|
OS Architecture – Background
u Divided into two main sections
l Kernel mode – high-privilege, direct access to hardware, memory, HAL, MicroKernel, NT Executive Services
l User mode – low privilege, no direct access to hardware, uses APIs to request system resources, environment, and integrated subsystems
Why Do STOP Screens Happen?
u Services, applications, or device drivers are faulty or incompatible
u Hardware problems
u Disk or file system corruption
u Firmware or BIOS outdated or incompatible
u Viruses
u Four categories
u Short startup period (phase four of the boot sequence)
u Software condition detected by the CPU
u Hardware malfunction detected by the CPU
u All the rest of the STOP codes
Most Common STOP Codes
u STOP 0x0000000A IRQL_NOT_LESS_EQUAL
l Caused by a kernel-mode process that tried to access portion of memory at an IRQL that was too high
l Fourth parameter most important
l Usually caused by buggy device drivers, or services from backup utilities or virus scanners
u STOP 0x0000001E KMODE_EXCEPTION_NOT_HANDLED
l Caused when a kernel-mode process tries to execute an illegal or unknown processor instruction
l Second parameter is most important; it is the address where the exception occurred
l If Win32k.sys is the referenced driver, check third-party remote control applications
u STOP 0x00000024 NTFS_FILE_SYSTEM
l Caused by a problem that occurred in Ntfs.sys
l First parameter most important
l Usually caused by disk corruption, disk defragmenters, or (in rare cases) creating a partition larger than 7 GB on a Services for Macintosh volume with a large number of files
u STOP 0x0000002E DATA_BUS_ERROR
l Caused by a parity error in the system memory
l Almost always caused by hardware problems being a configuration issue, defective hardware, incompatible hardware
l If physical RAM was recently added to the system, remove it and see if the error still occurs
l If the error persists, try disabling memory caching in the BIOS
u STOP 0x00000050 PAGE_FAULT_IN_NONPAGED_AREA
l Caused when requested data is not found in memory; the system checks the page file, but the missing data is identified as unable to be written to the page filel First parameter indicates virtual address that caused the fault
l If this occurs on a Terminal Server, check for third-party printer drivers
u STOP 0x0000007B INACCESSIBLE_BOOT_DEVICE
l Caused when Windows lost access to the system partition during the Startup process
l Cannot be debugged because it usually occurs before the debugger is loaded
l This can be caused by: an incorrect driver for a SCSI, RAID, or UDMA IDE controller; incorrect ARC path in the Boot.ini; or a failed boot device
l During install, press F6 at prompt to install third-party Mass Storage drivers
u STOP 0x0000007F UNEXPECTED_KERNEL_MODE_TRAP
l Caused when the CPU generates an error that the kernel does not catch
l First parameter most important (see Knowledge Base article Q137539 for details)
l Usually hardware, especially RAM
l Disable sync negotiation in SCSI BIOS; check SCSI termination
l Can also be caused by CPU over-clocking
u STOP 0x0000009F DRIVER_POWER_STATE_FAILURE
l Caused when drivers do not handle power state transition requests properly
l Most frequently when shutting down or resuming from standby or hibernation mode
l Check CD writing software, applications that attempt to catch crashes, or other similar applications
l Check power management compatibility and settings
u STOP 0x000000D1 DRIVER_IRQL_NOT_LESS_OR_EQUAL
l Occurs when the system attempts to access pageable memory at a process IRQL that is too high
l Fourth parameter is most important, which is the address that referenced the memory
l Very similar to STOP 0xA
l Same troubleshooting as a STOP 0xA
u STOP 0xC000021A STATUS_SYSTEM_PROCESS_TERMINATED
l Caused when the user-mode subsystem (Winlogon or CSRSS) is fatally compromised and security cannot be guaranteed
l One of few user-mode errors that can bring down a machine
l Most common causes are third-party applications or mismatched system files
l Sfc/Scannow
|
Articles 
