New
#11
Done reinstalling the 3 Realtek Drivers. When I ran the verifier again, it gave me the IRQL_NOT_LESS_ OR_EQUAL again.
What should I do? Shoulvd reinstall my OS?
Here are the new dump files, together with the old ones.
Done reinstalling the 3 Realtek Drivers. When I ran the verifier again, it gave me the IRQL_NOT_LESS_ OR_EQUAL again.
What should I do? Shoulvd reinstall my OS?
Here are the new dump files, together with the old ones.
Two out of the three new dumps are debuggable, and they both show the culprit as MBfilt64.sys, which again, is
Realtek HiDefinition Audio driver (file labelled as Creative Audio Driver).
You can reinstall the OS if you'd like, it's entirely up to you. However, realistically you should just have to uninstall Realtek's drivers from programs & features, restart, and then install the newer ones. I'd maybe give Driver Sweeper a try too to get rid of any old Realtek library files and the uninstallation.
I already reinstalled all the Realtek's drivers using the installers coming from their website. I'll try Driver Sweeper.
After cleaning Realtek's sound and rebooting, I got a BSoD.
Last edited by shriekyphantom; 24 Mar 2012 at 23:14.
Latest dump culprit labeled ntkrnlmp, which is more than unlikely the cause of the crash.
Enable Driver Verifier:
Driver Verifier:
Read the following to enable Driver Verifier. Use Driver Second if Memtest finds nothing, as it's likely a software / driver issue, we just aren't being told what it is, and hopefully Driver Verifier will than force a crash if it finds the violating driver.
Before enabling Driver Verifier, my recommendation is to set a backup / restore point as in severe cases Driver Verifier can break your Windows. If you have difficulty getting into Windows, boot into Safe Mode and disable Driver Verifier there.
Code:Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\Users\Icarus\Downloads\032512-27003-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: http://msdl.microsoft.com/download/symbols Executable search path is: Windows 7 Kernel Version 7600 MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7600.16385.amd64fre.win7_rtm.090713-1255 Machine Name: Kernel base = 0xfffff800`02e0f000 PsLoadedModuleList = 0xfffff800`0304ce50 Debug session time: Sat Mar 24 23:28:20.236 2012 (UTC - 4:00) System Uptime: 0 days 0:00:40.625 Loading Kernel Symbols ............................................................... ................................................................ ..................................... Loading User Symbols Loading unloaded module list .... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 3B, {c0000005, fffff80002e5d7ff, fffff88009dc6a70, 0} Probably caused by : ntkrnlmp.exe ( nt!KiDeliverApc+a7 ) Followup: MachineOwner --------- 0: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* SYSTEM_SERVICE_EXCEPTION (3b) An exception happened while executing a system service routine. Arguments: Arg1: 00000000c0000005, Exception code that caused the bugcheck Arg2: fffff80002e5d7ff, Address of the instruction which caused the bugcheck Arg3: fffff88009dc6a70, Address of the context record for the exception that caused the bugcheck Arg4: 0000000000000000, zero. Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. FAULTING_IP: nt!KiDeliverApc+a7 fffff800`02e5d7ff 498b4a30 mov rcx,qword ptr [r10+30h] CONTEXT: fffff88009dc6a70 -- (.cxr 0xfffff88009dc6a70) rax=0000000000000002 rbx=fffffa800b464060 rcx=0000000000000001 rdx=0000000000000000 rsi=fffffa800b4640b0 rdi=0000000000000003 rip=fffff80002e5d7ff rsp=fffff88009dc7450 rbp=0000000000000000 r8=ff49fa800b4640b0 r9=0000000000000000 r10=ff49fa800b4640a0 r11=fffffa800b464060 r12=0000000000000001 r13=0000000000000000 r14=fffffa800bc27b30 r15=fffff88009dc7560 iopl=0 nv up ei ng nz na po cy cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010287 nt!KiDeliverApc+0xa7: fffff800`02e5d7ff 498b4a30 mov rcx,qword ptr [r10+30h] ds:002b:ff49fa80`0b4640d0=???????????????? Resetting default scope CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT BUGCHECK_STR: 0x3B PROCESS_NAME: explorer.exe CURRENT_IRQL: 2 LAST_CONTROL_TRANSFER: from 0000000000000000 to fffff80002e5d7ff STACK_TEXT: fffff880`09dc7450 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0xa7 FOLLOWUP_IP: nt!KiDeliverApc+a7 fffff800`02e5d7ff 498b4a30 mov rcx,qword ptr [r10+30h] SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!KiDeliverApc+a7 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntkrnlmp.exe DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600 STACK_COMMAND: .cxr 0xfffff88009dc6a70 ; kb FAILURE_BUCKET_ID: X64_0x3B_nt!KiDeliverApc+a7 BUCKET_ID: X64_0x3B_nt!KiDeliverApc+a7 Followup: MachineOwner ---------
I've got a new error with verifier running .
