Dell XPS13 Laptop BSOD - Stuart - Windows 8.1 x64

G

gdstuart

Member
Joined
Dec 28, 2014
Posts
11
I have a Dell XPS13 laptop which has a checkered past in terms of operating systems. When I bought it, the item description said it would be preloaded with Windows 7. However, it had Windows 8 installed when it arrived. I requested Dell to provide Windows 7 as advertised but they would not do so. They later provided me a Win 8.1 USB stick when the system failed and was unrecoverable after I applied several Windows updates. In the last few months, the BSOD showing KERNEL_DATA_INPAGE ERROR is occurring more frequently, now at least once daily. Initially I did CHKDSK /F to fix it but now that does not work reliably.

Attached is the Sysnative ZIP file, which ran successfully. However, perfmon does not run with the /report flag. I get this error whether I use Admin rights or not in the CMD window:

[TABLE="width: 100%"]
[TR]
[TD]Error:[/TD]
[/TR]
[TR]
[TD][/TD]
[TD]An error occured while attempting to generate the report.[/TD]
[TD][/TD]
[/TR]
[TR]
[TD][/TD]
[TD]The operator or administrator has refused the request.[/TD]
[/TR]
[/TABLE]

When I run perfmon without /report, a window opens and there are three reports logged in System Diagnostics. However, I don't know the location or names of the log files to zip them up for you. If you can provide me that information, I'll zip them and attach them to a post.

The system is currently acting poorly so I will post this now and fill out the info in a later post.

Thanks in advance for this service.

Geoff Stuart

View attachment 10362
 
Last edited by a moderator:
Code: 
[COLOR=#ff0000]BugCheck C000021A[/COLOR], {[COLOR=#ff8c00]ffffc0013825b0d0[/COLOR], [COLOR=#0000cd]ffffffffc0000428[/COLOR], ffffc0013619f7b0, 0}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::OKHAJAOM::`string'+269a )

The second parameter indicates the NT Status Error code, and the first parameter is the address of the string which describes the error.

Code: 
1: kd> [COLOR=#008000]!error ffffffffc0000428[/COLOR]
Error code: (NTSTATUS) 0xc0000428 (3221226536) - Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Code: 
1: kd> [COLOR=#008000]dc ffffc0013825b0d0[/COLOR]
ffffc001`3825b0d0  69726556 61636966 6e6f6974 20666f20  Verification of 
ffffc001`3825b0e0  6e4b2061 446e776f 66204c4c 656c6961  a KnownDLL faile
ffffc001`3825b0f0  00002e64 05000000 00000012 fffff800  d...............
ffffc001`3825b100  03050104 4346744e 00000000 00000000  ....[COLOR=#ff0000]NtFC[/COLOR]........
ffffc001`3825b110  0057005c 006e0069 006f0064 00730077  \.W.i.n.d.o.w.s.
ffffc001`3825b120  0053005c 00730079 00650074 0033006d  \.S.y.s.t.e.m.3.
ffffc001`3825b130  005c0032 0073006d 00740063 002e0066  2.\.[COLOR=#ff0000]m.s.c.t.f[/COLOR]...
ffffc001`3825b140  006c0064 0000006c 00000000 00000000  d.l.l...........

The string identifies the pooltag of the DLL which has failed.

Code: 
1: kd> [COLOR=#008000]!pooltag NtFC[/COLOR]
Pooltag NtFC
Description: Create.c
Driver!Module: [COLOR=#ff0000]ntfs.sys[/COLOR]

The pooltag belongs to the NTFS filesystem driver, and therefore it becomes apparent has something has been corrupted within the file system.

Let's examine the call stack; we can see that the call stack is incomplete, and thus we will need to reconstruct the missing function names.

Code: 
1: kd> [COLOR=#008000]knL[/COLOR]
 # Child-SP          RetAddr           Call Site
00 ffffd001`c13466b8 fffff803`4f2049a1 nt!KeBugCheckEx
01 ffffd001`c13466c0 fffff803`4f1fe4fa nt!PopGracefulShutdown+0x2c9
02 ffffd001`c1346700 fffff803`4efd52b3 nt! ?? ::OKHAJAOM::`string'+0x269a \\ nt!NtSetSystemPowerState
03 ffffd001`c1346840 fffff803`4efcd700 nt!KiSystemServiceCopyEnd+0x13
04 ffffd001`c13469d8 fffff803`4f41b8fd nt!KiServiceLinkage
05 ffffd001`c13469e0 fffff803`4f34e9f3 nt! ?? ::NNGAKEGL::`string'+0x746bd \\ nt!PopIssueActionRequest
06 ffffd001`c1346aa0 fffff803`4ef751b2 nt!PopPolicyWorkerAction+0x63
07 ffffd001`c1346b10 fffff803`4eef6acc nt!PopPolicyWorkerThread+0xba
08 ffffd001`c1346b50 fffff803`4ef7a440 nt!ExpWorkerThread+0x28c
09 ffffd001`c1346c00 fffff803`4efd00c6 nt!PspSystemThreadStartup+0x58
0a ffffd001`c1346c60 00000000`00000000 nt!KiStartSystemThread+0x16

