ntoskrnl.exe problem

[Flory Robert]

my laptop Is showing bluescreen and I guess there is some problem with this file ntoskrnl.exe please help

 

[Arc]

Post it following the Blue Screen of Death (BSOD) Posting Instructions.

 

[Flory Robert]

here is the folder after the instructions I followed

 

[Arc]

Your crash dumps are not showing any finite probable cause.

Test your RAM modules for possible errors.
How to Test and Diagnose RAM Issues with Memtest86+
Run memtest for at least 8 passes, preferably overnight.

If memtest comes free of errors, enable Driver Verifier to monitor the drivers.
Driver Verifier - Enable and Disable
Run Driver Verifier for 24 hours or the occurrence of the next crash, whichever is earlier.

   Information

Why Driver Verifier:
It puts a stress on the drivers, ans so it makes the unstable drivers crash. Hopefully the driver that crashes is recorded in the memory dump.

How Can we know that DV is enabled:
It will make the system bit of slow, laggy.

   Warning

Before enabling DV, make it sure that you have earlier System restore points made in your computer. You can check it easily by using CCleaner looking at Tools > System Restore.

If there is no points, make a System Restore Point manually before enabling DV.

   Tip

• If you fail to get on the Desktop because of DV, Boot into Advanced Boot Options > Safe mode. Disable DV there. Now boot normally again, and try following the instruction of enabling DV again.
• If you cannot boot in Safe mode too, do a System Restore to a point you made earlier.

Let us know the results, with the subsequent crash dumps, if any. Post it following the Blue Screen of Death (BSOD) Posting Instructions.
__________________________________________________________________________________
BSOD ANALYSIS:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 109, {a3a039d89c58b4ec, b3b7465eeed6f2ae, fffff80000b96bb0, 6}

*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Probably caused by : ntoskrnl.exe ( nt_fffff80000b95000+1bb0 )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
 or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
 debugger that was not attached when the system was booted. Normal breakpoints,
 "bp", can only be set if the debugger is attached at boot time. Hardware
 breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d89c58b4ec, Reserved
Arg2: b3b7465eeed6f2ae, Reserved
Arg3: fffff80000b96bb0, Failure type dependent information
Arg4: 0000000000000006, Type of corrupted region, can be
    0 : A generic data region
    1 : Modification of a function or .pdata
    2 : A processor IDT
    3 : A processor GDT
    4 : Type 1 process list corruption
    5 : Type 2 process list corruption
    6 : Debug routine modification
    7 : Critical MSR modification

Debugging Details:
------------------


FAULTING_IP: 
nt_fffff80000b95000+1bb0
fffff800`00b96bb0 48895c2408      mov     qword ptr [rsp+8],rbx

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x109

PROCESS_NAME:  System

CURRENT_IRQL:  0

STACK_TEXT:  
fffff880`033a85d8 00000000`00000000 : 00000000`00000109 a3a039d8`9c58b4ec b3b7465e`eed6f2ae fffff800`00b96bb0 : nt!KeBugCheckEx


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt_fffff80000b95000+1bb0
fffff800`00b96bb0 48895c2408      mov     qword ptr [rsp+8],rbx

SYMBOL_NAME:  nt_fffff80000b95000+1bb0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt_fffff80000b95000

IMAGE_NAME:  ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5149a99c

FAILURE_BUCKET_ID:  X64_0x109_6_nt_fffff80000b95000+1bb0

BUCKET_ID:  X64_0x109_6_nt_fffff80000b95000+1bb0

Followup: MachineOwner
---------

 

[Flory Robert]

after enabling the driver verifier my laptop is getting hung but its not displaying any bluescreen

 

[Arc]

Have you took the memtest? If not, disable DV now and go for it.

 

[Flory Robert]

"If Memtest does not automatically boot, go into the BIOS and change the CD drive or USB drive to be the first to boot." what does exactly means? how am I supposed to do it?

 

[Flory Robert]

this is the bluescreen that has appeared again
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional information about the problem:
BCCode: 109
BCP1: A3A039D89EBA46F0
BCP2: B3B7465EF13884B2
BCP3: FFFFF80000B96BB0
BCP4: 0000000000000006
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\062613-19156-01.dmp
C:\Users\HP\AppData\Local\Temp\WER-76643-0.sysdata.xml
Read our privacy statement online:
Windows 7 Privacy Statement - Microsoft Windows
If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

 

[Arc]

 

[Flory Robert]

It has not detected any errors

 

[Arc]

How long you ran it? How many passes?

