crash minidump

what is this caused by?

Code:

Microsoft (R) Windows Debugger  Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Owner\Desktop\Mini120507-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Wed Dec  5 05:06:52.765 2007 (GMT-5)
System Uptime: 0 days 18:47:30.095
Loading Kernel Symbols
.....................................................................................................................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, eec2701a, f7a9dae0, f7a9d7dc}

*** WARNING: Unable to verify timestamp for lnsfw1.sys
*** ERROR: Module load completed but symbols could not be loaded for lnsfw1.sys
*** WARNING: Unable to verify timestamp for nltdi.sys
*** ERROR: Module load completed but symbols could not be loaded for nltdi.sys
Probably caused by : lnsfw1.sys ( lnsfw1+7131 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: eec2701a, The address that the exception occurred at
Arg3: f7a9dae0, Exception Record Address
Arg4: f7a9d7dc, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP: 
tcpip!TdiSend+17
eec2701a 034814          add     ecx,dword ptr [eax+14h]

EXCEPTION_RECORD:  f7a9dae0 -- (.exr 0xfffffffff7a9dae0)
ExceptionAddress: eec2701a (tcpip!TdiSend+0x00000017)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 01000014
Attempt to read from address 01000014

CONTEXT:  f7a9d7dc -- (.cxr 0xfffffffff7a9d7dc)
eax=01000000 ebx=856ac5b0 ecx=00000044 edx=eec5d600 esi=8559c9f0 edi=00000044
eip=eec2701a esp=f7a9dba8 ebp=f7a9dbc0 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
tcpip!TdiSend+0x17:
eec2701a 034814          add     ecx,dword ptr [eax+14h] ds:0023:01000014=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS:  01000014 

BUGCHECK_STR:  0x7E

LAST_CONTROL_TRANSFER:  from eec26766 to eec2701a

STACK_TEXT:  
f7a9dbc0 eec26766 f7a9dbe4 00000000 00000044 tcpip!TdiSend+0x17
f7a9dbf4 eec2423d 8559c9f0 856ac5d4 8559ca7c tcpip!TCPSendData+0x83
f7a9dc10 804e37f7 8619b198 8559c9f0 8559caa0 tcpip!TCPDispatchInternalDeviceControl+0x51
f7a9dc20 eec12131 8559caa8 860571c8 8559c9f0 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
f7a9dc70 eec0b6bf 861839a0 8559c9f0 8559ca84 lnsfw1+0x7131
f7a9dce8 804e37f7 861838e8 8559c9f0 8559cacc lnsfw1+0x6bf
f7a9ddac 8057d0f1 00000000 00000000 00000000 nt!IopfCallDriver+0x31
f7a9dd0c eebfab36 86059490 8559c9f0 861838e8 nt!PspSystemThreadStartup+0x34
f7a9dd48 eebfacf0 00000000 eebfaa26 85d6ece8 nltdi+0x2b36
f7a9dd5c eebfc573 8588f928 00000000 f7a9dda4 nltdi+0x2cf0
f7a9dd70 eebfc5e8 85d6ece8 00000000 00000000 nltdi+0x4573
f7a9dd90 eebfc64b f7a9dda4 00000000 86276510 nltdi+0x45e8
f7a9ddac 8057d0f1 00000000 00000000 00000000 nltdi+0x464b
f7a9dddc 804f827a eebfc5f8 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP: 
lnsfw1+7131
eec12131 ??              ???

SYMBOL_STACK_INDEX:  4

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: lnsfw1

IMAGE_NAME:  lnsfw1.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4635eb89

SYMBOL_NAME:  lnsfw1+7131

STACK_COMMAND:  .cxr 0xfffffffff7a9d7dc ; kb

FAILURE_BUCKET_ID:  0x7E_lnsfw1+7131

BUCKET_ID:  0x7E_lnsfw1+7131

Followup: MachineOwner
---------

its running on a 24/7 machine that seems to restart every day for no reason?

 

Hi,

Could you send me the minidump file at lnssupport@soft4ever.com ?
Also tell me which version of Look 'n' Stop you are using.

Thanks,

Frederic

 

Thanks for the Minidump file.

lnsfw1.sys involvement is very light in this crash.
I don't know what could be wrong, since the crash is occuring in windows internals and not directly in lnswf1.sys itself.

Do you mean you have the crach once a day ?
Do you know the condition it happens (during a file download, just after having allowed an application to connect...) ?

