BSOD : IRQ_NOT_LESS_OR_EQUAL & PAGE_FAULT_IN_NONPAGED_AREA - Windows 8.1 x64

re: BSOD : IRQ_NOT_LESS_OR_EQUAL & PAGE_FAULT_IN_NONPAGED_AREA - Windows 8.1 x64

FAT_FILE_SYSTEM (23)

This indicates that a problem occurred in the FAT file system.

Code:
0: kd> .bugcheck
Bugcheck code 00000023
Arguments 00000000`000e0117 ffffd001`4a22ef98 ffffd001`4a22e7a0 fffff802`07b36d22

Code:
0: kd> .exr ffffd0014a22ef98
ExceptionAddress: fffff80207b36d22 (nt!KiTryUnwaitThread+0x0000000000000032)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

Taking a look at the exception record regarding the 2nd parameter, we can see we hit an access violation off of KiTryUnwaitThread.

Code:
0: kd> .cxr ffffd0014a22e7a0
rax=ffffd0014a22f228 rbx=0012b232000f0caf rcx=fffff80207d79180
rdx=fffff80207d79be0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80207b36d22 rsp=ffffd0014a22f1d0 rbp=fffff80207d79be0
 r8=0000000000000100  r9=0000000000000000 r10=00000000000001c8
r11=ffffe001ac2d2000 r12=0000000000000000 r13=ffffe001ad5e7540
r14=fffff80207d79180 r15=0000000000000100
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!KiTryUnwaitThread+0x32:
fffff802`07b36d22 f0480fba6b4000  lock bts qword ptr [rbx+40h],0 ds:002b:0012b232`000f0cef=????????????????

Looks (?) like it was trying to grab a spinlock but the pointer was invalid.

Code:
0: kd> !pte 0012b232000f0caf 
                                           VA 0012b232000f0caf
PXE at FFFFF6FB7DBEDB20    PPE at FFFFF6FB7DB64640    PDE at FFFFF6FB6C8C8000    PTE at FFFFF6D919000780
Unable to get PXE FFFFF6FB7DBEDB20
WARNING: noncanonical VA, accesses will fault !

A lot of register/file system stuff in the call stack:

Code:
ffffd001`4a22f1d0 fffff802`07be0853 nt!KiTryUnwaitThread+0x32
ffffd001`4a22f230 fffff802`07aa6be6 nt! ?? ::FNODOBFM::`string'+0x98a3
ffffd001`4a22f390 fffff802`07b4be73 nt!KiDeliverApc+0x166
ffffd001`4a22f410 fffff802`07b4be1a nt!KiCheckForKernelApcDelivery+0x23
ffffd001`4a22f440 fffff802`07b0ee0d nt!MmWaitForCacheManagerPrefetch+0xa6
ffffd001`4a22f480 fffff802`07e9ca5f nt!CcFetchDataForRead+0xe5
ffffd001`4a22f4d0 fffff802`07b0ebbe nt!CcMapAndCopyFromCache+0xc7
ffffd001`4a22f560 fffff801`3ede3fbb nt!CcCopyReadEx+0x106
ffffd001`4a22f5d0 fffff801`3edbeb40 fastfat!FatCommonRead+0x76f
ffffd001`4a22f720 fffff801`3c5a1cf8 fastfat!FatFsdRead+0x18c
ffffd001`4a22f7b0 fffff801`3c5a00b6 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x258
ffffd001`4a22f850 fffff802`07e52d68 fltmgr!FltpDispatch+0xb6
ffffd001`4a22f8b0 fffff802`07e50916 nt!IopSynchronousServiceTail+0x170
ffffd001`4a22f980 fffff802`07bd22b3 nt!NtReadFile+0x656
ffffd001`4a22fa70 fffff802`07bca700 nt!KiSystemServiceCopyEnd+0x13
ffffd001`4a22fc78 fffff802`07ec91dd nt!KiServiceLinkage
ffffd001`4a22fc80 fffff802`07ec42e5 nt!CmpFileRead+0xb9
ffffd001`4a22fd30 fffff802`07ec35a7 nt!HvpGetHiveHeader+0x69
ffffd001`4a22fd80 fffff802`07ec2ea5 nt!HvLoadHive+0x3b
ffffd001`4a22fe20 fffff802`07ec282a nt!HvInitializeHive+0x24d
ffffd001`4a22fe80 fffff802`07ec6380 nt!CmpInitializeHive+0x4b6
ffffd001`4a22ff70 fffff802`07ec064b nt!CmpInitHiveFromFile+0x268
ffffd001`4a2300f0 fffff802`07ec0452 nt!CmpCmdHiveOpen+0x8b
ffffd001`4a230300 fffff802`07ebfa1a nt!CmLoadKey+0x12e
ffffd001`4a230440 fffff802`07f5f9f1 nt!NtLoadKeyEx+0x67e
ffffd001`4a2306a0 fffff802`07bd22b3 nt!NtLoadKey2+0x21
ffffd001`4a2306f0 fffff802`07bca700 nt!KiSystemServiceCopyEnd+0x13
ffffd001`4a230888 fffff802`07f53427 nt!KiServiceLinkage
ffffd001`4a230890 fffff802`07f530ee nt!BiLoadHive+0x123
ffffd001`4a230970 fffff802`07f52d0a nt!BiAddStoreFromFile+0x66
ffffd001`4a230a00 fffff802`07f537ec nt!BiLoadSystemStore+0xa2
ffffd001`4a230a40 fffff802`07f53726 nt!BiOpenSystemStore+0xb4
ffffd001`4a230ab0 fffff802`07f4ab4f nt!BcdOpenSystemStore+0x1a
ffffd001`4a230ae0 fffff802`07df0bc2 nt!PopFreeHiberContext+0x2b
ffffd001`4a230b20 fffff802`07af3acc nt!PopUnlockAfterSleepWorker+0x42
ffffd001`4a230b50 fffff802`07b77440 nt!ExpWorkerThread+0x28c
ffffd001`4a230c00 fffff802`07bcd0c6 nt!PspSystemThreadStartup+0x58
ffffd001`4a230c60 00000000`00000000 nt!KiStartSystemThread+0x16

This tells me the issue we're seeing here is probably and likely being caused by a security product (registry calls as well as things like NtReadFile).

Consider not running Malwarebytes premium + Panda at the same time. With that said, try uninstalling MWB for now. If you crash even after uninstalling it, contact Panda for support.
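
The address arithmetic behind the .cxr and !pte output in the post above, as an added example that is not part of the original post. The function names are hypothetical, and the fixed self-map base addresses are an assumption that holds for x64 Windows before Windows 10 1607, which includes this Windows 8.1 system.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: fixed page-table self-map bases used by x64 Windows before
   Windows 10 1607. Later builds randomize them, so read them from the
   debugger there instead of hard-coding. */
#define PTE_BASE 0xFFFFF68000000000ULL
#define PDE_BASE 0xFFFFF6FB40000000ULL
#define PPE_BASE 0xFFFFF6FB7DA00000ULL
#define PXE_BASE 0xFFFFF6FB7DBED000ULL

struct pte_walk { uint64_t pxe, ppe, pde, pte; };

/* Canonical with 48-bit addressing: bits 63..47 are all zeros or all ones. */
int is_canonical(uint64_t va)
{
    uint64_t top = va >> 47;                 /* the 17 upper bits */
    return top == 0 || top == 0x1FFFF;
}

/* Where each paging-structure entry for va lives in the self-map.
   Bits 63..48 are ignored, which is why !pte still prints addresses
   for a pointer the CPU would refuse to translate. */
struct pte_walk pte_addresses(uint64_t va)
{
    struct pte_walk w;
    w.pxe = PXE_BASE + ((va >> 39) & 0x1FFULL) * 8;
    w.ppe = PPE_BASE + ((va >> 30) & 0x3FFFFULL) * 8;
    w.pde = PDE_BASE + ((va >> 21) & 0x7FFFFFFULL) * 8;
    w.pte = PTE_BASE + ((va >> 12) & 0xFFFFFFFFFULL) * 8;
    return w;
}

int main(void)
{
    uint64_t rbx = 0x0012b232000f0cafULL;    /* rbx from the .cxr output */
    uint64_t target = rbx + 0x40;            /* operand of lock bts [rbx+40h] */
    struct pte_walk w = pte_addresses(rbx);

    printf("target    %016llx canonical=%d\n",
           (unsigned long long)target, is_canonical(target));
    printf("PXE %016llx  PPE %016llx\nPDE %016llx  PTE %016llx\n",
           (unsigned long long)w.pxe, (unsigned long long)w.ppe,
           (unsigned long long)w.pde, (unsigned long long)w.pte);
    return 0;
}
```

A noncanonical access raises a general protection fault rather than a page fault, and Windows reports it as c0000005 with address ffffffffffffffff, which is what the exception record shows.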
 
re: BSOD : IRQ_NOT_LESS_OR_EQUAL & PAGE_FAULT_IN_NONPAGED_AREA - Windows 8.1 x64

Thank you, Sir. I'll uninstall Malwarebytes and see if it fixes the problem. Also, would you please recommend me a good Anti Malware solution as my Antivirus is free.
 
re: BSOD : IRQ_NOT_LESS_OR_EQUAL & PAGE_FAULT_IN_NONPAGED_AREA - Windows 8.1 x64

My mistake, I thought I saw kernel-mode drivers from MBAM that are loaded when premium is initiated as opposed to its free non-active protection. With that said, keep MWB but remove/replace Panda with Windows Defender for now.

Panda removal - http://www.pandasecurity.com/resources/sop/UNINSTALLER_08.exe

Windows Defender (how to turn on after removal)

A. Navigate to Control Panel (with icons). You can do this by hitting Start > Search > Control Panel. Once in Control Panel, change the drop-down from Category to Large and/or Small icons.

B. Among the list of icons, find and click Action Center.

C. Assuming the removal of your prior antivirus software went properly, you will notice for both Spyware and unwanted software protection (important) and Virus protection (important), it'll have a button labeled Turn on now. Click this button (it doesn't matter which, as Windows Defender serves as both in Windows 8/8.1).
 
Hello Sir,
I uninstalled both MWB and PAV and have attached the Sysnative File collection and Performance Reports. Just to inform you, I'm still facing BSODs. Kindly check my reports and recommend me a good Antivirus.
Thank You.
 
Hello Sir,
Now I am facing FAT_FILE_SYSTEM BSOD. Please check the reports and suggest me a solution.
 
I still happen to see a loaded Malwarebytes driver:

Code:
0: kd> lmvm mbae64
start             end                 module name
fffff800`f59ae000 fffff800`f59bb780   mbae64     (deferred)             
    Image path: \??\C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys
    Image name: mbae64.sys
    Timestamp:        Mon Sep 08 14:27:15 2014

Specifically the anti-exploit software.

If you crash again after its removal, enable verifier please or there's not much I can debug:

Driver Verifier:

What is Driver Verifier?

Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.

Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - Restore Point - Create in Windows 8

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (only on Windows 7 & 8/8.1)
- DDI compliance checking (only on Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- Perhaps the most important point, which I will now clarify as this has often been misunderstood: enabling Driver Verifier by itself is not a solution, but instead a diagnostic utility. It will tell us if a driver is causing your issues, but again it will not outright solve your issues.

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.

- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.

- If you have the system set to generate Kernel Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.

Any other questions can most likely be answered by this article:

http://support.microsoft.com/kb/244617
 
My apologies, you crashed after its removal just to be sure, correct? If so, you can keep it installed and just enable verifier.
 
Hello Sir,
I enabled Driver Verifier as per your instructions and after rebooting my system didn't throw a BSOD. I have gathered the reports after the reboot. Please check them and suggest me a solution. Also, should I wait for 24 hours for the verifier to throw a BSOD?
 
Keep verifier enabled and keep me updated, use the system as you would regularly as if verifier was disabled.
 
Hello Sir,
After enabling the verifier and re-starting my system, everything was working fine and my system didn't throw any BSOD. But by the end of the night, my system enormously slowed down, my applications stopped responding and finally explorer.exe crashed. I had no choice but to disable verifier.exe, but before doing that I generated a sysnative report and zipped my performance logs. I don't know if it will show anything, but I'll run Memory Diagnostic and Disk Check first thing in the morning and update my report here.
 
