• Announcements

    • xper

      MSFN Sponsorship and AdBlockers!   07/10/2016

      Dear members, MSFN is made available via subscriptions, donations and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, become a site sponsor and ads will be disabled automatically and by subscribing you get other sponsor benefits.
Sign in to follow this  
Followers 0
jclarkw

BSOD during WAIK Customization of WinPE Image

27 posts in this topic

I'm running Windows Automated Installation Kit (the original 2/13/2007 version) on an up-to-date Windows XP SP3 machine, trying to produce a customized WinPE 2.0 image file to boot from CD. If I make no modifications to the original winpe.wim, (for example, following steps in at http://technet.microsoft.com/en-us/library/dd799303), I have no problems.

After imagex is used to mount the original winpe.wim, however, ANY reference to the \mount directory (with Windows Explorer, with 'dir' at the WAIK command prompt, or with another WAIK command such as 'peimg /list /image=c:\winpe\mount' from the more comprehensive steps at http://www.svrops.com/svrops/articles/winvistape2.htm) seems to result in the Blue Screen of Death. (The BSOD says, "STOP 0x00000024..." and mentions ntfs.sys. And yes, I did disable my virus scanner before doing any of this.) I get the same results with WAIK for Windows Vista SP1 (4/9/2009 version), which is also supposed to run on XP, although neither version explicitly mentions SP3.

Old Stuff, but this seems to be the place. Anybody know what I'm doing wrong?

0

Share this post


Link to post
Share on other sites

run chkdsk /r /f to detect and fix NTFS issues.

0

Share this post


Link to post
Share on other sites

MagicAndre1981 -- I did that; no joy. Chkdsk did find and fix problems, but the screen flashed by so fast I could not read it. I can't find the log file; where would it be?

Still the same BSOD with the same STOP code at the same sequence. It did a dump of physical memory (3 GB!), but I doubt you would want to see it even if I could find it.

Any other thoughts? -- jclarkw

0

Share this post


Link to post
Share on other sites

Have you checked the SMART values of your HDD?

Also upload the minidump files from C:\Windows\Minidumps, please.

0

Share this post


Link to post
Share on other sites

>>Have you checked the SMART values of your HDD?<<

Sorry. Now you've lost me. I don't know what 'SMART' values are, how to find them, nor what they would tell me.

>>Also upload the minidump files from C:\Windows\Minidumps, please.<<

Sorry again. That directory is empty. Is there some dump setting that I need to change to get a 'minidump' instead of a 'physical memory dump' (which I can't find anyhow)?

0

Share this post


Link to post
Share on other sites

It did a dump of physical memory (3 GB!), but I doubt you would want to see it even if I could find it.

It should be c:\windows\MEMORY.DMP

0

Share this post


Link to post
Share on other sites

>>It should be c:\windows\MEMORY.DMP<<

Sorry. Not there.

0

Share this post


Link to post
Share on other sites

MagicAndre1981 -- This is probably way above my pay grade, but I will give it a look.

What about the missing 'minidump?' Why isn't that there?

(I don't think I mentioned that this is a Lenovo T61 laptop, so it might have some wierd Lenovo (or IBM Thinkpad) garbage still on it.) -- jclarkw

0

Share this post


Link to post
Share on other sites

Thanks for the reference on memory dumps. I assume you still want a 'minidump.' i will try to generate that and post back.

Virtual memory is currently enabled with a paging file size of 4605 MB. 'Pagefile.sys' show up as a comparably large file in C:\.. (As I said, the system contains 3 GB of ram, although I realize that XP cannot use that much.)

0

Share this post


Link to post
Share on other sites

Also upload the minidump files from C:\Windows\Minidumps, please.

"Error You aren't permitted to upload this kind of file"

How am I supposed to upload "Mini113011-01.dmp?" -- jclarkw

0

Share this post


Link to post
Share on other sites

zip it and attach it or use a 1 click hoster like mediafire.com

0

Share this post


Link to post
Share on other sites

zip it and attach it or use a 1 click hoster like mediafire.com

Dear MagicAndre1981 -- I have finally straightened out my CrashControl settings (they were set to "Complete memory dump"), produced a 'minidump,' and attempted to attach a PKZipped version hereto. The details of the crash are the same as before, running from an 'administrator' account on Windows XP SP3 without loading antivirus: Start/Programs/Windows AIK[original Vista version from 7/13/07]/PE Tools Command Prompt/"copype x86 c:\winpe"<enter>; "imagex /mountrw c:\winpe\winpe.wim 1 c:\winpe\mount"<enter>; "cd mount"<enter>; BSOD, "STOP: 0x00000024... ntfs.sys..." There's no problem with a "dir" from the \winpe directroy that lists the 'mount' directory, but almost anything directly involving the \mount directory itself (e.g., "peimg /list /image=c:\winpe\mount"<enter>) will cause the same crash. Thanks for any help! -- jclarkw

