Hi, thanks for the files.
I went through the dump files and apart from a few outdated drivers and security oriented software
conflicts, the bug check code is darting around which more often than not
indicates problems regarding the RAM (memory).
- Also take special note of bug check DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1), second from the bottom of the summaries posted below.
Testing the RAM:
Test and Diagnose RAM Issues with Memtest86+:
Tip
- Pay close attention to part 3 of the tutorial "If you have errors"
- Test the RAM with Memtest86+ for at least 7-10 passes. It may take up to 22 passes to find problems. Make sure to run it once after the system has been on for a few hours and is warm, and then also run it again when the system has been off for a few hours and is cold.
When done with the testing procedure take a picture and upload it here.
Code:
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050033
Arg3: 00000000000006f8
Arg4: fffff80002ec1001
Debugging Details:
------------------
BUGCHECK_STR: 0x7f_8
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: chrome.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80002ec1169 to fffff80002ec1bc0
STACK_TEXT:
fffff800`00ba4d28 fffff800`02ec1169 : 00000000`0000007f 00000000`00000008 00000000`80050033 00000000`000006f8 : nt!KeBugCheckEx
fffff800`00ba4d30 fffff800`02ebf632 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff800`00ba4e70 fffff800`02ec1001 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb2
00000000`00000000 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x1a6
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiDoubleFaultAbort+b2
fffff800`02ebf632 90 nop
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiDoubleFaultAbort+b2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 521ea035
FAILURE_BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2
BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2
Followup: MachineOwner
---------
Code:
MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000005001, The subtype of the bugcheck.
Arg2: fffff70001080000
Arg3: 000000000001d43b
Arg4: 0001d4310003a874
Debugging Details:
------------------
BUGCHECK_STR: 0x1a_5001
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: firefox.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80002eef5af to fffff80002e86b80
STACK_TEXT:
fffff880`0924b9c8 fffff800`02eef5af : 00000000`0000001a 00000000`00005001 fffff700`01080000 00000000`0001d43b : nt!KeBugCheckEx
fffff880`0924b9d0 fffff800`02e933fe : 00000000`00000001 00000000`1a34f000 fffff880`0924bc20 fffff680`000d1a78 : nt! ?? ::FNODOBFM::`string'+0x2993d
fffff880`0924bac0 fffff800`02e84cae : 00000000`00000001 00000000`1a34f000 00000000`00000001 00000000`0000004a : nt!MmAccessFault+0x5de
fffff880`0924bc20 00000000`6eeb604a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x16e
00000000`0024e378 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x6eeb604a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+2993d
fffff800`02eef5af cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+2993d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 51fb06cd
FAILURE_BUCKET_ID: X64_0x1a_5001_nt!_??_::FNODOBFM::_string_+2993d
BUCKET_ID: X64_0x1a_5001_nt!_??_::FNODOBFM::_string_+2993d
Followup: MachineOwner
Code:
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 0000000000000020, a pool block header size is corrupt.
Arg2: fffffa8006b25730, The pool entry we were looking for within the page.
Arg3: fffffa8006b25bc0, The next pool entry.
Arg4: 0000000004490015, (reserved)
Debugging Details:
------------------
BUGCHECK_STR: 0x19_20
POOL_ADDRESS: GetPointerFromAddress: unable to read from fffff800030b9100
GetUlongFromAddress: unable to read from fffff800030b91c0
fffffa8006b25730 Nonpaged pool
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: AvastSvc.exe
CURRENT_IRQL: 2
TAG_NOT_DEFINED_c000000f: FFFFF88003722FB0
LAST_CONTROL_TRANSFER: from fffff80002fb4cae to fffff80002e81b80
