ntoskrnl.exe problem


  1. Arc
    Posts : 35,373
    Microsoft Windows 10 Pro Insider Preview 64-bit
       #11

    How long did you run it? How many passes?


  2. Posts : 21
    window7
    Thread Starter
       #12

    For 3 hours and 4 passes.


  3. Posts : 21
    window7
    Thread Starter
       #13

    Hope this may help. It's the system info and the minidump folder.


  4. Posts : 1,314
    Windows 7 64-bit
       #14

    I may be wrong, but it looks like your system is infected, or an AV is doing something I don't know about. The first thing is to scan for any potential threats. I recommend starting with Malwarebytes and providing us the log from it. If given the option to clean, do not do it.

    Otherwise, turn on Driver Verifier since I noticed it was not on during these crashes. Read the entire article carefully.

    Analysts:

    The 0x109 bugchecks show a corruption in the NT module. However, the name of the module is strange, having been altered to nt_fffff80000b95000, where the address is its base address. I assume it got tagged with it in the name because there's already an existing module named nt. I am very confident there shouldn't be two nt modules present at one time. Even stranger is that they're both different nt module variants, and the suspect one either has no image header or has been paged out onto disk prior to the crash. The nt module doesn't page out its image header, however. You can tell by doing a !dh on the nt module and then locating the section header that's named .rsrc. If one of the flags is Discardable, it means it can be paged out. Otherwise, it sticks in memory as long as the image is loaded.

    Or I could just be misinterpreting the whole output. I hope not.

    Code:
    2: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    CRITICAL_STRUCTURE_CORRUPTION (109)
    This bugcheck is generated when the kernel detects that critical kernel code or
    data have been corrupted. There are generally three causes for a corruption:
    1) A driver has inadvertently or deliberately modified critical kernel code
     or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
    2) A developer attempted to set a normal kernel breakpoint using a kernel
     debugger that was not attached when the system was booted. Normal breakpoints,
     "bp", can only be set if the debugger is attached at boot time. Hardware
     breakpoints, "ba", can be set at any time.
    3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
    Arguments:
    Arg1: a3a039d89eba46f0, Reserved
    Arg2: b3b7465ef13884b2, Reserved
    Arg3: fffff80000b96bb0, Failure type dependent information
    Arg4: 0000000000000006, Type of corrupted region, can be
        0 : A generic data region
        1 : Modification of a function or .pdata
        2 : A processor IDT
        3 : A processor GDT
        4 : Type 1 process list corruption
        5 : Type 2 process list corruption
        6 : Debug routine modification
        7 : Critical MSR modification
    
    Debugging Details:
    ------------------
    
    TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\modclass.ini, error 2
    
    FAULTING_IP: 
    nt_fffff80000b95000+1bb0
    fffff800`00b96bb0 48895c2408      mov     qword ptr [rsp+8],rbx
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
    
    BUGCHECK_STR:  0x109
    
    PROCESS_NAME:  System
    
    CURRENT_IRQL:  0
    
    STACK_TEXT:  
    fffff880`033c45d8 00000000`00000000 : 00000000`00000109 a3a039d8`9eba46f0 b3b7465e`f13884b2 fffff800`00b96bb0 : nt!KeBugCheckEx
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt_fffff80000b95000+1bb0
    fffff800`00b96bb0 48895c2408      mov     qword ptr [rsp+8],rbx
    
    SYMBOL_NAME:  nt_fffff80000b95000+1bb0
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt_fffff80000b95000
    
    IMAGE_NAME:  ntoskrnl.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5149a99c
    
    FAILURE_BUCKET_ID:  X64_0x109_6_nt_fffff80000b95000+1bb0
    
    BUCKET_ID:  X64_0x109_6_nt_fffff80000b95000+1bb0
    
    Followup: MachineOwner
    ---------
    
    2: kd> lmsm
    start             end                 module name
    
    ...
    
    fffff800`03601000 fffff800`03be7000   nt         (pdb symbols)          c:\localsymbols\ntkrnlmp.pdb\4406EA3F2CE044878BDFDEF95E07708E2\ntkrnlmp.pdb
    fffff800`00b95000 fffff800`00bb0000   nt_fffff80000b95000 T (no symbols)           
    
    ...
    
    2: kd> lmvm nt_fffff80000b95000
    start             end                 module name
    fffff800`00b95000 fffff800`00bb0000   nt_fffff80000b95000 T (no symbols)           
        Loaded symbol image file: ntoskrnl.exe
        Image path: ntoskrnl.exe
        Image name: ntoskrnl.exe
        Timestamp:        Wed Mar 20 08:20:44 2013 (5149A99C)
        CheckSum:         00552B17
        ImageSize:        0001B000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    2: kd> lmvm nt
    start             end                 module name
    fffff800`03601000 fffff800`03be7000   nt         (pdb symbols)          c:\localsymbols\ntkrnlmp.pdb\4406EA3F2CE044878BDFDEF95E07708E2\ntkrnlmp.pdb
        Loaded symbol image file: ntkrnlmp.exe
        Mapped memory image file: c:\localsymbols\ntoskrnl.exe\5147D9C65e6000\ntoskrnl.exe
        Image path: ntkrnlmp.exe
        Image name: ntkrnlmp.exe
        Timestamp:        Mon Mar 18 23:21:42 2013 (5147D9C6)
        CheckSum:         00552B17
        ImageSize:        005E6000
        File version:     6.1.7601.18113
        Product version:  6.1.7601.18113
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        1.0 App
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     ntkrnlmp.exe
        OriginalFilename: ntkrnlmp.exe
        ProductVersion:   6.1.7601.18113
        FileVersion:      6.1.7601.18113 (win7sp1_gdr.130318-1533)
        FileDescription:  NT Kernel & System
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
    
    2: kd> !dh nt
    
    File Type: EXECUTABLE IMAGE
    FILE HEADER VALUES
        8664 machine (X64)
          18 number of sections
    5147D9C6 time date stamp Mon Mar 18 23:21:42 2013
    
           0 file pointer to symbol table
           0 number of symbols
          F0 size of optional header
          22 characteristics
                Executable
                App can handle >2gb addresses
    
    OPTIONAL HEADER VALUES
         20B magic #
        9.00 linker version
      47A400 size of code
       CFC00 size of initialized data
        3400 size of uninitialized data
      2B36F0 address of entry point
        1000 base of code
             ----- new -----
    0000000140000000 image base
        1000 section alignment
         200 file alignment
           1 subsystem (Native)
        6.01 operating system version
        6.01 image version
        6.01 subsystem version
      5E6000 size of image
         600 size of headers
      552B17 checksum
    0000000000080000 size of stack reserve
    0000000000002000 size of stack commit
    0000000000100000 size of heap reserve
    0000000000001000 size of heap commit
           0  DLL characteristics
      531000 [   109BC] address [size] of Export Directory
      5AB6C4 [      78] address [size] of Import Directory
      5AD000 [   35F48] address [size] of Resource Directory
      27D000 [   2FD90] address [size] of Exception Directory
      549600 [    1B58] address [size] of Security Directory
      5E3000 [    207C] address [size] of Base Relocation Directory
      1A1F00 [      38] address [size] of Debug Directory
           0 [       0] address [size] of Description Directory
           0 [       0] address [size] of Special Directory
           0 [       0] address [size] of Thread Storage Directory
           0 [       0] address [size] of Load Configuration Directory
           0 [       0] address [size] of Bound Import Directory
      1AC000 [     380] address [size] of Import Address Table Directory
           0 [       0] address [size] of Delay Import Directory
           0 [       0] address [size] of COR20 Header Directory
           0 [       0] address [size] of Reserved Directory
    
    ...
    
    SECTION HEADER #17
       .rsrc name
       35F48 virtual size
      5AD000 virtual address
       36000 size of raw data
      511400 file pointer to raw data
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    40000040 flags
             Initialized Data
             (no align specified)      //No 'Discardable' flag
             Read Only
    ...
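    An added example, not code from the post above or from any forum member: a small parser that walks the section table of a PE image and decodes the section Characteristics bits, so the Discardable check the post describes with !dh can be repeated on a file or a dumped image outside the debugger. The image it parses is constructed in the script (headers only, not a real ntoskrnl); the .rsrc name, sizes and 0x40000040 flags mirror the !dh output quoted above, while the INIT section is an assumed, constructed example of a discardable section.

```python
import struct

# Subset of the IMAGE_SCN_* characteristic bits from winnt.h, named roughly as !dh prints them.
SECTION_FLAGS = {
    0x00000020: "Code", 0x00000040: "Initialized Data", 0x00000080: "Uninitialized Data",
    0x02000000: "Discardable", 0x08000000: "Not Paged", 0x20000000: "Execute",
    0x40000000: "Read", 0x80000000: "Write",
}
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000   # set => the section may be paged out / discarded

def decode_flags(chars):
    """Expand a section Characteristics dword into flag names."""
    return [name for bit, name in SECTION_FLAGS.items() if chars & bit]

def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table of a PE image (file or dump)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, pe_off + 6)[0]   # NumberOfSections
    size_opt = struct.unpack_from("<H", image, pe_off + 20)[0]   # SizeOfOptionalHeader
    off = pe_off + 24 + size_opt                                 # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(nsections):
        name, vsize, vaddr, *_rest, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "flags": chars,
                         "discardable": bool(chars & IMAGE_SCN_MEM_DISCARDABLE)})
        off += 40                                                # sizeof(IMAGE_SECTION_HEADER)
    return sections

def build_sample_image():
    """Constructed headers-only PE (not a real ntoskrnl): DOS stub, COFF header, zeroed optional
    header and three section headers. The .rsrc values are the ones the !dh output above shows."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5147D9C6, 0, 0, 0xF0, 0x22)
    def sec(name, vsize, vaddr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
    return (dos + b"PE\0\0" + coff + b"\0" * 0xF0
            + sec(b".text", 0x47A400, 0x1000, 0x60000020)        # code | execute | read
            + sec(b".rsrc", 0x35F48, 0x5AD000, 0x40000040)       # initialized data | read, no Discardable
            + sec(b"INIT", 0x1000, 0x5E2000, 0x62000020))        # constructed: code | execute | read | Discardable

if __name__ == "__main__":
    for s in parse_sections(build_sample_image()):
        print(f"{s['name']:<8} {s['flags']:08X} {', '.join(decode_flags(s['flags']))}")
```

    To run it against a real image, pass the bytes of the file (or of the dumped region starting at the module base) to parse_sections instead of build_sample_image().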

  5.    #15

    Welcome to the forums Flory Robert,

    Code:
    BugCheck 109, {a3a039d89eba46f0, b3b7465ef13884b2, fffff80000b96bb0, 6}
    
    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
    Probably caused by : ntoskrnl.exe ( nt_fffff80000b95000+1bb0 )
    Code:
    Usual causes:  Device driver, Breakpoint set with no debugger attached, Hardware (Memory in particular)
    The bugcheck indicates that kernel data has become corrupted; this can be due to device drivers or hardware failure such as RAM.

    *Note* You need to run Memtest86+ for at least 9-10 passes, and preferably overnight. Each pass will run several different tests.

    Remove:

    Code:
    Start Menu\Programs\Free Registry Cleaner
    Removal Tool - Revo Uninstaller Pro - Uninstall Software, Remove Programs easily, Forced Uninstall, Leftovers Uninstaller

    Windows 7 doesn't require any programs which make changes to the operating system and registry; these programs tend to cause problems by modifying and deleting files.

    Windows is a closed source system. Developers of registry cleaners do not have the core code of Windows 7 and are not working on definitive information, but rather they are going on past knowledge and experience. Automatic cleaners will usually have to do some guesswork.

    Modifying registry keys incorrectly can cause Windows instability, or make Windows unbootable. No registry cleaner is completely safe and the potential is ever present to cause more problems than they claim to fix.

    Registry cleaners cannot distinguish between good and bad. If you run a registry cleaner, it will delete all those keys which are obsolete and sitting idle; but in reality, those keys may well be needed by some programs or Windows at a later time.

    Windows 7 is much more efficient at managing the registry than previous Windows versions. If you run any other registry cleaner and do not know precisely what you are doing, you will have problems down the road. There are no gains to be had from using a registry cleaner and the risk is great.

    Remove:

    Code:
    Start Menu\Programs\Driver Support
    Programs which scan for drivers and then offer driver updates, often install the wrong drivers which are either corrupted or incompatible with your system. The best method is to visit the hardware vendor or manufacturer of your computer, and then obtain driver updates from their support page.

    EDIT: Thanks for your input Vir :)

    EDIT2: Regarding the !dh extension, is this blog post similar? http://analyze-v.com/?p=847

