I am somewhat familiar with how to deal with BSOD crash dumps, but not really versed in how to interpret them. This is what I got on one of my computers; I'm not really sure what is triggering it or what to do. Any help will be appreciated.
Mini Kernel Dump File: Only registers and stack trace are available
WARNING: Whitespace at end of path element
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Fri Jul 3 03:25:40.109 2009 (GMT-7)
System Uptime: 0 days 0:01:06.812
Loading Kernel Symbols
...............................................................
................................................................
...........
Loading User Symbols
Loading unloaded module list
..........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 805c314f, a5c90a48, 0}
Probably caused by : ntkrpamp.exe ( nt!ObInsertObject+1ad )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805c314f, The address that the exception occurred at
Arg3: a5c90a48, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!ObInsertObject+1ad
805c314f 8b4e1c mov ecx,dword ptr [esi+1Ch]
TRAP_FRAME: a5c90a48 -- (.trap 0xffffffffa5c90a48)
ErrCode = 00000000
eax=a5c90bb8 ebx=00000000 ecx=8a5bde00 edx=00000000 esi=00000001 edi=00000000
eip=805c314f esp=a5c90abc ebp=a5c90b8c iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!ObInsertObject+0x1ad:
805c314f 8b4e1c mov ecx,dword ptr [esi+1Ch] ds:0023:0000001d=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: explorer.exe
LAST_CONTROL_TRANSFER: from 805d0e99 to 805c314f
STACK_TEXT:
a5c90b8c 805d0e99 89325be0 a5c90bb8 001f0fff nt!ObInsertObject+0x1ad
a5c90ce4 805d11b9 00dce5f8 001f0fff 00000000 nt!PspCreateProcess+0x635
a5c90d38 8054162c 00dce5f8 001f0fff 00000000 nt!NtCreateProcessEx+0x77
a5c90d38 7c90e514 00dce5f8 001f0fff 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
00dcec64 00000000 00000000 00000000 00000000 0x7c90e514
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ObInsertObject+1ad
805c314f 8b4e1c mov ecx,dword ptr [esi+1Ch]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!ObInsertObject+1ad
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 498c11d3
FAILURE_BUCKET_ID: 0x8E_nt!ObInsertObject+1ad
BUCKET_ID: 0x8E_nt!ObInsertObject+1ad
Followup: MachineOwner
---------
1: kd> lmvm nt
start end module name
804d7000 806e4000 nt # (pdb symbols) c:\symbols\ntkrpamp.pdb\909FE6B806E4444B9230BAAF21EC5C271\ntkrpamp.pdb
Loaded symbol image file: ntkrpamp.exe
Mapped memory image file: c:\symbols\ntkrpamp.exe\498C11D320d000\ntkrpamp.exe
Image path: ntkrpamp.exe
Image name: ntkrpamp.exe
Timestamp: Fri Feb 06 02:32:51 2009 (498C11D3)
CheckSum: 001F9D43
ImageSize: 0020D000
File version: 5.1.2600.5755
Product version: 5.1.2600.5755
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0405.04b0
CompanyName: Microsoft Corporation
ProductName: Operační systém Microsoft® Windows®
InternalName: ntkrpamp.exe
OriginalFilename: ntkrpamp.exe
ProductVersion: 5.1.2600.5755
FileVersion: 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. Všechna práva vyhrazena.