[SOLVED] BSOD Loop on Windows 7 SP1 x64 - Most likely related to the GPU

Aura

Aura

Sysnative Staff, Security Analyst
Staff member
Joined
Mar 16, 2015
Posts
8,061
So a few computers at my workplace are having the same issue: randomly, the computer will throw a BSOD and then stay stuck in a BSOD loop until manual intervention. At first, I thought that it was because of the outdated graphic card drivers, so what I was doing is that I would boot in Safe Mode, disable every programs in Startup, and every third-party services under msconfig, then restart the computer normally, install the drivers, re-enable everything and it would work. Now, some computers still have that BSOD loop issue, even if they have fully updated graphic card drivers. I got one this morning and tried to run the Sysnative BSOD Dump Collection App, but I can't download it since it's flagged as a virus by our firewall (Palo Alto). I'll ask the Sysadmin to whitelist it but for now I cannot give you the report. Also, the perform command fails with an error saying that there's no "trust relation" between the local user and the computer. I'll investigate this as well. The only thing I can give you right now is two Minidumps (one from before I upgraded the graphic card drivers, and one from after I upgraded them) and answers to the questions below. I'll work on getting the rest after.

Information on the system:

Windows 7 SP1 Professional x64
The original OS installed on our Lenovo M73 is an OEM Windows 8.1 Professional x64, but we wipe them and install our own, custom Windows 7 SP1 x64 image via SCCM.
Our licences are most likely part of a Volume Licencing bundle.
That computer was imaged on March 11th 2015, so the computer was probably built around that time. It's only a few months old.

CPU: Intel Core i5 4670
GPU: Intel Core 4th Generation integrated GPUs (so Intel Graphics 4000+, 4600 probably).
Motherboard: No idea, I can run Speccy on the computer if needed to get that information.
Power Supply: No idea, I can run Speccy on the computer if needed to get that information.
The computer is a Lenovo ThinkCentre M73 desktop (they all are).

I know it's not a lot of information to start with, but I'm working on getting the rest as soon as possible.

View attachment Minidumps.zip
 
I love a challenge! :0)

Can you generate these reports?
MSINFO32:
Please go to Start and type in "msinfo32.exe" (without the quotes) and press Enter
Save the report as an .nfo file, then zip up the .nfo file and upload/attach the .zip file with your next post.
Also, save a copy as a .txt file and include it also (it's much more difficult to read, but we have greater success in getting the info from it).

If you're having difficulties with the format, please open an elevated (Run as administrator) Command Prompt and type (or copy/paste) "msinfo32 /nfo %USERPROFILE%\Desktop\TEST.NFO" (without the quotes) and press Enter. Then navigate to Desktop to retrieve the TEST.NFO file. If you have difficulties with making this work, please post back. Then zip up the .nfo file and upload/attach the .zip file with your next post.

systeminfo:
Please open an elevated (Run as administrator) Command Prompt and type (or copy/paste) "systeminfo.exe >%USERPROFILE%\Desktop\systeminfo.txt" (without the quotes) and press Enter. Then navigate to Desktop to retrieve the syteminfo.txt file. If you have difficulties with making this work, please post back. Then zip up the .txt file and upload/attach the .zip file with your next post.
Click to expand...

