Ntkrnlmp.exe causing BSOD intermittently (DUMP Attached)

Similar Messages

• Ntkrnlmp.exe causing BSOD randomly

  Recently we have been having random reboots and BSODs on our TS box
  Background:
  Windows Server 2012 R2 - RDS/Print/File - VM on Hyper-V Host (Windows server 2012 r2)
  https://onedrive.live.com/redir?resid=AF339BCAC63CB706!228&authkey=!AG-5gWy6tUwoAiE&ithint=folder%2c
  Attached are the dump files^^^
  Ran ran memtest86 on the host with no errors
  Ran Windows memory diags on host and VM with no errors
  Updated all firmware and drivers for our HP Proliant ML350 gen8 server
  Ran Driver Verifier and pointed it towards the problem child (ntoskrnl.exe) and the server bsod twice in a matter of ten minutes with, of course "Driver Verifier detected a Violation"
  Checked the version number Ntoskrnl.exe version 6.3.9600.16452 - Removed
  Windows Update Rollup - KB2903939
  Double checked and verified removed.
  Rebooted and ran Driver verifier after update removal - BSOD twice with same scenario as above. Disabled Driver verifier for now. 
  I'm hoping to find a fix for this as this is the main RDS server. 
  I appreciate your time. If you need anything else, please let me know. 
  Thanks!
  *Going to add another DUMP that happened today Below*
  Microsoft (R) Windows Debugger Version 6.3.9600.17029 AMD64
  Copyright (c) Microsoft Corporation. All rights reserved.
  Loading Dump File [C:\Windows\MEMORY.DMP]
  Kernel Bitmap Dump File: Only kernel address space is available
  ************* Symbol Path validation summary **************
  Response                         Time (ms)     Location
  Deferred                                       .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
  Symbol search path is: .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
  Executable search path is: 
  *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe - 
  Windows 8 Kernel Version 9600 MP (6 procs) Free x64
  Product: Server, suite: TerminalServer
  Built by: 9600.16422.amd64fre.winblue_gdr.131006-1505
  Machine Name:
  Kernel base = 0xfffff802`1f286000 PsLoadedModuleList = 0xfffff802`1f54a990
  Debug session time: Fri Apr  4 16:32:20.197 2014 (UTC - 4:00)
  System Uptime: 0 days 6:36:23.236
  *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe - 
  Loading Kernel Symbols
  Loading User Symbols
  PEB is paged out (Peb.Ldr = 00007ff6`35f58018).  Type ".hh dbgerr001" for details
  Loading unloaded module list
  ************* Symbol Loading Error Summary **************
  Module name            Error
  ntkrnlmp               The system cannot find the file specified
  You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
  You should also verify that your symbol search path (.sympath) is correct.
  *                        Bugcheck Analysis                                    *
  Use !analyze -v to get detailed debugging information.
  BugCheck 3B, {c0000005, fffff8021f2cc740, ffffd000276e0eb0, 0}
  ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
  ***    Either you specified an unqualified symbol, or your debugger   ***
  ***    doesn't have full symbol information.  Unqualified symbol      ***
  ***    resolution is turned off by default. Please either specify a   ***
  ***    fully qualified symbol module!symbolname, or enable resolution ***
  ***    of unqualified symbols by typing ".symopt- 100". Note that   ***
  ***    enabling unqualified symbol resolution with network symbol     ***
  ***    server shares in the symbol path may cause the debugger to     ***
  ***    appear to hang for long periods of time when an incorrect      ***
  ***    symbol name is typed or the network symbol server is down.     ***
  ***    For some commands to work properly, your symbol path           ***
  ***    must point to .pdb files that have full type information.      ***
  ***    Certain .pdb files (such as the public OS symbols) do not      ***
  ***    contain the required information.  Contact the group that      ***
  ***    provided you with these symbols if you need this command to    ***
  ***    work.                                                          ***
  ***    Type referenced: nt!_KPRCB                                     ***
  ***    Either you specified an unqualified symbol, or your debugger   ***
  ***    doesn't have full symbol information.  Unqualified symbol      ***
  ***    resolution is turned off by default. Please either specify a   ***
  ***    fully qualified symbol module!symbolname, or enable resolution ***
  ***    of unqualified symbols by typing ".symopt- 100". Note that   ***
  ***    enabling unqualified symbol resolution with network symbol     ***
  ***    server shares in the symbol path may cause the debugger to     ***
  ***    appear to hang for long periods of time when an incorrect      ***
  ***    symbol name is typed or the network symbol server is down.     ***
  ***    For some commands to work properly, your symbol path           ***
  ***    must point to .pdb files that have full type information.      ***
  ***    Certain .pdb files (such as the public OS symbols) do not      ***
  ***    contain the required information.  Contact the group that      ***
  ***    provided you with these symbols if you need this command to    ***
  ***    work.                                                          ***
  ***    Type referenced: nt!KPRCB                                      ***
  ***    Either you specified an unqualified symbol, or your debugger   ***
  ***    doesn't have full symbol information.  Unqualified symbol      ***
  ***    resolution is turned off by default. Please either specify a   ***
  ***    fully qualified symbol module!symbolname, or enable resolution ***
  ***    of unqualified symbols by typing ".symopt- 100". Note that   ***
  ***    enabling unqualified symbol resolution with network symbol     ***
  ***    server shares in the symbol path may cause the debugger to     ***
  ***    appear to hang for long periods of time when an incorrect      ***
  ***    symbol name is typed or the network symbol server is down.     ***
  ***    For some commands to work properly, your symbol path           ***
  ***    must point to .pdb files that have full type information.      ***
  ***    Certain .pdb files (such as the public OS symbols) do not      ***
  ***    contain the required information.  Contact the group that      ***
  ***    provided you with these symbols if you need this command to    ***
  ***    work.                                                          ***
  ***    Type referenced: nt!_KPRCB                                     ***
  ***    Either you specified an unqualified symbol, or your debugger   ***
  ***    doesn't have full symbol information.  Unqualified symbol      ***
  ***    resolution is turned off by default. Please either specify a   ***
  ***    fully qualified symbol module!symbolname, or enable resolution ***
  ***    of unqualified symbols by typing ".symopt- 100". Note that   ***
  ***    enabling unqualified symbol resolution with network symbol     ***
  ***    server shares in the symbol path may cause the debugger to     ***
  ***    appear to hang for long periods of time when an incorrect      ***
  ***    symbol name is typed or the network symbol server is down.     ***
  ***    For some commands to work properly, your symbol path           ***
  ***    must point to .pdb files that have full type information.      ***
  ***    Certain .pdb files (such as the public OS symbols) do not      ***
  ***    contain the required information.  Contact the group that      ***
  ***    provided you with these symbols if you need this command to    ***
  ***    work.                                                          ***
  ***    Type referenced: nt!KPRCB                                      ***
  ***    Either you specified an unqualified symbol, or your debugger   ***
  ***    doesn't have full symbol information.  Unqualified symbol      ***
  ***    resolution is turned off by default. Please either specify a   ***
  ***    fully qualified symbol module!symbolname, or enable resolution ***
  ***    of unqualified symbols by typing ".symopt- 100". Note that   ***
  ***    enabling unqualified symbol resolution with network symbol     ***
  ***    server shares in the symbol path may cause the debugger to     ***
  ***    appear to hang for long periods of time when an incorrect      ***
  ***    symbol name is typed or the network symbol server is down.     ***
  ***    For some commands to work properly, your symbol path           ***
  ***    must point to .pdb files that have full type information.      ***
  ***    Certain .pdb files (such as the public OS symbols) do not      ***
  ***    contain the required information.  Contact the group that      ***
  ***    provided you with these symbols if you need this command to    ***
  ***    work.                                                          ***
  ***    Type referenced: nt!_KPRCB                                     ***
  ***    Either you specified an unqualified symbol, or your debugger   ***
  ***    doesn't have full symbol information.  Unqualified symbol      ***
  ***    resolution is turned off by default. Please either specify a   ***
  ***    fully qualified symbol module!symbolname, or enable resolution ***
  ***    of unqualified symbols by typing ".symopt- 100". Note that   ***
  ***    enabling unqualified symbol resolution with network symbol     ***
  ***    server shares in the symbol path may cause the debugger to     ***
  ***    appear to hang for long periods of time when an incorrect      ***
  ***    symbol name is typed or the network symbol server is down.     ***
  ***    For some commands to work properly, your symbol path           ***
  ***    must point to .pdb files that have full type information.      ***
  ***    Certain .pdb files (such as the public OS symbols) do not      ***
  ***    contain the required information.  Contact the group that      ***
  ***    provided you with these symbols if you need this command to    ***
  ***    work.                                                          ***
  ***    Type referenced: nt!_KPRCB                                     ***
  ***    Either you specified an unqualified symbol, or your debugger   ***
  ***    doesn't have full symbol information.  