 

[Flory Robert]

for 3 hours and 4 passes

 

[Flory Robert]

hope this may help its the system info and the minidump folder

 

[Vir Gnarus]

I may be wrong, but it looks like your system is infected, or an AV is doing something I don't know about. First thing is to scan for any potential threats. I recommend starting with Malwarebytes and provide us the log from it. If given the option to clean, do not do it.

Otherwise, turn on Driver Verifier since I noticed it was not on during these crashes. Read the entire article carefully.

Analysts:

0x109 bugchecks showing up a corruption in the NT module. However, the name of the module is strange, being altered to nt_fffff80000b95000, which the address is the base address for it. I assume it got tagged with it in the name because there's already an existing module named nt. I am very confident there shouldn't be two nt modules present at one time. Even stranger is they're both different nt module variants, and the suspect one either has no image header for it or has been paged out onto disk prior to the crash. The nt module doesn't page out its image header, however. You can tell by doing a !dh on the nt module and then locating the section header that's named .rsrc. If one of the flags is Discardable, it means it can be paged out. Otherwise, it sticks into memory as long as the image is loaded.

Or I could just be misinterpreting the whole output. I hope not.

2: kd> [COLOR=Blue]!analyze -v[/COLOR]
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
 or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
 debugger that was not attached when the system was booted. Normal breakpoints,
 "bp", can only be set if the debugger is attached at boot time. Hardware
 breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d89eba46f0, Reserved
Arg2: b3b7465ef13884b2, Reserved
Arg3: fffff80000b96bb0, Failure type dependent information
Arg4: 0000000000000006, Type of corrupted region, can be
    0 : A generic data region
    1 : Modification of a function or .pdata
    2 : A processor IDT
    3 : A processor GDT
    4 : Type 1 process list corruption
    5 : Type 2 process list corruption
    6 : Debug routine modification
    7 : Critical MSR modification

Debugging Details:
------------------

TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\modclass.ini, error 2

FAULTING_IP: 
nt_fffff80000b95000+1bb0
fffff800`00b96bb0 48895c2408      mov     qword ptr [rsp+8],rbx

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x109

PROCESS_NAME:  System

CURRENT_IRQL:  0

STACK_TEXT:  
fffff880`033c45d8 00000000`00000000 : 00000000`00000109 a3a039d8`9eba46f0 b3b7465e`f13884b2 fffff800`00b96bb0 : nt!KeBugCheckEx


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt_fffff80000b95000+1bb0
fffff800`00b96bb0 48895c2408      mov     qword ptr [rsp+8],rbx

SYMBOL_NAME:  nt_fffff80000b95000+1bb0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt_fffff80000b95000

IMAGE_NAME:  ntoskrnl.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5149a99c

FAILURE_BUCKET_ID:  X64_0x109_6_nt_fffff80000b95000+1bb0

BUCKET_ID:  X64_0x109_6_nt_fffff80000b95000+1bb0

Followup: MachineOwner
---------

2: kd> [COLOR=Blue]lmsm[/COLOR]
start             end                 module name

...

fffff800`03601000 fffff800`03be7000   [COLOR=Green]nt[/COLOR]         (pdb symbols)          c:\localsymbols\ntkrnlmp.pdb\4406EA3F2CE044878BDFDEF95E07708E2\ntkrnlmp.pdb
fffff800`00b95000 fffff800`00bb0000   [COLOR=Red]nt_fffff80000b95000[/COLOR] T (no symbols)           

...

2: kd> [COLOR=Blue]lmvm [/COLOR][COLOR=Red]nt_fffff80000b95000[/COLOR]
start             end                 module name
fffff800`00b95000 fffff800`00bb0000   nt_fffff80000b95000 T (no symbols)           
    Loaded symbol image file: ntoskrnl.exe
    Image path: [COLOR=Red]ntoskrnl.exe[/COLOR]
    Image name: ntoskrnl.exe
    Timestamp:        Wed Mar 20 08:20:44 2013 (5149A99C)
    CheckSum:         00552B17
    ImageSize:        0001B000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
2: kd> [COLOR=Blue]lmvm [/COLOR][COLOR=Green]nt[/COLOR]
start             end                 module name
fffff800`03601000 fffff800`03be7000   nt         (pdb symbols)          c:\localsymbols\ntkrnlmp.pdb\4406EA3F2CE044878BDFDEF95E07708E2\ntkrnlmp.pdb
    Loaded symbol image file: [COLOR=Green]ntkrnlmp.exe[/COLOR]
    Mapped memory image file: c:\localsymbols\ntoskrnl.exe\5147D9C65e6000\ntoskrnl.exe
    Image path: ntkrnlmp.exe
    Image name: ntkrnlmp.exe
    Timestamp:        Mon Mar 18 23:21:42 2013 (5147D9C6)
    CheckSum:         00552B17
    ImageSize:        005E6000
    File version:     6.1.7601.18113
    Product version:  6.1.7601.18113
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntkrnlmp.exe
    OriginalFilename: ntkrnlmp.exe
    ProductVersion:   6.1.7601.18113
    FileVersion:      6.1.7601.18113 (win7sp1_gdr.130318-1533)
    FileDescription:  NT Kernel & System
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

