Windows 7 Forums



Windows 7: ntoskrnl.exe problem

27 Jun 2013   #11
Arc

Microsoft Community Contributor Award Recipient

Microsoft Windows 10 Pro Insider Preview 64-bit
 
 

How long did you run it? How many passes?


27 Jun 2013   #12
Flory Robert

window7
 
 

For 3 hours and 4 passes.
27 Jun 2013   #13
Flory Robert

window7
 
 

Hope this may help. It's the system info and the minidump folder.

27 Jun 2013   #14
Vir Gnarus

Microsoft Community Contributor Award Recipient

Windows 7 64-bit
 
 

I may be wrong, but it looks like your system is infected, or an AV is doing something I don't know about. First thing is to scan for any potential threats. I recommend starting with Malwarebytes and providing us the log from it. If given the option to clean, do not do it.

Otherwise, turn on Driver Verifier since I noticed it was not on during these crashes. Read the entire article carefully.

Analysts:

0x109 bugchecks are showing up a corruption in the NT module. However, the name of the module is strange, being altered to nt_fffff80000b95000, where the address is its base address. I assume it got tagged with it in the name because there's already an existing module named nt. I am very confident there shouldn't be two nt modules present at one time. Even stranger is that they're both different nt module variants, and the suspect one either has no image header for it or has been paged out onto disk prior to the crash. The nt module doesn't page out its image header, however. You can tell by doing a !dh on the nt module and then locating the section header that's named .rsrc. If one of the flags is Discardable, it means it can be paged out. Otherwise, it sticks in memory as long as the image is loaded.

Or I could just be misinterpreting the whole output. I hope not.

Code:
2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
 or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
 debugger that was not attached when the system was booted. Normal breakpoints,
 "bp", can only be set if the debugger is attached at boot time. Hardware
 breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d89eba46f0, Reserved
Arg2: b3b7465ef13884b2, Reserved
Arg3: fffff80000b96bb0, Failure type dependent information
Arg4: 0000000000000006, Type of corrupted region, can be
    0 : A generic data region
    1 : Modification of a function or .pdata
    2 : A processor IDT
    3 : A processor GDT
    4 : Type 1 process list corruption
    5 : Type 2 process list corruption
    6 : Debug routine modification
    7 : Critical MSR modification

Debugging Details:
------------------

TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\modclass.ini, error 2

FAULTING_IP: 
nt_fffff80000b95000+1bb0
fffff800`00b96bb0 48895c2408      mov     qword ptr [rsp+8],rbx

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x109

PROCESS_NAME:  System

CURRENT_IRQL:  0

STACK_TEXT:  
fffff880`033c45d8 00000000`00000000 : 00000000`00000109 a3a039d8`9eba46f0 b3b7465e`f13884b2 fffff800`00b96bb0 : nt!KeBugCheckEx


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt_fffff80000b95000+1bb0
fffff800`00b96bb0 48895c2408      mov     qword ptr [rsp+8],rbx

SYMBOL_NAME:  nt_fffff80000b95000+1bb0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt_fffff80000b95000

IMAGE_NAME:  ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5149a99c

FAILURE_BUCKET_ID:  X64_0x109_6_nt_fffff80000b95000+1bb0

BUCKET_ID:  X64_0x109_6_nt_fffff80000b95000+1bb0

Followup: MachineOwner
---------

2: kd> lmsm
start             end                 module name

...

fffff800`03601000 fffff800`03be7000   nt         (pdb symbols)          c:\localsymbols\ntkrnlmp.pdb\4406EA3F2CE044878BDFDEF95E07708E2\ntkrnlmp.pdb
fffff800`00b95000 fffff800`00bb0000   nt_fffff80000b95000 T (no symbols)           

...

2: kd> lmvm nt_fffff80000b95000
start             end                 module name
fffff800`00b95000 fffff800`00bb0000   nt_fffff80000b95000 T (no symbols)           
    Loaded symbol image file: ntoskrnl.exe
    Image path: ntoskrnl.exe
    Image name: ntoskrnl.exe
    Timestamp:        Wed Mar 20 08:20:44 2013 (5149A99C)
    CheckSum:         00552B17
    ImageSize:        0001B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
2: kd> lmvm nt
start             end                 module name
fffff800`03601000 fffff800`03be7000   nt         (pdb symbols)          c:\localsymbols\ntkrnlmp.pdb\4406EA3F2CE044878BDFDEF95E07708E2\ntkrnlmp.pdb
    Loaded symbol image file: ntkrnlmp.exe
    Mapped memory image file: c:\localsymbols\ntoskrnl.exe\5147D9C65e6000\ntoskrnl.exe
    Image path: ntkrnlmp.exe
    Image name: ntkrnlmp.exe
    Timestamp:        Mon Mar 18 23:21:42 2013 (5147D9C6)
    CheckSum:         00552B17
    ImageSize:        005E6000
    File version:     6.1.7601.18113
    Product version:  6.1.7601.18113
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntkrnlmp.exe
    OriginalFilename: ntkrnlmp.exe
    ProductVersion:   6.1.7601.18113
    FileVersion:      6.1.7601.18113 (win7sp1_gdr.130318-1533)
    FileDescription:  NT Kernel & System
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

2: kd> !dh nt

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
    8664 machine (X64)
      18 number of sections
5147D9C6 time date stamp Mon Mar 18 23:21:42 2013

       0 file pointer to symbol table
       0 number of symbols
      F0 size of optional header
      22 characteristics
            Executable
            App can handle >2gb addresses

OPTIONAL HEADER VALUES
     20B magic #
    9.00 linker version
  47A400 size of code
   CFC00 size of initialized data
    3400 size of uninitialized data
  2B36F0 address of entry point
    1000 base of code
         ----- new -----
0000000140000000 image base
    1000 section alignment
     200 file alignment
       1 subsystem (Native)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
  5E6000 size of image
     600 size of headers
  552B17 checksum
0000000000080000 size of stack reserve
0000000000002000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
       0  DLL characteristics
  531000 [   109BC] address [size] of Export Directory
  5AB6C4 [      78] address [size] of Import Directory
  5AD000 [   35F48] address [size] of Resource Directory
  27D000 [   2FD90] address [size] of Exception Directory
  549600 [    1B58] address [size] of Security Directory
  5E3000 [    207C] address [size] of Base Relocation Directory
  1A1F00 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
  1AC000 [     380] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

...

SECTION HEADER #17
   .rsrc name
   35F48 virtual size
  5AD000 virtual address
   36000 size of raw data
  511400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)      //No 'Discardable' flag
         Read Only
...
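The `!dh` check described in post #14, as an added example that is not part of the original thread: a small Python parser that reads the section headers from `!dh` output and decodes each flags value against the PE section-characteristics bits. The `.rsrc` values are the ones posted above; the `INIT` header and the function names are constructed for illustration.

```python
import re

# Section characteristics bits from the PE/COFF specification (IMAGE_SCN_*).
SCN_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x02000000: "MEM_DISCARDABLE",
    0x08000000: "MEM_NOT_PAGED",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
DISCARDABLE = 0x02000000

# .rsrc header as posted in the thread; the INIT header is constructed
# sample input added only to show a section that does carry the flag.
SAMPLE_DH = """\
SECTION HEADER #17
   .rsrc name
   35F48 virtual size
  5AD000 virtual address
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #18
    INIT name
62000020 flags
"""

def parse_sections(dh_text):
    """Return {section name: flags value} from the section headers of !dh output."""
    sections, name = {}, None
    for line in dh_text.splitlines():
        m = re.match(r"\s*(\S+) name$", line.rstrip())
        if m:
            name = m.group(1)
            continue
        m = re.match(r"\s*([0-9A-Fa-f]{1,8}) flags$", line.rstrip())
        if m and name is not None:
            sections[name] = int(m.group(1), 16)
            name = None
    return sections

def decode(flags):
    """List the known characteristic names set in a flags value."""
    return [label for bit, label in SCN_FLAGS.items() if flags & bit]

def is_discardable(flags):
    return bool(flags & DISCARDABLE)

if __name__ == "__main__":
    for sec, flags in parse_sections(SAMPLE_DH).items():
        print(f"{sec:8} {flags:08X} discardable={is_discardable(flags)} {decode(flags)}")
```
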
27 Jun 2013   #15
x BlueRobot

 

Welcome to the forums Flory Robert,

Code:
BugCheck 109, {a3a039d89eba46f0, b3b7465ef13884b2, fffff80000b96bb0, 6}

*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Probably caused by : ntoskrnl.exe ( nt_fffff80000b95000+1bb0 )
Code:
Usual causes:  Device driver, Breakpoint set with no debugger attached, Hardware (Memory in particular)
The bugcheck indicates that kernel data has become corrupted; this can be due to device drivers or hardware failure such as RAM.

*Note* You need to run Memtest86+ for at least 9-10 passes, and preferably overnight. Each pass will run several different tests.

Remove:

Code:
Start Menu\Programs\Free Registry Cleaner
Removal Tool - Revo Uninstaller Pro - Uninstall Software, Remove Programs easily, Forced Uninstall, Leftovers Uninstaller

Windows 7 doesn't require any programs which make changes to the operating system and registry; these programs tend to cause problems by modifying and deleting files.
Quote:
Windows is a closed source system. Developers of registry cleaners do not have the core code of Windows 7 and are not working on definitive information, but rather they are going on past knowledge and experience. Automatic cleaners will usually have to do some guesswork.

Modifying registry keys incorrectly can cause Windows instability, or make Windows unbootable. No registry cleaner is completely safe and the potential is ever present to cause more problems than they claim to fix.

Registry cleaners cannot distinguish between good and bad. If you run a registry cleaner, it will delete all those keys which are obsolete and sitting idle; but in reality, those keys may well be needed by some programs or windows at a later time.

Windows 7 is much more efficient at managing the registry than previous Windows versions. If you run any other registry cleaner and do not know precisely what you are doing, you will have problems down the road. There are no gains to be had from using a registry cleaner and the risk is great.
Remove:

Code:
Start Menu\Programs\Driver Support
Programs which scan for drivers and then offer driver updates often install the wrong drivers, which are either corrupted or incompatible with your system. The best method is to visit the hardware vendor or manufacturer of your computer, and then obtain driver updates from their support page.

EDIT: Thanks for your input Vir

EDIT2: Regarding the !dh extension, is this blog post similar? http://analyze-v.com/?p=847