Unqualified symbol      ***
  ***    resolution is turned off by default. Please either specify a   ***
  ***    fully qualified symbol module!symbolname, or enable resolution ***
  ***    of unqualified symbols by typing ".symopt- 100". Note that   ***
  ***    enabling unqualified symbol resolution with network symbol     ***
  ***    server shares in the symbol path may cause the debugger to     ***
  ***    appear to hang for long periods of time when an incorrect      ***
  ***    symbol name is typed or the network symbol server is down.     ***
  ***    For some commands to work properly, your symbol path           ***
  ***    must point to .pdb files that have full type information.      ***
  ***    Certain .pdb files (such as the public OS symbols) do not      ***
  ***    contain the required information.  Contact the group that      ***
  ***    provided you with these symbols if you need this command to    ***
  ***    work.                                                          ***
  ***    Type referenced: nt!_KPRCB                                     ***
  ***    Either you specified an unqualified symbol, or your debugger   ***
  ***    doesn't have full symbol information.  Unqualified symbol      ***
  ***    resolution is turned off by default. Please either specify a   ***
  ***    fully qualified symbol module!symbolname, or enable resolution ***
  ***    of unqualified symbols by typing ".symopt- 100". Note that   ***
  ***    enabling unqualified symbol resolution with network symbol     ***
  ***    server shares in the symbol path may cause the debugger to     ***
  ***    appear to hang for long periods of time when an incorrect      ***
  ***    symbol name is typed or the network symbol server is down.     ***
  ***    For some commands to work properly, your symbol path           ***
  ***    must point to .pdb files that have full type information.      ***
  ***    Certain .pdb files (such as the public OS symbols) do not      ***
  ***    contain the required information.  Contact the group that      ***
  ***    provided you with these symbols if you need this command to    ***
  ***    work.                                                          ***
  ***    Type referenced: nt!_KPRCB                                     ***
  Probably caused by : ntkrnlmp.exe ( nt!RtlAvlRemoveNode+478 )
  Followup: MachineOwner

  Thanks for the information.
  In case you do need to enable Driver Verifier, refer to the following:
  Driver Verifier:
  What is Driver Verifier?
  Driver Verifier is included in Windows 8/8.1, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows
  kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.
  Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.
  Before enabling Driver Verifier, it is recommended to create a System Restore Point:
  Vista - START | type rstrui - create a restore point
  Windows 7 - START | type create | select "Create a Restore Point"
  Windows 8/8.1 -
  http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html
  How to enable Driver Verifier:
  Start > type "verifier" without the quotes > Select the following options -
  1. Select - "Create custom settings (for code developers)"
  2. Select - "Select individual settings from a full list"
  3. Check the following boxes -
  - Special Pool
  - Pool Tracking
  - Force IRQL Checking
  - Deadlock Detection
  - Security Checks (Windows 7 & 8)
  - DDI compliance checking (Windows 8)
  - Miscellaneous Checks
  4. Select  - "Select driver names from a list"
  5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
  6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
  7. Click on Finish.
  8. Restart.
  Important information regarding Driver Verifier:
  - If Driver Verifier finds a violation, the system will BSOD. To expand on this a bit more for the interested, specifically what Driver Verifier actually does is it looks for any driver making illegal function calls, causing memory leaks, etc. When and/if this
  happens, system corruption occurs if allowed to continue. When Driver Verifier is enabled, it is monitoring
  all 3rd party drivers (as we have it set that way) and when it catches a driver attempting to do this, it will quickly flag that driver as being a troublemaker, and bring down the system safely before any corruption can occur.
  - After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will detect it in violation almost straight away, and
  as stated above, that will cause / force a BSOD.
  If this happens, do not panic, do the following:
  - Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
  - Once in Safe Mode - Start > Search > type "cmd" without the quotes.
  - To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
  ・    Restart and boot into normal Windows.
  If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:
  - Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
  - Once in Safe Mode - Start > type "system restore" without the quotes.
  - Choose the restore point you created earlier.
  -- Note that Safe Mode for Windows 8/8.1 is a bit different, and you may need to try different methods:
  5 Ways to Boot into Safe Mode in Windows 8 & Windows 8.1
  How long should I keep Driver Verifier enabled for?
  I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier. I will usually say whether or not I'd like for you to keep it enabled any longer.
  My system BSOD'd with Driver Verifier enabled, where can I find the crash dumps?
