jclarkw (Author), posted December 2, 2011

> The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys): ... So update or uninstall the tool and try it again.

THANKS; this looks like really useful information! I will try it...

One more ignorant follow-up question, if I may: Is there a way to get a list of currently installed drivers? I can see that a couple of ShadowProtect services are running in the background (even though I didn't intend that), but I don't know how to tell if the driver, stcvsm.sys, is currently active. (Perhaps I can just temporarily disable it?)

At least I can (probably) determine the driver version number and see if an update makes any difference...

MagicAndre1981, posted December 2, 2011

Process Hacker can list all drivers and allows you to modify the start type.

jclarkw (Author), posted December 2, 2011

> The issue may be caused by the ShadowProtect snapshot driver (stcvsm.sys): ... So update or uninstall the tool and try it again.

Well, I uninstalled ShadowProtect Desktop and ran Ccleaner for good measure. stcvsm.sys no longer exists anywhere on the system. Nevertheless, I still get the same BSOD (described in detail earlier in this thread). Attached is the current minidump, in hopes that it will help.

Just out of curiosity, since the BSOD mentions NTFS.sys, I checked its version: 5.1.2600.5512 (xpsp.080413-2111). Note that there is a discussion of Stop x24 that may occur during a Windows Vista install at http://support.microsoft.com/kb/935806; but none of its conditions seem to really apply to my case, especially since WinPE manifestly CAN access other NTFS directories without trouble. (In fact, I also get the BSOD if I try to examine the winpe\mount directory with Windows Explorer just after the imagex command that presumably populates it -- that would be while the WinPE command window is still open. After the BSOD restart the directory still exists but is empty.)

Attachment: Mini120211-02.zip

MagicAndre1981, posted December 3, 2011

ok, also remove / update Kaspersky:

    b4e407c4 804ef19f Ntfs!NtfsFsdDispatchWait+0x1c
    b4e407d4 b9de1459 nt!IopfCallDriver+0x31
    b4e407dc 804ef19f sr!SrPassThrough+0x31
    b4e407ec b9e057a9 nt!IopfCallDriver+0x31
    b4e40818 b9e07d56 fltmgr!FltpQueryInformationFile+0x99
    b4e40860 b9e08329 fltmgr!SetStreamListStandardInformationFlags+0x7e
    b4e40884 b77a3ade fltmgr!FltIsDirectory+0x4b
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b4e408ac b778ceb1 klif+0x18ade
    b4e4091c b9df3ef3 klif+0x1eb1
    b4e40984 b9df6338 fltmgr!FltpPerformPostCallbacks+0x1c5
    b4e40998 b9df6867 fltmgr!FltpProcessIoCompletion+0x10
    b4e409a8 b9df6d24 fltmgr!FltpPassThroughCompletion+0x89
    b4e409d8 b9e03754 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x94
    b4e40a14 804ef19f fltmgr!FltpCreate+0x26a
    b4e40a24 80583220 nt!IopfCallDriver+0x31
    b4e40b04 805bf488 nt!IopParseDevice+0xa12
    b4e40b7c 805bba14 nt!ObpLookupObjectName+0x53c
    b4e40bd0 80576feb nt!ObOpenObjectByName+0xea
    b4e40d54 8054167c nt!NtQueryAttributesFile+0xf1
    b4e40d54 7c90e514 nt!KiFastCallEntry+0xfc
    0013f3dc 00000000 0x7c90e514

Your version is very old:

    Image name: klif.sys
    Timestamp:  Tue Sep 22 12:32:04 2009
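
Added example, not part of any post in this thread: a short Python parser for a WinDbg stack listing like the one in the post above. It reports modules whose frames appear only as module+offset (no symbols loaded), which is how klif stands out there; the function names are this example's own, and the sample frames are a subset copied from that post.

```python
import re

# Subset of the frames from the post above (columns: ChildEBP RetAddr Symbol).
SAMPLE_STACK = """\
b4e40860 b9e08329 fltmgr!SetStreamListStandardInformationFlags+0x7e
b4e40884 b77a3ade fltmgr!FltIsDirectory+0x4b
WARNING: Stack unwind information not available. Following frames may be wrong.
b4e408ac b778ceb1 klif+0x18ade
b4e4091c b9df3ef3 klif+0x1eb1
b4e40984 b9df6338 fltmgr!FltpPerformPostCallbacks+0x1c5
b4e40d54 7c90e514 nt!KiFastCallEntry+0xfc
0013f3dc 00000000 0x7c90e514
"""

# Two 8-digit hex columns followed by the symbol column (32-bit dump layout).
FRAME = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)$", re.I)


def parse_frames(text):
    """Return (module, function_or_None, offset) for each resolvable frame."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # debugger WARNING lines, blank lines
        sym = m.group(3)
        if sym.lower().startswith("0x"):
            continue  # bare address: no module could be resolved
        name, _, offset = sym.partition("+")
        module, _, func = name.partition("!")
        frames.append((module, func or None, offset or "0x0"))
    return frames


def modules_without_symbols(text):
    """Modules shown as module+offset only, in order of first appearance."""
    seen = []
    for module, func, _ in parse_frames(text):
        if func is None and module not in seen:
            seen.append(module)
    return seen


if __name__ == "__main__":
    for name in modules_without_symbols(SAMPLE_STACK):
        print("no symbols, check vendor and version:", name)
```

A module listed this way is a candidate for closer inspection, not a verdict; the debugger's `lmvm klif` command prints the image name and timestamp for the module.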

jclarkw (Author), posted December 3, 2011

> ok, also remove / update Kaspersky: ... Image name: klif.sys Timestamp: Tue Sep 22 12:32:04 2009

OK, this MIGHT have been installed by my current version of ZoneAlarm Extreme Security (9.3.037 -- not the latest because versions 10.x do not work properly on my system -- another investigation in progress...) OR it MIGHT have survived Ccleaner after a "clean" uninstall of ZAES 10.x. (I do remember that, after running Ccleaner, I searched for and deleted any remaining directories with names containing "ZoneAlarm" or "Checkpoint," but I forgot to check for "ZoneLabs.") I do not remember whether ZA currently uses Kaspersky, or whether it was only in an earlier version. I will try to find out, but it may take a day or two. More later...

MagicAndre1981, posted December 3, 2011

Sorry, I don't know if ZA uses the Kaspersky engine.

jclarkw (Author), posted December 5, 2011

> ok, also remove / update Kaspersky: ... Your version is very old: Image name: klif.sys Timestamp: Tue Sep 22 12:32:04 2009

Dear MagicAndre1981 -- Thanks. You were dead right about klif.sys -- only your second try (details below just in case anyone else is interested)!

Question: How can I figure this out for myself next time I'm hit with the BSOD (pretty rare in XP SP3)? I'm not an IT -- these modern systems are way over my head -- but I do have a lot of experience with Windows plus considerable direct programming in Forth, C, Basic, Fortran, etc. Is there a tool that I can safely use to solve these problems for myself? (I was trying to get "Dumpchk.exe" from Debugging Tools in Windows SDK for x86, but it seems not to be there and anyhow is apparently not much good. Somebody else suggested http://www.nirsoft.net/utils/blue_screen_view.html, but ZoneAlarm Extreme Security advises me that the site is "known to distribute spyware.")

Details: After uninstalling ShadowProtect 3.5 (GREAT software, but I need to update it anyhow) to get rid of stcvsm.sys (without solving the problem), I also clean-uninstalled Zone Alarm Extreme Security 9.3.037 to get rid of klif.sys. Then I uninstalled and re-installed WAIK, just in case that installation had been interfered with by ZAES. On re-installing WAIK, I found that the WinPE 2.0 build went smoothly -- no BSOD. To confirm, I re-installed ZAES 9.3.037 (bringing back the old version of klif.sys), and another WinPE build immediately brought on the same BSOD. (I didn't try the newest version of ZAES, which I am told has a new version of the Kaspersky AV engine, but that's another story and is OK because I now have the PE boot CD that I wanted and no longer need WAIK.)

Thanks again! -- jclarkw

MagicAndre1981, posted December 5, 2011

ok, enjoy your WinPE now and remember this for the future if you need to build a new image with the WAIK.

jclarkw (Author), posted December 6, 2011 (edited December 7, 2011 by jclarkw)

I found two ways to do myself at least part of what you did for me. Perhaps they will help some other readers:

BlueScreenView works like a champ and has the added benefit of no "install." It found both of my suspect drivers right away (after the fact, of course, since you had already pointed them out). Next time I think I can do it on my own with this tiny tool.

Next I tried the free-for-home-use version of WhoCrashed from Resplendence (referenced in one of the BlueScreenView reviews that I read), which requires the Windows Debugging Tools ("http://msdl.microsoft.com/download/symbols/debuggers/dbg_x86_6.11.1.404.msi" for my version of Windows), but which gives even more specific results. Having also installed those tools, I now see Dumpchk.exe in the Debugging Tools root directory. Dumpchk output even shows up now in BlueScreenView.

I even figured out how to incorporate Win XP SP3 symbols, although not those for the 3rd-party drivers, into the Debugging Tools (and into Dumpchk) by downloading them from "http://msdl.microsoft.com/download/symbols/packages/windowsxp/WindowsXP-KB936929-SP3-x86-symbols-full-ENU.exe." (WhoCrashed won't incorporate symbol stores unless you pay for the "Professional" version.)

Both free programs seem to be winners, although WhoCrashed takes a lot more overhead.

Best Regards. - jclarkw

MagicAndre1981, posted December 6, 2011

I use WinDbg from the Windows Debugging Tools to get the cause.

jclarkw (Author), posted December 7, 2011

> I use WinDbg from the Windows Debugging Tools to get the cause.

Thanks again, MagicAndre1981. I'd like to give you credit for solving my problem, but I don't immediately see how... -- jclarkw

MagicAndre1981, posted December 7, 2011

I'm happy that you fixed the issue; this is enough. Enjoy using the WAIK and discuss with other users here on msfn; maybe you can help others.