Bluescreen issue

  • Question

  • A user we support is having frequent bluescreens every few weeks. We have looked at the minidump file in bluescreen viewer and it says

    Bug Check String: KERNEL_DATA_INPAGE_ERROR
    Bug Check Code: 0x0000007a
    Parameter 1: 0xc05d6ad0
    Parameter 2: 0xc000009d
    Parameter 3: 0x3e08a8c0
    Parameter 4: 0xbad5a77e
    Caused By Driver: ntkrnlpa.exe
    Caused By Address: ntkrnlpa.exe+dfc24
    Processor: 32-bit
    Crash Address: ntkrnlpa.exe+dfc24
    Stack Address 1: ntkrnlpa.exe+a4572
    Stack Address 2: ntkrnlpa.exe+a7e9c
    Stack Address 3: ntkrnlpa.exe+91254
    C:\Users\james.berryman\Documents\082216-21652-01.dmp
    Processors Count: 2
    Major Version: 15
    Minor Version: 7601

     

    What we have already tried is:

    Updating Windows

    Disk Check

    System File Check

    After research it seemed to suggest this was linked to power management and a transition to or from standby mode - in light of this we set it to high performance mode in power management and disabled any form of sleep mode or turning the screen off.

    The issue still persists, however this time the blue screen occurred while the user was scrolling through Excel so the PC was in use.

    Any help would be appreciated

    Kind Regards,

    James

    Thursday, August 25, 2016 12:18 PM

All replies

  • We do need the actual log files (called DMP files) as they contain the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.

    Please follow our instructions for finding and uploading the files we need to help you fix your computer. They can be found here
    If you have any questions about the procedure please ask.

    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Thursday, August 25, 2016 12:33 PM
  • https://www.dropbox.com/s/gi23w80u79220kx/MiniDump.rar?dl=0

    Thanks for the fast reply. The last 2 minidump files have been uploaded to dropbox and the above link should allow you access.

    Cheers


    Thursday, August 25, 2016 12:54 PM
  • There is a HD issue

    To test a suspect HD you should do 2 things as described in this wiki

    Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\zigza\Desktop\MiniDump\082216-21652-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       SRV*D:\symbols*https://msdl.microsoft.com/download/symbols
    Symbol search path is: SRV*D:\symbols*https://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.23418.x86fre.win7sp1_ldr.160408-2045
    Machine Name:
    Kernel base = 0x82a10000 PsLoadedModuleList = 0x82b5ce30
    Debug session time: Mon Aug 22 10:26:37.800 2016 (UTC - 4:00)
    System Uptime: 3 days 23:59:51.712
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...........................
    Loading User Symbols
    Loading unloaded module list
    ......................................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 7A, {c05d6ad0, c000009d, 3e08a8c0, bad5a77e}
    
    Probably caused by : memory_corruption ( nt!MiWaitForInPageComplete+302 )
    
    Followup:     MachineOwner
    ---------
    
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KERNEL_DATA_INPAGE_ERROR (7a)
    The requested page of kernel data could not be read in.  Typically caused by
    a bad block in the paging file or disk controller error. Also see
    KERNEL_STACK_INPAGE_ERROR.
    If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
    it means the disk subsystem has experienced a failure.
    If the error status is 0xC000009A, then it means the request failed because
    a filesystem failed to make forward progress.
    Arguments:
    Arg1: c05d6ad0, lock type that was held (value 1,2,3, or PTE address)
    Arg2: c000009d, error status (normally i/o status code)
    Arg3: 3e08a8c0, current process (virtual address for lock type 3, or PTE)
    Arg4: bad5a77e, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)
    
    Debugging Details:
    ------------------
    
    
    DUMP_CLASS: 1
    
    DUMP_QUALIFIER: 400
    
    BUILD_VERSION_STRING:  7601.23418.x86fre.win7sp1_ldr.160408-2045
    
    DUMP_TYPE:  2
    
    BUGCHECK_P1: ffffffffc05d6ad0
    
    BUGCHECK_P2: ffffffffc000009d
    
    BUGCHECK_P3: 3e08a8c0
    
    BUGCHECK_P4: ffffffffbad5a77e
    
    ERROR_CODE: (NTSTATUS) 0xc000009d - STATUS_DEVICE_NOT_CONNECTED
    
    DISK_HARDWARE_ERROR: There was error with disk hardware
    
    BUGCHECK_STR:  0x7a_c000009d
    
    CPU_COUNT: 2
    
    CPU_MHZ: 898
    
    CPU_VENDOR:  GenuineIntel
    
    CPU_FAMILY: 6
    
    CPU_MODEL: f
    
    CPU_STEPPING: d
    
    CPU_MICROCODE: 6,f,d,0 (F,M,S,R)  SIG: A3'00000000 (cache) 0'00000000 (init)
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    PROCESS_NAME:  chrome.exe
    
    CURRENT_IRQL:  0
    
    ANALYSIS_SESSION_HOST:  DESKTOP-D9IOKO8
    
    ANALYSIS_SESSION_TIME:  08-25-2016 09:44:26.0245
    
    ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
    
    TRAP_FRAME:  8bbd2af4 -- (.trap 0xffffffff8bbd2af4)
    ErrCode = 00000000
    eax=bad5a77e ebx=bad17003 ecx=8bef6000 edx=00003f0c esi=bad5a77e edi=85ace6c8
    eip=82c6d499 esp=8bbd2b68 ebp=8bbd2b70 iopl=0         nv up ei ng nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
    nt!MiApplyCompressedFixups+0x15:
    82c6d499 8a06            mov     al,byte ptr [esi]          ds:0023:bad5a77e=00
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from 82ab4572 to 82aefc24
    
    STACK_TEXT:  
    8bbd295c 82ab4572 0000007a c05d6ad0 c000009d nt!KeBugCheckEx+0x1e
    8bbd29cc 82ab7e9c 8bbd2a20 82b7e280 8bbd2a40 nt!MiWaitForInPageComplete+0x302
    8bbd2a5c 82aa1254 82b7e280 bad5a77e 874914c8 nt!MiIssueHardFault+0x3b3
    8bbd2adc 82a50fa8 00000000 bad5a77e 00000000 nt!MmAccessFault+0x29fc
    8bbd2adc 82c6d499 00000000 bad5a77e 00000000 nt!KiTrap0E+0xdc
    8bbd2b70 82c6c2be 8bef6000 5a6f0000 c045f7b0 nt!MiApplyCompressedFixups+0x15
    8bbd2bac 82c6b7ab 85ace6c8 5a6f0000 00000001 nt!MiPerformFixups+0x6d
    8bbd2bd0 82ab43cb 85ace6c8 00000000 00000fc3 nt!MiRelocateImagePfn+0x105
    8bbd2c3c 82ab7e9c 8bbd2c60 85f27528 8bbd2c80 nt!MiWaitForInPageComplete+0x15b
    8bbd2c9c 82aa1424 85f27528 5d2e37f0 86da3009 nt!MiIssueHardFault+0x3b3
    8bbd2d1c 82a50fa8 00000008 5d2e37f0 00000001 nt!MmAccessFault+0x2bcc
    8bbd2d1c 5d2e37f0 00000008 5d2e37f0 00000001 nt!KiTrap0E+0xdc
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    0670f990 00000000 00000000 00000000 00000000 0x5d2e37f0
    
    
    STACK_COMMAND:  kb
    
    THREAD_SHA1_HASH_MOD_FUNC:  1a5097ebf3abf37e6a63669d8a02e243be902809
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  73e862e7ed812da540092de8fea12f701a4aa95f
    
    THREAD_SHA1_HASH_MOD:  dc844b1b94baa204d070855e43bbbd27eee98b94
    
    FOLLOWUP_IP: 
    nt!MiWaitForInPageComplete+302
    82ab4572 cc              int     3
    
    FAULT_INSTR_CODE:  144b8bcc
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  nt!MiWaitForInPageComplete+302
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5708958e
    
    IMAGE_VERSION:  6.1.7601.23418
    
    IMAGE_NAME:  memory_corruption
    
    FAILURE_BUCKET_ID:  0x7a_c000009d_nt!MiWaitForInPageComplete+302
    
    BUCKET_ID:  0x7a_c000009d_nt!MiWaitForInPageComplete+302
    
    PRIMARY_PROBLEM_CLASS:  0x7a_c000009d_nt!MiWaitForInPageComplete+302
    
    TARGET_TIME:  2016-08-22T14:26:37.000Z
    
    OSBUILD:  7601
    
    OSSERVICEPACK:  1000
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    SUITE_MASK:  272
    
    PRODUCT_TYPE:  1
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 7
    
    OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
    
    OS_LOCALE:  
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  2016-04-09 01:39:26
    
    BUILDDATESTAMP_STR:  160408-2045
    
    BUILDLAB_STR:  win7sp1_ldr
    
    BUILDOSVER_STR:  6.1.7601.23418.x86fre.win7sp1_ldr.160408-2045
    
    ANALYSIS_SESSION_ELAPSED_TIME: 4d2
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:0x7a_c000009d_nt!miwaitforinpagecomplete+302
    
    FAILURE_ID_HASH:  {4c587644-ce3c-2e93-8904-305cda63e0c2}
    
    Followup:     MachineOwner
    ---------
    
    


    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Thursday, August 25, 2016 1:45 PM
  • Thanks,

    I will get the user to restart tonight when they finish work and I will connect in in the morning to collect the logs from CHKDSK and post them here as well as find the HD manufacturer and run their hard drive checking utility.

    Thanks for all the help so far.

    Thursday, August 25, 2016 3:48 PM
  • Hi James Berryman,

    According to the dump file you provided, probably it could be caused by: memory_corruption. We could check the HD and the memory. Also I suggest that we could try upgrading to the latest BIOS for your motherboard.

    If the issue still persists, I think the fastest way to track this down is to use a testing tool called Driver Verifier. If this tool finds a problem, your machine will crash again.  Hopefully with it enabled, it will allow you to easily identify the bad driver.

    Enable driver verifier

    1) Open an elevated command prompt

    2) Type "verifier /standard /all"  (no quotes)

    3) Reboot your machine

    4) Use machine again until it crashes (hopefully this will be fast :)

    After the crash & reboot, go into safe mode. Take a look at the new memory dump.

    Disable driver verifier

    1) Open an elevated command prompt

    2) Type "verifier /reset" (no quotes)

    3) Reboot your machine

    Hope it will be helpful to you



    Friday, August 26, 2016 6:18 AM
  • Okay, the CHKDSK has come back; here is the log from Event Viewer

    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          25/08/2016 18:52:35
    Event ID:      1001
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      ASLEISURE-WNDY2.asleisuredom.local
    Description:


    Checking file system on C:
    The type of the file system is NTFS.

    A disk check has been scheduled.
    Windows will now check the disk.                         

    CHKDSK is verifying files (stage 1 of 5)...
      188928 file records processed.                                         

    File verification completed.
      937 large file records processed.                                   

      0 bad file records processed.                                     

      31408 EA records processed.                                           

      102 reparse records processed.                                      

    CHKDSK is verifying indexes (stage 2 of 5)...
      243792 index entries processed.                                        

    Index verification completed.
      0 unindexed files scanned.                                        

      0 unindexed files recovered.                                      

    CHKDSK is verifying security descriptors (stage 3 of 5)...
      188928 file SDs/SIDs processed.                                        

    Cleaning up 150 unused index entries from index $SII of file 0x9.
    Cleaning up 150 unused index entries from index $SDH of file 0x9.
    Cleaning up 150 unused security descriptors.
    Security descriptor verification completed.
      27433 data files processed.                                           

    CHKDSK is verifying Usn Journal...
      35517248 USN bytes processed.                                            

    Usn Journal verification completed.
    CHKDSK is verifying file data (stage 4 of 5)...
      188912 files processed.                                                

    File data verification completed.
    CHKDSK is verifying free space (stage 5 of 5)...
      47215979 free clusters processed.                                        

    Free space verification is complete.
    Windows has checked the file system and found no problems.

     244093951 KB total disk space.
      54839960 KB in 148018 files.
         89884 KB in 27434 indexes.
             0 KB in bad sectors.
        300191 KB in use by the system.
         65536 KB occupied by the log file.
     188863916 KB available on disk.

          4096 bytes in each allocation unit.
      61023487 total allocation units on disk.
      47215979 allocation units available on disk.

    Internal Info:
    00 e2 02 00 f6 aa 02 00 f7 f5 04 00 00 00 00 00  ................
    23 01 00 00 66 00 00 00 00 00 00 00 00 00 00 00  #...f...........
    40 8c 05 00 50 01 04 00 90 19 04 00 00 00 04 00  @...P...........

    Windows has finished checking your disk.
    Please wait while your computer restarts.


    The Manufacturer is (Standard Disk Drives)

    Model ST3250310AS ATA Device

    Where would I go for the disk check utility?

    Friday, August 26, 2016 9:16 AM
  • Wed Aug 10 12:34:09.197 2016 (UTC - 4:00)

    BugCheck 7A, {c0604000, c000000e, b1b34880, c0800000}

    *** WARNING: Unable to verify timestamp for tmevtmgr.sys
    *** ERROR: Module load completed but symbols could not be loaded for tmevtmgr.sys
    Probably caused by : tmevtmgr.sys ( tmevtmgr+7636 )

    I would uninstall Trend Micro and install MSE

    Uninstalling Trend Micro Security software using the Diagnostic Toolkit

    WARNING: Whitespace at end of path element
    Error: Empty Path.
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols 
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.23418.x86fre.win7sp1_ldr.160408-2045
    Machine Name:
    Kernel base = 0x82a1c000 PsLoadedModuleList = 0x82b68e30
    Debug session time: Wed Aug 10 12:34:09.197 2016 (UTC - 4:00)
    System Uptime: 0 days 7:51:32.284
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..........................
    Loading User Symbols
    Loading unloaded module list
    ..............
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 7A, {c0604000, c000000e, b1b34880, c0800000}<== same error 
    
    *** WARNING: Unable to verify timestamp for tmevtmgr.sys
    *** ERROR: Module load completed but symbols could not be loaded for tmevtmgr.sys
    Probably caused by : tmevtmgr.sys ( tmevtmgr+7636 )
    
    Followup:     MachineOwner
    ---------
    
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KERNEL_DATA_INPAGE_ERROR (7a)
    The requested page of kernel data could not be read in.  Typically caused by
    a bad block in the paging file or disk controller error. Also see
    KERNEL_STACK_INPAGE_ERROR.
    If the error status is 0xC000000E, 0xC000009C, 0xC000009D or 0xC0000185,
    it means the disk subsystem has experienced a failure.
    If the error status is 0xC000009A, then it means the request failed because
    a filesystem failed to make forward progress.
    Arguments:
    Arg1: c0604000, lock type that was held (value 1,2,3, or PTE address)
    Arg2: c000000e, error status (normally i/o status code)
    Arg3: b1b34880, current process (virtual address for lock type 3, or PTE)
    Arg4: c0800000, virtual address that could not be in-paged (or PTE contents if arg1 is a PTE address)
    
    Debugging Details:
    ------------------
    
    
    DUMP_CLASS: 1
    
    DUMP_QUALIFIER: 400
    
    BUILD_VERSION_STRING:  7601.23418.x86fre.win7sp1_ldr.160408-2045
    
    SYSTEM_MANUFACTURER:  FUJITSU SIEMENS
    
    SYSTEM_PRODUCT_NAME:  ESPRIMO EDITION P2530         
    
    SYSTEM_VERSION:          
    
    BIOS_VENDOR:  FUJITSU SIEMENS // Phoenix Technologies Ltd.
    
    BIOS_VERSION:  6.00 R1.02.2740.A2              
    
    BIOS_DATE:  05/09/2008
    
    BASEBOARD_MANUFACTURER:  FUJITSU SIEMENS
    
    BASEBOARD_PRODUCT:  D2740-A2
    
    BASEBOARD_VERSION:  S26361-D2740-A2
    
    DUMP_TYPE:  2
    
    BUGCHECK_P1: ffffffffc0604000
    
    BUGCHECK_P2: ffffffffc000000e
    
    BUGCHECK_P3: ffffffffb1b34880
    
    BUGCHECK_P4: ffffffffc0800000
    
    ERROR_CODE: (NTSTATUS) 0xc000000e - A device which does not exist was specified.
    
    DISK_HARDWARE_ERROR: There was error with disk hardware
    
    BUGCHECK_STR:  0x7a_c000000e
    
    CPU_COUNT: 2
    
    CPU_MHZ: 897
    
    CPU_VENDOR:  GenuineIntel
    
    CPU_FAMILY: 6
    
    CPU_MODEL: f
    
    CPU_STEPPING: d
    
    CPU_MICROCODE: 6,f,d,0 (F,M,S,R)  SIG: A4'00000000 (cache) A3'00000000 (init)
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    PROCESS_NAME:  smss.exe
    
    CURRENT_IRQL:  0
    
    ANALYSIS_SESSION_HOST:  DESKTOP-35KC5VJ
    
    ANALYSIS_SESSION_TIME:  08-28-2016 22:09:09.0813
    
    ANALYSIS_VERSION: 10.0.10586.567 amd64fre
    
    TRAP_FRAME:  8c99edc8 -- (.trap 0xffffffff8c99edc8)
    ErrCode = 00000000
    eax=c0800000 ebx=00007ffa ecx=00000002 edx=00007ffd esi=00000003 edi=c0800000
    eip=82ab4c23 esp=8c99ee3c ebp=8c99ee64 iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!RtlFindClearBits+0x80:
    82ab4c23 0b30            or      esi,dword ptr [eax]  ds:0023:c0800000=77324011
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from 82ac0572 to 82afbc24
    
    STACK_TEXT:  
    8c99ec64 82ac0572 0000007a c0604000 c000000e nt!KeBugCheckEx+0x1e
    8c99ecd4 82ac3e9c 8c99ecf8 86142f18 8c99ed18 nt!MiWaitForInPageComplete+0x302
    8c99ed34 82aad424 86142f18 c0800000 87250e70 nt!MiIssueHardFault+0x3b3
    8c99edb0 82a5cfa8 00000000 c0800000 00000000 nt!MmAccessFault+0x2bcc
    8c99edb0 82ab4c23 00000000 c0800000 00000000 nt!KiTrap0E+0xdc
    8c99ee64 82c79e86 8c99ee88 00000004 00000002 nt!RtlFindClearBits+0x80
    8c99ee9c 82c5c32a 0000000f ffffffff 8c99f1c4 nt!MiScanUserAddressSpace+0x9e
    8c99f0fc 82a59dc6 ffffffff 00000029 8c99f1ac nt!NtSetInformationProcess+0x1cef
    8c99f0fc 82a58d09 ffffffff 00000029 8c99f1ac nt!KiSystemServicePostCall
    8c99f184 82c9249a ffffffff 00000029 8c99f1ac nt!ZwSetInformationProcess+0x11
    8c99f214 82c6e6a7 00000000 00000000 00000000 nt!RtlCreateUserStack+0x161
    8c99f2c4 82c6eb56 86142d28 85dc724c 00000000 nt!PspAllocateThread+0x2c2
    8c99f48c 82c927c8 8c99fb3c 001fffff 8c99fb14 nt!PspCreateThread+0x1b7
    8c99f8c0 91807636 8c99fb3c 001fffff 8c99fb14 nt!NtCreateThreadEx+0x20b
    WARNING: Stack unwind information not available. Following frames may be wrong.
    8c99f904 9180820a 0000000b 8c99fa00 82c925bd tmevtmgr+0x7636
    8c99f9e0 91804bd6 00000000 8c99fa2c 91804f61 tmevtmgr+0x820a
    8c99f9ec 91804f61 8703db5c 8c99fa00 8c99fb08 tmevtmgr+0x4bd6
    8c99fa2c 82a59dc6 8703db5c 8c99fb3c 001fffff tmevtmgr+0x4f61
    8c99fa2c 82a579e5 8703db5c 8c99fb3c 001fffff nt!KiSystemServicePostCall
    8c99fad4 82ca2865 8c99fb3c 001fffff 8c99fb14 nt!ZwCreateThreadEx+0x11
    8c99fb6c 82bffc81 00000001 00000000 00000000 nt!RtlpCreateUserThreadEx+0xa4
    8c99fb9c 82c073f1 80001b20 a767c3ba 00000000 nt!EtwpInjectThread+0x47
    8c99fbec 82c0763f 86142d28 b513e6e0 86142340 nt!EtwpQueueNotification+0x1d4
    8c99fc2c 82b40133 00000000 82b5f200 85087e88 nt!EtwpSendDataBlock+0x16b
    8c99fc30 00000000 82b5f200 85087e88 00000000 nt!ExFreePoolWithTag+0x678
    
    
    STACK_COMMAND:  kb
    
    THREAD_SHA1_HASH_MOD_FUNC:  10795c98be22ee385e6e51a1f59863eb15f5958c
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  9f65acc85e81bd240c4b78cb3e3d5d75947ae071
    
    THREAD_SHA1_HASH_MOD:  2e2c839fd8e5f94f3324d56477b711cca34d8910
    
    FOLLOWUP_IP: 
    tmevtmgr+7636
    91807636 ??              ???
    
    SYMBOL_STACK_INDEX:  e
    
    SYMBOL_NAME:  tmevtmgr+7636
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: tmevtmgr
    
    IMAGE_NAME:  tmevtmgr.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  57060c90
    
    FAILURE_BUCKET_ID:  0x7a_c000000e_tmevtmgr+7636
    
    BUCKET_ID:  0x7a_c000000e_tmevtmgr+7636
    
    PRIMARY_PROBLEM_CLASS:  0x7a_c000000e_tmevtmgr+7636
    
    TARGET_TIME:  2016-08-10T16:34:09.000Z
    
    OSBUILD:  7601
    
    OSSERVICEPACK:  1000
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    SUITE_MASK:  272
    
    PRODUCT_TYPE:  1
    
    OSPLATFORM_TYPE:  x86
    
    OSNAME:  Windows 7
    
    OSEDITION:  Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
    
    OS_LOCALE:  
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  2016-04-09 01:39:26
    
    BUILDDATESTAMP_STR:  160408-2045
    
    BUILDLAB_STR:  win7sp1_ldr
    
    BUILDOSVER_STR:  6.1.7601.23418.x86fre.win7sp1_ldr.160408-2045
    
    ANALYSIS_SESSION_ELAPSED_TIME: 55b
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:0x7a_c000000e_tmevtmgr+7636
    
    FAILURE_ID_HASH:  {e59339ff-9683-a29d-c294-91a18b9d58a1}
    
    Followup:     MachineOwner
    ---------
    
    1: kd> !THREAD
    GetPointerFromAddress: unable to read from 82b89854
    THREAD 850444f0  Cid 0004.0094  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
    Not impersonating
    GetUlongFromAddress: unable to read from 82b48524
    Owning Process            84f42ab0       Image:         <Unknown>
    Attached Process          86142d28       Image:         smss.exe
    ffdf0000: Unable to get shared data
    Wait Start TickCount      1813596      
    Context Switch Count      14260          IdealProcessor: 0             
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address nt!EtwpLogger (0x82c48623)
    Stack Init 8c99ffd0 Current 8c99f180 Base 8c9a0000 Limit 8c99d000 Call 0
    Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
    ChildEBP RetAddr  Args to Child              
    8c99ec64 82ac0572 0000007a c0604000 c000000e nt!KeBugCheckEx+0x1e
    8c99ecd4 82ac3e9c 8c99ecf8 86142f18 8c99ed18 nt!MiWaitForInPageComplete+0x302
    8c99ed34 82aad424 86142f18 c0800000 87250e70 nt!MiIssueHardFault+0x3b3
    8c99edb0 82a5cfa8 00000000 c0800000 00000000 nt!MmAccessFault+0x2bcc
    8c99edb0 82ab4c23 00000000 c0800000 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ 8c99edc8)
    8c99ee64 82c79e86 8c99ee88 00000004 00000002 nt!RtlFindClearBits+0x80
    8c99ee9c 82c5c32a 0000000f ffffffff 8c99f1c4 nt!MiScanUserAddressSpace+0x9e
    8c99f0fc 82a59dc6 ffffffff 00000029 8c99f1ac nt!NtSetInformationProcess+0x1cef
    8c99f0fc 82a58d09 ffffffff 00000029 8c99f1ac nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 8c99f114)
    8c99f184 82c9249a ffffffff 00000029 8c99f1ac nt!ZwSetInformationProcess+0x11 (FPO: [4,0,0])
    8c99f214 82c6e6a7 00000000 00000000 00000000 nt!RtlCreateUserStack+0x161
    8c99f2c4 82c6eb56 86142d28 85dc724c 00000000 nt!PspAllocateThread+0x2c2
    8c99f48c 82c927c8 8c99fb3c 001fffff 8c99fb14 nt!PspCreateThread+0x1b7
    8c99f8c0 91807636 8c99fb3c 001fffff 8c99fb14 nt!NtCreateThreadEx+0x20b
    WARNING: Stack unwind information not available. Following frames may be wrong.
    8c99f904 9180820a 0000000b 8c99fa00 82c925bd tmevtmgr+0x7636
    8c99f9e0 91804bd6 00000000 8c99fa2c 91804f61 tmevtmgr+0x820a
    8c99f9ec 91804f61 8703db5c 8c99fa00 8c99fb08 tmevtmgr+0x4bd6
    8c99fa2c 82a59dc6 8703db5c 8c99fb3c 001fffff tmevtmgr+0x4f61
    8c99fa2c 82a579e5 8703db5c 8c99fb3c 001fffff nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 8c99fa64)
    8c99fad4 82ca2865 8c99fb3c 001fffff 8c99fb14 nt!ZwCreateThreadEx+0x11 (FPO: [11,0,0])
    8c99fb6c 82bffc81 00000001 00000000 00000000 nt!RtlpCreateUserThreadEx+0xa4
    8c99fb9c 82c073f1 80001b20 a767c3ba 00000000 nt!EtwpInjectThread+0x47
    8c99fbec 82c0763f 86142d28 b513e6e0 86142340 nt!EtwpQueueNotification+0x1d4
    8c99fc2c 82b40133 00000000 82b5f200 85087e88 nt!EtwpSendDataBlock+0x16b
    8c99fc30 00000000 82b5f200 85087e88 00000000 nt!ExFreePoolWithTag+0x678
    
    

    Monday, August 29, 2016 2:15 AM
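
The two analyses above can be compared mechanically. This is an added example, not part of any poster's reply: it parses WinDbg text, classifies Arg2 with the status list quoted in the `!analyze -v` output, lists non-kernel modules on the stack, and checks that Arg1 is the PTE address of Arg4. It assumes the 32-bit PAE layout (ntkrnlpa.exe, 8-byte PTEs based at 0xC0000000); the names `triage`, `pae_pte_address` and `KERNEL_MODULES` are illustrative, and the sample text is excerpted from the two dumps in this thread.

```python
import re

# NTSTATUS values as grouped by the !analyze -v text quoted in this thread.
DISK_SUBSYSTEM = {0xC000000E, 0xC000009C, 0xC000009D, 0xC0000185}
FS_NO_PROGRESS = {0xC000009A}
KERNEL_MODULES = {"nt", "hal"}  # assumption: any other module is third party

BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
FRAME_RE = re.compile(
    r"^\s*(?:[0-9a-f]{8}\s+){5}"             # ChildEBP, RetAddr, three args
    r"([A-Za-z_][\w.]*)"                     # module name (skips bare 0x... frames)
    r"(?:!([\w:]+))?(?:\+0x([0-9a-f]+))?",   # optional symbol and offset
    re.M,
)


def pae_pte_address(va):
    """PTE address of `va` on 32-bit PAE Windows: 8-byte PTEs based at 0xC0000000."""
    return 0xC0000000 + (va >> 12) * 8


def classify_status(status):
    if status in DISK_SUBSYSTEM:
        return "disk subsystem failure"
    if status in FS_NO_PROGRESS:
        return "filesystem failed to make forward progress"
    return "unclassified I/O status"


def triage(windbg_text):
    """Summarise one bug check 0x7A from WinDbg text output."""
    m = BUGCHECK_RE.search(windbg_text)
    if m is None:
        raise ValueError("no 'BugCheck' line found")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    if code != 0x7A or len(args) != 4:
        raise ValueError("not a KERNEL_DATA_INPAGE_ERROR bug check")
    arg1, status, _arg3, arg4 = args

    # Arg1 is either a lock type (1, 2, 3) or a PTE address.
    if arg1 in (1, 2, 3):
        arg1_kind, pte_match = "lock type %d" % arg1, None
    else:
        arg1_kind, pte_match = "PTE address", pae_pte_address(arg4) == arg1

    # Non-kernel modules on the stack, in stack order, without repeats.
    third_party = []
    for module, _symbol, _offset in FRAME_RE.findall(windbg_text):
        if module.lower() not in KERNEL_MODULES and module not in third_party:
            third_party.append(module)

    return {
        "status": "0x%08x" % status,
        "status_class": classify_status(status),
        "arg1_kind": arg1_kind,
        "arg1_is_pte_of_arg4": pte_match,
        "third_party_modules": third_party,
    }


# Excerpts from the two dumps analysed in this thread (lines trimmed, not altered).
DUMP_AUG22 = """\
BugCheck 7A, {c05d6ad0, c000009d, 3e08a8c0, bad5a77e}
STACK_TEXT:
8bbd295c 82ab4572 0000007a c05d6ad0 c000009d nt!KeBugCheckEx+0x1e
8bbd29cc 82ab7e9c 8bbd2a20 82b7e280 8bbd2a40 nt!MiWaitForInPageComplete+0x302
8bbd2a5c 82aa1254 82b7e280 bad5a77e 874914c8 nt!MiIssueHardFault+0x3b3
0670f990 00000000 00000000 00000000 00000000 0x5d2e37f0
"""

DUMP_AUG10 = """\
BugCheck 7A, {c0604000, c000000e, b1b34880, c0800000}<== same error
STACK_TEXT:
8c99ec64 82ac0572 0000007a c0604000 c000000e nt!KeBugCheckEx+0x1e
8c99f8c0 91807636 8c99fb3c 001fffff 8c99fb14 nt!NtCreateThreadEx+0x20b
WARNING: Stack unwind information not available. Following frames may be wrong.
8c99f904 9180820a 0000000b 8c99fa00 82c925bd tmevtmgr+0x7636
8c99f9e0 91804bd6 00000000 8c99fa2c 91804f61 tmevtmgr+0x820a
8c99fa2c 82a59dc6 8703db5c 8c99fb3c 001fffff nt!KiSystemServicePostCall
"""

if __name__ == "__main__":
    for name, text in (("Aug 22", DUMP_AUG22), ("Aug 10", DUMP_AUG10)):
        print(name, triage(text))
```

On both dumps Arg2 falls in the disk-subsystem list and Arg1 is the PTE address of the address in Arg4; only the August 10 stack contains a non-kernel module (tmevtmgr).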
  • We have to be using Trend Micro within the business, we can't use MSE.
    Tuesday, September 6, 2016 8:57 AM
  • Did you run the HD maker's HD utility?

    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Tuesday, September 6, 2016 1:05 PM
  • Hi ZigZag3143x,

    I haven't as it says,

    The Manufacturer is (Standard Disk Drives)

    Model ST3250310AS ATA Device

    Where would I go for the disk check utility?


    Monday, September 19, 2016 10:11 AM
  • That is a Seagate drive and that is where you need to go.

    Wanikiya and Dyami--Team Zigzag Windows IT-PRO (MS-MVP)

    Monday, September 19, 2016 11:00 AM
  • Hi ZigZag3143,

    I ran the SeaTools utility from Seagate and did a long fix scan.

    The utility came back with 'pass'. Any more suggestions? Maybe I didn't run the right test?

    Cheers,

    James

    Tuesday, September 27, 2016 8:05 AM
  • Just curious. Do you still have MBAM installed? What version.. free or paid? Either way, if you did, or do have MBAM installed, please make sure all of its files are completely removed, because it might be conflicting with TrendMicro. 

    Unloaded modules:
    b080b000 b081b000   usbaapl.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00010000
    b09e7000 b09f7000   usbaapl.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00010000
    b09e7000 b09f7000   usbaapl.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00010000
    b097d000 b09e7000   spsys.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0006A000
    8ff7d000 8ffcd000   tmcomm.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00050000
    919eb000 919fd000   tmevtmgr.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00012000
    9fc04000 9fc24000   tmactmon.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00020000
    9182d000 919b4000   VSApiNt.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00187000
    8b8a3000 8b8b0000   TmPreFlt.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0000D000
    8b8b0000 8b919000   TmXPFlt.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00069000
    8a41f000 8a431000   TMUMH.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00012000

    b0986000 b09b3000   MBAMSwissArm
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0002D000
    b0959000 b0986000   MBAMSwissArm
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0002D000
    b092c000 b0959000   MBAMSwissArm
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0002D000
    b0880000 b08ea000   spsys.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  0006A000
    8b89a000 8b8a3000   mbam.sys
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00009000
    b090b000 b092c000   MBAMSwissArm
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00021000
    b08ea000 b090b000   MBAMSwissArm
        Timestamp: unavailable (00000000)
        Checksum:  00000000
        ImageSize:  00021000

    To do that, run the tool linked below.

    How do I uninstall Malwarebytes Anti-Malware?

    https://support.malwarebytes.com/customer/portal/articles/1835311-how-do-i-uninstall-malwarebytes-anti-malware-?b_id=6438

    After confirming that all MBAM Files have been removed, and you still want to run MBAM either as a second opinion, backup scanner or as a secondary Antivirus product with real-time protection, you need to download and install a fresh copy of MBAM and set exclusions to avoid any conflicts that may arise, but if only for scanning, be sure to decline the "free trial" of the premium version.

    How to run Malwarebytes alongside another Antivirus.

    http://www.howtogeek.com/230158/how-to-run-malwarebytes-alongside-another-antivirus/

    Wednesday, September 28, 2016 1:17 AM