
Seeking minidump help

June 14, 2012 1:04:22 AM

Hello, all. New to these forums.

I'm trying to help a friend with an XP sp3 machine. A few weeks ago, he got several BSOD's (9 before he gave up and put the machine away for me to look at). Checking out the minidumps, they have the following similarities:


BugCheck 1000008E, {c0000005, bfxxxxxx, xxxxxx, 0}
Probably caused by : win32k.sys ( win32k! {different sections}

The addresses are different (though all at base bf000000), the section in win32k.sys is different each time, and the process is different each time.

In different minidumps, I've got:
Probably caused by : win32k.sys ( win32k!EXFORMOBJ::bInverse+68 )
...
PROCESS_NAME: iexplore.exe


or

Probably caused by : win32k.sys ( win32k!xxxSleepTask+384 )
...
PROCESS_NAME: ctfmon.exe


Other process names referred to include firefox.exe, explorer.exe, but always the same stop error, and always win32k.sys.

What's funny is I've booted it up today and it's been on for hours with no BSOD's. I've updated the video drivers, and am about to update the BIOS and run AntiMalwareBytes, but I just hate to send it back to him without being sure I've squashed the problem.

Can anyone tell by looking at these details what caused this?

I just joined the forums, so maybe that's why it's not giving me the option of attaching a file. Hopefully it's not taboo to post a piece from Windbg. Here's one of them. If it's OK to post more so you can see how they vary, I can.
Thanks for any help anyone can offer.

...........
Unable to load image win32k.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for win32k.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, bf801bc5, f00fac44, 0}

Probably caused by : win32k.sys ( win32k!xxxSleepTask+384 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf801bc5, The address that the exception occurred at
Arg3: f00fac44, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
win32k!xxxSleepTask+384
bf801bc5 ff4004 inc dword ptr [eax+4]

TRAP_FRAME: f00fac44 -- (.trap 0xfffffffff00fac44)
ErrCode = 00000002
eax=7fffe6cc ebx=00000000 ecx=00000000 edx=0007fcec esi=e14e96a0 edi=00000001
eip=bf801bc5 esp=f00facb8 ebp=f00face8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
win32k!xxxSleepTask+0x384:
bf801bc5 ff4004 inc dword ptr [eax+4] ds:0023:7fffe6d0=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 4

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: ctfmon.exe

LAST_CONTROL_TRANSFER: from bf803677 to bf801bc5

STACK_TEXT:
f00face8 bf803677 f00fad14 00000000 00000000 win32k!xxxSleepTask+0x384
f00fad48 804de7ec 0007fde8 00000000 00000000 win32k!xxxSendMessageTimeout+0x7b
f00fad64 7c90e514 badb0d00 0007fcec 00000000 nt!`string'+0xc
WARNING: Frame IP not in any known module. Following frames may be wrong.
f00fad68 badb0d00 0007fcec 00000000 00000000 0x7c90e514
f00fad6c 0007fcec 00000000 00000000 00000000 0xbadb0d00
f00fad70 00000000 00000000 00000000 00000000 0x7fcec


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!xxxSleepTask+384
bf801bc5 ff4004 inc dword ptr [eax+4]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: win32k!xxxSleepTask+384

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4f85831a

FAILURE_BUCKET_ID: 0x8E_win32k!xxxSleepTask+384

BUCKET_ID: 0x8E_win32k!xxxSleepTask+384

Followup: MachineOwner
---------
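
An added example, not part of the original post: a small Python parser for the !analyze -v text above that extracts the bugcheck fields and decodes the trap frame's x86 page-fault error code. The function names are illustrative, and KERNEL_BASE assumes the default 2 GB user/kernel split on 32-bit XP (no /3GB switch).

```python
import re

# Lines copied from the !analyze -v output in the post, trimmed to the fields used here.
SAMPLE = """\
BugCheck 1000008E, {c0000005, bf801bc5, f00fac44, 0}
Probably caused by : win32k.sys ( win32k!xxxSleepTask+384 )
ErrCode = 00000002
eax=7fffe6cc ebx=00000000 ecx=00000000 edx=0007fcec esi=e14e96a0 edi=00000001
bf801bc5 ff4004 inc dword ptr [eax+4] ds:0023:7fffe6d0=????????
PROCESS_NAME: ctfmon.exe
"""

# Assumption: default 2 GB user / 2 GB kernel split on 32-bit XP (no /3GB).
KERNEL_BASE = 0x80000000

PATTERNS = {
    "bugcheck": r"BugCheck ([0-9A-Fa-f]+),",
    "args": r"BugCheck [0-9A-Fa-f]+, \{([^}]*)\}",
    "symbol": r"Probably caused by : \S+ \( (\S+) \)",
    "errcode": r"ErrCode = ([0-9A-Fa-f]+)",
    "fault_addr": r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=",
    "process": r"PROCESS_NAME:\s*(\S+)",
}

def parse_analyze(text):
    """Extract triage fields; fields missing from a partial paste are None."""
    out = {}
    for name, pat in PATTERNS.items():
        m = re.search(pat, text)
        out[name] = m.group(1) if m else None
    for key in ("bugcheck", "errcode", "fault_addr"):
        if out[key] is not None:
            out[key] = int(out[key], 16)
    if out["args"] is not None:
        out["args"] = [int(a.strip(), 16) for a in out["args"].split(",")]
    return out

def decode_fault(errcode, addr):
    """Decode x86 page-fault error code bits 0-2 and classify the target address."""
    return {
        "page": "protection violation" if errcode & 1 else "not present",
        "access": "write" if errcode & 2 else "read",
        "cpu_mode": "user" if errcode & 4 else "kernel",
        "target": "kernel space" if addr >= KERNEL_BASE else "user space",
    }

def triage(text):
    """Parse one dump; add a decoded 'fault' entry when the trap frame is present."""
    r = parse_analyze(text)
    if r["errcode"] is not None and r["fault_addr"] is not None:
        r["fault"] = decode_fault(r["errcode"], r["fault_addr"])
    return r
```

For the dump above this reports a kernel-mode write to a not-present page at a user-space address (0x7fffe6d0, which is eax+4).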





June 14, 2012 8:40:08 AM

Logical thing to do is repair the OS with System File checker, or boot from Windows CD and select 'r', repair.
June 14, 2012 10:00:02 AM

Use BlueScreenView software
June 14, 2012 7:57:42 PM

ksiemb said:
Logical thing to do is repair the OS with System File checker, or boot from Windows CD and select 'r', repair.


Thanks, I tried that and it fixed half a dozen files (none mentioned in the minidumps that I saw).

BlueScreenView from what I see on their website doesn't seem to tell you any more than WinDbg does, right?

Thanks again!
June 14, 2012 10:03:16 PM

chuckman said:
Thanks, I tried that and it fixed half a dozen files (none mentioned in the minidumps that I saw).

BlueScreenView from what I see on their website doesn't seem to tell you any more than WinDbg does, right?

Thanks again!


How far out of date is Windows and all other software on this system? Running SP3 and fully updated? Heard of Secunia PSI? Download that and run the scan. Apply all updates to everything.

https://secunia.com/products/consumer/PSI/