[SOLVED] BSODs related to ntoskrnl.exe // Looking for professional advice - Windows 7 x64

P

patatusco

Member
Joined
Mar 27, 2014
Posts
8
Hi guys, first of all thanks a lot for your time and effort.

I'm experiencing BSODs related to ntoskrnl.exe since I reinstalled my OS, 6 months ago. I've been many hours looking for solutions and I've tried plenty of proposals (uninstalling Daemon Tools, certain drivers or programs mainly) with no result. Now I ask for your help. I'm running Driver Verifier right now and I will also run a memtest86, although I don't think the cause is RAM because my laptop has 1 year and a half with not much use (and before reinstalling Windows, I didn't have this problem). So I hope you can find something strange in my dmp and other files. By the way, checked HDD and no problems either.

Data of my system:
Windows 7 Premium Home Edition ‎(X64)‎ Service Pack 1 - Full retail version
Intel Core i3 2370M
NVIDIA GeForce GT 525M
Motherboard Compal PBL11
Laptop

Please find attached the required files.
Should you need more information, please let me know.
Thanks again, I really appreciate your help

patatusco
 

Attachments

Hi,

I will do my best to professionally assist you! :grin1:

We have various bug checks:

IRQL_NOT_LESS_OR_EQUAL (a)

This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.

This bug check is issued if paged memory (or invalid memory) is accessed when the IRQL is too high. The error that generates this bug check usually occurs after the installation of a faulty device driver, system service, or BIOS.

IMAGE_NAME: hardware

MODULE_NAME: hardware

^^ Hardware image/module named faults, interesting that we'd see that.

Code: 
0: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0a825c78 fffff800`048ca169 : 00000000`0000000a 00000000`00000021 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffff880`0a825c80 fffff800`048c8de0 : 00000000`00000000 00000000`00000000 fffffa80`09745410 fffffa80`07b55d08 : nt!KiBugCheckDispatch+0x69
fffff880`0a825dc0 fffff800`04811771 : fffffa80`07b20a70 fffffa80`045a1a60 00000000`00000001 fffffa80`07b55d08 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`0a825dc0)
fffff880`0a825f58 fffffa80`07b55d08 : fffffa80`07b55d00 00000000`00000050 00000000`00000000 00000000`af2c9aa0 : [COLOR=#ff0000]hal!HalpMapTransfer+0x2f1[/COLOR]
fffff880`0a825fe8 fffffa80`07b55d00 : 00000000`00000050 00000000`00000000 00000000`af2c9aa0 fffffa80`07b20a01 : 0xfffffa80`07b55d08
fffff880`0a825ff0 00000000`00000050 : 00000000`00000000 00000000`af2c9aa0 fffffa80`07b20a01 fffffa80`08e31402 : 0xfffffa80`07b55d00
fffff880`0a825ff8 00000000`00000000 : 00000000`af2c9aa0 fffffa80`07b20a01 fffffa80`08e31402 fffff800`0481094f : 0x50

Hardware Abstraction Layer (why we saw the hardware image/module faults) calling into a pagefault.

PAGE_FAULT_IN_NONPAGED_AREA (50)

This indicates that invalid system memory has been referenced.

Bug check 0x50 usually occurs after the installation of faulty hardware or in the event of failure of installed hardware (usually related to defective RAM, be it main memory, L2 RAM cache, or video RAM).

Another common cause is the installation of a faulty system service.

Antivirus software can also trigger this error, as can a corrupted NTFS volume.

BugCheck 50, {fffff14001f52620, 1, fffff80004b39878, 7}

^^ Address fffff14001f52620 was written to by the instruction at address fffff80004b39878.

Code: 
2: kd> !pte fffff14001f52620
                                           VA fffff14001f52620
PXE at FFFFF6FB7DBEDF10    PPE at FFFFF6FB7DBE2800    PDE at FFFFF6FB7C500078    PTE at FFFFF6F8A000FA90
contains 0000000000000000
[COLOR=#ff0000][B]not valid[/B][/COLOR]

^^ We can see from the above that the address fffff14001f52620 is indeed invalid. With this said, why did fffff14001f52620 attempt to write to fffff80004b39878?

