BSOD - Bug Analysis, help interpreting?

Deadbeat · 4 Mar 2013 at 19:39

Hey folks, having a few issues with the gf/s computer. It's been randomly not going to POST on start-up, and when it does boot up it occasionally BSODs on random tasks - opening documents, web browser and so forth. I've done a bit of hunting and unearthed how to read the dump files, but as to how to interpret it, well - not a clue. Anyone out there able to give me a heads-up?

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff9600017263d, Address of the instruction which caused the bugcheck
Arg3: fffff8800a465210, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
win32k!NtUserGetProp+3d
fffff960`0017263d 8b5104 mov edx,dword ptr [rcx+4]

CONTEXT: fffff8800a465210 -- (.cxr 0xfffff8800a465210)
rax=fffff900c0809ad0 rbx=0000000000000000 rcx=fff7f900c0812ac0
rdx=fffffa800a316360 rsi=0000000000000000 rdi=000000000000c048
rip=fffff9600017263d rsp=fffff8800a465bf0 rbp=fffff8800a465ca0
r8=fffff900c1f5d5e0 r9=0000000000000000 r10=fffff96000172600
r11=fffff900c1f5d5e0 r12=0000000000000069 r13=0000000000000001
r14=000000000391f2e0 r15=00000000ff8c1d38
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
win32k!NtUserGetProp+0x3d:
fffff960`0017263d 8b5104 mov edx,dword ptr [rcx+4] ds:002b:fff7f900`c0812ac4=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: explorer.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff8000308bed3 to fffff9600017263d

STACK_TEXT:
fffff880`0a465bf0 fffff800`0308bed3 : fffffa80`09fb4b50 00000000`0391f0f8 00000000`00000000 00000000`0000c048 : win32k!NtUserGetProp+0x3d
fffff880`0a465c20 00000000`76b888da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0391f148 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76b888da

FOLLOWUP_IP:
win32k!NtUserGetProp+3d
fffff960`0017263d 8b5104 mov edx,dword ptr [rcx+4]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: win32k!NtUserGetProp+3d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 50e64bda

STACK_COMMAND: .cxr 0xfffff8800a465210 ; kb

FAILURE_BUCKET_ID: X64_0x3B_win32k!NtUserGetProp+3d

BUCKET_ID: X64_0x3B_win32k!NtUserGetProp+3d

Followup: MachineOwner
---------

snips86x · 4 Mar 2013 at 21:19

What are the specs of the machine?
Overclocked?

RHS · 4 Mar 2013 at 22:47

If the PC is not posting and your having issues before the OS takes over you might be looking at a loose component such as RAM or a PCI card. Simple stuff to do would be to reseat cards and ram, HDD sata cables etc do ths even if they look fine. I had a perfectly good PC BSOD due to loose RAM. Also try booting to safe mode to rule out some driver issues. What has changed before the problem occurred? New software installed? Windows updates, new driver? All of these could point at the problem. No matter how small the change it could be the source of the problem. Disable startup program's if you can, via msconfig, could be something there crashing windows.

SaTrOx · 5 Mar 2013 at 02:25

Its software or ram related problem. Type this in google: 0xc0000005 and u should find solution to your problem. Your best bet is to format your hard drive

http://www.fix-this-error.com/error-0xc000005/

i also found this while investigating your problem

if your'e affraid to click this link heres what it says :

So what’s this error 0xc000005? The most common cause for this error is a faulty memory, memory has “addresses” each address has a number, 0xc000005 is just the address of a small (tiny) part of your memory. When this part is corrupted and windows (or any windows program) tries to access it, you get this dreaded access violation error. A faulty memory needs to be replaced, if you have upgraded your memory recently and you suddenly started getting this weird error, try putting your old RAM back and see if it fixes the problem.
The second possibility is a broken registry, the registry is essentially a database that windows uses to keep track of different configurations related to the programs installed on your computer. When the registry is broken or not configured correctly it can sometimes cause errors like these to occur. An access violation error can in many cases be due to a program messing up a few registry entries and unintentionally blocking access to some parts of your memory.
If you don’t think that your computer RAM is the problem, then try RegEasy, it’s a little program that comes with a free scanner and can actually tell you if something is wrong with your windows registry. You can check it out here.

dt97583 · 5 Mar 2013 at 06:10

I'd run memtest86 and possibly SFC /scan now. As above, is the machine overclocked?

