Hi,
We have many different bug checks:
KMODE_EXCEPTION_NOT_HANDLED (1e)
This indicates that a kernel-mode program generated an exception which the error handler did not catch.
Code:
BugCheck 1E, {ffffffffc0000005, fffff8025cabb644, 0, 1b540d43}
Code:
5: kd> ln fffff8025cabb644
(fffff802`5cabb340) nt!PpmIdleExecuteTransition+0x304 | (fffff802`5cabba10) nt!PpmTestAndLockProcessors
^^ The exception occurred in
nt!PpmIdleExecuteTransition.
Code:
5: kd> k
Child-SP RetAddr Call Site
ffffd001`a08e9778 fffff802`5cbe06d6 nt!KeBugCheckEx
ffffd001`a08e9780 fffff802`5cb604ed nt!KiFatalExceptionHandler+0x22
ffffd001`a08e97c0 fffff802`5caea105 nt!RtlpExecuteHandlerForException+0xd
ffffd001`a08e97f0 fffff802`5cae8fbf nt!RtlDispatchException+0x1a5
ffffd001`a08e9ec0 fffff802`5cb64bc2 nt!KiDispatchException+0x61f
ffffd001`a08ea5b0 fffff802`5cb63314 nt!KiExceptionDispatch+0xc2
ffffd001`a08ea790 fffff802`5cabb644 nt!KiPageFault+0x214
ffffd001`a08ea920 fffff802`5cabb18a nt!PpmIdleExecuteTransition+0x304
ffffd001`a08eab10 fffff802`5cb5cabc nt!PoIdle+0x27a
ffffd001`a08eac60 00000000`00000000 nt!KiIdleLoop+0x2c
It looks like processor #5 called into a pagefault while attempting to transition from an idle state. As this is only a minidump, we cannot dump the other call stacks from the other processors to determine what may have caused this to occur.
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This indicates that a system thread generated an exception which the error handler did not catch.
Code:
BugCheck 1000007E, {ffffffffc0000005, fffff801e616bdcf, ffffd000245a3608, ffffd000245a2e10}
^^ The 1st parameter of the bug check is 0xc0000005 which indicates an access violation occurred.
Code:
4: kd> .exr 0xffffd000245a3608
ExceptionAddress: fffff801e616bdcf (nt!KiSwapContext+0x000000000000000f)
ExceptionCode: c0000005 (Access violation)
^^ The violation occurred in
nt!KiSwapContext.
Code:
4: kd> k
Child-SP RetAddr Call Site
ffffd000`245a3848 fffff801`e606bd1e nt!KiSwapContext+0xf
ffffd000`245a3988 fffff801`e606b779 nt!KiSwapThread+0x14e
ffffd000`245a3a28 fffff801`e607bdfa nt!KiCommitThreadWait+0x129
ffffd000`245a3aa8 00000000`00000032 nt!KeWaitForSingleObject+0x22a
ffffd000`245a3b38 fffff801`c72fa5ed 0x32
ffffd000`245a3b40 fffff801`c951433c ndis!NdisMSleep+0x59
ffffd000`245a3bc0 ffffe000`21dab030 athw8x+0x26033c
ffffd000`245a3bc8 fffff801`00000010 0xffffe000`21dab030
ffffd000`245a3bd0 ffffe000`00000008 0xfffff801`00000010
ffffd000`245a3bd8 ffffe000`21d63040 0xffffe000`00000008
ffffd000`245a3be0 ffffe000`21d9f030 0xffffe000`21d63040
ffffd000`245a3be8 ffffe000`1ca72040 0xffffe000`21d9f030
ffffd000`245a3bf0 00000000`00000000 0xffffe000`1ca72040
athw8x.sys (Atheros Wireless LAN driver) called the
ndis!NdisMSleep function which delayed the execution of the caller for a given interval in microseconds, and it
looks like a deadlock may have occurred.
SYSTEM_SERVICE_EXCEPTION (3b)
This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.
This error has been linked to excessive paged pool usage and may occur due to user-mode graphics drivers crossing over and passing bad data to the kernel code.
Code:
BugCheck 3B, {c0000005, fffff8035ac5569a, ffffd000285eafc0, 0}
Code:
3: kd> ln fffff8035ac5569a
(fffff803`5ac555cc) nt!NtCreateEvent+0xce | (fffff803`5ac55804) nt!ObInsertObjectEx
^^ The exception occurred in
nt!NtCreateEvent, which is a routine that creates an event object, sets the initial state of the event to the specified value, and opens a handle to the object with the specified desired access.
IRQL_NOT_LESS_OR_EQUAL (a)
This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above.
This bug check is issued if paged memory (or invalid memory) is accessed when the IRQL is too high. The error that generates this bug check usually occurs after the installation of a faulty device driver, system service, or BIOS.
