[jclarkw]

I'm running Windows Automated Installation Kit (the original 2/13/2007 version) on an up-to-date Windows XP SP3 machine, trying to produce a customized WinPE 2.0 image file to boot from CD. If I make no modifications to the original winpe.wim, (for example, following steps in at http://technet.micro...ibrary/dd799303), I have no problems.

After imagex is used to mount the original winpe.wim, however, ANY reference to the \mount directory (with Windows Explorer, with 'dir' at the WAIK command prompt, or with another WAIK command such as 'peimg /list /image=c:\winpe\mount' from the more comprehensive steps at http://www.svrops.co...winvistape2.htm) seems to result in the Blue Screen of Death. (The BSOD says, "STOP 0x00000024..." and mentions ntfs.sys. And yes, I did disable my virus scanner before doing any of this.) I get the same results with WAIK for Windows Vista SP1 (4/9/2009 version), which is also supposed to run on XP, although neither version explicitly mentions SP3.

Old Stuff, but this seems to be the place. Anybody know what I'm doing wrong?

[MagicAndre1981]

run chkdsk /r /f to detect and fix NTFS issues.

[jclarkw]

MagicAndre1981 -- I did that; no joy. Chkdsk did find and fix problems, but the screen flashed by so fast I could not read it. I can't find the log file; where would it be?

Still the same BSOD with the same STOP code at the same sequence. It did a dump of physical memory (3 GB!), but I doubt you would want to see it even if I could find it.

Any other thoughts? -- jclarkw

[MagicAndre1981]

Have you checked the SMART values of your HDD?

Also upload the minidump files from C:\Windows\Minidumps, please.

[jclarkw]

MagicAndre1981, on 29 November 2011 - 02:31 PM, said:

>>Have you checked the SMART values of your HDD?<<

Sorry. Now you've lost me. I don't know what 'SMART' values are, how to find them, nor what they would tell me.

>>Also upload the minidump files from C:\Windows\Minidumps, please.<<

Sorry again. That directory is empty. Is there some dump setting that I need to change to get a 'minidump' instead of a 'physical memory dump' (which I can't find anyhow)?

[MagicAndre1981]

SMART = Self-Monitoring, Analysis and Reporting Technology:

http://en.wikipedia....wiki/S.M.A.R.T.

There are several tools which can read the data (Speedfan, HDTune, AIDA64).

[Tripredacus]

jclarkw, on 29 November 2011 - 01:42 PM, said:

It did a dump of physical memory (3 GB!), but I doubt you would want to see it even if I could find it.

It should be c:\windows\MEMORY.DMP

[jclarkw]

Tripredacus, on 30 November 2011 - 09:22 AM, said:

>>It should be c:\windows\MEMORY.DMP<<

Sorry. Not there.

[jclarkw]

MagicAndre1981, on 30 November 2011 - 06:35 AM, said:

>>http://en.wikipedia.org/wiki/S.M.A.R.T.<<

MagicAndre1981 -- This is probably way above my pay grade, but I will give it a look.

What about the missing 'minidump?' Why isn't that there?

(I don't think I mentioned that this is a Lenovo T61 laptop, so it might have some wierd Lenovo (or IBM Thinkpad) garbage still on it.) -- jclarkw

[MagicAndre1981]

have you setup Windows correctly to generate dumps?

http://support.microsoft.com/kb/254649

Have you enabled the pagefile (Virtual memory) in Windows?

[jclarkw]

Thanks for the reference on memory dumps. I assume you still want a 'minidump.' i will try to generate that and post back.

Virtual memory is currently enabled with a paging file size of 4605 MB. 'Pagefile.sys' show up as a comparably large file in C:\.. (As I said, the system contains 3 GB of ram, although I realize that XP cannot use that much.)

[jclarkw]

MagicAndre1981, on 29 November 2011 - 02:31 PM, said:

Also upload the minidump files from C:\Windows\Minidumps, please.

"Error You aren't permitted to upload this kind of file"

How am I supposed to upload "Mini113011-01.dmp?" -- jclarkw

[MagicAndre1981]

zip it and attach it or use a 1 click hoster like mediafire.com

[jclarkw]

MagicAndre1981, on 01 December 2011 - 09:37 AM, said:

zip it and attach it or use a 1 click hoster like mediafire.com

Dear MagicAndre1981 -- I have finally straightened out my CrashControl settings (they were set to "Complete memory dump"), produced a 'minidump,' and attempted to attach a PKZipped version hereto. The details of the crash are the same as before, running from an 'administrator' account on Windows XP SP3 without loading antivirus: Start/Programs/Windows AIK[original Vista version from 7/13/07]/PE Tools Command Prompt/"copype x86 c:\winpe"<enter>; "imagex /mountrw c:\winpe\winpe.wim 1 c:\winpe\mount"<enter>; "cd mount"<enter>; BSOD, "STOP: 0x00000024... ntfs.sys..." There's no problem with a "dir" from the \winpe directroy that lists the 'mount' directory, but almost anything directly involving the \mount directory itself (e.g., "peimg /list /image=c:\winpe\mount"<enter>) will cause the same crash. Thanks for any help! -- jclarkw

Attached File(s)

•  Mini113011-01.zip (23.8K)
  Number of downloads: 4

[MagicAndre1981]

The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys):

