Monday, December 19, 2011

Troubleshooting 0x1a MEMORY_MANAGEMENT

The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:
http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

0x0000001A MEMORY_MANAGEMENT is a blue screen of death that occurs when the memory manager detects a severe error. MSDN lists a number of possible values for parameter 1; the majority identify some sort of corruption of the memory management data structures, and the minority deal with invalid allocation, referencing, or deallocation of memory or memory manager structures. In a lot of cases, the faulting module is listed as the NT kernel (ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe, or ntkrnlpamp.exe). Below is an example of a minidump analysis:

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

MEMORY_MANAGEMENT (1a)
    # Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000000403, The subtype of the bugcheck.
Arg2: fffff680000697c8
Arg3: adc000002877c867
Arg4: bffff680000697c8

Debugging Details:
------------------


BUGCHECK_STR:  0x1a_403

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  AvastSvc.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80002ae7628 to fffff80002a755c0

STACK_TEXT:  
... : nt!KeBugCheckEx
... : nt! ?? ::FNODOBFM::`string'+0x31eb2
... : nt!MiDeleteVirtualAddresses+0x408
... : nt!NtFreeVirtualMemory+0x5ca
... : nt!KiSystemServiceCopyEnd+0x13
... : 0x7760f89a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt! ?? ::FNODOBFM::`string'+31eb2
fffff800`02ae7628 cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt! ?? ::FNODOBFM::`string'+31eb2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4e02aa44

FAILURE_BUCKET_ID:  X64_0x1a_403_nt!_??_::FNODOBFM::_string_+31eb2

BUCKET_ID:  X64_0x1a_403_nt!_??_::FNODOBFM::_string_+31eb2

Followup: MachineOwner
---------
 
 
This particular issue was likely caused by Avast antivirus (see PROCESS_NAME above). It is common for antivirus software from Norton, McAfee, Trend, AVG, and others to cause this issue.

If a specific driver is listed as the faulting module and the error code listed in parameter 1 is known, then this driver should be examined and either upgraded, downgraded, or disabled. If the error code listed in parameter 1 points to corruption or is unknown, initially troubleshoot the issue as a memory error, and enable Driver Verifier if no memory errors are detected.
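The triage rule above, applied to saved !analyze -v text, as an added example that is not code from the original post. The function names, the return labels, and the short CALLER_ERROR_SUBTYPES set (recalled from Microsoft's Bug Check 0x1A reference, not from this post) are assumptions; the sample is abridged from the dump shown above.

```python
import re

# NT kernel image names listed in the post; these do not name a specific driver.
NT_KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrnlpamp.exe"}
# Assumption: a few parameter 1 subtypes that report an invalid caller request
# rather than corruption (from Microsoft's Bug Check 0x1A reference, not the post).
CALLER_ERROR_SUBTYPES = {0x777, 0x1010, 0x1233}

# Abridged from the !analyze -v output shown in the post.
SAMPLE = """\
MEMORY_MANAGEMENT (1a)
Arguments:
Arg1: 0000000000000403, The subtype of the bugcheck.
Arg2: fffff680000697c8
Arg3: adc000002877c867
Arg4: bffff680000697c8
PROCESS_NAME:  AvastSvc.exe
MODULE_NAME: nt
IMAGE_NAME:  ntkrnlmp.exe
"""

def parse_analysis(text):
    """Extract the bugcheck code, Arg1..Arg4 and NAME: value fields."""
    info = {"args": {}}
    code = re.search(r"^\w+ \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    info["bugcheck"] = int(code.group(1), 16) if code else None
    for n, value in re.findall(r"^Arg([1-4]):\s*([0-9a-fA-F`]+)", text, re.M):
        info["args"][int(n)] = int(value.replace("`", ""), 16)
    for key, value in re.findall(r"^([A-Z_]+):[ \t]+(\S.*?)\s*$", text, re.M):
        info[key] = value
    return info

def triage(info):
    """Apply the post's rule for bugcheck 0x1A and name the next step."""
    if info["bugcheck"] != 0x1A:
        return "not-0x1a"
    subtype = info["args"].get(1)
    image = info.get("IMAGE_NAME", "").lower()
    specific_driver = bool(image) and image not in NT_KERNEL_IMAGES
    if specific_driver and subtype in CALLER_ERROR_SUBTYPES:
        return "examine-driver"  # upgrade, downgrade, or disable it
    # Corruption or unknown subtype, or no specific driver named.
    return "memory-test-then-verifier"
```

For the dump in this post, triage(parse_analysis(SAMPLE)) selects the memory-test path, because the image is the NT kernel and subtype 0x403 is not in the caller-error set.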

See Also:
Windows Crash Dump Analysis
How to Perform an Offline Integrity Check
How to Disable and Enable Windows Device Drivers
Troubleshooting Memory Errors
