Page 1 of 2 12 Last
  1. #1

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Have been fighting a recurring BSOD issue for the past couple of weeks. All appear to point to ntoskrnl.exe and hall.dll, but the BSOD messages vary. Some system files report inaccurate dates (including hal.dll), but actual file size and date match other systems. Previously, sfc/scannow and DISM failed to fix problems. Yesterday system became more unstable, tried a repair install from fresh Windows 10 DVD, appeared to install, but security warning at final boot and then system rolled back. Ran Kaspersky malware scan, system comes up clean. SFCFix will not run.

    OS - Windows 10, 8.1, 8, 7, Vista ? - Windows 10
    x86 (32-bit) or x64 ? x64
    What was original installed OS on system? Windows 8.1
    Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)? Windows 10 upgraded from retail version of 8.1
    Age of system (hardware) System is approximately six years old. Samsung SSD 840, 1 TB installed new with Windows 8.1
    Age of OS installation - have you re-installed the OS? OS will not reinstall. Enter setup from a flash drive, mounted image, or DVD and Windows 10 appears to complete a repair install, but after final boot, it rolls back to prior installation. Yesterday system became unbootable, completely. After several hours working with Bootrec, I was able to get the system running. Previously had tried repairs using DISM and SFC/Scannow which reported corrupt files, but could not repair. SFCFix will not run.

    CPU - AMD A6-3650
    Video Card ASUS R9 290 DirectCU II OC 4GB
    MotherBoard - (if NOT a laptop) GIGABYTE GA-A75M-UD2H
    Power Supply - brand & wattage (if laptop, skip this one) Corsair CX750

    System Manufacturer Originally a Medion, but internals replaced with new motherboard, graphics, and power supply. Using a Samsung 840 SSD, 1 TB boot drive.
    Exact model number (if laptop, check label on bottom)

    Laptop or Desktop? Desktop


    • Ad Bot

      advertising
      Beep.

        
       

  2. #2
    Moderator
    BSOD Kernel Dump Analyst
    Windows Update Senior Analyst
    softwaremaniac's Avatar
    Join Date
    Oct 2014
    Location
    Croatia
    Age
    22
    Posts
    10,249
    • specs System Specs
      • Motherboard:
        ASUS MAXIMUS ROG HERO X
      • CPU:
        Intel Core i7-8700K 3.7GHz
      • Memory:
        Crucial 2x8GB DDR4 2666 MHz
      • Graphics:
        Gigabyte GTX 1080 G1 Gaming 8 GB
      • Sound Card:
        Asus Xonar DSX
      • Hard Drives:
        WD Caviar Black 1TB SATA III 7200rpm, WD Caviar Black 6TB SATA III 7200rpm
      • Disk Drives:
        Samsung 960 Evo 256GB NVME PCIe
      • Power Supply:
        Corsair HX 750W 80+ Platinum
      • Case:
        Fractal Design Define R6
      • Cooling:
        Noctua NH-D14
      • Display:
        Philips Brilliance BDM4065UC 4K 3840x2160
      • Operating System:
        Windows 10 Pro 1803 x64

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Please follow these instructions and attach the required file: Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 + Vista

  3. #3

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Please find attached requested file. I thought it had been attached to the original message.
    Attached Files Attached Files

  4. #4
    Moderator
    BSOD Kernel Dump Analyst
    Windows Update Senior Analyst
    softwaremaniac's Avatar
    Join Date
    Oct 2014
    Location
    Croatia
    Age
    22
    Posts
    10,249
    • specs System Specs
      • Motherboard:
        ASUS MAXIMUS ROG HERO X
      • CPU:
        Intel Core i7-8700K 3.7GHz
      • Memory:
        Crucial 2x8GB DDR4 2666 MHz
      • Graphics:
        Gigabyte GTX 1080 G1 Gaming 8 GB
      • Sound Card:
        Asus Xonar DSX
      • Hard Drives:
        WD Caviar Black 1TB SATA III 7200rpm, WD Caviar Black 6TB SATA III 7200rpm
      • Disk Drives:
        Samsung 960 Evo 256GB NVME PCIe
      • Power Supply:
        Corsair HX 750W 80+ Platinum
      • Case:
        Fractal Design Define R6
      • Cooling:
        Noctua NH-D14
      • Display:
        Philips Brilliance BDM4065UC 4K 3840x2160
      • Operating System:
        Windows 10 Pro 1803 x64

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Thank you.

