Windows shuts down and gives error message

[UniKat53]

Hello, My computer shut down and gave error message *** STOP: 0x0000008E (0xC0000005,0x8056C031,0xB733FAF4,0x00000000) and then when I restarted it, it gave the same message but with 0xB76B7AF4 instead of the B733FAF4 part.
I went into safe mode and tried to do a system restore and it just keeps giving me this error message. Please help

 

[princesiddiqui]

Try to install sp3 upgrade;

http://windows.microsoft.com/en-US/windows/downloads/service-packs

 

[UniKat53]

Try to install sp3 upgrade;

http://windows.microsoft.com/en-US/windows/downloads/service-packs

I already have service pack 3. And after I do the system restore, it tells me it has been successfully restored and yet it keeps shutting down and giving the same error message except that each time the 3rd section of the error message is slightly different: ie 0xB7677AF4 or 0xB76B7AF4 or 0xB733FAF4.

It won't stay on long enough for me to install anything.

 

[SulliedSock]

Hello,

Currently we are having the same issues.... Suddenly multiple machines on our network have BSOD. However, our Stop errors are slightly diffrent* 0x0000008E (0xc0000005, 0x8056c031, 0xA7A5BAF4, 0x00000000)*

At this point we are unable to resolve the issues at hand.

Our minidumps have also been different. Our first minidump showed M_Agent.exe to be our issue. However, after hidding the diectory in safemode and rebooting it now has came up with a different BSOD which states our system is the culprit. Both dumps have included ntoskrnl.exe as the image.

Here is the first minidump:____________________

Microsoft (R) Windows Debugger Version 6.2.8400.4218 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [U:\Minidumps\Mini071212-04.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\Windows\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu Jul 12 07:12:30.125 2012 (UTC - 4:00)
System Uptime: 0 days 0:00:59.796
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
..............................................................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 8056c031, a7cb7af4, 0}

Probably caused by : ntoskrnl.exe ( nt!ObpFreeObject+140 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8056c031, The address that the exception occurred at
Arg3: a7cb7af4, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ObpFreeObject+140
8056c031 8b5828 mov ebx,dword ptr [eax+28h]

TRAP_FRAME: a7cb7af4 -- (.trap 0xffffffffa7cb7af4)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=a7cb7cc0 edx=00000137 esi=e5ece610 edi=a7cb7cc0
eip=8056c031 esp=a7cb7b68 ebp=a7cb7ca8 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!ObpFreeObject+0x140:
8056c031 8b5828 mov ebx,dword ptr [eax+28h] ds:0023:00000028=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 4

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: m_agent_service

LAST_CONTROL_TRANSFER: from 8056d073 to 8056c031

STACK_TEXT:
a7cb7ca8 8056d073 a7cb7cc0 00000000 00000000 nt!ObpFreeObject+0x140
a7cb7cbc 804e5f2b a7cb7cc0 00000000 e5ece610 nt!NtQueryVolumeInformationFile+0x68
a7cb7cec 805ab548 a7cb7cc0 a7cb7d64 00eade84 nt!KeContextFromKframes+0x2b4
a7cb7d40 8054168c 00eadeb8 000f0005 00000000 nt!NtSetInformationJobObject+0x7e2
a7cb7d64 7c90e514 badb0d00 00eade68 00000000 nt!RtlIpv4StringToAddressExW+0x10d
WARNING: Frame IP not in any known module. Following frames may be wrong.
a7cb7d78 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ObpFreeObject+140
8056c031 8b5828 mov ebx,dword ptr [eax+28h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!ObpFreeObject+140

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4fa3ce58

FAILURE_BUCKET_ID: 0x8E_nt!ObpFreeObject+140

BUCKET_ID: 0x8E_nt!ObpFreeObject+140

Followup: MachineOwner
---------


Here is the second after hiding the M_Agent(Meraki) directory:____________

Microsoft (R) Windows Debugger Version 6.2.8400.4218 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [U:\Minidumps\Mini071212-06.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\Windows\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Thu Jul 12 08:58:44.238 2012 (UTC - 4:00)
System Uptime: 0 days 0:03:57.265
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
...............................................................
................................................................
..
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {8bdc75f9, 2, 0, 804e4232}

Probably caused by : ntoskrnl.exe ( nt!KeReleaseMutant+12 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 8bdc75f9, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 804e4232, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetUlongFromAddress: unable to read from 8055f9e8
8bdc75f9

