BSOD - Windows 10x64 Pro- NTOSKRNL.EXE / hal.dll

runuts

Member
Joined
Jul 26, 2017
Posts
19
Location
Cincinnati
Have been fighting a recurring BSOD issue for the past couple of weeks. All appear to point to ntoskrnl.exe and hall.dll, but the BSOD messages vary. Some system files report inaccurate dates (including hal.dll), but actual file size and date match other systems. Previously, sfc/scannow and DISM failed to fix problems. Yesterday system became more unstable, tried a repair install from fresh Windows 10 DVD, appeared to install, but security warning at final boot and then system rolled back. Ran Kaspersky malware scan, system comes up clean. SFCFix will not run.

· OS - Windows 10, 8.1, 8, 7, Vista ? - Windows 10
· x86 (32-bit) or x64 ? x64
· What was original installed OS on system? Windows 8.1
· Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)? Windows 10 upgraded from retail version of 8.1
· Age of system (hardware) System is approximately six years old. Samsung SSD 840, 1 TB installed new with Windows 8.1
· Age of OS installation - have you re-installed the OS? OS will not reinstall. Enter setup from a flash drive, mounted image, or DVD and Windows 10 appears to complete a repair install, but after final boot, it rolls back to prior installation. Yesterday system became unbootable, completely. After several hours working with Bootrec, I was able to get the system running. Previously had tried repairs using DISM and SFC/Scannow which reported corrupt files, but could not repair. SFCFix will not run.

· CPU - AMD A6-3650
· Video Card ASUS R9 290 DirectCU II OC 4GB
· MotherBoard - (if NOT a laptop) GIGABYTE GA-A75M-UD2H
· Power Supply - brand & wattage (if laptop, skip this one) Corsair CX750

· System Manufacturer Originally a Medion, but internals replaced with new motherboard, graphics, and power supply. Using a Samsung 840 SSD, 1 TB boot drive.
· Exact model number (if laptop, check label on bottom)

· Laptop or Desktop? Desktop
 
Screenshot of HD Tune, Health and Error Scan tabs. No issues reported. I have downloaded MemTest86+ and will run before I go home. Did run Windows memory test previously with no issues reported.
 

Attachments

  • HD_Tune_Error_Scan.jpg
    HD_Tune_Error_Scan.jpg
    123.6 KB · Views: 4
  • HD_Tune_Health_Tab.jpg
    HD_Tune_Health_Tab.jpg
    81.8 KB · Views: 5
Code:
[COLOR=#ff0000]BugCheck 139[/COLOR], {[COLOR=#0000cd]3[/COLOR], ffff9a80a379bde0, [COLOR=#008000]ffff9a80a379bd38[/COLOR], 0}

Probably caused by : ntkrnlmp.exe ( nt!KiFastFailDispatch+d0 )

The first parameter of the bugcheck indicates that a LIST_ENTRY has been corrupted in some manner. This is the typical linked list data structure. The third parameter contains the address of the exception record which will provide us with some details of how the exception was caused.

Code:
3: kd> [COLOR=#008000].exr 0xffff9a80a379bd38[/COLOR]
ExceptionAddress: fffff80029a600f5 ([COLOR=#ff0000]nt!CmpCreateKeyControlBlock[/COLOR]+0x00000000001afd95)
   ExceptionCode: [COLOR=#0000cd]c0000409[/COLOR] (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003
Subcode: [COLOR=#ff0000]0x3 FAST_FAIL_CORRUPT_LIST_ENTRY[/COLOR]

The exception code is quite generic and applies to a range of different circumstances. NTSTATUS error codes will typically be prefixed with 0xC; we can dump the status code:

Code:
3: kd> [COLOR=#008000]!error c0000409[/COLOR] 
Error code: (NTSTATUS) 0xc0000409 (3221226505) - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

The sub-code of the exception is slightly more interesting, and indicates the security assertion feature which is used to check list operations, a fast fail error shows us that no exception handling will be invoked and the system will immediately BSOD itself.

