Blue screens over various computers for same user

PatD

I have a user that has been having blue screens on her system since we took over IT for this company 18 months ago. Previous IT provider would just buy her new hardware every 12 months. User has insisted on that again mainly because we haven't been given the opportunity to troubleshoot.

So. . . She has brand new hardware. All drivers, firmware, etc., up-to-date. I'm 99.9% positive this is not a driver or hardware issue. User has had the laptop for two weeks and already getting blue screens.

She has minimal software and is insistent that no one else with the same software has these issues (Which I concur with.) Much of the software she has installs plug-ins in Outlook and her Outlook has issues occasionally. So my first response is to point the blow torch there. Unfortunately, user has been unwilling to work without her add-ins (Salesforce, Zoom, etc.) as she needs those for work. We finally got her to allow us to uninstall them all (Just now.) So we wait.

In the meantime, I did get a few minidumps from her machine. I would be most grateful if someone looked them over. Nothing in them is jumping out at me, but I'm just looking using BlueScreenView.

Files are located here - Dropbox - Minidump20181119.zip

Any help is appreciated! Thanks!
 
Hi PatD,

The dumps don't have much in common except they seem to be caused by random memory corruption. I don't see any drivers I recognize as having caused problems on other systems and all of the 3rd party drivers look quite recent.

The only thing I see in common with 2 of the dumps is what looks like a pnp issue:
Code:
5: kd> !blackboxpnp
    PnpActivityId      : {00000000-0000-0000-0000-000000000000}
    PnpActivityTime    : 131871186615641219
    PnpEventInformation: 3
    PnpEventInProgress : 0
    PnpProblemCode     : 24
    PnpVetoType        : 0
    DeviceId           : SWD\DAFWSDProvider\urn:uuid:0f114574-110f-d1fc-c0d5-b1052cee5e16
    VetoString         :

The problem code is 24 and I believe this site has the meanings for those codes (not 100 percent sure, though.) I think the device ID is a printer but not sure about that, either. Printer drivers aren't kernel drivers so shouldn't cause bugchecks but maybe it is intermittently having issues which is confusing something in the kernel which doesn't expect it to be having problems... maybe. An old printer driver being installed via a driver disc that came with the printer, perhaps? I'm just speculating, really. It could explain the problem being common amongst several computers. However, 1 of the dumps doesn't show a pnp problem.

The randomness of the bugcheck codes and callstacks would have me suspecting hardware, honestly. What hardware diagnostics have you done which makes you confident it's not a hardware problem?

 
Honestly, I've done no hardware diagnostics. I'm confident it's software though (Can't prove it) because these issues have followed the user through 3-4 laptops now. She said she was getting constant blue screens yesterday until I went in and yanked a bunch of crap HP loads with their printers and every add-in from Outlook got yanked. No complaints in 24 hours (Though user also has a tendency to not mention issues until she has 50 of them and blows things out of proportions.)
 
It is not, though the users work(ed) in the same office (The user in that post left the company a few months after.) We never resolved the issue. We sent her a loaner laptop and she continued on with that without issue. I really feel her original machine was having a hardware issue, but no amount of troubleshooting could get it to blue screen. We rebuilt it and it got used as a loaner I believe - never heard any more about it.
 
Starting to wonder if this is hardware now. More work on the machine today in terms of fixing some odd Outlook issues. During Office repairs, it blue screens. I logged in as myself instead of the end user and it's now blue screening on my profile, which it was not doing before. Can only get one-two minutes on the machine before it blue screens again. I was able to grab a full memory dump from one of these blue screens. https://www.dropbox.com/s/ot1j8v4p07kp8by/MEMORY 20181127.zip?dl=1

Anything? Unfortunately, I'll probably have to get the user to ship the machine to me to start really running diags unless the memory dump turns something up.
 
Idk if you're still checking in on this, but...

Code:
4: kd> ln fffff803b0cd8258
Browse module
Set bu breakpoint

(fffff803`b0cd81f0)   nt!HvpGetCellPaged+0x68   |  (fffff803`b0cd82d0)   nt!HvpReleaseCellPaged

Exception occurred in the HvpGetCellPaged function, specifically 0x68. We also see mention of ReleaseCellPaged, both of which are functions that are involved in the Windows registry.

Code:
PROCESS_NAME:  Registry

We can see the process that crashed at the bug check was also the registry process itself.

Code:
4: kd> !process registry
PROCESS ffffdd01958e0040
    SessionId: none  Cid: 0078    Peb: 00000000  ParentCid: 0004
    DirBase: 483400002  ObjectTable: ffffba8e6e226040  HandleCount:   0.
    Image: Registry

Code:
4: kd> knL
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 ffff8202`4d8770b8 fffff803`b0d0ed30 nt!HvpGetCellPaged+0x68
01 ffff8202`4d8770c0 fffff803`b0e97cac nt!CmpDoCompareKeyName+0x30
02 ffff8202`4d877120 fffff803`b0d0e1d3 nt!CmpCompareInIndex+0x18992c
03 ffff8202`4d877170 fffff803`b0d0c1e6 nt!CmpFindSubKeyInRoot+0x83
04 ffff8202`4d8771e0 fffff803`b0cddbf4 nt!CmpWalkOneLevel+0x726
05 ffff8202`4d8772e0 fffff803`b0cd4cdd nt!CmpDoParseKey+0x1414
06 ffff8202`4d8776b0 fffff803`b0cdb2ab nt!CmpParseKey+0x26d
07 ffff8202`4d877890 fffff803`b0cecd1f nt!ObpLookupObjectName+0x73b
08 ffff8202`4d877a70 fffff803`b0cec9c8 nt!ObOpenObjectByNameEx+0x1df
09 ffff8202`4d877bb0 fffff803`b0ce903a nt!CmOpenKey+0x298
0a ffff8202`4d877e00 fffff803`b09aef13 nt!NtOpenKey+0x12
0b ffff8202`4d877e40 00007ff9`918fa1d4 nt!KiSystemServiceCopyEnd+0x13
0c 00000000`04b6da78 00000000`00000000 0x00007ff9`918fa1d4

We're doing some registry key stuff at the time of the crash, all stemming from the opening of a preexisting key. I'm really curious about buggy malware here, so I recommend running a scan. I'd start with Malwarebytes.
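The stack in the post above, broken down by kernel component, as an added example that is not part of the original post. The prefix-to-component map is general Windows internals convention and the `SUSPECT_OFFSET` threshold is an assumption chosen for illustration.

```python
import re
from collections import Counter

# The `knL` frames quoted in the post above, copied verbatim.
STACK = """\
00 ffff8202`4d8770b8 fffff803`b0d0ed30 nt!HvpGetCellPaged+0x68
01 ffff8202`4d8770c0 fffff803`b0e97cac nt!CmpDoCompareKeyName+0x30
02 ffff8202`4d877120 fffff803`b0d0e1d3 nt!CmpCompareInIndex+0x18992c
03 ffff8202`4d877170 fffff803`b0d0c1e6 nt!CmpFindSubKeyInRoot+0x83
04 ffff8202`4d8771e0 fffff803`b0cddbf4 nt!CmpWalkOneLevel+0x726
05 ffff8202`4d8772e0 fffff803`b0cd4cdd nt!CmpDoParseKey+0x1414
06 ffff8202`4d8776b0 fffff803`b0cdb2ab nt!CmpParseKey+0x26d
07 ffff8202`4d877890 fffff803`b0cecd1f nt!ObpLookupObjectName+0x73b
08 ffff8202`4d877a70 fffff803`b0cec9c8 nt!ObOpenObjectByNameEx+0x1df
09 ffff8202`4d877bb0 fffff803`b0ce903a nt!CmOpenKey+0x298
0a ffff8202`4d877e00 fffff803`b09aef13 nt!NtOpenKey+0x12
0b ffff8202`4d877e40 00007ff9`918fa1d4 nt!KiSystemServiceCopyEnd+0x13
0c 00000000`04b6da78 00000000`00000000 0x00007ff9`918fa1d4
"""
# Conventional NT routine prefixes (general Windows internals knowledge, not from the thread).
PREFIXES = (("Hv", "hive storage"), ("Cm", "Configuration Manager"), ("Ob", "Object Manager"),
            ("Ki", "kernel dispatch"), ("Nt", "system service"))
SUSPECT_OFFSET = 0x10000  # assumed threshold: an offset this large is unlikely to lie inside one routine
FRAME = re.compile(r"^([0-9a-f]{2})\s+\S+\s+\S+\s+(?:(\w+)!(\w+)\+0x([0-9a-f]+)|(0x\S+))$")

def parse_stack(text):
    """Turn kn-style output into one dict per frame; non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # header or other debugger output
        idx, module, symbol, offset, raw = m.groups()
        comp = next((n for p, n in PREFIXES if symbol and symbol.startswith(p)), "unresolved" if raw else "other")
        frames.append({"index": int(idx, 16), "symbol": f"{module}!{symbol}" if symbol else None,
                       "component": comp, "suspect": bool(offset) and int(offset, 16) > SUSPECT_OFFSET})
    return frames

def summarize(frames):
    resolved = [f for f in frames if f["symbol"]]
    return {
        "faulting": resolved[0]["symbol"],
        "syscall": next((f["symbol"] for f in resolved if f["component"] == "system service"), None),
        "components": Counter(f["component"] for f in resolved),
        "suspect_frames": [f["index"] for f in frames if f["suspect"]],
    }

if __name__ == "__main__":
    print(summarize(parse_stack(STACK)))
```

Frame 02 is flagged because `+0x18992c` is far larger than any other offset in the trace, which usually means the name shown is only the nearest symbol. Running the same summary over each dump makes it easy to compare faulting components across crashes.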
 
Still following, thanks so much for replying! Almost out of ideas!

I'll see if I can get the machine back online long enough to run some scans. Thanks.
 
No dice. Was able to get on the machine today and Malwarebytes shows a very clean machine. Kept crashing after that.

User is going to be local next week and I'll have my hands on the machine then. We'll see.
 
MWB wouldn't show a rootkit which was my theory, however I wanted a MWB scan just to be sure there was nothing else going on.

I'm going to recommend enabling Driver Verifier on this machine to be sure before we continue, just so we can rule out any glaring driver issues. If none, it's either some nasty/buggy rootkit or perhaps OS corruption. It's really hard to say with just minidumps and nothing to really go off of for now. Keep us updated.
 
@Patrick, reply number 6 has a link to a full kernel dump - just in case you missed it.
 
Finally have the machine in my hands. It's running the built-in Lenovo diagnostics now. CPU already passed, it's testing RAM now and it's completed all but the last test, which says it will take about three hours.

Any other diagnostics that are recommended? @Patrick, did you get a chance to look at the full kernel dump?

I'll run the driver verifier this afternoon once diags are done, assuming I can get it back in to Windows. May be doing a rebuild since my first few attempts to boot to Windows resulted in blue screens with different codes each time.
 
I'm going to take a look yet because of what you said here:

May be doing a rebuild since my first few attempts to boot to Windows resulted in blue screens with different codes each time.

On-boot or shortly after-boot crashes indicate a potential driver issue that is loaded from startup or once again shortly after. Enable DV, restart, and then we'll go from there. Ensure that the next crash you post here is a kernel dump like you did in post #6, please.
 
I'm going to say this machine is toast. All hardware diagnostics (From Lenovo) passed. However, I can't get it to boot in to Windows no matter what. And. . . When I put my flash drive in to reimage it from scratch - also blue screens. I either get a stop code of 0xc000021a or APC_INDEX_MISMATCH. So I can't even rebuild from scratch!
 
So. . . She has brand new hardware. All drivers, firmware, etc., up-to-date. I'm 99.9% positive this is not a driver or hardware issue. User has had the laptop for two weeks and already getting blue screens.
RE: Highlighted area - BSODs are caused by either hardware issues (usually outright hardware failure) or software - most often by a 3rd party (non-Microsoft) kernel-mode driver.

So, in your highlighted statement, you claim that you're 99.9% sure that the BSOD cause IS NOT a driver nor hardware, but the question begs -- what else is there besides driver (software) or a hardware issue that could cause a BSOD?

The cause of a BSOD has to be one of the two.

Any dodgy apps that she has installed on this new system? Any apps at all installed on her own outside of those sanctioned by the company? (Most companies do not allow the installation of random 3rd party apps onto work-owned computers).

If all OK initially with brand new system for two weeks, then suddenly BSODs appear, it could be related to the installation of an app whose driver(s) don't play nice with Windows 10's drivers. The W10 drivers and the app's drivers may clash, often times over memory addresses, and BSODs result. However, there are many, many other reasons as well that can cause BSODs. But - the reason HAS TO BE either hardware or software.

Check the Reliability Monitor (RELMON) for app crashes/crash info as well as [possible] app installation info (not sure if RELMON reports app install info or not). You may find signs of the offensive app (assuming that a driver is responsible) crashing, but not causing a BSOD. Both APPCRASH info and BSOD info are available in RELMON. Look around and see if any APPCRASHes and BSODs share anything in common.

Hit WIN KEY; type or paste perfmon /rel; select either perfmon /rel or Reliability Monitor, whichever appears; analyze output as mentioned above and a few other items are below.

You can also enter perfmon /rel into a CMD screen, if easier for you.

It will take about a minute for RELMON to populate. Then. . .

You can click on the red "x" and blue circles containing the letter "i" for additional info below the graph.

You can also click on most items shown below the graph that are colored blue.

Once you've chosen a red or blue item (not sure if there are other colors - mine just shows red and blue items in the graph), you can then double-click on the line item below the graph. This will provide additional detailed info that may be helpful to us; not sure - no way to know until we see it. You should be able to select all (CTRL-A), then copy/paste into a post. If you do so, please enclose the info inside of a code box (click on the number sign/hash tag) in the editor menu. You'll see this appear:

Code:
[CODE]
[/CODE]

Insert the code between the tags.

My apologies for the introductory detail info if you already know all of this. I have no way of knowing what you do or do not know.

Create as many code boxes as you need to.

Any other changes that she has made to the computer prior to the BSODs starting that you know of?

By the way, RELMON will reveal the exact start date of the BSODs.

EDIT: Are there any external devices like a DVD player or LCD Writing Tablet attached to the system? Any external devices at all? If YES, does the device require either software &/or a driver?

Lastly, can you please run - Blue Screen of Death (BSOD) Posting Instructions - Windows 10, 8.1, 8, 7 + Vista

... and ATTACH the resulting ZIP file to your post?

Just run steps 1 and 2. No need to create a new thread and the rest of the steps have pretty much been taken care of.

Regards. . .

jcgriff2
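The comparison of app crashes and BSODs suggested in the post above can also be scripted against the WMI class behind Reliability Monitor; this is an added example, not part of the original post. The 30-day and 24-hour windows and the source-name filters are assumptions, so check the sources actually present on the machine with the `Group-Object SourceName` line first.

```powershell
# Records behind Reliability Monitor (perfmon /rel), oldest first.
# Assumption: a 30-day look-back window.
$since   = (Get-Date).AddDays(-30)
$records = Get-CimInstance -ClassName Win32_ReliabilityRecords |
    Where-Object { $_.TimeGenerated -ge $since } |
    Sort-Object TimeGenerated

# Which event sources are present on this machine (adjust the filters below to match).
$records | Group-Object SourceName | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Assumed source names: bugcheck reports, application crashes, installs/updates.
$bsods      = @($records | Where-Object SourceName -eq 'Microsoft-Windows-WER-SystemErrorReporting')
$appCrashes = @($records | Where-Object SourceName -eq 'Application Error')
$installs   = @($records | Where-Object { $_.SourceName -in 'MsiInstaller', 'Microsoft-Windows-WindowsUpdateClient' })

if ($bsods.Count -eq 0) {
    'No bugcheck records in the window.'
    return
}
'First BSOD in window: {0}' -f $bsods[0].TimeGenerated

# For every BSOD, collect the app crashes and installs from the preceding 24 hours.
$preceding = foreach ($b in $bsods) {
    $from = $b.TimeGenerated.AddHours(-24)
    ($appCrashes + $installs) |
        Where-Object { $_.TimeGenerated -ge $from -and $_.TimeGenerated -lt $b.TimeGenerated } |
        ForEach-Object {
            [pscustomobject]@{
                BsodTime  = $b.TimeGenerated
                EventTime = $_.TimeGenerated
                Source    = $_.SourceName
                Product   = $_.ProductName
            }
        }
}

# Products that show up before more than one BSOD are the ones to look at first.
$preceding | Sort-Object BsodTime, Product -Unique |
    Group-Object Product | Where-Object Count -gt 1 |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```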
 
jcgriff2,

Thanks for the well written response. You're right - hardware or drivers is generally it. I jumped the gun on hardware only because this user has had issues no matter what hardware we have given her for years.

Anyway, thanks to everyone for your help. Has to be hardware at this point. Lenovo agrees and they're sending a tech with a system board, RAM and a drive since they can't be certain which is causing the issue.

--Pat
 
I'm just going to let you know that 0x1 is typically a device driver problem 99% of the time with the rare occasion of a file system or drive issue, and I am once again trying to reiterate that enabling verifier and providing us with a post-verifier kernel dump will lead us in the right direction. You seem to have already convinced yourself otherwise though, so I wish you luck.
 
Patrick - I would be happy to enable verifier - but how? I can't get the machine to boot in regular mode. I can't get to safe mode because it won't respond to F8. So I tried to boot from an ISO to adjust bcd for safe mode, and it still blue screens. Also can't boot to the flash drive/ISO to rebuild.

If you have a way for me to enable verifier without getting the machine to boot, I'm all for it. The fact that I can't boot off of an ISO on a USB flash drive (And other test machines boot fine from the same ISO/flash) would lead me to believe hardware, no?
 
