locked
Blue Screen of Death w/Lenovo Thinkpad RRS feed

  • Question

  • Since early February I have started experiencing BSOD on my laptop. It will appear suddenly while I am working and even when I have left the machine alone. In all cases I am connected online.

    There are files in the Minidump folder that I can post for review. What do you think?

    Thanks for the help,

    Ellen

    Tuesday, February 17, 2015 9:28 PM

Answers

  • Ellen

    Easy.  These were related to rapportcerberus64_80120.sys is part of Rapport Trusteer.  I would remove it AND McAfee and use Microsoft Security essentials in their place

    McAffe often contributes to BSOD'S

    I would remove and replace it with Microsoft Security Essentials

    http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

    http://www.microsoft.com/security_essentials/

    Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\Ken\Desktop\Dump\021715-19921-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    WARNING: Whitespace at start of path element
    WARNING: Whitespace at end of path element
    Error: Empty Path.
    Symbol search path is: 
    SRV*e:\symbols*http://msdl.microsoft.com/download/symbols 
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 7601.18717.amd64fre.win7sp1_gdr.150113-1808
    Machine Name:
    Kernel base = 0xfffff800`03216000 PsLoadedModuleList = 0xfffff800`0345a890
    Debug session time: Tue Feb 17 15:29:01.875 2015 (UTC - 5:00)
    System Uptime: 0 days 3:17:07.248
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ................................................................
    .
    Loading User Symbols
    Loading unloaded module list
    ..................................................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1E, {ffffffffc0000005, fffff8800491e790, 1, 971}
    
    *** WARNING: Unable to verify timestamp for RapportCerberus64_80120.sys
    *** ERROR: Module load completed but symbols could not be loaded for RapportCerberus64_80120.sys
    Probably caused by : RapportCerberus64_80120.sys ( RapportCerberus64_80120+80790 )
    
    Followup: MachineOwner
    ---------
    
    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KMODE_EXCEPTION_NOT_HANDLED (1e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff8800491e790, The address that the exception occurred at
    Arg3: 0000000000000001, Parameter 0 of the exception
    Arg4: 0000000000000971, Parameter 1 of the exception
    
    Debugging Details:
    ------------------
    
    
    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800034c4100
    GetUlongFromAddress: unable to read from fffff800034c41c0
     0000000000000000 Nonpaged pool
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    FAULTING_IP: 
    RapportCerberus64_80120+80790
    fffff880`0491e790 c681d104000000  mov     byte ptr [rcx+4D1h],0
    
    BUGCHECK_STR:  0x1E_c0000005_R
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    PROCESS_NAME:  lsass.exe
    
    CURRENT_IRQL:  0
    
    ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
    
    TRAP_FRAME:  fffff88002c63220 -- (.trap 0xfffff88002c63220)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=00000000000004a0
    rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff8800491e790 rsp=fffff88002c633b8 rbp=fffffa8007d36930
     r8=0000000000000000  r9=0000000000000001 r10=0000000000000001
    r11=fffff88002c631a0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz na po nc
    RapportCerberus64_80120+0x80790:
    fffff880`0491e790 c681d104000000  mov     byte ptr [rcx+4D1h],0 ds:00000000`00000971=??
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from fffff800032d6698 to fffff8000328aec0
    
    STACK_TEXT:  
    fffff880`02c62998 fffff800`032d6698 : 00000000`0000001e ffffffff`c0000005 fffff880`0491e790 00000000`00000001 : nt!KeBugCheckEx
    fffff880`02c629a0 fffff800`0328a542 : fffff880`02c63178 00000000`00000000 fffff880`02c63220 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x487ed
    fffff880`02c63040 fffff800`032890ba : 00000000`00000001 00000000`00000971 fffff880`02c63500 00000000`00000000 : nt!KiExceptionDispatch+0xc2
    fffff880`02c63220 fffff880`0491e790 : fffff880`0493c3b6 fffff8a0`0cd4a7f0 fffff880`0495e900 00000000`00000000 : nt!KiPageFault+0x23a
    fffff880`02c633b8 fffff880`0493c3b6 : fffff8a0`0cd4a7f0 fffff880`0495e900 00000000`00000000 00000000`00000000 : RapportCerberus64_80120+0x80790
    fffff880`02c633c0 fffff8a0`0cd4a7f0 : fffff880`0495e900 00000000`00000000 00000000`00000000 00000000`000004a0 : RapportCerberus64_80120+0x9e3b6
    fffff880`02c633c8 fffff880`0495e900 : 00000000`00000000 00000000`00000000 00000000`000004a0 fffff880`048fff77 : 0xfffff8a0`0cd4a7f0
    fffff880`02c633d0 00000000`00000000 : 00000000`00000000 00000000`000004a0 fffff880`048fff77 00000000`00000ff0 : RapportCerberus64_80120+0xc0900
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    RapportCerberus64_80120+80790
    fffff880`0491e790 c681d104000000  mov     byte ptr [rcx+4D1h],0
    
