Answered by:
BSOD on Windows 7 Enterprise computers

Question
-
Hi all,
I need help with BSOD appearing on several new computers with Windows 7 Enterprise, installed from a same image. Here's a partial output from a Memory.dmp file from one of the PCs (I can provide dump files from other PCs, but they all give almost identical information).
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000000000f0, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80002cdc045, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 00000000000000f0
CURRENT_IRQL: 2
FAULTING_IP:
nt!KeWaitForMultipleObjects+1cd
fffff800`02cdc045 f00fba2e07 lock bts dword ptr [rsi],7
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
TRAP_FRAME: fffff88006edc750 -- (.trap 0xfffff88006edc750)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80002cdc045 rsp=fffff88006edc8e0 rbp=fffffa8006b0b180
r8=0000000000000000 r9=fffff88002f65180 r10=0000000000000002
r11=000000000002a66f r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe nc
nt!KeWaitForMultipleObjects+0x1cd:
fffff800`02cdc045 f00fba2e07 lock bts dword ptr [rsi],7 ds:00000000`00000000=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002cd9169 to fffff80002cd9bc0
STACK_TEXT:
fffff880`06edc608 fffff800`02cd9169 : 00000000`0000000a 00000000`000000f0 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`06edc610 fffff800`02cd7de0 : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`06b0b168 : nt!KiBugCheckDispatch+0x69
fffff880`06edc750 fffff800`02cdc045 : fffff880`06edc9f0 fffff880`0188da35 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260
fffff880`06edc8e0 fffff880`0188f6cd : fffffa80`00000002 fffffa80`07660f40 fffffa80`00000001 fffff880`00000000 : nt!KeWaitForMultipleObjects+0x1cd
fffff880`06edcba0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : HDDfilter+0x36cd
STACK_COMMAND: kb
FOLLOWUP_IP:
HDDfilter+36cd
fffff880`0188f6cd 85c0 test eax,eax
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: HDDfilter+36cd
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: HDDfilter
IMAGE_NAME: HDDfilter.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 536552cc
FAILURE_BUCKET_ID: X64_0xA_HDDfilter+36cd
BUCKET_ID: X64_0xA_HDDfilter+36cd
Followup: MachineOwner
---------Please, let me know if I can give you additional information, which may help.
Wednesday, December 17, 2014 3:34 PM
Answers
-
DH
Michael was correct (of course) but the driver description is not certain as many manufacturers use HDDfilter. It may be Driver Description: Sonic Solutions HDD Filter Driver (used by many different CD/DVD programs). I would rename hddfilter.sys to hddfilter.BAK so it cannot load and see what complains. Once you find what the offending app is you can chose to remove it or update it to current
Wanikiya and Dyami--Team Zigzag
- Marked as answer by Cloud_TS Monday, December 29, 2014 8:33 AM
Thursday, December 18, 2014 12:23 PM
All replies
-
DH
We need the actual DMP files.
We do need the actual log files (called a DMP files) as they contain the only record of the sequence of events leading up to the crash, what drivers were loaded, and what was responsible.
Please follow our instructions for finding and uploading the files we need to help you fix your computer. They can be found hereIf you have any questions about the procedure please ask
If you are using Blue screen view, who crashed, or a similar application, don't. They are wrong at least as often as they are correctWanikiya and Dyami--Team Zigzag
Wednesday, December 17, 2014 4:53 PM -
Hi dhristov,
From the information that you attached, the BSOD here seems to be related with the hard drive(Disk Protect Driver: HDDfilter.sys, seems to be the cause).
Please take a check to see if any drivers need to be updated, specially for the BIOS. Or you may check with the manufacurer side.
Here is the reference about the Bugcheck information: Bug Check 0xA: IRQL_NOT_LESS_OR_EQUAL
As Mr. Zigzag suggested, please upload the dump file here, we will check and see if more information could be found.
Best regards
Michael Shao
TechNet Community SupportThursday, December 18, 2014 3:01 AM -
Here are memory.dmp files from three computers. They've been installed from one image, they have an identical hardware.
https://www.dropbox.com/s/z78gaz6m57xwyg3/PC_A.zip?dl=0
https://www.dropbox.com/s/lh2ukg95sgrlscd/PC_B.zip?dl=0
https://www.dropbox.com/s/x6hj7ouve55d8z8/PC_C.zip?dl=0I used the WinDbg tool to view the dmp file.
Kind Regards,
DH
- Edited by dhristov Thursday, December 18, 2014 8:43 AM
Thursday, December 18, 2014 8:42 AM -
DH
Michael was correct (of course) but the driver description is not certain as many manufacturers use HDDfilter. It may be Driver Description: Sonic Solutions HDD Filter Driver (used by many different CD/DVD programs). I would rename hddfilter.sys to hddfilter.BAK so it cannot load and see what complains. Once you find what the offending app is you can chose to remove it or update it to current
Wanikiya and Dyami--Team Zigzag
- Marked as answer by Cloud_TS Monday, December 29, 2014 8:33 AM
Thursday, December 18, 2014 12:23 PM -
It turned out to be the Lenovo Active Protection System - version 1.0.0.17. The new version does fix this, so it's ok now.Wednesday, January 14, 2015 2:00 PM