Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Win32.sys causing blue screens

Status
Not open for further replies.
Apr 2, 2003
58
GB
Hi all,

I have been having odd BSODs for a while now; they mainly happen after the computer has been on a while.

The other day I did a clean install of WinXP PRo and put SP2 on after the re-install.

I have since had a couple of BSODs, and they all seem to relate to win32.sys.

Here are the bugchecks - I debugged the mindmp files using Windbg:

DMP!:
--------------------------------

WARNING: Whitespace at end of path element

Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini051405-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: .symfix[+] [DownstreamStore]
;srv*DownstreamStore*Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Sat May 14 14:00:23.265 2005 (GMT+1)
System Uptime: 0 days 3:02:42.824
Loading Kernel Symbols
................................................................................................................................................
Loading unloaded module list
...............
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, cd4, 0, c10f148d}

Probably caused by : win32k.sys ( win32k!HeavyFreePool+bb )

Followup: MachineOwner
---------

kd> !analyse -v
No export analyse found
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000cd4, (reserved)
Arg3: 00000000, Memory contents of the pool block
Arg4: c10f148d, Address of the block of pool being deallocated

Debugging Details:
------------------


BUGCHECK_STR: 0xc2_7

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 8054b741 to 8053331e

STACK_TEXT:
eff2d794 8054b741 000000c2 00000007 00000cd4 nt!KeBugCheckEx+0x1b
eff2d7e4 bf802abb c10f148d 00000000 eff2d800 nt!ExFreePoolWithTag+0x2be
eff2d7f4 bf805a35 c10f148d eff2d820 bf805a6a win32k!HeavyFreePool+0xbb
eff2d800 bf805a6a c10f148d 00000004 bf814208 win32k!FreeObject+0x25
eff2d80c bf814208 e2a05c10 bf829c2f e2a05c10 win32k!REGION::vDeleteREGION+0x14
eff2d814 bf829c2f e2a05c10 eff2dc00 bf8296c0 win32k!RGNOBJ::vDeleteRGNOBJ+0xc
eff2d820 bf8296c0 c10f148d bc6306e8 e1bda008 win32k!vSpFreeClipResources+0x17
eff2dc00 bf829bea e1bda008 bc6306e8 bc6306e8 win32k!vSpUpdateSpriteVisRgn+0x244
eff2dc14 bf829987 e1bda008 bf9a94c0 00000000 win32k!GreUpdateSpriteVisRgn+0x32
eff2dc34 bf828fbb bc6306e8 0000000c bf9a94c0 win32k!zzzInvalidateDCCache+0x102
eff2dc7c bf82760f bf9a94c0 00000000 bc63bc30 win32k!zzzBltValidBits+0xfa
eff2dcd4 bf82a32a 00000001 001c02a8 eff2dd24 win32k!xxxEndDeferWindowPosEx+0x121
eff2dcf4 bf82b596 bc63bc30 ffffffff 0000012e win32k!xxxSetWindowPos+0x101
eff2dd40 804de7ec bc63bc30 ffffffff 0000012e win32k!NtUserSetWindowPos+0x163
eff2dd40 7c90eb94 bc63bc30 ffffffff 0000012e nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
00c6e9f8 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
win32k!HeavyFreePool+bb
bf802abb 5d pop ebp

SYMBOL_STACK_INDEX: 2

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!HeavyFreePool+bb

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 422511a2

STACK_COMMAND: kb

FAILURE_BUCKET_ID: 0xc2_7_win32k!HeavyFreePool+bb

BUCKET_ID: 0xc2_7_win32k!HeavyFreePool+bb

Followup: MachineOwner
---------

---------------------------------------

DMP 2:


Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini051405-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*DownstreamStore*Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Sat May 14 22:06:22.437 2005 (GMT+1)
System Uptime: 0 days 3:36:51.985
Loading Kernel Symbols
...............................................................................................................................................
Loading unloaded module list
...............
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 8054ae34, f007caf0, 0}

Probably caused by : win32k.sys ( win32k!HeavyAllocPool+74 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8054ae34, The address that the exception occurred at
Arg3: f007caf0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!ExAllocatePoolWithTag+673
8054ae34 897104 mov [ecx+0x4],esi

TRAP_FRAME: f007caf0 -- (.trap fffffffff007caf0)
ErrCode = 00000002
eax=867e5048 ebx=867ee050 ecx=00000000 edx=000001aa esi=867eee48 edi=000001ff
eip=8054ae34 esp=f007cb64 ebp=f007cbb8 iopl=0 nv up ei ng nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
nt!ExAllocatePoolWithTag+0x673:
8054ae34 897104 mov [ecx+0x4],esi ds:0023:00000004=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

