I've recently installed Ghost 14 on my Win XP PC. I get a BSoD failure each time I try to create my recovery disc. It seems to finish collecting driver details and then crash immediately the next stage begins. I can make a recovery disc in Safe Mode.
Here's a little more information:
STOP: 0x00000024 (0x001902FE, 0xECDD13BC, 0xECDD10B8, 0xF5B09736)
Ntfs.sys - Address F5B09736 base at F5B09000 Datestamp 48025be5
I have been getting some help on this on another forum (Tiscali) but I would like to see if anyone here can help out. I have seen similar problems for others but they seem a bit different to my difficulty.
Someone on the Tiscali Forum analysed the crash dump file for me (there's no way I could do that) and came up with this:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1902fe, ec3dc3bc, ec3dc0b8, f5af2736}
*** WARNING: Unable to verify timestamp for symsnap.sys
*** ERROR: Module load completed but symbols could not be loaded for symsnap.sys
*** WARNING: Unable to verify timestamp for klif.sys
*** ERROR: Module load completed but symbols could not be loaded for klif.sys
Probably caused by : Ntfs.sys ( Ntfs!NtfsDecodeFileObject+37 )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001902fe
Arg2: ec3dc3bc
Arg3: ec3dc0b8
Arg4: f5af2736
Debugging Details:
------------------
EXCEPTION_RECORD: ec3dc3bc -- (.exr 0xffffffffec3dc3bc)
ExceptionAddress: f5af2736 (Ntfs!NtfsDecodeFileObject+0x00000037)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004
CONTEXT: ec3dc0b8 -- (.cxr 0xffffffffec3dc0b8)
eax=00000000 ebx=ec3dc574 ecx=faf0a5f8 edx=ec3dc4c0 esi=ec3dc4d0 edi=ec3dc748
eip=f5af2736 esp=ec3dc484 ebp=ec3dc488 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
Ntfs!NtfsDecodeFileObject+0x37:
f5af2736 8b4804 mov ecx,dword ptr [eax+4] ds:0023:00000004=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: ModifiableSRD.e
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
READ_ADDRESS: 00000004
BUGCHECK_STR: 0x24
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from f5b19edc to f5af2736
STACK_TEXT:
ec3dc488 f5b19edc ec3dc574 ec3dccc0 ec3dc4c4 Ntfs!NtfsDecodeFileObject+0x37
ec3dc4fc f5b1849c ec3dc574 fa0f4d98 fcc3aac8 Ntfs!NtfsCommonQueryInformation+0x56
ec3dc560 f5b184d5 ec3dc574 fa0f4d98 00000001 Ntfs!NtfsFsdDispatchSwitch+0x12a
ec3dc684 e0bce129 fcbfa770 fa0f4d98 fccd1680 Ntfs!NtfsFsdDispatchWait+0x1c
ec3dc694 f5bca459 ec3dc6d0 e0bce129 fcbfa020 nt!IopfCallDriver+0x31
ec3dc69c e0bce129 fcbfa020 fa0f4d98 fa0f4d98 sr!SrPassThrough+0x31
ec3dc6ac f5bb1563 fcc3aa10 fcc3aa10 00000000 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
ec3dc6d0 f5baed7e fa0f4f70 fa0f4d98 fcc48490 symsnap+0x8563
ec3dc6e4 e0bce129 fcc3aa10 fa0f4d98 fa0f4d98 symsnap+0x5d7e
ec3dc6f4 f5bee7a9 00000000 fbd95730 00000000 nt!IopfCallDriver+0x31
ec3dc720 f5bf0d56 fcc3aa10 ec3dccc0 ec3dc748 fltmgr!FltpQueryInformationFile+0x99
ec3dc768 f5bf1329 fc407328 00000000 e0c2ae20 fltmgr!SetStreamListStandardInformationFlags+0x7e
ec3dc78c ebf5f504 ec3dccc0 fbd95730 fa2f2a70 fltmgr!FltIsDirectory+0x4b
00000000 00000000 00000000 00000000 00000000 klif+0xf504
FOLLOWUP_IP:
Ntfs!NtfsDecodeFileObject+37
f5af2736 8b4804 mov ecx,dword ptr [eax+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsDecodeFileObject+37
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48025be5
STACK_COMMAND: .cxr 0xffffffffec3dc0b8 ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsDecodeFileObject+37
BUCKET_ID: 0x24_Ntfs!NtfsDecodeFileObject+37
Followup: MachineOwner
---------
Although the crash was caused by NTFS.sys, there's not a lot I can recommend as that's a critical XP system file. Also, the other file mentioned (symsnap.sys) is the Norton Ghost driver so there's not much you can do about that either.
However, the third file (klif.sys) that's mentioned and shows at the bottom of the stack, when I Googled it, appears to be something to do with Kaspersky. Do a search for that file, and if you find it, right-click -> Properties -> "Version" tab. See what it says for the description, and if it is Kaspersky related, go into Add/Remove programs and see if there's anything to uninstall from there. Before you start your search make sure you tick both boxes to search System folders and hidden files/folders.
If you find it and it's nothing to do with Kaspersky then let us know what information you discover about that file.
I have yet to try the advice about the klif.sys file but will do that when I am next on the PC.
If anyone is interested, a full account of the problem is on that other forum.
Many thanks
Martin
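
Added example, not part of the original post: the triage step used in the quoted analysis (reading down the stack for drivers other than the faulting Ntfs.sys), written as a small parser for `!analyze -v` output. The input is an excerpt of the dump above with the forum's stray spaces removed; the function names are hypothetical, and "no symbols loaded" is used only as a heuristic for drivers worth checking by hand.

```python
import re

# Excerpt of the !analyze -v output quoted in the post (stray spaces removed).
DUMP = """\
*** ERROR: Module load completed but symbols could not be loaded for symsnap.sys
*** ERROR: Module load completed but symbols could not be loaded for klif.sys
STACK_TEXT:
ec3dc488 f5b19edc ec3dc574 ec3dccc0 ec3dc4c4 Ntfs!NtfsDecodeFileObject+0x37
ec3dc4fc f5b1849c ec3dc574 fa0f4d98 fcc3aac8 Ntfs!NtfsCommonQueryInformation+0x56
ec3dc694 f5bca459 ec3dc6d0 e0bce129 fcbfa020 nt!IopfCallDriver+0x31
ec3dc69c e0bce129 fcbfa020 fa0f4d98 fa0f4d98 sr!SrPassThrough+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
ec3dc6d0 f5baed7e fa0f4f70 fa0f4d98 fcc48490 symsnap+0x8563
ec3dc6f4 f5bee7a9 00000000 fbd95730 00000000 nt!IopfCallDriver+0x31
ec3dc720 f5bf0d56 fcc3aa10 ec3dccc0 ec3dc748 fltmgr!FltpQueryInformationFile+0x99
00000000 00000000 00000000 00000000 00000000 klif+0xf504
FOLLOWUP_IP:
"""

NO_SYMBOLS = re.compile(r"symbols could not be loaded for (\S+)\.sys", re.I)
# Five 8-digit hex columns, then module[!symbol]+0xoffset
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}([\w.]+?)(?:!(\w+))?\+0x[0-9a-f]+\s*$", re.I)

def stack_modules(text):
    """Return (module, symbol_or_None, reliable) per STACK_TEXT frame, top first."""
    frames, in_stack, reliable = [], False, True
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and line.startswith("WARNING: Stack unwind"):
            reliable = False  # debugger says frames below this may be wrong
        elif in_stack:
            m = FRAME.match(line)
            if not m:
                break  # next section header ends the stack listing
            frames.append((m.group(1), m.group(2), reliable))
    return frames

def drivers_to_investigate(text):
    """Modules on the stack that the debugger had no symbols for, in stack order."""
    unresolved = {name.lower() for name in NO_SYMBOLS.findall(text)}
    seen = []
    for module, _symbol, _reliable in stack_modules(text):
        if module.lower() in unresolved and module not in seen:
            seen.append(module)
    return seen

if __name__ == "__main__":
    print(drivers_to_investigate(DUMP))
```

Frames listed after the unwind warning are marked unreliable, so a driver that appears only there (as klif does here) is a lead to check, not a confirmed cause.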