Note the presence of hal.dll in the stack text. Hal communicates between the hardware and the OS. I most frequently find this when there's a compatibility issue, but it can be due to many other things. Also, notice the word "legacy" in one of the functions before the crash - it implies that something isn't current.
fffff880`033f56b0 fffff880`0421a289 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 :hal!x86BiosCall+0x22
fffff880`033f56f0 fffff880`04208443 : 00000000`00000007 00000000`00000000 fffff880`033f5848 00000000`000007ff : VIDEOPRT!VpInt10CallBios+0xb1
fffff880`033f5750 fffff880`04205b16 : fffffa80`0a218a28 fffffa80`0a210000 fffff880`04212000 fffff880`033f59c0 : vga!InitializeModeTable+0x157
fffff880`033f5810 fffff880`0422825b : 00000000`00000000 fffff8a0`00000000 00000000`00000000 00000000`00000000 : vga!VgaInitialize+0x1e
fffff880`033f5840 fffff880`04227e6e : 006f0056`00000000 fffff8a0`002199d0 00000000`00000000 00000000`00000000 : VIDEOPRT!VideoPortLegacyFindAdapter+0x3a3
fffff880`033f5930 fffff880`042057f9 : fffffa80`00000004 00000000`00000000 00000000`00000000 fffff8a0`002199d0 : VIDEOPRT!VideoPortInitialize+0x58a
fffff880`033f59a0 fffff800`03024ff7 : 00000000`00000001 00000000`00000001 00000000`69526f49 fffffa80`07746990 : vga!VgaReinitializationCallback+0x79
fffff880`033f5a60 fffff800`02d83206 : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!IopCallDriverReinitializationRoutines+0x57
fffff880`033f5a90 fffff800`02d837a4 : 00000000`00000000 00000000`00000000 00000000`32706e50 00000000`00000084 : nt!PnpCompleteSystemStartProcess+0x76
fffff880`033f5ad0 fffff800`02c8c921 : fffff800`02d83610 fffffa80`0670e601 00000000`00000000 00000000`00000000 : nt!PnpDeviceActionWorker+0x194
fffff880`033f5b70 fffff800`02f1b31a : 00000000`00000000 fffffa80`0670e660 00000000`00000080 fffffa80`066fe040 : nt!ExpWorkerThread+0x111
fffff880`033f5c00 fffff800`02c74626 : fffff880`031d7180 fffffa80`0670e660 fffff880`031e1fc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`033f5c40 00000000`00000000 : fffff880`033f6000 fffff880`033f0000 fffff880`033f5750 00000000`00000000 : nt!KiStartSystemThread+0x16
Click to expand...

Uninstall LogMeIn. Although it's older driver (it dates from 2007) isn't usually the cause of a BSOD - it's age alone makes it suspect.

Real old TrendMicro driver present: tmtdi.sys Mon Nov 8 05:59:00 2010 (4CD7D7F4)
Probably should see if IT will update that.

And this little bugger: sxuptp.sys Thu Jan 24 20:50:27 2013
Probably related to a Belkin F5L009 Network USB hub - USB and networking don't mix well.
Lot's of people don't have problems with it - but those that do must remove it.

Can you run Driver Verifier on this system? If so, please use my instructions here: Driver Verifier Settings

I still suspect a compatibility issue - but the above steps will help to narrow it down

Good luck!

Analysis:
The following is for informational purposes only.
Code: 
[font=lucida console]**************************Tue Sep  8 08:05:04.396 2015 (UTC - 4:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\090815-15693-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Built by: [B]7601[/B].23002.amd64fre.win7sp1_ldr.150316-1651
System Uptime:[B]0 days 0:00:06.692[/B]
Probably caused by :[B]vga.sys ( vga!InitializeModeTable+157 )[/B]
BugCheck [B]1000007E, {ffffffffc0000420, fffff800032082da, fffff880033f5478, fffff880033f4cd0}[/B]
BugCheck Info: [url=http://www.carrona.org/bsodindx.html#0x1000007E]SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)[/url]
Arguments: 
Arg1: ffffffffc0000420, The exception code that was not handled
Arg2: fffff800032082da, The address that the exception occurred at
Arg3: fffff880033f5478, Exception Record Address
Arg4: fffff880033f4cd0, Context Record Address
BUGCHECK_STR:  0x7E
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
PROCESS_NAME:  System
FAILURE_BUCKET_ID: [B]X64_0x7E_vga!InitializeModeTable+157[/B]
CPUID:        "Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz"
MaxSpeed:     3400
CurrentSpeed: [B]3392[/B]
  BIOS Version                  FCKT57AUS
  BIOS Release Date             07/10/2014
  Manufacturer                  LENOVO
  Product Name                  10B7S01600
  Baseboard Product              
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Fri Aug 14 23:05:09.960 2015 (UTC - 4:00)**************************
Loading Dump File [C:\Users\John\SysnativeBSODApps\081415-13322-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Built by: [B]7601[/B].23002.amd64fre.win7sp1_ldr.150316-1651
System Uptime:[B]0 days 0:00:06.255[/B]
Probably caused by :[B]vga.sys ( vga!InitializeModeTable+157 )[/B]
BugCheck [B]1000007E, {ffffffffc0000420, fffff80002c2d2da, fffff880033f5478, fffff880033f4cd0}[/B]
BugCheck Info: [url=http://www.carrona.org/bsodindx.html#0x1000007E]SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)[/url]
Arguments: 
Arg1: ffffffffc0000420, The exception code that was not handled
Arg2: fffff80002c2d2da, The address that the exception occurred at
Arg3: fffff880033f5478, Exception Record Address
Arg4: fffff880033f4cd0, Context Record Address
BUGCHECK_STR:  0x7E
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
PROCESS_NAME:  System
FAILURE_BUCKET_ID: [B]X64_0x7E_vga!InitializeModeTable+157[/B]
CPUID:        "Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz"
MaxSpeed:     3400
CurrentSpeed: [B]3392[/B]
  BIOS Version                  FCKT57AUS
  BIOS Release Date             07/10/2014
  Manufacturer                  LENOVO
  Product Name                  10B7S01600
  Baseboard Product              
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
[/font]