With the newly reconstructed call stack, we can see that the system has identified an error, and attempted to gracefully shutdown the computer, hence the reason for the Power Policy Managment functions being present.
 
There is also some additional Event Log entries which support file system corruption:

Code: 
Event[16]:
  Log Name: System
  Source: Ntfs
  Date: 2014-12-27T23:58:19.135
  Event ID: 55
  Task: N/A
  Level: Error
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: GDSXPS13
  Description: 
A corruption was discovered in the file system structure on volume C:.

A corruption was found in a file system index structure.  The file reference number is 0x200000001cf63.  The name of the file is "\Users\gdstuart\Dropbox\Program Files\thinkTDA\backup.jre\lib\zi\America".  The corrupted index attribute is ":$I30:$INDEX_ALLOCATION".

Code: 
Event[637]:
  Log Name: System
  Source: Ntfs
  Date: 2014-12-26T09:36:20.780
  Event ID: 55
  Task: N/A
  Level: Error
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: GDSXPS13
  Description: 
A corruption was discovered in the file system structure on volume ??.

The Master File Table (MFT) contains a corrupted file record.  The file reference number is 0xad000000000333.  The name of the file is "<unable to determine file name>".

I would strongly suggest running some hard drive diagnostics on your system, unless you still have warranty?
 
Driver Verifier has been running for 12 hours but since it has been generating several reboots and blue screens, I'm attaching the DMP files from yesterday and today for your analysis, instead of waiting the 24 hours suggested.

BUT, I don't have the required permissions to attach the files. I tried making them Read-Only, and that worked, but I still get a Permission error trying to attach them. Advice please...
 
Can you elaborate on 'attach', please?

Do you mean Windows is throwing a perm error when trying to zip up the crash dumps? If so, you need to copy/paste them from C:\ to the Desktop, and then try.
 
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)

This is the general bug check code for fatal errors found by Driver Verifier.

Code: 
0: kd> .bugcheck
Bugcheck code 000000C4
Arguments 00000000`00091001 fffff801`e5106e40 ffffe000`a27489d0 ffffe000`a2748a58

91001 1st argument, a Windows 8.1 argument only. This tells us a rule condition was violated.

Code: 
0: kd> !ruleinfo 91001

RULE_ID: 0x91001

RULE_NAME: NdisOidComplete

RULE_DESCRIPTION:
This rule verifies if an NDIS miniport driver completes an OID correctly.

At this point we'd run !ndiskd.oid to see what exactly the issue was regarding NdisOidComplete, but as it's not a kernel-dump, we can go no further. There's a ton of network stuff in the stack (no surprise given our violated rule condition - NDIS), so 3rd party software conflicting with the network is likely the issue.

Get rid of McAfee for now and replace it with Windows Defender, as it's likely the problem.

Remove and replace McAfee with Windows 8's built-in Windows Defender for temporary troubleshooting purposes:

McAfee removal - How to uninstall or reinstall supported McAfee products using the Consumer Products Removal tool (MCPR)

Windows Defender (how to turn on after removal)

A.Navigate to Control Panel (with icons). You can do this by hitting Start > Search > Control Panel. Once in Control Panel, change the drop-down from Category to Large and/or Small icons.

B.Among the list of icons, find and click Action Center.

C.Assuming the removal of your prior antivirus software went properly, you will notice for both Spyware and unwated software protection (important) and Virus protection (important), it'll have a button labeled Turn on now. Click this button (it doesn't matter which, as Windows Defender serves as both in Windows 8/8.1).
 
Have you checked for any Kernel Mode Memory Dumps? Hopefully you won't crash again, and I assume that the NDIS crash was the latest one, otherwise the Kernel Mode Memory Dump version would have been overwritten by now.

Kernel Mode Memory Dumps Location:

Code: 
C:\Windows\MEMORY.DMP

The file will need to be zipped and uploaded to a file sharing site if possible.
 
