BSOD when Updating WIN 10 1909 to version 20H2

Many driver verifier options do not heavily impact performance, nothing noticeable anyway. There are a few that seriously impact performance up to the point where the computer could start freezing, like Systematic low resources simulation that emulates an environment for drivers where drivers run with very little resources compared to the real environment. If a driver isn't developed to handle situations with little resources, it can impact performance significantly, even cause Windows to freeze, which is why it's an additional option. Additional options are originally designed to be used for specific drivers, not for a whole bunch of drivers. Sysnative lists some additional options as a default configuration for good reason, because they are used to find common problems in the drivers.

You can't and should not just list a random configuration for driver verifier and instruct the user to run them without knowing what they do, that doesn't help anyone.


@RobertH99, I would advise against following Zbook's suggestion for driver verifier using those options. Not only is there a significant chance of unneeded performance problems, but it's also prone to false positives. Also please answer x BlueRobot's question.
I will take your advice axe0, thanks and I did answer xBlueRobot's question.
 
I uninstalled Veracrypt then
For WDV one of the Sysnative link customized tests was missed during the latest run:
Power framework delay fuzzing

Please turn off the tool and restart with these customized settings: (run for 24 hours)

[ ] 0x00000010 I/O verification
[ ] 0x00000080 DMA checking
[ ] 0x00000200 Force pending I/O requests.
[ ] 0x00000400 IRP logging.
[ ] 0x00002000 Invariant MDL checking for stack.
[ ] 0x00004000 Invariant MDL checking for driver.
[ ] 0x00008000 Power framework delay fuzzing.
[ ] 0x00010000 Port/miniport interface checking.
[ ] 0x00040000 Systematic low resources simulation.
[ ] 0x00080000 DDI compliance checking (additional).
[ ] 0x00200000 NDIS/WIFI verification.
[ ] 0x00800000 Kernel synchronization delay fuzzing.
[ ] 0x01000000 VM switch verification.
[ ] 0x02000000 Code integrity checks.


For any BSOD run the Sysnative log collector:
https://www.sysnative.com/apps/SysnativeBSODCollectionApp.exe


The logs displayed: Av with display name "Microsoft Security Essentials" (stripped name is "Microsoft Security Essentials") has no upgrade exe dir.

It appears as a prior Windows 7 installation.

After WDV testing and before the next upgrade attempt:
1) Decrypt any Veracrypt files
2) Uninstall Veracrypt using control panel
3) Uninstall Pace Anti-Piracy using control panel
4) Run: Dism /online /get-drivers /format:table > "%userprofile%\desktop\drivers.txt"
5) If the results indicate that Veracrypt and Pace drivers were uninstalled then plan an in place upgrade repair while in clean boot
I uninstalled Veracrypt and Pace, used the pace cleanup tool, reset PC ran the attached Dism /online /get-drivers /format:table > "%userprofile%\desktop\drivers.txt" and No Veracrypt is seen but PACE Anti-Piracy, Inc. is listed :( What Now?
 


Have you checked RtsPer.sys? It was mentioned by @zbook but I didn't see any recommendation for its removal? He was referring to a different thread? To be honest, I'm quite confused what steps have been undertaken and what haven't.
 
WDV can catch drivers that had been incompletely uninstalled.

Seven customized tests were previously used without performance or boot problems.

Typically three customized tests can be run smoothly.

You have flexibility to run in any group or order.

Typically this works well to catch the unused drivers that can interfere with upgrades.

To rule out driver problems please complete the remaining customized tests in the prior post.

For each group you can post a verifier /querysettings to see the tests and drivers tested.

For Veracrypt the files should be decrypted before uninstallation of the software.

The drivers.txt displayed Pace anti-piracy drivers.

I'll work on some commands to remove them.
 
Incompletely uninstalled = installed, hence why driver verifier can catch them.

These seven settings were carefully selected by experts that have many years under the belt. They don't cause performance problems, because the settings causing performance problems are not included. Boot problems are not directly related to the settings, but more to the drivers selected (See "extra information about driver verifier" in post BSOD when Updating WIN 10 1909 to version 20H2).

Once again, I advise against following Zbook's suggestion regarding the driver verifier configuration. It has a high chance of causing unwanted performance problems randomly and I don't see why that is needed. If nobody beats me to it, I can provide a list of options that are a bit safer to use, tomorrow.
 
This is a Microsoft link on WDV that was created February 2017 and last updated April 2021:
Driver Verifier-- tracking down a mis-behaving driver. - Microsoft Community
That's just a Microsoft wiki entry which anyone can write and contribute to. I don't see how that supports your argument for using options such as Low Resources Simulation or Kernel Synchronization Delay Fuzzing. And based upon the bugchecks which have been produced so far, they're all related to illegal memory access.

@zbook you mentioned RtsPer.sys in one of your posts? Has that been followed up? You mentioned about a different thread? Could you please clarify what you mean here?
 
I have started expanding the driver verifier test in smaller chunks. So far so good, see the First 6 selections attached.
FYI: I did find the Pace Anti-Piracy, Inc. driver TPKD.sys in windows>system32>drivers
I will run verifier for a couple days and then setup another selection.
 


@zbook I would suggest reading this article about why it's not advised to use some of the options you've mentioned - https://www.sysnative.com/forums/threads/info-15-driver-verifier.31942/
Zbook doesn't have access to the guide.

Cut version of the reason: due to the nature of low resources simulation and synchronization delay fuzzing they can impact more than just the drivers being tested. Both options have the potential of crashing components unrelated to what's being tested, that is on top of the potential performance problems.


@RobertH99 please disable driver verifier, there's a chance of false positives, which means driver verifier crashes the system and flags a driver as causing problems, but that driver is not designed to handle a particular situation because it's not supposed to handle that situation.
 
RtsPer.sys was reported uninstalled and not seen using search.
It was not present in drivers.txt list of 3rd party drivers from the driver store.
It was not present in verifier reports of verified drivers.

Everything search can be used again searching for each:
RtsPer.sys
rtsper.inf
oem154.inf

If the driver appears it can be uninstalled using command line.
 
I remember a RtsUer.sys which I found in ntbtlog.txt file dated 4/27/2021
I do not see a rtsper.*
I do see a OEM154.inf in C:\windows\inf
As stated prior the tpkd.sys is in C:\windows\system32\drivers
 
I stopped the verifier and will wait for a plan. I don't know whose recommendations to follow and certainly don't want to upset anyone. I think if we could remove the files in #54 and since I uninstalled Veracrypt and Pace I could do a clean boot upgrade. I would be ok with providing anything else to help solve this mystery... Thanks for everyone's participation... Bob
 
Please run the remaining customized tests except for low resources simulation and synchronization delay fuzzing.
Post a new query.

Make a new free back up image and save the image to another disk drive or the cloud:
It's our Business to protect your data

Plan to make an update or another backup image immediately prior to the next upgrade.

The files in post #24 are missing.
Please maintain the files during the thread.
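
Added example, not part of any post in this thread: a PowerShell script that turns the checklist posted earlier into flag masks for small test groups, leaving out the two options advised against above (low resources simulation and synchronization delay fuzzing), and decodes a flags value back into option names. The bit values and names are the ones listed in the thread; the function names and the sample value are hypothetical.

```powershell
# Added example. Bit values and names are copied from the checklist posted
# earlier in this thread; function names and the sample value are hypothetical.
$Options = @(
    [pscustomobject]@{ Bit = 0x00000010; Name = 'I/O verification' }
    [pscustomobject]@{ Bit = 0x00000080; Name = 'DMA checking' }
    [pscustomobject]@{ Bit = 0x00000200; Name = 'Force pending I/O requests' }
    [pscustomobject]@{ Bit = 0x00000400; Name = 'IRP logging' }
    [pscustomobject]@{ Bit = 0x00002000; Name = 'Invariant MDL checking for stack' }
    [pscustomobject]@{ Bit = 0x00004000; Name = 'Invariant MDL checking for driver' }
    [pscustomobject]@{ Bit = 0x00008000; Name = 'Power framework delay fuzzing' }
    [pscustomobject]@{ Bit = 0x00010000; Name = 'Port/miniport interface checking' }
    [pscustomobject]@{ Bit = 0x00040000; Name = 'Systematic low resources simulation' }
    [pscustomobject]@{ Bit = 0x00080000; Name = 'DDI compliance checking (additional)' }
    [pscustomobject]@{ Bit = 0x00200000; Name = 'NDIS/WIFI verification' }
    [pscustomobject]@{ Bit = 0x00800000; Name = 'Kernel synchronization delay fuzzing' }
    [pscustomobject]@{ Bit = 0x01000000; Name = 'VM switch verification' }
    [pscustomobject]@{ Bit = 0x02000000; Name = 'Code integrity checks' }
)

# The two options the thread advises against running.
$Excluded = 0x00040000 -bor 0x00800000

function Get-VerifierBatch {
    # Split the remaining options into groups of $Size and compute one flags
    # mask per group (the hexadecimal value that verifier /flags expects).
    param([int]$Size = 3)

    $safe = @($Options | Where-Object { -not ($_.Bit -band $Excluded) })
    for ($i = 0; $i -lt $safe.Count; $i += $Size) {
        $last  = [Math]::Min($i + $Size, $safe.Count) - 1
        $group = @($safe[$i..$last])
        $mask  = 0
        foreach ($o in $group) { $mask = $mask -bor $o.Bit }
        [pscustomobject]@{
            Flags   = '0x{0:X8}' -f $mask
            Options = ($group | ForEach-Object { $_.Name }) -join '; '
        }
    }
}

function Test-VerifierFlags {
    # Decode a flags value into the checklist's option names and mark the
    # options that should be switched off before the run.
    param([int]$Flags)

    $known = 0
    foreach ($o in $Options) {
        $known = $known -bor $o.Bit
        if ($Flags -band $o.Bit) {
            [pscustomobject]@{
                Bit      = '0x{0:X8}' -f $o.Bit
                Name     = $o.Name
                Excluded = [bool]($o.Bit -band $Excluded)
            }
        }
    }
    # Bits that are set but do not appear in the thread's checklist.
    $unknown = $Flags -band (-bnot $known)
    if ($unknown) {
        Write-Warning ('Bits not on the checklist: 0x{0:X8}' -f $unknown)
    }
}

# Groups of three, as suggested in the thread.
Get-VerifierBatch -Size 3 | Format-Table -AutoSize

# Constructed sample value: contains both excluded options, one allowed
# option and one bit that is not on the checklist.
Test-VerifierFlags -Flags 0x00848001 | Format-Table -AutoSize
```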
 
For the other thread this was a portion of the setupmem.dmp


Code:
Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\aaaaaaaa\AppData\Local\Temp\Temp2_RollbackFiles.zip\RB2\Rollback\setupmem.dmp]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*c:\symbols*https://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*c:\symbols*https://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 19041 MP (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff806`0f000000 PsLoadedModuleList = 0xfffff806`0fc2a3d0
Debug session time: Sun Apr 18 19:57:58.215 2021 (UTC - 5:00)
System Uptime: 0 days 0:00:39.408
Loading Kernel Symbols
...............................................................
................................................................
...........Page 1001a8a not present in the dump file. Type ".hh dbgerr004" for details
.....................................................
................................................................
.........
Loading User Symbols

Loading unloaded module list
....................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {ffffffffc0000005, fffff8061c0f277d, fffff88fdb82f638, fffff88fdb82ee70}

*** ERROR: Module load completed but symbols could not be loaded for RtsPer.sys
Probably caused by : RtsPer.sys ( RtsPer+e277d )

Followup:     MachineOwner
---------

6: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8061c0f277d, The address that the exception occurred at
Arg3: fffff88fdb82f638, Exception Record Address
Arg4: fffff88fdb82ee70, Context Record Address

Debugging Details:
------------------


KEY_VALUES_STRING: 1


STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  19041.1.amd64fre.vb_release.191206-1406

SYSTEM_MANUFACTURER:  LENOVO

SYSTEM_PRODUCT_NAME:  20QNCTO1WW

SYSTEM_SKU:  LENOVO_MT_20QN_BU_Think_FM_ThinkPad P53

SYSTEM_VERSION:  ThinkPad P53

BIOS_VENDOR:  LENOVO

BIOS_VERSION:  N2NET43W (1.28 )

BIOS_DATE:  01/13/2021

BASEBOARD_MANUFACTURER:  LENOVO

BASEBOARD_PRODUCT:  20QNCTO1WW

BASEBOARD_VERSION:  SDK0J40697 WIN

DUMP_TYPE:  1

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff8061c0f277d

BUGCHECK_P3: fffff88fdb82f638

BUGCHECK_P4: fffff88fdb82ee70

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP:
RtsPer+e277d
fffff806`1c0f277d 418b460c        mov     eax,dword ptr [r14+0Ch]

EXCEPTION_RECORD:  fffff88fdb82f638 -- (.exr 0xfffff88fdb82f638)
ExceptionAddress: fffff8061c0f277d (RtsPer+0x00000000000e277d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffff8601b55ad00c
Attempt to read from address ffff8601b55ad00c

CONTEXT:  fffff88fdb82ee70 -- (.cxr 0xfffff88fdb82ee70)
rax=ffff8601b55ad000 rbx=fffff8061c145a00 rcx=2f0ff816fc800000
rdx=ffffd4ea753a9000 rsi=ffffb002a4a401a0 rdi=ffffb002a4a40500
rip=fffff8061c0f277d rsp=fffff88fdb82f870 rbp=0000000000000000
r8=0000007ffffffff8  r9=ffffd4ea61806d50 r10=0000000000000001
r11=ffffd4ea753a9000 r12=346dc5d63886594b r13=0000000000000000
r14=ffff8601b55ad000 r15=ffffb002a4a40100
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
RtsPer+0xe277d:
Page f0000 not present in the dump file. Type ".hh dbgerr004" for details
fffff806`1c0f277d 418b460c        mov     eax,dword ptr [r14+0Ch] ds:002b:ffff8601`b55ad00c=????????
Resetting default scope

CPU_COUNT: c

CPU_MHZ: a20

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 9e

CPU_STEPPING: d

CPU_MICROCODE: 6,9e,d,0 (F,M,S,R)  SIG: DE'00000000 (cache) DE'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

FOLLOWUP_IP:
RtsPer+e277d
fffff806`1c0f277d 418b460c        mov     eax,dword ptr [r14+0Ch]

BUGCHECK_STR:  AV

READ_ADDRESS: Unable to get offset of nt!_MI_VISIBLE_STATE.SpecialPool
Unable to get value of nt!_MI_VISIBLE_STATE.SessionSpecialPool
ffff8601b55ad00c

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffff8601b55ad00c

ANALYSIS_SESSION_HOST:  DESKTOP-9HEBUKS

ANALYSIS_SESSION_TIME:  04-20-2021 22:16:30.0045

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

LAST_CONTROL_TRANSFER:  from fffff8061c111f9e to fffff8061c0f277d

STACK_TEXT:
fffff88f`db82f870 fffff806`1c111f9e : fffff806`1c145a40 fffff806`1c145906 00000000`00000004 ffffffff`80001854 : RtsPer+0xe277d
fffff88f`db82f910 fffff806`1c0f76cc : 00000000`00000001 ffffb002`a4a40050 ffffb002`00000004 ffffb002`00000000 : RtsPer+0x101f9e
fffff88f`db82f9a0 fffff806`0f35a4c5 : ffffb002`a63f5400 ffffb002`a4a40050 ffffb002`928ef040 fffff806`1b698490 : RtsPer+0xe76cc
fffff88f`db82fa00 fffff806`0f225975 : ffffb002`a39430c0 ffffb002`a39430c0 fffff806`0f35a390 ffffb002`00000000 : nt!IopProcessWorkItem+0x135
fffff88f`db82fa70 fffff806`0f317e85 : ffffb002`a39430c0 00000000`00000080 ffffb002`9269a040 000fa56f`b19bbfff : nt!ExpWorkerThread+0x105
fffff88f`db82fb10 fffff806`0f3fd498 : fffff806`0c719180 ffffb002`a39430c0 fffff806`0f317e30 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffff88f`db82fb60 00000000`00000000 : fffff88f`db830000 fffff88f`db829000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28


THREAD_SHA1_HASH_MOD_FUNC:  ae444904fa043cc4301491973aca3661d53eb7a6

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  bcf6c41e3e8b2d806aaaaa5abf7345ddaa914663

THREAD_SHA1_HASH_MOD:  b31cbcc5afa7ab6f46c900f79e5f69329ea587cd

FAULT_INSTR_CODE:  c468b41

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  RtsPer+e277d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RtsPer

IMAGE_NAME:  RtsPer.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5e9919bb

STACK_COMMAND:  .cxr 0xfffff88fdb82ee70 ; kb

BUCKET_ID_FUNC_OFFSET:  e277d

FAILURE_BUCKET_ID:  AV_RtsPer!unknown_function

BUCKET_ID:  AV_RtsPer!unknown_function

PRIMARY_PROBLEM_CLASS:  AV_RtsPer!unknown_function

TARGET_TIME:  2021-04-19T00:57:58.000Z

OSBUILD:  19041

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID:  0

OSBUILD_TIMESTAMP:  1977-10-11 02:04:26

BUILDDATESTAMP_STR:  191206-1406

BUILDLAB_STR:  vb_release

BUILDOSVER_STR:  10.0.19041.1.amd64fre.vb_release.191206-1406

ANALYSIS_SESSION_ELAPSED_TIME:  a4c

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_rtsper!unknown_function

FAILURE_ID_HASH:  {5972166a-a6f4-1eee-ba85-d5534a099133}

Followup:     MachineOwner




(The collected logs should report whether there was or was not a setupmem.dmp)


Use: voidtools

These folders can be zipped > post multiple share links using one drive, drop box, or google drive (please keep each share link < 2 GB)

C:\$Windows.~BT\Sources\Rollback
C:\$Windows.~BT\Sources\Panther

also search for: (folders and files)

C:\Windows\inf\setupapi.dev.log
C:\Windows\Logs\CBS
C:\Windows\memory.dmp
Setupmem.dmp

Run these administrative command prompt commands > find new text files on the desktop > post share links
sfc /scannow
findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"
findstr /c:"conx" C:\$Windows.~BT\Sources\Panther\setupact.log >"%userprofile%\Desktop\Setupactdetails.txt"
Please find requested data here: Collected Logs.rar
 
1. axe0 said not to run the remaining test
2. I do a daily system image to a usb drive
3. #24 is completed
 
Collected Logs.rar
 