Ken Schaefer : Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen

Tuesday, October 3, 2006 10:18 PM by Ken

Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Update: I have now added Part 3 - where I cover enabling the Driver Verifier tool. This can be handy if you are getting STOP 0xA crashes, but the faulting stack is different/corrupt each time.

Update 2: If you are getting random STOP numbers each time your machine blue screens (e.g. the bugcheck is different each time), then it's possible that your machine has a hardware issue. Do some basic hardware troubleshooting first (e.g. run a memory tester application, remove unnecessary peripherals etc)

In Part 1 we looked at common causes for IRQL_NOT_LESS_OR_EQUAL BSODs. If you end up in the unfortunate situation where you are experiencing a STOP 0XA BSODs, what can you do about it?

If you'd like to confirm the actual STOP error you are getting visually, then you need to change a setting in Windows XP and Windows Server 2003. By default the system automatically restarts upon a BSOD and you may miss the information that's printed on the screen. To view the actual BSOD use the System Control Panel -> Advanced Tab -> Startup and Recovery Settings button -> uncheck Automatically Restart on System Failure. The System control panel is available in the Control Panel folder, or by right-clicking on My Computer and choosing Properties.

To determine what is causing the problem we want to use a debugging tool such as WinDBG. WinDBG is available for free as part of the Debugging Tools for Windows. There are separate downloads for x32 and x64 systems.

After downloading and installing the Debugging Tools start WinDBG. Press Ctrl+D to open a crash dump, and navigate to %systemroot%\minidump (%systemroot% is where your Windows/WINNT folder is located). Each time Windows has crashed, there should be a minidump file there (by default). Open the minidump file that corresponds to your crash.

Ensure that your system has access to the internet (in particular the Microsoft Public Symbol Server) and type in the following commands at the kd> prompt:
.symfix
.reload
kb

After hitting .reload, it may take some time for WinDBG to download the corresponding symbols that match the dump file (depending on your internet connection speed). These symbols allow you to see what functions are being called within files supplied by Microsoft (for third party files, you need to get symbols from those vendors. You can supply your own symbols for you own code). Because the offsets for functions potentially change with each update to Windows (service packs, hotfixes etc) being able to contact the public symbol server allows you to get the correct symbols that match the exact build in the dump file.

The kb command allows you to get a stack backtrace of the faulting thread. In most cases you can get a faulting driver from the stack. The stack should be read from the bottom up. Here is an example:

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
8055052c f94c7ef9 81ae08d8 6600a8c0 6500a8c0 A3AB+0x15d90 <== Our culprit
8055058c f94c7b19 f9722404 819ab000 818a0ef0 tcpip!DeliverToUser+0x18e
80550608 f94c780a f97307a0 818a0ef0 00000054 tcpip!DeliverToUserEx+0x95f
805506d0 f988bf7f 81b184d8 fff0bdc0 ffffffff tcpip!IPRcvPacket+0x6a0
805506f8 f987354b 81b184d8 00000064 819ae0d8 NDIS!NdisMSetTimer+0x8b
8055070c f96fdd98 81b184d8 00000064 819ab000 NDIS!NdisSetTimer+0x44
80550764 804dcaad 81b18500 81b184d8 00000283 A3AB+0x2fd98
80550880 805508ac 81a915f4 804e4fd5 81aa39c0 nt!KiTimerListExpire+0x122
80550890 f988f712 00000000 80559580 80559320 nt!KiDoubleFaultStack+0x2d2c
805508ac 804dc179 81a91608 81a915f4 00000000 NDIS!ndisMDpc+0xff
805508d0 804dc0ed 00000000 0000000e 00000000 nt!KiRetireDpcList+0x46
805508d4 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x26

The faulting driver isnt always at the top of the stack, but it's generally easy to spot. In this case, a quick search for a3ab.sys lead us to the driver that needs updating (it was for a network card).

Additional information about the modules loaded can be obtained by using the lmv command at the kd> prompt. In this dump file:

f96b7000 f96cd680   ndiswan    (deferred)
    Mapped memory image file: ndiswan.sys\41107EC616680\ndiswan.sys
    Image path: ndiswan.sys
    Image name: ndiswan.sys
    Timestamp:        Wed Aug 04 16:14:30 2004 (41107EC6)
    CheckSum:         00016813
    ImageSize:        00016680
    File version:     5.1.2600.2180
    Product version: 5.1.2600.2180
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.6 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     NDISWAN.SYS
    OriginalFilename: NDISWAN.SYS
    ProductVersion:   5.1.2600.2180
    FileVersion:      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    FileDescription: MS PPP Framing Driver (Strong Encryption)
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
f96ce000 f973bf60   A3AB     T (no symbols)
    Loaded symbol image file: A3AB.sys
    Image path: A3AB.sys
    Image name: A3AB.sys
    Timestamp:        Wed Mar 23 14:17:32 2005 (4240DFCC)
    CheckSum:         00072B2D
    ImageSize:        0006DF60
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0
f973c000 f975ee80   USBPORT    (deferred)
    Mapped memory image file: USBPORT.SYS\41107D6222e80\USBPORT.SYS
    Image path: USBPORT.SYS
    Image name: USBPORT.SYS
    Timestamp:        Wed Aug 04 16:08:34 2004 (41107D62)
    CheckSum:         0002F594
    ImageSize:        00022E80
    File version:     5.1.2600.2180
    Product version: 5.1.2600.2180
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     usbport.sys
    OriginalFilename: usbport.sys
    ProductVersion:   5.1.2600.2180
    FileVersion:      5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    FileDescription: USB 1.1 & 2.0 Port Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

Happy debugging!

Edit: Forgot my references! Other than sites that I've listed previously, the following documents have been used:
IRQL and Scheduling Whitepaper from Microsoft and
Windows Internals by Mark Russinovich and David Solomon

Filed under: Debugging

Comments

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Friday, November 3, 2006 10:37 PM by lauren

hi! thanks for the info, but for all of my crash dumps (at least, the ones i can even open) it says the mini kernal data is not present. can you think of anything obvious i might be missing? -lauren -aseariel(at)gmail.com

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Thursday, December 28, 2006 2:54 PM by cona jones

i did what you said and it just crashed again but with DRIVER_ infront and then it crashed again with the same thing as before but without the DRIVER_ please help asap crazyapeboy@hoymail.com

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, January 1, 2007 5:40 AM by Ken

Hi CrazyApeBoy,

What is the output from WinDBG? Without that, it's a bit pointless me trying to help you - we need information about your crash to be able to diagnose what the problem is.

# Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 3

Wednesday, January 10, 2007 7:52 AM by Ken Schaefer

Sometimes when looking at your dump files, the actual cause isn't possible to determine due to issues

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Friday, February 2, 2007 5:23 PM by Bob Thurmond

I'm stumped. I receive 2 or 3 STOP errors per day (!) and cannot find a cause. Anyone willing to look at the miniump files?

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Sunday, February 4, 2007 3:40 AM by Ken

Bob,

There are a few things you probably need to do first:

a) What STOP errors are you getting? If you are getting different stop errors each time, you may have a hardware issue. Hardware problems (e.g. faulty RAM) tend to give you seemingly random crashes, with random STOP errors. So the first step is to work out what STOP errors you are getting, and whether they point to a hardware issue.

b) If you are getting STOP 0xA or STOP 0x1000000A errors consistently, then use WinDBG to look at your dump files. See if you can identity a faulting driver.

c) If you are getting STOP 0xA but the stacks look like gibberish, then enable Driver Verifier (see Part 3 in the series) to get a clean dump file.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Saturday, February 17, 2007 1:45 AM by Mr X

Hi, i'm not good with computers so bare with me I'm in minidump and you said to open the file which 'corresponds' to my crash... How do i know which one coresponds to my crash... all i see is aload of files with random number names

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Saturday, February 17, 2007 2:48 AM by Ken

Hi Mr X,

The numbers aren't random. They are dates :-)

The file mini010107-01.dmp was the first dump file created on 1st January 2007. Likewise the file mini010107-02.dmp would be the second minidump file created on 1st Jan 2007. Hope that helps.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, February 19, 2007 7:27 PM by aristazibal

I've just started having this problem, but I think it might be related to the most recent round of Windows updates. Is that possible? The reason I think so is because I when I restart using the last known good settings, the only thing that changes (that I'm aware of) is that it notifies me that the updates are available again. I only get the BSoD on startup, and only after I've installed the updates (so far). Is it possible that the new security updates have created a conflict somewhere? I've changed my settings and turned off the auto-updates, just to see if that fixes it, but I'm not real happy with that, either. Any ideas?

