I've finally figured out the cause of the BSOD when running Norton Ghost 12. I have been running NG12 for about a year with no issues. Recently, I upgraded Norton Internet Security to the 2009 edition. Now, whenever I attempt to copy a drive, I get the BSOD.
I uninstalled NIS 2009 and NG12 works fine. After I finished copying the drive, I tried reinstalling NIS 2009 and I got the BSOD when I tried to copy the drive again with NG12.
The BSOD is caused by symsnap.sys. I've dumped the bugcheck from the crashdump below:
Microsoft (R) Windows Debugger Version 6.4.0004.4
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini111708-04.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*D:\temp\winsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (4 procs) Free x86 compatible
Product: WinNt
Built by: 2600.xpsp_sp3_gdr.080814-1236
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Mon Nov 17 08:52:06.078 2008 (GMT-8)
System Uptime: 0 days 1:44:47.114
Loading Kernel Symbols
.........................................................................................................................................................................
Loading unloaded module list
............................
Loading User Symbols
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, b9e3786e, ae653a80, 0}
*** WARNING: Unable to verify timestamp for symsnap.sys
*** ERROR: Module load completed but symbols could not be loaded for symsnap.sys
Probably caused by : symsnap.sys ( symsnap+786e )
Followup: MachineOwner
---------
3: kd> .reload
Loading Kernel Symbols
..................................Unable to load image symsnap.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for symsnap.sys
*** ERROR: Module load completed but symbols could not be loaded for symsnap.sys
.......................................................................................................................................
Loading unloaded module list
............................
Loading User Symbols
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b9e3786e, The address that the exception occurred at
Arg3: ae653a80, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
OVERLAPPED_MODULE: vmx86
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
symsnap+786e
b9e3786e ?? ???
TRAP_FRAME: ae653a80 -- (.trap ffffffffae653a80)
Unable to read trap frame at ae653a80
CUSTOMER_CRASH_COUNT: 4
DEFAULT_BUCKET_ID: COMMON_SYSTEM_FAULT
BUGCHECK_STR: 0x8E
LAST_CONTROL_TRANSFER: from aedcdf50 to b9e3786e
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ae653af0 aedcdf50 89760a60 8b576db8 00000000 symsnap+0x786e
ae653b50 b9e384a1 ae653b68 897609a8 897609a8 0xaedcdf50
ae653b78 b9e35d7e 8b576fd8 8b576db8 8ae42750 symsnap+0x84a1
ae653b8c 804ef19f 897609a8 8b576db8 806e6428 symsnap+0x5d7e
ae653b9c 80658128 00000000 8b576db8 887c12f0 nt!IopfCallDriver+0x31
ae653bc0 b9e66e9b 895a7ad8 8b576db8 88807c18 nt!IovCallDriver+0xa0
ae653be4 b9e6706b ae653c04 895a7ad8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b
ae653c1c 804ef19f 895a7ad8 8b576db8 806e6428 fltmgr!FltpDispatch+0x11f
ae653c2c 80658128 888c6400 806e6410 8b576db8 nt!IopfCallDriver+0x31
ae653c50 8057f982 8b576fd8 888c6400 8b576db8 nt!IovCallDriver+0xa0
ae653c64 805807f7 895a7ad8 8b576db8 888c6400 nt!IopSynchronousServiceTail+0x70
ae653d00 80579274 000001fc 00000000 00000000 nt!IopXxxControlFile+0x5c5
ae653d34 8054162c 000001fc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
ae653d34 7c90e4f4 000001fc 00000000 00000000 nt!KiFastCallEntry+0xfc
00a4f0c0 00000000 00000000 00000000 00000000 0x7c90e4f4
FOLLOWUP_IP:
symsnap+786e
b9e3786e ?? ???
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: symsnap+786e
MODULE_NAME: symsnap
IMAGE_NAME: symsnap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: .trap ffffffffae653a80 ; kb
FAILURE_BUCKET_ID: 0x8E_symsnap+786e
BUCKET_ID: 0x8E_symsnap+786e
Followup: MachineOwner
---------
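A small triage helper for debugger text like the output above, added here as an example and not part of the original post: it extracts the bugcheck arguments and the STACK_TEXT frames, derives the faulting driver's load base from Arg2 and the frame-0 offset, and lists return addresses the debugger could not map to any module. The function names are illustrative, and the sample is an abridged copy of the post's own lines.

```python
import re

# Lines copied from the debugger output in the post above (stack abridged).
SAMPLE = """\
BugCheck 1000008E, {c0000005, b9e3786e, ae653a80, 0}
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ae653af0 aedcdf50 89760a60 8b576db8 00000000 symsnap+0x786e
ae653b50 b9e384a1 ae653b68 897609a8 897609a8 0xaedcdf50
ae653b78 b9e35d7e 8b576fd8 8b576db8 8ae42750 symsnap+0x84a1
ae653c1c 804ef19f 895a7ad8 8b576db8 806e6428 fltmgr!FltpDispatch+0x11f
ae653d34 8054162c 000001fc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
FOLLOWUP_IP:
"""

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$")  # ChildEBP RetAddr Arg1-3 Symbol
SYMBOL = re.compile(r"^(?!0x)([^!+]+)(?:!([^+]+))?(?:\+0x([0-9a-f]+))?$")

def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from the 'BugCheck' summary line."""
    m = BUGCHECK.search(text)
    if not m:
        raise ValueError("no BugCheck line found")
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def parse_stack(text):
    """Return frames, innermost first, as (module, function, offset, raw).
    A bare 0x... symbol (no module mapping) yields module None."""
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT"):
            in_stack = True
        elif in_stack and not line.startswith("WARNING"):
            m = FRAME.match(line.strip())
            if not m:
                break  # first non-frame line ends the stack section
            s = SYMBOL.match(m.group(1))
            frames.append((s.group(1), s.group(2), int(s.group(3) or "0", 16),
                           m.group(1)) if s else (None, None, None, m.group(1)))
    return frames

def triage(text):
    """Summarise faulting module, its load base, unresolved frames, call path."""
    (code, args), frames = parse_bugcheck(text), parse_stack(text)
    mods = [f[0] or "?" for f in reversed(frames)]  # outermost caller first
    path = [m for i, m in enumerate(mods) if i == 0 or m != mods[i - 1]]
    return {"bugcheck": code, "exception": args[0], "module": frames[0][0],
            "module_base": args[1] - frames[0][2], "path": path,
            "unresolved": [f[3] for f in frames if f[0] is None]}
```

On the post's dump this reports symsnap at base 0xb9e30000 and flags 0xaedcdf50 as a return address inside the symsnap call chain that maps to no loaded module.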