Blue Screen after latest Sec Patches

This month's security patches blue screen my machine, I have to boot into safe mode and remove them.

KB920872
KB920685
KB922582
KB919007

Looking at the memory dump CLASSPNP.SYS seems to be the culprit. I confirmed that it was one of the sec patches by reinstalling them and getting the blue screen once more. Then removed them and everything is fine again.

I wish they would have QA'ed the patches properly.

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 14/09/2006
Time: 6:43:28 p.m.
User: N/A
Computer: EMPEROR
Description:
Error code 0000000a, parameter1 f8830478, parameter2 00000002, parameter3 00000001, parameter4 805001a6.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 30 30 30 30 30 30 30    0000000
0020: 61 20 20 50 61 72 61 6d   a  Param
0028: 65 74 65 72 73 20 66 38   eters f8
0030: 38 33 30 34 37 38 2c 20   830478, 
0038: 30 30 30 30 30 30 30 32   00000002
0040: 2c 20 30 30 30 30 30 30   , 000000
0048: 30 31 2c 20 38 30 35 30   01, 8050
0050: 30 31 61 36               01a6

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {f8830478, 2, 1, 805001a6}

*** ERROR: Module load completed but symbols could not be loaded for nvraid.sys
*** ERROR: Module load completed but symbols could not be loaded for nvatabus.sys
Probably caused by : CLASSPNP.SYS ( CLASSPNP!ClassCompleteRequest+11 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: f8830478, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 805001a6, address which referenced memory

Debugging Details:
------------------

OVERLAPPED_MODULE:

WRITE_ADDRESS: f8830478 Nonpaged pool expansion

CURRENT_IRQL: 2

FAULTING_IP:
nt!KiUnlinkThread+0
805001a6 095154 or [ecx+0x54],edx

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 80500214 to 805001a6

TRAP_FRAME: 80548b24 -- (.trap ffffffff80548b24)
ErrCode = 00000002
eax=80548bc4 ebx=ba3a1088 ecx=f8830424 edx=00000100 esi=f8830424 edi=00000000
eip=805001a6 esp=80548b98 ebp=80548ba8 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296
nt!KiUnlinkThread:
805001a6 095154 or [ecx+0x54],edx ds:0023:f8830478=????????
Resetting default scope

STACK_TEXT:
80548b94 80500214 ba3a1080 ba3a1088 00000100 nt!KiUnlinkThread
80548ba8 8050040b 00000000 80548bc4 00000000 nt!KiUnwaitThread+0x12
80548bd4 804f8c60 85cd4d3f 85cd4b40 00000000 nt!KiWaitTest+0xab
80548be8 f71ebed5 ba3a1080 00000000 00000000 nt!KeSetEvent+0x58
80548bfc 804f0362 86c99020 85cd4b40 ba3a1074 Ntfs!NtfsSingleSyncCompletionRoutine+0x16
80548c2c f74c7c70 80548c5c f74c7f54 86cec030 nt!IopfCompleteRequest+0xa2
80548c34 f74c7f54 86cec030 85cd4b40 00000001 CLASSPNP!ClassCompleteRequest+0x11
80548c5c 804f0362 00000000 85d9a6c0 85d9a858 CLASSPNP!TransferPktComplete+0x180
80548c8c f74c7c70 80548cb4 f72f2169 86d28db8 nt!IopfCompleteRequest+0xa2
80548c94 f72f2169 86d28db8 85d9a6c0 00000000 CLASSPNP!ClassCompleteRequest+0x11
WARNING: Stack unwind information not available. Following frames may be wrong.
80548cb4 f72f35a3 86d28db8 85d9a6c0 f72fa15c nvraid+0x3169
80548cec f72f49e1 85cd0bc8 f72f3554 85cd0bc8 nvraid+0x45a3
80548d40 f72e7c6f 85da0b40 86d290e8 85df1488 nvraid+0x59e1
80548d58 f72e1d42 86d29564 85da0b40 00000000 nvatabus+0xfc6f
80548d8c f72e928f 00d290e8 00000001 00000000 nvatabus+0x9d42
80548db4 f72ea264 86d290e8 00000000 00000060 nvatabus+0x1128f
80548ddc f72ea7f8 00d7b438 00000001 00000000 nvatabus+0x12264
80548e2c 80540d5d 86d7b98c 86d7b438 00000000 nvatabus+0x127f8
80548e50 80540cd6 00000000 0000000e 00000000 nt!KiRetireDpcList+0x46

