Before i post my debug logs id like to mention that all these stops started on win2000 server which i upgraded to win2003 server. only devices that i came from old system are : memory; video card; hard disk and network interface card (and also 8signs firewall software).
Yesterday i applied SP1 and it didnot changed anything - stops continue to happen.
This is my last debug log (without symbols installed yet) :
Microsoft (R) Windows Debugger Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [*********]
Kernel Complete Dump File: Full address space is available
Symbol search path is: *** Invalid ***
************************************************** **************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
************************************************** **************************
Executable search path is:
************************************************** *******************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
************************************************** *******************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntoskrnl.exe -
Windows Server 2003 Kernel Version 3790 (Service Pack 1) UP Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_rtm.050324-1447
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
Debug session time: Thu Jul 14 02:19:41.359 2005 (GMT+3)
System Uptime: 0 days 3:56:08.938
************************************************** *******************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
************************************************** *******************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntoskrnl.exe -
Loading Kernel Symbols
.................................................. ...................................
Loading unloaded module list
.......
Loading User Symbols
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {cfbb440, 2, 1, 8082d69f}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Module load completed but symbols could not be loaded for afd.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for tcpip.sys -
************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for TDI.SYS -
Probably caused by : TDI.SYS ( TDI+1064 )
Followup: MachineOwner
---------
kd> !analyze -v
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0cfbb440, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8082d69f, address which referenced memory
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************
MODULE_NAME: TDI
FAULTING_MODULE: 80800000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 42435cd6
WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
0cfbb440
CURRENT_IRQL: 2
FAULTING_IP:
nt!MmUnlockPages+112
8082d69f c20400 ret 0x4
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 8082d69f to 80826493
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f78e29a0 8082d69f badb0d00 867dde40 f78e29d0 nt!Kei386EoiHelper+0x2897
f78e2a38 f6df3c68 84935ca8 849499c8 f78e2a60 nt!MmUnlockPages+0x112
f78e2a78 f6e3ffe2 00000e20 f6e3ffe2 8580e630 afd+0x1dc68
f78e2ae4 f6e3f7ca 866305c8 00001850 f78e2c3c tcpip!IPRcvComplete+0x236e
f78e2ba4 f6e3df9f 86712008 0be115d5 0be115d5 tcpip!IPRcvComplete+0x1b56
f78e2c04 f6e3d9e8 00000024 8644b120 f6e3f54d tcpip!IPRcvComplete+0x32b
f78e2cb8 f6e42fb6 86712008 f78e2d30 0000001c tcpip!IPRcvPacket+0x262
f78e2d64 f75f8064 f6e776c0 86712008 867a2020 tcpip!IPRcvComplete+0x5342
f78e2d80 808203bd 86712008 00000000 867a2020 TDI+0x1064
f78e2dac 80905d2c f6e776c0 00000000 00000000 nt!KeRemoveQueue+0x274
f78e2ddc 80828499 80820300 00000001 00000000 nt!ObGetObjectSecurity+0x107
00000000 00000000 00000000 00000000 00000000 nt!strchr+0x26a
FOLLOWUP_IP:
TDI+1064
f75f8064 5f pop edi
SYMBOL_STACK_INDEX: 8
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: TDI+1064
IMAGE_NAME: TDI.SYS
STACK_COMMAND: kb
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
I can only add that this stop has "Bugcheck String: 0x0000000a" but previous stop had different bugcheck : " Bugcheck String: 0x00000050". Also previous debug log had "IMAGE_NAME: AFD.SYS".
Any comments ?
Yesterday i applied SP1 and it didnot changed anything - stops continue to happen.
This is my last debug log (without symbols installed yet) :
Microsoft (R) Windows Debugger Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [*********]
Kernel Complete Dump File: Full address space is available
Symbol search path is: *** Invalid ***
************************************************** **************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
************************************************** **************************
Executable search path is:
************************************************** *******************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
************************************************** *******************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntoskrnl.exe -
Windows Server 2003 Kernel Version 3790 (Service Pack 1) UP Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_rtm.050324-1447
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
Debug session time: Thu Jul 14 02:19:41.359 2005 (GMT+3)
System Uptime: 0 days 3:56:08.938
************************************************** *******************
* Symbols can not be loaded because symbol path is not initialized. *
* *
* The Symbol Path can be set by: *
* using the _NT_SYMBOL_PATH environment variable. *
* using the -y <symbol_path> argument when starting the debugger. *
* using .sympath and .sympath+ *
************************************************** *******************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntoskrnl.exe -
Loading Kernel Symbols
.................................................. ...................................
Loading unloaded module list
.......
Loading User Symbols
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {cfbb440, 2, 1, 8082d69f}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** ERROR: Module load completed but symbols could not be loaded for afd.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for tcpip.sys -
************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for TDI.SYS -
Probably caused by : TDI.SYS ( TDI+1064 )
Followup: MachineOwner
---------
kd> !analyze -v
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0cfbb440, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8082d69f, address which referenced memory
Debugging Details:
------------------
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
************************************************** ***********************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
************************************************** ***********************
MODULE_NAME: TDI
FAULTING_MODULE: 80800000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 42435cd6
WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
0cfbb440
CURRENT_IRQL: 2
FAULTING_IP:
nt!MmUnlockPages+112
8082d69f c20400 ret 0x4
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
LAST_CONTROL_TRANSFER: from 8082d69f to 80826493
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f78e29a0 8082d69f badb0d00 867dde40 f78e29d0 nt!Kei386EoiHelper+0x2897
f78e2a38 f6df3c68 84935ca8 849499c8 f78e2a60 nt!MmUnlockPages+0x112
f78e2a78 f6e3ffe2 00000e20 f6e3ffe2 8580e630 afd+0x1dc68
f78e2ae4 f6e3f7ca 866305c8 00001850 f78e2c3c tcpip!IPRcvComplete+0x236e
f78e2ba4 f6e3df9f 86712008 0be115d5 0be115d5 tcpip!IPRcvComplete+0x1b56
f78e2c04 f6e3d9e8 00000024 8644b120 f6e3f54d tcpip!IPRcvComplete+0x32b
f78e2cb8 f6e42fb6 86712008 f78e2d30 0000001c tcpip!IPRcvPacket+0x262
f78e2d64 f75f8064 f6e776c0 86712008 867a2020 tcpip!IPRcvComplete+0x5342
f78e2d80 808203bd 86712008 00000000 867a2020 TDI+0x1064
f78e2dac 80905d2c f6e776c0 00000000 00000000 nt!KeRemoveQueue+0x274
f78e2ddc 80828499 80820300 00000001 00000000 nt!ObGetObjectSecurity+0x107
00000000 00000000 00000000 00000000 00000000 nt!strchr+0x26a
FOLLOWUP_IP:
TDI+1064
f75f8064 5f pop edi
SYMBOL_STACK_INDEX: 8
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: TDI+1064
IMAGE_NAME: TDI.SYS
STACK_COMMAND: kb
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------
I can only add that this stop has "Bugcheck String: 0x0000000a" but previous stop had different bugcheck : " Bugcheck String: 0x00000050". Also previous debug log had "IMAGE_NAME: AFD.SYS".
Any comments ?