BSOD caused by ntkrnlmp.exe

Hello,
One of our clients has an annoying problem with BSODS almost daily cause by ntkrnlmp.exe and I couldn't manage to find what REALLY was the cause. Symbols were properly configure and still no clear infos. If someone can have a look over the Minidumps and/or
Memory.DMP here are both:
https://onedrive.live.com/?cid=E0FCDAC93086F976&id=E0FCDAC93086F976%21123
Thank you,
Cozmin

Hi Cozmin V,
This is excessive paged pool usage, this error may occur due to user-mode graphics driver crossing over and passing bad data to the kernel code.
1: kd> !analyze -v
*                        Bugcheck Analysis
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff800030a5aae, Address of the instruction which caused the bugcheck
Arg3: fffff8800864c790, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+26
fffff800`030a5aae f00fba3100      lock btr dword ptr [rcx],0
CONTEXT: fffff8800864c790 -- (.cxr 0xfffff8800864c790)
rax=fffffa80082d63c0 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffa80082d63c0 rsi=00000000ffffffff rdi=fffffa80082d63c0
rip=fffff800030a5aae rsp=fffff8800864d170 rbp=0000000000000001
r8=0000000000000000 r9=fffff96000365ab8 r10=000000000002fcc7
r11=fffff8800864d1c0 r12=0000000000000000 r13=0000000000000001
r14=0000000000000000 r15=fffff900caf4dd30
iopl=0         nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b             efl=00010282
nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+0x26:
fffff800`030a5aae f00fba3100      lock btr dword ptr [rcx],0 ds:002b:00000000`00000000=????????
Resetting default scope
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff9600060dce0 to fffff800030a5aae
STACK_TEXT:
fffff880`0864d170 fffff960`0060dce0 : 00000000`00000000 000001c4`00000000 0000feed`52052bed 00001f80`00000000 : nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+0x26
fffff880`0864d1a0 fffff960`00177748 : 00000000`00000001 fffff900`c00b7010 00000000`00000001 fffff900`caf3c370 : cdd!CddBitmapHw::Release+0xc0
fffff880`0864d1e0 fffff960`002b86b4 : 00000000`00000000 00000000`00000000 fffff900`caf3c370 00000000`00000000 : win32k!SURFACE::bDeleteSurface+0x358
fffff880`0864d330 fffff960`002b8757 : fffff900`c00b7010 00000000`00000001 fffff900`c00b7010 00000000`00000001 : win32k!vDynamicConvertNewSurfaceDCs+0xd8
fffff880`0864d360 fffff960`002b8ff2 : fffff900`c00b7010 00000000`00000001 fffff900`c8e35280 fffff900`c00b7010 : win32k!bDynamicRemoveAllDriverRealizations+0x6f
FOLLOWUP_IP:
cdd!CddBitmapHw::Release+c0
fffff960`0060dce0 488b4738        mov     rax,qword ptr [rdi+38h]
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: cdd!CddBitmapHw::Release+c0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: cdd
IMAGE_NAME: cdd.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7c546
STACK_COMMAND: .cxr 0xfffff8800864c790 ; kb
FAILURE_BUCKET_ID: X64_0x3B_cdd!CddBitmapHw::Release+c0
BUCKET_ID: X64_0x3B_cdd!CddBitmapHw::Release+c0
Followup: MachineOwner
1: kd> lmvm cdd
start             end                 module name
fffff960`00600000 fffff960`00627000   cdd        (pdb symbols)          c:\symbols\cdd.pdb\88BFB882815849F88656925A7675F2BA1\cdd.pdb
    Loaded symbol image file: cdd.dll
    Mapped memory image file: c:\symbols\cdd.dll\4CE7C54627000\cdd.dll
    Image path: \SystemRoot\System32\cdd.dll
    Image name: cdd.dll
    Timestamp:        Sat Nov 20 20:55:34 2010 (4CE7C546)
    CheckSum:         0002D4F0
    ImageSize:        00027000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
1: kd> lmtsmn
start             end                 module name
fffff880`00f18000 fffff880`00f6f000   ACPI     ACPI.sys     Sat Nov 20 17:19:16 2010 (4CE79294)
fffff880`068fd000 fffff880`0697d000   ADIHdAud ADIHdAud.sys Wed Jun 16 03:36:52 2010 (4C17D654)
fffff880`048df000 fffff880`04968000   afd     afd.sys      Sat Nov 20 17:23:27 2010 (4CE7938F)
fffff880`04a39000 fffff880`04a4f000   AgileVpn AgileVpn.sys Tue Jul 14 08:10:24 2009 (4A5BCCF0)
fffff880`02ec4000 fffff880`02ed7180   aksdf    aksdf.sys    Mon Nov 21 19:09:56 2011 (4ECA3184)
fffff880`032da000 fffff880`032fae00   aksfridge aksfridge.sys Tue Aug 07 18:34:40 2012 (5020EF40)
fffff880`017f2000 fffff880`017fd000   amdxata amdxata.sys Sat Mar 20 00:18:18 2010 (4BA3A3CA)
fffff880`01e50000 fffff880`01e65000   appid    appid.sys    Sat Nov 20 18:14:37 2010 (4CE79F8D)
fffff880`078fb000 fffff880`07906000   asyncmac asyncmac.sys Tue Jul 14 08:10:13 2009 (4A5BCCE5)
fffff880`013b2000 fffff880`013bb000   atapi    atapi.sys    Tue Jul 14 07:19:47 2009 (4A5BC113)
fffff880`013bb000 fffff880`013e5000   ataport ataport.SYS Sat Nov 20 17:19:15 2010 (4CE79293)
fffff960`00870000 fffff960`008d1000   ATMFD    ATMFD.DLL    Sat Nov 20 17:49:28 2010 (4CE799A8)
fffff880`00fe0000 fffff880`00fec000   BATTC    BATTC.SYS    Tue Jul 14 07:31:01 2009 (4A5BC3B5)
fffff880`04409000 fffff880`04410000   Beep     Beep.SYS     Tue Jul 14 08:00:13 2009 (4A5BCA8D)
fffff880`04b76000 fffff880`04b87000   blbdrive blbdrive.sys Tue Jul 14 07:35:59 2009 (4A5BC4DF)
fffff880`02fb1000 fffff880`02fcf000   bowser   bowser.sys   Wed Feb 23 12:55:04 2011 (4D649328)
fffff960`00600000 fffff960`00627000   cdd      cdd.dll      Sat Nov 20 20:55:34 2010 (4CE7C546)
Unloaded modules:
fffff880`078b6000 fffff880`078c4000   monitor.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ImageSize: 0000E000
fffff880`078a8000 fffff880`078b6000 monitor.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ImageSize: 0000E000
fffff880`0789a000 fffff880`078a8000   monitor.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ImageSize: 0000E000
fffff880`0788c000 fffff880`0789a000   monitor.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ImageSize: 0000E000
fffff880`0787e000 fffff880`0788c000   monitor.sys
    Timestamp: unavailable (00000000)
    Checksum: 00000000
    ImageSize: 0000E000
By checking your DMP file, we also found it related to cdd.dll which is the Canonical Display Driver from Microsoft, it's a system file. You could refer to this link for more information about cdd and bitmap
http://answers.microsoft.com/en-us/windows/forum/windows_7-system/bluescreen-error-when-alttabbing-out-of-full/267be931-70b1-482f-8164-c3cd8084def0
We suggest you replace your graphic/display driver and keep them up to date, then check the issue again.
Also you have a lot of outdated drivers on your system including cdd.dll. Please update these drivers for good measure.
If you're still crashing after all of the above, enable Driver Verifier to look for further corruption:
Driver Verifier:
What is Driver Verifier?
Driver Verifier is included in Windows 8, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows
kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.
Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.
Note: Before enabling Driver Verifier, it is recommended to create a System Restore Point
For more information about Driver Verifier
https://msdn.microsoft.com/en-us/library/windows/hardware/ff545448(v=vs.85).aspx

