Most Notable BSOD Kernel Dump Analysis posts

jcgriff2 · Jun 18, 2012

Vir Gnarus said:
They are offsets from the function start. When you look at a callstack like this, it start from the bottom and goes like "this function called the function above me, which called the function above it, and so on and so forth." For each function listed, you have the three parts: the module name, the function name, and the offset, respectively, as followed:

Code:

USBPORT!USBPORT_AssertSig+0x25 /\ /\ /\ module function name offset

Listed with kv or whatever, this portion of the output is the "Call Site" of the listing, which is basically just the name of the return address (RetAddr), complete with symbols to make it readable for humans to interpret what the function is and its intent. It can be read like an address on an envelope. The module name is the city, the function name is the street, and the offset is the address of the house. If you were to just say to someone asking for directions to your place "I live on such-n-such road" they have to scan down the whole road to find you. Otherwise if you add your address, the process of discovering your house is greatly alleviated.

It's important to understand what is going on here in a callstack. Read up on my basic description of code flow in BSOD Method & Tips. I'll add it here for quick reference:

The flow of which all operations are going. The basics of it is you have a thread, and in that thread you have an initial function responsible for a specific task. In order to accomplish it, it will need the assistance of other functions to do so.

Much like a product being built by a company, you have it go through various hands and sometimes even various places before the finished product is made. Tack on also all the other personnel responsible for various indirect duties to supply the needs of those actually creating the product. If you had the same person/people doing all the tasks, then things slow to a crawl and you're lucky to even have a satisfactory result in the end.

That's much like what goes on in your typical code flow. It is not enough to have a "one function to rule them all", that's just daft. Rather, you start with the initial function, like say, for drawing a popup window. There's a multitude of facets to this job, so the initial thread will call one function to do something, like DirectX telling it to draw the window, which DirectX will figure "ok, but with what?" and then pass that request to another, and then that to another, and then so on and so forth. How things fragment and flow through all this process of events is the essence of code flow.

Click to expand...

Once you understand that, it's easier to get an idea what's going on in a callstack. Let's use your example. Starting with nt!KxStartSystemThread at the bottom, this function sets up the thread to start doing work. Then when necessary, it calls into the function above it (nt!PspSystemThreadStartup) to continue it. This continues till what appears to be the real work starting (usbhub!UsbhHubWorker), as the rest is just initial setup. It's then performing various and sundry USB-related tasks for some USB I/O.

It's important to understand that each function is not really calling the function above it from the offset specified in the call site nor from the address specified in the return address (which are both the same thing). Rather, it calls it from the beginning of the function. So, usbhub!UsbhHubWorker is not calling into usbhub!UsbhHubSSH_Worker at offset 0x2d, but is calling it straight into the beginning of the function. The offsets and return addresses are rather just displaying where things continues once and if the function returns. That means the function has done its job, and the flow code operation is now returning to the function below it in the callstack.

I'm sure it's difficult to be able to interpret this process without any visuals, which I really can't provide any. The closest I can provide is to show some disassembly. Let's start with a simple idle loop from a kernel dump I have stored away:

Code:

Child-SP RetAddr Call Site fffffa60`01d8ece0 fffff800`01ca8b83 intelppm+0x29ed fffffa60`01d8ed10 fffff800`01ca88a1 nt!PoIdle+0x183 fffffa60`01d8ed80 fffff800`01e75860 nt!KiIdleLoop+0x21 fffffa60`01d8edb0 00000000`fffffa60 nt!zzz_AsmCodeRange_End+0x4 fffffa60`01d6ad00 00000000`00000000 0xfffffa60

Ignoring the first two frames (it's a little too complicated right now to explain), let's start at nt!KiIdleLoop+0x21. I'll whip out the disassembly window and copy and paste the entire name from module to offset, getting as followed:

Code:

