Question

Windows 7 BSOD Errors

xdominos asked on
I have started having an issue where, shortly after launch, Windows crashes and gives me a BSOD. Recently it has begun to happen during boot; I can still enter safe mode. Below is the "Windows has recovered from an unexpected shutdown" message, and further below are the minidump files.



BCCode:    1e
  BCP1:    FFFFFFFFC0000005
  BCP2:    FFFFF800037D3BBA
  BCP3:    0000000000000001
  BCP4:    0000000000000018
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    768_1


Link To Dump Files:
https://skydrive.live.com/redir?resid=2B7188D2B957DD81!107&authkey=!ALR4VyK3P3VPJvQ



Answer
Patrick Barker replied on

Ah, here we go!

The attached DMP file is of the DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9) bugcheck which indicates that the IO manager has caught a misbehaving driver.

If we take a look at the call stack:

2: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`033d1d88 fffff800`0355f3f0 : 00000000`000000c9 00000000`00000004 fffffa80`09788c20 00000000`00000000 : nt!KeBugCheckEx
fffff880`033d1d90 fffff800`0397fb8f : fffffa80`066d1120 00000000`00000000 fffffa80`00000240 00000000`00000000 : nt!VfBugCheckNoStackUsage+0x30
fffff880`033d1dd0 fffff800`037d6fdc : 00000000`00000004 fffffa80`0a9d5cc8 fffffa80`09787910 fffffa80`09729930 : nt!IovCallDriver+0x3cf
fffff880`033d1e30 fffff800`037d2958 : fffffa80`09788e40 fffff800`00000000 fffffa80`0a9d5b10 fffff880`00000000 : nt!IopParseDevice+0x14d3
fffff880`033d1f90 fffff800`037d3b76 : 00000000`00000000 fffffa80`0a9d5b10 fffff880`033d2090 fffffa80`06767600 : nt!ObpLookupObjectName+0x588
fffff880`033d2080 fffff800`037d547c : fffffa80`09788b00 00000000`00000000 00000000`00000000 fffff800`03974a55 : nt!ObOpenObjectByName+0x306
fffff880`033d2150 fffff800`037bfa84 : fffff880`033d2750 fffff800`00100001 fffff880`033d2500 fffff880`033d24f0 : nt!IopCreateFile+0x2bc
fffff880`033d21f0 fffff800`034d4e93 : fffff880`033d22d0 00000000`00000000 fffff880`033d22d8 00120116`00120089 : nt!NtOpenFile+0x58
fffff880`033d2280 fffff800`034d1450 : fffffa80`0ade66bc fffffa80`0677be70 00000000`00000200 fffffa80`0adeb400 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`033d22f0)
fffff880`033d2488 fffffa80`0ade66bc : fffffa80`0677be70 00000000`00000200 fffffa80`0adeb400 fffffa80`0adec3d0 : nt!KiServiceLinkage
fffff880`033d2490 fffffa80`0677be70 : 00000000`00000200 fffffa80`0adeb400 fffffa80`0adec3d0 fffffa80`00000001 : 0xfffffa80`0ade66bc
fffff880`033d2498 00000000`00000200 : fffffa80`0adeb400 fffffa80`0adec3d0 fffffa80`00000001 fffff800`00000020 : 0xfffffa80`0677be70
fffff880`033d24a0 fffffa80`0adeb400 : fffffa80`0adec3d0 fffffa80`00000001 fffff800`00000020 00000000`000000e8 : 0x200
fffff880`033d24a8 fffffa80`0adec3d0 : fffffa80`00000001 fffff800`00000020 00000000`000000e8 fffff800`00b9ebb3 : 0xfffffa80`0adeb400
fffff880`033d24b0 fffffa80`00000001 : fffff800`00000020 00000000`000000e8 fffff800`00b9ebb3 00000000`0000013a : 0xfffffa80`0adec3d0
fffff880`033d24b8 fffff800`00000020 : 00000000`000000e8 fffff800`00b9ebb3 00000000`0000013a fffffa80`0adf68ba : 0xfffffa80`00000001
fffff880`033d24c0 00000000`000000e8 : fffff800`00b9ebb3 00000000`0000013a fffffa80`0adf68ba 00000000`00820080 : 0xfffff800`00000020
fffff880`033d24c8 fffff800`00b9ebb3 : 00000000`0000013a fffffa80`0adf68ba 00000000`00820080 fffff880`033d2530 : 0xe8
fffff880`033d24d0 00000000`0000013a : fffffa80`0adf68ba 00000000`00820080 fffff880`033d2530 00000000`00000000 : kdcom+0x1bb3
fffff880`033d24d8 fffffa80`0adf68ba : 00000000`00820080 fffff880`033d2530 00000000`00000000 00000000`00000000 : 0x13a
fffff880`033d24e0 00000000`00820080 : fffff880`033d2530 00000000`00000000 00000000`00000000 00650078`00000030 : 0xfffffa80`0adf68ba
fffff880`033d24e8 fffff880`033d2530 : 00000000`00000000 00000000`00000000 00650078`00000030 00000000`00000000 : 0x820080
fffff880`033d24f0 00000000`00000000 : 00000000`00000000 00650078`00000030 00000000`00000000 fffff880`033d24e0 : 0xfffff880`033d2530


We can see a kdcom.dll call matches up with the failure bucket ID - FAILURE_BUCKET_ID:  X64_0xc9_4_VRF_kdcom+1bb3

kdcom.dll is a module associated with Microsoft® Windows® Operating System from Microsoft Corporation. kdcom.dll is a system process that is needed for your Windows system to work properly.

Since this is the culprit, it's most likely corrupt, and with this said, I am going to recommend running the System File Checker:

SFC /SCANNOW:

What does running SFC /SCANNOW do?

The sfc /scannow command (System File Checker) scans the integrity of all protected Windows 7 system files and replaces incorrect, corrupted, changed/modified, or damaged versions with the correct versions if possible.

To run the SFC /SCANNOW command in Windows 7:

- Open an elevated command prompt (run cmd as administrator).

- In elevated command prompt, type "sfc /scannow" without the quotes, and press enter. Do note this can take some time to finish.

To see and read only the "SFC" scan results from the CBS.log:

- Open an elevated command prompt (run cmd as administrator).

- Copy and paste the following and then press enter:

findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >C:\sfcdetails.txt

This will create a file called sfcdetails.txt at the root of your system (C:\) containing only the SFC scan results from the CBS.log.

Regards,

Patrick
Debugger/Reverse Engineer.
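
Added example, not part of the answer above: a short Python triage of the [SR] lines that the findstr command writes to C:\sfcdetails.txt, reporting whether SFC repaired a suspect file, could not repair it, or never flagged it. The sample lines are constructed, and the "Cannot repair member file" / "Repairing corrupted file" wording they are modelled on is an assumption about the CBS.log format.

```python
import re
from collections import Counter

# Constructed sample lines (not from the poster's machine); component name
# and version are placeholders.
SAMPLE = [
    r'2013-01-01 10:00:01, Info  CSI  00000009 [SR] Verifying 100 (0x0000000000000064) components',
    r'2013-01-01 10:00:01, Info  CSI  0000000a [SR] Beginning Verify and Repair transaction',
    r'2013-01-01 10:00:05, Info  CSI  0000000c [SR] Cannot repair member file [l:18{9}]"kdcom.dll" of Example-Component, Version = 0.0.0.0, hash mismatch',
    r'2013-01-01 10:00:05, Info  CSI  0000000d [SR] Cannot repair member file [l:18{9}]"kdcom.dll" of Example-Component, Version = 0.0.0.0, hash mismatch',
    r'2013-01-01 10:00:06, Info  CSI  0000000e [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"example.dll" from store',
    r'2013-01-01 10:00:09, Info  CSI  00000010 [SR] Verify complete',
]

# Assumed line shapes: the file name is the quoted string after the
# bracketed length prefix (or the last quoted string before "from store").
CANNOT = re.compile(r'\[SR\] Cannot repair member file \[[^\]]*\]"([^"]+)"')
REPAIRED = re.compile(r'\[SR\] Repairing corrupted file .*"([^"]+)" from store')

def triage(lines):
    """Return (unrepaired, repaired) Counters keyed by lower-cased file name."""
    unrepaired, repaired = Counter(), Counter()
    for line in lines:
        if "[SR]" not in line:
            continue  # tolerate unfiltered CBS.log input
        m = CANNOT.search(line)
        if m:
            unrepaired[m.group(1).lower()] += 1
            continue
        m = REPAIRED.search(line)
        if m:
            repaired[m.group(1).lower()] += 1
    return unrepaired, repaired

def verdict(lines, suspect):
    """Classify one suspect file; an unrepaired entry outranks a repair."""
    unrepaired, repaired = triage(lines)
    name = suspect.lower()
    if name in unrepaired:
        return "unrepaired"
    if name in repaired:
        return "repaired"
    return "not flagged"

if __name__ == "__main__":
    # On a real system, pass open(r"C:\sfcdetails.txt", errors="replace") instead.
    for f in ("kdcom.dll", "example.dll", "ntoskrnl.exe"):
        print(f, "->", verdict(SAMPLE, f))
```

A "not flagged" result for the suspect file means SFC found its hash intact, so corruption of that file is not what the scan supports.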