BSoD at random times, error 0x000000C4 (STOP): Ntfs.sys

Berbe · 04 Jan 2013

Hello,

I have been encountering some BSoD trouble in the recent past.
In the most recent crashed, the Ntfs.sys filename appeared on the BSoD (it was previously some other one).

Following, the BSoD Analysis tutorial, I grabbed the following information during the inspection of the most recent DMP file:

The initial 'Probably caused by' source was the ntoskrnl.exe binary
No analysis was available through '!analysis -v'
Having activated the 'Driver verifier', I restarted normally. The login screen appeared, but when I logged in, another BSoD appeared, but the dump didn't work (stuck, I rebooted forcefully). Still the Ntfs.sys file
I restarted again in normal mode, letting the system finish to work on the HDD (the little light stopped flashing intensively). When I logged, BSoD as before. Still the Ntfs.sys file
I restarted in Safe Mode, then I could log in without problem. No new DMP file existed in the Minidump directory, proof that the dump indeed didn't work at all.
I downloaded, burned and rebooted on the MemTest86+ software, making only 1 pass on the whole RAM, without error. I stopped there because I already have enough suspicions about some other hardware component...
Having rebooted under normal mode, I am now running Prime95, if by any chance that's useful...

Following what I encountered, I have strong evidence against my filesystem and maybe my HDD:

The system's filesystem driver crashes (Ntfs.sys)
When the verifier has been activated the system is unable to write to the disk (that's in coherence with a filesystem's crash: no access to it)
Filesystem is one of the most immediate thing used, the crash at login time probably means that an early faulty action has been done

I am still unsure about what precisely caused the error. It doesn't appear at boot time, not even at logon but at login. The OS has already made plenty of accesses and loaded a lot of stuff. It would mean something happens/is loaded in user space to trigger the error.

Is the filesystem or one of the HDD the source of the problem? Does a format would be useless/usefull? That's kinda huge thing to do, I do not want to waste time if it doesn't change anything.

In case this comes from the filesystem, here is some new information:
I defragmented my whole disks a few days ago, and I ran a 'chkdsk /f' on them after the first following Ntfs.sys BSoD. It seems some little space were in error, but I never launched that command before.
Would it be more of some faulty system's HDD (or the other one's) segment? Or kind of corrupted files on it?

I'd take any help and carefully weight advice :)

koolkat77 · 05 Jan 2013

Hi.

There are a few tools that can help us see the health status of the hard drive. Please do the following:

Perform a clean boot:

Troubleshoot Application Conflicts by Performing a Clean Startup

Upload a screenshot of your hard disk using CrystalDiskInfo:

Make a hard drive test from the hard drive manufacturers website:

Hard Drive Diagnostic Procedure

Hard drive test both short and long with:

SeaTools for Windows

Seatools for DOS as well:

SeaTools for DOS
SeaTools for DOS tutorial

A screenshot of the "Summary" tab of Speccy will also be useful:

Speccy - System Information - Free Download

NTFS errors can also be caused by VIRUS and ANTIVIRUS software.

What antivirus do you use?

Please upload your msinfo32.nfo file. To get this: Start Menu -> Type msinfo32 into the Search programs and files box -> When it opens, go to File, Save -> Save as msinfo32.nfo and save in a place you will remember -> Let it finish the process of gathering and saving the system info -> Right click the .nfo file, click send to compressed (zipped) folder -> Upload the .zip file here.

Please upload your msinfo32.txt file. To get this: Start Menu -> Type msinfo32 into the Search programs and files box -> When it opens, go to File, Export -> Save as msinfo32.txt and save in a place you will remember -> Let it finish the process of gathering and saving the system info -> Right click the .txt file, click send to compressed (zipped) folder -> Upload the .zip file here.

Perform a System File Check:

Click on the start
Type CMD on Search
Left click and Run as Administrator
Type SFC /scannow

Full tutorial here:

SFC /SCANNOW Command - System File Checker

Configure for Small Memory Dumps following this tutorial:

Dump Files - Configure Windows to Create on BSOD

Make scans with the following:

-Kaspersky TDSSKiller

Anti-rootkit utility TDSSKiller

-ESET online scanner

Free Online Virus Scanner | ESET

Look forward to the results.

If Driver verfier is enabled, please disable it for now.

Berbe · 05 Jan 2013

I took note of all that.

I already tried a few steps:

I configured Windows to make a clean boot (without startup software) and I reactivated drivers verifier to check if the BSoD was still happening. Good news: it doesn't. Seems maybe the problem came from somewhere else
I downloaded and installed CrystalDiskInfo and exported the informatio nfrom it. Lighter then pictures, I copied data with the provided function (Edit > Copy) to make a text file with all the information. You'll find that as attachement
I configured Windows to make small memory dumps and not kernel memory dumps anymore. I'll check information in those dumps at the next occurrence of a BSoD
I downloaded the drive testing utility from Seagatefor my HDD. I burned it and I am about to start the test

However, I am a bit reluctant to provide you with my msinfo32.txt file as is, since it contains basically a lot of personal information. Maybe am I paranoid, I have my own reasons. Is there a special part in it that is of your interest and that I could extract for you?

