nt!KiDispatchException+3b1

BUCKET_ID: 0x8E_nt!KiDispatchException+3b1

Followup: MachineOwner
---------

 

Q1: Shouldn't the numbers be 5.1.2600.2622 for the services.exe below? I do remmeber running a sfc /scannow, could that possibly reverted some files to the wrong version and are what's causing the problem?
A1: This is all fine.

Q2: If i understand what's happening when the system attempts to reference ntkrnlmp.exe it should be trying to use ntoskrnl.exe
A2: NTKRNLMP is fine. It is fine for non-HT and single core CPUs as well as HT and dual core cpus. It is appropriate for your HT enabled processor, which XP identifies properly:

System Type X86-based PC
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~3000 Mhz
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~3000 Mhz

In any case NTKRNLMP is not the issue, which your dump log shows as:

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: WindowsXP-KB915


Note that WindowsXP-KB915 == xmllitesetup.exe

So your second dump analysis is identical to the first.

Do a repair reinstallation of XP:

http://www.informationweek.com/LP/showArticle.jhtml?articleID=189400897&pgno=2&queryText=

http://support.microsoft.com/kb/315341

 

I've actually already done a non-destructive repair which didn't seem to resolve my problem. I haven't tried updating in safe mode would that help at all?

 

The only BSOD error I see is one related to IE 7.
Would you please give the full details of any pre-IE 7 BSOD messages.

Also, is there any other activity besides Windows Update that generates a BSOD, and if so, what event precipitates the BSOD error?

You might find all the information you need in your Event Logs.

 

Okay i turned on automatic updates for the time being, and i started installing windows updates individually, and now i've determined that this is the udpate that is causing the reboot so far anyways. Is there anyway to clear out the windows update catalog possibly from being corrupted. Any clues as to what this update is trying to access that's causing the BSOD?
Update for Windows XP (KB922582)
Download size: 0 KB , 0 minutes (Downloaded; ready to install)
A problem has been identified in Filter Manager that can prevent you from installing updates from Windows update. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer. Details...
Don't show this update again

 

Click Start, Choose Run.
In the Run box, type: services.msc
Click OK.
Right-click the Automatic Updates service.
Click Stop.

Stopping the service will take a moment.

Now rename the "SoftwareDistribution" folder:

a) Click Start, click Run, type
%systemroot%
...and then click OK.

b) Right-click the SoftwareDistribution folder, and then click Rename.

c) Type SoftwareDistribution.old and then press ENTER to rename this folder.

Now click Start, and choose Run.
In the Run box, type: services.msc
Click OK.
Right-click the Automatic Updates service.
Click Start.

Starting the service will take a moment.

 

Mr. Castner i can't thank you enough for responding to all of my posts. You kept me going because let me tell you i was about to give up. Anyways i've finally figure out the problem so you can add it to your knowledge. I started google searching BSOD and KB922582 and found this.

http://forums.afterdawn.com/thread_view.cfm/403829

Quote from that thread "OMG! I've been looking over the problem all this time! I apologize. Did you notice it?

In your first SmitfraudFix log:
pe386 detected, use a Rootkit scanner
lzx32 detected, use a Rootkit scanner
msguard detected, use a Rootkit scanner

Download AVG Antirootkit Beta from here

Download ADS Spy from here.

Download F-Secure's BlackLight from here.

Note: Print or copy these instructions to Notepad.

Disconnect from the internet.

* Install AVG Antirootkit Beta.
* Restart before running AVG Antirootkit Beta.
* Open AVG Anti-Rootkit Beta and click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path "
* Select the Rootkit Driver by placing a checkmark against it and click "Remove selected items." Next, agree for the terms and conditions that is displayed by AVG and click "OK" to reboot the PC.
* AVG Anti-Rootkit Beta renames the Mailbot.AZ Rootkit Driver so that the driver will not be loaded at the next reboot. But, it doesn't remove the actual Rootkit ADS and its Registry Entries. These can be removed by using ADS Spy.

* Extract ADS Spy to its own folder.
* Open ADS Spy. and select the "Full Scan (all NTFS drives) ".
* Click "Scan the "System for Alternate Data Streams." Once the scan is complete, select rootkit driver and click "Remove selected streams "
* Close ADS Spy and ALL open Windows.

* Open Notepad.(not Wordpad)
* Copy and paste the text inside the box below into Notepad, including the blank line at the end.

-----------------------------------------------------------------------
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msguard]

-----------------------------------------------------------------------

Save name as fix.reg and type as "all files" to your desktop.
Close Notepad.
Double click fix.reg and click Yes at prompt.

Open BlackLight.
* Click the Scan button.
* Leave the PC idle while it is scanning.
* When it has completed, click the Close button.
* A text file, fsbl-date/time, will be saved in the Blacklight folder.

Open SmitfraudFix and run Option 1.

Post back with the BlackLight log and the SmitfraidFix log. " End Quote



It turns out i had a rootkit driver called lzx32.sys hidden in my system. I'm not sure what a rootkit is but now that i have it removed i will have time to go and read all about it. After following these insturctions i went back and instaled KB992582 and IE7 without any problems or BSOD's anyone else reading this if your getting BSOD's i would seriously consider following these instructions because i ran all kinds of antivirus scans and nothing ever came back i would have sworn to anyone that my system was clean. And guess waht it wasn't and i'll never think that way again. I hope this helps at least one other person if not many more with their problem. I'll be back when i run into the next big error message. Thanks again

 

Sorry about the rootkit.

I appreciate your response back here.

Best wishes.

 

works for me

Thanks for the info, it helped a lot. I came across this page while searching for answers about a BSOD during the IE7 installer.