#1
Windows XP 64 - Blue Screen of Death - no event logging?
Hi all,

So I have set Event logging with small memory dump in XP 64 bit, in the System Properties/Startup & Recovery, in order to diagnose a BSOD in win32k.sys, page_fault_in_nonpaged_area.

Unfortunately, when my PC blue screens, no event is written, and no minidump appears in the minidump folder. I have tried this both with letting the PC reboot automatically, and without.

How do I ensure a minidump appears, and a system log entry is written?

Cheers
Vandervecken

PS Crossposted purposely in XP 64 bit discussion, and accidentally in XP Media Center.
#2
Did this start happening after the last Windows update?

If it did then there is malware on your computer.
#3
Have you searched your system for files that start with mini and/or end in .dmp?
#4
Some confusion here - Event viewer can be used to view the "log" on a remote computer (the 32 machine) - setting the terms of event capture on the 64 machine does not affect logging on the 32 machine.

An option may be to activate boot logging on the BSOD computer (providing you can do so via Safe Mode menu options).
#5
Hi guys,

I thought I had found the source and removed a small Firewire card that had some errors, but it isn't the cause. They are back.

In answer to your questions:

1) I don't think this started happening after the windows update. I do pretty good malware checking on my machine, and I thought the rootkit-related problem caused much more regular problems. This problem is very intermittent.

2) I have gone looking for the minidump files. There are no recent minidumps anywhere on C drive corresponding to the correct event times.

3) There is no 32bit machine. There is just the 64 bit one. The BSOD is not immediate, I have run the computer just fine over the last couple of days. I have activated event logging, but events are not being logged.

Regards,
Vandervecken
#6
Try this site: http://oca.microsoft.com/en/windiag.asp

You might find something useful. You could also download a copy of 'memtest': http://www.memtest.org/

Run it for 24 hours via USB or floppy disk if possible and see what transpires.

--
Carmel
#7
You do not have the affliction related to the MS updates of 02/09/10 or your system would not boot at all until you fixed it.

I am confused with this talk of 23/64 bit. Those are two different versions of Windows so let's figure out what you have for sure.

We need to clear up event logging and crash dump logging too. They are not the same thing.

Assume Windows is installed on your C drive.

Click Start, Run and in the box enter:

msinfo32

Click OK, and when the System Summary info appears, click Edit, Select All, Copy and then paste the information back here.

There will be some personal information (like System Name and User Name), and whatever appears to be private information to you, just delete it from the pasted information.

There will be no more silly questions about your system.

The msinfo32 information will look something like this:

OS Name    Microsoft Windows XP Professional
Version    5.1.2600 Service Pack 3 Build 2600
OS Manufacturer    Microsoft Corporation
System Manufacturer    Hewlett-Packard
System Model    Presario V4000
System Type    X86-based PC
Processor    x86 Family 6 Model 13 Stepping 8 GenuineIntel ~1696 Mhz
BIOS Version/Date    Phoenix F.14, 4/27/2006
SMBIOS Version    2.31
Windows Directory    C:\WINDOWS
System Directory    C:\WINDOWS\system32
Boot Device    \Device\HarddiskVolume1
Locale    United States
Hardware Abstraction Layer    Version = "5.1.2600.5512 (xpsp. 080413-2111)"
Time Zone    Eastern Standard Time
Total Physical Memory    512.00 MB
Available Physical Memory    220.24 MB
Total Virtual Memory    2.00 GB
Available Virtual Memory    1.96 GB
Page File Space    1.20 GB
Page File    C:\pagefile.sys

Configure your Startup and Recovery settings similar to this picture:

http://img15.imageshack.us/img15/705...figuration.png

This setup will keep XP from rebooting when it crashes and lets the BSOD information stay on the screen so you can write down the information, and a small 64KB dump file is created where you tell it.

With that setup, when the crash occurs, a Small memory dump (64KB) will be created in this folder:

%SystemRoot%\Minidump

There is no 32KB option and it has nothing to do with bits.

The BSOD dump files will be directed to:

C:\Windows\Minidump

Empty that folder so there is no confusion.

I just manually created a BSOD (yes, you can create a BSOD on purpose any time you want) and my single dump file found in C:\Windows\Minidump and called:

Mini022010-01.dmp (current date and time)

When you have a BSOD, XP may or may not be able to put an event in the Event Log depending on the severity of the error.

If XP is able to write to the Event Viewer System log, you will see something like this in the Event Viewer System log:

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 2/20/2010
Time: 7:53:54 AM
Description:
Error code 000000e2, parameter1 00000000, parameter2 00000000, parameter3 00000000, parameter4 00000000.

When you see a BSOD you need to pay attention to what it says on the screen (now that you can see it). It will look like what is in the Event Log if Windows was able to write to the Event Log, so pay attention to both.

Here are some BSOD blue screen of death examples showing information you need to provide:

http://www.codinghorror.com/blog/ima...ws_XP_BSOD.png
http://techrepublic.com.com/i/tr/dow...ges/bsod_a.jpg

Send the information pointed to with the red arrows (3-4 lines total). Skip the boring text unless it looks important to you. We know what a BSOD looks like, we need to know the other information that is specific to your BSOD.

If the BSOD information screen is insufficient to diagnose your issue, then the dump file can be analysed. Proper analysis will keep you from trying things and the "probably/might be some driver" rhetoric when the problem is not obvious.

If your BSOD makes you suspicious of your RAM and you want to run a RAM test, go ahead.

Run a test of your RAM with memtest86+ (I know it is boring and will cost you a CD).

Memtest86+ is a more up to date version of the old memtest program and they are not the same.

The memtest86+ will not run under Windows, so you will need to download the ISO file and create a bootable CD, boot on that and then run the memtest86+ program.

If even a single error is reported that is a failure and should make you suspicious of your RAM.

If you have multiple sticks of RAM you may need to run the test on them one at a time and change them out to isolate the failure to a particular single stick. Always keep at least the first bank of RAM occupied so the test will find something to do and there is enough to boot your system.

Sometimes, reseating the RAM in the slots will relieve the RAM error but any failure is still cause for suspicion.

The file and instructions are here:

http://www.memtest.org/

24 hours for memtest86+? That is up to you. If it is defective, you will generally know it in a few minutes.
#8
I just had another.

I am running memtest now, but have run it before and found no errors. Here is the info from the BSOD:

The error is in win32k.sys, PAGE_FAULT_IN_NONPAGED_AREA

STOP 0x00000050 (0xFFFFFA8000928000, 0x0000000000000000, 0xFFFFF97FFF180344, 0x0000000000000000)
win32k.sys - Address FFFFF97FFF180344, base at FFFFF97FFF000000, Datestamp 4a8403c8

Any ideas?
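An added example, not part of any post in the thread: a small Python decoder for the two forms of bug check data quoted above, the STOP lines from post #8 and the Event ID 1003 description from post #7. The function and variable names are illustrative; the parameter meanings for 0x50 and the reading of "Datestamp" as the PE header build time follow Microsoft's documented conventions.

```python
import re
from datetime import datetime, timezone

# Constructed inputs, copied from the values quoted in posts #7 and #8.
STOP_SCREEN = (
    "STOP 0x00000050 (0xFFFFFA8000928000, 0x0000000000000000, "
    "0xFFFFF97FFF180344, 0x0000000000000000)\n"
    "win32k.sys - Address FFFFF97FFF180344, base at FFFFF97FFF000000, "
    "Datestamp 4a8403c8"
)
EVENT_1003 = ("Error code 000000e2, parameter1 00000000, parameter2 00000000, "
              "parameter3 00000000, parameter4 00000000.")

# Only the two bug checks that appear in the thread.
NAMES = {0x50: "PAGE_FAULT_IN_NONPAGED_AREA", 0xE2: "MANUALLY_INITIATED_CRASH"}
HEX = r"([0-9A-Fa-f]+)"
MODULE_RE = re.compile(rf"(\S+) - Address {HEX}, base at {HEX}, Datestamp {HEX}")


def parse_bugcheck(text):
    """Return (code, [p1, p2, p3, p4]) from a STOP line or a 1003 description."""
    stop = re.search(rf"STOP\s+0x{HEX}\s*\(([^)]*)\)", text)
    if stop:
        code, raw = stop.group(1), re.findall(rf"0x{HEX}", stop.group(2))
    else:
        event = re.search(rf"Error code {HEX}", text)
        if not event:
            raise ValueError("no bug check data found")
        code, raw = event.group(1), re.findall(rf"parameter\d {HEX}", text)
    if len(raw) != 4:
        raise ValueError("expected four bug check parameters")
    return int(code, 16), [int(p, 16) for p in raw]


def describe(text):
    """Decode the bug check and, if present, the faulting-module line."""
    code, p = parse_bugcheck(text)
    out = {"code": code, "name": NAMES.get(code, "unknown"), "params": p}
    if code == 0x50:
        # 0x50: p1 = address referenced, p2 = 0 for a read (nonzero otherwise),
        # p3 = address of the instruction that made the reference.
        out["access"] = "read" if p[1] == 0 else "write/other"
        out["bad_address"], out["faulting_ip"] = p[0], p[2]
    mod = MODULE_RE.search(text)
    if mod:
        addr, base, stamp = (int(g, 16) for g in mod.groups()[1:])
        out["module"] = mod.group(1)
        out["offset"] = addr - base  # offset to resolve against symbols
        # Datestamp is the PE header TimeDateStamp: seconds since 1970 UTC.
        out["built"] = datetime.fromtimestamp(stamp, timezone.utc).isoformat()
        out["ip_in_module"] = out.get("faulting_ip") == addr
    return out
```

For the STOP screen in post #8, `describe(STOP_SCREEN)` reports a read access from an instruction at offset 0x180344 into win32k.sys, with a driver build time of 2009-08-13 12:15:04 UTC.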