  They will be located in %systemroot%\Minidump
  Any other questions can most likely be answered by this article:
  http://support.microsoft.com/kb/244617
  Regards,
  Patrick

• BSOD caused by ntkrnlmp.exe

  Hello, 
  One of our clients has an annoying problem with BSODS almost daily cause by ntkrnlmp.exe and I couldn't manage to find what REALLY was the cause. Symbols were properly configure and still no clear infos. If someone can have a look over the Minidumps and/or
  Memory.DMP here are both:
  https://onedrive.live.com/?cid=E0FCDAC93086F976&id=E0FCDAC93086F976%21123
  Thank you,
  Cozmin

  Hi Cozmin V,
  This is excessive paged pool usage, this error may occur due to user-mode graphics driver crossing over and passing bad data to the kernel code.
  1: kd> !analyze -v
  *                        Bugcheck Analysis                                   
  SYSTEM_SERVICE_EXCEPTION (3b)
  An exception happened while executing a system service routine.
  Arguments:
  Arg1: 00000000c0000005, Exception code that caused the bugcheck
  Arg2: fffff800030a5aae, Address of the instruction which caused the bugcheck
  Arg3: fffff8800864c790, Address of the context record for the exception that caused the bugcheck
  Arg4: 0000000000000000, zero.
  Debugging Details:
  EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
  FAULTING_IP:
  nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+26
  fffff800`030a5aae f00fba3100      lock btr dword ptr [rcx],0
  CONTEXT:  fffff8800864c790 -- (.cxr 0xfffff8800864c790)
  rax=fffffa80082d63c0 rbx=0000000000000000 rcx=0000000000000000
  rdx=fffffa80082d63c0 rsi=00000000ffffffff rdi=fffffa80082d63c0
  rip=fffff800030a5aae rsp=fffff8800864d170 rbp=0000000000000001
  r8=0000000000000000  r9=fffff96000365ab8 r10=000000000002fcc7
  r11=fffff8800864d1c0 r12=0000000000000000 r13=0000000000000001
  r14=0000000000000000 r15=fffff900caf4dd30
  iopl=0         nv up ei ng nz na pe nc
  cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
  nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+0x26:
  fffff800`030a5aae f00fba3100      lock btr dword ptr [rcx],0 ds:002b:00000000`00000000=????????
  Resetting default scope
  DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
  BUGCHECK_STR:  0x3B
  PROCESS_NAME:  csrss.exe
  CURRENT_IRQL:  0
  LAST_CONTROL_TRANSFER:  from fffff9600060dce0 to fffff800030a5aae
  STACK_TEXT: 
  fffff880`0864d170 fffff960`0060dce0 : 00000000`00000000 000001c4`00000000 0000feed`52052bed 00001f80`00000000 : nt!ExEnterCriticalRegionAndAcquireFastMutexUnsafe+0x26
  fffff880`0864d1a0 fffff960`00177748 : 00000000`00000001 fffff900`c00b7010 00000000`00000001 fffff900`caf3c370 : cdd!CddBitmapHw::Release+0xc0
  fffff880`0864d1e0 fffff960`002b86b4 : 00000000`00000000 00000000`00000000 fffff900`caf3c370 00000000`00000000 : win32k!SURFACE::bDeleteSurface+0x358
  fffff880`0864d330 fffff960`002b8757 : fffff900`c00b7010 00000000`00000001 fffff900`c00b7010 00000000`00000001 : win32k!vDynamicConvertNewSurfaceDCs+0xd8
  fffff880`0864d360 fffff960`002b8ff2 : fffff900`c00b7010 00000000`00000001 fffff900`c8e35280 fffff900`c00b7010 : win32k!bDynamicRemoveAllDriverRealizations+0x6f
  FOLLOWUP_IP:
  cdd!CddBitmapHw::Release+c0
  fffff960`0060dce0 488b4738        mov     rax,qword ptr [rdi+38h]
  SYMBOL_STACK_INDEX:  1
  SYMBOL_NAME:  cdd!CddBitmapHw::Release+c0
  FOLLOWUP_NAME:  MachineOwner
  MODULE_NAME: cdd
  IMAGE_NAME:  cdd.dll
  DEBUG_FLR_IMAGE_TIMESTAMP:  4ce7c546
  STACK_COMMAND:  .cxr 0xfffff8800864c790 ; kb
  FAILURE_BUCKET_ID:  X64_0x3B_cdd!CddBitmapHw::Release+c0
