BSOD Blues { Critical Structure Corruption}

J

John B

Active member
Joined
Dec 20, 2015
Posts
42
Hi there, like everyone else in here I got the lovely blue screen blues,
Here is the info that I hope you need to help me with this problem

MSconfig.txt

you need the actual Dump file I can provide that.

thanks in advance for any help.
 

Attachments

Hi John,

I haven't looked in-depth in the 0x109 to see if I can make something of them, but I'll post some preliminary analysis of what I've found so far, specifically with the 0xC9.

SaiMini.sys is making a request but whoever it is sent to doesn't support the request.
Unfortunately, I could not find what device or program SaiMini is related to, but it looks to be developed by SaiTek.
Driver Reference Table (DRT) | SaiMini.sys
Code: 
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
The IO manager has caught a misbehaving driver.
Arguments:
Arg1: 000000000000023b, The caller has changed the status field of an IRP it does not understand.
Arg2: fffff80c8ba12430, The address in the driver's code where the error was detected.
Arg3: ffffe28cda76cd80, IRP address.
Arg4: 0000000000000000

5: kd> !irp ffffe28cda76cd80 1
Irp is active with 5 stacks 5 is current (= 0xffffe28cda76cf70)
No Mdl: No System Buffer: Thread 00000000: Irp stack trace.
Flags = 40000000
ThreadListEntry.Flink = ffffe28cda76cda0
ThreadListEntry.Blink = ffffe28cda76cda0
IoStatus.Status = c0000010
IoStatus.Information = 00000000
RequestorMode = 00000000
Cancel = 00
CancelIrql = 0
ApcEnvironment = 00
UserIosb = 00000000
UserEvent = 00000000
Overlay.AsynchronousParameters.UserApcRoutine = 00000000
Overlay.AsynchronousParameters.UserApcContext = 00000000
Overlay.AllocationSize = 00000000 - 00000000
CancelRoutine = 00000000
UserBuffer = 00000000
&Tail.Overlay.DeviceQueueEntry = ffffe28cda76cdf8
Tail.Overlay.Thread = 00000000
Tail.Overlay.AuxiliaryBuffer = 00000000
Tail.Overlay.ListEntry.Flink = 00000000
Tail.Overlay.ListEntry.Blink = 00000000
Tail.Overlay.CurrentStackLocation = ffffe28cda76cf70
Tail.Overlay.OriginalFileObject = 00000000
Tail.Apc = 00000000
Tail.CompletionKey = 00000000
cmd flg cl Device File Completion-Context
[N/A(0), N/A(0)]
0 2 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 ffffffffc0000010
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[IRP_MJ_SYSTEM_CONTROL(17), IRP_MN_???(ff)]
0 2 ffffe28cd3187060 00000000 00000000-00000000
*** WARNING: Unable to verify timestamp for SaiMini.sys
\Driver\SaiMini
Args: ffffe28cdf71e4b0 00000000 00000000 00000000
>[IRP_MJ_SYSTEM_CONTROL(17), IRP_MN_???(ff)]
0 e0 ffffe28cd3187060 00000000 fffff8001ad811b0-ffff800d1e4d8780 Success Error Cancel
\Driver\SaiMini nt!ViIrpSynchronousCompletionRoutine
Args: ffffe28cdf71e4b0 00000000 00000000 00000000

Irp Extension present at 0xffffe28cda76cfb8:

5: kd> !error c0000010
Error code: (NTSTATUS) 0xc0000010 (3221225488) - The specified request is not a valid operation for the target device.

5: kd> lmvm SaiMini
Browse full module list
start end module name
fffff80c`8ba00000 fffff80c`8ba04080 SaiMini T (no symbols)
Loaded symbol image file: SaiMini.sys
Image path: \SystemRoot\System32\drivers\SaiMini.sys
Image name: SaiMini.sys
Browse all global symbols functions data
Timestamp: Mon Jan 23 12:02:39 2017 (5885E2CF)
CheckSum: 0000E54B
ImageSize: 00004080
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:

5: kd> !devobj ffffe28cd3187060 f
fffff8001a858a70: Unable to get value of ObpRootDirectoryObject
Device object (ffffe28cd3187060) is for:
InfoMask field not found for _OBJECT_HEADER at ffffe28cd3187030
\Driver\SaiMini DriverObject ffffe28cd30e8b40
Current Irp ffffe28cda76cd80 RefCount 0 Type 00000022 Flags 00002050
SecurityDescriptor ffffd2076e72d520 DevExt ffffe28cd31871b0 DevObjExt ffffe28cd3187bc0
ExtensionFlags (0xf0000800) DOE_DEFAULT_SD_PRESENT, DOE_RAW_FDO,
DOE_BOTTOM_OF_FDO_STACK, DOE_DESIGNATED_FDO
Unknown flags 0x10000000
Characteristics (0000000000)
AttachedTo (Lower) ffffe28cdf71e4b0*** WARNING: Unable to verify timestamp for SaiBus.sys
\Driver\SaiNtBus
Device queue is not busy.

