Blue Screen of Death caused by ntkrpamp.exe
I have been getting the blue screen and memory dump. I ran the debugger and it showed that the probable cause was ntkrpamp.exe. When I found that on my machine it looks like it might be a sp2 file. The only two things that I
have installed recently are a trial of Microsoft expressions web and harry potter and the order of the phoenix game. Of course, regular updates have been automatically installed. I will include what I got when I debugged. I would really appreciate any help Here is what I got when I ran the debugger: Microsoft (R) Windows Debugger Version 6.7.0005.1 Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\websymbols\Mini071207-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Thu Aug 25 16:33:46.687 2008 (GMT-5)
System Uptime: 0 days 9:43:32.405
Loading Kernel Symbols
.................................................................................................... ....................................................................................................
Loading User Symbols
Loading unloaded module list
.................
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {0, 1c, 1, 804faee4}
Probably caused by : ntkrpamp.exe ( nt!KeWaitForSingleObject+186 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804faee4, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 1c
FAULTING_IP:
nt!KeWaitForSingleObject+186
804faee4 8939 mov dword ptr [ecx],edi
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 806e496b to 804faee4
STACK_TEXT:
f793dcd4 806e496b 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x186
f793dcf4 804ed874 8578ef58 855f1e84 8578ef50 hal!ExAcquireFastMutex+0x2b
f793dd08 f72cf808 e5bfaeb8 855f1c28 e5bfaeb8
nt!FsRtlRemovePerStreamContext+0x1e
f793dd34 f72d0d56 855f1c28 86b3c1a8 8526a818
fltmgr!FltpDeleteAllStreamListCtrls+0x62
f793dd50 f72c35f7 855f1cac 00000008 86b3c1a8 fltmgr!FltpFreeVolume+0xa4
f793dd68 f72c734e 8526a818 00000008 8056375c
fltmgr!FltpCleanupDeviceObject+0x61
f793dd7c 805379bd 86b3c1a8 00000000 871c1b30
fltmgr!FltpFastIoDetachDeviceWorker+0x14
f793ddac 805ce84c 86b3c1a8 00000000 00000000 nt!ExpWorkerThread+0xef
f793dddc 8054532e 805378ce 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KeWaitForSingleObject+186
804faee4 8939 mov dword ptr [ecx],edi
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!KeWaitForSingleObject+186
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9d
.
Re: Blue Screen of Death caused by ntkrpamp.exe
I have the same problem .. but I think it's not the same reason .. I always get the same Bugcheck Analysis .. Any Suggetsions? .. here's the debug results:
========================================================
Note: That always happens when refreshing IE while working on some .net application using MS VS.NET .. I'm using Kaspersky KIS and Zone Alarm at the same time.
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini090109-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_rtm.040803-2158
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700
Debug session time: Tue Sep 1 20:49:16.203 2009 (GMT+2)
System Uptime: 1 days 5:38:00.937
Loading Kernel Symbols
...............................................................
.........................................................
Loading User Symbols
Loading unloaded module list
................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 100000BE, {7c90eb98, ec1d025, bacdbc10, a}
Probably caused by : ntkrpamp.exe ( nt!CcFlushCache+bf )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: 7c90eb98, Virtual address for the attempted write.
Arg2: 0ec1d025, PTE contents.
Arg3: bacdbc10, (reserved)
Arg4: 0000000a, (reserved)
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xBE
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 804e482b to 804e41ed
STACK_TEXT:
bacdbcf0 804e482b b5e3ad64 00000000 00000001 nt!CcFlushCache+0xbf
bacdbd34 804e7041 89e81038 80563720 89e3e998 nt!CcWriteBehind+0x119
bacdbd7c 80537757 89e81038 00000000 89e3e998 nt!CcWorkerThread+0x12f
bacdbdac 805ce794 89e81038 00000000 00000000 nt!ExpWorkerThread+0xef
bacdbddc 805450ce 80537668 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!CcFlushCache+bf
804e41ed ff4604 inc dword ptr [esi+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!CcFlushCache+bf
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 41107b0d
FAILURE_BUCKET_ID: 0xBE_nt!CcFlushCache+bf
BUCKET_ID: 0xBE_nt!CcFlushCache+bf
Followup: MachineOwner
---------
Thank you In Advance