Our company has several Dell XP Pro PCs and in the last few months
we've seen all but one of them suffer from quite frequent blue screen
STOP errors (ranging from once a fortnight to maybe two or three times
a week). They are a mix of SP1 and SP2 and they all have Automatic
Updates set to download, although the actual installation of the
updates will be erratic as the updates are only installed when an
administrator logs on. I suspected that some Windows Update file was
responsible, as they were all okay and then suddenly most of them
started having problems within a week or so of each other. I looked
around on the web to see if anyone else was suffering from this
recently but didn't find anything to explain why this would suddenly
start happening - plenty of advice on interpreting specific STOP errors
or interrogating minidumps, which I did next. There is one XP Pro PC
that hasn't had any problems at all and the only thing I could see that
separated this PC from the others is that it has no USB peripherals
connected. NB Windows Error Reporting said, after a crash, that an
Iomega driver was probably responsible and I downloaded and installed
the suggested replacement driver. But it hasn't stopped the crashes....


I downloaded and installed the latest 'Debugging Tools for Windows',
set the debugging information to the recommended 'Kernel Memory Dump'
and waited for a crash. Problem is, the debugging tools gave me quite a
bit of info but I'm not sure what it all means. I'm posting it below
hoping that some kind knowledgable person will give me some pointers.

Would be grateful to receive any help with this annoying problem!
Iain


Microsoft (R) Windows Debugger Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is:
srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Fri Dec 30 16:16:32.837 2005 (GMT+0)
System Uptime: 0 days 5:47:04.418
Loading Kernel Symbols
.................................................. .................................................. ...Unable
to add

module at bf9d4000
...............
Loading unloaded module list
....................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for
details
************************************************** *****************************
*
*
* Bugcheck Analysis
*
*
*
************************************************** *****************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, c3e, e2b62b70, e2b41da0}

*** ERROR: Module load completed but symbols could not be loaded for
smwdm.sys
*** ERROR: Module load completed but symbols could not be loaded for
e1000325.sys
*** ERROR: Module load completed but symbols could not be loaded for
ialmnt5.sys
*** WARNING: Unable to verify timestamp for fltmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for
fltmgr.sys
*** WARNING: Unable to verify timestamp for ialmdnt5.dll
*** ERROR: Module load completed but symbols could not be loaded for
ialmdnt5.dll
*** ERROR: Module load completed but symbols could not be loaded for
ialmdev5.DLL
*** WARNING: Unable to verify timestamp for ialmdd5.DLL
*** ERROR: Module load completed but symbols could not be loaded for
ialmdd5.DLL
*** ERROR: Module load completed but symbols could not be loaded for
PlatAlrt.sys
*** ERROR: Module load completed but symbols could not be loaded for
savonaccesscontrol.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for ialmsbw.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for ialmkchw.sys -
*** ERROR: Module load completed but symbols could not be loaded for
iomdisk.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for drmk.sys -
*** ERROR: Module load completed but symbols could not be loaded for
omci.sys
*** ERROR: Module load completed but symbols could not be loaded for
savonaccessfilter.sys
*** ERROR: Module load completed but symbols could not be loaded for
NetAlrt.sys
*** ERROR: Module load completed but symbols could not be loaded for
ASPI32.SYS
*** WARNING: Unable to verify timestamp for dmload.sys
*** ERROR: Module load completed but symbols could not be loaded for
dmload.sys
*** WARNING: Unable to verify timestamp for ParVdm.SYS
*** ERROR: Module load completed but symbols could not be loaded for
ParVdm.SYS
*** ERROR: Module load completed but symbols could not be loaded for
aeaudio.sys
*** WARNING: Unable to verify timestamp for Null.SYS
*** ERROR: Module load completed but symbols could not be loaded for
Null.SYS
Probably caused by : ntoskrnl.exe ( nt!ExFreePoolWithTag+2be )

Followup: MachineOwner
---------

kd> !analyze -v
************************************************** *****************************
*
*
* Bugcheck Analysis
*
*
*
************************************************** *****************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at
a bad IRQL level or double freeing the same

allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 00000c3e, (reserved)
Arg3: e2b62b70, Memory contents of the pool block
Arg4: e2b41da0, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS: e2b41da0 Paged pool

