Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account


Photo

BSOD during WAIK Customization of WinPE Image

- - - - -

  • Please log in to reply
26 replies to this topic

#1
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag
I'm running Windows Automated Installation Kit (the original 2/13/2007 version) on an up-to-date Windows XP SP3 machine, trying to produce a customized WinPE 2.0 image file to boot from CD. If I make no modifications to the original winpe.wim, (for example, following steps in at http://technet.micro...ibrary/dd799303), I have no problems.

After imagex is used to mount the original winpe.wim, however, ANY reference to the \mount directory (with Windows Explorer, with 'dir' at the WAIK command prompt, or with another WAIK command such as 'peimg /list /image=c:\winpe\mount' from the more comprehensive steps at http://www.svrops.co...winvistape2.htm) seems to result in the Blue Screen of Death. (The BSOD says, "STOP 0x00000024..." and mentions ntfs.sys. And yes, I did disable my virus scanner before doing any of this.) I get the same results with WAIK for Windows Vista SP1 (4/9/2009 version), which is also supposed to run on XP, although neither version explicitly mentions SP3.

Old Stuff, but this seems to be the place. Anybody know what I'm doing wrong?


How to remove advertisement from MSFN

#2
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

run chkdsk /r /f to detect and fix NTFS issues.
Posted Image

#3
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag
MagicAndre1981 -- I did that; no joy. Chkdsk did find and fix problems, but the screen flashed by so fast I could not read it. I can't find the log file; where would it be?

Still the same BSOD with the same STOP code at the same sequence. It did a dump of physical memory (3 GB!), but I doubt you would want to see it even if I could find it.

Any other thoughts? -- jclarkw

#4
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

Have you checked the SMART values of your HDD?

Also upload the minidump files from C:\Windows\Minidumps, please.
Posted Image

#5
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag

>>Have you checked the SMART values of your HDD?<<

Sorry. Now you've lost me. I don't know what 'SMART' values are, how to find them, nor what they would tell me.

>>Also upload the minidump files from C:\Windows\Minidumps, please.<<

Sorry again. That directory is empty. Is there some dump setting that I need to change to get a 'minidump' instead of a 'physical memory dump' (which I can't find anyhow)?



#6
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

SMART = Self-Monitoring, Analysis and Reporting Technology:

http://en.wikipedia....wiki/S.M.A.R.T.

There are several tools which can read the data (Speedfan, HDTune, AIDA64).
Posted Image

#7
Tripredacus

Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 9,807 posts
  • OS:Server 2012
  • Country: Country Flag

Donator

It did a dump of physical memory (3 GB!), but I doubt you would want to see it even if I could find it.


It should be c:\windows\MEMORY.DMP
MSFN RULES | GimageX HTA for PE 3-5 | lol probloms
msfn2_zpsc37c7153.jpg

#8
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag

>>It should be c:\windows\MEMORY.DMP<<




Sorry. Not there.

#9
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag

>>http://en.wikipedia....ki/S.M.A.R.T.<<



MagicAndre1981 -- This is probably way above my pay grade, but I will give it a look.

What about the missing 'minidump?' Why isn't that there?

(I don't think I mentioned that this is a Lenovo T61 laptop, so it might have some wierd Lenovo (or IBM Thinkpad) garbage still on it.) -- jclarkw

#10
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

have you setup Windows correctly to generate dumps?

http://support.microsoft.com/kb/254649

Have you enabled the pagefile (Virtual memory) in Windows?
Posted Image

#11
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag
Thanks for the reference on memory dumps. I assume you still want a 'minidump.' i will try to generate that and post back.

Virtual memory is currently enabled with a paging file size of 4605 MB. 'Pagefile.sys' show up as a comparably large file in C:\.. (As I said, the system contains 3 GB of ram, although I realize that XP cannot use that much.)

#12
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag

Also upload the minidump files from C:\Windows\Minidumps, please.



"Error You aren't permitted to upload this kind of file"

How am I supposed to upload "Mini113011-01.dmp?" -- jclarkw

#13
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

zip it and attach it or use a 1 click hoster like mediafire.com
Posted Image

#14
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag

zip it and attach it or use a 1 click hoster like mediafire.com



Dear MagicAndre1981 -- I have finally straightened out my CrashControl settings (they were set to "Complete memory dump"), produced a 'minidump,' and attempted to attach a PKZipped version hereto. The details of the crash are the same as before, running from an 'administrator' account on Windows XP SP3 without loading antivirus: Start/Programs/Windows AIK[original Vista version from 7/13/07]/PE Tools Command Prompt/"copype x86 c:\winpe"<enter>; "imagex /mountrw c:\winpe\winpe.wim 1 c:\winpe\mount"<enter>; "cd mount"<enter>; BSOD, "STOP: 0x00000024... ntfs.sys..." There's no problem with a "dir" from the \winpe directroy that lists the 'mount' directory, but almost anything directly involving the \mount directory itself (e.g., "peimg /list /image=c:\winpe\mount"<enter>) will cause the same crash. Thanks for any help! -- jclarkw