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, February 20, 2007 1:25 AM by Ken

Hi aristazibal,

After you get your PC working again, visit the WindowsUpdate website (rather than relying on Automatic Updates) -or- configure Automatic Updates to download updates but not install them automatically. That will give you an opportunity to review exactly what updates are attempting to be installed onto your system.

For what it's worth, there was a very short period a couple of days ago where a Via chipset driver was offered via AU (even if you did not have a Via chipset) that caused BSODs.

However I do not know (a) what you are installing and (b) what your Bugcheck code is, so it's big hard to provide any more detailed advice as to what the cause might be.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Sunday, March 11, 2007 8:13 PM by Matt

Im getting this debugg below, what is nt? it keeps on coming up for all my minidumps. WARNING: Stack unwind information not available. Following frames may be wrong. f775ebe4 80574526 f775ec94 00000000 f775ed64 nt+0x1ac00 f775ecd4 80574473 829bb950 00000360 829ab4d8 nt+0x9d526 f775ed40 804df06b 00000108 00000360 ffffffff nt+0x9d473 f775ed64 7c90eb94 badb0d00 0052fea4 00000000 nt+0x806b f775ed68 badb0d00 0052fea4 00000000 00000000 0x7c90eb94 f775ed6c 0052fea4 00000000 00000000 00000000 0xbadb0d00 f775ed70 00000000 00000000 00000000 00000000 0x52fea4 Any help would be appreciated thanks

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Sunday, March 11, 2007 10:10 PM by Ken

Hi Matt,

Have you downloaded the symbols for your Windows installation?

If you haven't, then please do so (use commands above).

If you have, then please look at Part 3 (also linked to above, on enabling Driver Verifier tool)

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, March 12, 2007 12:20 AM by Matt

Hi Ken, Thanks for replying, I have already downloaded the symbols but I am unclear on enabling driver verifier tool. Also I debugged more minidumps and I always tend to get "nt + xxxxxx", do know what "nt" is and how to solve the error? I have recently just reformatted the hdd (WindXP) and installed all the neccessary drivers.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, March 12, 2007 3:25 AM by Ken

Hi,

nt! would normally be ntsokrnl.exe. The +xxxxxxxx is the offset (in bytes) in the .exe where the function is located. If you have correct symbols, then the function name should be displayed instead of the offset.

Driver Verifier can be enabled by running verifier.exe from a command prompt, or via Start -> Run

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, March 12, 2007 6:37 PM by Thomas Augestad

Hi! I get this message, doesnt give me much. This is a dumpfile from another computer, does this matter? 80550074 804dc4a8 0298d0a0 0000003a 8055019c nt!KiWaitTest+0x30 80550180 804dc378 80558e80 80558c20 ffdff000 nt!KiTimerListExpire+0x7a 805501ac 804dbbd4 80559280 00000000 0000a93a nt!KiTimerExpiration+0xaf 805501d0 804dbb4d 00000000 0000000e 00000000 nt!KiRetireDpcList+0x46 805501d4 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x26 Thanx!

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, March 13, 2007 1:28 AM by Ken

hi,

The fact that the dump file is from another computer shouldn't matter - as long as you have the correct symbols (use the .symfix and .reload commands to get the right symbols).

The thread stack you have doesn't help much unfortunately - is that all you can see?

Try using the "!analyze -v" to get some automated analysis of the file.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, March 13, 2007 6:27 AM by Thomas Augestad

Hi! I am impressed by the swift answer! This is my output with the !analyse -v option: kd> .symfix No downstream store given, using C:\Programfiler\Debugging Tools for Windows\sym kd> .reload Loading Kernel Symbols ........................................................................................................................... Loading User Symbols Loading unloaded module list ................ kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: 5e434116, memory referenced Arg2: 00000002, IRQL Arg3: 00000000, value 0 = read operation, 1 = write operation Arg4: 804dbda3, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: 5e434116 CURRENT_IRQL: 2 FAULTING_IP: nt!KiWaitTest+30 804dbda3 6683781601 cmp word ptr [eax+16h],1 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xA PROCESS_NAME: Idle LAST_CONTROL_TRANSFER: from 804dc4a8 to 804dbda3 STACK_TEXT: 80550074 804dc4a8 d67f78a0 000000d4 8055019c nt!KiWaitTest+0x30 80550180 804dc378 80558e80 80558c20 ffdff000 nt!KiTimerListExpire+0x7a 805501ac 804dbbd4 80559280 00000000 0014d5d4 nt!KiTimerExpiration+0xaf 805501d0 804dbb4d 00000000 0000000e 00000000 nt!KiRetireDpcList+0x46 805501d4 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x26 STACK_COMMAND: kb FOLLOWUP_IP: nt!KiWaitTest+30 804dbda3 6683781601 cmp word ptr [eax+16h],1 SYMBOL_STACK_INDEX: 0 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntoskrnl.exe DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9 SYMBOL_NAME: nt!KiWaitTest+30 FAILURE_BUCKET_ID: 0xA_nt!KiWaitTest+30 BUCKET_ID: 0xA_nt!KiWaitTest+30 Followup: MachineOwner --------- It crashes sporadicaly, and has crashed twice at that adress (804dbda3), I have only had the opportunity to look at two minidump files for now.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Thursday, April 5, 2007 9:26 AM by Dennis Rich

I have had this problem--two days ago, April 3, I sent (under comments to Part 1) in a long comment with summary and then complete information on two of the dumps I had. I have not see it posted there. I was wondering-- 1) Are you still receiving comments? 2) Was my long comment too long? Thanks.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, April 10, 2007 8:20 AM by Ken

Hi Dennis,

Sorry for the delay in replying. I seem to get about 100 blog spam messages a day, and only about 1 legitimate comment. It takes a while to wade through the spam to get to the legitimate posts! I'll see if I can find your original post.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Wednesday, April 11, 2007 4:20 PM by Dennis Rich

