WinDbg Minidump Tutorial: Setting Up and Reading Minidump Files

This is a tutorial on how to set up and read the minidump files that are written when you get a BSOD (Blue Screen of Death), in an attempt to gain a better understanding of the cause of the problem. First things first: download the latest Debugging Tools for Windows from the Microsoft site. Search for "Microsoft Debugging Tools" on Google.

Then go to Start / Start Search and type cmd.

Then change directories to:

C:\Program Files\Debugging Tools for Windows (x86)

using the command:

cd c:\program files\debugging tools for windows (x86)

Case does not matter when using cd at the prompt.

Then type:
windbg.exe -z c:\windows\minidump\mini061909-01.dmp -c "!analyze -v"

Your minidump file is in C:\Windows\Minidump\Mini062009-01.dmp. Its name is of the form MiniMMDDYY-01.dmp.

Kernel symbols are WRONG. Please fix symbols to do analysis.

If somewhere in the output of the analysis you see an error such as:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

then most likely you are using older, inconsistent or corrupted symbol files, or the appropriate symbols were not in the specified location when WinDbg tried to analyze the minidump file. So what I did was open the WinDbg program, which is in C:\Program Files\Debugging Tools for Windows (x86) (on Vista; I think it is the same location for XP).

Setting the WinDbg symbol file path via the command line:

This is an important step to ensure that your symbol file path is set correctly, so you do not get the "Kernel symbols are WRONG" error or other errors. Now set the symbol file path (File / Symbol File Path) to:

SRV*e:\symbols*http://msdl.microsoft.com/download/symbols

However, for some reason, in my case setting the symbol file path in the "File / Symbol File Path" dialog did not change the path directly. So I found it necessary to change it through the WinDbg command window; go to:

"View / Command"

At the bottom of the window, next to the "kd>" prompt, type this in:

.sympath SRV*e:\symbols*http://msdl.microsoft.com/download/symbols

The part between the two asterisks (*) is where the symbols from Microsoft's servers will be downloaded to. The symbols are quite large (approximately 22 MB), so be sure you have enough disk space.

SETTING THE SYMBOL FILE PATH IN AN ENVIRONMENT VARIABLE:

Alternatively, you can set an environment variable, either as a system or as a user environment variable. To do this, press WINDOWS KEY + E. The Windows key is the key to the right of the left CTRL key on your keyboard. This opens Windows Explorer.

Then click "Advanced system settings" at the top left of the window. This step applies to Vista. For XP users, simply click the "Advanced" tab.

Then click the "Environment Variables" button at the bottom of the window.

Then click the "New" button under System variables. Again, you can create it as a user environment variable instead.

In the "Variable name" field type:
_NT_SYMBOL_PATH

In the "Variable value" field type:
symsrv*symsrv.dll*e:\symbols*http://msdl.microsoft.com/download/symbols

If you set the symbol file path as a system environment variable, I think you may have to restart your computer for it to take effect.

WinDbg command output

So what follows is the output for my crash:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [c:\windows\minidump\mini062609-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*e:\symbols*http://msdl.microsoft.com/download/symbols;R:\symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18226.x86fre.vistasp1_gdr.090302-1506
Machine Name:
Kernel base = 0x8201d000 PsLoadedModuleList = 0x82134c70
Debug session time: Fri Jun 26 16:25:11.288 2009 (GMT-7)
System Uptime: 0 days 21:39:36.148
Loading Kernel Symbols
...............................................................
...............................................................
........................................................
Loading User Symbols
Loading unloaded module list
............................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {8cb5bcc0, 1b, 1, 820d0c1f}

Unable to load image \SystemRoot\system32\DRIVERS\SymIMv.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SymIMv.sys
*** ERROR: Module load completed but symbols could not be loaded for SymIMv.sys
Unable to load image \SystemRoot\system32\DRIVERS\NETw3v32.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for NETw3v32.sys
*** ERROR: Module load completed but symbols could not be loaded for NETw3v32.sys
Processing initial command '!analyze -v'
Probably caused by : tdx.sys ( tdx!TdxMessageTlRequestComplete+94 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 8cb5bcc0, memory referenced
Arg2: 0000001b, IRQL
Arg3: 00000001, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 820d0c1f, address which referenced memory

Debugging Details:
------------------

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82154868
Unable to read MiSystemVaType memory at 82134420
 8cb5bcc0

CURRENT_IRQL:  1b

FAULTING_IP:
nt!KiUnwaitThread+19
820d0c1f 890a            mov     dword ptr [edx],ecx

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  System

TRAP_FRAME:  821126c4 -- (.trap 0xffffffff821126c4)
ErrCode = 00000002
eax=00000000 ebx=85c5d4d8 ecx=8cb5bcc0 edx=8cb5bcc0 esi=ed9c7048 edi=85c5d420
eip=820d0c1f esp=82112738 ebp=8211274c iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
nt!KiUnwaitThread+0x19:
820d0c1f 890a            mov     dword ptr [edx],ecx  ds:0023:8cb5bcc0=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82077d24 to 820d0c1f

STACK_TEXT:
821126c4 820d0c1f badb0d00 8cb5bcc0 87952ed0 nt!KiTrap0E+0x2ac
8211274c 8205f486 00000002 85c5d420 ed9c7048 nt!KiUnwaitThread+0x19
82112770 8205f52a ed9c7048 ed9c7008 00000000 nt!KiInsertQueueApc+0x2a0
82112790 8205742b ed9c7048 00000000 00000000 nt!KeInsertQueueApc+0x4b
821127c8 8f989cd0 e79e1f70 e79e1e88 00000000 nt!IopfCompleteRequest+0x438
821127e0 8a869ce7 00000007 00000000 00000007 tdx!TdxMessageTlRequestComplete+0x94
82112804 8a869d33 e79e1e88 e79e1f70 00000000 tcpip!UdpEndSendMessages+0xfa
8211281c 8a560c7f e79e1e88 00000001 00000000 tcpip!UdpSendMessagesDatagramsComplete+0x22
8211284c 8a86e0ab 889a0558 00000000 00000000 NETIO!NetioDereferenceNetBufferListChain+0xcf
82112860 8a6d341e 878689e8 e79e1e88 00000000 tcpip!FlSendNetBufferListChainComplete+0x1c
82112894 8a6084f1 86c440e8 e79e1e88 00000000 NDIS!NdisMSendCompleteNetBufferListsInternal+0xb8
821128a8 8fe3f0ee 00000000 87a092b0 e79e1e88 NDIS!NdisFSendNetBufferListsComplete+0x1a
821128cc 8a6084f1 e79e1e88 87a07230 00000000 pacer!PcFilterSendNetBufferListsComplete+0xba
821128e0 8fe516f7 e79e1e88 00000000 88940c10 NDIS!NdisFSendNetBufferListsComplete+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
821128fc 8a6084f1 00000000 889a67a8 e79e1e88 SymIMv+0x16f7
82112910 91ab182f 889404e0 e79e1e88 00000000 NDIS!NdisFSendNetBufferListsComplete+0x1a
82112930 91aaf035 00000000 00000000 88939008 nwifi!MP6CancelSend+0x231
82112954 91ab064c 8893fc08 ed8e6080 00000000 nwifi!Dot11SendCompletion+0x2d
8211296c 8a6d34dd 8893fc08 ed8e6080 00000000 nwifi!Pt6SendComplete+0x1e
8211298c 8ee0ef66 00000000 86c440e8 ed8e6080 NDIS!NdisMSendNetBufferListsComplete+0x70
821129ac 8ee76a7e 86f6acb0 ed8e6080 00000000 NETw3v32+0x6f66
82112a10 8ee10e46 b347a4ff 86013be8 b347a478 NETw3v32+0x6ea7e
82112a38 8ee11061 82112a64 87091ee0 86f6acb0 NETw3v32+0x8e46
82112a48 8ee10c77 89533a30 86013be8 86183fc0 NETw3v32+0x9061
82112a64 8ee71ba2 00000000 86f6acb0 000000cd NETw3v32+0x8c77
82112a8c 8ee1d623 86f6acb0 b347a478 00000000 NETw3v32+0x69ba2
82112aa0 8ee2f945 872261c8 00000000 b347a478 NETw3v32+0x15623
82112b04 8ee10e46 87600b58 89533a30 89beaa20 NETw3v32+0x27945
82112b2c 8ee11061 82112b58 872261c8 86f6f0d8 NETw3v32+0x8e46
82112b3c 8ee10c77 89533a64 8655dfb8 89beaa20 NETw3v32+0x9061
82112b58 8ee38bc6 872261c8 0000009d 00000000 NETw3v32+0x8c77
82112ba8 8ee1a0b1 874a1004 8771b000 86f37e9c NETw3v32+0x30bc6
82112bd0 8ee1c082 02dd9e68 874a1004 00000000 NETw3v32+0x120b1
82112c10 8ee1c30b 00000041 8729c540 87229ea0 NETw3v32+0x14082
82112c50 8ee1879a 87229ea0 8729c540 000000ff NETw3v32+0x1430b
82112c80 8ee16a89 872b4e01 82112c9c 8729c540 NETw3v32+0x1079a
82112c90 8ee094a5 8729c540 82112cc4 8a6c5115 NETw3v32+0xea89
82112c9c 8a6c5115 87079110 00000000 00000000 NETw3v32+0x14a5
82112cc4 8a606468 8ee09490 873ffe18 00000000 NDIS!NdisMiniportDpc+0x7a
82112ce8 820d3450 873ffe18 86c440e8 00000000 NDIS!NdisInterruptDpc+0xc4
82112d50 820d1edd 00000000 00000000 0000000e nt!KiRetireDpcList+0x147
82112d54 0000000e 00000000 00000000 00000000 nt!KiIdleLoop+0x49

STACK_COMMAND:  kb

FOLLOWUP_IP:
tdx!TdxMessageTlRequestComplete+94
8f989cd0 6804010000      push    104h

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  tdx!TdxMessageTlRequestComplete+94

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: tdx

IMAGE_NAME:  tdx.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  479190ee

FAILURE_BUCKET_ID:  0xA_tdx!TdxMessageTlRequestComplete+94

BUCKET_ID:  0xA_tdx!TdxMessageTlRequestComplete+94

Followup: MachineOwner

It looks like a lot of mumbo-jumbo hieroglyphics. But if you look closely you can get some idea of the possible problem or its cause. PROCESS_NAME is System, suggesting a system process. The MODULE_NAME is tdx.
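As an added example (not code from the tutorial or from the Debugging Tools), the Python below parses saved "!analyze -v" text and pulls out the fields read above: the bugcheck and its arguments, PROCESS_NAME, MODULE_NAME and FAILURE_BUCKET_ID, plus every module in STACK_TEXT, flagging those that appear as module+offset only because no symbols loaded (SymIMv and NETw3v32 here). It runs on a constructed, abbreviated copy of this article's own output; in practice you would feed it the text saved from the command window.

```python
import re
from collections import Counter

# Constructed sample: an abbreviated copy of the !analyze -v output quoted in
# this tutorial (same values), embedded so the example runs offline.
SAMPLE_ANALYZE_OUTPUT = """\
IRQL_NOT_LESS_OR_EQUAL (a)
Arg1: 8cb5bcc0, memory referenced
Arg2: 0000001b, IRQL
Arg3: 00000001, bitfield :
PROCESS_NAME:  System
STACK_TEXT:
821126c4 820d0c1f badb0d00 8cb5bcc0 87952ed0 nt!KiTrap0E+0x2ac
8211274c 8205f486 00000002 85c5d420 ed9c7048 nt!KiUnwaitThread+0x19
821127e0 8a869ce7 00000007 00000000 00000007 tdx!TdxMessageTlRequestComplete+0x94
82112804 8a869d33 e79e1e88 e79e1f70 00000000 tcpip!UdpEndSendMessages+0xfa
WARNING: Stack unwind information not available. Following frames may be wrong.
821128fc 8a6084f1 00000000 889a67a8 e79e1e88 SymIMv+0x16f7
821129ac 8ee76a7e 86f6acb0 ed8e6080 00000000 NETw3v32+0x6f66
MODULE_NAME: tdx
FAILURE_BUCKET_ID:  0xA_tdx!TdxMessageTlRequestComplete+94
"""
BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)$")  # IRQL_NOT_LESS_OR_EQUAL (a)
ARG_RE = re.compile(r"^Arg([1-4]): ([0-9a-fA-F]{8}), ")
FIELD_RE = re.compile(r"^([A-Z_]+):\s+(\S.*)$")              # KEY:  value
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)$")        # ChildEBP RetAddr 3 args symbol
KEYS = {"PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME", "FAILURE_BUCKET_ID"}

def parse_analyze(text):
    """Pull out what the tutorial reads by eye: bugcheck, arguments, blamed
    module, and every module on STACK_TEXT, flagging those without symbols."""
    out = {"args": {}, "frames": [], "modules": Counter(), "unsymbolized": set()}
    for line in text.splitlines():
        line = line.strip()
        if (m := BUGCHECK_RE.match(line)) and "bugcheck" not in out:
            out["bugcheck"], out["code"] = m.group(1), int(m.group(2), 16)
        elif m := ARG_RE.match(line):
            out["args"][int(m.group(1))] = int(m.group(2), 16)
        elif (m := FIELD_RE.match(line)) and m.group(1) in KEYS:
            out[m.group(1).lower()] = m.group(2)
        elif m := FRAME_RE.match(line):
            sym = m.group(1)                           # nt!KiTrap0E+0x2ac or NETw3v32+0x6f66
            out["frames"].append(sym)
            out["modules"][re.split(r"[!+]", sym)[0]] += 1
            if "!" not in sym:                         # module+offset only: no symbols loaded
                out["unsymbolized"].add(sym.split("+")[0])
    out["write"] = bool(out["args"].get(3, 0) & 1)    # Arg3 bit 0: 1 = write operation
    out["suspects"] = sorted(out["unsymbolized"] - {out.get("module_name")})  # not already blamed
    return out
```

The "suspects" list is the point: !analyze blames the first module it can name (tdx here), while drivers that loaded without symbols, such as the wireless driver deeper in the stack, still need a look.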

KD COMMAND OUTPUT: lmvm tdx

The tdx link can be clicked, which for me ran the command:
kd> lmvm tdx

as a kd command. The "lm" in "lmvm" means loaded modules. The "v" is verbose. The "m" is a pattern match. The debugger .chm manual states:

m Pattern
Specifies a pattern that the module name must match. Pattern can contain a variety of wildcard characters and specifiers. For more information about the syntax of this information, see String Wildcard Syntax.

You can find a lot of information in the .chm manual that comes with the WinDbg download from Microsoft. It is here:
C:\Program Files\Debugging Tools for Windows (x86)\debugger.chm

The output of the above is:
0: kd> lmvm tdx
start    end        module name
8f97f000 8f995000   tdx        (pdb symbols)          c:\program files\debugging tools for windows (x86)\sym\tdx.pdb\CFB0726BF9864FDDA4B793D5E641E5531\tdx.pdb
    Loaded symbol image file: tdx.sys
    Mapped memory image file: c:\program files\debugging tools for windows (x86)\sym\tdx.sys\479190EE16000\tdx.sys
    Image path: \SystemRoot\system32\DRIVERS\tdx.sys
    Image name: tdx.sys
    Timestamp:        Fri Jan 18 21:55:58 2008 (479190EE)
    CheckSum:         0001391F
    ImageSize:        00016000
    File version:     6.0.6001.18000
    Product version:  6.0.6001.18000
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.6 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     tdx.sys
    OriginalFilename: tdx.sys
    ProductVersion:   6.0.6001.18000
    FileVersion:      6.0.6001.18000 (longhorn_rtm.080118-1840)
    FileDescription:  TDI Translation Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

So you can gather some additional information: who makes the module, and the possible cause of the problem.

I looked at the STACK_TEXT and there are references to tcpip and NETIO, which seem to point to a network problem. So I searched Google for others with a BSOD and a tdx.sys problem, and there is a hotfix for this problem. However, a word of caution: please do not download the hotfix if this particular problem does not apply to you. Microsoft suggests using the Microsoft update procedures, which include all the fixes.

To get the link to the hotfix for the network problem, Google "microsoft hotfix 934611".

I did not download this hotfix; instead I chose the Service Pack update. At present that is Vista Service Pack 2; I only had Service Pack 1. So I'll see if this solves the problem.

To check which Service Pack you have installed and which bit version (32-bit or 64-bit):

Go to "Start / Computer". Click "Computer" and then click Properties. You will see the Service Pack information under the heading "Windows edition". Under the heading "System" (about halfway down the page) you will see "System type", which shows whether you have the 32-bit or 64-bit version installed.

To obtain Service Pack 2 for Windows Vista, Google "Microsoft Vista Service Pack 2".

About the Author

Vista tutorials, tips and guides. Victor Kimura
Vista Tutorial: WinDbg Minidump Tutorial

Site for the differences between XP Pro SP1 and XP Pro Service Pack 2?

Anybody know where I can find a good website that explains the differences between XP Pro Service Pack 1 and XP Pro Service Pack 2?

Go here: http://technet.microsoft.com/en-us/library/bb490610.aspx
