Security Software:
Code:
aawservice.exe c:\program files (x86)\lavasoft\ad-aware\aawservice.exe 1440 8 200 1380 4/18/2012 8:54 AM 9.0.0.0 2.05 MB (2,152,152 bytes) 3/20/2012 1:41 PM
aawtray.exe c:\program files (x86)\lavasoft\ad-aware\aawtray.exe 3116 8 200 1380 4/18/2012 8:54 AM 9.0.0.0 1.13 MB (1,187,072 bytes) 3/20/2012 1:41 PM
avastsvc.exe c:\program files\avast software\avast\avastsvc.exe 1352 8 200 1380 4/18/2012 8:54 AM 7.0.1426.0 43.72 KB (44,768 bytes) 3/28/2012 9:20 PM
avastui.exe c:\program files\avast software\avast\avastui.exe 2320 8 200 1380 4/18/2012 8:55 AM 7.0.1426.0 4.05 MB (4,241,512 bytes) 3/28/2012 9:20 PM
Remove either ad-aware or avast! Having two security programs that accomplish the same tasks can cause conflicts and lead to crashes.
Code:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\Kingston\BSODDmpFiles\ladyinred\BSOD041912\Windows_NT6_BSOD_jcgriff2\041812-83772-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17790.amd64fre.win7sp1_gdr.120305-1505
Machine Name:
Kernel base = 0xfffff800`03467000 PsLoadedModuleList = 0xfffff800`036ab650
Debug session time: Wed Apr 18 07:52:04.237 2012 (UTC - 6:00)
System Uptime: 0 days 0:21:22.704
Loading Kernel Symbols
...............................................................
................................................................
........................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000007E, {ffffffffc0000005, fffff88001b08d6e, fffff8800854e908, fffff8800854e160}
Probably caused by : volsnap.sys ( volsnap!VspCollectLazyOffsetsPass+1be )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff88001b08d6e, The address that the exception occurred at
Arg3: fffff8800854e908, Exception Record Address
Arg4: fffff8800854e160, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
volsnap!VspCollectLazyOffsetsPass+1be
fffff880`01b08d6e 44892490 mov dword ptr [rax+rdx*4],r12d
EXCEPTION_RECORD: fffff8800854e908 -- (.exr 0xfffff8800854e908)
ExceptionAddress: fffff88001b08d6e (volsnap!VspCollectLazyOffsetsPass+0x00000000000001be)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000
CONTEXT: fffff8800854e160 -- (.cxr 0xfffff8800854e160)
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000004
rdx=0000000000000000 rsi=0000000000000002 rdi=fffff8800854ec80
rip=fffff88001b08d6e rsp=fffff8800854eb40 rbp=0000000000000001
r8=0000000000000008 r9=0000000000000008 r10=fffff8800854ec50
r11=0000000000000004 r12=0000000000008323 r13=fffffa80073446d8
r14=ffffffffffffffe0 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
cs=0010 ss=0000 ds=002b es=002b fs=0053 gs=002b efl=00210293
volsnap!VspCollectLazyOffsetsPass+0x1be:
fffff880`01b08d6e 44892490 mov dword ptr [rax+rdx*4],r12d ds:002b:00000000`00000000=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: NULL_DEREFERENCE
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000000000000000
WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff80003715100
0000000000000000
FOLLOWUP_IP:
volsnap!VspCollectLazyOffsetsPass+1be
fffff880`01b08d6e 44892490 mov dword ptr [rax+rdx*4],r12d
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from fffff88001b2914c to fffff88001b08d6e
STACK_TEXT:
fffff880`0854eb40 fffff880`01b2914c : 00000000`00000002 fffff880`0854ec40 fffff880`0854ec20 fffff880`0854ec60 : volsnap!VspCollectLazyOffsetsPass+0x1be
fffff880`0854ebd0 fffff880`01b2acde : fffffa80`0001fe40 fffffa80`04bbc190 fffff880`0854ed40 fffffa80`07344728 : volsnap!VspPopulateFreeBlocksBitmap+0x46c
fffff880`0854ecf0 fffff800`0377dfda : fffffa80`00000000 fffffa80`044d6b60 00000000`00000080 fffffa80`03b4d9e0 : volsnap!VspLazyPreCopyOnWriteWorker+0xce
fffff880`0854ed40 fffff800`034d49c6 : fffff880`03163180 fffffa80`044d6b60 fffffa80`03b61b60 00000000`bffff000 : nt!PspSystemThreadStartup+0x5a
fffff880`0854ed80 00000000`00000000 : fffff880`0854f000 fffff880`08549000 fffff880`0854e820 00000000`00000000 : nt!KxStartSystemThread+0x16
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: volsnap!VspCollectLazyOffsetsPass+1be
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: volsnap
IMAGE_NAME: volsnap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce792c8
STACK_COMMAND: .cxr 0xfffff8800854e160 ; kb
FAILURE_BUCKET_ID: X64_0x7E_volsnap!VspCollectLazyOffsetsPass+1be
BUCKET_ID: X64_0x7E_volsnap!VspCollectLazyOffsetsPass+1be
Followup: MachineOwner
---------
The crashes are related to volume shadow copy, which is part of the Windows backup software. Your older crash from March 28th was the same.
If you are using third party backup software, this could be causing these crashes. I would suggest that you Troubleshoot Application Conflicts by Performing a Clean Startup and see how the system responds. Given how infrequently you are having crashes, this may take a bit of time to debug. I will remain subscribed to the thread as you progress with debugging steps.
NOTE: The above could be related to your security software conflict, as well. It is possible both security programs were trying to access the backup drivers at once and led to the crashes.