Ken, Thanks for replying--I see you did find my orignal in Part 1, but my attempt at a summary seems to have been lost. Therefore, I'll put a summary of the two error messages here: I've had 3 blue screens IRQL_NOT_LESS_OR_EQUAL in 1 month (Windows XP SP20. I loaded WinDBG and downloaded the Windows XP Retail Symbols. 1ST & 2ND blue screens had identical error messages, the 3rd had similar, but slightly different messages. I've enclosed the entire WindDBG for the 1st & 3rd dumps below AFTER I give what I think is a summary of the error. 1ST & 3RD DUMP SUMMARY OF ERROR: ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: 00000008, memory referenced Arg2: 0000001c, IRQL Arg3: 00000000, value 0 = read operation, 1 = write operation Arg4: 804f9fef, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: 00000008 CURRENT_IRQL: 1c FAULTING_IP: nt!NtCancelTimer+7a 804f9fef 8b02 mov eax,dword ptr [edx] CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xA PROCESS_NAME: wmiprvse.exe LAST_CONTROL_TRANSFER: from 80534881 to 804f9fef STACK_TEXT: b0b50458 80534881 00000000 85adf608 80534778 nt!NtCancelTimer+0x7a b0b50480 f7370571 85e4cc30 00000000 85e4cd28 nt!Ki386GetSelectorParameters+0x130 WARNING: Stack unwind information not available. Following frames may be wrong. b0b5049c 8056af03 850a2570 85e4cc30 85ae9fa0 Fastfat+0x1e571 b0b505ec 8050ec21 850a2570 b0b506bc 00000000 nt!IopDeleteFile+0x25 b0b50614 804e4315 85ae9fd0 00000000 00000000 nt!IopDoDeferredSetInterfaceState+0x2e b0b5069c f736d043 850799d8 00000000 00000000 nt!KeRemoveByKeyDeviceQueue+0x65 b0b506c4 f736d1b9 85d8b538 e1302cf0 00000001 Fastfat+0x1b043 b0b5071c f736d356 85d8b538 86773da0 00000001 Fastfat+0x1b1b9 b0b50738 f736313c 85d8b538 85e4cd28 00000001 Fastfat+0x1b356 b0b50788 f735bae3 85d8b538 84fe3338 85e4cd28 Fastfat+0x1113c b0b509d0 f7359ce0 85d8b538 867e7608 b0b50000 Fastfat+0x9ae3 b0b50a14 804eeec5 85e4cc30 867e7608 84fe3338 Fastfat+0x7ce0 b0b50a70 804eeec5 86772c80 00000001 867e7608 nt!MiAddViewsForSection+0x56 b0b50b60 805bdcf8 8676c030 00000000 85af3958 nt!MiAddViewsForSection+0x56 b0b50bd8 805ba380 00000000 b0b50c18 00000040 nt!NtCreatePagingFile+0x408 b0b50c2c 80574e37 00000000 00000000 00000001 nt!CcPfParametersRead+0x77 b0b50ca8 805757ae 00a8e338 00100001 00a8e308 nt!FsRtlIsNameInExpression+0x40 b0b50d04 80578f6d 00a8e338 00100001 00a8e308 nt!HvMarkCellDirty+0xb8 b0b50d44 8054061c 00a8e338 00100001 00a8e308 nt!NtOpenMutant+0x4a b0b50d64 7c90eb94 badb0d00 00a8e2e4 00000000 nt!RtlIpv4StringToAddressA+0x10d b0b50d78 00000000 00000000 00000000 00000000 0x7c90eb94 2ND DUMP SUMMARY OF ERROR: ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: 00000004, memory referenced Arg2: 0000001c, IRQL Arg3: 00000000, value 0 = read operation, 1 = write operation Arg4: 804fcc12, address which referenced memory Debugging Details: ------------------ Unable to load image Fastfat.sys, Win32 error 2 *** WARNING: Unable to verify timestamp for Fastfat.sys READ_ADDRESS: 00000004 CURRENT_IRQL: 1c FAULTING_IP: nt!_real+5a 804fcc12 8b5e04 mov ebx,dword ptr [esi+4] CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xA PROCESS_NAME: wmiprvse.exe LAST_CONTROL_TRANSFER: from 805347e7 to 804fcc12 STACK_TEXT: afe8c69c 805347e7 00000000 00000000 00001908 nt!_real+0x5a afe8c6cc f736d207 f736d1cc 00000000 86771b90 nt!Ki386GetSelectorParameters+0x96 afe8c6d0 f736d1cc 00000000 86771b90 afe8cab4 Fastfat!FatFlushDirectory+0x175 afe8c71c f736d356 85dcbbf8 85e4ec98 00000001 Fastfat!FatFlushDirectory+0x144 afe8c738 f736313c 85dcbbf8 86771b90 00000001 Fastfat!FatFlushVolume+0x24 afe8c788 f735bae3 85dcbbf8 8501faf8 86771b90 Fastfat!FatOpenVolume+0xc7 afe8c9d0 f7359ce0 85dcbbf8 850445d0 afe80000 Fastfat!FatCommonCreate+0x3c0 afe8ca14 804eeec5 86771a98 850445d0 8501faf8 Fastfat!FatFsdCreate+0x52 afe8ca70 804eeec5 85e4dc80 00000001 850445d0 nt!MiAddViewsForSection+0x56 afe8cb60 805bdcf8 85e4a030 00000000 850c0278 nt!MiAddViewsForSection+0x56 afe8cbd8 805ba380 00000000 afe8cc18 00000040 nt!NtCreatePagingFile+0x408 afe8cc2c 80574e37 00000000 00000000 00000001 nt!CcPfParametersRead+0x77 afe8cca8 805757ae 00a8e338 00100001 00a8e308 nt!FsRtlIsNameInExpression+0x40 afe8cd04 80578f6d 00a8e338 00100001 00a8e308 nt!HvMarkCellDirty+0xb8 afe8cd44 8054061c 00a8e338 00100001 00a8e308 nt!NtOpenMutant+0x4a afe8cd64 7c90eb94 badb0d00 00a8e2e4 00000000 nt!RtlIpv4StringToAddressA+0x10d WARNING: Frame IP not in any known module. Following frames may be wrong. afe8cd78 00000000 00000000 00000000 00000000 0x7c90eb94

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, April 17, 2007 3:47 PM by Eric Mueller

I have been using Windows XP professional on my Dell GX-240 for over a year now without any problems. The machine has a ATI Rage 128 Ultra Video card installed. This week my Symantic Internet Security 2005 expired and I unstalled it and began to install Internet Security 2007. During the Symantic Live Update process, not all updates were included and now when the machine is told to shut down, I get the Blue Screen dump and the system reboots. I have gone around in circles with Symantic without a solution. We have confirmed the machine does not have any known viruses, nor is the machine exposed to receiving unknown viruses. My stop code shows Stop 0x1000000a (0x000000b0, 0x00000002, 0x00000000, 0x8050d4da). Please advise. Thanks, Eric

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Wednesday, April 25, 2007 11:59 PM by Ken

Eric,

You need to get the minidump files in c:\windows\minidump and analyze them using WinDBG per my instructions above. The faulting driver should be on the stack.

If you do not feel comfortable doing this, open a support call with Microsoft and have an engineer do this for you.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, April 30, 2007 3:19 AM by Tsvi Mostovicz

I need some help here, I've been having for the past couple of months BsoD's since the end of March. 14 according to the count of minidump files. I've analyzed the last 7 of them. They all seem to be caused by different applications according to !analyze -v. It gives as causes afd, nt, Azureus, Explorer, Firefox, kmixer just to name a few. They all seem to be caused randomly with different causes. The only clue I could find was that in alot of cases the last two or three lines of kb gave the following output: b1968d34 7c90eb94 0000019c 00000238 00000000 nt!KiFastCallEntry+0xf8 WARNING: Frame IP not in any known module. Following frames may be wrong. 011decb8 00000000 00000000 00000000 00000000 0x7c90eb94 b0d4ad34 7c90eb94 000017ac 000016c8 00000000 nt!KiFastCallEntry+0xf8 WARNING: Frame IP not in any known module. Following frames may be wrong. 1120f74c 00000000 00000000 00000000 00000000 0x7c90eb94 b08a3d3c 7c90eb94 01010055 74de0520 00000001 nt!KiFastCallEntry+0xf8 0012b25c 00000000 00000000 00000000 00000000 0x7c90eb94 It seems this address is always there. Does this mean I have memory trouble? Or am I in the wrong direction? I suppose the fact I've had multiple crashes in the past month when each one seems to be caused at different occasions should point me to hardware trouble. Any pointers?

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Wednesday, May 2, 2007 9:37 AM by Ken

Hi Tsvi,

That looks potentially like memory corruption. Either you have a hardware issue (stop overclocking anything, run hardware diagnostics) -or- you have something running in kernel mode that is corrupting memory. What is crashing is the victim (i.e. that's had it's memory corrupted) rather the actual culprit. Typical cause is some code that overflows a buffer (it requests 100bytes of memory, but writes 150 bytes, overwriting some memory belonging to something else).

Try enabling Driver Verifier (verifier.exe). The machine will still BSOD, but at least you'll be able to get a good dump (assuming a software issue) since verifier will catch the culprit when it does something it's not supposed to.

Cheers

Ken

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Friday, May 4, 2007 8:24 AM by Dan

Hi Ken:

Thanks for this very very useful post. Even for a non-tech like me-I could follow your explanation.

I have had random BSODs on my Dell Dimension 9100 with 3 GHz P4HT, 1 GB corsair, Seagate 300Gb SATA HDD, nVidia 256 MB PCIE 7600GS, WinXP MCE 2005, for a long time now-I have run all the hardware diagnostics, memtest, changed my memory (even though the old seemed fine), video card, PSU, HD and reformatted and even dual booted with Vista(which still does random BSODs). Originally, WinDBg indicated usbport.sys and ntkrpamp.exe most of the time. Recently after looking at the processor thermal paste, I put new paste (Arctic silver) on the processor and the heat sink-now it crashes less but still does-now with ntoskrnl and win32 as the main culprits! It seems to be a hardware issue-but except for the mobo-I have replaced practically everything! Can you help me? Here is my latest dump file-[PS- I will be reading Part 3 to see the driver verifier-but the BSODs seem random to me-pointing to perhaps hardware-the machine runs great when it is not crashing :)]

Here's one of the latest dump:

Loading Dump File [C:\WINDOWS\Minidump\Mini050407-02.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

Unable to load image ntoskrnl.exe, Win32 error 2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700

Debug session time: Fri May 4 03:07:47.921 2007 (GMT-5)

System Uptime: 0 days 2:29:42.651

Unable to load image ntoskrnl.exe, Win32 error 2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Loading Kernel Symbols

............................................................................................................................................

Loading User Symbols

Loading unloaded module list

.............