Attached Files



#15
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys):

ChildEBP RetAddr
b51b8f60 b9d1ffef nt!KeBugCheckEx+0x1b
b51b8f90 b9d757d1 Ntfs!NtfsExceptionFilter+0x1cc
b51b8f9c 80539b71 Ntfs!NtfsFsdDispatchSwitch+0x146
b51b8fc4 80546e7e nt!_except_handler3+0x61
b51b8fe8 80546e50 nt!ExecuteHandler2+0x26
b51b9098 804fe5b4 nt!ExecuteHandler+0x24
b51b9454 805420e5 nt!KiDispatchException+0x13e
b51b94bc 80542096 nt!CommonDispatchException+0x4d
b51b94d0 b9d37492 nt!Kei386EoiHelper+0x18a
b51b953c b9d39edc Ntfs!NtfsFsdClose+0x3be
b51b95b0 b9d3849c Ntfs!NtfsCommonQueryInformation+0x56
b51b9614 b9d384d5 Ntfs!NtfsFsdDispatchSwitch+0x12a
b51b9738 804ef19f Ntfs!NtfsFsdDispatchWait+0x1c
b51b9748 b9de1459 nt!IopfCallDriver+0x31
b51b9750 804ef19f sr!SrPassThrough+0x31
b51b9760 b9dbbf9e nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
b51b9774 b9db8109 stcvsm+0x5f9e
b51b9794 b9dbb1ed stcvsm+0x2109
b51b97c8 b9db9fa2 stcvsm+0x51ed
b51b97dc 804ef19f stcvsm+0x3fa2

b51b97ec b9e057a9 nt!IopfCallDriver+0x31
b51b9818 b9e07d56 fltmgr!FltpQueryInformationFile+0x99


So update or uninstall the tool and try it again.
Posted Image

#16
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag

The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys):
...
So update or uninstall the tool and try it again.

THANKS; this looks like really useful information! I will try it...

One more ignorant follow-up question, if I may:
Is there a way to get a list of currently installed drivers? I can see that a couple of ShadowProtect services are running in the background (even though I didn't intend that), but I don't know how to tell if the driver, stcvsm.sys, is currently active. (Perhaps I can just temporarily disable it?)

At least I can (probably) determine the driver version number and see if an update makes any difference...

#17
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

Process Hacker can list all drivers and allows to modify the start type.

Posted Image
Posted Image

#18
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag

The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys):
...
So update or uninstall the tool and try it again.

Well, I uninstalled ShadowProtect Desktop and ran Ccleaner for good measure. stcvsm.sys no longer exists anywhere on the system. Nevertheless, I still get the same BSOD (described in detail earlier in this thread). Attached is the current minidump, in hopes that it will help.
.
Just ouf of curiosity, ince the BSOD mentions NTFS.sys, I checked its version: 5.1.2600.5512 (xpsp.080413-2111). Note that there is a discussion of Stop x24 that may occur during a Windows Vista install at http://support.micro....com/kb/935806; but none of its conditions seem to really apply to my case, especially since WinPE manifestly CAN access other NTFS directories without trouble. (In fact, I also get the BSOD if I try to examine the winpe\mount directory with Windows Explorer just after the imagex command the presumably populates it -- that would be while the WinPE command window is still open. After the BSOD restart the directory still exists but is empty.)

Attached Files



#19
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

ok, also remove / update Kaspersky:

b4e407c4 804ef19f Ntfs!NtfsFsdDispatchWait+0x1c
b4e407d4 b9de1459 nt!IopfCallDriver+0x31
b4e407dc 804ef19f sr!SrPassThrough+0x31
b4e407ec b9e057a9 nt!IopfCallDriver+0x31
b4e40818 b9e07d56 fltmgr!FltpQueryInformationFile+0x99
b4e40860 b9e08329 fltmgr!SetStreamListStandardInformationFlags+0x7e
b4e40884 b77a3ade fltmgr!FltIsDirectory+0x4b
WARNING: Stack unwind information not available. Following frames may be wrong.
b4e408ac b778ceb1 klif+0x18ade
b4e4091c b9df3ef3 klif+0x1eb1

b4e40984 b9df6338 fltmgr!FltpPerformPostCallbacks+0x1c5
b4e40998 b9df6867 fltmgr!FltpProcessIoCompletion+0x10
b4e409a8 b9df6d24 fltmgr!FltpPassThroughCompletion+0x89
b4e409d8 b9e03754 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x94
b4e40a14 804ef19f fltmgr!FltpCreate+0x26a
b4e40a24 80583220 nt!IopfCallDriver+0x31
b4e40b04 805bf488 nt!IopParseDevice+0xa12
b4e40b7c 805bba14 nt!ObpLookupObjectName+0x53c
b4e40bd0 80576feb nt!ObOpenObjectByName+0xea
b4e40d54 8054167c nt!NtQueryAttributesFile+0xf1
b4e40d54 7c90e514 nt!KiFastCallEntry+0xfc
0013f3dc 00000000 0x7c90e514