BUGCHECK_STR: 0xc2_7

DEFAULT_BUCKET_ID: DRIVER_FAULT

LAST_CONTROL_TRANSFER: from 8054b741 to 8053331e

STACK_TEXT:
f9365c20 8054b741 000000c2 00000007 00000c3e nt!KeBugCheckEx+0x1b
f9365c70 805da5de e2b41da0 00000000 e2b62b70 nt!ExFreePoolWithTag+0x2be
f9365c8c 8056b7bd e2b62b70 00000000 e2b62b58 nt!CmpFlushNotify+0x80
f9365ca4 805638f7 e2b62b70 e2b62b58 00000000 nt!CmpDeleteKeyObject+0x42
f9365cc0 804e36d5 e2b62b70 00000000 000000ec
nt!ObpRemoveObjectRoutine+0xdf
f9365ce4 80566ab3 ff844da0 e2b42560 ff83fa68
nt!ObfDereferenceObject+0x5f
f9365cfc 80566b1c e2b42560 e2b62b70 000000ec
nt!ObpCloseHandleTableEntry+0x155
f9365d44 80566b66 000000ec 00000001 00000000 nt!ObpCloseHandle+0x87
f9365d58 804de7ec 000000ec 0081fe94 7c90eb94 nt!NtClose+0x1d
f9365d58 7c90eb94 000000ec 0081fe94 7c90eb94 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be
wrong.
0081fe94 00000000 00000000 00000000 00000000 0x7c90eb94


FOLLOWUP_IP:
nt!ExFreePoolWithTag+2be
8054b741 83f801 cmp eax,0x1

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!ExFreePoolWithTag+2be

MODULE_NAME: nt

IMAGE_NAME: ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9

STACK_COMMAND: kb

FAILURE_BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2be

BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2be

Followup: MachineOwner
---------

I'm not a huge expert on debugging, but this looks like something to do with
a driver, maybe a conflit with one of the automatic updates you received?
You may want to get a list of installed fixes on your working machine, and
compare it to the ones that are not working and see which hot fixes are
installed that may have caused your problem.

"Iain Robinson" wrote:

