Redstorm
09-14-2006, 08:06 AM
This months security patches blue screen my machine, I have to boot into safe
mode and remove them.
KB920872
KB920685
KB922582
KB919007
Looking at the memory dump CLASSPNP.SYS seams to be the culprit. I confirmed
that it was one of the sec patches by reinstalling them and getting the blue
screen once more. then removed them and everything is fine again.
I wish they would have QA'ed the patches properly.
Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 14/09/2006
Time: 6:43:28 p.m.
User: N/A
Computer: EMPEROR
Description:
Error code 0000000a, parameter1 f8830478, parameter2 00000002, parameter3
00000001, parameter4 805001a6.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 30 30 30 30 30 30 30 0000000
0020: 61 20 20 50 61 72 61 6d a Param
0028: 65 74 65 72 73 20 66 38 eters f8
0030: 38 33 30 34 37 38 2c 20 830478,
0038: 30 30 30 30 30 30 30 32 00000002
0040: 2c 20 30 30 30 30 30 30 , 000000
0048: 30 31 2c 20 38 30 35 30 01, 8050
0050: 30 31 61 36 01a6
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {f8830478, 2, 1, 805001a6}
*** ERROR: Module load completed but symbols could not be loaded for
nvraid.sys
*** ERROR: Module load completed but symbols could not be loaded for
nvatabus.sys
Probably caused by : CLASSPNP.SYS ( CLASSPNP!ClassCompleteRequest+11 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: f8830478, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 805001a6, address which referenced memory
Debugging Details:
------------------
OVERLAPPED_MODULE:
WRITE_ADDRESS: f8830478 Nonpaged pool expansion
CURRENT_IRQL: 2
FAULTING_IP:
nt!KiUnlinkThread+0
805001a6 095154 or [ecx+0x54],edx
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 80500214 to 805001a6
TRAP_FRAME: 80548b24 -- (.trap ffffffff80548b24)
ErrCode = 00000002
eax=80548bc4 ebx=ba3a1088 ecx=f8830424 edx=00000100 esi=f8830424 edi=00000000
eip=805001a6 esp=80548b98 ebp=80548ba8 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!KiUnlinkThread:
805001a6 095154 or [ecx+0x54],edx ds:0023:f8830478=????????
Resetting default scope
STACK_TEXT:
80548b94 80500214 ba3a1080 ba3a1088 00000100 nt!KiUnlinkThread
80548ba8 8050040b 00000000 80548bc4 00000000 nt!KiUnwaitThread+0x12
80548bd4 804f8c60 85cd4d3f 85cd4b40 00000000 nt!KiWaitTest+0xab
80548be8 f71ebed5 ba3a1080 00000000 00000000 nt!KeSetEvent+0x58
80548bfc 804f0362 86c99020 85cd4b40 ba3a1074
Ntfs!NtfsSingleSyncCompletionRoutine+0x16
80548c2c f74c7c70 80548c5c f74c7f54 86cec030 nt!IopfCompleteRequest+0xa2
80548c34 f74c7f54 86cec030 85cd4b40 00000001
CLASSPNP!ClassCompleteRequest+0x11
80548c5c 804f0362 00000000 85d9a6c0 85d9a858
CLASSPNP!TransferPktComplete+0x180
80548c8c f74c7c70 80548cb4 f72f2169 86d28db8 nt!IopfCompleteRequest+0xa2
80548c94 f72f2169 86d28db8 85d9a6c0 00000000
CLASSPNP!ClassCompleteRequest+0x11
WARNING: Stack unwind information not available. Following frames may be
wrong.
80548cb4 f72f35a3 86d28db8 85d9a6c0 f72fa15c nvraid+0x3169
80548cec f72f49e1 85cd0bc8 f72f3554 85cd0bc8 nvraid+0x45a3
80548d40 f72e7c6f 85da0b40 86d290e8 85df1488 nvraid+0x59e1
80548d58 f72e1d42 86d29564 85da0b40 00000000 nvatabus+0xfc6f
80548d8c f72e928f 00d290e8 00000001 00000000 nvatabus+0x9d42
80548db4 f72ea264 86d290e8 00000000 00000060 nvatabus+0x1128f
80548ddc f72ea7f8 00d7b438 00000001 00000000 nvatabus+0x12264
80548e2c 80540d5d 86d7b98c 86d7b438 00000000 nvatabus+0x127f8
80548e50 80540cd6 00000000 0000000e 00000000 nt!KiRetireDpcList+0x46
FOLLOWUP_IP:
CLASSPNP!ClassCompleteRequest+11
f74c7c70 5d pop ebp
SYMBOL_STACK_INDEX: 6
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: CLASSPNP!ClassCompleteRequest+11
MODULE_NAME: CLASSPNP
IMAGE_NAME: CLASSPNP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 41107ec2
STACK_COMMAND: .trap ffffffff80548b24 ; kb
FAILURE_BUCKET_ID: 0xA_W_CLASSPNP!ClassCompleteRequest+11
BUCKET_ID: 0xA_W_CLASSPNP!ClassCompleteRequest+11
Followup: MachineOwner
---------
mode and remove them.
