SFCFix - Some corruptions could not be fixed automatically

[ryanjn]

Hello everyone. Long story short is I've been having random BSOD's in Windows 8.1 x64. I've swapped out memory and gpu, updated bios and any drivers I could get my hands on. I finally gave sfc a shot, which found files it could not repair, which lead me to SFCFix, and now here.

I've attached the SFCFix.txt file, along with the 4 most recent minidumps produced by the crashes.

Any suggestions would be welcomed.

Thank you in advance!

 

[Go The Power]

Hello ryanjn and welcome to the forum :)

I will be able to assist in fixing these corrupt files, but wont be much help for the BSOD issue. For the BSOD issue please follow the instructions here:
https://www.sysnative.com/forums/bs...ctions-windows-8-1-8-7-and-windows-vista.html

---

Lets fix up these files :)

CORRUPT: C:\windows\winsxs\amd64_microsoft-windows-font-truetype-yumin_31bf3856ad364e35_6.3.9600.16384_none_aede1a913e7066fd\yumindb.ttf
CORRUPT: C:\windows\winsxs\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_6.3.9600.16384_none_bb5fe32324e277e4\mip.exe

SFCFix Script

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

1. Download SFCFix.exe (by niemiro) and save this to your Desktop.
2. Download SFCFix.zip, and save this to your Desktop. Ensure that this file is named SFCFix.zip - do not rename it.
3. Save any open documents and close all open windows.
4. On your Desktop, you should see two files: SFCFix.exe and SFCFix.zip.
5. Drag the file SFCFix.zip onto the file SFCFix.exe and release it.
6. SFCFix will now process the script.
7. Upon completion, a file should be created on your Desktop: SFCFix.txt.
8. Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this file into your next post for me to analyse please - put [CODE][/CODE] tags around the log to break up the text.

SFC /SCANNOW

1. Right click on the
   
   button
2. Click on Command prompt (Admin) => Press Yes on the prompt
3. Inside the Command Prompt windows copy and paste the following command SFC /SCANNOW
4. Please wait for this to Finish before continuing with rest of the steps.

Convert CBS.log to CBS.txt

1. Right click on the
   
   button
2. Click on Run => Inside the run box copy and paste the following command:
   

   cmd /c copy %windir%\logs\cbs\cbs.log "%userprofile%\Desktop\cbs.txt"

3. Press Enter
4. Once this has completed please go to your Desktop and you will find CBS.txt => Please upload CBS.txt to this thread

Please Note:: if the file is too big to upload to you next post please upload via Dropbox or ge.tt

 

[Jared]

I actually forgot about this thread, I subscribed to it but I missed it.
I'll take a look at the BSODs shortly.

 

[Go The Power]

Thanks Jared :)

 

[Jared]

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: [COLOR="#FF0000"][B]0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).[/B][/COLOR]
Arg2: fffff80098899960, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffff800988998b8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

This is one of the most difficult types of 0x139 as it indicates a linked list has become corrupted, the reason for this being difficult is that the list doesn't necessarily become corrupt and bugcheck straight away.
Lets first take a look at the callstack.

fffff800`98899638 fffff800`96d6bae9 : 00000000`00000139 00000000`00000003 fffff800`98899960 fffff800`988998b8 : [COLOR="#0000FF"]nt!KeBugCheckEx[/COLOR]
fffff800`98899640 fffff800`96d6be10 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : [COLOR="#0000FF"]nt!KiBugCheckDispatch+0x69[/COLOR]
fffff800`98899780 fffff800`96d6b034 : fffffff6`00000004 00000001`ffffffff 00000008`00000005 00000000`95901080 : [COLOR="#0000FF"]nt!KiFastFailDispatch+0xd0[/COLOR]
fffff800`98899960 fffff800`96d82205 : 00000000`00000018 00000000`00da7a64 ffffe000`d7a1b330 ffffe000`00000002 : [COLOR="#FF8C00"]nt!KiRaiseSecurityCheckFailure+0xf4[/COLOR]
fffff800`98899af0 fffff800`96d63aea : fffff800`96ef2180 fffff800`96ef2180 fffff800`96f59a00 ffffe000`d8072080 : [COLOR="#FF0000"]nt! ?? ::FNODOBFM::`string'+0x11d55[/COLOR]
fffff800`98899da0 00000000`00000000 : fffff800`9889a000 fffff800`98894000 00000000`00000000 00000000`00000000 : [COLOR="#800080"]nt!KiIdleLoop+0x5a[/COLOR]

