Resolved BSOD Minidump

Hi, I just set up a new machine and I'm having at least 2 BSOD a day. Te pc components are:

AMD AM3 Athlon2 Tricore 425
DDR3 4GB OCZ Gold Low Voltage
MSI 770-c45
GeForce 6800 GT 512

I've opened the minidump and apparently the issue is either with ekrn.exe or ntkrnlmp.exe; but I'm afraid I do not have that much experience with dumps Can Anyone confirm this and tell me how to solve it? Here's the minidump:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80002dc964c, Address of the exception record for the exception that caused the bugcheck
Arg3: fffff880066c2120, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ObReferenceObjectByHandleWithTag+10c
fffff800`02dc964c 0fb64518 movzx eax,byte ptr [rbp+18h]

CONTEXT: fffff880066c2120 -- (.cxr 0xfffff880066c2120)
rax=fffefa8005e9dd01 rbx=fffff8a001f61080 rcx=fffefa8005e9dd00
rdx=0000000000000001 rsi=fffff8a001c01b40 rdi=fffffa8004363740
rip=fffff80002dc964c rsp=fffff880066c2b00 rbp=fffefa8005e9dd00
r8=fffff8a002b97000 r9=0000000000000000 r10=fffff80002de80d0
r11=000000000030f5d0 r12=0000000000000000 r13=0000000000000020
r14=0000000000000001 r15=fffffa800575c060
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
nt!ObReferenceObjectByHandleWithTag+0x10c:
fffff800`02dc964c 0fb64518 movzx eax,byte ptr [rbp+18h] ss:0018:fffefa80`05e9dd18=??
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: ekrn.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff80002de8126 to fffff80002dc964c

STACK_TEXT:
fffff880`066c2b00 fffff800`02de8126 : 00000000`20303c00 00000000`00000001 fffffa80`03cfdc40 00000000`00000001 : nt!ObReferenceObjectByHandleWithTag

+0x10c
fffff880`066c2bd0 fffff800`02ad7153 : fffffa80`04363740 fffff880`066c2ca0 00000000`7efd8000 00000000`00000000 : nt!NtRequestWaitReplyPort+0x56
fffff880`066c2c20 00000000`778600da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0035e668 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x778600da


FOLLOWUP_IP:
nt!ObReferenceObjectByHandleWithTag+10c
fffff800`02dc964c 0fb64518 movzx eax,byte ptr [rbp+18h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!ObReferenceObjectByHandleWithTag+10c

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600

STACK_COMMAND: .cxr 0xfffff880066c2120 ; kb

FAILURE_BUCKET_ID: X64_0x3B_nt!ObReferenceObjectByHandleWithTag+10c

BUCKET_ID: X64_0x3B_nt!ObReferenceObjectByHandleWithTag+10c

Followup: MachineOwner
---------

2: kd> lmvm nt
start end module name
fffff800`02a66000 fffff800`03043000 nt (pdb symbols) c:\windows\symbols\ntkrnlmp.pdb\F8E2A8B5C9B74BF4A6E4A48F180099942\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Mapped memory image file: c:\windows\symbols\ntkrnlmp.exe\4A5BC6005dd000\ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Mon Jul 13 20:40:48 2009 (4A5BC600)
CheckSum: 0054B487
ImageSize: 005DD000
File version: 6.1.7600.16385
Product version: 6.1.7600.16385
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7600.16385
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.
2: kd> lmvm nt
start end module name
fffff800`02a66000 fffff800`03043000 nt (pdb symbols) c:\windows\symbols\ntkrnlmp.pdb\F8E2A8B5C9B74BF4A6E4A48F180099942\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Mapped memory image file: c:\windows\symbols\ntkrnlmp.exe\4A5BC6005dd000\ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Mon Jul 13 20:40:48 2009 (4A5BC600)
CheckSum: 0054B487
ImageSize: 005DD000
File version: 6.1.7600.16385
Product version: 6.1.7600.16385
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7600.16385
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileDescription: NT Kernel & System

Thanks!

 

Yes, I do have nod32 4 Business edition installed. I'll do that and see what happens. By the way, is there a tool to test the cpu or motherboard (much like memtest86 tests RAM)? Thanks for your reply.

 

Ok, yesterday I had no issues with any bluescreen. Today... it's another story. Two BSOD just a few minutes apart one of the other. Here are the dumps:

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 0000000000000003, Process
Arg2: fffffa8005db6b30, Terminating object
Arg3: fffffa8005db6e10, Process image file name
Arg4: fffff80002dc6540, Explanatory message (ascii)

Debugging Details:
------------------


KERNEL_LOG_EXIT_STATUS: Exit Status C0000142

KERNEL_LOG_FAILING_PROCESS: WerFault.exe

PROCESS_OBJECT: fffffa8005db6b30

IMAGE_NAME: csrss.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: csrss

FAULTING_MODULE: 0000000000000000

PROCESS_NAME: csrss.exe

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

BUGCHECK_STR: 0xF4_C0000005

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

CURRENT_IRQL: 0

STACK_TEXT:
fffff880`06b44b08 fffff800`02e46c72 : 00000000`000000f4 00000000`00000003 fffffa80`05db6b30 fffffa80`05db6e10 : nt!KeBugCheckEx
fffff880`06b44b10 fffff800`02df40a3 : ffffffff`ffffffff fffffa80`068eab60 fffffa80`05db6b30 fffffa80`05db6b30 : nt!PspCatchCriticalBreak+0x92
fffff880`06b44b50 fffff800`02d7869c : ffffffff`ffffffff 00000000`00000001 fffffa80`05db6b30 00000000`00000008 : nt! ?? ::NNGAKEGL::`string'+0x17936
fffff880`06b44ba0 fffff800`02ab9853 : fffffa80`05db6b30 fffff880`c0000005 00000000`039dfbe0 fffffa80`068eab60 : nt!NtTerminateProcess+0x20c
fffff880`06b44c20 00000000`7704017a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`039deb98 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7704017a