STACK_TEXT:
fffff880`03722ac8 fffff800`02fb4cae : 00000000`00000019 00000000`00000020 fffffa80`06b25730 fffffa80`06b25bc0 : nt!KeBugCheckEx
fffff880`03722ad0 fffff880`0139a7e1 : fffffa80`042a61a0 00000000`00000001 fffffa80`4c627249 00000000`00000000 : nt!ExDeferredFreePool+0x12da
fffff880`03722b80 fffff880`013a2476 : 00000000`00000002 fffff880`0484f353 fffff880`03722c40 00000000`00000100 : ataport!IdepFreeCrb+0x3d
fffff880`03722bb0 fffff880`0139ce32 : 00000000`00000002 00000000`00000000 fffffa80`00000000 00000000`00000100 : ataport!IdeCompleteCrb+0x2a
fffff880`03722be0 fffff880`013a5821 : fffffa80`042a61a0 fffffa80`06b25740 00000000`00000000 00000000`00000000 : ataport!IdeTranslateCompletedRequest+0x236
fffff880`03722d10 fffff880`013a5120 : fffffa80`042a61a0 00000000`00000000 fffffa80`042a61a0 00000000`00000000 : ataport!IdeProcessCompletedRequests+0x4d5
fffff880`03722e40 fffff800`02e8c30c : fffff880`009e8180 fffffa80`04882db0 fffffa80`042a6050 fffffa80`042a6118 : ataport!IdePortCompletionDpc+0x1a8
fffff880`03722f00 fffff800`02e84d15 : 00000000`00000000 fffffa80`0438c060 00000000`00000000 fffff880`013a4f78 : nt!KiRetireDpcList+0x1bc
fffff880`03722fb0 fffff800`02e84b2c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxRetireDpcList+0x5
fffff880`08f68be0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchInterruptContinue
STACK_COMMAND: kb
FOLLOWUP_IP:
ataport!IdepFreeCrb+3d
fffff880`0139a7e1 eb19 jmp ataport!IdepFreeCrb+0x58 (fffff880`0139a7fc)
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: ataport!IdepFreeCrb+3d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ataport
IMAGE_NAME: ataport.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 51fef9b5
FAILURE_BUCKET_ID: X64_0x19_20_ataport!IdepFreeCrb+3d
BUCKET_ID: X64_0x19_20_ataport!IdepFreeCrb+3d
Followup: MachineOwner
---------
Code:
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff880044d17c6, Address of the instruction which caused the bugcheck
Arg3: fffff880079c5ea0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
aswSP+f7c6
fffff880`044d17c6 48396b48 cmp qword ptr [rbx+48h],rbp
CONTEXT: fffff880079c5ea0 -- (.cxr 0xfffff880079c5ea0)
rax=fffff880045063f0 rbx=0000000100000001 rcx=00000000000002c8
rdx=0000000000000000 rsi=fffff880044cf300 rdi=0000000000000200
rip=fffff880044d17c6 rsp=fffff880079c6880 rbp=00000000000002c8
r8=fffffa80047466c0 r9=0000000000000088 r10=0000000000000001
r11=0000000000000000 r12=fffff880079c69c0 r13=0000000000000001
r14=0000000000000001 r15=fffffa80047495e0
iopl=0 nv up ei pl nz na po cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010207
aswSP+0xf7c6:
fffff880`044d17c6 48396b48 cmp qword ptr [rbx+48h],rbp ds:002b:00000001`00000049=????????????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: firefox.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 0000000000000000 to fffff880044d17c6
STACK_TEXT:
fffff880`079c6880 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : aswSP+0xf7c6
FOLLOWUP_IP:
aswSP+f7c6
fffff880`044d17c6 48396b48 cmp qword ptr [rbx+48h],rbp
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: aswSP+f7c6
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: aswSP
IMAGE_NAME: aswSP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4dc929b6
STACK_COMMAND: .cxr 0xfffff880079c5ea0 ; kb
FAILURE_BUCKET_ID: X64_0x3B_aswSP+f7c6
BUCKET_ID: X64_0x3B_aswSP+f7c6
Followup: MachineOwner
Code:
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc000001d, The exception code that was not handled
Arg2: fffff88000000000, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: fffffa8003f0d100, Parameter 1 of the exception
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.
FAULTING_IP:
+0
fffff880`00000000 ff ???
BUGCHECK_STR: 0x1E_c000001d
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: AvastSvc.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80002ed5a88 to fffff80002e8afc0
FAILED_INSTRUCTION_ADDRESS:
+0
fffff880`00000000 ff ???
