BSOD fvevol.sys.

  • Question

  • Hi.

    At my company we're at the moment deploying Win7 on Fujitsu S792 Laptop computers. Several of these clients have experienced BSOD.

    It seems like fvevol.sys is causing the problem. Any hints on this based on the attached dump?

    Microsoft (R) Windows Debugger Version 6.2.9200.16384 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [E:\021213-14445-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.17944.amd64fre.win7sp1_gdr.120830-0333
    Machine Name:
    Kernel base = 0xfffff800`02813000 PsLoadedModuleList = 0xfffff800`02a57670
    Debug session time: Tue Feb 12 08:19:58.284 2013 (UTC + 1:00)
    System Uptime: 0 days 16:19:57.501
    Loading Kernel Symbols
    Loading User Symbols
    Loading unloaded module list
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *

    Use !analyze -v to get detailed debugging information.

    BugCheck D1, {2c, 2, 0, fffff880018b141f}

    Probably caused by : fvevol.sys ( fvevol!InitializeNextSubrequest+13f )

    Followup: MachineOwner

    2: kd> !analyze
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *

    Use !analyze -v to get detailed debugging information.

    BugCheck D1, {2c, 2, 0, fffff880018b141f}

    Probably caused by : fvevol.sys ( fvevol!InitializeNextSubrequest+13f )

    Followup: MachineOwner

    2: kd> !analyze -v
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *

    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arg1: 000000000000002c, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg4: fffff880018b141f, address which referenced memory

    Debugging Details:

    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ac1100
    GetUlongFromAddress: unable to read from fffff80002ac11c0
     000000000000002c Nonpaged pool


    fffff880`018b141f 448b402c        mov     r8d,dword ptr [rax+2Ch]




    PROCESS_NAME:  System

    TRAP_FRAME:  fffff880091509e0 -- (.trap 0xfffff880091509e0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=000000045f0c3000
    rdx=fffffa8007eef010 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff880018b141f rsp=fffff88009150b70 rbp=fffffa80075fdb90
     r8=0000000000002000  r9=0000000000000200 r10=00000000c0000095
    r11=00000000ffffffff r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl zr na po nc
    fffff880`018b141f 448b402c        mov     r8d,dword ptr [rax+2Ch] ds:00000000`0000002c=????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff80002891569 to fffff80002891fc0

    fffff880`09150898 fffff800`02891569 : 00000000`0000000a 00000000`0000002c 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
    fffff880`091508a0 fffff800`028901e0 : 00000000`ffffff7f fffff800`02a04e80 00000000`00000000 00000000`00002000 : nt!KiBugCheckDispatch+0x69
    fffff880`091509e0 fffff880`018b141f : fffffa80`07eef010 00000000`00000201 fffffa80`090fdc60 fffffa80`06db2030 : nt!KiPageFault+0x260
    fffff880`09150b70 fffff880`018b14f6 : 00000000`00000200 fffffa80`06db2030 00000000`00000000 00000000`00000000 : fvevol!InitializeNextSubrequest+0x13f
    fffff880`09150bf0 fffff880`018b17c5 : 00000000`00000000 fffffa80`090fdc60 fffffa80`06db2010 00000000`00000000 : fvevol!InitializeNextReadSubrequest+0x1a
    fffff880`09150c20 fffff880`018b1293 : 00000000`00000000 00000000`00000200 fffffa80`090fdc60 fffffa80`090fdc60 : fvevol!ProcessResourcedReadRequest+0xb1
    fffff880`09150c60 fffff880`0188d34e : fffffa80`090fdc60 00000000`ffffffff 00000000`00000000 fffffa80`075fdb90 : fvevol!FveFilterReadWrite+0x157
    fffff880`09150cc0 fffff880`0188d53c : fffffa80`075fdb90 00000000`00000000 00000000`00000000 00000000`00000000 : fvevol!FveReadWrite+0xd6
    fffff880`09150d00 fffff880`01841031 : 00000000`00000000 00000000`00000022 00000000`00000000 00000000`00000000 : fvevol!FveFilterRundownReadWrite+0x1dc
    fffff880`09150d60 fffff880`01840405 : fffffa80`0761ed90 fffffa80`090fdc60 00000000`00000000 00000000`00000000 : rdyboost!SmdProcessReadWrite+0xbf9
    fffff880`09150ed0 fffff880`011b2df4 : fffffa80`077dc190 fffff880`035085e0 fffffa80`067d3750 00000000`00000000 : rdyboost!SmdDispatchReadWrite+0xd9
    fffff880`09150f00 fffff880`0122939a : fffff880`03508480 00000000`00000000 00000000`00000000 00000000`00000000 : volsnap! ?? ::FNODOBFM::`string'+0x57b
    fffff880`09150f30 fffff800`02889ab7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Ntfs!NtfsStorageDriverCallout+0x16
    fffff880`09150f60 fffff800`02889a78 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxSwitchKernelStackCallout+0x27
    fffff880`03508350 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSwitchKernelStackContinue


    fffff880`018b141f 448b402c        mov     r8d,dword ptr [rax+2Ch]


    SYMBOL_NAME:  fvevol!InitializeNextSubrequest+13f

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: fvevol

    IMAGE_NAME:  fvevol.sys


    FAILURE_BUCKET_ID:  X64_0xD1_fvevol!InitializeNextSubrequest+13f

    BUCKET_ID:  X64_0xD1_fvevol!InitializeNextSubrequest+13f

    Followup: MachineOwner

    2: kd> lmvm fvevol
    start             end                 module name
    fffff880`0188c000 fffff880`018c6000   fvevol     (pdb symbols)          c:\symbols\fvevol.pdb\C7C2E5CC175B47C4934398FDBD9C3AAF1\fvevol.pdb
        Loaded symbol image file: fvevol.sys
        Mapped memory image file: c:\symbols\fvevol.sys\4CE793B63a000\fvevol.sys
        Image path: \SystemRoot\System32\DRIVERS\fvevol.sys
        Image name: fvevol.sys
        Timestamp:        Sat Nov 20 10:24:06 2010 (4CE793B6)
        CheckSum:         000389BC
        ImageSize:        0003A000
        File version:     6.1.7601.17514
        Product version:  6.1.7601.17514
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        3.7 Driver
        File date:        00000000.00000000
        Translations:     0000.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     FVEVOL.SYS
        OriginalFilename: FVEVOL.SYS
        ProductVersion:   6.1.7601.17514
        FileVersion:      6.1.7601.17514 (win7sp1_rtm.101119-1850)
        FileDescription:  BitLocker Drive Encryption Driver
        LegalCopyright:   © Microsoft Corporation. All rights reserved.

    Wednesday, February 20, 2013 1:21 PM
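
Added example, not part of the original post: a Python parser for the `!analyze -v` text above that decodes the BugCheck D1 arguments and lists the drivers on the faulting call path, which makes dumps from several affected clients easy to compare. The names `triage`, `call_path` and `null_deref` are assumptions of this example; the sample input is excerpted from the dump in the question.

```python
import re

# Excerpt of the `!analyze -v` output posted above (bugcheck line + six stack frames).
DUMP_TEXT = """\
BugCheck D1, {2c, 2, 0, fffff880018b141f}
fffff880`09150898 fffff800`02891569 : 00000000`0000000a 00000000`0000002c 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`091509e0 fffff880`018b141f : fffffa80`07eef010 00000000`00000201 fffffa80`090fdc60 fffffa80`06db2030 : nt!KiPageFault+0x260
fffff880`09150b70 fffff880`018b14f6 : 00000000`00000200 fffffa80`06db2030 00000000`00000000 00000000`00000000 : fvevol!InitializeNextSubrequest+0x13f
fffff880`09150d60 fffff880`01840405 : fffffa80`0761ed90 fffffa80`090fdc60 00000000`00000000 00000000`00000000 : rdyboost!SmdProcessReadWrite+0xbf9
fffff880`09150f00 fffff880`0122939a : fffff880`03508480 00000000`00000000 00000000`00000000 00000000`00000000 : volsnap! ?? ::FNODOBFM::`string'+0x57b
fffff880`09150f30 fffff800`02889ab7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Ntfs!NtfsStorageDriverCallout+0x16
"""

BUGCHECK = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
# Frame layout: child-SP, return address, ':' four args ':' module!symbol
FRAME = re.compile(r"^\s*(?:[0-9a-f]{8}`[0-9a-f]{8}\s+){2}:.*: (\w+)!", re.M)


def triage(text):
    """Decode the bugcheck line and list the drivers on the faulting call path."""
    m = BUGCHECK.search(text)
    if m is None:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    # Modules in order of first appearance, top of stack first. 'nt' frames are
    # the kernel's own trap/bugcheck handling, so they are left out of the path.
    path = []
    for mod in FRAME.findall(text):
        if mod != "nt" and mod not in path:
            path.append(mod)
    report = {"bugcheck": code, "call_path": path}
    if code == 0xD1:  # DRIVER_IRQL_NOT_LESS_OR_EQUAL: address, IRQL, read/write, IP
        addr, irql, is_write, ip = args
        report.update(address=addr, irql=irql, ip=ip,
                      access="write" if is_write else "read",
                      # An address inside the first page typically means a NULL
                      # base pointer plus a field offset (here rax=0, [rax+2Ch]).
                      null_deref=addr < 0x1000)
    return report


if __name__ == "__main__":
    for key, value in triage(DUMP_TEXT).items():
        print(key, value)
```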


All replies

  • Barvesen

    Aside from the obvious that it is BitLocker, we would need the DMP for analysis.

    We do need the actual DMP file as it contains the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.
    You may be able to get the DMP files without crashing by booting into safe mode (F8) with networking.
    If you are overclocking, stop. (Chances are if you don't know if you are, you are not.)
    To enable us to assist you with your computer's BSOD symptoms, upload the contents of your "\Windows\Minidump" folder.

    The procedure:

    * Copy the contents of \Windows\Minidump to another (temporary) location somewhere on your machine.
    * Zip up the copy.
    * Attach the ZIP archive to your post using the "paperclip" (file attachments) button. (If available on your site; MS doesn't have this.)
    * Please upload them to a file sharing service like SkyDrive or "Rapidshare" and put a link to them in your reply.
    Link for how to upload below.

    To ensure minidumps are enabled:

    * Go to Start, in the Search Box type: sysdm.cpl, press Enter.
    * Under the Advanced tab, click on the Startup and Recovery Settings... button.
    * Ensure that Automatically restart is unchecked.
    * Under the Write Debugging Information header select Small memory dump (256 kB) in the dropdown box (the 256kb varies).
    * Ensure that the Small Dump Directory is listed as %systemroot%\Minidump.
    * OK your way out.
    * Reboot if changes have been made.

    Please also run MSinfo32 and upload the output as well.
    To run MSinfo32 please go to start>run>MSinfo32
    Go to "file" "save" and upload the saved file with the DMPS
    (Instructions for XP, Vista, Win 7, Win 8)
    Team Zigzag3143.com

    MS-MVP 2010, 2011, 2012 Team ZigZag

    Wednesday, February 20, 2013 6:12 PM
  • Hi, and thx for the reply.

    I have uploaded the dmp file and msinfo information. You can find it zipped here:


    Thursday, February 21, 2013 2:04 PM
  • Hi,

    It seems we do not have the permissions to access the dump files on your SkyDrive. Please upload it on the public folder and post the link here.

    Does the BSOD occur in safe mode as well?

    Also, check your memory stick by using the memory diagnostics tool or Memtest86.


    Tracy Cai
    TechNet Community Support

    Friday, February 22, 2013 6:54 AM
  • Hi again.

    I have not experienced BSOD in safe mode. However, the BSOD does not occur in extremely frequent patterns. But it is a problem as this is a model we are deploying to a lot of users, and several have reported cases of BSOD with the model.

    I have already checked the memory with Memtest86, with no problems reported.

    New link below to files:



    Friday, February 22, 2013 11:58 AM
  • Windows Update Error 8024402c

    Windows Update Error 8024001F

    What update / updates are failing?

    What third party drive encryption software are you using?

    Hope this helps, Gerry

    Friday, February 22, 2013 1:02 PM
  • Hi.

    There is no issue regarding updates. The problem seems to be BSOD caused by BitLocker (fvevol.sys).

    Friday, February 22, 2013 2:11 PM
  • Which comes first? The chicken or the egg?

    Please select Start, All Programs, Windows Update, View Update History, double click the failed update and post the Failure Code and Update reference number.

    My question about third party encryption software was partly because there was a Hotfix issued relating to third party encryption to resolve one of the Windows Update errors your system is recording.

    I have discovered since my last post that you have two problem devices.

    Aruba Virtual Adapter              ROOT\NET\0000           This device is disabled.

    Microsoft Teredo Tunneling Adapter               ROOT\*TEREDO\0000              This device cannot start.

    Hope this helps, Gerry

    Friday, February 22, 2013 2:24 PM
  • Barvesen

    It might have something to do with moc_crypto.sys. That has deep hooks into the OS, wouldn't be loaded in safe mode, and the driver is two years old. Just a shot in the dark until we get more DMPs.

    MS-MVP 2010, 2011, 2012 Team ZigZag

    • Marked as answer by tracycai Monday, February 25, 2013 9:00 AM
    Friday, February 22, 2013 9:26 PM
  • No third party drive encryption. Using BitLocker.
    Tuesday, March 5, 2013 11:15 AM
  • Update the BIOS to version 2.08:

    You may need to update the BIOS Admin Pack to version 1.08

    Updating the BIOS is not without risk so back up your data files as a precaution. Print and read the pdf files for each download.

    Please download and run Driver View and upload a copy of the report it produces to your Sky Drive.

    Please upload and share with everyone copies of your System and Application logs from your Event Viewer to your Sky Drive and post a link here.

    To access the System log select Start, Control Panel, Administrative Tools, Event Viewer, from the list in the left side of the window select Windows Logs and System. Place the cursor on System, select Action from the Menu and Save All Events as and give the file a name. Do the same for the Applications log.

    Hope this helps, Gerry

    Tuesday, March 5, 2013 1:04 PM
  • Updated BIOS to 2.08. Report from Driver View and log files can be found at: skydrive.live.com/redir?resid=7A41FE8523AC9454!116&authkey=!AIx5JwQZ_TKXnnY
    Wednesday, March 6, 2013 1:35 PM
  • Log Name:      System
    Source:        Microsoft-Windows-Kernel-PnP
    Date:          06/03/13 12:36:20
    Event ID:      219
    Level:         Warning
    Computer:      MFAW5475.mfadir.no
    The driver \Driver\WUDFRd failed to load for the device USB\Vid_1199&Pid_9011&MI_03\7&188322d1&1&03.

    Sierra Wireless WWAN Device: Universal Serial Bus controllers.

    Install this driver, observe and advise result:

    Hope this helps, Gerry

    Wednesday, March 6, 2013 3:03 PM