... nt!KiIdleLoop: fffff800`01ca8880 4883ec28 sub rsp,28h fffff800`01ca8884 65488b1c2520000000 mov rbx,qword ptr gs:[20h] fffff800`01ca888d eb20 jmp nt!KiIdleLoop+0x2f (fffff800`01ca88af) fffff800`01ca888f 33c9 xor ecx,ecx fffff800`01ca8891 440f22c1 mov cr8,rcx fffff800`01ca8895 488d8b80380000 lea rcx,[rbx+3880h] fffff800`01ca889c e85f010000 call nt!PoIdle (fffff800`01ca8a00) fffff800`01ca88a1 fb sti fffff800`01ca88a2 b902000000 mov ecx,2 fffff800`01ca88a7 440f22c1 mov cr8,rcx fffff800`01ca88ab 80630700 and byte ptr [rbx+7],0 fffff800`01ca88af 803d9c881c0000 cmp byte ptr [nt!HvlEnableIdleYield (fffff800`01e71152)],0 fffff800`01ca88b6 7402 je nt!KiIdleLoop+0x3a (fffff800`01ca88ba) fffff800`01ca88b8 f390 pause fffff800`01ca88ba fb sti fffff800`01ca88bb 90 nop fffff800`01ca88bc 90 nop fffff800`01ca88bd fa cli ...

The bold is where the disassembly window highlights, telling me that nt!KiIdleLoop+0x21 points exactly to here. As you can tell, its position is 0x21 away from the beginning of the function. Now take notice of the call function right before it. That's the call to nt!PoIdle, which you can see in the callstack is the next function that was called into. What happened is nt!KiIdleLoop started, ran its course, then it eventually said "I need to call PoIdle cuz it needs to do something", so it called it as such. Now, did it call it at nt!PoIdle+0x183 like the callstack said? Nope. Rather, it says it called straight into the beginning of the PoIdle function, at address fffff800`01ca8a00. I'll verify:

Code:

... nt!PoIdle: fffff800`01ca8a00 4883ec68 sub rsp,68h fffff800`01ca8a04 f605ff09130002 test byte ptr [nt!PpmIdlePolicy+0x2 (fffff800`01dd940a)],2 fffff800`01ca8a0b 0f85b9010000 jne nt!PoIdle+0x1ca (fffff800`01ca8bca) fffff800`01ca8a11 48895c2470 mov qword ptr [rsp+70h],rbx fffff800`01ca8a16 4889742458 mov qword ptr [rsp+58h],rsi fffff800`01ca8a1b 48897c2450 mov qword ptr [rsp+50h],rdi fffff800`01ca8a20 488b39 mov rdi,qword ptr [rcx] fffff800`01ca8a23 4885ff test rdi,rdi fffff800`01ca8a26 0f841d050600 je nt! ?? ::FNODOBFM::`string'+0x31b79 (fffff800`01d08f49) fffff800`01ca8a2c 8b5f08 mov ebx,dword ptr [rdi+8] fffff800`01ca8a2f f6c302 test bl,2

Blammo. First line of code in the function is where it pointed too, not the offset described in the callstack. Now what's going to happen here is that PoIdle will runs its stuff, until eventually it, too, needs to call another function. Let's check nt!PoIdle+0x183 which is what the callstack gave us as the call site:

Code:

... fffff800`01ca8b68 0f8456050600 je nt! ?? ::FNODOBFM::`string'+0x31cf4 (fffff800`01d090c4) fffff800`01ca8b6e 83fb02 cmp ebx,2 fffff800`01ca8b71 0f845b050600 je nt! ?? ::FNODOBFM::`string'+0x31d02 (fffff800`01d090d2) fffff800`01ca8b77 33d2 xor edx,edx fffff800`01ca8b79 4a8b4cef28 mov rcx,qword ptr [rdi+r13*8+28h] fffff800`01ca8b7e 42ff54ef20 call qword ptr [rdi+r13*8+20h] fffff800`01ca8b83 85c0 test eax,eax fffff800`01ca8b85 0f8851050600 js nt! ?? ::FNODOBFM::`string'+0x31d0c (fffff800`01d090dc) fffff800`01ca8b8b 85db test ebx,ebx fffff800`01ca8b8d 0f859e050600 jne nt! ?? ::FNODOBFM::`string'+0x31d61 (fffff800`01d09131) fffff800`01ca8b93 33c9 xor ecx,ecx fffff800`01ca8b95 ff1505a60d00 call qword ptr [nt!_imp_KeQueryPerformanceCounter (fffff800`01d831a0)] fffff800`01ca8b9b 492bc6 sub rax,r14 ...

