Win7 Ultimate Retail, BSOD

MartinLondonUK

Hi all,

I received my copy of Win7 Ultimate on Wednesday after Amazon brought forward the delivery date owing to a postal strike that is currently underway in the UK. I proceeded with a clean install (x64 version), installed all my apps and was surprised to see, on my third day of using the OS, a BSOD. I was only running iTunes (my first song was playing in iTunes on this installation) and Outlook. I don't think anything else notable was running. I also have Norton 360 as my file scanner.

Below are my hardware details and underneath that you will find a WinDbg output. Have submitted the crash info to Microsoft via the 'Action' Centre, no fixes yet as obviously it is early days.

Not expecting a solution but grateful for any comments you might have.

Thanks all,
Martin

OS Name Microsoft Windows 7 Ultimate
Version 6.1.7600 Build 7600
OS Manufacturer Microsoft Corporation
System Manufacturer Dell Inc
System Model Dimension E521
System Type x64-based PC
Processor AMD Athlon(tm) 64 X2 Dual Core Processor 5600+, 2800 Mhz, 2 Core(s), 2 Logical Processor(s)
BIOS Version/Date Dell Inc 1.1.11, 02/08/2007
SMBIOS Version 2.4
Windows Directory C:\Windows
System Directory C:\Windows\system32
Boot Device \Device\HarddiskVolume3
Locale United Kingdom
Hardware Abstraction Layer Version = "6.1.7600.16385"
Installed Physical Memory (RAM) 4.00 GB
Total Physical Memory 4.00 GB
Available Physical Memory 1.83 GB
Total Virtual Memory 8.00 GB
Available Virtual Memory 5.55 GB
Page File Space 4.00 GB
Page File C:\pagefile.sys
--
!analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002b9853b, The address that the exception occurred at
Arg3: fffff88003124898, Exception Record Address
Arg4: fffff880031240f0, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!IopDeleteFile+24b
fffff800`02b9853b 488b09 mov rcx,qword ptr [rcx]

EXCEPTION_RECORD: fffff88003124898 -- (.exr 0xfffff88003124898)
ExceptionAddress: fffff80002b9853b (nt!IopDeleteFile+0x000000000000024b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000001300000000
Attempt to read from address 0000001300000000

CONTEXT: fffff880031240f0 -- (.cxr 0xfffff880031240f0)
rax=fffff8a00f57ddf0 rbx=fffffa800a0b3070 rcx=0000001300000000
rdx=fffff8a00f57ddf1 rsi=fffffa80039db080 rdi=fffffa8004502030
rip=fffff80002b9853b rsp=fffff88003124ad0 rbp=0000000000000001
r8=fffff8a00f57ddf0 r9=0000000000000110 r10=fffff800029ff900
r11=fffff8a010bfcca0 r12=fffffa80044f5d10 r13=fffff8a010c70600
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
nt!IopDeleteFile+0x24b:
fffff800`02b9853b 488b09 mov rcx,qword ptr [rcx] ds:002b:00000013`00000000=????????????????
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 0000001300000000

READ_ADDRESS: 0000001300000000

FOLLOWUP_IP:
nt!IopDeleteFile+24b
fffff800`02b9853b 488b09 mov rcx,qword ptr [rcx]

BUGCHECK_STR: 0x7E

LAST_CONTROL_TRANSFER: from fffff8000288a0b4 to fffff80002b9853b

STACK_TEXT:
fffff880`03124ad0 fffff800`0288a0b4 : 00000000`00000000 00000000`00000000 fffffa80`039db080 00000000`00000000 : nt!IopDeleteFile+0x24b
fffff880`03124b60 fffff800`02b72f39 : 00000000`00000000 00000000`0008c081 fffffa80`0a0b3210 fffffa80`0008c081 : nt!ObfDereferenceObject+0xd4
fffff880`03124bc0 fffff800`029aaf6b : fffffa80`0a0b3218 00000000`00000001 00000000`00000000 0f4f072f`00000631 : nt!MiSegmentDelete+0xa1
fffff880`03124c00 fffff800`029ab5dd : 00000000`00000000 00000000`00000080 fffffa80`039cd040 0fc71f0f`00000012 : nt!MiProcessDereferenceList+0x23b
fffff880`03124cc0 fffff800`02b28166 : f2f0f0fc`b4f0f036 8f0c0f29`0e0f2f1f 70d8f4f2`6050f0f4 8f1b050f`0f0d0f0f : nt!MiDereferenceSegmentThread+0x10d
fffff880`03124d40 fffff800`02863486 : fffff800`029fde80 fffffa80`039e4510 fffff800`02a0bc40 0e6d2e0e`0f0f2d8f : nt!PspSystemThreadStartup+0x5a
fffff880`03124d80 00000000`00000000 : fffff880`03125000 fffff880`0311f000 fffff880`03124550 00000000`00000000 : nt!KxStartSystemThread+0x16


SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!IopDeleteFile+24b

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc600

STACK_COMMAND: .cxr 0xfffff880031240f0 ; kb

FAILURE_BUCKET_ID: X64_0x7E_nt!IopDeleteFile+24b

BUCKET_ID: X64_0x7E_nt!IopDeleteFile+24b

Followup: MachineOwner
---------
 

How do your drivers look in 'Devices'? You may need to update one or more.
 

Further info on the STOP 0x7e error: BSOD Index

As it states in the above link, possible causes are:
Insufficient disk space, Device driver, Video card, BIOS, Breakpoint with no debugger attached, Hardware incompatibility, Faulty system service, Memory, 3rd party remote control.

Please check your disk space and let us know how much free space is available.
Please run the Windows 7 Upgrade Advisor to see if there are any incompatibilities noted - and please post the results of the report here (as the results aren't always easy to interpret). (The download is free here: http://www.microsoft.com/downloads/...FamilyID=1b544e90-7659-4bd9-9e51-2497c146af15)
 

I'd like to include one more "possible cause" for a 0x7E - absolutely frickin' anything at all :)

For the majority of common bugcheck types, those "possible cause" write-ups in the debugger docs are just an attempt to over-simplify that which cannot be simplified.
 

Hi all,

Not expecting a solution but grateful for any comments you might have.
OH YE OF LITTLE FAITH ! ! :0

Hi all,

I was only running iTunes (my first song was playing in iTunes on this installation) and Outlook. I don't think anything else notable was running. I also have Norton 360 as my file scanner...

It's nice to see you all gathered here for the party. . . so here are my thoughts on this -

Code:
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.
FAILURE_BUCKET_ID: X64_0x7E_nt!IopDeleteFile+24b

My guesstimate is that N360 is up to old tricks. The 0xc0000005 exception = memory access violation. Combine this with the IopDeleteFile instruction and I see a file deletion (or rename) being interfered with. I suggest the removal of N360 using the Norton Removal Tool.

Instructions --> Tech Support Forum - View Single Post - [SOLVED] Vista will not allow updates to programs

IMHO, 3rd party firewalls tend to interfere with Windows 7 (& Vista) system services by blocking local NETBIOS ports. I would recommend that you use the Windows Firewall only along with your choice of anti-virus and see how things go.

Lastly, I was curious as to what you are running that is using > 2GB RAM ?
Code:
    Total Physical Memory 4.00 GB
    Avail Physical Memory 1.83 GB


Regards. . .

jcgriff2

.
 

Hi all again,

Whoa, quite a few responses! Ok, first off:-

How do your drivers look in 'Devices'? You may need to update one or more.

Thanks, Jacee. I went into Device Manager and went through the list from top to bottom. I updated the generic bluetooth adaptor for my Belkin USB, only to find it was unsigned. In the end, I updated it. I also updated my ATI Radeon drivers for my monitor as per the recommendation in the BSOD Index link from usasma:-

Please check your disk space and let us know how much free space is available.
Please run the Windows 7 Upgrade Advisor to see if there's any incompatibilities noted - and please post the results of the report here (as the results aren't always easy to interpret). (The download is free here: http://www.microsoft.com/downloads/d...1-2497c146af15

Usasma, my disk space is plentiful with 126GB from 222GB free on this drive. I have another drive free at the moment that I use for backup, which is the same capacity. Should not think disk space is a problem.

I have run and attached the Upgrade Advisor's report for your perusal. I also went to the Dell site on the Advisor's suggestion, but it provided much the same information that you were offering.

Following on from above, I also went through the following list on the BSOD Index page:-

If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
Try changing video adapters.
Check with your hardware vendor for any BIOS updates.
Disable BIOS memory options such as caching or shadowing.

I can confirm that no BIOS updates are available, I suspect because this machine originally came out for the launch of Vista and that is when I got it. I also went into the BIOS and there were no means to configure memory options that I could see, certainly not caching or shadowing. I suspect it might well be a driver, as stated here in the WinDBG report...

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

...in which case the action taken above might remedy this. Only time will tell on that.

H2S04, I agree on that - I understand the ntkrnlmp.exe is the Windows Kernel? I.E. the most important file out of the whole B****Y lot! I read somewhere else that when something crashes, the Kernel can get the blame for it even though it is not at fault. So yes, these crash dumps can sometimes be too broad for their own good...:cry: :confused:

My guesstimate is that N360 is up to old tricks. The 0xc0000005 exception = memory access violation. Combine this with the IopDeleteFile instruction and I see a file deletion (or rename) being interfered with. I suggest the removal of N360 using the Norton Removal Tool.

Instructions --> Tech Support Forum - View Single Post - [SOLVED] Vista will not allow updates to programs

IMHO, 3rd party firewalls tend to interfere with Windows 7 (& Vista) system services by blocking local NETBIOS ports. I would recommend that you use the Windows Firewall only along with your choice of anti-virus and see how things go.

You could be right jcgriff2, Norton 360 has been a tinker in the past and I have had to reinstall it a few times. I had a few blue screens a year back in Vista (not had any since) and they were torn between Norton and Firefox. Both were implicated in the debug anyway. I will hold out for the moment on Norton in case the action on the drivers has made any difference - one step at a time. That goes for memory too and all the static issues, I have not needed to look inside the box ever since I bought the machine. So handling memory or any other tinkling will be last resort. I choose Norton because at the time of getting Vista, I read about the different packages and how many viruses they could suck up. Norton was in the top three and One care was rock bottom with just 90%. :shock: Maybe it is time to review that choice, but what would be the package to go with these days?

Lastly, I was curious as to what you are running that is using > 2GB RAM ?

Just lots of things running together! I have attached a screen dump for your perusal. Everything looks normal anyway!

Right, that is me done. I am off to have a calorie busting session on the bike. Laters.

Thanks all for your comments and help. :)
Martin
 

Sorry ppl forgot to put the attachments on correctly.
 

Nothing wrong that I could note from the stuff that I asked about.

There is a lot of memory being used by one of the svchost.exe processes. Checking what's running underneath it with Process Explorer (to include both the processes and the threads) could give a clue as to what's going on. Process Explorer is free from here: Process Explorer

Frankly, I suspect that jcgriff2 has it nailed when referring to Norton. The easiest way to check this is to preserve your Norton licensing data and then uninstall it. Instructions here: Download and run the Norton Removal Tool

Make sure that you have antivirus protection for the time that the Norton is off of your system.
 

H2S04, I agree on that - I understand the ntkrnlmp.exe is the Windows Kernel? I.E. the most important file out of the whole B****Y lot! I read somewhere else that when something crashes, the Kernel can get the blame for it even though it is not at fault. So yes, these crash dumps can sometimes be too broad for their own good...:cry: :confused:

Yes, that's the kernel. Since it oversees and coordinates just about every transaction down there in the guts of the OS, bad data sourced from elsewhere frequently has a way of showing up as a crash "in the kernel". The actual number of times when the kernel itself is at fault is vanishingly small.

For what it's worth, I agree with JCGriff's notion - remove the AV as a test of its complicity.
 

Hi again,

Well tonight there was another alarming development. After engaging in other activities and then coming back to the computer, Windows 7 was reporting that it was not a genuine copy(!). That was surprising, considering that it was bought completely legit from Amazon.co.uk and that I actually saw Win successfully authenticate itself yesterday (it pauses for a few days from authenticating unless you specifically ask it to). Re-entering the key as instructed, though correct, did not work either. In the end I rebooted and while it initially said it was potentially counterfeit, after a while it reverted to Genuine. The Certificate, labeling and the disc holograms all seem in order, so maybe it was just a quirk. If I see it again I will be on the phone to Microsoft and Amazon like a shot! :D ;) I have also taken a screen shot of the authenticated page with product key for future reference. Grr, should not have to do this!

Usasma, I have looked at the svchost line with Process Explorer. Having identified the PID as 956, I quickly located the services that it was tied to. In Process Explorer I was able to note that the command line for it :-

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

You can also see an attachment showing all the threads and the services related to it. Unfortunately I did not know exactly what I was meant to be doing in terms of identifying where the memory is going, just CPU usage (and most of the CPU figures flash there for just a few seconds)...

I gave the notion about Norton some serious thought, now that you are advocating to remove it. I should add that this is the version for Win7, 3.5.2.11, not 3.0 which is the general version for Vista et al. Considering that drivers might also be a factor and that there was a line mentioning vista driver faults in WinDbg, the updates I did in my earlier message might have fixed it. I say might, as that is the million dollar question, and of course I don't know when I will get my next BSOD - days, weeks, months, years, maybe? What I will certainly do is consider having Norton on for 7 days, and then 7 days off, with FreeAVG as the backup. I know that would put things on hold in terms of updating to here for a few days, but if there is any news I will be sure to post. :) At least I can monitor things over a short period. As I installed last Wednesday I will switch over this Wednesday and if I need to look for a new anti-virus with good coverage, I will. Simple.

I will definitely be back here to report, hopefully success.

Catch you around and thanks again for the help so far. Much appreciated.
Martin
 

Please be forewarned. I did this a couple of months back (with Norton no less). The system that I was working on had very predictable issues (consuming lots of stuff in the I/O Other column in the Task Manager...Processes tab).

The next step is to examine the Threads tab for that svchost.exe process - and check the stack text for each entry in the threads table.

It still took me more than 4 hours to burrow down through the processes (using Process Explorer) in order to locate one, lone instance of a Norton program in a thread stack (under the System process).

The Norton issues (that we are familiar with) "normally" show up in relation to issues with networking. The command line for your svchost.exe process shows that networking is involved.
 

Phew! Four hours? Would have been quicker to remove Norton! Nothing stops a good learning curve though, so I took up your advice to look in Process Explorer. In the end from what I could see, none of the threads seemed to suggest anything linked to Norton, or networking.

But...I did find a new fangled service from Win7's own nest - Superfetch. Turns out this bit of code is to help to optimize your computer and keep things fresh. But that is an oxymoron when in my case at least, the entire svchost process was taking up 136 mb with Superfetch, and 7.7 mb without! Quite a difference! I have now disabled Superfetch in Services.msc and will keep an eye on general performance in case things really slow down. But so far it has not affected anything one iota. :S

I did read some months ago that Microsoft had found that the average graphics card had 10 times more processing power than the resident CPU. They had the idea therefore of offloading some of the processing to the graphics card, enabling the processor to do other things. I am told that Win7 is the first Windows OS to take advantage of this where possible - hence why a lot of things run well compared to Vista, despite a lot of shared code. Maybe Superfetch is one of those processes that would be priority offloaded to the graphics card in the first instance? I wonder about this as my card is basic, although it does support Aero, etc. My Windows rating is 4.0 for graphics, out of a possible 7.9; it's just a musing anyway.

Anyway must dash, will let you know how the 7 days on, 7 days off experiment goes with Norton.

:)

Martin
 

Disabling superfetch is not a good idea from a performance standpoint. It optimises the way physical memory is used.
 

Disabling superfetch is not a good idea from a performance standpoint. It optimises the way physical memory is used.

So what to do then? Superfetch was taking up the lion's share of 136 mb, reduced to 7.7 mb. If I cannot see anything connected to Norton, and taking out Superfetch has this effect while memory remains stable, what are my other options? :confused::confused::confused::confused::confused:
 

You sound like a methodical person and I always appreciate that. Please don't mistake my tone for anything other than a purely mechanical attempt to get info across as efficiently as possible.

Unless I've misunderstood, the problem you're troubleshooting is that BSOD, right? If it's ongoing, you may wish to upload a few minidumps so that they can all be checked for consistency.

The advice to test without Norton is only meant to establish whether it is involved in the crash. Personally, I don't do this in order to hand out lofty opinions regarding the merits of one AV against another (and I don't think my esteemed colleagues are into that either), but only to try to identify the cause of a given crash. From an architectural standpoint, the function performed by an AV solution has the potential to cause the type of crash you're experiencing. Therefore, it is logical to test what happens without the AV, because a minidump is a tiny summary which is wholly inadequate for further "debugging" of the crash. What you choose to do afterwards, should it turn out that the Norton AV is indeed part of the problem, is entirely up to you.

As far as superfetch and that svchost instance are concerned, my advice is to forget about it. The behaviour you're describing (130MB when SF is active, <10MB without) is entirely normal and it is vanishingly unlikely to have anything to do with your BSOD. Crashes that occur due to memory exhaustion look very distinct - this ain't one of 'em. The memory "consumed" by SF pays off in the form of more efficient RAM resource leveraging. You don't have to go far to see examples of people trying to minimise all memory usage in the belief that such an outcome will somehow speed up their system. That's misguided on so many levels it's hard to know where to start.

Suggestions:

1) Establish precisely what it is you're troubleshooting, so that you and those who're trying to help you are in no doubt.

2) If it's the periodic BSODding, upload multiple minidumps.

3) If they all look like the one Usasma and JCGriff looked at, test what happens when you uninstall the AV for a few days. Don't download dubious executables, don't open unknown attachments, and you'll be 'right without AV for a while.
 

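The consistency check suggested in the post above (collect several dumps, see whether they all look like the first one), as an added example that is not part of the original thread. `THREAD_DUMP` is excerpted from the `!analyze -v` output in the first post; `CONSTRUCTED_DUMP` and its `examplefilter` module are made up for contrast, and treating only `nt` and `hal` as the kernel is an assumption.

```python
import re
from collections import Counter

# Excerpt of the `!analyze -v` output from the first post of this thread.
THREAD_DUMP = """\
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
PROCESS_NAME: System
READ_ADDRESS: 0000001300000000
STACK_TEXT:
fffff880`03124ad0 fffff800`0288a0b4 : 00000000`00000000 00000000`00000000 fffffa80`039db080 00000000`00000000 : nt!IopDeleteFile+0x24b
fffff880`03124b60 fffff800`02b72f39 : 00000000`00000000 00000000`0008c081 fffffa80`0a0b3210 fffffa80`0008c081 : nt!ObfDereferenceObject+0xd4
fffff880`03124bc0 fffff800`029aaf6b : fffffa80`0a0b3218 00000000`00000001 00000000`00000000 0f4f072f`00000631 : nt!MiSegmentDelete+0xa1
fffff880`03124c00 fffff800`029ab5dd : 00000000`00000000 00000000`00000080 fffffa80`039cd040 0fc71f0f`00000012 : nt!MiProcessDereferenceList+0x23b
fffff880`03124cc0 fffff800`02b28166 : f2f0f0fc`b4f0f036 8f0c0f29`0e0f2f1f 70d8f4f2`6050f0f4 8f1b050f`0f0d0f0f : nt!MiDereferenceSegmentThread+0x10d
fffff880`03124d40 fffff800`02863486 : fffff800`029fde80 fffffa80`039e4510 fffff800`02a0bc40 0e6d2e0e`0f0f2d8f : nt!PspSystemThreadStartup+0x5a
fffff880`03124d80 00000000`00000000 : fffff880`03125000 fffff880`0311f000 fffff880`03124550 00000000`00000000 : nt!KxStartSystemThread+0x16
FAILURE_BUCKET_ID: X64_0x7E_nt!IopDeleteFile+24b
"""

# Constructed second report for contrast; `examplefilter` is a made-up module.
CONSTRUCTED_DUMP = """\
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - constructed sample
PROCESS_NAME: System
READ_ADDRESS: 0000000000000028
STACK_TEXT:
fffff880`0a000010 fffff800`0288a0b4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : examplefilter+0x1a2b
fffff880`0a000080 fffff800`02863486 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
FAILURE_BUCKET_ID: X64_0x7E_examplefilter+1a2b
"""

# Assumption: only these WinDbg module names count as "the kernel itself";
# anything else on a stack is worth a closer look, not proven guilty.
KERNEL_IMAGES = {"nt", "hal"}
USER_HALF_END = 0x0000_8000_0000_0000  # x64 addresses below this are user-mode


def _field(pattern, text):
    m = re.search(pattern, text, re.M | re.I)
    return m.group(1) if m else None


def _hex(value):
    return int(value.replace("`", ""), 16) if value else None


def parse_analysis(text):
    """Pull the triage fields out of one `!analyze -v` text report."""
    # Each STACK_TEXT row ends in " : module!symbol+offset".
    frames = re.findall(r"^[0-9a-f]{8}`[0-9a-f]{8} .* : (\S+)\s*$", text, re.M | re.I)
    modules = list(dict.fromkeys(f.split("!")[0].split("+")[0] for f in frames))
    read_address = _hex(_field(r"^READ_ADDRESS:\s+([0-9a-f`]+)", text))
    process = _field(r"^PROCESS_NAME:\s+(\S+)", text)
    return {
        "bugcheck": _hex(_field(r"^[A-Z0-9_]+ \(([0-9a-f]+)\)\s*$", text)),
        "exception_code": _hex(_field(r"^EXCEPTION_CODE: \(NTSTATUS\) 0x([0-9a-f]+)", text)),
        "read_address": read_address,
        "bucket": _field(r"^FAILURE_BUCKET_ID:\s+(\S+)", text),
        "frames": frames,
        "modules": modules,
        "non_kernel_modules": [m for m in modules if m.lower() not in KERNEL_IMAGES],
        # Heuristic: a System-process thread reading a user-half address was
        # handed a bad pointer; the dump does not say who produced it.
        "kernel_read_of_user_half": (
            process == "System"
            and read_address is not None
            and read_address < USER_HALF_END
        ),
    }


def summarize(reports):
    """Compare several parsed reports: same bucket every time, or not?"""
    buckets = Counter(r["bucket"] for r in reports)
    suspects = sorted({m for r in reports for m in r["non_kernel_modules"]})
    return {
        "buckets": dict(buckets),
        "consistent": len(buckets) == 1,
        "suspects": suspects,
    }


if __name__ == "__main__":
    parsed = [parse_analysis(THREAD_DUMP), parse_analysis(CONSTRUCTED_DUMP)]
    for report in parsed:
        print(report["bucket"], report["modules"], report["kernel_read_of_user_half"])
    print(summarize(parsed))
```

For the dump posted in this thread every frame resolves to `nt`, so the stack alone names no third-party module, which is why the replies fall back on removing the AV as a test.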
H2S04,

To answer your questions:-

1. The original query, which still remains as the main query, is the issue of the BSOD. However in the response from jcgriff2, while he also suggested to remove Norton, there was a supplementary question about the amount of RAM in current use and why it appeared to be so high. Usasma then commented that one of the svchost processes seemed to carry a lot of memory and suggested that perhaps it was related to Norton as he had an experience himself. Hence all the sidetracked talk about Superfetch, graphics cards, etc. :)

2: To date I have only experienced one BSOD in Win7, the one three days after installation. Of course being experienced on a clean install so soon was not a pleasant surprise so that is why I need to establish what happened and prevent it in the future. As I said before, I have no idea when the next BSOD will occur, but hopefully these actions I take from the suggestions here will mitigate them. :) :)

3. Given that I have updated some of the 'Vista' drivers, not least due to a line in the WinDbg report that mentions this as an issue, I'd thought I would see how everything performs under Norton for 7 days from last Wednesday, to finish tomorrow. Of course as we know the crash dumps can be too broad for their own good, so it is difficult to apply an accurate weighting to that line. Then I will take off Norton and test with Free AVG for the next 7 days. During this time I can also keep an eye on the system processes to see how things go. After that, if I want to kick Norton into the long grass, I am clear for take off.

Hope that clears everything up!
Martin
 

Hi -

I noticed in the screenshot that you have Ad-Aware running along with PC Tools security service and the late Norton. Ad-Aware is one to watch if BSODs return.

I saw your post on Windows 7 looking for its keys. The same thing happened here after testing KIS 2010. I believe its firewall got tangled in something and the next a/v scan somehow quarantined some files; not sure. I'm glad you got your key issue straightened out.

RE: svchost - those running Superfetch have most of the audio related services and it is not uncommon to find that particular svchost running >> 120k.

Regards. . .

jcgriff2

.
 
