crash minidump

Discussion in 'LnS English Forum' started by Hitman3266, Dec 5, 2007.

Thread Status:
Not open for further replies.
  1. Hitman3266

    Hitman3266 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    14
    what is this caused by?

    Code:
    Microsoft (R) Windows Debugger  Version 6.7.0005.1
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Documents and Settings\Owner\Desktop\Mini120507-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp2_gdr.070227-2254
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
    Debug session time: Wed Dec  5 05:06:52.765 2007 (GMT-5)
    System Uptime: 0 days 18:47:30.095
    Loading Kernel Symbols
    .....................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ..............
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1000007E, {c0000005, eec2701a, f7a9dae0, f7a9d7dc}
    
    *** WARNING: Unable to verify timestamp for lnsfw1.sys
    *** ERROR: Module load completed but symbols could not be loaded for lnsfw1.sys
    *** WARNING: Unable to verify timestamp for nltdi.sys
    *** ERROR: Module load completed but symbols could not be loaded for nltdi.sys
    Probably caused by : lnsfw1.sys ( lnsfw1+7131 )
    
    Followup: MachineOwner
    ---------
    
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: eec2701a, The address that the exception occurred at
    Arg3: f7a9dae0, Exception Record Address
    Arg4: f7a9d7dc, Context Record Address
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
    
    FAULTING_IP: 
    tcpip!TdiSend+17
    eec2701a 034814          add     ecx,dword ptr [eax+14h]
    
    EXCEPTION_RECORD:  f7a9dae0 -- (.exr 0xfffffffff7a9dae0)
    ExceptionAddress: eec2701a (tcpip!TdiSend+0x00000017)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: 01000014
    Attempt to read from address 01000014
    
    CONTEXT:  f7a9d7dc -- (.cxr 0xfffffffff7a9d7dc)
    eax=01000000 ebx=856ac5b0 ecx=00000044 edx=eec5d600 esi=8559c9f0 edi=00000044
    eip=eec2701a esp=f7a9dba8 ebp=f7a9dbc0 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    tcpip!TdiSend+0x17:
    eec2701a 034814          add     ecx,dword ptr [eax+14h] ds:0023:01000014=????????
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    PROCESS_NAME:  System
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
    
    READ_ADDRESS:  01000014 
    
    BUGCHECK_STR:  0x7E
    
    LAST_CONTROL_TRANSFER:  from eec26766 to eec2701a
    
    STACK_TEXT:  
    f7a9dbc0 eec26766 f7a9dbe4 00000000 00000044 tcpip!TdiSend+0x17
    f7a9dbf4 eec2423d 8559c9f0 856ac5d4 8559ca7c tcpip!TCPSendData+0x83
    f7a9dc10 804e37f7 8619b198 8559c9f0 8559caa0 tcpip!TCPDispatchInternalDeviceControl+0x51
    f7a9dc20 eec12131 8559caa8 860571c8 8559c9f0 nt!IopfCallDriver+0x31
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f7a9dc70 eec0b6bf 861839a0 8559c9f0 8559ca84 lnsfw1+0x7131
    f7a9dce8 804e37f7 861838e8 8559c9f0 8559cacc lnsfw1+0x6bf
    f7a9ddac 8057d0f1 00000000 00000000 00000000 nt!IopfCallDriver+0x31
    f7a9dd0c eebfab36 86059490 8559c9f0 861838e8 nt!PspSystemThreadStartup+0x34
    f7a9dd48 eebfacf0 00000000 eebfaa26 85d6ece8 nltdi+0x2b36
    f7a9dd5c eebfc573 8588f928 00000000 f7a9dda4 nltdi+0x2cf0
    f7a9dd70 eebfc5e8 85d6ece8 00000000 00000000 nltdi+0x4573
    f7a9dd90 eebfc64b f7a9dda4 00000000 86276510 nltdi+0x45e8
    f7a9ddac 8057d0f1 00000000 00000000 00000000 nltdi+0x464b
    f7a9dddc 804f827a eebfc5f8 00000000 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    
    
    FOLLOWUP_IP: 
    lnsfw1+7131
    eec12131 ??              ???
    
    SYMBOL_STACK_INDEX:  4
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: lnsfw1
    
    IMAGE_NAME:  lnsfw1.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4635eb89
    
    SYMBOL_NAME:  lnsfw1+7131
    
    STACK_COMMAND:  .cxr 0xfffffffff7a9d7dc ; kb
    
    FAILURE_BUCKET_ID:  0x7E_lnsfw1+7131
    
    BUCKET_ID:  0x7E_lnsfw1+7131
    
    Followup: MachineOwner
    ---------
    It's running on a 24/7 machine that seems to restart every day for no reason?
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Could you send me the minidump file at lnssupport@soft4ever.com ?
    Also tell me which version of Look 'n' Stop you are using.

    Thanks,

    Frederic
     
  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Thanks for the Minidump file.

    lnsfw1.sys involvement is very light in this crash.
    I don't know what could be wrong, since the crash is occurring in Windows internals and not directly in lnsfw1.sys itself.

    Do you mean you have the crash once a day?
    Do you know the conditions under which it happens (during a file download, just after having allowed an application to connect...)?

    Frederic
     
  4. Hitman3266

    Hitman3266 Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    14
    It's running basically on a server, with Apache, FTP, Ventrilo, SSH, and MySQL, and a torrent client (Azureus) and VNC, untouched, so it's under pretty good use. It crashes every 12 hours or so, restarts itself, and writes a minidump file. Here's the one it wrote yesterday:

    Code:
    
    Microsoft (R) Windows Debugger  Version 6.7.0005.1
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Documents and Settings\Owner\Desktop\Mini120707-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 2600.xpsp_sp2_gdr.070227-2254
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
    Debug session time: Fri Dec  7 05:35:05.027 2007 (GMT-5)
    System Uptime: 1 days 8:05:20.528
    Loading Kernel Symbols
    ....................................................................................................................
    Loading User Symbols
    Loading unloaded module list
    ............
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1000008E, {c0000005, 804ecc18, ed6a8780, 0}
    
    *** WARNING: Unable to verify timestamp for lnsfw1.sys
    *** ERROR: Module load completed but symbols could not be loaded for lnsfw1.sys
    Probably caused by : lnsfw1.sys ( lnsfw1+7f1d )
    
    Followup: MachineOwner
    ---------
    
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 804ecc18, The address that the exception occurred at
    Arg3: ed6a8780, Trap Frame
    Arg4: 00000000
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
    
    FAULTING_IP: 
    nt!MmMapLockedPagesSpecifyCache+2e6
    804ecc18 804b0601        or      byte ptr [ebx+6],1
    
    TRAP_FRAME:  ed6a8780 -- (.trap 0xffffffffed6a8780)
    ErrCode = 00000003
    eax=f7d25040 ebx=01000000 ecx=0000001f edx=00000001 esi=00000163 edi=00000001
    eip=804ecc18 esp=ed6a87f4 ebp=ed6a8818 iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
    nt!MmMapLockedPagesSpecifyCache+0x2e6:
    804ecc18 804b0601        or      byte ptr [ebx+6],1         ds:0023:01000006=00
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  DRIVER_FAULT
    
    BUGCHECK_STR:  0x8E
    
    PROCESS_NAME:  Azureus.exe
    
    LAST_CONTROL_TRANSFER:  from eec2f0ed to 804ecc18
    
    STACK_TEXT:  
    ed6a8818 eec2f0ed 01000020 1f000000 c03df498 nt!MmMapLockedPagesSpecifyCache+0x2e6
    ed6a8838 eec2427f 01000000 00000010 85c800da tcpip!TcpipBufferVirtualAddress+0x24
    ed6a8858 eec25b32 0002a4fa 85c874cc 85cdc958 tcpip!XsumSendChain+0x44
    ed6a88d8 eec2594a 85852960 85cdc958 859be8c0 tcpip!UDPSend+0x3ca
    ed6a88fc eec259b0 006a8920 859befa0 85c8750c tcpip!TdiSendDatagram+0xd5
    ed6a8934 eec24308 859be8c0 859be930 859be94c tcpip!UDPSendDatagram+0x4f
    ed6a8950 804e37f7 85ec4f18 859be8c0 859be970 tcpip!TCPDispatchInternalDeviceControl+0xff
    ed6a8960 eec12f1d 859be978 861909b8 859be8c0 nt!IopfCallDriver+0x31
    WARNING: Stack unwind information not available. Following frames may be wrong.
    ed6a89d4 eec0b77b 86189a98 859be8c0 859be954 lnsfw1+0x7f1d
    ed6a8a4c 804e37f7 861899e0 859be8c0 859be99c lnsfw1+0x77b
    ed6a8aa0 804e37f7 8628df18 859be8c0 8587a7a0 nt!IopfCallDriver+0x31
    ed6a8ab0 eeb917f7 ed6a8b9c 00000008 ed6a8b10 nt!IopfCallDriver+0x31
    ed6a8b08 eeb88bce 155deeb4 eeb88bce 8587a7a0 afd!AfdFastDatagramSend+0x2fd
    ed6a8c50 8057d2ee 85be1f90 00000001 155ded84 afd!AfdFastIoDeviceControl+0x2a7
    ed6a8d00 8057d281 0000062c 00000ef8 00000000 nt!IopXxxControlFile+0x261
    ed6a8d34 804de7ec 0000062c 00000ef8 00000000 nt!NtDeviceIoControlFile+0x2a
    ed6a8d34 7c90eb94 0000062c 00000ef8 00000000 nt!KiFastCallEntry+0xf8
    155dee74 00000000 00000000 00000000 00000000 0x7c90eb94
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    lnsfw1+7f1d
    eec12f1d ??              ???
    
    SYMBOL_STACK_INDEX:  8
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: lnsfw1
    
    IMAGE_NAME:  lnsfw1.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4635eb89
    
    SYMBOL_NAME:  lnsfw1+7f1d
    
    FAILURE_BUCKET_ID:  0x8E_lnsfw1+7f1d
    
    BUCKET_ID:  0x8E_lnsfw1+7f1d
    
    Followup: MachineOwner
    ---------
    
    
    ---------
    other than that it works great
     
  5. controler

    controler Guest

    Hitman

    Your first minidump points to System as the process.
    The second one points to your BitTorrent exe.

    A better way to find out what is going on is to physically connect another computer to the crashing one and look at the kernel dump. The kernel dump file is much larger in size and must be set up in System Properties, Advanced, Startup and Recovery settings. You look at the kernel dump with the other computer running WinDbg.
     
  6. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Ok, so the crash doesn't happen at the same location each time.

    Did you verify all crashes, and each time it is linked to a network context involving lnsfw1.sys ?

    Could you send me several crash dump files (not all ;) , but just 4 or 5), maybe I will find some similarities between them.
    The problem is that the crash is not happening directly in lnsfw1, so it is difficult to say where the problem is.

    Thanks,

    Frederic
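
The comparison requested in the last post (looking for similarities across several dumps) can be scripted. This is an added example, not part of the thread and not Look 'n' Stop code: it extracts the comparable fields from `!analyze -v` transcripts and intersects them. The two inputs are trimmed excerpts of the dumps posted above; the function and field names are this example's own.

```python
import re

# Trimmed excerpts of the two `!analyze -v` outputs posted in this thread.
DUMP_1 = """\
BugCheck 1000007E, {c0000005, eec2701a, f7a9dae0, f7a9d7dc}
FAULTING_IP:
tcpip!TdiSend+17
eax=01000000 ebx=856ac5b0 ecx=00000044 edx=eec5d600 esi=8559c9f0 edi=00000044
PROCESS_NAME:  System
f7a9dbc0 eec26766 f7a9dbe4 00000000 00000044 tcpip!TdiSend+0x17
f7a9dc70 eec0b6bf 861839a0 8559c9f0 8559ca84 lnsfw1+0x7131
IMAGE_NAME:  lnsfw1.sys
"""
DUMP_2 = """\
BugCheck 1000008E, {c0000005, 804ecc18, ed6a8780, 0}
FAULTING_IP:
nt!MmMapLockedPagesSpecifyCache+2e6
eax=f7d25040 ebx=01000000 ecx=0000001f edx=00000001 esi=00000163 edi=00000001
PROCESS_NAME:  Azureus.exe
ed6a8838 eec2427f 01000000 00000010 85c800da tcpip!TcpipBufferVirtualAddress+0x24
ed6a89d4 eec0b77b 86189a98 859be8c0 859be954 lnsfw1+0x7f1d
IMAGE_NAME:  lnsfw1.sys
"""
# One stack frame: ChildEBP, RetAddr, three args, then module!symbol or module+offset.
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\w+)[!+]", re.M)
SCALARS = ("bugcheck", "exception", "faulting_ip", "process", "blamed_image")

def summarize(text):
    """Pull the fields worth comparing out of one `!analyze -v` transcript."""
    def field(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    return {
        "bugcheck": field(r"^BugCheck (\w+),"),
        "exception": field(r"^BugCheck \w+, \{(\w+),"),
        "faulting_ip": field(r"^FAULTING_IP:\s+(\S+)"),
        "process": field(r"^PROCESS_NAME:\s+(\S+)"),
        "blamed_image": field(r"^IMAGE_NAME:\s+(\S+)"),
        "registers": set(re.findall(r"\b(?:e[a-d]x|e[sd]i)=([0-9a-f]{8})", text)),
        "modules": list(dict.fromkeys(FRAME.findall(text))),  # stack order, no repeats
    }

def common(a, b):
    """Return what two crash summaries share: the starting point for correlation."""
    same = {k: a[k] for k in SCALARS if a[k] == b[k] and a[k] is not None}
    same["register_values"] = sorted(a["registers"] & b["registers"])
    same["modules"] = [m for m in a["modules"] if m in b["modules"]]
    return same

print(common(summarize(DUMP_1), summarize(DUMP_2)))
```

On these two excerpts the bugcheck code, faulting function and process differ, while the exception code, the tcpip and lnsfw1 frames and the register value 01000000 are shared; that value is the base of the faulting address in both crashes (`[eax+14h]` in the first, `[ebx+6]` in the second).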
     