FOLLOWUP_IP:
CLASSPNP!ClassCompleteRequest+11
f74c7c70 5d pop ebp

SYMBOL_STACK_INDEX: 6

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: CLASSPNP!ClassCompleteRequest+11

MODULE_NAME: CLASSPNP

IMAGE_NAME: CLASSPNP.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 41107ec2

STACK_COMMAND: .trap ffffffff80548b24 ; kb

FAILURE_BUCKET_ID: 0xA_W_CLASSPNP!ClassCompleteRequest+11

BUCKET_ID: 0xA_W_CLASSPNP!ClassCompleteRequest+11

Followup: MachineOwner
---------

Hey Redstorm

MS does test patches pretty heavily, and has a group of non-MS "volunteers" that test them before release. It is however, pretty hard (impossible?) to cover all of the permutations of hardware, driver versions, etc. that are out there.

You should apply the patches that do not carry the culprit, and then check for updated BIOS and drivers for your hardware (looks like the nvidia mobo chipset). If you then still cannot install the patch, then call MS at their PCSafety number, letting them know that you are unable to apply that patch.
http://support.microsoft.com/?pr=SecurityHome

"Redstorm" <Redst***@discussions.microsoft.com> wrote in message news:B3CD39C8-D6D4-4AC6-8C4C-D3A1E7C5E4B7@microsoft.com...
> This month's security patches blue screen my machine, I have to boot into
> safe mode and remove them.
>
> KB920872
> KB920685
> KB922582
> KB919007
>
> Looking at the memory dump CLASSPNP.SYS seems to be the culprit. I
> confirmed that it was one of the sec patches by reinstalling them and
> getting the blue screen once more. Then removed them and everything is
> fine again.
>
> I wish they would have QA'ed the patches properly.

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:egWJa781GHA.2196@TK2MSFTNGP06.phx.gbl...
> Hey Redstorm
>
> MS does test patches pretty heavily, and has a group
> of non-MS "volunteers" that test them before release.
> It is however, pretty hard (impossible?) to cover all of
> the permutations of hardware, driver versions, etc. that
> are out there.
>
> You should apply the patches that do not carry the
> culprit, and then check for updated BIOS and drivers
> for your hardware (looks like the nvidia mobo chipset).
> If you then still cannot install the patch, then call MS at
> their PCSafety number, letting them know that you are
> unable to apply that patch.
> http://support.microsoft.com/?pr=SecurityHome

... and note that calls to Microsoft for security patch problems are free.

--
kind regards,
Karl Levinson, CISSP, CCSA, MCSE [MS MVP]
--------------------------------
Microsoft Security FAQ:
http://securityadmin.info

"karl levinson, mvp" <levinso***@securityadmin.info> wrote in message news:eVo1Mc$1GHA.1288@TK2MSFTNGP03.phx.gbl...
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:egWJa781GHA.2196@TK2MSFTNGP06.phx.gbl...
>> Hey Redstorm
>>
>> MS does test patches pretty heavily, and has a group
>> of non-MS "volunteers" that test them before release.
>> It is however, pretty hard (impossible?) to cover all of
>> the permutations of hardware, driver versions, etc. that
>> are out there.
>>
>> You should apply the patches that do not carry the
>> culprit, and then check for updated BIOS and drivers
>> for your hardware (looks like the nvidia mobo chipset).
>> If you then still cannot install the patch, then call MS at
>> their PCSafety number, letting them know that you are
>> unable to apply that patch.
>> http://support.microsoft.com/?pr=SecurityHome
>
> ... and note that calls to Microsoft for security patch problems are free.

Yes, and not just free, but they also trigger a straight-shot alert to the MSRC parties responsible for the patch if it is a not yet seen issue, and otherwise go into the impact rating counts used to assess severity of problem with the patch.

Roger