Mini113011-01.zip

0

Share this post


Link to post
Share on other sites

The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys):

ChildEBP RetAddr

b51b8f60 b9d1ffef nt!KeBugCheckEx+0x1b

b51b8f90 b9d757d1 Ntfs!NtfsExceptionFilter+0x1cc

b51b8f9c 80539b71 Ntfs!NtfsFsdDispatchSwitch+0x146

b51b8fc4 80546e7e nt!_except_handler3+0x61

b51b8fe8 80546e50 nt!ExecuteHandler2+0x26

b51b9098 804fe5b4 nt!ExecuteHandler+0x24

b51b9454 805420e5 nt!KiDispatchException+0x13e

b51b94bc 80542096 nt!CommonDispatchException+0x4d

b51b94d0 b9d37492 nt!Kei386EoiHelper+0x18a

b51b953c b9d39edc Ntfs!NtfsFsdClose+0x3be

b51b95b0 b9d3849c Ntfs!NtfsCommonQueryInformation+0x56

b51b9614 b9d384d5 Ntfs!NtfsFsdDispatchSwitch+0x12a

b51b9738 804ef19f Ntfs!NtfsFsdDispatchWait+0x1c

b51b9748 b9de1459 nt!IopfCallDriver+0x31

b51b9750 804ef19f sr!SrPassThrough+0x31

b51b9760 b9dbbf9e nt!IopfCallDriver+0x31

WARNING: Stack unwind information not available. Following frames may be wrong.

b51b9774 b9db8109 stcvsm+0x5f9e

b51b9794 b9dbb1ed stcvsm+0x2109

b51b97c8 b9db9fa2 stcvsm+0x51ed

b51b97dc 804ef19f stcvsm+0x3fa2

b51b97ec b9e057a9 nt!IopfCallDriver+0x31

b51b9818 b9e07d56 fltmgr!FltpQueryInformationFile+0x99

So update or uninstall the tool and try it again.

0

Share this post


Link to post
Share on other sites

The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys):

...

So update or uninstall the tool and try it again.

THANKS; this looks like really useful information! I will try it...

One more ignorant follow-up question, if I may:

Is there a way to get a list of currently installed drivers? I can see that a couple of ShadowProtect services are running in the background (even though I didn't intend that), but I don't know how to tell if the driver, stcvsm.sys, is currently active. (Perhaps I can just temporarily disable it?)

At least I can (probably) determine the driver version number and see if an update makes any difference...

0

Share this post


Link to post
Share on other sites

The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys):

...

So update or uninstall the tool and try it again.

Well, I uninstalled ShadowProtect Desktop and ran Ccleaner for good measure. stcvsm.sys no longer exists anywhere on the system. Nevertheless, I still get the same BSOD (described in detail earlier in this thread). Attached is the current minidump, in hopes that it will help.

.

Just ouf of curiosity, ince the BSOD mentions NTFS.sys, I checked its version: 5.1.2600.5512 (xpsp.080413-2111). Note that there is a discussion of Stop x24 that may occur during a Windows Vista install at http://support.microsoft.com/kb/935806; but none of its conditions seem to really apply to my case, especially since WinPE manifestly CAN access other NTFS directories without trouble. (In fact, I also get the BSOD if I try to examine the winpe\mount directory with Windows Explorer just after the imagex command the presumably populates it -- that would be while the WinPE command window is still open. After the BSOD restart the directory still exists but is empty.)

Mini120211-02.zip

0

Share this post


Link to post
Share on other sites

ok, also remove / update Kaspersky:

b4e407c4 804ef19f Ntfs!NtfsFsdDispatchWait+0x1c

b4e407d4 b9de1459 nt!IopfCallDriver+0x31

b4e407dc 804ef19f sr!SrPassThrough+0x31

b4e407ec b9e057a9 nt!IopfCallDriver+0x31

b4e40818 b9e07d56 fltmgr!FltpQueryInformationFile+0x99

b4e40860 b9e08329 fltmgr!SetStreamListStandardInformationFlags+0x7e

b4e40884 b77a3ade fltmgr!FltIsDirectory+0x4b

WARNING: Stack unwind information not available. Following frames may be wrong.