Dump files together with the old ones.
All of them are still A* bugcheck with MBfilt64.sys culprit. The newest one however points to dxgkrnl.sys, which is the DirectX Graphics Kernel. You can either repair or or ensure you're up to date by downloading this.
Regardless, we should not be constantly seeing this audio driver culprits if you've successfully removed them. You have uninstalled everything Realtek related, even gave cleaning Realtek with Driver Sweeper a try, correct? Well, you went ahead and installed the latest Realtek drivers for your system, right?
Dumps for reference:
Code:Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\Users\Icarus\Downloads\032712-26691-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: http://msdl.microsoft.com/download/symbols Executable search path is: Windows 7 Kernel Version 7600 MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7600.16385.amd64fre.win7_rtm.090713-1255 Machine Name: Kernel base = 0xfffff800`02e55000 PsLoadedModuleList = 0xfffff800`03092e50 Debug session time: Tue Mar 27 07:35:30.260 2012 (UTC - 4:00) System Uptime: 0 days 0:00:23.665 Loading Kernel Symbols ............................................................... ................................................................ ......... Loading User Symbols Loading unloaded module list ... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 3B, {c0000005, fffff8800530b541, fffff8800748ee90, 0} Probably caused by : dxgkrnl.sys ( dxgkrnl!DpiDispatchClose+45 ) Followup: MachineOwner --------- 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* SYSTEM_SERVICE_EXCEPTION (3b) An exception happened while executing a system service routine. Arguments: Arg1: 00000000c0000005, Exception code that caused the bugcheck Arg2: fffff8800530b541, Address of the instruction which caused the bugcheck Arg3: fffff8800748ee90, Address of the context record for the exception that caused the bugcheck Arg4: 0000000000000000, zero. Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. FAULTING_IP: dxgkrnl!DpiDispatchClose+45 fffff880`0530b541 ffd0 call rax CONTEXT: fffff8800748ee90 -- (.cxr 0xfffff8800748ee90) rax=0004000000000000 rbx=0000000000000000 rcx=fffffa800b66b200 rdx=fffff98024fd8ee0 rsi=fffff98024fd8ee0 rdi=fffffa800b66b200 rip=fffff8800530b541 rsp=fffff8800748f870 rbp=fffffa800b66b350 r8=fffffa800a9f9610 r9=fffff98024fd8fb0 r10=fffff8000335bbb0 r11=fffffa800a31cb40 r12=0000000000000000 r13=0000000000000000 r14=fffffa800b66b200 r15=0000000000000000 iopl=0 nv up ei pl nz na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00210206 dxgkrnl!DpiDispatchClose+0x45: fffff880`0530b541 ffd0 call rax {00040000`00000000} Resetting default scope CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP BUGCHECK_STR: 0x3B PROCESS_NAME: csrss.exe CURRENT_IRQL: 0 LAST_CONTROL_TRANSFER: from 0000000000000000 to fffff8800530b541 STACK_TEXT: fffff880`0748f870 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : dxgkrnl!DpiDispatchClose+0x45 FOLLOWUP_IP: dxgkrnl!DpiDispatchClose+45 fffff880`0530b541 ffd0 call rax SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: dxgkrnl!DpiDispatchClose+45 FOLLOWUP_NAME: MachineOwner MODULE_NAME: dxgkrnl IMAGE_NAME: dxgkrnl.