BSOD UNEXPECTED_KERNEL_MODE_TRAP (7f)

[bsfinkel]

I enabled verifier.exe, and I rebooted. Windows 7 immediately gave a BSOD, but the info on the screen was not there long enough for me to read it. I tried one more time, with the same results. Then I booted into safe more and typed "verifier /reset". The system rebooted normally. I see no minidump nor full dump, and I see no eventlog entries with any diagnostic information. Is there a verifier log somewhere? What should I do next? In verifier I selected all options except Low Resources Simulation, and for the drivers I selected all non-MS drivers.

--Barry Finkel

 

[x BlueRobot]

Well, we can establish that either Driver Verifier has found a driver loading at boot which is causing problems, but couldn't save the dump files because not all the necessary data structures etc. were loaded to save the dump files. Driver Verifier will produce a BSOD upon a problem, which basically is the log file.

Boot into Safe Mode with Networking, and then report if any crashes occur within Safe Mode.

 

[bsfinkel]

I have been in safe mode for 1.5 hours, and the system has not crashed. I checked, and verifier is running. I will stay in safe mode for a while. I have opened all of the non-MS applications that I normally have open. I will have more details later.
--Barry Finkel

 

[bsfinkel]

More Information via verifier.exe

I decided that verifier.exe was not going to find anything in safe mode, because the other verifier BSODs occurred during startup. So, I took my camera and shot a video of Win 7 booting. Right after the four colors in the Win 7 logo come together, I had a BSOD:

BAD_POOL_CALLER
STOP: 0x000000C2 (0x00000009D, 0x00000419, 0x00000000, 0x865DC556)
SmartDefragDriver.sys - Address 865DC556 base at 0x865DB000,
DateStamp 4cedf7e3b

As that driver is IObit, I opened a problem report with them. I will wait for their response. Via a Google search I saw lots of postings with this error, but none had a resolution that applied, or the problems were too old.

As today is patch Tuesday, I will hold off testing for a few days, as I do not want to make too many changes at once.

Further testing I want to do - 1) Run verifier.exe in safe mode and try SmartDefrag to see if I can get a dump. 2) Run verifier.exe but exclude SmartDefragDriver.sys and see what verifier.exe finds.

--Barry Finkel

 

[x BlueRobot]

Personally, I would remove IOBit completely from your system.

 

[bsfinkel]

Here is a summary of verifier.exe:

1) SmartDefragDriver.sys BSODs immediately, and my analysis of the BSOD screen says that the error should not be fatal. BAD_POOL_CALLER (c2). Parm 1 = 9D, and Parm 2 = x419. I have a support ticket open with iObit.

2) KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e). IMAGE_NAME: WRkrn.sys. I have an open ticket with Webroot.

3) I started verifier again this afternoon at 2PM (without SmartDefragDriver and WRkrn), and I will leave it running untl the next BSOD.

--Barry Finkel

 

[x BlueRobot]

Okay, thanks for the update

 

[bsfinkel]

A further update. I have experienced two more BSODs. One (9/13 13:12) was "NTFS_FILE_SYSTEM (24)", and I had experienced a similar BSOD (08/15 00:11). There were two more previously this year with my old motherboard. I did not look at the dump, and I assume that verifier.exe (which I an stiil running) was NOT the "cause". The other BSOD (09/14 13:34) was "DRIVER_CORRUPTED_EXPOOL (c5)"; this is my first BSOD with this symptom string, and I assume it was "caused" by verifier. I did not look at the windbg output in detail to find a possible driver name. I have uploaded a new SF_15-09-2013.zip file.
--Barry Finkel

 

[x BlueRobot]

[COLOR=Red]BugCheck C5[/COLOR], {4, 2, 0, 82f3b495}

Probably caused by : ntkrpamp.exe ( nt!ExFreePoolWithTag+9da )

aea8a9ec -- ([COLOR=SeaGreen].trap 0xffffffffaea8a9ec[/COLOR])
[COLOR=Red]ErrCode = 00000000[/COLOR]
eax=8b5478e0 ebx=82f506c0 ecx=8b5478e8 [COLOR=Red]edx=00000000[/COLOR] esi=000001ff edi=8b547920
eip=82f3b495 esp=aea8aa60 ebp=aea8aabc iopl=0         nv up ei ng nz ac pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010297
nt!ExFreePoolWithTag+0x9da:
82f3b495 8b5204          mov     edx,dword ptr [COLOR=Red][edx+4][/COLOR] ds:0023:00000004=????????

We can see from the trap frame, that a exception happened because a driver attempted to divide data by zero, this points further back to device driver issues.

