crash dump analysis:

Hi there, my win xp sp2 laptop crashed ~4 times in the last few weeks with the blue screen/reboot, which is a completely new phenomenon for me since the times of win95....
I suspect there may be a driver/hardware problem, but I am not able to analyze the crash dumps - I have 2 last ones.
The first crash happened upon computer wake up when the battery was very low, and I was running IE7, adobe reader 8, word, excel, copernic, netscape, and maybe also gimp.
The second crash happened while I attempted connecting to a samba fileserver which has been updated and therefore the links were no more functional. I therefore attempted to connect to a higher level - not directly to my share - and the comp crashed.
Can anyone make any sense of my crash dumps?
Thanks!

Oh BTW, the line
Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx ". Der Vorgang "%s" konnte nicht auf dem Speicher durchgef hrt werden.

translates as (at least that's what I think)
- The instruction at 0x%08lx referenced memory at 0x%08lx.

***************FIRST FILE***************
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\local cache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp.050928-1517
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Mon Mar 5 23:26:17.328 2007 (GMT+1)
System Uptime: 5 days 2:25:32.135
Loading Kernel Symbols
.........................................................................................................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, f6c47f0d, f7cb7c38, f7cb7934}

Probably caused by : ks.sys ( ks!KsDispatchIrp+a3 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f6c47f0d, The address that the exception occurred at
Arg3: f7cb7c38, Exception Record Address
Arg4: f7cb7934, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx ". Der Vorgang "%s" konnte nicht auf dem Speicher durchgef hrt werden.

FAULTING_IP:
ks!KsDispatchIrp+a3
f6c47f0d ff10 call dword ptr [eax]

EXCEPTION_RECORD: f7cb7c38 -- (.exr fffffffff7cb7c38)
ExceptionAddress: f6c47f0d (ks!KsDispatchIrp+0x000000a3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 01b80003
Attempt to read from address 01b80003

CONTEXT: f7cb7934 -- (.cxr fffffffff7cb7934)
eax=01b80003 ebx=8622c6f8 ecx=0000000e edx=84d6d478 esi=84d6d478 edi=8622c578
eip=f6c47f0d esp=f7cb7d00 ebp=f7cb7d08 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
ks!KsDispatchIrp+0xa3:
f6c47f0d ff10 call dword ptr [eax] ds:0023:01b80003=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx ". Der Vorgang "%s" konnte nicht auf dem Speicher durchgef hrt werden.

READ_ADDRESS: 01b80003

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from aafceb75 to f6c47f0d

STACK_TEXT:
f7cb7d08 aafceb75 8622c578 84d6d478 8622c630 ks!KsDispatchIrp+0xa3
f7cb7d1c aafcd4fd 8622c578 84d6d478 00000001 portcls!KsoDispatchIrp+0x40
f7cb7d34 aafceeea 8622c578 8622c630 00000000 portcls!CompletePendedIrps+0x34
f7cb7d54 aafc9ea5 00000001 00000001 8622c578 portcls!DevicePowerWorker+0x67
f7cb7d68 8056d03c 8622c578 e17f5978 805694fc portcls!EnqueuedIoWorkItemCallback+0x28
f7cb7d7c 804e23a5 84d06250 00000000 867c2da8 nt!IopProcessWorkItem+0x13
f7cb7dac 80574128 84d06250 00000000 00000000 nt!ExpWorkerThread+0xef
f7cb7ddc 804efc51 804e22e1 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
ks!KsDispatchIrp+a3
f6c47f0d ff10 call dword ptr [eax]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: ks!KsDispatchIrp+a3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ks

IMAGE_NAME: ks.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107ef8

STACK_COMMAND: .cxr 0xfffffffff7cb7934 ; kb

FAILURE_BUCKET_ID: 0x7E_ks!KsDispatchIrp+a3

BUCKET_ID: 0x7E_ks!KsDispatchIrp+a3

Followup: MachineOwner
---------

************SECOND FILE***********

Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Dokumente und Einstellungen\Lucie\Lokale Einstellungen\Temp\WERcf25.dir00\Mini031307-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\local cache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp.050928-1517
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Tue Mar 13 13:00:59.906 2007 (GMT+1)
System Uptime: 7 days 13:34:16.717
Loading Kernel Symbols
.........................................................................................................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 804e1918, a76d1c58, a76d1954}

Probably caused by : Mup.sys ( Mup!DfsCloseIpcConnection+16 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804e1918, The address that the exception occurred at
Arg3: a76d1c58, Exception Record Address
Arg4: a76d1954, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx ". Der Vorgang "%s" konnte nicht auf dem Speicher durchgef hrt werden.

