locked
ntoskrnl.exe causing multiple BSODs RRS feed

  • Question

  • I've been experiencing many BSODs on my computer. I've tried reinstalling my OS (Win7 x64 Home Premium), but the BSODs still happen. I am also having a hard time installing all Windows Updates. Sometimes the computer BSODs when installing the updates.

    I am using BlueScreenView to view the dump logs. 90% of the logs are showing ntoskrnl.exe as the driver that is causing the issue. Here are the most recent dump logs:

    Dump File Crash Time Bug Check String Bug Check Code Parameter 1 Parameter 2 Parameter 3 Parameter 4 Caused By Driver Caused By Address File Description Product Name Company File Version Processor Crash Address Stack Address 1 Stack Address 2 Stack Address 3 Computer Name Full Path Processors Count Major Version Minor Version Dump File Size Dump File Time
    060214-71027-01.dmp 6/2/2014 9:57:09 PM MEMORY_MANAGEMENT 0x0000001a 00000000`00005003 fffff700`01080000 00000000`0002161a 00000000`0dd10009 ntoskrnl.exe ntoskrnl.exe+75bc0 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+75bc0         C:\Windows\Minidump\060214-71027-01.dmp 4 15 7601 291,184 6/2/2014 9:58:54 PM
    060214-11138-01.dmp 6/2/2014 8:24:53 PM SYSTEM_THREAD_EXCEPTION_NOT_HANDLED 0x1000007e ffffffff`c000001d fffff880`011e2829 fffff880`03768928 fffff880`03768180 volsnap.sys volsnap.sys+2e829 Volume Shadow Copy Driver Microsoft® Windows® Operating System Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255) x64 volsnap.sys+2e829         C:\Windows\Minidump\060214-11138-01.dmp 4 15 7601 291,656 6/2/2014 8:26:29 PM
    060214-10779-01.dmp 6/2/2014 2:04:18 AM BAD_POOL_HEADER 0x00000019 00000000`00000022 fffff8a0`025ca000 00000000`00000001 00000000`00000000 ntoskrnl.exe ntoskrnl.exe+75bc0 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+75bc0         C:\Windows\Minidump\060214-10779-01.dmp 4 15 7601 284,096 6/2/2014 8:19:03 AM
    060214-11107-01.dmp 6/2/2014 2:01:17 AM CACHE_MANAGER 0x00000034 00000000`00050853 fffff880`09814818 fffff880`09814070 fffff800`02f013b6 ntoskrnl.exe ntoskrnl.exe+75bc0 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+75bc0         C:\Windows\Minidump\060214-11107-01.dmp 4 15 7601 291,640 6/2/2014 2:03:16 AM
    060114-10062-01.dmp 6/1/2014 11:20:12 AM SYSTEM_THREAD_EXCEPTION_NOT_HANDLED 0x1000007e ffffffff`c0000005 fffff800`02eb7817 fffff880`009a88f8 fffff880`009a8150 ntoskrnl.exe ntoskrnl.exe+56817 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+56817         C:\Windows\Minidump\060114-10062-01.dmp 4 15 7601 266,576 6/1/2014 11:21:11 AM
    060114-8860-01.dmp 6/1/2014 10:56:28 AM KMODE_EXCEPTION_NOT_HANDLED 0x0000001e ffffffff`c0000005 fffff880`08bf6760 00000000`00000000 00000000`00000000 ntoskrnl.exe ntoskrnl.exe+75bc0 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+75bc0         C:\Windows\Minidump\060114-8860-01.dmp 4 15 7601 290,472 6/1/2014 11:05:36 AM
    060114-10857-01.dmp 6/1/2014 10:55:13 AM SYSTEM_THREAD_EXCEPTION_NOT_HANDLED 0x1000007e ffffffff`c0000005 fffff800`031c58f5 fffff880`031fc898 fffff880`031fc0f0 ntoskrnl.exe ntoskrnl.exe+3728f5 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+3728f5         C:\Windows\Minidump\060114-10857-01.dmp 4 15 7601 291,320 6/1/2014 10:56:16 AM
    060114-10389-01.dmp 6/1/2014 10:43:28 AM CACHE_MANAGER 0x00000034 00000000`00050853 fffff880`026bc518 fffff880`026bbd70 fffff800`02f0d547 ntoskrnl.exe ntoskrnl.exe+75bc0 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+75bc0         C:\Windows\Minidump\060114-10389-01.dmp 4 15 7601 291,608 6/1/2014 10:44:05 AM
    060114-9375-01.dmp 6/1/2014 10:35:07 AM PFN_LIST_CORRUPT 0x0000004e 00000000`00000099 00000000`000aed4b 00000000`00000000 00000000`000aef3b ntoskrnl.exe ntoskrnl.exe+75bc0 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+75bc0         C:\Windows\Minidump\060114-9375-01.dmp 4 15 7601 291,680 6/1/2014 10:36:06 AM
    060114-9765-01.dmp 6/1/2014 10:10:00 AM SYSTEM_THREAD_EXCEPTION_NOT_HANDLED 0x1000007e ffffffff`c0000005 fffff800`02e56817 fffff880`009a8b38 fffff880`009a8390 ntoskrnl.exe ntoskrnl.exe+56817 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.18247 (win7sp1_gdr.130828-1532) x64 ntoskrnl.exe+56817         C:\Windows\Minidump\060114-9765-01.dmp 4 15 7601 266,576 6/1/2014 10:21:41 AM


