BSOD Help

[gmail2]

Hi All

I've got 4 machines which have had BSOD's recently (numbers vary between machines). I've downloaded the MS debug tools and ran some debugging on the minidump files. The result seems to point to ntkrpamp.exe, and googling that does bring up alot of BSOD related topics. Can anybody point me in the right direction of what I should do next ? Some more info:

Vista SP2
Office 2007
Symantec Endpoint Protection
Riverbed Steelhead Mobile

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 005c0073, memory referenced
Arg2: 0000001b, IRQL
Arg3: 00000001, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 81a45485, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS: GetPointerFromAddress: unable to read from 81b46868
Unable to read MiSystemVaType memory at 81b26420
 005c0073 

CURRENT_IRQL:  1b

FAULTING_IP: 
nt!KeWaitForGate+126
81a45485 8902            mov     dword ptr [edx],eax

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  explorer.exe

LAST_CONTROL_TRANSFER:  from 81a503e7 to 81a45485

STACK_TEXT:  
b4477bb4 81a503e7 00000000 88f8d4a8 84d83008 nt!KeWaitForGate+0x126
b4477bcc 81a29a78 1544ebf2 81a29a0f 84d83008 nt!KiAcquireGuardedMutex+0x53
b4477c20 81a29886 87785338 84d83008 81dcf382 nt!FsRtlCancelNotify+0x69
b4477c4c 81c2780e 84d83008 885cd958 8837a030 nt!IoCancelIrp+0x83
b4477c78 81c275c2 1544eb0e 8999e200 40010004 nt!IoCancelThreadIo+0x3a
b4477cdc 81c040b7 40010004 88f8d4a8 88f8d401 nt!PspExitThread+0x4bf
b4477cf4 81ac2ffa 8999e200 b4477d20 b4477d2c nt!PsExitSpecialApc+0x22
b4477d4c 81a59d26 00000001 00000000 b4477d64 nt!KiDeliverApc+0x1dc
b4477d4c 76f35e74 00000001 00000000 b4477d64 nt!KiServiceExit+0x56
WARNING: Frame IP not in any known module. Following frames may be wrong.
03a3fc3c 00000000 00000000 00000000 00000000 0x76f35e74


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!KeWaitForGate+126
81a45485 8902            mov     dword ptr [edx],eax

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!KeWaitForGate+126

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4b7d1e08

FAILURE_BUCKET_ID:  0xA_nt!KeWaitForGate+126

BUCKET_ID:  0xA_nt!KeWaitForGate+126

Followup: MachineOwner

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau

 

[linney]

How often are these faults occurring? Are they the intermittent type of faults which make diagnosing a nightmare, or are they happening several times a day?

When did they first appear? What was installed on your machines at that time?

Are there common and regular errors showing up in the Event Viewer?

Event Logs

http://technet.microsoft.com/en-us/library/cc722404(WS.10).aspx

Event Viewer

http://technet.microsoft.com/en-us/library/cc766042(WS.10).aspx

When looking at the Event Viewer, make sure you are an Administrator.

Better troubleshooting capabilities with Windows Vista's Event Viewer

http://articles.techrepublic.com.com/5100-10878_11-6108150.html

If I was a gambling man, and looking at the 4 items you listed, I would favor Symantec as a possible cause, but that is said without no scientific reason, more so, just a bit of healthy prejudice.

 

[kjv1611]

And I'd also consider checking the RAM in all 4 machines as well. You could use MemTest86 or another utility. UltimateBootCD has a few you can use, and there are others as well.

 

[gmail2]

Sorry for the late reply everybody

Unfortunately the problems are quiet infrequent which of course makes it more difficult to diagnose. We ran memtest86+ on the machines and it seems that the physical RAM is fine. The problem normally occurs when the users are shutting down, but not always.

I agree, Symantec is most likely the cause ... but I need a little proof before I can go back to our internal guy who installed SEP and ask him to look at this.

The event logs don't really show anything useful unfortunately. I'm wondering if verifier can help at all - but after I've configured it, where do I look for any results ? Do I just need to wait for another BSOD and THEN verifier will log extra info ? In that case, where would it be ? In the mini-dump or ... ?

Thanks again

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau

 

[linney]

Verifier is only going to show you unsigned drivers that are installed on your machine. It will allow you to look at those drivers as a possible cause. A report will be produced.

"The log file is named Sigverif.txt, and it is saved in the Windows folder. Third-party drivers that are unsigned are displayed as "Not signed." Use the drivers in this list as your troubleshooting starting point."

HOW TO: Verify Unsigned Device Drivers in Windows XP

http://support.microsoft.com/support/kb/articles/q308/5/14.asp