Win2k Server & Hyper-Threading [DUMP DATA]

Win2k Server & Hyper-Threading

I built a server about a year ago. Every now & then the system blue screens. I am pulling my hair out. I am now leaning towards Hyper-Threading as being the culprit.

I have the system setup to create a complete memory.dmp. I have made every attempt to try and understand the dump file using WinDbg. Additionally I downloaded the symbols from MS to help troubleshoot.

The system hardware is as follows:

Intel Board S875WP1 entry level server board
P4 - 2.8gHz, One processor ONLY
2 x 512mb Ram DDR400, 800 FSB
2 x 120gb SATA HD, mirrored
On Board Video
Adaptec AHA-2940U2W for Segate Scorpion 40 DDS4 Tape Drive
The BIOS firmware is up to date.
Windows 2000 Server with SP4 and patches up to date.

In the BIOS HyperThreading is Enabled
In Device Manager | Computer : ACPI Multiprocessor PC
In Task Manager | Perfromance Tab shows two processors.

Microsoft recommends turning off Hyperthreading. Intel is too hard to pin-down. Advice through Google is too vast to gain some point of middle ground.

....So what can I do.

1. Can I simple turn off Hyper Threading in the BIOS ?
1a. How will this effect the existing OS loaded ?

2. Can I implement boot.ini switches:
2a. To limit the number of processors | /numproc=number
2b. To specify the HAL | /HAL=filename
2c. To specify the kernel | /kernel=filename

3. Will doing either of the above require that I reload the OS. ie...If I simply turn off HT in the BIOS, should I expect to have start-up problems ?

The blue screen message is:

***stop: 0x0000000A (0xF4921E3E, 0x0000001C, 0x00000000, 0x8043352E)
IRQL_NOT_LESS_OR_EQUAL
***address 8043352E base at 80400000, Datestamp 41773335 - ntoskrnl.exe


***********************
After running a crash dump analysis with WinDbg using !analyze -v, the output is:

Loading Dump File [C:\WINNT\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

*********************************************************
WARNING: Dump file has inconsistent set-bit count. Data may be missing.
*********************************************************
Symbol search path is: srv*c:\winnt\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free x86 compatible
Product: Server
Kernel base = 0x80400000 PsLoadedModuleList = 0x80484b80
Debug session time: Tue Feb 1 17:54:43.292 2005 (GMT-5)
System Uptime: 0 days 4:10:53.718
Loading Kernel Symbols
............................................Page 7476 not present in the dump file. Type ".hh dbgerr004" for details
........................................................
Loading unloaded module list
.......
Loading User Symbols
*********************************************
* *
* Bugcheck Analysis *
* *
*********************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {f4921e3e, 1c, 0, 8043352e}

Probably caused by : ntkrnlmp.exe ( nt!KiWaitTest+26 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*********************************************
* *
* Bugcheck Analysis *
* *
*********************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: f4921e3e, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8043352e, address which referenced memory

Debugging Details:
------------------

OVERLAPPED_MODULE: ipsec

READ_ADDRESS: f4921e3e Nonpaged pool

CURRENT_IRQL: 1c

FAULTING_IP:
nt!KiWaitTest+26
8043352e 66837f1601 cmp word ptr [edi+0x16],0x1

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 80432984 to 8043352e

TRAP_FRAME: 80474aa8 -- (.trap ffffffff80474aa8)
ErrCode = 00000000
eax=00000001 ebx=01c508b1 ecx=f6921e28 edx=00000000 esi=f6921e20 edi=f4921e28
eip=8043352e esp=80474b1c ebp=80474b30 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!KiWaitTest+0x26:
8043352e 66837f1601 cmp word ptr [edi+0x16],0x1 ds:0023:f4921e3e=????
Resetting default scope

