BSOD at random intervals. There's no consistency.

Hi

PC has just (a few weeks ago) begun to give BSOD. They don't appear to be consistent.

Windows Update is up to date, OS is geniune and I've used 2 different sticks of memory, but its still unstable. And I've not added anything new.

Can someone have a look at the dump file please?

Thanks
Jay

Welcome to the forums jamiepugh,

Code:

BugCheck A, {fffff880008b5610, 2, 1, fffff8000308576f}

*** WARNING: Unable to verify timestamp for MpFilter.sys
*** ERROR: Module load completed but symbols could not be loaded for MpFilter.sys
Probably caused by : MpFilter.sys ( MpFilter+b4e4 )

It seems that the MSE driver may have referenced invalid memory address, and then attempted to cause a interrupt at a IRQL level which was too high.

Code:

2: kd> lmvm MpFilter
start             end                 module name
fffff880`011c3000 fffff880`011fb000   MpFilter T (no symbols)           
    Loaded symbol image file: MpFilter.sys
    Image path: \SystemRoot\system32\DRIVERS\MpFilter.sys
    Image name: MpFilter.sys
    Timestamp:        Wed Oct 31 22:43:06 2012 (5091A97A)
    CheckSum:         0003BD03
    ImageSize:        00038000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

1. Remove MSE (Microsoft Security Essentials)
2. Install MSE, and then fully update.
3. Run a Full Scan

Run Driver Verifier to scan for any corrupted drivers which may be causing problems, this program works by running various stress tests on drivers, in order to produce a BSOD which will locate the driver; run for least 24 hours:

• Driver Verifier - Enable and Disable

   Information

Additional Help - Using Driver Verifier to identify issues with Drivers

Hi

I uninstalled MSE and reinstalled. But no difference, its still BSOD regularly.

I'll try verifier next, but here are the latest dumps (maybe there's something else wrong)...

Thanks

There seems to most likely a driver-related cause, could you please enable Driver Verifier, it doesn't seem to be enabled:

Code:

4: kd> !verifier

Verify Level 0 ... enabled options are:

Summary of All Verifier Statistics

RaiseIrqls                             0x0
AcquireSpinLocks                       0x0
Synch Executions                       0x0
Trims                                  0x0

Pool Allocations Attempted             0x0
Pool Allocations Succeeded             0x0
Pool Allocations Succeeded SpecialPool 0x0
Pool Allocations With NO TAG           0x0
Pool Allocations Failed                0x0
Resource Allocations Failed Deliberately   0x0

Current paged pool allocations         0x0 for 00000000 bytes
Peak paged pool allocations            0x0 for 00000000 bytes
Current nonpaged pool allocations      0x0 for 00000000 bytes
Peak nonpaged pool allocations         0x0 for 00000000 bytes

BSOD Analysis:

-----------------------------------------------------------------------------

Code:

BugCheck C2, {7, 109b, 0, fffffa8006821630}

GetPointerFromAddress: unable to read from fffff80003302100
GetUlongFromAddress: unable to read from fffff800033021c0
Probably caused by : ntkrnlmp.exe ( nt!ObpCloseHandleTableEntry+c4 )

Code:

Usual causes:  Device driver, Memory

This bugcheck indicates the current thread was attempting to free the same pool allocation twice, or a device driver was performing incorrect memory operations.

Code:

