CLFS BSOD every 31 minutes

[zacha]

My Win Pro X64 system has been humming along pretty nicely for a few years, but lately I've been getting blue screens approximately every 31 minutes or so. But only when it's "idle"; never when I'm doing something like typing or browsing the net or running a local program.


Bluescreenview shows clfs.sys and ntoskrnl.exe, and it says it was caused by clfs.sys, mostly CLFS.SYS+a649 or occasionally CLFS.SYS+3e73e.


Things done so far:


Inspected event logs; mostly information level stuff. There are many 1001 Bugcheck reboot events over the last two days and I see no issues in the log before the reboot.
sfc /scannow (multiple times, no integrity violations)
chkdsk /f /r
memtest (2x4 Gb modules, each tested separately)
Uninstalled programs, including avast AV, startup problems galore


Haven't done much with driver verifier, one time it resulted in me having to restart in safe mode to disable it. I let the computer sit for a while in Safe Boot Minimal and it did NOT crash. So I started removing drivers from boot. Removed all non-MS and Intel drivers. Still problems. At that point I had an additional entry in my minidump - HECIx64.sys - along with clfs & ntoskrnl. So after doing a bit of research to see if it was safe, I disabled that Intel driver as well as the heciservice. Left the machine on overnight and no BSOD so I re-enabled all my startup programs and previous disabled drivers, keeping the heci stuff disabled. (I did not reinstall Avast). No BSOD. I ran with this configuration with a day or so and then started getting the CLFS / NTOSKRNL BSODs again.


This is a very consistent issue in that something is going on every approximately every 31 minutes to cause the crash.


I have attached perfmon and filecollection (I did remove all the minidumps except for the most recent, as they are all the same) for my normal startup configuration. The only other change from my normal config is that last night I unplugged all USB devices except for the keyboard (I normally have a scanner, a Focusrite sound/recording device, Midi keyboard, and an old SimpleShare nas plugged in.)


Would appreciate any advice on what to try next as this is my primary home machine.


Thanks.

 

[zacha]

Oh, I forgot to mention. The bsod/reboot will occur even when the computer is just sitting at the logon screen.

 

[zacha]

Since the problem only occurs when the computer is idle, I now have a task going every 20 minutes during idle. All it does is run a batch file that does a "DIR > nul".

Edit: Interestingly, the task history says that the task is not being run because the computer is not idle. This article explains what is considered an idle condition for Windows 7:

Task Idle Conditions (Windows)

Regardless, in the two hours after I created the task, my computer has not blue screened. But I am changing it to run regardless of idle condition.

If this band-aid really proves to do the trick, I'll be a happy camper. Though I'd still like to figure out the culprit!

 

[zacha]

Ah, no go. It's been idle for a few hours and finally blue screened.

Ideas, anyone?

 

[xilolee]

Hi Zacha. :welcome:

See if this helps... I reordered your path; you can set it from Control Panel\System and Security\System - advanced system settings, environment variables:

C:\Program Files (x86)\Bitvise SSH Client;c:\program files (x86)\common files\adobe\agl;c:\program files (x86)\common files\microsoft shared\windows live;c:\program files (x86)\intel\opencl sdk\2.0\bin\x86;c:\program files (x86)\windows live\shared;c:\program files\common files\microsoft shared\windows live;c:\programdata\oracle\java\javapath;c:\utils;c:\windows;c:\windows\system32;C:\Windows\system32\wbem;F:\Program Files (x86)\QuickTime\QTSystem\

If I'm not wrong, there was an error in c:\program files (x86)\windows live\sharedr.
I substituted it with c:\program files (x86)\windows live\shared.
Check if the folder is named like I wrote.

Other problems: perfmon reports you have disabled UAC and there isn't an antivirus installed.

:wave:

 

[zacha]

Wow, talk about coincidences! I was changing my scheduled task to pipe process list into a file every ten minutes hoping I might see something funny before a crash. Was just going to look at my path to see if c:\utils was still there.

So I re-did the path as you suggested correcting two problems. That shared name was incorrect as you surmised, and (less of an issue) it had a Bitvise directory that didn't exist.

UAC: It has always interfered with the day to day management of my home PC, just not enough granularity. I'm very cautious regarding potential malware and have never been bit by anything malicious. I've run rootkit detectors, malwarebytes, av scans, etc, and never found anything suspicious.

AV: Normally I do run Avast, have been for years. There is no anti-virus just until I can figure out what is going on. Figured it was best to eliminate something with a mess of drivers & processes.

Thanks for catching that path error!

 

[xilolee]

Also, you have a F:\program files (x86): does it exist on your system?
And by the way, some months ago someone advised to remove quicktime for windows, because it isn't patched anymore.
I don't provide a link, given it should be simple to find it with a simple search on the web. :wink11a:

 

[zacha]

Yes, I do have an F: drive with that path.

I know abut the Quicktime thing and removed it a while back, but then realized I needed it for a single program, Transcribe! which uses it to play videos. The authored released a newer version that doesn't require Quicktime, but which does require Windows 10. I do have another program that accomplishes the same purpose and if need be can remove QT without a problem, but haven't found anything that points to it as a culprit. But it's certainly easy to uninstall.

My machine crashed again, going to increase the frequency with which I save my process list to see if I can catch things right before a crash.

 

[xilolee]

Like Rogue7, you have the same program:

In c:\windows you have these files:

etdrv.sys
gtdrv.sys
gvtdrv64.sys

They all come from gigabyte utilities:

gigabyte tools
Dynamic Energy Saver Advanced
easy tune

Easytune is available for download from your manufacturer website, hence it could be installed now with some other name or it was installed in the past and it wasn't totally removed.
Search for gigabyte software in your control panel - install/uninstall programs

And clfs.sys is in your c:\windows\system32 instead of c:\windows\system32\drivers: do you know why is it there?
In my win10 it is in c:\windows\system32\drivers; I'm not sure if it should be in it also when using win7, but I think it is highly probable.

 

[zacha]

1) Yes, I have the Gigabyte utilities installed since the beginning of the computer. @bios allows the bios to be updated (bios is current). Autogreen is a power management utility which I don't use. EasyTune is a way to do overclocking & such but I am running with the MB defaults and haven't changed anything in years. On_off charge is a mobile charging utility which I have never used. Since none of these utilities are critical and can be reinstalled if need be, I have removed them all.

2) \windows\system32 is the correct location for clfs.sys on windows 7 X64 Pro, not drivers. (I have also confirmed this on a number of other x64 Win 7 Pro machines. On Server 2008 it is in drivers like Win 10). The version is 6.1.7600.16385. I also have two copies in two C:\Windows\SoftwareDistribution\Download\ directories and these are another version - 6.1.7601.18777. I have not been able to find additional information on why this is so although I did see a MS link (which I can't find right) now that said that my system32 version is correct.

Twenty BSODs overnight. Not quite as regular as the "every 31 minutes" mentioned earlier, but still fairly regular.

 

[xilolee]

Were those three files removed from c:\windows?

 

[zacha]

Interesting: I uninstalled all Gigabyte utilities as mentioned above and the three drivers were NOT uninstalled in the process! I deleted them manually.

I am writing this at 1:15 PM. My last BSOD was at 8:55 AM which is excellent (so far.)

Keeping fingers crossed; I'll update later.

 

[zacha]

12 hours later and no bsod UNTIL I woke up my system. Screen was blank, hit keyboard, system work up and then the dreaded clfs.sys bsod reboot. That is different than my previous pattern of bsod only when idle.

Obviously not great but still better than before.

Any other suggestions let me know.

Thanks.

 

[xilolee]

Could you send the new logs (bsod collection app, new dump included)?

 

[zacha]

This morning I woke up to find that the computer was (again) crashing every 30 minutes or so. This was at a login prompt, so obviously no user-specific programs were responsible. I have attached a new log collection, except that I removed all the minidumps except for the most recent as they are all the same.

PS - I noticed some problems with the autoruns piece of the script. First, it didn't run and I had to reassociate .js with script engine (a common anti-malware preventative is to reassociate files like .vbs, .js, .reg files so that they won't execute by just clicking on a file.) Does the collection app just rely on the .js extension to run this piece instead of explicitly reference Windows Script Host? Second, the autorunsc output just showed the help screen so something must be wrong with the syntax of the command. I re-ran it with

autorunsc -a *

and included that output in the zip file.

Thanks.

 

[zacha]

Still bsod / rebooting on a regular basis. Apparently no one has been able to determine anything from the minidumps. Would a full memory dump help? Is there any other program that can monitor & log what is going on just before the crash?

 

[xilolee]

For the bsod collection app, I'd try to inform administrators (and the creator), if they didn't already read you.

Did you remove some intel paths from your PATH?

In my path there are these intel paths:

C:\Program Files (x86)\Intel\iCLS Client\;
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;
C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64;
C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86;
C:\Program Files\Intel\iCLS Client\;
C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;
C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;

I'm not sure you should have the same ones, but I noticed you have these files, like me:

c:\program files (x86)\intel\intel(r) management engine components\dal\jhi_service.exe
c:\program files (x86)\intel\intel(r) management engine components\lms\lms.exe

Maybe you should re-add those paths to your path, or reinstall completely all intel software.

 

[zacha]

I reinstalled the Intel Graphics Driver yesterday. I'll check out the other Intel programs and reinstall.

 

[Xer]

This morning I woke up to find that the computer was (again) crashing every 30 minutes or so. This was at a login prompt, so obviously no user-specific programs were responsible. I have attached a new log collection, except that I removed all the minidumps except for the most recent as they are all the same.

PS - I noticed some problems with the autoruns piece of the script. First, it didn't run and I had to reassociate .js with script engine (a common anti-malware preventative is to reassociate files like .vbs, .js, .reg files so that they won't execute by just clicking on a file.) Does the collection app just rely on the .js extension to run this piece instead of explicitly reference Windows Script Host? Second, the autorunsc output just showed the help screen so something must be wrong with the syntax of the command. I re-ran it with

autorunsc -a *

and included that output in the zip file.

Thanks.

Hi zacha,

Do you still have the Software Certification Toolkit installed, or did you remove it? This last minidump looks related to SysTrace to me, in the past I have seen BSoDs after uninstalling the SCTk if SysTrace is not removed. Make a restore point, and afterwards open Regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysTrace, then set the 'Start' key's value to 4. This will set SysTrace to 'disabled'.

IRQL_NOT_LESS_OR_EQUAL (a)An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.

Arguments:
Arg1: 0000000000000040, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff800036e5018, address which referenced memory

PROCESS_NAME:  TrustedInstall

0: kd> lmvm systrace
start             end                 module name
fffff880`0105c000 fffff880`0107b000   SysTrace   (deferred)             
    Image path: SysTrace.sys
    Image name: SysTrace.sys
    Timestamp:        Thu Oct 18 10:40:31 2007 (4717705F)
    CheckSum:         00023C59
    ImageSize:        0001F000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{32986791-0A4F-4C52-973F-02438E7C9858}
    AuthorizedCDFPrefix    REG_SZ    
    Comments    REG_SZ    
    Contact    REG_SZ    Microsoft Corporation
    DisplayVersion    REG_SZ    3.5.0.0
    HelpLink    REG_EXPAND_SZ    www.Microsoft.com/WindowsServer/ISV
    HelpTelephone    REG_SZ    
    InstallDate    REG_SZ    20160803
    InstallLocation    REG_SZ    D:\Program Files\Microsoft Logo\Software Certification Toolkit\
    InstallSource    REG_SZ    C:\Users\jw\Desktop\
    ModifyPath    REG_EXPAND_SZ    MsiExec.exe /I{32986791-0A4F-4C52-973F-02438E7C9858}

 

[zacha]

UG, I'm pretty much appalled at Intel driver installation. They have a driver verification tool, but it failed to install properly and googling showed that MANY people get the same install error and Intel's responses have been less than adequate. I looked at the error log and it looks like files gets installed in "Program Files (x86)" but the actual service references C:\Program Files\Intel\SUR\WILLAMETTE\ESRV. So I copies files over there and able to get it running (I only did this on a temporary basis just to do a driver interrogation). The driver tool told me that a version of HD graphics should be updated yet their website didn't even have that version and showed my version to be current! And don't get me started on their long list of Intel Management software (which installs multiple services & drivers), which show multiple versions being current for Windows 7 64-bit and no clear description as to the differences between the various management versions! The heck with it, I uninstalled every Intel program (including the Management Software) except for HD Graphics (10.18.10.4425) and USB 3.0 eXtensible Host Controller Driver.

I also removed the Software Certification Toolkit which was only used for tracking system changes due to application installation (I found that it didn't work well and there are other less intrusive programs that do the same job.)



systrace was listed in the registry but not in services (or in autoruns.) I removed it completely rather than disabling.

I'll wait again to see what happens.

Thank you for the response and suggestions.