Wilders Security Forums  

  #1  
Old February 5th, 2009, 05:47 AM
blin blin is offline
Infrequent Poster
 
Join Date: May 2008
Posts: 13
Default NOD32 eamon.sys bugcheck Vista SP1 x86 Free

Microsoft (R) Windows Debugger Version 6.10.0003.233 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\WinDDK\Dumps\Fi\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*d:\winddk\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista SP1 Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0x81c09000 PsLoadedModuleList = 0x81d20c70
Debug session time: Sat Jan 24 13:43:19.071 2009 (GMT+0)
System Uptime: 0 days 0:01:22.930
Loading Kernel Symbols
...............................................................
................................................................
...................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
Loading unloaded module list
....
*** ERROR: Symbol file could not be found. Defaulted to export symbols for eamon.sys -
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 18, {bad0b0b0, 81222b88, 2, 81d0b824}

Page 600db not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
Probably caused by : eamon.sys ( eamon+31d8 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

REFERENCE_BY_POINTER (18)
Arguments:
Arg1: bad0b0b0, Object type of the object whose reference count is being lowered
Arg2: 81222b88, Object whose reference count is being lowered
Arg3: 00000002, Reserved
Arg4: 81d0b824, Reserved
The reference count of an object is illegal for the current state of the object.
Each time a driver uses a pointer to an object the driver calls a kernel routine
to increment the reference count of the object. When the driver is done with the
pointer the driver calls another kernel routine to decrement the reference count.
Drivers must match calls to the increment and decrement routines. This bugcheck
can occur because an object's reference count goes to zero while there are still
open handles to the object, in which case the fourth parameter indicates the number
of opened handles. It may also occur when the object’s reference count drops below zero
whether or not there are open handles to the object, and in that case the fourth parameter
contains the actual value of the pointer references count.

Debugging Details:
------------------

Page 600db not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x18

PROCESS_NAME: MSASCui.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 9d6681d8 to 81c5a88e

STACK_TEXT:
9fead8ec 9d6681d8 81221258 81221238 81287ee0 nt!ObfDereferenceObject+0x66
WARNING: Stack unwind information not available. Following frames may be wrong.
9feada28 9d66a092 9feada40 9feada58 81221238 eamon+0x31d8
9feada5c 9d668c5a 81221238 00000000 81c4b601 eamon+0x5092
9feadab0 81cc4fd3 00000d08 81253330 811bc554 eamon+0x3c5a
9feadac8 81e29d11 05e64055 811bfdc4 87369df8 nt!IofCallDriver+0x63
9feadb98 81e4f3ff 87369e10 00000000 811bfd20 nt!IopParseDevice+0xf61
9feadc28 81e270f6 00000000 9feadc80 00000040 nt!ObpLookupObjectName+0x5a8
9feadc88 81e28bf3 000ff17c 00000000 00000001 nt!ObOpenObjectByName+0x13c
9feadcfc 81e19639 000ff1a8 00100021 000ff17c nt!IopCreateFile+0x63b
9feadd44 81c60a1a 000ff1a8 00100021 000ff17c nt!NtOpenFile+0x2a
9feadd44 77839a94 000ff1a8 00100021 000ff17c nt!KiFastCallEntry+0x12a
000ff19c 00000000 00000000 00000000 00000000 0x77839a94


STACK_COMMAND: kb

FOLLOWUP_IP:
eamon+31d8
9d6681d8 b868d6699d mov eax,offset eamon!PsGetThreadProcessId+0x333f4 (9d69d668)

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: eamon+31d8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: eamon

IMAGE_NAME: eamon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4869d3d5

FAILURE_BUCKET_ID: 0x18_BADMEMREF_eamon+31d8

BUCKET_ID: 0x18_BADMEMREF_eamon+31d8

Followup: MachineOwner
---------

1: kd> lmvm eamon
start end module name
9d665000 9d6b2000 eamon (export symbols) eamon.sys
Loaded symbol image file: eamon.sys
Image path: \SystemRoot\system32\DRIVERS\eamon.sys
Image name: eamon.sys
Timestamp: Tue Jul 01 07:51:01 2008 (4869D3D5)
CheckSum: 00018854
ImageSize: 0004D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

Last edited by ronjor : February 5th, 2009 at 10:10 AM.
  #2  
Old February 5th, 2009, 08:27 AM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,192
Default Re: NOD32 eamon.sys bugcheck Vista SP1 x86 Free

No info about the installed version of EAV?
  #3  
Old February 5th, 2009, 02:28 PM
blin blin is offline
Infrequent Poster
 
Join Date: May 2008
Posts: 13
Default Re: NOD32 eamon.sys bugcheck Vista SP1 x86 Free

Here you go Marcos

http://img6.imageshack.us/img6/8655/esetml6.jpg


Bugchecking on a daily basis on this machine now:


Microsoft (R) Windows Debugger Version 6.10.0003.233 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\WinDDK\Dumps\Fi\2\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*d:\winddk\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista SP1 Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0x81c40000 PsLoadedModuleList = 0x81d57c70
Debug session time: Thu Feb 5 19:08:55.076 2009 (GMT+0)
System Uptime: 0 days 0:01:00.997
Loading Kernel Symbols
...............................................................
................................................................
...................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
Loading unloaded module list
....
*** ERROR: Symbol file could not be found. Defaulted to export symbols for eamon.sys -
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 18, {0, 9debe020, 2, 9dc655c0}

Page 5ef9f not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
Probably caused by : eamon.sys ( eamon+31d8 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 00000000, Object type of the object whose reference count is being lowered
Arg2: 9debe020, Object whose reference count is being lowered
Arg3: 00000002, Reserved
Arg4: 9dc655c0, Reserved
The reference count of an object is illegal for the current state of the object.
Each time a driver uses a pointer to an object the driver calls a kernel routine
to increment the reference count of the object. When the driver is done with the
pointer the driver calls another kernel routine to decrement the reference count.
Drivers must match calls to the increment and decrement routines. This bugcheck
can occur because an object's reference count goes to zero while there are still
open handles to the object, in which case the fourth parameter indicates the number
of opened handles. It may also occur when the object’s reference count drops below zero
whether or not there are open handles to the object, and in that case the fourth parameter
contains the actual value of the pointer references count.

Debugging Details:
------------------

Page 5ef9f not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x18

PROCESS_NAME: rundll32.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 9c6741d8 to 81c9188e

STACK_TEXT:
a10608ec 9c6741d8 9de51690 9de51670 9073b440 nt!ObfDereferenceObject+0x66
WARNING: Stack unwind information not available. Following frames may be wrong.
a1060a28 9c676092 a1060a40 a1060a58 9de51670 eamon+0x31d8
a1060a5c 9c674c5a 9de51670 00000000 81c82601 eamon+0x5092
a1060ab0 81cfbfd3 00000d28 8edf3c80 9e2a23bc eamon+0x3c5a
a1060ac8 81e60d11 bb57a5c9 9d6285ac 87499df8 nt!IofCallDriver+0x63
a1060b98 81e863ff 87499e10 00000000 9d628508 nt!IopParseDevice+0xf61
a1060c28 81e5e0f6 00000000 a1060c80 00000040 nt!ObpLookupObjectName+0x5a8
a1060c88 81e5fbf3 001ced44 00000000 00000001 nt!ObOpenObjectByName+0x13c
a1060cfc 81e50639 001cedb0 001200a9 001ced44 nt!IopCreateFile+0x63b
a1060d44 81c97a1a 001cedb0 001200a9 001ced44 nt!NtOpenFile+0x2a
a1060d44 77ad9a94 001cedb0 001200a9 001ced44 nt!KiFastCallEntry+0x12a
001cf110 00000000 00000000 00000000 00000000 0x77ad9a94


STACK_COMMAND: kb

FOLLOWUP_IP:
eamon+31d8
9c6741d8 b868966a9c mov eax,offset eamon!PsGetThreadProcessId+0x333f4 (9c6a9668)

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: eamon+31d8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: eamon

IMAGE_NAME: eamon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4869d3d5

FAILURE_BUCKET_ID: 0x18_eamon+31d8

BUCKET_ID: 0x18_eamon+31d8

Followup: MachineOwner
---------

1: kd> lmvm eamon
start end module name
9c671000 9c6be000 eamon (export symbols) eamon.sys
Loaded symbol image file: eamon.sys
Image path: \SystemRoot\system32\DRIVERS\eamon.sys
Image name: eamon.sys
Timestamp: Tue Jul 01 07:51:01 2008 (4869D3D5)
CheckSum: 00018854
ImageSize: 0004D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4


Let me know if you would like some of these crash dumps uploaded.
  #4  
Old February 5th, 2009, 05:32 PM
Marcos Marcos is online now
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,192
Default Re: NOD32 eamon.sys bugcheck Vista SP1 x86 Free

Version 3.0.669 is quite old. Please uninstall it and install the latest version 3.0.684.
  #5  
Old February 6th, 2009, 03:26 AM
blin blin is offline
Infrequent Poster
 
Join Date: May 2008
Posts: 13
Default Re: NOD32 eamon.sys bugcheck Vista SP1 x86 Free

Will do - thanks.
  #6  
Old February 9th, 2009, 04:01 PM
blin blin is offline
Infrequent Poster
 
Join Date: May 2008
Posts: 13
Default Re: NOD32 eamon.sys bugcheck Vista SP1 x86 Free

Still bugchecking with 3.0.684.0


Microsoft (R) Windows Debugger Version 6.10.0003.233 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\WinDDK\Dumps\Fi\3\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*d:\winddk\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista SP1 Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0x81c14000 PsLoadedModuleList = 0x81d2bc70
Debug session time: Mon Feb 9 20:29:19.873 2009 (GMT+0)
System Uptime: 0 days 0:00:44.794
Loading Kernel Symbols
...............................................................
................................................................
...................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {c0000005, 81e403a5, 9ef63768, 0}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for eamon.sys -
Page 5f102 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Probably caused by : eamon.sys ( eamon+325d )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81e403a5, The address that the exception occurred at
Arg3: 9ef63768, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

Page 5f102 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!AlpcpProcessSynchronousRequest+116
81e403a5 f00fb117 lock cmpxchg dword ptr [edi],edx

TRAP_FRAME: 9ef63768 -- (.trap 0xffffffff9ef63768)
ErrCode = 00000002
eax=00000000 ebx=00040001 ecx=0003fff9 edx=00000011 esi=80c32e28 edi=0003fff9
eip=81e403a5 esp=9ef637dc ebp=9ef6384c iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!AlpcpProcessSynchronousRequest+0x116:
81e403a5 f00fb117 lock cmpxchg dword ptr [edi],edx ds:0023:0003fff9=??
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: sttray.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 81c4a590 to 81ce10e3

STACK_TEXT:
9ef63328 81c4a590 0000008e c0000005 81e403a5 nt!KeBugCheckEx+0x1e
9ef636f8 81c6c5da 9ef63714 00000000 9ef63768 nt!KiDispatchException+0x1a9
9ef63760 81c6c58e 9ef6384c 81e403a5 badb0d00 nt!CommonDispatchException+0x4a
9ef63788 82338ba7 8771a600 00000000 00000000 nt!Kei386EoiHelper+0x186
9ef6384c 81e40fe6 80c32e28 00020002 9ef638e8 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x251
9ef638ac 81df2a95 80c32e28 9ef638e8 00000000 nt!LpcpRequestWaitReplyPort+0x66
9ef638c8 9be6825d 80c32e28 9ef638e8 9ef638e8 nt!LpcRequestWaitReplyPort+0x1b
WARNING: Stack unwind information not available. Following frames may be wrong.
9ef63a10 9be6a166 9ef63a28 9ef63a40 00000000 eamon+0x325d
9ef63a44 9be68d37 80c32ea0 00000000 00000000 eamon+0x5166
9ef63a98 81ccffd3 00000c80 8eccd290 80c3974c eamon+0x3d37
9ef63ab0 81e34d11 9d3b03a3 9d707adc 875976f0 nt!IofCallDriver+0x63
9ef63b80 81e5a3ff 87597708 00000000 9d707a38 nt!IopParseDevice+0xf61
9ef63c10 81e320f6 00000000 9ef63c68 00000040 nt!ObpLookupObjectName+0x5a8
9ef63c70 81e33bf3 0367e854 00000000 00000001 nt!ObOpenObjectByName+0x13c
9ef63ce4 81e3afea 0367e8b8 80100080 0367e854 nt!IopCreateFile+0x63b
9ef63d30 81c6ba1a 0367e8b8 80100080 0367e854 nt!NtCreateFile+0x34
9ef63d30 777b9a94 0367e8b8 80100080 0367e854 nt!KiFastCallEntry+0x12a
0367e8b0 00000000 00000000 00000000 00000000 0x777b9a94


STACK_COMMAND: kb

FOLLOWUP_IP:
eamon+325d
9be6825d 8bf0 mov esi,eax

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: eamon+325d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: eamon

IMAGE_NAME: eamon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 49021686

FAILURE_BUCKET_ID: 0x8E_eamon+325d

BUCKET_ID: 0x8E_eamon+325d

Followup: MachineOwner
---------

0: kd> lmvm eamon
start end module name
9be65000 9beb2000 eamon (export symbols) eamon.sys
Loaded symbol image file: eamon.sys
Image path: \SystemRoot\system32\DRIVERS\eamon.sys
Image name: eamon.sys
Timestamp: Fri Oct 24 19:40:06 2008 (49021686)
CheckSum: 0000E350
ImageSize: 0004D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

c0000005 is STATUS_ACCESS_VIOLATION (as you well know I'm sure).

let me know if you want more information.
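
Added example (not part of the thread, and not ESET or Microsoft code): a small Python triage script that reduces the three `!analyze -v` outputs posted above to the fields worth comparing across dumps, and decodes DEBUG_FLR_IMAGE_TIMESTAMP to check whether the driver build actually changed between crashes. The dump excerpts are copied from the posts; the function names and dictionary keys are hypothetical.

```python
import re
from datetime import datetime, timezone

# Excerpts from the three dumps posted in this thread: bugcheck line, process,
# the frame just above the driver, the first driver frame, and the image timestamp.
DUMPS = {
    "2009-01-24": """BugCheck 18, {bad0b0b0, 81222b88, 2, 81d0b824}
PROCESS_NAME: MSASCui.exe
9fead8ec 9d6681d8 81221258 81221238 81287ee0 nt!ObfDereferenceObject+0x66
9feada28 9d66a092 9feada40 9feada58 81221238 eamon+0x31d8
DEBUG_FLR_IMAGE_TIMESTAMP: 4869d3d5""",
    "2009-02-05": """BugCheck 18, {0, 9debe020, 2, 9dc655c0}
PROCESS_NAME: rundll32.exe
a10608ec 9c6741d8 9de51690 9de51670 9073b440 nt!ObfDereferenceObject+0x66
a1060a28 9c676092 a1060a40 a1060a58 9de51670 eamon+0x31d8
DEBUG_FLR_IMAGE_TIMESTAMP: 4869d3d5""",
    "2009-02-09": """BugCheck 8E, {c0000005, 81e403a5, 9ef63768, 0}
PROCESS_NAME: sttray.exe
9ef638c8 9be6825d 80c32e28 9ef638e8 9ef638e8 nt!LpcRequestWaitReplyPort+0x1b
9ef63a10 9be6a166 9ef63a28 9ef63a40 00000000 eamon+0x325d
DEBUG_FLR_IMAGE_TIMESTAMP: 49021686""",
}

# One `kb` frame: ChildEBP, RetAddr, three args, then symbol+0xoffset.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+?)\+0x([0-9a-f]+)$", re.M)

def field(pattern, text):
    """Return the first capture group of a line-anchored pattern."""
    return re.search(pattern, text, re.M).group(1)

def summarize(text, module="eamon"):
    """Reduce one !analyze -v excerpt to the fields worth comparing across dumps."""
    frames = FRAME.findall(text)  # top of stack first, as the debugger reports them
    i = next(n for n, (sym, _) in enumerate(frames) if sym == module)
    stamp = int(field(r"^DEBUG_FLR_IMAGE_TIMESTAMP:\s*([0-9a-f]+)", text), 16)
    return {
        "bugcheck": field(r"^BugCheck ([0-9A-Fa-f]+),", text),
        "process": field(r"^PROCESS_NAME:\s*(\S+)", text),
        "driver_frame": f"{module}+0x{frames[i][1]}",
        "called_into": frames[i - 1][0] if i else None,
        # The PE TimeDateStamp is seconds since 1970-01-01 UTC.
        "build_utc": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }

def triage(dumps=DUMPS):
    """Summarize every dump and list the distinct driver builds seen."""
    rows = {day: summarize(text) for day, text in dumps.items()}
    builds = sorted({r["build_utc"] for r in rows.values()})
    return rows, builds

if __name__ == "__main__":
    rows, builds = triage()
    for day, r in rows.items():
        print(day, r)
    print("distinct driver builds:", builds)
```

The output lists two distinct eamon.sys builds, with the first two dumps sharing one build and one faulting offset. The `lmvm` output in the posts prints the same timestamps in the debugger's local time zone, so the UTC values here are one hour earlier.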
 

All times are GMT -4.