[SOLVED] [8.1 x64] 0x50 memory_corruption: A strange recurring BSOD issue

Re: A strange recurring BSOD issue

It appears to be the same dump file?

I'm not sure what happened to my other post?!
 
Re: [Win8.1 x64] 0x50 memory_corruption: A strange recurring BSOD issue

Ran Memtest, passed, ran DV passed, SeaTools didn't detect the HDD, although it's seen in the BIOS, in my Computer and I can copy data from and to it without issues.
I've got a CI.dll is missing or corrupt error on startup. Rebooted fine. Ran TDSS Killer to check for rootkits - clean.
 
Re: [Win8.1 x64] 0x50 memory_corruption: A strange recurring BSOD issue

Could you run driver verifier again to see if it flags anything else.

The minidump looks a bit empty to me at first glance, though I'm not really familiar with those arguments.
 
Re: [Win8.1 x64] 0x50 memory_corruption: A strange recurring BSOD issue

Code:
BugCheck 109, {a3a00f58b57525a0, b3b71bdf07f45b43, fffff8011bbc8290, 1}

Probably caused by : memory_corruption

The only useful parameter of this bugcheck is the fourth parameter which reveals which structure has become corrupt. A parameter value of 0x1 indicates that a function has been modified in some manner, or the .pdata section of a binary has become corrupt. I believe that .pdata is used with stack unwinding in some way? We might explain why there isn't a call stack with this dump.

I forgot to mention that this bugcheck is triggered by Windows PatchGuard.

The third parameter indicates the function that has been modified:

Code:
0: kd> ln fffff8011bbc8290

(fffff801`1bbc8290)   Ntfs!NtfsReadMftRecord   |  (fffff801`1bbd72a0)   Ntfs!NtfsCheckFileRecord
Exact matches:
    Ntfs!NtfsReadMftRecord (void)

Let's run !chkimg:

Code:
0: kd> !chkimg !ntfs
1 error : !ntfs (fffff8011bbc84a7)

Notice how !chkimg raises an error with the ntfs! module? That's because the function has been modified and doesn't match the version in the Microsoft symbol store.

Here's the corrupt version of the function:

Code:
0: kd> u Ntfs!NtfsReadMftRecord+212
Ntfs!NtfsReadMftRecord+0x210:
fffff801`1bbc84a2 0090488b5c2c    add     byte ptr [rax+2C5C8B48h],dl
fffff801`1bbc84a8 684885db74      push    74DB8548h
fffff801`1bbc84ad 07              ???
fffff801`1bbc84ae 816304fffeffff  and     dword ptr [rbx+4],0FFFFFEFFh
fffff801`1bbc84b5 b001            mov     al,1
fffff801`1bbc84b7 88442441        mov     byte ptr [rsp+41h],al
fffff801`1bbc84bb 488b7c2450      mov     rdi,qword ptr [rsp+50h]
fffff801`1bbc84c0 488bb42480000000 mov     rsi,qword ptr [rsp+80h]

Here is the correct version according to the debugger:

Code:
0: kd> !chkimg -f !ntfs
Warning: Any detected errors will be fixed to what we expect!
1 error (fixed): !ntfs (fffff8011bbc84a7)

Code:
0: kd> u Ntfs!NtfsReadMftRecord+212
Ntfs!NtfsReadMftRecord+0x210:
fffff801`1bbc84a2 0090488b5c24    add     byte ptr [rax+245C8B48h],dl
fffff801`1bbc84a8 684885db74      push    74DB8548h
fffff801`1bbc84ad 07              ???
fffff801`1bbc84ae 816304fffeffff  and     dword ptr [rbx+4],0FFFFFEFFh
fffff801`1bbc84b5 b001            mov     al,1
fffff801`1bbc84b7 88442441        mov     byte ptr [rsp+41h],al
fffff801`1bbc84bb 488b7c2450      mov     rdi,qword ptr [rsp+50h]
fffff801`1bbc84c0 488bb42480000000 mov     rsi,qword ptr [rsp+80h]

Have you run SFC?
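
An added example, not part of the original post: the two `u` listings above can be diffed byte by byte to confirm the address `!chkimg` reported and to see how many bits actually changed. The function names and the `classify` triage heuristic are assumptions made for this illustration.

```python
import re

# First two disassembly lines copied from the two `u` listings in the post
# above: the in-memory (corrupt) copy and the copy after `!chkimg -f`.
IN_MEMORY = """\
fffff801`1bbc84a2 0090488b5c2c    add     byte ptr [rax+2C5C8B48h],dl
fffff801`1bbc84a8 684885db74      push    74DB8548h
"""
EXPECTED = """\
fffff801`1bbc84a2 0090488b5c24    add     byte ptr [rax+245C8B48h],dl
fffff801`1bbc84a8 684885db74      push    74DB8548h
"""

# WinDbg prints 64-bit addresses as two 8-digit halves joined by a backtick.
LINE = re.compile(r"^([0-9a-f]{8})`([0-9a-f]{8})\s+([0-9a-f]+)\s", re.I)

def parse_u(listing):
    """Map each byte address to its value from WinDbg `u` output."""
    image = {}
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header lines such as "Ntfs!NtfsReadMftRecord+0x210:"
        base = int(m.group(1) + m.group(2), 16)
        for i, b in enumerate(bytes.fromhex(m.group(3))):
            image[base + i] = b
    return image

def diff_listings(in_memory, expected):
    """Return [(address, memory_byte, expected_byte, xor_mask)] for mismatches."""
    mem, exp = parse_u(in_memory), parse_u(expected)
    return [(a, mem[a], exp[a], mem[a] ^ exp[a])
            for a in sorted(mem.keys() & exp.keys()) if mem[a] != exp[a]]

def classify(diffs):
    """Triage heuristic (an assumption, not proof): a single flipped bit in
    total resembles a memory error; wider changes resemble a code patch."""
    flipped = sum(bin(mask).count("1") for _, _, _, mask in diffs)
    if flipped == 0:
        return "match"
    return "single-bit flip" if flipped == 1 else "multi-bit change"

if __name__ == "__main__":
    diffs = diff_listings(IN_MEMORY, EXPECTED)
    for addr, got, want, mask in diffs:
        print(f"{addr:016x}: memory={got:02x} expected={want:02x} xor={mask:02x}")
    print(classify(diffs))
```

The one mismatching byte sits at the address `!chkimg` flagged, and the two values differ in exactly one bit.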
 
Re: [Win8.1 x64] 0x50 memory_corruption: A strange recurring BSOD issue

At least there is consistency with the crashes, however, Stop 0x109's don't contain much information at all! Does the system crash in Safe Mode?
 
Re: [Win8.1 x64] 0x50 memory_corruption: A strange recurring BSOD issue

That's the thing I cannot test. It's one of the computers I use for work and I cannot use it in Safe Mode for a week or more to see if it will crash, since it crashes every week or so under light loads when used normally.
A few hours I did test in Safe Mode, everything worked brilliantly.
 
Re: [Win8.1 x64] 0x50 memory_corruption: A strange recurring BSOD issue

Unfortunately, the only thing that I would suggest at the moment, is to continue to use the system with Driver Verifier.
 
Re: [Win8.1 x64] 0x50 memory_corruption: A strange recurring BSOD issue

That's what I'm doing :) Thank you for your support, I started analyzing BSODs 5 years ago and I know how frustrating it can be.
 
Re: [Win8.1 x64] 0x50 memory_corruption: A strange recurring BSOD issue

Hi all,

From the first dump I had the "feeling" it has something to do with NTFS & Filesystem, so I followed another approach.
Beside the steps of xBlueRobot I was able to follow also and via pde & !dpx
Code:
0: kd> !dpx
Start memory scan  : 0xfffff803ea881188 ($csp)
End memory scan    : 0xfffff803ea883000 (Kernel Stack Base)

0xfffff803ea8811a8 : 0xfffff8011bbc8290 : Ntfs!NtfsReadMftRecord // ln fffff8011bbc8290
0xfffff803ea882d80 : 0xfffff803e9189000 : "nt!BcpCursor <PERF> (nt+0x311000)"
0xfffff803ea882d88 : 0xfffff803e8e78000 : "nt!_guard_check_icall_fptr <PERF> (nt+0x0)"

I also examined all available dumps for unloaded modules and found magdrvamd64.sys multiple times loaded before.
The only driver I found in every dump.
This dump shows in WinDbg too

Code:
Unloaded modules:
fffff801`1dfe8000 fffff801`1dfef000   magdrvamd64.
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00007000
fffff801`1dee1000 fffff801`1dee8000   magdrvamd64.
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00007000
fffff801`1deda000 fffff801`1dee1000   magdrvamd64. // overlapping?
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00007000
fffff801`1deda000 fffff801`1dee6000   hiber_storpo
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000C000

Samsung's Magician however was not found within installed software, or did I miss it?
In Safe Mode this one might not be loaded, so I would uninstall Magician if indeed installed or wipe / get rid of the deadly rest.
 