Deadbeat · 5 Mar 2013 at 08:11

Hey folks, she's really not sure what gear she has. I know it's an AMD processor and that she got some Crucial Ballistix 12800 RAM last year (https://www.overclockers.co.uk/showproduct.php?prodid=MY-132-CR - strangely, 31.19 in January last year and now £50 before discount :/). Updating her ATI drivers (Sapphire 5830) seemed to help last night, but this morninm another BSOD - this time with a 0x0000001E stop code. Can't boot it up to get the dump file, won't got to POST again, so now's a good a time as any to reseat the RAM, I suppose...

Edit: Booted, minidump appropriated and processed:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {0, 0, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KiKernelCalloutExceptionHandler+e )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: 0000000000000000, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception

Debugging Details:
------------------

EXCEPTION_CODE: (Win32) 0 (0) - The operation completed successfully.

FAULTING_IP:
+3937313133326239
00000000`00000000 ?? ???

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000000000000000

ERROR_CODE: (NTSTATUS) 0 - STATUS_WAIT_0

BUGCHECK_STR: 0x1E_0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 2

EXCEPTION_RECORD: fffff88002f1bb48 -- (.exr 0xfffff88002f1bb48)
ExceptionAddress: fffff800030829c2 (nt!KiIdleLoop+0x00000000000000d2)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

TRAP_FRAME: fffff88002f1bbf0 -- (.trap 0xfffff88002f1bbf0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000018c570 rbx=0000000000000000 rcx=0000000000000002
rdx=0000006600000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800030829c2 rsp=fffff88002f1bd80 rbp=0000000000000000
r8=0000000000000000 r9=00000000002fe644 r10=00000000000178d0
r11=fffffa80073a51fe r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na pe nc
nt!KiIdleLoop+0xd2:
fffff800`030829c2 48014718 add qword ptr [rdi+18h],rax ds:00000000`00000018=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8000308263e to fffff8000308ac10

STACK_TEXT:
fffff880`02f1ac28 fffff800`0308263e : fffffa80`0a429380 fffffa80`09cb7680 fffff880`02f1b3a0 fffff800`030b5b80 : nt!KeBugCheck
fffff880`02f1ac30 fffff800`030b584d : 00000000`0010001f fffff880`02f1b3a0 fffff880`02f1bbf0 fffff880`02f1bb48 : nt!KiKernelCalloutExceptionHandler+0xe
fffff880`02f1ac60 fffff800`030b4625 : fffff800`031db008 fffff880`02f1acd8 fffff880`02f1bb48 fffff800`03015000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`02f1ac90 fffff800`030c55b1 : fffff880`02f1bb48 fffff880`02f1b3a0 fffff880`00000000 fff7f880`009f3f40 : nt!RtlDispatchException+0x415
fffff880`02f1b370 fffff800`0308a2c2 : fffff880`02f1bb48 fffff880`009e9180 fffff880`02f1bbf0 fffffa80`09c29060 : nt!KiDispatchException+0x135
fffff880`02f1ba10 fffff800`03088bca : 00000000`000000e8 00000000`000000f8 fffffa80`073a5150 00000000`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`02f1bbf0 fffff800`030829c2 : fffff880`009e9180 fffff880`00000000 00000000`00000000 fffff880`068d2588 : nt!KiGeneralProtectionFault+0x10a
fffff880`02f1bd80 00000000`00000000 : fffff880`02f1c000 fffff880`02f16000 fffff880`02f1bd40 00000000`00000000 : nt!KiIdleLoop+0xd2

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiKernelCalloutExceptionHandler+e
fffff800`0308263e 90 nop

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!KiKernelCalloutExceptionHandler+e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 50e79935

FAILURE_BUCKET_ID: X64_0x1E_0_nt!KiKernelCalloutExceptionHandler+e

BUCKET_ID: X64_0x1E_0_nt!KiKernelCalloutExceptionHandler+e

Followup: MachineOwner
---------

1: kd> lmvm nt
start end module name
fffff800`03015000 fffff800`035fc000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\B09DFEAFE5F546ECA785C4F8577A2CC02\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Mapped memory image file: c:\symbols\ntoskrnl.exe\50E799355e7000\ntoskrnl.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Sat Jan 05 03:08:37 2013 (50E79935)
CheckSum: 0054E86D
ImageSize: 005E7000
File version: 6.1.7601.18044
Product version: 6.1.7601.18044
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7601.18044
FileVersion: 6.1.7601.18044 (win7sp1_gdr.130104-1431)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.

Edit 2: Sorry, just to clarify no overclock at all