What is this caused by?

Code:

Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Documents and Settings\Owner\Desktop\Mini120507-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Wed Dec 5 05:06:52.765 2007 (GMT-5)
System Uptime: 0 days 18:47:30.095
Loading Kernel Symbols
.....................................................................................................................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, eec2701a, f7a9dae0, f7a9d7dc}

*** WARNING: Unable to verify timestamp for lnsfw1.sys
*** ERROR: Module load completed but symbols could not be loaded for lnsfw1.sys
*** WARNING: Unable to verify timestamp for nltdi.sys
*** ERROR: Module load completed but symbols could not be loaded for nltdi.sys
Probably caused by : lnsfw1.sys ( lnsfw1+7131 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: eec2701a, The address that the exception occurred at
Arg3: f7a9dae0, Exception Record Address
Arg4: f7a9d7dc, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
tcpip!TdiSend+17
eec2701a 034814 add ecx,dword ptr [eax+14h]

EXCEPTION_RECORD: f7a9dae0 -- (.exr 0xfffffffff7a9dae0)
ExceptionAddress: eec2701a (tcpip!TdiSend+0x00000017)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 01000014
Attempt to read from address 01000014

CONTEXT: f7a9d7dc -- (.cxr 0xfffffffff7a9d7dc)
eax=01000000 ebx=856ac5b0 ecx=00000044 edx=eec5d600 esi=8559c9f0 edi=00000044
eip=eec2701a esp=f7a9dba8 ebp=f7a9dbc0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
tcpip!TdiSend+0x17:
eec2701a 034814 add ecx,dword ptr [eax+14h] ds:0023:01000014=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 01000014

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from eec26766 to eec2701a

STACK_TEXT:
f7a9dbc0 eec26766 f7a9dbe4 00000000 00000044 tcpip!TdiSend+0x17
f7a9dbf4 eec2423d 8559c9f0 856ac5d4 8559ca7c tcpip!TCPSendData+0x83
f7a9dc10 804e37f7 8619b198 8559c9f0 8559caa0 tcpip!TCPDispatchInternalDeviceControl+0x51
f7a9dc20 eec12131 8559caa8 860571c8 8559c9f0 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
f7a9dc70 eec0b6bf 861839a0 8559c9f0 8559ca84 lnsfw1+0x7131
f7a9dce8 804e37f7 861838e8 8559c9f0 8559cacc lnsfw1+0x6bf
f7a9ddac 8057d0f1 00000000 00000000 00000000 nt!IopfCallDriver+0x31
f7a9dd0c eebfab36 86059490 8559c9f0 861838e8 nt!PspSystemThreadStartup+0x34
f7a9dd48 eebfacf0 00000000 eebfaa26 85d6ece8 nltdi+0x2b36
f7a9dd5c eebfc573 8588f928 00000000 f7a9dda4 nltdi+0x2cf0
f7a9dd70 eebfc5e8 85d6ece8 00000000 00000000 nltdi+0x4573
f7a9dd90 eebfc64b f7a9dda4 00000000 86276510 nltdi+0x45e8
f7a9ddac 8057d0f1 00000000 00000000 00000000 nltdi+0x464b
f7a9dddc 804f827a eebfc5f8 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
lnsfw1+7131
eec12131 ?? ???

SYMBOL_STACK_INDEX: 4

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: lnsfw1

IMAGE_NAME: lnsfw1.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4635eb89

SYMBOL_NAME: lnsfw1+7131

STACK_COMMAND: .cxr 0xfffffffff7a9d7dc ; kb

FAILURE_BUCKET_ID: 0x7E_lnsfw1+7131

BUCKET_ID: 0x7E_lnsfw1+7131

Followup: MachineOwner
---------

It's running on a 24/7 machine that seems to restart every day for no reason?
Hi,

Could you send me the minidump file at lnssupport@soft4ever.com? Also tell me which version of Look 'n' Stop you are using.

Thanks,
Frederic
Thanks for the minidump file. lnsfw1.sys involvement is very light in this crash. I don't know what could be wrong, since the crash is occurring in Windows internals and not directly in lnsfw1.sys itself. Do you mean you have the crash once a day? Do you know the conditions under which it happens (during a file download, just after having allowed an application to connect...)?

Frederic
It's running basically on a server, with Apache, FTP, Ventrilo, SSH, and MySQL, and a torrent (Azureus) and VNC, untouched, so it's under pretty good use. It crashes every like 12 hours, restarts itself, and writes a mini dump file. Here's the one it wrote yesterday:

Code:

Microsoft (R) Windows Debugger Version 6.7.0005.1
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Documents and Settings\Owner\Desktop\Mini120707-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.070227-2254
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620
Debug session time: Fri Dec 7 05:35:05.027 2007 (GMT-5)
System Uptime: 1 days 8:05:20.528
Loading Kernel Symbols
....................................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 804ecc18, ed6a8780, 0}

*** WARNING: Unable to verify timestamp for lnsfw1.sys
*** ERROR: Module load completed but symbols could not be loaded for lnsfw1.sys
Probably caused by : lnsfw1.sys ( lnsfw1+7f1d )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 804ecc18, The address that the exception occurred at
Arg3: ed6a8780, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!MmMapLockedPagesSpecifyCache+2e6
804ecc18 804b0601 or byte ptr [ebx+6],1

TRAP_FRAME: ed6a8780 -- (.trap 0xffffffffed6a8780)
ErrCode = 00000003
eax=f7d25040 ebx=01000000 ecx=0000001f edx=00000001 esi=00000163 edi=00000001
eip=804ecc18 esp=ed6a87f4 ebp=ed6a8818 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!MmMapLockedPagesSpecifyCache+0x2e6:
804ecc18 804b0601 or byte ptr [ebx+6],1 ds:0023:01000006=00
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: Azureus.exe

LAST_CONTROL_TRANSFER: from eec2f0ed to 804ecc18

STACK_TEXT:
ed6a8818 eec2f0ed 01000020 1f000000 c03df498 nt!MmMapLockedPagesSpecifyCache+0x2e6
ed6a8838 eec2427f 01000000 00000010 85c800da tcpip!TcpipBufferVirtualAddress+0x24
ed6a8858 eec25b32 0002a4fa 85c874cc 85cdc958 tcpip!XsumSendChain+0x44
ed6a88d8 eec2594a 85852960 85cdc958 859be8c0 tcpip!UDPSend+0x3ca
ed6a88fc eec259b0 006a8920 859befa0 85c8750c tcpip!TdiSendDatagram+0xd5
ed6a8934 eec24308 859be8c0 859be930 859be94c tcpip!UDPSendDatagram+0x4f
ed6a8950 804e37f7 85ec4f18 859be8c0 859be970 tcpip!TCPDispatchInternalDeviceControl+0xff
ed6a8960 eec12f1d 859be978 861909b8 859be8c0 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
ed6a89d4 eec0b77b 86189a98 859be8c0 859be954 lnsfw1+0x7f1d
ed6a8a4c 804e37f7 861899e0 859be8c0 859be99c lnsfw1+0x77b
ed6a8aa0 804e37f7 8628df18 859be8c0 8587a7a0 nt!IopfCallDriver+0x31
ed6a8ab0 eeb917f7 ed6a8b9c 00000008 ed6a8b10 nt!IopfCallDriver+0x31
ed6a8b08 eeb88bce 155deeb4 eeb88bce 8587a7a0 afd!AfdFastDatagramSend+0x2fd
ed6a8c50 8057d2ee 85be1f90 00000001 155ded84 afd!AfdFastIoDeviceControl+0x2a7
ed6a8d00 8057d281 0000062c 00000ef8 00000000 nt!IopXxxControlFile+0x261
ed6a8d34 804de7ec 0000062c 00000ef8 00000000 nt!NtDeviceIoControlFile+0x2a
ed6a8d34 7c90eb94 0000062c 00000ef8 00000000 nt!KiFastCallEntry+0xf8
155dee74 00000000 00000000 00000000 00000000 0x7c90eb94

STACK_COMMAND: kb

FOLLOWUP_IP:
lnsfw1+7f1d
eec12f1d ?? ???

SYMBOL_STACK_INDEX: 8

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: lnsfw1

IMAGE_NAME: lnsfw1.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4635eb89

SYMBOL_NAME: lnsfw1+7f1d

FAILURE_BUCKET_ID: 0x8E_lnsfw1+7f1d

BUCKET_ID: 0x8E_lnsfw1+7f1d

Followup: MachineOwner
---------
---------

Other than that it works great.
Hitman,

Your first minidump points to System as the process. The second one points to your BitTorrent exe. A better way to find out what is going on is to physically connect another computer to the crashing one and look at the kernel dump. The kernel dump file is much larger in size and must be set up in System Properties, Advanced, Startup and Recovery settings. You look at the kernel dump with the other computer running WinDbg.
OK, so the crash doesn't happen at the same location each time. Did you verify all crashes, and each time it is linked to a network context involving lnsfw1.sys? Could you send me several crash dump files (not all, but just 4 or 5)? Maybe I will find some similarities between them. The problem is the crash is not happening directly in lnsfw1, so it is difficult to say where the problem is.

Thanks,
Frederic
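
Added example, not part of the thread and not code from any poster or from Look 'n' Stop: one way to look for similarities across several !analyze -v listings, as asked for above. The dump excerpts are copied from the two listings posted in this thread; the function names summarize and common_ground are hypothetical.

```python
import re

# Excerpts copied from the two !analyze -v listings posted in this thread.
DUMP_1 = """BugCheck 1000007E, {c0000005, eec2701a, f7a9dae0, f7a9d7dc}
PROCESS_NAME: System
eec2701a 034814 add ecx,dword ptr [eax+14h]
eax=01000000 ebx=856ac5b0 ecx=00000044 edx=eec5d600 esi=8559c9f0 edi=00000044
f7a9dbc0 eec26766 f7a9dbe4 00000000 00000044 tcpip!TdiSend+0x17
f7a9dc20 eec12131 8559caa8 860571c8 8559c9f0 nt!IopfCallDriver+0x31
f7a9dc70 eec0b6bf 861839a0 8559c9f0 8559ca84 lnsfw1+0x7131
f7a9dd48 eebfacf0 00000000 eebfaa26 85d6ece8 nltdi+0x2b36
"""
DUMP_2 = """BugCheck 1000008E, {c0000005, 804ecc18, ed6a8780, 0}
PROCESS_NAME: Azureus.exe
804ecc18 804b0601 or byte ptr [ebx+6],1
eax=f7d25040 ebx=01000000 ecx=0000001f edx=00000001 esi=00000163 edi=00000001
ed6a8818 eec2f0ed 01000020 1f000000 c03df498 nt!MmMapLockedPagesSpecifyCache+0x2e6
ed6a8838 eec2427f 01000000 00000010 85c800da tcpip!TcpipBufferVirtualAddress+0x24
ed6a89d4 eec0b77b 86189a98 859be8c0 859be954 lnsfw1+0x7f1d
ed6a8b08 eeb88bce 155deeb4 eeb88bce 8587a7a0 afd!AfdFastDatagramSend+0x2fd
"""

# A STACK_TEXT frame: five 8-digit hex columns, then module!symbol or module+offset.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\w+)[!+]", re.M)

def summarize(text):
    """Extract the fields worth comparing from one !analyze -v listing."""
    regs = dict(re.findall(r"\b(e[a-ds][xi])=([0-9a-f]{8})", text))
    base = re.search(r"ptr \[(e\w\w)", text).group(1)  # register the fault dereferenced
    return {
        "bugcheck": re.search(r"BugCheck (\w+),", text).group(1),
        "process": re.search(r"PROCESS_NAME:\s+(\S+)", text).group(1),
        "bad_pointer": regs[base],
        "modules": list(dict.fromkeys(FRAME.findall(text))),  # unique, stack order
    }

def common_ground(*dumps):
    """Return what every crash shares: modules on the stack and the bad pointer."""
    s = [summarize(d) for d in dumps]
    shared = [m for m in s[0]["modules"] if all(m in x["modules"] for x in s[1:])]
    pointers = {x["bad_pointer"] for x in s}
    return {"modules": shared,
            "bad_pointer": pointers.pop() if len(pointers) == 1 else None}

if __name__ == "__main__":
    for dump in (DUMP_1, DUMP_2):
        print(summarize(dump))
    print(common_ground(DUMP_1, DUMP_2))
```

On these two excerpts it reports tcpip, nt and lnsfw1 on both stacks, different processes and bugcheck codes, and the same faulting base pointer, 01000000, in both crashes.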