2: kd> [COLOR=Blue]!dh nt[/COLOR]

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
    8664 machine (X64)
      18 number of sections
5147D9C6 time date stamp Mon Mar 18 23:21:42 2013

       0 file pointer to symbol table
       0 number of symbols
      F0 size of optional header
      22 characteristics
            Executable
            App can handle >2gb addresses

OPTIONAL HEADER VALUES
     20B magic #
    9.00 linker version
  47A400 size of code
   CFC00 size of initialized data
    3400 size of uninitialized data
  2B36F0 address of entry point
    1000 base of code
         ----- new -----
0000000140000000 image base
    1000 section alignment
     200 file alignment
       1 subsystem (Native)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
  5E6000 size of image
     600 size of headers
  552B17 checksum
0000000000080000 size of stack reserve
0000000000002000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
       0  DLL characteristics
  531000 [   109BC] address [size] of Export Directory
  5AB6C4 [      78] address [size] of Import Directory
  5AD000 [   35F48] address [size] of Resource Directory
  27D000 [   2FD90] address [size] of Exception Directory
  549600 [    1B58] address [size] of Security Directory
  5E3000 [    207C] address [size] of Base Relocation Directory
  1A1F00 [      38] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
       0 [       0] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
  1AC000 [     380] address [size] of Import Address Table Directory
       0 [       0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

...

SECTION HEADER #17
   [COLOR=Green].rsrc [/COLOR]name
   35F48 virtual size
  5AD000 virtual address
   36000 size of raw data
  511400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)      [COLOR=Green]//No 'Discardable' flag[/COLOR]
         Read Only
...

 

[x BlueRobot]

Welcome to the forums Flory Robert,

[COLOR="red"]BugCheck 109[/COLOR], {a3a039d89eba46f0, b3b7465ef13884b2, fffff80000b96bb0, 6}

*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Probably caused by : ntoskrnl.exe ( nt_fffff80000b95000+1bb0 )

Usual causes:  Device driver, Breakpoint set with no debugger attached, Hardware (Memory in particular)

The bugcheck indicates that kernel data has become corrupted, this can be due to device drivers or hardware failure such as RAM.

*Note* You need to run Memtest86+ for least 9-10 passes, and preferably overnight. Each pass will run several different tests.

Remove:

Start Menu\Programs\Free Registry Cleaner

Removal Tool - Revo Uninstaller Pro - Uninstall Software, Remove Programs easily, Forced Uninstall, Leftovers Uninstaller

Windows 7 doesn't require any programs which make changes to the operating system and registry, these programs tend to cause problems by modifying and deleting files.

• http://www.sevenforums.com/performa...registry-cleaner-tests-why-not-use-one-2.html

Windows is a closed source system. Developers of registry cleaners do not have the core code of Windows 7 and are not working on definitive information, but rather they are going on past knowledge and experience. Automatic cleaners will usually have to do some guesswork.

Modifying registry keys incorrectly can cause Windows instability, or make Windows unbootable. No registry cleaner is completely safe and the potential is ever present to cause more problems than they claim to fix.

Registry cleaners cannot distinguish between good and bad. If you run a registry cleaner, it will delete all those keys which are obsolete and sitting idle; but in reality, those keys may well be needed by some programs or windows at a later time.

Windows 7 is much more efficient at managing the registry than previous Windows versions. If you run any other registry cleaner and do not know precisely what you are doing, you will have problems down the road. There are no gains to be had from using a registry cleaner and the risk is great.

Remove:

Start Menu\Programs\Driver Support

Programs which scan for drivers and then offer driver updates, often install the wrong drivers which are either corrupted or incompatible with your system. The best method is to visit the hardware vendor or manufacturer of your computer, and then obtain driver updates from their support page.

EDIT: Thanks for your input Vir

EDIT2: Regarding, the !dh extension, is this blog post similar? http://analyze-v.com/?p=847