ERROR: FindPlugIns 8007007b

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {addedb40, 2, 0, 892cd0e1}

Probably caused by : ntoskrnl.exe ( nt!ExSnapShotPool+32 )

Followup: MachineOwner

---------

1: kd> !analyze -v

ERROR: FindPlugIns 8007007b

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: addedb40, memory referenced

Arg2: 00000002, IRQL

Arg3: 00000000, value 0 = read operation, 1 = write operation

Arg4: 892cd0e1, address which referenced memory

Debugging Details:

------------------

READ_ADDRESS: addedb40

CURRENT_IRQL: 2

FAULTING_IP:

+ffffffff892cd0e1

892cd0e1 6934894846444f imul esi,dword ptr [ecx+ecx*4],4F444648h

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: Idle

LAST_CONTROL_TRANSFER: from 80545d0c to 892cd0e1

STACK_TEXT:

WARNING: Frame IP not in any known module. Following frames may be wrong.

bacd3cac 80545d0c 892cd230 892cd0e0 887850b0 0x892cd0e1

bacd3d9c 00000000 00000000 00000000 00000000 nt!ExSnapShotPool+0x32

STACK_COMMAND: kb

FOLLOWUP_IP:

nt!ExSnapShotPool+32

80545d0c ?? ???

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!ExSnapShotPool+32

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9d

FAILURE_BUCKET_ID: 0xD1_nt!ExSnapShotPool+32

BUCKET_ID: 0xD1_nt!ExSnapShotPool+32

Followup: MachineOwner

---------

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Friday, May 11, 2007 4:08 AM by Pedro

Hi everyone..I´m having since a couples of weeks BSODs..

They just happened everytime that i want to turn my laptop off, theres the "NET broadcast event windows error"..when i choose the option "end program now" . The error code is always the same "0x0000000a(0x0000f779,0x00000002,0x00000001,0x806e5a8e)"

I tried reinstalling differents versions of windows, but the problem persists.

OK, now i did the thing with the WinDbg, opened the dump file and this is what i get:

1: kd> kb

ChildEBP RetAddr Args to Child

f793bc38 804eee62 f793bc6c f6f0eb16 f793bc60 hal!KeAcquireQueuedSpinLock+0x42

f793bc40 f6f0eb16 f793bc60 846637d8 80545e4c nt!IoAcquireCancelSpinLock+0xe

f793bc6c f6f0f754 026e6f44 846630e0 846630e0 USBPORT!USBPORT_DoneTransfer+0xf6

f793bca4 f6f10f6a 84663028 80545e4c 84663230 USBPORT!USBPORT_FlushDoneTransferList+0x16c

f793bcd0 f6f1efb0 84663028 80545e4c 84663028 USBPORT!USBPORT_DpcWorker+0x224

f793bd0c f6f1f128 84663028 00000001 8055b0a0 USBPORT!USBPORT_IsrDpcWorker+0x37e

f793bd28 805451ff 8466364c 6b755044 00000000 USBPORT!USBPORT_IsrDpc+0x166

f793bd50 805450e4 00000000 0000000e 00000000 nt!KiRetireDpcList+0x61

f793bd54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x28

FOLLOWUP_IP:

USBPORT!USBPORT_DoneTransfer+f6

f6f0eb16 8b7df8 mov edi,dword ptr [ebp-8]

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: USBPORT!USBPORT_DoneTransfer+f6

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: USBPORT

IMAGE_NAME: USBPORT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 41107d62

FAILURE_BUCKET_ID: 0xA_W_USBPORT!USBPORT_DoneTransfer+f6

BUCKET_ID: 0xA_W_USBPORT!USBPORT_DoneTransfer+f6

Followup: MachineOwner

Now the question: Its a hardware problem?? or driver problem? i think that maybe my laptop´s motherboard is faulty....

I must say again, that my Bsods ocurrs only when i try to shutdown my laptop.

Thanks in advance

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Friday, May 11, 2007 3:20 PM by Pedro

Hi...this is my 2nd post...i got BSODs when i try to reboot or shutdown my laptop, the error code is always the same. I dont know whats wrong with my laptop...can anyone help me STACK_COMMAND: kb FOLLOWUP_IP: USBPORT!USBPORT_DoneTransfer+f6 f6f0eb16 8b7df8 mov edi,dword ptr [ebp-8] SYMBOL_STACK_INDEX: 2 SYMBOL_NAME: USBPORT!USBPORT_DoneTransfer+f6 FOLLOWUP_NAME: MachineOwner MODULE_NAME: USBPORT IMAGE_NAME: USBPORT.SYS DEBUG_FLR_IMAGE_TIMESTAMP: 41107d62 FAILURE_BUCKET_ID: 0xA_W_USBPORT!USBPORT_DoneTransfer+f6 BUCKET_ID: 0xA_W_USBPORT!USBPORT_DoneTransfer+f6 STACK_TEXT: f793bc38 804eee62 f793bc6c f6f0eb16 f793bc60 hal!KeAcquireQueuedSpinLock+0x42 f793bc40 f6f0eb16 f793bc60 846637d8 80545e4c nt!IoAcquireCancelSpinLock+0xe f793bc6c f6f0f754 026e6f44 846630e0 846630e0 USBPORT!USBPORT_DoneTransfer+0xf6 f793bca4 f6f10f6a 84663028 80545e4c 84663230 USBPORT!USBPORT_FlushDoneTransferList+0x16c f793bcd0 f6f1efb0 84663028 80545e4c 84663028 USBPORT!USBPORT_DpcWorker+0x224 f793bd0c f6f1f128 84663028 00000001 8055b0a0 USBPORT!USBPORT_IsrDpcWorker+0x37e f793bd28 805451ff 8466364c 6b755044 00000000 USBPORT!USBPORT_IsrDpc+0x166 f793bd50 805450e4 00000000 0000000e 00000000 nt!KiRetireDpcList+0x61 f793bd54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x28 Use !analyze -v to get detailed debugging information. BugCheck 1000000A, {ffdf, 2, 1, 806e5a8e} ***** Kernel symbols are WRONG. Please fix symbols to do analysis. ***** Kernel symbols are WRONG. Please fix symbols to do analysis. Probably caused by : USBPORT.SYS ( USBPORT+ab16 ) The problem is some sort of driver, or hardware...??? I got the same BSOD with differents versions of WIN XP. Thanks in advance

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Saturday, May 12, 2007 7:00 AM by Ken

Hi Dan,

Do all your memory dumps look the same? Or are you getting different stacks each time? The code inside ntoskrnl.exe is pretty much bug free. So what you are seeing is either memory corruption (try Driver Verifier) or hardware problem

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Sunday, May 13, 2007 12:20 AM by Pedri

Hi Ken, well i took a look at my dump files, and the stacks are almost the same..the difference is minimal not entire lines, just numbers, but the 98% i say, its the same. I run memtest and all went fine, so i think its not a memory problem. I tried Driver verifier..and the only thing i got was more bsods and windows didn´t boot, so i tried win in safe mode and disabled verifier.exe and everything seems to be normal again. If my Bsod has the same code everytime.....and the windbg reported that the problem was USBPORT.SYS...its a motherboard problem?? or is anything else? Thanks again

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, May 14, 2007 6:59 AM by Ken

Hi Pedro,

Enable Driver Verifier (for all drivers on your system). The machine will still crash, but your dump file should be better this time. Verifier does a number of things - for example it ensure that drivers can not write more data than the memory they have requested (which prevents buffer overflows that corrupt memory) by using guard pages.

If your machine crashes during boot up, then do this 3-4 times to get 3-4 new dump files. Then disable Verifier via Safe Mode and analyze these 3-4 new dumps. Hopefully you have the culprit.

