
Windows 7: Plagued by random BSoDs

27 Aug 2015   #51
TruePikachu

Windows 7 Home Premium SP1 x64
 
 

It does not look like a hardware issue, working on the assumption that the RAM sticks are assigned in the order they are listed by SMBios. If the assumption holds true, then the 4GB stick would be assigned to 0`00100000..1`000FFFFF and the 2GB stick would be at 1`00100000..1`800FFFFF. Looking at my current progress of isolating the issue (by hand), we have corruption at:
Code:
VIRTUAL ADDRESS     P ADDRESS    CHANGE
fffff980`5603c6c6 = 1`197a66c6 : f1 -> ef
fffff980`5603c6ce = 1`197a66ce : f1 -> ef
fffff980`5603c6d6 = 1`197a66d6 : f1 -> ef
fffff980`5603c6de = 1`197a66de : f1 -> ef
fffff980`5603c6e6 = 1`197a66e6 : f1 -> ef
fffff980`5603c6ee = 1`197a66ee : f1 -> ef
fffff980`5603c6f6 = 1`197a66f6 : f1 -> ef
fffff980`5603c6fe = 1`197a66fe : f1 -> ef
fffff8a0`10fade6e = 1`1b73fe6e : ff -> 38
fffff8a0`10fade76 = 1`1b73fe76 : ff -> 05
fffff8a0`095bfe26 = 0`b73aae26 : ff -> 0c
fffff8a0`095bfe36 = 0`b73aae36 : ff -> 04
The last two rows of the table proper would be on the 4GB, versus the 2GB (working with the mentioned assumption). However, one can note that the low three bits of the address (either physical or virtual; the low 12 bits are always identical) are always 110b ≡ 0x6 or 0xe. This means that whatever is doing the spray is doing something like a `byte ptr [rax+6]` (where RAX is qword-aligned); I _might_ actually copy the most recent (6GB) memory dump to my Linux-based server box and write up a program which searches for any code which would refer to such a pointer. Maybe a smaller dump, actually, since driver code would be in the kernel memory area, right?
EDIT: Current physical address mask is 0_1___10_11_01___1___1______110b; I expect the higher bits to disappear as I do more analysis
EDIT: It simplifies to 110b, so it is almost certain that it is, in fact, spray from SOMEthing.


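Added example, not part of the original post: the bit-mask reasoning from post #51, run over the twelve table rows listed there. The function names are made up for illustration, and the DIMM ranges are the poster's stated SMBIOS-order assumption. Because only these twelve rows are used, more high bits stay fixed than in the poster's final 110b result.

```python
import re

# Corruption table copied from post #51: virtual = physical : old byte -> new byte.
TABLE = """
fffff980`5603c6c6 = 1`197a66c6 : f1 -> ef
fffff980`5603c6ce = 1`197a66ce : f1 -> ef
fffff980`5603c6d6 = 1`197a66d6 : f1 -> ef
fffff980`5603c6de = 1`197a66de : f1 -> ef
fffff980`5603c6e6 = 1`197a66e6 : f1 -> ef
fffff980`5603c6ee = 1`197a66ee : f1 -> ef
fffff980`5603c6f6 = 1`197a66f6 : f1 -> ef
fffff980`5603c6fe = 1`197a66fe : f1 -> ef
fffff8a0`10fade6e = 1`1b73fe6e : ff -> 38
fffff8a0`10fade76 = 1`1b73fe76 : ff -> 05
fffff8a0`095bfe26 = 0`b73aae26 : ff -> 0c
fffff8a0`095bfe36 = 0`b73aae36 : ff -> 04
"""
ROW = re.compile(r"([0-9a-f`]+) = ([0-9a-f`]+) : ([0-9a-f]{2}) -> ([0-9a-f]{2})")

def parse(table):
    """Return (virtual, physical, old, new) ints; ` is WinDbg's 32-bit separator."""
    return [tuple(int(g.replace("`", ""), 16) for g in m.groups())
            for m in ROW.finditer(table)]

def bit_mask(values, width):
    """'0' or '1' where every value agrees on that bit, '_' where the bit varies."""
    all_and = all_or = values[0]
    for v in values:
        all_and &= v
        all_or |= v
    return "".join("1" if (all_and >> b) & 1 else "_" if (all_or >> b) & 1 else "0"
                   for b in range(width - 1, -1, -1))

def stick_for(pa):
    """Map a physical address to a DIMM under the post's assumed SMBIOS ordering."""
    if 0x0_0010_0000 <= pa <= 0x1_000F_FFFF:
        return "4GB"
    if 0x1_0010_0000 <= pa <= 0x1_800F_FFFF:
        return "2GB"
    return "unmapped"

def analyse(table=TABLE):
    rows = parse(table)
    phys = [pa for _, pa, _, _ in rows]
    return {"mask": bit_mask(phys, 33),  # 33 bits cover the 1`xxxxxxxx addresses
            "same_page_offset": all((va & 0xFFF) == (pa & 0xFFF) for va, pa, _, _ in rows),
            "sticks": [stick_for(pa) for pa in phys]}
```

Feeding further corrupted addresses into `bit_mask` clears more of the fixed high bits; the trailing `110` is the part that survives.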
27 Aug 2015   #52
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit
 
 

I was reading through "this not sure why" but then noticed this is an 8 month old thread
27 Aug 2015   #53
TruePikachu

Windows 7 Home Premium SP1 x64
 
 

Hm, well I just confirmed that the spray is what causes Minecraft to crash when it is the JVM which dies. The error log file thing (since I can't manage to get Java to dump on crash) reports RDX=0x009d0006f1678120, and the crashing instruction was using RDX as a pointer. This was just after using RAX as a pointer to get the value into RDX.

Since I have no way to catch the JVM when it crashes, I can't check where it was in the grand scheme of things (either the kernel's virtual address or the system's physical address).

27 Aug 2015   #54
TruePikachu

Windows 7 Home Premium SP1 x64
 
 

And just proved it isn't a problem with any drivers that DriverView lists as 3rd party; even having them all either disabled (renamed to .sys.disabled) or reverted to the OEM version (for drivers which have one) results in a crash from spray.

The issue is either in ir41_qcx.dll (unlikely since it isn't loaded) or one of the 147 Microsoft drivers I have loaded right now. This can be reduced by knowing that it passed a run of SFC, so it is something which either SFC doesn't check, or provided initially through Windows Update (and never registered with SFC).

I do not look forward to getting checksums and versions for all of these verified against my friends. But I'm almost certain it has to be one of these.

EDIT: Wrote up a PowerShell script which would provide easily diff(1)able output. For the curious, it is at http://cdusto.selfip.com/getVersionAndMD5.ps1

EDIT: First run, checking against a different local Win7x64 machine, says that apisetschema.dll, cdd.dll, ksecdd.sys, ksecpkg.sys, mountmgr.sys, mrxsmb.sys, mrxsmb10.sys, mrxsmb20.sys, and ntoskrnl.exe (?!) are all outdated. Additionally, the files ntdll.dll, smss.exe, usbrpm.sys, volsnap.sys, and win32k.sys have matching version numbers, but differing checksums. I'll wait for another output log to help isolate against possible corruption on the first tested system, but I'm pretty sure that corruption exists on here.

EDIT: The list of differences between my system and a "stable" Win7x64:
  • apisetschema.dll is 6.1.7601.18798 instead of .18933
  • cdd.dll is 6.1.7601.17514 instead of .17554
  • dxgkrnl.sys is 6.1.7601.22720 instead of .18510
  • dxgmms1.sys is 6.1.7601.22410 instead of .18126
  • ksecdd.sys is 6.1.7601.18912 instead of .18933
  • ksecpkg.sys is 6.1.7601.18912 instead of .18933
  • mountmgr.sys is 6.1.7600.16385 instead of .7601.18933
  • mrxsmb.sys is 6.1.7601.18912 instead of .18933
  • mrxsmb10.sys is 6.1.7601.18912 instead of .18933
  • mrxsmb20.sys is 6.1.7601.18912 instead of .18933
  • ntdll.dll is 6.1.7600.16385, and doesn't match MD5 checksum
  • ntoskrnl.exe is 6.1.7601.18798 instead of .18933
  • smss.exe is 6.1.7600.16385, and doesn't match MD5 checksum
  • usbrpm.sys is 6.1.7600.16385, and doesn't match MD5 checksum
  • volsnap.sys is 6.1.7600.16385, and doesn't match MD5 checksum
  • win32k.sys is 6.1.7600.16385, and doesn't match MD5 checksum
The five files which didn't match checksums all match versions from known-good instances of Win7x64. I'd bet the corruption is coming from one of them.

EDIT: Just installed a batch of updates. cdd.dll is still old, usbrpm.sys and volsnap.sys still mismatch checksums. Why does Microsoft make modifications to system files without changing their version information? It makes locating corruption a lot harder.

EDIT: And issue isn't resolved.
28 Aug 2015   #55
TruePikachu

Windows 7 Home Premium SP1 x64
 
 

Hmmm...I noticed that one non-OEM driver never was unloaded (LGSHidFilt.sys) - it was determined to be the best driver for my mouse even after being disabled by rename. So I'm doing a disassembly of it right now...I do not really like what I see. For instance, some subroutines have CALL instructions reading from areas of memory (within the driver's image) which appear to never be written to, and are uninitialized (e.g. at virtual address +113C8, referencing +1E550). There are also things like a `call near ptr` pointing to a procedure past the end of the image (this being as early as DriverEntry+1F). While I'm not familiar with driver development or disassembly, it looks to me like this might be the culprit.

I don't know how I would test the driver by elimination without another mouse, since Windows insists on using the (possibly crash-inducing) driver by default, even after renaming it. The main thing is that I've been using Minecraft to test for the issue disappearing (since it both uses a lot of memory and, when the JVM crashes, it helpfully dumps the registers to file so I can check the 7th byte of the registers for corruption), and I need an external mouse to play it; the touchpad on here has a strange "issue" where it doesn't register any input when typing on the keyboard, so it isn't the best thing to use...

EDIT: Driver is WHCP signed, and obtained through WinUpdate or something. Despite the strange stuff I was seeing (as someone more experienced with application disassembly instead), it doesn't look like it would be the problem.
29 Aug 2015   #56
TruePikachu

Windows 7 Home Premium SP1 x64
 
 

And just hit a crash within 2 1/2 minutes of bootup. X64_IP_MISALIGNED versus an access violation (so it's harder to locate the exact site of corruption), but since there wasn't a lot of time since the drivers loaded, it might be possible to locate the problematic pointer in the dump.
30 Aug 2015   #57
TruePikachu

Windows 7 Home Premium SP1 x64
 
 

Well then.

Does that bitmask look familiar?

The failing address puts it on the 4GB stick (I believe), but I'll have it check the 2GB alone tonight, just in case. Yes, right now I'm running on a third of my usual memory.


So I'd be looking for PC3-12800 DDR3 4GB tomorrow?

EDIT: Ignore that the pic says DDR2, CPU-Z reports DDR3. As well as PC3-12800.
30 Aug 2015   #58
Laith

Windows 10 Professional x64
 
 

You must run MemTest86+. Never use 2 different sticks together. Remove one of the sticks. It reports a failing address on the 4GB RAM module, so it must be failing. A single error means that it's dead.
30 Aug 2015   #59
TruePikachu

Windows 7 Home Premium SP1 x64
 
 

Quote:
You must run MemTest86+.
That was from MemTest86+ (the + blinks, and was not visible in the picture).

Quote:
Never use 2 different sticks together.
Just want a bit of clarification for this (it doesn't matter for this case anymore), only one socket should be filled when running MemTest86+, or two different sizes of stick together? The memory was supplied by the OEM, so I figured it was acceptable.

Quote:
It reports a failing address on the 4GB RAM module, so it must be failing. A single error means that it's dead.
I came to the same conclusion, so earlier today I got a pair of new 4GB modules, and have those in right now. I was meaning to upgrade to 8GB for some time, and this was the perfect excuse to do so. I might put the (most likely OK) 2GB card into one of the other laptops over here (which is running on 3GB right now), but I don't know yet.

I just finished getting all the drivers (including outdated OEM ones) re-enabled (since I had disabled many of them for troubleshooting, and later so they wouldn't eat up too much of the 2GB I had), and after a fight with HP DriveGuard not recognising the disk (I got that fixed), this system is back in its normal configuration. I'll give it time to see if it crashes before I mark solved.
05 Sep 2015   #60
TruePikachu

Windows 7 Home Premium SP1 x64
 
 

Might not be entirely out of the woods yet, Garry's Mod just crashed with an access violation (according to WinDbg). While I'm sure it is probably just a bug in the code, there _might_ be spray. I can't check unless I get a kernel crash, though.
I might see if I can catch spray by rebuilding the BitCoin blockchain. If even one byte in it gets sprayed on, it won't fully build and will error out.