[Zenoxio]

I am getting BSODs in WinXP SP3.

Here is what Microsoft is telling me:
http://wer.microsoft.com/responses/R...5-9d6bf2d11f07

How can I narrow down what is causing them?

[Rollin' Rog]

Well "System Restore" might be a good first shot, which does not require identiffying the device and the problem is relatively recent.

Did it begin immediately after the SP3 update? If so, a System Restore would remove the update, and I would wait to see if we can identify the issue more specifically first.


I can run a debugging utility on the dump files if you do this:

1 > create a new folder on the desktop and call it "dumpcheck" or whatever you like
2 > navigate to c:\windows\minidump and copy the last few minidump files to that folder. *this assumes 'c' is your boot drive, if it is not, subsitute accordingly
3 > close the folder and right click on it and select Send to Compressed (zipped) Folder.
4 > use the "manage attachments" in the "advanced" reply window to upload that zip file here as an attachment.

This might point us to a non Microsoft driver causing the error, if one exists for it.

[Zenoxio]

I don't know how long ago these BSODs started, and I'd rather not have to try a system restore and then wait a month before seeing if I get a BSOD or not.

Attached is the folder.

[Zenoxio]

Hm, another BSOD today. Wasn't even doing anything. Attached is the latest dump file.

[Rollin' Rog]

All of these are looking like corruption of the disk drive -- possibly just the paging file.

Has chkdsk been run on the drive?
Do you see "disk" errors in the Event Viewer system log (run eventvw.msc)

If the paging file is "system managed", you might try setting it to fixed values -- typically 1 1/2 to 2x the value of installed ram. If it is already custom set, try changing it to system managed.

Here is a recent link where a similar problem may have been resolved >>

http://forums.techguy.org/windows-vi...ml#post6780449

Quote:

Debug session time: Tue Jan 20 15:10:58.889 2009 (GMT-7)
BugCheck 4E, {99, a6b9, 3, 0}

Probably caused by : memory_corruption ( nt!MiDecrementShareCount+53 )

http://msdn.microsoft.com/en-gb/library/ms793247.aspx

-----------------------------------------------------------------

Debug session time: Mon Jun 29 08:27:49.703 2009 (GMT-7)
BugCheck 24, {1902fe, f3bb65a0, f3bb629c, f73f0b20}

*** WARNING: Unable to verify timestamp for aswMon2.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswMon2.SYS
Probably caused by : Ntfs.sys ( Ntfs!NtfsLookupNameLengthViaLcb+44 )

---------------------------------------------------------------------------

Debug session time: Mon Jun 29 08:26:48.718 2009 (GMT-7)
BugCheck 1000008E, {c0000005, 8054c0b9, f18ebb90, 0}

Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+fd )

--------------------------------------------------------------------------

Debug session time: Mon Mar 30 08:35:50.390 2009 (GMT-7)
BugCheck 1000000A, {40586470, 2, 0, 804e667d}

Probably caused by : memory_corruption ( nt!MiRemovePageByColor+d2 )

---------------------------------------------------
Debug session time: Tue Jun 30 08:59:50.421 2009 (GMT-7)

MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 00041284, A PTE or the working set list is corrupt.
Arg2: 02dc5001
Arg3: 000013b9
Arg4: c0503000

I would also test the ram >>

Since almost all bugchecks can be caused by faulty ram, I would recommend you perform memory tests.

Beginners Guides: Diagnosing Bad Memory

Memtest86 - A Stand-alone Memory Diagnostic

[Zenoxio]

Which column am I looking for "disk" in? Category? The last entry in System is an Error:

Code:

Event Type:	Error
Event Source:	System Error
Event Category:	(102)
Event ID:	1003
Date:		6/30/2009
Time:		12:02:30 PM
User:		N/A
Computer:	HOUND-NAZ9T2DZ0
Description:
Error code 0000001a, parameter1 00041284, parameter2 02dc5001, parameter3 000013b9, parameter4 c0503000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 30 30 30 30 30 30 31    0000001
0020: 61 20 20 50 61 72 61 6d   a  Param
0028: 65 74 65 72 73 20 30 30   eters 00
0030: 30 34 31 32 38 34 2c 20   041284, 
0038: 30 32 64 63 35 30 30 31   02dc5001
0040: 2c 20 30 30 30 30 31 33   , 000013
0048: 62 39 2c 20 63 30 35 30   b9, c050
0050: 33 30 30 30               3000

This around the same time:

Code:

Event Type:	Error
Event Source:	TermService
Event Category:	None
Event ID:	1014
Date:		6/30/2009
Time:		12:01:05 PM
User:		N/A
Computer:	HOUND-NAZ9T2DZ0
Description:
Cannot load illegal module: C:\WINDOWS\system32\Drivers\rdpwd.SYS. 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

[Zenoxio]

Did a mem test just now with http://www.memtest.org/ on boot CD.

"Pass complete, no errors"

[Rollin' Rog]

A "DisK" error would be an "Event Source" > Event ID: 51

Try running chkdsk on the drive and resetting your paging file as suggested above.

The first error is just for the BSOD, the second suggests an issue with DVD regionalization -- trying to play something from a region not supported by your player -- in any case I don't think it is causing any BSODs

After the disk check is complete and you have rebooted, the results can be viewed in the Applications log > Winlogon entry.

Also, if these BSODs are common, try a "clean boot", it could be antivirus (Avast) or other programs corrupting memory. You might try reinstalling that.

Run msconfig and select the "Services" tab. Check "Hide Microsoft Services" and then disable the rest. Also uncheck "load startup group" on the general page.


Now restart and test the issue at hand

If no problems, run msconfig and recheck half the disabled items on the Services tab. Test again. If the problem recurs, UNcheck half the items you just checked to narrow down the culprit.

If the problem didn't occur, check the other half, so all the Services are enabled -- proceed to do this on the startup tab as well.

Get the idea? You want to isolate the problem to a specific startup if possible.

Note: if you already have items unchecked under msconfig > startups and are in “selective” startup mode – you should note what these are before beginning. They will need to be de-selected again.


http://support.microsoft.com/kb/929135 << written for Vista but apples equally to XP

[Zenoxio]

Quote:

If the paging file is "system managed", you might try setting it to fixed values -- typically 1 1/2 to 2x the value of installed ram. If it is already custom set, try changing it to system managed.

I checked this setting and it has always been set to custom.

Check disk results:

Quote:

The type of the file system is NTFS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Deleting index entry Local State in index $I30 of file 142677.
Deleting index entry LOCALS~1 in index $I30 of file 142677.
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.

I checked the log, but the only Winlogon logs are not from today. The last is from 5/26/2009 and nothing that would match the check disk I did today.

[Rollin' Rog]

Errors found. CHKDSK cannot continue in read-only mode.

You need to run chkdsk in the "fix errors" mode. I see it found errors but it cannot fix them until you do that.

From a command line this would be chkdsk /f and may require a reboot to complete.

[Zenoxio]

I did a /chkdsk /f earlier and I just got another BSOD today.

[Rollin' Rog]

Upload the new dump file for the BSOD -- and also see if you can locate and copy/paste or upload the chkdsk log here.

That log is found by running eventvwr.msc and opening the Applications Log : Winlogon entry that should be present for the date you ran chkdsk. You can doubleclick that to read the description and there is a double-paper copy icon that can copy it to the clipboard for pasting.

[Zenoxio]

Attached is the dump from the BSOD yesterday.

Here is the chkdsk log:

Quote:

Checking file system on C:
The type of the file system is NTFS.


A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 148 unused index entries from index $SII of file 0x9.
Cleaning up 148 unused index entries from index $SDH of file 0x9.
Cleaning up 148 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.

29246332 KB total disk space.
25805216 KB in 165796 files.
73356 KB in 16527 indexes.
0 KB in bad sectors.
374172 KB in use by the system.
65536 KB occupied by the log file.
2993588 KB available on disk.

4096 bytes in each allocation unit.
7311583 total allocation units on disk.
748397 allocation units available on disk.

Internal Info:
e0 f8 02 00 3f c8 02 00 ea 46 04 00 00 00 00 00 ....?....F......
34 41 00 00 02 00 00 00 71 08 00 00 00 00 00 00 4A......q.......
b8 13 ab 06 00 00 00 00 c8 6c 44 f4 00 00 00 00 .........lD.....
90 ff 62 1c 00 00 00 00 00 00 00 00 00 00 00 00 ..b.............
00 00 00 00 00 00 00 00 58 4a e1 2a 01 00 00 00 ........XJ.*....
99 9e 36 00 00 00 00 00 98 38 07 00 a4 87 02 00 ..6......8......
00 00 00 00 00 80 06 27 06 00 00 00 8f 40 00 00 .......'.....@..

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

[Rollin' Rog]

Chkdsk shows nothing -- and the minidump adds little except that the searchindexer was running at the time (Chrome was the process in the first).

Quote:

Debug session time: Mon Aug 3 08:41:25.390 2009 (GMT-7)
BugCheck 1000008E, {c0000005, 8054c0b9, f308e834, 0}

Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+fd )

PROCESS_NAME: searchindexer.e

I would still reset the paging file so that it is cleared and starts fresh. If you make it "system managed" and reboot, that should do it.

You can also try a test with Driver Verifier to see if it flags anything.

USING DRIVER VERIFIER

Windows has a built in driver tester that may find something.
Before using it you must ensure that you can start in Safe Mode and return from it. If verifier issues a STOP screen, rebooting in Safe Mode is the only way to reset it.

In its default configuration verifier tests "unsigned" drivers, but you can have it test all drivers under maximum conditions.

There's less to it than meets the eye in this MS article:

http://support.microsoft.com/default...b;en-us;244617

To run verifier simply go to Start > run and enter:

verifier.exe

and select "standard configuration" and follow the prompts.
It will run on the next reboot. If it finds something you will get a Blue Screen STOP message.

Ignore the STOP parameters -- they are specific to verifier. The only thing important is the driver file name if it finds one.

If you get a STOP screen you will have to reboot to Safe Mode and run verifier again and have it "delete existing settings"

If you do not get a STOP message you can run it again checking all drivers; driver verifier will continue to run on every boot up until you run:

verifier /reset

or use the graphical interface to delete existing settings.

[Zenoxio]

I ran verifier.exe, selected "Create standard settings", Next, Next, Finish and restarted. Nothing came up, didn't see anything new.

Did I do something wrong?