This all went successfully. I ran the MCPR tool even though the de-install appeared to run OK.

Now when I reboot, I get a blue screen with DRIVER_VERIFIER_VIOLATION_DETECTED. The laptop appears to be running better, although slowly, once I get to a desktop. How do I stop the Driver Verifier? Would you recommend this step? I tried entering VERIFIER /? in a CMD window but it flashes a new window so quickly I can't read it.
 
Attach the verifier crash dump(s), please. They will give us info we need.

To disable it run a CMD as admin and type verifier /reset and then restart.
 
Code: 
0: kd> !ndiskd.miniport ffffe00047d5c1a0


MINIPORT

    Intel(R) Centrino(R) Advanced-N 6235

    Ndis handle        ffffe00047d5c1a0
    Ndis API version   v6.30
*** ERROR: Module load completed but symbols could not be loaded for NETwew00.sys
    Adapter context    ffffcf8015fe6d00
    Miniport driver    ffffe00047d1f700 - NETwNe64  v3.2
    Network interface  ffffcf8015f02a20

    Media type         802.3
    Physical medium    Native802.11
    Device instance    PCI\VEN_8086&DEV_088E&SUBSYS_44608086&REV_24\4&24d526ce&0&00E0
    Device object      ffffe00047d5c050    More information
    MAC address        c4-85-08-b4-74-db

Update your Intel wireless drivers, as well as any other/all network drivers.
 
Can't download anything with Chrome or Firefox; they crash when I try to download. IE won't even start up. I did get Intel N6235 driver updated from the Properties page but now I'm stymied by these browser issues. Otherwise, the machine is running better and not crashing.

Any suggestions about the browsers?
 
Code: 
0: kd> [COLOR=#008000]!oid[/COLOR]

ALL PENDING OIDs

    Miniport           ffffe00047d5c1a0 - [COLOR=#0000cd]Intel(R) Centrino(R) Advanced-N 6235[/COLOR]
        Current OID        [COLOR=#ff0000]OID_PM_REMOVE_PROTOCOL_OFFLOAD[/COLOR]
    Filter             ffffcf8016db0c70 - Intel(R) Centrino(R) Advanced-N 6235-WFP Native MAC Layer LightWeight Filter-0000
        Current OID        OID_PM_REMOVE_PROTOCOL_OFFLOAD
    Filter             ffffcf8016decc70 - Intel(R) Centrino(R) Advanced-N 6235-Virtual WiFi Filter Driver-0000
        Current OID        OID_PM_REMOVE_PROTOCOL_OFFLOAD
    Filter             ffffcf8016c00c70 - Intel(R) Centrino(R) Advanced-N 6235-Native WiFi Filter Driver-0000
        Current OID        OID_PM_REMOVE_PROTOCOL_OFFLOAD
    Filter             ffffcf8016d70c70 - Intel(R) Centrino(R) Advanced-N 6235-QoS Packet Scheduler-0000
        Current OID        OID_PM_REMOVE_PROTOCOL_OFFLOAD

The OID_PM_REMOVE_PROTOCOL_OFFLOAD is our pending OID request which has been completed properly with theappropriate function.

Code: 
0: kd> [COLOR=#008000]!ndiskd.oid ffffcf80170a8f10[/COLOR]


OID REQUEST

    OID_PM_REMOVE_PROTOCOL_OFFLOAD

    Request type:      SET
    Completed:        [COLOR=#ff0000] Not completed[/COLOR]
    Cloned from:       OID_PM_REMOVE_PROTOCOL_OFFLOAD
 
I cannot download anything from the Dell website because my browsers all crash when I attempt any download (even a PDF attached to an email crashes). How can I proceed to update drivers?

BlueRobot, interesting diagnostics but I don't see what action to take based on them.
 
This issue didn't start until you updated via the 'update driver' option, yes? If so, rollback the driver and then download/install from Dell.
 
I can't download anything from Dell or anywhere else. Both browsers crash as soon as I start any download process. I turned on Crash Analysis in Chrome but it happens so suddenly that Chrome can't register the crash. In Firefox, when I try to play a WebEx, it has to install the player, and I get the msg "The Active Touch General Container has crashed". Thinking it may be Adobe Flash Player, I tried to download an update but as soon as I select "Save File" on the confirmation dialog, Firefox immediately shuts down. Are there any logs we can query to find out what's going on when these downloads fail?

Patrick, I'll roll back the Intel driver and try again. Will update when I succeed at that.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top