I opened my dumps in WinDbg, and found something is causing csrss.exe to close;
not sure how to identify which driver could be the culprit, any assistance would be greatly appreciated!
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is:
http://msdl.microsoft.com/download/symbols Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`0280a000 PsLoadedModuleList = 0xfffff800`02a4f670
Debug session time: Sat Nov 5 01:27:55.397 2011 (GMT-5)
System Uptime: 0 days 1:48:03.020
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
.......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck F4, {3, fffffa8004fe9280, fffffa8004fe9560, fffff80002b8a8b0}
Probably caused by : csrss.exe
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 0000000000000003, Process
Arg2: fffffa8004fe9280, Terminating object
Arg3: fffffa8004fe9560, Process image file name
Arg4: fffff80002b8a8b0, Explanatory message (ascii)
Debugging Details:
------------------
PROCESS_OBJECT: fffffa8004fe9280
IMAGE_NAME: csrss.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: csrss
FAULTING_MODULE: 0000000000000000
PROCESS_NAME: csrss.exe
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
BUGCHECK_STR: 0xF4_C0000005
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
CURRENT_IRQL: 0
STACK_TEXT:
fffff880`043d00e8 fffff800`02c115e2 : 00000000`000000f4 00000000`00000003 fffffa80`04fe9280 fffffa80`04fe9560 : nt!KeBugCheckEx
fffff880`043d00f0 fffff800`02bbe99b : ffffffff`ffffffff fffffa80`0562fa00 fffffa80`04fe9280 fffffa80`04fe9280 : nt!PspCatchCriticalBreak+0x92
fffff880`043d0130 fffff800`02b3e448 : ffffffff`ffffffff 00000000`00000001 fffffa80`04fe9280 00000000`00000008 : nt! ?? ::NNGAKEGL::`string'+0x176d6
fffff880`043d0180 fffff800`02885ed3 : fffffa80`04fe9280 fffff800`c0000005 fffffa80`0562fa00 00000000`02370a40 : nt!NtTerminateProcess+0xf4
fffff880`043d0200 fffff800`02882470 : fffff800`028d267f fffff880`043d0b78 fffff880`043d08d0 fffff880`043d0c20 : nt!KiSystemServiceCopyEnd+0x13
fffff880`043d0398 fffff800`028d267f : fffff880`043d0b78 fffff880`043d08d0 fffff880`043d0c20 00000000`023715f0 : nt!KiServiceLinkage
fffff880`043d03a0 fffff800`028862c2 : fffff880`043d0b78 00000000`77229c12 fffff880`043d0c20 00000000`023710c8 : nt! ?? ::FNODOBFM::`string'+0x49874
fffff880`043d0a40 fffff800`02884e3a : 00000000`00000001 00000000`02370ff8 00000000`0238e001 00000000`77229c12 : nt!KiExceptionDispatch+0xc2
fffff880`043d0c20 00000000`77229a9b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x23a
00000000`02371000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77229a9b
STACK_COMMAND: kb
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: X64_0xF4_C0000005_IMAGE_csrss.exe
BUCKET_ID: X64_0xF4_C0000005_IMAGE_csrss.exe
Followup: MachineOwner
---------
0: kd> !analyze -show D1
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000000, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: 0000000000000000, address which referenced memory