Windows Vista Vista BugCheck 7E, {c0000005, 0, 87c6382c, 87c63528}

Hi! I'm new to this forum. I get this BSOD quite often, most commonly during boot. Windows then runs startup repair after the reboot and continues with boot.

It seems to me this is a driver issue, I have tested the RAM and upgraded all drivers I could find. I have the 100MB dump which I analyzed and got the following result, how would I go about finding what is causing the problem?


Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\temp\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\windows\symbols*http://msdl.microsoft.com/download/...ls*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6000.16901.x86fre.vista_gdr.090805-0102
Machine Name:
Kernel base = 0x82000000 PsLoadedModuleList = 0x82111e10
Debug session time: Sat Nov 21 06:54:28.984 2009 (GMT+1)
System Uptime: 0 days 0:01:16.734
Loading Kernel Symbols
...............................................................
...............
Loading User Symbols

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 0, 87c6382c, 87c63528}

Probably caused by : ntkrpamp.exe ( nt!IofCallDriver+63 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: 87c6382c, Exception Record Address
Arg4: 87c63528, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instruktionen p 0x%08lx refererade till minnet p 0x%08lx. Det gick inte att utf ra en minnes tg rd. F ljande fel returnerades: The memory could not be %s.

FAULTING_IP:
+0
00000000 ?? ???

EXCEPTION_RECORD: 87c6382c -- (.exr 0xffffffff87c6382c)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

CONTEXT: 87c63528 -- (.cxr 0xffffffff87c63528)
eax=85ad1000 ebx=85a488c0 ecx=0000001b edx=85a488c0 esi=85810028 edi=85a489c0
eip=00000000 esp=87c638f4 ebp=87c63908 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00210206
00000000 ?? ???
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instruktionen p 0x%08lx refererade till minnet p 0x%08lx. Det gick inte att utf ra en minnes tg rd. F ljande fel returnerades: The memory could not be %s.

EXCEPTION_PARAMETER1: 00000008

EXCEPTION_PARAMETER2: 00000000

WRITE_ADDRESS: 00000000

FOLLOWUP_IP:
nt!IofCallDriver+63
82027f9f 5e pop esi

FAILED_INSTRUCTION_ADDRESS:
+63
00000000 ?? ???

BUGCHECK_STR: 0x7E

LOCK_ADDRESS: 8212e080 -- (!locks 8212e080)

Resource @ nt!PiEngineLock (0x8212e080) Exclusively owned
Threads: 83a87d78-01<*>
1 total locks, 1 locks currently held

PNP_TRIAGE:
Lock address : 0x8212e080
Thread Count : 1
Thread address: 0x83a87d78
Thread wait : 0x132f

LAST_CONTROL_TRANSFER: from 82225589 to 820d8781

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
87c638f0 82027f9f 85810028 85a488c0 87c63974 0x0
87c63908 821af4c5 c00000bb 87c639a4 8e33473c nt!IofCallDriver+0x63
87c63938 821b0548 8595e028 87c63950 87c639a4 nt!IopSynchronousCall+0xce
87c63978 821af94e 8e33473c 8212e060 859c3008 nt!PpIrpQueryResourceRequirements+0x3a
87c639d0 821b73d6 00000001 8e33473c 00000000 nt!IopQueryDeviceResources+0x14b
87c63a04 821b83ff 87c63a58 8e33a658 8e334818 nt!PnpGetResourceRequirementsForAssignTable+0x173
87c63a60 821b7865 00000007 8e334700 00000000 nt!PnpAllocateResources+0x4c
87c63abc 821b7949 00000007 8e334700 87c63b3c nt!PnpAssignResourcesToDevices+0xae
87c63aec 821b67b3 8e334700 00000000 87c63b3c nt!PnpProcessAssignResources+0xc9
87c63cec 820072f5 83a40360 855949d0 87c63d38 nt!PipProcessDevNodeTree+0x98
87c63d44 82078fc0 00000000 00000000 83a87d78 nt!PnpDeviceActionWorker+0x21b
87c63d7c 82225544 00000000 87c68680 00000000 nt!ExpWorkerThread+0xfd
87c63dc0 820915fe 82078ec3 00000001 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!IofCallDriver+63

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4a7965f4

STACK_COMMAND: .cxr 0xffffffff87c63528 ; kb

FAILURE_BUCKET_ID: 0x7E_NULL_IP_nt!IofCallDriver+63

BUCKET_ID: 0x7E_NULL_IP_nt!IofCallDriver+63

Followup: MachineOwner
---------

 

Thankyou for your quick reply and for editing my post to make it readable.