Similar Messages

Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b8 )

I am debugging a minidump file but I am not able to make out if the problem is related to hardware or software? The possible culprit could be “ntkrnlmp.exe” but which thread or process faulted is beyond my understanding. Please can someone help a newbie
debugger.
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [D:\Items\Mini030413-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*f:\symbols\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (16 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 6002.18607.amd64fre.vistasp2_gdr.120402-0336
Machine Name:
Kernel base = 0xfffff800`01e08000 PsLoadedModuleList = 0xfffff800`01fccdd0
Debug session time: Mon Mar 4 07:23:36.821 2013 (UTC + 13:00)
System Uptime: 49 days 13:51:33.653
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*                        Bugcheck Analysis
Use !analyze -v to get detailed debugging information.
BugCheck 7F, {8, 80050033, 6f8, fffff80001e8b4af}
Unable to load image spep.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for spep.sys
*** ERROR: Module load completed but symbols could not be loaded for spep.sys
Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b8 )
Followup: MachineOwner
6: kd> !analyze -v
*                        Bugcheck Analysis
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050033
Arg3: 00000000000006f8
Arg4: fffff80001e8b4af
Debugging Details:
BUGCHECK_STR: 0x7f_8
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: w3wp.exe
CURRENT_IRQL: 1
EXCEPTION_RECORD: fffffa60122c30a8 -- (.exr 0xfffffa60122c30a8)
ExceptionAddress: fffff80001e8767d (nt!RtlVirtualUnwind+0x000000000000016d)
   ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000000000000d8
Attempt to read from address 00000000000000d8
TRAP_FRAME: fffffa60122c2080 -- (.trap 0xfffffa60122c2080)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000000
rdx=00000000000000d8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80001e8767d rsp=fffffa60122c2210 rbp=fffffa60122c2450
r8=0000000000000005 r9=fffff80001e08000 r10=ffffffffffffff80
r11=fffff80002006000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!RtlVirtualUnwind+0x16d:
fffff800`01e8767d 488b02          mov     rax,qword ptr [rdx] ds:00000000`000000d8=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80001e5f86e to fffff80001e5fad0
STACK_TEXT:
fffffa60`01f1da68 fffff800`01e5f86e : 00000000`0000007f 00000000`00000008 00000000`80050033 00000000`000006f8 : nt!KeBugCheckEx
fffffa60`01f1da70 fffff800`01e5e0b8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x6e
fffffa60`01f1dbb0 fffff800`01e8b4af : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb8
fffffa60`122bdf40 fffff800`01e98d32 : fffffa60`122bed68 fffffa60`122bee90 fffffa60`122bee10 00000000`00000000 : nt!RtlDispatchException+0x2f
fffffa60`122be630 fffff800`01e5f929 : fffffa60`122bed68 00000000`00000003 fffffa60`122bee10 00000000`00000114 : nt!KiDispatchException+0xc2
fffffa60`122bec30 fffff800`01e5e725 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000003 : nt!KiExceptionDispatch+0xa9
fffffa60`122bee10 fffff800`01e8767d : 00000000`00059d17 fffffa60`122bf078 fffff800`01e08000 fffff800`01e08000 : nt!KiPageFault+0x1e5
fffffa60`122befa0 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 00000000`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
fffffa60`122bf010 fffff800`01e98d32 : fffffa60`122bfe38 fffffa60`122bf810 fffffa60`00000000 00000000`00000000 : nt!RtlDispatchException+0x118
fffffa60`122bf700 fffff800`01e5f929 : fffffa60`122bfe38 00000000`00000003 fffffa60`122bfee0 00000000`00000114 : nt!KiDispatchException+0xc2
fffffa60`122bfd00 fffff800`01e5e725 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000003 : nt!KiExceptionDispatch+0xa9
fffffa60`122bfee0 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c0148 fffff800`01e08000 fffff800`01e08000 : nt!KiPageFault+0x1e5
fffffa60`122c0070 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 00000000`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
fffffa60`122c00e0 fffff800`01e98d32 : fffffa60`122c0f08 fffffa60`122c08e0 fffffa60`00000000 00000000`00000000 : nt!RtlDispatchException+0x118
fffffa60`122c07d0 fffff800`01e5f929 : fffffa60`122c0f08 00000000`00000003 fffffa60`122c0fb0 00000000`00000114 : nt!KiDispatchException+0xc2
fffffa60`122c0dd0 fffff800`01e5e725 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000003 : nt!KiExceptionDispatch+0xa9
fffffa60`122c0fb0 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c1218 fffff800`01e08000 fffff800`01e08000 : nt!KiPageFault+0x1e5
fffffa60`122c1140 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 00000000`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
fffffa60`122c11b0 fffff800`01e98d32 : fffffa60`122c1fd8 fffffa60`122c19b0 fffffa60`00000000 00000000`00000000 : nt!RtlDispatchException+0x118
