BSOD Help Please.


24 replies to this topic

#1 nolaquest


Posted 20 May 2015 - 10:13 AM

Well here we go, I hope this is solvable. As background, Monday my computer started showing some quirky behavior. The screen would sort of flash and then programs like Photoshop would just stop running. I restarted and ran simple clean up stuff as well as webroot scans. Issues continued with Chrome Errors ("He's Dead Jim"). I tried system restore back to last week and then back to May 1. But these did not work. I tried to reinstall Chrome, but got its Error 7 - update failure etc.

 

When restarting yesterday after all of this I got the 1st blue screen. The machine restarted and Windows loaded "normally". I came here and signed up and then shut down for the day. Upon starting this morning, the 1st start things started along a normal path but at the Windows background right before logon, Windows had a "please wait". So I did for 13 min.

 

Then I tried to reboot. "Normal Windows Start" - I got a short BSOD and an immediate/auto Restart.

 

Upon that, I started in Safe Mode w/ Network and here we are.

 

I ran the Sysnative BSOD App and have attached it.

However while running the Perfmon /report command I received the following error - 

 

Error:
 
An error occured while attempting to generate the report.
   
The system cannot find the path specified.

 

The Perfmon window does open, but I cannot find any reports.

 

Looking forward to seeing if this is solvable. I really would like to not have to rebuild my drive.

 

Thanks very much,

 

Allan

Attached Files




#2 ring 0


Posted 20 May 2015 - 02:46 PM

1: kd> .bugcheck
Bugcheck code 0000001A
Arguments 00000000`00041790 fffffa80`03cd5990 00000000`0000ffff 00000000`00000000

1st argument indicates that a page table is corrupt.

1: kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18839.amd64fre.win7sp1_gdr.150427-0707
Machine Name:
Kernel base = 0xfffff800`02a0c000 PsLoadedModuleList = 0xfffff800`02c53730
Debug session time: Wed May 20 09:58:58.703 2015 (UTC - 4:00)
System Uptime: 0 days 0:00:30.622

You have an x64 OS, which implies the 2nd argument is the address of the PFN for the corrupted page table.

1: kd> dt nt!_MMPFN fffffa80`03cd5990
   +0x000 u1               : <unnamed-tag>
   +0x008 u2               : <unnamed-tag>
   +0x010 PteAddress       : 0xfffff6fb`41ffbe90 _MMPTE
   +0x010 VolatilePteAddress : 0xfffff6fb`41ffbe90 Void
   +0x010 Lock             : 0n1107279504
   +0x010 PteLong          : 0xfffff6fb`41ffbe90
   +0x018 u3               : <unnamed-tag>
   +0x01c UsedPageTableEntries : 0xffff
   +0x01e VaType           : 0 ''
   +0x01f ViewCount        : 0 ''
   +0x020 OriginalPte      : _MMPTE
   +0x020 AweReferenceCount : 0n128
   +0x028 u4               : <unnamed-tag>

UPTE fell below zero, so although this looks like RAM to me, a driver is possible as well given the above.

 

Enable verifier:

 

Driver Verifier:

What is Driver Verifier?

Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.

Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (only on Windows 7 & 8/8.1)
- DDI compliance checking (only on Windows 8/8.1)
- Miscellaneous Checks
4. Select  - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:
 
- Perhaps the most important which I will now clarify as this has been misunderstood often, enabling Driver Verifier by itself is not! a solution, but instead a diagnostic utility. It will tell us if a driver is causing your issues, but again it will not outright solve your issues.

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.

- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.

- If you have the system set to generate Kernel Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.

Any other questions can most likely be answered by this article:

http://support.microsoft.com/kb/244617
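
The GUI steps in post #2 have a command-line form, `verifier /flags <mask> /driver <list>`. The following is an added example, not part of the original post: it builds that command from the post's checkbox list and a driver inventory. The function names are illustrative and the driver/provider pairs are constructed sample data.

```python
# Driver Verifier /flags bits for the boxes ticked in step 3 of the post.
FLAG_BITS = {
    "Special Pool": 0x1,
    "Force IRQL Checking": 0x2,
    "Pool Tracking": 0x8,
    "Deadlock Detection": 0x20,
    "Security Checks": 0x100,
    "Miscellaneous Checks": 0x800,
    "DDI compliance checking": 0x20000,
}
# Earliest Windows release (0=Vista, 1=7, 2=8/8.1) offering each box, per the post.
OS_RANK = {"vista": 0, "7": 1, "8": 2, "8.1": 2}
MIN_RANK = {"Security Checks": 1, "DDI compliance checking": 2}

def verifier_flags(os_name):
    """OR together the step 3 boxes that exist on this Windows version."""
    rank = OS_RANK[os_name.lower()]
    mask = 0
    for box, bit in FLAG_BITS.items():
        if rank >= MIN_RANK.get(box, 0):
            mask |= bit
    return mask

def third_party(drivers):
    """Step 6: keep every driver whose provider is not Microsoft.
    A blank provider counts as third-party so the driver still gets verified."""
    return sorted((name for name, provider in drivers
                   if not provider.strip().lower().startswith("microsoft")),
                  key=str.lower)

def verifier_command(os_name, drivers):
    names = third_party(drivers)
    if not names:
        raise ValueError("no third-party drivers selected")
    return "verifier /flags 0x%X /driver %s" % (verifier_flags(os_name), " ".join(names))

# Constructed inventory (driver file, provider); only WRkrn.sys appears in this thread.
SAMPLE_DRIVERS = [
    ("ntfs.sys", "Microsoft Corporation"),
    ("WRkrn.sys", "Webroot"),
    ("examplegpu.sys", "Example Vendor"),
    ("tcpip.sys", "Microsoft"),
    ("olddrv.sys", ""),
]

if __name__ == "__main__":
    print(verifier_command("7", SAMPLE_DRIVERS))
    print("verifier /reset")  # turns Driver Verifier off again, as the post describes
```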



#3 0xFFFF


Posted 20 May 2015 - 03:02 PM

It seems possibly like some issues within the Address Translation.

 

I can't investigate much with Minidumps, but at this moment in time, I would suggest running Driver Verifier.



#4 nolaquest


Posted 20 May 2015 - 03:03 PM

So here is a summary of what I have done today to see if I could figure anything out. But I am at a loss in the end really.

 

I ran Multi Tool

 

I uninstalled chrome as it was in the Multi Tool Results file as multiple crashes.

 

I then Ran Windows Memory Diagnostics - No Problems Detected

 

Windows starts normally but ie is very slow to open.

 

Then downloaded and installed AdAware. Download and install slow but successful

however while AdAware was downloading profiles I ran Windows performance Monitor and got a BSOD

 

I rebooted in Safe Mode and then ran SysNative to get updated info. Got a Blue Screen while SysNative was collecting data

 

I rebooted in Safe Mode but after "Please Wait" the Windows started in "Normal"  And then with only an all black screen and mouse pointer.  The Blue circle coming on intermittently.

 

I force shut down/off via long on button and waited 20 mins.

 

Started up again in safe mode

 

Ran Sysnative - Got BSOD while collecting data again. 

System auto rebooted and I selected Safe Mode.

Received a very long 'Please Wait' again and then the system rebooted with Windows in 'Normal'

 

I tried to run AdAware but definitions would not download

I then Ran Webroot Scan with No Threats. Then Ran Webroot System Analyzer with no issues (this must be a joke though as it stated that my system had little to no crashes)

 

Logged in to bleeping computer forum and entered this info. Windows running in Normal mode.

 

I am very confused.

 

Thanks



#5 nolaquest


Posted 20 May 2015 - 03:05 PM

Thanks,

 

I will try Driver Verifier and get back to you. I was writing the above when Y'all posted.

 

Thanks.



#6 nolaquest


Posted 20 May 2015 - 03:36 PM

Ok, here's what I did.

 

Made a restore point - "successful"

 

Started Driver Verifier and setup as per instructions

 

Manual restart - BSOD

Auto Reboot, prompted & chose "Normally"

Windows started in normal but was slow and choppy

 

Decided to Manually Restart - BSOD

Auto Reboot, prompted & chose "Normally"

Windows began to start normally but BSOD's right before logon.

 

Auto Reboot - Chose Safe Mode

Now in Safe Mode.

Resetting Verifier and then looking for dump files I guess.



#7 nolaquest


Posted 20 May 2015 - 03:52 PM

Ok - Rebooted and Now in Windows "Normal"

 

I just tried to attach the dump file but "not permitted"



#8 ring 0


Posted 20 May 2015 - 03:56 PM

Drag it from the minidump folder to the Desktop, and try zipping it there.



#9 nolaquest


Posted 20 May 2015 - 04:05 PM

Thanks

Attached Files



#10 ring 0


Posted 20 May 2015 - 04:17 PM

Looks like I was right, it's a driver.

0: kd> .bugcheck
Bugcheck code 000000C1
Arguments fffff980`10d12400 fffff980`10d12181 00000000`00974c08 00000000`00000023

Checking the first argument:

0: kd> !poolval fffff98010d12400
Pool page fffff98010d12400 region is Unknown

Validating Pool headers for pool page: fffff98010d12400

Pool page [ fffff98010d12000 ] is __inVALID.

Analyzing linked list...
[ fffff98010d12000 ]: invalid previous size [ 0x8 ] should be [ 0x0 ]


Scanning for single bit errors...
[ fffff98010d12000 ]: previous size [ 0x8 ] should be [ 0x0 ]

We have some corruption, obviously.

0: kd> dt nt!_POOL_HEADER fffff98010d12400
   +0x000 PreviousSize     : 0y00000111 (0x7)
   +0x000 PoolIndex        : 0y00001001 (0x9)
   +0x000 BlockSize        : 0y00000000 (0)
   +0x000 PoolType         : 0y00000000 (0)
   +0x000 Ulong1           : 0x907
   +0x004 PoolTag          : 0x97979797
   +0x008 ProcessBilled    : 0x97979797`000025c6 _EPROCESS
   +0x008 AllocatorBackTraceIndex : 0x25c6
   +0x00a PoolTagHash      : 0

The PreviousSize field is wrong.

0: kd> knL
 # Child-SP          RetAddr           Call Site
00 fffff880`07ae5428 fffff800`02b6813a nt!KeBugCheckEx
01 fffff880`07ae5430 fffff800`02be0fc3 nt!MiCheckSpecialPoolSlop+0x9a
02 fffff880`07ae5470 fffff800`02c0c94b nt!MmFreeSpecialPool+0x1d3
03 fffff880`07ae55b0 fffff800`02f85a5b nt!ExAllocatePoolWithTag+0x1683
04 fffff880`07ae5660 fffff880`0111ae12 nt!VerifierExFreePool+0x1b
05 fffff880`07ae5690 00000000`00000000 WRkrn+0x9e12

The driver that caused the single bit pool corruption was WRkrn.sys, WebRoot's driver.

 

Uninstall WebRoot.
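
The triage in post #10 can be scripted over saved debugger text. The following is an added example, not part of the original post: it parses the `.bugcheck` and `knL` output quoted above, finds the first stack frame outside the kernel, and unpacks `Ulong1` into the 8-bit fields that `dt nt!_POOL_HEADER` displayed. The function names and the `("nt", "hal")` kernel-module list are assumptions of this example.

```python
import re

# Debugger output copied from the post above (not constructed).
BUGCHECK = """Bugcheck code 000000C1
Arguments fffff980`10d12400 fffff980`10d12181 00000000`00974c08 00000000`00000023"""
STACK = """ # Child-SP          RetAddr           Call Site
00 fffff880`07ae5428 fffff800`02b6813a nt!KeBugCheckEx
01 fffff880`07ae5430 fffff800`02be0fc3 nt!MiCheckSpecialPoolSlop+0x9a
02 fffff880`07ae5470 fffff800`02c0c94b nt!MmFreeSpecialPool+0x1d3
03 fffff880`07ae55b0 fffff800`02f85a5b nt!ExAllocatePoolWithTag+0x1683
04 fffff880`07ae5660 fffff880`0111ae12 nt!VerifierExFreePool+0x1b
05 fffff880`07ae5690 00000000`00000000 WRkrn+0x9e12"""
PAGE_MASK = ~0xFFF  # 4 KiB pages

def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from `.bugcheck` output."""
    code = int(re.search(r"Bugcheck code ([0-9A-Fa-f]+)", text).group(1), 16)
    args = re.search(r"Arguments (.+)", text).group(1).split()
    return code, [int(a.replace("`", ""), 16) for a in args]

def first_outside_kernel(stack, kernel=("nt", "hal")):
    """Walk frames top-down; return (module, call_site) of the first frame
    that is not in a kernel module, i.e. the caller to examine first."""
    for line in stack.splitlines():
        m = re.match(r"\s*[0-9a-f]{2}\s+\S+\s+\S+\s+(\S+)", line)
        if m:
            module = re.split(r"[!+]", m.group(1))[0]
            if module not in kernel:
                return module, m.group(1)
    return None  # every frame was in the kernel: the stack alone names no driver

def decode_pool_header(ulong1):
    """Split Ulong1 into the four 8-bit fields shown by dt nt!_POOL_HEADER."""
    names = ("PreviousSize", "PoolIndex", "BlockSize", "PoolType")
    return {n: (ulong1 >> (8 * i)) & 0xFF for i, n in enumerate(names)}

def same_page(a, b):
    """True when both addresses fall in the same 4 KiB page."""
    return (a & PAGE_MASK) == (b & PAGE_MASK)

if __name__ == "__main__":
    code, args = parse_bugcheck(BUGCHECK)
    print(hex(code), first_outside_kernel(STACK))
    print(decode_pool_header(0x907), same_page(args[0], args[1]))
```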



#11 nolaquest


Posted 20 May 2015 - 04:29 PM

Will give it a go.



#12 ring 0


Posted 20 May 2015 - 04:45 PM

Let me know how it goes.



#13 nolaquest


Posted 20 May 2015 - 04:50 PM

So I uninstalled Webroot and all seemed normal, I then rebooted and start up seemed normal as well. I opened Control Panel / Programs and Webroot was gone.

 

Then a Windows Popup came that said "Windows Firewall has stopped working" and referenced some files, which I have attached.

 

So far things seem ok but I'm not sure so I will start running some software.



#14 ring 0


Posted 20 May 2015 - 04:57 PM

1. Run Malwarebytes - http://www.malwarebytes.org/downloads/

 

Decline pro trial during install.

 

2. Given the firewall error, after #1, run SFC and repair anything it finds corrupt - http://pcsupport.about.com/od/toolsofthetrade/ht/sfc-scannow.htm



#15 nolaquest


Posted 20 May 2015 - 05:39 PM

Well it's not fixed yet. :mellow:

I installed and ran Malwarebytes - successfully - No Threats detected.

Went to reread the post to run SFC and got BSOD

Auto Reboot  -  Selected Safe Mode  -  Ignored and started Normally  -  BSOD

Auto Reboot  -  Selected Safe Mode  -  Started in Safe Mode

 

In Safe Mode now and currently Running SFC /Scannow

 

I will update after scannow finishes.