    SYMBOL_STACK_INDEX:  4
    
    SYMBOL_NAME:  RapportCerberus64_80120+80790
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: RapportCerberus64_80120
    
    IMAGE_NAME:  RapportCerberus64_80120.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  54981f76
    
    FAILURE_BUCKET_ID:  X64_0x1E_c0000005_R_RapportCerberus64_80120+80790
    
    BUCKET_ID:  X64_0x1E_c0000005_R_RapportCerberus64_80120+80790
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:x64_0x1e_c0000005_r_rapportcerberus64_80120+80790
    
    FAILURE_ID_HASH:  {b954211c-0101-9d0d-edda-9a4eb12297e6}
    
    Followup: MachineOwner
    ---------
    
    


    Wanikiya and Dyami--Team Zigzag

    • Proposed as answer by Karen Hu Wednesday, February 18, 2015 3:09 PM
    • Marked as answer by FangZhou Chen Saturday, February 21, 2015 1:27 AM
    Wednesday, February 18, 2015 2:38 AM

All replies

  •  We do need the actual log files (called a DMP files) as they contain the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.  


    Please follow our instructions for finding and uploading the files we need to help you fix your computer. They can be found here
    If you have any questions about the procedure please ask


    Wanikiya and Dyami--Team Zigzag

    Tuesday, February 17, 2015 11:21 PM
  • Thank you for the help. Here is the link: https:

    //onedrive.live.com/redir?resid=5558BE3CAFF01AB9!106&authkey=!AOJ-nK9Yf8EU_Tw&ithint=folder%2czip

    Ellen

    Wednesday, February 18, 2015 2:10 AM
  • Ellen

    Easy.  These were related to rapportcerberus64_80120.sys is part of Rapport Trusteer.  I would remove it AND McAfee and use Microsoft Security essentials in their place

    McAffe often contributes to BSOD'S

    I would remove and replace it with Microsoft Security Essentials

    http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

    http://www.microsoft.com/security_essentials/

    Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\Ken\Desktop\Dump\021715-19921-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    WARNING: Whitespace at start of path element
    WARNING: Whitespace at end of path element
    Error: Empty Path.
    Symbol search path is: 
    SRV*e:\symbols*http://msdl.microsoft.com/download/symbols 
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS Personal
    Built by: 7601.18717.amd64fre.win7sp1_gdr.150113-1808
    Machine Name:
    Kernel base = 0xfffff800`03216000 PsLoadedModuleList = 0xfffff800`0345a890
    Debug session time: Tue Feb 17 15:29:01.875 2015 (UTC - 5:00)
    System Uptime: 0 days 3:17:07.248
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ................................................................
    .
    Loading User Symbols
    Loading unloaded module list
    ..................................................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 1E, {ffffffffc0000005, fffff8800491e790, 1, 971}
    
    *** WARNING: Unable to verify timestamp for RapportCerberus64_80120.sys
    *** ERROR: Module load completed but symbols could not be loaded for RapportCerberus64_80120.sys
    Probably caused by : RapportCerberus64_80120.sys ( RapportCerberus64_80120+80790 )
    
    Followup: MachineOwner
    ---------
    
    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KMODE_EXCEPTION_NOT_HANDLED (1e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff8800491e790, The address that the exception occurred at
    Arg3: 0000000000000001, Parameter 0 of the exception
    Arg4: 0000000000000971, Parameter 1 of the exception
    