3rd Party Drivers:
The following is for information purposes only.
Any drivers in red should be updated or removed from your system. And should have been discussed in the body of my post.
Code: 
[font=lucida console]**************************Tue Sep  8 08:05:04.396 2015 (UTC - 4:00)**************************
[COLOR=RED][B]ramirr.sys                  Tue Apr 10 18:32:50 2007 (461C1092)[/B][/COLOR]
intelppm.sys                Mon Jul 13 19:19:25 2009 (4A5BC0FD)
amdxata.sys                 Fri Mar 19 12:18:18 2010 (4BA3A3CA)
tmtdi.sys                   Mon Nov  8 05:59:00 2010 (4CD7D7F4)
HECIx64.sys                 Mon Dec 17 14:32:21 2012 (50CF7345)
Rt64win7.sys                Wed Dec 26 12:17:50 2012 (50DB313E)
sxuptp.sys                  Thu Jan 24 20:50:27 2013 (5101E4E3)
iaStorA.sys                 Mon Mar 18 19:36:36 2013 (5147A504)
iaStorF.sys                 Mon Mar 18 19:36:37 2013 (5147A505)
iusb3hub.sys                Fri Mar 29 08:36:15 2013 (51558ABF)
iusb3xhc.sys                Fri Mar 29 08:36:19 2013 (51558AC3)
iusb3hcs.sys                Fri Mar 29 08:37:59 2013 (51558B27)
IntcDAud.sys                Wed Nov 27 09:25:44 2013 (529600E8)
igdkmd64.sys                Wed Jan 22 17:42:16 2014 (52E04948)
[/font]
http://www.carrona.org/drivers/driver.php?id=ramirr.sys
http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=amdxata.sys
http://www.carrona.org/drivers/driver.php?id=tmtdi.sys
http://www.carrona.org/drivers/driver.php?id=HECIx64.sys
http://www.carrona.org/drivers/driver.php?id=Rt64win7.sys
http://www.carrona.org/drivers/driver.php?id=sxuptp.sys
http://www.carrona.org/drivers/driver.php?id=iaStorA.sys
http://www.carrona.org/drivers/driver.php?id=iaStorF.sys
http://www.carrona.org/drivers/driver.php?id=iusb3hub.sys
http://www.carrona.org/drivers/driver.php?id=iusb3xhc.sys
http://www.carrona.org/drivers/driver.php?id=iusb3hcs.sys
http://www.carrona.org/drivers/driver.php?id=IntcDAud.sys
http://www.carrona.org/drivers/driver.php?id=igdkmd64.sys
 
PS - have a look here at the Usual Causes section: BSOD Index
Also scroll down and look at the rest of the info after the KB articles
Particularly - Windows Updates and BIOS updates
 
Can you generate these reports?
Click to expand...

Yes, I'll call the user and get them :)

Uninstall LogMeIn. Although it's older driver (it dates from 2007) isn't usually the cause of a BSOD - it's age alone makes it suspect.
Click to expand...

Sadly I cannot do that. It's a driver for RemotelyAnywhere, which is installed on every computers we have to allow remote assistance :/

Real old TrendMicro driver present: tmtdi.sys Mon Nov 8 05:59:00 2010 (4CD7D7F4)
Probably should see if IT will update that.
Click to expand...

Our Windows Security team is currently working on the TrendMicro upgrade project. We are running an old version of OfficeScan (10.5 I think) and the recent Cryptoware infection we got (over 12) is putting pressure on them to upgrade our Antivirus as soon as possible.

And this little bugger: sxuptp.sys Thu Jan 24 20:50:27 2013
Probably related to a Belkin F5L009 Network USB hub - USB and networking don't mix well.
Lot's of people don't have problems with it - but those that do must remove it.
Click to expand...