    Any idea what I can do to fix this? Thanks!

    Tuesday, June 3, 2014 5:26 AM

Answers

  • As ZZ said above, you have bad RAM. Very rarely is the problem bad DIMM slots on the board, however, it's always worth being sure of by testing one stick at a time in each DIMM slot as I have seen it here & there.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    • Marked as answer by fmpeyton Wednesday, June 4, 2014 2:57 PM
    Wednesday, June 4, 2014 2:27 PM

All replies

  • Hi,

    In order to assist you, we will need the .DMP files to analyze what exactly occurred at the time of the crash, etc.

    If you don't know where .DMP files are located, here's how to get to them:

    1. Navigate to the %systemroot%\Minidump folder.

    2. Copy any and all DMP files in the Minidump folder to your Desktop and then zip up these files.

    3. Upload the zip containing the .DMP files to Onedrive or a hosting site of your choice and paste in your reply. Preferred sites: Onedrive, Mediafire, Dropbox, etc. Nothing with wait-timers, download managers, etc.

    4 (optional): The type of .DMP files located in the Minidump folder are known as Small Memory Dumps. In %systemroot% there will be what is known as a Kernel-Dump (if your system is set to generate). It is labeled MEMORY.DMP. The difference between Small Memory Dumps and Kernel-Dumps in the simplest definition is a Kernel-Dump contains much more information at the time of the crash, therefore allowing further debugging of your issue. If your upload speed permits it, and you aren't going against any strict bandwidth and/or usage caps, etc, the Kernel-Dump is the best choice. Do note that Kernel-Dumps are much larger in size due to containing much more info, which is why I mentioned upload speed, etc.

    If you are going to use Onedrive but don't know how to upload to it, please visit the following:

    Upload photos and files to Onedrive.

    After doing that, to learn how to share the link to the file if you are unaware, please visit the following link - Share files and folders and change permissions and view 'Get a link'.

    Please note that any "cleaner" programs such as TuneUpUtilities, CCleaner, etc, by default will delete .DMP files upon use. With this said, if you've run such software, you will need to allow the system to crash once again to generate a crash dump.

    If your computer is not generating .DMP files, please do the following:

    1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.

    2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all drives'.

    3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

    Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.

    4. Double check that the WERS is ENABLED:

    Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.

    If you cannot get into normal mode to do any of this, please do this via Safe Mode.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Tuesday, June 3, 2014 5:55 AM
  • Hi Patrick,

    Thanks for the reply. Here are both my minidump files and my memory.dmp file:

    Minidump: https://mega.co.nz/#!iZJDTCgQ!2DMYliJpmbZPNToEmkSv9ObgCCeb1rcY5uV3R39DHug

    Memory: https://mega.co.nz/#!nMh1RZjK!oQsdghBEK5ogd0YEPzUrmSCUoLN6Py0TqLeq-KmFSU8


    Let me know if you need anything else,

    Fillip




    • Edited by fmpeyton Tuesday, June 3, 2014 2:53 PM
    Tuesday, June 3, 2014 2:51 PM
  • Thanks very much!

    Well, this looks like a RAM/hardware problem at first glance.

    MEMORY_MANAGEMENT (1a)

    This indicates that a severe memory management error occurred.

    BugCheck 1A, {5003, fffff70001080000, 2161a, dd10009}

    - The 1st parameter of the bug check is 5003 which indicates the working set free list is corrupt.

    SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)

    This indicates that a system thread generated an exception which the error handler did not catch.

    BugCheck 1000007E, {ffffffffc000001d, fffff880011e2829, fffff88003768928, fffff88003768180}

    The 1st parameter is 0xc000001d which indicates an illegal instruction occurred. Essentially, an attempt was made to execute an illegal instruction.

    CHKIMG_EXTENSION: !chkimg -lo 50 -d !volsnap
        fffff880011e282a - volsnap!VspWriteSnapshot+47a
    	[ 2b:2f ]
    1 error : !volsnap (fffff880011e282a)
    

    BAD_POOL_HEADER (19)

    This indicates that a pool header is corrupt.

    BugCheck 19, {22, fffff8a0025ca000, 1, 0}

    0: kd> !pool fffff8a0025ca000
    Pool page fffff8a0025ca000 region is Paged pool
    GetUlongFromAddress: unable to read from fffff80003077a38
    Unable to get pool big page table. Check for valid symbols.
    fffff8a0025ca000 is not valid pool. Checking for freed (or corrupt) pool
    Bad previous allocation size @fffff8a0025ca000, last size was 0
    
    ***
    *** An error (or corruption) in the pool was detected;
    *** Attempting to diagnose the problem.
    ***
    *** Use !poolval fffff8a0025ca000 for more details.
    
    
    Pool page [ fffff8a0025ca000 ] is __inVALID.
    
    Analyzing linked list...
    [ fffff8a0025ca000 ]: invalid previous size [ 0x68 ] should be [ 0x0 ]
    [ fffff8a0025ca000 --> fffff8a0025ca9a0 (size = 0x9a0 bytes)]: Corrupt region
    
    
    Scanning for single bit errors...
    
    None found
    

    CACHE_MANAGER (34)

    This indicates that a problem occurred in the file system's cache manager.

    One possible cause of this bug check is depletion of nonpaged pool memory. If the nonpaged pool memory is completely depleted, this error can stop the system. However, during the indexing process, if the amount of available nonpaged pool memory is very low, another kernel-mode driver requiring nonpaged pool memory can also trigger this error.


    KMODE_EXCEPTION_NOT_HANDLED (1e)

    This indicates that a kernel-mode program generated an exception which the error handler did not catch.

    BugCheck 1E, {ffffffffc0000005, fffff88008bf6760, 0, 0}

    3: kd> k
    Child-SP          RetAddr           Call Site
    fffff880`08bf66a8 fffff800`02f621bb nt!KeBugCheckEx
    fffff880`08bf66b0 fffff800`02f23d18 nt!KipFatalFilter+0x1b
    fffff880`08bf66f0 fffff800`02efbcdc nt! ?? ::FNODOBFM::`string'+0x83d
    fffff880`08bf6730 fffff800`02efb75d nt!_C_specific_handler+0x8c
    fffff880`08bf67a0 fffff800`02efa535 nt!RtlpExecuteHandlerForException+0xd
    fffff880`08bf67d0 fffff800`02f0b4c1 nt!RtlDispatchException+0x415
    fffff880`08bf6eb0 fffff800`02ed0242 nt!KiDispatchException+0x135
    fffff880`08bf7550 fffff800`02eceb4a nt!KiExceptionDispatch+0xc2
    fffff880`08bf7730 fffff800`02eadc25 nt!KiGeneralProtectionFault+0x10a
    fffff880`08bf78c0 fffff880`01647059 nt!RtlLookupEntryHashTable+0x55
    fffff880`08bf78f0 fffff880`01646fd9 tcpip!WfpAlepLookupPeerInformation+0x49
    fffff880`08bf7940 fffff880`016437d8 tcpip!WfpAleAcquirePeerInformation+0x11d
    fffff880`08bf79b0 fffff880`01644426 tcpip!WfpAleFindPeerInformationForPeerName+0x78
    fffff880`08bf7a40 00000000`00000000 tcpip!WfpAlepAuthorizeSend+0x576
    

    Various tcpip.sys calls in the stack.

    -------------------------

    1. Run Memtest for NO less than ~8 passes (several hours):

    Memtest86+:

    Download Memtest86+ here:

    http://www.memtest.org/

    Which should I download?

    You can either download the pre-compiled ISO that you would burn to a CD and then boot from the CD, or you can download the auto-installer for the USB key. What this will do is format your USB drive, make it a bootable device, and then install the necessary files. Both do the same job, it's just up to you which you choose, or which you have available (whether it's CD or USB).

