Random BSOD errors 0x00000A/0x000001E

Code:

BugCheck 1E, {ffffffffc0000096, fffff80002ea7dda, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KeStackAttachProcess+1ba )

Code:

4: kd> k
Child-SP          RetAddr           Call Site
fffff880`0335aee8 fffff800`02ec2738 nt!KeBugCheckEx
fffff880`0335aef0 fffff800`02e77242 nt! ?? ::FNODOBFM::`string'+0x487ed
fffff880`0335b590 fffff800`02e75b4a nt!KiExceptionDispatch+0xc2
fffff880`0335b770 fffff800`02ea7dda nt!KiGeneralProtectionFault+0x10a
fffff880`0335b900 fffffa80`081b79c8 nt!KeStackAttachProcess+0x1ba
fffff880`0335b980 fffff880`0335ba80 0xfffffa80`081b79c8
fffff880`0335b988 00000000`00000000 0xfffff880`0335ba80

The problem lies with the nt!KeStackAttachProcess, which is a very dangerous function to call and should be used with extreme caution as a result of the difficulties it can cause with IRPs and asynchronous I/O (deadlocks etc.). The function is used to attach a thread to another process' address space, which will explain the the mov instructions being used on both the cr8 and cr3 control registers. These registers can only be called at Ring Level 0.

Code:

4: kd> u
nt!KeStackAttachProcess+0x1ba:
fffff800`02ea7dda 0f22d8          mov     cr3,rax <-- Privileged Instruction (Move data from rax into cr3)
fffff800`02ea7ddd 410fb6c4        movzx   eax,r12b
fffff800`02ea7de1 440f22c0        mov     cr8,rax <-- Privileged Instruction (Move data from rax into cr8)
fffff800`02ea7de5 48c7452000000000 mov     qword ptr [rbp+20h],0
fffff800`02ea7ded 488b7c2460      mov     rdi,qword ptr [rsp+60h]
fffff800`02ea7df2 4c8b642458      mov     r12,qword ptr [rsp+58h]
fffff800`02ea7df7 488bac2480000000 mov     rbp,qword ptr [rsp+80h]
fffff800`02ea7dff 4883c468        add     rsp,68h

Generally, the cr8 register is used to primarily handle priority of external interrupts (interrupts from I/O devices).

The cr3 register is used to for virtual addressing, and converting linear addresses into physical addresses using page tables and page table directories etc. This is probably the most relevant instruction for faulting function call. This is in fact where the problem happened.

I believe the CPU may have still been running at User-Mode level (Ring 3) or any level higher than Ring 0, for this exception to have happened.

Code:

4: kd> !error ffffffffc0000096
Error code: (NTSTATUS) 0xc0000096 (3221225622) - {EXCEPTION}  Privileged instruction.

My general advice would be to run Driver Verifier. The General Protection Fault also makes sense here, since the this exception is called when a privileged instruction is called at the wrong level.

x BlueRobot said:

My general advice would be to run Driver Verifier. The General Protection Fault also makes sense here, since the this exception is called when a privileged instruction is called at the wrong level.

so what exactly is the problem. your post before confused me more than anything. can you dumb it down just a bit? also i am running driver verifier currently and will post back when i learn anything new.

i have been running driver verifier for about 8-10 hours with no bsod at all. Usually by now my computer would bsod on its own without driver verifier running so im a bit confused myself.

ran driver verifier over night. first time i was happy to see it crashed :) I have included the dump files from those crashes that happened over night.

Code:

BugCheck F4, {3, fffffa80091efb30, fffffa80091efe10, fffff800031cd7b0}

----- ETW minidump data unavailable-----
Probably caused by : wininit.exe

Code:

(NTSTATUS) 0xc0000006 - The instruction at 0x%p referenced memory at 0x%p. The required data was not placed into memory because of an I/O error status of 0x%x.

Code:

0: kd> !process fffffa80091efb30 3
GetPointerFromAddress: unable to read from fffff80003100000
PROCESS fffffa80091efb30
    SessionId: none  Cid: 0278    Peb: 7fffffdc000  ParentCid: 01b0
    DirBase: 1c162d000  ObjectTable: fffff8a001e5af90  HandleCount: <Data Not Accessible>
    Image: wininit.exe
    VadRoot fffffa80091ca820 Vads 65 Clone 0 Private 692. Modified 1132. Locked 2.
    DeviceMap fffff8a000007eb0
    Token                             fffff8a001e5a060
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
fffff78000000000: Unable to get shared data
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         103640
    QuotaPoolUsage[NonPagedPool]      26720
    Working Set Sizes (now,min,max)  (1589, 50, 345) (6356KB, 200KB, 1380KB)
    PeakWorkingSetSize                1589
    VirtualSize                       49 Mb
    PeakVirtualSize                   52 Mb
    PageFaultCount                    1857
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      793

There's lots of Stop 0xF4's, which usually indicates some problem with the hard-drive, in this case the paging mechanism seemed to have failed as a result of a I/O error.