STACK_TEXT:
fffff880`040baa88 fffff800`02ed5a88 : 00000000`0000001e ffffffff`c000001d fffff880`00000000 00000000`00000000 : nt!KeBugCheckEx
fffff880`040baa90 fffff800`02e8a642 : fffff880`040bb268 00000000`00000200 fffff880`040bb310 ffffffff`80004f20 : nt! ?? ::FNODOBFM::`string'+0x487ad
fffff880`040bb130 fffff800`02e8879f : fffff880`040bb310 00000000`00000000 fffffa80`03f0d000 00000000`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`040bb310 fffff880`00000000 : 00000000`00000200 ffffffff`80004f20 fffff8a0`00000005 00000000`000007ff : nt!KiInvalidOpcodeFault+0x11f
fffff880`040bb4a0 00000000`00000200 : ffffffff`80004f20 fffff8a0`00000005 00000000`000007ff fffff880`040bb5c8 : 0xfffff880`00000000
fffff880`040bb4a8 ffffffff`80004f20 : fffff8a0`00000005 00000000`000007ff fffff880`040bb5c8 00000000`00000000 : 0x200
fffff880`040bb4b0 fffff8a0`00000005 : 00000000`000007ff fffff880`040bb5c8 00000000`00000000 ffffffff`80004f20 : 0xffffffff`80004f20
fffff880`040bb4b8 00000000`000007ff : fffff880`040bb5c8 00000000`00000000 ffffffff`80004f20 ffffffff`800046d8 : 0xfffff8a0`00000005
fffff880`040bb4c0 fffff880`040bb5c8 : 00000000`00000000 ffffffff`80004f20 ffffffff`800046d8 00000000`00000000 : 0x7ff
fffff880`040bb4c8 00000000`00000000 : ffffffff`80004f20 ffffffff`800046d8 00000000`00000000 00000000`00000000 : 0xfffff880`040bb5c8
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+487ad
fffff800`02ed5a88 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+487ad
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 503f82be
FAILURE_BUCKET_ID: X64_0x1E_c000001d_BAD_IP_nt!_??_::FNODOBFM::_string_+487ad
BUCKET_ID: X64_0x1E_c000001d_BAD_IP_nt!_??_::FNODOBFM::_string_+487ad
Followup: MachineOwner
Code:
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000b824b48b48, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: 000000b824b48b48, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030fd100
GetUlongFromAddress: unable to read from fffff800030fd1c0
000000b824b48b48 Nonpaged pool
CURRENT_IRQL: 2
FAULTING_IP:
+0
000000b8`24b48b48 ?? ???
PROCESS_NAME: FlashPlayerPlu
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: CODE_CORRUPTION
BUGCHECK_STR: 0xD1
TRAP_FRAME: fffff80002ed0170 -- (.trap 0xfffff80002ed0170)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000002
rdx=0000000000000022 rsi=0000000000000000 rdi=0000000000000000
rip=000000b824b48b48 rsp=fffff80002ed0304 rbp=fffff880009e8180
r8=0000000000000029 r9=0000000000000000 r10=0000000000000000
r11=0000000000000064 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
000000b8`24b48b48 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002ec51a9 to fffff80002ec5c00
FAILED_INSTRUCTION_ADDRESS:
+0
000000b8`24b48b48 ?? ???
CHKIMG_EXTENSION: !chkimg -d !nt
604 errors : !nt (fffff80002ed0008-fffff80002ed02ff)
Code:
MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000005003, The subtype of the bugcheck.
Arg2: fffff70001080000
Arg3: 0000000000001127
Arg4: 00000fa30000224c
Debugging Details:
------------------
BUGCHECK_STR: 0x1a_5003
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: AvastSvc.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff88003c7a930 -- (.trap 0xfffff88003c7a930)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000ed0000
rdx=0000000000ec2000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800031aa512 rsp=fffff88003c7aac0 rbp=fffff88003c7aca0
r8=0000000000000000 r9=0000000000010000 r10=fffffa80033e99f0
r11=0000000000120189 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po cy
nt!NtReadFile+0x142:
fffff800`031aa512 0fb602 movzx eax,byte ptr [rdx] ds:00000000`00ec2000=??
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002e59700 to fffff80002ebfc00
STACK_TEXT:
fffff880`03c7a7c8 fffff800`02e59700 : 00000000`0000001a 00000000`00005003 fffff700`01080000 00000000`00001127 : nt!KeBugCheckEx
fffff880`03c7a7d0 fffff800`02ebdd2e : 00000000`00000000 00000000`00ec2000 00000000`00ec0000 fffffa80`04bd0f20 : nt! ?? ::FNODOBFM::`string'+0x45f7d
fffff880`03c7a930 fffff800`031aa512 : 00000000`0189e700 fffffa80`00000001 fffffa80`033e99f0 fffffa80`058f0601 : nt!KiPageFault+0x16e
fffff880`03c7aac0 fffff800`02ebee93 : ffffffff`ffffffff 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x142
fffff880`03c7abb0 00000000`72e62e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0189f0f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x72e62e09
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+45f7d
fffff800`02e59700 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+45f7d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5147d9c6
FAILURE_BUCKET_ID: X64_0x1a_5003_nt!_??_::FNODOBFM::_string_+45f7d
BUCKET_ID: X64_0x1a_5003_nt!_??_::FNODOBFM::_string_+45f7d
Followup: MachineOwner
---------