From a Stop 0x24 dump:

1: kd> [COLOR=SeaGreen]!error 0xc0000005[/COLOR]
Error code: (NTSTATUS) 0xc0000005 (3221225477) - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

The context of both dump files are similar, a driver has attempted to access a invalid memory address, which it either didn't have rights to or the MMU was able to translate.

Have you removed those IOBit programs? Sorry for the really slow reply.

 

[bsfinkel]

I am not sure how to interpret your reply. I don 't mind the slow response, as I was away from my computer for close to 4 days. You looked at the "DRIVER_CORRUPTED_EXPOOL (c5)" dump, and you said that it was probably caused by ntkrpamp.exe . What is that? Via a Google search I see lots of BSOD/ntkrpamp.exe problems. Is ntkrpamp a MS routine? Where is it found? I do not find it in my C:\Windows directory, nor in the Program Files directory. Is there evidence in the dump that tells what device driver is involved in this crash? I am still running verifier.

I have not uninstalled IObit products, as I have no evidence that they are causing any of my BSODs. I had a verifier BSOD related to SmartDerfagDriver.sys, and I have an open trouble ticket with IObit support. I looked at that BSOD, and I conclude that SmartDefrag is using an identifier that is not an alphanumeric string. This does not cause a problem with the code when it runs, but it immediately causes verifier to BSOD. I took that driver out of the verifier list.

I had another verifier BSOD from wrkrn.sys (Webroot SecureAnywhere). Webroot had me uninstall WRSA and then install something (I do not know what the changes were). I got another verifier BSOD, so I am working with Webroot support on this set of BSODs.

Sunday morning the system was running slowly; one process was using lots of CPU. So I started closing applications in preparation for a reboot. I closed Acrobat Reader, and I got a "MEMORY MANAGEMENT (1a)" BSOD. I have not done much with that dump, and I have not uploaded it. I want to figure out the ntkrpamp.exe problem first.

--Barry Finkel

 

[centaur78]

Barry

Sorry to be rude... but ... i would really suggest you to get all your open tickets that you have opened with other forums or other software product services resolved first !!

Its really frustrating when someone doesn't listen.... You are not the only person in here who needs help !!!

 

[bsfinkel]

I have been away from my computer for a while. Here is an update.

1) My problem with IObit SmartDefrag was resolved when I took their driver out of the verifier test list. That driver was doing something that failed with verifier and does not fail without verifier. IObit is looking at their code.

2) The problem with wrkrn.sys was resolved when Webroot had me install new software. I have not had a failure since I installed the new code.

3) With respect to ntkrpamp.exe, which you say is involved in at least one of my BSODs - Where is that routine? I can not find it in my C:\windows directory. Is that a MS-supplied routine? I have not found much via Google searches except for BSOD problem reports with that routine and various versions of Windows.

4) As I have written before, my BSODs seem to be random; I have yet to pinpoint a single cause. My recent BSODs:

09/22 08:32 MEMORY MANAGEMENT (1a) [while I was closing applications to reboot]
09/24 10:26 UNEXPECTED_KERNEL_MODE_TRAP (7f)
09/25 22:23 MEMORY MANAGEMENT (1a)
09/30 02:07 IRQL_NOT_LESS_OR_EQUAL (a)

Note that I am still running verifier on 13 non-MS drivers. I have uploaded a new SF zip file.
Thanks.

 

[centaur78]

Barry The posted system logs are only till 21 June 2013.

Please go to event viewer directly and right click on the system logs and save it as .evtx file as shown below and upload here

View attachment 287825

 

[bsfinkel]

Event Logs Uploaded

I have uploaded the system event log and the application event log. I am not sure what events are logged in which log. I might have uploaded them twice, as I was not sure that the first upload completed successfully. Thanks.
--Barry Finkel

 

[centaur78]

Where are the logs ??

 

[bsfinkel]

I have just (again) uploaded

applog-130930.evtx
systlog-130930.evtx

After the upload completed, the upload window changed to an at@t Yahoo! search window with the search argument "seven forums attachment". I do not remember seeing this behavior before. If the two files have not been uploaded, then there is a problem with the web site. I watched the networking graph as the uploads were happening, and there was networking traffic. The uploads took about 4-5 minutes.
The web page does not say that the two files were uploaded.

--Barry Finkel

 

[bsfinkel]

Upload Problems

I again tried to upload the two eventlog files.
applog-130930.evtx -gave me an error message "invalid file" (tried twice)
systlog-130930.evtx - gave me a timeout after 3-4 minutes (tried thrice)

I tried each separately instead of both together, as I had tried previously.
What do I need to do to get the event logs uploaded? Thanks.

--Barry Finkel

 

[centaur78]

zip it up and upload.

 

[bsfinkel]

Zipped Files Uploaded

I zipped both event logs and uploaded them.
--Barry Finkel