
Random BSOD and applications constantly crashing

proudscot2k asked on

Hi, I was wondering if anyone could possibly assist. I am getting random BSODs with different reasons each time.

I have checked to see if my drivers are up to date and ran some memtests; however, nothing is resolving the issue.

Thanks in advance.

A copy of my dmp files can be found here:

https://onedrive.live.com/redir?resid=ABBFD4161CDB13B1!227&authkey=!APRST5HGiuT_OoA&ithint=folder%2c.dmp

Again thanks for any support.

Patrick Barker replied on

Hi,


We have many different bug checks:


BAD_POOL_HEADER (19)

This indicates that a pool header is corrupt.


BugCheck 19, {25, 79, 1, ffffe000d34c78d0}


1: kd> !pool ffffe000d34c78d0
GetPointerFromAddress: unable to read from fffff80143560138
Pool page ffffe000d34c78d0 region is unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
Unknown
 ffffe000d34c7000 size:   50 previous size:    0  (Allocated)  VMON
 ffffe000d34c7050 size:   10 previous size:   50  (Free)       Free
 ffffe000d34c7060 size:   50 previous size:   10  (Allocated)  VMON
 ffffe000d34c70b0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7100 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7150 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c71a0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c71f0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7240 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7290 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c72e0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7330 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7380 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c73d0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7420 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7470 size:   50 previous size:   50  (Free)       VMON
 ffffe000d34c74c0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7510 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7560 size:   50 previous size:   50  (Free)       VMON
 ffffe000d34c75b0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7600 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7650 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c76a0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c76f0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7740 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7790 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c77e0 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7830 size:   50 previous size:   50  (Allocated)  VMON
 ffffe000d34c7880 size:   50 previous size:   50  (Free)       VMON
*ffffe000d34c78d0 size:   50 previous size:   50  (Free ) *VMON
        Pooltag VMON : Volume Manager, Binary : volmgr.sys


^^ Looks like the pool block we're looking within belongs to VMware. We can confirm this by dumping the call stack:


1: kd> k
Child-SP          RetAddr           Call Site
ffffd001`b0ec66c8 fffff801`434a2548 nt!KeBugCheckEx
ffffd001`b0ec66d0 fffff800`8a89dab4 nt!ExFreePoolWithTag+0x1268
ffffd001`b0ec67a0 00000000`00000000 vmx86+0x3ab4


^^ VMware Virtualization driver.


MEMORY_MANAGEMENT (1a)

This indicates that a severe memory management error occurred.


BugCheck 1A, {41287, 40, 0, 0}


- The 1st parameter of the bug check is 41287 which indicates an illegal page fault occurred while holding working set synchronization.


DPC_WATCHDOG_VIOLATION (133)

This bug check indicates that the DPC watchdog executed, either because it detected a single long-running deferred procedure call (DPC), or because the system spent a prolonged time at an interrupt request level (IRQL) of DISPATCH_LEVEL or above.


KERNEL_SECURITY_CHECK_FAILURE (139)

This bug check indicates that the kernel has detected the corruption of a critical data structure.

BugCheck 139, {3, ffffd000811175b0, ffffd00081117508, 0}

The 1st parameter of the bugcheck is 3 which indicates that a LIST_ENTRY was corrupted. Code 3, LIST_ENTRY corruption. This type of bug check can be difficult to track down and indicates that an inconsistency has been introduced into a doubly-linked list (detected when an individual list entry element is added to or removed from the list).

SYSTEM_SERVICE_EXCEPTION (3b)

This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.

This error has been linked to excessive paged pool usage and may occur due to user-mode graphics drivers crossing over and passing bad data to the kernel code.

BugCheck 3B, {c0000005, fffff801d294be07, ffffd00021189cc0, 0}

2: kd> ln fffff801d294be07
(fffff801`d294bdc0)   fltmgr!TreeUnlinkMulti+0x47   |  (fffff801`d294bf60)   fltmgr!FltFreeCallbackData

^^ The exception occurred in fltmgr!TreeUnlinkMulti.

------------------------

1. Please uninstall VMware ASAP.

2. If you're still crashing after #1, please enable Driver Verifier:

Driver Verifier:

What is Driver Verifier?

Driver Verifier is included in Windows 8/8.1, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.

Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.

Before enabling Driver Verifier, it is recommended to create a System Restore Point:

Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

How to enable Driver Verifier:

Start > type "verifier" without the quotes > Select the following options -

1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8)
- DDI compliance checking (Windows 8)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.

Important information regarding Driver Verifier:

- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled, it is monitoring all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.

- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and as stated above, that will cause / force a BSOD.

If this happens, do not panic, do the following:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > Search > type "cmd" without the quotes.

- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.

- Restart and boot into normal Windows.

If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.

- Once in Safe Mode - Start > type "system restore" without the quotes.

- Choose the restore point you created earlier.

-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods: 5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1

How long should I keep Driver Verifier enabled for?

I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.

My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?

They will be located in %systemroot%\Minidump

Any other questions can most likely be answered by this article:
http://support.microsoft.com/kb/244617

Regards,

Patrick

Debugger/Reverse Engineer.
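
The pool walk quoted in the answer above can also be checked mechanically. This is an added example, not part of the original answer: it parses rows in the !pool layout, tallies the pool tags, picks out the block marked with "*", and verifies that each block's address and previous size agree with the block before it. The sample rows are constructed in the same layout, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed rows in the layout of the !pool output above (sizes are hex bytes).
SAMPLE = """\
 ffffe000d34c7000 size:   50 previous size:    0  (Allocated)  VMON
 ffffe000d34c7050 size:   10 previous size:   50  (Free)       Free
 ffffe000d34c7060 size:   50 previous size:   10  (Allocated)  VMON
 ffffe000d34c70b0 size:   50 previous size:   50  (Free)       VMON
*ffffe000d34c7100 size:   50 previous size:   50  (Free ) *VMON
        Pooltag VMON : Volume Manager, Binary : volmgr.sys
"""

ROW = re.compile(
    r"\s*(\*?)([0-9a-f]{16})\s+size:\s*([0-9a-f]+)\s+previous size:\s*([0-9a-f]+)"
    r"\s+\((\w+)\s*\)\s+\*?(\S+)", re.I)

def parse_pool(text):
    """Turn each block row into a dict; non-row lines (banner, Pooltag) are skipped."""
    blocks = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            star, addr, size, prev, state, tag = m.groups()
            blocks.append({"addr": int(addr, 16), "size": int(size, 16),
                           "prev": int(prev, 16), "state": state,
                           "tag": tag, "target": star == "*"})
    return blocks

def check_chain(blocks):
    """List (address, reason) wherever a block disagrees with its predecessor."""
    problems = []
    for a, b in zip(blocks, blocks[1:]):
        if a["addr"] + a["size"] != b["addr"]:
            problems.append((b["addr"], "address gap or overlap"))
        if b["prev"] != a["size"]:
            problems.append((b["addr"], "previous size mismatch"))
    return problems

def summarize(text):
    blocks = parse_pool(text)
    return {"tags": Counter(b["tag"] for b in blocks),
            "target": next((b for b in blocks if b["target"]), None),
            "problems": check_chain(blocks)}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(dict(report["tags"]), hex(report["target"]["addr"]), report["problems"])
```

An empty problems list only means the displayed rows are self-consistent; the call stack remains the way to tie the freed block to a driver.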