STACK_TEXT:
80474b30 80432984 0000006e 85bcdbb8 80474c3c nt!KiWaitTest+0x26
80474c20 8043290e 80470a30 ffdff848 ffdff000 nt!KiTimerListExpire+0x6e
80474c4c 80466478 80484300 00000000 000eb36d nt!KiTimerExpiration+0xb6
80474c64 804663d0 0000000e 00000000 00000000 nt!KiRetireDpcList+0x47
80474c6c 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x28

FOLLOWUP_IP:
nt!KiWaitTest+26
8043352e 66837f1601 cmp word ptr [edi+0x16],0x1

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!KiWaitTest+26

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41773335

STACK_COMMAND: .trap ffffffff80474aa8 ; kb

FAILURE_BUCKET_ID: 0xA_nt!KiWaitTest+26

BUCKET_ID: 0xA_nt!KiWaitTest+26

Followup: MachineOwner
---------

Thanks, Don

 

Have you thought about upgrading it to 2003?

 

No dis-respect intended, but I'm not the person that blows away an OS just because a driver doesn't work. And while I recognize that sometimes you need to step back and punt, I'm not ready to acknowledge defeat.

As a follow-up, I did disable HT in the BIOS. But that's it.

Unfortunately the machine blue screened again late this afternoon. While Arg1 referenced a different memory reference, it was still linked to ntoskrnl.exe

 

My point was that 2k only has 6 months of support left.
Time flys I know. its hard to believe 2k is about to turn 5.

You may have already covered the basics so disreguard if you have done.
What brand of memory? Is the memory approved by the motherboard manufactuer?
What about the SATA driver?

Im sure Joe will be along to look at that dump because its just jibberish to me.
I saw one simular to this and it was the Processor. (3.2C)

 

No kidding about that "Time Flys" thing.

Memory. Not sure about compliance, although I buy my hardware from an established vendor near my office.

The Driver for the SATA is Adaptect supplied by Intel and upgraded shortly after I built the box.

btw...While the second BSOD today had a difference arg1 reference. The datestamp was the same
***address 8043352E base at 80400000, Datestamp 41773335 - ntoskrnl.exe.

If it hasn't BSOD'd over night, I will post the latest information. Since I'm not to experienced with WinDBG, Let me know what other commands to use and I will furnish the results.

Thanks again

 

hi jedi

If you can force the crash it is a simple way to test if it is related to HT - you'll not get problems with booting etc just by turning of HT - at least to my expirence - never had problems with it when we tried to compare with and without HT.

regards /ti

 

Some software on your machine freed a timer out from under the system, or blew it looks like

Possible its a syncronization bug, that hyperthreading could expose. I doubt it though, its probably just a bug in a driver somewhere.

You will need to enable special pool to see if the malfunctioning driver can be caught with his hand in the cookie jar.

Joe's got a good writeup on this. I highly recommend you use the regkey, not verifier (for now).
http://www.windowsbbs.com/showpost.php?p=214246&postcount=2

 

Update DUMP DATA

Update since learning about Joe's Thread below.

I have done the following...read below for results
Dump Data collection tool and instructions
http://www.windowsbbs.com/showthread.php?t=33471

In an attempt not to do too many things at once, I have not done any of the suggestions from this thread yet.
http://www.windowsbbs.com/showpost.php?p=214246&postcount=2

History
I have the system setup to create a complete memory.dmp.

The system hardware is as follows:

Intel Board S875WP1 entry level server board
P4 - 2.8gHz, One processor ONLY
2 x 512mb Ram DDR400, 800 FSB
2 x 120gb SATA HD, mirrored
On Board Video
Adaptec AHA-2940U2W for:
(1) Internal Segate Scorpion 40 DDS4 Tape Drive
(1) External HP DDS-3 Tape Drive.

I am NOT trying to use both drives simultaneously

The MB BIOS firmware is up to date.
Windows 2000 Server with SP4 and patches up to date.

In the BIOS HyperThreading is Dis-Enabled now.
In Device Manager | Computer : ACPI Multiprocessor PC
In Task Manager | Perfromance Tab shows ONE processor.