USB Hub? I didn't think that these desktops had a USB Hub in them. This is what you're referring to?

https://www.google.ca/search?q=Belk...ved=0CAYQ_AUoAWoVChMIi6z8_cPnxwIVihgeCh33VA7q

Can you run Driver Verifier on this system? If so, please use my instructions here: Driver Verifier Settings
Click to expand...

This will have to be when the user isn't present on his computer, I'll ask him.

To sum it up, this will be quite hard to troubleshoot due to the limitations I have :P
 
That's the device. Here's a PDF for it (UK - the US version won't load for me): http://www.belkin.com/support/dl/p75465_f5l009_mnl_hi-res.pdf
If it's not needed, uninstall it.
The driver actually comes from Silex Technology: Silex Technology America | Reliable Wi-Fi Connectivity Solutions
You may want to talk w/IT about it also - it may be a part of some proprietary software that they use.

The reports are the most helpful thing for us after the memory dumps.
We've had many cases where we've had to work around workplace restrictions - it's not a big deal, it just makes the troubleshooting take longer.
But, in this case where there are many computers with the same problem, it's better to take our time and identify the exact problem. That way fixing the others will be simpler.

How much leeway is IT giving you to work on this system(s)?
 
That's the device. Here's a PDF for it (UK - the US version won't load for me): Belkin USA Site
If it's not needed, uninstall it.
The driver actually comes from Silex Technology: Silex Technology America | Reliable Wi-Fi Connectivity Solutions
You may want to talk w/IT about it also - it may be a part of some proprietary software that they use.
Click to expand...

We use Silex programs and drivers here, and this is one of the computer that uses a such program so it makes sense that it would be installed.

The reports are the most helpful thing for us after the memory dumps.
We've had many cases where we've had to work around workplace restrictions - it's not a big deal, it just makes the troubleshooting take longer.
But, in this case where there are many computers with the same problem, it's better to take our time and identify the exact problem. That way fixing the others will be simpler.
Click to expand...

Would it help if I can get you Minidumps from 2-3 other computers with the same issue?

How much leeway is IT giving you to work on this system(s)?
Click to expand...

As much as I want, I'm a Tier 2 Technical Support there. I just can't uninstall drivers and/or programs that are required (like LogMeIn RemotelyAnywhere, the Silex driver, outdated TrendMicro, etc.)
 
On a side note, I have to send a request to the Security team to get the download URL whitelisted (for the Sysnative BSOD Collection App). They'll download it, analyze it to see if it's malicious and if it's not, whitelist. Hopefully it'll be done by tomorrow. I just need that request approved by my superior first.
 
Does the symptoms of the minidumps I provided matches the one for this bug?
 
The reports depend upon what's easiest for you.
I only use the MSINFO32 report and the systeminfo.txt report.
I do look at the others occasionally - but not very often.

Only 234 Windows Updates installed. Most systems have 300 or more. Please visit Windows Update and get ALL available updates (it may take several trips to get them all).
This may be controlled by IT also - see what they have to say about it.
There's many, many Windows Update failures in the WER section of MSINFO32 - not a good sign

Beyond that, there doesn't appear to be anything obviously wrong with the system.
Since there are older drivers that we aren't able to mess with, I think that the best thing would be to arrange to run Driver Verifier.
It would be best to have Windows fully updated before trying it, but if we can't we'll just have to wing it.
If we're lucky, it'll crash immediately. If it does crash quickly, make it crash several times (so we have a couple of memory dumps to work on).

My plan here is to figure out what's wrong with this one system (and fix it) - then we'll see if the fix works on other systems.
I strongly suspect the problem is complicated by the Windows Updates errors/missing updates - and then having older drivers to deal with also.
As you're not allowed to do anything with the drivers - then Driver Verifier will be the most likely way to pin the blame on a particular driver

So, what's the plan if it proves to be one of the drivers that you can't touch?
What are the Silex programs/drivers used for there?
 
Only 234 Windows Updates installed. Most systems have 300 or more. Please visit Windows Update and get ALL available updates (it may take several trips to get them all).
This may be controlled by IT also - see what they have to say about it.
There's many, many Windows Update failures in the WER section of MSINFO32 - not a good sign
Click to expand...

That's normal. We used to deliver our Windows Update via WSUS, but switched to SCCM. Only Security Updates are allowed to go throught, and specific ones on top of that. Optional/Recommended updates aren't delivered.

Since there are older drivers that we aren't able to mess with, I think that the best thing would be to arrange to run Driver Verifier.
It would be best to have Windows fully updated before trying it, but if we can't we'll just have to wing it.
If we're lucky, it'll crash immediately. If it does crash quickly, make it crash several times (so we have a couple of memory dumps to work on).
Click to expand...