When you have enabled Verifier, the BSOD codes will be different. When Verifier detects something illegal happening, it has it's own code (e.g. STOP 0x000000C1 SPECIAL_POOL_DETECTED_MEMORY_CORRUPTION)

That tells you that Verifier is catching the culprit in the act.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, May 14, 2007 11:10 AM by Evelyn

I got one BSOD concerning IRQL yesterday, and my stream reads as: WARNING: Stack unwind information not available. Following frames may be wrong. b9172b0c 80585524 00a20000 00010000 00000004 nt+0x9692a b9172d4c 804dd98f 00000005 00a20000 00010000 nt+0xae524 b9172d64 7c90eb94 badb0d00 007be32c b9172d98 nt+0x698f b9172d68 badb0d00 007be32c b9172d98 b9172dcc 0x7c90eb94 b9172d6c 007be32c b9172d98 b9172dcc 00000000 0xbadb0d00 b9172d70 b9172d98 b9172dcc 00000000 00000000 0x7be32c b9172d74 b9172dcc 00000000 00000000 00000000 0xb9172d98 b9172d98 00000000 74290023 000ac970 000f68a0 0xb9172dcc Also, the day before yesterday I had another one (though I'm not sure if it concerned the IRQL), which reads as: WARNING: Stack unwind information not available. Following frames may be wrong. 805535c8 80712bf7 0000009c 00000004 805535f0 nt+0x602a2 805536f4 8070dc52 80042000 00000000 00000000 hal+0x5bf7 00000000 00000000 00000000 00000000 00000000 hal+0xc52 I hope this is enough info for you to help me. Thanks in advance! :)

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Friday, May 18, 2007 12:30 AM by Ken

Hi Evelyn,

Ensure that you have the correct symbols loaded (using .reload command).

If you still see the same output, then you have memory corruption. Enable Driver Verifier to get a proper dump next time.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, May 22, 2007 8:56 AM by Evelyn

I used Driver Verifier as you recommended, and the next time I rebooted my PC I got the following error: DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL 0x000000D5 (0x869D6F3C, 0x00000001, 0xF49A0304, 0x00000000) I had to use Last Known Configuration for my system to boot up correctly. Any ideas?

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Wednesday, May 23, 2007 3:36 AM by Ken

Hi Evelyn,

That means that Driver Verifier caught the faulty driver in the act. You should get the latest dump file, and analyze using WinDBG and that should give you the faulting driver.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Saturday, May 26, 2007 5:39 PM by Jerry

I just wanted to say that this site is very informative and extremely helpful in solving an IRQL error that I have been having. Great job, and please keep it up!

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Thursday, June 21, 2007 1:07 AM by Yuriy

Hallo, I have a problem. Error 0x0000000A appears in Windows 2000 SP4 system and server reboot. I Installed WinDbg and start it when I download dump file and have saw thise massege: Bugcheck code 0000000A Arguments 00000000 00000002 00000001 8044acc9 ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. bfc9d440 00000000 00000000 00000002 00000001 nt+0x6b1ac WaitForEvent failed Compyter have access to the Internet. Then I typed this commands: .symfix .reload kb The result you can see above: 1: kd> .symfix No downstream store given, using C:\Program Files\Debugging Tools for Windows\sym 1: kd> .reload Unable to load image ntoskrnl.exe, Win32 error 2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe Loading Kernel Symbols .......................................................................................... Loading User Symbols Loading unloaded module list ..... 1: kd> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. bfc9d440 00000000 00000000 00000002 00000001 nt+0x6b1ac How can I undestand what is the Problem? Please help me.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Friday, July 6, 2007 9:46 PM by Johny

Hi, I've been getting a BSOD, everytime I either try to shutdown or restart my computer, with the following IRQL message: STOP: 0X0000000A (0X000000B0, 0X00000002, 0x00000000, 0x8052D4DA)....Begin dump of physical memory....Physical memory dump complete... I get the same bugcheck everytime and this has been happening for almost 3 months now. However, when I navigate to the C:\windows\minidump folder, I cannot see any recent dump files. The most recent one is from 2006. I don't believe that this file from 2006 is relevant to the present problem. Since the error message indicated that there was some sort of memory dump performed by the system, I did a search for .dmp files on my PC, only to find the same 2006 dump file. I haven't installed anything new and the Device manager finds all devices OK. Could someone help me please?

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Sunday, July 15, 2007 8:34 PM by J

Hi, I get a BSOD with the following error: stop: 0x0000000a (0x000000b0, 0x00000002, 0x00000000, 0x8052d4da). A portion of the dump: ................... ................................ kb ChildEBP RetAddr Args to Child f2b649d0 8052d4da badb0d00 80560100 f2b64b38 nt!KiTrap0E+0x233 Unable to load image sonypvl3.sys, Win32 error 2 *** WARNING: Unable to verify timestamp for sonypvl3.sys *** ERROR: Module load completed but symbols could not be loaded for sonypvl3.sys f2b64a50 f88c623c 82555d10 f88c52e4 82ee6ec0 nt!IoDetachDevice+0x27 WARNING: Stack unwind information not available. Following frames may be wrong. f2b64a84 f88c52f5 8252d250 82ee6ec0 8252d308 sonypvl3+0x223c f2b64ae0 80508369 83376030 00000000 82ee6e00 sonypvl3+0x12f5 f2b64af8 f854460c 82ee6e00 804d9050 82ee6ec0 nt!IoDeleteDevice+0x7b f2b64b0c f8544706 82ee6ec0 00000008 82555d10 fltmgr!FltpCleanupDeviceObject+0x76 f2b64b28 f8548df3 82555d10 80557fd0 00fe000a fltmgr!FltpDetachFromFileSystemDevice+0x44 f2b64c50 f85491c8 82555d10 00000000 f2b64c7c fltmgr!FltpFsNotificationActual+0x4f f2b64c60 805bad62 82555d10 00000000 fed1c564 fltmgr!FltpFsNotification+0x10 f2b64c7c f2ffcc82 82555d10 f2b64ce8 804e37f7 nt!IoUnregisterFileSystem+0x3f f2b64c88 804e37f7 82555d10 fed1c488 8252d370 Cdfs!CdShutdown+0xe f2b64c98 f88c63d5 8252d508 8335f3a8 00000000 nt!IopfCallDriver+0x31 f2b64ce8 804e37f7 8252d250 fed1c488 fed1c488 sonypvl3+0x23d5 f2b64cf8 f853cfbb 83376030 8252d508 82f30ab0 nt!IopfCallDriver+0x31 f2b64d20 804e37f7 8252d508 fed1c488 82f30ab0 fltmgr!FltpDispatch+0x6f f2b64d30 8065e6df 8055fe90 00000001 00000000 nt!IopfCallDriver+0x31 f2b64d5c 80663504 00000000 80561640 fdf0d020 nt!IoShutdownSystem+0x62 f2b64d74 804e426b 00000000 00000000 fdf0d020 nt!PopGracefulShutdown+0xbe f2b64dac 8057d0f1 00000000 00000000 00000000 nt!ExpWorkerThread+0x100 f2b64ddc 804f827a 804e4196 80000000 00000000 nt!PspSystemThreadStartup+0x34 ............................... It appears that sonypvl3.sys is causing the problem. However, this driver doesn't seem to be installed anywhere - Device Manager, Program Files.. Could someone help please?

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, July 16, 2007 6:59 AM by Ken

Hi,

I would suggest that there is a bug in sonypvl3.sys (which apparently is a driver associated with Sony DVD Handycams).

You would probably find that file in c:\windows\system32\drivers

The driver startup state would be set in the registry in HKLM\System\CurrentControlset\Control (or \Services if it's loaded by a service)

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Saturday, September 8, 2007 11:39 PM by Daniel

Another long bugcheck thing..

I get bluescreens all the time.

And this is on a brand new computer.

it's driving me nuts.

Help is greatly appreciated...

Microsoft (R) Windows Debugger Version 6.7.0005.1

Loading Dump File [C:\WINDOWS\Minidump\Mini090907-05.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700

Debug session time: Sun Sep 9 04:10:39.156 2007 (GMT+2)

System Uptime: 0 days 0:10:52.921

Unable to load image ntoskrnl.exe, Win32 error 0n2

*** WARNING: Unable to verify timestamp for ntoskrnl.exe

Loading Kernel Symbols

............................................................................................................................................................

Loading User Symbols

Loading unloaded module list

..........

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {20202024, 2, 0, 8053501b}

Unable to load image Ntfs.sys, Win32 error 0n2

*** WARNING: Unable to verify timestamp for Ntfs.sys

Unable to load image fltMgr.sys, Win32 error 0n2

*** WARNING: Unable to verify timestamp for fltMgr.sys

Probably caused by : ntoskrnl.exe ( nt!KiEmulateAtlThunk+142 )

Followup: MachineOwner

---------

0: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If a kernel debugger is available get the stack backtrace.