Let's unwind the call stack, and the instruction which appears to have caused the bugcheck:

Code:
3: kd> [COLOR=#008000]knL[/COLOR]
 # Child-SP          RetAddr           Call Site
00 ffff9a80`a379bab8 fffff800`295fe8a9 nt!KeBugCheckEx
01 ffff9a80`a379bac0 fffff800`295fec10 [COLOR=#ff0000]nt!KiBugCheckDispatch+0x69[/COLOR] << Our BSOD is dispatched
02 ffff9a80`a379bc00 fffff800`295fdbf7 [COLOR=#ff0000]nt!KiFastFailDispatch+0xd0[/COLOR] << This our FAST_FAIL_CORRUPT_LIST_ENTRY exception
03 ffff9a80`a379bde0 [COLOR=#0000ff]fffff800`29a600f5[/COLOR] [COLOR=#ff0000]nt!KiRaiseSecurityCheckFailure+0xf7[/COLOR] << The bugcheck process is intitated here
04 ffff9a80`a379bf70 fffff800`29920be7 nt!CmpCreateKeyControlBlock+0x1afd95
05 ffff9a80`a379c000 fffff800`2992495b nt!CmpWalkOneLevel+0x5c7
06 ffff9a80`a379c140 fffff800`2992f306 nt!CmpDoParseKey+0x134b
07 ffff9a80`a379c520 fffff800`2992961b nt!CmpParseKey+0x266
08 ffff9a80`a379c6f0 fffff800`2992d150 nt!ObpLookupObjectName+0x46b
09 ffff9a80`a379c8c0 fffff800`2992de54 nt!ObOpenObjectByNameEx+0x1e0
0a ffff9a80`a379ca00 fffff800`29930b7f nt!CmOpenKey+0x274
0b ffff9a80`a379cc00 fffff800`295fe413 nt!NtOpenKeyEx+0xf
0c ffff9a80`a379cc40 00007ffe`36aa7634 nt!KiSystemServiceCopyEnd+0x13
0d 000000f6`3a67cb78 00000000`00000000 0x00007ffe`36aa7634

We can disassemble the return address and find the following:

Code:
3: kd> [COLOR=#008000]ub fffff800`29a600f5[/COLOR]
nt!CmpCreateKeyControlBlock+0x1afd77:
fffff800`29a600d7 eb0a            jmp     nt!CmpCreateKeyControlBlock+0x1afd83 (fffff800`29a600e3)
fffff800`29a600d9 e5ff            in      eax,0FFh
fffff800`29a600db b903000000      mov     ecx,3 << Exception Code
fffff800`29a600e0 cd29            int     [COLOR=#ff0000]29h[/COLOR] << Exception Invoked
fffff800`29a600e2 488d0df7f0d8ff  lea     rcx,[nt!CmpAllocBucketLock (fffff800`297ef1e0)]
fffff800`29a600e9 e892a6a8ff      call    nt!ExReleaseFastMutex (fffff800`294ea780)
fffff800`29a600ee eb0d            jmp     nt!CmpCreateKeyControlBlock+0x1afd9d (fffff800`29a600fd)
fffff800`29a600f0 b903000000      mov     ecx,3

I've dumped the IDT entry from a different dump file, but the information is the exact same:

Code:
6: kd> [COLOR=#008000]!idt 29h[/COLOR]

Dumping IDT: ffffe480d98ac000

29:    fffff8013b97ab00 [COLOR=#ff0000]nt!KiRaiseSecurityCheckFailure[/COLOR]

I've also dumped the raw stack, and it appears that there was some transversal within the registry:

Code:
3: kd> [COLOR=#008000]!dpx[/COLOR]
Start memory scan  : 0xffff9a80a379bab8 ($csp)
End memory scan    : 0xffff9a80a379d000 (Stack Base)