LAST_CONTROL_TRANSFER: from bf802b5a to 8054ae34

STACK_TEXT:
f007cbb8 bf802b5a 00000001 00000001 35306847 nt!ExAllocatePoolWithTag+0x673
f007cbd8 bf810305 00000d48 35306847 00000000 win32k!HeavyAllocPool+0x74
f007cbec bf805b32 00000d48 35306847 f007ce58 win32k!PALLOCMEM+0x18
f007cc08 bf80b037 00000d48 00000005 00000001 win32k!AllocateObject+0x9a
f007cc50 bf8a0564 000000fc 00000000 00000000 win32k!SURFMEM::bCreateDIB+0x1a7
f007d300 bf8b659e e12f0018 f007d43c e37568c8 win32k!EngTextOut+0x3eb
f007d34c bf8b6731 bf89fe06 f007d3d0 e12f0018 win32k!OffTextOut+0x71
f007d3e0 bf812700 e12f0018 f007d43c e37568c8 win32k!SpTextOut+0x9d
f007d668 bf813bfa f007d908 e3a7de9c e3a7def8 win32k!GreExtTextOutWLocked+0xfbf
f007d7d0 bf80de69 f007d908 7ffdf1dc 0000006c win32k!GreBatchTextOut+0x344
f007d924 804de7be 00000248 0012e42c 0012e444 win32k!NtGdiFlushUserBatch+0x11b
f007d934 7c90eb94 badb0d00 0012e42c 0012eb74 nt!KiFastCallEntry+0xca
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012e444 00000000 00000000 00000000 00000000 0x7c90eb94
f007dbec 80565cec f007dca8 f007dcac f007dc7c nt!KiCallUserMode+0x4
f007dc48 bf813dcd 00000002 f007dc8c 00000018 nt!KeUserModeCallback+0x87
f007dccc bf8035ee bc7231b0 0000000f 00000000 win32k!SfnDWORD+0xa8
f007dd0c bf80f4d8 0096d305 f007dd64 0012f180 win32k!xxxDispatchMessage+0x1dc
f007dd58 804de7ec 0012f2a0 0012f1b8 7c90eb94 win32k!NtUserDispatchMessage+0x39
f007dd58 7c90eb94 0012f2a0 0012f1b8 7c90eb94 nt!KiFastCallEntry+0xf8
0012f148 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
win32k!HeavyAllocPool+74
bf802b5a 8bd0 mov edx,eax