  BUCKET_ID:  X64_0x3B_cdd!CddBitmapHw::Release+c0
  Followup: MachineOwner
  1: kd> lmvm cdd
  start             end                 module name
  fffff960`00600000 fffff960`00627000   cdd        (pdb symbols)          c:\symbols\cdd.pdb\88BFB882815849F88656925A7675F2BA1\cdd.pdb
      Loaded symbol image file: cdd.dll
      Mapped memory image file: c:\symbols\cdd.dll\4CE7C54627000\cdd.dll
      Image path: \SystemRoot\System32\cdd.dll
      Image name: cdd.dll
      Timestamp:        Sat Nov 20 20:55:34 2010 (4CE7C546)
      CheckSum:         0002D4F0
      ImageSize:        00027000
  Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
  1: kd> lmtsmn
  start             end                 module name
  fffff880`00f18000 fffff880`00f6f000   ACPI     ACPI.sys     Sat Nov 20 17:19:16 2010 (4CE79294)
  fffff880`068fd000 fffff880`0697d000   ADIHdAud ADIHdAud.sys Wed Jun 16 03:36:52 2010 (4C17D654)
  fffff880`048df000 fffff880`04968000   afd      afd.sys      Sat Nov 20 17:23:27 2010 (4CE7938F)
  fffff880`04a39000 fffff880`04a4f000   AgileVpn AgileVpn.sys Tue Jul 14 08:10:24 2009 (4A5BCCF0)
  fffff880`02ec4000 fffff880`02ed7180   aksdf    aksdf.sys    Mon Nov 21 19:09:56 2011 (4ECA3184)
  fffff880`032da000 fffff880`032fae00   aksfridge aksfridge.sys Tue Aug 07 18:34:40 2012 (5020EF40)
  fffff880`017f2000 fffff880`017fd000   amdxata  amdxata.sys  Sat Mar 20 00:18:18 2010 (4BA3A3CA)
  fffff880`01e50000 fffff880`01e65000   appid    appid.sys    Sat Nov 20 18:14:37 2010 (4CE79F8D)
  fffff880`078fb000 fffff880`07906000   asyncmac asyncmac.sys Tue Jul 14 08:10:13 2009 (4A5BCCE5)
  fffff880`013b2000 fffff880`013bb000   atapi    atapi.sys    Tue Jul 14 07:19:47 2009 (4A5BC113)
  fffff880`013bb000 fffff880`013e5000   ataport  ataport.SYS  Sat Nov 20 17:19:15 2010 (4CE79293)
  fffff960`00870000 fffff960`008d1000   ATMFD    ATMFD.DLL    Sat Nov 20 17:49:28 2010 (4CE799A8)
  fffff880`00fe0000 fffff880`00fec000   BATTC    BATTC.SYS    Tue Jul 14 07:31:01 2009 (4A5BC3B5)
  fffff880`04409000 fffff880`04410000   Beep     Beep.SYS     Tue Jul 14 08:00:13 2009 (4A5BCA8D)
  fffff880`04b76000 fffff880`04b87000   blbdrive blbdrive.sys Tue Jul 14 07:35:59 2009 (4A5BC4DF)
  fffff880`02fb1000 fffff880`02fcf000   bowser   bowser.sys   Wed Feb 23 12:55:04 2011 (4D649328)
  fffff960`00600000 fffff960`00627000   cdd      cdd.dll      Sat Nov 20 20:55:34 2010 (4CE7C546)
  Unloaded modules:
  fffff880`078b6000 fffff880`078c4000   monitor.sys
      Timestamp: unavailable (00000000)
      Checksum:  00000000
      ImageSize:  0000E000
  fffff880`078a8000 fffff880`078b6000   monitor.sys
      Timestamp: unavailable (00000000)
      Checksum:  00000000
      ImageSize:  0000E000
  fffff880`0789a000 fffff880`078a8000   monitor.sys
      Timestamp: unavailable (00000000)
      Checksum:  00000000
      ImageSize:  0000E000
  fffff880`0788c000 fffff880`0789a000   monitor.sys
      Timestamp: unavailable (00000000)
      Checksum:  00000000
      ImageSize:  0000E000
  fffff880`0787e000 fffff880`0788c000   monitor.sys
      Timestamp: unavailable (00000000)
      Checksum:  00000000
      ImageSize:  0000E000
  By checking your DMP file, we also found it related to cdd.dll which is the Canonical Display Driver from Microsoft, it's a system file. You could refer to this link for more information about cdd and bitmap
  http://answers.microsoft.com/en-us/windows/forum/windows_7-system/bluescreen-error-when-alttabbing-out-of-full/267be931-70b1-482f-8164-c3cd8084def0
  We suggest you replace your graphic/display driver and keep them up to date, then check the issue again.
