Blue Screen Laptop Windows 7

  • Question

  • Hello, I used Windbg to look at the memory.dmp. Can I get some assistance to find out why it's bluescreening or what's the driver that needs updating etc? Thanks very much

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 0000001000000094, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000000, bitfield :
     bit 0 : value 0 = read operation, 1 = write operation
     bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: fffff800030daaa5, address which referenced memory


    Paula

    Thursday, November 19, 2015 2:42 PM

Answers

  • Hi Paula,

    We have analyzed the dump file which you uploaded, and you can see detailed information below.

    Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\Administrator\Desktop\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available
    
    Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.19045.amd64fre.win7sp1_gdr.151019-1254
    Machine Name:
    Kernel base = 0xfffff800`03003000 PsLoadedModuleList = 0xfffff800`0324a730
    Debug session time: Tue Nov 24 23:09:17.231 2015 (UTC + 8:00)
    System Uptime: 0 days 0:08:02.504
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ................................................
    Loading User Symbols
    
    Loading unloaded module list
    ......
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck D1, {a, 2, 0, fffff88002d8cc59}
    
    *** ERROR: Module load completed but symbols could not be loaded for vfilter.sys
    *** ERROR: Module load completed but symbols could not be loaded for e1d62x64.sys
    Probably caused by : vfilter.sys ( vfilter+1c59 )
    
    Followup: MachineOwner
    ---------
    
    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 000000000000000a, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg4: fffff88002d8cc59, address which referenced memory
    
    Debugging Details:
    ------------------
    
    
    READ_ADDRESS:  000000000000000a 
    
    CURRENT_IRQL:  2
    
    FAULTING_IP: 
    vfilter+1c59
    fffff880`02d8cc59 440fb7500a      movzx   r10d,word ptr [rax+0Ah]
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    BUGCHECK_STR:  0xD1
    
    PROCESS_NAME:  System
    
    TRAP_FRAME:  fffff80000b9a5d0 -- (.trap 0xfffff80000b9a5d0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=fffff98004ce8e20
    rdx=fffff9800524cdd0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff88002d8cc59 rsp=fffff80000b9a760 rbp=0000000000000000
     r8=0000000000000000  r9=fffff88001459d08 r10=fffff80000b9ab90
    r11=fffff80000b9a710 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei ng nz na po nc
    vfilter+0x1c59:
    fffff880`02d8cc59 440fb7500a      movzx   r10d,word ptr [rax+0Ah] ds:0030:00000000`0000000a=????
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from fffff800030761e9 to fffff80003076c40
    
    STACK_TEXT:  
    fffff800`00b9a488 fffff800`030761e9 : 00000000`0000000a 00000000`0000000a 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
    fffff800`00b9a490 fffff800`03074e60 : 00000000`00000000 fffff880`0140b490 00000000`00000020 fffff980`0524cdd0 : nt!KiBugCheckDispatch+0x69
    fffff800`00b9a5d0 fffff880`02d8cc59 : fffff880`0140b490 fffff880`01401921 00000000`00000000 fffff880`0140b490 : nt!KiPageFault+0x260
    fffff800`00b9a760 fffff880`02d8c973 : fffff980`0524cdd0 fffff980`0524cdd0 fffff980`00000000 fffff980`0524cdd0 : vfilter+0x1c59
    fffff800`00b9a7e0 fffff880`014231c7 : fffffa80`0bc641a0 fffff980`04e08e20 00000000`00000002 fffffa80`09ccb6c0 : vfilter+0x1973
    fffff800`00b9a840 fffff880`04442f73 : fffffa80`0bdb9000 00000000`00000002 fffff980`04e08e20 fffff980`04e08e20 : ndis! ?? ::FNODOBFM::`string'+0xcd8f
    fffff800`00b9a890 fffff880`04443162 : 00000000`00000001 fffff980`04ce8e20 fffffa80`0bdb9000 fffff800`0313df3b : e1d62x64+0x25f73
    fffff800`00b9a8d0 fffff880`04434d54 : fffffa80`0bdb9000 fffffa80`0bdb9000 00000000`00000000 fffff980`00000000 : e1d62x64+0x26162
    fffff800`00b9a950 fffff880`04432ed0 : fffff880`014883e0 fffff800`03538250 00000001`00000000 fffffa80`0b362740 : e1d62x64+0x17d54
    fffff800`00b9aa50 fffff880`04434fe8 : fffffa80`09cc26c0 00000001`00000000 fffff800`031f9080 00000000`00000000 : e1d62x64+0x15ed0
    fffff800`00b9aac0 fffff880`01401921 : 00000000`00000000 00000000`000096e3 fffffa80`09d53c70 01d126ca`000e0846 : e1d62x64+0x17fe8
    fffff800`00b9ab00 fffff800`03081c1c : fffff980`048e8e78 00000000`00000000 00000000`00000000 fffff800`031f6e80 : ndis!ndisInterruptDpc+0x151
    fffff800`00b9ab90 fffff800`0306e94a : fffff800`031f6e80 fffff800`03204cc0 00000000`00000000 fffff880`014017d0 : nt!KiRetireDpcList+0x1bc
    fffff800`00b9ac40 00000000`00000000 : fffff800`00b9b000 fffff800`00b95000 fffff800`00b9ac00 00000000`00000000 : nt!KiIdleLoop+0x5a
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    vfilter+1c59
    fffff880`02d8cc59 440fb7500a      movzx   r10d,word ptr [rax+0Ah]
    
    SYMBOL_STACK_INDEX:  3
    
    SYMBOL_NAME:  vfilter+1c59
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: vfilter
    
    IMAGE_NAME:  vfilter.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4d0af841
    
    FAILURE_BUCKET_ID:  X64_0xD1_VRF_vfilter+1c59
    
    BUCKET_ID:  X64_0xD1_VRF_vfilter+1c59
    
    Followup: MachineOwner
    ---------
    

    The issue may be caused by a driver called "vfilter.sys". Based on my research, this driver is not managed by Microsoft. You had better contact the software vendor to get the correct driver for it.

    Good luck fixing it.

    Best Regards

    Simon



    • Marked as answer by ptt2014 Thursday, November 26, 2015 3:37 PM
    Thursday, November 26, 2015 9:44 AM
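
Added example (not part of the original thread or of Simon's analysis): a short Python triage of the `!analyze -v` fields quoted in the answer above. It shows why Arg1 `0xa` reads as a field access through a NULL pointer (the trap frame has `rax=0` and the instruction reads `[rax+0Ah]`), lists the stack modules that have no symbols, and decodes the driver's link timestamp. The helper name `triage` and the "first frame outside `nt`" heuristic are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Excerpt of the !analyze -v output quoted in the answer above (trimmed).
SAMPLE = r"""
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 000000000000000a, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88002d8cc59, address which referenced memory
STACK_TEXT:
fffff800`00b9a5d0 fffff880`02d8cc59 : fffff880`0140b490 fffff880`01401921 00000000`00000000 fffff880`0140b490 : nt!KiPageFault+0x260
fffff800`00b9a760 fffff880`02d8c973 : fffff980`0524cdd0 fffff980`0524cdd0 fffff980`00000000 fffff980`0524cdd0 : vfilter+0x1c59
fffff800`00b9a840 fffff880`04442f73 : fffffa80`0bdb9000 00000000`00000002 fffff980`04e08e20 fffff980`04e08e20 : ndis! ?? ::FNODOBFM::`string'+0xcd8f
fffff800`00b9a890 fffff880`04443162 : 00000000`00000001 fffff980`04ce8e20 fffffa80`0bdb9000 fffff800`0313df3b : e1d62x64+0x25f73
fffff800`00b9ab00 fffff800`03081c1c : fffff980`048e8e78 00000000`00000000 00000000`00000000 fffff800`031f6e80 : ndis!ndisInterruptDpc+0x151
DEBUG_FLR_IMAGE_TIMESTAMP:  4d0af841
"""

# A STACK_TEXT row: child-SP, return address, four args, then module!symbol
# (symbols loaded) or module+0xoffset (no symbols for that module).
FRAME = re.compile(
    r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : .* : (\w+)(!|\+0x)", re.M)


def triage(text):
    """Summarise a bugcheck 0xD1 report (hypothetical helper for this example)."""
    args = [int(v, 16) for v in re.findall(r"^Arg\d: ([0-9a-f]{16}),", text, re.M)]
    frames = [(m.group(1), m.group(2) == "!") for m in FRAME.finditer(text)]
    stamp = re.search(r"DEBUG_FLR_IMAGE_TIMESTAMP:\s+([0-9a-f]{8})", text)
    built = None
    if stamp:
        # The image timestamp is the PE link time, in seconds since 1970 (UTC).
        when = datetime.fromtimestamp(int(stamp.group(1), 16), timezone.utc)
        built = when.date().isoformat()
    return {
        # An address inside the first page means NULL base plus a field offset.
        "null_deref": args[0] < 0x1000,
        "irql": args[1],  # 2 is DISPATCH_LEVEL, where DPCs such as ndisInterruptDpc run
        "access": "write" if args[2] & 1 else "read",
        # Heuristic: the first frame outside the kernel's own trap handling.
        "suspect": next((mod for mod, _ in frames if mod != "nt"), None),
        "unsymbolized": list(dict.fromkeys(mod for mod, sym in frames if not sym)),
        "image_built": built,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:13} {value}")
```

An `image_built` date several years older than the Windows build shown in the dump header supports the answer's advice to get a current driver from the vendor.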

All replies

  •  
    We do need the actual log files (called DMP files) as they contain the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.


    Please follow our instructions for finding and uploading the files we need to help you fix your computer. They can be found here
    If you have any questions about the procedure please ask


    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Thursday, November 19, 2015 2:54 PM
  • Thursday, November 19, 2015 6:59 PM
  • These crashes were related to memory corruption (probably caused by a driver). 

    Please run these two tests to verify your memory and find which driver is causing the problem.  Please run verifier first.  You do not need to run memtest yet unless verifier does not find the cause, or you want to.


    If you are over-clocking anything reset to default before running these tests.
    In other words STOP!!!  If you do not know what this means you probably are not


    1-Driver verifier (for complete directions see our wiki here)

    2-Memtest. (You can read more about running memtest here)

    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Friday, November 20, 2015 12:16 AM
  • Hi Wani and Dyami

    Thank you for looking at the previous file.

    I uploaded the one generated by driver verifier (should be there soon).

    https://onedrive.live.com/?id=325D341C9466F667%2132037&cid=325D341C9466F667&group=0



    Paula

    Tuesday, November 24, 2015 3:22 PM
  • Paula

    Your link is broken.  Try it again


    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Tuesday, November 24, 2015 3:56 PM
  • Sorry about that.

    https://onedrive.live.com/redir?resid=325D341C9466F667!32037&authkey=!AG9vlONMfop_m58&ithint=folder%2cDMP


    Paula

    Tuesday, November 24, 2015 6:26 PM
  • Amazing!!!

    Thanks so much


    Paula

    Thursday, November 26, 2015 3:37 PM