BSOD Windows XP

pim (Member, joined Sep 28, 2014, 19 posts)
Hello,
I have a PC with XP SP3 which is continuously resetting. I can't see the error of the bluescreen screen. I tried safe mode but it didn't work because the PC reset again. With the last known configuration it didn't work either. With the same disk and another PC I could log in to the PC, but after a short period of time it reset again. Before I logged in to the PC I got the message:
The system process C:\Windows\system32\services.exe terminated unexpectedly with Status Code... (I can't see any more)
I could get the minidump file and from it:

PAGE_FAULT_IN_NONPAGED_AREA
0x10000050
0xfff7fff8
0x00000000
0x80551211
0x00000000
ntoskrnl.exe
ntoskrnl.exe+7a211
Could anybody help me to debug the error and to know the cause?

Best Regards and thanks in advance
 
I have analyzed with windbg and these are the results, could someone help me?

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fff7fff8, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80551211, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------

Could not read faulting driver name
READ_ADDRESS: GetPointerFromAddress: unable to read from 805630e8
GetPointerFromAddress: unable to read from 805630e0
GetUlongFromAddress: unable to read from 80567ce8
fff7fff8
FAULTING_IP:
nt!ExFreePoolWithTag+23a
80551211 668b4efa mov cx,word ptr [esi-6]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 6
DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: explorer.exe
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 80585717 to 80551211
STACK_TEXT:
aa401c3c 80585717 fff7fffe 00000000 e2e01cd8 nt!ExFreePoolWithTag+0x23a
aa401c58 805db77e e2e06828 e2e01cd8 e100dad4 nt!CmpCleanUpKcbValueCache+0x51
aa401c6c 805db82a e2e06828 e2667b60 80572e7c nt!CmpCleanUpKcbCacheWithLock+0x19
aa401c78 80572e7c aa401c8c 80572dbd e2e01cd8 nt!CmpGetDelayedCloseIndex+0x16
aa401c80 80572dbd e2e01cd8 aa401c98 80572d86 nt!CmpAddToDelayedClose+0xa
aa401c8c 80572d86 e2e01cd8 aa401cb0 80573475 nt!CmpDereferenceKeyControlBlockWithLock+0x50
aa401c98 80573475 e2e01cd8 00000000 e2cd9ea0 nt!CmpDereferenceKeyControlBlock+0x12
aa401cb0 8056d73d e2cd9eb8 00000000 e2cd9ea0 nt!CmpDeleteKeyObject+0x92
aa401ccc 804e1947 e2cd9eb8 00000000 000004e2 nt!ObpRemoveObjectRoutine+0xe0
aa401ce4 8056fba7 81598298 e29fa430 81585ba0 nt!ObfDereferenceObject+0x4c
aa401cfc 8056fac5 e29fa430 e2cd9eb8 000004e2 nt!ObpCloseHandleTableEntry+0x155
aa401d44 8056fb0f 000004e2 00000001 00000000 nt!ObpCloseHandle+0x87
aa401d58 804dd98f 000004e2 019df6fc 7c91e4f4 nt!NtClose+0x1d
aa401d58 7c91e4f4 000004e2 019df6fc 7c91e4f4 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
019df6fc 00000000 00000000 00000000 00000000 0x7c91e4f4

STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ExFreePoolWithTag+23a
80551211 668b4efa mov cx,word ptr [esi-6]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!ExFreePoolWithTag+23a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 48025de7
IMAGE_VERSION: 5.1.2600.5512
FAILURE_BUCKET_ID: 0x50_nt!ExFreePoolWithTag+23a
BUCKET_ID: 0x50_nt!ExFreePoolWithTag+23a
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x50_nt!exfreepoolwithtag+23a
FAILURE_ID_HASH: {772a6cc1-5eb2-1276-2b6d-082fdec5b7df}
Followup: MachineOwner
---------
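
Added example, not part of any post in this thread: a small Python parser for the `!analyze -v` text above that recovers the base register of the faulting instruction from Arg1 and cross-checks it against the first argument in the top `kb` frame. The sample text is trimmed from the post; the function names `parse_analyze` and `triage` are hypothetical.

```python
import re

# Constructed sample: lines trimmed from the !analyze -v output in the post above.
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fff7fff8, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 80551211, If non-zero, the instruction address which referenced the bad memory
Arg4: 00000000, (reserved)
FAULTING_IP:
nt!ExFreePoolWithTag+23a
80551211 668b4efa mov cx,word ptr [esi-6]
STACK_TEXT:
aa401c3c 80585717 fff7fffe 00000000 e2e01cd8 nt!ExFreePoolWithTag+0x23a
aa401c58 805db77e e2e06828 e2e01cd8 e100dad4 nt!CmpCleanUpKcbValueCache+0x51
"""

def parse_analyze(text):
    """Extract bugcheck code, Arg1-4, faulting operand and kb stack frames."""
    code = int(re.search(r"^\w+ \(([0-9a-fA-F]+)\)$", text, re.M).group(1), 16)
    args = [int(v, 16) for v in re.findall(r"^Arg\d: ([0-9a-f]{8}),", text, re.M)]
    # Faulting instruction line: address, opcode bytes, then e.g. "[esi-6]".
    m = re.search(r"^([0-9a-f]{8}) [0-9a-f]+ .*\[(\w+)([+-][0-9a-f]+)\]", text, re.M)
    operand = {"ip": int(m.group(1), 16), "reg": m.group(2), "disp": int(m.group(3), 16)}
    # kb frame layout: ChildEBP RetAddr Arg0 Arg1 Arg2 Symbol+offset
    frames = [(sym, [int(a, 16) for a in (a0, a1, a2)])
              for a0, a1, a2, sym in re.findall(
                  r"^[0-9a-f]{8} [0-9a-f]{8} ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+!\S+)$",
                  text, re.M)]
    return {"code": code, "args": args, "operand": operand, "frames": frames}

def triage(text):
    """Cross-check a 0x50 bugcheck: recover the base register, compare with frame 0."""
    r = parse_analyze(text)
    base = (r["args"][0] - r["operand"]["disp"]) & 0xFFFFFFFF  # Arg1 = reg + disp
    top_sym, top_args = r["frames"][0]
    return {
        "access": "write" if r["args"][1] & 1 else "read",
        "ip_matches_arg3": r["operand"]["ip"] == r["args"][2],
        "base_reg": (r["operand"]["reg"], base),
        "base_is_first_arg": base == top_args[0],   # pointer handed to the callee
        "aligned_8": base % 8 == 0,                 # x86 pool blocks are 8-byte aligned
        "top_frame": top_sym,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On this dump `esi` works out to fff7fffe, the same value as the first argument in the `nt!ExFreePoolWithTag` frame and not 8-byte aligned, so the bad pointer was handed to `ExFreePoolWithTag` by its caller rather than produced inside it.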
 
ANALYSIS_VERSION: 6.3.9600.17237

This is on Windows XP right?

XP dumps tend to not be as detailed as the new OSes, but let's see if it can tell us more.

Download and run this application: BSOD_XP_v1.3_jcgriff2_PROD.exe.
Once it has finished running zip the folder TSF_XP_Support which can be found in your Documents folder.
Attach the zipped file to your next post.
 
Looks like malware to me.
Could we have a kernel memory dump?

Go to Start
Right click My Computer
Select Properties
Click Advanced system settings
Click on the Advanced tab
Select Settings under Startup and Recovery
Then under Write debugging information select Kernel memory dump.

Once a dump is created go to:

Code:
C:\Windows\memory.dmp

Copy the file to the desktop, zip it up and upload it to a file sharing site like Onedrive. After the upload is done post the download link in your next reply.
 
I can't execute the program because the computer restarts immediately and sometimes it doesn't get to the winlogon screen. Apart from this, it is a Windows XP SP3. When I manage to reach the Windows Logon Screen, the following message appears when I try to log on: The system process 'C:\WINDOWS\system32\services.exe' terminated unexpectedly with status.... (nothing more is shown)
I log in to the system, and a few seconds (20 or 30) later it restarts again.
 
I see Norton on the system, I've seen this many times on a Norton protected system when there is a virus involved.
Have you tried booting into safe mode (by tapping F8 while booting)?
 
