locked
Not enough resources (memory) Computer crashes RRS feed

  • Question

  • Hi,

    for the past week or so we have had this problems whith some machines in our network (around 7 of 160):

    The machine all in a sudden start showing not enough resources to process messages and after that it stop
    responding and at the end it shows a blue screen with a memory dump and restart itself.

    They all have Windows 7 with all the updates, with an antivirus install (it does not detect any viruses, Kaspersky).

    all the machines that present this problem we have restore an image of the machine and they work for a while
    but the same problem appears after a day or so

    Whe check the event viewer and got the following errors:
    Tuesday, March 3, 2015 4:19 PM

Answers

  • Well it's unanimous that the offending party, is the KASPERSKY module, klif.sys. Iwould suggest that you uninstall it and try something else. Since this is an enterprise environment, I assume, I won't be making any recommendations on what you should install in its place... that will be entirely up to you.

    WARNING: Whitespace at end of path element
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols 
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
    Machine Name:
    Kernel base = 0x82c4e000 PsLoadedModuleList = 0x82d98850
    Debug session time: Tue Mar  3 11:56:51.981 2015 (UTC - 5:00)
    System Uptime: 0 days 16:03:12.320
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ....................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 7ffd800c).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    ......
    2: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 83f8b965, The address that the exception occurred at
    Arg3: be64b700, Trap Frame
    Arg4: 00000000
    
    Debugging Details:
    ------------------
    
    *** ERROR: Module load completed but symbols could not be loaded for klif.sys
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    klif+31965
    83f8b965 ff7608          push    dword ptr [esi+8]
    
    TRAP_FRAME:  be64b700 -- (.trap 0xffffffffbe64b700)
    ErrCode = 00000000
    eax=be64b788 ebx=00000000 ecx=88377578 edx=00000000 esi=00000000 edi=07744ff0
    eip=83f8b965 esp=be64b774 ebp=be64b794 iopl=0         nv up ei ng nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
    klif+0x31965:
    83f8b965 ff7608          push    dword ptr [esi+8]    ds:0023:00000008=????????
    Resetting default scope
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    BUGCHECK_STR:  0x8E
    
    PROCESS_NAME:  avp.exe
    
    CURRENT_IRQL:  0
    
    LAST_CONTROL_TRANSFER:  from 82d0308c to 82d2cf20
    
    STACK_TEXT:  
    be64b274 82d0308c 0000008e c0000005 83f8b965 nt!KeBugCheckEx+0x1e
    be64b690 82c8cdd6 be64b6ac 00000000 be64b700 nt!KiDispatchException+0x1ac
    be64b6f8 82c8cd8a be64b794 83f8b965 badb0d00 nt!CommonDispatchException+0x4a
    be64b70c 82d6f8c0 00000000 00000000 00000000 nt!Kei386EoiHelper+0x192
    be64b794 83f8c153 b16d9390 88377578 be64b7c0 nt!ExAllocatePoolWithTag+0x8b5
    WARNING: Stack unwind information not available. Following frames may be wrong.
    be64b7f4 83fcd045 883774d8 07744fe0 0bf2e76c klif+0x32153
    be64b980 83f1cad1 83fcb0ba 83f1cad1 883774d8 klif+0x73045
    be64b9d4 83f32641 87202328 07744fe0 000000c9 fltmgr!FltpFilterMessage+0x9d
    be64ba08 83f32a69 882b0000 00000000 07744fe0 fltmgr!FltpMsgDeviceControl+0xa9
    be64ba4c 83f1b339 86bba9f8 87887e38 882b0038 fltmgr!FltpMsgDispatch+0x91
    be64ba78 82c85593 86bba9f8 87887e38 87887e38 fltmgr!FltpDispatch+0x33
    be64ba90 82e7999f 882b0038 87887e38 87887ea8 nt!IofCallDriver+0x63
    be64bab0 82e7cb71 86bba9f8 882b0038 00000000 nt!IopSynchronousServiceTail+0x1f8
    be64bb4c 82ec33f4 86bba9f8 87887e38 00000000 nt!IopXxxControlFile+0x6aa
    be64bb80 83f6ea00 00002330 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    be64bc04 82c8c1ea 00002330 00000000 00000000 klif+0x14a00
    be64bc04 775070b4 00002330 00000000 00000000 nt!KiFastCallEntry+0x12a
    0bf2e714 00000000 00000000 00000000 00000000 0x775070b4
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    klif+31965
    83f8b965 ff7608          push    dword ptr [esi+8]
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  klif+31965
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: klif
    
    IMAGE_NAME:  klif.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  527a56de
    
    FAILURE_BUCKET_ID:  0x8E_klif+31965
    
    BUCKET_ID:  0x8E_klif+31965
    
    Followup: MachineOwner
    ---------
    
    

    • Proposed as answer by Deason Wu Monday, March 9, 2015 3:27 AM
    • Marked as answer by ACuellar23 Thursday, March 12, 2015 6:57 PM
    Tuesday, March 3, 2015 9:15 PM

All replies

  • To be able to troubleshoot what might be causing your system to crash, we need the dump files.

    Please refer to the link below for steps to retrieve, zip and upload them to the file sharing site like onedrive, google's "dropbox, etc.


    Blue Screen of Death Co-Authored by ZigZag3143& JMH3143

    http://answers.microsoft.com/en-us/windows/wiki/windows_other-system/blue-screen-of-death-bsod/1939df35-283f-4830-a4dd-e95ee5d8669d


    Tuesday, March 3, 2015 4:56 PM
  • Hi,

    Thanks for your prompt respond to our problem i am sending you the link to the files yo need

    dl.dropboxusercontent.com/u/102914261/LOGS%20FIAAMELARA.zip

    Thanks again for your help.

