Code:
3: kd> .bugcheck
Bugcheck code 1000007E
Arguments ffffffff`c0000005 fffff801`5d776967 ffffd000`349df608 ffffd000`349dee10
Bug check 0x7E is SYSTEM_THREAD_EXCEPTION_NOT_HANDLED. The first argument, c0000005, is the exception code (STATUS_ACCESS_VIOLATION); the second is the address of the faulting instruction; the third and fourth are the exception record and context record, which is why they are fed to .exr and .cxr below.
Code:
3: kd> .exr ffffd000349df608
ExceptionAddress: fffff8015d776967 (WppRecorder!WppAutoLogTrace+0x000000000000011f)
ExceptionCode: c0000005 (Access violation)
As you can see, the violation occurred in WppRecorder!WppAutoLogTrace+0x11f.
WppRecorder is the kernel's WPP (Windows software trace preprocessor) auto-log recorder, the in-flight trace buffer that drivers such as HIDCLASS log into. See more here -
https://msdn.microsoft.com/en-us/li...204(v=vs.85).aspx?f=255&MSPPError=-2147217396
Code:
3: kd> .cxr ffffd000349dee10
rax=0000000000000000 rbx=fffff80120931640 rcx=000000000000524c
rdx=00000000001a67c0 rsi=0000000000000008 rdi=fffff8015e9da5a0
rip=fffff8015d776967 rsp=ffffd000349df840 rbp=0000000000000000
r8=0000000000000004 r9=00000000001a67f0 r10=0000000000000030
r11=fffff801209316c0 r12=0000000000000004 r13=ffffe0005c5f9850
r14=0000000000000000 r15=ffffe0005c241010
iopl=0 nv up ei pl zr ac po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010256
WppRecorder!WppAutoLogTrace+0x11f:
fffff801`5d776967 66894208 mov word ptr [rdx+8],ax ds:002b:00000000`001a67c8=????
It faulted trying to store ax, the low 16 bits of rax, at [rdx+8]. rdx is 00000000`001a67c0, a low user-mode address, but this is a system worker thread with no user address space of its own, so the target page (001a67c8, shown as ????) is not mapped.
Code:
3: kd> !pte ax
VA 0000000000000000
PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000000 PTE at FFFFF68000000000
contains 02500000005B7867 contains 0000000000000000
GetUlongFromAddress: unable to read from fffff801209df10c
pfn 5b7 ---DA--UWEV not valid
Code:
3: kd> !pte rdx
VA 00000000001a67c0
PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000000 PTE at FFFFF68000000D30
contains 02500000005B7867 contains 0000000000000000
pfn 5b7 ---DA--UWEV not valid
Neither is valid: the PTE for both addresses contains zero, so the page is simply not mapped.
Code:
3: kd> knL
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP RetAddr Call Site
00 ffffd000`349df840 fffff801`5e9d079e WppRecorder!WppAutoLogTrace+0x11f // We go off the rails here starting the trace
01 ffffd000`349df8a0 fffff801`5e9cf539 HIDCLASS!WPP_RECORDER_SF_qqL+0xce
02 ffffd000`349df910 fffff801`5e9cc27c HIDCLASS!HidpIrpMajorDeviceControl+0xa9
03 ffffd000`349df9a0 fffff801`5d8651ca HIDCLASS!HidpMajorHandler+0x27c
04 ffffd000`349dfa30 fffff801`5d865760 pdc!PdcSystemButtonHandler+0x35e
05 ffffd000`349dfa70 fffff801`5d857269 pdc!PdcpPolicyWorkerMain+0x24
06 ffffd000`349dfaa0 fffff801`207296bc pdc!PdcpPolicyWorkerThread+0x69 // pdc is the Power Dependency Coordinator; its policy worker is dispatching a system (power) button event
07 ffffd000`349dfad0 fffff801`2077c36c nt!ExpWorkerThread+0x28c // It's a system worker thread
08 ffffd000`349dfb80 fffff801`207d32c6 nt!PspSystemThreadStartup+0x58
09 ffffd000`349dfbe0 00000000`00000000 nt!KiStartSystemThread+0x16 // Starting a system thread
Probably a 3rd party kernel-mode driver messing up the trace, or causing a problem with it. I think it may be AVG, but let's enable verifier to be sure.
Driver Verifier:
What is Driver Verifier?
Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.
Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.
Before enabling Driver Verifier, it is recommended to create a System Restore Point:
Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 -
Restore Point - Create in Windows 8
How to enable Driver Verifier:
Start > type "verifier" without the quotes > Select the following options -
1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (only on Windows 7 & 8/8.1)
- DDI compliance checking (only on Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.
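The command-line equivalent of steps 1-8, as an added example that is not part of the original post. It assumes the documented verifier /flags bit values listed in the script, that a driver file's VersionInfo.CompanyName is what the GUI's "Provider" column displays (so "not Microsoft" is decided on that field), and an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumptions: the /flags bit values
# below match the Driver Verifier documentation, and a driver's
# VersionInfo.CompanyName is the "Provider" the GUI sorts on.

# Bit values for the options checked in step 3 (verifier /flags).
$flagBits = @{
    'Special Pool'            = 0x00001
    'Force IRQL Checking'     = 0x00002
    'Pool Tracking'           = 0x00008
    'Deadlock Detection'      = 0x00020
    'Security Checks'         = 0x00100   # Windows 7 and later
    'Miscellaneous Checks'    = 0x00800
    'DDI compliance checking' = 0x20000   # Windows 8/8.1 only
}
if ([Environment]::OSVersion.Version -lt [Version]'6.2') {
    $flagBits.Remove('DDI compliance checking')   # not available before Windows 8
}
$flags = 0
foreach ($bit in $flagBits.Values) { $flags = $flags -bor $bit }
$flagsHex = '0x{0:X}' -f $flags                   # 0x2092B with every option on

# Resolve each installed driver's on-disk path and read its Provider (CompanyName).
$drivers = foreach ($d in Get-CimInstance Win32_SystemDriver) {
    if (-not $d.PathName) { continue }
    $path = $d.PathName -replace '^\\\?\?\\', ''                # \??\C:\...       -> C:\...
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\...  -> C:\Windows\...
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }
    [pscustomobject]@{
        Name     = [IO.Path]::GetFileName($path)
        Provider = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
    }
}

# Step 6: every driver whose Provider is not Microsoft. A blank Provider is kept
# on purpose; an unstamped driver is exactly the kind you want verified.
$thirdParty = $drivers | Where-Object { $_.Provider -notmatch 'Microsoft' } |
              Sort-Object Name -Unique

if (-not $thirdParty) { Write-Warning 'No non-Microsoft drivers found; nothing to verify.'; return }

$thirdParty | Format-Table Name, Provider -AutoSize

# Steps 7-8: apply and reboot. verifier.exe takes the driver names space-separated;
# PowerShell expands the array into separate arguments. Settings apply after reboot.
& verifier.exe /flags $flagsHex /driver $thirdParty.Name
Restart-Computer -Confirm

# Later:  verifier /querysettings   shows what is active
#         verifier /reset           turns it off (the same command used from Safe Mode)
```

Run "verifier /querysettings" after the reboot to confirm the flag value and driver list took effect; "verifier /reset" undoes everything, which is the same command the Safe Mode recovery steps below rely on.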
Important information regarding Driver Verifier:
- Perhaps the most important point, which I will now clarify as it has often been misunderstood: enabling Driver Verifier by itself is not a solution, but a diagnostic utility. It will tell us if a driver is causing your issues, but it will not outright solve them.
- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested: what Driver Verifier actually does is look for any driver making illegal function calls, causing memory leaks, etc. If this is allowed to continue, system corruption occurs. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way), and when it catches a driver attempting to do this, it quickly flags that driver as the troublemaker and brings down the system safely before any corruption can occur.
- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.
If this happens, do not panic, do the following:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > Search > type "cmd" without the quotes.
- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
- Restart and boot into normal Windows.
If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > type "system restore" without the quotes.
- Choose the restore point you created earlier.
-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods:
5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1
How long should I keep Driver Verifier enabled for?
I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.
My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?
- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.
- If you have the system set to generate Kernel Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.
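A quick way to check which of the two applies on a given machine, added here as an example and not part of the original post: read the CrashControl registry values that back the Startup and Recovery dialog, then list whatever dumps already exist at the locations named above. The fallback paths assume the Windows defaults when the values are unset.

```powershell
# Added example, not from the original post: report the configured dump type and
# list existing dumps. CrashControl values are REG_EXPAND_SZ, so they are expanded.
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

$kind = switch ([int]$cc.CrashDumpEnabled) {
    0       { 'None' }
    1       { 'Complete memory dump' }
    2       { 'Kernel memory dump' }
    3       { 'Small memory dump (Minidump)' }
    7       { 'Automatic memory dump' }
    default { "Unknown ($_)" }
}
"CrashDumpEnabled = {0}  ({1})" -f $cc.CrashDumpEnabled, $kind

# Defaults assumed when the values are missing: %SystemRoot%\MEMORY.DMP and %SystemRoot%\Minidump.
$dumpFile = if ($cc.DumpFile)    { [Environment]::ExpandEnvironmentVariables($cc.DumpFile) }    else { Join-Path $env:SystemRoot 'MEMORY.DMP' }
$miniDir  = if ($cc.MinidumpDir) { [Environment]::ExpandEnvironmentVariables($cc.MinidumpDir) } else { Join-Path $env:SystemRoot 'Minidump' }

# Newest first, so the dump from the most recent Verifier-triggered BSOD is at the top.
Get-ChildItem -Path $dumpFile, (Join-Path $miniDir '*.dmp') -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }, FullName -AutoSize
```

If CrashDumpEnabled reports None, no dump will be written on the next crash, so fix that before waiting the 24 hours with Verifier enabled.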
Any other questions can most likely be answered by this article:
http://support.microsoft.com/kb/244617