
CSRSS.exe Causing BSOD's


#1
marvin-miller

  • Member
  • 2 posts
  • Joined 06-April 09
Hi Folks!

New user here - I came upon this site while doing a search for the root cause behind BSOD's from CSRSS.exe.

I'm working on my Mom's laptop and today she mentioned (again) that it had a BSOD and if I could look into it. The mini dump section had 33 files of identical size all the way back from November of 2006 to yesterday.

I checked 5 of those 33 files and each one of them seemed to be complaining about CSRSS.exe. I don't know what's causing this issue but obviously it's been going on since the laptop was bought new back in 2006. I've kept this machine literally squeaky-clean over the years and in fact just went through it. It's virus-free and has as many updated drivers as I could find.

Anyway, I've zipped up the last 7 mini-dump files in the hopes that someone might take a look and narrow down for me why CSRSS is actually coughing. In the meantime I've enabled full dump reporting from this moment on should it be necessary for more info.

Any help that could lead me to the underlying cause is much appreciated. BTW, it's not a virus. The system really is squeaky-clean and all up to date (as far as I can tell). It's Media Center 2005 and csrss.exe is version 5.1.2600.5512. I just did a complete Media Center re-install on my own workstation yesterday and after all updates I have the identical version so it must be the latest.

Thanks everyone!


#2
cluberti


    Gustatus similis pullus

  • Supervisor
  • 11,254 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64
You really need to at least change the dump type to kernel (and honestly, I'd prefer a *complete* memory dump, as per the instructions in the sticky at the top of this section). Because otherwise, I have no idea what's happening. The dump does indicate that a device was attempted to be accessed that doesn't exist under the hardware_disk category, but that could mean anything (including virtual CD drives, a mounted device, a network device, anything). I need to see the other end of this LPC chain, which doesn't exist in a minidump.
0: kd> !thread
GetPointerFromAddress: unable to read from 80562134
THREAD 86c2aa58  Cid 025c.02bc  Teb: 7ffd6000 Win32Thread: e284ac70 RUNNING on processor 0
Not impersonating
GetUlongFromAddress: unable to read from 805621cc
Owning Process			0	   Image:		 <Unknown>
Attached Process		  86d25020	   Image:		 csrss.exe
ffdf0000: Unable to get shared data
Wait Start TickCount	  605693	   
Context Switch Count	  1019				 LargeStack
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime				  00:00:00.000
KernelTime				00:00:00.000
Win32 Start Address 0x000045aa
LPC Server thread working on message Id 45aa
Start Address 0x75b44616
Stack Init a9f1d000 Current a9f1cc34 Base a9f1d000 Limit a9f1a000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child			  
a9f1c520 805d1ac5 000000f4 00000003 86d25020 nt!KeBugCheckEx+0x1b (FPO: [5,0,0])
a9f1c544 805d2a27 805d297c 86d25020 86d25194 nt!PspCatchCriticalBreak+0x75 (FPO: [3,0,0])
a9f1c574 8054162c 86d25268 c0000006 a9f1c9b0 nt!NtTerminateProcess+0x7d (FPO: [2,4,4])
a9f1c574 80501161 86d25268 c0000006 a9f1c9b0 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ a9f1c584)
a9f1c5f4 804fe816 ffffffff c0000006 a9f1c9f8 nt!ZwTerminateProcess+0x11 (FPO: [2,0,0])
a9f1c9b0 805028cf a9f1c9d8 00000000 a9f1cd64 nt!KiDispatchException+0x3a0 (FPO: [Non-Fpo])
a9f1cd34 80544ef7 00bcfbe8 00bcfc08 00000000 nt!KiRaiseException+0x175 (FPO: [Non-Fpo])
a9f1cd50 8054162c 00bcfbe8 00bcfc08 00000000 nt!NtRaiseException+0x33
a9f1cd50 75b7b3b9 00bcfbe8 00bcfc08 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ a9f1cd64)
WARNING: Frame IP not in any known module. Following frames may be wrong.
00bcfff4 00000000 00000000 00000000 00000000 0x75b7b3b9

0: kd> !lpc message 45aa
Reading LpcPortObjectType failed
Reading LpcWaitablePortObjectType failed
The values for LpcPortObjectType or LpcWaitablePortObjectType are invalid. Please check the symbols.

Note that csrss.exe is not your problem, but csrss.exe is crashing as the victim of something else. Again, we need at least a kernel dump, and preferably a complete dump, before we can give you anything from this.

Minidumps are useless, I'm honestly not sure why they're the default option for dump types in Windows - I wish this would change.
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
--------------------
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!
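Added example (not part of either poster's messages, and not cluberti's tooling): the little a minidump does preserve in the `!thread` output of post #2 can be read mechanically. The sketch below decodes the `nt!KeBugCheckEx` and `nt!ZwTerminateProcess` frames using the documented meaning of bug check 0xF4 and two well-known NTSTATUS values; the function names and lookup tables are this example's own, and the sample input is three lines copied from that post.

```python
import re

# Constructed sample: three lines taken from the !thread output in post #2.
SAMPLE = """\
Attached Process   86d25020   Image:   csrss.exe
a9f1c520 805d1ac5 000000f4 00000003 86d25020 nt!KeBugCheckEx+0x1b (FPO: [5,0,0])
a9f1c5f4 804fe816 ffffffff c0000006 a9f1c9f8 nt!ZwTerminateProcess+0x11 (FPO: [2,0,0])
"""

# Small lookup tables of well-known values; anything else is reported as unknown.
BUGCHECKS = {0xF4: "CRITICAL_OBJECT_TERMINATION"}
F4_OBJECT = {0x3: "process", 0x6: "thread"}          # bug check 0xF4, parameter 1
NTSTATUS = {0xC0000006: "STATUS_IN_PAGE_ERROR",
            0xC0000005: "STATUS_ACCESS_VIOLATION"}

# kb-style frame: ChildEBP RetAddr Arg1 Arg2 Arg3 module!symbol+0xNN
FRAME = re.compile(
    r"^[0-9a-f]{8} [0-9a-f]{8} ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+?)\+0x",
    re.M)
ATTACHED = re.compile(r"^Attached Process\s+([0-9a-f]{8})\s+Image:\s+(\S+)", re.M)

def frame_args(text, symbol):
    """Return the three 'Args to Child' of the first frame for symbol, or None."""
    for a, b, c, sym in FRAME.findall(text):
        if sym == symbol:
            return int(a, 16), int(b, 16), int(c, 16)
    return None

def triage(text):
    """Summarise the bug check, the terminated object and the exit status."""
    out = {}
    bug = frame_args(text, "nt!KeBugCheckEx")
    if bug is None:
        return out                      # no bug check frame in this output
    code, p1, p2 = bug
    out["bugcheck"] = BUGCHECKS.get(code, "unknown 0x%X" % code)
    if code == 0xF4:
        out["object_type"] = F4_OBJECT.get(p1, "unknown")
        att = ATTACHED.search(text)
        # Parameter 2 is the terminating object; match it to the attached process.
        if att and int(att.group(1), 16) == p2:
            out["terminated_image"] = att.group(2)
    term = frame_args(text, "nt!ZwTerminateProcess")
    if term:
        out["exit_status"] = NTSTATUS.get(term[1], "unknown 0x%08X" % term[1])
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The result names the process that was terminated and the status it exited with, but not which component raised that status, which is the part that needs the kernel or complete dump requested above.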

#3
marvin-miller

  • Member
  • 2 posts
  • Joined 06-April 09
Hi cluberti;

Thanks very much for the reply - I'm not a pro in crash dump analysis so it's nice to be able to talk to someone much more familiar with these things.
After reading the other thread on CSRSS I anticipated your request for a full dump and changed the settings on the laptop to do so next time it coughs.

Question: Do I really need to do this step;

1. Create or set the following registry value:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
Value: CrashOnCtrlScroll
Type: REG_DWORD
Data: 1

or is it enough to just enable a full dump when a BSOD occurs?

Thanks again!

#4
cluberti


    Gustatus similis pullus

  • Supervisor
  • 11,254 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64
No, you just need it to crash. You'd only do that if you wanted to crash it via the keyboard on purpose.



