New
#1
Win7 BSODs; volsnap.sys identified; how diagnose and resolve?
My three-year old Dell Studio XPS desktop PC running Windows 7 x64 (with SP1) had become sluggish; so about two months ago, I formatted the HDD and then performed a new install. It had been working fine for about a month. Over the last few weeks, however, upon my unlocking the desktop I've been noticing that the system has unexpectedly rebooted. Upon the loading of my profile, Windows will inevitably display a message saying that a critical error occurred and that the system unexpectedly shutdown. Sometimes the system will lock-up right after I enter my credentials to unlock the desktop or even to log in.
The System log shows that the PC has unexpectedly rebooted about 20 times over the last three weeks. The following two error/critical events appear with each unexpected reboot:
Source: EventLog
Event ID: 6008
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Description: The previous system shutdown at ... was unexpected.
Source: Microsoft-Windows-Kernel-Power
Event ID: 41
Task Category: (63)
Level: Critical
Keywords: (2)
User: SYSTEM
Description: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
A surface scan of the HDD using SpinRite doesn't report any problems.
I had added memory to the system just prior to my performing the new install. I used MemTest86 utility over the past 36 hours, performing 10 passes; no errors were found.
All Windows Updates are installed.
SFC /SCANNOW reports "Windows Resource Protection did not find any integrity violations."
Full scans in MSE show the system to be clean. Various malware-detecting utilities report the system to be clean, too.
The BlueScreenView utility shows two mini-dump files: one associated with the earliest reboot listed in the System Log (it occurred about three weeks ago) and one associated with a reboot that occurred about a week ago. The PC has unexpectedly rebooted many times since then; not sure why no other dump files are present. For both mini-dump files, the Bug Check String is DRIVER_IRQL_NOT_LESS_OR_EQUAL, the Bug Check Code is 0x000000d1, and the Caused By Driver is volsnap.sys.
Upon analyzing the full memory dump file and the two mini-dump files, the "Who Crashed" utility vaguely reports: "This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high. This appears to be a typical software driver bug and is not likely to be caused by a hardware problem. The crash took place in a standard Microsoft module. Your system configuration may be incorrect. Possibly this problem is caused by another driver on your system that cannot be identified at this time."
I only have one restore point, dated today -- even though there is over 440 GB of drive space and the system is configured to use it. Not sure why there are no other restore points. I wonder if this is somehow related to the mention of the volsnap.sys driver associated with the unexpected reboots?
Since unchecking the System failure "Automatically restart" checkbox, I've seen a few of the BSOD's; they all reference volsnap.sys.
I considered using the Verifier tool but it didn't seem relevant -- since volsnap.sys is a Microsoft file.
Suspecting volsnap.sys and learning that it corresponds to the Volume Shadow Copy service, I stopped the service. A few minutes later, however, I noticed it had been started. I stopped the service again, numerous times, but it kept starting; not sure what's causing that. I have now stopped the service and have set it to "Disabled".
I have attached the SF_Diagnostic_Tool ZIP file.
Thank you for any suggestions as to how to diagnose and resolve this problem!
Last edited by cwaters; 10 Dec 2012 at 19:43.
Quote