fffffa60`122c18a0 fffff800`01e5f929 : fffffa60`122c1fd8 00000000`00000003 fffffa60`122c2080 00000000`00000114 : nt!KiDispatchException+0xc2
fffffa60`122c1ea0 fffff800`01e5e725 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000003 : nt!KiExceptionDispatch+0xa9
fffffa60`122c2080 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c22e8 fffff800`01e08000 fffff800`01e08000 : nt!KiPageFault+0x1e5
fffffa60`122c2210 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 00000000`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
fffffa60`122c2280 fffff800`01e98d32 : fffffa60`122c30a8 fffffa60`122c2a80 fffffa60`00000000 00000000`00000000 : nt!RtlDispatchException+0x118
fffffa60`122c2970 fffff800`01e5f929 : fffffa60`122c30a8 00000000`00000003 fffffa60`122c3150 00000000`00000114 : nt!KiDispatchException+0xc2
fffffa60`122c2f70 fffff800`01e5e725 : 00000000`00000000 fffffa60`122c31a0 fffffa80`69d06800 00000000`00000003 : nt!KiExceptionDispatch+0xa9
fffffa60`122c3150 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c33b8 fffff800`01e08000 fffffa60`122c3c80 : nt!KiPageFault+0x1e5
fffffa60`122c32e0 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 fffffa60`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
fffffa60`122c3350 fffff800`01e98d32 : fffffa60`122c4178 fffffa60`122c3b50 fffffa60`00000000 fffffa60`0160a000 : nt!RtlDispatchException+0x118
fffffa60`122c3a40 fffff800`01e5f929 : fffffa60`122c4178 00000000`00000003 fffffa60`122c4220 00000000`00000114 : nt!KiDispatchException+0xc2
fffffa60`122c4040 fffff800`01e5e725 : 00000000`00000000 fffffa80`1cff1010 fffffa80`2340ae00 00000000`00000003 : nt!KiExceptionDispatch+0xa9
fffffa60`122c4220 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c4970 fffff800`01e08000 62206465`00000000 : nt!KiPageFault+0x1e5
fffffa60`122c43b0 fffff800`020ec4b2 : fffff800`00000001 fffffa60`10893500 fffff880`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
fffffa60`122c4420 fffff800`01e8cf4d : ffffffff`ffffff80 fffffa80`695fe060 fffffa60`10893570 fffff800`01e08000 : nt!PspGetSetContextInternal+0x36a
fffffa60`122c4970 fffff800`01e811ce : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!PspGetSetContextSpecialApc+0x9d
fffffa60`122c4a80 fffff800`01e61faf : fffffa80`695fe310 00000000`00000000 00000000`00000000 fffffa80`695fe060 : nt!KiDeliverApc+0x19e
fffffa60`122c4b20 fffff800`01e569bb : 00000000`00000007 fffffa60`0161e424 fffffa80`00000005 00000000`00000000 : nt!KiSwapThread+0x3ef
fffffa60`122c4b90 fffff800`01e94dad : ffff0050`00000000 fffffa60`00000005 fffffa80`122c0000 fffffa60`00000000 : nt!KeWaitForSingleObject+0x2cb
fffffa60`122c4c20 fffff800`01e81307 : 00000000`00000000 fffff880`082f6448 fffffa80`3ecdf064 00000000`00000000 : nt!KiSuspendThread+0x29
fffffa60`122c4c60 fffff800`01e84c23 : fffffa60`122c4d80 00000000`00000000 fffff800`01e94d84 00000000`00000000 : nt!KiDeliverApc+0x2d7
fffffa60`122c4d00 fffffa60`00c43093 : fffffa80`1ce4a180 fffffa60`01617601 fffffa80`5c527c40 fffff880`082f0100 : nt!KiApcInterrupt+0x103
fffffa60`122c4e90 fffffa80`1ce4a180 : fffffa60`01617601 fffffa80`5c527c40 fffff880`082f0100 fffffa60`122c5390 : spep+0x40093
fffffa60`122c4e98 fffffa60`01617601 : fffffa80`5c527c40 fffff880`082f0100 fffffa60`122c5390 fffffa80`1c000000 : 0xfffffa80`1ce4a180
fffffa60`122c4ea0 fffff880`082f6140 : fffff880`082f6390 fffff800`01e6dc7c 00000000`00000000 fffffa80`69ae8110 : Ntfs!NtfsCleanupIrpContext+0xd1
fffffa60`122c4ef0 fffff880`082f6390 : fffff800`01e6dc7c 00000000`00000000 fffffa80`69ae8110 fffffa80`69ae8420 : 0xfffff880`082f6140
fffffa60`122c4ef8 fffff800`01e6dc7c : 00000000`00000000 fffffa80`69ae8110 fffffa80`69ae8420 fffffa80`67000d00 : 0xfffff880`082f6390
fffffa60`122c4f00 fffff800`01e649a4 : fffffa80`1bf27000 fffffa60`122c4f68 fffffa80`1ce4a030 00000000`00000000 : nt!KiIpiProcessRequests+0x21c
fffffa60`122c4f50 fffffa60`122c5220 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiIpiInterrupt+0x114
fffffa80`69ae8110 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffffa60`122c5220
STACK_COMMAND: kb
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
FOLLOWUP_NAME: MachineOwner
DEBUG_FLR_IMAGE_TIMESTAMP: 4f79ae26
FOLLOWUP_IP:
nt!KiDoubleFaultAbort+b8
fffff800`01e5e0b8 90              nop
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiDoubleFaultAbort+b8
FAILURE_BUCKET_ID: X64_TRAP_FRAME_RECURSION
BUCKET_ID: X64_TRAP_FRAME_RECURSION
Followup: MachineOwner
6: kd> .trap 0xfffffa60122c2080
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000000
rdx=00000000000000d8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80001e8767d rsp=fffffa60122c2210 rbp=fffffa60122c2450
r8=0000000000000005 r9=fffff80001e08000 r10=ffffffffffffff80
r11=fffff80002006000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!RtlVirtualUnwind+0x16d:
fffff800`01e8767d 488b02          mov     rax,qword ptr [rdx] ds:00000000`000000d8=????????????????