FAULTING_IP:
nt!ObfDereferenceObject+1c
804e1918 f00fc13e lock xadd dword ptr [esi],edi

EXCEPTION_RECORD: a76d1c58 -- (.exr ffffffffa76d1c58)
ExceptionAddress: 804e1918 (nt!ObfDereferenceObject+0x0000001c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00560034
Attempt to write to address 00560034

CONTEXT: a76d1954 -- (.cxr ffffffffa76d1954)
eax=00000001 ebx=0056004c ecx=0056004c edx=00000000 esi=00560034 edi=ffffffff
eip=804e1918 esp=a76d1d20 ebp=a76d1d34 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!ObfDereferenceObject+0x1c:
804e1918 f00fc13e lock xadd dword ptr [esi],edi ds:0023:00560034=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx ". Der Vorgang "%s" konnte nicht auf dem Speicher durchgef hrt werden.

WRITE_ADDRESS: 00560034

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from f7678906 to 804e1918

STACK_TEXT:
a76d1d28 f7678906 863d5bd0 a76d1d7c f767aeb4 nt!ObfDereferenceObject+0x1c
a76d1d34 f767aeb4 e2a309c0 8670c2f4 805694c0 Mup!DfsCloseIpcConnection+0x16
a76d1d7c 804e23a5 8670c2f0 00000000 84af68d0 Mup!DnrInsertReferralAndResume+0x9f
a76d1dac 80574128 8670c2f0 00000000 00000000 nt!ExpWorkerThread+0xef
a76d1ddc 804efc51 804e22e1 80000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
Mup!DfsCloseIpcConnection+16
f7678906 83661400 and dword ptr [esi+14h],0

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: Mup!DfsCloseIpcConnection+16

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Mup

IMAGE_NAME: Mup.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4320f253

STACK_COMMAND: .cxr 0xffffffffa76d1954 ; kb

FAILURE_BUCKET_ID: 0x7E_Mup!DfsCloseIpcConnection+16

BUCKET_ID: 0x7E_Mup!DfsCloseIpcConnection+16

Followup: MachineOwner

 

crash data analysis

Thanks for the tip, but no success
I ran the test including the extended test, and no errors discovered.
I realize I didn't post my hw config so here it is in case it may be helpful:
Samsung X60 laptop with Core Duo 1.6, 1GB RAM PC2-4300, ATI X1600 (256+256)
Is there anything specific that I can extract from the file?
Thanks!

 

Ks.sys and mup.sys are Windows (driver?) files. If the dumps referred to third party driver files you could look for updates for those. Since these are part of Windows I would look at updating the base drivers which are the chipset/motherboard drivers. You will find them at the Samsung website for your model. The major chipset manufacturers (like Intel) have released some new updates, so if the Samsung version are several years old, look for updates at the chipset manufacturer's website (Intel's are July 2006).

Update any other major drivers (eg., graphics) listed at the Samsung website as well.

In a web search I see some reference to ks.sys and Hyperthreading. You should be able to turn off Hyperthreading in the BIOS settings at startup (although this may go back to having a good set of chipset drivers).

Matt

 

Thanks Mattmann, I updated everything that was available for update so now I can only wait for a few days / weeks / months to see if the updates helped.
What is really bothering me is that I don't know what caused the error. I googled to find out about ks.sys, mup.sys, but found nothing helpful.

 

That's all you can do unless someone can see a specific cause of the problem.

Of course, post back here if it continues (post back if it seems to have helped ).

