Bsod, bad pool header /page fault in nonpaged area


  1. Posts : 28
    Windows 7 64 and 32 Embedded
       #1



    Hey guys,
    I've learned quite a bit from these forums now by lurking and finally got my debugging tools working right with the symbols and all.
    Anyways, I wanted some second opinions on these dumps.
    Here's info on the system:
    Code:
    -x64 Embedded (App compatibility template) ?
    - 3 weeks old, unused hardware, fresh install.
    I'm guessing it's memory and not driver related because I get these errors:
    Code:
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Could not read faulting driver name
    Code:
    BAD_POOL_HEADER (19)
    The pool is already corrupt at the time of the current request.
    This may or may not be due to the caller.
    The internal pool links must be walked to figure out a possible cause of
    the problem, and then special pool applied to the suspect tags or the driver
    verifier to a suspect driver.
    Seems like both of those are related to memory.
    I've also got some memory corruption errors too.

    Thanks in advance for any input on these. Curious if I'm on the right track.


  2. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #2

    Code:
    1. Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
       Copyright (c) Microsoft Corporation. All rights reserved.

       Loading Dump File [C:\Users\Mike\Documents\Kingston\BSODDmpFiles\jivex5k\Windows_NT6_BSOD_jcgriff2\020212-15865-01.dmp]
       Mini Kernel Dump File: Only registers and stack trace are available

       Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
       Executable search path is:
       Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
       Product: WinNt, suite: TerminalServer EmbeddedNT SingleUserTS
       Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
       Machine Name:
       Kernel base = 0xfffff800`02858000 PsLoadedModuleList = 0xfffff800`02a9d670
       Debug session time: Wed Feb 1 15:08:02.495 2012 (GMT-7)
       System Uptime: 0 days 0:23:46.743
       Loading Kernel Symbols
       ...............................................................
       ................................................................
       ..
       Loading User Symbols
       Loading unloaded module list
       ......
       *******************************************************************************
       *                                                                             *
       *                        Bugcheck Analysis                                    *
       *                                                                             *
       *******************************************************************************

       Use !analyze -v to get detailed debugging information.

       BugCheck 19, {22, 2100000000, 0, 0}

       Probably caused by : win32k.sys ( win32k!bDeleteBrush+274 )

       Followup: MachineOwner
       ---------

       0: kd> !analyze -v
       *******************************************************************************
       *                                                                             *
       *                        Bugcheck Analysis                                    *
       *                                                                             *
       *******************************************************************************

       BAD_POOL_HEADER (19)
       The pool is already corrupt at the time of the current request.
       This may or may not be due to the caller.
       The internal pool links must be walked to figure out a possible cause of
       the problem, and then special pool applied to the suspect tags or the driver
       verifier to a suspect driver.
       Arguments:
       Arg1: 0000000000000022,
       Arg2: 0000002100000000
       Arg3: 0000000000000000
       Arg4: 0000000000000000

       Debugging Details:
       ------------------

       BUGCHECK_STR: 0x19_22

       POOL_ADDRESS: GetPointerFromAddress: unable to read from fffff80002b07100
        0000002100000000

       CUSTOMER_CRASH_COUNT: 1

       DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

       PROCESS_NAME: MainConsole.ex

       CURRENT_IRQL: 2

       LAST_CONTROL_TRANSFER: from fffff800028614ce to fffff800028d4c40

       STACK_TEXT:
       fffff880`062c2478 fffff800`028614ce : 00000000`00000019 00000000`00000022 00000021`00000000 00000000`00000000 : nt!KeBugCheckEx
       fffff880`062c2480 fffff800`02a041fa : 00000000`00000000 fffff880`062c25d0 fffff880`062c2550 00000000`00000001 : nt! ?? ::FNODOBFM::`string'+0x72d6
       fffff880`062c2510 fffff960`0018d754 : 00000000`00000000 00000000`00000001 00000000`03300bff 00000000`00000000 : nt!ExFreePoolWithTag+0x46a
       fffff880`062c25c0 fffff960`0018e801 : 00000000`03300bff fffff880`00000001 00000000`00000001 fffff900`00000000 : win32k!bDeleteBrush+0x274
       fffff880`062c2670 fffff960`00185e80 : 00000000`00000894 fffff880`062c2a00 fffff900`c1a1d010 00000000`00000000 : win32k!NtGdiCloseProcess+0x181
       fffff880`062c26d0 fffff960`001855af : 00000000`00000000 fffff880`062c2ae0 fffffa80`061bcb60 00000000`00000000 : win32k!GdiProcessCallout+0x200
       fffff880`062c2750 fffff800`02baaa81 : 00000000`00000000 00000000`00000000 00000000`00000000 fffffa80`061bcb00 : win32k!W32pProcessCallout+0x6b
       fffff880`062c2780 fffff800`02b8e09d : 00000000`c0000005 00000000`00000001 00000000`78457300 00000000`00000000 : nt!PspExitThread+0x4d1
       fffff880`062c2880 fffff800`028c83fa : 00000000`00000000 00000000`00000000 00000000`00000000 fffff880`062c2920 : nt!PsExitSpecialApc+0x1d
       fffff880`062c28b0 fffff800`028c8740 : 00000000`00000246 fffff880`062c2930 fffff800`02b8e010 00000000`00000001 : nt!KiDeliverApc+0x2ca
       fffff880`062c2930 fffff800`028d3f77 : ffffffff`ffffffff 0000007f`ffffffff 00000000`0652fb78 00000980`00000004 : nt!KiInitiateUserApc+0x70
       fffff880`062c2a70 00000000`73db2e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x9c
       00000000`04fdf0f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x73db2e09

       STACK_COMMAND: kb

       FOLLOWUP_IP:
       win32k!bDeleteBrush+274
       fffff960`0018d754 488b4b20 mov rcx,qword ptr [rbx+20h]

       SYMBOL_STACK_INDEX: 3

       SYMBOL_NAME: win32k!bDeleteBrush+274

       FOLLOWUP_NAME: MachineOwner

       MODULE_NAME: win32k

       IMAGE_NAME: win32k.sys

       DEBUG_FLR_IMAGE_TIMESTAMP: 4ecdcd5a

       FAILURE_BUCKET_ID: X64_0x19_22_win32k!bDeleteBrush+274

       BUCKET_ID: X64_0x19_22_win32k!bDeleteBrush+274

       Followup: MachineOwner
       ---------
    2. Loading Dump File [C:\Users\Mike\Documents\Kingston\BSODDmpFiles\jivex5k\Windows_NT6_BSOD_jcgriff2\020112-14086-01.dmp]
       Mini Kernel Dump File: Only registers and stack trace are available

       Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
       Executable search path is:
       Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
       Product: WinNt, suite: TerminalServer EmbeddedNT SingleUserTS
       Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
       Machine Name:
       Kernel base = 0xfffff800`02809000 PsLoadedModuleList = 0xfffff800`02a4e670
       Debug session time: Wed Feb 1 10:03:42.553 2012 (GMT-7)
       System Uptime: 0 days 1:22:24.802
       Loading Kernel Symbols
       ...............................................................
       ................................................................
       ...
       Loading User Symbols
       Loading unloaded module list
       ..............
       *******************************************************************************
       *                                                                             *
       *                        Bugcheck Analysis                                    *
       *                                                                             *
       *******************************************************************************

       Use !analyze -v to get detailed debugging information.

       BugCheck 50, {fffffad8044c8820, 1, fffff8800120dcff, 5}

       Could not read faulting driver name
       Probably caused by : Ntfs.sys ( Ntfs!NtfsRemoveClose+83 )

       Followup: MachineOwner
       ---------

       2: kd> !analyze -v
       *******************************************************************************
       *                                                                             *
       *                        Bugcheck Analysis                                    *
       *                                                                             *
       *******************************************************************************

       PAGE_FAULT_IN_NONPAGED_AREA (50)
       Invalid system memory was referenced. This cannot be protected by try-except,
       it must be protected by a Probe. Typically the address is just plain bad or it
       is pointing at freed memory.
       Arguments:
       Arg1: fffffad8044c8820, memory referenced.
       Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
       Arg3: fffff8800120dcff, If non-zero, the instruction address which referenced the bad memory
             address.
       Arg4: 0000000000000005, (reserved)

       Debugging Details:
       ------------------

       Could not read faulting driver name

       WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ab8100
        fffffad8044c8820

       FAULTING_IP:
       Ntfs!NtfsRemoveClose+83
       fffff880`0120dcff 48894808 mov qword ptr [rax+8],rcx

       MM_INTERNAL_CODE: 5

       CUSTOMER_CRASH_COUNT: 1

       DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

       BUGCHECK_STR: 0x50

       PROCESS_NAME: System

       CURRENT_IRQL: 0

       TRAP_FRAME: fffff8800317e8e0 -- (.trap 0xfffff8800317e8e0)
       NOTE: The trap frame does not contain all registers.
       Some register values may be zeroed or incorrect.
       rax=fffffad8044c8818 rbx=0000000000000000 rcx=fffff88001263040
       rdx=fffffa80041bb6b8 rsi=0000000000000000 rdi=0000000000000000
       rip=fffff8800120dcff rsp=fffff8800317ea70 rbp=fffff80002a26260
        r8=00000000ffffffff r9=00000000000001d0 r10=fffff80002809000
       r11=fffff88001263018 r12=0000000000000000 r13=0000000000000000
       r14=0000000000000000 r15=0000000000000000
       iopl=0 nv up ei pl nz ac po nc
       Ntfs!NtfsRemoveClose+0x83:
       fffff880`0120dcff 48894808 mov qword ptr [rax+8],rcx ds:0100:fffffad8`044c8820=????????????????
       Resetting default scope

       LAST_CONTROL_TRANSFER: from fffff800028303bf to fffff80002885c40

       STACK_TEXT:
       fffff880`0317e778 fffff800`028303bf : 00000000`00000050 fffffad8`044c8820 00000000`00000001 fffff880`0317e8e0 : nt!KeBugCheckEx
       fffff880`0317e780 fffff800`02883d6e : 00000000`00000001 fffffad8`044c8820 fffffa80`0436b300 fffffa80`041bb670 : nt! ?? ::FNODOBFM::`string'+0x44791
       fffff880`0317e8e0 fffff880`0120dcff : 00000000`00000000 fffff880`01263000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x16e
       fffff880`0317ea70 fffff880`0129224e : fffffa80`0436b310 00000000`00000000 fffff8a0`081b19f0 fffffa80`04db0180 : Ntfs!NtfsRemoveClose+0x83
       fffff880`0317eaa0 fffff800`02890001 : 00000000`00000000 fffff800`02b7c900 fffffa80`03d25901 00000000`00000002 : Ntfs!NtfsFspClose+0x56
       fffff880`0317eb70 fffff800`02b20fee : 59cfb493`27bf978f fffffa80`03d259e0 00000000`00000080 fffffa80`03cc8890 : nt!ExpWorkerThread+0x111
       fffff880`0317ec00 fffff800`028775e6 : fffff880`02f65180 fffffa80`03d259e0 fffff880`02f6ffc0 fa6ce394`ffc8b38f : nt!PspSystemThreadStartup+0x5a
       fffff880`0317ec40 00000000`00000000 : fffff880`0317f000 fffff880`03179000 fffff880`0317e8a0 00000000`00000000 : nt!KxStartSystemThread+0x16

       STACK_COMMAND: kb

       FOLLOWUP_IP:
       Ntfs!NtfsRemoveClose+83
       fffff880`0120dcff 48894808 mov qword ptr [rax+8],rcx

       SYMBOL_STACK_INDEX: 3

       SYMBOL_NAME: Ntfs!NtfsRemoveClose+83

       FOLLOWUP_NAME: MachineOwner

       MODULE_NAME: Ntfs

       IMAGE_NAME: Ntfs.sys

       DEBUG_FLR_IMAGE_TIMESTAMP: 4ce792f9

       FAILURE_BUCKET_ID: X64_0x50_Ntfs!NtfsRemoveClose+83

       BUCKET_ID: X64_0x50_Ntfs!NtfsRemoveClose+83

       Followup: MachineOwner
       ---------
    3. Loading Dump File [C:\Users\Mike\Documents\Kingston\BSODDmpFiles\jivex5k\Windows_NT6_BSOD_jcgriff2\013112-15927-01.dmp]
       Mini Kernel Dump File: Only registers and stack trace are available

       Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
       Executable search path is:
       Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
       Product: WinNt, suite: TerminalServer EmbeddedNT SingleUserTS
       Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
       Machine Name:
       Kernel base = 0xfffff800`02818000 PsLoadedModuleList = 0xfffff800`02a5d670
       Debug session time: Tue Jan 31 10:27:03.858 2012 (GMT-7)
       System Uptime: 0 days 0:02:08.732
       Loading Kernel Symbols
       ...............................................................
       ................................................................
       ..........
       Loading User Symbols
       Loading unloaded module list
       .....
       *******************************************************************************
       *                                                                             *
       *                        Bugcheck Analysis                                    *
       *                                                                             *
       *******************************************************************************

       Use !analyze -v to get detailed debugging information.

       BugCheck A, {babb4038, 2, 0, fffff800028b34b2}

       Probably caused by : memory_corruption ( nt!MiResolveProtoPteFault+142 )

       Followup: MachineOwner
       ---------

       0: kd> !analyze -v
       *******************************************************************************
       *                                                                             *
       *                        Bugcheck Analysis                                    *
       *                                                                             *
       *******************************************************************************

       IRQL_NOT_LESS_OR_EQUAL (a)
       An attempt was made to access a pageable (or completely invalid) address at an
       interrupt request level (IRQL) that is too high. This is usually
       caused by drivers using improper addresses.
       If a kernel debugger is available get the stack backtrace.
       Arguments:
       Arg1: 00000000babb4038, memory referenced
       Arg2: 0000000000000002, IRQL
       Arg3: 0000000000000000, bitfield :
             bit 0 : value 0 = read operation, 1 = write operation
             bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
       Arg4: fffff800028b34b2, address which referenced memory

       Debugging Details:
       ------------------

       READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ac7100
        00000000babb4038

       CURRENT_IRQL: 2

       FAULTING_IP:
       nt!MiResolveProtoPteFault+142
       fffff800`028b34b2 f6403820 test byte ptr [rax+38h],20h

       CUSTOMER_CRASH_COUNT: 1

       DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

       BUGCHECK_STR: 0xA

       PROCESS_NAME: WmiPrvSE.exe

       TRAP_FRAME: fffff88007438450 -- (.trap 0xfffff88007438450)
       NOTE: The trap frame does not contain all registers.
       Some register values may be zeroed or incorrect.
       rax=000007fefa7c7000 rbx=0000000000000000 rcx=0000000000005a4d
       rdx=000007fefa720000 rsi=0000000000000000 rdi=0000000000000000
       rip=fffff80002875f6b rsp=fffff880074385e8 rbp=fffff80002a3ed00
        r8=0000000000000000 r9=fffff88007438628 r10=0000000000000000
       r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
       r14=0000000000000000 r15=0000000000000000
       iopl=0 nv up ei pl nz na pe nc
       nt!RtlImageNtHeaderEx+0x3f:
       fffff800`02875f6b 66390a cmp word ptr [rdx],cx ds:0720:000007fe`fa720000=????
       Resetting default scope

       LAST_CONTROL_TRANSFER: from fffff800028941e9 to fffff80002894c40

       STACK_TEXT:
       fffff880`07437e78 fffff800`028941e9 : 00000000`0000000a 00000000`babb4038 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
       fffff880`07437e80 fffff800`02892e60 : fffff880`07438360 fffffa80`05a68e40 fffff880`00000001 80000000`8dfe9121 : nt!KiBugCheckDispatch+0x69
       fffff880`07437fc0 fffff800`028b34b2 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff880`074382d0 : nt!KiPageFault+0x260
       fffff880`07438150 fffff800`028b2053 : 00000000`0009f546 000007fe`fa720000 fffff683`ff7d3900 fffffa80`06577b18 : nt!MiResolveProtoPteFault+0x142
       fffff880`074381e0 fffff800`028a1f19 : 00000000`00000000 000007fe`fa720000 fffffa80`05a68e40 00000000`00000000 : nt!MiDispatchFault+0x1c3
       fffff880`074382f0 fffff800`02892d6e : 00000000`00000000 000007fe`fa720000 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x359
       fffff880`07438450 fffff800`02875f6b : fffff800`028760fa 00000000`000003d0 fffff880`07438740 00000000`00000101 : nt!KiPageFault+0x16e
       fffff880`074385e8 fffff800`028760fa : 00000000`000003d0 fffff880`07438740 00000000`00000101 fffffa80`00000000 : nt!RtlImageNtHeaderEx+0x3f
       fffff880`074385f0 fffff800`02bd06a1 : fffffa80`04c87900 00000000`00000000 fffff880`07438700 00000000`00000000 : nt!RtlImageNtHeader+0x1e
       fffff880`07438620 fffff800`02bb220c : 00000000`00000538 00000000`00000000 00000000`00000001 00000000`00000001 : nt! ?? ::NNGAKEGL::`string'+0x1d464
       fffff880`07438700 fffff800`02bb1eff : 00000000`000a7000 fffffa80`06577998 fffffa80`0610cdf0 00000000`00000000 : nt!PsCallImageNotifyRoutines+0xdc
       fffff880`07438760 fffff800`02bae487 : fffffa80`0610cdf0 fffffa80`06577780 fffff880`07438a10 fffff880`07438a08 : nt!MiMapViewOfImageSection+0x48f
       fffff880`074388b0 fffff800`02bae78e : fffffa80`00000004 fffffa80`06577780 fffff880`07438a10 00000000`00000000 : nt!MiMapViewOfSection+0x367
       fffff880`074389a0 fffff800`02893ed3 : 00000000`00000564 fffffa80`065e8600 00000000`0085d298 00000000`0085d501 : nt!NtMapViewOfSection+0x2bd
       fffff880`07438a70 00000000`7757159a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
       00000000`0085d278 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7757159a

       STACK_COMMAND: kb

       FOLLOWUP_IP:
       nt!MiResolveProtoPteFault+142
       fffff800`028b34b2 f6403820 test byte ptr [rax+38h],20h

       SYMBOL_STACK_INDEX: 3

       SYMBOL_NAME: nt!MiResolveProtoPteFault+142

       FOLLOWUP_NAME: MachineOwner

       MODULE_NAME: nt

       DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3

       IMAGE_NAME: memory_corruption

       FAILURE_BUCKET_ID: X64_0xA_nt!MiResolveProtoPteFault+142

       BUCKET_ID: X64_0xA_nt!MiResolveProtoPteFault+142

       Followup: MachineOwner
       ---------
    4. Loading Dump File [C:\Users\Mike\Documents\Kingston\BSODDmpFiles\jivex5k\Windows_NT6_BSOD_jcgriff2\013112-19546-01.dmp]
       Mini Kernel Dump File: Only registers and stack trace are available

       Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
       Executable search path is:
       Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
       Product: WinNt, suite: TerminalServer EmbeddedNT SingleUserTS
       Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
       Machine Name:
       Kernel base = 0xfffff800`02809000 PsLoadedModuleList = 0xfffff800`02a4e670
       Debug session time: Tue Jan 31 05:47:25.763 2012 (GMT-7)
       System Uptime: 0 days 14:36:02.012
       Loading Kernel Symbols
       ...............................................................
       ................................................................
       ....
       Loading User Symbols
       Loading unloaded module list
       ......................
       *******************************************************************************
       *                                                                             *
       *                        Bugcheck Analysis                                    *
       *                                                                             *
       *******************************************************************************

       Use !analyze -v to get detailed debugging information.

       BugCheck 1E, {ffffffffc0000005, fffff800028677a9, 0, 88}

       Probably caused by : memory_corruption ( nt!MiValidateImagePages+339 )

       Followup: MachineOwner
       ---------

       0: kd> !analyze -v
       *******************************************************************************
       *                                                                             *
       *                        Bugcheck Analysis                                    *
       *                                                                             *
       *******************************************************************************

       KMODE_EXCEPTION_NOT_HANDLED (1e)
       This is a very common bugcheck. Usually the exception address pinpoints
       the driver/function that caused the problem. Always note this address
       as well as the link date of the driver/image that contains this address.
       Arguments:
       Arg1: ffffffffc0000005, The exception code that was not handled
       Arg2: fffff800028677a9, The address that the exception occurred at
       Arg3: 0000000000000000, Parameter 0 of the exception
       Arg4: 0000000000000088, Parameter 1 of the exception

       Debugging Details:
       ------------------

       EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

       FAULTING_IP:
       nt!MiValidateImagePages+339
       fffff800`028677a9 498b8d88000000 mov rcx,qword ptr [r13+88h]

       EXCEPTION_PARAMETER1: 0000000000000000

       EXCEPTION_PARAMETER2: 0000000000000088

       READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ab8100
        0000000000000088

       CUSTOMER_CRASH_COUNT: 1

       DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

       BUGCHECK_STR: 0x1E

       PROCESS_NAME: svchost.exe

       CURRENT_IRQL: 0

       TRAP_FRAME: fffff88003af7fa0 -- (.trap 0xfffff88003af7fa0)
       NOTE: The trap frame does not contain all registers.
       Some register values may be zeroed or incorrect.
       rax=fffffa8000d471b0 rbx=0000000000000000 rcx=fffff800029fbe80
       rdx=0000058000000000 rsi=0000000000000000 rdi=0000000000000000
       rip=fffff800028677a9 rsp=fffff88003af8130 rbp=fffff820079345f8
        r8=fffffa8000000008 r9=fffffa8003a03200 r10=0000000000000000
       r11=fffff88003af8128 r12=0000000000000000 r13=0000000000000000
       r14=0000000000000000 r15=0000000000000000
       iopl=0 nv up ei pl zr na po nc
       nt!MiValidateImagePages+0x339:
       fffff800`028677a9 498b8d88000000 mov rcx,qword ptr [r13+88h] ds:00000000`00000088=????????????????
       Resetting default scope

       LAST_CONTROL_TRANSFER: from fffff800028d1588 to fffff80002885c40

       STACK_TEXT:
       fffff880`03af7718 fffff800`028d1588 : 00000000`0000001e ffffffff`c0000005 fffff800`028677a9 00000000`00000000 : nt!KeBugCheckEx
       fffff880`03af7720 fffff800`028852c2 : fffff880`03af7ef8 00000000`00046d09 fffff880`03af7fa0 fffff8a0`079345f8 : nt! ?? ::FNODOBFM::`string'+0x4977d
       fffff880`03af7dc0 fffff800`02883e3a : 00000000`00000000 00000000`00000088 fffff880`02b56300 00000000`00046d09 : nt!KiExceptionDispatch+0xc2
       fffff880`03af7fa0 fffff800`028677a9 : fffffa80`035525d0 00000000`00000002 fffff8a0`00000001 fffffa80`035525d0 : nt!KiPageFault+0x23a
       fffff880`03af8130 fffff800`02b61d21 : fffffa80`06770cc0 fffff6fc`40069b70 fffff8a0`00000002 00000000`00000000 : nt!MiValidateImagePages+0x339
       fffff880`03af81e0 fffff800`02b61e60 : ffffffff`ffffffff 00000000`00000001 fffff8a0`07940000 00000000`000000bc : nt!MiSwitchBaseAddress+0x61
       fffff880`03af8210 fffff800`02b829ff : 00000000`00000004 00000000`00000080 00000000`01000000 00000000`01000000 : nt!MiRelocateImageAgain+0x100
       fffff880`03af8260 fffff800`02b61596 : fffff880`03af84b0 fffff880`03af8700 fffff880`03af8558 fffff880`03af84a8 : nt!MmCreateSection+0x2df
       fffff880`03af8460 fffff800`02ce29c3 : 00000000`00000000 fffff8a0`01ca0240 00000000`00000000 00000000`00000001 : nt!NtCreateSection+0x171
       fffff880`03af84e0 fffff800`02ce2f51 : 00000000`00000000 fffff8a0`01ca0240 fffffa80`05994a40 fffff880`00000060 : nt!PfpFileBuildReadSupport+0x163
       fffff880`03af85d0 fffff800`02ceb06e : fffff8a0`00000000 fffff8a0`00000098 fffff8a0`000000b3 fffff8a0`00000000 : nt!PfpPrefetchFilesTrickle+0x121
       fffff880`03af86d0 fffff800`02cebc07 : 00000000`00000000 fffff880`03af8b60 fffff880`03af88c8 fffff8a0`00ec9060 : nt!PfpPrefetchRequestPerform+0x30e
       fffff880`03af8820 fffff800`02cf81de : fffff880`03af88c8 00000000`00000001 fffffa80`061b08b0 00000000`00000000 : nt!PfpPrefetchRequest+0x176
       fffff880`03af8890 fffff800`02cfca0a : 00000000`00000000 00000000`0000004f 00000000`00000000 fffffa80`05ebd901 : nt!PfSetSuperfetchInformation+0x1ad
       fffff880`03af8970 fffff800`02884ed3 : fffffa80`07062510 00000000`00000000 00000000`00000001 00000000`00000001 : nt!NtSetSystemInformation+0xc8d
       fffff880`03af8ae0 00000000`76de2a0a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
       00000000`00a0fa38 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76de2a0a

       STACK_COMMAND: kb

       FOLLOWUP_IP:
       nt!MiValidateImagePages+339
       fffff800`028677a9 498b8d88000000 mov rcx,qword ptr [r13+88h]

       SYMBOL_STACK_INDEX: 4

       SYMBOL_NAME: nt!MiValidateImagePages+339

       FOLLOWUP_NAME: MachineOwner

       MODULE_NAME: nt

       DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3

       IMAGE_NAME: memory_corruption

       FAILURE_BUCKET_ID: X64_0x1E_nt!MiValidateImagePages+339

       BUCKET_ID: X64_0x1E_nt!MiValidateImagePages+339

       Followup: MachineOwner
       ---------
    1. Possible cause is Drivers...
    2. Caused by your file system driver for your hard disk. Other possible causes are Memory problems... Graphics card memory problems... BIOS... Corrupted hard disk file system... Corrupted System Files... Missing Windows Updates... Drivers...
    3. Possible causes are Memory problems... Corrupted hard disk file system... Corrupted System Files... BIOS... Lack of Windows updates... Antivirus Software... Backup... Hardware...
    4. Possible causes are Memory problems... Viruses... Corrupted hard disk file system... Corrupted System Files... Lack of Windows updates... Drivers...
      Thanks to JMH for helping with my understanding of this crash.


    Thanks to Dave76 for help understanding possible causes.



    We will start with the common problems first (see bold possible causes). Do the following steps and test after each to see if stability increases (the memory tests you can run concurrently as they will not increase stability unless you are forced to move modules around). Post back your results after each step, and if you get a blue screen crash, upload the files again and await further instructions after we are able to analyze the crash.

    • If you are overclocking any hardware, please stop.


    • Run Disk Check with both boxes checked for all HDDs and with Automatically fix file system errors checked for all SSDs. Post back your logs for the checks after finding them using Check Disk (chkdsk) - Read Event Viewer Log


    • Run the boot version of Memtest86+ paying close attention to Parts 2 and 3 of the tutorial. Also, in case Memtest86+ misses anything and comes up with no errors, run the extended version of the Windows Memory Diagnostics Tool for at least five passes. These you may want to run overnight since they take a long time to complete (run them an hour before bed each of the next two nights and check before going to sleep that they are still running).

      If you swap any memory components, follow these steps for ESD safety:
      1. Shut down and turn off your computer.
      2. Unplug all power supplies to the computer (AC Power then battery for laptops, AC power for desktops)
      3. Hold down the power button for 30 seconds to close the circuit and ensure all power drains from components.
      4. Make sure you are grounded by using proper grounding techniques, i.e. work on an anti-static workbench, anti-static desk, or an anti-static pad. Hold something metallic while touching it to the anti-static surface, or use an anti-static wristband to attach to the anti-static material while working.

      Once these steps have been followed, it is safe to remove and replace components within your computer.


    • An underlying driver may be incompatible\conflicting with your system. Run Driver Verifier to find any issues. To run Driver Verifier, do the following:
      a. Backup your system and user files
      b. Create a system restore point
      c. If you do not have a Windows 7 DVD, Create a system repair disc
      d. Run Driver Verifier

      If Windows cannot start in normal mode with driver verifier running, start in safe mode. If it cannot start in safe mode or normal mode, restore the system restore point using System Restore OPTION TWO.

      Thanks to zigzag3143 for contributing to the Verifier steps.
      If you are unable to start Windows with all drivers being verified or if the blue screen crashes fail to create .dmp files, run them in groups of 5 or 10 until you find a group that causes blue screen crashes and stores the blue screen .dmp files.
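The cross-dump comparison done by eye in the post above, as an added example that is not part of the original thread: it pulls the summary fields out of pasted WinDbg output (even when the paste has lost its line breaks) and checks whether the crashes keep naming one module or scatter across unrelated ones. The function names, the 0.75 threshold and the verdict rule are this example's own rule of thumb, not something the debugger or the posters define.

```python
import re
from collections import Counter

# Constructed sample: summary fields copied from the four analyses in this
# thread (paths shortened to file names), flattened onto one line the way a
# scraped forum page presents them.
SAMPLE = (
    "Loading Dump File [020212-15865-01.dmp] System Uptime: 0 days 0:23:46.743 "
    "BugCheck 19, {22, 2100000000, 0, 0} Probably caused by : win32k.sys "
    "( win32k!bDeleteBrush+274 ) PROCESS_NAME: MainConsole.ex "
    "Loading Dump File [020112-14086-01.dmp] System Uptime: 0 days 1:22:24.802 "
    "BugCheck 50, {fffffad8044c8820, 1, fffff8800120dcff, 5} Could not read "
    "faulting driver name Probably caused by : Ntfs.sys "
    "( Ntfs!NtfsRemoveClose+83 ) PROCESS_NAME: System "
    "Loading Dump File [013112-15927-01.dmp] System Uptime: 0 days 0:02:08.732 "
    "BugCheck A, {babb4038, 2, 0, fffff800028b34b2} Probably caused by : "
    "memory_corruption ( nt!MiResolveProtoPteFault+142 ) "
    "PROCESS_NAME: WmiPrvSE.exe "
    "Loading Dump File [013112-19546-01.dmp] System Uptime: 0 days 14:36:02.012 "
    "BugCheck 1E, {ffffffffc0000005, fffff800028677a9, 0, 88} Probably caused "
    "by : memory_corruption ( nt!MiValidateImagePages+339 ) "
    "PROCESS_NAME: svchost.exe"
)

DUMP_RE = re.compile(r"Loading Dump File \[([^\]]+)\]")
BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
CAUSE_RE = re.compile(r"Probably caused by\s*:\s*(\S+)\s*\(\s*(.*?)\s*\)")
PROCESS_RE = re.compile(r"PROCESS_NAME:\s*(\S+)")
UPTIME_RE = re.compile(r"System Uptime:\s*(\d+) days (\d+):(\d+):(\d+)")


def split_reports(text):
    """Split pasted debugger output into one chunk per dump file."""
    chunks = re.split(r"(?=Loading Dump File \[)", text)
    return [c for c in chunks if BUGCHECK_RE.search(c)]


def parse_report(chunk):
    """Extract the bugcheck summary fields from one dump's output."""
    bc = BUGCHECK_RE.search(chunk)
    cause = CAUSE_RE.search(chunk)
    dump = DUMP_RE.search(chunk)
    proc = PROCESS_RE.search(chunk)
    up = UPTIME_RE.search(chunk)
    uptime = None
    if up:
        days, hours, minutes, seconds = map(int, up.groups())
        uptime = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return {
        "dump": re.split(r"[\\/]", dump.group(1))[-1] if dump else None,
        "code": int(bc.group(1), 16),                       # bugcheck code is hex
        "args": [int(a, 16) for a in bc.group(2).split(",")],
        "module": cause.group(1) if cause else "unknown",
        "symbol": cause.group(2) if cause else None,
        "process": proc.group(1) if proc else None,
        "uptime_s": uptime,
    }


def triage(reports):
    """Rule of thumb (assumption): one repeated module vs. scattered victims."""
    if not reports:
        return {"verdict": "inconclusive", "modules": {}, "codes": []}
    modules = Counter(r["module"] for r in reports)
    codes = sorted({r["code"] for r in reports})
    top, hits = modules.most_common(1)[0]
    if (len(reports) >= 3 and top != "memory_corruption"
            and hits / len(reports) >= 0.75):
        verdict = "consistent"    # same driver keeps faulting: look at it first
    elif len(modules) >= 3 or "memory_corruption" in modules:
        verdict = "scattered"     # unrelated victims: test RAM, run Driver Verifier
    else:
        verdict = "inconclusive"  # too few crashes to see a pattern
    return {"verdict": verdict, "modules": dict(modules), "codes": codes}


def analyze(text):
    """Parse every dump in the pasted text and return (reports, triage result)."""
    reports = [parse_report(c) for c in split_reports(text)]
    return reports, triage(reports)


if __name__ == "__main__":
    parsed, result = analyze(SAMPLE)
    for r in parsed:
        print(f"{r['dump']}: 0x{r['code']:X} {r['module']} ({r['process']})")
    print(result["verdict"], result["modules"])
```
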


  3. Posts : 28
    Windows 7 64 and 32 Embedded
    Thread Starter
       #3

    Thanks for all the help =)
    Memtest came up clean; I ran it all weekend.
    Now I have had verifier running since yesterday and no crash yet.
    I updated some drivers too, graphics and LAN.
    I'll let it go until it breaks, if it does.


  4. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #4

    Alright, post back after you've had a few crashes with Verifier running. That will allow us to determine any patterns between crashes.


    Did you have any crashes with Verifier enabled?
    Last edited by writhziden; 14 Mar 2012 at 09:24. Reason: Update?


  5. Posts : 28
    Windows 7 64 and 32 Embedded
    Thread Starter
       #5

    No crashes =), maybe the driver updates fixed the issue.


  6. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #6

    Great! Feel free to mark the thread solved. :)


  7. Posts : 28
    Windows 7 64 and 32 Embedded
    Thread Starter
       #7

    LOL didn't even know you could do that.
    Done now =)


  8. Posts : 11,269
    Windows 7 Home Premium 64 Bit
       #8

    Thank you. Glad your system is responding well to the new drivers. :)


 