Frederic

 

its running basically on a server, with apache, ftp, ventrilo, ssh, and mysql, and a torrent(azureus) and vnc, untouched , so its under pretty good use, it crashes every like 12 hours, restarts itself, and writes a mini dump file heres the one it wrote yesterday

Code:

Microsoft (R) Windows Debugger  Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Owner\Desktop\Mini120707-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Fri Dec  7 05:35:05.027 2007 (GMT-5)
System Uptime: 1 days 8:05:20.528
Loading Kernel Symbols
....................................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 804ecc18, ed6a8780, 0}

*** WARNING: Unable to verify timestamp for lnsfw1.sys
*** ERROR: Module load completed but symbols could not be loaded for lnsfw1.sys
Probably caused by : lnsfw1.sys ( lnsfw1+7f1d )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804ecc18, The address that the exception occurred at
Arg3: ed6a8780, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP: 
nt!MmMapLockedPagesSpecifyCache+2e6
804ecc18 804b0601        or      byte ptr [ebx+6],1

TRAP_FRAME:  ed6a8780 -- (.trap 0xffffffffed6a8780)
ErrCode = 00000003
eax=f7d25040 ebx=01000000 ecx=0000001f edx=00000001 esi=00000163 edi=00000001
eip=804ecc18 esp=ed6a87f4 ebp=ed6a8818 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!MmMapLockedPagesSpecifyCache+0x2e6:
804ecc18 804b0601        or      byte ptr [ebx+6],1         ds:0023:01000006=00
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  Azureus.exe

LAST_CONTROL_TRANSFER:  from eec2f0ed to 804ecc18

STACK_TEXT:  
ed6a8818 eec2f0ed 01000020 1f000000 c03df498 nt!MmMapLockedPagesSpecifyCache+0x2e6
ed6a8838 eec2427f 01000000 00000010 85c800da tcpip!TcpipBufferVirtualAddress+0x24
ed6a8858 eec25b32 0002a4fa 85c874cc 85cdc958 tcpip!XsumSendChain+0x44
ed6a88d8 eec2594a 85852960 85cdc958 859be8c0 tcpip!UDPSend+0x3ca
ed6a88fc eec259b0 006a8920 859befa0 85c8750c tcpip!TdiSendDatagram+0xd5
ed6a8934 eec24308 859be8c0 859be930 859be94c tcpip!UDPSendDatagram+0x4f
ed6a8950 804e37f7 85ec4f18 859be8c0 859be970 tcpip!TCPDispatchInternalDeviceControl+0xff
ed6a8960 eec12f1d 859be978 861909b8 859be8c0 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
ed6a89d4 eec0b77b 86189a98 859be8c0 859be954 lnsfw1+0x7f1d
ed6a8a4c 804e37f7 861899e0 859be8c0 859be99c lnsfw1+0x77b
ed6a8aa0 804e37f7 8628df18 859be8c0 8587a7a0 nt!IopfCallDriver+0x31
ed6a8ab0 eeb917f7 ed6a8b9c 00000008 ed6a8b10 nt!IopfCallDriver+0x31
ed6a8b08 eeb88bce 155deeb4 eeb88bce 8587a7a0 afd!AfdFastDatagramSend+0x2fd
ed6a8c50 8057d2ee 85be1f90 00000001 155ded84 afd!AfdFastIoDeviceControl+0x2a7
ed6a8d00 8057d281 0000062c 00000ef8 00000000 nt!IopXxxControlFile+0x261
ed6a8d34 804de7ec 0000062c 00000ef8 00000000 nt!NtDeviceIoControlFile+0x2a
ed6a8d34 7c90eb94 0000062c 00000ef8 00000000 nt!KiFastCallEntry+0xf8
155dee74 00000000 00000000 00000000 00000000 0x7c90eb94


STACK_COMMAND:  kb

FOLLOWUP_IP: 
lnsfw1+7f1d
eec12f1d ??              ???

SYMBOL_STACK_INDEX:  8

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: lnsfw1

IMAGE_NAME:  lnsfw1.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4635eb89

SYMBOL_NAME:  lnsfw1+7f1d

FAILURE_BUCKET_ID:  0x8E_lnsfw1+7f1d

BUCKET_ID:  0x8E_lnsfw1+7f1d

Followup: MachineOwner
---------

---------
other than that it works great

 

Hitman

Your first minidump point to System as the process
Second one points to your bit torrent exe.

A better way to find out what is going on is to physicaly connect another computer to the crashing one and look at the kernel dump. The kernel dump file is much larger in size and must be setup in system properties,advanced,startup and recovery settings. You look at the kernel dump with the other computer running windbg.

 

Ok, so the crash doesn't happen at the same location each time.

Did you verify all crashes, and each time it is linked to a network context involving lnsfw1.sys ?

Could you send me several crash dump files (not all , but just 4 or 5), maybe I will find some similarities between them.
The problem is the crash is not happening directly in lnsfw1, so difficult to say where is the problem.

Thanks,

Frederic