customer computer... help...

Discussion in 'Software' started by derron, Mar 1, 2011.

  1. derron

    derron Private E-2

    Hello all.. It has been a while since I have posted here. I can fix most computer problems but my weak side is the BSOD. I thought IRQL might mean something like hardware so I updated like crazy on everything. I wasn't able to replicate the BSOD myself so I can't find out if it was a program or something. My customer owns this jewelry store... and has a program called WinJewel, I clicked on that and it said there was already another instance of that program running and it said it would close out that one and start a new one.. so I clicked on OK.. and then it gave me a BSOD. This was not the same BSOD but maybe it will prove something I hope. I told the computer to save the DMP file yesterday, so I don't have the DMP file of the original BSOD yet...

    DMP file is attached...

    Thank you in advance.....

    I kind of messed up and did a complete memory dump before.. but I realized and remembered the mini dump file... so here it is, hopefully it can help.. If it doesn't I guess I'll have to wait for the next BSOD.. anyways.. small memory dump or kernel memory dump?



    This is Windows XP btw...
     


  2. derron

    derron Private E-2

    Hello all... I have not gotten a response from anyone... this is kind of urgent...

    I've got the correct mini dump now... and it seems to blue screen the longer the computer runs.. it created a mini dump at 2 am and 5 am.. which means it's not doing anything while it blue screens, which makes me lean more towards a hardware issue ??

    Anyways here is the minidump.... thank you..
     


  3. satrow

    satrow Major Geek Extraordinaire

    Hi Derron, a quick debug makes me think it's a Windows Defender or MSE problem that triggered this crash.
    Code:
    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [G:\Documents\Desktop\Mini030311-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp3_gdr.101209-1647
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
    Debug session time: Thu Mar  3 07:19:49.484 2011 (UTC + 0:00)
    System Uptime: 0 days 21:01:04.182
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ......
    Loading User Symbols
    Loading unloaded module list
    ..................................................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1000000A, {7028, 1c, 1, 804fad53}
    
    Probably caused by : ntkrpamp.exe ( nt!KeWaitForMultipleObjects+23f )
    
    Followup: MachineOwner
    ---------
    
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 00007028, memory referenced
    Arg2: 0000001c, IRQL
    Arg3: 00000001, bitfield :
    	bit 0 : value 0 = read operation, 1 = write operation
    	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: 804fad53, address which referenced memory
    
    Debugging Details:
    ------------------
    
    
    WRITE_ADDRESS:  00007028 
    
    CURRENT_IRQL:  1c
    
    FAULTING_IP: 
    nt!KeWaitForMultipleObjects+23f
    804fad53 8902            mov     dword ptr [edx],eax
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    BUGCHECK_STR:  0xA
    
    PROCESS_NAME:  MsMpEng.exe
    
    LAST_CONTROL_TRANSFER:  from 805c0a7b to 804fad53
    
    STACK_TEXT:  
    a99159bc 805c0a7b 0000001b a9915bf0 00000001 nt!KeWaitForMultipleObjects+0x23f
    a9915d48 8054167c 0000001b 0096fd30 00000001 nt!NtWaitForMultipleObjects+0x297
    a9915d48 7c90e514 0000001b 0096fd30 00000001 nt!KiFastCallEntry+0xfc
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0096ffb4 00000000 00000000 00000000 00000000 0x7c90e514
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt!KeWaitForMultipleObjects+23f
    804fad53 8902            mov     dword ptr [edx],eax
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  nt!KeWaitForMultipleObjects+23f
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrpamp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4d00d46f
    
    FAILURE_BUCKET_ID:  0xA_nt!KeWaitForMultipleObjects+23f
    
    BUCKET_ID:  0xA_nt!KeWaitForMultipleObjects+23f
    
    Followup: MachineOwner
    ---------
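
As an added example (not part of the post above, and not code from any tool named in the thread), this Python function pulls the triage fields out of pasted `!analyze -v` output for a 0xA bugcheck and decodes its four arguments as the debugger text describes them. The function name `triage`, the returned key names, and the masking of the top nibble of the bugcheck code are assumptions made for this example.

```python
import re

# Constructed sample: key lines copied from the debugger output in this thread,
# including BBCode markup of the kind a forum paste can carry.
SAMPLE = """\
BugCheck 1000000A, {7028, 1c, 1, 804fad53}
Probably caused by : ntkrpamp.exe ( nt!KeWaitForMultipleObjects+23f )
DEFAULT_BUCKET_ID:  DRIVER_FAULT
[B]PROCESS_NAME:  [COLOR="Blue"]MsMpEng.exe[/COLOR][/B]
STACK_TEXT:
a99159bc 805c0a7b 0000001b a9915bf0 00000001 nt!KeWaitForMultipleObjects+0x23f
a9915d48 8054167c 0000001b 0096fd30 00000001 nt!NtWaitForMultipleObjects+0x297
a9915d48 7c90e514 0000001b 0096fd30 00000001 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0096ffb4 00000000 00000000 00000000 00000000 0x7c90e514
"""

def triage(text):
    """Summarise an IRQL_NOT_LESS_OR_EQUAL (0xA) bugcheck from pasted output."""
    text = re.sub(r'\[/?[A-Z]+(?:="[^"]*")?\]', "", text)  # drop BBCode tags
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    if not m:
        raise ValueError("no BugCheck line found")
    # The dump prints 1000000A while BUGCHECK_STR says 0xA; masking the top
    # nibble to compare them is an assumption based on that output.
    code = int(m.group(1), 16) & 0x0FFFFFFF
    args = [int(a, 16) for a in m.group(2).split(",")]
    if code != 0xA or len(args) != 4:
        raise ValueError("argument meanings below apply to bugcheck 0xA only")
    # KEY:  value lines such as PROCESS_NAME and DEFAULT_BUCKET_ID
    fields = dict(re.findall(r"^[ \t]*([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", text, re.M))
    # Stack rows: five 8-digit hex columns, then module!symbol or a raw address
    symbols = re.findall(r"^[ \t]*(?:[0-9a-f]{8} ){5}(\S+)[ \t]*$", text, re.M)
    modules = []
    for sym in symbols:
        mod = sym.split("!")[0] if "!" in sym else "<unresolved>"
        if mod not in modules:
            modules.append(mod)
    # Arg3 bitfield: bit 0 set = write, bit 3 set = execute, otherwise read
    op = "execute" if args[2] & 0x8 else ("write" if args[2] & 0x1 else "read")
    return {"bugcheck": code, "address": args[0], "irql": args[1],
            "operation": op, "faulting_ip": args[3],
            "process": fields.get("PROCESS_NAME"),
            "bucket": fields.get("DEFAULT_BUCKET_ID"),
            "stack_modules": modules}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:14} {value}")
```

On this dump every resolved frame is in `nt`, so `PROCESS_NAME` identifies the process that was running when the crash happened, not necessarily the driver at fault.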
     
  4. derron

    derron Private E-2

    Thank you for your quick reply..

    Do you recommend I uninstall it.. and see if it blue screens again after that??
     
  5. satrow

    satrow Major Geek Extraordinaire

    Well, that would be one option, I'd check the logs in the program first, if you can, there may be more info there.

    Often these things are not so cut and dried, sometimes it's another security prog that's the real cause, especially if they're not fully up to date.
     
  6. derron

    derron Private E-2

    I doubt Avast would be the issue... that's the only thing that would be running at 2 in the morning... and ThreatFire which I uninstalled cuz it was making WinJewel slow...

    I already uninstalled Defender... don't need it anyways..
     
