8.1 Pro Blue Screens of Death

onephenom

Background: I had BSOD errors after building my computer last spring/summer-ish. I got help here at https://www.sysnative.com/forums/bs...11068-blue-screen-of-death-windows-8-1-a.html


After replacing the hard drive as advised, I used Linux for several months, but decided to go back to Windows because I enjoy gaming and Linux sucks at that. Right away... blue screen errors again. This is an unused copy of Windows Pro 8.1 (student discounts ftw!)


OS - Windows 8.1, 8, 7, Vista ? 8.1
· x86 (32-bit) or x64 ? x64
· What was original installed OS on system? 8 on old hard drive, linux on second hard drive, now 8.1 pro
Attachments: SysnativeFileCollectionApp.zip, NATHAN_20150205-000001.zip
· Is the OS an OEM version? No, full retail.
· Age of system 10 months
· Age of OS installation - 10 months, no reinstall yet.


· CPU
· Video Card- GeForce GTX 650 Ti GPU
· MotherBoard - asus m5a97 LE r2.0
· Power Supply - HighPower Astro GD 600W, 80+ Gold, Single +12 Rails, SLI/Cross Fire ready, Full Module, Active PFC Power Supply




· System Manufacturer -home build


· Desktop




I'm getting blue screens again... I've gotten the kmode except, system service exception, whea unacceptable, watchdog... probably others but I really cannot remember them all. They seem to be completely random, no common program or situation when one happens.


I am not sure if the perfmon report worked. I got this error
"An error occurred while attempting to generate the report. The operator or administrator has refused the request." According to this link: command line - Resource and Performance Monitor error - Super User, it still generates the report, and the zipped file I attached was found in C/perflogs/system/diagnostics. It was generated right after I ran perfmon, so I'm pretty sure it is right.

I'm going to run the programs listed on the posting instructions site now, and report back soon. Thanks for your help!!

Nathan
 
Update 1: Driver verifier blue screens after starting verifier and restarting. Rebooted in safe mode to my restore.
 
I cannot. I had issues trying to get that file before. I just get the error "file not found or no permission". No luck. I am definitely on an administrator account, and the only account other than the default admin account.
 
I went to the properties to make sure I had permissions. Under Advanced in the security tab, it says my account is allowed to view the file, but I can't do anything with it. It won't show the properties because I don't have read permissions.
 
Pretty simple.

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)

This is the general bug check code for fatal errors found by Driver Verifier.

Code:
2: kd> k
Child-SP          RetAddr           Call Site
ffffd000`5220f768 fffff801`4e898258 nt!KeBugCheckEx
ffffd000`5220f770 fffff801`4e887437 VerifierExt!SLIC_abort+0x5c
ffffd000`5220f7b0 fffff801`4e887452 VerifierExt!SLIC_ZwClose_entry_IrqlZwPassive+0x23
ffffd000`5220f7e0 fffff801`4ff6b9b1 VerifierExt!ZwClose_wrapper+0x1a
ffffd000`5220f810 00007ff6`10be0000 psinknc+0x199b1
ffffd000`5220f818 ffffffff`8000096c 0x00007ff6`10be0000
ffffd000`5220f820 00000000`00000004 0xffffffff`8000096c
ffffd000`5220f828 fffff803`7e4fd130 0x4
ffffd000`5220f830 fffff801`4ff6c350 nt!VerifierExFreePoolWithTag+0x44
ffffd000`5220f860 00100000`00002000 psinknc+0x1a350
ffffd000`5220f868 ffffe000`641b7000 0x00100000`00002000
ffffd000`5220f870 00000000`00000000 0xffffe000`641b7000

psinknc.sys (Panda antivirus variant kernel-mode driver) called the ZwClose function at the improper IRQL. As verifier was enabled, it caught this happening and bug checked the system.

Code:
2: kd> !irql
Debugger saved IRQL for processor 0x2 -- 1 (APC_LEVEL)

It was called at APC_LEVEL as opposed to its correct IRQL which is PASSIVE_LEVEL.

I'd contact Panda support as that's really all you can do for a fix aside from uninstalling it/trying to reinstall or update it.
 
A kernel-dump is needed to debug 0x101. Check C:\Windows for MEMORY.DMP, upload it 3rd party (OneDrive, whatever), and then paste the link for download here please.
 
Thanks.

Going to be a bit busy until later tonight, so I'll take a look later and post back when I can.
 
You actually just reminded me to check! The KMD isn't 0x101, however.

SYSTEM_SERVICE_EXCEPTION (3b)

This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.


Code:
0: kd> .bugcheck
Bugcheck code 0000003B
Arguments 00000000`c0000005 fffff801`297035e4 ffffd000`28d3cf00 00000000`00000000

Code:
0: kd> .cxr ffffd000`28d3cf00
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd00028d3d990
rdx=8a82000000000000 rsi=0000000000d84000 rdi=ffffd00028d3d990
rip=fffff801297035e4 rsp=ffffd00028d3d930 rbp=0000000000000000
 r8=ffffd00028d3d9f0  r9=0000000000000000 r10=ffffe0005a6025e0
r11=000000007f24c000 r12=0000000000000000 r13=0000000000000000
r14=ffffe0005b8e5080 r15=0000000000010001
iopl=0         nv up di pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010046
nt!KxWaitForLockOwnerShipWithIrql+0x14:
fffff801`297035e4 48890a          mov     qword ptr [rdx],rcx ds:002b:8a820000`00000000=????????????????

We went off the rails on the KxWaitForLockOwnerShipWithIrql function, so likely a driver. Now that we're within the context we can check its call stack:

Code:
0: kd> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
ffffd000`28d3d930 fffff801`2967e9c7 nt!KxWaitForLockOwnerShipWithIrql+0x14
ffffd000`28d3d960 fffff960`002f78f3 nt!ExEnterPriorityRegionAndAcquireResourceExclusive+0x217
ffffd000`28d3d9f0 fffff960`001ed454 win32k!EnterCritAvoidingDitHitTestHazard+0x13
ffffd000`28d3da30 fffff801`297772b3 win32k!NtUserShowWindow+0x14
ffffd000`28d3da80 00000000`77cb2352 nt!KiSystemServiceCopyEnd+0x13
00000000`00b1e938 00000000`00000000 0x77cb2352

Right, so we cannot see, but my guess is a driver is calling on the NtUserShowWindow function, and then we end up entering a critical region and acquiring access to a resource. Due to this, we wait for the lock but as I said go off the rails. Why?

Code:
0: kd> !pte 8a82000000000000
                                           VA 8a82000000000000
PXE at FFFFF6FB7DBED000    PPE at FFFFF6FB7DA00000    PDE at FFFFF6FB40000000    PTE at FFFFF68000000000
contains 00C000010F286867  contains 0D70000134407867  contains 0000000000000000
pfn 10f286    ---DA--UWEV  pfn 134407    ---DA--UWEV  not valid

WARNING: noncanonical VA, accesses will fault !

Noncanonical, so of course the instruction failed (setting memory at the address in rdx to rcx).

Without verifier being enabled, it's impossible to say without guessing really what driver is causing this. With that said, if you could re-enable it and then attach the verifier enabled kernel-dump for when it crashes, that'd be great. It may be a good idea to delete all current KMD's (unless you have them overwrite on creation) so you don't get confused as to which one is which.
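
The canonical-address check behind the !pte warning above, as an added example that is not part of the original thread: it parses the .cxr register lines and faulting instruction quoted in the post and tests whether the memory operand's address is canonical. It assumes 48-bit virtual addressing; the function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the .cxr output quoted in the thread.
CXR_OUTPUT = """\
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd00028d3d990
rdx=8a82000000000000 rsi=0000000000d84000 rdi=ffffd00028d3d990
rip=fffff801297035e4 rsp=ffffd00028d3d930 rbp=0000000000000000
 r8=ffffd00028d3d9f0  r9=0000000000000000 r10=ffffe0005a6025e0
fffff801`297035e4 48890a          mov     qword ptr [rdx],rcx ds:002b:8a820000`00000000=????????????????
"""

REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")
# Disassembly line: address, opcode bytes, then the instruction text.
INSN_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]+\s+(.+)$", re.M)
# Memory operand of the form [reg] or [reg+NNh] / [reg-NNh].
MEM_RE = re.compile(r"\[(r[a-z0-9]{1,2})(?:([+-])([0-9a-f]+)h)?\]")


def is_canonical(va, va_bits=48):
    """True if bits 63..(va_bits-1) are all equal (sign-extended address)."""
    top = va >> (va_bits - 1)                 # bit 47 and everything above
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def triage(text):
    """Return the faulting memory operand and whether its address is canonical."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    insn = INSN_RE.search(text)
    if not insn:
        return None
    mem = MEM_RE.search(insn.group(1))
    if not mem or mem.group(1) not in regs:
        return None                            # no simple base-register operand
    base, sign, disp = mem.groups()
    addr = regs[base]
    if disp:
        addr += int(disp, 16) * (1 if sign == "+" else -1)
    addr &= (1 << 64) - 1                      # wrap to 64 bits
    return {"base": base, "address": addr, "canonical": is_canonical(addr)}


if __name__ == "__main__":
    result = triage(CXR_OUTPUT)
    print(f"[{result['base']}] = {result['address']:#018x} "
          f"canonical={result['canonical']}")
```

A noncanonical pointer like this one faults on any access, regardless of what the page tables contain.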
 
Deleted the current dumps in c/windows/minidump, and driver verifier is run. Will update when something happens.
 
Well, KMD's are generated in C:\Windows unless you've changed the path manually. Regardless, I look forward to your update.
 