    Follow these instructions:
    Test RAM With Memtest86+

    After that please download HD Tune and install it. Take a screenshot of the Health tab and run the test in the Error Scan tab. When running the test make sure that the Quick Scan option is uncheck.

    Post back with the results.

  5. #5

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Screenshot of HD Tune, Health and Error Scan tabs. No issues reported. I have downloaded MemTest86+ and will run before I go home. Did run Windows memory test previously with no issues reported.
    Attached Thumbnails Attached Thumbnails BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll-hd_tune_error_scan-jpg   BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll-hd_tune_health_tab-jpg  

  6. #6
    x BlueRobot's Avatar
    Join Date
    May 2013
    Location
    Minkowski Space
    Posts
    1,872

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Code:
    BugCheck 139, {3, ffff9a80a379bde0, ffff9a80a379bd38, 0}
    
    Probably caused by : ntkrnlmp.exe ( nt!KiFastFailDispatch+d0 )
    The first parameter of the bugcheck indicates that a LIST_ENTRY has been corrupted in some manner. This is the typical linked list data structure. The third parameter contains the address of the exception record which will provide us with some details of how the exception was caused.

    Code:
    3: kd> .exr 0xffff9a80a379bd38
    ExceptionAddress: fffff80029a600f5 (nt!CmpCreateKeyControlBlock+0x00000000001afd95)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 0000000000000003
    Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
    The exception code is quite generic and applies to a range of different circumstances. NTSTATUS error codes will typically be prefixed with 0xC; we can dump the status code:

    Code:
    3: kd> !error c0000409 
    Error code: (NTSTATUS) 0xc0000409 (3221226505) - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
    The sub-code of the exception is slightly more interesting, and indicates the security assertion feature which is used to check list operations, a fast fail error shows us that no exception handling will be invoked and the system will immediately BSOD itself.

    Let's unwind the call stack, and the instruction which appears to have caused the bugcheck:

    Code:
    3: kd> knL
     # Child-SP          RetAddr           Call Site
    00 ffff9a80`a379bab8 fffff800`295fe8a9 nt!KeBugCheckEx
    01 ffff9a80`a379bac0 fffff800`295fec10 nt!KiBugCheckDispatch+0x69 << Our BSOD is dispatched
    02 ffff9a80`a379bc00 fffff800`295fdbf7 nt!KiFastFailDispatch+0xd0 << This our FAST_FAIL_CORRUPT_LIST_ENTRY exception
    03 ffff9a80`a379bde0 fffff800`29a600f5 nt!KiRaiseSecurityCheckFailure+0xf7 << The bugcheck process is intitated here
    04 ffff9a80`a379bf70 fffff800`29920be7 nt!CmpCreateKeyControlBlock+0x1afd95
    05 ffff9a80`a379c000 fffff800`2992495b nt!CmpWalkOneLevel+0x5c7
    06 ffff9a80`a379c140 fffff800`2992f306 nt!CmpDoParseKey+0x134b
    07 ffff9a80`a379c520 fffff800`2992961b nt!CmpParseKey+0x266
    08 ffff9a80`a379c6f0 fffff800`2992d150 nt!ObpLookupObjectName+0x46b
    09 ffff9a80`a379c8c0 fffff800`2992de54 nt!ObOpenObjectByNameEx+0x1e0
    0a ffff9a80`a379ca00 fffff800`29930b7f nt!CmOpenKey+0x274
    0b ffff9a80`a379cc00 fffff800`295fe413 nt!NtOpenKeyEx+0xf
    0c ffff9a80`a379cc40 00007ffe`36aa7634 nt!KiSystemServiceCopyEnd+0x13
    0d 000000f6`3a67cb78 00000000`00000000 0x00007ffe`36aa7634
    We can disassemble the return address and find the following:

