Greetings. I know how to view kernel dumps on Windows but I don't know very much about interpreting them. Obviously, the dump below indicates ntkrpamp.exe as being the problematic executable. I don't know what the flagged memory addresses mean or anything about the stack dump. Reading the dump itself leads me to believe it's not exactly possible to pinpoint the specific cause. However, I've been reading other threads similar to this issue and suggestions were made that this can be the result of anti-virus software or corrupted virtual memory.
Is anyone able to break this dump down and help me understand it better?
Code:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Documents and Settings\Chris\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: C:\Windows\Symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (8 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Mon Aug 30 01:54:28.515 2010 (UTC - 4:00)
System Uptime: 0 days 0:55:50.135
Loading Kernel Symbols
...............................................................
............................................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {968baa0, 1c, 0, 80502cb7}
Probably caused by : ntkrpamp.exe ( nt!KiUnlinkThread+7 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0968baa0, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80502cb7, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 0968baa0
CURRENT_IRQL: 1c
FAULTING_IP:
nt!KiUnlinkThread+7
80502cb7 8b10 mov edx,dword ptr [eax]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: Idle
TRAP_FRAME: 8055123c -- (.trap 0xffffffff8055123c)
ErrCode = 00000000
eax=0968baa0 ebx=8968bae0 ecx=8968b9e8 edx=00000102 esi=8968b9e8 edi=00000000
eip=80502cb7 esp=805512b0 ebp=805512c4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!KiUnlinkThread+0x7:
80502cb7 8b10 mov edx,dword ptr [eax] ds:0023:0968baa0=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 80502cb7 to 805446e0
STACK_TEXT:
8055123c 80502cb7 badb0d00 00000102 89075020 nt!KiTrap0E+0x238
805512b0 80502d1e 8968bad8 8968bae0 00000102 nt!KiUnlinkThread+0x7
805512c4 80502f15 00000000 805512e0 00000000 nt!KiUnwaitThread+0x12
805512f0 8050212e ccd654bc 00000088 80551418 nt!KiWaitTest+0xab
805513fc 8050231b 8055c0c0 ffdff9c0 ffdff000 nt!KiTimerListExpire+0x7a
80551428 80545e6f 8055c4c0 00000000 00034588 nt!KiTimerExpiration+0xb1
80551450 80545d54 00000000 0000000e 00000000 nt!KiRetireDpcList+0x61
80551454 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x28
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiUnlinkThread+7
80502cb7 8b10 mov edx,dword ptr [eax]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KiUnlinkThread+7
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4802516a
FAILURE_BUCKET_ID: 0xA_nt!KiUnlinkThread+7
BUCKET_ID: 0xA_nt!KiUnlinkThread+7
Followup: MachineOwner
---------
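An added example, not part of the original post: a Python sketch that reads the bugcheck line and trap-frame registers quoted above, decodes the four 0xA arguments the way the analyzer text describes them, and lists registers that lie within 4 KB of the faulting address once a single bit of it is flipped. The 2 GB user/kernel split and the 4 KB window are assumptions, and the bit-flip check is a triage heuristic for spotting a possibly corrupted stored pointer, not a diagnosis.

```python
import re

# Constructed input: three lines copied from the !analyze -v output in the post.
DUMP = """\
BugCheck A, {968baa0, 1c, 0, 80502cb7}
eax=0968baa0 ebx=8968bae0 ecx=8968b9e8 edx=00000102 esi=8968b9e8 edi=00000000
eip=80502cb7 esp=805512b0 ebp=805512c4 iopl=0 nv up ei pl nz na po nc
"""
KERNEL_SPLIT = 0x80000000  # assumption: default 2 GB user/kernel split on x86

def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from the 'BugCheck X, {a, b, c, d}' line."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    if not m:
        raise ValueError("no BugCheck line found")
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def parse_registers(text):
    """Return {name: value} for the eXX=hhhhhhhh pairs of the trap frame."""
    return {n: int(v, 16) for n, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}

def decode_0xa(args):
    """Decode the IRQL_NOT_LESS_OR_EQUAL arguments as the analyzer text lists them."""
    addr, irql, bits, ip = args
    return {
        "address": addr,
        "irql": irql,
        "operation": "write" if bits & 0x1 else "read",   # Arg3 bit 0
        "execute": bool(bits & 0x8),                      # Arg3 bit 3
        "faulting_ip": ip,
        "address_in_kernel_space": addr >= KERNEL_SPLIT,
    }

def near_pointer_hints(addr, regs, window=0x1000):
    """Heuristic: (bit, register, candidate) where flipping one bit of addr
    lands within `window` bytes of a register that was not already that close."""
    hints = []
    for bit in range(32):
        cand = addr ^ (1 << bit)
        for name, val in sorted(regs.items()):
            if abs(val - addr) > window and abs(val - cand) <= window:
                hints.append((bit, name, cand))
    return hints

if __name__ == "__main__":
    code, args = parse_bugcheck(DUMP)
    print(hex(code), decode_0xa(args))
    print(near_pointer_hints(args[0], parse_registers(DUMP)))
```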