Windows 8.1 Kernel Data Inpage Error

Great, thanks!

We have two different bug checks:

CRITICAL_PROCESS_DIED (ef)

This indicates that a critical system process died.

BugCheck EF, {ffffe0016475e900, 0, 0, 0}

The 2nd parameter of the bug check is 0 which indicates that a critical system process died. We can check what it was via the 1st parameter:

2: kd> !process ffffe0016475e900 3
GetPointerFromAddress: unable to read from fffff801ce5e2000
PROCESS ffffe0016475e900
    SessionId: none  Cid: 02c0    Peb: 7ff6fd587000  ParentCid: 02b0
    DirBase: 1122a6000  ObjectTable: ffffc00074b59d00  HandleCount: <Data Not Accessible>
    Image: csrss.exe

We can see that the critical system process that died specifically was csrss.exe. This is the Client/Server Runtime Subsystem, and is a component of the Microsoft Windows NT operating system that provides the user mode side of the Win32 subsystem.

Great, so why did csrss.exe die? We'll look at the 0x7a crash for the answer to that question....

KERNEL_DATA_INPAGE_ERROR (7a)

This bug check indicates that the requested page of kernel data from the paging file could not be read into memory.

BugCheck 7A, {4, 0, ffffe001c8c42d30, ffffc001fc6797e8}

ERROR_CODE: (NTSTATUS) 0 - STATUS_SUCCESS

1: kd> k
Child-SP          RetAddr           Call Site
ffffd000`24c99b28 fffff802`771f6089 nt!KeBugCheckEx
ffffd000`24c99b30 fffff802`770fb5f8 nt! ?? ::FNODOBFM::`string'+0x1ebd9
ffffd000`24c99c20 fffff802`770da5f5 nt!MiIssueHardFault+0x184
ffffd000`24c99ce0 fffff802`771d122f nt!MmAccessFault+0x3d5
ffffd000`24c99e20 fffff801`e934c890 nt!KiPageFault+0x12f
ffffd000`24c99fb0 fffff801`e934ee10 fltmgr!FltpGetFileNameInformation+0x2f0
ffffd000`24c9a050 fffff801`ea332142 fltmgr!FltGetFileNameInformation+0x1b0
ffffd000`24c9a0d0 ffffe001`c65feac0 klif+0xd142
ffffd000`24c9a0d8 ffffc001`e91ad501 0xffffe001`c65feac0
ffffd000`24c9a0e0 ffffc001`e91ad5c8 0xffffc001`e91ad501
ffffd000`24c9a0e8 fffff801`e934e9bc 0xffffc001`e91ad5c8
ffffd000`24c9a0f0 ffffc001`e91ad550 fltmgr!FltReleasePushLock+0xc
ffffd000`24c9a120 00000000`00000000 0xffffc001`e91ad550

klif.sys calls a Microsoft Filesystem Filter Manager routine to return the name information for a file name. However, we thereafter call into a pagefault. Why/how do we go from something as easy as Kaspersky (klif.sys is a Kaspersky driver) trying to get a return on a file name, to a crash?

Taking a look at the loaded modules list answers this question.

----------------------------

You have avast! and Kaspersky installed, huge no-no! More than one antivirus on the system is bad because both are installing their own interceptors to the kernel to analyze critical data such as files, network, etc. In this case, Kaspersky was trying to get a return on a file name, and avast! conflicted.

FWIW, I would actually recommend removing and replacing BOTH (not just one) with Windows Defender.

Kaspersky removal - http://support.kaspersky.com/common/service.aspx?el=1464

avast! removal - http://www.avast.com/uninstall-utility

Windows Defender (how to turn on after removal) - http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html

Regards,

Patrick

Hi,

In order to assist you, we will need the .DMP files to analyze what exactly occurred at the time of the crash, etc.

If you don't know where .DMP files are located, here's how to get to them:

1. Navigate to the %systemroot%\Minidump folder.

2. Copy any and all DMP files in the Minidump folder to your Desktop and then zip up these files.

3. Upload the zip containing the .DMP files to Onedrive or a hosting site of your choice and paste in your reply. Prefered sites: Onedrive, Mediafire, Dropbox, etc. Nothing with wait-timers.

4 (optional): The type of .DMP files located in the Minidump folder are known as Small Memory Dumps. In %systemroot% there will be what is known as a Kernel-Dump (if your system is set to generate). It is labeled MEMORY.DMP. The difference between Small Memory Dumps and Kernel-Dumps in the simplest definition is a Kernel-Dump contains much more information at the time of the crash, therefore allowing further debugging of your issue. If your upload speed permits it, and you aren't going against any strict bandwidth and/or usage caps, etc, the Kernel-Dump is the best choice. Do note that Kernel-Dumps are much larger in size due to containing much more info, which is why I mentioned upload speed, etc.

If you are going to use Onedrive but don't know how to upload to it, please visit the following:

Upload photos and files to Onedrive.

Please note that any "cleaner" programs such as TuneUp Utilities, CCleaner, etc, by default will delete .DMP files upon use.

If your computer is not generating .DMP files, please do the following:

1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.

2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all drives'.

3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.

4. Double check that the WERS is ENABLED:

Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.

If you cannot get into normal mode to do any of this, please do this via Safe Mode.

Regards,

Patrick