Is this Dell's version of Windows?

Shintaro

I was looking at a crash dump from a Vista system and WinDbg threw the following:


Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/...ls*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6002.18607.x86fre.vistasp2_gdr.120402-0336
Machine Name:
Kernel base = 0x83249000 PsLoadedModuleList = 0x83360c70
Debug session time: Sun Jul 15 05:19:26.491 2012 (UTC + 10:00)
System Uptime: 0 days 2:07:13.332
Loading Kernel Symbols
...............................................................
................................................................
........................................
Loading User Symbols
Loading unloaded module list


*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 124, {0, 8eab3020, b6000000, 181}

*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: pshed!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER ***
*** ***
*************************************************************************
Probably caused by : hardware

Well I downloaded the symbols for x86 SP2. So that is odd?
So I turned on !sym noisy

So it says that the symbols are not in either MS symbol server or my symbol store. Odd?

SYMSRV: c:\symbols\ntoskrnl.exe\4F79A9BE3ba000\ntoskrnl.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/4F79A9BE3ba000/ntoskrnl.exe not found
SYMSRV: c:\symbols\ntkrnlup.exe\4F79A9BE3ba000\ntkrnlup.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/4F79A9BE3ba000/ntkrnlup.exe not found
DBGHELP: c:\symbols\ntkrnlpa.exe\4F79A9BE3ba000\ntkrnlpa.exe - OK
DBGENG: c:\symbols\ntkrnlpa.exe\4F79A9BE3ba000\ntkrnlpa.exe - Mapped image memory
DBGHELP: nt - public symbols
c:\symbols\ntkrpamp.pdb\8B8346938BD24632B8896060E508F4032\ntkrpamp.pdb
Loading Kernel Symbols
.
SYMSRV: c:\symbols\halaacpi.dll\49E018D933000\halaacpi.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/halaacpi.dll/49E018D933000/halaacpi.dll not found
SYMSRV: c:\symbols\halacpi.dll\49E018D933000\halacpi.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/halacpi.dll/49E018D933000/halacpi.dll not found
SYMSRV: c:\symbols\halapic.dll\49E018D933000\halapic.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/halapic.dll/49E018D933000/halapic.dll not found

Therefore !errrec <address> doesn't give a possible culprit.

I am unsure of how to get around this problem with symbols. Or is it impossible because they are Dell's?
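An added example, not part of the original post: a small parser for the `!sym noisy` lines quoted above. It groups lookups by symbol-store key and decodes the key, which for an image is the PE TimeDateStamp followed by SizeOfImage and for a PDB is the GUID followed by the age. The function names are hypothetical; the sample lines and the hal.dll values used in the comments are copied from this thread.

```python
import re
from datetime import datetime, timezone

# Lines copied from the `!sym noisy` output quoted in the post above.
SYM_NOISY = r"""
SYMSRV: c:\symbols\ntoskrnl.exe\4F79A9BE3ba000\ntoskrnl.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntoskrnl.exe/4F79A9BE3ba000/ntoskrnl.exe not found
SYMSRV: c:\symbols\ntkrnlup.exe\4F79A9BE3ba000\ntkrnlup.exe not found
SYMSRV: http://msdl.microsoft.com/download/symbols/ntkrnlup.exe/4F79A9BE3ba000/ntkrnlup.exe not found
DBGHELP: c:\symbols\ntkrnlpa.exe\4F79A9BE3ba000\ntkrnlpa.exe - OK
DBGENG: c:\symbols\ntkrnlpa.exe\4F79A9BE3ba000\ntkrnlpa.exe - Mapped image memory
DBGHELP: nt - public symbols
c:\symbols\ntkrpamp.pdb\8B8346938BD24632B8896060E508F4032\ntkrpamp.pdb
SYMSRV: c:\symbols\halaacpi.dll\49E018D933000\halaacpi.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/halaacpi.dll/49E018D933000/halaacpi.dll not found
SYMSRV: c:\symbols\halacpi.dll\49E018D933000\halacpi.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/halacpi.dll/49E018D933000/halacpi.dll not found
SYMSRV: c:\symbols\halapic.dll\49E018D933000\halapic.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/halapic.dll/49E018D933000/halapic.dll not found
"""

# <store>/<file>/<key>/<file>, with an optional tool prefix and trailing status.
LOOKUP = re.compile(
    r"^(?:(?P<src>SYMSRV|DBGHELP|DBGENG):\s+)?"
    r"(?P<store>.+?)[\\/](?P<file>[^\\/\s]+)[\\/](?P<key>[0-9A-Fa-f]+)[\\/](?P=file)"
    r"(?:\s+(?P<status>.*))?$"
)


def parse_lookups(text):
    """Return one record per store lookup; lines without a store path are skipped."""
    records = []
    for line in text.splitlines():
        m = LOOKUP.match(line.strip())
        if not m:
            continue
        status = (m["status"] or "").strip()
        records.append({
            "file": m["file"],
            "key": m["key"],
            "store": m["store"],
            # A bare path or "- OK" means the file was loaded from that store.
            "found": "not found" not in status,
        })
    return records


def decode_key(file_name, key):
    """Split a symbol-store key into the fields it was built from."""
    if file_name.lower().endswith(".pdb"):
        # PDB key: 32 hex digits of GUID, then the age in hex.
        return {"kind": "pdb", "guid": key[:32].upper(), "age": int(key[32:], 16)}
    # Image key: 8 hex digits of TimeDateStamp, then SizeOfImage in hex.
    stamp = int(key[:8], 16)
    return {
        "kind": "image",
        "timestamp": stamp,
        "linked": datetime.fromtimestamp(stamp, timezone.utc),
        "size_of_image": int(key[8:], 16),
    }


def image_key(timestamp, size_of_image):
    """Build the image key the debugger asks the store for."""
    return f"{timestamp:08X}{size_of_image:x}"


def summarize(records):
    """Group by key: which file names were tried, and which one resolved."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(rec["key"], {"tried": [], "resolved": []})
        if rec["file"] not in entry["tried"]:
            entry["tried"].append(rec["file"])
        if rec["found"] and rec["file"] not in entry["resolved"]:
            entry["resolved"].append(rec["file"])
    return summary


if __name__ == "__main__":
    for key, entry in summarize(parse_lookups(SYM_NOISY)).items():
        info = decode_key(entry["tried"][0], key)
        print(key, info["kind"], entry)
    # hal.dll in the later `.reload /o /f /v` output: TimeDateStamp 49e018d9,
    # Size 00033000, which yields the key seen in the hal*.dll lookups.
    print(image_key(0x49E018D9, 0x00033000))
```

Each kernel and HAL key appears under several candidate file names because the debugger probes the possible on-disk names for one loaded image; in this excerpt the kernel key resolves as `ntkrnlpa.exe`, while none of the three HAL names tried does.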
 


This fellow is running Dell Inspiron 531 desktop with Vista SP2 32-bit.

Sorry mate what is a "patched validation setup"?

I was thinking that Dell made some modifications to the Kernel etc for their special hardware. Is that what you are saying?
 
I work on a lot of Dells and have never seen this.
I have to wonder if it's a pirated copy - especially as it's having trouble not only with the kernel, but with the HAL also.
 
This fellow is running Dell Inspiron 531 desktop with Vista SP2 32-bit.

Sorry mate what is a "patched validation setup"?

I was thinking that Dell made some modifications to the Kernel etc for their special hardware. Is that what you are saying?

That's normally found on a pirated copy; the validation/activation is patched so that Windows believes it has passed both.
I've run into a few that were installed by shops reloading on a BIOS repair. I see it on XP a lot, where it's running XP Pro on a lower-end system. Sure enough, the customer says, "Oh, *** PC shop had to reinstall a couple of years ago when the hard drive failed"... but the drive is dated the same year as the PC and has a Dell part number sticker on it...
 
WOW, Thank you guys,
Very interesting. Is there any other way to confirm this via the minidump or should I ask them to prove it via some MS utility?

BTW output from what Vir Gnarus asked for:


Code:
1: kd> .reload /o /f /v
Loading Kernel Symbols
AddImage: \SystemRoot\system32\hal.dll
 DllBase  = 83216000
 Size     = 00033000
 Checksum = 0003343c
 TimeDateStamp = 49e018d9
AddImage: \SystemRoot\system32\kdcom.dll
 DllBase  = 80609000
 Size     = 00007000
 Checksum = 00009b6b
 TimeDateStamp = 49e037d9
AddImage: \SystemRoot\system32\PSHED.dll
 DllBase  = 80610000
 Size     = 00011000
 Checksum = 00013d00
 TimeDateStamp = 49e037dc
AddImage: \SystemRoot\system32\BOOTVID.dll
 DllBase  = 80621000
 Size     = 00008000
 Checksum = 00006de9
 TimeDateStamp = 4791a653
AddImage: \SystemRoot\system32\CLFS.SYS
 DllBase  = 80629000
 Size     = 00041000
 Checksum = 0003efb6
 TimeDateStamp = 49e018ff
AddImage: \SystemRoot\system32\CI.dll
 DllBase  = 8066a000
 Size     = 000e0000
 Checksum = 00096aab
 TimeDateStamp = 49e037d2
AddImage: \SystemRoot\system32\drivers\Wdf01000.sys
 DllBase  = 8074a000
 Size     = 0007c000
 Checksum = 000831d4
 TimeDateStamp = 47919015
AddImage: \SystemRoot\system32\drivers\WDFLDR.SYS
 DllBase  = 807c6000
 Size     = 0000d000
 Checksum = 00014b62
 TimeDateStamp = 47919013
AddImage: \SystemRoot\system32\drivers\acpi.sys
 DllBase  = 83c0c000
 Size     = 00046000
 Checksum = 0004e011
 TimeDateStamp = 49e01a37
AddImage: \SystemRoot\system32\drivers\WMILIB.SYS
 DllBase  = 83c52000
 Size     = 00009000
 Checksum = 0000b6f9
 TimeDateStamp = 47919044


Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

AddImage: \SystemRoot\system32\drivers\msisadrv.sys
 DllBase  = 83c5b000
 Size     = 00008000
 Checksum = 0000837d
 TimeDateStamp = 47918b83
AddImage: \SystemRoot\system32\drivers\pci.sys
 DllBase  = 83c63000
 Size     = 00027000
 Checksum = 00026a3a
 TimeDateStamp = 49e01a44
AddImage: \SystemRoot\System32\drivers\partmgr.sys
 DllBase  = 83c8a000
 Size     = 00010000
 Checksum = 0001496d
 TimeDateStamp = 4f68bbfc
Unable to load image \SystemRoot\System32\drivers\partmgr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for partmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for partmgr.sys
AddImage: \SystemRoot\system32\drivers\volmgr.sys
 DllBase  = 83c9a000
 Size     = 0000f000
 Checksum = 000153dd
 TimeDateStamp = 47918f7f
AddImage: \SystemRoot\System32\drivers\volmgrx.sys
 DllBase  = 83ca9000
 Size     = 0004a000
 Checksum = 0004be7a
 TimeDateStamp = 49e01efd
AddImage: \SystemRoot\system32\drivers\pciide.sys
 DllBase  = 83cf3000
 Size     = 00007000
 Checksum = 000077e1
 TimeDateStamp = 49e01eee
AddImage: \SystemRoot\system32\drivers\PCIIDEX.SYS
 DllBase  = 83cfa000
 Size     = 0000e000
 Checksum = 0001883b
 TimeDateStamp = 49e01eed
AddImage: \SystemRoot\System32\drivers\mountmgr.sys
 DllBase  = 83d08000
 Size     = 00010000
 Checksum = 0001c5d3
 TimeDateStamp = 47918f59
AddImage: \SystemRoot\system32\drivers\nvraid.sys
 DllBase  = 83d18000
 Size     = 00019000
 Checksum = 0001bb9b
 TimeDateStamp = 4522ff6b
Unable to load image \SystemRoot\system32\drivers\nvraid.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvraid.sys
*** ERROR: Module load completed but symbols could not be loaded for nvraid.sys
AddImage: \SystemRoot\system32\drivers\CLASSPNP.SYS
 DllBase  = 83d31000
 Size     = 00021000
 Checksum = 0002ac36
 TimeDateStamp = 49e01ee9
AddImage: \SystemRoot\system32\drivers\atapi.sys
 DllBase  = 83d52000
 Size     = 00008000
 Checksum = 00007c1c
 TimeDateStamp = 49e01eed
AddImage: \SystemRoot\system32\drivers\ataport.SYS
 DllBase  = 83d5a000
 Size     = 0001e000
 Checksum = 00028795
 TimeDateStamp = 49e01eee
AddImage: \SystemRoot\system32\drivers\nvstor32.sys
 DllBase  = 83d78000
 Size     = 0001d000
 Checksum = 00026a43
 TimeDateStamp = 46bb58d8
Unable to load image \SystemRoot\system32\drivers\nvstor32.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvstor32.sys
*** ERROR: Module load completed but symbols could not be loaded for nvstor32.sys
AddImage: \SystemRoot\system32\drivers\storport.sys
 DllBase  = 83d95000
 Size     = 00041000
 Checksum = 00026e2b
 TimeDateStamp = 49e01ef7
AddImage: \SystemRoot\system32\DRIVERS\nvstor.sys
 DllBase  = 83dd6000
 Size     = 0000d000
 Checksum = 0000a096
 TimeDateStamp = 458d543d
Unable to load image \SystemRoot\system32\DRIVERS\nvstor.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvstor.sys
*** ERROR: Module load completed but symbols could not be loaded for nvstor.sys
AddImage: \SystemRoot\system32\drivers\fltmgr.sys
 DllBase  = 83e09000
 Size     = 00032000
 Checksum = 00037c8c
 TimeDateStamp = 49e01907
AddImage: \SystemRoot\system32\drivers\fileinfo.sys
 DllBase  = 83e3b000
 Size     = 00010000
 Checksum = 0001d398
 TimeDateStamp = 47918be3
AddImage: \SystemRoot\System32\Drivers\DRVMCDB.SYS
 DllBase  = 83e4b000
 Size     = 00015fe0
 Checksum = 00020568
 TimeDateStamp = 44c11aef
Unable to load image \SystemRoot\System32\Drivers\DRVMCDB.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DRVMCDB.SYS
*** ERROR: Module load completed but symbols could not be loaded for DRVMCDB.SYS
AddImage: \SystemRoot\System32\Drivers\PxHelp20.sys
 DllBase  = 83e61000
 Size     = 000094c0
 Checksum = 000131d0
 TimeDateStamp = 4addfa1e
Unable to load image \SystemRoot\System32\Drivers\PxHelp20.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for PxHelp20.sys
*** ERROR: Module load completed but symbols could not be loaded for PxHelp20.sys
AddImage: \SystemRoot\System32\Drivers\ksecdd.sys
 DllBase  = 83e6b000
 Size     = 00072000
 Checksum = 000793ad
 TimeDateStamp = 4fc93a77
AddImage: \SystemRoot\system32\drivers\ndis.sys
 DllBase  = 83edd000
 Size     = 0010b000
 Checksum = 0008df51
 TimeDateStamp = 49e02080
AddImage: \SystemRoot\system32\drivers\msrpc.sys
 DllBase  = 807d3000
 Size     = 0002b000
 Checksum = 00000000
 TimeDateStamp = 00000000
Unable to load image \SystemRoot\system32\drivers\msrpc.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for msrpc.sys
*** ERROR: Module load completed but symbols could not be loaded for msrpc.sys
AddImage: \SystemRoot\system32\drivers\NETIO.SYS
 DllBase  = 88e0d000
 Size     = 0003b000
 Checksum = 0003bc94
 TimeDateStamp = 49e0209d
AddImage: \SystemRoot\System32\Drivers\Ntfs.sys
 DllBase  = 88e48000
 Size     = 00110000
 Checksum = 0010c4b9
 TimeDateStamp = 49e0192a
AddImage: \SystemRoot\system32\drivers\volsnap.sys
 DllBase  = 88f58000
 Size     = 00039000
 Checksum = 00041434
 TimeDateStamp = 49e01f09
AddImage: \SystemRoot\System32\Drivers\spldr.sys
 DllBase  = 88f91000
 Size     = 00008000
 Checksum = 0000f57b
 TimeDateStamp = 467b17dd
*** ERROR: Module load completed but symbols could not be loaded for spldr.sys
AddImage: \SystemRoot\system32\speedfan.sys
 DllBase  = 88f99000
 Size     = 00004100
 Checksum = 0000bfef
 TimeDateStamp = 4d83838d
Unable to load image \SystemRoot\system32\speedfan.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for speedfan.sys
*** ERROR: Module load completed but symbols could not be loaded for speedfan.sys
AddImage: \SystemRoot\System32\Drivers\mup.sys
 DllBase  = 88f9e000
 Size     = 0000f000
 Checksum = 00019334
 TimeDateStamp = 49e01914
AddImage: \SystemRoot\system32\giveio.sys
 DllBase  = 88fad000
 Size     = 00000680
 Checksum = 00003355
 TimeDateStamp = 316334f5
Unable to load image \SystemRoot\system32\giveio.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for giveio.sys
*** ERROR: Module load completed but symbols could not be loaded for giveio.sys
AddImage: \SystemRoot\System32\drivers\ecache.sys
 DllBase  = 88fae000
 Size     = 00027000
 Checksum = 000270b9
 TimeDateStamp = 49e01f2c
AddImage: \SystemRoot\system32\drivers\disk.sys
 DllBase  = 88fd5000
 Size     = 00011000
 Checksum = 000124f0
 TimeDateStamp = 49e01ef2
AddImage: \SystemRoot\system32\drivers\crcdisk.sys
 DllBase  = 88fe6000
 Size     = 00009000
 Checksum = 00006d96
 TimeDateStamp = 4549b1cb
AddImage: \SystemRoot\system32\DRIVERS\null.sys
 DllBase  = 88fef000
 Size     = 00007000
 Checksum = 00000000
 TimeDateStamp = 00000000
Unable to load image \SystemRoot\system32\DRIVERS\null.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for null.sys
*** ERROR: Module load completed but symbols could not be loaded for null.sys
AddImage: \SystemRoot\system32\DRIVERS\tunnel.sys
 DllBase  = 83fe8000
 Size     = 0000b000
 Checksum = 0000dffb
 TimeDateStamp = 4b7d244d
AddImage: \SystemRoot\system32\DRIVERS\tunmp.sys
 DllBase  = 83ff3000
 Size     = 00009000
 Checksum = 000049a7
 TimeDateStamp = 479190dc
AddImage: \SystemRoot\system32\DRIVERS\amdk8.sys
 DllBase  = 8ce06000
 Size     = 00010000
 Checksum = 0000f637
 TimeDateStamp = 47918a38
AddImage: \SystemRoot\system32\DRIVERS\fdc.sys
 DllBase  = 8ce16000
 Size     = 0000b000
 Checksum = 00013788
 TimeDateStamp = 47918f71
AddImage: \SystemRoot\system32\DRIVERS\usbohci.sys
 DllBase  = 8ce21000
 Size     = 0000a000
 Checksum = 00007eb5
 TimeDateStamp = 49e01fcc
AddImage: \SystemRoot\system32\DRIVERS\USBPORT.SYS
 DllBase  = 8ce2b000
 Size     = 0003e000
 Checksum = 00044c16
 TimeDateStamp = 49e01fcf
AddImage: \SystemRoot\system32\DRIVERS\usbehci.sys
 DllBase  = 8ce69000
 Size     = 0000f000
 Checksum = 00019188
 TimeDateStamp = 49e01fcc
AddImage: \SystemRoot\system32\DRIVERS\bcmwl6.sys
 DllBase  = 8ce78000
 Size     = 00102000
 Checksum = 00103d1e
 TimeDateStamp = 470ff55c
Unable to load image \SystemRoot\system32\DRIVERS\bcmwl6.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for bcmwl6.sys
*** ERROR: Module load completed but symbols could not be loaded for bcmwl6.sys
AddImage: \SystemRoot\system32\DRIVERS\HDAudBus.sys
 DllBase  = 8d209000
 Size     = 0008d000
 Checksum = 0009543a
 TimeDateStamp = 49e01fc1
AddImage: \SystemRoot\system32\DRIVERS\nvmfdx32.sys
 DllBase  = 8d296000
 Size     = 00100e00
 Checksum = 00110e14
 TimeDateStamp = 45edc11d
Unable to load image \SystemRoot\system32\DRIVERS\nvmfdx32.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvmfdx32.sys
*** ERROR: Module load completed but symbols could not be loaded for nvmfdx32.sys
AddImage: \SystemRoot\System32\Drivers\DLACDBHM.SYS
 DllBase  = 8d397000
 Size     = 00001740
 Checksum = 0000ee17
 TimeDateStamp = 45cbf2f8
Unable to load image \SystemRoot\System32\Drivers\DLACDBHM.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLACDBHM.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLACDBHM.SYS
AddImage: \SystemRoot\system32\DRIVERS\cdrom.sys
 DllBase  = 8d399000
 Size     = 00018000
 Checksum = 000166ec
 TimeDateStamp = 49e01ef5
AddImage: \SystemRoot\System32\Drivers\GEARAspiWDM.sys
 DllBase  = 8d3b1000
 Size     = 00005280
 Checksum = 00008fb0
 TimeDateStamp = 4a1151b5
Unable to load image \SystemRoot\System32\Drivers\GEARAspiWDM.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for GEARAspiWDM.sys
*** ERROR: Module load completed but symbols could not be loaded for GEARAspiWDM.sys
AddImage: \SystemRoot\system32\DRIVERS\nvlddmkm.sys
 DllBase  = 8d60d000
 Size     = 00af3000
 Checksum = 00add7b9
 TimeDateStamp = 4fb2071b
Unable to load image \SystemRoot\system32\DRIVERS\nvlddmkm.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for nvlddmkm.sys
*** ERROR: Module load completed but symbols could not be loaded for nvlddmkm.sys
AddImage: \SystemRoot\System32\drivers\dxgkrnl.sys
 DllBase  = 8e100000
 Size     = 000a0000
 Checksum = 000a384d
 TimeDateStamp = 4d383dc1
AddImage: \SystemRoot\System32\drivers\watchdog.sys
 DllBase  = 8e1a0000
 Size     = 0000c000
 Checksum = 000124ae
 TimeDateStamp = 49e01b13
AddImage: \SystemRoot\system32\DRIVERS\serscan.sys
 DllBase  = 8e1ac000
 Size     = 00008000
 Checksum = 00008378
 TimeDateStamp = 47919532
AddImage: \SystemRoot\system32\DRIVERS\msiscsi.sys
 DllBase  = 8e1b4000
 Size     = 0002f000
 Checksum = 000306b0
 TimeDateStamp = 49e01f27
AddImage: \SystemRoot\system32\DRIVERS\TDI.SYS
 DllBase  = 8e1e3000
 Size     = 0000b000
 Checksum = 00006f68
 TimeDateStamp = 47919136
AddImage: \SystemRoot\system32\DRIVERS\rasl2tp.sys
 DllBase  = 8d3b7000
 Size     = 00017000
 Checksum = 0001580f
 TimeDateStamp = 47919111
AddImage: \SystemRoot\system32\DRIVERS\ndistapi.sys
 DllBase  = 8e1ee000
 Size     = 0000b000
 Checksum = 0000945a
 TimeDateStamp = 47919108
AddImage: \SystemRoot\system32\DRIVERS\ndiswan.sys
 DllBase  = 8d3ce000
 Size     = 00023000
 Checksum = 00029c50
 TimeDateStamp = 49e020a7
AddImage: \SystemRoot\system32\DRIVERS\raspppoe.sys
 DllBase  = 8d3f1000
 Size     = 0000f000
 Checksum = 00010ad9
 TimeDateStamp = 49e020a6
AddImage: \SystemRoot\system32\DRIVERS\raspptp.sys
 DllBase  = 8cf7a000
 Size     = 00014000
 Checksum = 00015d93
 TimeDateStamp = 47919112
AddImage: \SystemRoot\system32\DRIVERS\rassstp.sys
 DllBase  = 8cf8e000
 Size     = 00015000
 Checksum = 00012289
 TimeDateStamp = 49e020b0
AddImage: \SystemRoot\system32\DRIVERS\wanatw4.sys
 DllBase  = 8e1f9000
 Size     = 00005020
 Checksum = 000104d2
 TimeDateStamp = 3d343a62
Unable to load image \SystemRoot\system32\DRIVERS\wanatw4.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for wanatw4.sys
*** ERROR: Module load completed but symbols could not be loaded for wanatw4.sys
AddImage: \SystemRoot\system32\DRIVERS\termdd.sys
 DllBase  = 8cfa3000
 Size     = 00010000
 Checksum = 0000ec93
 TimeDateStamp = 49e021c2
AddImage: \SystemRoot\system32\DRIVERS\kbdclass.sys
 DllBase  = 8d600000
 Size     = 0000b000
 Checksum = 00015921
 TimeDateStamp = 47918f5a
AddImage: \SystemRoot\system32\DRIVERS\mouclass.sys
 DllBase  = 8cfb3000
 Size     = 0000b000
 Checksum = 00008e20
 TimeDateStamp = 47918f5a
AddImage: \SystemRoot\system32\DRIVERS\SBFWIM.sys
 DllBase  = 8cfbe000
 Size     = 00015700
 Checksum = 00022baa
 TimeDateStamp = 4e7afa1e
Unable to load image \SystemRoot\system32\DRIVERS\SBFWIM.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SBFWIM.sys
*** ERROR: Module load completed but symbols could not be loaded for SBFWIM.sys
AddImage: \SystemRoot\system32\DRIVERS\swenum.sys
 DllBase  = 8d60b000
 Size     = 00001380
 Checksum = 0000b837
 TimeDateStamp = 47918f60
AddImage: \SystemRoot\system32\DRIVERS\ks.sys
 DllBase  = 8cfd4000
 Size     = 0002a000
 Checksum = 00033333
 TimeDateStamp = 49e01ed7
AddImage: \SystemRoot\system32\DRIVERS\mssmbios.sys
 DllBase  = 83c00000
 Size     = 0000a000
 Checksum = 00015a04
 TimeDateStamp = 47918b87
AddImage: \SystemRoot\system32\DRIVERS\umbus.sys
 DllBase  = 8e60d000
 Size     = 0000d000
 Checksum = 0000e69b
 TimeDateStamp = 47919064
AddImage: \SystemRoot\system32\DRIVERS\flpydisk.sys
 DllBase  = 8e61a000
 Size     = 0000a000
 Checksum = 00000000
 TimeDateStamp = 00000000
Unable to load image \SystemRoot\system32\DRIVERS\flpydisk.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for flpydisk.sys
*** ERROR: Module load completed but symbols could not be loaded for flpydisk.sys
AddImage: \SystemRoot\system32\DRIVERS\usbhub.sys
 DllBase  = 8e624000
 Size     = 00035000
 Checksum = 000327b5
 TimeDateStamp = 49e01fe2
AddImage: \SystemRoot\System32\Drivers\NDProxy.SYS
 DllBase  = 8e659000
 Size     = 00011000
 Checksum = 00015341
 TimeDateStamp = 4791910c
AddImage: \SystemRoot\system32\drivers\RTKVHDA.sys
 DllBase  = 8e800000
 Size     = 001f45c0
 Checksum = 001fc95c
 TimeDateStamp = 47987129
Unable to load image \SystemRoot\system32\drivers\RTKVHDA.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for RTKVHDA.sys
*** ERROR: Module load completed but symbols could not be loaded for RTKVHDA.sys
AddImage: \SystemRoot\system32\drivers\portcls.sys
 DllBase  = 8e66a000
 Size     = 0002d000
 Checksum = 00036b7b
 TimeDateStamp = 49e01fc8
Unable to load image \SystemRoot\system32\drivers\portcls.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for portcls.sys
*** ERROR: Module load completed but symbols could not be loaded for portcls.sys
AddImage: \SystemRoot\system32\drivers\drmk.sys
 DllBase  = 8e697000
 Size     = 00025000
 Checksum = 0002c1c6
 TimeDateStamp = 47919e4e
Unable to load image \SystemRoot\system32\drivers\drmk.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for drmk.sys
*** ERROR: Module load completed but symbols could not be loaded for drmk.sys
AddImage: \SystemRoot\System32\Drivers\Fs_Rec.SYS
 DllBase  = 8e9f5000
 Size     = 00009000
 Checksum = 00000000
 TimeDateStamp = 00000000
Unable to load image \SystemRoot\System32\Drivers\Fs_Rec.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Fs_Rec.SYS
*** ERROR: Module load completed but symbols could not be loaded for Fs_Rec.SYS
AddImage: \SystemRoot\System32\Drivers\Beep.SYS
 DllBase  = 8e6bc000
 Size     = 00007000
 Checksum = 0000dc76
 TimeDateStamp = 47918f56
AddImage: \SystemRoot\System32\Drivers\DLARTL_M.SYS
 DllBase  = 8e6c3000
 Size     = 000052e0
 Checksum = 0000958a
 TimeDateStamp = 45cbf2d9
Unable to load image \SystemRoot\System32\Drivers\DLARTL_M.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLARTL_M.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLARTL_M.SYS
AddImage: \??\C:\Windows\system32\drivers\SBREdrv.sys
 DllBase  = 8e6c9000
 Size     = 00017080
 Checksum = 0001a741
 TimeDateStamp = 4f1efbb5
Unable to load image \??\C:\Windows\system32\drivers\SBREdrv.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SBREdrv.sys
*** ERROR: Module load completed but symbols could not be loaded for SBREdrv.sys
AddImage: \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
 DllBase  = 8e6ea000
 Size     = 00006380
 Checksum = 00014cdb
 TimeDateStamp = 4791904c
AddImage: \SystemRoot\System32\drivers\vga.sys
 DllBase  = 8e6f1000
 Size     = 0000c000
 Checksum = 000080ad
 TimeDateStamp = 47919006
AddImage: \SystemRoot\System32\drivers\VIDEOPRT.SYS
 DllBase  = 8e6fd000
 Size     = 00021000
 Checksum = 0001c348
 TimeDateStamp = 4791900a
AddImage: \SystemRoot\System32\DRIVERS\RDPCDD.sys
 DllBase  = 8e71e000
 Size     = 00008000
 Checksum = 000108b3
 TimeDateStamp = 47919224
AddImage: \SystemRoot\system32\drivers\rdpencdd.sys
 DllBase  = 8e726000
 Size     = 00008000
 Checksum = 0000bf16
 TimeDateStamp = 47919225
AddImage: \SystemRoot\System32\Drivers\Msfs.SYS
 DllBase  = 8e72e000
 Size     = 0000b000
 Checksum = 00000000
 TimeDateStamp = 00000000
Unable to load image \SystemRoot\System32\Drivers\Msfs.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Msfs.SYS
*** ERROR: Module load completed but symbols could not be loaded for Msfs.SYS
AddImage: \SystemRoot\System32\Drivers\Npfs.SYS
 DllBase  = 8e739000
 Size     = 0000e000
 Checksum = 00015de4
 TimeDateStamp = 49e01909
AddImage: \SystemRoot\System32\DRIVERS\rasacd.sys
 DllBase  = 8e747000
 Size     = 00009000
 Checksum = 00005e0b
 TimeDateStamp = 4791910f
AddImage: \SystemRoot\System32\drivers\tcpip.sys
 DllBase  = 8f009000
 Size     = 000ea000
 Checksum = 000e6987
 TimeDateStamp = 4f746a14
AddImage: \SystemRoot\System32\drivers\fwpkclnt.sys
 DllBase  = 8f0f3000
 Size     = 0001b000
 Checksum = 00027016
 TimeDateStamp = 49e02076
AddImage: \SystemRoot\system32\DRIVERS\tdx.sys
 DllBase  = 8f10e000
 Size     = 00016000
 Checksum = 00018f45
 TimeDateStamp = 49e02084
AddImage: \SystemRoot\system32\drivers\SbFw.sys
 DllBase  = 8f124000
 Size     = 00054000
 Checksum = 000380c4
 TimeDateStamp = 4f880d77
Unable to load image \SystemRoot\system32\drivers\SbFw.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SbFw.sys
*** ERROR: Module load completed but symbols could not be loaded for SbFw.sys
AddImage: \SystemRoot\system32\DRIVERS\smb.sys
 DllBase  = 8f178000
 Size     = 00014000
 Checksum = 00013db0
 TimeDateStamp = 49e02062
AddImage: \SystemRoot\System32\DRIVERS\netbt.sys
 DllBase  = 8f18c000
 Size     = 00032000
 Checksum = 00032ab7
 TimeDateStamp = 49e0206f
AddImage: \SystemRoot\system32\drivers\afd.sys
 DllBase  = 8e750000
 Size     = 00048000
 Checksum = 00043cfb
 TimeDateStamp = 4db03801
AddImage: \SystemRoot\system32\DRIVERS\pacer.sys
 DllBase  = 8f1be000
 Size     = 00016000
 Checksum = 0001e77c
 TimeDateStamp = 49e0207f
AddImage: \SystemRoot\system32\DRIVERS\netbios.sys
 DllBase  = 8f1d4000
 Size     = 0000e000
 Checksum = 0001677a
 TimeDateStamp = 479190e1
AddImage: \SystemRoot\system32\DRIVERS\wanarp.sys
 DllBase  = 8f1e2000
 Size     = 00013000
 Checksum = 00011f6b
 TimeDateStamp = 4791910f
AddImage: \SystemRoot\system32\DRIVERS\rdbss.sys
 DllBase  = 8e798000
 Size     = 0003c000
 Checksum = 000370ea
 TimeDateStamp = 49e01922
AddImage: \SystemRoot\system32\drivers\nsiproxy.sys
 DllBase  = 8f1f5000
 Size     = 0000a000
 Checksum = 0000acfb
 TimeDateStamp = 479190e6
AddImage: \SystemRoot\System32\Drivers\dfsc.sys
 DllBase  = 8e7d4000
 Size     = 00017000
 Checksum = 0001cba9
 TimeDateStamp = 4da70bb7
AddImage: \SystemRoot\System32\Drivers\crashdmp.sys
 DllBase  = 8e7eb000
 Size     = 0000d000
 Checksum = 000183ed
 TimeDateStamp = 49e01ef0
AddImage: \SystemRoot\System32\Drivers\dump_diskdump.sys
 DllBase  = 8e600000
 Size     = 0000a000
 Checksum = 00008c25
 TimeDateStamp = 49e01eef
AddImage: \SystemRoot\System32\Drivers\dump_nvstor32.sys
 DllBase  = 83de3000
 Size     = 0001d000
 Checksum = 00026a43
 TimeDateStamp = 46bb58d8
Unable to load image \SystemRoot\System32\Drivers\dump_nvstor32.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for dump_nvstor32.sys
*** ERROR: Module load completed but symbols could not be loaded for dump_nvstor32.sys
AddImage: \SystemRoot\system32\DRIVERS\usbccgp.sys
 DllBase  = 99c06000
 Size     = 00017000
 Checksum = 0001c806
 TimeDateStamp = 47919059
AddImage: \SystemRoot\system32\DRIVERS\USBD.SYS
 DllBase  = 99c1d000
 Size     = 00001700
 Checksum = 000024b0
 TimeDateStamp = 4791904d
AddImage: \SystemRoot\system32\DRIVERS\hidusb.sys
 DllBase  = 99c1f000
 Size     = 00009000
 Checksum = 0001001a
 TimeDateStamp = 49e01fc8
AddImage: \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
 DllBase  = 99c28000
 Size     = 00010000
 Checksum = 0000c7ed
 TimeDateStamp = 49e01fc7
AddImage: \SystemRoot\system32\DRIVERS\kbdhid.sys
 DllBase  = 99c38000
 Size     = 00009000
 Checksum = 0001196e
 TimeDateStamp = 49e01ed0
AddImage: \SystemRoot\system32\DRIVERS\NuidFltr.sys
 DllBase  = 99c41000
 Size     = 00007000
 Checksum = 00008bc4
 TimeDateStamp = 4a03eede
Unable to load image \SystemRoot\system32\DRIVERS\NuidFltr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for NuidFltr.sys
*** ERROR: Module load completed but symbols could not be loaded for NuidFltr.sys
AddImage: \SystemRoot\system32\DRIVERS\mouhid.sys
 DllBase  = 99c48000
 Size     = 00008000
 Checksum = 00010b45
 TimeDateStamp = 47918f5c
AddImage: \SystemRoot\system32\DRIVERS\point32k.sys
 DllBase  = 99c50000
 Size     = 0000b000
 Checksum = 00011e09
 TimeDateStamp = 4551810e
Unable to load image \SystemRoot\system32\DRIVERS\point32k.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for point32k.sys
*** ERROR: Module load completed but symbols could not be loaded for point32k.sys
AddImage: \SystemRoot\System32\win32k.sys
 DllBase  = 9ac10000
 Size     = 00205000
 Checksum = 00000000
 TimeDateStamp = 00000000
Unable to load image \SystemRoot\System32\win32k.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for win32k.sys
*** ERROR: Module load completed but symbols could not be loaded for win32k.sys
AddImage: \SystemRoot\System32\drivers\Dxapi.sys
 DllBase  = 99c5b000
 Size     = 0000a000
 Checksum = 00005342
 TimeDateStamp = 47918c4c
AddImage: \SystemRoot\system32\DRIVERS\USBSTOR.SYS
 DllBase  = 99c65000
 Size     = 00015000
 Checksum = 0001fa86
 TimeDateStamp = 49e01fcf
AddImage: \SystemRoot\system32\DRIVERS\monitor.sys
 DllBase  = 99c7a000
 Size     = 0000f000
 Checksum = 0000cb18
 TimeDateStamp = 47919013
AddImage: \SystemRoot\System32\TSDDD.dll
 DllBase  = 9ae30000
 Size     = 00009000
 Checksum = 00000000
 TimeDateStamp = 00000000
Unable to load image \SystemRoot\System32\TSDDD.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for TSDDD.dll
*** ERROR: Module load completed but symbols could not be loaded for TSDDD.dll
AddImage: \SystemRoot\System32\cdd.dll
 DllBase  = 9ae50000
 Size     = 0000e000
 Checksum = 00000000
 TimeDateStamp = 00000000
Unable to load image \SystemRoot\System32\cdd.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for cdd.dll
*** ERROR: Module load completed but symbols could not be loaded for cdd.dll
AddImage: \SystemRoot\System32\ATMFD.DLL
 DllBase  = 9ae60000
 Size     = 0004d000
 Checksum = 00000000
 TimeDateStamp = 00000000
Unable to load image \SystemRoot\System32\ATMFD.DLL, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ATMFD.DLL
*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
AddImage: \SystemRoot\system32\drivers\luafv.sys
 DllBase  = 99c89000
 Size     = 0001b000
 Checksum = 0001ee65
 TimeDateStamp = 47918afb
AddImage: \SystemRoot\system32\DRIVERS\sbapifs.sys
 DllBase  = 99ca4000
 Size     = 00011580
 Checksum = 00015f5f
 TimeDateStamp = 4ed440d9
Unable to load image \SystemRoot\system32\DRIVERS\sbapifs.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for sbapifs.sys
*** ERROR: Module load completed but symbols could not be loaded for sbapifs.sys
AddImage: \SystemRoot\System32\Drivers\DRVNDDM.SYS
 DllBase  = 99cb6000
 Size     = 0000a600
 Checksum = 00013389
 TimeDateStamp = 45ccdaa6
Unable to load image \SystemRoot\System32\Drivers\DRVNDDM.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DRVNDDM.SYS
*** ERROR: Module load completed but symbols could not be loaded for DRVNDDM.SYS
AddImage: \SystemRoot\System32\DLA\DLADResM.SYS
 DllBase  = 99cc1000
 Size     = 000009c0
 Checksum = 00007001
 TimeDateStamp = 454142d3
Unable to load image \SystemRoot\System32\DLA\DLADResM.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLADResM.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLADResM.SYS
AddImage: \SystemRoot\System32\DLA\DLAIFS_M.SYS
 DllBase  = 99cc2000
 Size     = 00017d60
 Checksum = 00022379
 TimeDateStamp = 45414247
Unable to load image \SystemRoot\System32\DLA\DLAIFS_M.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLAIFS_M.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLAIFS_M.SYS
AddImage: \SystemRoot\System32\DLA\DLAOPIOM.SYS
 DllBase  = 99cda000
 Size     = 00004bc0
 Checksum = 0000f9e2
 TimeDateStamp = 454142a3
Unable to load image \SystemRoot\System32\DLA\DLAOPIOM.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLAOPIOM.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLAOPIOM.SYS
AddImage: \SystemRoot\System32\DLA\DLAPoolM.SYS
 DllBase  = 99cdf000
 Size     = 00001dc0
 Checksum = 0001306c
 TimeDateStamp = 4541424a
Unable to load image \SystemRoot\System32\DLA\DLAPoolM.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLAPoolM.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLAPoolM.SYS
AddImage: \SystemRoot\System32\DLA\DLABMFSM.SYS
 DllBase  = 99ce1000
 Size     = 00006e20
 Checksum = 00014f0a
 TimeDateStamp = 45414281
Unable to load image \SystemRoot\System32\DLA\DLABMFSM.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLABMFSM.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLABMFSM.SYS
AddImage: \SystemRoot\System32\DLA\DLABOIOM.SYS
 DllBase  = 99ce8000
 Size     = 000063e0
 Checksum = 0000e760
 TimeDateStamp = 4541427c
Unable to load image \SystemRoot\System32\DLA\DLABOIOM.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLABOIOM.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLABOIOM.SYS
AddImage: \SystemRoot\System32\DLA\DLAUDFAM.SYS
 DllBase  = 99cef000
 Size     = 000156c0
 Checksum = 0002518a
 TimeDateStamp = 4541426e
Unable to load image \SystemRoot\System32\DLA\DLAUDFAM.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLAUDFAM.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLAUDFAM.SYS
AddImage: \SystemRoot\System32\DLA\DLAUDF_M.SYS
 DllBase  = 99d05000
 Size     = 00016340
 Checksum = 0001863c
 TimeDateStamp = 45414259
Unable to load image \SystemRoot\System32\DLA\DLAUDF_M.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DLAUDF_M.SYS
*** ERROR: Module load completed but symbols could not be loaded for DLAUDF_M.SYS
AddImage: \SystemRoot\system32\drivers\spsys.sys
 DllBase  = 99d24000
 Size     = 000b0000
 Checksum = 000b02c1
 TimeDateStamp = 49b69f04
Unable to load image \SystemRoot\system32\drivers\spsys.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for spsys.sys
*** ERROR: Module load completed but symbols could not be loaded for spsys.sys
AddImage: \SystemRoot\system32\DRIVERS\lltdio.sys
 DllBase  = 99dd4000
 Size     = 00010000
 Checksum = 0000f753
 TimeDateStamp = 479190b7
AddImage: \SystemRoot\system32\DRIVERS\nwifi.sys
 DllBase  = a0a00000
 Size     = 0002a000
 Checksum = 0002a3c9
 TimeDateStamp = 49e01fef
AddImage: \SystemRoot\system32\DRIVERS\ndisuio.sys
 DllBase  = a0a2a000
 Size     = 0000a000
 Checksum = 00008cc7
 TimeDateStamp = 479190dc
AddImage: \SystemRoot\system32\DRIVERS\rspndr.sys
 DllBase  = a0a34000
 Size     = 00013000
 Checksum = 0000f1c9
 TimeDateStamp = 479190b7
AddImage: \SystemRoot\system32\drivers\HTTP.sys
 DllBase  = a0a47000
 Size     = 0006d000
 Checksum = 00067345
 TimeDateStamp = 4b804bcb
AddImage: \SystemRoot\System32\DRIVERS\srvnet.sys
 DllBase  = a0ab4000
 Size     = 0001d000
 Checksum = 00026d84
 TimeDateStamp = 4dbabc34
AddImage: \SystemRoot\system32\DRIVERS\bowser.sys
 DllBase  = a0ad1000
 Size     = 00019000
 Checksum = 0001e5a7
 TimeDateStamp = 4d63b8ea
AddImage: \SystemRoot\System32\drivers\mpsdrv.sys
 DllBase  = a0aea000
 Size     = 00015000
 Checksum = 0001d27c
 TimeDateStamp = 479190a5
AddImage: \SystemRoot\system32\drivers\mrxdav.sys
 DllBase  = a0aff000
 Size     = 00021000
 Checksum = 00020709
 TimeDateStamp = 49e0192f
AddImage: \SystemRoot\system32\DRIVERS\mrxsmb.sys
 DllBase  = a0b20000
 Size     = 0001f000
 Checksum = 00021743
 TimeDateStamp = 4dbabc17
AddImage: \SystemRoot\system32\DRIVERS\mrxsmb10.sys
 DllBase  = a0b3f000
 Size     = 00039000
 Checksum = 0004360d
 TimeDateStamp = 4e147fe2
AddImage: \SystemRoot\system32\DRIVERS\mrxsmb20.sys
 DllBase  = a0b78000
 Size     = 00018000
 Checksum = 0001a549
 TimeDateStamp = 4dbabc19
AddImage: \SystemRoot\System32\DRIVERS\srv2.sys
 DllBase  = a0b90000
 Size     = 00028000
 Checksum = 00025450
 TimeDateStamp = 4dbabc35
AddImage: \SystemRoot\System32\DRIVERS\srv.sys
 DllBase  = a1807000
 Size     = 0004f000
 Checksum = 0004c60d
 TimeDateStamp = 4d5e7c30
AddImage: \??\C:\Windows\system32\drivers\cpuz135_x32.sys
 DllBase  = a186e000
 Size     = 00009000
 Checksum = 0000749e
 TimeDateStamp = 4e799f34
Unable to load image \??\C:\Windows\system32\drivers\cpuz135_x32.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for cpuz135_x32.sys
*** ERROR: Module load completed but symbols could not be loaded for cpuz135_x32.sys
AddImage: \SystemRoot\system32\DRIVERS\dsunidrv.sys
 DllBase  = a1877000
 Size     = 00001500
 Checksum = 000080fa
 TimeDateStamp = 45d89b66
Unable to load image \SystemRoot\system32\DRIVERS\dsunidrv.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for dsunidrv.sys
*** ERROR: Module load completed but symbols could not be loaded for dsunidrv.sys
AddImage: \SystemRoot\System32\Drivers\fastfat.SYS
 DllBase  = a1879000
 Size     = 00028000
 Checksum = 00023ebe
 TimeDateStamp = 49e01900
AddImage: \SystemRoot\system32\drivers\peauth.sys
 DllBase  = a18a1000
 Size     = 000de000
 Checksum = 000dbd03
 TimeDateStamp = 453c8384
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for peauth.sys - 
AddImage: \SystemRoot\System32\Drivers\secdrv.SYS
 DllBase  = a197f000
 Size     = 0000a000
 Checksum = 0000f9e8
 TimeDateStamp = 45080528
Unable to load image \SystemRoot\System32\Drivers\secdrv.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for secdrv.SYS
*** ERROR: Module load completed but symbols could not be loaded for secdrv.SYS
AddImage: \SystemRoot\System32\drivers\tcpipreg.sys
 DllBase  = a1989000
 Size     = 0000c000
 Checksum = 0000f162
 TimeDateStamp = 4b1e8c3a
AddImage: \SystemRoot\system32\DRIVERS\WUDFRd.sys
 DllBase  = a1995000
 Size     = 00014580
 Checksum = 0001d526
 TimeDateStamp = 47919040
AddImage: \SystemRoot\system32\DRIVERS\WUDFPf.sys
 DllBase  = a19aa000
 Size     = 00012000
 Checksum = 00016d86
 TimeDateStamp = 47919031
AddImage: \??\C:\Windows\system32\FsUsbExDisk.SYS
 DllBase  = a19bc000
 Size     = 00008f20
 Checksum = 000179ed
 TimeDateStamp = 4acea1a5
Unable to load image \??\C:\Windows\system32\FsUsbExDisk.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for FsUsbExDisk.SYS
*** ERROR: Module load completed but symbols could not be loaded for FsUsbExDisk.SYS
AddImage: \SystemRoot\system32\drivers\tdtcp.sys
 DllBase  = a19c5000
 Size     = 0000b000
 Checksum = 0000a3bc
 TimeDateStamp = 47919224
AddImage: \SystemRoot\System32\DRIVERS\tssecsrv.sys
 DllBase  = a19d0000
 Size     = 0000c000
 Checksum = 0000ecc7
 TimeDateStamp = 4791922b
AddImage: \SystemRoot\System32\Drivers\RDPWD.SYS
 DllBase  = a0bb8000
 Size     = 00033000
 Checksum = 00030923
 TimeDateStamp = 4f9fed41
AddImage: \SystemRoot\system32\DRIVERS\cdfs.sys
 DllBase  = a19dc000
 Size     = 00016000
 Checksum = 0001be30
 TimeDateStamp = 47918a62
AddImage: \SystemRoot\system32\DRIVERS\sbwtis.sys
 DllBase  = a1856000
 Size     = 00015000
 Checksum = 0002075e
 TimeDateStamp = 4f880ded
Unable to load image \SystemRoot\system32\DRIVERS\sbwtis.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for sbwtis.sys
*** ERROR: Module load completed but symbols could not be loaded for sbwtis.sys
AddImage: \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
 DllBase  = a186b000
 Size     = 00001280
 Checksum = 00002fd2
 TimeDateStamp = 4525108a
Unable to load image \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for DSproct.sys
*** ERROR: Module load completed but symbols could not be loaded for DSproct.sys

Loading User Symbols
Loading unloaded module list
......
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

WHEA_UNCORRECTABLE_ERROR (124)
A fatal hardware error has occurred. Parameter 1 identifies the type of error
source that reported the error. Parameter 2 holds the address of the
WHEA_ERROR_RECORD structure that describes the error conditon.
Arguments:
Arg1: 00000000, Machine Check Exception
Arg2: 8eab3020, Address of the WHEA_ERROR_RECORD structure.
Arg3: b6000000, High order 32-bits of the MCi_STATUS value.
Arg4: 00000181, Low order 32-bits of the MCi_STATUS value.

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************

BUGCHECK_STR:  0x124_AuthenticAMD

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  SYSTEM

CURRENT_IRQL:  1c

STACK_TEXT:  
805d8488 8321c9dd 00000124 00000000 8eab3020 nt!KeBugCheckEx+0x1e
805d84dc 8330a4e0 8eab3020 85fc3008 85fc3008 hal!HalBugCheckSystem+0xe1
805d8508 8321c8f1 85fc3008 8322ffb4 805d8544 nt!WheaReportHwError+0x1d0
805d8518 8321cfed 00000003 85fc3008 00000000 hal!HalpReportMachineCheck+0x31
805d8544 8321899f 805d3130 73006900 75002000 hal!HalpMcaExceptionHandler+0x115
805d8544 00000000 805d3130 73006900 75002000 hal!HalpMcaExceptionHandlerWrapper+0x77


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: hardware

IMAGE_NAME:  hardware

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0x124_AuthenticAMD__UNKNOWN

BUCKET_ID:  0x124_AuthenticAMD__UNKNOWN

Followup: MachineOwner
---------
 
Very strange. I see the correct PSHED is indeed loaded, but it still is complaining about symbols. Try one more time, only this time make it .reload /f /o /v PSHED.dll . Shouldn't be any different, but worth a shot.

Ultimately, either the symbols provided by the symbol server are faulty, or we got a messed up module here. Try running !chkimg on the PSHED module to see what we're dealing with. Preferably use the -d, -v and -db options.
 
Thanks for replying,

Code:
1: kd> .reload /f /o /v PSHED.dll
AddImage: \SystemRoot\system32\PSHED.dll
 DllBase  = 80610000
 Size     = 00011000
 Checksum = 00013d00
 TimeDateStamp = 49e037dc
1: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
........................................
Loading User Symbols
Loading unloaded module list
......



Code:
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

WHEA_UNCORRECTABLE_ERROR (124)
A fatal hardware error has occurred. Parameter 1 identifies the type of error
source that reported the error. Parameter 2 holds the address of the
WHEA_ERROR_RECORD structure that describes the error conditon.
Arguments:
Arg1: 00000000, Machine Check Exception
Arg2: 8eab3020, Address of the WHEA_ERROR_RECORD structure.
Arg3: b6000000, High order 32-bits of the MCi_STATUS value.
Arg4: 00000181, Low order 32-bits of the MCi_STATUS value.

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************

BUGCHECK_STR:  0x124_AuthenticAMD

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  SYSTEM

CURRENT_IRQL:  1c

STACK_TEXT:  
805d8488 8321c9dd 00000124 00000000 8eab3020 nt!KeBugCheckEx+0x1e
805d84dc 8330a4e0 8eab3020 85fc3008 85fc3008 hal!HalBugCheckSystem+0xe1
805d8508 8321c8f1 85fc3008 8322ffb4 805d8544 nt!WheaReportHwError+0x1d0
805d8518 8321cfed 00000003 85fc3008 00000000 hal!HalpReportMachineCheck+0x31
805d8544 8321899f 805d3130 73006900 75002000 hal!HalpMcaExceptionHandler+0x115
805d8544 00000000 805d3130 73006900 75002000 hal!HalpMcaExceptionHandlerWrapper+0x77


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: hardware

IMAGE_NAME:  hardware

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0x124_AuthenticAMD__UNKNOWN

BUCKET_ID:  0x124_AuthenticAMD__UNKNOWN

Followup: MachineOwner
---------

Code:
1: kd> !chkimg pshed.dll -d -v -db
Searching for module with expression: pshed.dll
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\symbols\PSHED.dll\49E037DC11000\PSHED.dll
No range specified

Scanning section:    .text
Size: 10364
Range to scan: 80611000-8061387c
Total bytes compared: 10364(100%)
Number of errors: 0

Scanning section:   PAGELK
Size: 92
Range to scan: 80617000-8061705c
Total bytes compared: 92(100%)
Number of errors: 0

Scanning section:     PAGE
Size: 571
Range to scan: 80618000-8061823b
Total bytes compared: 571(100%)
Number of errors: 0
0 errors : pshed.dll

Attached is another crash. The user ran Seagate Tools on their Seagate drive, then rebooted and it crashed.
That crash doesn't have problems? Very strange.
I think that it is a rootkit.
I don't know very much about how smart the rootkit people are, but is it possible they are patching ntoskrnl.exe on the fly?
As soon as the user has done some malware checks I'll report back.
 

Ha, ok, oooone more time on that crashdump, do !chkimg -d -db -v -np PSHED. The -np option will cause it to recognize any patches to its code. You may wanna use -as as well.
 
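A simplified model of the kind of comparison the !chkimg runs in this thread report (relocation fixups applied to the reference file, then a byte-for-byte compare of the loaded section), added here as an example; it is not part of the original posts and not the debugger's implementation. The preferred base, section bytes and relocation offsets are constructed; only the DllBase 80610000 and the .text start 80611000 are taken from the output above.

```python
import struct

# Values taken from the thread's output for PSHED.dll.
LOADED_BASE = 0x80610000      # DllBase reported by .reload /v
SECTION_VA = 0x80611000       # start of the .text range reported by !chkimg

# Everything below is constructed sample data, not bytes from the real module.
PREFERRED_BASE = 0x10000000   # assumed link-time image base
ON_DISK = (
    bytes.fromhex("8bff558b")
    + b"\xa1" + struct.pack("<I", 0x10002000)      # absolute address, fixup at offset 5
    + bytes.fromhex("909090")
    + b"\xff\x15" + struct.pack("<I", 0x10003010)  # absolute address, fixup at offset 14
    + bytes.fromhex("5dc3cccccccc")
)
RELOC_OFFSETS = [5, 14]       # offsets of the 32-bit values the loader rebases


def apply_relocations(section, reloc_offsets, preferred_base, loaded_base):
    """Return a copy of the on-disk section with each 32-bit fixup rebased."""
    delta = (loaded_base - preferred_base) & 0xFFFFFFFF
    out = bytearray(section)
    for off in reloc_offsets:
        (value,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, (value + delta) & 0xFFFFFFFF)
    return bytes(out)


def diff_ranges(memory, reference, section_va):
    """Return (start_va, end_va, mem_bytes, ref_bytes) for each run of differing bytes."""
    if len(memory) != len(reference):
        raise ValueError("section sizes differ")
    ranges, start = [], None
    # Iterate one past the end so a run that reaches the last byte is closed.
    for i in range(len(memory) + 1):
        differs = i < len(memory) and memory[i] != reference[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((section_va + start, section_va + i - 1,
                           memory[start:i], reference[start:i]))
            start = None
    return ranges


def check_section(memory, on_disk, reloc_offsets, preferred_base, loaded_base, section_va):
    """Compare a loaded section against its reference file after rebasing the file."""
    reference = apply_relocations(on_disk, reloc_offsets, preferred_base, loaded_base)
    return diff_ranges(memory, reference, section_va)


# What an unmodified loaded copy looks like: the file with fixups applied.
CLEAN_MEMORY = apply_relocations(ON_DISK, RELOC_OFFSETS, PREFERRED_BASE, LOADED_BASE)

# A loaded copy with two bytes changed at offset 18 (constructed modification).
_patched = bytearray(CLEAN_MEMORY)
_patched[18:20] = b"\x31\xc0"
MODIFIED_MEMORY = bytes(_patched)


if __name__ == "__main__":
    args = (ON_DISK, RELOC_OFFSETS, PREFERRED_BASE, LOADED_BASE, SECTION_VA)
    print("clean, rebased reference :", check_section(CLEAN_MEMORY, *args))
    # Comparing against the raw file flags every rebased address as a mismatch.
    print("clean, raw file          :", diff_ranges(CLEAN_MEMORY, ON_DISK, SECTION_VA))
    for start, end, mem, ref in check_section(MODIFIED_MEMORY, *args):
        print(f"modified: {start:08x}-{end:08x} memory={mem.hex()} file={ref.hex()}")
```

An empty result only covers the bytes of the section that was compared; it says nothing about other modules or about data outside the compared ranges.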
Nah, no good mate. Don't stress it, it's probably a rootkit or the like.

Code:
1: kd> !chkimg -d -db -v -np PSHED
Searching for module with expression: PSHED
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will _NOT_ ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\symbols\PSHED.dll\49E037DC11000\PSHED.dll
No range specified

Scanning section:    .text
Size: 10364
Range to scan: 80611000-8061387c
Total bytes compared: 10364(100%)
Number of errors: 0

Scanning section:   PAGELK
Size: 92
Range to scan: 80617000-8061705c
Total bytes compared: 92(100%)
Number of errors: 0

Scanning section:     PAGE
Size: 571
Range to scan: 80618000-8061823b
Total bytes compared: 571(100%)
Number of errors: 0
0 errors : PSHED

Code:
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

WHEA_UNCORRECTABLE_ERROR (124)
A fatal hardware error has occurred. Parameter 1 identifies the type of error
source that reported the error. Parameter 2 holds the address of the
WHEA_ERROR_RECORD structure that describes the error conditon.
Arguments:
Arg1: 00000000, Machine Check Exception
Arg2: 8eab3020, Address of the WHEA_ERROR_RECORD structure.
Arg3: b6000000, High order 32-bits of the MCi_STATUS value.
Arg4: 00000181, Low order 32-bits of the MCi_STATUS value.

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************

BUGCHECK_STR:  0x124_AuthenticAMD

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  SYSTEM

CURRENT_IRQL:  1c

STACK_TEXT:  
805d8488 8321c9dd 00000124 00000000 8eab3020 nt!KeBugCheckEx+0x1e
805d84dc 8330a4e0 8eab3020 85fc3008 85fc3008 hal!HalBugCheckSystem+0xe1
805d8508 8321c8f1 85fc3008 8322ffb4 805d8544 nt!WheaReportHwError+0x1d0
805d8518 8321cfed 00000003 85fc3008 00000000 hal!HalpReportMachineCheck+0x31
805d8544 8321899f 805d3130 73006900 75002000 hal!HalpMcaExceptionHandler+0x115
805d8544 00000000 805d3130 73006900 75002000 hal!HalpMcaExceptionHandlerWrapper+0x77


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: hardware

IMAGE_NAME:  hardware

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0x124_AuthenticAMD__UNKNOWN

BUCKET_ID:  0x124_AuthenticAMD__UNKNOWN

Followup: MachineOwner
---------
Code:
1: kd> !chkimg -d -db -v -np -as PSHED
Searching for module with expression: PSHED
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will _NOT_ ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\symbols\PSHED.dll\49E037DC11000\PSHED.dll
No range specified

Scanning section:    .text
Size: 10364
Range to scan: 80611000-8061387c
Total bytes compared: 10364(100%)
Number of errors: 0

Scanning section:    .data
Size: 6144
Range to scan: 80614000-80615800
Total bytes compared: 0(0%)
Number of errors: 0

Scanning section:   PAGELK
Size: 92
Range to scan: 80617000-8061705c
Total bytes compared: 92(100%)
Number of errors: 0

Scanning section:     PAGE
Size: 571
Range to scan: 80618000-8061823b
Total bytes compared: 571(100%)
Number of errors: 0

Scanning section:   .edata
Size: 732
Range to scan: 80619000-806192dc
Total bytes compared: 732(100%)
Number of errors: 0
0 errors : PSHED

Code:
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

WHEA_UNCORRECTABLE_ERROR (124)
A fatal hardware error has occurred. Parameter 1 identifies the type of error
source that reported the error. Parameter 2 holds the address of the
WHEA_ERROR_RECORD structure that describes the error conditon.
Arguments:
Arg1: 00000000, Machine Check Exception
Arg2: 8eab3020, Address of the WHEA_ERROR_RECORD structure.
Arg3: b6000000, High order 32-bits of the MCi_STATUS value.
Arg4: 00000181, Low order 32-bits of the MCi_STATUS value.

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************

BUGCHECK_STR:  0x124_AuthenticAMD
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
PROCESS_NAME:  SYSTEM
CURRENT_IRQL:  1c
STACK_TEXT:  
805d8488 8321c9dd 00000124 00000000 8eab3020 nt!KeBugCheckEx+0x1e
805d84dc 8330a4e0 8eab3020 85fc3008 85fc3008 hal!HalBugCheckSystem+0xe1
805d8508 8321c8f1 85fc3008 8322ffb4 805d8544 nt!WheaReportHwError+0x1d0
805d8518 8321cfed 00000003 85fc3008 00000000 hal!HalpReportMachineCheck+0x31
805d8544 8321899f 805d3130 73006900 75002000 hal!HalpMcaExceptionHandler+0x115
805d8544 00000000 805d3130 73006900 75002000 hal!HalpMcaExceptionHandlerWrapper+0x77
STACK_COMMAND:  kb
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: hardware
IMAGE_NAME:  hardware
DEBUG_FLR_IMAGE_TIMESTAMP:  0
FAILURE_BUCKET_ID:  0x124_AuthenticAMD__UNKNOWN
BUCKET_ID:  0x124_AuthenticAMD__UNKNOWN
Followup: MachineOwner
 
This is just a hunch, but are you running WinDBG at Admin level? It might not be recognizing the kernel files because you aren't getting access to them. ????
 
Thanks for the reply.
I never run as Admin as there is never any reason to, if the correct permissions are applied.

But I tried running Windbg as Admin anyway, just to see if there was a difference. It was the same result.


Thanks anyway.
 
I don't think we're dealing with a rootkit here. If PSHED was replaced, we should be seeing a good bit of errors (or at least a jmp instruction worth) from !chkimg because it doesn't match up with the one saved by the MS symbol server. There is the possibility that for whatever reason the PSHED module had a section or two paged out onto the paging file on disk, which obviously cannot be retrieved when creating a crashdump. Otherwise I do not see how this could be faulting on ya.

Btw, does anything come up when you type in dt !_WHEA_ERROR_RECORD_HEADER?

The last test we haven't done is use either of the -nar and -noplock switches for !chkimg. The first is used in very rare cases and I'm not entirely sure how it operates but it may or may not work. I think it's only used for live debugging but not certain on that. The latter option forces it to also check between two extra types of instructions.

One last thing that I don't believe we've seen you do, and that's to do lmvm PSHED and see what that comes up with.

Other than all this, I'm pretty much stumped.
 
Mate,

Thanks for your patience.
Code:
1: kd> dt !_WHEA_ERROR_RECORD_HEADER
hal!_WHEA_ERROR_RECORD_HEADER
   +0x000 Signature        : Uint4B
   +0x004 Revision         : _WHEA_REVISION
   +0x006 SignatureEnd     : Uint4B
   +0x00a SectionCount     : Uint2B
   +0x00c Severity         : _WHEA_ERROR_SEVERITY
   +0x010 ValidBits        : _WHEA_ERROR_RECORD_HEADER_VALIDBITS
   +0x014 Length           : Uint4B
   +0x018 Timestamp        : _WHEA_TIMESTAMP
   +0x020 PlatformId       : _GUID
   +0x030 PartitionId      : _GUID
   +0x040 CreatorId        : _GUID
   +0x050 NotifyType       : _GUID
   +0x060 RecordId         : Uint8B
   +0x068 Flags            : _WHEA_ERROR_RECORD_HEADER_FLAGS
   +0x06c PersistenceInfo  : _WHEA_PERSISTENCE_INFO
   +0x074 Reserved         : [12] UChar

Code:
1: kd> lmvm PSHED
start    end        module name
80610000 80621000   PSHED      (pdb symbols)          c:\symbols\pshed.pdb\F21E46EE8A7C4F30AF782AF5D031DFAB1\pshed.pdb
    Loaded symbol image file: PSHED.dll
    Mapped memory image file: c:\symbols\PSHED.dll\49E037DC11000\PSHED.dll
    Image path: \SystemRoot\system32\PSHED.dll
    Image name: PSHED.dll
    Timestamp:        Sat Apr 11 16:25:32 2009 (49E037DC)
    CheckSum:         00013D00
    ImageSize:        00011000
    File version:     6.0.6002.18005
    Product version:  6.0.6002.18005
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        3.7 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     pshed.dll
    OriginalFilename: pshed.dll
    ProductVersion:   6.0.6002.18005
    FileVersion:      6.0.6002.18005 (lh_sp2rtm.090410-1830)
    FileDescription:  Platform Specific Hardware Error Driver
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
 
Well that shows that your symbols appear ok and are being read. I personally scrutinized over the data structures myself from the minidump and found everything seems to fit ok, but I haven't been able to progress further to find Section 3 where the actual error code is located. Maybe I'm looking at it wrong, but what I found strange is that it only appears there's one section available, and not 3 which is typical:

Code:
1: kd> dt !_WHEA_ERROR_RECORD 8eab3020
hal!_WHEA_ERROR_RECORD
   +0x000 Header           : _WHEA_ERROR_RECORD_HEADER
   +0x080 SectionDescriptor : [1] _WHEA_ERROR_RECORD_SECTION_DESCRIPTOR

I believe there should be an array of 3 section descriptors, not just one. Again, I'm concerned I may be looking at it wrong, but when I did expand everything I could not find any other sections. Maybe the problem here was that in the minidump the other sections were not written by the drivers responsible, and therefore !errrec took it as bad symbols? I dunno. Either way, it looks like one has to figure this out through the MCi_Status code, as explained here.
 
I wonder if this is the result of some sort of plug-in (for PSHED) misbehavior or if there's a problem with the way that ETW events are preserved through a BSOD crash and reboot. I discussed a bit about this here: https://www.sysnative.com/forums/sh...s-happens-WinDbg?p=23119&viewfull=1#post23119

I don't have a clue about how to go about fixing it tho'
I do wonder about the Gteko diagnostic drivers (I think they're licensed to Dell for the wifi stuff) tho. They're the only obvious "diagnostic" stuff that I can see.
 
For what it's worth, I cheated a bit and managed to get your dump opened and had a peek at the error record:

Code:
 1: kd> !errrec 8eab3020
===============================================================================
Common Platform Error Record @ 8eab3020
-------------------------------------------------------------------------------
Revision      : 2.1
Record Id     : 01cd61e3d017cea3
Severity      : Fatal (1)
Length        : 1730
Creator       : Microsoft
Notify Type   : Machine Check Exception
Timestamp     : 7/14/2012 19:19:26 (UTC)
Flags         : 0x00000000

===============================================================================
Section 0     : Processor Generic
-------------------------------------------------------------------------------
Descriptor    @ 8eab30a0
Section       @ 8eab3178
Offset        : 344
Length        : 192
Flags         : 0x00000001 Primary
Severity      : Fatal
No valid data fields are present.

===============================================================================
Section 1     : {390f56d5-ca86-4649-95c4-73a408ae5834}
-------------------------------------------------------------------------------
Descriptor    @ 8eab30e8
Section       @ 8eab3238
Offset        : 536
Length        : 658
Flags         : 0x00000000
Severity      : Fatal
*** Unknown section format ***

===============================================================================
Section 2     : Error Packet
-------------------------------------------------------------------------------
Descriptor    @ 8eab3130
Section       @ 8eab34ca
Offset        : 1194
Length        : 536
Flags         : 0x00000000
Severity      : Fatal
   WHEA Error Packet Info Section (@ 8eab34ca)
   Flags            : 0x00000000
   Size             : 0x218
   RawDataLength    : 0x392
   Context          : 0x0000000000000000
   ErrorType        : 0x0 - Processor
   ErrorSeverity    : 0x1 - Fatal
   ErrorSourceId    : 0x0
   ErrorSourceType  : 0x0 - MCE
   Version          : 00000002
   Cpu              : 0000000000000001
   RawDataFormat    : 0x1 - x86 MCA
   Raw Data         : Located @ FFFFFFFF8EAB35E2
Processor Error: (Bus Interconnect Error)
This error means either the processor is damaged or perhaps
voltage and/or temperature thresholds have been exceeded.
If the problem continues to occur, replace the processor.
Processor Number : 1
Bank Number      : 1
   Status  : B600000000000181
   Address : 000000000303BBC0 (V)
   Misc    : 0000000000000000 (I)


1: kd> lmvm nt
start    end        module name
83249000 83603000   nt         (private pdb symbols)
    Loaded symbol image file: ntkrpamp.exe
    Mapped memory image file: d:\symcache\ntkrnlpa.exe\4F79A9BE3ba000\ntkrnlpa.exe
    Image path: ntkrpamp.exe
    Image name: ntkrpamp.exe
    Timestamp:        Mon Apr 02 09:29:34 2012 (4F79A9BE)
    CheckSum:         003749BC
    ImageSize:        003BA000
    File version:     6.0.6002.18607
    Product version:  6.0.6002.18607
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntkrpamp.exe
    OriginalFilename: ntkrpamp.exe
    ProductVersion:   6.0.6002.18607
    FileVersion:      6.0.6002.18607 (vistasp2_gdr.120402-0336)
    FileDescription:  NT Kernel & System
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

1: kd> lmvm hal
start    end        module name
83216000 83249000   hal        (private pdb symbols)
    Loaded symbol image file: halmacpi.dll
    Mapped memory image file: d:\symcache\halmacpi.dll\49E018D933000\halmacpi.dll
    Image path: halmacpi.dll
    Image name: halmacpi.dll
    Timestamp:        Sat Apr 11 00:13:13 2009 (49E018D9)
    CheckSum:         0003343C
    ImageSize:        00033000
    File version:     6.0.6002.18005
    Product version:  6.0.6002.18005
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     halmacpi.dll
    OriginalFilename: halmacpi.dll
    ProductVersion:   6.0.6002.18005
    FileVersion:      6.0.6002.18005 (lh_sp2rtm.090410-1830)
    FileDescription:  Hardware Abstraction Layer DLL
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
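
When !errrec cannot read the record, the MCi_STATUS value can still be recovered from the bugcheck parameters alone, as suggested earlier in the thread. The following is an added example, not code from any poster: it parses the `BugCheck 124, {...}` line, joins Arg3 and Arg4 into the 64-bit status, and decodes the architectural x86 MCA flag bits. The function names are hypothetical, and the sample line is the one from the first post.

```python
import re

# Architectural flag bits of the 64-bit MCi_STATUS register (x86 MCA).
STATUS_FLAGS = {
    "VAL": 63,    # register holds a valid logged error
    "OVER": 62,   # an earlier error was overwritten
    "UC": 61,     # error was not corrected by hardware
    "EN": 60,     # reporting of this error was enabled
    "MISCV": 59,  # MCi_MISC holds valid data
    "ADDRV": 58,  # MCi_ADDR holds valid data
    "PCC": 57,    # processor context may be corrupt
}

BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")


def status_from_bugcheck(line):
    """Return the 64-bit MCi_STATUS carried by a 'BugCheck 124, {...}' line."""
    m = BUGCHECK_RE.search(line)
    if m is None:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    if code != 0x124 or len(args) != 4:
        raise ValueError("not a WHEA_UNCORRECTABLE_ERROR (0x124) bugcheck")
    if args[0] != 0:
        # The parameter description quoted in the thread is for Arg1 = 0,
        # "Machine Check Exception"; other sources are not handled here.
        raise ValueError("Arg1 is not 0 (Machine Check Exception)")
    high, low = args[2], args[3]
    if high > 0xFFFFFFFF or low > 0xFFFFFFFF:
        raise ValueError("Arg3 and Arg4 must each fit in 32 bits")
    return (high << 32) | low


def decode_status(status):
    """Split MCi_STATUS into its flag bits and the two 16-bit code fields."""
    flags = {name: bool((status >> bit) & 1) for name, bit in STATUS_FLAGS.items()}
    return {
        "flags": flags,
        "mca_error_code": status & 0xFFFF,              # bits 15:0
        "model_specific_code": (status >> 16) & 0xFFFF,  # bits 31:16
    }


def describe(status):
    """Return short triage notes derived from the flag bits only."""
    flags = decode_status(status)["flags"]
    if not flags["VAL"]:
        return ["VAL clear: the register does not hold a logged error"]
    notes = []
    notes.append("uncorrected error" if flags["UC"] else "corrected error")
    if flags["PCC"]:
        notes.append("processor context may be corrupt")
    if flags["OVER"]:
        notes.append("an earlier error was overwritten")
    notes.append("MCi_ADDR is valid" if flags["ADDRV"] else "MCi_ADDR is not valid")
    notes.append("MCi_MISC is valid" if flags["MISCV"] else "MCi_MISC is not valid")
    return notes


if __name__ == "__main__":
    # Bugcheck line as posted at the top of the thread.
    sample = "BugCheck 124, {0, 8eab3020, b6000000, 181}"
    status = status_from_bugcheck(sample)
    print("MCi_STATUS = %016X" % status)
    decoded = decode_status(status)
    for name, value in decoded["flags"].items():
        print("  %-5s = %d" % (name, value))
    print("  MCA error code      = 0x%04X" % decoded["mca_error_code"])
    print("  model-specific code = 0x%04X" % decoded["model_specific_code"])
    for note in describe(status):
        print("  -", note)
```

For the posted dump this yields the same value as the Status line in the !errrec output above, with ADDRV set and MISCV clear, which lines up with the `(V)` and `(I)` markers beside Address and Misc there (assuming those markers mean valid and invalid).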
 
!errrec 8eab3020

That doesn't work for me.

Code:
1: kd> !errrec 8eab3020
===============================================================================
Common Platform Error Record @ 8eab3020
-------------------------------------------------------------------------------
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
Signature     : *** INVALID ***
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
Revision      : 0.0
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
Record Id     : 0000000000000000
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
Severity      : Recoverable (0)
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
Length        : 0
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
Creator       : {7264675f-312e-3032-3430-322d30333336}
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
Notify Type   : {7264675f-312e-3032-3430-322d30333336}
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
Flags         : 0x00000000

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: pshed!_WHEA_ERROR_RECORD_HEADER                ***
***                                                                   ***
*************************************************************************

How were you able to get around the errors?
 
I have the correct symbols in my cache - try not caching at all:
Code:
.logopen %userprofile%\desktop\symbols.log
.sympath SRV*http://msdl.microsoft.com/download/symbols
!sym noisy
.reload /f
!analyze -v
!errrec 8eab3020
.logclose
If that doesn't work, it could be a problem with the public symbol server. You should have a log on your desktop called symbols.log at that point that you can upload and I can look at as well.
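When reading a log like the one requested above, the repeated symbol banner buries the few fields that did print. The following is an added example, not part of either post: it collapses the banners into a count per missing type and lists the surviving field lines. The sample log is constructed in the shape of the output quoted in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter

_STARS = "*" * 73

def _banner(type_ref):
    # Shortened copy of the "not using the correct symbols" banner.
    return "\n".join([
        _STARS,
        "***    Your debugger is not using the correct symbols                 ***",
        f"***    Type referenced: {type_ref}                ***",
        _STARS,
    ])

# Constructed sample input, modelled on the !errrec output in this thread.
SAMPLE_LOG = "\n".join([
    _banner("pshed!_WHEA_ERROR_RECORD_HEADER"),
    "Creator       : {7264675f-312e-3032-3430-322d30333336}",
    _banner("pshed!_WHEA_ERROR_RECORD_HEADER"),
    "Flags         : 0x00000000",
    "",
    _banner("pshed!_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR"),
])

BANNER_LINE = re.compile(r"^\*{3}.*\*{3}\s*$")
TYPE_REF = re.compile(r"Type referenced:\s*(?P<module>[^!\s]+)!(?P<type>\S+)")
FIELD = re.compile(r"^(?P<name>[A-Za-z][\w ]*?)\s*:\s*(?P<value>.+)$")

def summarize(log_text):
    """Return (Counter of (module, type) the debugger could not resolve,
    list of (field, value) lines that printed between the banners)."""
    missing, fields = Counter(), []
    for line in log_text.splitlines():
        ref = TYPE_REF.search(line)
        if ref:
            missing[(ref["module"], ref["type"])] += 1
        elif BANNER_LINE.match(line) or not line.strip():
            continue  # banner padding or blank line
        else:
            field = FIELD.match(line)
            if field:
                fields.append((field["name"].strip(), field["value"].strip()))
    return missing, fields

def modules_needing_symbols(missing):
    """Modules whose PDBs lacked the type information the command asked for."""
    return sorted({module for module, _ in missing})

if __name__ == "__main__":
    missing, fields = summarize(SAMPLE_LOG)
    for (module, type_name), count in missing.most_common():
        print(f"{count:3d}x {module}!{type_name}")
    print("fields:", fields)
```
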
 