Notice again the call instruction before it? In this case it's a little more convoluted in that the address isn't a static address like before but it's one made by doing some math with some registers and junk and then using the resulting memory address' contents as a reference point. However if we did all of that math n stuff, we'd most likely come up with the start for the next function listed in the callstack, which is somewhere in the module intelppm. What's going to happen, then is that is for whatever reason the function in intelppm returns, the code flow will return to nt!PoIdle+0x183, then if for whatever reason the PoIdle function returns, everything will continue at nt!KiIdleLoop+0x21, and so on.

You're probably wondering why intelppm doesn't have a function listed. That's because in my case, I do not have access to any symbols for intelppm. Because there are no symbols, no function names and whatnot can be displayed, so it just leaves me with intelppm with a very big offset, not an offset from the beginning of a function, but from the beginning of the entire module. So it's important to have symbols whenever possible. It's not impossible to go without em, but it makes things quite more difficulty because then you have to ascertain through disassembling and reading the code just what the function is actually doing. The function names there provided by the symbols are to help you discover what each function's responsibility is.

I hope that kinda clarifies something about what's going on in a callstack. If you need more assistance I'll do what I can to help, but that should at least get things going for ya.

Thank you, Isaac!

Vir Gnarus · Jun 18, 2012

Phew, er, thanks! I want to mention that this does not apply to all cases. Some functions can call into themselves (recursive), and there's other differences to consider like when dealing with leaf functions (name is kinda self-explanatory) and whatnot. However, again, what I've mentioned is the general idea.

jcgriff2 · Jun 22, 2012

Vir Gnarus said:
As Shintaro and JC pointed out, it does look very consistent that we're dealing with the intel network driver here.

Code:

0: kd> !irp fffffa80101b3bd0 1 Irp is active with 5 stacks 3 is current (= 0xfffffa80101b3d30) No Mdl: No System Buffer: Thread 00000000: Irp stack trace. Flags = 00000000 ThreadListEntry.Flink = fffffa80101b3bf0 ThreadListEntry.Blink = fffffa80101b3bf0 IoStatus.Status = c00000bb IoStatus.Information = 00000000 RequestorMode = 00000000 Cancel = 00 CancelIrql = 0 ApcEnvironment = 00 UserIosb = 00000000 UserEvent = 00000000 Overlay.AsynchronousParameters.UserApcRoutine = 00000000 Overlay.AsynchronousParameters.UserApcContext = 00000000 Overlay.AllocationSize = 00000000 - 00000000 CancelRoutine = 00000000 UserBuffer = 00000000 &Tail.Overlay.DeviceQueueEntry = fffffa80101b3c48 Tail.Overlay.Thread = 00000000 Tail.Overlay.AuxiliaryBuffer = 00000000 Tail.Overlay.ListEntry.Flink = fffff80003278b00 Tail.Overlay.ListEntry.Blink = fffff80003278b00 Tail.Overlay.CurrentStackLocation = fffffa80101b3d30 Tail.Overlay.OriginalFileObject = 00000000 Tail.Apc = 00000000 Tail.CompletionKey = 00000000 cmd flg cl Device File Completion-Context [ 0, 0] 0 0 00000000 00000000 00000000-00000000 Args: 00000000 00000000 00000000 00000000 [ 0, 0] 0 0 00000000 00000000 00000000-00000000 Args: 00000000 00000000 00000000 00000000 >[ 16, 2] 0 0 fffffa8009a1e050 00000000 00000000-00000000 \Driver\NETwNs64 Args: 00014400 00000000 00000004 00000002 [ 16, 2] 0 e1 fffffa8009989350 00000000 fffff80003315200-fffffa80093194b0 Success Error Cancel pending \Driver\vwifibus nt!PopSystemIrpCompletion Args: 00014400 00000000 00000004 00000002 [ 0, 0] 0 0 00000000 00000000 00000000-fffffa80093194b0 Args: 00000000 00000000 00000000 00000000

It looks like it's held up by a c00000bb, or "request not supported" error. This is during a power IRP sent to it (16 major function code is POWER, 2 is minor function code SET_POWER). Obviously it appears the driver is having a difficult time dealing with setting the network card to power down because it can't understand the request (or it's sending a request that isn't supported?). Either way, the driver isn't that new (Dec 2011), so give it an update.

