Physical Memory Dump And Blue Screen In Windows 7 Cause?

  • Question

  • Every once in a while, maybe once a month, my computer crashes, resulting in a memory dump, a blue screen that I never have time to read fully, and an automatic reboot.

    I'm using Windows 7 Home Premium on a Gateway DX4831-01e with an Intel Core i3 530 @ 2.93GHz with 6GB of RAM and a Radeon HD5670 512MB video card.

    It has happened before a few times over the course of maybe six months, but this is the only dump I've saved. The crash happened with Steam running with no games turned on, Firefox running with a few tabs open, and Thunderbird running minimized to the system tray. Avast, Zone Alarm, and Realtek Audio Manager were also running in the background. If I recall correctly, this seems to be how it has happened in the past.

    I've included this link to a zip file with the dmp file from C:\Windows\Minidump on my public Skydrive folder.

    https://skydrive.live.com/redir.aspx?cid=88f38409f65c84be&resid=88F38409F65C84BE!113&parid=88F38409F65C84BE!111

    I would really appreciate some help from the experts.

    A very sincere thank you for any information or help that you can provide.

    Malt


    Friday, January 6, 2012 9:45 AM

Answers

  • On 1/8/2012 1:48 AM, Malt Whitman wrote:
    > Since it's at a 1:1 ratio right now, set it at custom size, initial
    > and maximum 12000MB?
     
    This should be correct for 2x the physical memory.
     
    > Was fltmgr.sys and/or blue screen with a lack of a memory dump
    > indicative of this kind of thing? Is the (obviously) ultimate goal of
    > running driver verifier a normal start-up of the machine, a start-up
    > with no BSOD?
    >
    >
     
    Typically a memory dump is not generated in 4 cases:
    1. The system page file is disabled or too small, or located on a drive
    other than the one that Windows is installed on
    2. Severe memory corruption occurs to the extent that the system is
    unable to call the functions that handle kernel mode memory errors (and
    trigger the blue screen)
    3. The drivers (in memory) that are required to write the memory dump
    are corrupted to the point where the memory dump cannot actually be written
    4. User error with configuration.
     
    Fltmgr is heavily involved in the Disk I/O process, so it is possible
    that an issue with something corrupting fltmgr.sys could cause the
    system to not create a crash dump. Let's give an offline verification a
    try and see if it reports any errors related to the filesystem or the
    protected system files,
     
     

    -- Mike Burr
    Technology
    • Marked as answer by Cloud_TS Friday, February 3, 2012 8:01 AM
    Monday, January 9, 2012 2:49 AM
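
Cases 1 and 4 in the list above are configuration problems that can be checked before the next crash. The read-only PowerShell check below is an added example, not part of the original reply; it assumes the Windows PowerShell that ships with Windows 7 (hence Get-WmiObject) and uses the thread's "at least 1x physical RAM" guidance as its page file threshold.

```powershell
# Added example (not from the thread): report the crash-dump settings behind
# cases 1 and 4. Read-only: it changes nothing on the system.
$cc       = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cs       = Get-WmiObject Win32_ComputerSystem
$ramMB    = [math]::Round($cs.TotalPhysicalMemory / 1MB)
$sysDrive = $env:SystemDrive              # drive Windows is installed on, e.g. C:

$dumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
$type      = [int]$cc.CrashDumpEnabled
$findings  = @()

if ($type -eq 0) { $findings += 'CrashDumpEnabled is 0: no dump will be written.' }

# Page files currently in use; AllocatedBaseSize is reported in MB
$pageFiles = @(Get-WmiObject Win32_PageFileUsage)
$onSystem  = @($pageFiles | Where-Object { $_.Name -like "$sysDrive\*" })
if ($pageFiles.Count -eq 0) {
    $findings += 'No page file is configured.'
} elseif ($onSystem.Count -eq 0) {
    $findings += "No page file on $sysDrive, the drive Windows is installed on."
} else {
    $allocMB = ($onSystem | Measure-Object -Property AllocatedBaseSize -Sum).Sum
    if ($allocMB -lt $ramMB) {
        $findings += "Page file on $sysDrive is $allocMB MB, below physical RAM ($ramMB MB)."
    }
}

# Where the dump files should appear after the next crash
$dumpFile = [Environment]::ExpandEnvironmentVariables([string]$cc.DumpFile)
$miniDir  = [Environment]::ExpandEnvironmentVariables([string]$cc.MinidumpDir)
if (-not (Test-Path (Split-Path $dumpFile -Parent))) {
    $findings += "Folder for DumpFile does not exist: $dumpFile"
}

"Dump type     : $($dumpTypes[$type]) (CrashDumpEnabled=$type)"
"Dump file     : $dumpFile"
"Minidump dir  : $miniDir"
"AutoReboot    : $($cc.AutoReboot)  (1 = restart right after the blue screen)"
"Physical RAM  : $ramMB MB"
"System-managed page file: $($cs.AutomaticManagedPagefile)"
$pageFiles | ForEach-Object { "Page file     : $($_.Name)  $($_.AllocatedBaseSize) MB" }
if ($findings.Count -eq 0) { 'No configuration problem found; cases 2 and 3 remain possible.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A clean result here does not rule out cases 2 and 3, which concern in-memory corruption and cannot be seen from configuration.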

All replies

  • *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    IRQL_GT_ZERO_AT_SYSTEM_SERVICE (4a)
    Returning to usermode from a system call at an IRQL > PASSIVE_LEVEL.
    Arguments:
    Arg1: 0000000073582e09, Address of system function (system call routine)
    Arg2: 0000000000000002, Current IRQL
    Arg3: 0000000000000000, 0
    Arg4: fffff880049d0ca0, 0
    Debugging Details:
    ------------------
    PROCESS_NAME:  vsmon.exe
    BUGCHECK_STR:  RAISED_IRQL_FAULT
    FAULTING_IP: 
    +3839343061303633
    00000000`73582e09 ??              ???
    CUSTOMER_CRASH_COUNT:  1
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    CURRENT_IRQL:  2
    LAST_CONTROL_TRANSFER:  from fffff80002ecb1e9 to fffff80002ecbc40
    STACK_TEXT:  
    fffff880`049d0a68 fffff800`02ecb1e9 : 00000000`0000004a 00000000`73582e09 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
    fffff880`049d0a70 fffff800`02ecb120 : fffff880`049d0ca0 fffffa80`0683fab0 fffff880`049d0bf8 00000000`00000000 : nt!KiBugCheckDispatch+0x69
    fffff880`049d0bb0 00000000`73582e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x245
    00000000`03d1ec38 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x73582e09
    STACK_COMMAND:  kb
    FOLLOWUP_IP: 
    nt!KiSystemServiceExit+245
    fffff800`02ecb120 4883ec50        sub     rsp,50h
    SYMBOL_STACK_INDEX:  2
    SYMBOL_NAME:  nt!KiSystemServiceExit+245
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: nt
    IMAGE_NAME:  ntkrnlmp.exe
    DEBUG_FLR_IMAGE_TIMESTAMP:  4e02aaa3
    FAILURE_BUCKET_ID:  X64_RAISED_IRQL_FAULT_vsmon.exe_nt!KiSystemServiceExit+245
    BUCKET_ID:  X64_RAISED_IRQL_FAULT_vsmon.exe_nt!KiSystemServiceExit+245
    Followup: MachineOwner
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The blue screen is caused by the Zone Alarm software; uninstall the software and it will solve the blue screen.
    Regards,
    



    MCP ✦ MCTS ✦ MCITP
    • Edited by Las D. Rashid Friday, January 6, 2012 1:44 PM
    • Marked as answer by Malt Whitman Friday, January 6, 2012 6:41 PM
    • Unmarked as answer by Malt Whitman Sunday, January 8, 2012 5:53 AM
    Friday, January 6, 2012 1:44 PM
  • Hi,
     
    For general blue screen troubleshooting
     
     
    For this specific error, it appears that a kernel mode component didn't
    lower the IRQL to passive level before returning to user mode, this is
    similar to IRQL_NOT_LESS_OR_EQUAL,
     
     
    Initial indications are that ZoneAlarm needs to be updated to the
    latest version, but you may need to enable a kernel memory dump (see
    first link above) and enable driver verifier so that we can troubleshoot
    definitively,
     
     
    2: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    IRQL_GT_ZERO_AT_SYSTEM_SERVICE (4a)
    Returning to usermode from a system call at an IRQL > PASSIVE_LEVEL.
    Arguments:
    Arg1: 0000000073582e09, Address of system function (system call routine)
    Arg2: 0000000000000002, Current IRQL
    Arg3: 0000000000000000, 0
    Arg4: fffff880049d0ca0, 0

    Debugging Details:
    ------------------

    PROCESS_NAME:  vsmon.exe

    BUGCHECK_STR:  RAISED_IRQL_FAULT

    FAULTING_IP:
    +3839343061303633
    00000000`73582e09 ??              ???

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    CURRENT_IRQL:  2

    LAST_CONTROL_TRANSFER:  from fffff80002ecb1e9 to fffff80002ecbc40

    STACK_TEXT:
    fffff880`049d0a68 fffff800`02ecb1e9 : 00000000`0000004a 00000000`73582e09 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
    fffff880`049d0a70 fffff800`02ecb120 : fffff880`049d0ca0 fffffa80`0683fab0 fffff880`049d0bf8 00000000`00000000 : nt!KiBugCheckDispatch+0x69
    fffff880`049d0bb0 00000000`73582e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x245
    00000000`03d1ec38 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x73582e09

    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nt!KiSystemServiceExit+245
    fffff800`02ecb120 4883ec50        sub     rsp,50h

    SYMBOL_STACK_INDEX:  2

    SYMBOL_NAME:  nt!KiSystemServiceExit+245

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME:  ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  4e02aaa3

    FAILURE_BUCKET_ID:  X64_RAISED_IRQL_FAULT_vsmon.exe_nt!KiSystemServiceExit+245

    BUCKET_ID:  X64_RAISED_IRQL_FAULT_vsmon.exe_nt!KiSystemServiceExit+245

    Followup: MachineOwner
    ---------
     
     

    -- Mike Burr
    Technology
    • Marked as answer by Malt Whitman Friday, January 6, 2012 6:41 PM
    • Unmarked as answer by Malt Whitman Sunday, January 8, 2012 5:53 AM
    Friday, January 6, 2012 3:51 PM
  • Thank you, Las, and thank you, Mike! I really appreciate your help and your time.

    I will definitely enable a kernel memory dump and enable driver verifier when I have time in the very near future and upload the results for you to examine.

    Additionally, I will uninstall ZoneAlarm and look for an alternative because I recall not liking the changes implemented in the 10.0 branch when I updated it to that version some time ago.

    Very sincerely,

    Malt

    Friday, January 6, 2012 6:37 PM
  • I updated Zone Alarm and, as Mike Burr suggested, decided to try driver verifier.

    My debugging information was set to perform a kernel memory dump. I enabled driver verifier and restarted my system as instructed.

    The result both times after logging in was a blue screen of death (BSOD) and the following information:

    STOP: 0x000000C4 (0x00000000000000F6, 0x0000000000000168, 0xFFFFFA80091D0F0, 0xFFFFF8800128B4DE)

    fltmgr.sys - address FFFFF880128B4DE base at FFFFF8800126700, DateStamp 4CE7929C

    However, there was no MEMORY.DMP left in the Windows folder, no dump file left in the Minidump folder, and a search of the hard drive revealed no MEMORY.DMP file left anywhere else on the drive. What does this mean, please, and where do I go from here?

    Again, a very sincere thank you for any information or help that you can provide.

    Malt


    Sunday, January 8, 2012 6:02 AM
  • What likely occurred was that your page file size is too small. Can you
    try increasing it to 1-2 times the physical RAM on your PC?
     

    -- Mike Burr
    Technology
    Sunday, January 8, 2012 7:18 AM
  • I really appreciate your help, Mike.

    My computer has 6GB of physical RAM and Windows is automatically managing my page file, with a system managed sized minimum allowed at 16MB, recommended at 9106MB, and currently allocated at 6071MB. It's on the same drive as the operating system (64-bit Home Premium). I regularly defragment it with PerfectDisk.

    Can I assume the ultimate goal of running driver verifier is a normal start-up of the machine, a start-up with no BSOD?

    Thank you for your time and expertise.

    Sincerely,

    Malt

    UPDATE: I set the page file to 12000MB and ran driver verifier again. Results of BSOD with STOP: 0x000000C4 and fltmgr.sys reported remain the same.
    Sunday, January 8, 2012 8:48 AM