5: kd> !drvobj ffffe28cd30e8b40 f
fffff8001a858a70: Unable to get value of ObpRootDirectoryObject
fffff8001a858a70: Unable to get value of ObpRootDirectoryObject
Driver object (ffffe28cd30e8b40) is for:
\Driver\SaiMini

Driver Extension List: (id , addr)

Couldn't read extension at 0xffffe28cd30a9a90

Device Object list:
ffffe28cd318b060 ffffe28cdf720310: Could not read device object


DriverEntry: fffff80c8ba03664 SaiMini
DriverStartIo: 00000000
DriverUnload: fffff80c8ba00944 SaiMini
AddDevice: fffff80c8ba3c280 HIDCLASS!HidpAddDevice

Dispatch routines:
[00] IRP_MJ_CREATE fffff80c8ba12430 HIDCLASS!HidpMajorHandler
[01] IRP_MJ_CREATE_NAMED_PIPE fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[02] IRP_MJ_CLOSE fffff80c8ba12430 HIDCLASS!HidpMajorHandler
[03] IRP_MJ_READ fffff80c8ba12430 HIDCLASS!HidpMajorHandler
[04] IRP_MJ_WRITE fffff80c8ba12430 HIDCLASS!HidpMajorHandler
[05] IRP_MJ_QUERY_INFORMATION fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[06] IRP_MJ_SET_INFORMATION fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[07] IRP_MJ_QUERY_EA fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[08] IRP_MJ_SET_EA fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[09] IRP_MJ_FLUSH_BUFFERS fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[0b] IRP_MJ_SET_VOLUME_INFORMATION fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[0c] IRP_MJ_DIRECTORY_CONTROL fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[0d] IRP_MJ_FILE_SYSTEM_CONTROL fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[0e] IRP_MJ_DEVICE_CONTROL fffff80c8ba12430 HIDCLASS!HidpMajorHandler
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL fffff80c8ba12430 HIDCLASS!HidpMajorHandler
[10] IRP_MJ_SHUTDOWN fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[11] IRP_MJ_LOCK_CONTROL fffff8001a52f8a0 nt!IopInvalidDeviceRequest
[12] IRP_MJ_CLEANUP 00000000
[13] IRP_MJ_CREATE_MAILSLOT 00000000
[14] IRP_MJ_QUERY_SECURITY 00000000
[15] IRP_MJ_SET_SECURITY 00000000
[16] IRP_MJ_POWER 00000000
[17] IRP_MJ_SYSTEM_CONTROL 00000000
[18] IRP_MJ_DEVICE_CHANGE 00000000
[19] IRP_MJ_QUERY_QUOTA 00000000
[1a] IRP_MJ_SET_QUOTA 00000000
[1b] IRP_MJ_PNP 00000000


Device Object stacks:

!devstack ffffe28cd318b060 :
!DevObj !DrvObj !DevExt ObjectName
> ffffe28cd318b060 ffffe28cd318b060: Could not read device object or _DEVICE_OBJECT not found
ffffe28cd318b1b0 InfoMask field not found for _OBJECT_HEADER at ffffe28cd318b030


Could not read DeviceObjectExtension from DeviceObject 0xffffe28cd318b060

ffffe28cdf720310: Could not read device object
Error processing device objects. Processed 1 device objects before error.
5: kd> !devobj ffffe28cd318b060
ffffe28cd318b060: Could not read device object or _DEVICE_OBJECT not found

5: kd> !verifier

Verify Flags Level 0x001209bb

STANDARD FLAGS:
[X] (0x00000000) Automatic Checks
[X] (0x00000001) Special pool
[X] (0x00000002) Force IRQL checking
[X] (0x00000008) Pool tracking
[X] (0x00000010) I/O verification
[X] (0x00000020) Deadlock detection
[X] (0x00000080) DMA checking
[X] (0x00000100) Security checks
[X] (0x00000800) Miscellaneous checks
[X] (0x00020000) DDI compliance checking

ADDITIONAL FLAGS:
[ ] (0x00000004) Randomized low resources simulation
[ ] (0x00000200) Force pending I/O requests
[ ] (0x00000400) IRP logging
[ ] (0x00002000) Invariant MDL checking for stack
[ ] (0x00004000) Invariant MDL checking for driver
[ ] (0x00008000) Power framework delay fuzzing
[ ] (0x00010000) Port/miniport interface checking
[ ] (0x00040000) Systematic low resources simulation
[ ] (0x00080000) DDI compliance checking (additional)
[ ] (0x00200000) NDIS/WIFI verification
[ ] (0x00800000) Kernel synchronization delay fuzzing
[ ] (0x01000000) VM switch verification
[ ] (0x02000000) Code integrity checks

RESERVED FLAGS (use of these flags is unsupported):
[X] (0x00100000) Unused or reserved flag