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!HeavyAllocPool+74

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 422511a2

STACK_COMMAND: .trap fffffffff007caf0 ; kb

FAILURE_BUCKET_ID: 0x8E_win32k!HeavyAllocPool+74

BUCKET_ID: 0x8E_win32k!HeavyAllocPool+74

Followup: MachineOwner
---------

kd> lm N T
Unknown option 'N'
Unknown option 'T'
start end module name
804d7000 806eb100 nt # (pdb symbols) DownstreamStore\ntoskrnl.pdb\32962337F0F646388B39535CD8DD70E82\ntoskrnl.pdb
806ec000 8070c380 hal (deferred)
bf800000 bf9c0500 win32k (pdb symbols) DownstreamStore\win32k.pdb\A3AB09585A2B460A862026EAC39852742\win32k.pdb
bf9c1000 bf9d2580 dxg (deferred)
bf9d3000 bfa0e000 ati2dvag (deferred)
bfa0e000 bfa40000 ati2cqag (deferred)
bfa40000 bfa72000 atikvmag (deferred)
bfa72000 bfca2440 ati3duag (deferred)
bfca3000 bfd37ba0 ativvaxx (deferred)
bffa0000 bffe5c00 ATMFD (deferred)
efd20000 efd49f00 kmixer (deferred)
f001c000 f003e000 RDPWD (deferred)
f017e000 f01be100 HTTP (deferred)
f0467000 f046ab20 PROTECT (deferred)
f046f000 f0471100 FTPFILT (deferred)
f0473000 f0476700 MAILFILT (deferred)
f0477000 f04794e0 POP3FILT (deferred)
f047b000 f047dd60 DNSCACHE (deferred)
f0483000 f0485aa0 HTMLFILT (deferred)
f048b000 f048e0e0 HTTPFILT (deferred)
f052f000 f0581180 srv (deferred)
f05d2000 f05fb4a0 PGPdisk (deferred)
f0624000 f0650400 mrxdav (deferred)
f06e1000 f06f0900 Cdfs (deferred)
f09c6000 f09da400 wdmaud (deferred)
f0b97000 f0b9a280 ndisuio (deferred)
f2c83000 f2c9a480 dump_atapi (deferred)
f2c9b000 f2cbe000 Fastfat (deferred)
f2cbe000 f2d444a0 avg7core (deferred)
f2d6d000 f2ddb400 mrxsmb (deferred)
f2e24000 f2e26900 Dxapi (deferred)
f2e2c000 f2e56a00 rdbss (deferred)
f2e77000 f2e85d80 sysaudio (deferred)
f2ef7000 f2f18d00 afd (deferred)
f2f19000 f2f40c00 netbt (deferred)
f2f41000 f2f61f00 ipnat (deferred)
f2f62000 f2f7bea0 FILTNT (deferred)
f2f7c000 f2fd3d80 tcpip (deferred)
f2fd4000 f2fe6400 ipsec (deferred)
f7098000 f70cb200 update (deferred)
f70cc000 f70fc100 rdpdr (deferred)
f70fd000 f710de00 psched (deferred)
f71ae000 f71c4680 ndiswan (deferred)
f7205000 f7207280 rasacd (deferred)
f7241000 f7244c80 mssmbios (deferred)
f7259000 f725b580 ndistapi (deferred)
f728d000 f72a0900 parport (deferred)
f72a1000 f72bc7a0 ptserlp (deferred)
f72e5000 f7308980 portcls (deferred)
f7309000 f734e500 emu10k1m (deferred)
f734f000 f7371e80 USBPORT (deferred)
f7372000 f7394680 ks (deferred)
f7395000 f73a8780 VIDEOPRT (deferred)
f73a9000 f74af000 ati2mtag (deferred)
f751f000 f7539580 Mup (deferred)
f753a000 f75cd840 vmodem (deferred)
f75ce000 f762f0a0 vpctcom (deferred)
f7630000 f765ca80 NDIS (deferred)
f765d000 f76e9480 Ntfs (deferred)
f76ea000 f7700780 KSecDD (deferred)
f7701000 f77161c0 PQV2i (deferred)
f7717000 f7728f00 sr (deferred)
f7729000 f7747780 fltmgr (deferred)
f7748000 f775f800 SCSIPORT (deferred)
f7760000 f7771380 fasttrak (deferred)
f7772000 f7789480 atapi (deferred)
f778a000 f77af700 dmio (deferred)
f77b0000 f77ce880 ftdisk (deferred)
f77cf000 f77dfa80 pci (deferred)
f77e0000 f780dd80 ACPI (deferred)
f782f000 f7837c00 isapnp (deferred)
f783f000 f7849500 MountMgr (deferred)
f784f000 f785bc80 VolSnap (deferred)
f785f000 f7867e00 disk (deferred)
f786f000 f787b200 CLASSPNP (deferred)
f787f000 f788ec40 vvoice (deferred)
f788f000 f7899800 amdagp (deferred)
f78df000 f78e8480 NDProxy (deferred)
f78ef000 f78fd100 usbhub (deferred)
f790f000 f7917700 wanarp (deferred)
f791f000 f7927080 ipfltdrv (deferred)
f792f000 f7937700 netbios (deferred)
f793f000 f7947f20 PQIMount (deferred)
f794f000 f7957880 Fips (deferred)
f79cf000 f79d9380 Imapi (deferred)
f79df000 f79eb180 cdrom (deferred)
f79ef000 f79fd080 redbook (deferred)
f79ff000 f7a09600 fetnd5b (deferred)
f7a0f000 f7a1db80 drmk (deferred)
f7a1f000 f7a27e80 sfmanm (deferred)
f7a2f000 f7a3ed80 serial (deferred)
f7a3f000 f7a4be00 i8042prt (deferred)
f7a4f000 f7a5a000 PGPsdk (deferred)
f7a5f000 f7a6b880 rasl2tp (deferred)
f7a6f000 f7a79200 raspppoe (deferred)
f7a7f000 f7a8ad00 raspptp (deferred)
f7a8f000 f7a97900 msgpc (deferred)
f7a9f000 f7aa8f00 termdd (deferred)
f7aaf000 f7ab5200 PCIIDEX (deferred)
f7ab7000 f7abb900 PartMgr (deferred)
f7b0f000 f7b16000 GEARAspiWDM (deferred)
f7b17000 f7b1c000 usbuhci (deferred)
f7b1f000 f7b26580 Modem (deferred)
f7b27000 f7b2b280 usbohci (deferred)
f7b2f000 f7b35800 usbehci (deferred)
f7b37000 f7b38000 fdc (deferred)
f7b3f000 f7b44a00 mouclass (deferred)
f7b47000 f7b4d000 kbdclass (deferred)
f7b4f000 f7b53880 TDI (deferred)
f7b57000 f7b5b580 ptilink (deferred)
f7b5f000 f7b63080 raspti (deferred)
f7b67000 f7b6c000 flpydisk (deferred)
f7b77000 f7b7c200 vga (deferred)
f7b7f000 f7b83a80 Msfs (deferred)
f7b87000 f7b8e880 Npfs (deferred)
f7b97000 f7b9c280 avg7rsxp (deferred)
f7bb7000 f7bbb500 watchdog (deferred)
f7c0f000 f7c14500 TDTCP (deferred)
f7c1f000 f7c26e60 ADBLOCK (deferred)
f7c3f000 f7c42000 BOOTVID (deferred)
f7d17000 f7d19980 gameenum (deferred)
f7d1f000 f7d22c80 serenum (deferred)
f7d2f000 f7d30b80 kdcom (deferred)
f7d31000 f7d32100 WMILIB (deferred)
f7d33000 f7d34500 viaide (deferred)
f7d35000 f7d36700 dmload (deferred)
f7d3d000 f7d3eb00 ctlfacem (deferred)
f7d3f000 f7d40100 swenum (deferred)
f7d41000 f7d42280 USBD (deferred)
f7d43000 f7d44f00 Fs_Rec (deferred)
f7d45000 f7d46080 Beep (deferred)
f7d47000 f7d48080 mnmdd (deferred)
f7d49000 f7d4a080 RDPCDD (deferred)
f7d51000 f7d52100 dump_WMILIB (deferred)
f7da5000 f7da6a80 ParVdm (deferred)
f7dab000 f7dac0e0 avgtdi (deferred)
f7de7000 f7de8140 CONTENT (deferred)
f7ded000 f7deea40 IMAPFILT (deferred)
f7df5000 f7df6860 NNTPFILT (deferred)
f7e33000 f7e33b80 Null (deferred)
f7e57000 f7e57fe0 avg7rsw (deferred)
f7e77000 f7e77e80 ctljystk (deferred)
f7e9c000 f7e9cd00 dxgthk (deferred)
f7f52000 f7f52c00 audstub (deferred)