Code:
2: kd> k
Child-SP RetAddr Call Site
ffffd001`42de99c8 fffff801`21965ae9 nt!KeBugCheckEx
ffffd001`42de99d0 fffff801`2196433a nt!KiBugCheckDispatch+0x69
ffffd001`42de9b10 fffff801`218bd47f nt!KiPageFault+0x23a
ffffd001`42de9ca0 fffff801`218ba678 nt!KeAccumulateTicks+0x14f
ffffd001`42de9d30 fffff801`21f9767f nt!KeClockInterruptNotify+0x788
ffffd001`42de9f40 fffff801`218d5363 hal!HalpTimerClockInterrupt+0x4f
ffffd001`42de9f70 fffff801`2195b42a nt!KiCallInterruptServiceRoutine+0xa3
ffffd001`42de9fb0 fffff801`2195b80f nt!KiInterruptSubDispatchNoLockNoEtw+0xea
ffffd001`43d7d7d0 00000000`00000000 nt!KiInterruptDispatchLBControl+0x11f
^^ Processor #2 receives a clock interrupt notifcation, accumulates the ticks, and then calls into a pagefault.
Code:
FAILURE_ID_HASH_STRING: km:ip_misaligned
^^ Misaligned instruction pointer.
KERNEL_SECURITY_CHECK_FAILURE (139)
This bug check indicates that the kernel has detected the corruption of a critical data structure.
Code:
BugCheck 139, {3, ffffd00023148160, ffffd000231480b8, 0}
^^ The first parameter of the bug check is
3, which indicates a LIST_ENTRY corruption occurred. This type of bug check can be difficult to track down and indicates that an inconsistency has been introduced into a doubly-linked list (detected when an individual list entry element is added to or removed from the list).
Code:
5: kd> k
Child-SP RetAddr Call Site
ffffd000`23147e38 fffff803`0c3e2ae9 nt!KeBugCheckEx
ffffd000`23147e40 fffff803`0c3e2e10 nt!KiBugCheckDispatch+0x69
ffffd000`23147f80 fffff803`0c3e2034 nt!KiFastFailDispatch+0xd0
ffffd000`23148160 fffff802`00982987 nt!KiRaiseSecurityCheckFailure+0xf4
ffffd000`231482f0 fffff802`00922855 dxgkrnl!DXGDEVICE::TerminateAllocations+0x5f2f7
ffffd000`23148390 fffff802`00922354 dxgkrnl!DXGDEVICE::DestroyAllocationInternal+0x12d
ffffd000`231483e0 fffff802`00921c11 dxgkrnl!DxgkDestroyAllocationInternal+0x264
ffffd000`231486d0 fffff803`0c3e27b3 dxgkrnl!DxgkDestroyAllocation+0x301
ffffd000`23148b00 00000000`7760741a nt!KiSystemServiceCopyEnd+0x13
00000000`1bafe828 00000000`00000000 0x7760741a
^^ Various DirectX Kernel routines.
PAGE_FAULT_IN_NONPAGED_AREA (50)
This indicates that invalid system memory has been referenced.
Bug check 0x50 usually occurs after the installation of faulty hardware or in the event of failure of installed hardware (usually related to defective RAM, be it main memory, L2 RAM cache, or video RAM).
Another common cause is the installation of a faulty system service.
Antivirus software can also trigger this error, as can a corrupted NTFS volume.
Code:
MODULE_NAME: hardware
FAILURE_BUCKET_ID: IP_MISALIGNED
BUCKET_ID: IP_MISALIGNED
^^ Once again we can see a misaligned instruction pointer.
Code:
BugCheck 50, {ffffffffffffff8d, 1, fffff8002a5d37ba, 0}
^^ Address
ffffffffffffff8d was written to by the instruction at address
fffff8002a5d37ba.
Code:
0: kd> r cr2
Last set context:
cr2=ffffffffffffff8d
^^ The 1st parameter address was stored in cr2 prior to calling the page fault handler.
Code:
0: kd> !pte ffffffffffffff8d
VA ffffffffffffff8d
PXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF8 PTE at FFFFF6FFFFFFFFF8
contains 000000000139F063 contains 00000000013A0063 contains 0000000000ECF063 contains 0000000000000000
GetUlongFromAddress: unable to read from fffff8002a7c8104
pfn 139f ---DA--KWEV pfn 13a0 ---DA--KWEV pfn ecf ---DA--KWEV not valid
^^ We can see from the above that the address
ffffffffffffff8dis indeed invalid. With this said, why did
ffffffffffffff8dattempt to write to
fffff8002a5d37ba?
