Help Reading Dump File

shanenin

By shanenin,
in Windows 10, 8, 7, Vista, and XP

 Share Followers 0

Recommended Posts

shanenin

shanenin

Posted
Posted

I am trying to make some sence out of reading a .dmp file. Below is the output I am getting. Any thoughts to what this error means?

I am not sure if the .dmp file loaded properly. Does the error below refer to the memory dump or an improperly loaded .dmp file?

Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini121808-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\WINDOWS\Symbols
Executable search path is: C:\Windows\I386

Unable to load image ntoskrnl.exe, Win32 error 0n2
Loading symbols for 804d7000	 ntoskrnl.exe ->   ntoskrnl.exe
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
ModLoad: 804d7000 806cf680   ntoskrnl.exe
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x80554040
Debug session time: Thu Dec 18 20:34:10.353 2008 (GMT-6)
System Uptime: 0 days 5:09:37.046
Unable to load image ntoskrnl.exe, Win32 error 0n2
Loading symbols for 804d7000	 ntoskrnl.exe ->   ntoskrnl.exe
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
ModLoad: 804d7000 806cf680   ntoskrnl.exe
Loading Kernel Symbols
.ModLoad: 806d0000 806f0300   hal.dll 
.ModLoad: bada8000 bada9b80   kdcom.dll
.ModLoad: bacb8000 bacbb000   BOOTVID.dll
.ModLoad: ba779000 ba7a6d80   ACPI.sys
.ModLoad: badaa000 badab100   WMILIB.SYS
.ModLoad: ba768000 ba778a80   pci.sys 
.ModLoad: ba8a8000 ba8b1180   isapnp.sys
.ModLoad: bae70000 bae70d00   pciide.sys
.ModLoad: bab28000 bab2e180   PCIIDEX.SYS
.ModLoad: ba8b8000 ba8c2580   MountMgr.sys
.ModLoad: ba749000 ba767880   ftdisk.sys
.ModLoad: badac000 badad700   dmload.sys
.ModLoad: ba723000 ba748700   dmio.sys
.ModLoad: bab30000 bab34d00   PartMgr.sys
.ModLoad: ba8c8000 ba8d4c80   VolSnap.sys
.ModLoad: ba70b000 ba722900   atapi.sys
.ModLoad: ba6f1000 ba70ac00   nvata.sys
.ModLoad: ba8d8000 ba8e0e00   disk.sys
.ModLoad: ba8e8000 ba8f4180   CLASSPNP.SYS
.ModLoad: ba6d1000 ba6f0b00   fltMgr.sys
.ModLoad: ba6bf000 ba6d0f00   sr.sys  
.ModLoad: ba6a8000 ba6be880   KSecDD.sys
.ModLoad: ba695000 ba6a7f00   WudfPf.sys
.ModLoad: ba608000 ba694600   Ntfs.sys
.ModLoad: ba5db000 ba607980   NDIS.sys
.ModLoad: ba5c1000 ba5dab80   Mup.sys 
.ModLoad: baa78000 baa86000   AmdK8.sys
.ModLoad: baa88000 baa97c00   serial.sys
.ModLoad: bad5c000 bad5fd80   serenum.sys
.ModLoad: ba565000 ba578900   parport.sys
.ModLoad: baa98000 baaa4d00   i8042prt.sys
.ModLoad: bac70000 bac76000   kbdclass.sys
.ModLoad: bac78000 bac7c300   usbohci.sys
.ModLoad: ba541000 ba564200   USBPORT.SYS
.ModLoad: bac80000 bac87600   usbehci.sys
.ModLoad: bac88000 bac8d200   RTL8139.SYS
.ModLoad: ba519000 ba541000   HDAudBus.sys
.ModLoad: baaa8000 baab2480   imapi.sys
.ModLoad: baab8000 baac5440   AFS2K.SYS
.ModLoad: baac8000 baad7600   cdrom.sys
.ModLoad: baad8000 baae6100   redbook.sys
.ModLoad: ba4f6000 ba518700   ks.sys  
.ModLoad: baae8000 baaf2000   nvnetbus.sys
.ModLoad: ba41b000 ba4f5b00   NVNRM.SYS
.ModLoad: ba03c000 ba403d60   nv4_mini.sys
