Sample Minidumps(Memory Dumps)

[Adrynalyne]

I had a PM requesting to post some sample minidumps.

The zip file contains two:

Mini030404-01.dmp is a dump created from a crash I had on shutdown back a few months ago.

The stop code was 0x86427532, no filenames were mentioned.

http://www.majorgeeks.com/vb/showthr...oto=nextnewest

--This was the thread that started it all.

Check online, you will find that there are no real documented solutions for what causes the error, except here :D

Even the internal MS KB says nothing of it.

Goldfish and I (He had the same error) had our suspicions, but the debug provided the proof:

http://majorgeeks.com/vb/showthread.php?t=32284


Your debug output should look like below. If you get errors, or it looks different, check your symbols path.



Microsoft (R) Windows Debugger Version 6.3.0017.0
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Jeremy\Desktop\Mini030404-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.030422-1633
Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
Debug session time: Thu Mar 04 10:20:12 2004
System Uptime: 0 days 0:09:10.390
Loading Kernel Symbols
..........................................................................................................................
Loading unloaded module list
........
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 86427532, {1db, 2, 3, b}

Unable to load image pavdrv51.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for pavdrv51.sys
*** ERROR: Module load completed but symbols could not be loaded for pavdrv51.sys
Probably caused by : pavdrv51.sys ( pavdrv51+7fc0 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (86427532)
Unknown bugcheck description
Arguments:
Arg1: 000001db
Arg2: 00000002
Arg3: 00000003
Arg4: 0000000b

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x86427532

LAST_CONTROL_TRANSFER: from f3e41fc0 to 804f4103

STACK_TEXT:
afaab964 f3e41fc0 86427532 000001db 00000002 nt!KeBugCheckEx+0x19
WARNING: Stack unwind information not available. Following frames may be wrong.
afaabba0 f3e4220b 860eb8b0 f3e45cf0 00000000 pavdrv51+0x7fc0
afaabc34 804ea221 86338030 861bf890 806ad190 pavdrv51+0x820b
afaabc44 8055d0fe 861bf900 861322f0 861bf890 nt!IopfCallDriver+0x31
afaabc58 8055de46 86338030 861bf890 861322f0 nt!IopSynchronousServiceTail+0x5e
afaabd00 80556cea 000000a0 00000000 00000000 nt!IopXxxControlFile+0x5c2
afaabd34 8052d571 000000a0 00000000 00000000 nt!NtDeviceIoControlFile+0x28
afaabd34 7ffe0304 000000a0 00000000 00000000 nt!KiSystemService+0xc4
00cdff70 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4


FOLLOWUP_IP:
pavdrv51+7fc0
f3e41fc0 ?? ???

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: pavdrv51+7fc0

MODULE_NAME: pavdrv51

IMAGE_NAME: pavdrv51.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3e8c072b

STACK_COMMAND: kb

BUCKET_ID: 0x86427532_pavdrv51+7fc0

Followup: MachineOwner
---------


The second memory dump (nick.dmp) is my aunt's computer, that my cousin keeps crashing

The stop error was 0XC0000218 Registry_File_Failure

The debug looks like this:


Microsoft (R) Windows Debugger Version 6.3.0017.0
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Jeremy\Desktop\nick.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.030422-1633
Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
Debug session time: Fri Jun 11 10:22:46 2004
System Uptime: 0 days 0:00:24.187
Loading Kernel Symbols
.................................................
Loading unloaded module list

Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C0000218, {e144c418, 0, 0, 0}

Probably caused by : ntoskrnl.exe ( nt!ExRaiseHardError+13c )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Unknown bugcheck code (c0000218)
Unknown bugcheck description
Arguments:
Arg1: e144c418
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------


BUGCHECK_STR: 0xc0000218

ERROR_CODE: (NTSTATUS) 0xc0000218 - {Registry File Failure} The registry cannot load the hive (file): %hs or its log or alternate. It is corrupt, absent, or not writable.

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 8062be87 to 804f4103

STACK_TEXT:
f96f0870 8062be87 0000004c c0000218 f96f09d4 nt!KeBugCheckEx+0x19
f96f0a20 805e9f96 c0000218 00000001 00000001 nt!ExpSystemErrorHandler+0x44c
f96f0bcc 805ea21c c0000218 00000001 00000001 nt!ExpRaiseHardError+0x9a
f96f0c3c 805fb94c c0000218 00000001 00000001 nt!ExRaiseHardError+0x13c
f96f0dac 805aa2b6 00000000 00000000 00000000 nt!CmpLoadHiveThread+0x16a
f96f0ddc 805319c6 805fb7e2 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
nt!ExRaiseHardError+13c
805ea21c 837dfc00 cmp dword ptr [ebp-0x4],0x0

SYMBOL_STACK_INDEX: 3

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!ExRaiseHardError+13c

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 3ea80977

STACK_COMMAND: kb

BUCKET_ID: 0xc0000218_nt!ExRaiseHardError+13c

Followup: MachineOwner
---------


This one unfortunately is not as obvious. This is a machine I am still working on.


