Windows 7 BSOD Errors

I have started having an issue where, shortly after launch, Windows crashes and gives me a BSOD. Recently it has begun to happen during boot; I can still enter safe mode. Below is the "Windows has recovered from an unexpected shutdown" message, and further below are the minidump files.



BCCode:    1e
  BCP1:    FFFFFFFFC0000005
  BCP2:    FFFFF800037D3BBA
  BCP3:    0000000000000001
  BCP4:    0000000000000018
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    768_1


Link To Dump Files:
https://skydrive.live.com/redir?resid=2B7188D2B957DD81!107&authkey=!ALR4VyK3P3VPJvQ

Answer
Ah, here we go!

The attached DMP file is of the DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9) bugcheck which indicates that the IO manager has caught a misbehaving driver.

If we take a look at the call stack:

2: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`033d1d88 fffff800`0355f3f0 : 00000000`000000c9 00000000`00000004 fffffa80`09788c20 00000000`00000000 : nt!KeBugCheckEx
fffff880`033d1d90 fffff800`0397fb8f : fffffa80`066d1120 00000000`00000000 fffffa80`00000240 00000000`00000000 : nt!VfBugCheckNoStackUsage+0x30
fffff880`033d1dd0 fffff800`037d6fdc : 00000000`00000004 fffffa80`0a9d5cc8 fffffa80`09787910 fffffa80`09729930 : nt!IovCallDriver+0x3cf
fffff880`033d1e30 fffff800`037d2958 : fffffa80`09788e40 fffff800`00000000 fffffa80`0a9d5b10 fffff880`00000000 : nt!IopParseDevice+0x14d3
fffff880`033d1f90 fffff800`037d3b76 : 00000000`00000000 fffffa80`0a9d5b10 fffff880`033d2090 fffffa80`06767600 : nt!ObpLookupObjectName+0x588
fffff880`033d2080 fffff800`037d547c : fffffa80`09788b00 00000000`00000000 00000000`00000000 fffff800`03974a55 : nt!ObOpenObjectByName+0x306
fffff880`033d2150 fffff800`037bfa84 : fffff880`033d2750 fffff800`00100001 fffff880`033d2500 fffff880`033d24f0 : nt!IopCreateFile+0x2bc
fffff880`033d21f0 fffff800`034d4e93 : fffff880`033d22d0 00000000`00000000 fffff880`033d22d8 00120116`00120089 : nt!NtOpenFile+0x58
fffff880`033d2280 fffff800`034d1450 : fffffa80`0ade66bc fffffa80`0677be70 00000000`00000200 fffffa80`0adeb400 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`033d22f0)
fffff880`033d2488 fffffa80`0ade66bc : fffffa80`0677be70 00000000`00000200 fffffa80`0adeb400 fffffa80`0adec3d0 : nt!KiServiceLinkage
fffff880`033d2490 fffffa80`0677be70 : 00000000`00000200 fffffa80`0adeb400 fffffa80`0adec3d0 fffffa80`00000001 : 0xfffffa80`0ade66bc
fffff880`033d2498 00000000`00000200 : fffffa80`0adeb400 fffffa80`0adec3d0 fffffa80`00000001 fffff800`00000020 : 0xfffffa80`0677be70
fffff880`033d24a0 fffffa80`0adeb400 : fffffa80`0adec3d0 fffffa80`00000001 fffff800`00000020 00000000`000000e8 : 0x200
fffff880`033d24a8 fffffa80`0adec3d0 : fffffa80`00000001 fffff800`00000020 00000000`000000e8 fffff800`00b9ebb3 : 0xfffffa80`0adeb400
fffff880`033d24b0 fffffa80`00000001 : fffff800`00000020 00000000`000000e8 fffff800`00b9ebb3 00000000`0000013a : 0xfffffa80`0adec3d0
fffff880`033d24b8 fffff800`00000020 : 00000000`000000e8 fffff800`00b9ebb3 00000000`0000013a fffffa80`0adf68ba : 0xfffffa80`00000001
fffff880`033d24c0 00000000`000000e8 : fffff800`00b9ebb3 00000000`0000013a fffffa80`0adf68ba 00000000`00820080 : 0xfffff800`00000020
fffff880`033d24c8 fffff800`00b9ebb3 : 00000000`0000013a fffffa80`0adf68ba 00000000`00820080 fffff880`033d2530 : 0xe8
fffff880`033d24d0 00000000`0000013a : fffffa80`0adf68ba 00000000`00820080 fffff880`033d2530 00000000`00000000 : kdcom+0x1bb3
fffff880`033d24d8 fffffa80`0adf68ba : 00000000`00820080 fffff880`033d2530 00000000`00000000 00000000`00000000 : 0x13a
fffff880`033d24e0 00000000`00820080 : fffff880`033d2530 00000000`00000000 00000000`00000000 00650078`00000030 : 0xfffffa80`0adf68ba
fffff880`033d24e8 fffff880`033d2530 : 00000000`00000000 00000000`00000000 00650078`00000030 00000000`00000000 : 0x820080
fffff880`033d24f0 00000000`00000000 : 00000000`00000000 00650078`00000030 00000000`00000000 fffff880`033d24e0 : 0xfffff880`033d2530


We can see a kdcom.dll call matches up with the failure bucket ID - FAILURE_BUCKET_ID:  X64_0xc9_4_VRF_kdcom+1bb3

kdcom.dll is a module associated with Microsoft® Windows® Operating System from Microsoft Corporation. kdcom.dll is a system process that is needed for your Windows system to work properly.

Since this is the culprit, it's most likely corrupt, and with this said, I am going to recommend running the System File Checker:

SFC /SCANNOW:

What does running SFC /SCANNOW do?

The sfc /scannow command (System File Checker) scans the integrity of all protected Windows 7 system files and replaces incorrect, corrupted, changed/modified, or damaged versions with the correct versions if possible.

To run the SFC /SCANNOW command in Windows 7:

- Open an elevated command prompt (run cmd as administrator).

- In elevated command prompt, type "sfc /scannow" without the quotes, and press enter. Do note this can take some time to finish.

To see and read only the "SFC" scan results from the CBS.log:

- Open an elevated command prompt (run cmd as administrator).

- Copy and paste the following and then press enter:

findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >C:\sfcdetails.txt

This will create a file called sfcdetails.txt at the root of your system (C:\) containing only the SFC scan results from the CBS.log.

Regards,

Patrick
Debugger/Reverse Engineer.
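
Added example (not part of the reply above): a PowerShell sketch that summarises the [SR] lines produced by the findstr step, listing which files SFC flagged and whether kdcom.dll is among those it could not repair. The function name Get-SfcFinding and the sample log lines are constructed for illustration; the wording of real CBS.log entries may differ slightly.

```powershell
# Constructed sample resembling [SR] lines from CBS.log (not taken from the poster's machine).
$sample = @'
2013-06-02 14:03:11, Info                  CSI    00000009 [SR] Verifying 100 (0x0000000000000064) components
2013-06-02 14:03:11, Info                  CSI    0000000a [SR] Beginning Verify and Repair transaction
2013-06-02 14:03:19, Info                  CSI    0000000c [SR] Cannot repair member file [l:18{9}]"kdcom.dll" of Microsoft-Windows-Example-Component, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), hash mismatch
2013-06-02 14:03:19, Info                  CSI    0000000d [SR] Cannot repair member file [l:18{9}]"kdcom.dll" of Microsoft-Windows-Example-Component, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), hash mismatch
2013-06-02 14:03:25, Info                  CSI    0000000e [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"example.dll" from store
2013-06-02 14:03:26, Info                  CSI    00000010 [SR] Verify complete
'@ -split "`r?`n"

# Hypothetical helper: turns [SR] lines into objects (Time, Outcome, File).
function Get-SfcFinding {
    param([string[]]$Line)
    foreach ($l in $Line) {
        # Only the two outcomes that name a file matter; the file name is the
        # quoted string immediately before " of " or " from ".
        if ($l -match '\[SR\] (Cannot repair member file|Repairing corrupted file) .*?"([^"]+)" (?:of|from) ') {
            New-Object PSObject -Property @{
                Time    = $l.Substring(0, 19)
                Outcome = $Matches[1]
                File    = $Matches[2]
            }
        }
    }
}

# Real use: Get-SfcFinding -Line (Get-Content C:\sfcdetails.txt)
$findings = Get-SfcFinding -Line $sample
$findings | Sort-Object Outcome, File | Format-Table Time, Outcome, File -AutoSize

# SFC often logs the same file more than once, so de-duplicate before reporting.
$unrepaired = @($findings |
    Where-Object { $_.Outcome -like 'Cannot repair*' } |
    ForEach-Object { $_.File } |
    Select-Object -Unique)

"Unrepaired files: " + ($unrepaired -join ', ')
"kdcom.dll unrepaired: " + ($unrepaired -contains 'kdcom.dll')
```

A file listed as "Cannot repair" was flagged but not restored from the component store, so it still needs manual follow-up after the scan.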

Question Info


Last updated December 24, 2017 Views 178 Applies to: