A Mind Lost

Anything and everything.

Bye bye Blue Screen

A while back I wrote about reinstalling Windows due to my inability to track down the cause of frequent OS crashes.  About a week ago, they started up again.  Coincidentally, I had also just gotten back in to playing The Lord of the Rings Online again (I’ve been playing off and on since the open beta back in ’07; that lifetime membership has more than paid for itself).

The error, PAGE_FAULT_IN_NONPAGED_AREA, is pretty common and pretty vague.  Simply put, it means that something tried to access a region of memory that it shouldn’t have (an over simplification, to be sure).  To figure out what was really going on I turned to Microsoft’s Debugging Tools for Windows.  I’ve never been particularly good at debugging; unfortunately I fell in to the bad habit of brute-force debugging when I was learning how to program (lots of printf’s scattered throughout my program, removed or ignored via preprocessor macros once things were working properly).


Before any of this is useful, Windows must be configured to write a memory dump upon crashing.  This is done via the “System” control panel applet, or by right-clicking on “Computer” and selecting “Properties->Advanced system settings->Startup and Recovery”. I prefer the system not automatically restart.

One other thing to mention is that the MEMORY.DMP file is created with restrictive permissions that do not allow regular users to read them.  This is easily rectified by modifying the file permissions, either by adding “Everyone” or changing those for your account, granting Full control:


Next, the debugger must be informed of the location of the symbol files, which provide the names of functions and data to make debugging easier:

C:\Program Files\Debugging Tools for Windows (x64)\symbols is the local location I chose to store symbols, while http://msdl.microsoft.com/download/symbols is the online repository used when no information is available locally.

Finally, select “Open Crash Dump” from WinDbg’s File menu, and select C:\Windows\MEMORY.DMP.  The debugger will chug along and finally generate something akin to the following (some whitespace removed for brevity):

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\Program Files\Debugging Tools for Windows (x64)\symbols\*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`03002000 PsLoadedModuleList = 0xfffff800`0323fe50
Debug session time: Fri Mar  4 17:10:23.656 2011 (UTC - 4:00)
System Uptime: 0 days 4:57:37.139
Loading Kernel Symbols
...............................................................
................................................................
.......Page 117623 not present in the dump file. Type ".hh dbgerr004" for details
........................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`fffdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ffffffff87410000, 0, fffff80003093e60, 5}

*** ERROR: Module load completed but symbols could not be loaded for ctoss2k.sys
*** ERROR: Module load completed but symbols could not be loaded for ctaud2k.sys
*** ERROR: Module load completed but symbols could not be loaded for ctprxy2k.sys
Probably caused by : ctoss2k.sys ( ctoss2k+5d92 )

Followup: MachineOwner
---------

Click on !analyze -v and the debugger will attempt to figure out exactly what went wrong.

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffffff87410000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80003093e60, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000005, (reserved)

Debugging Details:
------------------
READ_ADDRESS:  ffffffff87410000 

FAULTING_IP: 
nt!MmProbeAndLockPages+130
fffff800`03093e60 410fb601        movzx   eax,byte ptr [r9]

MM_INTERNAL_CODE:  5
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x50
PROCESS_NAME:  lotroclient.ex
CURRENT_IRQL:  0

TRAP_FRAME:  fffff88005ed8480 -- (.trap 0xfffff88005ed8480)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000412 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000412 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80003093e60 rsp=fffff88005ed8610 rbp=fffff88005ed87b0
 r8=fffffa80042bf030  r9=ffffffff87410000 r10=0000000000000411
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac pe nc
nt!MmProbeAndLockPages+0x130:
fffff800`03093e60 410fb601        movzx   eax,byte ptr [r9] ds:0220:0000=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800030f1b91 to fffff80003073f00

STACK_TEXT:  
fffff880`05ed8318 fffff800`030f1b91 : 00000000`00000050 ffffffff`87410000 00000000`00000000 fffff880`05ed8480 : nt!KeBugCheckEx
fffff880`05ed8320 fffff800`03071fee : 00000000`00000000 ffffffff`ffffffff fffff6fd`40021500 000bcbfd`03073153 : nt! ?? ::FNODOBFM::`string'+0x40f5b
fffff880`05ed8480 fffff800`03093e60 : 00000000`00000033 00000000`774e6350 00000000`0008d898 00000000`0000002b : nt!KiPageFault+0x16e
fffff880`05ed8610 fffff880`04597d92 : fffffa80`042bf000 fffff880`00000000 00000000`00000002 ffffffff`87410000 : nt!MmProbeAndLockPages+0x130
fffff880`05ed8720 fffff880`044d4c0a : fffffa80`097b90d0 fffffa80`04490430 fffffa80`097b90d0 00000000`00000000 : ctoss2k+0x5d92
fffff880`05ed8760 fffff880`044c184a : 00000000`0000000f fffffa80`090d78c0 fffffa80`097b9100 fffff800`030d2c67 : ctaud2k+0x2bc0a
fffff880`05ed8890 fffff880`044b74ee : 00000000`00000000 00000000`00000000 ffffffff`00000001 fffff6fb`80009e08 : ctaud2k+0x1884a
fffff880`05ed88f0 fffff880`044e3da2 : 00000000`00000424 fffffa80`06e5aec8 00000000`20206f49 00000000`0000000f : ctaud2k+0xe4ee
fffff880`05ed8970 fffff880`057fd785 : fffffa80`04650cf0 fffffa80`06c65d60 fffffa80`04650dc0 00000000`00000001 : ctaud2k+0x3ada2
fffff880`05ed89d0 fffff800`0338c3a7 : fffffa80`06e11890 fffff880`00000000 fffff880`05ed8ca0 fffffa80`06e11890 : ctprxy2k+0x5785
fffff880`05ed8a10 fffff800`0338cc06 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607
fffff880`05ed8b40 fffff800`03073153 : 00000000`0006814c 00000000`00000004 00000000`750c2450 00000000`0008ec70 : nt!NtDeviceIoControlFile+0x56
fffff880`05ed8bb0 00000000`750c2dd9 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0008ebf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x750c2dd9

STACK_COMMAND:  kb
FOLLOWUP_IP: 
ctoss2k+5d92
fffff880`04597d92 488b4b28        mov     rcx,qword ptr [rbx+28h]

SYMBOL_STACK_INDEX:  4
SYMBOL_NAME:  ctoss2k+5d92
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: ctoss2k
IMAGE_NAME:  ctoss2k.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4a26b997
FAILURE_BUCKET_ID:  X64_0x50_ctoss2k+5d92
BUCKET_ID:  X64_0x50_ctoss2k+5d92
Followup: MachineOwner
---------

The end result was that ctoss2k.sys was the culprit.  Examining the offending file, it turned out to be part of Creative’s Sound Blaster X-Fi drivers.  The solution was considerably easier than I could have hoped, and is something I recommend everyone in possession of a Creative sound card do:

1) Power down the computer.

2) Unplug the power supply (just in case).

3) Open the computer case.

4) Remove the offending hardware.

5) Throw offending hardware out the nearest window.

6) Never, ever buy another Creative product.  Ever.

I cannot stress #6 enough. I have not been satisfied with a single Creative sound card since my Sound Blaster AWE64 Gold circa 1997.  That includes the Live!, two generations of the Audigy, and now the Xtreme Gamer card.

If this seems like an overly long post that could easily have made its point in at most two paragraphs, you’re absolutely correct.  However, I try to be both informational, and educational whenever possible. I also like the sound of my own digital voice.

I’ve been using my motherboard’s (an ASUS P7P55D) on-board audio (HD AUDIO provided by the VIA 1828S codec), and have not had a single issue. I’m not a hardcore audiophile, but I do listen to a lot of music, and I haven’t been able to discern any noticeable difference in quality between the on-board and Creative hardware.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: