Constant BSOD with 0x000000f4 & csrss.exe (I think)

[Iceyburnz]

All:

Attached are the minidumps from when the issue first started happening(they are all the same size but I included 3 for posterity) and some complete memory dumps. I am thinking of rebuilding this laptop as it has some other issues but I want to make sure it is is not hardware related before I rebuild for nothing

The other issues are:

When I go to My Computer, it takes an extremely long time(flashlight going back and forth) before it shows anything

When i go to Network Places, my network adapters dont show up (both are working as I can see their IP addresses from ipconfig) (Ive tried stopping and restarting the network svcs service but the issue still occurs)

XP SP2

Please let me know if you need any other info

Thanks!

Minidump.zip

[cluberti]

Each and every one of these dumps shows a stop error when trying to copy data from the disk (pagefile.sys, so the paging file) to RAM - and each time, it fails with the error 0xc00000009), which is an insufficient resources error (rather than a hardware failure error, so the hardware is likely not at fault here). What I'm guessing is that there's a memory leak on the system causing the issue ultimately over time, but with a minidump none of the vm information is in the dump file so I cannot say with any certainty. Here's the stack, the error, and the reason, for what it's worth:

kd> kn
 # ChildEBP RetAddr  
00 f8895520 805c7827 nt!KeBugCheckEx+0x1b
01 f8895544 805c87a1 nt!PspCatchCriticalBreak+0x75
02 f8895574 8053d428 nt!NtTerminateProcess+0x7d
03 f8895574 804ff18d nt!KiFastCallEntry+0xf8
04 f88955f4 804fccb6 nt!ZwTerminateProcess+0x11
05 f88959b0 80500411 nt!KiDispatchException+0x3a0
06 f8895d34 80540c69 nt!KiRaiseException+0x175
07 f8895d50 8053d428 nt!NtRaiseException+0x31
08 f8895d50 75b7b3b9 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
09 006afff4 00000000 0x75b7b3b9

kd> .trap 0xf8895d64
ErrCode = 00000000
eax=75b7b3b9 ebx=00000001 ecx=006afeec edx=75b489a0 esi=00000001 edi=0000000c
eip=75b7b3b9 esp=006afed4 ebp=006afff4 iopl=3		 nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000			 efl=00003202
001b:75b7b3b9 ??			  ???
kd> u eip
75b7b3b9 ??			  ???
		^ Memory access error in 'u eip'

kd> .exr 0xfffffffff88959d8
ExceptionAddress: 75b7b3b9
   ExceptionCode: c0000006 (In-page I/O error)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000008
   Parameter[1]: 75b7b3b9
   Parameter[2]: c000009a
Inpage operation failed at 75b7b3b9, due to I/O error c000009a

kd> !error c000009a
Error code: (NTSTATUS) 0xc000009a (3221225626) - Insufficient system resources exist to complete the API.

If you want anything deeper, you're going to have to provide a *complete* memory dump somewhere.

[Iceyburnz]

I changed the option so the system would provide a complete memory dump instead of a minidump. The files from yesterday and the day before are the files that came out after I made the change. All the other files are from when the issue was still occurring (All the 100kb files). I dont know how to force the issue to happen...Is there anything else that I have to do to force it to happen to get the complete memory dump?

[cluberti]

No, just make sure the option is set, and your paging file is on the same volume as the \Windows folder and it's at least sized RAM+50MB.

[Iceyburnz]

The option was set. if you look at the dump files, the ones that were created with a newer date are smaller than the other ones(so something changed)..... Ill recheck the paging file when I get home to make sure it is the proper size

[Iceyburnz]

Also, I would have thought a complete memory dump would have been bigger as opposed to the smaller size of the newer files that come up now...

[cluberti]

These are all minidumps (note the names all start with "Mini"). A kernel or complete memory dump will be (by default) in %windir% called "memory.dmp".

[Iceyburnz]

Ahhh. Ill check the windows dir when I get home and repost it.

[Iceyburnz]

Due to the size of the file, I zipped it and uploaded on Zshare

MEMORY.zip - 159.94MB

Please let me know if anything else is needed...Also, is there a site I can check that will walk me thru the basics of checking this dump file and the ins and outs like what you did above. I can usually fix most issues on my PC but this seems way above my pay grade :/ lol

Thanks in advance

[cluberti]

Well, it is as I thought, a leak:

// Running out of nonpaged pool is bad:
kd> !vm

*** Virtual Memory Usage ***
	Physical Memory:	  130668 (	522672 Kb)
	Page File: \??\C:\pagefile.sys
	  Current:	786432 Kb  Free Space:	714960 Kb
	  Minimum:	786432 Kb  Maximum:	  1572864 Kb
	Available Pages:		3856 (	 15424 Kb)
	ResAvail Pages:		78301 (	313204 Kb)
	Locked IO Pages:		 140 (	   560 Kb)
	Free System PTEs:	 252206 (   1008824 Kb)
	Free NP PTEs:			  0 (		 0 Kb)
	Free Special NP:		   0 (		 0 Kb)
	Modified Pages:		  599 (	  2396 Kb)
	Modified PF Pages:	   599 (	  2396 Kb)
	NonPagedPool Usage:	32766 (	131064 Kb)
	NonPagedPool Max:	  32768 (	131072 Kb)
	********** Excessive NonPaged Pool Usage *****
	PagedPool 0 Usage:	  4081 (	 16324 Kb)
	PagedPool 1 Usage:	  1101 (	  4404 Kb)
	PagedPool 2 Usage:	  1128 (	  4512 Kb)
	PagedPool Usage:		6310 (	 25240 Kb)
	PagedPool Maximum:	 43008 (	172032 Kb)

	********** 27235 pool allocations have failed **********

	Session Commit:		  967 (	  3868 Kb)
	Shared Commit:		  1271 (	  5084 Kb)
	Special Pool:			  0 (		 0 Kb)
	Shared Process:		 3189 (	 12756 Kb)
	PagedPool Commit:	   6310 (	 25240 Kb)
	Driver Commit:		  3053 (	 12212 Kb)
	Committed pages:	  125376 (	501504 Kb)
	Commit limit:		 318787 (   1275148 Kb)

// Without pool tagging enabled, I can't see the pool tags to see where it is being consumed:
kd> !poolused
unable to get PoolTrackTable - pool tagging is disabled, enable it to use this command
Use gflags.exe and check the box that says "Enable pool tagging".

// However, I did track the LPC message back to the system driver thread where the *real* error occurred:
kd> !thread 825c8020
THREAD 825c8020  Cid 0004.0024  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrLpcReply) KernelMode Non-Alertable
	825c8214  Semaphore Limit 0x1
Waiting for reply to LPC MessageId 0003a62b:
Current LPC port e15c0e38
Not impersonating
DeviceMap				 e1004460
Owning Process			0	   Image:		 <Unknown>
Attached Process		  825ca830	   Image:		 System
Wait Start TickCount	  1035902		Ticks: 12 (0:00:00:00.187)
Context Switch Count	  86474			 
UserTime				  00:00:00.000
KernelTime				00:00:00.750
Start Address nt!ExpWorkerThread (0x805348ee)
Stack Init f8ab2000 Current f8ab1a90 Base f8ab2000 Limit f8aaf000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child			  
f8ab1aa8 80500ca6 825c8090 825c8020 804f9d10 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f8ab1ab4 804f9d10 825c81e8 825c8020 80553760 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f8ab1adc 80598b53 00000000 00000011 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [5,5,4])
f8ab1b14 80598c9f e15c0e38 823da770 f8ab1b4c nt!LpcpRequestWaitReplyPort+0x43d (FPO: [4,4,0])
f8ab1b2c 8060a715 e15c0e38 f8ab1b4c f8ab1b4c nt!LpcRequestWaitReplyPortEx+0x21 (FPO: [3,0,0])
f8ab1cd0 8060a876 c0000222 00000001 00000001 nt!ExpRaiseHardError+0x1bd (FPO: [Non-Fpo])
f8ab1d40 805731bf c0000222 00000001 00000001 nt!ExRaiseHardError+0x13e (FPO: [6,17,0])
f8ab1d74 805349ee 00000000 00000000 825c8020 nt!IopHardErrorThread+0x53 (FPO: [1,3,0])
f8ab1dac 805c5c84 00000000 00000000 00000000 nt!ExpWorkerThread+0x100 (FPO: [1,8,0])
f8ab1ddc 80541bc2 805348ee 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