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc590 STACK_COMMAND: .cxr 0xfffff8800748ee90 ; kb FAILURE_BUCKET_ID: X64_0x3B_VRF_dxgkrnl!DpiDispatchClose+45 BUCKET_ID: X64_0x3B_VRF_dxgkrnl!DpiDispatchClose+45 Followup: MachineOwner --------- Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\Users\Icarus\Downloads\032512-16848-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: http://msdl.microsoft.com/download/symbols Executable search path is: Windows 7 Kernel Version 7600 MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7600.16385.amd64fre.win7_rtm.090713-1255 Machine Name: Kernel base = 0xfffff800`02c18000 PsLoadedModuleList = 0xfffff800`02e55e50 Debug session time: Sat Mar 24 12:45:34.074 2012 (UTC - 4:00) System Uptime: 0 days 0:00:22.479 Loading Kernel Symbols ............................................................... ................................................................ .... Loading User Symbols Loading unloaded module list ... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck A, {0, 2, 0, fffff80002c8e0b6} Unable to load image \SystemRoot\system32\drivers\MBfilt64.sys, Win32 error 0n2 *** WARNING: Unable to verify timestamp for MBfilt64.sys *** ERROR: Module load completed but symbols could not be loaded for MBfilt64.sys Probably caused by : MBfilt64.sys ( MBfilt64+1817 ) Followup: MachineOwner --------- 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: 0000000000000000, memory referenced Arg2: 0000000000000002, IRQL Arg3: 0000000000000000, bitfield : bit 0 : value 0 = read operation, 1 = write operation bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status) Arg4: fffff80002c8e0b6, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ec00e0 0000000000000000 CURRENT_IRQL: 2 FAULTING_IP: nt!KeSetEvent+226 fffff800`02c8e0b6 488b09 mov rcx,qword ptr [rcx] CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP BUGCHECK_STR: 0xA PROCESS_NAME: System TRAP_FRAME: fffff88003324a50 -- (.trap 0xfffff88003324a50) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=fffff880065b32d0 rbx=0000000000000000 rcx=0000000000000000 rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000 rip=fffff80002c8e0b6 rsp=fffff88003324be0 rbp=0000000000000000 r8=0000000000000000 r9=0000000000000100 r10=0000000000000000 r11=0000000000010725 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na po cy nt!KeSetEvent+0x226: fffff800`02c8e0b6 488b09 mov rcx,qword ptr [rcx] ds:4c10:00000000`00000000=???????????????? Resetting default scope LAST_CONTROL_TRANSFER: from fffff80002c89469 to fffff80002c89f00 STACK_TEXT: fffff880`03324908 fffff800`02c89469 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx fffff880`03324910 fffff800`02c880e0 : 00000000`00000160 fffff880`065b32c8 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69 fffff880`03324a50 fffff800`02c8e0b6 : fffffa80`0b625002 fffffa80`0b6250e0 00000000`00000000 fffff980`032b8ea0 : nt!KiPageFault+0x260 fffff880`03324be0 fffff880`077a9817 : fffff880`00000000 fffff980`00000008 fffff800`02e36400 fffffa80`0b3e4cb0 : nt!KeSetEvent+0x226 fffff880`03324c50 fffff880`00000000 : fffff980`00000008 fffff800`02e36400 fffffa80`0b3e4cb0 fffffa80`0b6250e0 : MBfilt64+0x1817 fffff880`03324c58 fffff980`00000008 : fffff800`02e36400 fffffa80`0b3e4cb0 fffffa80`0b6250e0 fffff800`0312e2eb : 0xfffff880`00000000 fffff880`03324c60 fffff800`02e36400 : fffffa80`0b3e4cb0 fffffa80`0b6250e0 fffff800`0312e2eb fffffa80`0b6250e0 : 0xfffff980`00000008 