    Do note that some older generation motherboards do not support USB-based booting, therefore your only option is CD (or Floppy if you really wanted to).

    How Memtest works:

    Memtest86 writes a series of test patterns to most memory addresses, reads back the data written, and compares it for errors.

    The default pass does 9 different tests, varying in access patterns and test data. A tenth test, bit fade, is selectable from the menu. It writes all memory with zeroes, then sleeps for 90 minutes before checking to see if bits have changed (perhaps because of refresh problems). This is repeated with all ones for a total time of 3 hours per pass.

    Many chipsets can report RAM speeds and timings via SPD (Serial Presence Detect) or EPP (Enhanced Performance Profiles), and some even support changing the expected memory speed. If the expected memory speed is overclocked, Memtest86 can test that memory performance is error-free with these faster settings.

    Some hardware is able to report the "PAT status" (PAT: enabled or PAT: disabled). This is a reference to Intel Performance acceleration technology; there may be BIOS settings which affect this aspect of memory timing.

    This information, if available to the program, can be displayed via a menu option.

    Any other questions, they can most likely be answered by reading this great guide here:

    http://forum.canardpc.com/threads/28864-FAQ-please-read-before-posting

    2. If Memtest passes with NO errors, please run Chkdsk and Seatools:

    Chkdsk:
    There are various ways to run Chkdsk~


    Method 1:

    Start > Search bar > Type cmd (right click run as admin to execute Elevated CMD)

    Elevated CMD should now be opened, type the following:

    chkdsk x: /r

    x implies your drive letter, so if your hard drive in question is letter c, it would be:

    chkdsk c: /r

    Restart system and let chkdsk run.

    Method 2:


        Open the "Computer" window
        Right-click on the drive in question
        Select the "Tools" tab
        In the Error-checking area, click <Check Now>.

    If you'd like to get a log file that contains the chkdsk results, do the following:

    Press Windows Key + R and type powershell.exe in the run box

    Paste the following command and press enter afterwards:

    get-winevent -FilterHashTable @{logname="Application"; id="1001"}| ?{$_.providername –match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt

    This will output a .txt file on your Desktop containing the results of the chkdsk.

    If chkdsk turns out okay, run Seatools -

    http://www.seagate.com/support/downloads/seatools/

    You can run it via Windows or DOS. Do note that the only difference is simply the environment you're running it in. In Windows, if you are having what you believe to be driver related issues that may cause conflicts or a false positive, it may be a wise decision to choose the most minimal testing environment (DOS). I always recommend running Seatools in DOS if absolutely possible.

    -- Run all tests EXCEPT: Fix All and anything Advanced.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Tuesday, June 3, 2014 11:32 PM
  • Thanks for the reply! I will run my tests and get back to you with the results.

    Fil

    Wednesday, June 4, 2014 12:10 AM
  • My pleasure, I look forward to your update.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Wednesday, June 4, 2014 12:21 AM
  • So I ran memtest for 12hrs (~5 passes, sorry, I forgot you said 8 =X), but I'm pretty sure its black and white anyway:

    http://oi62.tinypic.com/2a8nn1v.jpg

    As someone who has never ran this program before, I can even tell that's bad. Question is, where do I go from here? Do I start removing RAM sticks and re-running memtests?


    • Edited by fmpeyton Wednesday, June 4, 2014 2:07 PM
    Wednesday, June 4, 2014 2:06 PM
  • Fmpeyton

    Just to  save you some time before Patrick returns.  If you are running memtest with more than one stick and can remove them (for desktops of course) you should re-run memtest with one stick at a time to identify the bad stick.

    Memtest can ony ID if the RAM/Mobo slot combination is bad.  99% of the time it is the ram.

    Patrick will explain the results.


    Wanikiya and Dyami--Team Zigzag

    Wednesday, June 4, 2014 2:12 PM
  • As ZZ said above, you have bad RAM. Very rarely is the problem bad DIMM slots on the board, however, it's always worth being sure of by testing one stick at a time in each DIMM slot as I have seen it here & there.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    • Marked as answer by fmpeyton Wednesday, June 4, 2014 2:57 PM
    Wednesday, June 4, 2014 2:27 PM
  • Thanks everyone for the replies. I'll look to identify a bad stick with memtest a few more times.
    Wednesday, June 4, 2014 2:57 PM