***************************************************

Following your instructions from JoeHobarts thread:

Dump Data collection tool and instructions
http://www.windowsbbs.com/showthread.php?t=33471

The memory.dmp file is the most recent

Here is the cut-n-paste from the windowsbbs tool

Opened log file 'c:\debuglog.txt'

Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINNT\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINNT;C:\WINNT\system32;C:\WINNT\system32\drivers
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Product: Server
Kernel base = 0x80400000 PsLoadedModuleList = 0x80484b80
Debug session time: Thu Feb 3 15:58:20.140 2005 (GMT-5)
System Uptime: 0 days 1:52:47.468
Loading Kernel Symbols
...............................................................................
Loading unloaded module list
.......
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {f4949e3e, 1c, 0, 8043352e}

Probably caused by : ntkrnlmp.exe ( nt!KiWaitTest+26 )

Followup: MachineOwner
---------

kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: f4949e3e, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8043352e, address which referenced memory

Debugging Details:
------------------


OVERLAPPED_MODULE: ati2drad

READ_ADDRESS: f4949e3e Nonpaged pool

CURRENT_IRQL: 1c

FAULTING_IP:
nt!KiWaitTest+26
8043352e 66837f1601 cmp word ptr [edi+0x16],0x1

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 80432984 to 8043352e

TRAP_FRAME: 80474aa8 -- (.trap ffffffff80474aa8)
.trap ffffffff80474aa8
ErrCode = 00000000
eax=00000001 ebx=01c50a33 ecx=f6949e28 edx=00000000 esi=f6949e20 edi=f4949e28
eip=8043352e esp=80474b1c ebp=80474b30 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!KiWaitTest+0x26:
8043352e 66837f1601 cmp word ptr [edi+0x16],0x1 ds:0023:f4949e3e=????
.trap
Resetting default scope

STACK_TEXT:
80474b30 80432984 0000005e f6949e38 80474c3c nt!KiWaitTest+0x26
80474c20 8043290e 80470a30 ffdff848 ffdff000 nt!KiTimerListExpire+0x6e
80474c4c 80466478 80484300 00000000 00069bdd nt!KiTimerExpiration+0xb6
80474c64 804663d0 0000000e 00000000 00000000 nt!KiRetireDpcList+0x47
80474c6c 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x28