fffff880`03324c68 fffffa80`0b3e4cb0 : fffffa80`0b6250e0 fffff800`0312e2eb fffffa80`0b6250e0 fffffa80`0b6250e0 : nt!ViVerifyFlags fffff880`03324c70 fffffa80`0b6250e0 : fffff800`0312e2eb fffffa80`0b6250e0 fffffa80`0b6250e0 fffff980`032b9000 : 0xfffffa80`0b3e4cb0 fffff880`03324c78 fffff800`0312e2eb : fffffa80`0b6250e0 fffffa80`0b6250e0 fffff980`032b9000 fffff980`032b8ea0 : 0xfffffa80`0b6250e0 fffff880`03324c80 fffff800`0312e36c : fffff800`02e364e0 00000000`00000080 fffffa80`069bc890 00000080`40000000 : nt!ViPendingCompleteAfterWait+0x7b fffff880`03324cc0 fffff800`02f2d166 : 442af701`57000001 10000000`80000004 0400fd00`43000000 00080000`00000000 : nt!ViPendingWorkerThread+0x2c fffff880`03324d00 fffff800`02c68486 : fffff880`009e9180 fffffa80`07662040 fffff880`009f3fc0 00000100`04000000 : nt!PspSystemThreadStartup+0x5a fffff880`03324d40 00000000`00000000 : fffff880`03325000 fffff880`0331f000 fffff880`033249d0 00000000`00000000 : nt!KxStartSystemThread+0x16 STACK_COMMAND: kb FOLLOWUP_IP: MBfilt64+1817 fffff880`077a9817 ?? ??? SYMBOL_STACK_INDEX: 4 SYMBOL_NAME: MBfilt64+1817 FOLLOWUP_NAME: MachineOwner MODULE_NAME: MBfilt64 IMAGE_NAME: MBfilt64.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4a7267b0 FAILURE_BUCKET_ID: X64_0xA_VRF_MBfilt64+1817 BUCKET_ID: X64_0xA_VRF_MBfilt64+1817 Followup: MachineOwner ---------
I've got the latest DirectX.
I 'll redo the one related with Realtek's.
I've got this error when I restarted, with Verifier off and after uninstalling Realtek's and after using the driver sweeper.
Latest dump points to the culprit as ntkrnlmp.exe, which is more than likely incorrect. We'll most likely need verifier enabled to get an analyzable dump.
I see. Well, I got a BSoD again when I just about to turn the verifier on and the laptop just opened.
Just after almost 10 hours after the BSoD above, I got again another one with Verifier on. After some time, BSoD again. BSoD again. OTL
BSoD for the fifth time.
First BSoD: 033112-25147-01.zip
Second BSoD: 033112-24632-01.zip
Thirs BSoD: 033112-22339-01.zip
4th BSoD: 033112-21637-01.rar
5th: 040112-21481-01.zip
Last edited by shriekyphantom; 31 Mar 2012 at 11:13.
Since you edited your post and didn't re-post, it didn't notify me that you ever updated this thread, my apologies!
Probable causes listed: 4x ntkrnlmp.exe dumps and 1x cdd.dll. All of these dumps are verifier enabled and are pointing to Microsoft files, normally it's very unlikely for Microsoft files to be actual causes because MS files are protected by the SFC (System File Checker).
Edit: Alright, I ran a !thread on one of the dumps, and it showed a culprit as ewusbnet.sys, which is the
Huawei DataCard USB PN driver. Please update this driver or uninstall it. Interestingly enough, running a !thread on every ntkrnmp.exe dump shows ewusbnet.sys as a culprit, but not on the cdd.dll dump.
If doing what I recommended for the driver above does not help, move onto this:
Run a chkdsk:
- Open the "Computer" window
- Right-click on the drive in question
- Select the "Tools" tab
- In the Error-checking area, click <Check Now>.
I'd also do a Memtest to ensure that your RAM is not an issue here. You're not getting any memory corruption / management causes, but it's just something to make sure isn't the issue here:
Memtest:
Read the following to test your memory for errors.