There are some minidumps here as well:

http://majorgeeks.com/vb/showthread.php?t=33794

This is still an active thread, so if you have suggestions for pegg, by all means, post em

Memory dump debugging doesn't always give us an exact answer (well sometimes it does), but it gives a starting point on where the problem may lie.

[Adrynalyne]

For the really ambitious, you can make your computer dump the memory at will:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

Add a DWORD value called CrashOnCtrlScroll and set it to a value of 1(hex).

Reboot.

Then you hold ctrl(I think its the right ctrl key) and tap ScrollLock twice.

Your machine will give a stop error (self inflicted, not really an error) and dumps the contents of ram.

This is only for testing, of course.

[Adrynalyne]

Take note on the above. This DOES crash your computer, and any unsaved work WILL be lost

Ok, thats my disclaimer.

[alanc]

Cool. Crash-on-demand


An idea for a prank comes to mind...:D

[alanc]

The crash-on-demand reg tweak works like a charm, although in going thru it I learned something I hadn't known before. Windows (2k at least) has a problem creating a crash dump if your pagefile is not on the %systemroot% drive (mine is on D:, Windows on C: ). So I had to create an additional small pagefile on C: to get it to work. Once I got a dump to debug I got symbol and timestamp errors (see output below, is this normal?), but even with the errors the
"Probably caused by : i8042prt.sys"
line tells the story. I recognize that from the reg tweak.

I didn't get any errors running the two dumps you posted.

All in all I think this is a very cool tool


Microsoft (R) Windows Debugger Version 6.3.0017.0
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINNT\Minidump\Mini062304-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x8046e8f0
Debug session time: Wed Jun 23 17:32:32 2004
System Uptime: not available
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
..................................................................................................
Loading unloaded module list
..............
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck E2, {0, 0, 0, 0}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*** WARNING: Unable to verify timestamp for i8042prt.sys
*** ERROR: Module load completed but symbols could not be loaded for i8042prt.sys
Probably caused by : i8042prt.sys ( i8042prt+207e )

Followup: MachineOwner
---------

[da chicken]

Nice work Ad. Wanted to know how to do this stuff for a long time.

[alanc]

I got symbol and timestamp errors running pegg's minidump too, but the memory corruption cause was still listed.

[DanTekGeek]

just a quick question. what is the purpose of all this?

[alanc]

This thread is a follow up to this one:
http://www.majorgeeks.com/vb/showthread.php?t=35246

[Adrynalyne]

alanc, at first I was gonna say you had the wrong symbols path, however a dump from my 2K machine gave the same error.

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

However, as you can see, even with an incorrect symbols path, you were able to delve useful information.

Look at the difference in my output with an XP minidmp:



Microsoft (R) Windows Debugger Version 6.3.0017.0
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Jeremy\Desktop\Mini062204-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.030422-1633
Kernel base = 0x804d4000 PsLoadedModuleList = 0x8054a230
Debug session time: Tue Jun 22 22:23:15 2004
System Uptime: 0 days 0:01:00.718
Loading Kernel Symbols
...............................................................................................................................
Loading unloaded module list
..
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck E2, {0, 0, 0, 0}

Probably caused by : i8042prt.sys ( i8042prt!I8xProcessCrashDump+235 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

MANUALLY_INITIATED_CRASH (e2)
The user manually initiated this crash dump.
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------


BUGCHECK_STR: MANUALLY_INITIATED_CRASH

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from f8738681 to 804f5471

STACK_TEXT:
8053e33c f8738681 000000e2 00000000 00000000 nt!KeBugCheckEx+0x19
8053e358 f8737efb 0025fcc0 01a337c6 00000000 i8042prt!I8xProcessCrashDump+0x235
8053e3a0 805343e5 ff71d428 8225fc08 00010009 i8042prt!I8042KeyboardInterruptService+0x21c
8053e3a0 f882fc7e ff71d428 8225fc08 00010009 nt!KiInterruptDispatch+0x45
8053e450 80534a6c 00000000 0000000e 00000000 processr!AcpiC1Idle+0x12


FOLLOWUP_IP:
i8042prt!I8xProcessCrashDump+235
f8738681 5d pop ebp

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: i8042prt!I8xProcessCrashDump+235

MODULE_NAME: i8042prt

IMAGE_NAME: i8042prt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 3d6de41d

STACK_COMMAND: kb

BUCKET_ID: MANUALLY_INITIATED_CRASH_i8042prt!I8xProcessCrashDump+235

Followup: MachineOwner
---------

[Adrynalyne]

On pegg's first memory dump, this is the only error I received:

*** WARNING: Unable to verify timestamp for aswMon2.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswMon2.SYS

Microsoft only provides symbols for their files. This one is not MS.

However, if you still got the error:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Then your symbols path needs to be re-entered.

These tools are incredibly stupid, er sensitive when it comes to symbols path, even if it looks correct, it needs to be re-entered.