I've spent the last five hours learning a great deal about the Windows Kernel, what causes a Bugcheck and how to debug it.

First I tested the memory thoroughly, not only with memtest apps but by stressing windows heavily with apps, no errors could be found there.

Then I remembered I read some blog entry a year ago from someone at Microsoft about how to analyze crash dumps.

I could never find the blog entry but I found this screencast:
TechNet Webcast: Windows Hang and Crash Dump Analysis (Level 400)
After looking at it and doing some testing of the methods supplied I can now understand the debugger output better.

If you look at my first post you see that the crash occured when "ntkrpamp.exe" tried to read a block of memory which wasn't availible. Most of my previous crashes have included ntkrpamp.exe, however this is an integral part of the os and heavily tested. As such it is very unlikely it caused the problem.
Therefore windbg classifies the error as "VISTA_DRIVER_FAULT ".

This means "some driver" earlier wrote to this memory page which actually belongs to ntkrpamp.exe. It could be five minutes or five hours before the crash, we have no way of knowing.

This is what they call "an unalazyble bugcheck ". The normal job would be to try and upgrade all drivers, remove each piece of hardware one by one until the problem is gone.

A much better way is use driver verifier, it has a lot of options which are explained in the screencast.

So I run driver verifier, select a few drivers that could maybe be the problem.
Then I go about using the computer, playing some music, downloading files, nothing happens.

So I decide to push it a little, i start Prime95 which puts a lot of stress on ram and cpu.

After less than one minute the the bluescreen occurs (this normally only happens once every other day or so). Here comes the output:

Loading Dump File [C:\tmp\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6000.16901.x86fre.vista_gdr.090805-0102
Machine Name:
Kernel base = 0x82000000 PsLoadedModuleList = 0x82111e10
Debug session time: Sun Nov 22 00:39:45.558 2009 (GMT+1)
System Uptime: 0 days 0:15:44.240
Loading Kernel Symbols
...............................................................
................................................................
...........
Loading User Symbols
....................................
Loading unloaded module list
........Unable to enumerate user-mode unloaded modules, NTSTATUS 0xC0000147
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {85e0f2cc, 2, 0, 8dc4dc6d}

*** ERROR: Module load completed but symbols could not be loaded for es1371mp.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for audiokse.dll -
*************************************************************************
...snip... (the debugger tried to downloads symbols for es1371mp.sys from microsoft, since it was not mabe by them, they do not have the source and hence not the symbols)
*************************************************************************
Probably caused by : es1371mp.sys ( es1371mp+1c6d )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 85e0f2cc, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8dc4dc6d, address which referenced memory

Debugging Details:
------------------

*************************************************************************
...snip...
*************************************************************************

READ_ADDRESS: 85e0f2cc Nonpaged pool

CURRENT_IRQL: 2

FAULTING_IP:
es1371mp+1c6d
8dc4dc6d 3981cc020000 cmp dword ptr [ecx+2CCh],eax

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: audiodg.exe

TRAP_FRAME: a4e769c0 -- (.trap 0xffffffffa4e769c0)
ErrCode = 00000000
eax=00000000 ebx=84503008 ecx=85e0f000 edx=00000000 esi=844717cc edi=a4e76ae8
eip=8dc4dc6d esp=a4e76a34 ebp=a4e76a34 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
es1371mp+0x1c6d:
8dc4dc6d 3981cc020000 cmp dword ptr [ecx+2CCh],eax ds:0023:85e0f2cc=00000001
Resetting default scope

