Windows 7 Brand new machine, unexpected shutdowns

Here is the analysis I got which is the signature for Zone Alarm causing problems in the telecommunication stack.

Code:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Frank\AppData\Local\Temp\Rar$DI00.985\071510-31933-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02c03000 PsLoadedModuleList = 0xfffff800`02e40e50
Debug session time: Thu Jul 15 13:35:01.945 2010 (UTC - 4:00)
System Uptime: 0 days 1:47:12.553
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7F, {8, 80050033, 6f8, fffff80002c3be58}

Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b2 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050033
Arg3: 00000000000006f8
Arg4: fffff80002c3be58

Debugging Details:
------------------


BUGCHECK_STR:  0x7f_8

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff80002c72b69 to fffff80002c73600

STACK_TEXT:  
fffff800`00ba4d28 fffff800`02c72b69 : 00000000`0000007f 00000000`00000008 00000000`80050033 00000000`000006f8 : nt!KeBugCheckEx
fffff800`00ba4d30 fffff800`02c71032 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff800`00ba4e70 fffff800`02c3be58 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb2
fffff880`077e1be0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!SeAccessCheckFromState+0x58


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!KiDoubleFaultAbort+b2
fffff800`02c71032 90              nop

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  nt!KiDoubleFaultAbort+b2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4b88cfeb

FAILURE_BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+b2

BUCKET_ID:  X64_0x7f_8_nt!KiDoubleFaultAbort+b2

Followup: MachineOwner
---------

Simply, no. There is no ZA reference in any of that, specifically. What the heck is a telecommunications stack anyhow?

There is not even a tcp/ip reference.
 
That warning message just means that the symbol table for the module could not be found on the Microsoft symbol server. Probably because you are using an outdated version of Windbg. It does not mean that the driver is causing a problem. It is an Avira minifilter driver and is not causing a problem.

No, when it shows a warning like that, you'd best believe there is a problem with the particular software. And btw, Microsoft does not house symbols for 3rd party software.
 
It does not show up as a warning in the newest version of Windbg if you look at the dump I posted so you are wrong. Using an outdated version of Windbg will only cause more problems.

You are also wrong that Microsoft does not keep symbols for third party drivers because if that were true you would have every third party driver that is loaded giving you that warning message. Where do you think it got the symbols for all the other third party drivers? I'm afraid you just don't understand what a symbol table is. There is a symbol table for every driver, otherwise you would not know where it is loaded into memory and version and timestamp information.

An executable module does not need a symbol table to execute. It is only needed to debug the module. So just because there was no symbol table that does not mean there is a problem with the driver.
 
Please stop with the disinformation. Open your symbol cache on your local pc. Do you see any vsdatant.sys? Do you see any ati video drivers? Do you see any NVIDIA video drivers? etc...on and on and on

Every driver/symbol is Microsoft's only.

You're wrong AGAIN!
 
Where do you think Microsoft gets the symbol table for third party software then? The only place is on the symbol server. It may be that Microsoft only puts its symbols in your cache because of copyright restrictions. They could be sued by the third party developers for disclosing this information. I am not wrong on any count here. You need to take a course in compiler construction before opening your mouth.
 
To answer your question about the telecommunication stack: it is the stack that is used in the part of the kernel that is responsible for input/output over a telecommunications line.
 
No idea what's going on fellas, but I thought I may as well uninstall ZoneAlarm for a day and see what happens. I'm guessing it's not the issue, based on what's being said, but I have nothing else to go on at present. I'm wondering if it's a faulty memory stick. I may run memtest.
 
No, it's not faulty memory because every crash has been exactly and precisely the same. That means that some specific driver has been the cause.

ZA very well could be the issue, like I've been saying...along with Avira that could also possibly be the issue.

Removal of both should definitely sort the problem.
 
Avira is not the issue here. These people are using an outdated version of Windbg. This will only cause more problems going forward with these guys. Microsoft has buried the newest versions of Windbg in another software package. Probably in an attempt to derail these guys from their comedy of errors and misinformation, hehe.

The warning message about Avira just means that no symbols were found on the symbol server. I cannot believe that these guys have been doing this for years and are not aware of that.

You can see what I mean about a fraternity (the less you know the more you are accepted). It is a downright shame what these people do. They will not accept constructive criticism and try to bend the facts. I know for a fact that Torrentg was banned from another forum (techsupportforum) for the misinformation that he bandied about.

Edit:

And he still continues to do that here.
 
This is the last time I'm even going to address you on the public forum.

For one, I'm using 6.12.0002.633 X86 since its day of release. Other than that, using an older version of WinDBG has no ill effect.

Some of the things you've said in this thread alone are laughable, such as Microsoft being sued if they placed symbols of third parties. That's just not how it works. The minidump gets its information directly from the 3rd party drivers on the system itself. Have you ever tried to read a minidump when not connected to the net? Didn't think so.

A certain member of TSF is two-faced. I will not post any names as I feel it would not be in my best interest to do so.
 
You have just contradicted yourself. You said that the minidump gets its information from the system itself and then said have you ever tried to read a minidump when not connected to the internet.

Of course, you cannot read a minidump without being connected to the internet because all symbol tables for Microsoft and third party drivers are on the Microsoft symbol server on the internet, hehe.

Disclosing information about third party software is very much a concern of Microsoft because competitors in the software industry would like no better than to mimic industry standards. This can lead to a lawsuit against Microsoft for disclosing the information in the first place.

I stand by every statement I have made in this thread. What is laughable is your attempts to resolve minidumps which are not resolvable 80% to 90% of the time.

From what I have seen, it is no wonder you were banned from that forum. And your rantings and ravings about how great you were did not help the matter either. To me a 10% - 20% rate of success is not considered great even in baseball, hehe.
 
While probably nobody out there enjoys a good argument more than me, it seems that most of this thread hasn’t done much in the way of actually helping the OP.

While arguing back and forth about the symbol tables used by the debugger and what may or may not be contained in them is interesting and perhaps informative, perhaps using the private message utility of this forum may be a better place to resolve the I’m right, no I’m right discussion.

I know personally that I have a great deal of respect for both Captain Jack and TorrentG and their respective abilities to assist various members with a wide range of issues (I’ve seen their work here as well as other forum communities). And while I don’t know Webscaper well, since he’s only been a member here for a little over a month, I do see some potential for him becoming a valuable member of this community. However, I do see a bit of arrogance in some of his replies. While arrogance is not necessarily a bad thing, I suspect we all have our share of it because of what we do here, it shouldn’t be allowed to devolve our discourse here into personal attacks.

I’ve never seen much value in critiquing another member’s post, when he is using his personal knowledge and experience in an attempt to assist the OP, unless of course it would obviously lead to some type of catastrophic result for the OP, and even then I would hope my remarks would be cordial and courteous.

I would hope that in the event that any member here has had experience with a particular piece of software that he or she has seen produce similar problems to the issue at hand would chime in, state his or her experience and suggest that I uninstall it. What could possibly be the harm? Generally speaking, software can be uninstalled and reinstalled as many times as you like and if it moves the diagnostic discussion along and only costs a few minutes of your time then I would say give it a go and see if it produces any results, positive or negative. The cleaner the OS is the more potential to chase down the problem.

I think everyone knows that often times, without a glaring report from the debugger, troubleshooting a BSOD is a crap shoot and I sense here just some folks that appreciate at least some potential help and from what I’ve seen and continue to see is other members, generally doing their best to provide that.

Just my .02 cents. Discipline, of course, is up to the discretion of the Admins, but I say, let’s just Rodney King it and try to get along.
 
Hello All,

As webscaper mentioned, I'm not certified or trained by any professionals to do the crash dump analysis. It's just my interest and I learned a little from a lot of threads on different websites. So you could find a lot of flaws in my analysis. I didn't claim I'm the best in this area. What I suggest are the things which used to work for me when I help OPs. We all are helping others without expecting any benefits, just because we enjoy what we do. You can make suggestions about the thread and point out the mistakes I make; I'll be happy to correct them. I really don't appreciate such rude comments.

Thanks,
Captain
 
First of all, I would like to say thank you to Kemical for reversing the ban placed on my account by Torrentg. At least someone appreciates my efforts in trying to help people. I am not here to win any awards as I know others are.

I do not mean to be arrogant, but when everything I say and do is shot down by others, well you see how that can get your dander up.

I have no reason to apologize to anyone since everything in this thread that I have stated is true.

Edit:

I do not need any awards or rewards from this forum. I have received all the rewards and awards in life from my schooling and years of experience on the job.

With that said, I will not post any more in this forum. I do not want to correspond with some of the characters in this forum.

Lastly, I know that the majority of people in this forum are nice people. It's too bad I had to get involved with some of the others.
 
Where do you think Microsoft gets the symbol table for third party software then? The only place is on the symbol server. It may be that Microsoft only puts its symbols in your cache because of copyright restrictions. They could be sued by the third party developers for disclosing this information. I am not wrong on any count here. You need to take a course in compiler construction before opening your mouth.

Here is why this is incorrect. It's good for people in general and aspiring bsod analysts to know what's real and what's not. I'd imagine that the thread is visited by lots of people around the world, from search engines. The information should be accurate because it's a resource.

Here's my thread at MOTUNATION.com showing how I brought attention to a fault with their driver for years:

MOTUNATION • View topic - Traveler driver always bsod

And this is specifically from the crash dump as seen in the thread:

Code:
0: kd> lmvm motufwa
start    end        module name
924e0000  92554000   motufwa  T (no symbols)           
    Loaded symbol  image file: motufwa.sys
    Image path: motufwa.sys
    Image  name: motufwa.sys
    Timestamp:        Mon Mar 08 12:15:33 2010  (4B9530B5)
    CheckSum:         0007B06B
    ImageSize:         00074000
    Translations:     0000.04b0 0000.04e4 0409.04b0  0409.04e4

See how there are no symbols, yet the other information is still available? Microsoft doesn't have 3rd party symbols on their server. The information was pulled from the driver on the system, itself.

It is in the driver listing as well in the thread, like all other drivers:

Code:
924e0000 92554000   motufwa  motufwa.sys  Mon Mar 08 12:15:33 2010  (4B9530B5)

I don't mean any of this personally, of course. We'd be glad to have you around and analyzing crashes if you're still interested in doing so. All I'd really ask is that if you show advice, that you should be sure of it with facts and not speculative thinking. I don't really even intend that as a mod...basically only as another member on the site.
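
Added example, not part of the thread and not WinDbg's own code: the Timestamp, CheckSum and ImageSize lines in the `lmvm` listing above correspond to fields of the driver image's own PE headers (TimeDateStamp, CheckSum, SizeOfImage), which can be read with no symbol file present. The header bytes below are constructed from the values in the motufwa output; the function names and the UTC-5 display offset are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

def build_sample_header():
    """Constructed PE32 header holding the values shown in the lmvm output."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)   # offset of the PE signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0x4B9530B5, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic: PE32
    struct.pack_into("<I", opt, 56, 0x00074000)   # SizeOfImage
    struct.pack_into("<I", opt, 64, 0x0007B06B)   # CheckSum
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def parse_image_header(data):
    """Read the identity fields straight from the PE headers of an image."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        _machine, _nsec, stamp, _symptr, nsyms, opt_size, _chars = \
            struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
        opt = e_lfanew + 24                       # optional header follows COFF
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B) or opt_size < 68:
            raise ValueError("unsupported optional header")
        # SizeOfImage and CheckSum sit at the same offsets in PE32 and PE32+
        (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
        (checksum,) = struct.unpack_from("<I", data, opt + 64)
    except struct.error as exc:
        raise ValueError("truncated header") from exc
    return {"timestamp": stamp, "checksum": checksum,
            "image_size": size_of_image, "coff_symbols": nsyms}

def lmvm_style(info, utc_offset_hours=-5):
    """Format the fields the way the lmvm listing prints them."""
    tz = timezone(timedelta(hours=utc_offset_hours))  # assumed display offset
    when = datetime.fromtimestamp(info["timestamp"], tz)
    return {
        "Timestamp": "%s (%08X)" % (when.strftime("%a %b %d %H:%M:%S %Y"),
                                    info["timestamp"]),
        "CheckSum": "%08X" % info["checksum"],
        "ImageSize": "%08X" % info["image_size"],
    }

if __name__ == "__main__":
    for key, value in lmvm_style(parse_image_header(build_sample_header())).items():
        print("%-10s %s" % (key + ":", value))
```

The hex value in parentheses is the raw TimeDateStamp in seconds since 1970 UTC; the readable date next to it is the same value shifted to the debugger's display time zone.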
 
I stand by my statement that just because there is no symbol table it does not mean that the module is problematic.

I wish you knew more about how executable modules are created and the whole compile, link and execute process. A course in compiler construction would be appropriate as I mentioned before.

An executable module does not need a symbol table to execute successfully. In fact, if one is included with the module it does not even know that it exists. It is only needed if the module crashes and a programmer needs to traverse the module in the dump.

I could compile and link a program creating an executable module without a symbol table and register it with Microsoft through the appropriate channels. The module would be loaded with the same warning messages that no symbols could be loaded and the module would execute successfully with no problems.

We are talking about two separate entities. Does the module have a symbol table? And is there a problem with the module? Both are mutually exclusive.

The example you cited was a case where it had no symbol table and the module had a problem. But the fact that it did not have a symbol table did not play a role in the fact that it had a problem.
 
As far as symbols being incorporated into the executable module, that is news to me. If that is indeed true, Microsoft may have allowed that capability especially for drivers in Windbg. After all they have a server devoted to the symbols in the first place. They may not want third parties messing with their server because the symbols are not necessary for the successful execution of the module.
 
According to the Technet article about Visual Studio, it mentions that we have debugging symbols for third party symbol servers: How to: Use a Symbol Server. I think a few software vendors also have them, like Mozilla and Adobe. Mozilla has a symbol server at Link Removed due to 404 Error for debugging Firefox. Google has a symbol server at Link Removed - Invalid URL for debugging Chrome.

- Captain
 
For anyone interested about my remarks concerning the third party symbol table and why it is not included in the cache of symbols placed on your computer during a debugging session from the Microsoft symbol server, you only need to read this article: Symbol table - Wikipedia, the free encyclopedia.

Take note that it is an integral part to those who participate in reverse engineering of the executable to gain an understanding of the original program. Divulging that information would be a violation of copyright restrictions and subject to a lawsuit.
 