.ModLoad: ba028000 ba03bf00   VIDEOPRT.SYS
.ModLoad: baf1a000 baf1ac00   audstub.sys
.ModLoad: ba938000 ba944880   rasl2tp.sys
.ModLoad: bad6c000 bad6e780   ndistapi.sys
.ModLoad: ba011000 ba027580   ndiswan.sys
.ModLoad: ba948000 ba952200   raspppoe.sys
.ModLoad: ba958000 ba963d00   raspptp.sys
.ModLoad: bac90000 bac94a80   TDI.SYS 
.ModLoad: ba000000 ba010e00   psched.sys
.ModLoad: ba968000 ba970900   msgpc.sys
.ModLoad: bac98000 bac9c580   ptilink.sys
.ModLoad: baca0000 baca4080   raspti.sys
.ModLoad: b9fd0000 b9fffe80   rdpdr.sys
.ModLoad: ba978000 ba981f00   termdd.sys
.ModLoad: baca8000 bacada00   mouclass.sys
.ModLoad: badee000 badef100   swenum.sys
.ModLoad: b9f4a000 b9fa7f00   update.sys
.
ModLoad: bad88000 bad8bc80   mssmbios.sys
.ModLoad: ba988000 ba991e80   NDProxy.SYS
.ModLoad: ba998000 ba9a6880   usbhub.sys
.ModLoad: badf2000 badf3280   USBD.SYS
.ModLoad: ba9a8000 ba9b6400   NVENETFD.sys
.ModLoad: b7412000 b788b000   RtkHDAud.sys
.ModLoad: b73ee000 b7411a80   portcls.sys
.ModLoad: ba9d8000 ba9e6b00   drmk.sys
.ModLoad: badf8000 badf9f00   Fs_Rec.SYS
.ModLoad: baf23000 baf23b80   Null.SYS
.ModLoad: badfa000 badfb080   Beep.SYS
.ModLoad: bab68000 bab6d200   vga.sys 
.ModLoad: badfc000 badfd080   mnmdd.SYS
.ModLoad: badfe000 badff080   RDPCDD.sys
.ModLoad: bab70000 bab74a80   Msfs.SYS
.ModLoad: bab78000 bab7f880   Npfs.SYS
.ModLoad: bad40000 bad42280   rasacd.sys
.ModLoad: b737a000 b738c600   ipsec.sys
.ModLoad: b7321000 b7379380   tcpip.sys
.ModLoad: b72f9000 b7320c00   netbt.sys
.ModLoad: b72d7000 b72f8d00   afd.sys 
.ModLoad: ba9e8000 ba9f0780   netbios.sys
.ModLoad: b72ac000 b72d6e80   rdbss.sys
.ModLoad: b723c000 b72ab780   mrxsmb.sys
.ModLoad: baa08000 baa12e00   Fips.SYS
.ModLoad: b7216000 b723b500   ipnat.sys
.ModLoad: baa18000 baa20700   wanarp.sys
.ModLoad: baa38000 baa47900   Cdfs.SYS
.ModLoad: bab80000 bab87d80   usbccgp.sys
.ModLoad: b9fb8000 b9fba880   hidusb.sys
.ModLoad: baa48000 baa51000   HIDCLASS.SYS
.ModLoad: bab88000 bab8e180   HIDPARSE.SYS
.ModLoad: baa68000 baa70900   LVUSBSta.sys
.ModLoad: b7922000 b7925b00   usbscan.sys
.ModLoad: bab90000 bab96500   usbprint.sys
.ModLoad: bab98000 bab9d440   HPZius12.sys
.ModLoad: b791e000 b7920f80   mouhid.sys
.ModLoad: baaf8000 bab04600   HPZid412.sys
.ModLoad: b7912000 b7915dc0   HPZipr12.sys
.ModLoad: b70f7000 b7110c00   dump_nvata.sys
.ModLoad: bae04000 bae05100   dump_WMILIB.SYS
.ModLoad: bf800000 bf9c2c80   win32k.sys
.ModLoad: bad9c000 bad9e900   Dxapi.sys
.ModLoad: babc0000 babc4500   watchdog.sys
.ModLoad: bf9c3000 bf9d4600   dxg.sys 
.ModLoad: bafae000 bafaed00   dxgthk.sys
.ModLoad: bf9d5000 bfe1e280   nv4_disp.dll
.ModLoad: b6576000 b6579900   ndisuio.sys
.ModLoad: b5ae4000 b5b10180   mrxdav.sys
.ModLoad: bae38000 bae39a80   ParVdm.SYS
.ModLoad: b5a42000 b5a93800   srv.sys 
.ModLoad: bac58000 bac5ca00   LVPr2Mon.sys
.ModLoad: b566d000 b5681480   wdmaud.sys
.ModLoad: b56b2000 b56c0d80   sysaudio.sys
.ModLoad: b5384000 b53c4a80   HTTP.sys
.ModLoad: b4ef9000 b4f23180   kmixer.sys