Since it relates to Windows files you may have a basic problem with Windows itself, but I still think that where it mentions "drivers" the main system drivers may come into play, which are the chipset drivers.

We could try to find out what those files actually do and try to work from there.

If you find errors in other areas, maybe it is a piece of hardware malfunctioning. If the error is different each time, I think it would be a major piece of hardware malfunctioning. You have checked the RAM, it may be the CPU (mmm...Hyperthreading?), a power problem or maybe components overheating.

If it continued to show problems with Windows driver files I might wonder if there was a problem with a Windows update and even consider a repair/reinstall of Windows.

Next time it happens make a note of what programs you are running and how these drivers may come into play.

Matt

 

So I didn't have to wait long for my crash
It happened yesterday again upon waking up from hibernation.
Before leaving work and closing the lid, I had been running the following applications:
Several instances of IE7 each with multiple tabs opened, Acrobat REader 8, Netscape email client, Copernic Desktop Search, Word, Excel, and I was also connected to our samba fileserver.
I switched the computer on, it started waking up as usual, I typed in my password, the log-in seemed to take place - at least the og-in window disappeared - but when the desktop started, the BSOD appeard, OS said good-bye and rebooted. After the reboot, everything was fine again.
Yesterday I updated the following drivers:
Intel Chipset Driver 7.2.2.1006
ATI Graphix driver 8.233.0.0
LAN driver to ver 9.1.34.0
I also downloaded a "TPM Driver ver 1.80.2.0" and ran the setup file, but nothing seemed to have happened. To be honest, I don't know what thes TPM driver is, but when I open the DrvInfo.ini file, it says HID_0 = ACPI\IFX0102, so I thought it may have something to do with power management and potentially hibernation, and potentially with my crash.
This is my crash dump:
*************************

Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Dokumente und Einstellungen\Lucie\Lokale Einstellungen\Temp\WERe4d8.dir00\Mini031907-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\local cache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 2600.xpsp_sp2_qfe.061219-0311
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805624a0
Debug session time: Mon Mar 19 21:10:15.390 2007 (GMT+1)
System Uptime: 0 days 7:03:58.169
Loading Kernel Symbols
......................................................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, f69b7f0d, f7ccbc38, f7ccb934}

Probably caused by : ks.sys ( ks!KsDispatchIrp+a3 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f69b7f0d, The address that the exception occurred at
Arg3: f7ccbc38, Exception Record Address
Arg4: f7ccb934, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx ". Der Vorgang "%s" konnte nicht auf dem Speicher durchgef hrt werden.

FAULTING_IP:
ks!KsDispatchIrp+a3
f69b7f0d ff10 call dword ptr [eax]

EXCEPTION_RECORD: f7ccbc38 -- (.exr fffffffff7ccbc38)
ExceptionAddress: f69b7f0d (ks!KsDispatchIrp+0x000000a3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 01b80003
Attempt to read from address 01b80003

CONTEXT: f7ccb934 -- (.cxr fffffffff7ccb934)
eax=01b80003 ebx=86084460 ecx=0000000e edx=84cc54e8 esi=84cc54e8 edi=860842e0
eip=f69b7f0d esp=f7ccbd00 ebp=f7ccbd08 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
ks!KsDispatchIrp+0xa3:
f69b7f0d ff10 call dword ptr [eax] ds:0023:01b80003=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in "0x%08lx" verweist auf Speicher in "0x%08lx ". Der Vorgang "%s" konnte nicht auf dem Speicher durchgef hrt werden.

READ_ADDRESS: 01b80003

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from aafceb75 to f69b7f0d

STACK_TEXT:
f7ccbd08 aafceb75 860842e0 84cc54e8 86084398 ks!KsDispatchIrp+0xa3
f7ccbd1c aafcd4fd 860842e0 84cc54e8 00000001 portcls!KsoDispatchIrp+0x40
f7ccbd34 aafceeea 860842e0 86084398 00000000 portcls!CompletePendedIrps+0x34
f7ccbd54 aafc9ea5 00000001 00000001 860842e0 portcls!DevicePowerWorker+0x67
f7ccbd68 8056d03c 860842e0 e354dc88 8056955c portcls!EnqueuedIoWorkItemCallback+0x28
f7ccbd7c 804e23b5 84dc4330 00000000 867c1020 nt!IopProcessWorkItem+0x13
f7ccbdac 80574128 84dc4330 00000000 00000000 nt!ExpWorkerThread+0xef
f7ccbddc 804ec791 804e22f1 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
ks!KsDispatchIrp+a3
f69b7f0d ff10 call dword ptr [eax]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: ks!KsDispatchIrp+a3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ks

