BSOD - shutdown and banana problems (I am going bananas)

[gyurika]

For a few days I thought I was winning the war, except had no ship to announce it from. (Bush)
Yesterday I witnessed how my rig was struggling six minutes trying to shut down. (Six min is my new 180000 msec timeout now...) It hangs with HDDs running. When I push power it shuts down, will get an event that it was not shut down correctly, and it may or may not come up with a blue screen. For the first time I saw e1rexpress and e1dexpress warnings as the last thing before shutdown Intel Gigabit and Ethernet. Will try to make Event screenshot.
The iastore.sys and ntoskrnl.exe are the usual culprit. Intel rapid is disabled. These are half of the bananas.
For those who can't have enough:
The Service control Manager in this case is for the Windows Color System failed to start... ...in a timely fashion, - and this is not true, because as I said I ratcheted to time limit to 180000 msec, and if I want to start the service manually from services, it shoots up this error window instantaneously, so most people could tell the difference between that and 6 minutes and I am one of those. I downloaded a new WCS into the registry, obviously that did not do a thing.
Also with the Perflib and Perfnet I spent what I will recall as the best time of my youth wasted. Hopefully - because I am 65, - it would have to be from the proper perspective...
So, I was looking for a "begging for help" icon, but you will just have to believe me without expressive visuals.

PS: in the instructions: perfmon/report I understand does not exist in Win 8.1. (I mean the report part.)
Thanks fellaws, George

 

[cluberti]

The problem in some of these dumps is hard to tell due to unloaded modules, but where the problems don't appear to come from the disk subsystem itself, it can clearly be seen the issue is webroot - given webroot works as a disk I/O filter driver, I'd wager this is probably the root cause and not the victim:

10: kd> !thread
GetPointerFromAddress: unable to read from fffff803e01d6000
THREAD ffffe001ca049080  Cid 01f8.06dc  Teb: 000000007ed23000 Win32Thread: 0000000000000000 RUNNING on processor a
IRP List:
    Unable to read nt!_IRP @ ffffcf80b7076a60
Not impersonating
GetUlongFromAddress: unable to read from fffff803e0123b00
Owning Process            ffffe001c9d178c0       Image:         WRSA.exe
Attached Process          N/A            Image:         N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount      1951         
Context Switch Count      2              IdealProcessor: 10             
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x0000000000aca9d0
Stack Init ffffd0002197ac90 Current ffffd0002197a5a0
Base ffffd0002197b000 Limit ffffd00021975000 Call 0
Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
ffffd000`21978f58 fffff803`dffd33e9 : 00000000`0000003b 00000000`80000003 fffff803`dffce4d8 ffffd000`21979810 : nt!KeBugCheckEx
ffffd000`21978f60 fffff803`dffd2cfc : 00000000`00000000 fffff803`dffba683 ffffd000`2197ab00 fffff803`dfeeb2d7 : nt!KiBugCheckDispatch+0x69
ffffd000`219790a0 fffff803`dffceded : ffffd000`21979810 00000000`00000000 ffffd000`2197a008 ffffd000`21979210 : nt!KiSystemServiceHandler+0x7c
ffffd000`219790e0 fffff803`dfeeb01d : 00000000`00000001 fffff803`dfe79000 ffffd000`2197a001 00000011`00000000 : nt!RtlpExecuteHandlerForException+0xd
ffffd000`21979110 fffff803`dfeef3de : ffffd000`2197a008 ffffd000`21979d10 ffffd000`2197a008 00000000`0000002f : nt!RtlDispatchException+0x1a5
ffffd000`219797e0 fffff803`dffd34c2 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd000`2197a180 : nt!KiDispatchException+0x646
ffffd000`21979ed0 fffff803`dffd2b33 : ffffd000`2197a181 00000000`00000000 00000000`21970100 6f6e2064`00000042 : nt!KiExceptionDispatch+0xc2
ffffd000`2197a0b0 fffff803`dffce4d8 : fffff803`e008a4d1 ffffd000`2197a3a0 fffff803`dfef2b70 fffff801`af93ea80 : nt!KiDebugServiceTrap+0xf3 (TrapFrame @ ffffd000`2197a0b0)
ffffd000`2197a248 fffff803`e008a4d1 : ffffd000`2197a3a0 fffff803`dfef2b70 fffff801`af93ea80 ffffe001`c6ea6000 : nt!DebugPrompt+0x18
ffffd000`2197a250 fffff801`af968ae2 : fffff801`af93ea80 ffffe001`c6ea6000 fffff801`af968060 00000000`00000007 : nt!DbgPrompt+0x35
ffffd000`2197a2a0 fffff801`af968c7c : 00000000`00000029 ffffe001`c6ebc530 ffffe001`bf0eefa0 fffff801`af9378f8 : fltmgr!FltpvPrintErrors+0x14e
ffffd000`2197a510 fffff801`af96b1a6 : 00000000`00000000 ffffc000`95be12b0 fffff801`af91a000 ffffe001`c6ea6010 : fltmgr!FltpvUnlinkResourceFromFilter+0x104
ffffd000`2197a560 fffff801`af9bb043 : ffffc000`95be1268 fffff801`af91f945 00000000`00000001 fffff803`dfed025a : fltmgr!FltvReleaseContext+0x1b
ffffd000`2197a590 ffffc000`95be1268 : fffff801`af91f945 00000000`00000001 fffff803`dfed025a ffffc000`95be1250 : WRkrn+0x4043
ffffd000`2197a598 fffff801`af91f945 : 00000000`00000001 fffff803`dfed025a ffffc000`95be1250 fffff801`af923b21 : 0xffffc000`95be1268
ffffd000`2197a5a0 fffff801`af9468c5 : 00000000`00000000 fffff801`af91a000 00000000`00000000 ffffc000`95be1268 : fltmgr!TreeUnlinkMulti+0x113
ffffd000`2197a5f0 fffff801`af91c4b2 : ffffe001`c9fdfca0 ffffd000`2197a6c9 ffffe001`c9cc6620 ffffe001`c49f92a0 : fltmgr!FltpDeleteContextList+0xb5
ffffd000`2197a620 fffff801`af91d5ac : ffffd000`2197a830 fffff803`e0240600 00000000`00000000 00000000`00000002 : fltmgr!FltpPerformPreCallbacks+0x712
ffffd000`2197a730 fffff801`af91b5ce : ffffe001`ca058010 ffffd000`2197a7a0 ffffcf80`b7076f68 00000000`00000000 : fltmgr!FltpPassThroughInternal+0x8c
ffffd000`2197a760 fffff801`af91b0aa : ffffe001`c49f8830 00000000`00000002 ffffcf80`b7076a60 ffffe001`c6fadde0 : fltmgr!FltpPassThrough+0x2be
ffffd000`2197a810 fffff803`e04ec911 : ffffcf80`b7076a60 00000000`00000002 00000000`00000001 fffff803`dff07501 : fltmgr!FltpDispatch+0x9a
ffffd000`2197a870 fffff803`e02406b8 : ffffe001`c9fdfca0 ffffe001`c49fa030 ffffcf80`b7076a60 ffffe001`c6fadd40 : nt!IovCallDriver+0x3cd
ffffd000`2197a8c0 fffff803`e024451c : 00000000`00000000 ffffe001`c9fdfca0 ffffe001`bc2879a0 ffffe001`c9fdfc70 : nt!IopDeleteFile+0x128
ffffd000`2197a940 fffff803`dfed244f : 00000000`00000000 ffffd000`2197aa99 ffffe001`c9fdfca0 ffffe001`c9fdfc70 : nt!ObpRemoveObjectRoutine+0x64
ffffd000`2197a9a0 fffff803`e023f995 : ffffe001`bc2879a0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ObfDereferenceObjectWithTag+0x8f
ffffd000`2197a9e0 fffff803`dffd30b3 : 00000000`00000008 00000000`000006e4 00000000`044cfdb0 00000000`0450fcfc : nt!NtClose+0x205
ffffd000`2197ab00 00000000`77ad2352 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`2197ab00)
00000000`044ced78 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77ad2352