> Our company has several Dell XP Pro PCs and in the last few months
> we've seen all but one of them suffer from quite frequent blue screen
> STOP errors (ranging from once a fortnight to maybe two or three times
> a week). They are a mix of SP1 and SP2 and they all have Automatic
> Updates set to download, although the actual installation of the
> updates will be erratic as the updates are only installed when an
> administrator logs on. I suspected that some Windows Update file was
> responsible, as they were all okay and then suddenly most of them
> started having problems within a week or so of each other. I looked
> around on the web to see if anyone else was suffering from this
> recently but didn't find anything to explain why this would suddenly
> start happening - plenty of advice on interpreting specific STOP errors
> or interrogating minidumps, which I did next. There is one XP Pro PC
> that hasn't had any problems at all and the only thing I could see that
> separated this PC from the others is that it has no USB peripherals
> connected. NB Windows Error Reporting said, after a crash, that an
> Iomega driver was probably responsible and I downloaded and installed
> the suggested replacement driver. But it hasn't stopped the crashes....
>
>
> I downloaded and installed the latest 'Debugging Tools for Windows',
> set the debugging information to the recommended 'Kernel Memory Dump'
> and waited for a crash. Problem is, the debugging tools gave me quite a
> bit of info but I'm not sure what it all means. I'm posting it below
> hoping that some kind knowledgable person will give me some pointers.
>
> Would be grateful to receive any help with this annoying problem!
> Iain
>
>
> Microsoft (R) Windows Debugger Version 6.5.0003.7
> Copyright (c) Microsoft Corporation. All rights reserved.
>
>
> Loading Dump File [C:\WINDOWS\MEMORY.DMP]
> Kernel Summary Dump File: Only kernel address space is available
>
> Symbol search path is:
> srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
> Executable search path is:
> Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
> Product: WinNt, suite: TerminalServer SingleUserTS
> Built by: 2600.xpsp_sp2_gdr.050301-1519
> Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
> Debug session time: Fri Dec 30 16:16:32.837 2005 (GMT+0)
> System Uptime: 0 days 5:47:04.418
> Loading Kernel Symbols
> .................................................. .................................................. ...Unable
> to add
>
> module at bf9d4000
> ...............
> Loading unloaded module list
> ....................
> Loading User Symbols
> PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for
> details
> ************************************************** *****************************
> *
> *
> * Bugcheck Analysis
> *
> *
> *
> ************************************************** *****************************
>
> Use !analyze -v to get detailed debugging information.
>
> BugCheck C2, {7, c3e, e2b62b70, e2b41da0}
>
> *** ERROR: Module load completed but symbols could not be loaded for
> smwdm.sys
> *** ERROR: Module load completed but symbols could not be loaded for
> e1000325.sys
> *** ERROR: Module load completed but symbols could not be loaded for
> ialmnt5.sys
> *** WARNING: Unable to verify timestamp for fltmgr.sys
> *** ERROR: Module load completed but symbols could not be loaded for
> fltmgr.sys
> *** WARNING: Unable to verify timestamp for ialmdnt5.dll
> *** ERROR: Module load completed but symbols could not be loaded for
> ialmdnt5.dll
> *** ERROR: Module load completed but symbols could not be loaded for
> ialmdev5.DLL
> *** WARNING: Unable to verify timestamp for ialmdd5.DLL
> *** ERROR: Module load completed but symbols could not be loaded for
> ialmdd5.DLL
> *** ERROR: Module load completed but symbols could not be loaded for
> PlatAlrt.sys
> *** ERROR: Module load completed but symbols could not be loaded for
> savonaccesscontrol.sys
> *** ERROR: Symbol file could not be found. Defaulted to export symbols
> for ialmsbw.sys -
> *** ERROR: Symbol file could not be found. Defaulted to export symbols
> for ialmkchw.sys -
> *** ERROR: Module load completed but symbols could not be loaded for
> iomdisk.sys
> *** ERROR: Symbol file could not be found. Defaulted to export symbols
> for drmk.sys -
> *** ERROR: Module load completed but symbols could not be loaded for
> omci.sys
> *** ERROR: Module load completed but symbols could not be loaded for
> savonaccessfilter.sys
> *** ERROR: Module load completed but symbols could not be loaded for
> NetAlrt.sys
> *** ERROR: Module load completed but symbols could not be loaded for
> ASPI32.SYS
> *** WARNING: Unable to verify timestamp for dmload.sys
> *** ERROR: Module load completed but symbols could not be loaded for
> dmload.sys
> *** WARNING: Unable to verify timestamp for ParVdm.SYS
> *** ERROR: Module load completed but symbols could not be loaded for
> ParVdm.SYS
> *** ERROR: Module load completed but symbols could not be loaded for
> aeaudio.sys
> *** WARNING: Unable to verify timestamp for Null.SYS
> *** ERROR: Module load completed but symbols could not be loaded for
> Null.SYS
> Probably caused by : ntoskrnl.exe ( nt!ExFreePoolWithTag+2be )
>
> Followup: MachineOwner
> ---------
>
> kd> !analyze -v
> ************************************************** *****************************
> *
> *
> * Bugcheck Analysis
> *
> *
> *
> ************************************************** *****************************
>
> BAD_POOL_CALLER (c2)
> The current thread is making a bad pool request. Typically this is at
> a bad IRQL level or double freeing the same
>
> allocation, etc.
> Arguments:
> Arg1: 00000007, Attempt to free pool which was already freed
> Arg2: 00000c3e, (reserved)
> Arg3: e2b62b70, Memory contents of the pool block
> Arg4: e2b41da0, Address of the block of pool being deallocated
>
> Debugging Details:
> ------------------
>
>
> POOL_ADDRESS: e2b41da0 Paged pool
>
> BUGCHECK_STR: 0xc2_7
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> LAST_CONTROL_TRANSFER: from 8054b741 to 8053331e
>
> STACK_TEXT:
> f9365c20 8054b741 000000c2 00000007 00000c3e nt!KeBugCheckEx+0x1b
> f9365c70 805da5de e2b41da0 00000000 e2b62b70 nt!ExFreePoolWithTag+0x2be
> f9365c8c 8056b7bd e2b62b70 00000000 e2b62b58 nt!CmpFlushNotify+0x80
> f9365ca4 805638f7 e2b62b70 e2b62b58 00000000 nt!CmpDeleteKeyObject+0x42
> f9365cc0 804e36d5 e2b62b70 00000000 000000ec
> nt!ObpRemoveObjectRoutine+0xdf
> f9365ce4 80566ab3 ff844da0 e2b42560 ff83fa68
> nt!ObfDereferenceObject+0x5f
> f9365cfc 80566b1c e2b42560 e2b62b70 000000ec
> nt!ObpCloseHandleTableEntry+0x155
> f9365d44 80566b66 000000ec 00000001 00000000 nt!ObpCloseHandle+0x87
> f9365d58 804de7ec 000000ec 0081fe94 7c90eb94 nt!NtClose+0x1d
> f9365d58 7c90eb94 000000ec 0081fe94 7c90eb94 nt!KiFastCallEntry+0xf8
> WARNING: Frame IP not in any known module. Following frames may be
> wrong.
> 0081fe94 00000000 00000000 00000000 00000000 0x7c90eb94
>
>
> FOLLOWUP_IP:
> nt!ExFreePoolWithTag+2be
> 8054b741 83f801 cmp eax,0x1
>
> SYMBOL_STACK_INDEX: 1
>
> FOLLOWUP_NAME: MachineOwner
>
> SYMBOL_NAME: nt!ExFreePoolWithTag+2be
>
> MODULE_NAME: nt
>
> IMAGE_NAME: ntoskrnl.exe
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 42250ff9
>
> STACK_COMMAND: kb
>
> FAILURE_BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2be
>
> BUCKET_ID: 0xc2_7_nt!ExFreePoolWithTag+2be
>
> Followup: MachineOwner
> ---------
>
>

Thanks for your reply. All the PCs have had the same AU's installed and
are all basically the same spec (Dell Optiplex's of roughly the same
age). If it is that how do I work out which driver is causing the
problem from the memory dump? We never download any driver updates from
Microsoft - only ever from the hardware manufacturers, and we haven't
done that on any of the machines in the timeframe where we have seen
things go wrong.

Iain