BSOD - Windows 7 Pro x64 - rawo5qot.sys

LBuckingham

Hi guys.

BSOD screen pointed to something called rawo5qot.vbh whilst 'WhoCrashed' reported the culprit as rawo5qot.sys. I have no idea what they're related to and can't find anything on multiple net searches. There's nothing even close anywhere on my PC as far as I can see. Any suggestions as to how I can find more info?

Many thanks
Darren
 
Hi Patrick. Info files attached as requested.

This is on a home-build PC which is updated hardware-wise as and when necessary, so I can't really put an age on it. It's running (and always has) a full retail version of Windows 7 x64. Specs are as follows:

Phenom II x4 955 CPU
HD5750 and HD7450 graphics cards
ASRock 970 Extreme 3 motherboard
Corsair 750w PSU

Many thanks
Darren
 
A little more info:
Have run driver verifier as per the instructions, but this throws the machine into a reboot loop (gets as far as displaying the logo before rebooting).

I'd already run disk and memory checks prior to posting and no problems identified.
 
BSOD code when rebooting after running driver verifier is 0x000000CD. I have to use 'Last known good configuration' to get it to boot up again.
 
Re-enable verifier and let it crash on boot. When it does, boot into safe mode and get the dump on a USB/whatever. Then disable it and upload it here.
 
Did as you asked, but there's no dump file created for the post-verifier BSOD. There's only one dump file and that's the one relating to rawo5qot.
 
Okay, well, I'll debug it w/o verifier:

Code:
3: kd> .bugcheck
Bugcheck code 1000007E
Arguments ffffffff`c0000006 fffff880`0c14dab9 fffff880`0ba5d848 fffff880`0ba5d0a0

Code:
3: kd> .exr fffff880`0ba5d848
ExceptionAddress: fffff8800c14dab9 (rawo5qot+0x0000000000103ab9)
   ExceptionCode: c0000006 (In-page I/O error)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 0000000000000000
   Parameter[1]: 000000001818a9a2
   Parameter[2]: 00000000c000000e
Inpage operation failed at 000000001818a9a2, due to I/O error 00000000c000000e

Okay, so it looks like the unhandled exception occurred due to a failure to read memory from the disk, and whatever rawo5qot is had a say in it.

Code:
3: kd> .cxr fffff880`0ba5d0a0
rax=0000000000000000 rbx=fffff8a03bab5020 rcx=fffff8800ba5dc00
rdx=fffff8800ba5db00 rsi=fffff8a017ae49f3 rdi=000000001818a9a2
rip=fffff8800c14dab9 rsp=fffff8800ba5da80 rbp=0000000000000000
 r8=fffff8800ba5db08  r9=fffff8800ba5db00 r10=0000000000000000
r11=fffff8a017ae4b68 r12=fffff8a03b8e3020 r13=fffff8a017b39590
r14=fffff8a03bab5028 r15=fffff8a017ae4968
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
rawo5qot+0x103ab9:
fffff880`0c14dab9 0fb617          movzx   edx,byte ptr [rdi] ds:002b:00000000`1818a9a2=??

Taking a look at rawo5qot's instruction, it was copying the value at address rdi to edx and zero extending the value.

Code:
3: kd> !pte 000000001818a9a2
                                           VA 000000001818a9a2
PXE at FFFFF6FB7DBED000    PPE at FFFFF6FB7DA00000    PDE at FFFFF6FB40000600    PTE at FFFFF680000C0C50
Unable to get PXE FFFFF6FB7DBED000

Can't check rdi's contents due to small dump restrictions.

Code:
3: kd> k
  *** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
fffff880`0ba5da80 00000000`00000000 rawo5qot+0x103ab9

The only thing in the stack at the time of the crash on the thread was literally just rawo5qot.

So I think the main question we have is, what the hell is rawo5qot?

Code:
3: kd> lmvm rawo5qot
start             end                 module name
fffff880`0c04a000 fffff880`0c254d40   rawo5qot T (no symbols)           
    Loaded symbol image file: rawo5qot.vbt
    Image path: rawo5qot.vbt
    Image name: rawo5qot.vbt
    Timestamp:        Tue Mar 03 11:04:57 2015

It's a .vbt extension, which is an extension that is associated solely with 3rd party antivirus (mostly antimalware) solutions. It can also be malware itself, although I've never personally seen malware masked into a .vbt extension. It's not showing a path, but we can find it if we need to.

You overall have a lot of unnecessary/redundant software that is probably causing conflicts, especially since most of it is 4/5 years old.

1. Emsisoft.

2. CryptBox.

3. Magic ISO.

4. UltraMon:

Code:
3: kd> lmvm ultramonutility
start             end                 module name
fffff880`08812000 fffff880`0881b000   UltraMonUtility   (deferred)             
    Image path: UltraMonUtility.sys
    Image name: UltraMonUtility.sys
    Timestamp:        Thu Nov 13 20:10:30 2008

2008 kernel-mode driver, lol. The amount of bugs in this... I don't even want to know.

Get rid of all of the above.
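
The exception-record walk-through in the post above, as an added example that is not part of the original thread: a Python sketch that parses the `.exr` and `lmvm` output quoted there (abridged), confirms the faulting address lies inside the module, and decodes the three in-page-error parameters. The function names and the small NTSTATUS table are assumptions made for this illustration.

```python
import re

# Subset of NTSTATUS codes relevant to paging I/O failures (names from ntstatus.h).
NTSTATUS = {
    0xC0000006: "STATUS_IN_PAGE_ERROR",
    0xC000000E: "STATUS_NO_SUCH_DEVICE",
    0xC000009C: "STATUS_DEVICE_DATA_ERROR",
    0xC000009D: "STATUS_DEVICE_NOT_CONNECTED",
    0xC0000185: "STATUS_IO_DEVICE_ERROR",
}
# WinDbg output copied (abridged) from the thread above.
EXR = """\
ExceptionAddress: fffff8800c14dab9 (rawo5qot+0x0000000000103ab9)
   ExceptionCode: c0000006 (In-page I/O error)
NumberParameters: 3
   Parameter[0]: 0000000000000000
   Parameter[1]: 000000001818a9a2
   Parameter[2]: 00000000c000000e
"""
LMVM = """\
fffff880`0c04a000 fffff880`0c254d40   rawo5qot T (no symbols)
    Image name: rawo5qot.vbt
"""

def parse_exr(text):
    """Return (exception address, exception code, parameter list) from .exr output."""
    addr = int(re.search(r"ExceptionAddress:\s+([0-9a-f]+)", text).group(1), 16)
    code = int(re.search(r"ExceptionCode:\s+([0-9a-f]+)", text).group(1), 16)
    params = [int(p, 16) for p in re.findall(r"Parameter\[\d+\]:\s+([0-9a-f]+)", text)]
    return addr, code, params

def parse_lmvm(text):
    """Return (start, end, module name, image name) from lmvm output."""
    start, end, name = re.search(r"([0-9a-f`]+)\s+([0-9a-f`]+)\s+(\S+)", text).groups()
    image = re.search(r"Image name:\s+(\S+)", text).group(1)
    return int(start.replace("`", ""), 16), int(end.replace("`", ""), 16), name, image

def triage(exr, lmvm):
    addr, code, params = parse_exr(exr)
    start, end, name, image = parse_lmvm(lmvm)
    report = {"module": name, "image": image,
              "in_module": start <= addr < end, "offset": addr - start,
              "exception": NTSTATUS.get(code, hex(code))}
    # For an in-page error the record carries: access type, faulting VA, underlying I/O status.
    if code == 0xC0000006 and len(params) >= 3:
        report["access"] = {0: "read", 1: "write", 8: "execute"}.get(params[0], "unknown")
        report["faulting_va"] = params[1]
        report["io_status"] = NTSTATUS.get(params[2], hex(params[2]))
    return report
```

Calling `triage(EXR, LMVM)` reports a read at 0x1818a9a2 (the value of rdi in the context record) from offset 0x103ab9 of the module, with the underlying I/O status 0xC000000E resolving to STATUS_NO_SUCH_DEVICE.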
 
Thanks Patrick. Just a couple of things..

Emsisoft Anti-malware - This isn't actually installed. There's an option to get rid of the program files folder when uninstalling - I must not have ticked the checkbox.

Cryptbox - I'd struggle to live without this. It's a relatively recent purchase from Abelssoft and just creates encrypted vaults.

Magic ISO - Can't find this anywhere on my PC

Ultramon - If I continue to suffer problems, I'll uninstall and test. If possible, I'd like to keep it. Though the last update was 2012, it doesn't appear to have caused any problems in the several years I've been running it.

Thanks again
 
Sure, the last update was 2012, but not to their kernel driver.

In any case, I'd really need a driver verifier crash dump (and memory.dmp at that) to give a definitive answer. It's 100% guesswork right now. Ensure all of this is in place, and check again for a dump named MEMORY.DMP in C:\Windows:

1. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all drives'.

2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

3. Double check that the WERS is ENABLED:

Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.
 
I think I need to put this on hold, at least for a little while. Other issues have started surfacing (long before it gets as far as Windows). I think my mobo may be on its way out, so it obviously makes sense to get to the bottom of that first.

Many, many thanks for your help to this point Patrick. As soon as I get the other issues sorted, I'll post again.
 
Well I was actually going to mention that your HDD is a possibility as well, considering the inpage errors. I'd replace that first before the board.
 
Well the problem I'm having now is with the SATA ports on the mb - which I assume would manifest itself in what you're seeing. Basically, the BIOS seems to be having trouble picking up the drives consistently. Most of the time it's picking up all 4, occasionally 3, 2 or even just 1 and there's no logic to it in terms of port/cable/device combinations.
 