    Code:
    3: kd> ub fffff800`29a600f5
    nt!CmpCreateKeyControlBlock+0x1afd77:
    fffff800`29a600d7 eb0a            jmp     nt!CmpCreateKeyControlBlock+0x1afd83 (fffff800`29a600e3)
    fffff800`29a600d9 e5ff            in      eax,0FFh
    fffff800`29a600db b903000000      mov     ecx,3 << Exception Code
    fffff800`29a600e0 cd29            int     29h << Exception Invoked
    fffff800`29a600e2 488d0df7f0d8ff  lea     rcx,[nt!CmpAllocBucketLock (fffff800`297ef1e0)]
    fffff800`29a600e9 e892a6a8ff      call    nt!ExReleaseFastMutex (fffff800`294ea780)
    fffff800`29a600ee eb0d            jmp     nt!CmpCreateKeyControlBlock+0x1afd9d (fffff800`29a600fd)
    fffff800`29a600f0 b903000000      mov     ecx,3
    I've dumped the IDT entry from a different dump file, but the information is the exact same:

    Code:
    6: kd> !idt 29h
    
    Dumping IDT: ffffe480d98ac000
    
    29:    fffff8013b97ab00 nt!KiRaiseSecurityCheckFailure
    I've also dumped the raw stack, and it appears that there was some transversal within the registry:

    Code:
    3: kd> !dpx
    Start memory scan  : 0xffff9a80a379bab8 ($csp)
    End memory scan    : 0xffff9a80a379d000 (Stack Base)
    