Code: 
2: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0a10b4f8 fffff800`0490453b : 00000000`00000050 fffff140`01f52620 00000000`00000001 fffff880`0a10b660 : nt!KeBugCheckEx
fffff880`0a10b500 fffff800`04885cee : 00000000`00000001 fffff140`01f52620 0000012f`00000000 fffff8a0`036f8c10 : nt! ?? ::FNODOBFM::`string'+0x43781
fffff880`0a10b660 fffff800`04b39878 : fffff8a0`00e0da88 fffff8a0`00e0da70 fffff8a0`00e0da70 00000000`0026fd01 : nt!KiPageFault+0x16e (TrapFrame @ [COLOR=#ff0000]fffff880`0a10b660[/COLOR])
fffff880`0a10b7f0 fffff800`04b74780 : 00000000`00000198 fffff8a0`00e0da88 fffff8a0`00e0da70 00000000`00000000 : nt!RtlpAtomMapAtomToHandleEntry+0x48
fffff880`0a10b820 fffff800`04b79ec8 : fffff8a0`00e0da70 00000000`00000034 fffff880`0a10baf8 00000000`0045f874 : nt!RtlLookupAtomInAtomTable+0x100
fffff880`0a10b880 fffff800`04886e53 : fffffa80`0995f060 00000000`0045f838 fffffa80`0995f060 fffffa80`0a47fa90 : nt!NtFindAtom+0xe7
fffff880`0a10bae0 00000000`74de2e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0a10bae0)
00000000`0026eae8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x74de2e09

Code: 
2: kd> .trap [COLOR=#ff0000]fffff880`0a10b660[/COLOR]
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8a001020660 rbx=0000000000000000 rcx=fffff8a000f31fc0
rdx=fffff8a000f31f90 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80004b39878 [COLOR=#006400]rsp=fffff8800a10b7f0[/COLOR] rbp=fffff8800a10bb60
 r8=fffff8a001020000  r9=0000000000000198 r10=00000000000015c7
r11=fffff8a000e0da70 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
nt!RtlpAtomMapAtomToHandleEntry+0x48:
[COLOR=#008080]fffff800`04b39878[/COLOR] f0830c2400      lock or dword ptr [rsp],0 ss:0018:[COLOR=#0000ff]fffff880`0a10b7f0[/COLOR]=00e0da88

On the instrucion we failed on, address fffff800`04b39878 deferenced rsp where rsp is fffff8800a10b7f0. All of this would result in a memory write to the address fffff880`0a10b7f0.

Code: 
2: kd> dd fffff880`0a10b7f0
fffff880`0a10b7f0  00e0da88 fffff8a0 00e0da70 fffff8a0
fffff880`0a10b800  00e0da70 fffff8a0 0026fd01 00000000
fffff880`0a10b810  00000000 00000000 04b74780 fffff800
fffff880`0a10b820  00000198 00000000 00e0da88 fffff8a0
fffff880`0a10b830  00e0da70 fffff8a0 00000000 00000000
fffff880`0a10b840  00000000 00000000 0995f060 fffffa80
fffff880`0a10b850  0026fd01 00000000 0a10b8b0 fffff880
fffff880`0a10b860  04fc3434 00000000 0045f874 00000000

Code: 
2: kd> r cr2
Last set context:
cr2=[COLOR=#ff0000]fffff14001f52620[/COLOR]

^^ The 1st parameter address was stored in cr2 prior to calling the page fault handler.

Right, so from all of the above, fffff880`0a10b7f0 was meant to be written to and appears to be a valid address. However, the bugcheck 1st parameter and cr2 indicate a failure to write to fffff14001f52620. This does not make any sense whatsoever.

Another way to describe it - RtlpAtomMapAtomToHandleEntry asked the hardware to write to fffff880`0a10b7f0, and the hardware came back and said 'I cannot write to fffff14001f52620'. This is very likely a hardware issue. I would be absolutely stunned if this was related to software.

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

Code: 
0: kd> .trap fffff800`00ba2080
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffa8008f19916 rsi=0000000000000000 rdi=0000000000000000
[COLOR=#4b0082]rip=fffff88004f222f3[/COLOR] rsp=fffff80000ba2210 rbp=0000000000000001
 r8=fffffa80081d7000  r9=0000000000000001 r10=0000000000000000
r11=fffff80000ba2110 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
[COLOR=#ff0000]rtwlane+0x4e2f3[/COLOR]:
fffff880`04f222f3 41b1ff          mov     r9b,0FFh

Code: 
0: kd> u @rip
rtwlane+0x4e2f3:
fffff880`04f222f3 41b1ff          mov     r9b,0FFh
fffff880`04f222f6 4438a3aaa80000  cmp     byte ptr [rbx+0A8AAh],r12b
fffff880`04f222fd 7409            [COLOR=#ff0000]je[/COLOR]      [COLOR=#ff0000]rtwlane+0x4e308[/COLOR] (fffff880`04f22308)
fffff880`04f222ff 4439a354f71600  cmp     dword ptr [rbx+16F754h],r12d
fffff880`04f22306 7407            [COLOR=#ff0000]je[/COLOR]      [COLOR=#ff0000]rtwlane+0x4e30f[/COLOR] (fffff880`04f2230f)
fffff880`04f22308 44888b4c9a0000  mov     byte ptr [rbx+9A4Ch],r9b
fffff880`04f2230f 488b872c030000  mov     rax,qword ptr [rdi+32Ch]
fffff880`04f22316 0fb74f14        movzx   ecx,word ptr [rdi+14h]

^^ rtwlane.sys is the Realtek PCI-E Wireless LAN NIC NDIS driver.

INTERRUPT_EXCEPTION_NOT_HANDLED (3d)

This bug check appears very infrequently.

^^ Generally shows up when hardware is the issue.



Before declaring this is hardware, let's take a look at the raw stack of the most recent crash dump (the 0xA):

Code: 
fffff880`0a825db8  fffff800`048c8de0 nt!KiPageFault+0x260
fffff880`0a825dc0  00000000`00000000
fffff880`0a825e20  fffff880`0a825e30
fffff880`0a825e28  fffff880`018d42a0 ndis!ndisAcquireReadLockPerCpuRefCnt+0x20
fffff880`0a825e30  00000000`00000000
fffff880`0a825e88  00000000`00000000
fffff880`0a825e90  00000000`00000021
fffff880`0a825e98  fffff880`01805efc NETIO!KfdClassify+0x24c
fffff880`0a825ea0  fffffa80`0a040004
fffff880`0a825ee8  fffffa80`07b20930
fffff880`0a825ef0  fffffa80`07b20a70
fffff880`0a825ef8  fffff800`0480e593 hal!HalpDmaMapScatterTransfer+0xa3
fffff880`0a825f00  fffffa80`07b20a70
fffff880`0a825f08  fffffa80`07b20a00
fffff880`0a825f10  00000000`00000aa0
fffff880`0a825f18  fffffa80`07b20a70
fffff880`0a825f20  00000000`00000002
fffff880`0a825f28  fffff800`04811771 hal!HalpMapTransfer+0x2f1
fffff880`0a825f30  00000000`00000010
fffff880`0a825f90  fffffa80`07b20930
fffff880`0a825fc8  00000000`00000001
fffff880`0a825fd0  fffffa80`045a1a60
fffff880`0a825fd8  fffff800`04811472 hal!IoMapTransfer+0x8e
fffff880`0a825fe0  fffffa80`07b55d08
fffff880`0a826010  fffffa80`08e31402
fffff880`0a826018  fffff800`0481094f hal!HalpAllocateAdapterCallback+0xc7
fffff880`0a826020  00000000`00000000
fffff880`0a826028  fffff800`0480dfb9 hal!HalpDmaAllocateMapRegisters+0x71
fffff880`0a826030  00000000`00000000
fffff880`0a826038  00000000`00000002
fffff880`0a826040  fffffa80`07b55d08
fffff880`0a826048  fffff880`018ed701 ndis!ndisReleaseReadWriteLockX+0x41
fffff880`0a826068  00000000`00000000
fffff880`0a826070  fffff880`04ebbe20Unable to load image \SystemRoot\system32\DRIVERS\Rt64win7.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Rt64win7.sys
*** ERROR: Module load completed but symbols could not be loaded for Rt64win7.sys
 Rt64win7+0x1fe20

^^ I chopped quite a bit of it, but kept it informative enough. Right, so this is why we're seeing mention of the Hardware Abstraction Layer (HAL), and Realtek's NDIS driver. Rt64win7.sys = Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC. Above that, we have various network related routines (ndis, tcpip, etc).

Again, before absolutely claiming this is hardware, I'd like to remove avast! from the equation and replace it with MSE as it may be causing NETBIOS conflicts and fooling Windows into thinking this is a hardware problem.

avast! removal - avast! Uninstall Utility | Download aswClear for avast! Removal

MSE - Microsoft Security Essentials - Microsoft Windows

-- Also be sure all of your Realtek network drivers are up to date from the manufacturers website. You can alternatively check this site - Realtek

Regards,

Patrick
 
Last edited:
Thanks for your professional response :P

Ok:
-I have installed the last driver for Realtek RTL8168D/8111D Family PCI-E Gigabit Ethernet NIC, although I am using various programs to automatically update my drivers and all of them say my system is fine. If the problem persist, do you recommend me trying to uninstall Rt64win7.sys?
-Uninstalled avast! properly and installed MSE.
-Just run a memtest86, no errors.
-Something I didn't mention: I have an "unknown device" in my laptop that Windows can't recognize, not even the driver-updaters. This didn't happen before I reinstalled the OS. Anyway, since everything seemed to run smoothly (apart from the BSODs every 2-3 days), I didn't go deeper into it.
-The driver verifier has been running for 12h but no BSOD triggered yet.

Should I run any specific test to give you more information, or just wait for another BSOD?
Thanks again,

patatusco
 
although I am using various programs to automatically update my drivers
Click to expand...

What programs, 3rd party driver-updating programs? If so, big no-no. Despite what they advertise (which is to install the latest drivers for your devices), they install out-of-date, broken, and buggy drivers. Always get your drivers from the manufacturers website.

Should I run any specific test to give you more information, or just wait for another BSOD?
Click to expand...

Nope, great work! We play the waiting game now.

Keep me updated!

Regards,

Patrick
 
Ok, will keep in mind that info about 3rd party driver-updaters!

Now I have some news:
After modifying the parameters of Driver Verifier, so it analyzes not only drivers that are not from Microsoft, but all of them, I got a new BSOD (dmp attached) when my system was initiating. I don't know if this info is useful because you provide other parameters for Driver Verifier, but since that wasn't triggering the BSOD, maybe this can help.

Anyway, I will wait a few days without forcing the error to see if we solved it :)
Thanks,

patatusco
 

Attachments

DRIVER_VERIFIER_DETECTED_VIOLATION (c4)

This is the general bug check code for fatal errors found by Driver Verifier.
Code: 
1: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`035af488 fffff800`04d5d4ec : 00000000`000000c4 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
fffff880`035af490 fffff800`04d5df2b : fffffa80`005f5300 fffff800`048fb84c ffffffff`ffffffff fffff800`049d8d2b : nt!VerifierBugCheckIfAppropriate+0x3c
fffff880`035af4d0 fffff800`04d6eba8 : 00000000`6547654c 00000000`00000080 00000000`00000010 fffff800`0000003f : nt!ExAllocatePoolSanityChecks+0xcb
fffff880`035af510 fffff800`04d6ee17 : 00000000`00000000 00000000`00000000 fffff980`6547654c fffff980`19e6afec : nt!VeAllocatePoolWithTagPriority+0x88
fffff880`035af580 fffff880`0817d5a1 : 00000000`00000000 00000000`00000000 fffff980`19e6afd0 fffff800`04d6a13c : nt!VerifierExAllocatePoolWithTagPriority+0x17
fffff880`035af5c0 fffff880`0817c7bb : fffff880`08183c20 fffff980`19e6afd0 fffff980`1e800f90 fffff980`19e6afd0 : [COLOR=#ff0000]tcpipreg!InterfaceAddressRegKeyChangeHandler+0x109[/COLOR]
fffff880`035af6f0 fffff880`0817ba59 : fffff880`00000001 00000000`00000103 fffff980`1e800f70 00000000`00000001 : tcpipreg!TcpipRegQueryAndUpdateKeyValue+0x363
fffff880`035af780 fffff880`01994754 : fffff880`08181a60 00000000`00000004 00000000`00000000 00000000`00010202 : tcpipreg!TcpipRegStartRegistryKeyNotification+0xbd
fffff880`035af7d0 fffff880`0817c293 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff880`08187073 : NETIO!RtlInvokeStartRoutines+0x34
fffff880`035af810 fffff800`04cbb467 : 00000000`00000006 fffffa80`0abeda80 fffffa80`0a43e000 00000000`00000001 : tcpipreg!DriverEntry+0x257
fffff880`035af860 fffff800`04cbb865 : 00000000`00000010 00000000`00000000 00000000`00000010 00000000`00010206 : nt!IopLoadDriver+0xa07
fffff880`035afb30 fffff800`048da261 : fffff880`00000000 ffffffff`800007e0 fffff800`04cbb810 fffffa80`04a22660 : nt!IopLoadUnloadDriver+0x55
fffff880`035afb70 fffff800`04b6d2ea : 00000000`00000000 fffffa80`04a22660 00000000`00000080 fffffa80`03f7e300 : nt!ExpWorkerThread+0x111
fffff880`035afc00 fffff800`048c18e6 : fffff880`033d7180 fffffa80`04a22660 fffff880`033e1fc0 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`035afc40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

Do you have KB976035 as far as Windows Updates goes installed?