10: kd> lmvm WRkrn
start             end                 module name
fffff801`af9b7000 fffff801`af9d6000   WRkrn    T (no symbols)           
    Loaded symbol image file: WRkrn.sys
    Image path: \SystemRoot\System32\drivers\WRkrn.sys
    Image name: WRkrn.sys
    Timestamp:        Wed Jul 22 08:20:08 2015 (55AFB4A8)
    CheckSum:         0002B71A
    ImageSize:        0001F000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Webroot's own forums have (unsolved, I might add) posts about this particular driver causing bugchecks going back to 2012 - if you completely uninstall and remove WebRoot, does the problem persist? Given the behaviors your describe, the only thing in common would be a filter driver, and this most certainly is a filter driver causing an exception in the filter manager subsystem at times...

 

[MichaelB]

Moin,
the reason might be overclocking among suspected drivers loaded

[CPU Information]
~MHz = REG_DWORD 4250
Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
Identifier = REG_SZ Intel64 Family 6 Model 63 Stepping 2
ProcessorNameString = REG_SZ Intel(R) Core(TM) i7-5930K CPU @ 3.50GHz
Update Status = REG_DWORD 0
VendorIdentifier = REG_SZ GenuineIntel
MSR8B = REG_QWORD 2e00000000

Processor may be overclocked!
Expected Frequency: 3500
Actual Frequency: 4250
Overclock Ratio: 1.21

DRIVER_POWER_STATE_FAILURE (9f)
found in 122915-24031-01.dmp

and this
fffff800`45b47000 fffff800`45b50000 CorsairVHidDriver CorsairVHidDriver.sys Wed May 06 15:10:41 2015 (554A12D1)

isn't the best Idea too
something to fix i think.

regards
Michael

 

[cluberti]

Good catch - the i7 5930K turbos up to 3.7GHz, not 4.25GHz. There's a fairly interesting overclock going on here as that's a pretty aggressive overclock for that part if voltage isn't being regulated properly (at least).