Not much happening, given it's a minidump there isn't much information saved, the CPU is idle in a loop waiting for instructions, it receives something which raises a Kernel security check failure and inevitably the bugcheck.

0: kd> [COLOR="#008000"].exr 0xfffff800988998b8[/COLOR]
ExceptionAddress: fffff80096d82205 (nt! ?? ::FNODOBFM::`string'+0x0000000000011d55)
   ExceptionCode: [COLOR="#FF0000"]c0000409[/COLOR] (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000003

Here we can see the type of error which appears to be a security check failure as stated before a linked list data structure has been corrupted.

0: kd> [COLOR="#008000"].trap 0xfffff80098899960[/COLOR]
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe000d6f3e500 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff80096eaf200 rsi=0000000000000000 rdi=0000000000000000
rip=[COLOR="#FF0000"]fffff80096d82205[/COLOR] rsp=fffff80098899af0 rbp=fffff80098899bf0
 r8=0000000000000008  r9=fffff80096c0c000 r10=000000000000000f
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
nt! ?? ::FNODOBFM::`string'+0x11d55:
[COLOR="#FF0000"]fffff800`96d82205[/COLOR] cd29           [COLOR="#FF8C00"][B]int[/B][/COLOR]      29h

This shows us that a software interrupt occurred as indicated by int.

As stated before, it's a minidump so there's only so much we can see.
This bugcheck occurs again with a very similar situation.

Could we have a Kernel memory dump?

Go the Start
Right click My Computer
Select Properties
Click Advanced system settings
Click on the Advanced tab
Select Settings under Startup and Recovery
Then under Write debugging information select Kernel memory dump.

Once a dump is created go to:

C:/Windows/memory.dmp

Copy the file to the desktop, zip it up and upload it to a file sharing site like Onedrive. After the upload is done post the download link in your next reply.

---

Here we have a system service exception.

BugCheck 3B, {[COLOR="#FF0000"]c0000005[/COLOR], [COLOR="#800080"]fffff800983097d0[/COLOR], [COLOR="#008000"]ffffd0013013c650[/COLOR], 0}

An exception (more specifically an access violation) occurred during a system service routine.

ffffd001`3013d080 ffffe000`b30ec440 : ffffd001`3013d1b0 ffffd001`3013da90 00000000`00000000 ffffd001`3013d388 : [COLOR="#FF0000"]atikmdag+0x227d0[/COLOR]
ffffd001`3013d088 ffffd001`3013d1b0 : ffffd001`3013da90 00000000`00000000 ffffd001`3013d388 fffff800`98308cf6 : 0xffffe000`b30ec440
ffffd001`3013d090 ffffd001`3013da90 : 00000000`00000000 ffffd001`3013d388 fffff800`98308cf6 00000000`00000028 : 0xffffd001`3013d1b0
ffffd001`3013d098 00000000`00000000 : ffffd001`3013d388 fffff800`98308cf6 00000000`00000028 ffffd001`3013dabc : 0xffffd001`3013da90

3: kd> [COLOR="#008000"].cxr 0xffffd0013013c650;r[/COLOR]
rax=0000000000000001 rbx=ffffe000b30ec440 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000000000001 rdi=ffffd0013013da80
rip=fffff800983097d0 rsp=ffffd0013013d080 rbp=ffffd0013013d1b0
 r8=ffffc0005133c000  r9=0000000000000001 r10=0000000000000000
r11=fffff800984b44d3 r12=ffffd0013013da90 r13=ffffd0013013da80
r14=ffffd0013013d388 r15=ffffe000b30ec440
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
atikmdag+0x227d0:
fffff800`983097d0 488b01          [COLOR="#800080"]mov[/COLOR]     [COLOR="#800080"]rax[/COLOR],qword ptr [[COLOR="#FF0000"]rcx[/COLOR]] ds:002b:00000000`00000000=????????????????