Dumps for reference:
Code:Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\Users\Icarus\Downloads\033112-21637-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: http://msdl.microsoft.com/download/symbols Executable search path is: Windows 7 Kernel Version 7600 MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7600.16385.amd64fre.win7_rtm.090713-1255 Machine Name: Kernel base = 0xfffff800`02e67000 PsLoadedModuleList = 0xfffff800`030a4e50 Debug session time: Sat Mar 31 09:55:57.390 2012 (UTC - 4:00) System Uptime: 0 days 0:17:22.420 Loading Kernel Symbols ............................................................... ................................................................ ............................................ Loading User Symbols Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck A, {fffff8000317c166, 2, 0, fffff80002f05f62} Probably caused by : ntkrnlmp.exe ( nt!RtlDispatchException+122 ) Followup: MachineOwner --------- 3: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* IRQL_NOT_LESS_OR_EQUAL (a) An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace. Arguments: Arg1: fffff8000317c166, memory referenced Arg2: 0000000000000002, IRQL Arg3: 0000000000000000, bitfield : bit 0 : value 0 = read operation, 1 = write operation bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status) Arg4: fffff80002f05f62, address which referenced memory Debugging Details: ------------------ READ_ADDRESS: GetPointerFromAddress: unable to read from fffff8000310f0e0 fffff8000317c166 CURRENT_IRQL: 2 FAULTING_IP: nt!RtlDispatchException+122 fffff800`02f05f62 410fb60c24 movzx ecx,byte ptr [r12] CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP BUGCHECK_STR: 0xA PROCESS_NAME: System TRAP_FRAME: fffff88003ac0710 -- (.trap 0xfffff88003ac0710) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=fffff800030f7348 rbx=0000000000000000 rcx=fffff8000317c1a4 rdx=fffff8000317c10c rsi=0000000000000000 rdi=0000000000000000 rip=fffff80002f05f62 rsp=fffff88003ac08a0 rbp=fffff88003ac1758 r8=0000000000002046 r9=0000000000002045 r10=fffff88003ac1d00 r11=fffff88003ac08e8 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl zr na po nc nt!RtlDispatchException+0x122: fffff800`02f05f62 410fb60c24 movzx ecx,byte ptr [r12] ds:285b:00000000`00000000=?? Resetting default scope LAST_CONTROL_TRANSFER: from fffff80002ed8469 to fffff80002ed8f00 STACK_TEXT: fffff880`03ac05c8 fffff800`02ed8469 : 00000000`0000000a fffff800`0317c166 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx fffff880`03ac05d0 fffff800`02ed70e0 : 00000000`0000e8b3 00000000`0000005a fffff800`03051e80 00000000`00000008 : nt!KiBugCheckDispatch+0x69 fffff880`03ac0710 fffff800`02f05f62 : fffff800`0317c166 fffff880`03ac08e8 fffff880`03ac1758 fffff880`02600000 : nt!KiPageFault+0x260 fffff880`03ac08a0 fffff800`02f131b5 : fffff880`03ac1758 fffff880`03ac0fb0 fffff880`00000000 fffffa80`0c19ab60 : nt!RtlDispatchException+0x122 fffff880`03ac0f80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x135 STACK_COMMAND: kb FOLLOWUP_IP: nt!RtlDispatchException+122 fffff800`02f05f62 410fb60c24 movzx ecx,byte ptr [r12] SYMBOL_STACK_INDEX: 3 SYMBOL_NAME: nt!RtlDispatchException+122 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntkrnlmp.exe DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600 FAILURE_BUCKET_ID: X64_0xA_VRF_nt!RtlDispatchException+122 BUCKET_ID: X64_0xA_VRF_nt!RtlDispatchException+122 Followup: MachineOwner --------- 3: kd> !thread GetPointerFromAddress: unable to read from fffff8000310f000 THREAD fffffa800c19ab60 Cid 0004.0588 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 3 Not impersonating GetUlongFromAddress: unable to read from fffff8000304db74 Owning Process fffffa8007423740 Image: System Attached Process N/A Image: N/A fffff78000000000: Unable to get shared data Wait Start TickCount 66821 Context Switch Count 44220 ReadMemory error: Cannot get nt!KeMaximumIncrement value. UserTime 00:00:00.000 KernelTime 00:00:00.000 Unable to load image \SystemRoot\system32\DRIVERS\ewusbnet.sys, Win32 error 0n2 *** WARNING: Unable to verify timestamp for ewusbnet.sys *** ERROR: Module load completed but symbols could not be loaded for ewusbnet.sys Win32 Start Address ewusbnet (0xfffff88002605f40) Stack Init fffff88003ac1d70 Current fffff88003ac1670 Base fffff88003ac2000 Limit fffff88003abc000 Call 0 Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site fffff880`03ac05c8 fffff800`02ed8469 : 00000000`0000000a fffff800`0317c166 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx fffff880`03ac05d0 fffff800`02ed70e0 : 00000000`0000e8b3 00000000`0000005a fffff800`03051e80 00000000`00000008 : nt!KiBugCheckDispatch+0x69 fffff880`03ac0710 fffff800`02f05f62 : fffff800`0317c166 fffff880`03ac08e8 fffff880`03ac1758 fffff880`02600000 : nt!KiPageFault+0x260 (TrapFrame @ fffff880`03ac0710) fffff880`03ac08a0 fffff800`02f131b5 : fffff880`03ac1758 fffff880`03ac0fb0 fffff880`00000000 fffffa80`0c19ab60 : nt!RtlDispatchException+0x122 fffff880`03ac0f80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x135 Loading Dump File [C:\Users\Icarus\Downloads\033112-25147-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: http://msdl.microsoft.com/download/symbols Executable search path is: Windows 7 Kernel Version 7600 MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7600.16385.amd64fre.win7_rtm.090713-1255 Machine Name: Kernel base = 0xfffff800`02e50000 PsLoadedModuleList = 0xfffff800`0308de50 Debug session time: Fri Mar 30 20:32:59.556 2012 (UTC - 4:00) System Uptime: 0 days 0:00:33.945 Loading Kernel Symbols ............................................................... ................................................................ ........................................ Loading User Symbols Loading unloaded module list .... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 1000007E, {ffffffffc0000005, fffff80002e9e7ff, fffff8800927e628, fffff8800927de80} Probably caused by : cdd.dll ( cdd!CDDPDEV::FlushGdiOutput+51 ) Followup: MachineOwner --------- 2: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: ffffffffc0000005, The exception code that was not handled Arg2: fffff80002e9e7ff, The address that the exception occurred at Arg3: fffff8800927e628, Exception Record Address Arg4: fffff8800927de80, Context Record Address Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. FAULTING_IP: nt!KiDeliverApc+a7 fffff800`02e9e7ff 498b4a30 mov rcx,qword ptr [r10+30h] EXCEPTION_RECORD: fffff8800927e628 -- (.exr 0xfffff8800927e628) ExceptionAddress: fffff80002e9e7ff (nt!KiDeliverApc+0x00000000000000a7) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000000 Parameter[1]: ffffffffffffffff Attempt to read from address ffffffffffffffff CONTEXT: fffff8800927de80 -- (.cxr 0xfffff8800927de80) rax=0000000000000002 rbx=fffffa800b512b60 rcx=0000000000000001 rdx=0000000000000000 rsi=fffffa800b512bb0 rdi=0000000000000000 rip=fffff80002e9e7ff rsp=fffff8800927e860 rbp=0000000000000000 r8=ff49fa800b512bb0 r9=0000000000000000 r10=ff49fa800b512ba0 r11=fffffa80073b5274 r12=0000000000000001 r13=0000000000000000 r14=fffffa800b4a9b30 r15=0000000000000000 iopl=0 nv up ei ng nz na po cy cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010287 nt!KiDeliverApc+0xa7: fffff800`02e9e7ff 498b4a30 mov rcx,qword ptr [r10+30h] ds:002b:ff49fa80`0b512bd0=???????????????? Resetting