BSODs when PC is waken from sleep - Windows 7 x64

[toms]

Hi guys! Please help me resolve my BSOD issue.

I noticed that the Sysnative BSOD app collected all my minidumps and I have a lot of them. Here is a little story about them:

BSODs till 2015.05.11 (including) - OLD RAM KIT

These BSODs mostly occured when PC was waking up from sleep, sometimes when PC was idling, but never while actively using the PC.

The first thing I did was scanned each memory module individually with MemTest86. MemTest86 reported that one of the modules had errors in the Test 13 (Hammer Test). Then, by testing each RAM module individually for couple of weeks, I found the culprit, it was one of the RAM modules. Interesting was that the faulty one was the one without MemTest86 errors, the one with the errors was working ok (without BSODs). The RAM kit was exchanged for a new one. I got the new one on 2015.06.10 but from 2015.06.11 BSODs again!

BSODs from 2015.06.11 (see attached image) - NEW RAM KIT

The first thing I did was scanned each memory module individually with MemTest86. And with this kit the situation was like before, MemTest86 reported that one of the modules had errors in the Test 13 (Hammer Test). Then I tested each module individually for a week. The module without MemTest86 errors worked well without any BSODs. The module with errors gave only one BSOD (not convincing). But when I put them both back in the system BSODs started to occure frequently (especially in the last few days).

BSODs with the empty bug check string occured while playing Battlefield Bad Company 2, but I fixed them by uninstalling gigabyte software. The rest of BSODs occured only when PC was waken from sleep (they occur random not always when PC is waken from sleep).

Could it be that it's RAM fault again?

OS: Windows 7 64-bit
CPU: Intel i5-4590
MB: Gigabyte H97-D3H
RAM: Crucial Ballistix Sport (2x4GB kit)
PSU: FSP Aurum S 500W (80 PLUS Gold)

P.s. sorry for my english.

 

[x BlueRobot]

[COLOR=#ff0000]BugCheck D1[/COLOR], {[COLOR=#008000]fffff8a014410958[/COLOR], [COLOR=#0000cd]2[/COLOR], 0, [COLOR=#800080]fffff88003cb6150[/COLOR]}

Probably caused by : [COLOR=#ff0000]avgtdia.sys[/COLOR] ( avgtdia+a150 )

3: kd>[COLOR=#006400] lmvm avgtdia[/COLOR]

start             end                 module name
fffff880`03cac000 fffff880`03cf2000   avgtdia  T (no symbols)           
    Loaded symbol image file: avgtdia.sys
    Image path: \SystemRoot\system32\DRIVERS\avgtdia.sys
    Image name: avgtdia.sys
    Timestamp:        [COLOR=#ff0000]Fri Oct 10 14:14:19 2014 (5437DBAB)[/COLOR]
    CheckSum:         0005224F
    ImageSize:        00046000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Please remove AVG from your system since it appearing to be causing issues. For an alternative AV, I would suggest reading this thread - https://www.sysnative.com/forums/general-help-and-information/412-whats-best-antivirus.html

You may also wish to read this thread to gain understanding of some of the security set ups which use at Sysnative - https://www.sysnative.com/forums/the-lounge/15834-share-your-security-setup.html

The issue appears to lie with AVG referencing an invalid address at the wrong IRQL Level. The trap frame gives slightly more information:

3: kd> [COLOR=#008000].trap 0xfffff88002b581e0[/COLOR]
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffff8a014410960
rdx=fffffa8007c7e1e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88003cb6150 rsp=fffff88002b58370 rbp=fffffa8009bdb070
 r8=fffffa8007c7e1b0  r9=0000000000000000 r10=0000000000001027
r11=fffffa800bc7f500 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe cy
[COLOR=#ff0000]avgtdia+0xa150[/COLOR]:
[COLOR=#800080]fffff880`03cb6150[/COLOR] 483969f8        cmp     qword ptr [[COLOR=#ff0000]rcx-8[/COLOR]],rbp ds:[COLOR=#008000]fffff8a0`14410958[/COLOR]=fffffa8006660680

The purple address is the address which referenced the invalid memory address which is stored in a pointer as seen above.

 

[toms]

Thank you for replying!

Is the examined AVG BSOD from 2014.12.12? If yes than it's not actual since that BSOD occured from the old RAM kit.

However I did unistall AVG, but it didn't help. Today I got another BSOD, something about: memory_corruption, X64_MEMORY_CORRUPTION_ONE_BIT_LARGE (see the attached zip file).

 

[x BlueRobot]

[COLOR=#ff0000]BugCheck 3B[/COLOR], {[COLOR=#008000]c0000096[/COLOR], fffff800034c5677, fffff8800a024ca0, 0}


Probably caused by : ntkrnlmp.exe ( nt!SwapContext_PatchXSave+a7 )

1: kd> [COLOR=#008000]!error c0000096[/COLOR]
Error code: (NTSTATUS) 0xc0000096 (3221225622) - {EXCEPTION}  [COLOR=#ff0000]Privileged instruction[/COLOR].

Some driver has attempted to run some privileged code.

1: kd> [COLOR=#008000].cxr 0xfffff8800a024ca0[/COLOR]
rax=0000000000000000 rbx=fffff880009ef180 rcx=fffffa80091adba2
rdx=[COLOR=#ff0000]fffffa80091adb38[/COLOR] rsi=fffffa80067f6b50 rdi=fffffa80066f0040
rip=fffff800034c5677 rsp=fffff8800a025680 rbp=fffffa80066f0040
 r8=fffffa80091adb98  r9=0000000000000000 r10=fffffffffffffffd
r11=fffff88003322e50 r12=0000000000000000 r13=0000000000000000
r14=fffffa80091adb10 r15=0000000000000005
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!SwapContext_PatchXSave+0xa7:
fffff800`034c5677 0f22da          mov     [COLOR=#ff0000]cr3,rdx[/COLOR]

It appears that something was possibly wishing to change the page directory tables by changing the address stored within the PDBR. I would suggest running Driver Verifier since the stack doesn't reveal much - https://www.sysnative.com/forums/bs...er-bsod-related-windows-10-8-1-8-7-vista.html

 

[toms]

I did run driver verifier for a while and nothing, didn't get any BSODs. Will now try to test each RAM module individually to see if something changes.