Please understand that debugging is not officially supported in Technet forum, please contact Microsoft Customer Support Service (CSS) if you need any help on dump file debugging. To obtain the phone numbers for specific technology request, please refer
to the website listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US, please refer to
http://support.microsoft.com for regional support phone numbers.
For your reference, you can start by implementing the following troubleshooting steps
Run a chkdsk /r with elevated privilege against the system drives to find out any filesystem corruption
Run sfc /scannow to verify the protected Windows files from an administrative command prompt
Do RAM test or use a third-party tool like MemTest86+
Update BIOS and devices drivers.

Randomly BSODs caused by ntoskrnl.exe

I have random BSODs, this is the dump file... any ideas? I tried to update all drivers, but I solved nothing.
Microsoft (R) Windows Debugger Version 6.3.9600.17029 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\061114-29937-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Error: Attempts to access '061114-29937-01.dmp' failed: 0x0 - The operation completed successfully.
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Error                                          061114-29937-01.dmp
Symbol search path is: 061114-29937-01.dmp
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.17085.amd64fre.winblue_gdr.140330-1035
Machine Name:
Kernel base = 0xfffff800`6e28e000 PsLoadedModuleList = 0xfffff800`6e5582d0
Debug session time: Wed Jun 11 20:29:12.062 2014 (UTC + 2:00)
System Uptime: 0 days 0:22:21.219
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
************* Symbol Loading Error Summary **************
Module name            Error
ntoskrnl               The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*                        Bugcheck Analysis
Use !analyze -v to get detailed debugging information.
BugCheck 133, {1, 1e00, 0, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!_KPRCB
5 times more...
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!_KPRCB
Probably caused by : ntoskrnl.exe ( nt+153fa0 )
Followup: MachineOwner
Systeminfo:
OS Name:                   Microsoft Windows 8.1 Pro
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Original Install Date:     30/10/2013, 13:43:05
System Boot Time:          11/06/2014, 20:29:52
System Manufacturer:       TOSHIBA
System Model:              Satellite L500
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 37 Stepping 2 GenuineIntel ~2261 Mhz
BIOS Version:              TOSHIBA 2.10, 17/05/2011
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume2
Total Physical Memory:     3.958 MB
Available Physical Memory: 1.792 MB
Virtual Memory: Max Size: 7.926 MB
Virtual Memory: Available: 5.492 MB
Virtual Memory: In Use:    2.434 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:
\\MicrosoftAccount
Hotfix(s):                 56 Hotfix(s) Installed.
                           [01]: KB2899189_Microsoft-Windows-CameraCodec-Package
                           [02]: KB2843630
                           [03]: KB2868626
                           [04]: KB2883200
                           [05]: KB2887595
                           [06]: KB2889543
                           [07]: KB2891214
                           [08]: KB2893294
                           [09]: KB2894029
                           [10]: KB2894179
                           [11]: KB2898868
                           [12]: KB2900986
                           [13]: KB2901125
                           [14]: KB2901128
                           [15]: KB2903939
                           [16]: KB2904440
                           [17]: KB2911106
                           [18]: KB2912390
                           [19]: KB2913152
                           [20]: KB2916036
                           [21]: KB2919355
                           [22]: KB2919394
                           [23]: KB2919442
                           [24]: KB2920189
                           [25]: KB2923528
                           [26]: KB2923768
                           [27]: KB2926765
                           [28]: KB2928680
                           [29]: KB2931358
                           [30]: KB2931366
                           [31]: KB2939153
                           [32]: KB2939576
                           [33]: KB2950153
                           [34]: KB2953522
                           [35]: KB2954879
                           [36]: KB2955164
                           [37]: KB2956575
                           [38]: KB2957151
                           [39]: KB2957189
                           [40]: KB2957689
                           [41]: KB2958262
                           [42]: KB2959977
                           [43]: KB2961908
                           [44]: KB2962140
                           [45]: KB2964718
                           [46]: KB2964736
                           [47]: KB2965065
                           [48]: KB2965142
                           [49]: KB2965500
                           [50]: KB2965699
                           [51]: KB2965788
                           [52]: KB2966072
                           [53]: KB2966407
                           [54]: KB2966804
                           [55]: KB2969817
                           [56]: KB976002
Network Card(s):           10 NIC(s) Installed.
                           [01]: Realtek PCIe FE Family Controller
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     N/A
                                 IP address(es)
                           [02]: Realtek RTL8191SE Wireless LAN 802.11n PCI-E NIC
                                 Connection Name: Wi-Fi
                                 Status:          Hardware
not present
                           [03]: Hyper-V Virtual Ethernet Adapter
                                 Connection Name: Ethernet 6
                                 Status:          Media
disconnected
                           [04]: Hyper-V Virtual Ethernet Adapter
                                 Connection Name: Ethernet 3
                                 Status:          Media
disconnected
                           [05]: Hyper-V Virtual Ethernet Adapter
                                 Connection Name: Ethernet 5
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.1.1
                                 IP address(es)
                                 [01]: 192.168.1.129
                                 [02]: fe80::1513:f368:3c1e:c173
                           [06]: Hyper-V Virtual Ethernet Adapter
                                 Connection Name: Ethernet 4
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 169.254.80.80
                                 [02]: fe80::4892:9cb3:7a80:2057
                           [07]: VMware Virtual Ethernet Adapter for VMnet1
                                 Connection Name: VMware Network Adapter VMnet1
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.223.1
                                 [02]: fe80::a11c:f4d5:c02f:9fcf
                           [08]: VMware Virtual Ethernet Adapter for VMnet8
                                 Connection Name: VMware Network Adapter VMnet8
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.132.1
                                 [02]: fe80::fc9a:9075:a71e:776c
                           [09]: TAP-Windows Adapter V9
                                 Connection Name: Local Area Connection 3
                                 Status:          Media
disconnected
                           [10]: Hyper-V Virtual Ethernet Adapter
                                 Connection Name: vEthernet (TAP-Windows Adapter V9 Virtual Switch)
                                 Status:          Media
disconnected
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Hi,
In order to assist you, we will need the .DMP files to analyze what exactly occurred at the time of the crash, etc.
If you don't know where .DMP files are located, here's how to get to them:
1. Navigate to the %systemroot%\Minidump folder.
2. Copy any and all DMP files in the Minidump folder to your Desktop and then zip up these files.
3. Upload the zip containing the .DMP files to Onedrive or a hosting site of your choice and paste in your reply. Preferred sites: Onedrive, Mediafire, Dropbox, etc. Nothing with wait-timers, download managers, etc.
4 (optional): The type of .DMP files located in the Minidump folder are known as Small Memory Dumps. In %systemroot% there will be what is known as a Kernel-Dump (if your system is set to generate). It is labeled MEMORY.DMP. The difference
between Small Memory Dumps and Kernel-Dumps in the simplest definition is a Kernel-Dump contains
much more information at the time of the crash, therefore allowing further debugging of your issue. If your upload speed permits it, and you aren't going against any strict bandwidth and/or usage caps, etc, the Kernel-Dump is the best
choice. Do note that Kernel-Dumps are much larger in size due to containing much more info, which is why I mentioned upload speed, etc.
If you are going to use Onedrive but don't know how to upload to it, please visit the following:
Upload photos and files to Onedrive.
After doing that, to learn how to share the link to the file if you are unaware, please visit the following link -
Share files and folders and change permissions and view 'Get a link'.
Please note that any "cleaner" programs such as TuneUpUtilities, CCleaner, etc, by default will delete .DMP files upon use. With this said, if you've run such software, you will need to allow the system to crash once again to generate a crash dump.
If your computer is not generating .DMP files, please do the following:
1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.
2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all
drives'.
3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system
log'.
Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.
4. Double check that the WERS is ENABLED:
Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than
Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.
If you cannot get into normal mode to do any of this, please do this via Safe Mode.
Regards,
Patrick
“Be kind whenever possible. It is always possible.” - Dalai Lama

Touchsmart 310-1110uk - BSoD caused by ntoskrnl.exe

I have had seemingly random Blue Screens of Death when shutting down on my HP Touchsmart 310-1110uk over the last few months. Sometimes when shutting down, the "Shutting down..." message is displayed for a long time and then the BSoD appears. This only happens occasionally and most of the time it shuts down fine. The blue screen only ever appears when shutting down.
It seemed to happen when Connectify was running but after looking into Connectify BSoD problems it seems that this bug was fixed after version 3, and I am running 3.3.0.23104 Pro. Therefore I don't think Connectify is the problem.
I have uploaded the a .zip of the dump files from "C:\Windows\Minidumps" to Dropbox here:
http://dl.dropbox.com/u/9154836/Minidump.zip
I have also downloaded BlueScreenView to try and analyse the error logs. Most of the crashes seem to be the same with the following:
Bug Check String: DRIVER_POWER_STATE_FAILURE
Bug Check Code: 0x0000009f
Caused By Driver: ntoskrnl.exe
Caused By Address: [mostly "ntoskrnl.exe+7cd40" or "ntoskrnl.exe+7cc40"]
I have uploaded the full HTML BlueScreenView report here:
http://dl.dropbox.com/u/9154836/report.html
I haven't installed many programs which might have caused the problem. This has been happening since November 2011 and the only thing I installed around then was Connectify.
From what I can tell it seems to be a driver issue, but because this only happens occasionally (at seemingly random times when shutting down) it's almost impossible to troubleshoot by disabling individual drivers (i.e. trial and error).
I would appreciate some help on this, if you could provide some guidance on fixing this or ask for more specific information.