Your version is very old:

Image name:      klif.sys
Timestamp:        Tue Sep 22 12:32:04 2009

Posted Image

#20
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag

ok, also remove / update Kaspersky:
...
Image name: klif.sys
Timestamp: Tue Sep 22 12:32:04 2009




OK, this MIGHT have been installed by my current version of ZoneAlarm Extreme Security (9.3.037 -- not the latest because versions 10.x do not work properly on my system -- another investigation in progress...) OR it MIGHT have survived Ccleaner after a "clean" uninstall of ZAES 10.x. (I do remember that, after running, Ccleaner I searched for and deleted any remaining directories with names containing "ZoneAlarm" or "Checkpoint," but I forgot to check for "ZoneLabs." I do not remember whether ZA currently uses Kaspersky, or whether it was only in an earlier version. I will try to find out, but it may take a day or two. More later...

#21
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

Sorry I don't know if ZA uses the Kaspersky engine.
Posted Image

#22
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag

ok, also remove / update Kaspersky:
...
Your version is very old:
Image name: klif.sys
Timestamp: Tue Sep 22 12:32:04 2009




Dear MagicAndre1981 -- Thanks. You were dead right about klif.sys -- only your second try (details below just in case anyone else is intersted)!

Question: How can I figure this out for myself next time I'm hit with the BSOD (pretty rare in XP SP3)? I'm not an IT -- these modern systems are way over my head -- but I do have a lot of experience with Window plus considerably direct programming in Forth, C, Basic, Fortran, etc. Is there a tool that I can safely use to solve these problems for myself? (I was trying to get "Dumpchk.exe" from Debugging Tools in Windows SDK for x86, but it seems not to be there and anyhow is apparently not much good. Somebody else suggested http://www.nirsoft.n...creen_view.html, but ZoneAlarm Extreme Security advises me that the site is "known to distribute spyware." )

Details: After uninstalling ShadowProtect 3.5 (GREAT software, but I need to update it anyhow) to get rid of stcvsm.sys (without solving the problem), I also clean-uninstalled Zone Alarm Extreme Security 9.3.037 to get rid of klif.sys. Then I uninstalled and re-installed WAIK, just in case that installation had been interrered with by ZAES. On re-installing WAIK, I found that the WinPE 2.0 build went smoothly -- no BSOD. To confirm I re-installed ZAES 9.3.037 (bringing back the old version of klif.sys, and another WinPE build immediately brought on the same BSOD. (I didn't try the newest version of ZAES, which I am told has a new version of the Kaspersky AV engine, but that's another story and is OK because I now have the PE boot CD that I wanted and no longer need WAIK.) Thanks again! -- jclarkw

#23
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

ok, enjoy your WinPE now and remember this for the feature if you need to build a new Image with the WAIK :)
Posted Image

#24
jclarkw

jclarkw

    Newbie

  • Member
  • 21 posts
  • OS:XP Pro x86
  • Country: Country Flag
I found two ways to do myself at least part of what you did for me. Perhaps they will help some other readers:

BlueScreenView works like a champ and has the added benefit of no "install." It found both of my suspect drivers right away (after the fact, or course, since you had already pointed them out). Next time I think I can do it on my own with this tiny tool.

Next I tried the free-for-home-use version of WhoCrashed from Resplendence (referenced in one of the BlueScreenView reviews that I read), which requires the Windows Debugging Tools ("http://msdl.microsof...6.11.1.404.msi" for my version of Windows), but which gives even more specific results. Having also installed those tools, I now see Dumpchk.exe in the Debugging Tools root directory. Dumpchk output even shows up now in BlueScreenView.

I even figured out how to incorporate Win XP SP3 symbols, although not those for the 3rd-party drivers, into the Debugging Tools (and into Dumpchk) by downloading them from "http://msdl.microsof...-full-ENU.exe." (WhoCrashed won't incorporate symbol stores unless you pay for the "Professional" version.)

Both free progarms seem to be winners, although WhoCrashed takes a lot more overhead.

Best Regards. - jclarkw

Edited by jclarkw, 06 December 2011 - 09:20 PM.


#25
MagicAndre1981

MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,024 posts
  • OS:Vista Ultimate x86
  • Country: Country Flag

Donator

I use WinDbg from the Windows Debugging Tools to get the cause.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users



How to remove advertisement from MSFN