Problem Devices:
Code:
USB Protection Device ROOT\SYNCROSOFT_PROTECTION_DEVICE\0000 This device cannot start.
Laptop Model: Dell Inspiron N5110 (Since you did not fill in your system specs, this is being provided as it is useful info for those helping)
Security Software:
Code:
zlclient.exe c:\program files (x86)\zone labs\zonealarm\zlclient.exe 2692 8 200 1380 3.4.2012 12:00 9.2.106.0 1*019,50 kB (1*043*968 bajtů) 18.4.2011 22:57
avastsvc.exe c:\program files\avast software\avast\avastsvc.exe 1980 8 200 1380 3.4.2012 11:57 6.0.1125.0 41,20 kB (42*184 bajtů) 3.7.2011 15:08
avastui.exe c:\program files\avast software\avast\avastui.exe 1928 8 200 1380 3.4.2012 12:00 6.0.1125.0 3,30 MB (3*459*712 bajtů) 3.7.2011 15:08
forcefield.exe c:\program files\checkpoint\zaforcefield\forcefield.exe 1764 8 200 1380 3.4.2012 12:01 1.5.265.2 1,07 MB (1*123*320 bajtů) 15.2.2011 16:26
iswsvc.exe c:\program files\checkpoint\zaforcefield\iswsvc.exe 2024 8 200 1380 3.4.2012 11:57 1.5.265.2 802,99 kB (822*264 bajtů) 15.2.2011 16:26
sbiectrl.exe c:\program files\sandboxie\sbiectrl.exe 3068 8 200 1380 3.4.2012 11:59 3.54.0.0 583,73 kB (597*736 bajtů) 24.3.2011 12:25
sbiesvc.exe c:\program files\sandboxie\sbiesvc.exe 1368 8 200 1380 3.4.2012 11:55 3.54.0.0 93,73 kB (95*976 bajtů) 24.3.2011 12:24
Code:
-
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\Kingston\BSODDmpFiles\FarleyCZ\Windows_NT6_BSOD_jcgriff2\040312-30669-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`03456000 PsLoadedModuleList = 0xfffff800`0369b670
Debug session time: Tue Apr 3 03:53:54.702 2012 (UTC - 6:00)
System Uptime: 0 days 12:22:19.138
Loading Kernel Symbols
...............................................................
................................................................
...........................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {0, 0, 0, 0}
Probably caused by : ntkrnlmp.exe ( nt!KiKernelCalloutExceptionHandler+e )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: 0000000000000000, The exception code that was not handled
Arg2: 0000000000000000, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000000, Parameter 1 of the exception
Debugging Details:
------------------
EXCEPTION_CODE: (Win32) 0 (0) - The operation completed successfully.
FAULTING_IP:
+3937656165623861
00000000`00000000 ?? ???
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000000
ERROR_CODE: (NTSTATUS) 0 - STATUS_WAIT_0
BUGCHECK_STR: 0x1E_0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 2
EXCEPTION_RECORD: fffff800049569c8 -- (.exr 0xfffff800049569c8)
ExceptionAddress: fffff800034d58e2 (nt!SwapContext_PatchXRstor)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
TRAP_FRAME: fffff80004956a70 -- (.trap 0xfffff80004956a70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000004 rbx=0000000000000000 rcx=fffff80004956cc0
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800034d58e2 rsp=fffff80004956c00 rbp=fffff80004956c70
r8=fffffa80039cc778 r9=0000000000000000 r10=fffffffffffffffe
r11=fffff80003648e80 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!SwapContext_PatchXRstor:
fffff800`034d58e2 0fae09 fxrstor [rcx] ds:fffff800`04956cc0=7f
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800034ca5fe to fffff800034d2c10
STACK_TEXT:
fffff800`04955aa8 fffff800`034ca5fe : fffff800`04955c10 00000000`00000002 fffff800`04956220 fffff800`034fe830 : nt!KeBugCheck
fffff800`04955ab0 fffff800`034fe4fd : fffff800`036dc0c8 fffff800`0361d030 fffff800`03456000 fffff800`049569c8 : nt!KiKernelCalloutExceptionHandler+0xe
fffff800`04955ae0 fffff800`034fd2d5 : fffff800`0361d0fc fffff800`04955b58 fffff800`049569c8 fffff800`03456000 : nt!RtlpExecuteHandlerForException+0xd
fffff800`04955b10 fffff800`0350e361 : fffff800`049569c8 fffff800`04956220 fffff800`00000000 fffffa80`067bdb60 : nt!RtlDispatchException+0x415
fffff800`049561f0 fffff800`034d22c2 : fffff800`049569c8 fffff800`03648e80 fffff800`04956a70 fffff800`03656cc0 : nt!KiDispatchException+0x135
fffff800`04956890 fffff800`034d0bca : fffffa80`0761cd78 fffff880`016ec3a5 fffffa80`0743a000 00000000`00000000 : nt!KiExceptionDispatch+0xc2
fffff800`04956a70 fffff800`034d58e2 : fffffa80`00000000 00000000`00000000 00000000`00000000 fffffa80`07d97950 : nt!KiGeneralProtectionFault+0x10a
fffff800`04956c00 fffff800`034caa1d : fffff800`03648e80 fffff800`03656cc0 00000000`00000000 fffff880`016c9a00 : nt!SwapContext_PatchXRstor
fffff800`04956c40 00000000`00000000 : fffff800`04957000 fffff800`04951000 fffff800`04956c00 00000000`00000000 : nt!KiIdleLoop+0x10d
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiKernelCalloutExceptionHandler+e
fffff800`034ca5fe 90 nop
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KiKernelCalloutExceptionHandler+e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3
FAILURE_BUCKET_ID: X64_0x1E_0_nt!KiKernelCalloutExceptionHandler+e
BUCKET_ID: X64_0x1E_0_nt!KiKernelCalloutExceptionHandler+e
Followup: MachineOwner
---------
-
Loading Dump File [D:\Kingston\BSODDmpFiles\FarleyCZ\Windows_NT6_BSOD_jcgriff2\033112-26691-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`03400000 PsLoadedModuleList = 0xfffff800`03645670
Debug session time: Sat Mar 31 03:54:44.251 2012 (UTC - 6:00)
System Uptime: 2 days 0:49:08.294
Loading Kernel Symbols
...............................................................
................................................................
............................................
Loading User Symbols
Loading unloaded module list
........................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {fffffa800a36bd10, 0, fffff88001b9afaf, 0}
Unable to load image \SystemRoot\System32\Drivers\aswSP.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for aswSP.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswSP.SYS
Could not read faulting driver name
Probably caused by : aswSP.SYS ( aswSP+afaf )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffa800a36bd10, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff88001b9afaf, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800036af100
fffffa800a36bd10
FAULTING_IP:
aswSP+afaf
fffff880`01b9afaf 41f644241008 test byte ptr [r12+10h],8
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: AvastSvc.exe
CURRENT_IRQL: 0
TRAP_FRAME: fffff880098d05e0 -- (.trap 0xfffff880098d05e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa8008cc2a60
rdx=fffffa800990f881 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88001b9afaf rsp=fffff880098d0770 rbp=fffff880098d0988
r8=fffffa800990f880 r9=0000000000000150 r10=fffff88001bd4000
r11=fffffa8008d6d580 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
aswSP+0xafaf:
fffff880`01b9afaf 41f644241008 test byte ptr [r12+10h],8 ds:00000000`00000010=??
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800034289fc to fffff8000347cc40
STACK_TEXT:
fffff880`098d0478 fffff800`034289fc : 00000000`00000050 fffffa80`0a36bd10 00000000`00000000 fffff880`098d05e0 : nt!KeBugCheckEx
fffff880`098d0480 fffff800`0347ad6e : 00000000`00000000 fffffa80`0a36bd10 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4611f
fffff880`098d05e0 fffff880`01b9afaf : fffff880`098d07e8 fffff800`00000001 fffff8a0`00000003 fffffa80`00000000 : nt!KiPageFault+0x16e
fffff880`098d0770 fffff880`098d07e8 : fffff800`00000001 fffff8a0`00000003 fffffa80`00000000 fa8004a7`ca780460 : aswSP+0xafaf
fffff880`098d0778 fffff800`00000001 : fffff8a0`00000003 fffffa80`00000000 fa8004a7`ca780460 00000000`00000801 : 0xfffff880`098d07e8
fffff880`098d0780 fffff8a0`00000003 : fffffa80`00000000 fa8004a7`ca780460 00000000`00000801 00000000`00000000 : 0xfffff800`00000001
fffff880`098d0788 fffffa80`00000000 : fa8004a7`ca780460 00000000`00000801 00000000`00000000 0000000f`ffffffff : 0xfffff8a0`00000003
fffff880`098d0790 fa8004a7`ca780460 : 00000000`00000801 00000000`00000000 0000000f`ffffffff fffffa80`0a36bd00 : 0xfffffa80`00000000
fffff880`098d0798 00000000`00000801 : 00000000`00000000 0000000f`ffffffff fffffa80`0a36bd00 00000000`00000000 : 0xfa8004a7`ca780460
fffff880`098d07a0 00000000`00000000 : 0000000f`ffffffff fffffa80`0a36bd00 00000000`00000000 fffff880`098d09f0 : 0x801
STACK_COMMAND: kb
FOLLOWUP_IP:
aswSP+afaf
fffff880`01b9afaf 41f644241008 test byte ptr [r12+10h],8
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: aswSP+afaf
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: aswSP
IMAGE_NAME: aswSP.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4dc929b6
FAILURE_BUCKET_ID: X64_0x50_aswSP+afaf
BUCKET_ID: X64_0x50_aswSP+afaf
Followup: MachineOwner
---------
- Possible causes are Memory problems... Viruses... Corrupted hard disk file system... Corrupted System Files... Lack of Windows updates... Drivers...
- Caused by avast! Could be related to network adapter driver corruption, audio driver corruption, or conflicts with other security software.
Make sure your network adapter drivers and audio drivers are up to date:
Do the following to determine what is causing your crashes:
- If you are overclocking any hardware, please stop.
- Run SFC /SCANNOW Command - System File Checker up to three times to fix all errors with a restart in between each. Post back if it continues to show errors after a fourth run or if the first run comes back with no integrity violations.
- Run the boot version of Memtest86+ paying close attention to Parts 2 and 3 of the tutorial. Also, in case Memtest86+ misses anything and comes up with no errors, run the extended version of the Windows Memory Diagnostics Tool for at least five passes. These you may want to run overnight since they take a long time to complete (run them an hour before bed each of the next two nights and check before going to sleep that they are still running).
If you swap any memory components, follow these steps for ESD safety:
- Shut down and turn off your computer.
- Unplug all power supplies to the computer (AC Power then battery for laptops, AC power for desktops)
- Hold down the power button for 30 seconds to close the circuit and ensure all power drains from components.
- Make sure you are grounded by using proper grounding techniques, i.e. work on an anti-static workbench, anti-static desk, or an anti-static pad. Hold something metallic while touching it to the anti-static surface, or use an anti-static wristband to attach to the anti-static material while working.
Once these steps have been followed, it is safe to remove and replace components within your computer.
- An underlying driver may be incompatible\conflicting with your system. Run Driver Verifier to find any issues. To run Driver Verifier, do the following:
a. Backup your system and user files
b. Create a system restore point
c. If you do not have a Windows 7 DVD, Create a system repair disc
d. In Windows 7:
- Click the Start Menu
- Type verifier in Search programs and files (do not hit enter)
- Right click verifier and click Run as administrator
- Put a tick in Create custom settings (for code developers) and click next
- Put a tick in Select individual settings from a full list and click next
- Set up the individual settings as in the image (Attachment 205736) and click next
- Put a tick in Select driver names from a list
- Put a tick next to all non-Microsoft drivers.
- Click Finish.
- Restart your computer.
If Windows cannot start in normal mode with driver verifier running, start in safe mode. If it cannot start in safe mode or normal mode, restore the system restore point using System Restore OPTION TWO.
Thanks to zigzag3143 for contributing to the Verifier steps.
If you are unable to start Windows with all drivers being verified or if the blue screen crashes fail to create .dmp files, run them in groups of 5 or 10 until you find a group that causes blue screen crashes and stores the blue screen .dmp files.
The idea with Verifier is to cause the system to crash, so do the things you normally do that cause crashes. After you have a few crashes, upload the crash reports for us to take a look and try to find patterns.
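The post closes by suggesting that several crash reports be collected and compared for patterns. As an added example (not part of the original post), this script pulls the bugcheck code, faulting image and process out of saved WinDbg `!analyze -v` text and counts crashes per non-core image. The sample text is constructed from lines in the two analyses above, and the `CORE_IMAGES` set is an assumption.

```python
import re
from collections import Counter

# Constructed sample: key lines from the two analyses above, paths shortened.
SAMPLE = """\
Loading Dump File [040312-30669-01.dmp]
BugCheck 1E, {0, 0, 0, 0}
PROCESS_NAME: System
IMAGE_NAME: ntkrnlmp.exe
Loading Dump File [033112-26691-01.dmp]
BugCheck 50, {fffffa800a36bd10, 0, fffff88001b9afaf, 0}
PROCESS_NAME: AvastSvc.exe
IMAGE_NAME: aswSP.SYS
"""

DUMP_START = re.compile(r"^Loading Dump File \[(.+)\]")
FIELDS = {
    "bugcheck": re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{(.*)\}"),
    "process": re.compile(r"^PROCESS_NAME:\s*(\S+)"),
    "image": re.compile(r"^IMAGE_NAME:\s*(\S+)"),
}
# Assumption: images treated as core Windows; anything else counts as third-party.
CORE_IMAGES = {"ntkrnlmp.exe", "ntoskrnl.exe", "hal.dll"}

def parse_dumps(text):
    """Split concatenated WinDbg output into one record per dump file."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = DUMP_START.match(line)
        if m:
            records.append({"dump": m.group(1)})
        for key, rx in FIELDS.items():
            m = rx.match(line)
            # Keep the first occurrence only; !analyze -v repeats some fields.
            if m and records and key not in records[-1]:
                records[-1][key] = m.group(1)
                if key == "bugcheck":
                    records[-1]["args"] = [a.strip() for a in m.group(2).split(",")]
    return records

def third_party_counts(records):
    """Count crashes per faulting image that is not a core Windows image."""
    return Counter(r["image"] for r in records
                   if r.get("image") and r["image"].lower() not in CORE_IMAGES)

if __name__ == "__main__":
    recs = parse_dumps(SAMPLE)
    print(recs, third_party_counts(recs).most_common())
```

A crash attributed to a core image such as `ntkrnlmp.exe` is left out of the count because the kernel is usually where a fault surfaces rather than its origin.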