               rsp : 0xffff9a80a379bab8 : 0xfffff800295fe8a9 : nt!KiBugCheckDispatch+0x69
0xffff9a80a379bab8 : 0xfffff800295fe8a9 : nt!KiBugCheckDispatch+0x69
0xffff9a80a379bbd0 : 0xfffff800297ef1c0 : nt!CmpFreeKCBListHead
0xffff9a80a379bbf8 : 0xfffff800295fec10 : nt!KiFastFailDispatch+0xd0
0xffff9a80a379bcd8 : 0xfffff800294edd81 : nt!SepNormalAccessCheck+0x281
0xffff9a80a379bd10 : 0xfffff800297ef1c0 : nt!CmpFreeKCBListHead
0xffff9a80a379bd88 : 0xffffe089c398a9d0 :  [COLOR=#ff0000]!da ""Advapi  0""[/COLOR]
0xffff9a80a379bdb8 : 0xfffff800294ed5dd : nt!SepAccessCheck+0x31d
0xffff9a80a379bdc8 : 0xffffe089c398a9d0 : [COLOR=#ff0000] !da ""Advapi  0""[/COLOR]
0xffff9a80a379bdd0 : 0xffffe089c398a9d0 :  [COLOR=#ff0000]!da ""Advapi  0""[/COLOR]
0xffff9a80a379bdd8 : 0xfffff800295fdbf7 : nt!KiRaiseSecurityCheckFailure+0xf7
0xffff9a80a379bde0 : 0x0000000000000000 :  Trap @ ffff9a80a379bde0
0xffff9a80a379be20 : 0xfffff800297ef1e0 : nt!CmpAllocBucketLock
0xffff9a80a379be58 : 0xffffe089d12d8462 :  [COLOR=#ff0000]!du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379be68 : 0xffffe089d12d8462 :  [COLOR=#ff0000]!du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379bee8 : 0xffffe089c398a9d0 :  [COLOR=#ff0000]!da ""Advapi  0""[/COLOR]
0xffff9a80a379bf18 : 0xfffff800294c426c : nt!KeAbPreAcquire+0xec
0xffff9a80a379bf28 : 0xfffff800297ef1e0 : nt!CmpAllocBucketLock
0xffff9a80a379bf98 : 0xfffff800294e843d : nt!HvpMapEntryGetBlockAddress+0x4d
0xffff9a80a379bfb8 : 0xfffff800299231a5 : nt!HvpReleaseCellPaged+0x75
0xffff9a80a379bff8 : 0xfffff80029920be7 : nt!CmpWalkOneLevel+0x5c7
0xffff9a80a379c0c8 : 0xffffe089d12d8462 :  [COLOR=#ff0000]!du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c248 : 0xffffe089d12d8430 :  [COLOR=#ff0000]!du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c2e8 : 0xfffff80008ec5f80 : FLTMGR!FltpPerformFastIoCall+0x280
0xffff9a80a379c300 : 0xffffe089d12d8462 :  [COLOR=#ff0000]!du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c378 : 0xfffff80008ec45cc : FLTMGR!FltpFreeIrpCtrl+0x11c
0xffff9a80a379c3f8 : 0xfffff800294e89f7 : nt!ExpAcquireResourceSharedLite+0x97
0xffff9a80a379c400 : 0xffffe089c398a9d0 :  [COLOR=#ff0000]!da ""Advapi  0""[/COLOR]
0xffff9a80a379c408 : 0xfffff80029c317c8 : nt!SepMediumDaclSd
0xffff9a80a379c438 : 0xffffe089d12d8430 :  [COLOR=#ff0000]!du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c448 : 0xffffe089d12d8442 :  [COLOR=#ff0000]!du "CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c458 : 0xffffe089d12d8452 :  [COLOR=#ff0000]!du "TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c468 : 0xffffe089d12d8462 :  [COLOR=#ff0000]!du "{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c4c8 : 0xfffff800294ec714 : nt!SeAccessCheckWithHint+0x604
0xffff9a80a379c518 : 0xfffff8002992f306 : nt!CmpParseKey+0x266
0xffff9a80a379c528 : 0xfffff800294ea059 : nt!ExAcquirePushLockExclusiveEx+0xe9
0xffff9a80a379c568 : 0xfffff8002992a865 : nt!ObpIncrementHandleCountEx+0x255
0xffff9a80a379c578 : 0xffffe089d12d8430 :  [COLOR=#ff0000]!du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c6a8 : 0xffffe089d12d8430 :  [COLOR=#ff0000]!du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c6c8 : 0xfffff80029487000 : "nt!TmInitSystemPhase2 <PERF> (nt+0x0)"
0xffff9a80a379c6d8 : 0xfffff8002992f0a0 : nt!CmpParseKey
0xffff9a80a379c6e8 : 0xfffff8002992961b : nt!ObpLookupObjectName+0x46b
0xffff9a80a379c708 : 0xfffff80029923101 : nt!HvpGetCellPaged+0x71
0xffff9a80a379c768 : 0xffffe089d12d8430 :  [COLOR=#ff0000]!du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c7a8 : 0xfffff8002992da91 : nt!ObpCaptureObjectName+0x151
0xffff9a80a379c7e0 : 0xffffe089d12d8430 :  [COLOR=#ff0000]!du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c7e8 : 0xfffff800294eae83 : nt!ExReleaseResourceLite+0xa3
0xffff9a80a379c848 : 0xfffff80029922f29 : nt!CmQueryValueKey+0x4e9
0xffff9a80a379c858 : 0xfffff800294e89f7 : nt!ExpAcquireResourceSharedLite+0x97
0xffff9a80a379c8b8 : 0xfffff8002992d150 : nt!ObOpenObjectByNameEx+0x1e0
0xffff9a80a379c960 : 0xffffe089d12d8430 :  [COLOR=#ff0000]!du "SOFTWARE\CLASSES\TYPELIB\{B5382653-DAEB-4A48-BF96-CA9BA654CA78}\1.0"[/COLOR]
0xffff9a80a379c980 : 0xffffe089c398a9d0 :  [COLOR=#ff0000]!da ""Advapi  0""[/COLOR]
0xffff9a80a379c9f8 : 0xfffff8002992de54 : nt!CmOpenKey+0x274
0xffff9a80a379cbf8 : 0xfffff80029930b7f : nt!NtOpenKeyEx+0xf
0xffff9a80a379cc38 : 0xfffff800295fe413 : nt!KiSystemServiceCopyEnd+0x13
0xffff9a80a379cc40 : 0xffffaa8558214080 :  Trap @ ffff9a80a379cc40