I have had seemingly random Blue Screens of Death when shutting down on my HP Touchsmart 310-1110uk over the last few months. Sometimes when shutting down, the "Shutting down..." message is displayed for a long time and then the BSoD appears. This only happens occasionally and most of the time it shuts down fine. The blue screen only ever appears when shutting down.
It seemed to happen when Connectify was running but after looking into Connectify BSoD problems it seems that this bug was fixed after version 3, and I am running 3.3.0.23104 Pro. Therefore I don't think Connectify is the problem.
I have uploaded the a .zip of the dump files from "C:\Windows\Minidumps" to Dropbox here:
http://dl.dropbox.com/u/9154836/Minidump.zip
I have also downloaded BlueScreenView to try and analyse the error logs. Most of the crashes seem to be the same with the following:
Bug Check String: DRIVER_POWER_STATE_FAILURE
Bug Check Code: 0x0000009f
Caused By Driver: ntoskrnl.exe
Caused By Address: [mostly "ntoskrnl.exe+7cd40" or "ntoskrnl.exe+7cc40"]
I have uploaded the full HTML BlueScreenView report here:
http://dl.dropbox.com/u/9154836/report.html
I haven't installed many programs which might have caused the problem. This has been happening since November 2011 and the only thing I installed around then was Connectify.
From what I can tell it seems to be a driver issue, but because this only happens occasionally (at seemingly random times when shutting down) it's almost impossible to troubleshoot by disabling individual drivers (i.e. trial and error).
I would appreciate some help on this, if you could provide some guidance on fixing this or ask for more specific information.

X200 Tablet - BSOD -caused by tsmservice.exe

Hello Community,
I got an Lenovo
X200Tablet 7453BD5
BIOS vers.: 7WET71WW (3.21)
I installed a SSD on my Notebook. I installed Windows 7 on it (more than 5 times), the former OS was Vista on the shipped Notebook.
The Software which causes the BSOD is the service 'TabletSVC'/'TABLET Service' with the execution TSMService.exe. If I stop the service or even not allow to start automated it with Windows. I have no problems with shuting down (restart, hibernate, power off) within 15s the notebook is off.
If the service is still running I probably see the shuting down Window for about feeled 10 Minutes until it shows me an BSOD.
What I've tried meantime. Installed other version of the Tablet Shortcut Menu ->[URL=http://support.lenovo.com/de/de/products/laptops-and-netbooks/thinkpad-x-series-tablet-laptops/think...
Tablet Shortcut Menu[/url].
I also installed the system step by step over the lenovo System update, so I saw what caused the problem. Now I use a shortcut on my desktop which do an net stop 'Tablet Service' and an shutdown. That's functionally but not nice.
Does someone else had/have this problem? And have a solution for it?
regards
Norbert

This is caused by an incompatibility between tsmservice.exe and some versions of Lenovo Power Management driver.
Can you check what version of Lenovo Power Management driver is installed?
You need version 1.67.4.5 (or older), or else 1.67.9.3 (or newer).
Versions in between cause this problem. Sorry for this inconvenience.

Ntkrnlmp.exe causing BSOD randomly

Recently we have been having random reboots and BSODs on our TS box
Background:
Windows Server 2012 R2 - RDS/Print/File - VM on Hyper-V Host (Windows server 2012 r2)
https://onedrive.live.com/redir?resid=AF339BCAC63CB706!228&authkey=!AG-5gWy6tUwoAiE&ithint=folder%2c
Attached are the dump files^^^
Ran ran memtest86 on the host with no errors
Ran Windows memory diags on host and VM with no errors
Updated all firmware and drivers for our HP Proliant ML350 gen8 server
Ran Driver Verifier and pointed it towards the problem child (ntoskrnl.exe) and the server bsod twice in a matter of ten minutes with, of course "Driver Verifier detected a Violation"
Checked the version number Ntoskrnl.exe version 6.3.9600.16452 - Removed
Windows Update Rollup - KB2903939
Double checked and verified removed.
Rebooted and ran Driver verifier after update removal - BSOD twice with same scenario as above. Disabled Driver verifier for now.
I'm hoping to find a fix for this as this is the main RDS server.
I appreciate your time. If you need anything else, please let me know.
Thanks!
*Going to add another DUMP that happened today Below*
Microsoft (R) Windows Debugger Version 6.3.9600.17029 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Windows 8 Kernel Version 9600 MP (6 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 9600.16422.amd64fre.winblue_gdr.131006-1505
Machine Name:
Kernel base = 0xfffff802`1f286000 PsLoadedModuleList = 0xfffff802`1f54a990
Debug session time: Fri Apr 4 16:32:20.197 2014 (UTC - 4:00)
System Uptime: 0 days 6:36:23.236
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff6`35f58018). Type ".hh dbgerr001" for details
Loading unloaded module list
************* Symbol Loading Error Summary **************
Module name Error
ntkrnlmp The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
* Bugcheck Analysis *
Use !analyze -v to get detailed debugging information.
BugCheck 3B, {c0000005, fffff8021f2cc740, ffffd000276e0eb0, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
Probably caused by : ntkrnlmp.exe ( nt!RtlAvlRemoveNode+478 )
Followup: MachineOwner

Thanks for the information.
In case you do need to enable Driver Verifier, refer to the following:
Driver Verifier:
What is Driver Verifier?
Driver Verifier is included in Windows 8/8.1, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows
kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.
Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.
Before enabling Driver Verifier, it is recommended to create a System Restore Point:
Vista - START | type rstrui - create a restore point
Windows 7 - START | type create | select "Create a Restore Point"
Windows 8/8.1 -
http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html
How to enable Driver Verifier:
Start > type "verifier" without the quotes > Select the following options -
1. Select - "Create custom settings (for code developers)"
2. Select - "Select individual settings from a full list"
3. Check the following boxes -
- Special Pool
- Pool Tracking
- Force IRQL Checking
- Deadlock Detection
- Security Checks (Windows 7 & 8)
- DDI compliance checking (Windows 8)
- Miscellaneous Checks
4. Select - "Select driver names from a list"
5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
7. Click on Finish.
8. Restart.
Important information regarding Driver Verifier:
- If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this
happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled, it is monitoring
all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.
- After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and
as stated above, that will cause / force a BSOD.
If this happens, do not panic, do the following:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > Search > type "cmd" without the quotes.
- To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
・ Restart and boot into normal Windows.
If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:
- Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
- Once in Safe Mode - Start > type "system restore" without the quotes.
- Choose the restore point you created earlier.
-- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods:
5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1
How long should I keep Driver Verifier enabled for?
I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.
My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?
They will be located in %systemroot%\Minidump
Any other questions can most likely be answered by this article:
http://support.microsoft.com/kb/244617
Regards,
Patrick

Ntkrnlmp.exe causing BSOD intermittently (DUMP Attached)

