re: BSOD keeps coming back - Windows 8.1
Thanks!
We have two consistent bug checks:
SYSTEM_SERVICE_EXCEPTION (3b)
This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.
This error has been linked to excessive paged pool usage and may occur due to user-mode graphics drivers crossing over and passing bad data to the kernel code.
BugCheck 3B, {c0000005, fffff801dbd32c02, ffffd00021548d90, 0}
Code:
4: kd> ln fffff801dbd32c02
(fffff801`dbd32bf0) nt!KxWaitForLockOwnerShip+0x12 | (fffff801`dbd32c38) nt!ObReferenceObjectSafe
The exception occurred in nt!KxWaitForLockOwnerShip+0x12.
We're likely dealing with a deadlock here.
NTFS_FILE_SYSTEM (24)
This indicates a problem occurred in ntfs.sys, the driver file that allows the system to read and write to NTFS drives.
One possible cause of this bug check is disk corruption. Corruption in the NTFS file system or bad blocks (sectors) on the hard disk can induce this error. Corrupted SCSI and IDE drivers can also adversely affect the system's ability to read and write to disk, thus causing the error.
Another possible cause is depletion of nonpaged pool memory. If the nonpaged pool memory is completely depleted, this error can stop the system. However, during the indexing process, if the amount of available nonpaged pool memory is very low, another kernel-mode driver requiring nonpaged pool memory can also trigger this error.
BugCheck 24, {b500190637, ffffd00026d3d8a8, ffffd00026d3d0b0, fffff800de0e5c1c}
Code:
4: kd> .exr 0xffffd00026d3d8a8
ExceptionAddress: fffff800de0e5c1c (nt!KxWaitForLockOwnerShipWithIrql+0x0000000000000014)
ExceptionCode: c0000005 (Access violation)
The access violation occurred in nt!KxWaitForLockOwnerShipWithIrql+0x0000000000000014.
Again, likely a deadlock.
Code:
4: kd> .trap ffffd000`26d3d950
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=ffffd00026d3db30
rdx=0270000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800de0e5c1c rsp=ffffd00026d3dae0 rbp=ffffd00026d3db50
r8=ffffd00026d3db80 r9=0000000000000020 r10=0000000000000020
r11=000000000000000b r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl zr na po nc
nt!KxWaitForLockOwnerShipWithIrql+0x14:
fffff800`de0e5c1c 48890a mov qword ptr [rdx],rcx ds:02700000`00000000=????????????????
Code:
4: kd> u @rip
nt!KxWaitForLockOwnerShipWithIrql+0x14:
fffff800`de0e5c1c 48890a mov qword ptr [rdx],rcx
fffff800`de0e5c1f 4d85c0 test r8,r8
fffff800`de0e5c22 7410 je nt!KxWaitForLockOwnerShipWithIrql+0x2c (fffff800`de0e5c34)
fffff800`de0e5c24 440f20c2 mov rdx,cr8
fffff800`de0e5c28 410fb600 movzx eax,byte ptr [r8]
fffff800`de0e5c2c 440f22c0 mov cr8,rax
fffff800`de0e5c30 418810 mov byte ptr [r8],dl
fffff800`de0e5c33 fb sti
Hard to say whether it's a driver holding a lock and causing a deadlock, or if this is a hardware issue. We'll need to go one step at a time.
1. Uninstall Glary Utilities ASAP, I've seen it cause a ton of issues lately.
2. Ensure your SSD firmware is 100% up to date via the manufacturer's website.
3. If the above fails, please enable Driver Verifier so we can see whether or not a 3rd party driver is holding a lock:
Driver Verifier:
What is Driver Verifier?
Driver Verifier monitors Windows kernel-mode drivers, graphics drivers, and even 3rd party drivers to detect illegal function calls or actions that might corrupt the system. Driver Verifier can subject the Windows drivers to a variety of stresses and tests to find improper behavior.
Essentially, if there's a 3rd party driver believed to be causing the issues at hand, enabling Driver Verifier will help us see which specific driver is causing the problem.
Before enabling Driver Verifier, it is recommended to create a System Restore Point:
Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - Restore Point - Create in Windows 8
How to enable Driver Verifier:
Start > type "verifier" without the quotes > Select the following options -
1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8/8.1)
- DDI compliance checking (Windows 8/8.1)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.
Important information regarding Driver Verifier:
- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled per my instructions above, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.
- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.
If this happens, do not panic, do the following:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > Search > type "cmd" without the quotes.
- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
- Restart and boot into normal Windows.
If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > type "system restore" without the quotes.
- Choose the restore point you created earlier.
-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods:
5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1
How long should I keep Driver Verifier enabled for?
I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.
My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?
- If you have the system set to generate Small Memory Dumps, they will be located in %systemroot%\Minidump.
- If you have the system set to generate Kernel-Memory Dumps, it will be located in %systemroot% and labeled MEMORY.DMP.
Any other questions can most likely be answered by this article:
Using Driver Verifier to identify issues with Windows drivers for advanced users
Regards,
Patrick
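
A command-line equivalent of the Driver Verifier steps in the post above, as an added example that is not part of the original post. It assumes the flag bit values from Microsoft's `verifier /flags` documentation, treats a driver as third-party when its file's CompanyName does not start with "Microsoft" (an approximation of the GUI's Provider column), and uses a hypothetical helper named `Resolve-DriverPath`.

```powershell
# Added example, not from the original post. Run in an elevated 64-bit PowerShell.
# Bit values follow Microsoft's documented "verifier /flags" table (assumption:
# confirm them with `verifier /?` on the target build before applying).
$checks = [ordered]@{
    'Special Pool'            = 0x00001
    'Force IRQL Checking'     = 0x00002
    'Pool Tracking'           = 0x00008
    'Deadlock Detection'      = 0x00020
    'Security Checks'         = 0x00100
    'Miscellaneous Checks'    = 0x00800
    'DDI compliance checking' = 0x20000
}
$flags = 0
foreach ($bit in $checks.Values) { $flags = $flags -bor $bit }

# Hypothetical helper: driver image paths appear as "\??\C:\...",
# "\SystemRoot\..." or "system32\..."; map each form to a plain file path.
function Resolve-DriverPath([string]$PathName) {
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Keep every installed driver whose file is not published by Microsoft.
# A driver with no CompanyName at all is kept, since its provider is unknown.
$thirdParty = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    if ($path -and (Test-Path -LiteralPath $path)) {
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        if ($company -notmatch '^Microsoft') { Split-Path $path -Leaf }
    }
} | Sort-Object -Unique

# Build the command and print it for review; nothing is changed yet.
$verifierArgs = @('/flags', ('0x{0:X}' -f $flags), '/driver') + $thirdParty
'verifier ' + ($verifierArgs -join ' ')

# & verifier.exe @verifierArgs   # uncomment to apply, then restart
# verifier /querysettings        # after the restart: confirm what is active
# verifier /reset                # turn Driver Verifier off again
```

Create the restore point before uncommenting the apply line; the printed command should list only the drivers you expect to see under non-Microsoft providers in the GUI.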