    Tuesday, March 3, 2015 8:26 PM
  • 1. Are affected computers of the same brand and configuration?

    2. Chances are that there are optional updates (drivers) installed. Try to return to previous restore point. Compare updates in "good and bad computers".

    3. For analysis start with minidump that are smaller and may give enough initial information. Nirsoft BSOD viewer is the first tool to have some insight into problem.

    HTH

    Milos

    Tuesday, March 3, 2015 8:42 PM
  • computers are not the same brand and configuration

    we already try to return to a existing restore point and did not work.

    Thanks,

    Oscar

    Tuesday, March 3, 2015 9:08 PM
  • Well it's unanimous that the offending party, is the KASPERSKY module, klif.sys. Iwould suggest that you uninstall it and try something else. Since this is an enterprise environment, I assume, I won't be making any recommendations on what you should install in its place... that will be entirely up to you.

    WARNING: Whitespace at end of path element
    Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols 
    Executable search path is: 
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
    Machine Name:
    Kernel base = 0x82c4e000 PsLoadedModuleList = 0x82d98850
    Debug session time: Tue Mar  3 11:56:51.981 2015 (UTC - 5:00)
    System Uptime: 0 days 16:03:12.320
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ....................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 7ffd800c).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    ......
    2: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: 83f8b965, The address that the exception occurred at
    Arg3: be64b700, Trap Frame
    Arg4: 00000000
    
    Debugging Details:
    ------------------
    
    *** ERROR: Module load completed but symbols could not be loaded for klif.sys
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    klif+31965
    83f8b965 ff7608          push    dword ptr [esi+8]
    
    TRAP_FRAME:  be64b700 -- (.trap 0xffffffffbe64b700)
    ErrCode = 00000000
    eax=be64b788 ebx=00000000 ecx=88377578 edx=00000000 esi=00000000 edi=07744ff0
    eip=83f8b965 esp=be64b774 ebp=be64b794 iopl=0         nv up ei ng nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
    klif+0x31965:
    83f8b965 ff7608          push    dword ptr [esi+8]    ds:0023:00000008=????????
    Resetting default scope
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    BUGCHECK_STR:  0x8E
    
    PROCESS_NAME:  avp.exe
    
    CURRENT_IRQL:  0
    
    LAST_CONTROL_TRANSFER:  from 82d0308c to 82d2cf20
    
    STACK_TEXT:  
    be64b274 82d0308c 0000008e c0000005 83f8b965 nt!KeBugCheckEx+0x1e
    be64b690 82c8cdd6 be64b6ac 00000000 be64b700 nt!KiDispatchException+0x1ac
    be64b6f8 82c8cd8a be64b794 83f8b965 badb0d00 nt!CommonDispatchException+0x4a
    be64b70c 82d6f8c0 00000000 00000000 00000000 nt!Kei386EoiHelper+0x192
    be64b794 83f8c153 b16d9390 88377578 be64b7c0 nt!ExAllocatePoolWithTag+0x8b5
    WARNING: Stack unwind information not available. Following frames may be wrong.
    be64b7f4 83fcd045 883774d8 07744fe0 0bf2e76c klif+0x32153
    be64b980 83f1cad1 83fcb0ba 83f1cad1 883774d8 klif+0x73045
    be64b9d4 83f32641 87202328 07744fe0 000000c9 fltmgr!FltpFilterMessage+0x9d
    be64ba08 83f32a69 882b0000 00000000 07744fe0 fltmgr!FltpMsgDeviceControl+0xa9
    be64ba4c 83f1b339 86bba9f8 87887e38 882b0038 fltmgr!FltpMsgDispatch+0x91
    be64ba78 82c85593 86bba9f8 87887e38 87887e38 fltmgr!FltpDispatch+0x33
    be64ba90 82e7999f 882b0038 87887e38 87887ea8 nt!IofCallDriver+0x63
    be64bab0 82e7cb71 86bba9f8 882b0038 00000000 nt!IopSynchronousServiceTail+0x1f8
    be64bb4c 82ec33f4 86bba9f8 87887e38 00000000 nt!IopXxxControlFile+0x6aa
    be64bb80 83f6ea00 00002330 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    be64bc04 82c8c1ea 00002330 00000000 00000000 klif+0x14a00
    be64bc04 775070b4 00002330 00000000 00000000 nt!KiFastCallEntry+0x12a
    0bf2e714 00000000 00000000 00000000 00000000 0x775070b4
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    klif+31965
    83f8b965 ff7608          push    dword ptr [esi+8]
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  klif+31965
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: klif
    
    IMAGE_NAME:  klif.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  527a56de
    
    FAILURE_BUCKET_ID:  0x8E_klif+31965
    
    BUCKET_ID:  0x8E_klif+31965
    
    Followup: MachineOwner
    ---------
    
    

    • Proposed as answer by Deason Wu Monday, March 9, 2015 3:27 AM
    • Marked as answer by ACuellar23 Thursday, March 12, 2015 6:57 PM
    Tuesday, March 3, 2015 9:15 PM
  • Thanks for your information it has been really helpful, we will look into it as soon as possible, thanks again.
    Tuesday, March 3, 2015 9:32 PM
  • You are welcome!
    Tuesday, March 3, 2015 9:45 PM
  • Hi ACuellar,

    We hope your issue has been resolved by XP ROCK's suggestion, if you've found any suggestion is useful. we would appreciate it if you could mark it as answer.

    If you've found solution by yourself, you also could share with us and mark it so everyone could see it.

    Thanks for your cooperation.

    Regards,

    D. Wu

    Thursday, March 12, 2015 6:52 AM