BSOD - Win7 x64 - Stumped

kinarism (Member, joined Jan 27, 2015)
OK, first post here, hopefully someone here can help. Here is my story. I am a software developer and all around PC guy (so no need to dumb down anything for me initially, I'll ask for clarification if I need any). I got a new laptop for work back in September. Everything worked fine until the start of December and then I started getting random bluescreens. When I say random, I mean there appears to be no consistency as to when it happens or error message displayed. The problem has gotten progressively worse since then (up to 10+ BSOD on some days). I've gone through everything I can think of and I'm back to where I started so it's time to ask for help.

While I'm waiting on the BSOD analysis tools to run, here is a brief breakdown of my setup and troubleshooting steps thus far:

Win7 x64
Dell Latitude e6440 laptop (Intel HD 4600 and AMD Radeon HD 8690M graphics)
i7 processor (4610M @ 3 GHz)
8GB RAM
500GB Hybrid SSD.
(this is a windows software dev machine)

Dell Docking station.
Microsoft 4000 ergonomic KB
Standard Dell wired mouse
Logitech Communicate STX webcam
standard speakers plugged into headphone jack (non-USB)
2 x HP Pavilion 23xi monitors (connected with DVI via docking station).

When this started, I ran through and updated all drivers for all devices via the dell website. I also ran all windows updates (from Microsoft...not just the ones the sysadmin has approved).

Work then gave me a new loaner laptop to use while troubleshooting, loaded with only minimal software to get by until the problem was fixed. Problem was that within 2 days of using the loaner (Latitude e5410) on the same docking station setup, it started getting BSOD as well. This made me decide that the problem was with something I have plugged into the machine and not the machine itself (unless both machines happened to have the same problem). At this point, I stopped using the loaner and just started focusing on my main machine.

Since then, I have systematically started removing hardware and continued to experience BSOD until I was down to just running my external monitors (since I removed the docking station, one now connected via VGA and the other connected via HDMI). Under this setup, the HDMI monitor would occasionally (every 30min or so) blink off and then back on. I still experienced BSOD using this setup. Next, I removed the HDMI monitor and the BSOD went away. I ran 3 days stable in this setup. After that point, I started plugging everything back in one at a time until I was back to everything except the HDMI monitor attached and it was still stable.

From that point:
I swapped monitors (still stable)
Plugged in a single monitor via HDMI instead of VGA (still stable, although the blinking on/off increased in frequency to ~every 2 min, weird).
Swapped HDMI cable (same issue...but stable)
plugged in a single monitor via DVI (stable)
plugged in both monitors via DVI (back to original configuration)....stable for 5+ days.

Oh, and I forgot to mention that I was running prime95 in torture mode from the point of being down to a single VGA monitor to current (that's why it shows up as 100% CPU in the system gathering info being collected as I type). I also have been running SpeedFan to monitor temps and they seem stable.

I told our helpdesk to close the ticket and Murphy's law decided to show its face. 3 hrs later, BSOD again.

So, I'm stumped, our helpdesk is stumped. It's time for me to ask the internet gods for help.

Please, Please, oh internet gods, I submit to your mighty wisdom. Help me see the light.

TIA
 


Hello,
Welcome to sysnative.

Code:
2: kd> .bugcheck
Bugcheck code 1000007E
Arguments ffffffff`c0000005 fffff800`03284ac5 fffff880`08bb42a8 fffff880`08bb3b00

//System thread exception not handled, access violation

2: kd> kn
 # Child-SP          RetAddr           Call Site
00 fffff880`08bb44e0 fffff800`033c0d0e nt!ExpInterlockedPopEntrySListFault16 //Removing a list entry caused the fault
01 fffff880`08bb44f0 fffff880`053a9a46 nt!ExAllocatePoolWithTag+0xfe //Allocate memory with a tag
02 fffff880`08bb45e0 fffff880`053b4235 HDAudBus!operator new+0x26 //New command?
03 fffff880`08bb4620 fffff880`053b7ae9 HDAudBus!HdaController::TransferCodecVerbs+0x105 //Transferring down the bus, by the looks of it
04 fffff880`08bb46a0 fffff880`092a1789 HDAudBus!HdaBusInterface::TransferCodecVerbs+0x219 //Audio bus functions, transferring sound packets
05 fffff880`08bb4720 fffffa80`0a2a5810 RTDVHD64+0x4789 //Realtek High Definition Audio Function Driver
06 fffff880`08bb4728 00000000`00000001 0xfffffa80`0a2a5810 //Context not saved
07 fffff880`08bb4730 fffff880`08bb4810 0x1
08 fffff880`08bb4738 00000000`00000000 0xfffff880`08bb4810 //Context not saved

2: kd> !list fffff800`03284ad0
fffff800`03284ad0  49df750a`c70f49f0 0a0d0f41`c35bc08b
fffff800`03284ae0  8149c08b`4c028b49 49e874fe`000000e0
fffff800`03284af0  c149001f`ffffc881 e3c14818`8b4915c8
fffff800`03284b00  8148c9ff`66c88b15 d90b4801`ffffffe1
fffff800`03284b10  ebc9751a`b10f49f0 90cccccc`ccccccbe
fffff800`03284b20  d18b4c09`0d0f5348 8b49da8b`4cca8b48
fffff800`03284b30  74d28408`528b4902 8041c28b`4cc1fe1f
fffff800`03284b40  988d4803`894df0e0 c70f49f0`00010001

49df750a`c70f49f0  ????????`???????? ????????`????????
49df750a`c70f4a00  ????????`???????? ????????`????????
49df750a`c70f4a10  ????????`???????? ????????`????????
49df750a`c70f4a20  ????????`???????? ????????`????????
49df750a`c70f4a30  ????????`???????? ????????`????????
49df750a`c70f4a40  ????????`???????? ????????`????????
49df750a`c70f4a50  ????????`???????? ????????`????????
49df750a`c70f4a60  ????????`???????? ????????`????????

//The flink appears to have been removed, was it already freed?
//Minidump doesn't contain the context of the previous pool allocations

2: kd> lmvm RTDVHD64
start             end                 module name
fffff880`0929d000 fffff880`094c3300   RTDVHD64 T (no symbols)           
    Loaded symbol image file: RTDVHD64.sys
    Image path: \SystemRoot\system32\drivers\RTDVHD64.sys
    Image name: RTDVHD64.sys
    Timestamp:        Tue Aug 27 06:28:08 2013 (521C38E8) //Out of date
    CheckSum:         00232AA4
    ImageSize:        00226300
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

It looks like a driver bug to me, and it's consistent as well.
I suggest updating the Realtek audio driver and going from there.
 
Thanks for the quick reply.
As I mentioned in the original post, I was already running the latest drivers from the dell website for all hardware.

However, per your suggestion, I went ahead and installed the latest audio drivers from the realtek website instead. I will report back if this seems to help.

Also, I turned on the Driver Verifier using the settings in this thread. The verifier /query output looks pretty cool but I don't have any knowledge of how to interpret the results. Here are the current query settings:

verifier /querysettings
Special pool: Enabled
Pool tracking: Enabled
Force IRQL checking: Enabled
I/O verification: Disabled
Deadlock detection: Enabled
DMA checking: Disabled
Security checks: Enabled
Force pending I/O requests: Disabled
Low resources simulation: Disabled
IRP Logging: Disabled
Miscellaneous checks: Enabled
Verified drivers:
iusb3hcs.sys
tmebc64.sys
iastora.sys
amdxata.sys
stdcfltn.sys
speedfan.sys
iastorf.sys
amdkmpfd.sys
serial.sys
tmcomm.sys
vboxusbmon.sys
vboxdrv.sys
tmtdi.sys
atikmpag.sys
atikmdag.sys
igdkmd64.sys
teedriverx64.sys
e1d62x64.sys
ndis.sys
netwsw00.sys
o2fj2w7x64.sys
scsiport.sys
apfiltr.sys
st_accel.sys
vboxnetadp.sys
vboxnetflt.sys
rtkvhd64.sys
dump_diskdump.sys
dump_iastora.sys
dump_dumpfve.sys
ibtfltcoex.sys
btmhsf.sys
btmaux.sys
cvusbdrv.sys
lvusbs64.sys
lv302v64.sys
ctclsflt.sys
lv302a64.sys
lvrs64.sys
tmpreflt.sys
vsapint.sys
tmxpflt.sys
wbfcvusbdrv.sys
secdrv.sys
lvpr2m64.sys
prepdrv.sys
vpnva64-6.sys
acsock64.sys
 
Driver Verifier is helpful, although I wouldn't recommend enabling it at the moment. It could flag a driver which isn't actually a problem, due to the conditions that DV sets.
I suggest disabling it, then go from there (with the updated audio drivers).
If it crashes again, upload the dump files and I'll see what the best route is.
 
Looks like the machine crashed overnight and the "Windows has recovered from an unexpected shutdown" screen says it was a bluescreen.

minidump attached:
 


Code:
0: kd> .bugcheck
Bugcheck code 000000D1
Arguments fffff980`69a7efc8 00000000`00000002 00000000`00000001 fffff880`0b29567b

//Pageable memory was written to at an IRQL of 2, which is an illegal operation

0: kd> kn
 # Child-SP          RetAddr           Call Site
00 fffff880`0dee0468 fffff800`0328f169 nt!KeBugCheckEx //Bugcheck
01 fffff880`0dee0470 fffff800`0328dde0 nt!KiBugCheckDispatch+0x69 //Dispatch bugcheck
02 fffff880`0dee05b0 fffff880`0b29567b nt!KiPageFault+0x260 //Referenced pageable memory
03 fffff880`0dee0748 fffff880`0b291591 acsock64+0x1067b //Internal Cisco AnyConnect Secure Mobility Client function
04 fffff880`0dee0750 fffff880`0b28a1af acsock64+0xc591 //Internal Cisco AnyConnect Secure Mobility Client function
05 fffff880`0dee0758 fffff800`0372e01d acsock64+0x51af //Internal Cisco AnyConnect Secure Mobility Client function
06 fffff880`0dee0760 fffff880`0b2934ef nt!VerifierExAllocatePoolEx+0x1d //Driver Verifier hooked function, allocate pool
07 fffff880`0dee07a0 fffff980`2b238fa0 acsock64+0xe4ef //Internal Cisco AnyConnect Secure Mobility Client function
08 fffff880`0dee07a8 fffff880`0b28fbc5 0xfffff980`2b238fa0 //Context not saved
09 fffff880`0dee07b0 00000000`00000000 acsock64+0xabc5 //Internal Cisco AnyConnect Secure Mobility Client function

Base Address:           fffff800`034c7278
End Address:            fffff800`034c7277
Region Size:            ffffffff`ffffffff
VA Type:                PFNDatabase
VAD Address:            0x4673756f00000007
Commit Charge:          0x100000002
Protection:             0x7feea28ff88 []
Memory Usage:           Private
No Change:              yes
More info:              !vad 0xfffff800034c7278

0: kd> lmvm acsock64
start             end                 module name
fffff880`0b285000 fffff880`0b2a3000   acsock64 T (no symbols)           
    Loaded symbol image file: acsock64.sys
    Image path: \SystemRoot\system32\DRIVERS\acsock64.sys
    Image name: acsock64.sys
    Timestamp:        Wed Sep 04 16:50:05 2013 (522756AD) //Over a year old, needs updating
    CheckSum:         0001D2ED
    ImageSize:        0001E000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

I recommend you update your Cisco Secure Mobility Client software; it's using poor programming methods which are causing the system to crash.

For technical information on the bugcheck, if interested:

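The analysts' posts in this thread repeat the same manual steps on every dump: read the bugcheck code, walk the `kn` frames to the first non-Microsoft module, then check that module's link timestamp with `lmvm`. The script below is an added example (not the analysts' tooling or any Sysnative tool) that automates exactly those three steps over pasted WinDbg text; the Microsoft module list, the bugcheck name table, the reference date and the `SAMPLE` excerpt (taken from the acsock64 session above) are assumptions for illustration.

```python
"""Triage helper for the WinDbg output quoted in this thread (added example,
not the analysts' tooling).  It parses `.bugcheck`, `kn` and `lmvm` output
and reports the first frame owned by a non-Microsoft module plus the age of
that module's image, the two things the analysts above check by hand."""
import re
from datetime import datetime, timezone

# Microsoft modules seen in this thread's stacks; anything else is a suspect.
# Assumption: not exhaustive, extend it for other dumps.
MICROSOFT_MODULES = {"nt", "hal", "fltmgr", "fileinfo", "HDAudBus", "Ntfs"}
# Bugcheck codes that occur in the thread.  0x1000007E is the extended form
# of 0x7E, so only the low 16 bits are used for the lookup.
BUGCHECK_NAMES = {
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x3B: "SYSTEM_SERVICE_EXCEPTION",
}
FRAME_RE = re.compile(r"^\s*([0-9a-f]{2})\s+[0-9a-f`]+\s+[0-9a-f`]+\s+(\S+)", re.I)
TIMESTAMP_RE = re.compile(r"Timestamp:.*\(([0-9A-Fa-f]{8})\)")
# Reference date for the age calculation (assumed: the week the thread opened).
CRASH_WEEK = datetime(2015, 1, 27, tzinfo=timezone.utc)


def parse_bugcheck(text):
    """Return (code, [args]) from `.bugcheck` output."""
    code = int(re.search(r"Bugcheck code ([0-9A-Fa-f]+)", text).group(1), 16)
    args = re.search(r"Arguments (.+)", text).group(1).split()
    return code, [int(a.replace("`", ""), 16) for a in args]


def module_of(site):
    """'acsock64+0x1067b' -> 'acsock64'; raw addresses such as '0x1' -> None."""
    if site.startswith("0x"):
        return None
    m = re.match(r"([A-Za-z0-9_]+)(?:!|\+|$)", site)
    return m.group(1) if m else None


def parse_frames(text):
    """Return [(index, call_site, module)] for every `kn` frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1), 16), m.group(2), module_of(m.group(2))))
    return frames


def first_suspect(frames):
    """First frame whose module is neither Microsoft's nor an unresolved address."""
    for frame in frames:
        if frame[2] and frame[2] not in MICROSOFT_MODULES:
            return frame
    return None


def image_timestamp(lmvm_text):
    """Link time as UTC, read from the hex epoch in parentheses; the text
    beside it is the same instant rendered in the debugger's local time."""
    epoch = int(TIMESTAMP_RE.search(lmvm_text).group(1), 16)
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def triage(dump_text, reference):
    """Summarise one pasted debugger session relative to a reference date."""
    code, args = parse_bugcheck(dump_text)
    suspect = first_suspect(parse_frames(dump_text))
    built = image_timestamp(dump_text)
    return {
        "bugcheck": BUGCHECK_NAMES.get(code & 0xFFFF, "UNKNOWN"),
        # For D1 the second argument is the IRQL at the time of the fault.
        "irql": args[1] if (code & 0xFFFF) == 0xD1 else None,
        "suspect": suspect[2] if suspect else None,
        "suspect_frame": suspect[0] if suspect else None,
        "image_built_utc": built.isoformat(),
        "image_age_days": (reference.date() - built.date()).days,
    }


# Excerpt of the acsock64 session pasted above (analyst comments removed).
SAMPLE = """\
0: kd> .bugcheck
Bugcheck code 000000D1
Arguments fffff980`69a7efc8 00000000`00000002 00000000`00000001 fffff880`0b29567b

0: kd> kn
 # Child-SP          RetAddr           Call Site
00 fffff880`0dee0468 fffff800`0328f169 nt!KeBugCheckEx
01 fffff880`0dee0470 fffff800`0328dde0 nt!KiBugCheckDispatch+0x69
02 fffff880`0dee05b0 fffff880`0b29567b nt!KiPageFault+0x260
03 fffff880`0dee0748 fffff880`0b291591 acsock64+0x1067b
04 fffff880`0dee0750 fffff880`0b28a1af acsock64+0xc591
05 fffff880`0dee0758 fffff800`0372e01d acsock64+0x51af
06 fffff880`0dee0760 fffff880`0b2934ef nt!VerifierExAllocatePoolEx+0x1d

0: kd> lmvm acsock64
    Timestamp:        Wed Sep 04 16:50:05 2013 (522756AD)
"""

if __name__ == "__main__":
    print(triage(SAMPLE, CRASH_WEEK))
```

The hex value in parentheses after the timestamp is the PE link-time epoch in UTC, so comparing it against the crash date gives a time-zone-independent answer to the "is this driver out of date?" question the analysts ask.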
Very interesting. That would actually explain why both laptops crashed (I'm connecting via VPN to work network).

Unfortunately, that particular software is managed by our sysadmin and I don't have direct access to modify it.

Question, before I send this over to our helpdesk. I see that the Driver Verifier shows up in that trace. I must have forgotten to reboot the machine after disabling the verifier per your recommendation (see my post on 1/27). Could this be a false positive as you described in your post recommending to turn off the verifier?
 
It *could* be, although given that driver verifier hasn't managed to crash the system, I doubt it.
You could disable DV and go from there. But I'm doubtful that it will help.
 
The DV has been disabled (I disabled it before the last crash but never rebooted). After the last crash I verified it was still disabled:

C:\Users\Me>verifier /query
1/29/2015, 10:34:10 AM
No drivers are currently verified.

While sending the info about the Cisco VPN client over to my helpdesk (and asking for a newer version to be installed), I had yet another bluescreen (dump attached). Of course this one doesn't show anything about the Cisco driver and, from what I can see, is completely unrelated to the audio drivers as well. This has been the type of runaround I've been dealing with for the past month trying to track this down. It seems like every time I identify a source of problems, something else pops up, which makes me think it is hardware related, but everything I try ends up leading nowhere. I guess what I'm saying is thanks again for all your help :)
 


Code:
2: kd> .bugcheck
Bugcheck code 0000003B
Arguments 00000000`c0000005 fffff800`03272ac5 fffff880`08d77480 00000000`00000000

//System service exception

2: kd> kn
 # Child-SP          RetAddr           Call Site
00 fffff880`08d76bb8 fffff800`0327a169 nt!KeBugCheckEx //BSOD
01 fffff880`08d76bc0 fffff800`03279abc nt!KiBugCheckDispatch+0x69 //Unresolved exception, bugcheck
02 fffff880`08d76d00 fffff800`032a575d nt!KiSystemServiceHandler+0x7c //Execute System Service Handler
03 fffff880`08d76d40 fffff800`032a4535 nt!RtlpExecuteHandlerForException+0xd //Transfer control to the Exception Handler
04 fffff880`08d76d70 fffff800`032b54c1 nt!RtlDispatchException+0x415 //Dispatch Exception Handler
05 fffff880`08d77450 fffff800`0327a242 nt!KiDispatchException+0x135
06 fffff880`08d77af0 fffff800`03278b4a nt!KiExceptionDispatch+0xc2 //Exception
07 fffff880`08d77cd0 fffff800`03272ac5 nt!KiGeneralProtectionFault+0x10a //General protection fault, access violation
08 fffff880`08d77e60 fffff800`033aed0e nt!ExpInterlockedPopEntrySListFault16 //Remove interlocked list entry within a singly linked list
09 fffff880`08d77e70 fffff800`0324627e nt!ExAllocatePoolWithTag+0xfe //Allocate pool
0a fffff880`08d77f60 fffff880`013497b7 nt!FsRtlInsertPerFileObjectContext+0x6a //Insert file object into a particular context
0b fffff880`08d77fa0 00000000`00000000 fltmgr!TargetedIOCtrlAttachAsFoCtx+0x107 //Filter manager, I/O function

2: kd> .cxr 0xfffff88008d77480;r
rax=000000050b310028 rbx=fffffa8010290740 rcx=fffff88003165be0
rdx=1117000210098bd1 rsi=0000000000000006 rdi=0000000000000000
rip=fffff80003272ac5 rsp=fffff88008d77e60 rbp=fffff88003165be0
 r8=1117000210098bd0  r9=fffff80003205000 r10=fffff88003165be0
r11=0000000000000000 r12=fffff8000340a580 r13=0000000000000000
r14=0000000000000002 r15=0000000058434f46
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
nt!ExpInterlockedPopEntrySListFault16:
fffff800`03272ac5 498b08          mov     rcx,qword ptr [r8] ds:002b:11170002`10098bd0=????????????????
//Non addressable code, looks like a bad pointer

This looks more like a bad driver, although bad RAM could be a possibility.
I've got a few suspicions on the cause, but we'll wait and see.

I suggest you run Memtest86 for at least 8 passes.

Which one should I download?


You have two options to choose from: you can either download the ISO version, then burn it to a CD and boot it from there.
The other option is downloading the auto installer for USB sticks, you then boot from that USB stick.
Be warned though, it will format your USB then install the files needed to make it bootable so any files left over will be wiped off.

Download it here:

Memtest86+ - Advanced Memory Diagnostic Tool

So how does it work?

It works by writing a series of test patterns to most memory addresses over 9 tests, it then reads the data back to compare it for errors.

The default pass does 9 different tests varying in access patterns and test data. A tenth test is optional from the menu; it writes all the memory with zeroes, then sleeps for 90 minutes and compares it to see if any addresses have changed. This takes 3 hours per pass each time.

My memtest86 isn't booting! What should I do?

This can be caused by a number of different reasons; common ones include your BIOS not using the correct settings, so you might want to change your boot priority order.
Other causes include your motherboard not supporting bootable USB sticks, in which case you'll need to use a CD (or floppy drive).

Any other issues you might want to look here:

FAQ : please read before posting

Also, can you get me a Full Memory Dump?

Go to Start
Right click My Computer
Select Properties
Click Advanced system settings
Click on the Advanced tab
Select Settings under Startup and Recovery
Then under Write debugging information select Complete memory dump.

Once a dump is created go to:

Code:
C:\Windows\memory.dmp

Copy the file to the desktop, zip it up and upload it to a file sharing site like Onedrive. After the upload is done post the download link in your next reply.
 
I'm running the memtest86 (default configuration) now from a USB stick. It's only 25% through pass 2 (so far no errors) and has been running for almost 2 hrs, so we still have quite a while.

I didn't read your request for the full memory dump until after I started the test but full memory dumps are already enabled on the machine and I'll provide one from the most recent crash as soon the memtest is done.

btw, would you like me to also run the 90min bit fade test option overnight? Or do you think that the default tests would be sufficient?
 
The default test is perfectly sufficient. The 90min bit fade is optional, you can do it, although it's not required.
All it does is fill your RAM with zeroes, then goes to sleep for 90 minutes, then checks to see if they have changed, if so you have bit corruption and bad RAM, if not then you're fine.
 
Working on Pass 5 with no errors currently. However, remember the loaner PC I mentioned in my initial post?

Well, I've been using it for the past few hours (no external hardware plugged in) and I've gotten 2 bluescreens and another lockup. It was strange, screen stopped updating and stopped responding to all KB/touchpad input. It powered down immediately when I hit the power button (usually the power button has to be held in for several seconds for this to happen).

I can't help but think that these BSOD are related to the other machine, but I don't want to clutter this thread with potential red herrings. Of course, if they are related, my guess would be that it either has to be the VPN driver or it would have to be some sort of malware (although MalwareBytes and AV scans have come back clean every time I ran them on the main PC).

Do you want me to post logs from this machine here? Or should I make a new thread? I've been digging around in the "learn to analyze crash dump" tutorials on this site, but at the moment it's mostly Greek to me. Being a software developer, I understand the concepts, but I'm missing the answers to "where do I go from here" since I have no experience with this stuff.
 
It's difficult to say, we'll have to see what dumps we get.
By all means, post the logs on this thread, don't bother creating a new one.
 
OK, since I can't seem to edit my previous posts to explain the 2 laptops situation better, from this point forward, I will refer to my main laptop (the one this thread has been about up to this point) as Laptop#1 and the loaner laptop as Laptop#2. I will try to keep individual posts about a single machine to reduce confusion.

Results of the memtest86 testing.

10 passes, 0 errors, ran for ~11.5hrs. couldn't find a results log so here is a photo I snapped with my phone:
memtest86resultsLaptop1.jpg

link to full dump as promised from previous BSOD (the one posted at 10:40AM according to the forum timestamp).
https://onedrive.live.com/redir?resid=469B5CD55B3DC661!7142&authkey=!AC1iRG8ukQbNO3s&ithint=file,zip

And last but not least attached is my latest dump file from a crash about 10mins ago (while typing this post...grrr).
 


MemoryLaptop1 - I'd wager if both of the devices you're having problems with are work-issued, they're probably both running Trend. Are they both also running dtniq.exe?

Code:
// The crashing thread:
2: kd> !thread fffffa800a337b50
THREAD fffffa800a337b50  Cid 0c54.1154  Teb: 000007fffff5c000 Win32Thread: 0000000000000000 RUNNING on processor 2
IRP List:
    fffffa80108eebd0: (0006,0430) Flags: 00000884  Mdl: 00000000
Not impersonating
DeviceMap                 fffff8a000008aa0
Owning Process            fffffa800d3ae060       Image:         TmListen.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      1075956        Ticks: 0
Context Switch Count      95395          IdealProcessor: 2             
UserTime                  00:00:00.936
KernelTime                00:00:01.809
Win32 Start Address 0x00000001402d05a0
Stack Init fffff88008d78c70 Current fffff88008d779c0
Base fffff88008d79000 Limit fffff88008d73000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5


Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`08d76bb8 fffff800`0327a169 : 00000000`0000003b 00000000`c0000005 fffff800`03272ac5 fffff880`08d77480 : nt!KeBugCheckEx
fffff880`08d76bc0 fffff800`03279abc : fffff880`08d77c28 fffff880`08d77480 00000000`00000000 fffff800`032a5c50 : nt!KiBugCheckDispatch+0x69
fffff880`08d76d00 fffff800`032a575d : fffff800`0349d81c fffff800`033c1bf0 fffff800`03205000 fffff880`08d77c28 : nt!KiSystemServiceHandler+0x7c
fffff880`08d76d40 fffff800`032a4535 : fffff800`033ca6c4 fffff880`08d76db8 fffff880`08d77c28 fffff800`03205000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`08d76d70 fffff800`032b54c1 : fffff880`08d77c28 fffff880`08d77480 fffff880`00000000 00000000`00000000 : nt!RtlDispatchException+0x415
fffff880`08d77450 fffff800`0327a242 : fffff880`08d77c28 fffffa80`10290740 fffff880`08d77cd0 00000000`00000006 : nt!KiDispatchException+0x135
fffff880`08d77af0 fffff800`03278b4a : fffff800`033b58b8 fffffa80`0df9d960 00000000`00004808 00000000`00004808 : nt!KiExceptionDispatch+0xc2
fffff880`08d77cd0 fffff800`03272ac5 : fffffa80`10290740 fffff800`033aed0e 00000000`00000000 00000000`00100001 : nt!KiGeneralProtectionFault+0x10a (TrapFrame @ fffff880`08d77cd0)
fffff880`08d77e60 fffff800`033aed0e : 00000000`00000000 00000000`00100001 00000000`00000900 00000000`00000000 : nt!ExpInterlockedPopEntrySListFault16
fffff880`08d77e70 fffff800`0324627e : fffff8a0`1adb5290 fffffa80`10290740 fffffa80`0a00e210 00000000`000000b4 : nt!ExAllocatePoolWithTag+0xfe
fffff880`08d77f60 fffff880`013497b7 : 00000000`00000000 00000000`00000000 fffffa80`0774fde0 00000000`00000000 : nt!FsRtlInsertPerFileObjectContext+0x6a
fffff880`08d77fa0 fffff880`0134c270 : fffffa80`00000060 fffffa80`10ae4c98 fffffa80`06f36010 fffffa80`10ae4c98 : fltmgr!TargetedIOCtrlAttachAsFoCtx+0x107
fffff880`08d77ff0 fffff880`01349afe : fffffa80`10ae4c98 00000000`0000004e 00000000`00000000 00000000`0000004e : fltmgr!FltpNormalizeNameComponent+0x1c0
fffff880`08d780f0 fffff880`0134af81 : fffffa80`0000005a 00000000`0000005a 00000000`0000004f 00000000`00000000 : fltmgr!FltpExpandShortNames+0x14e
fffff880`08d78150 fffff880`0134ae1e : fffffa80`06f36010 fffff880`01340000 00000000`00000000 00000000`00000000 : fltmgr!FltpGetNormalizedFileNameWorker+0xc1
fffff880`08d78190 fffff880`0132c4fb : fffffa80`073c8000 00000000`00000000 fffffa80`0a00e1a0 fffff880`08d79000 : fltmgr!FltpCreateFileNameInformation+0xee
fffff880`08d781f0 fffff880`01337b44 : 00000000`00008000 fffffa80`0a00e1a0 00000000`00000000 00000000`00000401 : fltmgr!FltpGetFileNameInformation+0x26b
fffff880`08d78270 fffff880`0137b36b : fffffa80`06f36010 fffff8a0`19a1fcc0 00000000`00000001 fffff880`08d783a0 : fltmgr!FltGetFileNameInformation+0x184
fffff880`08d78300 fffff880`01379bdb : fffff140`33b58667 00000000`00000001 00000000`00000000 00000000`0004a508 : fileinfo!FIStreamGetInfo+0x11f
fffff880`08d78380 fffff880`0132a288 : 00000000`00000000 fffff8a0`19a1fcc0 fffffa80`108eefb8 00000000`00000000 : fileinfo!FIPostCreateCallback+0x1c7
fffff880`08d78410 fffff880`01328d1b : fffffa80`07762030 fffffa80`10ad6220 fffffa80`0a166770 fffffa80`0a166990 : fltmgr!FltpPerformPostCallbacks+0x368
fffff880`08d784e0 fffff880`013482b9 : fffffa80`108eebd0 fffffa80`0774f5a0 fffffa80`108eeb00 fffffa80`0774fde0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
fffff880`08d78570 fffff800`0357aefc : 00000000`00000005 fffffa80`0e50ba58 fffffa80`102f6490 00000000`00000000 : fltmgr!FltpCreate+0x2a9
fffff880`08d78620 fffff800`03576878 : fffffa80`07653cd0 fffff800`00000000 fffffa80`0e50b8a0 fffffa80`00000001 : nt!IopParseDevice+0x14d3
fffff880`08d78780 fffff800`03577a96 : 00000000`00000000 fffffa80`0e50b8a0 fffff880`08d78890 fffffa80`06a02f30 : nt!ObpLookupObjectName+0x588
fffff880`08d78870 fffff800`0357939c : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!ObOpenObjectByName+0x306
fffff880`08d78940 fffff800`03584994 : 00000000`0a7fdfe8 00000000`80100080 00000000`0a7fe038 00000000`0a7fdff8 : nt!IopCreateFile+0x2bc
fffff880`08d789e0 fffff800`03279e53 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateFile+0x78
fffff880`08d78a70 00000000`76f3180a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`08d78ae0)
00000000`0a7fdf68 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76f3180a

// Looking at the Exception record:
2: kd> .exr  0xfffff880`08d77c28 
ExceptionAddress: fffff80003272ac5 (nt!ExpInterlockedPopEntrySListFault16)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

// Indeed the trap is on the same thread, so....
2: kd> kn
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 fffff880`08d77e60 fffff800`033aed0e nt!ExpInterlockedPopEntrySListFault16
01 fffff880`08d77e70 fffff800`0324627e nt!ExAllocatePoolWithTag+0xfe
02 fffff880`08d77f60 fffff880`013497b7 nt!FsRtlInsertPerFileObjectContext+0x6a
03 fffff880`08d77fa0 fffff880`0134c270 fltmgr!TargetedIOCtrlAttachAsFoCtx+0x107
04 fffff880`08d77ff0 fffff880`01349afe fltmgr!FltpNormalizeNameComponent+0x1c0
05 fffff880`08d780f0 fffff880`0134af81 fltmgr!FltpExpandShortNames+0x14e
06 fffff880`08d78150 fffff880`0134ae1e fltmgr!FltpGetNormalizedFileNameWorker+0xc1
07 fffff880`08d78190 fffff880`0132c4fb fltmgr!FltpCreateFileNameInformation+0xee
08 fffff880`08d781f0 fffff880`01337b44 fltmgr!FltpGetFileNameInformation+0x26b
09 fffff880`08d78270 fffff880`0137b36b fltmgr!FltGetFileNameInformation+0x184
0a fffff880`08d78300 fffff880`01379bdb fileinfo!FIStreamGetInfo+0x11f
0b fffff880`08d78380 fffff880`0132a288 fileinfo!FIPostCreateCallback+0x1c7
0c fffff880`08d78410 fffff880`01328d1b fltmgr!FltpPerformPostCallbacks+0x368
0d fffff880`08d784e0 fffff880`013482b9 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x39b
0e fffff880`08d78570 fffff800`0357aefc fltmgr!FltpCreate+0x2a9
0f fffff880`08d78620 fffff800`03576878 nt!IopParseDevice+0x14d3
10 fffff880`08d78780 fffff800`03577a96 nt!ObpLookupObjectName+0x588
11 fffff880`08d78870 fffff800`0357939c nt!ObOpenObjectByName+0x306
12 fffff880`08d78940 fffff800`03584994 nt!IopCreateFile+0x2bc
13 fffff880`08d789e0 fffff800`03279e53 nt!NtCreateFile+0x78
14 fffff880`08d78a70 00000000`76f3180a nt!KiSystemServiceCopyEnd+0x13
15 00000000`0a7fdf68 00000000`00000000 0x76f3180a


// ...was the IRP associated with this thread active at the time...:
2: kd> !irp fffffa80108eebd0
Irp is active with 12 stacks 12 is current (= 0xfffffa80108eefb8)
 No Mdl: No System Buffer: Thread fffffa800a337b50:  Irp stack trace.  
     cmd  flg cl Device   File     Completion-Context
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [N/A(0), N/A(0)]
            0  0 00000000 00000000 00000000-00000000    


			Args: 00000000 00000000 00000000 00000000
 [IRP_MJ_CREATE(0), N/A(0)]
            0  0 fffffa8007762030 00000000 fffff8800132a8f0-fffffa8010ad60d0    
	       \FileSystem\Ntfs	fltmgr!FltpSynchronizedOperationCompletion
			Args: 00000000 00000000 00000000 00000000
>[IRP_MJ_CREATE(0), N/A(0)]
            0  0 fffffa800774fde0 fffffa80102f6490 00000000-00000000    
	       \FileSystem\FltMgr
			Args: fffff88008d78728 02000060 00000080 00000000



// ...and what file was it accessing?  A .tmp file used by OfficeScan being accessed by the fltmgr:
2: kd> !fileobj fffffa80102f6490


\Program Files (x86)\Trend Micro\OfficeScan Client\Temp\Sen2415.tmp


Device Object: 0xfffffa8007653cd0   \Driver\volmgr
Vpb: 0xfffffa8007652a20
Access: Read 


Flags:  0x42
	Synchronous IO
	Cache Supported


FsContext: 0xfffff8a019a4a7a0	FsContext2: 0xfffff8a019a4a990
CurrentByteOffset: 0
Cache Data:
  Section Object Pointers: fffffa800cfc27b8
  Shared Cache Map: 00000000



It looks like A/V behavior, but again I must reiterate that I did notice that a process named dtniq.exe was suspended, so I'm not sure what's going on there, and I have no idea what that process is or does. It could be something, or it could be nothing, but it is there.
 