Code:
0: kd> kv
Child-SP RetAddr : Args to Child : Call Site
ffffd000`215362e8 fffff800`2a5f90e7 : 00000000`00000050 ffffffff`ffffff8d 00000000`00000001 ffffd000`215364d0 : nt!KeBugCheckEx
ffffd000`215362f0 fffff800`2a4db9c9 : 00000000`00000001 ffffe000`10b21880 ffffd000`215364d0 ffffe000`10b21880 : nt! ?? ::FNODOBFM::`string'+0x20c37
ffffd000`21536390 fffff800`2a5d222f : 00000000`00000001 ffffe000`10b21880 ffffe000`00000000 ffffd000`215364d0 : nt!MmAccessFault+0x7a9
ffffd000`215364d0 fffff800`2a5d37ba : ffffe000`10b21880 ffffd000`21536888 ffffd000`21536678 ffffd000`21536750 : nt!KiPageFault+0x12f (TrapFrame @ ffffd000`215364d0)
ffffd000`21536660 fffff800`2a5cbc00 : fffff960`001a42d1 ffffffff`00000001 00000000`00000800 00000000`00000002 : nt!KiSystemServiceCopyEnd+0x1a (TrapFrame @ ffffd000`215366d0)
ffffd000`21536868 fffff960`001a42d1 : ffffffff`00000001 00000000`00000800 00000000`00000002 00000000`00000001 : nt!KiServiceLinkage
ffffd000`21536870 fffff960`001953b6 : ffffe000`10f105a0 00000000`00000000 ffffd000`215369f9 00000000`00000224 : win32k!CTokenManager::ProcessTokens+0x119
ffffd000`21536960 fffff960`0019527f : 00000000`00000000 00000000`00000000 00000000`00000000 000000d5`4999f900 : win32k!CTokenManager::TokenThread+0xea
ffffd000`21536a60 fffff800`2a5d37b3 : ffffe000`10b21880 00000000`00000000 00000000`00000020 00000000`00000000 : win32k!NtTokenManagerThread+0xf7
ffffd000`21536b00 00007ffb`96880e4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`21536b00)
000000d5`4999f988 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`96880e4a
Code:
0: kd> .trap ffffd000`215364d0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=c7cc9aca2e690000
rdx=ffffe00010d909b0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8002a5d37ba rsp=ffffd00021536660 rbp=ffffd00021536750
r8=ffffe00010d909b0 r9=00000000000007ff r10=fffff8002a75ae80
r11=ffffd00021536650 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!KiSystemServiceCopyEnd+0x1a:
fffff800`2a5d37ba 00488b add byte ptr [rax-75h],cl ds:ffffffff`ffffff8d=??
^^ On the instruction we failed on, address
fffff800`2a5d37ba deferenced
rax where
rax is
0000000000000002. All of this would result in a memory write to the address
ffffffff`ffffff8d.
Code:
0: kd> !pte ffffffff`ffffff8d
VA ffffffffffffff8d
PXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF8 PTE at FFFFF6FFFFFFFFF8
contains 000000000139F063 contains 00000000013A0063 contains 0000000000ECF063 contains 0000000000000000
pfn 139f ---DA--KWEV pfn 13a0 ---DA--KWEV pfn ecf ---DA--KWEV not valid
Code:
0: kd> dd ffffffff`ffffff8d
ffffffff`ffffff8d ???????? ???????? ???????? ????????
ffffffff`ffffff9d ???????? ???????? ???????? ????????
ffffffff`ffffffad ???????? ???????? ???????? ????????
ffffffff`ffffffbd ???????? ???????? ???????? ????????
ffffffff`ffffffcd ???????? ???????? ???????? ????????
ffffffff`ffffffdd ???????? ???????? ???????? ????????
ffffffff`ffffffed ???????? ???????? ???????? ????????
ffffffff`fffffffd ???????? ???????? ???????? ????????
Right, so the code wanted to write to
ffffffff`ffffff8d which as we can see above is a completely invalid address. The 1st parameter and cr2 note we also fail writing to the same exact address.
1. Remove and replace McAfee with
Windows 8's built-in Windows Defender for temporary troubleshooting purposes as it may be causing conflicts:
McAfee removal - How to uninstall or reinstall supported McAfee products using the Consumer Products Removal tool (MCPR)
Windows Defender (how to turn on after removal) - Windows Defender - Turn On or Off in Windows 8
2. If the above fails, you likely have faulty RAM (or another form of hardware). Please run Memtest for NO LESS than ~8 passes (several hours):
Memtest86+:
Download Memtest86+ here:
Memtest86+ - Advanced Memory Diagnostic Tool
Which should I download?
You can either download the pre-compiled ISO that you would burn to a CD and then boot from the CD, or you can download the auto-installer for the USB key. What this will do is format your USB drive, make it a bootable device, and then install the necessary files. Both do the same job, it's just up to you which you choose, or which you have available (whether it's CD or USB).
Do note that some older generation motherboards do not support USB-based booting, therefore your only option is CD (or Floppy if you really wanted to).
How Memtest works:
Memtest86 writes a series of test patterns to most memory addresses, reads back the data written, and compares it for errors.
The default pass does 9 different tests, varying in access patterns and test data. A tenth test, bit fade, is selectable from the menu. It writes all memory with zeroes, then sleeps for 90 minutes before checking to see if bits have changed (perhaps because of refresh problems). This is repeated with all ones for a total time of 3 hours per pass.
Many chipsets can report RAM speeds and timings via SPD (Serial Presence Detect) or EPP (Enhanced Performance Profiles), and some even support changing the expected memory speed. If the expected memory speed is overclocked, Memtest86 can test that memory performance is error-free with these faster settings.
Some hardware is able to report the "PAT status" (PAT: enabled or PAT: disabled). This is a reference to Intel Performance acceleration technology; there may be BIOS settings which affect this aspect of memory timing.
This information, if available to the program, can be displayed via a menu option.
Any other questions, they can most likely be answered by reading this great guide here:
FAQ : please read before posting
Regards,
Patrick