                   rsp : 0xffff9a80a379bab8 : 0xfffff800295fe8a9 : nt!KiBugCheckDispatch+0x69
    0xffff9a80a379bab8 : 0xfffff800295fe8a9 : nt!KiBugCheckDispatch+0x69
    0xffff9a80a379bbd0 : 0xfffff800297ef1c0 : nt!CmpFreeKCBListHead
    0xffff9a80a379bbf8 : 0xfffff800295fec10 : nt!KiFastFailDispatch+0xd0
    0xffff9a80a379bcd8 : 0xfffff800294edd81 : nt!SepNormalAccessCheck+0x281
    0xffff9a80a379bd10 : 0xfffff800297ef1c0 : nt!CmpFreeKCBListHead
    0xffff9a80a379bd88 : 0xffffe089c398a9d0 :  !da ""Advapi  0""
    0xffff9a80a379bdb8 : 0xfffff800294ed5dd : nt!SepAccessCheck+0x31d
    0xffff9a80a379bdc8 : 0xffffe089c398a9d0 :  !da ""Advapi  0""
    0xffff9a80a379bdd0 : 0xffffe089c398a9d0 :  !da ""Advapi  0""
    0xffff9a80a379bdd8 : 0xfffff800295fdbf7 : nt!KiRaiseSecurityCheckFailure+0xf7
    0xffff9a80a379bde0 : 0x0000000000000000 :  Trap @ ffff9a80a379bde0
    0xffff9a80a379be20 : 0xfffff800297ef1e0 : nt!CmpAllocBucketLock
    0xffff9a80a379be58 : 0xffffe089d12d8462 :  !du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379be68 : 0xffffe089d12d8462 :  !du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379bee8 : 0xffffe089c398a9d0 :  !da ""Advapi  0""
    0xffff9a80a379bf18 : 0xfffff800294c426c : nt!KeAbPreAcquire+0xec
    0xffff9a80a379bf28 : 0xfffff800297ef1e0 : nt!CmpAllocBucketLock
    0xffff9a80a379bf98 : 0xfffff800294e843d : nt!HvpMapEntryGetBlockAddress+0x4d
    0xffff9a80a379bfb8 : 0xfffff800299231a5 : nt!HvpReleaseCellPaged+0x75
    0xffff9a80a379bff8 : 0xfffff80029920be7 : nt!CmpWalkOneLevel+0x5c7
    0xffff9a80a379c0c8 : 0xffffe089d12d8462 :  !du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c248 : 0xffffe089d12d8430 :  !du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c2e8 : 0xfffff80008ec5f80 : FLTMGR!FltpPerformFastIoCall+0x280
    0xffff9a80a379c300 : 0xffffe089d12d8462 :  !du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c378 : 0xfffff80008ec45cc : FLTMGR!FltpFreeIrpCtrl+0x11c
    0xffff9a80a379c3f8 : 0xfffff800294e89f7 : nt!ExpAcquireResourceSharedLite+0x97
    0xffff9a80a379c400 : 0xffffe089c398a9d0 :  !da ""Advapi  0""
    0xffff9a80a379c408 : 0xfffff80029c317c8 : nt!SepMediumDaclSd
    0xffff9a80a379c438 : 0xffffe089d12d8430 :  !du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c448 : 0xffffe089d12d8442 :  !du "CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c458 : 0xffffe089d12d8452 :  !du "TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c468 : 0xffffe089d12d8462 :  !du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c4c8 : 0xfffff800294ec714 : nt!SeAccessCheckWithHint+0x604
    0xffff9a80a379c518 : 0xfffff8002992f306 : nt!CmpParseKey+0x266
    0xffff9a80a379c528 : 0xfffff800294ea059 : nt!ExAcquirePushLockExclusiveEx+0xe9
    0xffff9a80a379c568 : 0xfffff8002992a865 : nt!ObpIncrementHandleCountEx+0x255
    0xffff9a80a379c578 : 0xffffe089d12d8430 :  !du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c6a8 : 0xffffe089d12d8430 :  !du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c6c8 : 0xfffff80029487000 : "nt!TmInitSystemPhase2 <PERF> (nt+0x0)"
    0xffff9a80a379c6d8 : 0xfffff8002992f0a0 : nt!CmpParseKey
    0xffff9a80a379c6e8 : 0xfffff8002992961b : nt!ObpLookupObjectName+0x46b
    0xffff9a80a379c708 : 0xfffff80029923101 : nt!HvpGetCellPaged+0x71
    0xffff9a80a379c768 : 0xffffe089d12d8430 :  !du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c7a8 : 0xfffff8002992da91 : nt!ObpCaptureObjectName+0x151
    0xffff9a80a379c7e0 : 0xffffe089d12d8430 :  !du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c7e8 : 0xfffff800294eae83 : nt!ExReleaseResourceLite+0xa3
    0xffff9a80a379c848 : 0xfffff80029922f29 : nt!CmQueryValueKey+0x4e9
    0xffff9a80a379c858 : 0xfffff800294e89f7 : nt!ExpAcquireResourceSharedLite+0x97
    0xffff9a80a379c8b8 : 0xfffff8002992d150 : nt!ObOpenObjectByNameEx+0x1e0
    0xffff9a80a379c960 : 0xffffe089d12d8430 :  !du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"
    0xffff9a80a379c980 : 0xffffe089c398a9d0 :  !da ""Advapi  0""
    0xffff9a80a379c9f8 : 0xfffff8002992de54 : nt!CmOpenKey+0x274
    0xffff9a80a379cbf8 : 0xfffff80029930b7f : nt!NtOpenKeyEx+0xf
    0xffff9a80a379cc38 : 0xfffff800295fe413 : nt!KiSystemServiceCopyEnd+0x13
    0xffff9a80a379cc40 : 0xffffaa8558214080 :  Trap @ ffff9a80a379cc40
    To my knowledge, I believe that the Windows Registry uses linked lists in order to maintain its internal block, and from the bugcheck, it appears that a driver has attempted to add an update to the registry with disasterous results.

    The Cm prefix is the Configuration Manager, which is the technical term for the Windows Registry. Essentially, from the call stack it appears that a registry key was opened and a Key Control Block (_CM_KEY_CONTROL_BLOCK) was going to be created, however, an error occured during the creation resulting in the crash. This may also explain the bugcheck which is Stop 0x109.

    Code:
    3: kd> !reg openkeys
    
    CmpMasterHive couldn't be read(2)
    Some exploration I would like to do isn't going to work with a Minidump. Could you please check the following directory for any Kernel Memory Dumps?

    Code:
    %systemroot%\MEMORY.DMP
    Please following softwaremanic's instructions, and if no errors are raised, I would consider running Driver Verifier for 48 hours using the following instructions - Driver Verifier - BSOD related - Windows 10, 8.1, 8, 7 &amp; Vista
    Machines Can Think

    We don't make mistakes; we just have happy accidents.

