What was the PC doing when it crashed?
Is it anything in particular?
I'm having a mixed opinion about these crashes to be honest.
Code:
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: fffff8a00b2226a0, The pool entry we were looking for within the page.
Arg3: fffff8a00b2227d0, The next pool entry.
Arg4: 0000000005130315, (reserved)
Essentially, something has corrupted a pool block header causing an inconsistency within a linked list.
So let's look at the actual pool that is having problems.
Code:
0: kd> !pool fffff8a00b2227d0
Pool page fffff8a00b2227d0 region is Paged pool
fffff8a00b222000 size: 430 previous size: 0 (Allocated) AvN
fffff8a00b222430 size: 90 previous size: 430 (Allocated) CMNb (Protected)
fffff8a00b2224c0 size: 90 previous size: 90 (Allocated) IoNm
fffff8a00b222550 size: 150 previous size: 90 (Allocated) FMfn
fffff8a00b2226a0 size: 130 previous size: 150 (Free ) FMfn
I would say from the looks of it, a filter driver is corrupting the pool. Given that the NAME_CACHE_NODE structure appears to be corrupted, I would say this looks more like a software issue.
Code:
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff960001935a3, Address of the instruction which caused the bugcheck
Arg3: fffff88005b67fe0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
So we have a system service exception, this was caused by an access violation.
The question is why? Well, let's take a look.
Code:
fffff880`05b689c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : win32k!AllocQueue+0x113
Well... This isn't helpful at all, all we have is a Windows subsystem Kernel device driver allocating a queue of some kind.
Any other ideas? Actually, the "Probably caused by" states it's a hardware error, I never normally listen to this, although I can see why...
Code:
FAILURE_BUCKET_ID: X64_IP_MISALIGNED
An instruction pointer misalignment, I won't go into detail about this as I actually made a blog on this here:
Instruction pointer misalignments | bsoddebugging
Basically I wrote that the CPU handles memory in multiples of 4 bytes; when the pointer isn't aligned with memory it can write to the 3rd byte or 5th byte, which causes a bus error.
Hence why this is usually a RAM failure.
Code:
fffff880`046d4e08 fffff800`02b458b8 : 00000000`000000fc fffff8a0`02158dc8 ee900000`67407963 fffff880`046d4f70 : nt!KeBugCheckEx
fffff880`046d4e10 fffff800`02ac5cee : 00000000`00000008 fffff8a0`02158dc8 fffffa80`04b4c600 fffff880`03c18ab0 : nt! ?? ::FNODOBFM::`string'+0x44dfc
fffff880`046d4f70 fffff8a0`02158dc8 : fffff880`03c24613 fffffa80`03d479c0 fffffa80`03cbb000 fffff8a0`02158b00 : nt!KiPageFault+0x16e
fffff880`046d5108 fffff880`03c24613 : fffffa80`03d479c0 fffffa80`03cbb000 fffff8a0`02158b00 fffff880`046d5200 : 0xfffff8a0`02158dc8
fffff880`046d5110 fffff880`03c23d5e : fffff8a0`02158d00 fffff880`046d5250 fffff8a0`02158b20 00000000`00000000 : rdbss!RxCloseAssociatedSrvOpen+0x223
fffff880`046d5170 fffff880`03c04684 : fffffa80`03d479c0 fffff880`046d5200 fffff8a0`02158b20 fffff8a0`02158ec0 : rdbss!RxCommonClose+0x4de
fffff880`046d5210 fffff880`03c21b44 : fffffa80`03ea6410 fffffa80`03cbb002 00000000`039ba010 fffff880`0115f2ec : rdbss!RxFsdCommonDispatch+0x870
fffff880`046d5300 fffff880`03ed3ade : fffffa80`03ea6528 fffffa80`039ba010 fffffa80`04b45d10 fffffa80`03cbb030 : rdbss!RxFsdDispatch+0x224
fffff880`046d5370 fffff880`03e9f563 : 00000000`00000000 fffffa80`039b96b0 fffffa80`03ea6528 00000000`00000001 : csc!CscFsdDispatch+0x2ee
fffff880`046d53f0 fffff880`017e5c40 : fffffa80`0502ebc0 fffffa80`039b9600 00000000`00000101 00000000`00000001 : csc!CscSurrogatePreProcess+0x81f
fffff880`046d5500 fffff880`017e5157 : fffffa80`0502eb10 00000000`00000001 fffffa80`03ea6410 00000000`00000000 : mup!MupCallSurrogatePrePost+0x120
fffff880`046d5560 fffff880`017e67fa : 00000000`00000000 fffffa80`039b9df0 fffffa80`03ea6410 fffffa80`04b45d10 : mup!MupStateMachine+0x147
fffff880`046d55b0 fffff880`0115dbcf : fffffa80`03ea65b8 fffffa80`0502eb10 fffff880`046d5640 fffff800`02c42e02 : mup!MupClose+0x146
fffff880`046d5600 fffff880`0115c6df : fffffa80`039b96b0 fffffa80`03ea6410 fffffa80`03868800 fffffa80`03ea6410 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`046d5690 fffff800`02dc53ce : fffffa80`04b45d10 00000000`00000001 fffffa80`03ea6410 00000000`00000000 : fltmgr!FltpDispatch+0xcf
fffff880`046d56f0 fffff800`02ad0e54 : fffffa80`04b41eb0 fffff8a0`01a55580 fffffa80`02a89600 fffffa80`00000788 : nt!IopDeleteFile+0x11e
fffff880`046d5780 fffff800`02dbf1f4 : fffff8a0`01a55580 00000000`00000000 fffffa80`0567d600 00000000`00000000 : nt!ObfDereferenceObject+0xd4
fffff880`046d57e0 fffff800`02d7fe00 : 00000000`000002b4 fffff8a0`01a55580 fffff8a0`01bb0ad0 00000000`000002b4 : nt!ObpCloseHandleTableEntry+0xc4
fffff880`046d5870 fffff800`02d7fcf4 : 00000000`00000004 00000000`00000000 fffffa80`04837b30 fffff800`02d6cce1 : nt!ObpCloseHandleProcedure+0x30
fffff880`046d58b0 fffff800`02d8039a : fffff8a0`01aa5001 fffff880`046d5c20 fffffa80`04837b30 00000000`00000001 : nt!ExSweepHandleTable+0x74
fffff880`046d58f0 fffff800`02d9d012 : fffff8a0`01aa5060 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ObKillProcess+0x62
fffff880`046d5930 fffff800`02d81b7d : 00000000`c0000005 00000000`c0000001 000007ff`fff86000 fffffa80`04b4d8b0 : nt!PspExitThread+0x522
fffff880`046d5a30 fffff800`02aba6fa : 00000000`00000100 fffffa80`0567d6c0 00000000`00000001 fffff800`02abd7fd : nt!PsExitSpecialApc+0x1d
fffff880`046d5a60 fffff800`02abaa40 : 00000000`00000000 fffff880`046d5ae0 fffff800`02d81af0 00000000`00000001 : nt!KiDeliverApc+0x2ca
fffff880`046d5ae0 fffff800`02ac6ef7 : fffffa80`0567d600 00000000`ffffffff 00000000`00000000 fffffa80`052964e0 : nt!KiInitiateUserApc+0x70
fffff880`046d5c20 00000000`773612fa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x9c
00000000`033ff4b8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x773612fa
This is more complex, it's difficult when a lot of the functions are undocumented, networking also isn't a strong point for me so I'm not too familiar with what these routines are doing.
It starts really with some mup routines; mup stands for Multiple UNC Provider which, AFAIK, shows the path of the shared network resource such as a shared file etc.
This is followed by csc routines; csc stands for Client Side Caching, this is probably related to offline file sharing that is waiting to be transferred to the server.
Lastly, rdbss routines (Redirected Drive Buffering Subsystem), this seems to be a network interface to different parts of the Kernel including the I/O manager, memory manager and cache manager. It's essentially a mini redirector to send information to different parts of the system.
So it would seem that a server is involved with this?
I would say we might have a network driver causing some problems here.
I have skipped a few files as they are 0x3Bs and 0x1Es which have very little information recorded, what is recorded seems to be very similar to our previous 0x3B.
Code:
PROCESS1_INITIALIZATION_FAILED (6b)
Arguments:
Arg1: ffffffffc0000428, Indicates the NT status code that caused the failure.
Arg2: 0000000000000003, (reserved)
Arg3: 0000000000000000
Arg4: 0000000000000000
This is the interesting one that mainly turned it around and seems to stem from a hardware failure.
Let's look at that NT status code.
Code:
0: kd> !error ffffffffc0000428
Error code: (NTSTATUS) 0xc0000428 (3221226536) - Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
So a file on boot up hasn't been properly digitally signed; as stated, it's either corrupted, something malicious is taking place or hardware failure has corrupted the boot address.
To be honest, the latter seems most likely.
Code:
fffff880`009a9928 fffff800`02f1588e : 00000000`0000006b ffffffff`c0000428 00000000`00000003 00000000`00000000 : nt!KeBugCheckEx
fffff880`009a9930 fffff800`02f15b69 : 00000000`002a0028 00000000`00000000 00000000`00000001 fffff800`02fcbac0 : nt!PspLocateSystemDll+0x13e
fffff880`009a9a00 fffff800`02fff48d : fffff800`008128b0 00000000`00000002 00000000`00000000 fffff800`02c48e80 : nt!PsLocateSystemDlls+0x69
fffff880`009a9a40 fffff800`03002610 : 00000000`00000007 00000000`00000010 ffffffff`8000002c fffff800`00818270 : nt!IoInitSystem+0x85d
fffff880`009a9b40 fffff800`02f52e29 : 48651374`00347d80 fffffa80`02a78b50 00000000`00000080 fffffa80`02a78040 : nt!Phase1InitializationDiscard+0x1270
fffff880`009a9d10 fffff800`02d6973a : 207d3840`ff33ea8b 00000000`00000080 48704d8b`48000001 fffff800`02abe8d9 : nt!Phase1Initialization+0x9
fffff880`009a9d40 fffff800`02abe8e6 : fffff800`02c48e80 fffffa80`02a78b50 fffff800`02c56cc0 4127733c`5d3b0000 : nt!PspSystemThreadStartup+0x5a
fffff880`009a9d80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16
Well, the callstack just reveals the system dynamic link libraries being initialised when we bugcheck.
The last dump file is related to a push lock, it's very similar to a spin lock but that's for another time.
So we seem to be at a mix here so I'll give a few suggestions.
1. Remove Avast! and AVG as they are both installed, this isn't helpful and could easily cause crashes, I suggest replacing them with MSE.
Download these removal tools and run them.
avast! Uninstall Utility | Download aswClear for avast! Removal
http://www.avg.com/gb-en/utilities
2. Update the Intel(R) PRO/1000 PCI Express Network Connection Driver as it's outdated (2009), it may be contributing to these problems.
3. Memtest, it may well be RAM failing so memtest would be a good indicator.
I suggest you run Memtest86 for at least 8 passes.
Which one should I download?
You have two options to choose from, you can either download the ISO version then burn it to a CD and boot it from there.
The other option is downloading the auto installer for USB sticks, you then boot from that USB stick.
Be warned though, it will format your USB then install the files needed to make it bootable so any files left over will be wiped off.
Download it here:
Memtest86+ - Advanced Memory Diagnostic Tool
So how does it work?
It works by writing a series of test patterns to most memory addresses over 9 tests, it then reads the data back to compare it for errors.
The default pass does 9 different tests varying in access patterns and test data. A tenth pass is optional from the menu which writes all the memory in zeroes then sleeps for 90 minutes and compares it to see if any addresses have changed, this takes 3 hours per pass each time.
My memtest86 isn't booting! What should I do?
This can be caused by a number of different reasons, common ones include your BIOS not using the correct settings, you might want to change your boot priority order.
Other causes include your motherboard not supporting bootable USB sticks in which case you'll need to use a CD (or floppy drive).
For any other issues, you might want to look here:
FAQ : please read before posting
Edit: Bruce beat me to it by 2 minutes!
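An added example, not part of the original post or the poster's tooling: a Python parser for WinDbg stack text in the layout quoted in the post, which collapses the frames into the module chain the post walks through (mup, csc, rdbss) and reports which routine called the frame that resolves to no module. The function names are hypothetical, and `SAMPLE` is a subset of the frames from the post, one of them with the forum's colour tags left in.

```python
import re
from itertools import groupby

BBCODE = re.compile(r"\[/?(?:B|COLOR)[^\]]*\]", re.I)  # forum markup pasted into dumps

# Subset of the rdbss/csc/mup stack quoted in the post, newest frame first.
SAMPLE = r"""
fffff880`046d4e08 fffff800`02b458b8 : 00000000`000000fc fffff8a0`02158dc8 ee900000`67407963 fffff880`046d4f70 : [COLOR="#0000FF"]nt!KeBugCheckEx[/COLOR]
fffff880`046d4e10 fffff800`02ac5cee : 00000000`00000008 fffff8a0`02158dc8 fffffa80`04b4c600 fffff880`03c18ab0 : nt! ?? ::FNODOBFM::`string'+0x44dfc
fffff880`046d4f70 fffff8a0`02158dc8 : fffff880`03c24613 fffffa80`03d479c0 fffffa80`03cbb000 fffff8a0`02158b00 : nt!KiPageFault+0x16e
fffff880`046d5108 fffff880`03c24613 : fffffa80`03d479c0 fffffa80`03cbb000 fffff8a0`02158b00 fffff880`046d5200 : 0xfffff8a0`02158dc8
fffff880`046d5110 fffff880`03c23d5e : fffff8a0`02158d00 fffff880`046d5250 fffff8a0`02158b20 00000000`00000000 : rdbss!RxCloseAssociatedSrvOpen+0x223
fffff880`046d5370 fffff880`03e9f563 : 00000000`00000000 fffffa80`039b96b0 fffffa80`03ea6528 00000000`00000001 : csc!CscFsdDispatch+0x2ee
fffff880`046d5500 fffff880`017e5157 : fffffa80`0502eb10 00000000`00000001 fffffa80`03ea6410 00000000`00000000 : mup!MupCallSurrogatePrePost+0x120
fffff880`046d5600 fffff880`0115c6df : fffffa80`039b96b0 fffffa80`03ea6410 fffffa80`03868800 fffffa80`03ea6410 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`046d56f0 fffff800`02ad0e54 : fffffa80`04b41eb0 fffff8a0`01a55580 fffffa80`02a89600 fffffa80`00000788 : nt!IopDeleteFile+0x11e
"""

def parse_frames(text):
    """Return (module, function, offset) per frame, newest first."""
    frames = []
    for line in BBCODE.sub("", text).splitlines():
        parts = line.split(" : ", 2)  # "SP RetAddr : args : symbol"
        if len(parts) != 3:
            continue  # not a stack frame line
        symbol = parts[2].strip()
        if "!" not in symbol:
            frames.append((None, symbol, None))  # bare address, no owning module
            continue
        module, rest = symbol.split("!", 1)
        func, offset = rest.rsplit("+0x", 1) if "+0x" in rest else (rest, None)
        frames.append((module, func.strip(), int(offset, 16) if offset else None))
    return frames

def module_chain(frames):
    """Collapse runs of frames from one module; oldest caller first."""
    mods = [m or "<no module>" for m, _, _ in reversed(frames)]
    return [m for m, _ in groupby(mods)]

def caller_of_unowned(frames):
    """Frame that called an address belonging to no loaded module, if any."""
    for i, (module, _, _) in enumerate(frames[:-1]):
        if module is None:
            return frames[i + 1]
    return None

if __name__ == "__main__":
    parsed = parse_frames(SAMPLE)
    print(" -> ".join(module_chain(parsed)))
    print("caller of unowned frame:", caller_of_unowned(parsed))
```
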