Recently we have been having random reboots and BSODs on our TS box
Background:
Windows Server 2012 R2 - RDS/Print/File - VM on Hyper-V Host (Windows server 2012 r2
https://onedrive.live.com/redir?resid=AF339BCAC63CB706!228&authkey=!AG-5gWy6tUwoAiE&ithint=folder%2c
Attached are the dump files^^^
Ran ran memtest86 on the host with no errors
Ran Windows memory diags on host and VM with no errors
Updated all firmware and drivers for our HP Proliant ML350 gen8 server
Ran Driver Verifier and pointed it towards the problem child (ntoskrnl.exe) and the server bsod twice in a matter of ten minutes with, of course "Driver Verifier detected a Violation"
Checked the version number Ntoskrnl.exe version 6.3.9600.16452 - Removed
Windows Update Rollup - KB2903939
Double checked and verified removed.
Rebooted and ran Driver verifier after update removal - BSOD twice with same scenario as above. Disabled Driver verifier for now.
I'm hoping to find a fix for this as this is the main RDS server.
I appreciate your time. If you need anything else, please let me know.
Thanks!
*Going to add another DUMP that happened today Below*
Microsoft (R) Windows Debugger Version 6.3.9600.17029 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Windows 8 Kernel Version 9600 MP (6 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 9600.16422.amd64fre.winblue_gdr.131006-1505
Machine Name:
Kernel base = 0xfffff802`1f286000 PsLoadedModuleList = 0xfffff802`1f54a990
Debug session time: Fri Apr 4 16:32:20.197 2014 (UTC - 4:00)
System Uptime: 0 days 6:36:23.236
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff6`35f58018). Type ".hh dbgerr001" for details
Loading unloaded module list
************* Symbol Loading Error Summary **************
Module name Error
ntkrnlmp The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
* Bugcheck Analysis *
Use !analyze -v to get detailed debugging information.
BugCheck 3B, {c0000005, fffff8021f2cc740, ffffd000276e0eb0, 0}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** Type referenced: nt!_KPRCB ***
Probably caused by : ntkrnlmp.exe ( nt!RtlAvlRemoveNode+478 )
Followup: MachineOwner

Please understand that this forum is meant for general windows server queries and we dont really analyze the crash dumps here.
Please
contact Microsoft Customer Service directly so that the memory dump file can be analyzed and this issue can be resolved efficiently.
You
may obtain the phone numbers for specific technology request please take a look at the web site listed below:
https://support.microsoft.com/common/international.aspx?iid=174859&iguid=56907522-6886-4238-a70f-a1d06a4473c7_2_2&rdpath=1
http://www.arabitpro.com

Tdx.sys ntkrnlmp.exe BSOD after P2V Windows 2008 R2 Standard

Hi all,
We ran a P2V against a Server 2008 R2 Standard (SBS) DC on the weekend. Given that VMware hasn't released a cold clone ISO for a while, we used ShadowProtect Recovery Environment and Hardware Independent Restore. It worked a treat, stripped the old physical
NICs out.
Monday morning it threw a BSOD, then again at 10 am that day.
We immediately patched to remove the http.sys BSOD vulnerability to be safe.
We also patched 2008 R2 to SP1 x64 latest versions.
It crashed again last night, then again at 10 am today and every day since.
The BSOD dumps mention ntkrnlmp.exe and tdx.sys
vSphere is a new Intel server S2600CP2 running vSphere 5.5 Update 2.
The VM is running a VMXnet3 NIC, we've had issues before. RAID controller is Intel RMS25PB040.
The server runs AD/DNS, Exchange, File Shares and Printers.
We're combing through tasks, as it may be falling over at the same time every couple of days.
We've disabled Kaspersky Endpoint protection.
We will be planning to swap over the VMXnet3 NIC to E1000 later today, once we have a full backup that runs to USB.
After extensive researching we are leaning towards the NIC/network being a problem under load causing the BSOD.
Anyone else have any other suggestions we can try to resolve the BSOD issues?
Screenshot of the BSOD error codes: http://imgur.com/xRwZcKf
Here is an output of the minidump file:
Debugging Details:
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
BUGCHECK_STR: 0x7f_8
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT_SERVER
PROCESS_NAME: System
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff80001e911a9 to fffff80001e91c00
STACK_TEXT:
fffff80001d22d28 fffff80001e911a9 : 000000000000007f 0000000000000008 0000000080050031 00000000000406f8 : nt!KeBugCheckEx fffff80001d22d30 fffff80001e8f672 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69 fffff80001d22e70 fffff88003413a0c : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDoubleFaultAbort+0xb2
fffff88002b02f90 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : tdx!TdxIssueQueryAddressRequest+0x5c
STACK_COMMAND: kb
FOLLOWUP_IP: tdx!TdxIssueQueryAddressRequest+5c fffff88003413a0c ff1576370100 call qword ptr [tdx!_imp_ExAllocatePoolWithTag (fffff88003427188)]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: tdx!TdxIssueQueryAddressRequest+5c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: tdx
IMAGE_NAME: tdx.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce79332
FAILURE_BUCKET_ID: X64_0x7f_8_tdx!TdxIssueQueryAddressRequest+5c
BUCKET_ID: X64_0x7f_8_tdx!TdxIssueQueryAddressRequest+5c
Followup: MachineOwner

Hi Sir,
>>We ran a P2V against a Server 2008 R2 Standard (SBS) DC on the weekend. Given that VMware hasn't released a cold clone ISO for a while
It seems that you have performed WMware P2V , it is beyond what we can support . You may need to post this issue into WMware forum :
https://communities.vmware.com/welcome
In windows hyper-v , there is a tool " disk2VHD" can help us to perform P2V :
https://technet.microsoft.com/en-us/library/ee656415.aspx?f=255&MSPPError=-2147217396
Best Regards,
Elton Ji
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] .