LAST_CONTROL_TRANSFER: from 8dc4dc6d to 8208fdc4

STACK_TEXT:
a4e769c0 8dc4dc6d badb0d00 00000000 ffffffff nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
a4e76a34 8dc4d506 00000001 a4e76a64 8e301377 es1371mp+0x1c6d
a4e76a40 8e301377 8468c008 a4e76a60 a4e76ae8 es1371mp+0x1506
a4e76a64 8e2fb238 024717cc a4e76aa0 823ac81a portcls!CPortPinWaveCyclic::GetPosition+0x2c
a4e76a88 8e30142c 02503008 a4e76aa0 85d6f800 portcls!CIrpStream::GetPosition+0x5a
a4e76ae8 8e3015d1 844717c8 85d6f810 85d6f828 portcls!CPortPinWaveCyclic::GetKsAudioPosition+0x1d
a4e76b08 8e2b9164 b2928f48 85d6f828 85d6f800 portcls!CPortPinWaveCyclic::GetKsAudioPosition+0x1c2
a4e76b58 8e2c2a43 b2928f48 00000002 8e30a340 ks!KspPropertyHandler+0x65b
a4e76b7c 8e30b2e5 b2928f48 00000004 8e30a318 ks!KsPropertyHandler+0x19
a4e76b94 8e31718c 00928f48 00000004 8e30a318 portcls!PcHandlePropertyWithTable+0x49
a4e76bdc 8e30b060 844717c8 85d81370 b2928f48 portcls!CPortPinWaveCyclic:eviceIoControl+0x1db
a4e76bfc 8e2c6212 85d81428 b2928f48 a4e76c30 portcls!DispatchDeviceIoControl+0x5b
a4e76c0c 822ce681 85d81370 b2928f48 8445b380 ks!DispatchDeviceIoControl+0x2a
a4e76c30 82027f56 82188f55 b2928f48 85d81370 nt!IovCallDriver+0x252
a4e76c44 82188f55 8445b380 b2928f48 b2928fdc nt!IofCallDriver+0x1b
a4e76c64 82189f15 85d81370 8445b380 00a0fd00 nt!IopSynchronousServiceTail+0x1e0
a4e76d00 8218ee7d 85d81370 b2928f48 00000000 nt!IopXxxControlFile+0x6b7
a4e76d34 8208caea 000000f4 00000219 00000000 nt!NtDeviceIoControlFile+0x2a
a4e76d34 77820f34 000000f4 00000219 00000000 nt!KiFastCallEntry+0x12a
00a0fc54 7781f850 774a7f6b 000000f4 00000219 ntdll!KiFastSystemCallRet
00a0fc58 774a7f6b 000000f4 00000219 00000000 ntdll!ZwDeviceIoControlFile+0xc
00a0fcb8 73a26984 000000f4 002f0003 00a0fd34 kernel32!DeviceIoControl+0xd2
00a0fd08 73a26bb2 000000f4 002f0003 00a0fd34 audiokse!DllRegisterServer+0x1e22e
00a0fd4c 73a09b27 000000f4 00a0fd68 00a0fe60 audiokse!DllRegisterServer+0x1e45c
00a0fda0 73a3b2b6 00a0fdbc 00a0fddc 01b90140 audiokse!DllRegisterServer+0x13d1
00a0fde4 73a3b20a 00a0fe38 01b90030 00a0fe70 audiokse!DllRegisterServer+0x32b60
00a0fe00 73a3b402 00a0fe24 00a0fe38 01570240 audiokse!DllRegisterServer+0x32ab4
00a0fe18 74168af9 01b90030 00a0fe70 00a0fe38 audiokse!DllRegisterServer+0x32cac
00a0fe84 774a3823 00000001 00a0fed0 777fa9bd audioeng!CAudioPump::OutputPumpWorkRoutine+0x8d
00a0fe90 777fa9bd 01570240 00a007b9 00000000 kernel32!BaseThreadInitThunk+0xe
00a0fed0 00000000 74168a6c 01570240 00000000 ntdll!_RtlUserThreadStart+0x23


STACK_COMMAND: kb

FOLLOWUP_IP:
es1371mp+1c6d
8dc4dc6d 3981cc020000 cmp dword ptr [ecx+2CCh],eax

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: es1371mp+1c6d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: es1371mp

IMAGE_NAME: es1371mp.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 47449fff

FAILURE_BUCKET_ID: 0xD1_VRF_es1371mp+1c6d

BUCKET_ID: 0xD1_VRF_es1371mp+1c6d

Followup: MachineOwner

This time the error is the very common IRQL which basically means a driver tried to write to memory which it isn't allowed to. Before that would go unnoticed, but now with driver verifier running all such operations are monitored and it immediately does the bugcheck and identifies the driver es1371mp.sys.

A quick google tells us this often causes IRQL and is a driver for an old Creative soundcard. Some people say it is solved by getting the XP driver, I don't like this solution so I replace the sound card with a newer model.

Problem solved.