IMAGE_NAME: ks.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107ef8

STACK_COMMAND: .cxr 0xfffffffff7ccb934 ; kb

FAILURE_BUCKET_ID: 0x7E_ks!KsDispatchIrp+a3

BUCKET_ID: 0x7E_ks!KsDispatchIrp+a3

Followup: MachineOwner
Followup: MAchineOwner get very, very angry
*************************

It's again the KS. What did you say about hyperthreading?
Any new ideas?
Thanks!

 

KB article about KS.SYS and HyperThreading: http://support.microsoft.com/kb/812035

 

John (usasma), that fix relates to pre-SP2, I was thinking about disabling Hyperthreading in the BIOS settings(??).

You asked for it

There are several internet programs mentioned in your last post and the original post, you also mention "coming out of hibernation" (hibernation is memory/RAM intensive, because everything that is running is stored into RAM and the rest of the system is "put to sleep ").

If there are other, similar, laptops around, try borrowing some RAM from those and see if you can reproduce the crashes.

That is quite a few programs to be running, if you have complicated documents open in Word or maybe a few spreadsheets open in excel it can start chewing up the system's resourses, having a few extra programs open might be a recipe for disaster. If you can remember what you had running and open, load them again, look in Task Manager -> Performance and see what "Available" memory there is compared to Total. Also remember that anything listed at that stage, plus bits and pieces, are all going to be stored in RAM if the system hibernates.

As I mentioned first, there are quite a few internet programs open, one or two may conflict trying to "control" the connection. See if you can isolate one of those programs.

My workmate had a problem with a program he needs to use through a remote server. He was losing the connection. After no success with over the phone IT people he asked me. I could see what was wrong, he had put a password lock on his screensaver, I removed it and all went back to normal. This is just to say that if you have made "extraordinary" settings in Windows it may also be a possible source.

Matt

 

So I have spent most of my working day trying to crash my computer: no success
I opened 123 images in Gimp (some images VERY large like >20MB, some small ~1MB), 50 pdf documents in Acrobat 8, 2 instances of Visual Basic express 2005 and loaded projects in them, 5 instances of Excel with spreadsheets with macros, 3 word documents with images, styles, macros etc, 3 instances of IE7 each with 10 - 20 tabs open (used mostly sites that I found in my browsing history from yesterday), Netscape, copernic, and notepad, and I connected to the samba fileserver. The memory usage indicated was about 1300MB, number of processes running 64. Pretty scary, he?
The computer behaved just fine. It is also worth mentioning that this computer does not overheat - even in this situation it stays really cool, and also during heavy gaming it only gets warm but never hot.
I put it to hibernate and woke it up again: everything fine.
I tried the same on battery and without LAN - OK.
Tried to torture it even more by putting it on standby, waking up, hibernating, waking up, closing the lid, opening......it just refuses to crash.
I am now thinking about repeating the torture test once more and put it in my bag in order to better mimic the previous crash situations: maybe the machine wants to be in my bag before crashing Maybe there is something scary in my bag which causes the crash later on...hmmmmmmmmmmm.
BTW, I also lock the screen - I also have password protected screensaver, but I somehow don't see how could that be a problem?
The computer has been working fine including hibernation periods since August 2006 and now about a month ago it started...that's weird isn;t it?
Also, something weird happened this morning when it crashed (yesterday evening I did not take the comp out of my bag at home, so it crashed today morning at work instead) - todays crash did not leave any crash dump - what does that mean?
Thanks mattman + everybody else for your help!