b4e408ac b778ceb1 klif+0x18ade

b4e4091c b9df3ef3 klif+0x1eb1

b4e40984 b9df6338 fltmgr!FltpPerformPostCallbacks+0x1c5

b4e40998 b9df6867 fltmgr!FltpProcessIoCompletion+0x10

b4e409a8 b9df6d24 fltmgr!FltpPassThroughCompletion+0x89

b4e409d8 b9e03754 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x94

b4e40a14 804ef19f fltmgr!FltpCreate+0x26a

b4e40a24 80583220 nt!IopfCallDriver+0x31

b4e40b04 805bf488 nt!IopParseDevice+0xa12

b4e40b7c 805bba14 nt!ObpLookupObjectName+0x53c

b4e40bd0 80576feb nt!ObOpenObjectByName+0xea

b4e40d54 8054167c nt!NtQueryAttributesFile+0xf1

b4e40d54 7c90e514 nt!KiFastCallEntry+0xfc

0013f3dc 00000000 0x7c90e514

Your version is very old:

   
Image name: klif.sys
Timestamp: Tue Sep 22 12:32:04 2009

0

Share this post


Link to post
Share on other sites

ok, also remove / update Kaspersky:

...

Image name: klif.sys

Timestamp: Tue Sep 22 12:32:04 2009

OK, this MIGHT have been installed by my current version of ZoneAlarm Extreme Security (9.3.037 -- not the latest because versions 10.x do not work properly on my system -- another investigation in progress...) OR it MIGHT have survived Ccleaner after a "clean" uninstall of ZAES 10.x. (I do remember that, after running, Ccleaner I searched for and deleted any remaining directories with names containing "ZoneAlarm" or "Checkpoint," but I forgot to check for "ZoneLabs." I do not remember whether ZA currently uses Kaspersky, or whether it was only in an earlier version. I will try to find out, but it may take a day or two. More later...

0

Share this post


Link to post
Share on other sites

Sorry I don't know if ZA uses the Kaspersky engine.

0

Share this post


Link to post
Share on other sites

ok, also remove / update Kaspersky:

...

Your version is very old:

Image name: klif.sys

Timestamp: Tue Sep 22 12:32:04 2009

Dear MagicAndre1981 -- Thanks. You were dead right about klif.sys -- only your second try (details below just in case anyone else is intersted)!

Question: How can I figure this out for myself next time I'm hit with the BSOD (pretty rare in XP SP3)? I'm not an IT -- these modern systems are way over my head -- but I do have a lot of experience with Window plus considerably direct programming in Forth, C, Basic, Fortran, etc. Is there a tool that I can safely use to solve these problems for myself? (I was trying to get "Dumpchk.exe" from Debugging Tools in Windows SDK for x86, but it seems not to be there and anyhow is apparently not much good. Somebody else suggested http://www.nirsoft.net/utils/blue_screen_view.html, but ZoneAlarm Extreme Security advises me that the site is "known to distribute spyware." )

Details: After uninstalling ShadowProtect 3.5 (GREAT software, but I need to update it anyhow) to get rid of stcvsm.sys (without solving the problem), I also clean-uninstalled Zone Alarm Extreme Security 9.3.037 to get rid of klif.sys. Then I uninstalled and re-installed WAIK, just in case that installation had been interrered with by ZAES. On re-installing WAIK, I found that the WinPE 2.0 build went smoothly -- no BSOD. To confirm I re-installed ZAES 9.3.037 (bringing back the old version of klif.sys, and another WinPE build immediately brought on the same BSOD. (I didn't try the newest version of ZAES, which I am told has a new version of the Kaspersky AV engine, but that's another story and is OK because I now have the PE boot CD that I wanted and no longer need WAIK.) Thanks again! -- jclarkw

0

Share this post


Link to post
Share on other sites

ok, enjoy your WinPE now and remember this for the feature if you need to build a new Image with the WAIK :)

0

Share this post


Link to post
Share on other sites

I found two ways to do myself at least part of what you did for me. Perhaps they will help some other readers:

BlueScreenView works like a champ and has the added benefit of no "install." It found both of my suspect drivers right away (after the fact, or course, since you had already pointed them out). Next time I think I can do it on my own with this tiny tool.

Next I tried the free-for-home-use version of WhoCrashed from Resplendence (referenced in one of the BlueScreenView reviews that I read), which requires the Windows Debugging Tools ("http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.11.1.404.msi" for my version of Windows), but which gives even more specific results. Having also installed those tools, I now see Dumpchk.exe in the Debugging Tools root directory. Dumpchk output even shows up now in BlueScreenView.

I even figured out how to incorporate Win XP SP3 symbols, although not those for the 3rd-party drivers, into the Debugging Tools (and into Dumpchk) by downloading them from "http://msdl.microsoft.com/download/symbols/packages/windowsxp/WindowsXP-KB936929-SP3-x86-symbols-full-ENU.exe." (WhoCrashed won't incorporate symbol stores unless you pay for the "Professional" version.)

Both free progarms seem to be winners, although WhoCrashed takes a lot more overhead.

Best Regards. - jclarkw

Edited by jclarkw
0

Share this post


Link to post
Share on other sites

I use WinDbg from the Windows Debugging Tools to get the cause.

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.