Problem debugging dump file with WinDbg

  • Question

  • I've followed a load of tutorials on how to do this, but I can't seem to get it working.

    The error (BSOD) is occurring on Windows 7 Professional x86, and I am trying to debug on the same setup.

    In WinDbg, I keep getting the following errors:

    *** WARNING: Unable to verify timestamp for ntkrnlpa.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntkrnlpa.exe
    
    ---
    
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
    
    ---
    
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: nt!_IRP                                       ***
    ***                                                                   ***
    *************************************************************************

    I've tried all sorts to fix it...

    - I've reinstalled the Windows SDK

    - I've manually input the path to the MS site ( SRV*C:\Temp\symbols*http://msdl.microsoft.com/download/symbols ) into symbol search path

    - I've set up the environment variable "_NT_SYMBOL_PATH" with SRV*C:\Temp\symbols*http://msdl.microsoft.com/download/symbols as its value

    - I've downloaded the 1.5GB symbols pack from the Microsoft site

    - I've tried various dump files, all got the same error

    - I've given myself access to %windir%\ntkrnlpa.exe in case it is trying to load something from there - nothing going.

    And now I'm stuck. Everyone else seems to be able to debug dump files but me? I can see the generic error but because the symbols fail to load I can't see what's causing it!

     

    Thanks for any help.

    Thursday, January 19, 2012 9:23 AM

Answers

  • Tried everything in that article - nothing works. Also bearing in mind we're on Windows 7, we don't have an i386 folder.

     

    Dump (I'd rather find out how to do them myself, but here you go):

    https://skydrive.live.com/redir.aspx?cid=91edc982c048bf5f&resid=91EDC982C048BF5F!142&parid=91EDC982C048BF5F!141&authkey=!AIVxmvUN801O_YE

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    DRIVER_POWER_STATE_FAILURE (9f)
    A driver is causing an inconsistent power state.
    Arguments:
    Arg1: 00000003, A device object has been blocking an Irp for too long a time
    Arg2: 848bfc40, Physical Device Object of the stack
    Arg3: 8078adb0, Functional Device Object of the stack
    Arg4: 84aa7e00, The blocked IRP
    Debugging Details:
    ------------------
    DRVPOWERSTATE_SUBCODE:  3
    IMAGE_NAME:  ntkrpamp
    DEBUG_FLR_IMAGE_TIMESTAMP:  0
    FAULTING_MODULE: 8f137000 ndiswan
    IRP_ADDRESS:  84aa7e00
    DEVICE_OBJECT: 85a32028
    DRIVER_OBJECT: 85873030
    CUSTOMER_CRASH_COUNT:  1
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    BUGCHECK_STR:  0x9F
    PROCESS_NAME:  TemperatureSer
    CURRENT_IRQL:  2
    STACK_TEXT:  
    8078ad64 82ac6f35 0000009f 00000003 848bfc40 nt!KeBugCheckEx+0x1e
    8078add0 82ac6fae 8078ae70 00000000 8681e400 nt!PopCheckIrpWatchdog+0x1f5
    8078ae08 82a7a039 82b43a60 00000000 0446696a nt!PopCheckForIdleness+0x73
    8078ae4c 82a79fdd 82b2bd20 8078af78 00000001 nt!KiProcessTimerDpcTable+0x50
    8078af38 82a79e9a 82b2bd20 8078af78 00000000 nt!KiProcessExpiredTimerList+0x101
    8078afac 82a7800e 00038006 9c8c7cc0 00000000 nt!KiTimerExpiration+0x25c
    8078aff4 82a777dc 9c8c7c70 00000000 00000000 nt!KiRetireDpcList+0xcb
    8078aff8 9c8c7c70 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x2c
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    82a777dc 00000000 0000001a 00d6850f bb830000 0x9c8c7c70
    STACK_COMMAND:  kb
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: ntkrpamp
    FAILURE_BUCKET_ID:  0x9F_3_IMAGE_ntkrpamp
    BUCKET_ID:  0x9F_3_IMAGE_ntkrpamp
    Followup: MachineOwner
    ---------
    ---------------------------------------------------------------------
    Your BSOD is caused by issues / conflicts with ndiswan.sys driver. See that: http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/f492544b-a4d7-4441-8155-8a522f141a3d
    Please update your NIC drivers and disable all security software that you have. Once done, check results.
    For WinDbg configuration, you can add srv*c:\symbols*http://msdl.microsoft.com/download/symbols as a symbol path and then start reloading symbols.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.  

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Proposed as answer by zhen tan Tuesday, January 24, 2012 12:54 PM
    • Marked as answer by Nicholas Li Friday, January 27, 2012 6:50 AM
    Friday, January 20, 2012 10:22 PM
  • In this case the analysis doesn't lead to a conclusive result (sorry Mr.
    X, ndiswan isn't the cause...). Looking at the dump, my hunch is that
    McAfee is causing issues (since it hasn't been updated),
     
    88e00000 88e0df00   mfetdik  mfetdik.sys  Wed Jan 06 15:07:34 2010 (4B4509A6)
    88e3b000 88e8cec0   mfehidk  mfehidk.sys  Wed Jan 06 15:06:49 2010 (4B450979)
    9896a000 9896fd60   firelm01 firelm01.sys Mon May 10 16:57:26 2010 (4BE88F56)
     
    My recommendation would be to either update it or remove it. If you need
    a free antivirus solution, Microsoft Security Essentials does well enough...
     
    Additionally, the network driver appears to be out of date,
     
    8e8ae000 8e8e6000   e1e6032  e1e6032.sys  Tue Mar 24 12:16:11 2009 (49C9236B)
     
    Additionally, your BIOS may also be behind (yours is from 2009),
     
    0: kd> !sysinfo machineid
    Machine ID Information [From Smbios 2.5, DMIVersion 37, Size=2198]
    BiosMajorRelease = 1
    BiosMinorRelease = 28
    BiosVendor = Hewlett-Packard
    BiosVersion = 786F1 v01.28
    BiosReleaseDate = 02/26/2009
    SystemManufacturer = Hewlett-Packard
    SystemProductName = HP Compaq dc7800p Small Form Factor
    SystemFamily = 103C_53307F
    SystemVersion =
    SystemSKU = GC760AV
    BaseBoardManufacturer = Hewlett-Packard
    BaseBoardProduct = 0AA8h
     

    -- Mike Burr
    Interesting Reading on Technology and Finance
    • Marked as answer by Nicholas Li Friday, January 27, 2012 6:51 AM
    Saturday, January 21, 2012 11:45 PM
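
The answer above judges drivers by the build dates in the debugger's module list. As an added example (not part of the original post), this Python script decodes the hexadecimal value in parentheses, which is the image's PE TimeDateStamp in seconds since 1970-01-01 UTC, and lists modules older than a threshold. The module lines are copied from the post; the reference date and the 365-day threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Module lines copied from the post; the last one keeps the wrapped "(hex)" line.
LM_OUTPUT = """\
88e00000 88e0df00   mfetdik  mfetdik.sys  Wed Jan 06 15:07:34 2010 (4B4509A6)
88e3b000 88e8cec0   mfehidk  mfehidk.sys  Wed Jan 06 15:06:49 2010 (4B450979)
9896a000 9896fd60   firelm01 firelm01.sys Mon May 10 16:57:26 2010 (4BE88F56)
8e8ae000 8e8e6000   e1e6032  e1e6032.sys  Tue Mar 24 12:16:11 2009
(49C9236B)
"""

LINE_RE = re.compile(
    r"^(?P<start>[0-9a-fA-F]{8})\s+(?P<end>[0-9a-fA-F]{8})\s+"
    r"(?P<module>\S+)\s+(?P<image>\S+)\s+.*\((?P<stamp>[0-9A-Fa-f]{8})\)\s*$"
)


def parse_modules(text):
    """Return one dict per module line; lines that do not match are skipped."""
    # Rejoin a "(hex)" timestamp that was wrapped onto its own line.
    text = re.sub(r"\n\s*(\([0-9A-Fa-f]{8}\))", r" \1", text)
    modules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Decode in UTC; the text date on the line is in the debugger's local time.
        built = datetime.fromtimestamp(int(m["stamp"], 16), tz=timezone.utc)
        modules.append({"module": m["module"], "image": m["image"], "built": built})
    return modules


def stale_modules(text, reference, max_age_days):
    """Modules built more than max_age_days before reference, oldest first."""
    stale = []
    for mod in parse_modules(text):
        age = (reference - mod["built"]).days
        if age > max_age_days:
            stale.append((mod["image"], mod["built"].date().isoformat(), age))
    return sorted(stale, key=lambda row: row[2], reverse=True)


# Assumed reference date: the day the answer was posted. The crash time is not on the page.
REFERENCE = datetime(2012, 1, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    for image, built, age in stale_modules(LM_OUTPUT, REFERENCE, max_age_days=365):
        print(f"{image:<14} built {built} UTC  ({age} days old)")
```

A build date only shows that an image is old, not that it is at fault; it narrows down which vendor updates to check first.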
  • In this case the analysis doesn't lead to a conclusive result (sorry Mr.
    X, ndiswan isn't the cause...). looking at the dump, my hunch is that
    McAfee is causing issues (since it hasn't been updated),

    I did not say that ndiswan is the cause. I said that the BSOD is caused by issues / conflicts with ndiswan.sys driver.

    As a recommendation I gave: Please update your NIC drivers and disable all security software that you have.




    • Marked as answer by Nicholas Li Friday, January 27, 2012 6:50 AM
    Sunday, January 22, 2012 11:41 AM

All replies

  • Hello,

    Please use Microsoft Skydrive to upload dump files (c:\windows\minidump). Once done, post a link here.

    If you want to debug dump files by yourself, refer to that: http://support.microsoft.com/kb/315263

    You can also contact Microsoft CSS for assistance.




    Thursday, January 19, 2012 8:57 PM
  • Tried everything in that article - nothing works. Also bearing in mind we're on Windows 7, we don't have an i386 folder.

     

    Dump (I'd rather find out how to do them myself, but here you go):

    https://skydrive.live.com/redir.aspx?cid=91edc982c048bf5f&resid=91EDC982C048BF5F!142&parid=91EDC982C048BF5F!141&authkey=!AIVxmvUN801O_YE

    Friday, January 20, 2012 8:58 AM
  • I always use the below

     

    windbg -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i c:\windows\i386 -z c:\windows\minidump\minidump.dmp

    Use the srv*c:\symbols... exactly as they have put it.

    -i should relate to where the installation files for the OS lie, so if you have a CD with the files on and the CD drive is d:\ simply put -i d:\ or if you have a USB drive with them on and the USB shows as the e:\ drive simply put e:\

    -z relates to the location of the .dmp file including the extension on the end.

    So for me, I usually have a USB key in with the installation files on it which will be my e:\ drive, and I always save the .dmp file to the root of my c:\ and rename the .dmp file to the name of the person who has given me the .dmp file to check.

    So for me it would look like (go to c:\program files, shift right click on Debugging Tools for Windows and run command prompt from here):

     windbg -y srv*c:\symbols*http://msdl.microsoft.com/download/symbols -i e:\ -z c:\usersname.dmp

    Works like a treat every time for me... once the debugger has finished type !analyze -v (it will say this on screen) to give the full details

    hope this helps

    Friday, January 20, 2012 2:18 PM