Windows 8 and 8.1 Forums


BSOD roughly once a day during light use

  1. #11


    Redmond
    Posts : 651
    Windows 8.1 x64


    [Update]

    In looking at the kernel dump, it still shows the volsnap driver as causing an MDL issue with a write IRP, but given deadlock detection does not appear to be enabled I can't tell if this is being triggered by the filesystem itself, or an underlying disk hardware or driver issue. The file being queried is actually a whole volume (although not listed, hence my question about being blocked due to a deadlock below at the disk layer):
    Code:
    // The thread in question during the bugcheck:
    4: kd> kn
     # Child-SP          RetAddr           Call Site
    00 ffffd000`651ec8a8 fffff801`66e43d3e nt!KeBugCheckEx
    01 ffffd000`651ec8b0 fffff801`672873f5 nt!MdlInvariantPreProcessing1+0x1d6
    02 ffffd000`651ec920 fffff801`6728dd59 nt!IovpCallDriver1+0x1fd
    03 ffffd000`651eca70 fffff801`6728288c nt!VfBeforeCallDriver+0x165
    04 ffffd000`651ecaa0 fffff800`e75c7817 nt!IovCallDriver+0x348
    05 ffffd000`651ecaf0 fffff800`e75c760d volsnap!VspDecrementIrpRefCount+0x1cb
    06 ffffd000`651ecb50 fffff800`e75c658e volsnap!VspWriteVolumePhase35+0xa9
    07 ffffd000`651ecb90 fffff800`e75c6169 volsnap!VspWriteTableUpdatesCompletionLoop+0x52
    08 ffffd000`651ecbc0 fffff801`66d0a440 volsnap!VspWorkerThread+0xb5
    09 ffffd000`651ecc00 fffff801`66d600c6 nt!PspSystemThreadStartup+0x58
    0a ffffd000`651ecc60 00000000`00000000 nt!KiStartSystemThread+0x16
    
    // The IRP that belongs to this thread does show us in volsnap, waiting on something:
    4: kd> !irp ffffcf818c7fac10
    Irp is active with 10 stacks 9 is current (= 0xffffcf818c7faf20)
     Mdl=ffffe000bc8466e0: No System Buffer: Thread ffffe000b214e040:  Irp stack trace.  Pending has been returned
         cmd  flg cl Device   File     Completion-Context
     [  0, 0]   0  0 00000000 00000000 00000000-00000000    
    
    
                Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000    
    
    
                Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000    
    
    
                Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000    
    
    
                Args: 00000000 00000000 00000000 00000000
     [  4, 0]   0 10 ffffe000b7c7d450 00000000 fffff800e67cb360-00000000    
               \Driver\disk    partmgr!PmIoCompletion
                Args: 00000000 00000000 00000000 00000000
     [  4, 0]   0 10 ffffe000b7c7e040 00000000 fffff800e68d4220-ffffe000b7c85d80    
               \Driver\partmgr    volmgr!VmpReadWriteCompletionRoutine
                Args: 00000000 00000000 00000000 00000000
     [  4, 0]   0 10 ffffe000b7c85c30 00000000 fffff800e72114f0-ffffe000b7cb2181    
               \Driver\volmgr    fvevol!FvePassThroughCompletionRdpLevel2
                Args: 00000000 00000000 00000000 00000000
     [  4, 0]   0 e0 ffffe000b7cb4040 00000000 fffff800e75c39d0-ffffe000b3e30590 Success Error Cancel 
               \Driver\volsnap    volsnap!VspWriteContextCompletionRoutine
                Args: 00010000 00000000 219ef79000 00000000
    >[  4, 0]   0 e1 ffffe000b7cb4040 00000000 fffff800e6e3aa34-ffffd000649d3fe0 Success Error Cancel pending
               \Driver\volsnap    Ntfs!NtfsMasterIrpSyncCompletionRoutine
                Args: 00010000 00000000 219ef79000 00000000
     [  4, 0]   0  0 ffffe000b7ec9030 ffffe000bb89be20 00000000-00000000    
               \FileSystem\Ntfs
                Args: 00100000 00000000 01400000 00000000
    
    // Looking at the file object, it's not a file at all, but a "blank" volume (there should be something there):
    4: kd> !fileobj ffffe000bb89be20
    
    
    <<< where's the file here?  No idea, but this is blank and the device object is the volume manager.... >>>
    
    
    Device Object: 0xffffe000b7c85c30   \Driver\volmgr
    Vpb: 0xffffe000b7c85b70
    Access: Read Write SharedRead SharedWrite SharedDelete 
    
    
    Flags:  0x40100
        Stream File
        Handle Created
    
    
    FsContext: 0xffffc00142df2790    FsContext2: 0x00000000
    CurrentByteOffset: 0
    Cache Data:
      Section Object Pointers: ffffe000b3d53888
      Shared Cache Map: ffffe000bc2f6cd0         File Offset: 0 
      Data at offset 0 not mapped
    
    // The driver object is for the volume manager - there are a LOT of hard drives attached to this device:
    4: kd> !drvobj \Driver\volmgr
    Driver object (ffffe000b4324080) is for:
     \Driver\volmgr
    Driver Extension List: (id , addr)
    
    
    Device Object list:
    ffffe000b7ca1060  ffffe000b7ca0a60  ffffe000b7c98ca0  ffffe000b7c98060
    ffffe000b7c90060  ffffe000b7c969b0  ffffe000b7c85c30  ffffe000b7c85060
    ffffe000b7c882e0  ffffe000b7c886a0  ffffe000b4324cc0
    
    
    4: kd> !devobj ffffe000b7ca1060
    Device object (ffffe000b7ca1060) is for:
     HarddiskVolume10 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 25 Type 00000007 Flags 00003050
    Vpb ffffe000b7ca0930 Dacl ffffc1022de990d0 DevExt ffffe000b7ca11b0 DevObjExt ffffe000b7ca1360 Dope ffffe000b7ca08c0 DevNode ffffe000b7ca8010 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7cc4030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b7ca0a60
    Device object (ffffe000b7ca0a60) is for:
     HarddiskVolume9 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 0 Type 00000007 Flags 00003050
    Vpb ffffe000b957bb70 Dacl ffffc1022de990d0 DevExt ffffe000b7ca0bb0 DevObjExt ffffe000b7ca0d60 Dope ffffe000b7ca09a0 DevNode ffffe000b7ca2490 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7cc1030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b7c98ca0
    Device object (ffffe000b7c98ca0) is for:
     HarddiskVolume8 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 30 Type 00000007 Flags 00003050
    Vpb ffffe000b7c9e8a0 Dacl ffffc1022de990d0 DevExt ffffe000b7c98df0 DevObjExt ffffe000b7c98fa0 Dope ffffe000b7c98be0 DevNode ffffe000b7ca2770 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7cbe030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b7c98060
    Device object (ffffe000b7c98060) is for:
     HarddiskVolume7 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 0 Type 00000007 Flags 00003050
    Vpb ffffe000b9dd46c0 Dacl ffffc1022de990d0 DevExt ffffe000b7c981b0 DevObjExt ffffe000b7c98360 Dope ffffe000b7c9ea70 DevNode ffffe000b7ca2a50 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7cbb030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b7c90060
    Device object (ffffe000b7c90060) is for:
     HarddiskVolume6 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 189 Type 00000007 Flags 00003050
    Vpb ffffe000b7c968a0 Dacl ffffc1022de990d0 DevExt ffffe000b7c901b0 DevObjExt ffffe000b7c90360 Dope ffffe000b7c90fa0 DevNode ffffe000b7ca2d30 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7cb8030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b7c969b0
    Device object (ffffe000b7c969b0) is for:
     HarddiskVolume5 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 0 Type 00000007 Flags 00003050
    Vpb ffffe000b7c97560 Dacl ffffc1022de990d0 DevExt ffffe000b7c96b00 DevObjExt ffffe000b7c96cb0 Dope ffffe000b7c8e180 DevNode ffffe000b7ca2010 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7cb5030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b7c85c30
    Device object (ffffe000b7c85c30) is for:
     HarddiskVolume4 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 18013 Type 00000007 Flags 00001150
    Vpb ffffe000b7c85b70 Dacl ffffc1022de990d0 DevExt ffffe000b7c85d80 DevObjExt ffffe000b7c85f30 Dope ffffe000b7c85b00 DevNode ffffe000b7ca1490 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7cb2030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b7c85060
    Device object (ffffe000b7c85060) is for:
     HarddiskVolume3 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 0 Type 00000007 Flags 00003050
    Vpb ffffe000b7ca78b0 Dacl ffffc1022de990d0 DevExt ffffe000b7c851b0 DevObjExt ffffe000b7c85360 Dope ffffe000b7c85fa0 DevNode ffffe000b7ca1770 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7caf030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b7c882e0
    Device object (ffffe000b7c882e0) is for:
     HarddiskVolume2 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 7 Type 00000007 Flags 00203050
    Vpb ffffe000b7c88220 Dacl ffffc1022dc8d750 DevExt ffffe000b7c88430 DevObjExt ffffe000b7c885e0 Dope ffffe000b7c881b0 DevNode ffffe000b7ca1a50 
    ExtensionFlags (0x80000000)  DOE_DESIGNATED_FDO
    Characteristics (0x00020100)  FILE_DEVICE_SECURE_OPEN, FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7cac030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b7c886a0
    Device object (ffffe000b7c886a0) is for:
     HarddiskVolume1 \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 19 Type 00000007 Flags 00003050
    Vpb ffffe000b7c8d890 Dacl ffffc1022de990d0 DevExt ffffe000b7c887f0 DevObjExt ffffe000b7c889a0 Dope ffffe000b7c84670 DevNode ffffe000b7ca1d30 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00020000)  FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL
    AttachedDevice (Upper) ffffe000b7ca9030 \Driver\fvevol
    Device queue is not busy.
    
    4: kd> !devobj ffffe000b4324cc0
    Device object (ffffe000b4324cc0) is for:
     VolMgrControl \Driver\volmgr DriverObject ffffe000b4324080
    Current Irp 00000000 RefCount 0 Type 00000012 Flags 00000840
    Dacl ffffc1022de990d0 DevExt ffffe000b4324e10 DevObjExt ffffe000b4324fa0 
    ExtensionFlags (0x80000800)  DOE_DEFAULT_SD_PRESENT, DOE_DESIGNATED_FDO
    Characteristics (0x00000100)  FILE_DEVICE_SECURE_OPEN
    AttachedTo (Lower) ffffe000b2c736c0 \Driver\PnpManager
    Device queue is not busy.
    
    // The devstack for this shows that the likely culprit is HarddiskVolume4, or the device it's attached to:
    4: kd> !devstack ffffe000b7cb4040
      !DevObj           !DrvObj            !DevExt           ObjectName
    > ffffe000b7cb4040  \Driver\volsnap    ffffe000b7cb4190  
      ffffe000b7cb2030  \Driver\fvevol     ffffe000b7cb2180  
      ffffe000b7c85c30  \Driver\volmgr     ffffe000b7c85d80  HarddiskVolume4
    !DevNode ffffe000b7ca1490 :
      DeviceInst is "STORAGE\Volume\{0ae72970-437a-11e4-bf19-806e6f6e6963}#0000000021100000"
      ServiceName is "volsnap"

    I have *never* seen this particular stack hang in anything but 3rd party drivers, so I am *very* skeptical that this isn't a deadlock in either the disk hardware, or the driver - I also see TrueCrypt loaded, VirtualBox disk filters, and GEARAspiWDM (iTunes usually) as well. Ultimately, this is a bit of a mystery, but likely only a bit. Either the VSS space on HarddiskVolume4 is full or corrupt, or the Intel device driver has an issue. Since I rarely see that with the Intel storage driver (and you have a common driver version that I've never seen cause issues like this before), it's also entirely possible that the hard disk itself or the controller is going bad. SMART might give some clues there. I'd be curious if the problem reproduced with iTunes, VirtualBox, and TrueCrypt uninstalled as well, to be fair.
    Last edited by cluberti; 30 Dec 2014 at 17:45.


  2. #12


    There is nothing wrong with the system files; this is a problem which is most likely caused by some faulty third-party driver. However, sometimes the driver can manage to escape before the system has managed to parse the contents of physical memory into a dump file.

    Code:
    BugCheck C4, {1010, ffffe000b7cb4040, ffffcf818c7fac10, ffffe000bca23000}
    
    Probably caused by : volsnap.sys ( volsnap!VspDecrementIrpRefCount+1cb )

    Typically, system drivers will be blamed when a low-level third-party driver doesn't correctly handle IRPs or send IRPs to the lower drivers properly, where they are processed for completion. A driver has modified an invariant MDL buffer for a WRITE_IRP; these IRPs are used for writing data to file objects like the hard disk.

    Code:
    4: kd> !irp ffffcf818c7fac10
    Irp is active with 10 stacks 9 is current (= 0xffffcf818c7faf20)
     Mdl=ffffe000bc8466e0: No System Buffer: Thread ffffe000b214e040:  Irp stack trace.  Pending has been returned
         cmd  flg cl Device   File     Completion-Context
     [  0, 0]   0  0 00000000 00000000 00000000-00000000    
    
                Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000    
    
                Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000    
    
                Args: 00000000 00000000 00000000 00000000
     [  0, 0]   0  0 00000000 00000000 00000000-00000000    
    
                Args: 00000000 00000000 00000000 00000000
     [  4, 0]   0 10 ffffe000b7c7d450 00000000 fffff800e67cb360-00000000    
               \Driver\disk    partmgr!PmIoCompletion
                Args: 00000000 00000000 00000000 00000000
     [  4, 0]   0 10 ffffe000b7c7e040 00000000 fffff800e68d4220-ffffe000b7c85d80    
               \Driver\partmgr    volmgr!VmpReadWriteCompletionRoutine
                Args: 00000000 00000000 00000000 00000000
     [  4, 0]   0 10 ffffe000b7c85c30 00000000 fffff800e72114f0-ffffe000b7cb2181    
               \Driver\volmgr    fvevol!FvePassThroughCompletionRdpLevel2
                Args: 00000000 00000000 00000000 00000000
     [  4, 0]   0 e0 ffffe000b7cb4040 00000000 fffff800e75c39d0-ffffe000b3e30590 Success Error Cancel 
               \Driver\volsnap    volsnap!VspWriteContextCompletionRoutine
                Args: 00010000 00000000 219ef79000 00000000
    >[  4, 0]   0 e1 ffffe000b7cb4040 00000000 fffff800e6e3aa34-ffffd000649d3fe0 Success Error Cancel pending
               \Driver\volsnap    Ntfs!NtfsMasterIrpSyncCompletionRoutine
                Args: 00010000 00000000 219ef79000 00000000
     [  4, 0]   0  0 ffffe000b7ec9030 ffffe000bb89be20 00000000-00000000

    The 0x4 Major Function Code indicates that the IRP was a Write IRP; this is additionally shown with the parameter descriptions.

    Code:
    4: kd> dt nt!_MDL ffffe000bc8466e0
       +0x000 Next             : (null) 
       +0x008 Size             : 0n176
       +0x00a MdlFlags         : 0n16396
       +0x00c AllocationProcessorNumber : 0
       +0x00e Reserved         : 0xffff
       +0x010 Process          : (null) 
       +0x018 MappedSystemVa   : 0xffffe000`bca23000 Void
       +0x020 StartVa          : 0xffffe000`bca23000 Void
       +0x028 ByteCount        : 0x10000
       +0x02c ByteOffset       : 0

    The fourth parameter of the bugcheck describes the MDL buffer.

    The Device Object which the IRP was intended for, is shown below:

    Code:
    4: kd> !devobj ffffe000b7cb4040
    Device object (ffffe000b7cb4040) is for:
      \Driver\volsnap DriverObject ffffe000b7c70a30
    Current Irp 00000000 RefCount 0 Type 00000007 Flags 00000010
    Dacl ffffc1022dc77321 DevExt ffffe000b7cb4190 DevObjExt ffffe000b7cb4e48 
    ExtensionFlags (0xa0000800)  DOE_DEFAULT_SD_PRESENT, DOE_RAW_FDO, 
                                 DOE_DESIGNATED_FDO
    Characteristics (0x00000100)  FILE_DEVICE_SECURE_OPEN
    AttachedTo (Lower) ffffe000b7cb2030 \Driver\fvevol
    Device queue is not busy.

    If we view the device stack, we can get a larger picture of which devices the current device object is attached to:

    Code:
    4: kd> !devstack ffffe000b7cb4040
      !DevObj           !DrvObj            !DevExt           ObjectName
    > ffffe000b7cb4040  \Driver\volsnap    ffffe000b7cb4190  
      ffffe000b7cb2030  \Driver\fvevol     ffffe000b7cb2180  
      ffffe000b7c85c30  \Driver\volmgr     ffffe000b7c85d80  HarddiskVolume4
    !DevNode ffffe000b7ca1490 :
      DeviceInst is "STORAGE\Volume\{0ae72970-437a-11e4-bf19-806e6f6e6963}#0000000021100000"
      ServiceName is "volsnap"

    In short, a driver has modified the contents of the buffer described by the MDL when it shouldn't have, which has led to a crash.

    Code:
    4: kd> knL
     # Child-SP          RetAddr           Call Site
    00 ffffd000`651ec8a8 fffff801`66e43d3e nt!KeBugCheckEx
    01 ffffd000`651ec8b0 fffff801`672873f5 nt!MdlInvariantPreProcessing1+0x1d6
    02 ffffd000`651ec920 fffff801`6728dd59 nt!IovpCallDriver1+0x1fd //MDL Verification
    03 ffffd000`651eca70 fffff801`6728288c nt!VfBeforeCallDriver+0x165
    04 ffffd000`651ecaa0 fffff800`e75c7817 nt!IovCallDriver+0x348 //MDL Verification
    05 ffffd000`651ecaf0 fffff800`e75c760d volsnap!VspDecrementIrpRefCount+0x1cb
    06 ffffd000`651ecb50 fffff800`e75c658e volsnap!VspWriteVolumePhase35+0xa9
    07 ffffd000`651ecb90 fffff800`e75c6169 volsnap!VspWriteTableUpdatesCompletionLoop+0x52
    08 ffffd000`651ecbc0 fffff801`66d0a440 volsnap!VspWorkerThread+0xb5
    09 ffffd000`651ecc00 fffff801`66d600c6 nt!PspSystemThreadStartup+0x58
    0a ffffd000`651ecc60 00000000`00000000 nt!KiStartSystemThread+0x16
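
Added example (not part of the original posts and not any forum member's code): a Python parser for the `!irp` output quoted in post #12 that skips unused stack locations, names the major function of the current location, and lists every module seen in the IRP, plus a decoder for the `MdlFlags` value from the `dt nt!_MDL` output. The function names and the `INBOX` allow-list are assumptions of this example; the sample text is abridged from the thread's output.

```python
import re
from dataclasses import dataclass

# IRP major function codes (WDK wdm.h, subset); !irp prints the code in hex.
IRP_MJ = {0x00: "IRP_MJ_CREATE", 0x02: "IRP_MJ_CLOSE", 0x03: "IRP_MJ_READ",
          0x04: "IRP_MJ_WRITE", 0x09: "IRP_MJ_FLUSH_BUFFERS",
          0x0E: "IRP_MJ_DEVICE_CONTROL", 0x16: "IRP_MJ_POWER", 0x1B: "IRP_MJ_PNP"}

# MDL flag bits (WDK wdm.h, subset).
MDL_FLAGS = {0x0001: "MDL_MAPPED_TO_SYSTEM_VA", 0x0002: "MDL_PAGES_LOCKED",
             0x0004: "MDL_SOURCE_IS_NONPAGED_POOL", 0x0008: "MDL_ALLOCATED_FIXED_SIZE",
             0x0010: "MDL_PARTIAL", 0x0040: "MDL_IO_PAGE_READ",
             0x0080: "MDL_WRITE_OPERATION", 0x4000: "MDL_PAGE_CONTENTS_INVARIANT"}

# Assumption of this example: modules treated as in-box Windows storage components.
INBOX = {"disk", "partmgr", "volmgr", "fvevol", "volsnap", "ntfs"}

# Columns: [major, minor] flg cl Device File Completion-Context <control notes>
HEADER = re.compile(r"^(>?)\s*\[\s*([0-9a-f]+),\s*([0-9a-f]+)\]\s+([0-9a-f]+)\s+([0-9a-f]+)"
                    r"\s+([0-9a-f]+)\s+([0-9a-f]+)\s+([0-9a-f]+)-([0-9a-f]+)\s*(.*)$", re.I)
# Second line of a stack location: \Driver\name [module!CompletionRoutine]
DRIVER = re.compile(r"^\s+(\\\S+)(?:\s+(\S+))?\s*$")

# Sample input: abridged from the !irp output quoted in the thread.
SAMPLE_IRP = r"""
Irp is active with 10 stacks 9 is current (= 0xffffcf818c7faf20)
 Mdl=ffffe000bc8466e0: No System Buffer: Thread ffffe000b214e040:  Irp stack trace.
     cmd  flg cl Device   File     Completion-Context
 [  0, 0]   0  0 00000000 00000000 00000000-00000000

            Args: 00000000 00000000 00000000 00000000
 [  4, 0]   0 10 ffffe000b7c85c30 00000000 fffff800e72114f0-ffffe000b7cb2181
           \Driver\volmgr    fvevol!FvePassThroughCompletionRdpLevel2
            Args: 00000000 00000000 00000000 00000000
 [  4, 0]   0 e0 ffffe000b7cb4040 00000000 fffff800e75c39d0-ffffe000b3e30590 Success Error Cancel
           \Driver\volsnap    volsnap!VspWriteContextCompletionRoutine
            Args: 00010000 00000000 219ef79000 00000000
>[  4, 0]   0 e1 ffffe000b7cb4040 00000000 fffff800e6e3aa34-ffffd000649d3fe0 Success Error Cancel pending
           \Driver\volsnap    Ntfs!NtfsMasterIrpSyncCompletionRoutine
            Args: 00010000 00000000 219ef79000 00000000
 [  4, 0]   0  0 ffffe000b7ec9030 ffffe000bb89be20 00000000-00000000
           \FileSystem\Ntfs
            Args: 00100000 00000000 01400000 00000000
"""


@dataclass
class StackLocation:
    current: bool      # marked with '>' by the debugger
    major: int         # IRP major function code
    control: int       # the 'cl' column
    device: int        # target device object address (0 = unused location)
    file_object: int
    notes: str         # debugger's text for the control bits
    driver: str = ""
    completion: str = ""


def parse_irp(text):
    """Turn !irp text into a list of StackLocation, in printed order."""
    locs = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            locs.append(StackLocation(m.group(1) == ">", int(m.group(2), 16),
                                      int(m.group(5), 16), int(m.group(6), 16),
                                      int(m.group(7), 16), m.group(10).strip()))
            continue
        d = DRIVER.match(line)
        if d and locs and not locs[-1].driver:
            locs[-1].driver, locs[-1].completion = d.group(1), d.group(2) or ""
    return locs


def triage(text):
    """Summarise the IRP: current location, file objects, modules involved."""
    # A zero device pointer means the stack location was never used; its
    # major code of 0 must not be read as IRP_MJ_CREATE.
    used = [l for l in parse_irp(text) if l.device]
    cur = next((l for l in used if l.current), None)
    modules = set()
    for l in used:
        modules.add(l.driver.rsplit("\\", 1)[-1].lower())
        if l.completion:
            modules.add(l.completion.split("!", 1)[0].lower())
    return {"major": IRP_MJ.get(cur.major, hex(cur.major)) if cur else None,
            "current_driver": cur.driver if cur else None,
            "completion": cur.completion if cur else None,
            "file_objects": [hex(l.file_object) for l in used if l.file_object],
            "outside_inbox": sorted(modules - INBOX)}


def decode_mdl_flags(value):
    """Names of the MDL flag bits set in value (unknown bits are ignored)."""
    return [name for bit, name in sorted(MDL_FLAGS.items()) if value & bit]


if __name__ == "__main__":
    print(triage(SAMPLE_IRP))
    print(decode_mdl_flags(16396))  # MdlFlags value shown by dt nt!_MDL in the thread
```

An empty `outside_inbox` list for this IRP is consistent with the posts above: the modules visible in the dump are all Windows components, so the IRP alone does not name a third-party driver.
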

  3. #13


    Posts : 13
    8.1 Pro 64-bit


    Thank you for digging into this.

    The last minidump and kernel dump were provoked by Driver Verifier about 5 hours after the last boot; this seems a little different from the others... they all occurred exactly 24 hours after the last boot.

    Regarding the 3rd party drivers mentioned: TrueCrypt (RIP) is still installed but not running (so I assume the driver isn't loaded?); iTunes is installed but has never caused issues; VirtualBox is installed but I didn't see any reports of recent BSODs on their forums that weren't caused while running or booting a VM.

    I'm going to check for volsnap space usage in a bit.
    Last edited by beglitched; 06 Jan 2015 at 17:40.

  4. #14


    Redmond
    Posts : 651
    Windows 8.1 x64


    The driver is loaded - all filter drivers are loaded regardless of whether or not they're in use. The only way to properly disable them is to uninstall the software that placed them on the system.

  5. #15


    Posts : 13
    8.1 Pro 64-bit


    Quote: Originally posted by cluberti
    [Update]

    // The driver object is for the volume manager - there are a LOT of hard drives attached to this device:
    4: kd> !drvobj \Driver\volmgr
    Driver object (ffffe000b4324080) is for:
    \Driver\volmgr
    Driver Extension List: (id , addr)


    Device Object list:
    ffffe000b7ca1060 ffffe000b7ca0a60 ffffe000b7c98ca0 ffffe000b7c98060
    ffffe000b7c90060 ffffe000b7c969b0 ffffe000b7c85c30 ffffe000b7c85060
    ffffe000b7c882e0 ffffe000b7c886a0 ffffe000b4324cc0


    I have *never* seen this particular stack hang in anything but 3rd party drivers, so I am *very* skeptical that this isn't a deadlock in either the disk hardware, or the driver - I also see truecrypt loaded, VirtualBox disk filters, and GEARAspiWDM (iTunes usually) as well. Ultimately, this is a bit of a mystery, but likely only a bit. Either the VSS space on HarddiskVolume4 is full or corrupt, or the Intel device driver has an issue. Since I rarely see that with the Intel storage driver (and you have a common driver version that I've never seen cause issues like this before), it's also entirely possible that the hard disk itself or the controller is going bad. SMART might give some clues there. I'd be curious if the problem reproduced with iTunes, VirtualBox, and TrueCrypt uninstalled as well, to be fair.

    There is one SSD and three spinning drives attached to this system. I *believe* HardDiskVolume 4 is simply a removable flash drive that has a bad sector somewhere - it throws an error in event logs (153, "the operation was retried" or similar) whenever it is connected to the system. It currently isn't though and wasn't inserted when this particular BSOD occurred. HardDiskVolume4 is the System Volume.
    Last edited by beglitched; 03 Jan 2015 at 12:08.

  6. #16


    Posts : 13
    8.1 Pro 64-bit


    Shadow copy storage space on system drive is only half used.

    Code:
    C:\Windows\system32>vssadmin list shadowstorage
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.
    
    Shadow Copy Storage association
       For volume: (C:)\\?\Volume{0f014a20-f631-4feb-99e9-6e988aec8370}\
       Shadow Copy Storage volume: (C:)\\?\Volume{0f014a20-f631-4feb-99e9-6e988aec8370}\
       Used Shadow Copy Storage space: 3.94 GB (1%)
       Allocated Shadow Copy Storage space: 6.69 GB (2%)
       Maximum Shadow Copy Storage space: 119 GB (50%)
    
    Shadow Copy Storage association
       For volume: (N:)\\?\Volume{25af785a-d427-4f6b-ba1b-343ad2d450c6}\
       Shadow Copy Storage volume: (N:)\\?\Volume{25af785a-d427-4f6b-ba1b-343ad2d450c6}\
       Used Shadow Copy Storage space: 0 bytes (0%)
       Allocated Shadow Copy Storage space: 0 bytes (0%)
       Maximum Shadow Copy Storage space: 27.9 GB (1%)

  7. #17


    Posts : 13
    8.1 Pro 64-bit


    I've switched Driver Verifier off again, going to try and get another BSOD without it. The following is the debug output from the very first BSOD minidump... can someone explain the significance of the Chrome browser process showing up in here? The minidumps that followed have either chrome.exe or svchost.exe listed as parent process in the debug log.

    Code:
    nt!KeBugCheckEx:
    fffff800`b6fc7aa0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffffd000`2f5cc030=000000000000003b
    5: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff8005a2ca025, Address of the instruction which caused the bugcheck
    Arg3: ffffd0002f5cc8e0, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    
    Debugging Details:
    ------------------
    
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    
    FAULTING_IP: 
    ndis!ndisReferenceWithTag+15
    fffff800`5a2ca025 0fb64b01        movzx   ecx,byte ptr [rbx+1]
    
    CONTEXT:  ffffd0002f5cc8e0 -- (.cxr 0xffffd0002f5cc8e0;r)
    rax=0000000000000002 rbx=dc1b0567c3264ef4 rcx=dc1b0567c3264ef4
    rdx=0000000000000007 rsi=ffffe0008506d100 rdi=0000000000000007
    rip=fffff8005a2ca025 rsp=ffffd0002f5cd310 rbp=ffffe00085518a20
     r8=ffffe000853a17f0  r9=0000000000000004 r10=ffffe00082d77f30
    r11=ffffe0008fd64b44 r12=0000000000000000 r13=ffffe0008506d1a0
    r14=0000000000000000 r15=ffffe00085511310
    iopl=0         nv up ei ng nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
    ndis!ndisReferenceWithTag+0x15:
    fffff800`5a2ca025 0fb64b01        movzx   ecx,byte ptr [rbx+1] ds:002b:dc1b0567`c3264ef5=??
    Last set context:
    rax=0000000000000002 rbx=dc1b0567c3264ef4 rcx=dc1b0567c3264ef4
    rdx=0000000000000007 rsi=ffffe0008506d100 rdi=0000000000000007
    rip=fffff8005a2ca025 rsp=ffffd0002f5cd310 rbp=ffffe00085518a20
     r8=ffffe000853a17f0  r9=0000000000000004 r10=ffffe00082d77f30
    r11=ffffe0008fd64b44 r12=0000000000000000 r13=ffffe0008506d1a0
    r14=0000000000000000 r15=ffffe00085511310
    iopl=0         nv up ei ng nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
    ndis!ndisReferenceWithTag+0x15:
    fffff800`5a2ca025 0fb64b01        movzx   ecx,byte ptr [rbx+1] ds:002b:dc1b0567`c3264ef5=??
    Resetting default scope
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    
    BUGCHECK_STR:  0x3B
    
    PROCESS_NAME:  chrome.exe
    
    CURRENT_IRQL:  2
    
    ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
    
    LAST_CONTROL_TRANSFER:  from fffff8005a2d4d97 to fffff8005a2ca025
    
    STACK_TEXT:  
    ffffd000`2f5cd310  fffff800`5a2d4d97 : ffffe000`85512a28 ffffe000`83fe8100  ffffe000`83fda010 ffffe000`83fda4e0 : ndis!ndisReferenceWithTag+0x15
    ffffd000`2f5cd340  fffff800`5a009308 : ffffd000`2f5cd580 00000000`00000000  ffffe000`8fd5f002 00000000`00000008 :  ndis!ndisNsiEnumerateAllInterfaceInformation+0x697
    ffffd000`2f5cd460  fffff800`5b582fc1 : ffffe000`8fd5f000 00000000`00000070  000000d5`cfb8f050 ffffd000`2f5cd668 :  NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
    ffffd000`2f5cd650  fffff800`5b582bea : 00000000`00000000 ffffe000`8b792d90  ffffe000`8b792cc0 00000000`00000000 :  nsiproxy!NsippEnumerateObjectsAllParameters+0x201
    ffffd000`2f5cd840  fffff800`b72581ef : 00000000`00000000 ffffe000`8b792cc0  ffffe000`8b792cc0 00000000`00000001 : nsiproxy!NsippDispatch+0x5a
    ffffd000`2f5cd880  fffff800`b725778e : ffffd000`2f5cda38 00000000`00000000  00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
    ffffd000`2f5cda20  fffff800`b6fd32b3 : ffffe000`902bc040 000000d5`001f0003  000000d5`cfb8eec8 000000d5`00000001 : nt!NtDeviceIoControlFile+0x56
    ffffd000`2f5cda90  00007ffb`a4bf0cba : 00000000`00000000 00000000`00000000  00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    000000d5`cfb8ef48  00000000`00000000 : 00000000`00000000 00000000`00000000  00000000`00000000 00000000`00000000 : 0x00007ffb`a4bf0cba
    
    
    FOLLOWUP_IP: 
    NETIO!NsiEnumerateObjectsAllParametersEx+20d
    fffff800`5a009308 8bd8            mov     ebx,eax
    
    SYMBOL_STACK_INDEX:  2
    
    SYMBOL_NAME:  NETIO!NsiEnumerateObjectsAllParametersEx+20d
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: NETIO
    
    IMAGE_NAME:  NETIO.SYS
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  546029c5
    
    IMAGE_VERSION:  6.3.9600.17485
    
    STACK_COMMAND:  .cxr 0xffffd0002f5cc8e0 ; kb
    
    BUCKET_ID_FUNC_OFFSET:  20d
    
    FAILURE_BUCKET_ID:  0x3B_NETIO!NsiEnumerateObjectsAllParametersEx
    
    BUCKET_ID:  0x3B_NETIO!NsiEnumerateObjectsAllParametersEx
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:0x3b_netio!nsienumerateobjectsallparametersex
    
    FAILURE_ID_HASH:  {86cfd73e-b3d3-1d1d-5d86-14c5da9d00d4}
    
    Followup: MachineOwner
    ---------
    Last edited by beglitched; 06 Jan 2015 at 17:41.

  8. #18


    Posts : 13
    8.1 Pro 64-bit


    OK, new mini dump and kernel dump from BSOD exactly 24 hours into user session (Driver Verifier off). The stop code is SYSTEM_SERVICE_EXCEPTION (An exception happened while executing a system service routine).
    This should be comparable to the original dumps and representative of the issue.

    Attachment 55989


    The Dev Center page suggests: "This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code" and
    "This error has been linked to excessive paged pool usage and may occur due to user-mode graphics drivers crossing over and passing bad data to the kernel code."

    What is the exact 24 hour interval telling us?

    When I look at the current thread at the time of the crash in the minidump, it names the chrome browser (I have the 64-bit version of chrome installed on this system, and it's always running when the BSODs occur) as the offending owner process:

    Code:
    Loading User Symbols
    Loading unloaded module list
    ..................................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 3B, {c0000005, fffff800f62e5025, ffffd0002a7748e0, 0}
    
    Probably caused by : NETIO.SYS ( NETIO!NsiEnumerateObjectsAllParametersEx+20d )
    
    Followup: MachineOwner
    ---------
    
    nt!KeBugCheckEx:
    fffff802`35bddaa0 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffffd000`2a774030=000000000000003b
    
    6: kd> !thread
    GetPointerFromAddress: unable to read from fffff80235df0000
    THREAD ffffe00170680880  Cid 1644.0250  Teb: 00007ff62bf52000 Win32Thread: fffff901467e9540 RUNNING on processor 6
    IRP List:
        Unable to read nt!_IRP @ ffffe0016a0c3cc0
    Not impersonating
    GetUlongFromAddress: unable to read from fffff80235d3cac0
    Owning Process            ffffe0016b354080       Image:         chrome.exe
    Attached Process          N/A            Image:         N/A
    fffff78000000000: Unable to get shared data
    Wait Start TickCount      5530316      
    Context Switch Count      2125216        IdealProcessor: 0             
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
    UserTime                  00:00:00.000
    KernelTime                00:00:00.000
    Win32 Start Address 0x00007ffea10133a0
    Stack Init ffffd0002a775c90 Current ffffd0002a775420
    Base ffffd0002a776000 Limit ffffd0002a770000 Call 0
    Priority 9 BasePriority 8 UnusualBoost 1 ForegroundBoost 0 IoPriority 2 PagePriority 5
    Child-SP          RetAddr           : Args to Child                                                           : Call Site
    ffffd000`2a774028 fffff802`35be95e9 : 00000000`0000003b 00000000`c0000005 fffff800`f62e5025 ffffd000`2a7748e0 : nt!KeBugCheckEx
    ffffd000`2a774030 fffff802`35be8efc : ffffd000`2a774260 fffff802`35bda2f6 ffffd000`2a775b00 ffffd000`2a7750d8 : nt!KiBugCheckDispatch+0x69
    ffffd000`2a774170 fffff802`35be4fed : ffffd000`2a7748e0 00000000`00000000 ffffd000`2a7750d8 ffffd000`2a7742e0 : nt!KiSystemServiceHandler+0x7c
    ffffd000`2a7741b0 fffff802`35b67d35 : 00000000`00000001 fffff802`35a8d000 ffffd000`2a775001 00000000`00000000 : nt!RtlpExecuteHandlerForException+0xd
    ffffd000`2a7741e0 fffff802`35b6c0ee : ffffd000`2a7750d8 ffffd000`2a774de0 ffffd000`2a7750d8 00000000`00000007 : nt!RtlDispatchException+0x1a5
    ffffd000`2a7748b0 fffff802`35be96c2 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x646
    ffffd000`2a774fa0 fffff802`35be7bfe : 00000000`00020019 ffffd000`2a7754a0 00000000`00020019 00000000`00000000 : nt!KiExceptionDispatch+0xc2
    ffffd000`2a775180 fffff800`f62e5025 : fffff800`f6367a98 00000000`00000000 00000000`00000000 ffffd000`2a775580 : nt!KiGeneralProtectionFault+0xfe (TrapFrame @ ffffd000`2a775180)
    ffffd000`2a775310 fffff800`f62efd97 : ffffe001`66d25a28 ffffe001`645fe000 ffffe001`657d4a20 ffffe001`657d4ef0 : ndis!ndisReferenceWithTag+0x15
    ffffd000`2a775340 fffff800`f6009308 : ffffd000`2a775580 00000000`00000000 ffffe001`78dbc002 00000000`00000008 : ndis!ndisNsiEnumerateAllInterfaceInformation+0x697
    ffffd000`2a775460 fffff800`f7242fc1 : ffffe001`78dbc000 00000000`00000070 00000014`ef16ea00 ffffd000`2a775668 : NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
    ffffd000`2a775650 fffff800`f7242bea : 00000000`00000000 ffffe001`6a0c3d90 ffffe001`6a0c3cc0 00000000`00000000 : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
    ffffd000`2a775840 fffff802`35e6e1ef : 00000000`00000000 ffffe001`6a0c3cc0 ffffe001`6a0c3cc0 00000000`00000001 : nsiproxy!NsippDispatch+0x5a
    ffffd000`2a775880 fffff802`35e6d78e : ffffd000`2a775a38 00007ffe`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
    ffffd000`2a775a20 fffff802`35be92b3 : ffffe001`70680880 00000014`001f0003 00000014`ef16e878 00000014`00000001 : nt!NtDeviceIoControlFile+0x56
    ffffd000`2a775a90 00007ffe`a1070cba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`2a775b00)
    00000014`ef16e8f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`a1070cba
    Last edited by beglitched; 09 Jan 2015 at 12:23.

  9. #19


    Posts : 13
    8.1 Pro 64-bit


    Going back through the debug information, I noticed that the debugger's heuristics blame netio.sys (the networking I/O subsystem) in most cases for the crash, with some form of network activity (usually chrome.exe or a svchost background process) occurring during the bugcheck, so what if the driver for the wireless PCI card was the common factor? My reasoning was:

    At some point after a reboot (but before 24 hours), the wifi card driver corrupts the kernel memory in some way;
    processes like chrome or a bg process hosted by svchost are making their usual network connections;
    at some point, usually exactly 24 hours after the wifi card first comes online, netio.sys would finally trip over that kernel space corruption and throw the BSOD.

    Interestingly, I got more BSODs while I was trying to uninstall that driver; I had to remove it in safe mode. Now watching to see if the BSODs return.

    Update:
    I am tentatively declaring success with the removal of the network driver. I am going to update the drivers I rolled back initially and add Virtualbox back into the mix over the next couple of days and see if we're still good.

    The driver in question is for the TP-LINK TL-WDN4800 PCI card, which was updated in May 2014 to support w8.1 -- it seems that the MS December updates broke something. I'm going to go with the generic windows driver until the OEM updates that driver again.
    Last edited by beglitched; 08 Jan 2015 at 07:49.
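The distinction this post relies on, as an added example that is not part of the original thread: the module on the `Probably caused by` line is the debugger's heuristic pick, while the frame directly below the first trap frame is the code that was executing when the exception was raised. The sample is abridged from the kd output posted earlier in the thread; the function names (`parse_frames`, `blamed`, `triage`) are this example's own.

```python
import re

# Abridged from the kd output posted earlier in this thread: argument columns
# are shortened to "...", frames and offsets are as posted.
SAMPLE = """\
BugCheck 3B, {c0000005, fffff800f62e5025, ffffd0002a7748e0, 0}
Probably caused by : NETIO.SYS ( NETIO!NsiEnumerateObjectsAllParametersEx+20d )
ffffd000`2a774028 fffff802`35be95e9 : ... : nt!KeBugCheckEx
ffffd000`2a774fa0 fffff802`35be7bfe : ... : nt!KiExceptionDispatch+0xc2
ffffd000`2a775180 fffff800`f62e5025 : ... : nt!KiGeneralProtectionFault+0xfe (TrapFrame @ ffffd000`2a775180)
ffffd000`2a775310 fffff800`f62efd97 : ... : ndis!ndisReferenceWithTag+0x15
ffffd000`2a775340 fffff800`f6009308 : ... : ndis!ndisNsiEnumerateAllInterfaceInformation+0x697
ffffd000`2a775460 fffff800`f7242fc1 : ... : NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
ffffd000`2a775650 fffff800`f7242bea : ... : nsiproxy!NsippEnumerateObjectsAllParameters+0x201
ffffd000`2a775840 fffff802`35e6e1ef : ... : nsiproxy!NsippDispatch+0x5a
ffffd000`2a775880 fffff802`35e6d78e : ... : nt!IopXxxControlFile+0xa4f
ffffd000`2a775a20 fffff802`35be92b3 : ... : nt!NtDeviceIoControlFile+0x56
ffffd000`2a775a90 00007ffe`a1070cba : ... : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`2a775b00)
"""

# One "Child-SP RetAddr : args : module!symbol+0xoff [(TrapFrame @ ...)]" line.
FRAME = re.compile(
    r"^\s*[0-9a-f`]{17}\s+[0-9a-f`]{17}\s+:.*:\s+(\w+)!(\w+)(?:\+0x[0-9a-f]+)?"
    r"(\s+\(TrapFrame @ [0-9a-f`]+\))?\s*$", re.I | re.M)
BLAME = re.compile(r"Probably caused by : \S+ \( (\w+)!(\w+)\+[0-9a-f]+ \)")

def parse_frames(text):
    """Return (module, symbol, has_trap_frame) per stack line, top frame first."""
    return [(m.group(1), m.group(2), bool(m.group(3))) for m in FRAME.finditer(text)]

def blamed(text):
    """Module and symbol named by the debugger's 'Probably caused by' line."""
    m = BLAME.search(text)
    return (m.group(1), m.group(2)) if m else None

def triage(text):
    """Compare the blamed symbol with the frame that actually took the fault."""
    frames = parse_frames(text)
    # The frame listed right after the first trap frame is the faulting code.
    idx = next((i + 1 for i, f in enumerate(frames[:-1]) if f[2]), None)
    path = []  # modules on the call path at and below the fault, in order
    for mod, _, _ in (frames[idx:] if idx is not None else []):
        if mod not in path:
            path.append(mod)
    faulting = frames[idx][:2] if idx is not None else None
    return {"blamed": blamed(text), "faulting": faulting, "path": path}
```

For this dump the faulting frame is in `ndis`, one call above the `NETIO` function the debugger named, and it matches the second bugcheck argument (`fffff800f62e5025`, the return address recorded on the trap-frame line).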

  10. #20


    Posts : 13
    8.1 Pro 64-bit


    With all other things being equal, I've come to the conclusion that it was the (OEM) wireless PCI card driver that caused the BSODs. I've reinstalled Virtualbox and upgraded the soundcard driver. I have also updated the wireless PCI card from the Windows driver to the current Atheros driver (August '14).

    Thank you for the suggestions. I'll open a new thread if the problem returns.
    Last edited by beglitched; 08 Jan 2015 at 14:37.