 

You take it in your bag in hibernation mode (if I am reading correctly)? Is that OK by the User Guide? Quite possibly, but me, I wouldn't transport a computer that was still powered on. I am desktop person though.

You gave it a good "torture" test This is going to be a "sometimes" problem which are very hard to trace.

I am low on ideas. Do you have another browser? Try installing Firefox and using that for a while instead of IE7. IE7 is has had one or two teething problems (and it is almost part of Windows). Run Error Checking (chkdsk) on the drive/s. If it the errors keep relating to those files, consider replacing them using System File Checker.

ks.sys is for streaming videos.
Did you look for the Hyperthreading setting in the BIOS at startup (you should be able to find it in the User Guide/manual). If Hyperthreading seemed to be the cause, you may want to look for the latest BIOS upgrade for your laptop at the manufacturer's website.

Matt

 

Hi MAttman,
thanks for your input. Sorry to hear you are low on ideas... So you suspect also IE7. I am myself also not sure about that one, I'll stop using it for the next few days and see if it helps.

I already checked the disk - everything clear.

The Hyperthreading issue: I did look in the BIOS - is "Core Multi-Processing" the same thing? It is set to enabled, so I guess if I would disable this option, my core duo will only function as 1 normal processor, right? I just downloaded a new bios but I am somehow lacking courage for bios update at the moment. I think I need my daily crash to happen first

I am not sure whether I understand what this ks.sys file is (thanks for the info, maybe I just need to read it again ) : When I hover the mouse over the ks.sys, file, it says "Kernel CSA Library" 5.3.2600.2180 04/08/2004, 137kb. The ks file is listed in driver detail section under Device manager - Audio, video, and gamecontroller - SoundMAX Integrated Digital HD Audio - Driver details. So I also updated audio drivers available from samsung, but this file did not change. Still the same version, date, size.

The hibernation issue:
Yes, I take it in my backpack in hibernation mode. I have been doing that ever since I got my first laptop - actulally my firs lappy couldn't hibernate, so I used only standby, which still drains power.
But as long as the computer really goes to hibernate / standby mode, transport in the bag is ok - you only get in trouble if it doesn;t go to sleep - then it may overheat I guess.

So the transport shouldn't be the problem

Now the follow-up of my yesterday's story:
After all these torture tests, I also tried the trick with the bag (I was thinking maybe there is some electricity generated by the friction of the lappy sliding in my backpack )
Well it refused to crash. I tried again at home - no crash. I tried again - CRASH! I didn't touch anything, I just woke it up, logged in - no crash, and did the same in 30 minutes: crash. Hmmmm.
The crash dump looks different this time, even though ks.sys is again guilty:
'**************
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000BE, {f6cb55ae, 11f8d121, f7cbbc88, b}

Probably caused by : ks.sys ( ks!KsServiceBusEnumCreateRequest+3 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: f6cb55ae, Virtual address for the attempted write.
Arg2: 11f8d121, PTE contents.
Arg3: f7cbbc88, (reserved)
Arg4: 0000000b, (reserved)

