BSOD UNEXPECTED_KERNEL_MODE_TRAP (7f)


  1. Posts : 48
    Windows 7 Professional 32-bit
    Thread Starter
       #21

    I enabled verifier.exe, and I rebooted. Windows 7 immediately gave a BSOD, but the info on the screen was not there long enough for me to read it. I tried one more time, with the same results. Then I booted into safe mode and typed "verifier /reset". The system rebooted normally. I see no minidump nor full dump, and I see no eventlog entries with any diagnostic information. Is there a verifier log somewhere? What should I do next? In verifier I selected all options except Low Resources Simulation, and for the drivers I selected all non-MS drivers.

    --Barry Finkel

  2.    #22

    Well, we can establish that either Driver Verifier has found a driver loading at boot which is causing problems, but couldn't save the dump files because not all the necessary data structures etc. were loaded to save the dump files. Driver Verifier will produce a BSOD upon a problem, which basically is the log file.

    Boot into Safe Mode with Networking, and then report if any crashes occur within Safe Mode.


  3. Posts : 48
    Windows 7 Professional 32-bit
    Thread Starter
       #23

    I have been in safe mode for 1.5 hours, and the system has not crashed. I checked, and verifier is running. I will stay in safe mode for a while. I have opened all of the non-MS applications that I normally have open. I will have more details later.
    --Barry Finkel


  4. Posts : 48
    Windows 7 Professional 32-bit
    Thread Starter
       #24

    More Information via verifier.exe


    I decided that verifier.exe was not going to find anything in safe mode, because the other verifier BSODs occurred during startup. So, I took my camera and shot a video of Win 7 booting. Right after the four colors in the Win 7 logo come together, I had a BSOD:

    BAD_POOL_CALLER
    STOP: 0x000000C2 (0x00000009D, 0x00000419, 0x00000000, 0x865DC556)
    SmartDefragDriver.sys - Address 865DC556 base at 0x865DB000,
    DateStamp 4cedf7e3b

    As that driver is IObit, I opened a problem report with them. I will wait for their response. Via a Google search I saw lots of postings with this error, but none had a resolution that applied, or the problems were too old.

    As today is patch Tuesday, I will hold off testing for a few days, as I do not want to make too many changes at once.

    Further testing I want to do - 1) Run verifier.exe in safe mode and try SmartDefrag to see if I can get a dump. 2) Run verifier.exe but exclude SmartDefragDriver.sys and see what verifier.exe finds.

    --Barry Finkel
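
Added example, not part of the original posts: a small Python parser for the blue-screen text quoted in post #24. It computes the faulting address's offset inside the named driver and names the remaining parameters for bug check 0xC2 with parameter 1 = 0x9D, using the layout in Microsoft's bug check reference; the function names and the sample pool tags are constructed for illustration.

```python
import re

# Constructed sample: the blue-screen text exactly as quoted in post #24.
SCREEN = """BAD_POOL_CALLER
STOP: 0x000000C2 (0x00000009D, 0x00000419, 0x00000000, 0x865DC556)
SmartDefragDriver.sys - Address 865DC556 base at 0x865DB000,
DateStamp 4cedf7e3b"""

# Parameters 2-4 of bug check 0xC2 when parameter 1 is 0x9D (Microsoft's
# bug check reference: pool tag contains no letters or digits).
C2_9D_FIELDS = ("pool_type", "allocation_size", "caller_address")


def parse_stop_screen(text):
    """Return the bug check code, its four parameters and the module line."""
    stop = re.search(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)", text)
    mod = re.search(
        r"(\S+\.sys) - Address ([0-9A-Fa-f]+) base at 0x([0-9A-Fa-f]+)", text)
    if not stop or not mod:
        raise ValueError("not a recognisable STOP screen")
    params = [int(p.strip(), 16) for p in stop.group(2).split(",")]
    if len(params) != 4:
        raise ValueError("expected four bug check parameters")
    return {"code": int(stop.group(1), 16), "params": params,
            "module": mod.group(1), "address": int(mod.group(2), 16),
            "base": int(mod.group(3), 16)}


def triage(text):
    """Add the module-relative offset and, for 0xC2/0x9D, named parameters."""
    info = parse_stop_screen(text)
    info["offset"] = info["address"] - info["base"]
    if info["code"] == 0xC2 and info["params"][0] == 0x9D:
        info.update(zip(C2_9D_FIELDS, info["params"][1:]))
        # The allocation came from the named driver if the caller matches.
        info["caller_in_module"] = info["caller_address"] == info["address"]
    return info


def tag_has_letter_or_digit(tag: bytes) -> bool:
    """The property the 0x9D check requires of a 4-byte pool tag."""
    return any(b < 128 and chr(b).isalnum() for b in tag)


if __name__ == "__main__":
    r = triage(SCREEN)
    print(f"{r['module']}+{r['offset']:#x}, pool type {r['pool_type']:#x}")
    # Constructed tags, not taken from the driver discussed in the thread.
    print(tag_has_letter_or_digit(b"Sdfg"),
          tag_has_letter_or_digit(b"\x01\x02\x03\x04"))
```

The module-relative offset is the value to pass to a vendor, since the load base changes between boots.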

  5.    #25

    Personally, I would remove IOBit completely from your system.


  6. Posts : 48
    Windows 7 Professional 32-bit
    Thread Starter
       #26

    Here is a summary of verifier.exe:

    1) SmartDefragDriver.sys BSODs immediately, and my analysis of the BSOD screen says that the error should not be fatal. BAD_POOL_CALLER (c2). Parm 1 = 9D, and Parm 2 = x419. I have a support ticket open with iObit.

    2) KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e). IMAGE_NAME: WRkrn.sys. I have an open ticket with Webroot.

    3) I started verifier again this afternoon at 2PM (without SmartDefragDriver and WRkrn), and I will leave it running until the next BSOD.

    --Barry Finkel

  7.    #27

    Okay, thanks for the update :)


  8. Posts : 48
    Windows 7 Professional 32-bit
    Thread Starter
       #28

    A further update. I have experienced two more BSODs. One (9/13 13:12) was "NTFS_FILE_SYSTEM (24)", and I had experienced a similar BSOD (08/15 00:11). There were two more previously this year with my old motherboard. I did not look at the dump, and I assume that verifier.exe (which I am still running) was NOT the "cause". The other BSOD (09/14 13:34) was "DRIVER_CORRUPTED_EXPOOL (c5)"; this is my first BSOD with this symptom string, and I assume it was "caused" by verifier. I did not look at the windbg output in detail to find a possible driver name. I have uploaded a new SF_15-09-2013.zip file.
    --Barry Finkel

  9.    #29

    Code:
    BugCheck C5, {4, 2, 0, 82f3b495}
    
    Probably caused by : ntkrpamp.exe ( nt!ExFreePoolWithTag+9da )

    Code:
    aea8a9ec -- (.trap 0xffffffffaea8a9ec)
    ErrCode = 00000000
    eax=8b5478e0 ebx=82f506c0 ecx=8b5478e8 edx=00000000 esi=000001ff edi=8b547920
    eip=82f3b495 esp=aea8aa60 ebp=aea8aabc iopl=0         nv up ei ng nz ac pe cy
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010297
    nt!ExFreePoolWithTag+0x9da:
    82f3b495 8b5204          mov     edx,dword ptr [edx+4] ds:0023:00000004=????????

    We can see from the trap frame that an exception happened because a driver attempted to divide data by zero; this points further back to device driver issues.

    From a Stop 0x24 dump:

    Code:
    1: kd> !error 0xc0000005
    Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    The context of both dump files is similar: a driver has attempted to access an invalid memory address, which it either didn't have rights to or the MMU was able to translate.

    Have you removed those IOBit programs? Sorry for the really slow reply.
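
Added example, not part of the original posts: a Python sketch that reads the WinDbg lines quoted in post #29, names the four bug check 0xC5 arguments using the layout in Microsoft's bug check reference, and recomputes the memory operand of the faulting instruction from the trap-frame registers. The function and field names are constructed for illustration.

```python
import re

# Constructed sample: lines from the WinDbg output quoted in post #29.
DUMP = """BugCheck C5, {4, 2, 0, 82f3b495}
eax=8b5478e0 ebx=82f506c0 ecx=8b5478e8 edx=00000000 esi=000001ff edi=8b547920
eip=82f3b495 esp=aea8aa60 ebp=aea8aabc iopl=0         nv up ei ng nz ac pe cy
nt!ExFreePoolWithTag+0x9da:
82f3b495 8b5204          mov     edx,dword ptr [edx+4] ds:0023:00000004=????????"""

# Argument layout of bug check 0xC5 (DRIVER_CORRUPTED_EXPOOL).
C5_ARGS = ("memory_referenced", "irql", "is_write", "faulting_ip")


def analyse(text):
    """Cross-check the bug check arguments against the trap frame."""
    bc = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    # 32-bit general registers as printed by the debugger: eax=8b5478e0 ...
    regs = {name: int(val, 16) for name, val in
            re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    # Memory operand of the faulting instruction: [reg] or [reg+disp] (hex).
    op = re.search(r"\[(e[a-z]{2})([+-][0-9a-f]+)?\]", text)
    if not bc or not op or op.group(1) not in regs:
        raise ValueError("bug check line, registers or operand missing")
    values = [int(a.strip(), 16) for a in bc.group(2).split(",")]
    args = dict(zip(C5_ARGS, values))
    disp = int(op.group(2) or "0", 16)
    ea = (regs[op.group(1)] + disp) & 0xFFFFFFFF
    return {
        "bugcheck": int(bc.group(1), 16),
        **args,
        "base_register": op.group(1),
        "effective_address": ea,
        "address_matches_arg1": ea == args["memory_referenced"],
        "ip_matches_arg4": regs.get("eip") == args["faulting_ip"],
        # WinDbg prints ???????? when the target memory cannot be read.
        "unreadable": "=????????" in text,
    }


if __name__ == "__main__":
    for key, value in analyse(DUMP).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
```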


  10. Posts : 48
    Windows 7 Professional 32-bit
    Thread Starter
       #30

    I am not sure how to interpret your reply. I don't mind the slow response, as I was away from my computer for close to 4 days. You looked at the "DRIVER_CORRUPTED_EXPOOL (c5)" dump, and you said that it was probably caused by ntkrpamp.exe. What is that? Via a Google search I see lots of BSOD/ntkrpamp.exe problems. Is ntkrpamp a MS routine? Where is it found? I do not find it in my C:\Windows directory, nor in the Program Files directory. Is there evidence in the dump that tells what device driver is involved in this crash? I am still running verifier.

    I have not uninstalled IObit products, as I have no evidence that they are causing any of my BSODs. I had a verifier BSOD related to SmartDefragDriver.sys, and I have an open trouble ticket with IObit support. I looked at that BSOD, and I conclude that SmartDefrag is using an identifier that is not an alphanumeric string. This does not cause a problem with the code when it runs, but it immediately causes verifier to BSOD. I took that driver out of the verifier list.

    I had another verifier BSOD from wrkrn.sys (Webroot SecureAnywhere). Webroot had me uninstall WRSA and then install something (I do not know what the changes were). I got another verifier BSOD, so I am working with Webroot support on this set of BSODs.

    Sunday morning the system was running slowly; one process was using lots of CPU. So I started closing applications in preparation for a reboot. I closed Acrobat Reader, and I got a "MEMORY MANAGEMENT (1a)" BSOD. I have not done much with that dump, and I have not uploaded it. I want to figure out the ntkrpamp.exe problem first.

    --Barry Finkel


 