Unloaded modules:
efd20000 efd4a000 kmixer.sys
efd20000 efd4a000 kmixer.sys
efd20000 efd4a000 kmixer.sys
efd20000 efd4a000 kmixer.sys
efd20000 efd4a000 kmixer.sys
eff28000 eff52000 kmixer.sys
efff2000 f001c000 kmixer.sys
f08d9000 f0903000 kmixer.sys
f7ea0000 f7ea1000 drmkaud.sys
f797f000 f798c000 DMusic.sys
f09a3000 f09c6000 aec.sys
f795f000 f796d000 swmidi.sys
f7d75000 f7d77000 splitter.sys
f7b6f000 f7b74000 Cdaudio.SYS
f7209000 f720c000 Sfloppy.SYS


-----------------------------------------


Has anyone had similar issues, what would be the recommended place to start in fixing this issue. I want to get back to having 100% reliability as I have alot of work to do!

Regards,

Muffin Research.
 
Hi the ATI drivers are indeed the latest. I am checking for any mobo drivers that are newer. I have found a newer driver for the RAID so I will update that.

I would be loathed to request a hotfix that is stated to fix a different problem. Maybe I'll leave that as the last resort.

Thanks for you answers and links so far,

muffinresearch.
 
I have had another crash although this time slightly different. I occured when I went to close Picasa 2. Uknown image is not very helpful is there any way to determine the cause?

Regards,

Muffinresearch


Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini051505-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*DownstreamStore*Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Sun May 15 22:52:51.750 2005 (GMT+1)
System Uptime: 0 days 3:50:17.313
Loading Kernel Symbols
................................................................................................................................................
Loading unloaded module list
.............
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {4d0056, 2, 0, 4d0056}

Probably caused by : Unknown_Image

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 004d0056, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 004d0056, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: 004d0056

CURRENT_IRQL: 2

FAULTING_IP:
+4d0056
004d0056 ?? ???

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f0005d00 to 004d0056

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f0b65cc4 f0005d00 00510020 ff00f100 00510080 0x4d0056
00010246 00000000 00000000 00000000 00000000 0xf0005d00


FAILED_INSTRUCTION_ADDRESS:
+4d0056
004d0056 ?? ???

FOLLOWUP_IP:
+4d0056
004d0056 ?? ???

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: kb

FAILURE_BUCKET_ID: 0xD1_CODE_AV

BUCKET_ID: 0xD1_CODE_AV

Followup: MachineOwner
---------
 
Turning off Software DEP seems to have helped alot hasn't crashed in quite a while.

I changed the Noexecute line at the end of boot.ini to this:

/NoExecute=AlwaysOff

This can be done from the system panel. Windows-key + Break gets you there then go to advanced and then Start-up and recovery.

hope this helps someone else

TTFN

muffinresearch.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top