Microsoft (R) Windows Debugger Version 6.8.0004.0 X86 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\WINDOWS\Minidump\MEMORY050908-2.DMP] Kernel Summary Dump File: Only kernel address space is available Symbol search path is: srv*c:\programfiler\Debugging Tools for Windows\symbols*http://msdl.microsoft.com/downloads/symbols Executable search path is: Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Built by: 2600.xpsp_sp2_gdr.070227-2254 Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a620 Debug session time: Fri May 9 11:13:53.562 2008 (GMT+2) System Uptime: 0 days 0:01:18.140 Loading Kernel Symbols ................................................................................................................................................ Loading User Symbols PEB is paged out (Peb.Ldr = 7ffd600c). Type ".hh dbgerr001" for details Loading unloaded module list ... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck A, {e2afcbe8, 2, 0, 80563ed6} *** ERROR: Module load completed but symbols could not be loaded for nprosec.sys PEB is paged out (Peb.Ldr = 7ffd600c). Type ".hh dbgerr001" for details PEB is paged out (Peb.Ldr = 7ffd600c). Type ".hh dbgerr001" for details Probably caused by : nprosec.sys ( nprosec+dcc ) Followup: MachineOwner --------- kd> !thread THREAD 89cbb640 Cid 03b8.03e8 Teb: 7ffda000 Win32Thread: 00000000 RUNNING on processor 0 Impersonation token: e10e7a68 (Level Impersonation) DeviceMap e232f110 Owning Process 89e626d0 Image: svchost.exe Wait Start TickCount 5001 Ticks: 0 Context Switch Count 29 UserTime 00:00:00.015 KernelTime 00:00:00.015 Win32 Start Address 0x00001996 LPC Server thread working on message Id 1996 Start Address 0x7c810659 Stack Init b741c000 Current b741b928 Base b741c000 Limit b7419000 Call 0 Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0 ChildEBP RetAddr Args to Child b741bb24 80563ed6 badb0d00 00000334 00000032 nt!KiTrap0E+0x233 (FPO: [0,0] TrapFrame @ b741bb24) b741bb98 80563f25 e2afcbb0 00000334 89cbb640 nt!ExpLookupHandleTableEntry+0x15 (FPO: [Non-Fpo]) b741bbbc 80563fa8 e2afcbb0 00000334 00000000 nt!ExMapHandleToPointerEx+0x21 (FPO: [Non-Fpo]) b741bbe4 f7797dcc 00000334 00000000 00000000 nt!ObReferenceObjectByHandle+0x12e (FPO: [Non-Fpo]) WARNING: Stack unwind information not available. Following frames may be wrong. b741bc08 f77980d6 007aefc8 b741bd64 007aec10 nprosec+0xdcc b741bd08 f779909d 007aefc8 001f0fff 007aee68 nprosec+0x10d6 b741bd38 804de7ec 007aefc8 001f0fff 007aee68 nprosec+0x209d b741bd38 7c90eb94 007aefc8 001f0fff 007aee68 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b741bd64) 007af634 00000000 00000000 00000000 00000000 0x7c90eb94 kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: e2afcbe8, memory referenced Arg2: 00000002, IRQL Arg3: 00000000, bitfield : bit 0 : value 0 = read operation, 1 = write operation bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status) Arg4: 80563ed6, address which referenced memory Debugging Details: ------------------ PEB is paged out (Peb.Ldr = 7ffd600c). Type ".hh dbgerr001" for details PEB is paged out (Peb.Ldr = 7ffd600c). Type ".hh dbgerr001" for details READ_ADDRESS: e2afcbe8 Paged pool CURRENT_IRQL: 2 FAULTING_IP: nt!ExpLookupHandleTableEntry+15 80563ed6 3b5138 cmp edx,dword ptr [ecx+38h] DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0xA PROCESS_NAME: svchost.exe TRAP_FRAME: b741bb24 -- (.trap 0xffffffffb741bb24) ErrCode = 00000000 eax=000000cd ebx=00000334 ecx=e2afcbb0 edx=00000334 esi=89cbb640 edi=b741bc04 eip=80563ed6 esp=b741bb98 ebp=b741bb98 iopl=0 nv up ei pl nz na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202 nt!ExpLookupHandleTableEntry+0x15: 80563ed6 3b5138 cmp edx,dword ptr [ecx+38h] ds:0023:e2afcbe8=00000800 Resetting default scope LAST_CONTROL_TRANSFER: from 80563ed6 to 804e187f STACK_TEXT: b741bb24 80563ed6 badb0d00 00000334 00000032 nt!KiTrap0E+0x233 b741bb98 80563f25 e2afcbb0 00000334 89cbb640 nt!ExpLookupHandleTableEntry+0x15 b741bbbc 80563fa8 e2afcbb0 00000334 00000000 nt!ExMapHandleToPointerEx+0x21 b741bbe4 f7797dcc 00000334 00000000 00000000 nt!ObReferenceObjectByHandle+0x12e WARNING: Stack unwind information not available. Following frames may be wrong. b741bc08 f77980d6 007aefc8 b741bd64 007aec10 nprosec+0xdcc b741bd08 f779909d 007aefc8 001f0fff 007aee68 nprosec+0x10d6 b741bd38 804de7ec 007aefc8 001f0fff 007aee68 nprosec+0x209d b741bd38 7c90eb94 007aefc8 001f0fff 007aee68 nt!KiFastCallEntry+0xf8 007af634 00000000 00000000 00000000 00000000 0x7c90eb94 STACK_COMMAND: kb FOLLOWUP_IP: nprosec+dcc f7797dcc 85c0 test eax,eax SYMBOL_STACK_INDEX: 4 SYMBOL_NAME: nprosec+dcc FOLLOWUP_NAME: MachineOwner MODULE_NAME: nprosec IMAGE_NAME: nprosec.sys DEBUG_FLR_IMAGE_TIMESTAMP: 46de64b6 FAILURE_BUCKET_ID: 0xA_VRF_nprosec+dcc BUCKET_ID: 0xA_VRF_nprosec+dcc Followup: MachineOwner ---------