FOLLOWUP_IP:
nt!KiWaitTest+26
8043352e 66837f1601 cmp word ptr [edi+0x16],0x1

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!KiWaitTest+26

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 41773335

STACK_COMMAND: .trap ffffffff80474aa8 ; kb

FAILURE_BUCKET_ID: 0xA_nt!KiWaitTest+26

BUCKET_ID: 0xA_nt!KiWaitTest+26

Followup: MachineOwner
---------

eax=ffdff13c ebx=0000000a ecx=00000000 edx=40000000 esi=8043352e edi=f4949e3e
eip=80469eec esp=80474a94 ebp=80474aa8 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000286
nt!KiTrap0E+0x210:
80469eec f7457000000200 test dword ptr [ebp+0x70],0x20000 ss:0010:80474b18=00010287
ChildEBP RetAddr Args to Child
80474aa8 8043352e f6949e60 f6949e20 ffdff4dc nt!KiTrap0E+0x210 (FPO: [0,0] TrapFrame @ 80474aa8)
80474b30 80432984 0000005e f6949e38 80474c3c nt!KiWaitTest+0x26 (FPO: [Non-Fpo])
80474c20 8043290e 80470a30 ffdff848 ffdff000 nt!KiTimerListExpire+0x6e (FPO: [Non-Fpo])
80474c4c 80466478 80484300 00000000 00069bdd nt!KiTimerExpiration+0xb6 (FPO: [Non-Fpo])
80474c64 804663d0 0000000e 00000000 00000000 nt!KiRetireDpcList+0x47 (FPO: [0,1,0])
80474c6c 00000000 00000000 00000000 00000000 nt!KiIdleLoop+0x28
start end module name
80062000 80076460 hal halmacpi.dll Thu Mar 20 21:04:42 2003 (3E7A733A)
80400000 805a0340 nt ntkrnlmp.exe Wed Oct 20 23:55:33 2004 (41773335)
a0000000 a018ec40 win32k win32k.sys Fri Dec 24 12:23:30 2004 (41CC5092)
f1c00000 f1c0e6a0 pci pci.sys Wed Jan 15 14:44:07 2003 (3E25BA07)
f1c10000 f1c1b680 isapnp isapnp.sys Wed Jan 15 14:43:47 2003 (3E25B9F3)
f1c20000 f1c28700 CLASSPNP CLASSPNP.SYS Wed Jan 15 14:42:51 2003 (3E25B9BB)
f1c50000 f1c5c4c0 VIDEOPRT VIDEOPRT.SYS Wed Jan 15 14:47:20 2003 (3E25BAC8)
f1c60000 f1c6b680 i8042prt i8042prt.sys Wed Apr 16 00:00:59 2003 (3E9CD57B)
f1c70000 f1c7f400 serial serial.sys Wed Apr 16 00:19:39 2003 (3E9CD9DB)
f1c80000 f1c8ca80 rasl2tp rasl2tp.sys Tue Apr 29 19:05:06 2003 (3EAF0522)
f1c90000 f1c9bc40 raspptp raspptp.sys Wed May 14 19:47:00 2003 (3EC2D574)
f1ca0000 f1caea20 parallel parallel.sys Wed Jan 15 14:47:14 2003 (3E25BAC2)
f1cb0000 f1cb9be0 usbhub usbhub.sys Tue Mar 18 18:30:41 2003 (3E77AC21)
f1cc0000 f1ccc160 usbhub20 usbhub20.sys Wed Jan 15 14:45:59 2003 (3E25BA77)
f1ce0000 f1ce9ce0 NDProxy NDProxy.SYS Thu Sep 30 19:25:35 1999 (37F3F16F)
f1cf0000 f1cf8fa0 Npfs Npfs.SYS Sat Oct 09 19:58:07 1999 (37FFD68F)
f1d00000 f1d08680 msgpc msgpc.sys Wed Jan 15 14:54:25 2003 (3E25BC71)
f1d10000 f1d181a0 netbios netbios.sys Tue Oct 12 15:34:19 1999 (38038D3B)
f1e30000 f1e38240 Fips Fips.SYS Tue May 09 11:28:29 2000 (39182E9D)
f1e80000 f1e85520 PCIIDEX PCIIDEX.SYS Tue Feb 25 13:31:08 2003 (3E5BB66C)
f1e88000 f1e8f4c0 MountMgr MountMgr.sys Tue Feb 10 14:47:53 2004 (40293569)
f1e90000 f1e97720 disk disk.sys Wed Jan 15 14:43:05 2003 (3E25B9C9)