  Also you have a lot of outdated drivers on your system including cdd.dll. Please update these drivers for good measure.
  If you're still crashing after all of the above, enable Driver Verifier to look for further corruption:
  Driver Verifier:
  What is Driver Verifier?
  Driver Verifier is included in Windows 8, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows
  kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.
  Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.
  Note: Before enabling Driver Verifier, it is recommended to create a System Restore Point
  For more information about Driver Verifier
  https://msdn.microsoft.com/en-us/library/windows/hardware/ff545448(v=vs.85).aspx

• Tdx.sys ntkrnlmp.exe BSOD after P2V Windows 2008 R2 Standard

  Hi all,
  We ran a P2V against a Server 2008 R2 Standard (SBS) DC on the weekend. Given that VMware hasn't released a cold clone ISO for a while, we used ShadowProtect Recovery Environment and Hardware Independent Restore. It worked a treat, stripped the old physical
  NICs out.
  Monday morning it threw a BSOD, then again at 10 am that day.
  We immediately patched to remove the http.sys BSOD vulnerability to be safe.
  We also patched 2008 R2 to SP1 x64 latest versions.
  It crashed again last night, then again at 10 am today and every day since.
  The BSOD dumps mention ntkrnlmp.exe and tdx.sys
  vSphere is a new Intel server S2600CP2 running vSphere 5.5 Update 2.
  The VM is running a VMXnet3 NIC, we've had issues before. RAID controller is Intel RMS25PB040.
  The server runs AD/DNS, Exchange, File Shares and Printers.
  We're combing through tasks, as it may be falling over at the same time every couple of days.
  We've disabled Kaspersky Endpoint protection.
  We will be planning to swap over the VMXnet3 NIC to E1000 later today, once we have a full backup that runs to USB.
  After extensive researching we are leaning towards the NIC/network being a problem under load causing the BSOD.
  Anyone else have any other suggestions we can try to resolve the BSOD issues?
  Screenshot of the BSOD error codes: http://imgur.com/xRwZcKf
  Here is an output of the minidump file:
  Debugging Details:
  TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
  BUGCHECK_STR:  0x7f_8
  CUSTOMER_CRASH_COUNT:  1
  DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT_SERVER
  PROCESS_NAME:  System
  CURRENT_IRQL:  2
  LAST_CONTROL_TRANSFER:  from fffff80001e911a9 to fffff80001e91c00
  STACK_TEXT:
  fffff80001d22d28 fffff80001e911a9 : 000000000000007f 0000000000000008 0000000080050031 00000000000406f8 : nt!KeBugCheckEx fffff80001d22d30 fffff80001e8f672 : 0000000000000000 0000000000000000
  0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69 fffff80001d22e70 fffff88003413a0c : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDoubleFaultAbort+0xb2
  fffff88002b02f90 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : tdx!TdxIssueQueryAddressRequest+0x5c
  STACK_COMMAND:  kb
  FOLLOWUP_IP:  tdx!TdxIssueQueryAddressRequest+5c fffff88003413a0c ff1576370100    call    qword ptr [tdx!_imp_ExAllocatePoolWithTag (fffff88003427188)]
  SYMBOL_STACK_INDEX:  3
  SYMBOL_NAME:  tdx!TdxIssueQueryAddressRequest+5c
  FOLLOWUP_NAME:  MachineOwner
  MODULE_NAME: tdx
  IMAGE_NAME:  tdx.sys
  DEBUG_FLR_IMAGE_TIMESTAMP:  4ce79332
  FAILURE_BUCKET_ID:  X64_0x7f_8_tdx!TdxIssueQueryAddressRequest+5c
  BUCKET_ID:  X64_0x7f_8_tdx!TdxIssueQueryAddressRequest+5c
  Followup: MachineOwner

  Hi Sir,
  >>We ran a P2V against a Server 2008 R2 Standard (SBS) DC on the weekend. Given that VMware hasn't released a cold clone ISO for a while
  It seems that you have performed WMware P2V , it is beyond what we can support . You may need to post this issue into WMware forum :
  https://communities.vmware.com/welcome
  In windows hyper-v , there is a tool " disk2VHD" can help us to perform P2V :
  https://technet.microsoft.com/en-us/library/ee656415.aspx?f=255&MSPPError=-2147217396
  Best Regards,
  Elton Ji
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] .

• Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b8 )

  I am debugging a minidump file but I am not able to make out if the problem is related to hardware or software? The possible culprit could be “ntkrnlmp.exe” but which thread or process faulted is beyond my understanding. Please can someone help a newbie
  debugger.
  Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved.
  Loading Dump File [D:\Items\Mini030413-01.dmp] Mini Kernel Dump File: Only registers and stack trace are available
  Symbol search path is: srv*f:\symbols\websymbols*http://msdl.microsoft.com/download/symbols
  Executable search path is:
  Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (16 procs) Free x64
  Product: Server, suite: Enterprise TerminalServer SingleUserTS
  Built by: 6002.18607.amd64fre.vistasp2_gdr.120402-0336
  Machine Name:
  Kernel base = 0xfffff800`01e08000 PsLoadedModuleList = 0xfffff800`01fccdd0
  Debug session time: Mon Mar  4 07:23:36.821 2013 (UTC + 13:00)
  System Uptime: 49 days 13:51:33.653
  Loading Kernel Symbols
  Loading User Symbols
  Loading unloaded module list
  *                        Bugcheck Analysis                                   
  Use !analyze -v to get detailed debugging information.
  BugCheck 7F, {8, 80050033, 6f8, fffff80001e8b4af}
  Unable to load image spep.sys, Win32 error 0n2
  *** WARNING: Unable to verify timestamp for spep.sys
  *** ERROR: Module load completed but symbols could not be loaded for spep.sys
  Probably caused by : ntkrnlmp.exe ( nt!KiDoubleFaultAbort+b8 )
  Followup: MachineOwner
  6: kd> !analyze -v
  *                        Bugcheck Analysis              
  UNEXPECTED_KERNEL_MODE_TRAP (7f)
  This means a trap occurred in kernel mode, and it's a trap of a kind
  that the kernel isn't allowed to have/catch (bound trap) or that
  is always instant death (double fault).  The first number in the
  bugcheck params is the number of the trap (8 = double fault, etc)
  Consult an Intel x86 family manual to learn more about what these
  traps are. Here is a *portion* of those codes:
  If kv shows a taskGate
          use .tss on the part before the colon, then kv.
  Else if kv shows a trapframe
          use .trap on that value
  Else
          .trap on the appropriate frame will show where the trap was taken
          (on x86, this will be the ebp that goes with the procedure KiTrap)
  Endif
  kb will then show the corrected stack.
  Arguments:
  Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
  Arg2: 0000000080050033
  Arg3: 00000000000006f8
  Arg4: fffff80001e8b4af
  Debugging Details:
  BUGCHECK_STR:  0x7f_8
  CUSTOMER_CRASH_COUNT:  1
  DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP
  PROCESS_NAME:  w3wp.exe
  CURRENT_IRQL:  1
  EXCEPTION_RECORD:  fffffa60122c30a8 -- (.exr 0xfffffa60122c30a8)
  ExceptionAddress: fffff80001e8767d (nt!RtlVirtualUnwind+0x000000000000016d)
     ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
  NumberParameters: 2
     Parameter[0]: 0000000000000000
     Parameter[1]: 00000000000000d8
  Attempt to read from address 00000000000000d8
  TRAP_FRAME:  fffffa60122c2080 -- (.trap 0xfffffa60122c2080)
  NOTE: The trap frame does not contain all registers.
  Some register values may be zeroed or incorrect.
  rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000000
  rdx=00000000000000d8 rsi=0000000000000000 rdi=0000000000000000
  rip=fffff80001e8767d rsp=fffffa60122c2210 rbp=fffffa60122c2450
   r8=0000000000000005  r9=fffff80001e08000 r10=ffffffffffffff80
  r11=fffff80002006000 r12=0000000000000000 r13=0000000000000000
  r14=0000000000000000 r15=0000000000000000
  iopl=0         nv up ei pl zr na po nc
  nt!RtlVirtualUnwind+0x16d:
  fffff800`01e8767d 488b02          mov     rax,qword ptr [rdx] ds:00000000`000000d8=????????????????