Arguments:

Arg1: 20202024, memory referenced

Arg2: 00000002, IRQL

Arg3: 00000000, bitfield :

bit 0 : value 0 = read operation, 1 = write operation

bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)

Arg4: 8053501b, address which referenced memory

Debugging Details:

------------------

READ_ADDRESS: 20202024

CURRENT_IRQL: 2

FAULTING_IP:

nt!KiEmulateAtlThunk+142

8053501b 8b4104 mov eax,dword ptr [ecx+4]

CUSTOMER_CRASH_COUNT: 5

DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: iexplore.exe

LAST_CONTROL_TRANSFER: from 805354bd to 8053501b

STACK_TEXT:

b5474ab4 805354bd b5474acc b5474c04 e30600d0 nt!KiEmulateAtlThunk+0x142

b5474ad8 ba5f5017 88d666d0 00000001 029cef18 nt!MiTrimWorkingSet+0x86

b5474c30 ba676e93 883cfba8 00000001 029cef18 Ntfs!NtfsOpenAttributeCheck+0x193

b5474c58 ba682b32 00000005 00000000 b5474c8c fltMgr!FltGetIrpName+0x23

b5474cac 80579a82 883cfba8 00000001 029cef18 fltMgr!FltpFastIoLock+0x17a

b5474d48 8054086c 00001244 029cef30 029cef18 nt!SepDuplicateToken+0x2b8

b5474d64 7c90eb94 badb0d00 029cef04 b53e0d98 nt!RtlIpv4StringToAddressExA+0x149

WARNING: Frame IP not in any known module. Following frames may be wrong.

b5474d78 00000000 00000000 00000000 00000000 0x7c90eb94

STACK_COMMAND: kb

FOLLOWUP_IP:

nt!KiEmulateAtlThunk+142

8053501b 8b4104 mov eax,dword ptr [ecx+4]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9d

SYMBOL_NAME: nt!KiEmulateAtlThunk+142

FAILURE_BUCKET_ID: 0xA_nt!KiEmulateAtlThunk+142

BUCKET_ID: 0xA_nt!KiEmulateAtlThunk+142

Followup: MachineOwner

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Sunday, September 9, 2007 10:37 PM by Ken

Daniel.

You may have a memory corruption issue here. What happens if you enable Driver Verifier (verifier.exe)?

You'll still get a BSOD, but it should catch the faulting driver, rather than something else that's just being stomped on.

Cheers

Ken

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, November 5, 2007 8:49 AM by Snowflake

Hello. I'm getting a BSOD that reads 0x0000000A (0xE4051008, 0x00000002, 0x00000000, 0x804DB548). My mini crush dump was: 0: kd> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. ba60f968 87c2ade0 87c2afdc 00000000 00000000 bdfsdrv+0x1c94 ba60f99c b96b6b39 84aecb48 84cd23d0 84b28000 0x87c2ade0 ba60fa00 804e13d9 84b28000 87c2ade0 80702428 bdfsdrv+0xb39 ba60fa34 8057ddc2 848fad70 85bfc4a8 ba60fc04 nt+0xa3d9 ba60fb14 8057d1b5 84cd2318 00000000 84ae70b8 nt+0xa6dc2 ba60fb4c 80571ef1 848fad70 00000000 84ae70b8 nt+0xa61b5 ba60fbc4 8056f2a8 000002a0 ba60fc04 00000040 nt+0x9aef1 ba60fc18 8057e41e 00000000 00000000 fde6bc01 nt+0x982a8 ba60fc94 8057e4ed 02fdf324 00100080 02fdf30c nt+0xa741e ba60fcf0 8057e530 02fdf324 00100080 02fdf30c nt+0xa74ed ba60fd30 804dd99f 02fdf324 00100080 02fdf30c nt+0xa7530 ba60fd64 7c90eb94 badb0d00 02fde690 849add00 nt+0x699f *** WARNING: Unable to verify timestamp for DefragFS.sys *** ERROR: Module load completed but symbols could not be loaded for DefragFS.sys ba60fd68 badb0d00 02fde690 849add00 00000000 0x7c90eb94 ba60fd6c 02fde690 849add00 00000000 00000000 DefragFS+0xbd00 ba60fd70 849add00 00000000 00000000 00000000 0x2fde690 ba60fd74 00000000 00000000 00000000 00000000 0x849add00 Any ideas to help me? Thanks in advance!

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Thursday, November 8, 2007 10:38 PM by Ken

Hi Snowflake,

You need to fix your symbols first (using .symfix and .reload). Ensure that you have an internet connection when you do this.

However it looks like the bug is in bdfsdrv.sys - which is part of BitDefender AV -or- DefragFS.sys which is part of Partition Magic.

But fix your symbols first and rerun the !analyze -v command

Cheers

Ken

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Sunday, January 27, 2008 6:06 AM by EagleOne

Hi i am having a problem with blue screen of death 0x0000000a (16,2,0,0x804e4694) the info below is what i got off the dump please help me.

Thank you for ur time

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86

Loading Dump File [C:\WINDOWS\MEMORY.DMP]

Kernel Complete Dump File: Full address space is available

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

**************************************************************************

THIS DUMP FILE IS PARTIALLY CORRUPT.

KdDebuggerDataBlock is not present or unreadable.

**************************************************************************

Unable to read PsLoadedModuleList

**************************************************************************

THIS DUMP FILE IS PARTIALLY CORRUPT.

KdDebuggerDataBlock is not present or unreadable.

**************************************************************************

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Wednesday, January 30, 2008 7:24 AM by Ken

Hi EagleOne,

Your dump file is corrupt. You may wish to check the minidump file in c:\windows\minidump, and see if that smaller file is OK

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Friday, February 1, 2008 12:38 PM by Greg

This will probably sound odd, but I have searched in all the folders on my C:\ drive and cannot find the dump files to point Debugger to. The box is checked on "write an event. . ." under Startup and Recovery. What am I missing?

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Friday, February 1, 2008 8:17 PM by I see you are busy, but.............

I have a system that appears to be getting worse. I have 6 logs in the debugging, five of which are: Loading Dump File [C:\WINDOWS\Minidump\Mini020108-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRV**http://msdl.microsoft.com/download/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible Product: WinNt Built by: 2600.xpsp_sp2_gdr.070227-2254 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700 Debug session time: Fri Feb 1 06:44:44.906 2008 (GMT-7) System Uptime: 0 days 6:53:07.664 Loading Kernel Symbols ...................................................... Loading User Symbols Loading unloaded module list ................. ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck A, {10000004, 1c, 1, 8053fd19} Probably caused by : ntkrpamp.exe ( nt!KeReleaseQueuedSpinLockFromDpcLevel+1d ) Followup: MachineOwner I also have one dump that states that memory is corrupt. ANY help would be greatly appreciated!

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Wednesday, February 13, 2008 6:20 AM by Ken

Hi " I see you are busy, but",

I like your name. Please run the commands indicated in the blog post (.symfix .reload and then !analyze -v) to see if we can get useful information from the dump file.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Monday, March 10, 2008 8:09 PM by lee

hi. i'm trying to fix my pc. can't re-format or boot in safe drive. i think it's a hardware issue but don't know where to start. error is 0x0000000A (0x000A0008, 0x00000002, 0x00000001, 0x0x8081c652) Please help if you can. X

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, March 11, 2008 8:04 PM by Matt