f1e98000 f1e9d100 agp440 agp440.sys Wed Jan 15 14:47:07 2003 (3E25BABB)
f1ea8000 f1eaff40 uhcd uhcd.sys Wed Jan 15 14:45:50 2003 (3E25BA6E)
f1ec0000 f1ec4fc0 USBD USBD.SYS Wed Jan 22 12:05:33 2003 (3E2ECF5D)
f1ed0000 f1ed4c00 usbehci usbehci.sys Mon May 05 16:50:04 2003 (3EB6CE7C)
f1ee0000 f1ee4f40 04mmdat 04mmdat.sys Wed Jul 12 09:56:46 2000 (396C791E)
f1f00000 f1f05ec0 kbdclass kbdclass.sys Thu Feb 20 11:37:30 2003 (3E55044A)
f1f10000 f1f15400 mouclass mouclass.sys Thu Feb 20 11:37:45 2003 (3E550459)
f1f20000 f1f26580 fdc fdc.sys Wed Jan 15 14:42:51 2003 (3E25B9BB)
f1f38000 f1f3e100 parport parport.sys Wed Jan 15 14:47:13 2003 (3E25BAC1)
f1f48000 f1f4ec40 cdrom cdrom.sys Wed Jan 15 14:43:04 2003 (3E25B9C8)
f1f68000 f1f6c400 ptilink ptilink.sys Wed Jan 15 14:47:15 2003 (3E25BAC3)
f1f78000 f1f7c0e0 raspti raspti.sys Fri Oct 08 16:45:10 1999 (37FE57D6)
f1fa0000 f1fa4a60 flpydisk flpydisk.sys Wed Jan 15 14:42:52 2003 (3E25B9BC)
f1fb0000 f1fb6a20 EFS EFS.SYS Wed Jan 15 14:46:55 2003 (3E25BAAF)
f1fd0000 f1fd5240 Msfs Msfs.SYS Tue Oct 26 19:21:32 1999 (3816377C)
f1fe8000 f1fefd00 wanarp wanarp.sys Fri Aug 16 08:25:01 2002 (3D5CEF1D)
f2010000 f2012a20 BOOTVID BOOTVID.dll Wed Nov 03 20:24:33 1999 (3820E051)
f2014000 f2016d00 PartMgr PartMgr.sys Wed Jan 15 14:43:07 2003 (3E25B9CB)
f20ac000 f20af640 serenum serenum.sys Wed Jan 15 14:47:01 2003 (3E25BAB5)
f20b4000 f20b62e0 ndistapi ndistapi.sys Wed Jan 15 14:54:15 2003 (3E25BC67)
f20bc000 f20bf6c0 dump_diskdump dump_diskdump.sys Tue Feb 25 14:18:04 2003 (3E5BC16C)
f20c4000 f20c7e60 TDI TDI.SYS Wed Jan 15 14:56:26 2003 (3E25BCEA)
f20f0000 f20f3580 vga vga.sys Sat Sep 25 14:37:40 1999 (37ED1674)
f2100000 f2101100 intelide intelide.sys Wed Feb 19 12:19:09 2003 (3E53BC8D)
f2102000 f2103d20 Diskperf Diskperf.sys Wed Feb 12 16:34:38 2003 (3E4ABDEE)
f2104000 f2105b80 dmload dmload.sys Wed Jan 15 14:47:06 2003 (3E25BABA)
f2114000 f2115ca0 Fs_Rec Fs_Rec.SYS Wed Jan 15 14:53:30 2003 (3E25BC3A)
f211c000 f211de40 rasacd rasacd.sys Sat Sep 25 14:41:23 1999 (37ED1753)
f2160000 f2161860 ParVdm ParVdm.SYS Mon Sep 27 23:28:16 1999 (37F035D0)
f21c8000 f21c8f80 WMILIB WMILIB.SYS Sat Sep 25 14:36:47 1999 (37ED163F)
f21c9000 f21c9b00 pciide pciide.sys Wed Jan 15 14:43:03 2003 (3E25B9C7)
f21ec000 f21eca40 audstub audstub.sys Sat Sep 25 14:35:33 1999 (37ED15F5)
f21f6000 f21f6d80 swenum swenum.sys Sat Sep 25 14:36:31 1999 (37ED162F)
f2206000 f22069e0 Null Null.SYS Sat Sep 25 14:34:58 1999 (37ED15D2)
f2208000 f2208ee0 Beep Beep.SYS Wed Oct 20 18:18:59 1999 (380E3FD3)
f220b000 f220bf80 mnmdd mnmdd.SYS Sat Sep 25 14:37:40 1999 (37ED1674)
f22c3000 f22c3be0 mbmiodrvr mbmiodrvr.sys Wed Jul 10 20:57:39 2002 (3D2CD803)
f5545000 f5555960 NAVENG NAVENG.sys Thu Dec 30 16:46:10 2004 (41D47722)