If that doesn't fix the problem, probably best to turn on Driver Verifier, restart, and let it crash again. Select all checks except Force Pending I/O Requests, IRP Logging, and Low Resource Sim.

jcgriff2 · Jun 25, 2012

Class 101 for 0x101 Bugchecks

And all of the others - BSOD Kernel Dump Analysis Debugging Information

jcgriff2 · Jun 25, 2012

Bugcheck: 0xdeaddead

Vir Gnarus said:
Not only can this be caused by someone manually generating a crash using the keyboard combo, as Shintaro rightly stated, but drivers can force BSODs as well for whatever (dubious) reason through this method, in order to give a notice that something bad has happened with em internally and they need to crash Windows to get you to notice. In fact, taking gander at the callstack:

Code:

STACK_TEXT: fffff800`00ba1e08 fffff880`078c00d2 : 00000000`deaddead 00000000`0f00004b 00000000`0125025b 00000000`30400000 : nt!KeBugCheckEx fffff800`00ba1e10 00000000`deaddead : 00000000`0f00004b 00000000`0125025b 00000000`30400000 00000000`00000000 : NETwNs64+0x3c0d2 fffff800`00ba1e18 00000000`0f00004b : 00000000`0125025b 00000000`30400000 00000000`00000000 fffff880`00000479 : 0xdeaddead fffff800`00ba1e20 00000000`0125025b : 00000000`30400000 00000000`00000000 fffff880`00000479 00000000`00000000 : 0xf00004b fffff800`00ba1e28 00000000`30400000 : 00000000`00000000 fffff880`00000479 00000000`00000000 00000000`00000000 : 0x125025b fffff800`00ba1e30 00000000`00000000 : fffff880`00000479 00000000`00000000 00000000`00000000 fffffa80`0cba87a0 : 0x30400000

NETwNs64.sys shows up immediately before KeBugCheckEx. This kinda gives you a hint that this fella was responsible.

jcgriff2 · Jul 23, 2012

https://www.sysnative.com/forums/showthread.php/2871-bsod?p=21368&viewfull=1#post21368

jcgriff2 · Aug 2, 2012

From the !irp command Vir Gnarus showed us:

Code:

  
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\Minidump\010111-45801-01.dmp]


 
	Read More: 
	
		 



	Mini Kernel Dump File: Only registers and stack trace are available

DbsSplayTreeRangeMap::Add: ignoring zero-sized range at ?fffff800`00b9c500?
Symbol search path is: SRV*a:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0xfffff800`02c0f000 PsLoadedModuleList = 0xfffff800`02e4ce50
Debug session time: Sat Jan  1 01:50:19.319 2011 (UTC - 4:00)
System Uptime: 0 days 4:09:19.394
Loading Kernel Symbols
...............................................................
................................................................
........................................
Loading User Symbols
Loading unloaded module list
.......
ERROR: FindPlugIns 8007007b
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.
	 