STACK_COMMAND: kb

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: X64_0xF4_C0000005_IMAGE_csrss.exe

BUCKET_ID: X64_0xF4_C0000005_IMAGE_csrss.exe

Followup: MachineOwner




SECOND DUMP

-----------------------------------------------------------------------------------------------
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff88006dfd5b8
Arg3: fffff88006dfce20
Arg4: fffff880012e36c5

Debugging Details:
------------------


EXCEPTION_RECORD: fffff88006dfd5b8 -- (.exr 0xfffff88006dfd5b8)
ExceptionAddress: fffff880012e36c5 (Ntfs!NtfsDeleteInternalAttributeStream+0x00000000000000c5)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: fffff88006dfce20 -- (.cxr 0xfffff88006dfce20)
rax=0000000000000001 rbx=fffff8a00106c140 rcx=fffffa8004bc6880
rdx=0000000000000000 rsi=0004000000000000 rdi=0000000000000000
rip=fffff880012e36c5 rsp=fffff88006dfd7f0 rbp=fffff88006dfe080
r8=0000000000000000 r9=0000000000000000 r10=fffffa8004bc6180
r11=fffff88006dfde30 r12=fffff88006dfde00 r13=0000000000000000
r14=0000000000000702 r15=fffff8a007a802b0
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
Ntfs!NtfsDeleteInternalAttributeStream+0xc5:
fffff880`012e36c5 66897e5a mov word ptr [rsi+5Ah],di ds:002b:00040000`0000005a=????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002cc00e0
ffffffffffffffff

FOLLOWUP_IP:
Ntfs!NtfsDeleteInternalAttributeStream+c5
fffff880`012e36c5 66897e5a mov word ptr [rsi+5Ah],di

FAULTING_IP:
Ntfs!NtfsDeleteInternalAttributeStream+c5
fffff880`012e36c5 66897e5a mov word ptr [rsi+5Ah],di

BUGCHECK_STR: 0x24

LAST_CONTROL_TRANSFER: from fffff880012c5d88 to fffff880012e36c5

STACK_TEXT:
fffff880`06dfd7f0 fffff880`012c5d88 : fffff8a0`0106c010 fffff880`06dfe080 fffff8a0`0106c140 fffffa80`03ecd350 : Ntfs!NtfsDeleteInternalAttributeStream

+0xc5
fffff880`06dfd840 fffff880`01234aa9 : fffffa80`04cf16b0 00000000`00000000 fffff880`06dfdd90 fffff880`06ded000 : Ntfs!NtfsCommonCleanup+0x758
fffff880`06dfdc50 fffff800`02a97d4a : fffff880`06dfdd90 00000000`00000000 fffff880`06dfdd10 fffff880`010a48ca : Ntfs!NtfsCommonCleanupCallout+0x19
fffff880`06dfdc80 fffff880`01234662 : fffff880`01234a90 fffff880`06dfdd90 fffff880`06dfe000 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0xda
fffff880`06dfdd60 fffff880`012d6244 : fffff880`06dfde30 fffff880`06dfde30 fffff880`06dfde30 fffff880`00000002 : Ntfs!NtfsCommonCleanupOnNewStack+0x42
fffff880`06dfddd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Ntfs!NtfsFsdCleanup+0x144


SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ntfs!NtfsDeleteInternalAttributeStream+c5

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc14f

STACK_COMMAND: .cxr 0xfffff88006dfce20 ; kb

FAILURE_BUCKET_ID: X64_0x24_Ntfs!NtfsDeleteInternalAttributeStream+c5

BUCKET_ID: X64_0x24_Ntfs!NtfsDeleteInternalAttributeStream+c5

Followup: MachineOwner

 

Ok, Pete, thanks for all. I'll be checking my RAM today. I'll use memtest86 even though some people say it does not check the ram in the same way windows utilizes it, so, some errors might be overlooked.
If I solve this, I'll post the solution (hopefully, the solution won't be "format + reinstall ").
Cheers.

 

firstly, the dump does not make much sense as the symbols are not available, seems like you were NOT pointing the debugger to the microsoft public symbol server. so we don't exactly know whats going on in the stack and what functions are being called. In the last two dumps, the first BSOD occurred because CSRSS was terminated, CSRSS is the user mode portion of the win32 subsystem and a critical process, the system will always immediately blue screen if this process is terminated.

Thanks,

Madhurjya

 

Hi, thanks for the tip. I guess I have 0 knowledge about minidumps and how to interpret them. Anyway I solved this issue. Turns out it was a faulty 2 GB RAM. I tested my computer for a few days without that module and NO screens at all.
I also tested the module in a friend's pc and right on startup we got a BSOD. A second try also ended in BSOD. So, I took the module to the store and they replaced it within a few days.
Thank you all for the answers and interest!