To my knowledge, I believe that the Windows Registry uses linked lists in order to maintain its internal block, and from the bugcheck, it appears that a driver has attempted to add an update to the registry with disasterous results.

The Cm prefix is the Configuration Manager, which is the technical term for the Windows Registry. Essentially, from the call stack it appears that a registry key was opened and a Key Control Block (_CM_KEY_CONTROL_BLOCK) was going to be created, however, an error occured during the creation resulting in the crash. This may also explain the bugcheck which is Stop 0x109.

Code:
3: kd> [COLOR=#008000]!reg openkeys[/COLOR]

CmpMasterHive couldn't be read(2)

Some exploration I would like to do isn't going to work with a Minidump. Could you please check the following directory for any Kernel Memory Dumps?

Code:
%systemroot%\MEMORY.DMP

Please following softwaremanic's instructions, and if no errors are raised, I would consider running Driver Verifier for 48 hours using the following instructions - Driver Verifier - BSOD related - Windows 10, 8.1, 8, 7 & Vista
 
Yes. There is a large MEMORY.DMP file. 823 MB. Zipped, it is still 157 MB. Is there something I can check on this end and report back?

Some exploration I would like to do isn't going to work with a Minidump. Could you please check the following directory for any Kernel Memory Dumps?

Code:
%systemroot%\MEMORY.DMP
 
When I load the MEMORY.DMP file in windbg, I find the following:
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 109, {a39ff16440582796, 0, 65f4713cf80ce013, 101}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------
 
Clicking on !analyze -v provides:
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
or data. See Access Denied
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a39ff16440582796, Reserved
Arg2: 0000000000000000, Reserved
Arg3: 65f4713cf80ce013, Failure type dependent information
Arg4: 0000000000000101, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
8 : Object type
9 : A processor IVT
a : Modification of a system service function
b : A generic session data region
c : Modification of a session function or .pdata
d : Modification of an import table
e : Modification of a session import table
f : Ps Win32 callout modification
10 : Debug switch routine modification
11 : IRP allocator modification
12 : Driver call dispatcher modification
13 : IRP completion dispatcher modification
14 : IRP deallocator modification
15 : A processor control register
16 : Critical floating point control register modification
17 : Local APIC modification
18 : Kernel notification callout modification
19 : Loaded module list modification
1a : Type 3 process list corruption
1b : Type 4 process list corruption
1c : Driver object corruption
1d : Executive callback object modification
1e : Modification of module padding
1f : Modification of a protected process
20 : A generic data region
21 : A page hash mismatch
22 : A session page hash mismatch
23 : Load config directory modification
24 : Inverted function table modification
25 : Session configuration modification
26 : An extended processor control register
27 : Type 1 pool corruption
28 : Type 2 pool corruption
29 : Type 3 pool corruption
2a : Type 4 pool corruption
101 : General pool corruption
102 : Modification of win32k.sys

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 15063.0.amd64fre.rs2_release.170317-1834

SYSTEM_MANUFACTURER: Gigabyte Technology Co., Ltd.

SYSTEM_PRODUCT_NAME: GA-A75M-UD2H

BIOS_VENDOR: Award Software International, Inc.

BIOS_VERSION: F6

BIOS_DATE: 09/28/2012

BASEBOARD_MANUFACTURER: Gigabyte Technology Co., Ltd.

