Solved MpFilter.sys, PAGE_FAULT_IN_NONPAGED_AREA

[goodjobwindows]

I'm getting this error a few minutes into booting up. It started showing up on a fresh boot after the computer worked fine the day before.

I used the windows tools (from the F8 Menu during boot) to check RAM and also used chkdisk on my C:\-Drive. Both returned no errors. Windows also doesn't crash in safe mode, or at least it takes much longer (>1 hour) to do so.

I tried examining the minidump but visual studio 2010 tells me debugging isn't supported, because it's an old format. I don't have permissions to install anything on the computer I'm using right now.

Any ideas?

 

[silverro]

More information

OK. Normally, I am no going to post "I have the same problem, but no solution". But in this case, I have done more analysis

1) Windows 7 had several updates on the 9th and not booted till yesterday, when it failed with the exact same BSOD. 0x00000050 in mpfilter.sys 0xfffff8800104c678, 0x00, 0xfffff880101b000,0x00)
However no mini-dump file is created. This is installed on an SSD

2) Windows 8, installed on the same SSD, different partition, also crashes, and produces a mini-dump (see end of post). Had just installed AMD graphics driver (but may be a coincidence). First crash was during installation of windows update patches (again, may be a coincidence)

3) Third bootable system, is Windows 7 on hard driver. Latest windows updates not applied to this system (windows update would like to install 16 important updates).

What I tried

a) Backed out AMD video driver. Did not help
b) Ran malwarebytes on drives - no malware detected
c) Noted that msMpEng (what is crashing Windows 8) and mdfilter (what is crashing windows 7) are both part of the MS Security Essentials. However, PC that is working, has the lastest update of Security Essentials

Thoughts:

• MS Security Essentials do not appear to be the problem - as the latest is installed on my working Windows 7
• Video driver, is not the problem as it has been backed out
• I have no restore point on the windows 7 system (it is a very full SSD and apparently cannot hold a copy of the files that were updated on the last system update)
• SSD is common to the two failing systems - but vendor utilities and a read check show no issues

Next steps:
- remove MS Security Essentials
- See if there is a windows 8 restore point
- back out the windows updates from the 9th one at a time, if possible
- restore to a 6 month old system image and see what happens

---- Windows 8, portion of mini dump ----

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffc001843aa467, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80163e95944, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


Could not read faulting driver name
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

READ_ADDRESS: fffff802686d5240: Unable to get special pool info
fffff802686d5240: Unable to get special pool info
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
ffffc001843aa467

FAULTING_IP:
WdFilter!MpFileHasMotwAds+114
fffff801`63e95944 0fb74604 movzx eax,word ptr [rsi+4]

MM_INTERNAL_CODE: 2

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: MsMpEng.exe

CURRENT_IRQL: 0

TRAP_FRAME: ffffd00030af9440 -- (.trap 0xffffd00030af9440)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000202c7463 rbx=0000000000000000 rcx=ffffd00030af9600
rdx=ffffd00030af9610 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80163e95944 rsp=ffffd00030af95d0 rbp=ffffd00030af9620
r8=0000000000000001 r9=000000000000002c r10=ffffe000b2d5d1c0
r11=ffffe000b404e010 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
WdFilter!MpFileHasMotwAds+0x114:
fffff801`63e95944 0fb74604 movzx eax,word ptr [rsi+4] ds:00000000`00000004=????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8026858e1f1 to fffff8026855eca0

 

[goodjobwindows]

Thanks for the input. I turned off MSE right after booting up and so far no BSOD happened. It looks like Windows update is doing some stuff right now.

Also having no AV running is obviously not that great.. I'll wait a bit longer and try turning MSE on again. Maybe the problem has something to do with the update.

 

[silverro]

Solved

Same here. Removing MS Security Essentials - windows 7 is working fine.
Currently using Avast as an alternative - as a really do not want to risk no AV protection.
Have not yet removed MSE from Windows 8.

Several theories:

• MS Security Essentials - with KB3065979, KB3064209 and KB3040272 installed somehow causes Security Essentials to have a problem (one copy of 7 runs with the latest Security Essentials but not he patches)
• Virus targeted MS Security Essentials and somehow damaged it. AV programs are targets of viral attacks
• Somehow an SSD (which is faster than spinning magnetic) is causing the Microsoft AV to have a problem

Curious if any of the above match up with your system that had the same problem

 

[goodjobwindows]

I only have KB3065979 out of those. It shouldn't be the SSD because I had a SSD/MSE combo for years now. I re-enabled MSE after two hours and did a quick scan. No crash yet. There's some updates waiting to install on shutdown, but I'm not going to do that yet. I'll post what happened on the next boot later.

 

[Clearly Robert]

I have the same issue with this particular BSOD in the past 24 hours....after spending all day on it, I narrowed my problem down to the windows update service....all other services are checked in MSCONFIG except that one...and everything seems to be running fine.

I know I have like 16 updates that need to be done...but as soon as I check windows update service in MSCONFIG, I crash within a minute or two of rebooting to windows 7.

Anyone have solutions for some other way to get windows updates with the hope that one of them is the solution to this problem?

Robert

PS: It seems that I had gone into Task Manager a couple of months ago to turn off some nuisance Windows 10 background task that was burning CPU time but I can't recall what I did! Not sure if that is a clue but I mention it FWIW.

 

[goodjobwindows]

Alright, the updates installed (it said 16, but lists only 12 - see screenshot). I left MSE running and had no crash so far (>1 hour). Looks like MSE and Windows Update messed with each other, which can be avoided by temporarily turning off MSE and letting the update do its thing. As far as I'm concerned, the problem's fixed.

some nuisance Windows 10 background task

Most likely GWX.exe. I kept it around, just hid the icon. I can't see how you managed to remove it through task manager, though.
*
*

 

[Clearly Robert]

goodjob,

I agree with you all...it does seem that mce was the problem.....got all my updates done now except update 3077657 which keeps failing. Not sure what that does, but the crashes seem to have completely stopped.

Thanks to all for helping me find the solution!

Robert

 

[eross]

HAd this yesterday. Unistalled MSE. problem gone.

 

[Marklovin]

Worked for me too. I just uninstalled MSE, installed Windows updates then downloaded and re-installed MSE. Works a charm. No BSODs for a few hours so far. Seems to have fixed it.