1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Blue Screen with debugged Memory Dump log

Discussion in 'Legacy Windows' started by DamianTV, 2006/01/31.

  1. 2006/01/31
    DamianTV

    DamianTV Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    5
    Likes Received:
    0
    Ok, Im working on a 2K Server box at work, and I have a Kenwood PhatNoise USB Hard Drive (I can plop it in my car and listen to the same music, 10 gig laptop drive, not a FLASH drive), and I recently got a new cell phone that has Bluetooth junk on it. So being the total geek, I went and got myself a Kensington Bluetooth USB adapter. After installing the bluetooth junk, I now get Memory Dumps every time I try to "safely remove hardware" (actually doesnt really matter, even when I yank the HD out of its USB cradle it still crashes, blah), every time. I've done everything I can think of. I have no driver conflicts listed in my Device Manager (even hidden devices), removed all traces (as best as I can) of the drivers, and devices, reinstalled them, ran sfc /scannow, even formatted the HD (its actually 2 partitions 10 gig, FAT) and tried everything I can possibly think of to fix this myself.

    Advantage is its a consistent error every single time.

    Neither PhatNoise's and Kensingtons tech support will help me (some of their responses make me wonder if they even know where the start button is on their computers, they'd probably point to the power switch in the back of the tower) as neither think this is their fault.

    Im not experienced enough to figure out how to resolve what Im finding in the Kernel Debugger tho, as I have two things that look strange to me, one looks somewhat unrelated.

    OVERLAPPED_MODULE: Address regions for 'Fastfat' and 'kmixer.sys' overlap
    makes no sense but...
    FAULTING_IP:
    MountMgr!MountMgrMountedDeviceRemoval+110
    makes more sense as this occurs when the removable HD is removed (kind of defeats the purpose of being removable tho, dont ya think?)

    So here I am turning to you guys for help.

    -------Debug-------

    Loading Dump File [C:\WINNT\MEMORY.DMP]
    Kernel Complete Dump File: Full address space is available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
    Product: Server, suite: TerminalServer SingleUserTS
    Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
    Debug session time: Thu Jan 19 10:07:33.799 2006 (GMT-8)
    System Uptime: 0 days 1:53:42.543
    Loading Kernel Symbols
    .............................................................................................................
    Loading unloaded module list
    ...................
    Loading User Symbols
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck C2, {40, 0, 80000000, 0}

    Probably caused by : MountMgr.sys ( MountMgr!MountMgrMountedDeviceRemoval+110 )

    Followup: MachineOwner
    ---------

    kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    BAD_POOL_CALLER (c2)
    The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
    Arguments:
    Arg1: 00000040, Attempt to free usermode address to kernel pool
    Arg2: 00000000, Starting address
    Arg3: 80000000, Start of system address space
    Arg4: 00000000, 0

    Debugging Details:
    ------------------


    OVERLAPPED_MODULE: Address regions for 'Fastfat' and 'kmixer.sys' overlap

    FAULTING_IP:
    MountMgr!MountMgrMountedDeviceRemoval+110
    eb28c8da 53 push ebx

    BUGCHECK_STR: 0xc2_40

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    LAST_CONTROL_TRANSFER: from 8046ac4d to 8046bb4b

    STACK_TEXT:
    eb457ba0 8046ac4d 00000000 8046aae4 e15abe48 nt!MiFreePoolPages+0x79
    eb457bcc 8046aaef 00000000 00000000 eb28c8da nt!ExFreePoolWithTag+0xdb
    eb457bd8 eb28c8da 00000000 eb288900 eb457c90 nt!ExFreePool+0xb
    eb457bf4 eb28be45 e15abe48 e15abe60 80477e60 MountMgr!MountMgrMountedDeviceRemoval+0x110
    eb457c0c 804a602a eb457c7c e15abe48 805322da MountMgr!MountMgrTargetDeviceNotification+0x29
    eb457c18 805322da eb457c94 80477e60 804019c8 nt!IopPnPHydraCallback+0xc
    eb457c58 804a5368 eb28be1c 804a601e eb457c94 nt!MmDispatchWin32Callout+0x4e
    eb457cb4 8050d3b8 804019d8 84ed9d70 00000000 nt!IopNotifyTargetDeviceChange+0x11a
    eb457d3c 8050d769 00000001 80063028 e534bf48 nt!PiProcessQueryRemoveAndEject+0x748
    eb457d54 8050c4f3 eb457d74 859a9208 8047479c nt!PiProcessTargetDeviceEvent+0x33
    eb457d78 80416bfa 859a9208 00000000 00000000 nt!PiWalkDeviceList+0xf7
    eb457da8 80454ab2 859a9208 00000000 00000000 nt!ExpWorkerThread+0xae
    eb457ddc 804692a2 80416b4c 00000001 00000000 nt!PspSystemThreadStartup+0x54
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


    FOLLOWUP_IP:
    MountMgr!MountMgrMountedDeviceRemoval+110
    eb28c8da 53 push ebx

    SYMBOL_STACK_INDEX: 3

    FOLLOWUP_NAME: MachineOwner

    SYMBOL_NAME: MountMgr!MountMgrMountedDeviceRemoval+110

    MODULE_NAME: MountMgr

    IMAGE_NAME: MountMgr.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 41afde6d

    STACK_COMMAND: kb

    FAILURE_BUCKET_ID: 0xc2_40_MountMgr!MountMgrMountedDeviceRemoval+110

    BUCKET_ID: 0xc2_40_MountMgr!MountMgrMountedDeviceRemoval+110

    Followup: MachineOwner
    ---------

    (Hey lookie! I even got the right symbols loaded, unlike so many debug logs I see)

    Im not sure what else to try as I dont build drivers, Im sure there are more commands Im not familiar with for the debugger to get more data. This one ought to stump even the best of you, (well I hope not anyway) any ideas on how to resolve this?

