[SOLVED] Unrepeatable BSOD, fixed few problems I think, more inside - Windows 8.1 x64

Xivinas

I am unable to run perfmon, as it gives me an error saying I'm not an administrator while I'm the only user account. If there is a way around this please notify me.

I am getting a few BSOD that I think are not all from the same problem source. They occur under load while playing video games within 8-60 minutes, or while at desktop downloading files.


OS - Windows 8.1 Pro 64-bit, clean install on 128GB Samsung 840 pro. Acquired through Dreamspark, installed by myself.
Age of hardware - 2 days as of this post
Age of OS installation - 2 days as of this post

CPU - Intel i5 4670K @ 3.4GHz, idle temperatures 28-30C
Video card - ATI AMD Radeon HD 7950 3GB - idle temperature 53C
Motherboard - MSI Z87 G45 Gaming
PSU - Corsair HX750 80PLUS Gold
RAM - G.Skill Ripjaws X F3-12800Cl9D-8GBXL 8GB 2X4GB DDR3-1600 CL9-9-9-24

Desktop

I have done some updates since the first minidump file such as update the bios, gpu driver, network driver, audio driver.
Driver verifier is currently running as of this posting.
 


Code:
BugCheck 1000007E, {ffffffffc0000005, fffff80073e58241, ffffd0007db064d8, ffffd0007db05ce0}

This bugcheck indicates a system thread generated an exception which tried to access memory that the CPU couldn't address.

Code:
EXCEPTION_RECORD:  ffffd0007db064d8 -- (.exr 0xffffd0007db064d8)
ExceptionAddress: fffff80073e58241 (bwcW8x64+0x000000000000c241)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

In this case it was your Killer Bandwidth Control Filter Driver.

Code:
0: kd> u fffff80073e58241
bwcW8x64+0xc241:
fffff800`73e58241 448a4006        mov     r8b,byte ptr [rax+6]
fffff800`73e58245 4484c5          test    bpl,r8b
fffff800`73e58248 0f85e1000000    jne     bwcW8x64+0xc32f (fffff800`73e5832f)
fffff800`73e5824e 8a500b          mov     dl,byte ptr [rax+0Bh]
fffff800`73e58251 0a500a          or      dl,byte ptr [rax+0Ah]
fffff800`73e58254 0a5009          or      dl,byte ptr [rax+9]
fffff800`73e58257 0a5008          or      dl,byte ptr [rax+8]
fffff800`73e5825a 0a5007          or      dl,byte ptr [rax+7]

We can see the mov instruction caused the exception.

Code:
0: kd> lmvm bwcw8x64
start             end                 module name
fffff800`73e4c000 fffff800`73fa1000   bwcW8x64 T (no symbols)
    Loaded symbol image file: bwcW8x64.sys
    Image path: bwcW8x64.sys
    Image name: bwcW8x64.sys
    Timestamp:        Wed Feb 13 17:25:48 2013 (511BCC9C)
    CheckSum:         0001741F
    ImageSize:        00155000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

It's quite outdated so I recommend updating it via device manager.
 
Which dump file is this referring to? I am attempting to update the driver now. The one I had updated with last was the one on the MSI motherboard website.

I just ran memtest with no errors. Driver Verifier is still running in the background.

edit// Just updated the driver from the Qualcomm website.
 
Update: Ever since I updated the network driver I haven't had a bluescreen until now. I think it has something to do with DirectX. The blue screen error was a system service exception of dxgmms1.sys. The dump file is attached. Should I reinstall the graphics driver again?
 


If it ain't broke, don't fix it.
Post back how everything goes.
 
Just had another bsod, error code DRIVER_IRQL_NOT_LESS_OR_EQUAL (tcpip.sys)

I don't have a dump file for this one.

edit: Also, when I updated the network driver, the version on the Qualcomm website is 1.1.38.1281, which I currently have installed. The previous version I had was from the MSI motherboard website for the Z87 G45 I have, version 1.1.42.1045.
 
Okay, this one is very similar but a different cause.

Code:
BugCheck 1000007E, {ffffffffc0000005, fffff8000939ddbb, ffffd000321c5128, ffffd000321c4930}

As you can see, another access violation, so let's look at the details of it.

Code:
EXCEPTION_RECORD:  ffffd000321c5128 -- (.exr 0xffffd000321c5128)
ExceptionAddress: fffff8000939ddbb (atikmdag+0x00000000000c7dbb)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000000000006a8
Attempt to read from address 00000000000006a8

The address trying to be read is invalid as this is reserved system memory for user mode space on boot up.
I believe the first accessible memory address is 0x10000, if I'm wrong it's something similar.

Let's do a bit of disassembling.
Code:
2: kd> u fffff8000939ddbb
atikmdag+0xc7dbb:
fffff800`0939ddbb 488b83a8060000  mov     rax,qword ptr [rbx+6A8h]
fffff800`0939ddc2 4883c420        add     rsp,20h
fffff800`0939ddc6 5b              pop     rbx
fffff800`0939ddc7 c3              ret
fffff800`0939ddc8 cc              int     3
fffff800`0939ddc9 cc              int     3
fffff800`0939ddca cc              int     3
fffff800`0939ddcb cc              int     3

So the failing instruction was a movement instruction to move CPU register information from place to place.
Let's look at the registers at the time of the access violation.

Code:
CONTEXT:  ffffd000321c4930 -- (.cxr 0xffffd000321c4930;r)
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000080000 rdi=0000000000000002
rip=fffff8000939ddbb rsp=ffffd000321c5360 rbp=ffffe0002f25c960
 r8=0000000000000002  r9=000000f417dc0000 r10=0000000000000000
r11=fffff80008af5587 r12=ffffe00030df2040 r13=ffffe0002f40db80
r14=ffffe00032149010 r15=fffff800092d6000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
atikmdag+0xc7dbb:
fffff800`0939ddbb 488b83a8060000  mov     rax,qword ptr [rbx+6A8h] ds:002b:00000000`000006a8=????????????????

There's the faulting instruction, the rbx register is zeroed out which isn't good, although it might be due to the minidump not recording the information.

Code:
2: kd> lmvm atikmdag
start             end                 module name
fffff800`092d6000 fffff800`0a1e6000   atikmdag T (no symbols)
    Loaded symbol image file: atikmdag.sys
    Image path: atikmdag.sys
    Image name: atikmdag.sys
    Timestamp:        Fri Apr 18 03:13:16 2014 (53508A3C)
    CheckSum:         00EAEEE6
    ImageSize:        00F10000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

The latest drivers have caused a couple of issues, try rolling back a bit.
Late 2013 is probably the best option although I've never used an AMD card so I can't say what versions are stable, I am thinking of switching as Nvidia is giving me nothing but problems.

Let me know how everything goes :)
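
The check made by hand in the post above, as an added example that is not part of the original thread: it recomputes the effective address of the faulting operand from the register dump and compares it with the address in the exception record. The sample text is constructed from the lines quoted above, the function names are hypothetical, and the 0x10000 boundary is the figure given in the post.

```python
import re

# Constructed sample: debugger lines quoted in the post above, color tags removed.
SAMPLE = """\
   ExceptionCode: c0000005 (Access violation)
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000000000006a8
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
fffff800`0939ddbb 488b83a8060000  mov     rax,qword ptr [rbx+6A8h]
"""

ACCESS = {0: "read", 1: "write", 8: "execute"}  # Parameter[0] of c0000005
MASK64 = (1 << 64) - 1


def classify(addr):
    """Bucket a faulting x64 virtual address (48-bit canonical layout)."""
    if addr == MASK64:
        return "no address reported (-1)"   # as in the bwcW8x64 dump
    if addr < 0x10000:                       # boundary as given in the post
        return "null-pointer region"
    if addr <= 0x00007FFFFFFFFFFF:
        return "user space"
    if addr >= 0xFFFF800000000000:
        return "kernel space"
    return "non-canonical"


def triage(text):
    """Tie the exception record to the faulting operand and register dump."""
    params = {int(i): int(v, 16)
              for i, v in re.findall(r"Parameter\[(\d)\]:\s*([0-9a-f]+)", text)}
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(r[a-z0-9]{1,3})=([0-9a-f]{16})", text)}
    result = {"access": ACCESS.get(params[0], "unknown"),
              "address": params[1],
              "region": classify(params[1])}
    op = re.search(r"\[(r\w+)\+([0-9A-Fa-f]+)h?\]", text)  # [base+disp]
    if op and op.group(1) in regs:
        base, disp = regs[op.group(1)], int(op.group(2), 16)
        result["effective"] = (base + disp) & MASK64
        result["matches_record"] = result["effective"] == params[1]
        result["null_base"] = base == 0
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value:#x}" if isinstance(value, int)
              and not isinstance(value, bool) else f"{key}: {value}")
```

A zero base register plus a small displacement that equals the recorded address points to a structure field read through a NULL pointer inside the driver.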
 
Hi Jared thanks for the quick reply.
Okay so when I download the latest driver from AMD with the catalyst control centre etc, it gives me a driver version 14.100.0.0. I was just using that one when I had the error you replied about just now.
Windows update wanted me to update it, so I did and it gave me a driver version 13.251.9001.0. Now tell me if I'm wrong, but logically that tells me it's an older driver version. I'll stick with it for now to see what happens though.

Regarding the network driver before, I switched back to the one provided on the MSI motherboard website. If I have issues with it I'll switch back to the one provided on the Qualcomm website I guess.
 
I rolled back the gpu driver to 13.251.0.0 from 13/6/2013 and that seems to be more stable during games and video. If someone could analyze this dump file it would be greatly appreciated. My guess is it's network driver this time but I'd like to confirm.
 


Code:
BugCheck F7, {8f05c6bbaac49, f05c6bbaac49, ffff0fa3944553b6, 0}

This bugcheck indicates a driver stack buffer overflow, which is mainly caused by malicious code trying to corrupt the system.
So how does it do this?

Well, it overwrites a function's return address (which, when the function returns, the code in the return address will be executed) on the call stack in order to execute malicious code located in the return address.

Now I'm not too familiar with this, but the first and second parameters are buffer security checks. The second parameter is the address that should have been returned, and the first parameter is the actual address being returned to.

Notice the flipped bit?
Doesn't really sound like a malicious attack to be honest, but rather a driver causing a problem.

Code:
0xF7_ONE_BIT

I believe this means a flipped bit, which looks like it has happened.

I can't find anything on the raw stack apart from an I/O completion which could mean anything.




Can you update your network driver?

We might need to enable Driver Verifier.


What is Driver Verifier?

Driver Verifier is a driver monitoring program built into Windows from Windows 2000 and later.
Depending on the settings, Driver Verifier stresses the drivers selected and tries to force them to crash, which causes a BSOD.


How to enable Driver Verifier:

Go to Start
Type in verifier.exe
Click on Create custom settings (for code developers)
Select Standard settings and IRP Logging
Then hit next
Click Select driver names from a list
Select all drivers not created by Microsoft, Macrovision or Unknown
Finally click finish then reboot your computer


What happens if it finds something?

When Driver Verifier finds a violation with a driver it bugchecks the system hopefully with the driver responsible identified.


How long should I run it for?

Normally around 24 hours, if it finds nothing by then chances are it's not a driver issue.


Do I need to do anything in particular when running Driver Verifier?

No, just do what you normally do when the system crashes to help maximize the chances of a crash.
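
The "flipped bit" comparison from the 0xF7 analysis above, as an added example that is not part of the original thread: it parses the BugCheck line, XORs the first two parameters to list the differing bit positions, and checks the third parameter against the bit-complement of the second. The function names are hypothetical and the input line is constructed from the one quoted in the post.

```python
import re

# Constructed from the BugCheck line quoted in the post (color tags removed).
LINE = "BugCheck F7, {8f05c6bbaac49, f05c6bbaac49, ffff0fa3944553b6, 0}"

MASK64 = (1 << 64) - 1


def parse_bugcheck(line):
    """Return (code, [arg1..arg4]) from a WinDbg 'BugCheck X, {...}' line."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", line)
    if not m:
        raise ValueError("not a BugCheck line")
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]


def compare_f7_values(line):
    """Compare the 'actual' and 'expected' values of a 0xF7 bugcheck.

    Microsoft's bug check 0xF7 reference describes parameters 1-3 as the
    actual security cookie found on the stack, the expected cookie, and the
    bit-complement of the expected cookie.
    """
    code, args = parse_bugcheck(line)
    if code != 0xF7 or len(args) < 3:
        raise ValueError("expected a 0xF7 bugcheck with at least 3 parameters")
    actual, expected, complement = args[:3]
    diff = actual ^ expected
    flipped = [bit for bit in range(64) if (diff >> bit) & 1]
    return {
        "flipped_bits": flipped,
        "single_bit": len(flipped) == 1,   # consistent with 0xF7_ONE_BIT
        "complement_ok": complement == (~expected & MASK64),
    }


if __name__ == "__main__":
    print(compare_f7_values(LINE))
```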
 
Your Killer Bandwidth control filter driver is causing issues, it's also up to date, it might be infected.

Code:
*** WARNING: Unable to verify timestamp for bwcW8x64.sys
*** ERROR: Module load completed but symbols could not be loaded for bwcW8x64.sys
Probably caused by : bwcW8x64.sys ( bwcW8x64+3492 )

Code:
BugCheck 139, {3, ffffd001ab37d860, ffffd001ab37d7b8, 0}

It's still the same Kernel memory check regarding stack buffer overruns.

Can you run virus scans using your scanner and Kaspersky's TDSSKiller, to find any rootkits?

Anti-rootkit utility TDSSKiller
 
Even though Driver Verifier was running during those bluescreens there might be a problem still? I'm currently running scans and the Kaspersky TDSSKiller.

I was about to go buy an intel ethernet card to bypass this problem.

Edit: All scans came clean. Windows defender, malwarebytes, and the rootkitkiller.
 
Uninstalled the Killer e2200, installed a new Intel ethernet card. Went all day today without a crash until tonight. I'm not sure where the issue is with this one. Maybe the video driver? Please take a look.
 


Actually after looking into that dump file, it doesn't seem to give me a specific driver or piece of hardware at fault. Just "IMAGE_NAME: hardware". Any idea what to do?
 
Code:
2: kd> lmvm e1q63x64; lmvm NTIOLib_X64
start             end                 module name
fffff801`ab400000 fffff801`ab474000   e1q63x64   (deferred)
    Image path: e1q63x64.sys
    Image name: e1q63x64.sys
    Timestamp:        Wed Mar 27 17:12:50 2013 (51532892)
    CheckSum:         0007F55D
    ImageSize:        00074000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
start             end                 module name
fffff801`ad2db000 fffff801`ad2e2000   NTIOLib_X64   (deferred)
    Image path: NTIOLib_X64.sys
    Image name: NTIOLib_X64.sys
    Timestamp:        Fri Oct 26 02:46:44 2012 (5089EB84)
    CheckSum:         0000F468
    ImageSize:        00007000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

I went through and checked your loaded driver modules. The first driver is related to your Intel network card, and I would suggest you update the driver if possible. Secondly, NTIOLib_X64.sys belongs to MSI Afterburner, which is known to cause problems with Windows. I would suggest removing this program, at least for testing purposes.

A Stop 0x139 doesn't necessarily mean malware or rootkits, it can just be poor programming on the developer's behalf.
 
I'll try and find an update for the Intel network card that wasn't automatically found by Windows Update. Regarding MSI Afterburner... I've never used it on the computer? I'm trying to find it but can't.
 
Removed "VGA Boost" which is only usable with an MSI gpu, which I don't have. That's the only thing I could find that would be related to the NTIOLib_X64.sys.

I've updated the Intel network card from their website. The driver version didn't appear to change though (12.7.27.0).
 