	
	

BugCheck 9F, {3, fffffa80047d1a20, fffff80000b9c518, fffffa800752caa0}

Probably caused by : pci.sys

Followup: MachineOwner
---------

Code:

 
0: kd> !irp fffffa800752caa0

 
	Read More: 
	
		 



	
Irp is active with 6 stacks 4 is current (= 0xfffffa800752cc48)
 No Mdl: No System Buffer: Thread 00000000:  Irp stack trace.  
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    

			Args: 00000000 00000000 00000000 00000000
 [  0, 0]   0  0 00000000 00000000 00000000-00000000    
	 
	
	
			Args: 00000000 00000000 00000000 00000000
>[ 16, 2]   0  0 fffffa80056f6050 00000000 00000000-00000000    
	      Unable to load image \SystemRoot\system32\DRIVERS\NETwNs64.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for NETwNs64.sys
*** ERROR: Module load completed but symbols could not be loaded for NETwNs64.sys
 \Driver\NETwNs64
			Args: 00014400 00000000 00000004 00000002
 [ 16, 2]   0 e1 fffffa800556d7a0 00000000 fffff80002ecaf70-fffffa8004bf3580 Success Error Cancel pending
	       \Driver\vwifibus	nt!PopSystemIrpCompletion
			Args: 00014400 00000000 00000004 00000002
 [  0, 0]   0  0 00000000 00000000 00000000-fffffa8004bf3580    

			Args: 00000000 00000000 00000000 00000000

Code:

 
0: kd> lmvm NETwNs64
start             end                 module name
fffff880`03e6f000 fffff880`045f1000   NETwNs64 T (no symbols)           
    Loaded symbol image file: NETwNs64.sys
    Image path: \SystemRoot\system32\DRIVERS\NETwNs64.sys
    Image name: NETwNs64.sys
    Timestamp:        Wed Jul 14 07:42:54 2010 (4C3DA2BE)
    CheckSum:         00782155
    ImageSize:        00782000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

NETwNs64.sys = Intel wifi - https://www.sysnative.com/drivers/driver.php?id=NETwNs64.sys

The dump is from my system - just after midnight, Jan 1 2011.

jcgriff2 · Sep 3, 2012

First post-RTM build number for Windows 8 revealed?

usasma · Oct 2, 2012

Infected drivers (haven't seen this very often): http://answers.microsoft.com/en-us/...on/070f3aea-1d5c-44e4-a12f-a463624463e5#_self

Infected drivers are: crfjvnbv.sys and gmvvpcpj.sys
The kmx... drivers are from CA Antivirus - I'll be adding them to the DRT after I finish this.

Analysis:
The following is for information purposes only.

Code:

**************************Sun Sep 30 17:46:59.396 2012 (UTC - 4:00)**************************
Loading Dump File [C:\Users\John\_jcgriff2_\dbug\__Kernel__\093012-60325-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Built by: 7601.17803.x86fre.win7sp1_gdr.120330-1504
System Uptime:0 days 0:00:46.285
BugCheck Code: BugCheck F4, {3, 87f4f540, 87f4f6ac, 82c54df0}
Probably caused by :wininit.exe
BugCheck Info: CRITICAL_OBJECT_TERMINATION (f4)
PROCESS_NAME: wininit.exe
BUGCHECK_STR:  0xF4_c0000005
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
FAILURE_BUCKET_ID: 0xF4_c0000005_IMAGE_wininit.exe
CPUID:        "Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz"
MaxSpeed:     2000
CurrentSpeed: 1994
  BIOS Version                  A17
  BIOS Release Date             01/04/2010
  Manufacturer                  Dell Inc.
  Product Name                  Latitude D630                   
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Sun Sep 30 07:52:16.272 2012 (UTC - 4:00)**************************
Loading Dump File [C:\Users\John\_jcgriff2_\dbug\__Kernel__\093012-51293-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Built by: 7601.17803.x86fre.win7sp1_gdr.120330-1504
System Uptime:0 days 0:00:46.160
BugCheck Code: BugCheck F4, {3, 8669bd40, 8669beac, 82c5ddf0}
Probably caused by :wininit.exe
BugCheck Info: CRITICAL_OBJECT_TERMINATION (f4)
PROCESS_NAME: wininit.exe
BUGCHECK_STR:  0xF4_c0000005
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
FAILURE_BUCKET_ID: 0xF4_c0000005_IMAGE_wininit.exe
CPUID:        "Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz"
MaxSpeed:     2000
CurrentSpeed: 1994
  BIOS Version                  A17
  BIOS Release Date             01/04/2010
  Manufacturer                  Dell Inc.
  Product Name                  Latitude D630                   
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Sat Sep 29 21:26:58.131 2012 (UTC - 4:00)**************************
Loading Dump File [C:\Users\John\_jcgriff2_\dbug\__Kernel__\092912-50949-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Built by: 7601.17803.x86fre.win7sp1_gdr.120330-1504
System Uptime:0 days 0:00:46.035
BugCheck Code: BugCheck F4, {3, 88113d40, 88113eac, 82c64df0}
Probably caused by :wininit.exe
BugCheck Info: CRITICAL_OBJECT_TERMINATION (f4)
PROCESS_NAME: wininit.exe
BUGCHECK_STR:  0xF4_c0000005
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
FAILURE_BUCKET_ID: 0xF4_c0000005_IMAGE_wininit.exe
CPUID:        "Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz"
MaxSpeed:     2000
CurrentSpeed: 1994
  BIOS Version                  A17
  BIOS Release Date             01/04/2010
  Manufacturer                  Dell Inc.
  Product Name                  Latitude D630                   
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Sat Sep 29 11:12:06.818 2012 (UTC - 4:00)**************************
Loading Dump File [C:\Users\John\_jcgriff2_\dbug\__Kernel__\092912-52385-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Built by: 7601.17803.x86fre.win7sp1_gdr.120330-1504
System Uptime:0 days 0:00:46.722
BugCheck Code: BugCheck F4, {3, 8810ed40, 8810eeac, 82c68df0}
Probably caused by :wininit.exe
BugCheck Info: CRITICAL_OBJECT_TERMINATION (f4)
PROCESS_NAME: wininit.exe
BUGCHECK_STR:  0xF4_c0000005
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
FAILURE_BUCKET_ID: 0xF4_c0000005_IMAGE_wininit.exe
CPUID:        "Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz"
MaxSpeed:     2000
CurrentSpeed: 1994
  BIOS Version                  A17
  BIOS Release Date             01/04/2010
  Manufacturer                  Dell Inc.
  Product Name                  Latitude D630                   
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Sat Sep 29 10:13:09.864 2012 (UTC - 4:00)**************************
Loading Dump File [C:\Users\John\_jcgriff2_\dbug\__Kernel__\092912-53477-01.dmp]
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x86 compatible
Built by: 7601.17803.x86fre.win7sp1_gdr.120330-1504
System Uptime:0 days 0:00:46.768
BugCheck Code: BugCheck F4, {3, 87fded40, 87fdeeac, 82c50df0}
Probably caused by :wininit.exe
BugCheck Info: CRITICAL_OBJECT_TERMINATION (f4)
PROCESS_NAME: wininit.exe
BUGCHECK_STR:  0xF4_c0000005
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
FAILURE_BUCKET_ID: 0xF4_c0000005_IMAGE_wininit.exe
CPUID:        "Intel(R) Core(TM)2 Duo CPU     T7250  @ 2.00GHz"
MaxSpeed:     2000
CurrentSpeed: 1994
  BIOS Version                  A17
  BIOS Release Date             01/04/2010
  Manufacturer                  Dell Inc.
  Product Name                  Latitude D630                   
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Sun Sep 30 17:46:59.396 2012 (UTC - 4:00)**************************

3rd Party Drivers:
The following is for information purposes only.
Any drivers in red should be updated or removed from your system. And should have been discussed in the body of my post.

Code:

**************************Sun Sep 30 17:46:59.396 2012 (UTC - 4:00)**************************
VSTCNXT3.SYS                Wed Oct 15 20:29:13 2008 (48F68AD9)
VSTAZL3.SYS                 Wed Oct 15 20:30:03 2008 (48F68B0B)
VSTDPV3.SYS                 Wed Oct 15 20:32:04 2008 (48F68B84)
netw5v32.sys                Thu Mar 26 12:10:37 2009 (49CBA8FD)
b57nd60x.sys                Sun Apr 26 07:15:34 2009 (49F44256)
GEARAspiWDM.sys             Mon May 18 08:16:53 2009 (4A1151B5)
intelppm.sys                Mon Jul 13 19:11:03 2009 (4A5BBF07)
intelide.sys                Mon Jul 13 19:11:19 2009 (4A5BBF17)
oz776.sys                   Tue Sep  8 22:10:13 2009 (4AA70E85)
amdxata.sys                 Fri Mar 19 12:19:01 2010 (4BA3A3F5)
ElRawDsk.sys                Tue Oct 26 05:34:08 2010 (4CC6A090)
KmxFile.sys                 Tue Mar 22 11:09:48 2011 (4D88BBBC)
kmxagent.sys                Wed Mar 23 08:28:49 2011 (4D89E781)
KmxAMRT.sys                 Mon Apr  4 17:12:49 2011 (4D9A3451)
kmxfw.sys                   Sun Apr 24 15:05:24 2011 (4DB47474)
KmxFilter.sys               Mon May  2 08:41:56 2011 (4DBEA694)
kmxcfg.sys                  Thu May 12 16:58:46 2011 (4DCC4A06)
MpFilter.sys                Fri Mar  9 03:43:34 2012 (4F59C2B6)
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Sat Sep 29 21:26:58.131 2012 (UTC - 4:00)**************************
gmvvpcpj.sys                Wed Sep  2 17:37:57 2009 (4A9EE5B5)
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Sat Sep 29 11:12:06.818 2012 (UTC - 4:00)**************************
crfjvnbv.sys                Wed Sep  2 17:37:57 2009 (4A9EE5B5)

http://www.carrona.org/drivers/driver.php?id=VSTCNXT3.SYS
http://www.carrona.org/drivers/driver.php?id=VSTAZL3.SYS
http://www.carrona.org/drivers/driver.php?id=VSTDPV3.SYS
http://www.carrona.org/drivers/driver.php?id=netw5v32.sys
http://www.carrona.org/drivers/driver.php?id=b57nd60x.sys
http://www.carrona.org/drivers/driver.php?id=GEARAspiWDM.sys
http://www.carrona.org/drivers/driver.php?id=intelppm.sys
http://www.carrona.org/drivers/driver.php?id=intelide.sys
http://www.carrona.org/drivers/driver.php?id=oz776.sys
http://www.carrona.org/drivers/driver.php?id=amdxata.sys
http://www.carrona.org/drivers/driver.php?id=ElRawDsk.sys
KmxFile.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
kmxagent.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
KmxAMRT.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
kmxfw.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
KmxFilter.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
kmxcfg.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=MpFilter.sys
gmvvpcpj.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
crfjvnbv.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.

jcgriff2 · Oct 4, 2012

Based on names, I wonder if they are dynamically allocated.

Have you seen the same named drivers before?

Vir Gnarus · Oct 4, 2012

malware and AVs would most certainly do a random naming convention for their drivers in order to throw off their counterpart. This would be no exception.

usasma · Oct 4, 2012

I've never seen these drivers before.
I posted it because it's rare to even see these drivers in a memory dump.
I may have only seen it once or twice in my entire career!

jcgriff2 · Oct 4, 2012

I asked because I thought we may be headed toward entries like the SPTD variants.

But given rarity, good idea to add them.

usasma · Oct 5, 2012

I'd agree - but we'd still have to keep an eye out for them becoming more common.

I still remember pulling my hair out over the sptd variants,
then figuring that it'd be nice to have them in the DRT,
then realizing that the number of entries would eventually expand to fill many, many pages and would provide no real assistance to anyone!

And now we're stuck with a table full of entries.
Hmmm, I wonder if Laxer can setup a table that's automatically filled with all possible sptd variants - and let them all point to the DRT for clarification?
We could insert that into the apps for any time they showed up (and, maybe, have a "whitelist" for those that belong to other programs).

Wrench97 · Oct 5, 2012

The White list may be shorter, perhaps a simple if loop to eliminate the ones on the white list.

Corrine · Oct 5, 2012

usasma said:
Infected drivers (haven't seen this very often)

Very common on infected computers. Since Microsoft Answers/Communities doesn't handle malware removal, you could refer people to the Security Arena when you see something that.

