
Help me analyze this MEMORY.DMP file please...

InlineFive

Hey folks,

To make a long story short. I have a Latitude D630 with the latest BIOS running Vista Ultimate. Recently it's been just fine and dandy.

A week ago I decided to use EFS on my entire user directory from the root in addition to the volume being BitLocked. I also backed up the files and installed the latest updates from MU. Then the machine would always BSOD on boot.

I reinstalled Windows and it was fine until I installed all of the updates again. BSOD on boot. The basic MEMORY.DMP analysis didn't help me much so I did the verbose one. Hopefully someone can help me make something of it.

Thanks in advance for your time! Much appreciated!

I5

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Thaddeus\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\debug*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6000.16575.x86fre.vista_gdr.071009-1548
Kernel base = 0x81800000 PsLoadedModuleList = 0x81911e10
Debug session time: Tue Feb 5 21:32:24.023 2008 (GMT-6)
System Uptime: 0 days 0:02:26.804
Loading Kernel Symbols
..............................................................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
Loading unloaded module list
....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1904ab, a61d3870, a61d356c, 818e752b}

Page 632ec not present in the dump file. Type ".hh dbgerr004" for details

PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details

PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
Probably caused by : Ntfs.sys ( Ntfs!NtfsContinueIndexEnumeration+196 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904ab
Arg2: a61d3870
Arg3: a61d356c
Arg4: 818e752b

Debugging Details:
------------------

Page 632ec not present in the dump file. Type ".hh dbgerr004" for details

PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details

PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details

EXCEPTION_RECORD: a61d3870 -- (.exr 0xffffffffa61d3870)
ExceptionAddress: 818e752b (nt!ExAllocatePoolWithTag+0x00000520)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000004
Attempt to write to address 00000004

CONTEXT: a61d356c -- (.cxr 0xffffffffa61d356c)
eax=00000000 ebx=8322e184 ecx=8322d2ec edx=00000001 esi=8322d0d0 edi=00f006ec
eip=818e752b esp=a61d3938 ebp=a61d3984 iopl=0 nv up ei pl nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010207
nt!ExAllocatePoolWithTag+0x520:
818e752b 894804 mov dword ptr [eax+4],ecx ds:0023:00000004=????????
Resetting default scope

PROCESS_NAME: TrustedInstalle

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

WRITE_ADDRESS: 00000004

BUGCHECK_STR: 0x24

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from 873265d9 to 818e752b

STACK_TEXT:
a61d3984 873265d9 00000011 00000100 4946744e nt!ExAllocatePoolWithTag+0x520
a61d39d0 8732991f 8c1f4758 8ebd8598 8805a760 Ntfs!NtfsContinueIndexEnumeration+0x196
a61d3bc8 87329286 8c1f4758 8c9b69a0 84a0f0d8 Ntfs!NtfsQueryDirectory+0x647
a61d3bfc 87328ff4 8c1f4758 8ebd8598 a69a118d Ntfs!NtfsCommonDirectoryControl+0x21c
a61d3c64 81827f83 84a0f020 8c9b69a0 8c9b69a0 Ntfs!NtfsFsdDirectoryControl+0xf4
a61d3c7c 80723a5c 84a111d8 8c9b69a0 00000000 nt!IofCallDriver+0x63
a61d3ca0 80723c18 a61d3cc0 84a111d8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x22a
a61d3cd8 81827f83 84a111d8 8c9b69a0 8c9b69a0 fltmgr!FltpDispatch+0xc2
a61d3cf0 81988f37 000001e4 00a5e168 8198fcd3 nt!IofCallDriver+0x63
a61d3d10 8198fd2e 84a111d8 a49a4338 00000001 nt!IopSynchronousServiceTail+0x1e0
a61d3d30 8188caaa 000001e4 00000000 00000000 nt!NtQueryDirectoryFile+0x5b
a61d3d30 775e0f34 000001e4 00000000 00000000 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
00a5e1a4 00000000 00000000 00000000 00000000 0x775e0f34


FOLLOWUP_IP:
Ntfs!NtfsContinueIndexEnumeration+196
873265d9 894658 mov dword ptr [esi+58h],eax

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: Ntfs!NtfsContinueIndexEnumeration+196

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 47214597

STACK_COMMAND: .cxr 0xffffffffa61d356c ; kb

FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsContinueIndexEnumeration+196

BUCKET_ID: 0x24_Ntfs!NtfsContinueIndexEnumeration+196

Followup: MachineOwner
---------
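An added example, not part of the original post: a short Python triage of the exception record shown above. It checks that the faulting instruction's memory operand, computed from the saved registers, matches the address in the exception record, which is how the NULL_CLASS_PTR_DEREFERENCE bucket can be confirmed by hand. The function name `triage` and the NULL-pointer heuristic are assumptions of this example; the sample text is an excerpt of the debugger output in the post.

```python
import re

# Excerpt copied from the !analyze -v output posted above (x86 kernel dump).
SAMPLE = """\
EXCEPTION_RECORD: a61d3870 -- (.exr 0xffffffffa61d3870)
ExceptionAddress: 818e752b (nt!ExAllocatePoolWithTag+0x00000520)
ExceptionCode: c0000005 (Access violation)
Parameter[0]: 00000001
Parameter[1]: 00000004
CONTEXT: a61d356c -- (.cxr 0xffffffffa61d356c)
eax=00000000 ebx=8322e184 ecx=8322d2ec edx=00000001 esi=8322d0d0 edi=00f006ec
818e752b 894804 mov dword ptr [eax+4],ecx ds:0023:00000004=????????
STACK_TEXT:
a61d3984 873265d9 00000011 00000100 4946744e nt!ExAllocatePoolWithTag+0x520
a61d39d0 8732991f 8c1f4758 8ebd8598 8805a760 Ntfs!NtfsContinueIndexEnumeration+0x196
a61d3bc8 87329286 8c1f4758 8c9b69a0 84a0f0d8 Ntfs!NtfsQueryDirectory+0x647
"""

# First exception parameter of an access violation (0xC0000005).
ACCESS = {0: "read", 1: "write", 8: "execute (DEP)"}

def triage(text):
    """Cross-check the exception record against the faulting instruction."""
    params = {int(i): int(v, 16)
              for i, v in re.findall(r"Parameter\[(\d)\]: ([0-9a-f]+)", text)}
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})", text)}
    # Memory operand of the faulting instruction, e.g. [eax+4] (hex displacement).
    base, disp = re.search(r"\[(e[a-z]{2})\+([0-9a-f]+)h?\]", text).groups()
    effective = regs[base] + int(disp, 16)
    # Stack rows: child EBP, return address, three args, then module!symbol.
    frames = re.findall(r"^[0-9a-f]{8} [0-9a-f]{8} .* (\S+!\S+)$", text, re.M)
    return {
        "access": ACCESS.get(params[0], "unknown"),
        "fault_address": params[1],
        "base_register": base,
        "operand_matches_record": effective == params[1],
        # Heuristic (assumption): a zero base register plus a small offset
        # lands in the low 64 KiB that Windows normally leaves unmapped.
        "null_derived": regs[base] == 0 and params[1] < 0x10000,
        "faulting_function": frames[0],
        "caller": next(f for f in frames if not f.startswith("nt!")),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On this dump the write faults inside nt!ExAllocatePoolWithTag itself, with Ntfs!NtfsContinueIndexEnumeration only the caller that requested the allocation.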
 
Originally posted by: InlineFive
Hey folks,

To make a long story short. I have a Latitude D630 with the latest BIOS running Vista Ultimate. Recently it's been just fine and dandy.

A week ago I decided to use EFS on my entire user directory from the root in addition to the volume being BitLocked. I also backed up the files and installed the latest updates from MU. Then the machine would always BSOD on boot.

I reinstalled Windows and it was fine until I installed all of the updates again. BSOD on boot. The basic MEMORY.DMP analysis didn't help me much so I did the verbose one. Hopefully someone can help me make something of it.

Thanks in advance for your time! Much appreciated!

I5

See my web page, configure the debugger, post the output of '!analyze -v' after you have it configured.
 
Thanks - you updated your original post to include the full output of the debugger.

If you chkdsk /p C: (I think it's the /p parameter - you want the option to fix all issues) from Windows Recovery Console / Recovery Environment (boot from your CD/DVD and run it) does anything change?
 
Originally posted by: dclive
Thanks - you updated your original post to include the full output of the debugger.

If you chkdsk /p C: (I think it's the /p parameter - you want the option to fix all issues) from Windows Recovery Console / Recovery Environment (boot from your CD/DVD and run it) does anything change?

Okay I did that and it worked fine for a little while. This Tuesday I installed one of the SP1 prerequisite packs and that worked fine. However the Malicious Software Removal Tool would refuse to install. It would install and then appear in WU again.

This time upon rebooting the system it crashes upon boot again. However I can't find a way to pause the BSOD so I can't see the error. Safe Mode and Last Known Good Configuration don't work.

I'm going to try and get SP1 to slipstream and see if that fixes it.
 
I don't understand what you're saying.

You're saying you ran CHKDSK and that fixed it for a little while, and then you rebooted a few times and now it crashes at bootup again (right?)

XP SP2 has a bootup option on the F8 menu to disable automatic restarts for that one bootup; I'm not on a Vista machine right now but I thought Vista had the same option?

Slipstreaming SP1 doesn't do anything different from a normal install of SP1 (aside from the fact you can't then uninstall it).


 
Originally posted by: dclive
I don't understand what you're saying.

You're saying you ran CHKDSK and that fixed it for a little while, and then you rebooted a few times and now it crashes at bootup again (right?)

XP SP2 has a bootup option on the F8 menu to disable automatic restarts for that one bootup; I'm not on a Vista machine right now but I thought Vista had the same option?

Slipstreaming SP1 doesn't do anything different from a normal install of SP1 (aside from the fact you can't then uninstall it).

It worked fine until the SP1 prereq and Malicious Software Tool were purportedly installed. Then it started crashing again.
 
I would just point out that there is no slipstreaming capability in SP1. There is a tedious manual process that in the end will give you a full Vista build with SP1, but it basically involves installing Vista RTM, installing SP1, running some tools to generalize the machine and then capturing the image.
 
Originally posted by: stash
I would just point out that there is no slipstreaming capability in SP1. There is a tedious manual process that in the end will give you a full Vista build with SP1, but it basically involves installing Vista RTM, installing SP1, running some tools to generalize the machine and then capturing the image.

Hi, stash.

I think I understand you, but I hope I don't. Are you really saying that we won't be able to slipstream SP1 into Vista RTM? Future installations of this OS will mean that we have to install the OS first, then install the latest SP?

If this is so, does it have something to do with the complex DVD image that lets us install our choice of Vista versions based upon the product key used?
 
Are you really saying that we won't be able to slipstream SP1 into Vista RTM?
Unfortunately, yes. There is no supported way of doing this. The help file for the Windows Automated Install Kit (WAIK) includes a 12-step process to update Vista RTM images to SP1. But it is generally much easier to make a new image from a Vista DVD that has SP1 integrated. These DVDs will be available from MS on MSDN, TechNet, Volume Licensing Site, and retail.

The WAIK process is basically this:

* install a bunch of hotfixes
* Install WAIK 1.1
* Apply the image to a machine using ImageX
* Boot into the machine and download the standalone SP1 update.
* Apply the service pack and reboot when prompted.
* Run sysprep /generalize
* Boot into Windows PE (you also need to update your PE images, because you can't use PE 2.0 and the RTM servicing stack with SP1 images)
* Optionally run VSP1CLN to reclaim disk space used during the SP1 install
* Run postreflect to install the updated drivers for the HAL and kernel
* Capture the image using ImageX

If this is so, does it have something to do with the complex DVD image that lets us install our choice of Vista versions based upon the product key used?
The issue has to do with the servicing stack in Vista, which cannot be updated offline. Since the stack needed to be updated for SP1, there's no way to slipstream SP1, since you can't update the stack offline.
 
Thanks for the explanation, stash.

Yeah, I was ready to get my knickers into a twist, but realized after posting that the integrated image would be available online anyway. I love my Technet subscription. And I love the VLA at work. But I know there are people among my friends and family who will be presenting me with their Vista upgrade and OEM discs at some point in time and asking me to reinstall for them. And this will happen, of course, when I'm far from home and my own copies of the software.
 
Okay, it looks like this is probably an issue caused by one of the SP1 "readiness" packages. It has caused this computer to BSOD, another gave WU errors until restarted a few times. The only machine unaffected is one that has SP1 RC1 installed. Looks like this isn't uncommon from what I've seen from a quick Google search.
 