Windows 8.1 BSOD and the culprit is ntkrnlmp.exe

Here is the log of dump file
0: kd> !analyze -v
* Bugcheck Analysis *
DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
The IO manager has caught a misbehaving driver.
Arguments:
Arg1: 0000000000000221, An IRP dispatch handler for a PDO has deleted its device object, but the
hardware has not been reported as missing in a bus relations query.
Arg2: fffff8021aa88a78, The address in the driver's code where the error was detected.
Arg3: ffffcf8164f18af0, IRP address.
Arg4: ffffe0008738a8c0, Device object address.
Debugging Details:
BUGCHECK_STR: 0xc9_221
DRIVER_VERIFIER_IO_VIOLATION_TYPE: 221
FAULTING_IP:
nt!ViGenericPnp+0
fffff802`1aa88a78 4c8b05d12dc8ff mov r8,qword ptr [nt!pXdvIRP_MJ_PNP (fffff802`1a70b850)]
FOLLOWUP_IP:
nt!ViGenericPnp+0
fffff802`1aa88a78 4c8b05d12dc8ff mov r8,qword ptr [nt!pXdvIRP_MJ_PNP (fffff802`1a70b850)]
IRP_ADDRESS: ffffcf8164f18af0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
LAST_CONTROL_TRANSFER: from fffff8021aa786b0 to fffff8021a556fa0
STACK_TEXT:
ffffd001`279861a8 fffff802`1aa786b0 : 00000000`000000c9 00000000`00000221 fffff802`1aa88a78 ffffcf81`64f18af0 : nt!KeBugCheckEx
ffffd001`279861b0 fffff802`1aa7b171 : fffff802`1aa6b470 fffff802`1aa88a78 ffffcf81`64f18af0 ffffe000`8738a8c0 : nt!VerifierBugCheckIfAppropriate+0x3c
ffffd001`279861f0 fffff802`1aa719f0 : ffffe000`899daca0 ffffd001`27986350 ffffe000`83fbdd40 00000000`00000000 : nt!ViErrorFinishReport+0x10d
ffffd001`27986250 fffff802`1aa77bd5 : 00000000`00000000 fffff802`1a7b4f4e ffffe000`899daca0 00000000`00020000 : nt!IovpCallDriver2+0x15c
ffffd001`27986620 fffff802`1aa6c928 : ffffcf81`64f18af0 00000000`00000002 ffffcf81`64f18af0 fffff802`1aa78471 : nt!VfAfterCallDriver+0x289
ffffd001`279866b0 fffff802`1a7b4f4e : ffffe000`8738a8c0 00000000`00000000 ffffd001`279867b0 ffffe000`899daca0 : nt!IovCallDriver+0x3e4
ffffd001`27986700 fffff802`1a8cde24 : 00000000`00000002 ffffd001`279867c9 ffffe000`861fe770 ffffe000`8738a8c0 : nt!IopSynchronousCall+0xfe
ffffd001`27986770 fffff802`1a51e6bb : ffffc000`bea120d0 00000000`0000000a ffffe000`861fe770 00000000`0000000a : nt!IopRemoveDevice+0xe0
ffffd001`27986830 fffff802`1a8cd771 : ffffe000`8738a8c0 ffffe000`861fe770 ffffc000`bd6e0990 fffff802`1a994e36 : nt!PnpRemoveLockedDeviceNode+0x1a7
ffffd001`27986890 fffff802`1a8cd6ea : 00000000`00000000 ffffc000`bd6e0990 ffffe000`861fe770 00000000`3f051397 : nt!PnpDeleteLockedDeviceNode+0x4d
ffffd001`279868d0 fffff802`1a8cc7f3 : ffffe000`861043b0 ffffd001`00000002 00000000`00000000 00000000`00000000 : nt!PnpDeleteLockedDeviceNodes+0x9a
ffffd001`27986950 fffff802`1a7a7139 : ffffc000`bea12000 00000000`00000007 ffffc000`00000000 ffffe000`ffffffff : nt!PnpProcessQueryRemoveAndEject+0x4ef
ffffd001`27986ab0 fffff802`1a7a7571 : ffffc000`bea120d0 00000000`00000000 00000000`00000000 fffff802`1a7a7260 : nt!PnpProcessTargetDeviceEvent+0x9d
ffffd001`27986af0 fffff802`1a456adb : fffff802`1a7a7260 ffffc000`be661440 ffffd001`27986bd0 ffffe000`889c1ab0 : nt!PnpDeviceEventWorker+0x311
ffffd001`27986b50 fffff802`1a4d2794 : 00000000`00000000 ffffe000`832d7880 ffffe000`832d7880 ffffe000`8328c040 : nt!ExpWorkerThread+0x293
ffffd001`27986c00 fffff802`1a55d5c6 : ffffd001`2c3dc180 ffffe000`832d7880 ffffd001`2c3e83c0 00000000`00000000 : nt!PspSystemThreadStartup+0x58
ffffd001`27986c60 00000000`00000000 : ffffd001`27987000 ffffd001`27981000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
STACK_COMMAND: .bugcheck ; kb
SYMBOL_NAME: nt!ViGenericPnp+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5318053f
BUCKET_ID_FUNC_OFFSET: 0
FAILURE_BUCKET_ID: 0xc9_221_VRF_nt!ViGenericPnp
BUCKET_ID: 0xc9_221_VRF_nt!ViGenericPnp
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0xc9_221_vrf_nt!vigenericpnp
FAILURE_ID_HASH: {9b03958c-18ab-732a-2c41-f92dcd519377}
Followup: MachineOwner
Could anyone give me a fever for finding the root cause?

Hi,
In order to assist you, we will need the .DMP files to analyze what exactly occurred at the time of the crash, etc.
If you don't know where .DMP files are located, here's how to get to them:
1. Navigate to the %systemroot%\Minidump folder.
-- %systemroot% is the environment variable for your Windows directory. For example, C:\Windows.
2. Copy any and all .DMP files in the Minidump folder to your Desktop, create a new folder on the Desktop to put these .DMP files in, and then zip the folder. You can then either use a 3rd party tool such as 7-Zip/Winrar, or you can use Windows'
default method of zipping folders.
Compress and uncompress files (zip files).
Please note that any "cleaner" programs such as TuneUpUtilities, CCleaner, etc, by default will delete .DMP files upon use. With this said, if you've run such software, and your Minidump folder is empty, you will need
to allow the system to crash once again to generate a crash dump.
3. Upload the .ZIP containing the .DMP files to Onedrive or a hosting site of your choice and paste in your reply.
Preferred sites: Onedrive, Mediafire, Dropbox, etc. Nothing with wait-timers, download managers, etc.
4 (optional): The type of .DMP files located in the Minidump folder are known as Small Memory Dumps. In %systemroot% there will be what is known as a Kernel Memory Dump (if your system is set to generate). It is labeled MEMORY.DMP. The difference
between Small Memory Dumps and Kernel Memory Dumps in the simplest definition is a Kernel Memory Dump contains
much more information at the time of the crash, therefore allowing further debugging of your issue. If your upload speed permits it, and you aren't going against any strict bandwidth and/or usage caps, etc, the Kernel Memory Dump is
the best choice. Do note that Kernel Memory Dumps are much larger
in size due to containing much more info, which is why I mentioned upload speed, etc.
If you are going to use Onedrive but don't know how to upload to it, please visit the following:
Upload photos and files to Onedrive.
After doing that, to learn how to share the link to the file if you are unaware, please visit the following link -
Share files and folders and change permissions and view 'Get a link'.
If your computer is not generating .DMP files, please do the following:
1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.
2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for
all drives'.
3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the
system log'.
Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.
4. Double check that the WERS is ENABLED:
Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than
Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.
If you cannot get into normal mode to do any of this, please do this via Safe Mode.
Regards,
Patrick
“Be kind whenever possible. It is always possible.” - Dalai Lama

Windows 8.1 x64 BSOD on shutdown - ntoskrnl.exe

This has been happening for several months to me, where in Windows 8.1 x64 when I go to shut down to install any Windows updates, I get a BSOD that says REFERENCE_BY_POINTER. I've uploaded the minidump files here:
https://skydrive.live.com/redir?resid=A0FE33D78854B45A!3350&authkey=!AEZUfKou1Y7rQWQ&ithint=folder%2c.dmp
Can someone help me sort out which driver might be causing the problem? Thanks!
actiprosoftware.com - Professional WPF, WinRT, Silverlight, and WinForms UI controls and components

