BSOD caused by ntkrnlmp.exe

  • Question

  • Hello, 

    One of our clients has an annoying problem with BSODs almost daily caused by ntkrnlmp.exe and I couldn't manage to find what REALLY was the cause. Symbols were properly configured and still no clear info. If someone can have a look over the Minidumps and/or Memory.DMP, here are both:

    https://onedrive.live.com/?cid=E0FCDAC93086F976&id=E0FCDAC93086F976%21123

    Thank you,

    Cozmin

    Wednesday, January 28, 2015 8:37 AM

Answers

  • Cozmin.

    Your problem is being caused by conflicts between Aladdin Security modules, McAfee and Sentinel64.sys, a Rainbow Tech/SafeNet USB Security Device.

    Having that many security related programs or devices is not recommended and is likely causing huge conflicts and leaving your system less secure than it ordinarily would be, with just one Antivirus product installed.

    Please uninstall Aladdin security manually if necessary, and run the McAfee Uninstall tool, linked below.

    How to uninstall or reinstall supported McAfee products using the Consumer Products Removal tool (MCPR).

    http://service.mcafee.com/FAQDocument.aspx?id=TS101331

    Download the MCPR tool from: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe and save it to a folder on your computer.

    Uninstall Sentinel64.sys

    Image path: \SystemRoot\System32\Drivers\Sentinel64.sys
        Image name: Sentinel64.sys
        Timestamp:        Mon Jun 02 02:14:55 2008 (48438FDF)

    Note: If you cannot find it, download "autoruns" and use it to locate and disable the driver, after making certain that all Microsoft entries have been hidden, to eliminate the possibility of a mistake (instructions in the YouTube video link below).

    Autoruns for Windows v12.03


    This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.
    Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system.


    http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

    How to use Autoruns.
    https://www.youtube.com/watch?v=HhtSDsQYi28

    When you have finished the steps above, I would suggest that you download, install, update and run a complete scan with Microsoft Security Essentials.

    Microsoft Security Essentials.

    http://windows.microsoft.com/en-US/windows/security-essentials-download

    You should also update if you can, or uninstall if you can't, the following drivers.

    dfmirage.sys Fri Jan 11 16:04:26 2008 (4787D9DA): http://sysnative.com/drivers/driver.php?id=dfmirage.sys

    e1k62x64.sys Tue Apr 06 03:37:39 2010 (4BBAE4C3): http://sysnative.com/drivers/driver.php?id=e1k62x64.sys

     

    ctxusbm.sys Mon Sep 07 14:09:28 2009 : http://sysnative.com/drivers/driver.php?id=ctxusbm.sys

    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff800030a5aae, Address of the instruction which caused the bugcheck
    Arg3: fffff8800864c790, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+26
    fffff800`030a5aae f00fba3100      lock btr dword ptr [rcx],0
    
    CONTEXT:  fffff8800864c790 -- (.cxr 0xfffff8800864c790)
    rax=fffffa80082d63c0 rbx=0000000000000000 rcx=0000000000000000
    rdx=fffffa80082d63c0 rsi=00000000ffffffff rdi=fffffa80082d63c0
    rip=fffff800030a5aae rsp=fffff8800864d170 rbp=0000000000000001
     r8=0000000000000000  r9=fffff96000365ab8 r10=000000000002fcc7
    r11=fffff8800864d1c0 r12=0000000000000000 r13=0000000000000001
    r14=0000000000000000 r15=fffff900caf4dd30
    iopl=0         nv up ei ng nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
    nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+0x26:
    fffff800`030a5aae f00fba3100      lock btr dword ptr [rcx],0 ds:002b:00000000`00000000=????????
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    BUGCHECK_STR:  0x3B
    
    PROCESS_NAME:  csrss.exe
    
    CURRENT_IRQL:  0
    
    LAST_CONTROL_TRANSFER:  from 0000000000000000 to fffff800030a5aae
    
    STACK_TEXT:  
    fffff880`0864d170 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+0x26
    
    
    FOLLOWUP_IP: 
    nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+26
    fffff800`030a5aae f00fba3100      lock btr dword ptr [rcx],0
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+26
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrnlmp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7951a
    
    STACK_COMMAND:  .cxr 0xfffff8800864c790 ; kb
    
    FAILURE_BUCKET_ID:  X64_0x3B_nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+26
    
    BUCKET_ID:  X64_0x3B_nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+26
    
    Followup: MachineOwner



    • Proposed as answer by ZigZag3143x Friday, January 30, 2015 8:04 PM
    • Edited by XP ROCKS Saturday, January 31, 2015 12:18 AM
    • Marked as answer by Cloud_TS Friday, February 6, 2015 5:36 AM
    Friday, January 30, 2015 7:43 PM

All replies

  • Your link doesn't work. Try again. See how to locate, zip, upload and share files, below.

    Blue Screen of Death (BSOD) Created by ZigZag3143 (MS - MVP)
    http://answers.microsoft.com/en-us/windows/wiki/windows_other-system/blue-screen-of-death-bsod/1939df35-283f-4830-a4dd-e95ee5d8669d

    Wednesday, January 28, 2015 4:55 PM
  • Hi Cozmin V,

    This is excessive paged pool usage; this error may occur due to a user-mode graphics driver crossing over and passing bad data to the kernel code.

    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff800030a5aae, Address of the instruction which caused the bugcheck
    Arg3: fffff8800864c790, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.

    Debugging Details:
    ------------------

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    FAULTING_IP:
    nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+26
    fffff800`030a5aae f00fba3100      lock btr dword ptr [rcx],0

    CONTEXT:  fffff8800864c790 -- (.cxr 0xfffff8800864c790)
    rax=fffffa80082d63c0 rbx=0000000000000000 rcx=0000000000000000
    rdx=fffffa80082d63c0 rsi=00000000ffffffff rdi=fffffa80082d63c0
    rip=fffff800030a5aae rsp=fffff8800864d170 rbp=0000000000000001
     r8=0000000000000000  r9=fffff96000365ab8 r10=000000000002fcc7
    r11=fffff8800864d1c0 r12=0000000000000000 r13=0000000000000001
    r14=0000000000000000 r15=fffff900caf4dd30
    iopl=0         nv up ei ng nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
    nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+0x26:
    fffff800`030a5aae f00fba3100      lock btr dword ptr [rcx],0 ds:002b:00000000`00000000=????????
    Resetting default scope

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    BUGCHECK_STR:  0x3B

    PROCESS_NAME:  csrss.exe

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from fffff9600060dce0 to fffff800030a5aae

    STACK_TEXT:
    fffff880`0864d170 fffff960`0060dce0 : 00000000`00000000 000001c4`00000000 0000feed`52052bed 00001f80`00000000 : nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+0x26
    fffff880`0864d1a0 fffff960`00177748 : 00000000`00000001 fffff900`c00b7010 00000000`00000001 fffff900`caf3c370 : cdd!CddBitmapHw::Release+0xc0
    fffff880`0864d1e0 fffff960`002b86b4 : 00000000`00000000 00000000`00000000 fffff900`caf3c370 00000000`00000000 : win32k!SURFACE::bDeleteSurface+0x358
    fffff880`0864d330 fffff960`002b8757 : fffff900`c00b7010 00000000`00000001 fffff900`c00b7010 00000000`00000001 : win32k!vDynamicConvertNewSurfaceDCs+0xd8
    fffff880`0864d360 fffff960`002b8ff2 : fffff900`c00b7010 00000000`00000001 fffff900`c8e35280 fffff900`c00b7010 : win32k!bDynamicRemoveAllDriverRealizations+0x6f
    ……..

    FOLLOWUP_IP:
    cdd!CddBitmapHw::Release+c0
    fffff960`0060dce0 488b4738        mov     rax,qword ptr [rdi+38h]

    SYMBOL_STACK_INDEX:  1

    SYMBOL_NAME:  cdd!CddBitmapHw::Release+c0

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: cdd

    IMAGE_NAME:  cdd.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7c546

    STACK_COMMAND:  .cxr 0xfffff8800864c790 ; kb

    FAILURE_BUCKET_ID:  X64_0x3B_cdd!CddBitmapHw::Release+c0

    BUCKET_ID:  X64_0x3B_cdd!CddBitmapHw::Release+c0

    Followup: MachineOwner
    ---------

    1: kd> lmvm cdd
    start             end                 module name
    fffff960`00600000 fffff960`00627000   cdd        (pdb symbols)          c:\symbols\cdd.pdb\88BFB882815849F88656925A7675F2BA1\cdd.pdb
        Loaded symbol image file: cdd.dll
        Mapped memory image file: c:\symbols\cdd.dll\4CE7C54627000\cdd.dll
        Image path: \SystemRoot\System32\cdd.dll
        Image name: cdd.dll
        Timestamp:        Sat Nov 20 20:55:34 2010 (4CE7C546)
        CheckSum:         0002D4F0
        ImageSize:        00027000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

    1: kd> lmtsmn
    start             end                 module name
    fffff880`00f18000 fffff880`00f6f000   ACPI     ACPI.sys     Sat Nov 20 17:19:16 2010 (4CE79294)
    fffff880`068fd000 fffff880`0697d000   ADIHdAud ADIHdAud.sys Wed Jun 16 03:36:52 2010 (4C17D654)
    fffff880`048df000 fffff880`04968000   afd      afd.sys      Sat Nov 20 17:23:27 2010 (4CE7938F)
    fffff880`04a39000 fffff880`04a4f000   AgileVpn AgileVpn.sys Tue Jul 14 08:10:24 2009 (4A5BCCF0)
    fffff880`02ec4000 fffff880`02ed7180   aksdf    aksdf.sys    Mon Nov 21 19:09:56 2011 (4ECA3184)
    fffff880`032da000 fffff880`032fae00   aksfridge aksfridge.sys Tue Aug 07 18:34:40 2012 (5020EF40)
    fffff880`017f2000 fffff880`017fd000   amdxata  amdxata.sys  Sat Mar 20 00:18:18 2010 (4BA3A3CA)
    fffff880`01e50000 fffff880`01e65000   appid    appid.sys    Sat Nov 20 18:14:37 2010 (4CE79F8D)
    fffff880`078fb000 fffff880`07906000   asyncmac asyncmac.sys Tue Jul 14 08:10:13 2009 (4A5BCCE5)
    fffff880`013b2000 fffff880`013bb000   atapi    atapi.sys    Tue Jul 14 07:19:47 2009 (4A5BC113)
    fffff880`013bb000 fffff880`013e5000   ataport  ataport.SYS  Sat Nov 20 17:19:15 2010 (4CE79293)
    fffff960`00870000 fffff960`008d1000   ATMFD    ATMFD.DLL    Sat Nov 20 17:49:28 2010 (4CE799A8)
    fffff880`00fe0000 fffff880`00fec000   BATTC    BATTC.SYS    Tue Jul 14 07:31:01 2009 (4A5BC3B5)
    fffff880`04409000 fffff880`04410000   Beep     Beep.SYS     Tue Jul 14 08:00:13 2009 (4A5BCA8D)
    fffff880`04b76000 fffff880`04b87000   blbdrive blbdrive.sys Tue Jul 14 07:35:59 2009 (4A5BC4DF)
    fffff880`02fb1000 fffff880`02fcf000   bowser   bowser.sys   Wed Feb 23 12:55:04 2011 (4D649328)
    fffff960`00600000 fffff960`00627000   cdd      cdd.dll      Sat Nov 20 20:55:34 2010 (4CE7C546)
    …….

    Unloaded modules:
    fffff880`078b6000 fffff880`078c4000   monitor.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000E000
    fffff880`078a8000 fffff880`078b6000   monitor.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000E000
    fffff880`0789a000 fffff880`078a8000   monitor.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000E000
    fffff880`0788c000 fffff880`0789a000   monitor.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000E000
    fffff880`0787e000 fffff880`0788c000   monitor.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000E000
    ………

    By checking your DMP file, we also found it related to cdd.dll, which is the Canonical Display Driver from Microsoft; it's a system file. You could refer to this link for more information about cdd and bitmap:

    http://answers.microsoft.com/en-us/windows/forum/windows_7-system/bluescreen-error-when-alttabbing-out-of-full/267be931-70b1-482f-8164-c3cd8084def0

    We suggest you replace your graphic/display driver and keep them up to date, then check the issue again.

    Also you have a lot of outdated drivers on your system including cdd.dll. Please update these drivers for good measure.

    If you're still crashing after all of the above, enable Driver Verifier to look for further corruption:

    Driver Verifier:

    What is Driver Verifier?

    Driver Verifier is included in Windows 8, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.

    Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.

    Note: Before enabling Driver Verifier, it is recommended to create a System Restore Point.

    For more information about Driver Verifier:

    https://msdn.microsoft.com/en-us/library/windows/hardware/ff545448(v=vs.85).aspx

    Friday, January 30, 2015 9:52 AM
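
Added example, not part of the thread or any poster's code: the hex value in parentheses after each module in the `lmtsmn` listing is the image's link timestamp in Unix-epoch seconds, so a pasted module list can be triaged by age offline. The sample lines are copied from the listing quoted above; the function names and the cutoff date are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Sample input: loaded-module lines copied from the lmtsmn listing in the
# thread, plus one unloaded-module entry that has no usable timestamp.
SAMPLE = r"""
start             end                 module name
fffff880`00f18000 fffff880`00f6f000   ACPI     ACPI.sys     Sat Nov 20 17:19:16 2010 (4CE79294)

fffff880`068fd000 fffff880`0697d000   ADIHdAud ADIHdAud.sys Wed Jun 16 03:36:52 2010 (4C17D654)
fffff880`04a39000 fffff880`04a4f000   AgileVpn AgileVpn.sys Tue Jul 14 08:10:24 2009 (4A5BCCF0)
fffff880`02ec4000 fffff880`02ed7180   aksdf    aksdf.sys    Mon Nov 21 19:09:56 2011 (4ECA3184)
fffff960`00600000 fffff960`00627000   cdd      cdd.dll      Sat Nov 20 20:55:34 2010 (4CE7C546)
Unloaded modules:
fffff880`078b6000 fffff880`078c4000   monitor.sys
    Timestamp: unavailable (00000000)
"""

ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
MODULE_RE = re.compile(
    rf"^\s*{ADDR}\s+{ADDR}\s+(?P<name>\S+)\s+(?P<image>\S+)\s+"
    r"(?P<shown>\w{3} \w{3} \d{2} \d\d:\d\d:\d\d \d{4}) \((?P<stamp>[0-9A-Fa-f]{8})\)\s*$"
)


class Module(NamedTuple):
    name: str
    image: str
    linked_utc: datetime   # decoded from the hex timestamp
    shown: datetime        # date text as the debugger printed it (naive)


def parse_modules(listing: str) -> list[Module]:
    """Parse loaded-module lines; skip headers, blanks and unloaded entries."""
    modules = []
    for line in listing.splitlines():
        m = MODULE_RE.match(line)
        if not m or int(m["stamp"], 16) == 0:
            continue
        linked = datetime.fromtimestamp(int(m["stamp"], 16), tz=timezone.utc)
        shown = datetime.strptime(m["shown"], "%a %b %d %H:%M:%S %Y")
        modules.append(Module(m["name"], m["image"], linked, shown))
    return modules


def display_offsets(modules: list[Module]) -> set[timedelta]:
    """Difference between each printed date and its UTC decode."""
    return {m.shown - m.linked_utc.replace(tzinfo=None) for m in modules}


def older_than(modules: list[Module], cutoff: datetime) -> list[Module]:
    """Modules linked before the cutoff, oldest first."""
    return sorted((m for m in modules if m.linked_utc < cutoff),
                  key=lambda m: m.linked_utc)


if __name__ == "__main__":
    mods = parse_modules(SAMPLE)
    print("display offset(s):", display_offsets(mods))
    for m in older_than(mods, datetime(2010, 7, 1, tzinfo=timezone.utc)):
        print(f"{m.linked_utc:%Y-%m-%d %H:%M:%S}Z  {m.image}")
```

The printed dates in this listing all sit eight hours ahead of the UTC decode, so compare the hex values rather than the date text when two analysts' listings disagree. An old link date alone does not identify a third-party driver: inbox Microsoft modules show up too, which is why the Autoruns step above hides signed Microsoft entries first.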