I'll see if I can work on it tomorrow during the employee's lunch time.

I strongly suspect the problem is complicated by the Windows Updates errors/missing updates - and then having older drivers to deal with also.
As you're not allowed to do anything with the drivers - then Driver Verifier will be the most likely way to pin the blame on a particular driver
Click to expand...

It's still weird that these BSODs only affects our Lenovo M73 desktops, and not our other desktop computers: HP Elite 8000, 8200 and 6300.

So, what's the plan if it proves to be one of the drivers that you can't touch?
What are the Silex programs/drivers used for there?
Click to expand...

If it proves to be one of the drivers I cannot touch, I'll report it to the Tier 3 team so they can make the proper adjustement. We're supposed to upgrade our RemotelyAnywhere (by LogMeIn) version soon. When, I don't know.
I work for a pharmacy chain and we have our own proprietary "signature" software (for the pharmacists), so it's most likely used for one of the sub-programs or the main program itself.
 
Got another computer this morning with this issue. Here's more information on the system:

GPU: Intel HD Graphics 4400
Motherboard information (that's all I have since it's a prebuilt):
Code: 
Manufacturer	LENOVO
Version	ThinkCentre M73
Chipset Vendor	Intel
Chipset Model	Haswell
Chipset Revision	06
Southbridge Vendor	Intel
Southbridge Model	H81
Southbridge Revision	C1

I have both versions of the msinfo32 logs, the SystemInfo log and two Minidump files.

Working on getting a perfmon report right now.

View attachment Second Computer Logs.zip
 
Code: 
3: kd> .bugcheck
Bugcheck code 1000007E
Arguments ffffffff`c0000420 fffff800`032052da fffff880`033e7478 fffff880`033e6cd0

1st parameter is our key here:

Code: 
ffffffffc0000420

NTSTATUS 0xc0000420 implies an assertion failure occurred.

Code: 
3: kd> .exr fffff880033e7478
ExceptionAddress: fffff800032052da (hal!x86BiosCall+0x0000000000000022)

Note where the exception occurred, the function for executing software interrupts in shadow memory regarding the x86 BIOS emulator.

Code: 
3: kd> knL
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 fffff880`033e76b0 fffff880`0400c289 hal!x86BiosCall+0x22
01 fffff880`033e76f0 fffff880`043eb443 VIDEOPRT!VpInt10CallBios+0xb1
02 fffff880`033e7750 fffff880`043e8b16 vga!InitializeModeTable+0x157
03 fffff880`033e7810 fffff880`0401a25b vga!VgaInitialize+0x1e
04 fffff880`033e7840 fffff880`04019e6e VIDEOPRT!VideoPortLegacyFindAdapter+0x3a3
05 fffff880`033e7930 fffff880`043e87f9 VIDEOPRT!VideoPortInitialize+0x58a
06 fffff880`033e79a0 fffff800`03021ff7 vga!VgaReinitializationCallback+0x79
07 fffff880`033e7a60 fffff800`02d80206 nt!IopCallDriverReinitializationRoutines+0x57
08 fffff880`033e7a90 fffff800`02d807a4 nt!PnpCompleteSystemStartProcess+0x76
09 fffff880`033e7ad0 fffff800`02c89921 nt!PnpDeviceActionWorker+0x194
0a fffff880`033e7b70 fffff800`02f1831a nt!ExpWorkerThread+0x111
0b fffff880`033e7c00 fffff800`02c71626 nt!PspSystemThreadStartup+0x5a
0c fffff880`033e7c40 00000000`00000000 nt!KiStartSystemThread+0x16

We're doing a lot of video stuff on a worker thread, and go off the rails from a VIDEOPRT call to the x86BiosCall function. This is probably a hardware problem, either board or GPU, but I'll need a kernel dump with verifier enabled to know for sure.
 
Alright, so you want me to run Driver Verifier on both computers and give you the logs?
 
Yes, but make sure it's generating kernel dumps and not minidumps.

The former really isn't going to do anything for us with an issue like this, unfortunately.
 
Alright, I'll set both computers so they generate that kind of log and will get the logs. I never really used Driver Verifier, but I guess that with the tutorial I should be good.
 
Its settings depend on the situation, but we should be okay for now with the tutorial recommended settings.
 
No I mean, I need to set the system to product a full kernel dump, not minidumps :P
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top