I am using the free Comodo antivirus, shipped with its Defense+ applications monitoring system. It has sometimes proved being a little intrusice, it's one of the leads to follow...
The AV is up-to-date, of course.

koolkat77 · 05 Jan 2013

The text file is hard to read. Can you please upload a snip?

As for .nfo. Don't worry there's no personal information there.

I need to see the list of installed programs so I can rule out some problematic ones.

Here's mine.

Berbe · 05 Jan 2013

I have been doing some work

I ran the SeaTool's 'Long test' on my Seagate primary drive (where the OS is installed). No error at all.
Since it took 1h 1/2, I didn't make the check for the other HDD. I install all my applciations on the first one anyway, the second one is storage.
I discovered something very interesting about the BSoD on boot with the drivers verifier: if I startup with every application and all services but one, the BSoD disappears. Then I activated that service only and deactivated all startup programs and other services and the BSoD came back.
The service is called ASLDR and it is the program from ASUS which captures hotkeys. No dump has ever been made with those ones.
I then used the whole day to seek on the ASUS support website every last version of every driver (the ones listed for my computer are old, probably the ones available when the model went out).
I tried again with the verifier but with the very same service triggers the very same behavior.
I just can't remove that service, or the vast majority of my keyboard shortcuts (screen luminosity, sound volume, keyboard lightning, diaporama mode, touchpad toggle, etc.) don't work anymore.
When booting without the service with the verifier, I tried something funny: going in the directory of the service binary and start it manually... Immediate BSoD, the same as before again.

The problem doesn't seem to be hardware anymore, but rather comes from some collision between the driver and something else. More seriously, I am really considering the ASLDR service driver to be crappy-coded...

You'll find the CrytalDiskInfo snapshot and a msinfo32 file attached

Berbe · 05 Jan 2013

Using my computer, I just triggerad a new BSoD, this time generating a small memory dump.

WinDBG says the probable responsible component could be 'GenuineIntel'.

No analysis available, could tell which driver were the cause, but I don't believe the processor to be responsible for that ;o)

Dumpe + sysinfo (both file generated at crash time) available as attachement.

koolkat77 · 05 Jan 2013

Well. That is a hardware error and I'd suggest you to go through this thread:

Stop 0x124 - what it means and what to try

Will be getting back with a few steps.

Code:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 124, {4, fffffa80041a0038, 0, 0}

Probably caused by : GenuineIntel

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

WHEA_UNCORRECTABLE_ERROR (124)
A fatal hardware error has occurred. Parameter 1 identifies the type of error
source that reported the error. Parameter 2 holds the address of the
WHEA_ERROR_RECORD structure that describes the error conditon.
Arguments:
Arg1: 0000000000000004, PCI Express Error
Arg2: fffffa80041a0038, Address of the WHEA_ERROR_RECORD structure.
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------


BUGCHECK_STR:  0x124_GenuineIntel

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  b

STACK_TEXT:  
fffff880`033fba78 fffff800`03615a3b : 00000000`00000124 00000000`00000004 fffffa80`041a0038 00000000`00000000 : nt!KeBugCheckEx
fffff880`033fba80 fffff800`031a7b13 : 00000000`00000001 fffffa80`0417cb10 00000000`00000000 fffffa80`0417c1b0 : hal!HalBugCheckSystem+0x1e3
fffff880`033fbac0 fffff880`0119dbcf : fffffa80`00000750 fffffa80`0417cb10 00000000`00000000 fffffa80`0419f010 : nt!WheaReportHwError+0x263
fffff880`033fbb20 fffff880`0119d5f6 : 00000000`00000000 fffff880`033fbc70 fffffa80`04161d80 fffff980`09641000 : pci!ExpressRootPortAerInterruptRoutine+0x27f
fffff880`033fbb80 fffff800`03095e1c : fffff880`033d3180 fffff880`033fbc70 fffffa80`04161d80 00000690`4ecbec01 : pci!ExpressRootPortInterruptRoutine+0x36
fffff880`033fbbf0 fffff800`03091ca2 : fffff880`033d3180 fffff880`00000001 00000000`00000001 fffff880`00000000 : nt!KiInterruptDispatch+0x16c
fffff880`033fbd80 00000000`00000000 : fffff880`033fc000 fffff880`033f6000 fffff880`033fbd40 00000000`00000000 : nt!KiIdleLoop+0x32


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: GenuineIntel

IMAGE_NAME:  GenuineIntel

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  X64_0x124_GenuineIntel_PCIEXPRESS

BUCKET_ID:  X64_0x124_GenuineIntel_PCIEXPRESS

Followup: MachineOwner
---------

koolkat77 · 06 Jan 2013

So here are a few:

Uninstall the following software:

Code:

Start Menu\Programs\COMODO	Public:Start Menu\Programs\COMODO	Public
Start Menu\Programs\COMODO\COMODO Antivirus	Public:Start Menu\Programs\COMODO\COMODO Antivirus	Public

Comodo Internet Security is not the best protection software.