kd> !error c0000222
Error code: (NTSTATUS) 0xc0000222 (3221226018) - {Delayed Write Failed}  Windows was unable to save all the data for the file %hs. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

It's worth noting that xpoolmap does show a large amount of nonpaged pool used to regions of KernelSpaceUsageNonPagedPoolExpansion, but all of the expanded pool is corrupted:

kd> dc ffbc1000
ffbc1000  0000680d 625a5422 a868c5ff 00000000  .h.."TZb..h.....
ffbc1010  7557e42b 00009aea 625a5422 a86b13c8  +.Wu...."TZb..k.
ffbc1020  00000000 c6bcadd1 00001da2 625a5422  ............"TZb
ffbc1030  a86b7e19 00000000 1664d797 00006e3b  .~k.......d.;n..
ffbc1040  625a5422 a86ee6fe 00000000 858272a9  "TZb..n......r..
ffbc1050  00009ee1 625a5422 a870ce84 00000000  ...."TZb..p.....
ffbc1060  5c08bf59 00006378 625a5422 a871a221  Y..\xc.."TZb!.q.
ffbc1070  00000000 66c7f4ea 00001da2 625a5422  .......f...."TZb
kd> dc 0000680d 
0000680d  ???????? ???????? ???????? ????????  ????????????????
0000681d  ???????? ???????? ???????? ????????  ????????????????
0000682d  ???????? ???????? ???????? ????????  ????????????????
0000683d  ???????? ???????? ???????? ????????  ????????????????
0000684d  ???????? ???????? ???????? ????????  ????????????????
0000685d  ???????? ???????? ???????? ????????  ????????????????
0000686d  ???????? ???????? ???????? ????????  ????????????????
0000687d  ???????? ???????? ???????? ????????  ????????????????

Unfortunately, you're going to have to enable Pool Tagging in your XP install and reboot, and get another complete dump, before this is going to be of real value.

[Iceyburnz]

Thanks for all the help so far.

Here is a dump with pool tagging enabled - MEMORY1.zip - 158.00MB

Please let me know if anything else is needed

[Iceyburnz]

Got your PM. Just realized that the Symantec version was 9.0 (I uninstalled 9.0). I have 10.0 around here but I will hold off on installing to see if it blue screens again. Ill let you know

[Iceyburnz]

Also, dont think this matters but Symantec wasnt uninstalling from Add/Remove programs so I had to uninstall via manual removal instructions:

http://service1.symantec.com/SUPPORT/ent-s...&dtype=corp

Then I used the Norton Removal Tool in case it needed to remove anything:

http://service1.symantec.com/SUPPORT/tsgen...&view=docid

[Iceyburnz]

Havent had a blue screen since I uninstalled....Should I make a new thread regarding the other two issues?

(When I go to My Computer, it takes an extremely long time(flashlight going back and forth) before it shows anything (over 5 minutes)

When i go to Network Places, my network adapters dont show up (both are working as I can see their IP addresses from ipconfig) (Ive tried stopping and restarting the network svcs service but the issue still occurs)

Or should I just rebuild the thing?

[cluberti]

No, make a new thread. Even if you end up rebuilding, it's always a good learning experience (so it doesn't happen on the rebuild, for instance).