BASEBOARD_PRODUCT: GA-A75M-UD2H

DUMP_TYPE: 1

BUGCHECK_P1: a39ff16440582796

BUGCHECK_P2: 0

BUGCHECK_P3: 65f4713cf80ce013

BUGCHECK_P4: 101

PG_MISMATCH: 200000000000

MEMORY_CORRUPTOR: ONE_BIT

CPU_COUNT: 4

CPU_MHZ: a28

CPU_VENDOR: AuthenticAMD

CPU_FAMILY: 12

CPU_MODEL: 1

CPU_STEPPING: 0

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x109

PROCESS_NAME: csrss.exe

CURRENT_IRQL: 2

ANALYSIS_SESSION_HOST: HERM-HARRISON

ANALYSIS_SESSION_TIME: 07-31-2017 09:39:24.0874

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

STACK_TEXT:
ffff8c81`85a5aeb8 00000000`00000000 : 00000000`00000109 a39ff164`40582796 00000000`00000000 65f4713c`f80ce013 : nt!KeBugCheckEx


STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 81a83ae0317433a47fcc36991983df3b6e638b71

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 6e16edd8c7dd677734fdbcd2397a2e35e9fae964

THREAD_SHA1_HASH_MOD: 76cd06466d098060a9eb26e5fd2a25cb1f3fe0a3

SYMBOL_NAME: ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME: Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

BUCKET_ID: MEMORY_CORRUPTION_ONE_BIT

PRIMARY_PROBLEM_CLASS: MEMORY_CORRUPTION_ONE_BIT

TARGET_TIME: 2017-07-28T06:07:02.000Z

OSBUILD: 15063

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-07-07 02:06:35

BUILDDATESTAMP_STR: 170317-1834

BUILDLAB_STR: rs2_release

BUILDOSVER_STR: 10.0.15063.0.amd64fre.rs2_release.170317-1834

ANALYSIS_SESSION_ELAPSED_TIME: a96

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:memory_corruption_one_bit

FAILURE_ID_HASH: {e3faf315-c3d0-81db-819a-6c43d23c63a7}

Followup: MachineOwner
---------
 
You will need to upload the MEMORY.DMP file to another hosting site. You can use Microsoft's OneDrive or Dropbox to upload the file for free.
 
Code:
[COLOR=#ff0000]BugCheck 109[/COLOR], {a39ff16440582796, 0, [COLOR=#008000]65f4713cf80ce013[/COLOR], [COLOR=#0000ff]101[/COLOR]}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

The fourth parameter indicates a type of pool corruption, which leads me to believe that the third parameter may be an corrupted address within a pool page.

Code:
[COLOR=#008000]!pool 65f4713cf80ce013[/COLOR]
Pool page 65f4713cf80ce013 region is Unknown
65f4713cf80ce000 is not a valid large pool allocation, checking large session pool...
Unable to read large session pool table (Session data is not present in mini and kernel-only dumps)
65f4713cf80ce000 is not valid pool. Checking for freed (or corrupt) pool
Address 65f4713cf80ce000 could not be read. It may be a freed, invalid or paged out page

We'll not going to get much information from a Stop 0x109, I would strongly suggest running Driver Verifier using the following instructions - Driver Verifier - BSOD related - Windows 10, 8.1, 8, 7 & Vista
 
We'll not going to get much information from a Stop 0x109, I would strongly suggest running Driver Verifier using the following instructions - Driver Verifier - BSOD related - Windows 10, 8.1, 8, 7 & Vista

Diver Verifier caused a BSOD on first boot, I couldn't catch the complete message, but did get the filename, avgwfpa.sys. Used System Restore to go back and was able to delete AVG in its entirety. Restarted and restarted driver verifier in the background. The system booted without error. I'll let driver verifier run over night and report back with the results.
 
Thanks runuts, hopefully that has resolved the issue. If you don't have another crash, then disable Driver Verifier and continue to use your system normally.
 
Thanks runuts, hopefully that has resolved the issue. If you don't have another crash, then disable Driver Verifier and continue to use your system normally.

Unfortunately the BSOD continue. Two more yesterday and looking at BlueScreenView, two overnight. Verifier has been running now about 24 hours. How should I post the output? Copy and past the output from "verifier/query"?
 
Could you please try and upload an additional dump file? I appear to be getting symbol errors with the current one?
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top