Loading User Symbols
Loading unloaded module list
..............................................
Loaded dbghelp extension DLL
Loaded ext extension DLL
Loaded exts extension DLL
Loaded kext extension DLL
Loaded kdexts extension DLL
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 19, {20, 8894a000, 8894a138, a270000}

Probably caused by : ntoskrnl.exe ( nt!KeContextToKframes+1eb )

Followup: MachineOwner
---------
---------

Link to post
Share on other sites
iccaros

iccaros

Posted
Posted

try this

http://www.iexbeta.com/board/lofiversion/i...php/t48617.html

are you getting a stop code..

There is no real error in this log. everything is loading, just a kernel stamp issue.

The loading of the Kernel is a issue, normally a bad drive (or going bad.. ), strangly MS is reporting a bad keyboard causing this error message also.

a blue screen stop code would be better.. Maybe..

Link to post
Share on other sites
shanenin

shanenin

Posted
  • Author
Posted

I have not been able to get the computer to blue screen while in my possession. That is why I tried reading the .dmp file. This computer is one I have sold to somebody. I have changed every part on it. I also have reloaded it. I am starting to thing they have an environmental problem at their house.

Link to post
Share on other sites
Pete_C

Pete_C

Posted
Posted
a blue screen stop code would be better.. Maybe..

It's there:

BugCheck 19, {20, 8894a000, 8894a138, a270000}
Probably caused by : ntoskrnl.exe

BugCheck 19 => Stop error 0x00000019: BAD_POOL_HEADER

(actually I think this indicates the bad pool header occurs on startup, but not sure)

Sources cited

http://www.aumha.org/a/stop.php

http://msdn.microsoft.com/en-gb/library/ms793223.aspx

Your first parameter is 0x20

8894a000 is The pool entry that should have been found

8894a138 is The next pool entry

The cause is The pool block header size is corrupt.

A pool header issue is a problem with Windows memory allocation. Device driver issues are probably the most common, but this can have diverse causes including bad sectors or other disk write issues, and problems with some routers. (By theory, RAM problems would be suspect for memory pool issues, but I haven’t been able to confirm this as a cause.)

http://support.microsoft.com/?kbid=892260&sd=RMVP

http://support.microsoft.com/?kbid=925259&sd=RMVP

http://support.microsoft.com/?kbid=884585&sd=RMVP

http://support.microsoft.com/?kbid=905795&sd=RMVP

Any chance the machine was infected with w32.bolzano or W32.Funlove. ? They can alter ntoskrnl.exe causing these errors.

http://www.symantec.com/security_response/...-121515-4146-99

The virus modifies only 2 bytes in a security API called SeAccessCheck that is part of ntoskrnl.exe. This way Bolzano is able to give full access to all users to each file regardless of its protection,

Try the ntoskrnl.exe fix tool for funlove that symantec provides

http://www.sarc.com/avcenter/venc/data/dos...9.fix.tool.html

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Followers 0
Go to topic listing