BSOD Windows XP

[pimpo]

Hello,

I have a Pc with XP SP3 which is continously resetting. I can´t see the error of bluescreen screen. I tried the safe mode but it didn´t work because the PC resetted again. Whit the last known configuration it didn´t work too. With the same disk and another PC I could logged in the Pc but after a short period of time it resetted again. Before I logged in the PC I got the message:

The system proccess C:\Windows\system32\services.exe terminated Unexpectedly with Status Code... (I can´t see anymore)

I could get the minidump file and from it:

PAGE_FAULT_IN_NONPAGED_AREA 0x10000050 0xfff7fff8 0x00000000 0x80551211 0x00000000 ntoskrnl.exe ntoskrnl.exe+7a211


Could anybody help me to debug the error and to know the cause?

 

[RaDiKaL_]

Sounds a memory related issue, test your RAM modules one by one using memtest86, it could also be related to your virtual memory (page file in your hard drive), while testing your ram modules you could connect your HDD to another pc and run a chkdsk /r on it to repair it.

 

[pimpo]

Thanks Radikal

Here is the result of windbg:

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fff7fff8, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80551211, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from 805630e8
GetPointerFromAddress: unable to read from 805630e0
GetUlongFromAddress: unable to read from 80567ce8
fff7fff8

FAULTING_IP:
nt!ExFreePoolWithTag+23a
80551211 668b4efa mov cx,word ptr [esi-6]

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 6

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: explorer.exe

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER: from 80585717 to 80551211

STACK_TEXT:
aa401c3c 80585717 fff7fffe 00000000 e2e01cd8 nt!ExFreePoolWithTag+0x23a
aa401c58 805db77e e2e06828 e2e01cd8 e100dad4 nt!CmpCleanUpKcbValueCache+0x51
aa401c6c 805db82a e2e06828 e2667b60 80572e7c nt!CmpCleanUpKcbCacheWithLock+0x19
aa401c78 80572e7c aa401c8c 80572dbd e2e01cd8 nt!CmpGetDelayedCloseIndex+0x16
aa401c80 80572dbd e2e01cd8 aa401c98 80572d86 nt!CmpAddToDelayedClose+0xa
aa401c8c 80572d86 e2e01cd8 aa401cb0 80573475 nt!CmpDereferenceKeyControlBlockWithLock+0x50
aa401c98 80573475 e2e01cd8 00000000 e2cd9ea0 nt!CmpDereferenceKeyControlBlock+0x12
aa401cb0 8056d73d e2cd9eb8 00000000 e2cd9ea0 nt!CmpDeleteKeyObject+0x92
aa401ccc 804e1947 e2cd9eb8 00000000 000004e2 nt!ObpRemoveObjectRoutine+0xe0
aa401ce4 8056fba7 81598298 e29fa430 81585ba0 nt!ObfDereferenceObject+0x4c
aa401cfc 8056fac5 e29fa430 e2cd9eb8 000004e2 nt!ObpCloseHandleTableEntry+0x155
aa401d44 8056fb0f 000004e2 00000001 00000000 nt!ObpCloseHandle+0x87
aa401d58 804dd98f 000004e2 019df6fc 7c91e4f4 nt!NtClose+0x1d
aa401d58 7c91e4f4 000004e2 019df6fc 7c91e4f4 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
019df6fc 00000000 00000000 00000000 00000000 0x7c91e4f4


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!ExFreePoolWithTag+23a
80551211 668b4efa mov cx,word ptr [esi-6]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!ExFreePoolWithTag+23a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48025de7

IMAGE_VERSION: 5.1.2600.5512

FAILURE_BUCKET_ID: 0x50_nt!ExFreePoolWithTag+23a

BUCKET_ID: 0x50_nt!ExFreePoolWithTag+23a

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x50_nt!exfreepoolwithtag+23a

FAILURE_ID_HASH: {772a6cc1-5eb2-1276-2b6d-082fdec5b7df}

Followup: MachineOwner
---------

Do you see any more? I will try memtest.

 

[RaDiKaL_]

Let's see what memtest finds out.