Please uninstall it with Revo Uninstaller Free (In advanced mode so you can delete leftover registry entries)

Download Revo Uninstaller Freeware - Free and Full Download - Uninstall software, remove programs, solve uninstall problems

Daemon Tools:

Code:

Start Menu\Programs\DAEMON Tools Lite	Public:Start Menu\Programs\DAEMON Tools Lite	Public

Please uninstall DAEMON Tools. It uses a driver called sptd.sys which is known to cause BSODs in Windows 7. Uninstall the software using Add/Remove Programs. Reboot the system. Once the program is uninstalled, run sptd.sys uninstaller to remove the driver from your system.

As an alternative, many people recommend the use of Total Mounter or Magic ISO

Microsoft Security Essentials.

Recommended from a strict BSOD perspective, compatibility & stability compared to other antiviruses/internet security software. It is free and lightweight:-

Microsoft Security Essentials - Free Antivirus for Windows
- Malwarebytes : Malwarebytes Anti-Malware removes malware including viruses, spyware, worms and trojans, plus it protects your computer
  - Good and Free system security combination.

Warning

Do not start the free trial of Malware Bytes; remember to deselect that option when prompted.

Run a full scan with both (separately) once downloaded, installed and updated.

Reduce items at start-up. Nothing except anti-virus is required:

I hope you have already started following steps in the 124 thread, you will also have to check for a BIOS update:

Code:

Version du BIOS/Date	American Megatrends Inc. 207, 25/12/2009

A "stop 0x124" is fundamentally different to many other types of bluescreens because it stems from a hardware complaint.

Stop 0x124 minidumps contain very little practical information, and it is therefore necessary to approach the problem as a case of hardware in an unknown state of distress.

You can read more on this error and what to try here... Stop 0x124 - what it means and what to try Stop 0x124 - what it means and what to try

Let us know your feedback.

Berbe · 06 Jan 2013

koolkat77 said:

Comodo Internet Security is not the best protection software.

I wonder where you get that assumption from...

Basically, antivirus can't work by design, and if you ever got interested in the internals, in the constraints under which antivirus must work, you'd probably come to the same conclusion.

Comodo is actually a nice one, the best I ever used so far.
It is not magical, but I am satisfied with its efficiency, and it has a nice feature called Defense+, making premptive check on applications access requests and asking for your decision when its heuristics find those suspicious.
It's well balanced between intrusiveness and efficiency, as opposed to other AV I tested in the past, either useless (Avast, Symantec), heavy/slow/unefficient (Kaspersky), etc.

Plus, I don't believe Microsoft is a reference in the virus fight, it needs special skills and a high level of technicity. That's just not their field of expertise.
You'd think their major advantage is to comply perfectly to the specifications on the drivers level, but sometimes... you could be surprised.

=====

I reached another milestone in the trouble tracking.

I removed Comodo/Daemon Tools, I made sure the SPTD driver was removed by using the official SPTD driver tool to uninstall it and I rebooted.
I then triggered again the BSoD by starting the game I used to force the BSoD appearance (always happens in the following minutes). I am 'lucky' to be able to trigger it 'not that randomly'.
It crashed again.

koolkat77 said:

I hope you have already started following steps in the 124 thread, you will also have to check for a BIOS update:

Code:

Version du BIOS/Date    American Megatrends Inc. 207, 25/12/2009

You were right. I thought I had the last version, but I had 207, the latest was 208.
I updated my BIOS, made a complete power discharge (removed battery, emptied condensator, waiting a bit).

I then rebooted and tried that game... Haven't crashed so far. I'll try it a bit later to see if I can trigger the BSoD again. If I can't, I'll reinstall removed software and continue to test regularly. I'll keep you posted of the evolution on that point.

I also tried the verifier again. The ASLDR drive still produces a BSoD at login, one without any dump at all (that I told you about before). But when I start without that driver or without the verifier running, everything runs fine.
I can't remove it because that's the interface managing my Fn+* keys and it's already up-to-date. I guess we're stuck here.

Thanks for your help koolkat77, it has been appreciated very much.
I hope I'll be able to avoid seing that frightening screen in the near future.

koolkat77 · 06 Jan 2013

Berbe said:

I hope I'll be able to avoid seing that frightening screen in the near future.

Lets hope so.:)