default scope CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT PROCESS_NAME: csrss.exe CURRENT_IRQL: 2 ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 0000000000000000 EXCEPTION_PARAMETER2: ffffffffffffffff READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030f80e0 ffffffffffffffff FOLLOWUP_IP: cdd!CDDPDEV::FlushGdiOutput+51 fffff960`006395a5 40f6c702 test dil,2 BUGCHECK_STR: 0x7E LAST_CONTROL_TRANSFER: from fffff80002e73ba9 to fffff80002e9e7ff STACK_TEXT: fffff880`0927e860 fffff800`02e73ba9 : 00000000`00000000 00000000`00000000 00000000`00000004 00000000`00000001 : nt!KiDeliverApc+0xa7 fffff880`0927e8e0 fffff800`02e57c7d : fffff900`c00c0020 00000000`00000000 00000000`00000000 00000000`00000001 : nt!KiCheckForKernelApcDelivery+0x25 fffff880`0927e910 fffff960`006395a5 : fffffa80`0b4d1830 ffffffff`fffd74ea 00000000`00000004 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4630d fffff880`0927e940 fffff960`00635c21 : ffffffff`fffd74ea 00000000`00000001 00000000`00000001 fffffa80`00000000 : cdd!CDDPDEV::FlushGdiOutput+0x51 fffff880`0927e970 fffff800`03165166 : 00000000`02b0ec59 fffffa80`0b512b60 00000000`00000080 fffffa80`0b4a9b30 : cdd!PresentWorkerThread+0x8b5 fffff880`0927ed00 fffff800`02ea0486 : fffff800`0303ae80 fffffa80`0b512b60 fffff800`03048c40 fffff880`0141ea90 : nt!PspSystemThreadStartup+0x5a fffff880`0927ed40 00000000`00000000 : fffff880`0927f000 fffff880`09279000 fffff880`0927e4b0 00000000`00000000 : nt!KxStartSystemThread+0x16 SYMBOL_STACK_INDEX: 3 SYMBOL_NAME: cdd!CDDPDEV::FlushGdiOutput+51 FOLLOWUP_NAME: MachineOwner MODULE_NAME: cdd IMAGE_NAME: cdd.dll DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bde94 STACK_COMMAND: .cxr 0xfffff8800927de80 ; kb FAILURE_BUCKET_ID: X64_0x7E_cdd!CDDPDEV::FlushGdiOutput+51 BUCKET_ID: X64_0x7E_cdd!CDDPDEV::FlushGdiOutput+51 Followup: MachineOwner --------- 2: kd> !thread GetPointerFromAddress: unable to read from fffff800030f8000 THREAD fffffa800b512b60 Cid 02a0.02d0 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 2 Not impersonating GetUlongFromAddress: unable to read from fffff80003036b74 Owning Process fffffa800b4a9b30 Image: csrss.exe Attached Process N/A Image: N/A fffff78000000000: Unable to get shared data Wait Start TickCount 2175 Context Switch Count 516 ReadMemory error: Cannot get nt!KeMaximumIncrement value. UserTime 00:00:00.000 KernelTime 00:00:00.000 Win32 Start Address cdd!PresentWorkerThread (0xfffff9600063536c) Stack Init fffff8800927ed70 Current fffff8800927e4b0 Base fffff8800927f000 Limit fffff88009279000 Call 0 Priority 14 BasePriority 14 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site fffff880`0927e860 fffff800`02e73ba9 : 00000000`00000000 00000000`00000000 00000000`00000004 00000000`00000001 : nt!KiDeliverApc+0xa7 fffff880`0927e8e0 fffff800`02e57c7d : fffff900`c00c0020 00000000`00000000 00000000`00000000 00000000`00000001 : nt!KiCheckForKernelApcDelivery+0x25 fffff880`0927e910 fffff960`006395a5 : fffffa80`0b4d1830 ffffffff`fffd74ea 00000000`00000004 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4630d fffff880`0927e940 fffff960`00635c21 : ffffffff`fffd74ea 00000000`00000001 00000000`00000001 fffffa80`00000000 : cdd!CDDPDEV::FlushGdiOutput+0x51 fffff880`0927e970 fffff800`03165166 : 00000000`02b0ec59 fffffa80`0b512b60 00000000`00000080 fffffa80`0b4a9b30 : cdd!PresentWorkerThread+0x8b5 fffff880`0927ed00 fffff800`02ea0486 : fffff800`0303ae80 fffffa80`0b512b60 fffff800`03048c40 fffff880`0141ea90 : nt!PspSystemThreadStartup+0x5a fffff880`0927ed40 00000000`00000000 : fffff880`0927f000 fffff880`09279000 fffff880`0927e4b0 00000000`00000000 : nt!KxStartSystemThread+0x16