Hi, I am unable to boot without BSOD. Ive spent a few days trying to troubleshoot hardware. Brief History: Replaced MB about 6 months ago due to a USB cable short. Two nights ago my girlfriend was DL Pronto chat client for school and the PC rebooted during install. PC started restart loop. I Was able to keep it in safe mode all day yesterday updating video drivers and trying to remove pronto. After driver updates I turned off auto restart, and now it blue screens every time. All BSOD's have been different (about 6) before i turned off auto restart I grabbed a couple mini dumps. 1st one references "pronto.exe" the other 4 reference "idle" I have 4 more from the 4 following boots. Microsoft (R) Windows Debugger Version 6.8.0004.0 X86 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [F:\Dumps\Mini030908-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: C:\WINDOWS\Symbols Executable search path is: Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Kernel base = 0x804d7000 PsLoadedModuleList = 0x805533a0 Debug session time: Sun Mar 9 19:09:32.526 2008 (GMT-5) System Uptime: 6 days 1:25:15.350 Unable to load image ntoskrnl.exe, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe Loading Kernel Symbols ................................................................................................................................................. Loading User Symbols Loading unloaded module list .................................................. Unable to load image P17.sys, Win32 error 0n2 *** WARNING: Unable to verify timestamp for P17.sys *** ERROR: Module load completed but symbols could not be loaded for P17.sys ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 100000D1, {28, 8, 0, f576828d} *** WARNING: Unable to verify timestamp for portcls.sys Probably caused by : P17.sys ( P17+2028d ) Followup: MachineOwner --------- kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If kernel debugger is available get stack backtrace. Arguments: Arg1: 00000028, memory referenced Arg2: 00000008, IRQL Arg3: 00000000, value 0 = read operation, 1 = write operation Arg4: f576828d, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: 00000028 CURRENT_IRQL: 8 FAULTING_IP: P17+2028d f576828d 8b4128 mov eax,dword ptr [ecx+28h] CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xD1 PROCESS_NAME: pronto.exe LAST_CONTROL_TRANSFER: from f577136a to f576828d STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. f79fff14 f577136a 000000d8 859e0030 8460b008 P17+0x2028d f79fff2c f5766d5a 000006c0 85a638ac f574ecd3 P17+0x2936a f79fff58 f574ed36 000000d8 8053be90 00000000 P17+0x1ed5a f79fff74 f574ed8c 00000e80 84f026b0 f572b716 P17+0x6d36 f79fffb8 f5725497 84f026b0 806d02e7 ffdff000 P17+0x6d8c f79fffd0 80540f7d 8673da18 8673da08 00000000 portcls!CServiceGroup::ServiceDpc+0x2a ffdff980 00000000 f7a00000 04167a01 00000000 nt!RtlIpv4StringToAddressExW+0x146 STACK_COMMAND: kb FOLLOWUP_IP: P17+2028d f576828d 8b4128 mov eax,dword ptr [ecx+28h] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: P17+2028d FOLLOWUP_NAME: MachineOwner MODULE_NAME: P17 IMAGE_NAME: P17.sys DEBUG_FLR_IMAGE_TIMESTAMP: 40c0327f FAILURE_BUCKET_ID: 0xD1_P17+2028d BUCKET_ID: 0xD1_P17+2028d Followup: MachineOwner ---------

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, March 18, 2008 5:04 AM by Ken

Hi Matt,

Appears to be an issue in your Sound Blaster Live drivers

Cheers

Ken

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, March 18, 2008 5:05 AM by Ken

Hi Lee,

Please run the command indicated to get an analysis of your dump file.

Thanks

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Saturday, March 29, 2008 8:40 PM by Jay

I keep getting blue screen with 0x0000000A Here is what came up from the dump: Microsoft (R) Windows Debugger Version 6.6.0007.5 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini032908-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp_sp2_gdr.070227-2254 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700 Debug session time: Sat Mar 29 21:58:21.484 2008 (GMT+0) System Uptime: 0 days 0:25:08.180 Loading Kernel Symbols ............................................................................................................................ Loading User Symbols Loading unloaded module list .................. ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 1000000A, {100008, 2, 0, 804e8178} Probably caused by : ntkrpamp.exe ( nt!CcUnmapVacbArray+b0 ) Followup: MachineOwner --------- 0: kd> .reload Loading Kernel Symbols ............................................................................................................................ Loading User Symbols Loading unloaded module list .................. 0: kd> kb ChildEBP RetAddr Args to Child ba4e7acc 804e51ec 00000000 00000000 8943406c nt!CcUnmapVacbArray+0xb0 ba4e7ae8 804e54a7 89434008 89d32478 89434008 nt!CcUnmapAndPurge+0x20 ba4e7b18 804e5c07 00000000 e4492970 89d32478 nt!CcDeleteSharedCacheMap+0xc5 ba4e7b34 b9e84c35 00000000 00000000 00000000 nt!CcUninitializeCacheMap+0x12d ba4e7b58 b9e82c1b e4492970 00000000 00000000 Ntfs!NtfsDeleteInternalAttributeStream+0x98 ba4e7b74 b9e5d800 894a5008 e4492970 00000000 Ntfs!NtfsRemoveScb+0x77 ba4e7b90 b9e61550 894a5008 e44928a8 00000000 Ntfs!NtfsPrepareFcbForRemoval+0x52 ba4e7be0 b9e82c7c 894a5008 8a468100 e3a2fcc8 Ntfs!NtfsTeardownFromLcb+0x2bc ba4e7c38 b9e5d7b0 894a5008 e3a2fd90 e3a2ff28 Ntfs!NtfsTeardownStructures+0x125 ba4e7c64 b9e804b5 894a5008 01a2fd90 e3a2ff28 Ntfs!NtfsDecrementCloseCounts+0x9e ba4e7ce8 b9e853e3 894a5008 e3a2fd90 e3a2fcc8 Ntfs!NtfsCommonClose+0x397 ba4e7d7c 805379bd 00000000 00000000 8a5385b8 Ntfs!NtfsFspClose+0xe3 ba4e7dac 805ce84c 00000000 00000000 00000000 nt!ExpWorkerThread+0xef ba4e7ddc 8054532e 805378ce 00000000 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 I also got before i done the symbols thing that it may be ntoskrnl.exe ( nt+2b1b4 )

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Saturday, March 29, 2008 8:44 PM by Jay

Also not sure if i done the symbols thing properly, i clicked file then symbol path and put SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols also got this, which memory is corrupt. Microsoft (R) Windows Debugger Version 6.6.0007.5 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini032808-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp_sp2_gdr.070227-2254 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700 Debug session time: Fri Mar 28 01:35:00.593 2008 (GMT+0) System Uptime: 0 days 3:37:22.157 Loading Kernel Symbols ................................................................................................................................ Loading User Symbols Loading unloaded module list ......................... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 1A, {41284, d0f32001, 24a2, c0e00000} Probably caused by : memory_corruption ( nt!MiLocateWsle+c1 ) Followup: MachineOwner --------- 0: kd> kb ChildEBP RetAddr Args to Child bacebbec 805225e5 0000001a 00041284 d0f32001 nt!KeBugCheckEx+0x1b bacebc24 8051a560 000024a2 89651008 8a527c20 nt!MiLocateWsle+0xc1 bacebc68 805699cc d0f32000 00aeef38 00000000 nt!MmUnmapViewInSystemCache+0xd6 bacebc80 804e81ad 8a527c20 89651008 00000000 nt!CcUnmapVacb+0x2a bacebcb0 804e51ec 00000000 00000000 8965106c nt!CcUnmapVacbArray+0xe5 bacebccc 804e54a7 89651008 806e4a4c 89651008 nt!CcUnmapAndPurge+0x20 bacebcfc 804e4aa9 00000001 80558690 899ae268 nt!CcDeleteSharedCacheMap+0xc5 bacebd34 804e7081 8a536298 80563720 8a538340 nt!CcWriteBehind+0x357 bacebd7c 805379bd 8a536298 00000000 8a538340 nt!CcWorkerThread+0x12f bacebdac 805ce84c 8a536298 00000000 00000000 nt!ExpWorkerThread+0xef bacebddc 8054532e 805378ce 00000000 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Sunday, March 30, 2008 9:07 PM by Jay

Hey ran the analysis: Microsoft (R) Windows Debugger Version 6.6.0007.5 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini033008-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp_sp2_gdr.070227-2254 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700 Debug session time: Sun Mar 30 21:03:41.328 2008 (GMT+1) System Uptime: 0 days 1:50:40.045 Loading Kernel Symbols ....................................................................................................................... Loading User Symbols Loading unloaded module list ............................ ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 1A, {41284, d0f90001, a76a, c0e00000} Probably caused by : memory_corruption ( nt!MiLocateWsle+c1 ) Followup: MachineOwner --------- 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* MEMORY_MANAGEMENT (1a) # Any other values for parameter 1 must be individually examined. Arguments: Arg1: 00041284, A PTE or the working set list is corrupt. Arg2: d0f90001 Arg3: 0000a76a Arg4: c0e00000 Debugging Details: ------------------ BUGCHECK_STR: 0x1a_41284 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT PROCESS_NAME: fssm32.exe LAST_CONTROL_TRANSFER: from 805225e5 to 804f9deb STACK_TEXT: a54878e0 805225e5 0000001a 00041284 d0f90001 nt!KeBugCheckEx+0x1b a5487918 8051a560 0000a76a 891f0d10 8a3f21d0 nt!MiLocateWsle+0xc1 a548795c 805699cc d0f90000 00015c28 00000000 nt!MmUnmapViewInSystemCache+0xd6 a5487974 804e853e 8a3f21d0 8a3883b8 00000000 nt!CcUnmapVacb+0x2a a54879ec 804e8837 891f0d10 00000000 00000000 nt!CcGetVacbMiss+0x246 a5487a14 805682c4 001f0d10 00000000 00000000 nt!CcGetVirtualAddress+0x83 a5487aac b9e5e368 89c106a0 a5487b60 00001000 nt!CcCopyRead+0x2be a5487b88 b9e5e016 8929d7a0 88d5c0c8 00000001 Ntfs!NtfsCommonRead+0xcc2 a5487c28 804ef095 8a389360 88d5c0c8 8a34ca80 Ntfs!NtfsFsdRead+0x22d a5487c38 b9eff459 a5487c7c 804ef095 8a389c10 nt!IopfCallDriver+0x31 a5487c40 804ef095 8a389c10 88d5c0c8 88d5c0c8 sr!SrPassThrough+0x31 a5487c50 b9f1509e 88d5c0c8 8a3bf918 8a23aa18 nt!IopfCallDriver+0x31 a5487c7c 804ef095 8a26e570 88d5c0c8 806e4410 fltMgr!FltpDispatch+0x152 a5487c8c 8057e70a 88d5c27c 88d5c0c8 89c106a0 nt!IopfCallDriver+0x31 a5487ca0 8057b7eb 8a26e570 88d5c0c8 89c106a0 nt!IopSynchronousServiceTail+0x60 a5487d38 8054086c 00000124 00000000 00000000 nt!NtReadFile+0x55d a5487d38 7c90eb94 00000124 00000000 00000000 nt!KiFastCallEntry+0xfc WARNING: Frame IP not in any known module. Following frames may be wrong. 00f7f364 00000000 00000000 00000000 00000000 0x7c90eb94 STACK_COMMAND: kb FOLLOWUP_IP: nt!MiLocateWsle+c1 805225e5 2b45f0 sub eax,dword ptr [ebp-10h] SYMBOL_STACK_INDEX: 1 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9d SYMBOL_NAME: nt!MiLocateWsle+c1 IMAGE_NAME: memory_corruption FAILURE_BUCKET_ID: 0x1a_41284_nt!MiLocateWsle+c1 BUCKET_ID: 0x1a_41284_nt!MiLocateWsle+c1 Followup: MachineOwner --------- Microsoft (R) Windows Debugger Version 6.6.0007.5 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\Mini032908-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/download/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 2) MP (2 procs) Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp_sp2_gdr.070227-2254 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055c700 Debug session time: Sat Mar 29 22:58:21.484 2008 (GMT+1) System Uptime: 0 days 0:25:08.180 Loading Kernel Symbols ............................................................................................................................ Loading User Symbols Loading unloaded module list .................. ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 1000000A, {100008, 2, 0, 804e8178} Probably caused by : ntkrpamp.exe ( nt!CcUnmapVacbArray+b0 ) Followup: MachineOwner --------- 0: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: 00100008, memory referenced Arg2: 00000002, IRQL Arg3: 00000000, value 0 = read operation, 1 = write operation Arg4: 804e8178, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: 00100008 CURRENT_IRQL: 2 FAULTING_IP: nt!CcUnmapVacbArray+b0 804e8178 66837e0800 cmp word ptr [esi+8],0 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xA PROCESS_NAME: System LAST_CONTROL_TRANSFER: from 804e51ec to 804e8178 STACK_TEXT: ba4e7acc 804e51ec 00000000 00000000 8943406c nt!CcUnmapVacbArray+0xb0 ba4e7ae8 804e54a7 89434008 89d32478 89434008 nt!CcUnmapAndPurge+0x20 ba4e7b18 804e5c07 00000000 e4492970 89d32478 nt!CcDeleteSharedCacheMap+0xc5 ba4e7b34 b9e84c35 00000000 00000000 00000000 nt!CcUninitializeCacheMap+0x12d ba4e7b58 b9e82c1b e4492970 00000000 00000000 Ntfs!NtfsDeleteInternalAttributeStream+0x98 ba4e7b74 b9e5d800 894a5008 e4492970 00000000 Ntfs!NtfsRemoveScb+0x77 ba4e7b90 b9e61550 894a5008 e44928a8 00000000 Ntfs!NtfsPrepareFcbForRemoval+0x52 ba4e7be0 b9e82c7c 894a5008 8a468100 e3a2fcc8 Ntfs!NtfsTeardownFromLcb+0x2bc ba4e7c38 b9e5d7b0 894a5008 e3a2fd90 e3a2ff28 Ntfs!NtfsTeardownStructures+0x125 ba4e7c64 b9e804b5 894a5008 01a2fd90 e3a2ff28 Ntfs!NtfsDecrementCloseCounts+0x9e ba4e7ce8 b9e853e3 894a5008 e3a2fd90 e3a2fcc8 Ntfs!NtfsCommonClose+0x397 ba4e7d7c 805379bd 00000000 00000000 8a5385b8 Ntfs!NtfsFspClose+0xe3 ba4e7dac 805ce84c 00000000 00000000 00000000 nt!ExpWorkerThread+0xef ba4e7ddc 8054532e 805378ce 00000000 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 STACK_COMMAND: kb FOLLOWUP_IP: nt!CcUnmapVacbArray+b0 804e8178 66837e0800 cmp word ptr [esi+8],0 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!CcUnmapVacbArray+b0 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntkrpamp.exe DEBUG_FLR_IMAGE_TIMESTAMP: 45e53f9d FAILURE_BUCKET_ID: 0xA_nt!CcUnmapVacbArray+b0 BUCKET_ID: 0xA_nt!CcUnmapVacbArray+b0 Followup: MachineOwner --------- there are some of the logs all recent

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Thursday, May 1, 2008 5:14 PM by joe

hi, i just found this page. it's the only place i can find with any meaningful info about how to troubleshoot repeated BSOD crashes. background info: i built this pc (asus p5w mobo) about 18 months ago, haven't had any BSOD problems with it. had a virus or something a week ago (explorer.exe crashing every few seconds) and decided to reinstall xp. everything went fine but a game i play a lot (battlefield 2142) gives me either a CTD or BSOD about 1 minute after i start playing, every time. it's not consistent - sometimes i'll get 3 CTD in a row, then a driver_irql STOP then an irql_ STOP. anyway i have followed the instructions here and the dump points to usbuhci.sys. the usbuhci.sys file in my system32/drivers folder was installed with SP3 and i was getting the same error with SP2. this never happened in the previous xp install i ran for 18 months. i already tried reinstalling xp twice (this is my 3rd reinstall this week) and i can't get past a couple minutes in the game. what are my next steps?

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Thursday, August 7, 2008 1:00 PM by Chad

Hello I am trying to reinstall windows xp sp2 on my computer and every time it gives me an BSOD.... It ranges from IRQL to some type of POOL HEADER and page fault in nonpaged area.... I have tried using a new HD, New IDE cables, unplugged all extra components to the computer, tried to replace the ram... and I have tried to use a new power supply trying process of elimination but it seems to not be working.... The most often error BSOD I am getting is the IRQL 0xA I know it has to be something I am overlooking.... got any ideas... I am hoing it isn't the processor or the MB... Thanks for the help.....

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Wednesday, August 13, 2008 12:54 PM by robert w

Hi Ken, i need your help!! i get similar BSOD error message as follows - stop:0x0000000a (0xf96860b0,0x00000002,0x00000001,0x804d9bba) i can only get into safe mode on that comp so cannot download the win_debugger...any advice would be most appreciated...my knowledge of computers is very average. my email is raw181@hotmail.com if u can assist. thanks u kindly. Robert

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Saturday, September 13, 2008 11:56 AM by Miles32

...Well, does anyone know how to debug my dad's laptop if you can't even boot into Safe Mode? I get IRQL_NOT_LESS_OR_EQUAL at the exact moment you would expect Windows to boot. No safe mode, no last known config, no Windows. Only the power-on BIOS screen works. As soon as Windows tries to boot, blue screen. Is he pretty much effed or is there some way to debug it?

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Tuesday, September 16, 2008 1:21 PM by Lvstigers

Is this board still active? I could use some help with fixing my BSOD.

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Saturday, September 20, 2008 7:12 AM by Ken

Hi,

I only review old posts infrequently. I would suggest an actual forum (rather than a blog if you require assistance).

Cheers

Ken

# Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 3

Sunday, May 1, 2011 12:57 AM by Ken Schaefer

Sometimes when looking at your dump files, the actual cause isn't possible to determine due to issues

New Comments to this post are disabled

Ken Schaefer

Tags

Archives

Blogs Worth Reading

Navigation

Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

Comments

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 3

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# re: Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 2

# Causes, and tips for debugging, a STOP 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) bugcheck/blue screen - Part 3