[SOLVED] Windows 7 BSOD Help Please

Code:
0: kd> !verifier -f

Verify Level 92b ... enabled options are:
    Special pool
    Special irql
    All pool allocations checked on unload
    Deadlock detection enabled
    Security checks enabled
    Miscellaneous checks enabled

Summary of All Verifier Statistics

RaiseIrqls                             0x0
AcquireSpinLocks                       0x53f4e
Synch Executions                       0x6379
Trims                                  0x24eb4

Pool Allocations Attempted             0x2c897
Pool Allocations Succeeded             0x2c897
Pool Allocations Succeeded SpecialPool 0x2c897
Pool Allocations With NO TAG           0x0
Pool Allocations Failed                0x0
Resource Allocations Failed Deliberately   0x0

Current paged pool allocations         0x6b for 00313030 bytes
Peak paged pool allocations            0x7c for 003147D0 bytes
Current nonpaged pool allocations      0x2b8c for 005D6B2C bytes
Peak nonpaged pool allocations         0x2f39 for 006157DC bytes

GetPointerFromAddress: unable to read from fffff80003102100
Unable to read verifier list at fffff80003078e90.

Verifier appears to still be enabled, however, it's now failing to detect a driver. With this said, possible hardware fault at this point. Given Memtest has run overnight with no errors, RAM may be okay. Before beginning diagnostics though, please do the following:

1. wdcsam64.sys is listed and loaded which is the Western Digital SES (SCSI Enclosure Services) driver. Please remove this software ASAP as it's troublesome and is also not necessary to the functionality of your system.

2. Uninstall Logitech QuickCam Pro 3000 (and/or any other Logitech Software) and remove the device itself. The device drivers are too old.

Regards,

Patrick
 
Patrick,

Have removed wdcsam64.sys and unplugged the camera, didn't have any specific software for it. The only Logitech software is for the keyboard and mouse and I sort of need those.

Given all the crashes I have run a SFC scannow and no errors were reported. I have also turned off Driver Verifier. Will now attempt to perform a file copy action that has in the past been in operation when a crash occurred.

It is looking more and more like hardware, but I can't see what. The Mobo isn't that old. The processor is however fairly ancient with the RAM being of the same vintage. Graphics card and power supply are fairly new.

Tony
 
Great, let me know how everything goes since performing the recommended steps.

Regards,

Patrick
 
Patrick,

I am now getting crashes without the benefit of a dump at all. Every time I try copying through the USB3 ports to the NAS, it crashes. I have rolled back the Realtek LAN driver but no change. I have tried using different USB3 Drives but no change.

Do you know of a Realtek diagnostic or stress test tool? Also, I suppose I should try and check the Renesas drivers as well.

Tony
 
Check the Renesas drivers, yes. Also, have you tried (if possible) copying from USB 2 > NAS and seeing if a crash occurs? I know it'll be dreadfully slow, but just for testing purposes.

Regards,

Patrick
 
Patrick,

Since last update, I have had a succession of crashes, some with and without dumps. Those I have are attached. The Renesas drivers were very old and have been updated, but I had a crash after they were updated. The copy processes seemed to work OK from USB 2. I'm not sure if that has any bearing as there have been other BSOD's since, or maybe I am fixing issues and others are appearing.

Any clues on diagnostics I will take. I am proposing to take all the RAM out and shuffle. I know this seems irrelevant given the MEMTEST results, but I can't think of anything else.

Cheers,

Tony
 

MEMORY_MANAGEMENT (1a)

This indicates that a severe memory management error occurred.

BugCheck 1A, {41284, 43947001, 2360, fffff70001080000}

- The 1st parameter of the bug check is 41284 which indicates a PTE or the working set list is corrupted.

The best advice I can give currently is to (if possible) go as long as you can transferring from USB 2.0 > NAS. As you said, it yielded positive results, and I'd like to see if over time there are no crashes.

Regards,

Patrick
 
Patrick,

I think I have to accept that I have a fundamental hardware issue. I swapped the RAM around and the "crash rate" hasn't changed. So now it's looking like something with the mobo, or cpu.

Thanks for all your help. The latest crash, a bad_pool_header with an error code that didn't dump caused Windows to go into system repair. Fortunately it did repair and restarted.

I am happy for this thread to be closed unless you can offer any more wisdom on what to do next.
 
I don't close threads or stop helping a user unless they want me to, disappear, or the issue is solved. With that said, unless either of those occurs, I'm here until the end.

Now, when you used USB 2.0 > NAS transferring, I presume the crashes were still occurring?

Regards,

Patrick
 
Patrick,

Thanks. There wasn't a crash while using USB 2.0. The crashes are only occurring when the PC is under load of some sort. The most recent were while using Calibre to add ebooks from one library to another. Calibre is updated to current version. There have been other crashes while browsing with Chrome. This was while on YouTube viewing a clip. Also while using IE using a Citrix client on a remote desktop.

The only pattern I can see is load. No issues with any of these software before the crashes started.

Tony
 
Understood, thanks for the information. I wanted to be sure that these crashes were occurring in instances other than when transferring from USB 3.0 > NAS. If that is indeed the case, can you please do two things:

1. Enable Driver Verifier:

Driver Verifier:

What is Driver Verifier?

Driver Verifier is included in Windows 8/8.1, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.

Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - Restore Point - Create in Windows 8

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8)
- DDI compliance checking (Windows 8)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

They will be located in %systemroot%\Minidump

Any other questions can most likely be answered by this article:
Using Driver Verifier to identify issues with Windows drivers for advanced users

2. When the system crashes after doing #1, please upload a kernel-dump to Onedrive, and then paste the link to it here.

Kernel-dumps are located at C:\Windows and named MEMORY.DMP. If there is nothing there, you may need to enable generation of them - Creating a Kernel-Mode Dump File (Windows Debuggers)

Regards,

Patrick
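
The "Verify Level 92b" line in the !verifier output earlier in this thread is a bitmask of the same options ticked in the checklist above. The following is an added example (not part of the original posts) that decodes the mask and checks it against the requested options; the bit table holds the classic `verifier /flags` values plus DDI compliance and is not exhaustive, and the sample text is copied from the thread's dump header.

```python
import re

# Driver Verifier option bits, as documented for the "verifier /flags" mask.
VERIFIER_BITS = {
    0x00001: "Special Pool",
    0x00002: "Force IRQL Checking",
    0x00004: "Low Resources Simulation",
    0x00008: "Pool Tracking",
    0x00010: "I/O Verification",
    0x00020: "Deadlock Detection",
    0x00040: "Enhanced I/O Verification",
    0x00080: "DMA Verification",
    0x00100: "Security Checks",
    0x00200: "Force Pending I/O Requests",
    0x00400: "IRP Logging",
    0x00800: "Miscellaneous Checks",
    0x20000: "DDI compliance checking",
}
NAME_TO_BIT = {name.lower(): bit for bit, name in VERIFIER_BITS.items()}

# Windows 7 boxes from the checklist in this thread.
REQUESTED_WIN7 = ["Special Pool", "Pool Tracking", "Force IRQL Checking",
                  "Deadlock Detection", "Security Checks", "Miscellaneous Checks"]

# Constructed sample: header of the !verifier output posted in this thread.
SAMPLE = """\
Verify Level 92b ... enabled options are:
    Special pool
    Special irql
    All pool allocations checked on unload
    Deadlock detection enabled
    Security checks enabled
    Miscellaneous checks enabled
"""

def parse_verify_level(text):
    """Return the hex mask printed after 'Verify Level'."""
    m = re.search(r"Verify Level\s+([0-9a-fA-F]+)", text)
    if m is None:
        raise ValueError("no 'Verify Level' line found")
    return int(m.group(1), 16)

def listed_options(text):
    """Indented option lines the debugger printed under the header."""
    m = re.search(r"enabled options are:\n((?:[ \t]+\S.*\n)*)", text)
    return [line.strip() for line in m.group(1).splitlines()] if m else []

def decode(mask):
    """Split a mask into known option names and any leftover unknown bits."""
    names = [name for bit, name in sorted(VERIFIER_BITS.items()) if mask & bit]
    known = sum(bit for bit in VERIFIER_BITS if mask & bit)
    return names, mask & ~known

def encode(names):
    """Build the mask for a list of option names (KeyError on a typo)."""
    return sum({NAME_TO_BIT[name.lower()] for name in names})

def audit(text, requested):
    """Compare what the dump says is active with what was requested."""
    mask = parse_verify_level(text)
    want = encode(requested)
    return {
        "mask": mask,
        "unknown_bits": decode(mask)[1],
        "missing": decode(want & ~mask)[0],
        "unexpected": decode(mask & ~want)[0],
        "count_matches": len(listed_options(text)) == bin(mask).count("1"),
    }
```

An empty "missing" list means every requested check was active when the dump was taken, so a crash that does not name a driver is not explained by a skipped option.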
 
Patrick,

Firstly to help with defining what is happening, I will refer to events where the computer just suddenly restarts with no dumps as a crash, and a restart with dumps as a BSOD.

Since last post, the verifier has been turned back on. There have been 2 crashes, one complete system freeze (where absolutely everything stopped including the reset button on the box) and one BSOD. The link to the Memory dump is below for the BSOD.

https://onedrive.live.com/redir?resid=EEECE53EFC34615D!2988

At the time I was doing a CHKDSK /R on the 2tb data drive to check that there has been no damage from all the crashes et al. There were by the way when it finally finished. This was the only activity during these events.

Cheers,

Tony
 
Thanks for the kernel-dump, Tony!

IRQL_NOT_LESS_OR_EQUAL (a) bug check.

This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This bug check is issued if paged memory (or invalid memory) is accessed when the IRQL is too high. The error that generates this bug check usually occurs after the installation of a faulty device driver, system service, or BIOS.



At this point, we have two likely possibilities:

1. Faulty video card.

2. Driver causing corruption.

Regarding #2, I dumped the verifier logs (thanks for enabling), and after a bit of searching, found this:

Code:
Thread fffffa8006c1d8d0
fffff8000336b1f2 nt!VerifierKeEnterCriticalRegion+0x92
fffff8800f162e5d nvlddmkm+0x100e5d
fffff80003215157 nt! ?? ::NNGAKEGL::`string'+0x284cd
fffff800031bd2be nt!PspCreateThread+0x246
fffff800031c1569 nt!NtCreateThreadEx+0x25d
fffff80002ed0e53 nt!KiSystemServiceCopyEnd+0x13

^^ nvlddmkm.sys (nVidia video driver) calls into nt!VerifierKeEnterCriticalRegion.

What I can only assume happened here was nvlddmkm.sys disabled APCs by calling the KeEnterCriticalRegion function. With this said, nvlddmkm.sys needed to perform a critical operation, disabled APCs, and did not say afterwards "Hey, I am all done", so the original APC count was never set back to its original value. When this happens, the bugcheck is called.

Ensure you have the latest video card drivers. If you are already on the latest video card drivers, uninstall and install a version or a few versions behind the latest to ensure it's not a latest driver only issue. If you have already experimented with the latest video card driver and many previous versions, please give the beta driver for your card a try.



If the above fails, I'd recommend uninstalling your video card drivers, shutting down, removing your video card, and either using integrated graphics or a secondary video card if available for troubleshooting purposes.

Regards,

Patrick
 
Patrick,

I have wound back the driver to an earlier version, after the dump at the link below was produced. I have had two more crashes post this with no more dumps. I will try a yet older driver before trying the uninstall of the gpu. I don't have another gpu to try with so if this dump confirms a video issue I will buy a new one as it wasn't that expensive as I recall and it would be good to have another backup card anyway.

https://onedrive.live.com/redir?resid=EEECE53EFC34615D!2989

Cheers,

Tony
 
Hmm... not what I expected, I'll tell you that much.

ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)


This is issued if a driver attempts to write to a read-only memory segment.

Code:
3: kd> k
Child-SP          RetAddr           Call Site
fffff880`031b5be8 fffff800`02ef37c6 nt!KeBugCheckEx
fffff880`031b5bf0 fffff800`02e73cee nt! ?? ::FNODOBFM::`string'+0x44cde
fffff880`031b5d50 fffff880`012fcd0e nt!KiPageFault+0x16e
fffff880`031b5ee0 fffff880`01303be5 Ntfs!LfsWriteLogRecordIntoLogPage+0x1ee <--- As the LFS data is being written to the LFS log, we call into a pagefault.
fffff880`031b5f80 fffff880`012ff536 Ntfs!LfsWrite+0x145 <--- Writing to the LFS.
fffff880`031b6040 fffff880`013002ef Ntfs!NtfsWriteLog+0x466 <--- Preparing to call the LFS.
fffff880`031b6290 fffff880`013013ad Ntfs!NtfsChangeAttributeValue+0x34f <--- Changing some sort of value, which NTFS works a lot with. Unsure of what an attribute value is, though.
fffff880`031b6480 fffff880`012cea70 Ntfs!NtfsUpdateStandardInformation+0x26b <--- Looks like we have some sort of update to information.
fffff880`031b6590 fffff880`012cf41d Ntfs!NtfsCommonFlushBuffers+0x1f0 <--- Again.
fffff880`031b6670 fffff800`0331ed26 Ntfs!NtfsFsdFlushBuffers+0x10d <--- File System Driver Creation (FSD) buffer flush.
fffff880`031b66e0 fffff880`01041bcf nt!IovCallDriver+0x566
fffff880`031b6740 fffff880`010406df fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`031b67d0 fffff800`0331ed26 fltmgr!FltpDispatch+0xcf
fffff880`031b6830 fffff800`0317f17b nt!IovCallDriver+0x566
fffff880`031b6890 fffff800`03113ea1 nt!IopSynchronousServiceTail+0xfb
fffff880`031b6900 fffff800`02e74e53 nt!NtFlushBuffersFile+0x171
fffff880`031b6990 fffff800`02e71410 nt!KiSystemServiceCopyEnd+0x13
fffff880`031b6b28 fffff800`03114c5f nt!KiServiceLinkage
fffff880`031b6b30 fffff800`03114a20 nt!CmpFileFlush+0x3f
fffff880`031b6b70 fffff800`03114caa nt!HvWriteDirtyDataToHive+0xe0
fffff880`031b6be0 fffff800`03105bbf nt!HvOptimizedSyncHive+0x32
fffff880`031b6c10 fffff800`03105d25 nt!CmpDoFlushNextHive+0x197
fffff880`031b6c70 fffff800`02e7f261 nt!CmpLazyFlushWorker+0xa5
fffff880`031b6cb0 fffff800`031122ea nt!ExpWorkerThread+0x111
fffff880`031b6d40 fffff800`02e668e6 nt!PspSystemThreadStartup+0x5a
fffff880`031b6d80 00000000`00000000 nt!KxStartSystemThread+0x16

Right, so to expand on what I have outlined above, the LFS (Log File Service) was designed primarily to provide logging and recovery services for the NTFS. NTFS calls the LFS to read and write the restart area, using it to store context information, such as the location in the logging area from which the NTFS will begin reading from during a recovery from a system failure.

Bug check (BE) as I noted above indicates that there was an attempt to write to readonly memory. The attempt to write to readonly memory was this call right here - Ntfs!LfsWriteLogRecordIntoLogPage+0x1ee. So, why did Ntfs.sys (kernel mode routine part of the file system) make an attempt to access readonly memory, causing a pagefault to occur? Generally, in almost all cases, you will not see a system driver and/or non-3rd party driver accessing invalid, readonly, etc, memory.



With this said, please run Chkdsk (paste log afterwards) + Seatools:

Chkdsk:
There are various ways to run Chkdsk~


Method 1:

Start > Search bar > Type cmd (right click run as admin to execute Elevated CMD)

Elevated CMD should now be opened, type the following:

chkdsk x: /r

x implies your drive letter, so if your hard drive in question is letter c, it would be:

chkdsk c: /r

Restart system and let chkdsk run.

Method 2:


Open the "Computer" window
Right-click on the drive in question
Select the "Tools" tab
In the Error-checking area, click <Check Now>.

If you'd like to get a log file that contains the chkdsk results, do the following:

Press Windows Key + R and type powershell.exe in the run box

Paste the following command and press enter afterwards:

get-winevent -FilterHashTable @{logname="Application"; id="1001"}| ?{$_.providername -match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt

This will output a .txt file on your Desktop containing the results of the chkdsk.

If chkdsk turns out okay, run Seatools -

SeaTools | Seagate

You can run it via Windows or DOS. Do note that the only difference is simply the environment you're running it in. In Windows, if you are having what you believe to be device driver related issues that may cause conflicts or false positive, it may be a wise decision to choose the most minimal testing environment (DOS).

Run all tests EXCEPT: Fix All and anything Advanced.

Regards,

Patrick
 
Patrick,

There were errors in this run of CHKDSK. None in the previous run a couple of days ago. The details of the last two runs follow.

TimeCreated : 23/04/2014 9:57:50 AM
Message :

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 5)...
1168384 file records processed.
File verification completed.
677 large file records processed.
0 bad file records processed.
0 EA records processed.
44 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
2469652 index entries processed.
Index verification completed.
0 unindexed files scanned.
0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 5)...
1168384 file SDs/SIDs processed.
Cleaning up 64 unused index entries from index $SII of file 0x9.
Cleaning up 64 unused index entries from index $SDH of file 0x9.
Cleaning up 64 unused security descriptors.
CHKDSK is compacting the security descriptor stream
650635 data files processed.
CHKDSK is verifying Usn Journal...
34586904 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
1168368 files processed.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
75681452 free clusters processed.
Free space verification is complete.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

488280235 KB total disk space.
183877048 KB in 507557 files.
392748 KB in 650638 indexes.
0 KB in bad sectors.
1284631 KB in use by the system.
65536 KB occupied by the log file.
302725808 KB available on disk.

4096 bytes in each allocation unit.
122070058 total allocation units on disk.
75681452 allocation units available on disk.

Internal Info:
00 d4 11 00 3d ac 11 00 5d 8b 1e 00 00 00 00 00 ....=...].......
b0 03 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 ....,...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.



TimeCreated : 20/04/2014 9:45:54 PM
Message :

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 5)...
1168384 file records processed.
File verification completed.
676 large file records processed.
0 bad file records processed.
0 EA records processed.
44 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
2469436 index entries processed.
Index verification completed.
0 unindexed files scanned.
0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 5)...
1168384 file SDs/SIDs processed.
Cleaning up 564 unused index entries from index $SII of file 0x9.
Cleaning up 564 unused index entries from index $SDH of file 0x9.
Cleaning up 564 unused security descriptors.
Security descriptor verification completed.
650527 data files processed.
CHKDSK is verifying Usn Journal...
36178488 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
1168368 files processed.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
76039063 free clusters processed.
Free space verification is complete.
Windows has checked the file system and found no problems.

488280235 KB total disk space.
182440604 KB in 507349 files.
392596 KB in 650528 indexes.
0 KB in bad sectors.
1290779 KB in use by the system.
65536 KB occupied by the log file.
304156256 KB available on disk.

4096 bytes in each allocation unit.
122070058 total allocation units on disk.
76039064 allocation units available on disk.

Internal Info:
00 d4 11 00 01 ab 11 00 82 88 1e 00 00 00 00 00 ................
a4 03 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 ....,...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

I will run SEATOOLS as you describe and advise.

Cheers,

Tony
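
For comparing CHKDSK runs exported with the Get-WinEvent command above, here is an added example (not part of the original posts) that splits the export into runs and flags any run where CHKDSK repaired something or reported bad sectors. The sample input is constructed by abbreviating the two runs posted in this thread; the function names are illustrative.

```python
import re

# Constructed sample: abbreviated from the two CHKDSK runs posted above, in the
# "fl timecreated, message" layout that the Get-WinEvent command writes.
SAMPLE = """\
TimeCreated : 23/04/2014 9:57:50 AM
Message :

Checking file system on C:
Cleaning up 64 unused index entries from index $SII of file 0x9.
75681452 free clusters processed.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
0 KB in bad sectors.

TimeCreated : 20/04/2014 9:45:54 PM
Message :

Checking file system on C:
Cleaning up 564 unused index entries from index $SII of file 0x9.
76039063 free clusters processed.
Windows has checked the file system and found no problems.
0 KB in bad sectors.
"""

def split_runs(text):
    """Return [(timestamp, body), ...], one pair per TimeCreated record."""
    parts = re.split(r"^TimeCreated[ \t]*:[ \t]*(.+)$", text, flags=re.M)
    # re.split with one group yields [prefix, ts1, body1, ts2, body2, ...]
    return list(zip(parts[1::2], parts[2::2]))

def summarize(timestamp, body):
    """Pull the verdict and repair lines out of one CHKDSK run."""
    drive = re.search(r"Checking file system on (\S+)", body)
    bad = re.search(r"^[ \t]*(\d+) KB in bad sectors", body, flags=re.M)
    repairs = re.findall(r"^[ \t]*(Correcting errors in [^\n]+?)\.?[ \t]*$",
                         body, flags=re.M)
    run = {
        "time": timestamp.strip(),
        "drive": drive.group(1) if drive else None,
        "repairs": repairs,
        "corrected": "made corrections to the file system" in body,
        "clean": "found no problems" in body,
        "bad_sector_kb": int(bad.group(1)) if bad else None,
    }
    # "Cleaning up ... unused index entries" appears in both runs, including the
    # one CHKDSK calls clean, so it is not counted as a finding here.
    run["needs_attention"] = bool(repairs or run["corrected"] or run["bad_sector_kb"])
    return run

def triage(text):
    """Summaries for every run in the export, in the order exported."""
    return [summarize(ts, body) for ts, body in split_runs(text)]

if __name__ == "__main__":
    for run in triage(SAMPLE):
        status = "CHECK" if run["needs_attention"] else "ok"
        print(status, run["time"], run["drive"], run["repairs"])
```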
 
Patrick,

No errors reported by Seatools. Two crashes today when reading data from the NAS through the NIC. I will get a new graphics card tomorrow and advise.

Cheers,

Tony
 
Patrick,

Disappointingly the new graphics card made no difference. Following the install I tried using Simplicity to read the NAS to compare music files for duplicates. I have been using this as a canary in the mine as it uses a fair amount of processor, memory and the NIC. Every run resulted in a crash. No logs, dumps or anything else to go on.

It looks like something fundamental. Mobo, Processor or RAM. Do you agree?

Tony
 