BSOD sometimes when waking computer up in the morning

pyrophilus · 02 Apr 2015

My boss's computer at work is driving me mad.

It seems that once every week or two weeks, when he comes into work in the morning, and then tries to wake up the computer, it end up going into BSOD.

I have to hold the power button down to turn it off, and then when i turn it on again, it reboots fine. It has NEVER crashed while he was using it. Only once in a blue moon first thing in the morning.

I have re-installed windows, and same problem surfaces after about a week.
I have even put in a new image that is made by the IT team, and it still crashes.
I have since replaced the desktop with a different one (same make, model), but after about a week, same thing happens.

So I am thinking that it is either some software he is using/installed, or a driver?

I have also swapped out the ram, and still no joy.

I would be forever grateful if someone could tell me what the heck is causing the BSOD. Thank you,

-Sage

pyrophilus · 02 Apr 2015

I have also replaced this computer with one fresh out of the box. Unfortunately, NYC dept of Ed has Lenovo put on all programs in a common image for all of their computers.

We also have about 30 of these computers, and they all work fine, except for this. I have even swapped computers, swapped drives, and the common denominator seems to be the user and the programs they use or the drivers for the specific peripherals that they have.

Again, thank you for any helps.

Boozad · 02 Apr 2015

Welcome to 7F.

Bugchecks 0x50 can be particularly tricky to pinpoint, however one of the more common reasons for this bugcheck is a driver referencing a bad pointer which seems to be the case here. Having looked at your dumps it appears that the offending driver is trying to access a bogus address but there's not trace of the driver.

Code:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffffaaa0600001b, 0, fffff800038ad79f, 5}


Could not read faulting driver name
Probably caused by : memory_corruption ( nt!MiAgeWorkingSet+425 )

Followup: MachineOwner

1: kd> !pool fffff800038ad79f
Pool page fffff800038ad79f region is Nonpaged pool
GetUlongFromAddress: unable to read from fffff80003a6aa38
Unable to get pool big page table. Check for valid symbols.
fffff800038ad000 is not valid pool. Checking for freed (or corrupt) pool
Bad allocation size @fffff800038ad000, zero is invalid

***
*** An error (or corruption) in the pool was detected;
*** Attempting to diagnose the problem.
***
*** Use !poolval fffff800038ad000 for more details.


Pool page [ fffff800038ad000 ] is __inVALID.

Analyzing linked list...
[ fffff800038ad000 ]: invalid previous size [ 0xff ] should be [ 0x0 ]
[ fffff800038ad000 --> fffff800038ad260 (size = 0x260 bytes)]: Corrupt region
[ fffff800038ad270 --> fffff800038ad2a0 (size = 0x30 bytes)]: Corrupt region


Scanning for single bit errors...

None found

1: kd> !poolval fffff800038ad000
Pool page fffff800038ad000 region is Nonpaged pool

Validating Pool headers for pool page: fffff800038ad000

Pool page [ fffff800038ad000 ] is __inVALID.

Analyzing linked list...
[ fffff800038ad000 ]: invalid previous size [ 0xff ] should be [ 0x0 ]
[ fffff800038ad000 --> fffff800038ad260 (size = 0x260 bytes)]: Corrupt region
[ fffff800038ad270 --> fffff800038ad2a0 (size = 0x30 bytes)]: Corrupt region


Scanning for single bit errors...

None found

Your other dumps (0x4E and 0x1E) both point to a driver/s passing a bad memory descriptor and the Windows kernel detecting an illegal processor instruction. 0x1Es can be caused by invalid memory addresses similar to the 0x50 bugcheck. Luckily the 0x1E has thrown up a driver.

Code:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000005, fffff80003bba900, 0, ffffffffffffffff}

Probably caused by : memory_corruption ( nt!MiPerformFixups+80 )

Followup: MachineOwner

fffff880`0c2e4ac8  fffff880`03f32028Unable to load image \SystemRoot\system32\Drivers\SEP\0C0107DF\07DF.105\x64\SRTSP64.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SRTSP64.SYS
*** ERROR: Module load completed but symbols could not be loaded for SRTSP64.SYS
 SRTSP64+0xba028

The driver belongs to Symantec Realtime Storage Protection. The driver looks old, either update the driver/program, or uninstall Symantec and find an alternative.

pyrophilus · 02 Apr 2015

This is so weird. The Symantec Endpoint Protection is a corporate version and it is run as client that is being managed by the Dept of Ed server.

I will attempt update, but when I do, it just says, "update request has been sent to server"...

Thank you. I guess if there is a manual way to update this driver, I'm all ears...

Boozad · 02 Apr 2015

I've no idea to be honest, I've never used Symantec. There's a remote chance that it's a false positive but I doubt it. If you want you could run Driver Verifier to see if any rogue drivers show up, let me know if you want to go this route and I'll post the instructions. You'd probably be better off letting the system administrator know what's been discovered here and let them tackle the issue, I don't want to advise you to perform tasks that may end up in disciplinary action. This really should be down to your system administrator really but keep us informed if require further help.

Chetan Savade · 03 Apr 2015

Hi,

I am Chetan Savade from Symantec Technical Support Team.

Could you confirm the SEP client version. To confirm the version details open SEP client GUI --> Look at Top right corner, Click Help--> About

SEP 12.1 RU5 (12.1.5337.5000) is the latest version. To upgrade SEP client version YOU need to push latest package from the management server or run setup file manually.

Best Regards,
Chetan

Boozad · 03 Apr 2015

Thanks for the input Chetan. Much appreciated.

pyrophilus · 13 Apr 2015

Thanks guys,

I will check the version, but my own computer in the same building is showing version: 12.1.4013.4013

I will contact system admin. Thanks again,

pyrophilus · 14 Apr 2015

Weird, my SEP is version 12.1.4013.4013.
My GUI is green across the top and running live update says program is up to date.
and I do NOT suffer BSODs.

The problematic PC's SEP version is 12.1.2015.2015.
His SEP GUI also is green across the top and running live update says the program is up to date.

I just asked the system administrator why there are multiple SEP GUI's running on the server-managed systems that all report "up to date".

I tried to uninstall the SEP to re-install the installation they offer, but it asks for a password and no one seems to know what the password is, and ones that were suggested does not seem to work either.

I will report back with more info.