Disable Driver Verifier, and have you followed Essenbe's suggestions?

Interesting call stack here too:

Code:

0: kd> k
 # Child-SP          RetAddr           Call Site
00 fffff880`086c6098 fffff800`02f55bf0 nt!KeBugCheckEx
01 fffff880`086c60a0 fffff800`02ed5cee nt! ?? ::FNODOBFM::`string'+0x4518f
02 fffff880`086c6200 fffff800`02f2636e nt!KiPageFault+0x16e
03 fffff880`086c6398 fffff800`032df7fe nt!wcsstr+0x56
04 fffff880`086c63a0 fffff800`032df860 nt!SiIsWinPEBoot+0x4e
05 fffff880`086c63e0 fffff800`032e2952 nt!SiCheckForUfdWinpeBoot+0x30
06 fffff880`086c64c0 fffff800`032e2a1d nt!SiCheckForAlternateSystemDisk+0x12
07 fffff880`086c64f0 fffff800`032e479e nt!SiGetBiosSystemDisk+0x9d
08 fffff880`086c6570 fffff800`032fa4a7 nt!SiGetBiosSystemPartition+0x2e
09 fffff880`086c65c0 fffff800`032dfb5a nt!SiGetSystemPartition+0x27
0a fffff880`086c65f0 fffff800`0326554d nt!SiGetSystemDeviceName+0x3a
0b fffff880`086c6650 fffff800`032e5207 nt!IopRetrieveSystemDeviceName+0xac
0c fffff880`086c66b0 fffff800`0323c6f9 nt!IoQuerySystemDeviceName+0x37
0d fffff880`086c66f0 fffff800`031e33ad nt! ?? ::NNGAKEGL::`string'+0x52a6c
0e fffff880`086c6aa0 fffff800`02ed6e53 nt!NtQuerySystemInformation+0x4d
0f fffff880`086c6ae0 00000000`76fe161a nt!KiSystemServiceCopyEnd+0x13
10 00000000`0104c098 00000000`00000000 0x76fe161a

x BlueRobot said:

Code:

BugCheck F4, {3, fffffa80091efb30, fffffa80091efe10, fffff800031cd7b0}

----- ETW minidump data unavailable-----
Probably caused by : wininit.exe

Code:

(NTSTATUS) 0xc0000006 - The instruction at 0x%p referenced memory at 0x%p. The required data was not placed into memory because of an I/O error status of 0x%x.

Code:

0: kd> !process fffffa80091efb30 3
GetPointerFromAddress: unable to read from fffff80003100000
PROCESS fffffa80091efb30
    SessionId: none  Cid: 0278    Peb: 7fffffdc000  ParentCid: 01b0
    DirBase: 1c162d000  ObjectTable: fffff8a001e5af90  HandleCount: <Data Not Accessible>
    Image: wininit.exe
    VadRoot fffffa80091ca820 Vads 65 Clone 0 Private 692. Modified 1132. Locked 2.
    DeviceMap fffff8a000007eb0
    Token                             fffff8a001e5a060
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
fffff78000000000: Unable to get shared data
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         103640
    QuotaPoolUsage[NonPagedPool]      26720
    Working Set Sizes (now,min,max)  (1589, 50, 345) (6356KB, 200KB, 1380KB)
    PeakWorkingSetSize                1589
    VirtualSize                       49 Mb
    PeakVirtualSize                   52 Mb
    PageFaultCount                    1857
    MemoryPriority                    BACKGROUND
    BasePriority                      13
    CommitCharge                      793

There's lots of Stop 0xF4's, which usually indicates some problem with the hard-drive, in this case the paging mechanism seemed to have failed as a result of a I/O error.

Disable Driver Verifier, and have you followed Essenbe's suggestions?

i started running the long scan and everytime it gets about 3-4 hours into the scan my computer crashes.

my hard drive is constantly running and has a very noticeable grinding sound. could replacing it resolve these issues? also before every crash my devices connected to the USB ports usually stop working. usually my mouse and headset specifically

i got the hard drive test to finish and it says it found no bad sectors.