4: kd> !pool fffffa8006821630
Pool page fffffa8006821630 region is Nonpaged pool
 fffffa8006821000 size:  160 previous size:    0  (Allocated)  Ntfx
 fffffa8006821160 size:   10 previous size:  160  (Free)       CcBc
 fffffa8006821170 size:   30 previous size:   10  (Allocated)  ReEv
 fffffa80068211a0 size:  150 previous size:   30  (Allocated)  File (Protected)
 fffffa80068212f0 size:  150 previous size:  150  (Allocated)  File (Protected)
 fffffa8006821440 size:   10 previous size:  150  (Free)       FMic
 fffffa8006821450 size:  100 previous size:   10  (Allocated)  MmCa
 fffffa8006821550 size:   b0 previous size:  100  (Allocated)  Hal 
*fffffa8006821600 size:   80 previous size:   b0  (Allocated) *Even (Protected)
		Pooltag Even : Event objects
 fffffa8006821680 size:   a0 previous size:   80  (Free)       ViMm
 fffffa8006821720 size:  1b0 previous size:   a0  (Allocated)  MmCi
 fffffa80068218d0 size:  150 previous size:  1b0  (Allocated)  File (Protected)
 fffffa8006821a20 size:  150 previous size:  150  (Allocated)  File (Protected)
 fffffa8006821b70 size:  150 previous size:  150  (Allocated)  File (Protected)
 fffffa8006821cc0 size:  170 previous size:  150  (Allocated)  MmCi
 fffffa8006821e30 size:  1d0 previous size:  170  (Allocated)  Ntfi

Code:

4: kd> !poolval fffffa8006821630
Pool page fffffa8006821630 region is Nonpaged pool

Validating Pool headers for pool page: fffffa8006821630

Pool page [ fffffa8006821000 ] is VALID.

I don't think we are dealing with any pool corruption which is good.

Hi

I can't run Verifier (for non-MS drivers) because all of the drivers are MS.

Any ideas?

Jamie

Please post a screenshot for Step #5 within the Driver Verifier tutorial:

• Screenshots and Files - Upload and Post in Seven Forums
• How to Use the Snipping Tool in Vista

Scan for any missing, modified or corrupted protected Windows files with:

• SFC /SCANNOW Command - System File Checker

Update:

I believe since the Even tag has the Protected bit set added to it, this allows the operating system to check if the pool tag being freed was supposed to be freed, and therefore since the Even tag was freed, but wasn't maybe intended to be, the system then bugchecks with the Stop Code 0xC2.

According to some searching, the Even pool tag belongs to the Event Viewer.

Ok

Don't know why only MS drivers were showing up before, but they are all back now, so I enabled Verifier again. Its BSOD quite a few times since, so here are the new dump files...

BTW: Thanks for the update info above but I'm afraid I don't really understand any of it! Sorry bluerobot. Building houses is my expertise; i'm not very good at code analysis.

Thanks
Jamie

Thanks for the dump files, the problem does seem to be definitely related to drivers which I was expecting :)

BSOD Analysis:

----------------------------------------------------------------------------

Code:

BugCheck C9, {23e, fffff880058cc9ec, fffff98023b7ac10, 0}

Unable to load image \SystemRoot\system32\DRIVERS\shbecr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for shbecr.sys
*** ERROR: Module load completed but symbols could not be loaded for shbecr.sys
Probably caused by : shbecr.sys ( shbecr+69ec )

The shbecr.sys driver marked a IRP pending, but didn't return the STATUS_PENDING flag.

Code:

0: kd> lmvm shbecr
start             end                 module name
fffff880`058c6000 fffff880`058d8000   shbecr   T (no symbols)           
    Loaded symbol image file: shbecr.sys
    Image path: \SystemRoot\system32\DRIVERS\shbecr.sys
    Image name: shbecr.sys
    Timestamp:        Fri May 30 13:28:27 2008 (483FF2EB)
    CheckSum:         00014042
    ImageSize:        00012000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

The driver at fault here, seems to be linked to Handelsbanken Card Reader driver, and is very outdated, it seems to been have developed by a company called Todos Data System AB. I would check for updates for the driver, however, if it is the latest version then I would remove the device and it's driver.

Their main website isn't loading for me, so here's the Wiki page - http://en.wikipedia.org/wiki/Todos_Data_System

You may disable Driver Verifier now.

Hi

I removed the Handelsbanken driver, but its made no difference, its still regularly BSOD.

I can't enable Verifier because all of the drivers are MS again. I ran the SFC /scannow but this found no issues.

I've attached the latest dump files...

Thanks
Jamie