Hi,
The Ntkrnlmp.exe Bluescreen error may be caused by following factors.
Fail to load drivers.
Require a microcode update that is not applied by the computer's basic input/output system (BIOS).
Are damaged or defective.
Are operating outside their specified ranges for temperature, power, or other conditions.
First, I suggest we disable fast boot for Windows 8.1 to check the issue (below steps are ok for Windows 8.1):
Please refer to this article: Disable Windows 8 fast startup (hibernate file)
http://nvidia.custhelp.com/app/answers/detail/a_id/3152/~/disable-windows-8-fast-startup-(hibernate-file)
If the issue persists, to determine the possible cause, I suggest we test the issue in Clean boot mode and Device clean boot mode:
How to perform a clean boot to troubleshoot a problem in Windows 8, Windows 7, or Windows Vista
http://support.microsoft.com/kb/929135
If the issue doesn’t appear, you can determine which one can be the cause by using dichotomy in MSconfig. Checking on half of Non-Microsoft service and restart, determining which half of the services cause the issue and repeating to check half of the problematic
half services.
Device Clean Boot
=================
1. Type "devmgmt.msc" (without quotation marks) in the Search bar and press Enter.
2. Expand "Sound, video and game controllers".
3. Right click on your sound card and then click "Properties.
4. In the dropdown menu of Device Usage, please choose "Do not use this device (disable)" and click OK.
5. Please use the same method to disable other dubious hardware such as: internal modem, network card and CD-R drive. Please note some devices such as video adapter are not available to be disabled.
Let me know the results after performing my previous suggestions.
If the issue still persist, please post back the latest dump file and system information here for further research.
Kate Li
TechNet Community Support

Blue Screen crash in Windows 7: culprit is ntkrnlmp.exe

Hi, I've been, with increasingly frequency, getting crashes on my Windows 7-run Gateway. Here's what I see when I run the WhoCrashed program (I'm very computer illiterate, sorry!):
On Wed 1/22/2014 11:34:06 PM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module:
ntkrnlmp.exe (nt!PsIsProtectedProcess+0x2A0)
Bugcheck code: 0xD1 (0x18, 0x2, 0x0, 0xFFFFF8800188AC49)
Error: DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug check description: This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.
Can anyone help? Thanks a bunch!!!

Hi Ray,
Just additional. Troubleshoot this kind of kernel crash issue, we need to analyze the crash dump file to narrow down the root cause of the issue. Actually, it is not effective
for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for specific technology request, please refer to the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope this helps.
Best regards,
Justin Gu

Probably caused by : ntoskrnl.exe ( nt+72f40 )

Dear Friend,
I have a windows server 2008R2 running on Hyper v .The host machine is running windows server2012.on this server,Exchange application is running.This server is getting rebooted itself on every 15-20 days.the mini blue dumb for the issue is as below.Please
help me for the solution.
Microsoft (R) Windows Debugger Version 6.2.9200.20512 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Administrator\Desktop\032214-16718-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: *** Invalid ***
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
Executable search path is:
* Symbols can not be loaded because symbol path is not initialized. *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows 7 Kernel Version 7601 (Service Pack 1) MP (8 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 7601.22411.amd64fre.win7sp1_ldr.130801-1934
Machine Name:
Kernel base = 0xfffff800`01a07000 PsLoadedModuleList = 0xfffff800`01c4b6d0
Debug session time: Sat Mar 22 18:41:25.076 2014 (UTC + 5:30)
System Uptime: 38 days 7:36:33.296
* Symbols can not be loaded because symbol path is not initialized. *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*                        Bugcheck Analysis
Use !analyze -v to get detailed debugging information.
BugCheck 4A, {7773132a, 2, 0, fffff88002594b60}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!_KPRCB
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!KPRCB
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!_KPRCB
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!KPRCB
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!_KPRCB
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!_KPRCB
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!_KPRCB
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information. Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.
***    Type referenced: nt!_KPRCB
Probably caused by : ntoskrnl.exe ( nt+72f40 )
Followup: MachineOwner
---------

Hi,
Before you start to use WinDbg you also need to configure the symbol path – just go to file->symbol file path and the path you need to enter for the Microsoft public symbol
server is:
http://msdl.microsoft.com/download/symbols
The related article:
Setting up WinDbg and Using Symbols
http://blogs.msdn.com/b/emeadaxsupport/archive/2011/04/10/setting-up-windbg-and-using-symbols.aspx
Hope this helps.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Ebay causes plugin-container.exe to use high cpu

I am using firefox 6.0.1 with Windows XP SP3 and have noticed that opening my ebay summary page causes plugin-container.exe to use between 60 and 80% of available CPU time. I haven't noticed this problem on other pages nor did I notice it before the recent firefox upgrade.
Not sure if this a firefox or ebay issue.

http://support.mozilla.com/en-US/kb/What%20is%20plugin-container?s=PLUGIN-CONTAINER.EXE&as=s

Where is the form / forum to submit BSOD caused by Photoshop CS4 to the technical support ?

Where is the form / forum to submit BSOD caused by Photoshop CS4 to the technical support ?

But if it will make you feel better, the bug report form is here:
http://www.adobe.com/cfusion/mmform/index.cfm?name=wishform
As Bob said, though, this is generally a hardware/driver issue of some sort. I've just seen a case where some malware was causing BSOD when trying to run or install a scanner. When I got the malware off the machine the BSOD problem was instantly cured.

Permanent Disk Activity caused by Acsvc.exe

On my X61 Tablet I have discovered a permanent Disk Activity caused by Acsvc.exe, version 5.02.
The x61 is running Vista Business SP 1.
Any ideas why this happens ?
Any ideas how this can be stopped ?
Thanks in advance

Hello
All the drivers and all the software are on the newest version available from Lenovo.
From analysing the file
C:\Windows\System32\config\systemprofile\AppData\Roaming\Sierra Wireless\SwiApi\SwiApiLog_199.txt
the following text was written by Acsvc.exe:
619501 CSwiDataNdisDrv::Initialize - HSDPA Network Adapter4619595 CSwiDataNdisDrv::Initialize - Driver name: \\.\{9e79c1ec-6907-4956-9fca-a08216ea4ad4}SwiSetHostStartup - %i
4733319 CSwiDataNdisDrv::GetDriverHandle - CreateFile failed 31
4734973 CSwiDataNdisDrv:endFrameToDriver - Failed to get handle
4757905 Sending shutdown message and closing handle.
4757983 CSwiDataNdisDrv::GetDriverHandle - CreateFile failed 31
4757983 CSwiDataNdisDrv:endFrameToDriver - Failed to get handle
4757983 Sending shutdown message and closing handle.
4758092 CSwiDataNdisDrv::GetDriverHandle - CreateFile failed 298
4758124 CSwiDataNdisDrv:endFrameToDriver - Failed to get handle
4758264 Sending shutdown message and closing handle.
The first two occurences of the number after "CreateFile failed" is 31, afterwards 298.
The 3 lines ("CreateFile failed 298", "Failed to get handle", "Sending shutdown message and closing handle") are repeated continously, while the number at the beginning of the file is augmented.
The end of the file looks as follows:
263617868 Sending shutdown message and closing handle.
263617883 CSwiDataNdisDrv::GetDriverHandle - CreateFile failed 298
263617899 CSwiDataNdisDrv:endFrameToDriver - Failed to get handle
263617915 Sending shutdown message and closing handle.
263617946 CSwiDataNdisDrv::GetDriverHandle - CreateFile failed 298
263617961 CSwiDataNdisDrv:endFrameToDriver - Failed to get handle
263617977 Sending shutdown message and closing handle.
263618008 CSwiDataNdisDrv::GetDriverHandle - CreateFile failed 298
I'm looking forward to any ideas what might cause Acsvc.exe to unsuccessfully trying to communicate with the driver and why this is written into a log file.

BSOD caused by ntkrnlmp.exe

Similar Messages

Maybe you are looking for