  7. #7

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Allowed MemTest86+ to run 9 passes. No errors.

  8. #8

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Yes. There is a large MEMORY.DMP file. 823 MB. Zipped, it is still 157 MB. Is there something I can check on this end and report back?

    Some exploration I would like to do isn't going to work with a Minidump. Could you please check the following directory for any Kernel Memory Dumps?

    Code:
    %systemroot%\MEMORY.DMP

  9. #9

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    When I load the MEMORY.DMP file in windbg, I find the following:
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 109, {a39ff16440582796, 0, 65f4713cf80ce013, 101}

    Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

    Followup: MachineOwner
    ---------

  10. #10

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Clicking on !analyze -v provides:
    1: kd> !analyze -v
    *******************************************************************************
    * *
    * Bugcheck Analysis *
    * *
    *******************************************************************************

    CRITICAL_STRUCTURE_CORRUPTION (109)
    This bugcheck is generated when the kernel detects that critical kernel code or
    data have been corrupted. There are generally three causes for a corruption:
    1) A driver has inadvertently or deliberately modified critical kernel code
    or data. See Access Denied
    2) A developer attempted to set a normal kernel breakpoint using a kernel
    debugger that was not attached when the system was booted. Normal breakpoints,
    "bp", can only be set if the debugger is attached at boot time. Hardware
    breakpoints, "ba", can be set at any time.
    3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
    Arguments:
    Arg1: a39ff16440582796, Reserved
    Arg2: 0000000000000000, Reserved
    Arg3: 65f4713cf80ce013, Failure type dependent information
    Arg4: 0000000000000101, Type of corrupted region, can be
    0 : A generic data region
    1 : Modification of a function or .pdata
    2 : A processor IDT
    3 : A processor GDT
    4 : Type 1 process list corruption
    5 : Type 2 process list corruption
    6 : Debug routine modification
    7 : Critical MSR modification
    8 : Object type
    9 : A processor IVT
    a : Modification of a system service function
    b : A generic session data region
    c : Modification of a session function or .pdata
    d : Modification of an import table
    e : Modification of a session import table
    f : Ps Win32 callout modification
    10 : Debug switch routine modification
    11 : IRP allocator modification
    12 : Driver call dispatcher modification
    13 : IRP completion dispatcher modification
    14 : IRP deallocator modification
    15 : A processor control register
    16 : Critical floating point control register modification
    17 : Local APIC modification
    18 : Kernel notification callout modification
    19 : Loaded module list modification
    1a : Type 3 process list corruption
    1b : Type 4 process list corruption
    1c : Driver object corruption
    1d : Executive callback object modification
    1e : Modification of module padding
    1f : Modification of a protected process
    20 : A generic data region
    21 : A page hash mismatch
    22 : A session page hash mismatch
    23 : Load config directory modification
    24 : Inverted function table modification
    25 : Session configuration modification
    26 : An extended processor control register
    27 : Type 1 pool corruption
    28 : Type 2 pool corruption
    29 : Type 3 pool corruption
    2a : Type 4 pool corruption
    101 : General pool corruption
    102 : Modification of win32k.sys

    Debugging Details:
    ------------------


    DUMP_CLASS: 1

    DUMP_QUALIFIER: 401

    BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

    SYSTEM_MANUFACTURER: Gigabyte Technology Co., Ltd.

    SYSTEM_PRODUCT_NAME: GA-A75M-UD2H

    BIOS_VENDOR: Award Software International, Inc.

    BIOS_VERSION: F6

    BIOS_DATE: 09/28/2012

    BASEBOARD_MANUFACTURER: Gigabyte Technology Co., Ltd.

