1. #1

    Blue screens over various computers for same user

    I have a user that has been having blue screens on her system since we took over IT for this company 18 months ago. Previous IT provider would just buy her new hardware every 12 months. User has insisted on that again mainly because we haven't been given the opportunity to troubleshoot.

    So. . . She has brand new hardware. All drivers, firmware, etc., up-to-date. I'm 99.9% positive this is not a driver or hardware issue. User has had the laptop for two weeks and already getting blue screens.

    She has minimal software and is insistent that no one else with the same software has these issues (Which I concur with.) Much of the software she has installs plug-ins in Outlook and her Outlook has issues occasionally. So my first response is to point the blow torch there. Unfortunately, user has been unwilling to work without her add-ins (Salesforce, Zoom, etc.) as she needs those for work. We finally got her to allow us to uninstall them all (Just now.) So we wait.

    In the meantime, I did get a few minidumps from her machine. I would be most grateful if someone looked them over. Nothing in them is jumping out at me, but I'm just looking using bluescreenview.

    Files are located here - Dropbox - Minidump20181119.zip

    Any help is appreciated! Thanks!

  2. #2

    Re: Blue screens over various computers for same user

    Hi PatD,

    The dumps don't have much in common except they seem to be caused by random memory corruption. I don't see any drivers I recognize as having caused problems on other systems and all of the 3rd party drivers look quite recent.

    The only thing I see in common with 2 of the dumps is what looks like a pnp issue:
    5: kd> !blackboxpnp
        PnpActivityId      : {00000000-0000-0000-0000-000000000000}
        PnpActivityTime    : 131871186615641219
        PnpEventInformation: 3
        PnpEventInProgress : 0
        PnpProblemCode     : 24
        PnpVetoType        : 0
        DeviceId           : SWD\DAFWSDProvider\urn:uuid:0f114574-110f-d1fc-c0d5-b1052cee5e16
        VetoString         :
    The problem code is 24 and I believe this site has the meanings for those codes (not 100 percent sure, though.) I think the device ID is a printer but not sure about that, either. Printer drivers aren't kernel drivers so shouldn't cause bugchecks but maybe it is intermittently having issues which is confusing something in the kernel which doesn't expect it to be having problems... maybe. An old printer driver being installed via a driver disc that came with the printer, perhaps? I'm just speculating, really. It could explain the problem being common amongst several computers. However, 1 of the dumps doesn't show a pnp problem.

    The randomness of the bugcheck codes and callstacks would have me suspecting hardware, honestly. What hardware diagnostics have you done which makes you confident it's not a hardware problem?
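
An added example, not part of any post in this thread: a small parser for the `!blackboxpnp` output quoted in reply #2 that decodes the fields a reader would otherwise look up by hand. It assumes `PnpActivityTime` is a Windows FILETIME and that `PnpProblemCode` uses the `CM_PROB_*` numbering from the Windows SDK header `cfg.h`; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Input: the !blackboxpnp fields as quoted in reply #2 of this thread.
SAMPLE = r"""
    PnpActivityId      : {00000000-0000-0000-0000-000000000000}
    PnpActivityTime    : 131871186615641219
    PnpEventInformation: 3
    PnpEventInProgress : 0
    PnpProblemCode     : 24
    PnpVetoType        : 0
    DeviceId           : SWD\DAFWSDProvider\urn:uuid:0f114574-110f-d1fc-c0d5-b1052cee5e16
    VetoString         :
"""

# Subset of the CM_PROB_* constants from cfg.h.
# Assumption: PnpProblemCode uses this numbering.
CM_PROB = {
    10: "CM_PROB_FAILED_START",
    22: "CM_PROB_DISABLED",
    24: "CM_PROB_DEVICE_NOT_THERE",
    28: "CM_PROB_FAILED_INSTALL",
    43: "CM_PROB_FAILED_POST_START",
}

def filetime_to_utc(ticks):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=ticks // 10)

def parse_blackboxpnp(text):
    """Return {field: value}; prompt lines such as '5: kd> ...' are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]\w*)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def summarize(text):
    f = parse_blackboxpnp(text)
    code = int(f["PnpProblemCode"])
    # Device instance path: enumerator \ provider \ instance id
    enumerator, provider, instance = f["DeviceId"].split("\\", 2)
    return {
        "time_utc": filetime_to_utc(int(f["PnpActivityTime"])).isoformat(),
        "problem": CM_PROB.get(code, f"unknown ({code})"),
        "enumerator": enumerator,
        "provider": provider,
        "instance": instance,
    }
```

The decoded time falls on 2018-11-19, the same date as in the `Minidump20181119.zip` name from the first post, which supports the FILETIME reading. `SWD` is the software-device enumerator, and `DAFWSDProvider` entries are network devices discovered over WSD.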

  3. #3

    Re: Blue screens over various computers for same user

    Honestly, I've done no hardware diagnostics. I'm confident it's software though (Can't prove it) because these issues have followed the user through 3-4 laptops now. She said she was getting constant blue screens yesterday until I went in and yanked a bunch of crap HP loads with their printers and every add-in from Outlook got yanked. No complaints in 24 hours (Though user also has a tendency to not mention issues until she has 50 of them and blows things out of proportion.)

  4. #4

    Re: Blue screens over various computers for same user

    Is it the same user from this post?

  5. #5

    Re: Blue screens over various computers for same user

    It is not, though the users work(ed) in the same office (The user in that post left the company a few months after.) We never resolved the issue. We sent her a loaner laptop and she continued on with that without issue. I really feel her original machine was having a hardware issue, but no amount of troubleshooting could get it to blue screen. We rebuilt it and it got used as a loaner I believe - never heard any more about it.

  6. #6

    Re: Blue screens over various computers for same user

    Starting to wonder if this is hardware now. More work on the machine today in terms of fixing some odd Outlook issues. During Office repairs, it blue screens. I logged in as myself instead of the end user and it's now blue screening on my profile, which it was not doing before. Can only get one-two minutes on the machine before it blue screens again. I was able to grab a full memory dump from one of these blue screens. https://www.dropbox.com/s/ot1j8v4p07...81127.zip?dl=1

    Anything? Unfortunately, I'll probably have to get the user to ship the machine to me to start really running diags unless the memory dump turns something up.

  7. #7

    Re: Blue screens over various computers for same user

    Idk if you're still checking in on this, but...

    4: kd> ln fffff803b0cd8258
    Browse module
    Set bu breakpoint
    (fffff803`b0cd81f0)   nt!HvpGetCellPaged+0x68   |  (fffff803`b0cd82d0)   nt!HvpReleaseCellPaged
    Exception occurred in the HvpGetCellPaged function, specifically 0x68. We also see mention of ReleaseCellPaged, both of which are functions that are involved in the Windows registry.

    PROCESS_NAME:  Registry
    We can see the process that crashed at the bug check was also the registry process itself.

    4: kd> !process registry
    PROCESS ffffdd01958e0040
        SessionId: none  Cid: 0078    Peb: 00000000  ParentCid: 0004
        DirBase: 483400002  ObjectTable: ffffba8e6e226040  HandleCount:   0.
        Image: Registry
    4: kd> knL
      *** Stack trace for last set context - .thread/.cxr resets it
     # Child-SP          RetAddr           Call Site
    00 ffff8202`4d8770b8 fffff803`b0d0ed30 nt!HvpGetCellPaged+0x68
    01 ffff8202`4d8770c0 fffff803`b0e97cac nt!CmpDoCompareKeyName+0x30
    02 ffff8202`4d877120 fffff803`b0d0e1d3 nt!CmpCompareInIndex+0x18992c
    03 ffff8202`4d877170 fffff803`b0d0c1e6 nt!CmpFindSubKeyInRoot+0x83
    04 ffff8202`4d8771e0 fffff803`b0cddbf4 nt!CmpWalkOneLevel+0x726
    05 ffff8202`4d8772e0 fffff803`b0cd4cdd nt!CmpDoParseKey+0x1414
    06 ffff8202`4d8776b0 fffff803`b0cdb2ab nt!CmpParseKey+0x26d
    07 ffff8202`4d877890 fffff803`b0cecd1f nt!ObpLookupObjectName+0x73b
    08 ffff8202`4d877a70 fffff803`b0cec9c8 nt!ObOpenObjectByNameEx+0x1df
    09 ffff8202`4d877bb0 fffff803`b0ce903a nt!CmOpenKey+0x298
    0a ffff8202`4d877e00 fffff803`b09aef13 nt!NtOpenKey+0x12
    0b ffff8202`4d877e40 00007ff9`918fa1d4 nt!KiSystemServiceCopyEnd+0x13
    0c 00000000`04b6da78 00000000`00000000 0x00007ff9`918fa1d4
    We're doing some registry key stuff at the time of the crash, all stemming from the opening of a preexisting key. I'm really curious about buggy malware here, so I recommend running a scan. I'd start with Malwarebytes.

  8. #8

    Re: Blue screens over various computers for same user

    Still following, thanks so much for replying! Almost out of ideas!

    I'll see if I can get the machine back online long enough to run some scans. Thanks.

  9. #9

    Re: Blue screens over various computers for same user


  10. #10

    Re: Blue screens over various computers for same user

    No dice. Was able to get on the machine today and MalwareBytes shows a very clean machine. Kept crashing after that.

    User is going to be local next week and I'll have my hands on the machine then. We'll see.

  11. #11

    Re: Blue screens over various computers for same user

    MWB wouldn't show a rootkit, which was my theory; however, I wanted a MWB scan just to be sure there was nothing else going on.

    I'm going to recommend enabling Driver Verifier on this machine to be sure before we continue, just so we can rule out any glaring driver issues. If none, it's either some nasty/buggy rootkit or perhaps OS corruption. It's really hard to say with just minidumps and nothing to really go off of for now. Keep us updated.

  12. #12

    Re: Blue screens over various computers for same user

    @Patrick, reply number 6 has a link to a full kernel dump - just in case you missed it.