[X] Indicates flag is enabled


Summary of All Verifier Statistics

RaiseIrqls 0x0
AcquireSpinLocks 0x8c
Synch Executions 0x0
Trims 0x3b8

Pool Allocations Attempted 0x5d5b5
Pool Allocations Succeeded 0x5d5b5
Pool Allocations Succeeded SpecialPool 0x5d5b5
Pool Allocations With NO TAG 0x0
Pool Allocations Failed 0x0

Current paged pool allocations 0x1326c for 00DA041A bytes
Peak paged pool allocations 0x13306 for 00DA3ADB bytes
Current nonpaged pool allocations 0x4fc1 for 010EEB4B bytes
Peak nonpaged pool allocations 0x4fc7 for 010F02DF bytes

Additionally, I noticed some programs from IObit.
Code: 
Start Menu\Programs\Advanced SystemCare Public:Start Menu\Programs\Advanced SystemCare Public
Start Menu\Programs\IObit Malware Fighter Public:Start Menu\Programs\IObit Malware Fighter Public
Start Menu\Programs\IObit Uninstaller Public:Start Menu\Programs\IObit Uninstaller Public
I would recommend removing them since quite a few programs of IObit don't have a nice history and there are alternatives that are better suited for the job.
- Advanced SystemCare is a program you really don't need with Windows 10, most of what Advanced SystemCare could do has been built in Windows for a long time with the exception for the registry part because the best a registry cleaner can do is remove unused registry keys but there's no real gain from it.
- IObit Malware Fighter was accused by Malwarebytes for stealing intellectual property a few years ago, aside from that the built-in Windows security is more than sufficient these days.
- IObit Uninstaller, Revo Uninstaller is, in my opinion (and of others (particularly in the security community (example: Answers to common security questions - Best Practices - Anti-Virus, Anti-Malware, and Privacy Software))), better suited for issues with removing software.
 
Last edited:
Thanks Axe0,
I have uninstalled those Iobit programs, and found out a bit more on SaiMini.sys, its a driver from a old Flight stick that my son used to use.
New issue is how do I get rid of the driver that doesnt show up anywere untill it causes problems.
Noob question here; Can I just go into system\drivers\ folder and just delete it. and reboot or is there steps to do this. looked on the web and everyone has their own way of doing it. any suggestions?
 
Generally it is not safe to just delete files in system\drivers, because they're often still tied to a service or program. Removal of just a part of a service or program can make the situation worse if done improperly, think about an unbootable system in a worst case scenario.

Deleting a file, but not knowing, or forgetting, about the rest that's related to it is what causes that kind of problems (unbootable system, error messages, ...). Sometimes, someone will attempt to delete all related files and folders in a difficult way outside Windows, but they're forgetting one thing, the registry. It's possible to delete everything manually, but you have to do a lot of research to find out what you have to delete in the registry and hope you don't accidentally delete something else. As the registry probably has a lot more 'files and folders' (values and keys) than what you see in Windows Explorer it is really easier and safer to go a different route.

Do you know what this software is called that's related to this old Flight stick?
 
I just tryed to do a search to see if the program was still in here somewhere, but I think its just a driver so you can use all of those lovely button and calibrate it. Would instaling updated driver for the flight stick work? its a AV8R-01 model ( dont laugh I know its old)
 
After typing that last reply I didi another search and cam up with this I think this is the program, it has all of the Sai files in here.SaiMF.exe is also on my programs list able to uninstall.
 

Attachments

  • Capture.JPG
    Capture.JPG
    117.5 KB · Views: 3
If you no longer need it, I suggest removing it. Or update it.
 
Unfortunately, it doesn't work like that.

With BSOD crashes, we have to wait to see if they return. Normally the logs can't be used to prevent BSOD crashes, there might be an exception but it is not applicable here.

How long do you have to wait? In your case I'd say about a day or 2. If, after 2 days, no BSOD crash happened then it's safe to say the problem is solved.
 
Ahhh I see. Well in that case, I post next time it happens ( crossing fingers that's not the case) and in two days time if there is no BSOD crash, Ill come back and give the forum a update that all is good. Dank je for your help so far.
 
I'll wait for your update.

Graag gedaan / you're welcome.
 
Hi there Mr Pepka,
I just want to confirm that I have the correct BIOS.
My card is a V4.0 not a 4.1 ( does that matter?)
and with my processor 8350 I would get the F1 from
.gigabyte.com/Motherboard/GA-990FXA-UD3-rev-40/support#support-dl-bios
is this correct?
 
In one of the crash dumps the acedrv11.sys driver was found guilty, which is from the ProtectDISC program. If you don't know what it is, I'm in a hurry to explain. This is an anti-piracy protection used by some games, so check if there is one among the games that are installed,
and uninstall the security itself because it still has the status of EOL (End Of Life)
 
I now this is going to be a loaded question but, is there a program or a n easy way to find out what game/ program is running the acedrv.11.sys?
 
I don't think so. Look in Add / Remove programs if you have ProtectDISC driver 11 (or something similar) on the list and remove it. If the acedrv11.sys driver is still in the system, remove it manually
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top