f5556000 f55eea60 NAVEX15 NAVEX15.sys Thu Dec 30 16:45:19 2004 (41D476EF)
f55ef000 f562d000 NAVAP NAVAP.sys Sat May 03 00:08:14 2003 (3EB340AE)
f562d000 f563da60 SYMEVENT SYMEVENT.SYS Wed May 14 01:45:43 2003 (3EC1D807)
f592e000 f593da20 ipsec ipsec.sys Tue Apr 29 19:04:59 2003 (3EAF051B)
f595e000 f59803c0 Fastfat Fastfat.SYS Wed Jan 15 14:48:39 2003 (3E25BB17)
f5b89000 f5b9a000 NAVAPEL NAVAPEL.SYS Sat May 03 00:08:21 2003 (3EB340B5)
f5bc2000 f5bfdbc0 srv srv.sys Tue Apr 29 19:05:07 2003 (3EAF0523)
f5d86000 f5d89ee0 Aspi32 Aspi32.SYS Mon May 06 12:43:02 2002 (3CD6B296)
f5e46000 f5e54fe0 Cdfs Cdfs.SYS Tue Apr 15 23:58:53 2003 (3E9CD4FD)
f5ea6000 f5ec34a0 afd afd.sys Wed Apr 30 04:45:29 2003 (3EAF8D29)
f5f40000 f5f42dc0 ndisuio ndisuio.sys Wed Jan 15 14:55:21 2003 (3E25BCA9)
f6804000 f686ac80 ati2drad ati2drad.dll Thu Dec 20 15:57:27 2001 (3C2250B7)
f686b000 f68a18e0 dump_aarich dump_aarich.sys Wed Oct 08 12:07:41 2003 (3F84364D)
f68ca000 f692de40 mrxsmb mrxsmb.sys Mon Nov 01 00:24:54 2004 (4185C8A6)
f6940000 f6969760 rdbss rdbss.sys Fri Oct 15 17:03:40 2004 (41703B2C)
f696a000 f6991e00 netbt netbt.sys Wed Jul 16 15:44:26 2003 (3F15AB1A)
f6992000 f69e3060 tcpip tcpip.sys Tue Apr 29 19:05:31 2003 (3EAF053B)
f724c000 f72763a0 update update.sys Wed Apr 16 00:22:01 2003 (3E9CDA69)
f7277000 f7292b40 ks ks.sys Wed Apr 16 00:02:11 2003 (3E9CD5C3)
f7293000 f72a9ba0 ndiswan ndiswan.sys Tue Apr 29 19:05:01 2003 (3EAF051D)
f72aa000 f72cd600 e100bnt5 e100bnt5.sys Tue Mar 04 14:54:47 2003 (3E650487)
f72ce000 f7318d00 ati2mpad ati2mpad.sys Thu Dec 20 15:56:53 2001 (3C225095)
f7319000 f733ab20 USBPORT USBPORT.SYS Mon Mar 10 10:47:39 2003 (3E6CB39B)
f7383000 f7398640 Mup Mup.sys Wed Jan 15 14:54:01 2003 (3E25BC59)
f7399000 f73c2aa0 NDIS NDIS.sys Tue Apr 29 19:05:01 2003 (3EAF051D)
f73c3000 f74455a0 Ntfs Ntfs.sys Fri May 09 15:46:45 2003 (3EBC05A5)
f7446000 f74577c0 KSecDD KSecDD.sys Sat Sep 20 20:32:19 2003 (3F6CF193)
f7458000 f746a1c0 Dfs Dfs.sys Tue Feb 11 21:19:06 2003 (3E49AF1A)
f746b000 f74c50c0 dmboot dmboot.sys Wed Jan 15 14:47:06 2003 (3E25BABA)
f74c6000 f74dd9a0 otman5 otman5.sys Thu Mar 29 11:41:10 2001 (3AC365A6)
f74de000 f74ef180 drvmcdb drvmcdb.sys Thu Feb 08 17:01:47 2001 (3A83174B)
f74f0000 f7501420 AACMgt AACMgt.sys Tue Jun 17 22:36:19 2003 (3EEFD023)
f7502000 f7517060 adpu160m adpu160m.sys Thu Mar 06 21:27:25 2003 (3E68038D)
f7518000 f752a0c0 SCSIPORT SCSIPORT.SYS Fri May 16 21:11:02 2003 (3EC58C26)
f752b000 f75618e0 aarich aarich.sys Wed Oct 08 12:07:41 2003 (3F84364D)
f7562000 f7577180 atapi atapi.sys Tue Apr 01 13:08:25 2003 (3E89D599)
f7578000 f75999c0 dmio dmio.sys Wed Jan 15 14:47:04 2003 (3E25BAB8)
f759a000 f75b6220 ftdisk ftdisk.sys Mon Mar 31 17:21:58 2003 (3E88BF86)
f75b7000 f75dec20 ACPI ACPI.sys Wed Jan 15 14:44:22 2003 (3E25BA16)

