[SOLVED] Need help with random BSOD's (Packard Bell EasyNote ML61)

fancypants

Hello!

I got help resolving an earlier issue with this laptop a while back (thanks tom982 and niemiro), so I thought I might as well ask and see if there is a solution for the BSOD problems I've been having lately.

So, I'm having trouble with random BSODs. I can't see any pattern to them other than that they seem a lot more frequent after I "wake up" my laptop after it has been asleep for a longer time.

I have read the posting instructions at https://www.sysnative.com/forums/bs...structions-windows-8-7-and-windows-vista.html. However, when I run Jcgriff2's program I get caught in an endless loop of "Waiting for SystemInfo" when it is close to the end. I will attach what the "griff report" has collected up to that point and the perfmon report.

View attachment griff&perfmon.rar

Below is the system information:
OS: Windows 7 Professional N, 64 bit
Original OS: I believe it was Windows Vista
Is the OS an OEM version? No, I got it from MSDNAA so it is full retail.
Age of system? Not 100% sure, but I would say 5-6 years old.
Age of OS installation? Roughly 1 year.

CPU: AMD Athlon 64 X2 QL-60
Video Card: ATI Mobility Radeon 3400

System Manufacturer: Packard Bell
Exact Model Number: EasyNote ML61

I hope the information is conclusive.

Best regards
Fancypants

PS. I did some research before I posted and saw you advise against using IObit's software because it's a bit aggressive. I have had it running since the reinstallation of Windows, just so you know. DS.
 
Could you please upload the dump files manually? I would prefer Kernel Memory dumps, because we can gather much more information from them. Minidumps only reliably contain registers and a stack trace of the last saved context, which is usually right before the crash.

They should be located in this directory:

Code:
C:\Windows\MEMORY.DMP

Compress the files and then place into a zipped folder, and upload to a file sharing site such as Dropbox or Skydrive. Then post the URL to the files.

Please remove IObit, since it tends to cause problems. I've seen it cause BSODs too.
 
Hey Bluerobot,

Thank you for the quick reply.

Sure thing! I zipped and uploaded the memory.dmp file and it is available at the link below.
https://dl.dropboxusercontent.com/u/88512428/MEMORY.rar

Also, I removed any IObit programs I had installed. I don't want to be cheeky, but do you have any recommendations on what program to use for cleaning the registry and scanning for malware, instead of IObit?

Cheers
/Fancypants
 
I'm downloading the dump now. It usually downloads rather fast as I have FiOS, although it appears to be taking a bit... ~25 minutes? Must be having server trouble over at DB. I'm sure BlueRobot will have a few additions aside from my analysis as well regardless.

"I don't want to be cheeky, but do you have any recommendations on what program to use for cleaning the registry and scanning for malware, instead of IObit?"

Don't clean the registry, period.

First off, one big thing about registry cleaning is it is by no means and should not be a computer maintenance task. Clearing your browser's cache and cookies every week? Great, no harm there. Running your favorite registry cleaner every week? NOT GREAT.

If we're being honest and straightforward here, cleaning the registry is an entirely unnecessary thing to do. So far, what I've said makes it sound like I despise registry cleaners. Do I? No, I don't despise them, but as I said, they are unnecessary and if used carelessly can render your Operating System a paperweight.

So why would you even use a registry cleaner in the first place? Well, they have to do something right or they wouldn't even be allowed to be sold (if paid for) or if they were free (CCleaner for example) there would be a huge backlash, more than what there already is in IT with regards to opinions based on registry cleaners.
Registry cleaning software is useful mainly for one thing, and it can be done very well depending on the algorithm the cleaner software itself is using, and that's removing remnants of old uninstalled software or entries with now invalid path names. At times, it can also possibly be useful for removing traces of malware that may have been stored in the registry that was not successfully removed after running a virus scan, etc.

Other than that, it's not going to do anything. It will not increase your system's performance by any means whatsoever. Nothing noticeable. A 'smaller registry' in theory would have one assume that things load faster, etc, but in reality there is no performance difference whatsoever.

For reference, take a look at this:

Mark Russinovich (Author of the "Bible", Windows Internals, co-founder of Winternals and Sysinternals, and since both companies were bought by Microsoft, now a senior Microsoft employee) was asked:

Hi Mark, do you really think that Registry junk left by uninstalled programs could severely slow down the computer? I would like to 'hear' your opinion.

His reply:

No, even if the registry was massively bloated there would be little impact on the performance of anything other than exhaustive searches.

On Win2K Terminal Server systems, however, there is a limit on the total amount of Registry data that can be loaded and so large profile hives can limit the number of users that can be logged on simultaneously.

I haven't and never will implement a Registry cleaner since it's of little practical use on anything other than Win2K terminal servers and developing one that's both safe and effective requires a huge amount of application-specific knowledge.

So, to sum all of this up:

Q: Will using a registry cleaner increase the speed and/or performance of my system?

A: No.

----

Q: Why would I even use a registry cleaner then?

A: I personally wouldn't use one whatsoever and would find the problem you're specifically having and take care of it manually. That is much safer. However, the main use of registry cleaners is to again as stated above, remove remnants of old uninstalled software or entries with now invalid path names. At times, it can also possibly be useful for removing traces of malware that may have been stored in the registry that was not successfully removed after running a virus scan, etc.

----

Q: What is the true danger of using a registry cleaner?

A: You have to remember what you're using is an automated tool that is not perfect by any means. You are putting your trust in an automated tool to be absolutely sure every key it is about to delete is 100% unnecessary. At times, and I have seen it personally myself PLENTY, it can delete a very important key that is necessary to the functionality of your Operating System in some form or another.

----

Q: What if my registry is corrupt, will running a registry cleaner help?

A: Absolutely not.

------------------------------------------------------------------

As for malware, use a secondary scanner such as Malwarebytes.

Be sure to uncheck the 'Pro-Trial' during install.

Regards,

Patrick
 
Well, no more registry cleaners from now on then.
I've just used it because I've been told it's good for "maintenance" and it made me feel like a responsible person. Now I know better... Thanks :D

/Fancypants

PS. I gotta go to bed, but I'll check in tomorrow again. I really appreciate the help. DS.
 
No problem! The MEMORY.dmp is all finished.

It's of the MEMORY_MANAGEMENT (1a) bug check.

This indicates that a severe memory management error occurred.

BugCheck 1A, {411, fffff680001700a0, c001fad2, fffff68000002099}

The 1st parameter of the bug check is 411 which indicates that a page table entry (PTE) has been corrupted. If we view the data structure for the PFN database:

Code:
1: kd> dt nt!_MMPFN fffff680001700a0
   +0x000 u1               : <unnamed-tag>
   +0x008 u2               : <unnamed-tag>
   +0x010 PteAddress       : (null) 
   +0x010 VolatilePteAddress : (null) 
   +0x010 Lock             : 0n0
   +0x010 PteLong          : 0
   +0x018 u3               : <unnamed-tag>
   +0x01c UsedPageTableEntries : 0

We can see that UsedPageTableEntries has dropped to 0. We are likely with this said dealing with a device driver issue and may need the use of Driver Verifier with Special Pool to further analyze this. Before doing so however, let's tackle some things:

1. Remove and replace avast! with Microsoft Security Essentials for temporary troubleshooting purposes:

avast! removal tool - avast! Uninstall Utility | Download aswClear for avast! Removal

MSE - Microsoft Security Essentials - Microsoft Windows

2. In your loaded drivers list, dtsoftbus01.sys is listed which is the Daemon Tools driver. Daemon Tools is a very popular cause of BSODs in 7/8 based systems. Please uninstall Daemon Tools. Alternative imaging programs are: MagicISO, Power ISO, etc.

3. regfilter.sys is still listed and loaded in your modules list at the time of this crash. This is a component of IObit (the registry part, of course). Was this a crash BEFORE you removed IObit? If so, no worries. If not however, this may still be problematic given you've removed IObit and this is loaded. If this is the case, navigate to C:\Windows\System32\Drivers. Once there, find and rename regfilter.sys to regfilter.old and restart the system.

-- Also, I am going to note now that BlueRobot likely detected the issue at hand with his IObit removal recommendation. IObit was likely conflicting with avast! and causing corruption.

Regards,

Patrick
 
Code:
BugCheck 1A, {411, fffff680001700a0, c001fad2, fffff68000002099}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+6071 )

As Patrick has said, the bugcheck indicates a corrupted PTE. Parameter 2 contains the address of the corrupt PTE.

Code:
1: kd> !pte fffff680001700a0
                                           VA 000000002e014000
PXE at FFFFF6FB7DBED000    PPE at FFFFF6FB7DA00000    PDE at FFFFF6FB40000B80    PTE at FFFFF680001700A0
contains 63700000803C0867  contains 35D000008350B867  contains 16A000001F4A1867  contains 00000000C001FAD2
pfn 803c0     ---DA--UWEV  pfn 8350b     ---DA--UWEV  pfn 1f4a1     ---DA--UWEV  not valid
                                                                                  Transition: c001f
                                                                                  Protect: 16 - ReadWriteExecute G

The PTE not being valid indicates it doesn't have a corresponding physical page resident in memory. The page protection flags indicate that the page is writable, readable and executable, and as a result no access violations should apply to this page. The PTE Protection Bit G indicates that the page is Global, and can be accessed by all processes, meaning that any page translation would apply to all the processes using that page. I believe the page is either on a Standby or a Modified list, hence the reason for the Transition.

Code:
1: kd> knL
 # Child-SP          RetAddr           Call Site
00 fffff880`0be00238 fffff800`02c60c4d nt!KeBugCheckEx
01 fffff880`0be00240 fffff800`02c79b4d nt! ?? ::FNODOBFM::`string'+0x6071
02 fffff880`0be00290 fffff800`02c71142 nt!MiDecommitPages+0x36d
03 fffff880`0be00b20 fffff800`02c83e53 nt!NtFreeVirtualMemory+0x382
04 fffff880`0be00c20 00000000`76f2149a nt!KiSystemServiceCopyEnd+0x13
05 00000000`03cdf308 00000000`00000000 0x76f2149a

I believe the crash occurred at Stack Frame 3, since a page has been decommitted from a virtual address space of a space, even though it wasn't committed to begin with.

Code:
1: kd> lmvm atikmdag

start             end                 module name
fffff880`0724a000 fffff880`07dfd000   atikmdag   (no symbols)           
    Loaded symbol image file: atikmdag.sys
    Image path: \SystemRoot\system32\DRIVERS\atikmdag.sys
    Image name: atikmdag.sys
    Timestamp:        Fri Nov 16 20:18:02 2012 (50A69F7A)
    CheckSum:         00B65E3C
    ImageSize:        00BB3000
    File version:     8.1.1.1248
    Product version:  8.1.1.1248
    File flags:       8 (Mask 3F) Private
    File OS:          40004 NT Win32
    File type:        3.4 Driver
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Advanced Micro Devices, Inc.
    ProductName:      ATI Radeon Family
    InternalName:     atikmdag.sys
    OriginalFilename: atikmdag.sys
    ProductVersion:   8.01.01.1248
    FileVersion:      8.01.01.1248
    FileDescription:  ATI Radeon Kernel Mode Driver
    LegalCopyright:   Copyright (C) 1998-2011 Advanced Micro Devices, Inc.

Please update your AMD graphics card driver to the latest WHQL (November 18th - 13.10) version from here - Download
 
Wow. Memory management and page table entries are not even part of my vocabulary, so I'll just nod and be quiet to avoid looking like a fool.

The last BSOD occurred before I removed the IObit programs.

I've gone through these steps so far:
Avast removed - check
MSE installed - check
Daemon Tools removed - check
IObit programs removed - check

About the AMD drivers though. I can't get the 13.10 version from November 18th, 2013. The latest version I can get for my video card from the AMD page is the 13.9 legacy drivers from November 15th, 2013.
Another question about installing drivers - do I simply install it "over" the old one, or do I remove the old one and install it in safe mode?

/Fancypants
 
I went ahead and just installed the AMD drivers without doing any fancy removal stuff beforehand.

Got 2 installation errors in the process. First one was the AMD Drag and Drop Transcoding module, the second was the AMD Media Foundation Decoders module. I don't know if this has any significance at all for what we are doing, but I'll attach the installation log below if you should want to take a look at it.

View attachment Catalyst.pdf

/Fancy
 
It seems that the reason of the crash is that the PteAddress member of the PFN entry (FFFFF68000002098 with the lowest two bits cleared) is not equal to the PTE address FFFFF680001700A0. Someone has overwritten the low dword of the PteAddress variable.

Code:
1: kd> .bugcheck
Bugcheck code 0000001A
Arguments 00000000`00000411 fffff680`001700a0 00000000`c001fad2 fffff680`00002099

Code:
1: kd> r
rax=fffff68000002098 rbx=00000000c001fad2 rcx=000000000000001a
rdx=0000000000000411 rsi=fffff680001700a0 rdi=fffffa80024005d0
rip=fffff80002c84bc0 rsp=fffff8800be00238 rbp=fffff680001700a0
 r8=fffff680001700a0  r9=00000000c001fad2 r10=ffffffffffffffff
r11=0000000000000011 r12=fffff8800be00b20 r13=0000000000000000
r14=fffffa8006689060 r15=fffff680001b7378
iopl=0         nv up ei ng nz na pe cy
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000283
nt!KeBugCheckEx:
fffff800`02c84bc0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff880`0be00240=1a00000000000000

Code:
nt!MiLockTransitionLeafPage+0x91:
fffff800`02cb5879 45882c24        mov     byte ptr [r12],r13b
fffff800`02cb587d 488b06          mov     rax,qword ptr [rsi]
fffff800`02cb5880 483bc3          cmp     rax,rbx
fffff800`02cb5883 0f8587b3faff    jne     nt! ?? ::FNODOBFM::`string'+0x6034 (fffff800`02c60c10)

nt!MiLockTransitionLeafPage+0xa1:
fffff800`02cb5889 488b4f10        mov     rcx,qword ptr [rdi+10h]
fffff800`02cb588d 488bc1          mov     rax,rcx
fffff800`02cb5890 4883e0fc        and     rax,0FFFFFFFFFFFFFFFCh // clear two lowest bits
fffff800`02cb5894 483bc6          cmp     rax,rsi
fffff800`02cb5897 0f8596b3faff    jne     nt! ?? ::FNODOBFM::`string'+0x6057 (fffff800`02c60c33) // jump to the crash if not equal

nt! ?? ::FNODOBFM::`string'+0x6057:
fffff800`02c60c33 48894c2420      mov     qword ptr [rsp+20h],rcx // bugcheck parameter 4
fffff800`02c60c38 4c8bcb          mov     r9,rbx // bugcheck parameter 3
fffff800`02c60c3b 4c8bc6          mov     r8,rsi // bugcheck parameter 2
fffff800`02c60c3e b91a000000      mov     ecx,1Ah // bugcheck code MEMORY_MANAGEMENT
fffff800`02c60c43 ba11040000      mov     edx,411h // bugcheck parameter 1
fffff800`02c60c48 e8733f0200      call    nt!KeBugCheckEx (fffff800`02c84bc0)
fffff800`02c60c4d cc              int     3

RSI is the PTE address (the documented bugcheck parameter 2).
Code:
1: kd> !pte @rsi
                                           VA 000000002e014000
PXE at FFFFF6FB7DBED000    PPE at FFFFF6FB7DA00000    PDE at FFFFF6FB40000B80    PTE at FFFFF680001700A0
contains 63700000803C0867  contains 35D000008350B867  contains 16A000001F4A1867  contains 00000000C001FAD2
pfn 803c0     ---DA--UWEV  pfn 8350b     ---DA--UWEV  pfn 1f4a1     ---DA--UWEV  not valid
                                                                                  Transition: c001f
                                                                                  Protect: 16 - ReadWriteExecute G

RDI is the corresponding PFN entry address, and RDI+10h is the PteAddress member (the undocumented bugcheck parameter 4). RAX is the PteAddress with the two lowest bits cleared.
Code:
1: kd> !pfn @rdi
    PFN 000C001F at address FFFFFA80024005D0
    flink       00001D42  blink / share count 00000001  pteaddress FFFFF68000002099
    reference count 0001    used entry count  0000      Cached    color 0   Priority 3
    restore pte 2B21500000080  containing page        0C6377  Active             
                   
1: kd> dt nt!_MMPFN @rdi
   +0x000 u1               : <unnamed-tag>
   +0x008 u2               : <unnamed-tag>
   +0x010 PteAddress       : 0xfffff680`00002099 _MMPTE
   +0x010 VolatilePteAddress : 0xfffff680`00002099 Void
   +0x010 Lock             : 0n8345
   +0x010 PteLong          : 0xfffff680`00002099
   +0x018 u3               : <unnamed-tag>
   +0x01c UsedPageTableEntries : 0
   +0x01e VaType           : 0 ''
   +0x01f ViewCount        : 0 ''
   +0x020 OriginalPte      : _MMPTE
   +0x020 AweReferenceCount : 0n128
   +0x028 u4               : <unnamed-tag>
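
The arithmetic behind the !pte, !pfn and bugcheck values in the post above, as an added example that is not part of the original thread or any poster's code. The base addresses and entry size are assumptions for Windows 7 x64 (they reproduce the addresses shown in this dump), and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed Windows 7 x64 layout; consistent with the addresses in this dump. */
#define PTE_BASE    0xFFFFF68000000000ULL  /* start of the PTE self-map */
#define PFN_DB_BASE 0xFFFFFA8000000000ULL  /* start of the PFN database */
#define MMPFN_SIZE  0x30ULL                /* size of one nt!_MMPFN entry */

typedef struct {
    int valid, prototype, transition;
    unsigned protection;  /* 5-bit protection code shown as "Protect:" */
    uint64_t pfn;         /* page frame number shown as "Transition:" */
} pte_fields;

/* Decode a not-valid PTE in the transition format. */
pte_fields decode_pte(uint64_t pte) {
    pte_fields f;
    f.valid      = (int)(pte & 1);
    f.protection = (unsigned)((pte >> 5) & 0x1F);
    f.prototype  = (int)((pte >> 10) & 1);
    f.transition = (int)((pte >> 11) & 1);
    f.pfn        = (pte >> 12) & 0xFFFFFFFFFULL;
    return f;
}

/* Virtual address mapped by the PTE at pte_addr (lower-half addresses only;
   kernel addresses would also need sign extension). */
uint64_t va_from_pte_addr(uint64_t pte_addr) {
    return ((pte_addr - PTE_BASE) >> 3) << 12;
}

/* Address of the _MMPFN entry describing page frame pfn. */
uint64_t pfn_entry_addr(uint64_t pfn) {
    return PFN_DB_BASE + pfn * MMPFN_SIZE;
}

/* The check at nt!MiLockTransitionLeafPage+0xa1: PteAddress with its two
   lowest bits cleared must equal the PTE address. Returns 0 when they agree,
   otherwise the XOR, which shows exactly which bits differ. */
uint64_t pteaddress_mismatch(uint64_t pfn_pteaddress, uint64_t pte_addr) {
    return (pfn_pteaddress & ~3ULL) ^ pte_addr;
}

int main(void) {
    /* Bugcheck 1A arguments 2, 3 and 4, copied from this thread. */
    uint64_t pte_addr = 0xFFFFF680001700A0ULL;
    uint64_t pte_val  = 0x00000000C001FAD2ULL;
    uint64_t pteaddr  = 0xFFFFF68000002099ULL;
    pte_fields f = decode_pte(pte_val);
    uint64_t diff = pteaddress_mismatch(pteaddr, pte_addr);

    printf("VA %llx  valid=%d transition=%d protect=%x pfn=%llx\n",
           (unsigned long long)va_from_pte_addr(pte_addr),
           f.valid, f.transition, f.protection, (unsigned long long)f.pfn);
    printf("PFN entry at %llx\n", (unsigned long long)pfn_entry_addr(f.pfn));
    printf("differing bits %016llx, high dword %s\n", (unsigned long long)diff,
           (diff >> 32) == 0 ? "intact" : "differs");
    return 0;
}
```

The XOR is confined to the low 32 bits, which is what "overwritten the low dword" means in the post above.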
 
Remove the old drivers in Safe Mode, and then reboot into Windows normally. A generic Windows display driver should be installed. During the installation of the AMD graphics card driver, you should have the option to install only the driver.
 
Disaster and misery :(

I can't even uninstall the AMD drivers, not in safe mode nor regular mode. I can click "repair" though, but that does nothing.

Does this have to do with me installing the drivers the wrong way or with the BSOD problem?

/Fancy
 
Why can't you uninstall the drivers? Do you get any error messages?

Open up Device Manager, and then go to the Display Adapters tab, expand it when clicking the small triangle, and then right-click the name of your graphics card. Do you have the same options as me?

Remove.jpg
 
Well. You can't uninstall it the regular way from the control panel. Instead you need to press "change", then uninstall from there. However, that does not work in safe mode.
I tried what you showed me above, but the AMD drivers are still in the list of installed programs. I'll try and reboot to see what happens.
 
All right. I believe the AMD drivers are sorted now. No installation failures this time.

What's your next order of business?
 
If the AMD drivers are sorted in addition to my suggestions, we are set for now and now is just a waiting game.

Regards,

Patrick
 
Great :) I shall be vigilant.

Then I want to say thank you for the time, help and support. You guys are superstars.
Also, just for safety, if we don't meet again this year you get an early happy holidays/merry Christmas!
 