[SOLVED] BSOD Random occur, mostly hal.dll ntoskrnl.exe error, Win8.1proWMC x64 update latest.

lobstergy

Hi Sysnative experts,

I'm happy to have found your website after desperately suffering from random BSODs since last week. I tried "BlueScreenView" and "WinDbg" with the minidump files to locate the error, which is mostly caused by hal.dll and ntoskrnl.exe, but I don't know how to fix them. I hope some experts from sysnative.com can help me out. Thanks for your time!

My Lenovo y580 laptop info:

· OS - Windows 8.1, 8, 7, Vista ? Win8.1proWMC latest update
· x86 (32-bit) or x64 ?--x64
· What was original installed OS on system? --Linux (designed for win7x64)
· Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)?--retail win8pro with WMC, update to win8.1proWMC
· Age of system (hardware)--factory 11, 2012
· Age of OS installation - have you re-installed the OS?--update from win8pro about a year ago, 11/26 update setup with MSDN WIN8.1PRO usb when I first got BSOD
· CPU--DualCore Intel Core I5-3210M
· Video Card--Intel® HD Graphics 4000 & NVIDIA GeForce GTX 660M
· MotherBoard--Lenovo IdeaPad Y580
· Power Supply - brand & wattage (if laptop, skip this one)--laptop
· System Manufacturer --lenovo
· Exact model number (if laptop, check label on bottom)--Lenovo IdeaPad Y580
· Laptop or Desktop? --laptop

Symptom:
BSODs occur not very often but randomly; since 11/26 there have been 8 in total. I've tried everything I can:
1. Uninstalled / reinstalled almost all drivers (especially focusing on the (Broadcom, Atheros) Bluetooth drivers, because an unknown device was displayed in Device Manager before I finally found an updated Bluetooth driver to install);
2. Updated to the latest Win8.1 update; did an update reinstall of Windows 8.1 with the MSDN USB install media;
3. Backed up an 11/29 image and then, via 'Acronis True Image Home 2014', restored the recovery image from when I updated to Win8.1 from the Windows Store; still got BSODs. Since the problem remained, I went back to the 11/29 image. I don't know what to do next.

Upload files:
I followed the 'BSOD Posting Instructions' and got SysnativeFileCollectionApp.zip, then ran into problems:
1. I can't run 'perfmon /report': 'an error occurred while attempting to generate the report.--the operator or administrator has refused the request'. Changing to an administrator user account gives the same issue.
2. Driver Verifier settings -> Reboot -> BSOD. Halted by selow_x64.sys, which is from the program SoftEther VPN. I need to uninstall it, right?

So, my files are:SysnativeFileCollectionApp.zip
View attachment 10009

12/01 minidump windbg code & minidump.
View attachment 120114-7609-01.windbg.txt
View attachment 120114-7609-01.dmp.rar

12/02 BSOD after perform "driver verifier": minidump & windbg code.
View attachment 120214-6328-01.windbg.txt
View attachment 120214-6328-01.dmp.rar
 
Hi,

BAD_POOL_CALLER (c2)

This indicates that the current thread is making a bad pool request.

Code:
{9b, 200, 10, fffff800ac907fd1}

Code:
ffffd000`c94d05a8 fffff801`214f86b0 nt!KeBugCheckEx
ffffd000`c94d05b0 fffff801`2150eba0 nt!VerifierBugCheckIfAppropriate+0x3c
ffffd000`c94d05f0 fffff801`214edbbd nt!ExAllocatePoolSanityChecks+0x4c
ffffd000`c94d0640 fffff800`aaed6a17 nt!VeAllocatePoolWithTagPriority+0x89
ffffd000`c94d06b0 fffff801`2150860c VerifierExt!ExAllocatePoolWithTagPriority_internal_wrapper+0x7b
ffffd000`c94d06f0 fffff800`ab9313cd nt!VerifierPortExAllocatePoolWithTagPriority+0x24
ffffd000`c94d0730 fffff800`ac907fd1 ndis!ndisVerifierAllocateMemoryWithTag+0x85
ffffd000`c94d0770 ffffe000`17993c50 SeLow_x64+0x2fd1
ffffd000`c94d0778 00000000`00000000 0xffffe000`17993c50

The SoftEther VPN driver is attempting to allocate pool with a tag of zero, which is why verifier threw the bug check.

Uninstall the VPN or find a way to make ESET play nice with it as that's what is likely causing it to conflict. Either that, or it's just a bug with the VPN's driver in general.

Regards,

Patrick
 
Hi Patrick,

Thanks for such a quick response. I have already uninstalled the SoftEther VPN software and uninstalled the SoftEther VPN driver. After this, selow_x64 still remained on the C disk, so I used everything.exe to search for and delete all selow_x64.* (inf, pnf, sys) files. I was just about to run verifier again to check the drivers when I ran into another BSOD, "UNEXPECTED_KERNEL_MODE_TRAP hal.dll". Bluescreen shows the problem drivers are hal.dll+6034 and ntoskrnl.exe+15c4e9, like all the previous BSODs except the last time, when I ran verifier. Always hal.dll and ntoskrnl.exe. Now what? Please help!

The dump file is attached.
View attachment 120214-7953-01.dmp.rar

winDbg code:
Code:
ADDITIONAL_DEBUG_TEXT:  
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.
MODULE_NAME: nt
FAULTING_MODULE: fffff800d4489000 nt
DEBUG_FLR_IMAGE_TIMESTAMP:  54503718
BUGCHECK_STR:  0x7f_8
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
CURRENT_IRQL:  0
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre
LAST_CONTROL_TRANSFER:  from fffff800d45e54e9 to fffff800d45d99a0
STACK_TEXT:  
fffff800`d57ebd28 fffff800`d45e54e9 : 00000000`0000007f 00000000`00000008 fffff800`d57ebe70 fffff800`d57d5ef0 : nt+0x1509a0
fffff800`d57ebd30 00000000`0000007f : 00000000`00000008 fffff800`d57ebe70 fffff800`d57d5ef0 fffff800`d441f034 : nt+0x15c4e9
fffff800`d57ebd38 00000000`00000008 : fffff800`d57ebe70 fffff800`d57d5ef0 fffff800`d441f034 00000000`00000000 : 0x7f
fffff800`d57ebd40 fffff800`d57ebe70 : fffff800`d57d5ef0 fffff800`d441f034 00000000`00000000 5f314bf1`867946cb : 0x8
fffff800`d57ebd48 fffff800`d57d5ef0 : fffff800`d441f034 00000000`00000000 5f314bf1`867946cb c9015d27`1c35dd58 : 0xfffff800`d57ebe70
fffff800`d57ebd50 fffff800`d441f034 : 00000000`00000000 5f314bf1`867946cb c9015d27`1c35dd58 17ee372b`ed80ec61 : 0xfffff800`d57d5ef0
fffff800`d57ebd58 00000000`00000000 : 5f314bf1`867946cb c9015d27`1c35dd58 17ee372b`ed80ec61 5b77b408`b5cb6efd : hal+0x6034
STACK_COMMAND:  kb
FOLLOWUP_IP: 
nt+1509a0
fffff800`d45d99a0 48894c2408      mov     qword ptr [rsp+8],rcx
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  nt+1509a0
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  ntoskrnl.exe
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  WRONG_SYMBOLS
ANALYSIS_SOURCE:  KM
FAILURE_ID_HASH_STRING:  km:wrong_symbols
FAILURE_ID_HASH:  {70b057e8-2462-896f-28e7-ac72d4d365f8}
Followup: MachineOwner
---------
 
First off, the driver is still listed and loaded. With that said, it's either not fully removed or didn't remove properly.

Code:
fffff801`a33ed000 fffff801`a33f4980   SeLow_x64   (deferred)             
    Image path: \SystemRoot\system32\DRIVERS\SeLow_x64.sys
    Image name: SeLow_x64.sys
    Timestamp:        Tue Mar 25 22:24:40 2014

Go to its path and rename it from .sys to .bak and then restart to break it.

Code:
fffff800`d57ebd28 fffff800`d45e54e9 nt!KeBugCheckEx
fffff800`d57ebd30 fffff800`d45e35f4 nt!KiBugCheckDispatch+0x69
fffff800`d57ebe70 fffff800`d441f034 nt!KiDoubleFaultAbort+0xb4
fffff800`d57d5ef0 fffff800`d4532577 hal!HalRequestIpi+0x25
fffff800`d57d6170 fffff800`d45317a8 nt!KiIpiSendRequest+0x377
fffff800`d57d6380 fffff800`d4530972 nt!MiFlushTbList+0x2a8
fffff800`d57d64c0 fffff800`d45493e7 nt!MiFlushTbAsNeeded+0xe6
fffff800`d57d6600 fffff800`d4548710 nt!MiAllocatePoolPages+0x14b
fffff800`d57d6650 fffff800`d472d4d3 nt!ExpAllocateBigPool+0xd0
fffff800`d57d6740 fffff801`a5d2b69d nt!ExAllocatePoolWithTag+0xa83
fffff800`d57d6810 ffffe000`7c8d9000 epfw+0x2069d
fffff800`d57d6818 fffff800`d57d6ed0 0xffffe000`7c8d9000
fffff800`d57d6820 ffffe000`7c8d8d58 0xfffff800`d57d6ed0
fffff800`d57d6828 fffff800`d57d6cf0 0xffffe000`7c8d8d58
fffff800`d57d6830 00000000`00000000 0xfffff800`d57d6cf0

ESET in the stack, calling ExAllocatePoolWithTag to allocate a pool of memory and return a pointer. As we go up the stack we can see we're needing to flush the TB to do this which is an action that requires all processors, so it sends an inter-processor interrupt. This is why we see hal.dll involved, as it handles the call, and then we hit a doublefault.

As I noted, break the driver for now and don't touch ESET. If however the crashes continue after breaking it from loading and restarting, remove and replace ESET with Windows Defender.

Regards,

Patrick
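
Added example, not part of the thread and not any poster's code: the manual step performed in the two annotated stacks above (walk down from the bug check and stop at the first frame that is not an OS module) as a small parser. The `OS_MODULES` allow-list, the function names and the sample constants are assumptions of this example; the frames are a subset copied from the replies, two of them still carrying forum colour markup.

```python
import re

# Modules that ship with Windows and appear in the stacks quoted in this thread.
# Assumption of this example: a deliberately small allow-list, not a full inventory.
OS_MODULES = {"nt", "hal", "ndis", "verifierext"}

BBCODE = re.compile(r"\[/?COLOR[^\]]*\]", re.IGNORECASE)
# child-SP, return address, call site: the three-column form used in the replies
FRAME = re.compile(r"^([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+(\S+)$", re.I)


def parse_frames(stack_text):
    """Return [(module, call_site)] from top of stack down, skipping raw addresses."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME.match(BBCODE.sub("", line).strip())
        if not m or m.group(3).lower().startswith("0x"):
            continue  # not a frame line, or an address with no owning module
        site = m.group(3)
        module = re.split(r"[!+]", site, maxsplit=1)[0]
        frames.append((module, site))
    return frames


def first_third_party(stack_text):
    """First frame below the bug check that is not an OS module, or None."""
    for module, site in parse_frames(stack_text):
        if module.lower() not in OS_MODULES:
            return module, site
    return None


# Subset of frames copied from the two annotated stacks in the replies above.
VERIFIER_STACK = """\
ffffd000`c94d05a8 fffff801`214f86b0 nt!KeBugCheckEx
ffffd000`c94d0640 fffff800`aaed6a17 nt!VeAllocatePoolWithTagPriority+0x89
ffffd000`c94d0730 fffff800`ac907fd1 [COLOR=#0000ff]ndis!ndisVerifierAllocateMemoryWithTag+0x85[/COLOR]
ffffd000`c94d0770 ffffe000`17993c50 [COLOR=#ff0000]SeLow_x64+0x2fd1[/COLOR]
ffffd000`c94d0778 00000000`00000000 0xffffe000`17993c50
"""
DOUBLE_FAULT_STACK = """\
fffff800`d57ebd28 fffff800`d45e54e9 nt!KeBugCheckEx
fffff800`d57ebe70 fffff800`d441f034 nt!KiDoubleFaultAbort+0xb4
fffff800`d57d5ef0 fffff800`d4532577 hal!HalRequestIpi+0x25
fffff800`d57d6740 fffff801`a5d2b69d nt!ExAllocatePoolWithTag+0xa83
fffff800`d57d6810 ffffe000`7c8d9000 epfw+0x2069d
"""

if __name__ == "__main__":
    for name, text in (("verifier", VERIFIER_STACK), ("double fault", DOUBLE_FAULT_STACK)):
        print(name, "->", first_third_party(text))
```

A stack that resolves only to `nt` and `hal` frames returns `None`, which is the case where the dump names ntoskrnl.exe by default and more data (symbols, Driver Verifier) is needed.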
 
1. There were 4 SeLow_x64.* files remaining on partition C, and I deleted them all to the recycle bin. Do I need to restore them and rename all of them to SeLow_x64.bak?
2014-12-02_093032_SeLow_x64.jpg
2. ESET refers to ESET Smart Security 7, right? Sorry, I don't understand what "break the driver for now and don't touch ESET." means. How do I break "the driver"? Do I need to uninstall ESET?

3. Does 'ntoskrnl.exe' do anything wrong to cause the BSOD? Or should I just ignore it?
2014-12-02_100337_ntoskrnl.exe.jpg
 
Rename the C:\System32\Drivers one to SeLow_x64.bak, and then restart. That's what I mean by break it, as you're renaming it and causing it to stop loading.

ESET refers to ESET Smart Security 7, right?

If that's the ESET software you're using, yes.

Does 'ntoskrnl.exe' do anything wrong to cause the BSOD?

ntoskrnl is a variant of the NT Kernel, and has nothing to do with the crash. It's labeled as the crash because Windows knows corruption occurred within kernel mode, but doesn't know what caused it. It cannot say nothing caused the kernel corruption, therefore it says the kernel itself was the issue.

Regards,

Patrick
 
Thanks for the clear explanation, Patrick. I followed your instruction to break the driver right away, then ran verifier again. Then I got a BSOD again, restored from recovery, and am reporting the dump file. Please check. Thanks.

This time, uim_vimx64.sys appeared; Bluescreen shows that it's from Paragon. Should I uninstall it and rename the sys to bak? Anything else?

View attachment 120214-6609-01.dmp.rar
 
That's the Paragon Image Mounter driver, uninstall that software as well please. Don't rename the driver.

Regards,

Patrick
 
After another round of BSODs, I located a program named pcmaster with a faulty pcmastercoredrv.sys and uninstalled it. Finally I rebooted into Windows 8.1 with verifier turned on, which was very exciting.
Unfortunately, it lasted only a few minutes after logging in to Windows before I got a BSOD again. The same thing happened several times. The dump files are uploaded chronologically below:
12/02/2014 12:31
View attachment 120214-12687-01dmp.rar
The faulty driver seems to be LhdX64.sys, the Lenovo Disk Driver, from my laptop manufacturer. How could that be possible?
12/02/2014 12:36
View attachment 120214-11078-01dmp.rar
No specific 3rd party driver is listed, so I'm stuck. Please help me out, thanks.
 
Let's go ahead and remove ESET as I noted above and replace it with Defender. I am curious to see if it's behind the conflicts, or if it's something else. Regardless, we'll get it sorted.

Regards,

Patrick
 
Sorry for the late feedback. You're absolutely right, ESET is the culprit. After switching the firewall back to Windows, the BSODs disappeared with verifier turned on.
But I'm really not used to WFC, nor to ZoneAlarm and Comodo Firewall; everything is different and uncomfortable. Besides, I have a two-year ESET licence and have used it for almost 10 years. After doing some research, I found THIS on the ESET knowledgebase, quote: "On Windows 8 Enterprise 64-bit installation may trigger BSOD if the previous version was not correctly uninstalled"; it needs a manual uninstall, booting into safe mode and following this guide. I also uninstalled the OpenVPN driver, reference: "Constant BSOD with Smart Security 7".
After this, I installed the latest ESET Smart Security 8; it runs smoothly, quietly and fluently, with no more BSODs so far. But with verifier turned on, it lasts just about 50 minutes or so. Would you please check the last two minidump files for me? I can almost say "Solved" after all these efforts with your great help. Thanks again.

2014-12-05_072703_BSOD solved win8.1&eset8&verifier stable.png

View attachment last two Minidump.rar


 
Er, how can I say, there is some misunderstanding here. Normal running is OK, but I still get BSODs when verifier is turned on; it's just that I can log in to Windows and it lasts longer now. So, I still need help. Please check the latest dump file above, thanks.
 