KB920872
KB920685
KB922582
KB919007
Looking at the memory dump CLASSPNP.SYS seams to be the culprit. I confirmed
that it was one of the sec patches by reinstalling them and getting the blue
screen once more. then removed them and everything is fine again.
I wish they would have QA'ed the patches properly.
Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 14/09/2006
Time: 6:43:28 p.m.
User: N/A
Computer: EMPEROR
Description:
Error code 0000000a, parameter1 f8830478, parameter2 00000002, parameter3
00000001, parameter4 805001a6.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 30 30 30 30 30 30 30 0000000
0020: 61 20 20 50 61 72 61 6d a Param
0028: 65 74 65 72 73 20 66 38 eters f8
0030: 38 33 30 34 37 38 2c 20 830478,
0038: 30 30 30 30 30 30 30 32 00000002
0040: 2c 20 30 30 30 30 30 30 , 000000
0048: 30 31 2c 20 38 30 35 30 01, 8050
0050: 30 31 61 36 01a6
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {f8830478, 2, 1, 805001a6}
*** ERROR: Module load completed but symbols could not be loaded for
nvraid.sys
*** ERROR: Module load completed but symbols could not be loaded for
nvatabus.sys
Probably caused by : CLASSPNP.SYS ( CLASSPNP!ClassCompleteRequest+11 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: f8830478, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 805001a6, address which referenced memory
Debugging Details:
------------------
OVERLAPPED_MODULE:
WRITE_ADDRESS: f8830478 Nonpaged pool expansion
CURRENT_IRQL: 2
FAULTING_IP:
nt!KiUnlinkThread+0
805001a6 095154 or [ecx+0x54],edx
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 80500214 to 805001a6
TRAP_FRAME: 80548b24 -- (.trap ffffffff80548b24)
ErrCode = 00000002
eax=80548bc4 ebx=ba3a1088 ecx=f8830424 edx=00000100 esi=f8830424 edi=00000000
eip=805001a6 esp=80548b98 ebp=80548ba8 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!KiUnlinkThread:
805001a6 095154 or [ecx+0x54],edx ds:0023:f8830478=????????
Resetting default scope
STACK_TEXT:
80548b94 80500214 ba3a1080 ba3a1088 00000100 nt!KiUnlinkThread
80548ba8 8050040b 00000000 80548bc4 00000000 nt!KiUnwaitThread+0x12
80548bd4 804f8c60 85cd4d3f 85cd4b40 00000000 nt!KiWaitTest+0xab
80548be8 f71ebed5 ba3a1080 00000000 00000000 nt!KeSetEvent+0x58
80548bfc 804f0362 86c99020 85cd4b40 ba3a1074
Ntfs!NtfsSingleSyncCompletionRoutine+0x16
80548c2c f74c7c70 80548c5c f74c7f54 86cec030 nt!IopfCompleteRequest+0xa2
80548c34 f74c7f54 86cec030 85cd4b40 00000001
CLASSPNP!ClassCompleteRequest+0x11
80548c5c 804f0362 00000000 85d9a6c0 85d9a858
CLASSPNP!TransferPktComplete+0x180
80548c8c f74c7c70 80548cb4 f72f2169 86d28db8 nt!IopfCompleteRequest+0xa2
80548c94 f72f2169 86d28db8 85d9a6c0 00000000
CLASSPNP!ClassCompleteRequest+0x11
WARNING: Stack unwind information not available. Following frames may be
wrong.
80548cb4 f72f35a3 86d28db8 85d9a6c0 f72fa15c nvraid+0x3169
80548cec f72f49e1 85cd0bc8 f72f3554 85cd0bc8 nvraid+0x45a3
80548d40 f72e7c6f 85da0b40 86d290e8 85df1488 nvraid+0x59e1
80548d58 f72e1d42 86d29564 85da0b40 00000000 nvatabus+0xfc6f
80548d8c f72e928f 00d290e8 00000001 00000000 nvatabus+0x9d42
80548db4 f72ea264 86d290e8 00000000 00000060 nvatabus+0x1128f
80548ddc f72ea7f8 00d7b438 00000001 00000000 nvatabus+0x12264
80548e2c 80540d5d 86d7b98c 86d7b438 00000000 nvatabus+0x127f8
80548e50 80540cd6 00000000 0000000e 00000000 nt!KiRetireDpcList+0x46
FOLLOWUP_IP:
CLASSPNP!ClassCompleteRequest+11
f74c7c70 5d pop ebp
SYMBOL_STACK_INDEX: 6
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: CLASSPNP!ClassCompleteRequest+11
MODULE_NAME: CLASSPNP
IMAGE_NAME: CLASSPNP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 41107ec2
STACK_COMMAND: .trap ffffffff80548b24 ; kb
FAILURE_BUCKET_ID: 0xA_W_CLASSPNP!ClassCompleteRequest+11
BUCKET_ID: 0xA_W_CLASSPNP!ClassCompleteRequest+11
Followup: MachineOwner
---------