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xBE

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from f6cb55ae to 84f62631

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7cbbcf8 f6cb55ae 86324030 825f92f8 f7cbbd54 0x84f62631
f7cbbd00 825f92f8 f7cbbd54 aafceb75 86324030 ks!KsServiceBusEnumCreateRequest+0x3
f7cbbd1c aafcd4fd 86324030 825f92f8 00000001 0x825f92f8
f7cbbd34 aafceeea 86324030 863240e8 00000000 portcls!CompletePendedIrps+0x34
f6cac400 4d8b51ec fc65830c 8b575600 f78b087d portcls!DevicePowerWorker+0x67
f6cac40c f78b087d 425c15ff 4588f6cb 107d8308 0x4d8b51ec
f6cac410 425c15ff 4588f6cb 107d8308 03850f01 VolSnap!_NULL_IMPORT_DESCRIPTOR <PERF> (VolSnap+0xc87d)
f6cac414 4588f6cb 107d8308 03850f01 8b000003 0x425c15ff
f6cac418 107d8308 03850f01 8b000003 74f73b36 0x4588f6cb
f6cac41c 03850f01 8b000003 74f73b36 a84e8d1f 0x107d8308
f6cac420 8b000003 74f73b36 a84e8d1f 518dc033 0x3850f01
f6cac424 74f73b36 a84e8d1f 518dc033 85028738 0x8b000003
f6cac428 a84e8d1f 518dc033 85028738 de840fc0 0x74f73b36
f6cac42c 518dc033 85028738 de840fc0 f600000e 0xa84e8d1f
f6cac430 85028738 de840fc0 f600000e 0f011445 0x518dc033
f6cac434 de840fc0 f600000e 0f011445 0002d285 0x85028738
f6cac438 f600000e 0f011445 0002d285 fc4d8900 0xde840fc0
f6cac43c 0f011445 0002d285 fc4d8900 8b08558a 0xf600000e
f6cac440 0002d285 fc4d8900 8b08558a 15ff0c4d 0xf011445
f6cac444 fc4d8900 8b08558a 15ff0c4d f6cb4260 0x2d285
f6cac448 8b08558a 15ff0c4d f6cb4260 5ffc458b 0xfc4d8900
f6cac44c 15ff0c4d f6cb4260 5ffc458b 10c2c95e 0x8b08558a
f6cac450 f6cb4260 5ffc458b 10c2c95e 90909000 0x15ff0c4d
f6cac454 5ffc458b 10c2c95e 90909000 ff8b9090 ks!_imp_KfReleaseSpinLock
f6cb4260 00020fe4 00021000 00000000 ffffffff 0x5ffc458b
f6cb4264 00021000 00000000 ffffffff f6cbb8de 0x20fe4
f6cb4268 00000000 ffffffff f6cbb8de f6cbb8f1 0x21000


STACK_COMMAND: kb

FOLLOWUP_IP:
ks!KsServiceBusEnumCreateRequest+3
f6cb55ae 8bec mov ebp,esp

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: ks!KsServiceBusEnumCreateRequest+3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: ks

IMAGE_NAME: ks.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 41107ef8

FAILURE_BUCKET_ID: 0xBE_ks!KsServiceBusEnumCreateRequest+3

BUCKET_ID: 0xBE_ks!KsServiceBusEnumCreateRequest+3

Followup: MachineOwner
'***********************

Does that tell you anything new?
Going home now to perform the obligatory crash,
cheers!

 

I'll just speak as though it was me with the problem (I've replaced the guy that has any new ideas )

Test running it without IE7 for a while. We don't want make serious changes if that happened to be the cause.

ks.sys appears to stream audio and visual (AVStream), if I am reading that quote correctly. If this always happens after you "log on" maybe it is trying to get a stream from your Samba server (?). Do you have anything set for automatically retrieving audio or visual off the internet (example, make this webpage available offline)?

Something is trying to load the drivers for audio/visual streaming. I would ask myself why? I might not rule out spyware or a trojan.

I have an AMD processor, I don't know much about Core Duos. Put the wording of the setting into a websearch before changing it and make certain of what it does. If it is not similar to Hyperthreading it may not be the answer. Using a setting "Setup defaults" or "Fail-Safe defaults" may have the same result.

Extract a new version of that file using System File Checker. It may have been included in a Windows update, but I would download that update again and reinstall it, otherwise it will be amongst the SP2 files if you installed SP2 separately.

If I couldn't find a cause, I would do a repair/reinstall.

Matt

 

Hi,
so I haven't experienced any problems for the last 3 days. It could be that the audio drivers update did the trick... .?
That would be great.
I have to say that I really don;t feel like doing a full win reinstall.
If I find out the cause of the trouble or anything new/interesting, I'll let you know so that we can learn something from this story.
Thanks again for your help mattman.
cheers, skl

 

It would!

If I had the choice of going away fishing or staying home to reinstall Windows, it would be a really hard decision

Let us know how it goes. If it works it may it may force someone that was looking forward to reinstalling Windows just have to go away for a fishing trip instead.

Matt
PS If it gets to that stage, do an install of Windows until after you "accept the agreement ", then follow the prompts to do a "repair" of Windows, that should reinstall all the drivers again.