    BASEBOARD_PRODUCT: GA-A75M-UD2H

    DUMP_TYPE: 1

    BUGCHECK_P1: a39ff16440582796

    BUGCHECK_P2: 0

    BUGCHECK_P3: 65f4713cf80ce013

    BUGCHECK_P4: 101

    PG_MISMATCH: 200000000000

    MEMORY_CORRUPTOR: ONE_BIT

    CPU_COUNT: 4

    CPU_MHZ: a28

    CPU_VENDOR: AuthenticAMD

    CPU_FAMILY: 12

    CPU_MODEL: 1

    CPU_STEPPING: 0

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    BUGCHECK_STR: 0x109

    PROCESS_NAME: csrss.exe

    CURRENT_IRQL: 2

    ANALYSIS_SESSION_HOST: HERM-HARRISON

    ANALYSIS_SESSION_TIME: 07-31-2017 09:39:24.0874

    ANALYSIS_VERSION: 10.0.15063.468 amd64fre

    STACK_TEXT:
    ffff8c81`85a5aeb8 00000000`00000000 : 00000000`00000109 a39ff164`40582796 00000000`00000000 65f4713c`f80ce013 : nt!KeBugCheckEx


    STACK_COMMAND: kb

    THREAD_SHA1_HASH_MOD_FUNC: 81a83ae0317433a47fcc36991983df3b6e638b71

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 6e16edd8c7dd677734fdbcd2397a2e35e9fae964

    THREAD_SHA1_HASH_MOD: 76cd06466d098060a9eb26e5fd2a25cb1f3fe0a3

    SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: Unknown_Module

    IMAGE_NAME: Unknown_Image

    DEBUG_FLR_IMAGE_TIMESTAMP: 0

    FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

    BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

    PRIMARY_PROBLEM_CLASS: MEMORY_CORRUPTION_ONE_BIT

    TARGET_TIME: 2017-07-28T06:07:02.000Z

    OSBUILD: 15063

    OSSERVICEPACK: 0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK: 272

    PRODUCT_TYPE: 1

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 10

    OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

    OS_LOCALE:

    USER_LCID: 0

    OSBUILD_TIMESTAMP: 2017-07-07 02:06:35

    BUILDDATESTAMP_STR: 170317-1834

    BUILDLAB_STR: rs2_release

    BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834

    ANALYSIS_SESSION_ELAPSED_TIME: a96

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:memory_corruption_one_bit

    FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}

    Followup: MachineOwner
    ---------

  11. #11
    writhziden's Avatar
    Join Date
    May 2012
    Location
    Colorado
    Posts
    2,328
    • specs System Specs
      • Manufacturer:
        Sony
      • Model Number:
        VPCF232FX/B
      • Motherboard:
        Sony Corporation VAIO
      • CPU:
      • Memory:
        8.00 GB Crucial CT2KIT51264BF1339 DDR3 1333
      • Graphics:
      • Sound Card:
        Realtek High Definition Audio/nVidia High Definition Audio
      • Hard Drives:
        TOSHIBA MK5061GSY 500 GB (465 GB actual)
      • Case:
        Laptop black matte case with backlit keyboard
      • Cooling:
        Air cooling via fan and heat exchanger heatsink
      • Display:
        Laptop display
      • Operating System:
        Windows 7 Home Premium 64 Bit

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    You will need to upload the MEMORY.DMP file to another hosting site. You can use Microsoft's OneDrive or Dropbox to upload the file for free.

  12. #12

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Quote Originally Posted by writhziden View Post
    You will need to upload the MEMORY.DMP file to another hosting site. You can use Microsoft's OneDrive or Dropbox to upload the file for free.

    https://1drv.ms/f/s!AqVJ1YZxJQNi83enKJQEnGE2OFZW

  13. #13
    x BlueRobot's Avatar
    Join Date
    May 2013
    Location
    Minkowski Space
    Posts
    1,872

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Code:
    BugCheck 109, {a39ff16440582796, 0, 65f4713cf80ce013, 101}
    
    Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
    The fourth parameter indicates a type of pool corruption, which leads me to believe that the third parameter may be an corrupted address within a pool page.

    Code:
    !pool 65f4713cf80ce013
    Pool page 65f4713cf80ce013 region is Unknown
    65f4713cf80ce000 is not a valid large pool allocation, checking large session pool...
    Unable to read large session pool table (Session data is not present in mini and kernel-only dumps)
    65f4713cf80ce000 is not valid pool. Checking for freed (or corrupt) pool
    Address 65f4713cf80ce000 could not be read. It may be a freed, invalid or paged out page
    We'll not going to get much information from a Stop 0x109, I would strongly suggest running Driver Verifier using the following instructions - Driver Verifier - BSOD related - Windows 10, 8.1, 8, 7 &amp; Vista
    runuts says thanks for this.
    Machines Can Think

    We don't make mistakes; we just have happy accidents.