Quote

ChildEBP RetAddr
b51b8f60 b9d1ffef nt!KeBugCheckEx+0x1b
b51b8f90 b9d757d1 Ntfs!NtfsExceptionFilter+0x1cc
b51b8f9c 80539b71 Ntfs!NtfsFsdDispatchSwitch+0x146
b51b8fc4 80546e7e nt!_except_handler3+0x61
b51b8fe8 80546e50 nt!ExecuteHandler2+0x26
b51b9098 804fe5b4 nt!ExecuteHandler+0x24
b51b9454 805420e5 nt!KiDispatchException+0x13e
b51b94bc 80542096 nt!CommonDispatchException+0x4d
b51b94d0 b9d37492 nt!Kei386EoiHelper+0x18a
b51b953c b9d39edc Ntfs!NtfsFsdClose+0x3be
b51b95b0 b9d3849c Ntfs!NtfsCommonQueryInformation+0x56
b51b9614 b9d384d5 Ntfs!NtfsFsdDispatchSwitch+0x12a
b51b9738 804ef19f Ntfs!NtfsFsdDispatchWait+0x1c
b51b9748 b9de1459 nt!IopfCallDriver+0x31
b51b9750 804ef19f sr!SrPassThrough+0x31
b51b9760 b9dbbf9e nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
b51b9774 b9db8109 stcvsm+0x5f9e
b51b9794 b9dbb1ed stcvsm+0x2109
b51b97c8 b9db9fa2 stcvsm+0x51ed
b51b97dc 804ef19f stcvsm+0x3fa2
b51b97ec b9e057a9 nt!IopfCallDriver+0x31
b51b9818 b9e07d56 fltmgr!FltpQueryInformationFile+0x99

So update or uninstall the tool and try it again.

[jclarkw]

MagicAndre1981, on 02 December 2011 - 07:03 AM, said:

The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys):
...
So update or uninstall the tool and try it again.

THANKS; this looks like really useful information! I will try it...

One more ignorant follow-up question, if I may:
Is there a way to get a list of currently installed drivers? I can see that a couple of ShadowProtect services are running in the background (even though I didn't intend that), but I don't know how to tell if the driver, stcvsm.sys, is currently active. (Perhaps I can just temporarily disable it?)

At least I can (probably) determine the driver version number and see if an update makes any difference...

[MagicAndre1981]

Process Hacker can list all drivers and allows to modify the start type.

[jclarkw]

MagicAndre1981, on 02 December 2011 - 07:03 AM, said:

The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys):
...
So update or uninstall the tool and try it again.

Well, I uninstalled ShadowProtect Desktop and ran Ccleaner for good measure. stcvsm.sys no longer exists anywhere on the system. Nevertheless, I still get the same BSOD (described in detail earlier in this thread). Attached is the current minidump, in hopes that it will help.
.
Just ouf of curiosity, ince the BSOD mentions NTFS.sys, I checked its version: 5.1.2600.5512 (xpsp.080413-2111). Note that there is a discussion of Stop x24 that may occur during a Windows Vista install at http://support.micro....com/kb/935806; but none of its conditions seem to really apply to my case, especially since WinPE manifestly CAN access other NTFS directories without trouble. (In fact, I also get the BSOD if I try to examine the winpe\mount directory with Windows Explorer just after the imagex command the presumably populates it -- that would be while the WinPE command window is still open. After the BSOD restart the directory still exists but is empty.)

Attached File(s)

•  Mini120211-02.zip (36.35K)
  Number of downloads: 4

[MagicAndre1981]

ok, also remove / update Kaspersky:

Quote

b4e407c4 804ef19f Ntfs!NtfsFsdDispatchWait+0x1c
b4e407d4 b9de1459 nt!IopfCallDriver+0x31
b4e407dc 804ef19f sr!SrPassThrough+0x31
b4e407ec b9e057a9 nt!IopfCallDriver+0x31
b4e40818 b9e07d56 fltmgr!FltpQueryInformationFile+0x99
b4e40860 b9e08329 fltmgr!SetStreamListStandardInformationFlags+0x7e
b4e40884 b77a3ade fltmgr!FltIsDirectory+0x4b
WARNING: Stack unwind information not available. Following frames may be wrong.
b4e408ac b778ceb1 klif+0x18ade
b4e4091c b9df3ef3 klif+0x1eb1
b4e40984 b9df6338 fltmgr!FltpPerformPostCallbacks+0x1c5
b4e40998 b9df6867 fltmgr!FltpProcessIoCompletion+0x10
b4e409a8 b9df6d24 fltmgr!FltpPassThroughCompletion+0x89
b4e409d8 b9e03754 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x94
b4e40a14 804ef19f fltmgr!FltpCreate+0x26a
b4e40a24 80583220 nt!IopfCallDriver+0x31
b4e40b04 805bf488 nt!IopParseDevice+0xa12
b4e40b7c 805bba14 nt!ObpLookupObjectName+0x53c
b4e40bd0 80576feb nt!ObOpenObjectByName+0xea
b4e40d54 8054167c nt!NtQueryAttributesFile+0xf1
b4e40d54 7c90e514 nt!KiFastCallEntry+0xfc
0013f3dc 00000000 0x7c90e514

Your version is very old:

   
Image name:      klif.sys
Timestamp:        Tue Sep 22 12:32:04 2009

[jclarkw]

MagicAndre1981, on 02 December 2011 - 07:11 PM, said:

ok, also remove / update Kaspersky:
...
Image name: klif.sys
Timestamp: Tue Sep 22 12:32:04 2009

OK, this MIGHT have been installed by my current version of ZoneAlarm Extreme Security (9.3.037 -- not the latest because versions 10.x do not work properly on my system -- another investigation in progress...) OR it MIGHT have survived Ccleaner after a "clean" uninstall of ZAES 10.x. (I do remember that, after running, Ccleaner I searched for and deleted any remaining directories with names containing "ZoneAlarm" or "Checkpoint," but I forgot to check for "ZoneLabs." I do not remember whether ZA currently uses Kaspersky, or whether it was only in an earlier version. I will try to find out, but it may take a day or two. More later...