    (edit: found some other kd commands, more info in THIS log... http://216.105.206.95/debuglog.txt )
     
    Last edited: 2006/01/31
  2. 2006/01/31
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412

  3. to hide this advert.

  4. 2006/01/31
    DamianTV

    DamianTV Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    5
    Likes Received:
    0
    I've read it but it doesnt enough sense to me to understand how to resolve this. From what I have so far it keeps citing mountmgr.sys as the faulty driver (I think), but considering that is a Microsoft file, I cant exactly just remove it... I've been googling this heavily, pretty much, I think I just need to ask really really nice if I could get someone to explain this differently...
     
  5. 2006/01/31
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    What are the properties of MountMgr.sys ?

    In Win2K SP4 I have version 5.0.2195.6661, 28.5 KB (29,264 bytes)
    In Win2K SP4_Rollup1: version 5.0.2195.7006, 29.6 KB (30,384 bytes)
     
    Arie,
    #4
  6. 2006/01/31
    DamianTV

    DamianTV Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    5
    Likes Received:
    0
    5.00.2195.7006 30,384 bytes modified 12/2/2004 in both system32 dllcache and drivers

    5.00.2195.6661 29,264 bytes modified 6/19/2003 in ServicePackFiles/i386 and C:\WINNT\$NtUninstallKB835732$

    5.0.2195.6897 30,160 bytes modified 2/10/2004 in C:\WINNT\$NtUpdateRollupPackUninstall$
     
  7. 2006/02/01
    cpc2004

    cpc2004 Inactive

    Joined:
    2005/07/08
    Messages:
    366
    Likes Received:
    0
  8. 2006/02/03
    DamianTV

    DamianTV Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    5
    Likes Received:
    0
    Minidump Debug Logs

    I **** at debugging, somehow I think I got my Symbols path wrong. The Full Debug log I did a couple of days ago had the right symbol path, no wrong symbols errors but now in all the logs I got its coming up with wrong symbols / timestam for ntoskrnl.exe, saying it might be corrupt, what did I goof up there?

    kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols

    Im so klewless. Anyhoot. Heres a couple debugs of minidumps. Thanks for helping guys!

    http://216.105.206.95/debug/
     
  9. 2006/02/04
    cpc2004

    cpc2004 Inactive

    Joined:
    2005/07/08
    Messages:
    366
    Likes Received:
    0
    Hi,

    It is not symbol path problem. W2K SP4 does not provide kernel symbol at Microsoft WebSite. You have to change the dump option to full memory and the full memory have the kernel symbol. The crashes have the same symptoms. Usually software problem has consistent symptom and hardware error has various symptom. I believe that it is software problem, bad paging space or firmware problem at the mother board.

    Suggestion
    1. Make sure your windows is not infected with virus
    2. Run chkdsk /r
    3. Re-allocate a new paging space
    5. Check the dump option to full memory dump
     
  10. 2006/02/07
    DamianTV

    DamianTV Inactive Thread Starter

    Joined:
    2006/01/31
    Messages:
    5
    Likes Received:
    0
    Thanks for explaining about the minidumps not having symbol support. There is a FULL debug dump in that link I gave, as I already had full mem dump option turned on. One of the log files is a full dump debug, rest are mini's.

    Im almost 100% sure it is software, considering this problem only started happening after I installed drivers for a Kensington Bluetooth USB device.

    -----following your suggestions--------

    Spyware: None (well if you consider WinPCap & NMapWin, Tight VNC, and PC Anywhere spyware, I've already scanned thoroughly with Spybot, Ad Aware Hijack This and examined my results, Microsoft Anti Spyware, Panda and Trendmicro Online scans)

    Virus: Only a couple thousand. Thats NORMAL. All quarantined. Its a virus scanning mail exchanger so the presence of viruses in the quarantined directories are for our customers email boxes. This server also has no Anti Virus installed on it because it conflicts with mail server anti virus (Norman AV). As a necessity it requires MS-SQL (I know its suseptible to Code Red and its likes..) for the quarantine Database (MySql not an option although its installed also), no firewall. I just use IpSec to block all SQL ports not coming from the primary mail server. Pretty much its very very locked down, and clean, and not only has to function as our primary MX, its my work station.

    Hardware Failure? I still need to do a surface scan and run MemTest86 when I get some time in the middle of the night to take it down just to be 100% that its not, and since surface scans take forever and that this is a server have to do in middle of the night, I doubt bad ram, BSOD's are NOT random, or dying motherboard, I've tried it with non onboard USB 2.0 hardware (I had an extra PCI USB 2.0 card), and still occurs with onboard USB disabled. Firmware, eh, possible, I havent updated the firmware, only changes to the box are software only, specifically that POS Bluetooth Adapter. It has been uninstalled (including from hidden devices in device mgr) and even after software was removed, I only yesterday got a list back from Kensington (their tech support is retarded) and found a few files that remained and some registry ****, BTWUSB.SYS was still there, that could be the cause of my problems, but havent had time to check it.

    Paging space has been reallocated. (Im assuming this means pagefile.sys), I've had to increase the alloted memory for it due to memdumps being a gig, and I only had a gig of virtual memory.

    ----------

    Now, my big question is in reading the debug output, or using the KD, how / is it possible, to tell what drivers / software is conflicting?
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.