    Debugging Details:
    ------------------
    
    
    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800034c4100
    GetUlongFromAddress: unable to read from fffff800034c41c0
     0000000000000000 Nonpaged pool
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    FAULTING_IP: 
    RapportCerberus64_80120+80790
    fffff880`0491e790 c681d104000000  mov     byte ptr [rcx+4D1h],0
    
    BUGCHECK_STR:  0x1E_c0000005_R
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    PROCESS_NAME:  lsass.exe
    
    CURRENT_IRQL:  0
    
    ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
    
    TRAP_FRAME:  fffff88002c63220 -- (.trap 0xfffff88002c63220)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=00000000000004a0
    rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff8800491e790 rsp=fffff88002c633b8 rbp=fffffa8007d36930
     r8=0000000000000000  r9=0000000000000001 r10=0000000000000001
    r11=fffff88002c631a0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz na po nc
    RapportCerberus64_80120+0x80790:
    fffff880`0491e790 c681d104000000  mov     byte ptr [rcx+4D1h],0 ds:00000000`00000971=??
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from fffff800032d6698 to fffff8000328aec0
    
    STACK_TEXT:  
    fffff880`02c62998 fffff800`032d6698 : 00000000`0000001e ffffffff`c0000005 fffff880`0491e790 00000000`00000001 : nt!KeBugCheckEx
    fffff880`02c629a0 fffff800`0328a542 : fffff880`02c63178 00000000`00000000 fffff880`02c63220 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x487ed
    fffff880`02c63040 fffff800`032890ba : 00000000`00000001 00000000`00000971 fffff880`02c63500 00000000`00000000 : nt!KiExceptionDispatch+0xc2
    fffff880`02c63220 fffff880`0491e790 : fffff880`0493c3b6 fffff8a0`0cd4a7f0 fffff880`0495e900 00000000`00000000 : nt!KiPageFault+0x23a
    fffff880`02c633b8 fffff880`0493c3b6 : fffff8a0`0cd4a7f0 fffff880`0495e900 00000000`00000000 00000000`00000000 : RapportCerberus64_80120+0x80790
    fffff880`02c633c0 fffff8a0`0cd4a7f0 : fffff880`0495e900 00000000`00000000 00000000`00000000 00000000`000004a0 : RapportCerberus64_80120+0x9e3b6
    fffff880`02c633c8 fffff880`0495e900 : 00000000`00000000 00000000`00000000 00000000`000004a0 fffff880`048fff77 : 0xfffff8a0`0cd4a7f0
    fffff880`02c633d0 00000000`00000000 : 00000000`00000000 00000000`000004a0 fffff880`048fff77 00000000`00000ff0 : RapportCerberus64_80120+0xc0900
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    RapportCerberus64_80120+80790
    fffff880`0491e790 c681d104000000  mov     byte ptr [rcx+4D1h],0
    
    SYMBOL_STACK_INDEX:  4
    
    SYMBOL_NAME:  RapportCerberus64_80120+80790
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: RapportCerberus64_80120
    
    IMAGE_NAME:  RapportCerberus64_80120.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  54981f76
    
    FAILURE_BUCKET_ID:  X64_0x1E_c0000005_R_RapportCerberus64_80120+80790
    
    BUCKET_ID:  X64_0x1E_c0000005_R_RapportCerberus64_80120+80790
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:x64_0x1e_c0000005_r_rapportcerberus64_80120+80790
    
    FAILURE_ID_HASH:  {b954211c-0101-9d0d-edda-9a4eb12297e6}
    
    Followup: MachineOwner
    ---------
    
    


    Wanikiya and Dyami--Team Zigzag

    • Proposed as answer by Karen Hu Wednesday, February 18, 2015 3:09 PM
    • Marked as answer by FangZhou Chen Saturday, February 21, 2015 1:27 AM
    Wednesday, February 18, 2015 2:38 AM
  • I deactivated McAfee and used Microsoft security and that seemed to help because it isn't shutting down anymore.  Thank you!


    Ellen

    Saturday, February 21, 2015 1:31 AM
  • ellen

    Thanks for letting us know & good luck


    Wanikiya and Dyami--Team Zigzag

    Saturday, February 21, 2015 2:50 AM