Unloaded modules:
f5350000 f5365000 VGA.dll
Timestamp: unavailable (00000000)
Checksum: 00000000
f6856000 f686b000 VGA.dll
Timestamp: unavailable (00000000)
Checksum: 00000000
f6804000 f686b000 ati2drad.dll
Timestamp: unavailable (00000000)
Checksum: 00000000
f1d20000 f1d29000 redbook.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f735f000 f7362000 scsichng.sys
Timestamp: unavailable (00000000)
Checksum: 00000000
f1fc0000 f1fc5000 Cdaudio.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
f20e8000 f20eb000 Sfloppy.SYS
Timestamp: unavailable (00000000)
Checksum: 00000000
Closing open log file c:\debuglog.txt

 

I do not understand the state this latest dump was taken in. No changes, except disable hyperthreading?

You were doing fine in the debugger, only thing different joes thing shows is the drivers and trap frames.

This is the same cause of crash as the other one. i recommend proceeding with special pool.

 

The more i think about this, I think this is whats getting you. Go ahead and use verifier instead of of the registry key to enable special pool. 90% sure you get the timer validation for free.

I found a nice article Things to consider before you enable Driver Verifier Manager on production servers

 

BenMcDonald...The latest dump was AFTER I dis-abled HT...This is certain. I don't understand all the data presented in the DUMP, except to say:

the first dump OVERLAPPED_MODULE: ipsec

the last dump OVERLAPPED_MODULE: ati2drad

I don't know if that means anything, but It jumps out at me.

I will try to get away from the wife tonight and go into the office to use verifier.

Thanks again.

 

Monday Morning Status Update

Aside from below, the only other odd thing that occured was on Friday.
I went into Device manager and rescanned the hardware.
Doing so either updated or re-installed one driver. There was not message of what that driver was.
I looked in Event Viewer, but did not see any evidence of a driver being re-installed.

This could be coincidence, but the system has not blue-screened since.

Anyway...

Saturday night I enabled verifier.exe and then rebooted.
Stayed around for a few hours hoping for the silver bullet.
I even ran a data restore to an empty volume, hoping to create a BSOD.
Nothing

The system was still up this morning.
From the GUI

-Driver Status Tab
Refresh Frequency is normal
Global Flages:
Special Pool : enabled
Force IRQL : enabled
Low Resource : dis-abled
Pool Tracking : enabled
I/O Verification : enabled

-Global Counters
Allocation attempts = allocation succeeded
Failed : 0
Faults injected : 0

-Settings
Verify all drivers
Selected the "Preferred Setting" button.
Special Pool : checked
Force IRQL : checked
Low Resource Sim : empty
Pool Tracking : checked
I/O Verification : checked
Level 2 : enabled

of all the drivers enabled, only five are unloaded
- cdaudio.sys
- redbook.sys
- scsichng.sys
- sfloppy.sys
- vga.dll

