Win 7 BSOD occurs every day on first boot up and works fine afterwards


  1. Posts : 3
    Windows 7 professional 64 bit
       #1


    Hello,

    I have been having a Win7 BSOD every day. It occurs on the first boot-up every day, but it works fine after the second boot. The BSOD problem comes back if I shut the PC down overnight or for more than a couple of hours.

    If anyone knows the causes and fixes, it would be really appreciated. I have attached minidump files.

    my hardware details:

    mb: Asus p7h55/usb3
    cpu: i5 760@2.80ghz
    graphic card: GeForce GTS450 dedicated DDR5 memory
    memory: 8 ghz
    os win 7 64 bit


  2. Posts : 2,009
    Windows 7 Ultimate x86
       #2

    Hello tom and welcome to SF

    I checked your dump files and they list, among others, memory corruption as a reason. That could mean defective hardware, but it could also be caused by a defective driver.
    For further testing I recommend you follow this tutorial and post the results, and make sure you include any new crash dumps.
    Driver Verifier - Enable and Disable

    Code:
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 4E, {99, 98d7b, 2, 9547a}
    
    Probably caused by : memory_corruption ( nt!MiBadShareCount+4c )
    
    Followup: MachineOwner
    ---------
    
    2: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PFN_LIST_CORRUPT (4e)
    Typically caused by drivers passing bad memory descriptor lists (ie: calling
    MmUnlockPages twice with the same list, etc).  If a kernel debugger is
    available get the stack trace.
    Arguments:
    Arg1: 0000000000000099, A PTE or PFN is corrupt
    Arg2: 0000000000098d7b, page frame number
    Arg3: 0000000000000002, current page state
    Arg4: 000000000009547a, 0
    
    Debugging Details:
    ------------------
    
    
    BUGCHECK_STR:  0x4E_99
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    PROCESS_NAME:  avp.exe
    
    CURRENT_IRQL:  2
    
    LAST_CONTROL_TRANSFER:  from fffff8000311df5c to fffff80003098640
    
    STACK_TEXT:  
    fffff880`09b8c418 fffff800`0311df5c : 00000000`0000004e 00000000`00000099 00000000`00098d7b 00000000`00000002 : nt!KeBugCheckEx
    fffff880`09b8c420 fffff800`03047cf2 : ffffffff`ffffffff 00000000`00000001 ffffffff`ffffffff 00000000`0000000f : nt!MiBadShareCount+0x4c
    fffff880`09b8c460 fffff800`0319695a : fffffa80`09a98ec8 fffff880`09b8c670 00000000`00000000 fffffa80`0000000f : nt! ?? ::FNODOBFM::`string'+0x21513
    fffff880`09b8c650 fffff800`032d95ed : fffffa80`0a7db060 ffffffff`00000001 ffffffff`ffffffff fffff880`09b8cca0 : nt!MiEmptyWorkingSet+0x24a
    fffff880`09b8c700 fffff800`034e73ed : 00000000`00000001 fffff8a0`01a5c100 00000000`00000000 00000000`00000000 : nt!MmAdjustWorkingSetSizeEx+0xad
    fffff880`09b8c780 fffff800`033eb3cb : 00000000`00000008 00000000`00000000 00000000`00000001 00000000`06f1e700 : nt!PspSetQuotaLimits+0x32d
    fffff880`09b8c8d0 fffff800`030978d3 : fffffa80`0a7db060 fffff880`09b8cca0 00000000`7e5ea000 00000000`7e5ea000 : nt! ?? ::NNGAKEGL::`string'+0x4b860
    fffff880`09b8cc20 00000000`770a14da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`06f1e6c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x770a14da
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt!MiBadShareCount+4c
    fffff800`0311df5c cc              int     3
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  nt!MiBadShareCount+4c
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7951a
    
    IMAGE_NAME:  memory_corruption
    
    FAILURE_BUCKET_ID:  X64_0x4E_99_nt!MiBadShareCount+4c
    
    BUCKET_ID:  X64_0x4E_99_nt!MiBadShareCount+4c
    -----------------------------------------------------------------------------------------------------
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck BE, {20008, a1200001ca3ca005, fffff8800a9bb990, a}
    
    Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+443cb )
    
    Followup: MachineOwner
    ---------
    
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
    An attempt was made to write to readonly memory.  The guilty driver is on the
    stack trace (and is typically the current instruction pointer).
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: 0000000000020008, Virtual address for the attempted write.
    Arg2: a1200001ca3ca005, PTE contents.
    Arg3: fffff8800a9bb990, (reserved)
    Arg4: 000000000000000a, (reserved)
    
    Debugging Details:
    ------------------
    
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    
    BUGCHECK_STR:  0xBE
    
    PROCESS_NAME:  svchost.exe
    
    CURRENT_IRQL:  2
    
    TRAP_FRAME:  fffff8800a9bb990 -- (.trap 0xfffff8800a9bb990)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000020000 rbx=0000000000000000 rcx=0000000000000002
    rdx=fffffa8006b70f98 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800030cc6fe rsp=fffff8800a9bbb20 rbp=fffff8800a9bbca0
     r8=fffffa8006b70fc1  r9=0000000000020000 r10=0000000000000000
    r11=fffff8800a9bba60 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na po nc
    nt!NtWaitForWorkViaWorkerFactory+0x45d:
    fffff800`030cc6fe f04883700801    lock xor qword ptr [rax+8],1 ds:00000000`00020008=????????????????
    Resetting default scope
    
    LAST_CONTROL_TRANSFER:  from fffff8000308a807 to fffff800030e0640
    
    STACK_TEXT:  
    fffff880`0a9bb828 fffff800`0308a807 : 00000000`000000be 00000000`00020008 a1200001`ca3ca005 fffff880`0a9bb990 : nt!KeBugCheckEx
    fffff880`0a9bb830 fffff800`030de76e : 00000000`00000001 fffff880`0a9bbbe0 fffff880`0a9bbbc8 fffffa80`06b70f00 : nt! ?? ::FNODOBFM::`string'+0x443cb
    fffff880`0a9bb990 fffff800`030cc6fe : 00000000`00000001 fffff880`0a9bbba8 fffff880`0a9bbbc8 00000000`003bdd01 : nt!KiPageFault+0x16e
    fffff880`0a9bbb20 fffff800`030df8d3 : fffffa80`085e8b60 00000000`77d445c0 00000000`00000000 fffffa80`068b4430 : nt!NtWaitForWorkViaWorkerFactory+0x45d
    fffff880`0a9bbc20 00000000`77c92c1a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`01cafb28 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77c92c1a
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt! ?? ::FNODOBFM::`string'+443cb
    fffff800`0308a807 cc              int     3
    
    SYMBOL_STACK_INDEX:  1
    
    SYMBOL_NAME:  nt! ?? ::FNODOBFM::`string'+443cb
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrnlmp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7951a
    
    FAILURE_BUCKET_ID:  X64_0xBE_nt!_??_::FNODOBFM::_string_+443cb
    
    BUCKET_ID:  X64_0xBE_nt!_??_::FNODOBFM::_string_+443cb
    
    Followup: MachineOwner


  3. Posts : 3
    Windows 7 professional 64 bit
    Thread Starter
       #3

    Thank you. I will get back to you once the verifying is done.


  4. Posts : 3
    Windows 7 professional 64 bit
    Thread Starter
       #4

    Hello again,

    I have had a few BSODs today. All debug results point at avp.exe; after searching I found it is a part of Kaspersky Internet Security software, therefore I deleted it. After installing Windows Security Essentials, the BSODs started to point to MsMpEng.exe, which is a part of the Windows Security Essentials software. I think there should not be any driver compatibility issue with Windows Security Essentials, as it is from Microsoft. This narrows it down to the memory problem; what is your diagnosis?

    I have attached dump files for you to have a look.

    Many Thanks






  5. Posts : 2,009
    Windows 7 Ultimate x86
       #5

    Hello tom! You said you have deleted Kaspersky. Yet the crashes mostly point at klif.sys (another part of Kaspersky's package). Especially for AV products, one should always use the special removal tools!

    Hopefully the Kaspersky removal tool from here can still take care of this for you.

    Removal tool for Kaspersky Lab products

    To verify if RAM is the problem, this would be your "weapon of choice"
    RAM - Test with Memtest86+

    Code:
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck C4, {0, 0, 1, 0}
    
    Unable to load image \SystemRoot\system32\DRIVERS\klif.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for klif.sys
    *** ERROR: Module load completed but symbols could not be loaded for klif.sys
    Probably caused by : klif.sys ( klif+4c0a6 )
    
    Followup: MachineOwner
    ---------
    
    1: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
    A device driver attempting to corrupt the system has been caught.  This is
    because the driver was specified in the registry as being suspect (by the
    administrator) and the kernel has enabled substantial checking of this driver.
    If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
    be among the most commonly seen crashes.
    Arguments:
    Arg1: 0000000000000000, caller is trying to allocate zero bytes
    Arg2: 0000000000000000, current IRQL
    Arg3: 0000000000000001, pool type
    Arg4: 0000000000000000, number of bytes
    
    Debugging Details:
    ------------------
    
    
    OVERLAPPED_MODULE: Address regions for 'NisDrvWFP' and 'spsys.sys' overlap
    
    BUGCHECK_STR:  0xc4_0
    
    CURRENT_IRQL:  0
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP
    
    PROCESS_NAME:  avp.exe
    
    LAST_CONTROL_TRANSFER:  from fffff8000350a3dc to fffff80003083640
    
    STACK_TEXT:  
    fffff880`073ab498 fffff800`0350a3dc : 00000000`000000c4 00000000`00000000 00000000`00000000 00000000`00000001 : nt!KeBugCheckEx
    fffff880`073ab4a0 fffff800`0350ae1b : fffff980`01578fd8 00000000`0000004b 00000000`00000000 0000007f`00000000 : nt!VerifierBugCheckIfAppropriate+0x3c
    fffff880`073ab4e0 fffff800`0351ba98 : 00000000`55654c4b 00000000`00000081 00000000`00000000 00000000`00000000 : nt!ExAllocatePoolSanityChecks+0xcb
    fffff880`073ab520 fffff800`0351bd3d : fffff980`01578ff0 fffff880`073ab660 00000000`55654c4b fffff880`0169d4b8 : nt!VeAllocatePoolWithTagPriority+0x88
    fffff880`073ab590 fffff880`016760a6 : fffffa80`08a00be0 fffff880`0169d4b8 00000000`00000000 fffff880`0169d4d0 : nt!VerifierExAllocatePoolEx+0x1d
    fffff880`073ab5d0 fffffa80`08a00be0 : fffff880`0169d4b8 00000000`00000000 fffff880`0169d4d0 00000000`00000000 : klif+0x4c0a6
    fffff880`073ab5d8 fffff880`0169d4b8 : 00000000`00000000 fffff880`0169d4d0 00000000`00000000 00000000`00000000 : 0xfffffa80`08a00be0
    fffff880`073ab5e0 00000000`00000000 : fffff880`0169d4d0 00000000`00000000 00000000`00000000 00000000`00000000 : klif+0x734b8
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    klif+4c0a6
    fffff880`016760a6 ??              ???
    
    SYMBOL_STACK_INDEX:  5
    
    SYMBOL_NAME:  klif+4c0a6
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: klif
    
    IMAGE_NAME:  klif.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  4c5c4306
    
    FAILURE_BUCKET_ID:  X64_0xc4_0_VRF_klif+4c0a6
    
    BUCKET_ID:  X64_0xc4_0_VRF_klif+4c0a6
    
    Followup: MachineOwner
    ---------
    
    1: kd> lmvm klif
    start             end                 module name
    fffff880`0162a000 fffff880`016c0000   klif     T (no symbols)           
        Loaded symbol image file: klif.sys
        Image path: \SystemRoot\system32\DRIVERS\klif.sys
        Image name: klif.sys
        Timestamp:        Fri Aug 06 13:14:46 2010 (4C5C4306)
        CheckSum:         0008BF30
        ImageSize:        00096000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
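
Added example (not part of the thread or any poster's code): a Python sketch of the triage step in post #5, reading pasted `!analyze -v` text and listing, per dump, the bugcheck code, the process context and any non-kernel module found on the stack. The sample is abridged from the output quoted above; `parse_dumps`, `driver_tally` and the `KERNEL` set are names and assumptions of this example.

```python
import re
from collections import Counter

# Abridged from two of the !analyze -v outputs quoted in this thread (frames omitted).
SAMPLE = r"""
BugCheck 4E, {99, 98d7b, 2, 9547a}
PROCESS_NAME:  avp.exe
fffff880`09b8c418 fffff800`0311df5c : 00000000`0000004e 00000000`00000099 00000000`00098d7b 00000000`00000002 : nt!KeBugCheckEx
fffff880`09b8c420 fffff800`03047cf2 : ffffffff`ffffffff 00000000`00000001 ffffffff`ffffffff 00000000`0000000f : nt!MiBadShareCount+0x4c
IMAGE_NAME:  memory_corruption
BugCheck C4, {0, 0, 1, 0}
PROCESS_NAME:  avp.exe
fffff880`073ab590 fffff880`016760a6 : fffffa80`08a00be0 fffff880`0169d4b8 00000000`00000000 fffff880`0169d4d0 : nt!VerifierExAllocatePoolEx+0x1d
fffff880`073ab5d0 fffffa80`08a00be0 : fffff880`0169d4b8 00000000`00000000 fffff880`0169d4d0 00000000`00000000 : klif+0x4c0a6
fffff880`073ab5d8 fffff880`0169d4b8 : 00000000`00000000 fffff880`0169d4d0 00000000`00000000 00000000`00000000 : 0xfffffa80`08a00be0
fffff880`073ab5e0 00000000`00000000 : fffff880`0169d4d0 00000000`00000000 00000000`00000000 00000000`00000000 : klif+0x734b8
IMAGE_NAME:  klif.sys
"""

# A STACK_TEXT frame: child-SP, return address, four arguments, then the symbol.
FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : (?:[0-9a-f`]+ ){4}: (.+)$")
KERNEL = {"nt", "hal"}  # assumption: treat only these as OS core modules

def parse_dumps(text):
    """Return one dict per 'BugCheck' header found in pasted WinDbg output."""
    dumps = []
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"BugCheck ([0-9A-Fa-f]+), \{", line)
        if head:
            dumps.append({"code": head.group(1).upper(), "process": None, "image": None, "drivers": []})
        elif dumps:
            cur = dumps[-1]
            frame = FRAME.match(line)
            if line.startswith("PROCESS_NAME:"):
                cur["process"] = line.split(":", 1)[1].strip()
            elif line.startswith("IMAGE_NAME:"):
                cur["image"] = line.split(":", 1)[1].strip()
            elif frame:
                # Module name precedes '!' or '+'; raw addresses (0x...) do not match.
                mod = re.match(r"([A-Za-z_]\w*)[!+]", frame.group(1))
                if mod and mod.group(1) not in KERNEL and mod.group(1) not in cur["drivers"]:
                    cur["drivers"].append(mod.group(1))
    return dumps

def driver_tally(dumps):
    """Count, across dumps, how often each non-kernel module is on the stack."""
    return Counter(name for dump in dumps for name in dump["drivers"])

for d in parse_dumps(SAMPLE):
    print(d["code"], d["process"], d["image"], d["drivers"])
```

Both sample dumps share the process context `avp.exe`, but only the Driver Verifier dump has a non-kernel module (`klif`) on the stack.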


 
