Bringing desktop to same mem state after BSOD. 3rd party SW?

JohnAtanasoff

Hi, I looked this over on Google and did not find the info I want.

I have a desktop PC.
For Windows 7; after a BSOD, is there a 3rd party tool allowing to bring the OS to the exact same state with the same files open etc. before the crash happened?
Like when using hibernate.

I'm getting BSODs followed by a memory dump quite often or when invoking certain SW. It's very annoying when involuntarily I lose my unsaved files and tasks I was doing.


Pls shed your knowledge on this.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64i7 3770K16GBP8Z77-V PRO/THUNDERBOLT builtin Graphics Card
Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
CPU
i7 3770K
Motherboard
ASUSTeK COMPUTER INC. P8Z77-V PRO/THUNDERBOLT
Memory
16GB
Graphics Card(s)
P8Z77-V PRO/THUNDERBOLT builtin Graphics Card
Hard Drives
OCZ vertex 4
western digital black caviar 1tb
Antivirus
avast
Browser
ff, chrome
Hi JohnAtanasoff,

It is important to find out the root cause behind the 'Blue screen'; once treated, you may be able to prevent errors in the system. Not sure if a 'standalone software' is a potential remedy for various 'Blue screen errors'.

Please follow the steps in the following tutorial to capture and share the 'crash dump' details: http://www.sevenforums.com/bsod-help-support/96879-blue-screen-death-bsod-posting-instructions.html

As mentioned in the tutorial, please select 'Grab All' to capture all pertinent information (as in the reference image below)



These details are vitally important to understand the reason of 'errors/crashes' in the system.
Do reply with the information; would be glad to assist.

 

My Computer My Computer

At a glance

Windows 7 64bit
OS
Windows 7 64bit
Hi Saurab,

Thanks for this. I am going through the steps to provide you with complete BSOD data for investigation.

My Bsod's apart... And going to my main question of the topic.

Is there SW capable of putting the computer in the same memory state (same files opened and everything) right before the crash? I am looking for an answer such as YES, NO, NOT YET DEVELOPED.

Which one of the three?


 

Hi JohnAtanasoff,

Thank you for the reply.
Apologies for not being able to understand your question correctly in the first place.

From my experience, I've not come across any software/application that would store 'an image' of the 'open files/applications/documents' either in the 'non-volatile memory' or the 'hard drive', just before the 'Blue-screen' occurs.

'Hibernation' is only a power-saving state and it places the open documents and programs on your hard disk. This data can be accessed again (from where you left) when 'Windows' resumes.

The impact of 'Blue-screen' in most cases results in complete 'System Restart' and is liable to override the impact of a process like 'Hibernation'.

Hope this helps.

 

Hi Saurab,

Thanks for the reply! Perhaps a tool that takes snapshots every minute and keeps say 10 snapshots, refreshing them every time, could do the trick. In the event of a BSOD we are able to revert back in time just the way the system was.

Not sure if someone has developed such an idea.


About my BSOD. Had another one today after using ARO (SW for system cleaning and optimization); it happens almost every time and I suspect it's deleting needed files for the system.


I have the zip ready. Contains 4 dumps from previous dates created yesterday using SF_Diagnostic_Tool, and other files created today. Oddly after the bsod, SF_Diagnostic_Tool did not create a dump from today...


Please, if you get time, let me know if you spot the main exception causing my computer to crash often. I suspect it to be SW rather than HW. I have lots of SW installed and I need it.
 

Hi JohnAtanasoff,

Thank you for the response.

The mini-dump analysis:

Probably caused by: intelppm.sys
Relates to: 'Intel Processor driver'
Code:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 124, {0, fffffa800fc51028, fe200000, 41136}

Unable to load image \SystemRoot\system32\DRIVERS\intelppm.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for intelppm.sys
*** ERROR: Module load completed but symbols could not be loaded for intelppm.sys
Probably caused by : hardware

Followup: MachineOwner
---------

5: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

WHEA_UNCORRECTABLE_ERROR (124)
A fatal hardware error has occurred. Parameter 1 identifies the type of error
source that reported the error. Parameter 2 holds the address of the
WHEA_ERROR_RECORD structure that describes the error conditon.
Arguments:
Arg1: 0000000000000000, Machine Check Exception
Arg2: fffffa800fc51028, Address of the WHEA_ERROR_RECORD structure.
Arg3: 00000000fe200000, High order 32-bits of the MCi_STATUS value.
Arg4: 0000000000041136, Low order 32-bits of the MCi_STATUS value.

Debugging Details:
------------------


BUGCHECK_STR:  0x124_GenuineIntel

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  f

STACK_TEXT:  
fffff880`034adb58 fffff800`0302aa3b : 00000000`00000124 00000000`00000000 fffffa80`0fc51028 00000000`fe200000 : nt!KeBugCheckEx
fffff880`034adb60 fffff800`031ed633 : 00000000`00000001 fffffa80`0fb448a0 00000000`00000000 fffffa80`0fb448f0 : hal!HalBugCheckSystem+0x1e3
fffff880`034adba0 fffff800`0302a700 : 00000000`00000728 fffffa80`0fb448a0 fffff880`034adf30 fffff880`034adf00 : nt!WheaReportHwError+0x263
fffff880`034adc00 fffff800`0302a052 : fffffa80`0fb448a0 fffff880`034adf30 fffffa80`0fb448a0 00000000`00000000 : hal!HalpMcaReportError+0x4c
fffff880`034add50 fffff800`03029f0d : 00000000`00000008 00000000`00000001 fffff880`034adfb0 00000000`00000000 : hal!HalpMceHandler+0x9e
fffff880`034add90 fffff800`0301de88 : 00000000`00000001 fffff880`034a5180 00000000`00000000 00000000`00000000 : hal!HalpMceHandlerWithRendezvous+0x55
fffff880`034addc0 fffff800`030d552c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : hal!HalHandleMcheck+0x40
fffff880`034addf0 fffff800`030d5393 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxMcheckAbort+0x6c
fffff880`034adf30 fffff880`05574c61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiMcheckAbort+0x153
fffff880`034cdb58 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : intelppm+0x2c61


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: hardware

IMAGE_NAME:  hardware

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  X64_0x124_GenuineIntel_PROCESSOR_CACHE

BUCKET_ID:  X64_0x124_GenuineIntel_PROCESSOR_CACHE

Followup: MachineOwner

Please try updating the 'Intel Processor driver' from here: Intel Download Center

Also run a 'Disk Check' (Command Prompt) using the information listed in this tutorial: http://www.sevenforums.com/tutorials/433-disk-check.html

Also try updating 'Windows Updates' to see if that helps: Microsoft Windows Update

Also have a look at the following thread; provides useful troubleshooting steps to handle Stop 0x124 error: http://www.sevenforums.com/crash-lockup-debug-how/35349-stop-0x124-what-means-what-try.html

Another crash dump:
Probably caused by: ntkrnlmp.exe
Driver Description: NT Kernel & System
Code:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 0, fffff800032c30c7}

Probably caused by : ntkrnlmp.exe ( nt!ExQuerySystemLockInformation+1a7 )

Followup: MachineOwner
---------

6: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff800032c30c7, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800032b7100
 0000000000000000 

CURRENT_IRQL:  2

FAULTING_IP: 
nt!ExQuerySystemLockInformation+1a7
fffff800`032c30c7 488b09          mov     rcx,qword ptr [rcx]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  wireshark.exe

Try uninstalling 'Wireshark.exe': How to manually remove programs from the Add or Remove Programs tool

IRQL_NOT_LESS_OR_EQUAL
This may be caused when paged memory (or invalid memory) is accessed while the IRQL is too high. Try testing the 'System Memory' to check its functionality: http://www.sevenforums.com/tutorials/105647-ram-test-memtest86.html

Another crash dump:
Probably caused by: Ntfs.sys driver
Relates to NT File System Driver
Code:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {1904fb, fffff8800595cf58, fffff8800595c7b0, fffff800030c37f7}

Probably caused by : Ntfs.sys ( Ntfs! ?? ::FNODOBFM::`string'+29f9 )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
    If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
    parameters are the exception record and context record. Do a .cxr
    on the 3rd parameter and then kb to obtain a more informative stack
    trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff8800595cf58
Arg3: fffff8800595c7b0
Arg4: fffff800030c37f7

Bug Check 0x24: NTFS_FILE_SYSTEM
One possible cause of this bug check is disk corruption. Corruption in the NTFS file system or bad blocks (sectors) on the hard disk can induce this error. I've already suggested 'Disk Check' and 'Memory Diagnostics' to you in the earlier part of this post. Let us check their results.

Try uninstalling 'Avast Pro Anti-Virus': avast! Uninstall Utility | Download aswClear for avast! Removal > Restart system > Install 'Microsoft Security Essentials' to see if that helps Microsoft Security Essentials - Microsoft Windows > Restart system and check results.

Remove 'CCleaner'; may not be required with 'Windows 7' (Remove to check impact)

If the issue persists, you may also try removing 'Super Anti Spyware' to see if that helps: SUPERAntiSpyware FAQ - How do I uninstall SUPERAntiSpyware?

Hope this helps. Do reply with the findings.
 

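The 0x124 dump in the post above gives the machine-check status word split across Arg3 and Arg4. The following is an added example, not part of the original thread, that reassembles and decodes it; the function names are hypothetical and the bit layout is the IA32_MCi_STATUS layout from the Intel SDM machine-check chapter.

```python
# Added example (not from the thread): decode the IA32_MCi_STATUS value that
# bug check 0x124 reports in Arg3 (high 32 bits) and Arg4 (low 32 bits).
# Bit positions follow the machine-check chapter of the Intel SDM.

FLAGS = {63: "VAL", 62: "OVER", 61: "UC", 60: "EN",
         59: "MISCV", 58: "ADDRV", 57: "PCC"}
REQUEST = ["ERR", "RD", "WR", "DRD", "DWR", "IRD", "PREFETCH", "EVICT", "SNOOP"]
TYPE = ["instruction", "data", "generic", "reserved"]
LEVEL = ["L0", "L1", "L2", "generic"]


def classify(mca_code):
    """Name the compound MCA error code class held in bits 15:0."""
    code = mca_code & ~0x1000          # bit 12 (F) is a filtering flag, not part of the class
    tt = TYPE[(code >> 2) & 0x3]
    ll = LEVEL[code & 0x3]
    if (code & 0xE800) == 0x0800:      # 000F 1PPT RRRR IILL
        return "bus/interconnect error"
    if (code & 0xFF00) == 0x0100:      # 000F 0001 RRRR TTLL
        rrrr = (code >> 4) & 0xF
        req = REQUEST[rrrr] if rrrr < len(REQUEST) else "reserved"
        return f"cache hierarchy error: {req} request, {tt} cache, level {ll}"
    if (code & 0xFF80) == 0x0080:      # 000F 0000 1MMM CCCC
        return "memory controller error"
    if (code & 0xFFF0) == 0x0010:      # 000F 0000 0001 TTLL
        return f"TLB error: {tt}, level {ll}"
    if (code & 0xFFFC) == 0x000C:      # 000F 0000 0000 11LL
        return f"generic cache hierarchy error, level {ll}"
    return "simple or unrecognised error code"


def decode_mci_status(arg3_high, arg4_low):
    """Rebuild the 64-bit status from the two bug check arguments and decode it."""
    status = ((arg3_high & 0xFFFFFFFF) << 32) | (arg4_low & 0xFFFFFFFF)
    mca_code = status & 0xFFFF
    return {
        "status": status,
        "flags": [name for bit, name in sorted(FLAGS.items(), reverse=True)
                  if (status >> bit) & 1],
        "model_specific_code": (status >> 16) & 0xFFFF,
        "mca_code": mca_code,
        "kind": classify(mca_code),
    }


if __name__ == "__main__":
    # Arg3 and Arg4 exactly as printed in the 0x124 dump above.
    for key, value in decode_mci_status(0xFE200000, 0x00041136).items():
        print(key, "=", hex(value) if isinstance(value, int) else value)
```

For the values in the dump, UC and PCC are set (an uncorrected error with processor context corrupt) and the MCA code 0x1136 decodes as an L2 data-read cache error, which matches the PROCESSOR_CACHE bucket name WinDbg printed.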
Hi Saurabh,

1st off, thanks a lot for taking your time to look at my dumps!

I am still sorting out some things and waiting before i provide some more valuable info.


I updated the processor driver, did a disk check without errors, and MS update.

I cannot remove 'Wireshark.exe'; it is a tool I am learning.
I cannot remove 'Avast Pro Anti-Virus' or 'Super Anti Spyware' as they are protecting my machine.


Doing a RAM - Test soon and will let you know the results!
 

Hi JohnAtanasoff,

Thank you for the response. Please take your time for the memory test and other relevant investigations.
You may choose to continue using 'Wireshark' & 'Avast Pro'. These were possible suspects; not necessarily the culprits.

Do reply with the findings. Will take it forward from there.

 