Googled
redbook.sys
Microsoft system driver.The Redbook system driver (redbook.sys) is the KS filter that manages the rendering of CD digital audio. The Redbook driver is a client of the SysAudio system driver. The system routes CD digital audio through the file system to the Redbook driver and then to the SysAudio driver.
scsichng.sys - Backup Exec 8.6
sfloppy.sys - something to do with NEC USB driver

This morning, after rebooting the box, I went to the Setting tab.
The Verify all drivers radio button was enabled and the grid was grayed out(dis-abled).
I selected Verify selected drivers which enabled the grid display.
There were several drivers in the
- Verification status column that stated Enabled [reboot needed]
- Provider [not available]

After "applying the settings change, an error dialog box appeared stating
Cannot find driver image dump_aarich.sys clicked ok
Cannot find driver image dump_diskdump.sys clicked ok
Cannot find driver image navapel.sys clicked ok
Cannot find driver image navap.sys clicked ok
Cannot find driver image navex15.sys clicked ok
Cannot find driver image naveng.sys clicked ok

Rebooted the system.

Still, no blue screen.

Do I continue to run Verifier ? It has really slowed down the speed of the box.

What do I need to do now....

Thanks

 

Neither of these files lives on the server
dump_aarich.sys
dump_diskdump.sys

However, I do have the following
aarich.sys | c:\winnt\system32\drivers
diskdump.sys | c:\winnt\system32\drivers

These files live in various Symantec directories...not ..\system32\drivers.
navapel.sys
navap.sys
navex15.sys
naveng.sys

 

well, its entirely up to you where you go from here. If you altered the configuration, or updated/changed a driver, theres a chance you nipped it. The performance penalty can be mitigated with the assumption that none of the microsoft drivers will do this, so you can unverifier them.

 

I have not used the Driver verifier before. I really didn't know what I was suppose to be looking for. Part of me expected some tool to light up like a x-mas tree when it found an error. Hell, I would have settled for a report or even a BSOD.

I will turn off all the Microsoft Signed drivers, which only leaves about 15 drivers.

But what type of feedback should I be getting from the application?
Is it suppose to kickout some debug report at the next BSOD ?...verifier.dmp ?
Does it turn on some registry setting that adds more detail to the Memory.dmp ?
Does is freeze whatever took place into sometype of virtual quarentine so that the system doesn't reboot ?

I am a wannabe and I have no shame admitting it.

I just want to know what to look for.

Let's suppose that one or more drivers was corrupt, missing or something like that. What would driver verifier have found ? How would the program have reported "something" to me ?

I know your time is money and I really do appreciate your time, but If you could impart just a little more wisdom on me, I'd really appreciate it.

Don

 

But what type of feedback should I be getting from the application?
Is it suppose to kickout some debug report at the next BSOD ?...verifier.dmp ?

It will cause your machine to bluescreen with a stopcode of 0x000000C# or 0x0000000D#. This is a result of additional code that is dormant in the kernel that does all kinds of checking, until the correct registry settings are made by the verifier gui. The extra code will cause it to crash in situ, which makes it very easy to read the stack to determine why the code malfunctioned.

 

Thank you.

That was just the information I was hoping to learn...atleast what I should be looking for.

If and when it BSOD's, I will post back to this thread.

As a side note, any idea why verifier is reporting dump_aarich.sys and dump_diskdump.sys, when neither "driver" can be found on the box ?

ps..the "wannabe" line, I am the network admin for our office. A manager of one (me). It's hard to learn "in-depth" trouble shooting when your environment is a fish bowl... Practically all of my 6 years of training has been books, "school-of-hard-knocks" and late nights on the internet.

Thanks again,

Don

 

diskdump is the primitive driver that write out your memory to the disk drive during a bluescreen. it doesnt do anything else. Not worth spending much thought on.

The other one is the intel ide driver.

Getting out here on the forums and newsgroups is the best way to increase your exposure. One of the reasons I come here is to see consumer space issues, rather than fortune 500 managed environments I do all day long.