A pointer stored in rax was dereferenced which resulted in a move instruction to try and store it inside the rcx register, this register is invalid so it called the bugcheck.

atikmdag is the AMD graphics driver, I suggest you try rolling back or updating this driver which should resolve that issue.

---

The last dump file indicates a system thread exception was not handled by the trap handlers, it was probably unexpected which is why it couldn't catch it.

2: kd> [COLOR="#008000"].exr 0xffffd001b2e7f4f8[/COLOR]
ExceptionAddress: fffff802ccefa025 (nt!MiEmptyPageAccessLog+0x0000000000000225)
   [COLOR="#FF0000"]ExceptionCode: c0000005 (Access violation)[/COLOR]
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
[B][COLOR="#FF0000"]Attempt to read from address ffffffffffffffff[/COLOR][/B]

Again it attempted to read from an invalid address...

rax=ffffe00205487ef8 rbx=0000000007594000 rcx=0000000000000100
rdx=0000000000000000 rsi=ffffe00205487dc0 rdi=0000000000000400
rip=fffff802ccefa025 rsp=ffffd001b2e7f730 rbp=0000000000000000
 r8=ffffe00200756900  r9=ffffe00200756900 r10=0000000000000002
r11=ffffe00200715000 r12=ffffe00205487048 [COLOR="#FF0000"]r13=ff362c22ff362c22[/COLOR]
r14=fffff6800017dd80 r15=0000000000000020
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
nt!MiEmptyPageAccessLog+0x225:
fffff802`ccefa025 418b4d38        [COLOR="#800080"]mov[/COLOR]     [COLOR="#800080"]ecx[/COLOR],dword ptr [[COLOR="#FF0000"]r13+38h[/COLOR]] ds:002b:[COLOR="#FF0000"]ff362c22`ff362c5a[/COLOR]=????????

So a pointer was moved from ecx to r13+38 which resulted in the pointer being stored in ff362c22`ff362c5a

So why did it fail?

2: kd> [COLOR="#008000"]!pte ff362c22`ff362c5a[/COLOR]
                                           VA ff362c22ff362c5a
PXE at FFFFF6FB7DBED2C0    PPE at FFFFF6FB7DA58458    PDE at FFFFF6FB4B08BFC8    PTE at FFFFF696117F9B10
Unable to get PXE FFFFF6FB7DBED2C0
[COLOR="#FF0000"]WARNING: noncanonical VA, accesses will fault ![/COLOR]

Here's our problem, anything trying to access it will fail and cause a bugcheck.

It's not very helpful in the cause so it could be lots of things.

But then again, looking at the loaded modules, there's always the Anti Virus to consider.

2: kd> [COLOR="#008000"]lm vm eng64[/COLOR]
start             end                 module name
fffff800`b4c00000 fffff800`b4c22000   ENG64      (deferred)             
    Image path: \??\C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20140808.003\ENG64.SYS
    Image name: ENG64.SYS
    Timestamp:        [COLOR="#FF0000"]Thu Aug 22 21:38:20 2013[/COLOR] (521676BC)
    CheckSum:         00020BBA
    ImageSize:        00022000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

It's old and still running so Norton may well be the cause of this, it's very problematic anyway as it seems to be the worst AV out there.

I recommend you remove it and replace it with Microsoft Security Essentials, I can't make a final judgement on the cause without a Kernel dump but it seems likely that this is the cause.

Microsoft Security Essentials - Microsoft Windows

Go The Power will sort out your SFC issues so I'll leave you in good hands, if you still get BSODs post them as I will keep watching over this thread.