CURRENT_IRQL: 2

FAULTING_IP:
nt!ExpWorkerThread+cb
804e4232 f6466e01 test byte ptr [esi+6Eh],1

CUSTOMER_CRASH_COUNT: 6

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from 804e48c5 to 804e4232

STACK_TEXT:
ba4e7cf0 804e48c5 805ab52b 00000000 00000001 nt!ExpWorkerThread+0xcb
ba4e7d34 804e70db 8a6b4058 80564820 8a6b7488 nt!KeReleaseMutant+0x12
ba4e7d7c 805387dd 8a6b4058 00000000 8a6b7488 nt!MiLocateAndReserveWsle+0x50
ba4e7dac 805cffee 8a6b4058 00000000 00000000 nt!MiResolveTransitionFault+0x3ab
ba4e7ddc 8054616e 805386ee 00000000 00000000 nt!ArbBootAllocation+0x2d
ba4e7df8 00000000 00000000 00000000 00001f80 nt!ExpFindAndRemoveTagBigPages+0x2c


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KeReleaseMutant+12
804e48c5 ffb694000000 push dword ptr [esi+94h]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!KeReleaseMutant+12

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4fa3ce58

FAILURE_BUCKET_ID: 0xA_nt!KeReleaseMutant+12

BUCKET_ID: 0xA_nt!KeReleaseMutant+12

Followup: MachineOwner
---------


If anyone can spot somethng or have any ideas please let us know!

 

[SulliedSock]

I think we actually narrowed this problem down.

It seems Microsoft, and our Meraki Agent is responsible for all of this commotion. Microsoft is releasing a patch now for it. We've had to actually delete the entire Meraki directory in safe mode, and stop AD from pushing it out to the PC's on start up. After removing the directory we then started Microsoft updates to receive the patch. For some reason it was causing the system to crash. So far this has fixed the issue on all machines. I guess for now our problem is handled.

 

[me 1]

@UniKat53

if you know a little dos, you can use cmd via Recovery console, from the xp cd.
boot from cd, press r, type instalation number, password(or just press enter)
First you could run a chkdisk, just in case.
Plan a: Usually 8E errors are related to Ntoskrnl. You might have a backup somwhere on your hard of ntoskrnl.exe (service pack folder, dllcache,etc) . Backup the original(rename its extension) and copy the one U found to system 32.

Plan b: This is kind of a system recovery, from dos:
Using recovery console, go to the System32\Config folder and backup(rename the extension) of the
System,Software, etc files in there. (to see all files use a dir command)
Copy from the repair folder , the System,Software,etc files to to System32\Config folder .
Eg.
copy C:\Windows\Repair\system C:\windows\System 32\Config
or give it a "*.*" command to copy all files at once.

Plan C: Do a repair install, even if I don't like it, sometimes it's the last thing U could do.

for more details write, and I'll write back.

 

[Erica_techsupport]

I am getting this error 2 and have 5 computer down within my network. When i googled Meraki Agent , it appears to be some type of networking hardware equipment. Am I right?

What does this have to do with why my computers are not booting.

How this issue been resolved from anyone?

 

[SulliedSock]

The meraki agent i spoke of is a networking tool yes!.........

However, i believe it may be specific to our circumstance. I believe the new windows updates are what spawned everyone problems. I'm sure if you read your minidump files you will see a specific program that is causing the system to crash. It seems to all fall back to ntoskrnl.exe. The easiest fix that seemed to work for us was to disable the program that was causing the crash(meraki) in windows safe mode with networking. That is also how i received the Minidump file, i copied it to a network drive where i could access it to be read.

"CUSTOMER_CRASH_COUNT: 4

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: m_agent_service

LAST_CONTROL_TRANSFER: from 8056d073 to 8056c031"

This section here is where i realized M_agent is what triggered a crash in the system. Once it was disabled ( you can't uninstall from safe mode- either delete directory or hide it with a rename * example c:\windows\fonts.... c:\windows\!fonts, the ! tells windows to not pay attention to this when loading. However, i found it to still be loading in a temp file which is the reason i deleted the whole directory) it booted into windows allowing me to go to windows updates and correct the actual issue.

So my friends the fix is making sure you are fully up to date with windows update. The problem might be finding a way to get enough time to to log in and actually install the updates!!!!



Forgive my punctuation and grammar it has been a very long day! This problem alone took up around 4 hours this a.m.