In addition to walking the OP through the clean-up process, we would also check for outdated/vulnerable third-party software and provide appropriate advice for keeping the computer clean.

usasma · Oct 6, 2012

Thanks Corrine! Great idea!

jcgriff2 · Oct 14, 2012

Been a long time since I've seen bugcheck 0xa0 - Hibernation File

http://www.techsupportforum.com/forums/f299/bsod-trouble-0xa0-hibernation-file-670528.html

jcgriff2 · Oct 29, 2012

Bugcheck 0x119 - https://www.sysnative.com/forums/showthread.php/4216-Bluescreen-119-in-games?p=30794#post30794

Bad Fence IDs

Analysts: - see below:

Vir Gnarus said:
There's an offchance we're dealing with a bug in the graphics drivers. Despite them being relatively new, it's possible a new bug got introduced. Check to see if there isn't a more updated version of the graphics drivers, or try even rolling back the drivers to an older date. You may also want to try completely uninstalling the drivers and reinstalling the graphics drivers at latest version (perhaps try a beta version as well if available).

As Wrench is correct, this was dealing with some bad fence id handling. Commonly bad fence ids are due to driver bugs more than hardware problems. This one does seem quite like a driver bug because the fence id the driver reported to DirectX was waaay off, and doesn't even look like a valid number, so it's clear this wasn't just the driver servicing fence ids out of order. Rather, it's probably a value from somewhere else that wrote over the otherwise valid fence id. The consistency of this crash leads me to suspect moreso that it's a driver problem and not a hardware issue. However if not matter of driver changes seems to fix this, then I guess you'll have to write it off as a bad video card and replace the PC. I take it you have warranty for this new system, to replacing it shouldn't be costly.

Analysts:

If you haven't figured from the correspondence between me and cluberti mentioned in the main post in this thread, Args 2-4 of the bugcheck are the fence ids. Not sure if Arg 3 is the fence id it expected or the most recent previous fence id (with Arg 4 being the one before it) but Arg 2 is certainly the latest and the one to cause the crash. Value looks pretty off-the-wall, so I'm expecting the value got overwritten somehow, most likely by driver bug.

jcgriff2 · Nov 8, 2012

I never knew about the hex --> DEC conversion on this.

AustrAlien said:
Guevara_CF said:

005 Reallocation Sector Count 036 036 00000000-0A43 036

Click to expand...

0A43 in hex converts to decimal 2627.

This is the number of failed sectors currently counted on the hard drive ... and it is a large number!
The hard drive is failing badly and needs to be replaced. There is no doubt about this and further testing is not necessary.

It cannot be fixed/repaired.

The Reallocation Sector Count:

When the hard drive finds a read/write/verification error, it marks that sector as "reallocated" and transfers data to a special reserved area (spare area). This process is also known as remapping, and reallocated sectors are called "remaps". The raw value normally represents a count of the bad sectors that have been found and remapped. Thus, the higher the attribute value, the more sectors the drive has had to reallocate. This allows a drive with bad sectors to continue operation; however, a drive which has had any reallocations at all is significantly more likely to fail in the near future.

Click to expand...

Reference: S.M.A.R.T.

The HDDScan report that you posted for your second hard drive is the same as the one posted for your first hard drive.

Please post the report for your second hard drive so we can check the S.M.A.R.T. values for you.

http://www.techsupportforum.com/for...ing-hard-disk-failure-674536.html#post3947728

Most Notable BSOD Kernel Dump Analysis posts

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

BSOD Kernel Dump Expert

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Attachments

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Retired Admin

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

BSOD Kernel Dump Expert

Retired Admin

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Retired Admin

Administrator, Hardware Expert

Administrator, Microsoft MVP, Security Analyst

Retired Admin

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Co-Founder/AdminBSOD Expert (Ret.)Microsoft MVP (Ret.)PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Administrator,
Microsoft MVP,
Security Analyst

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED

Co-Founder/Admin
BSOD Expert (Ret.)
Microsoft MVP (Ret.)
PRIMARILY RETIRED