  14. #14

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Added minidump file to https://1drv.ms/u/s!AqVJ1YZxJQNi83ppm-N7EW9FHxBC . Problem may be related to AVG. When I restarted after running driver verifier, the computer BSOD listing file avgwfpa.sys. Rolled the computer back to the restore point, removed AVG and will re-run verifier.

  15. #15

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Quote Originally Posted by x BlueRobot View Post
    We'll not going to get much information from a Stop 0x109, I would strongly suggest running Driver Verifier using the following instructions - Driver Verifier - BSOD related - Windows 10, 8.1, 8, 7 &amp; Vista
    Diver Verifier caused a BSOD on first boot, I couldn't catch the complete message, but did get the filename, avgwfpa.sys. Used System Restore to go back and was able to delete AVG in its entirety. Restarted and restarted driver verifier in the background. The system booted without error. I'll let driver verifier run over night and report back with the results.

  16. #16
    x BlueRobot's Avatar
    Join Date
    May 2013
    Location
    Minkowski Space
    Posts
    1,872

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Thanks runuts, hopefully that has resolved the issue. If you don't have another crash, then disable Driver Verifier and continue to use your system normally.
    Machines Can Think

    We don't make mistakes; we just have happy accidents.

  17. #17

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Quote Originally Posted by x BlueRobot View Post
    Thanks runuts, hopefully that has resolved the issue. If you don't have another crash, then disable Driver Verifier and continue to use your system normally.
    Unfortunately the BSOD continue. Two more yesterday and looking at BlueScreenView, two overnight. Verifier has been running now about 24 hours. How should I post the output? Copy and past the output from "verifier/query"?

  18. #18
    x BlueRobot's Avatar
    Join Date
    May 2013
    Location
    Minkowski Space
    Posts
    1,872

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Please disable Driver Verifier, and then upload the dump files in the usual manner.
    Machines Can Think

    We don't make mistakes; we just have happy accidents.

  19. #19

    Join Date
    Jul 2017
    Location
    Cincinnati
    Posts
    19

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    New Sysnative Collection attached. Current memory.dmp uploaded to same link location. Current date 08/03/2017.
    Attached Files Attached Files

  20. #20
    x BlueRobot's Avatar
    Join Date
    May 2013
    Location
    Minkowski Space
    Posts
    1,872

    Re: BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

    Could you please try and upload an additional dump file? I appear to be getting symbol errors with the current one?
    Machines Can Think

    We don't make mistakes; we just have happy accidents.

Page 1 of 2 12 Last

Similar Threads

  1. [SOLVED] BSOD REFRENCE_BY_POINTER ntoskrnl.exe - Windows 8.1 x64
    By christantoan in forum BSOD, Crashes, Kernel Debugging
    Replies: 14
    Last Post: 08-03-2015, 06:17 AM
  2. [SOLVED] BSOD 0x7f UNEXPECTED_KERNEL_MODE_TRAP caused by ntoskrnl.exe - Windows 7 x64
    By xOrrangee in forum BSOD, Crashes, Kernel Debugging
    Replies: 8
    Last Post: 07-23-2015, 06:42 PM
  3. [SOLVED] BSOD 0x7f UPEXPECTED_KERNEL_TRAP_MODE caused by ntoskrnl.exe - Windows 8.1 x64
    By error01671 in forum BSOD, Crashes, Kernel Debugging
    Replies: 14
    Last Post: 06-08-2015, 05:23 AM
  4. BSOD IRQL_NOT_LESS_OR_EQUAL ntoskrnl.exe+1509a0 - Windows 8.1 x64
    By tonyx1024 in forum BSOD, Crashes, Kernel Debugging
    Replies: 8
    Last Post: 03-15-2015, 10:10 PM
  5. [SOLVED] BSOD 0x7f UNEXPECTED_KERNEL_MODE_TRAP caused by ntoskrnl.exe Windows 8.1
    By Renault925 in forum BSOD, Crashes, Kernel Debugging
    Replies: 3
    Last Post: 11-11-2014, 04:32 PM

Log in

Log in