You can see this by going to Start > Windows Update > View update history > see Installed Updates. Look for it there. If you see it, boot to Safe Mode and uninstall it. Afterwards, boot back into Windows and see if you crash again.

If you do, or if it's not even listed as installed, this is a hardware issue (faulty NIC is what it looks like, or motherboard in general).

Off to bed, will check the thread when I get settled in after I awake!

Regards,

Patrick
 
3 days, and no BSOD! That's quite an achievement :D

If everything keeps working smoothly after a week, I will consider the problem as officially solved :D I will also post a summary of what I changed in my system, so others can deal with this kind of BSODs too.

Thanks,
patatusco
 
Well, it was nice while it lasted :P

Just got a new BSOD, this time aiming at a Nvidia driver. Tried this tutorial Nvidia - Nvlddmkm.sys error message , but didn't work for me. Now I am making a clean installation of the whole pack of Nvidia drivers.

Anyway, to me, 4 days without BSOD is a great progress. So we are going in the right direction :)

Thanks,
patatusco
 

Attachments

Let me know how the system behaves after the nVidia clean install goes. If you still crash after that, we'll need to proceed accordingly.

Regards,

Patrick
 
Forth day without BSOD :D

Will keep you updated. As said, after a clean week I will post the kit of solutions that worked for me (even though my last steps are written here).

Regards,
patatusco
 
Ok guys! As promised, after a week with no BSODs, here you have my thoughts:
- Thanks to the steps followed here, I went from experiencing a BSOD every 2-3 days, to have a completely error-clean week.
- I'm pretty sure this hotfix was key to the solution. After trying lots and lots of hints from people suffering from ntoskrnl.exe BSODs, this was the only one I achieved real progress with.
- Nevertheless, because of the fact I did try other possible solutions, I just can't know if the combination of them was needed for the problem to stop.
- Also, considering the last BSOD I experienced was AFTER the hotfix and related to something really unexpected to me (nVidia driver), I don't feel comfortable enough to say I definitely solved the problem (I will tell you after 2-3 weeks). Be as it be, the progress I made is huge and it deserves a list of the solutions I have tried during the last months (starting from the las week):

· Clean installation of nVidia drivers
· STOP 0xC4 may occur in tcpipreg.sys following a reboot after Driver Verifier is enabled on Windows 7 SP1 or Windows Server 2008 R2 SP1
· Activation of Driver Verifier with full parameters -not only the ones this forum proposes-, and deep investigation on the dump file extracted from triggered BSOD (this is what led me to the hotfix, but maybe you will find different solutions for your problem on Google)
· Clean installation of Network card driver
· Replacement of Avast by Microsoft Security Essentials
· Uninstallation of any virtual drive program like Daemon Tools and their drivers (SPTD...). I honestly think this is also a great part of the solution. Now I am using this software instead: portable and allows to uninstall the driver after its use.
· Disabling sound drivers that might interfere between them (in my case, nVidia and Realtek)
· RAM and HDD tests.
· Deep search on Google and analysis of dump files of my BSODs to find specific solutions, like uninstalling certain programs/drivers/updates (MalwareBytes, Intel Rapid Storage, Windows updates...), or playing with the config of certain Windows utilities... I'm sorry I can't remember more specific details, but just don't think this helped in my case.

And indeed that's all. I hope this gives you some hope to solve these annoying BSODs without making a clean installation of Windows or replacing hardware :)
Thanks Sysnative and thanks Patrick, I really appreciate your support! My laptop is running smoothly and happy again.
Regards,

patatusco
 
My pleasure, very glad to hear everything is working as intended.

You did some excellent troubleshooting and overall work yourself. Thank you very much for posting back with such detailed steps. It will definitely help those with similar issues in the future that may happen to stumble on this thread.

Regards,

Patrick
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top