  Resetting default scope
  LAST_CONTROL_TRANSFER:  from fffff80001e5f86e to fffff80001e5fad0
  STACK_TEXT: 
  fffffa60`01f1da68 fffff800`01e5f86e : 00000000`0000007f 00000000`00000008 00000000`80050033 00000000`000006f8 : nt!KeBugCheckEx
  fffffa60`01f1da70 fffff800`01e5e0b8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x6e
  fffffa60`01f1dbb0 fffff800`01e8b4af : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb8
  fffffa60`122bdf40 fffff800`01e98d32 : fffffa60`122bed68 fffffa60`122bee90 fffffa60`122bee10 00000000`00000000 : nt!RtlDispatchException+0x2f
  fffffa60`122be630 fffff800`01e5f929 : fffffa60`122bed68 00000000`00000003 fffffa60`122bee10 00000000`00000114 : nt!KiDispatchException+0xc2
  fffffa60`122bec30 fffff800`01e5e725 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000003 : nt!KiExceptionDispatch+0xa9
  fffffa60`122bee10 fffff800`01e8767d : 00000000`00059d17 fffffa60`122bf078 fffff800`01e08000 fffff800`01e08000 : nt!KiPageFault+0x1e5
  fffffa60`122befa0 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 00000000`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
  fffffa60`122bf010 fffff800`01e98d32 : fffffa60`122bfe38 fffffa60`122bf810 fffffa60`00000000 00000000`00000000 : nt!RtlDispatchException+0x118
  fffffa60`122bf700 fffff800`01e5f929 : fffffa60`122bfe38 00000000`00000003 fffffa60`122bfee0 00000000`00000114 : nt!KiDispatchException+0xc2
  fffffa60`122bfd00 fffff800`01e5e725 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000003 : nt!KiExceptionDispatch+0xa9
  fffffa60`122bfee0 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c0148 fffff800`01e08000 fffff800`01e08000 : nt!KiPageFault+0x1e5
  fffffa60`122c0070 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 00000000`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
  fffffa60`122c00e0 fffff800`01e98d32 : fffffa60`122c0f08 fffffa60`122c08e0 fffffa60`00000000 00000000`00000000 : nt!RtlDispatchException+0x118
  fffffa60`122c07d0 fffff800`01e5f929 : fffffa60`122c0f08 00000000`00000003 fffffa60`122c0fb0 00000000`00000114 : nt!KiDispatchException+0xc2
  fffffa60`122c0dd0 fffff800`01e5e725 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000003 : nt!KiExceptionDispatch+0xa9
  fffffa60`122c0fb0 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c1218 fffff800`01e08000 fffff800`01e08000 : nt!KiPageFault+0x1e5
  fffffa60`122c1140 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 00000000`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
  fffffa60`122c11b0 fffff800`01e98d32 : fffffa60`122c1fd8 fffffa60`122c19b0 fffffa60`00000000 00000000`00000000 : nt!RtlDispatchException+0x118
  fffffa60`122c18a0 fffff800`01e5f929 : fffffa60`122c1fd8 00000000`00000003 fffffa60`122c2080 00000000`00000114 : nt!KiDispatchException+0xc2
  fffffa60`122c1ea0 fffff800`01e5e725 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000003 : nt!KiExceptionDispatch+0xa9
  fffffa60`122c2080 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c22e8 fffff800`01e08000 fffff800`01e08000 : nt!KiPageFault+0x1e5
  fffffa60`122c2210 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 00000000`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
  fffffa60`122c2280 fffff800`01e98d32 : fffffa60`122c30a8 fffffa60`122c2a80 fffffa60`00000000 00000000`00000000 : nt!RtlDispatchException+0x118
  fffffa60`122c2970 fffff800`01e5f929 : fffffa60`122c30a8 00000000`00000003 fffffa60`122c3150 00000000`00000114 : nt!KiDispatchException+0xc2
  fffffa60`122c2f70 fffff800`01e5e725 : 00000000`00000000 fffffa60`122c31a0 fffffa80`69d06800 00000000`00000003 : nt!KiExceptionDispatch+0xa9
  fffffa60`122c3150 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c33b8 fffff800`01e08000 fffffa60`122c3c80 : nt!KiPageFault+0x1e5
  fffffa60`122c32e0 fffff800`01e8b598 : fffffa60`00000001 00000000`00000000 fffffa60`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
  fffffa60`122c3350 fffff800`01e98d32 : fffffa60`122c4178 fffffa60`122c3b50 fffffa60`00000000 fffffa60`0160a000 : nt!RtlDispatchException+0x118
  fffffa60`122c3a40 fffff800`01e5f929 : fffffa60`122c4178 00000000`00000003 fffffa60`122c4220 00000000`00000114 : nt!KiDispatchException+0xc2
  fffffa60`122c4040 fffff800`01e5e725 : 00000000`00000000 fffffa80`1cff1010 fffffa80`2340ae00 00000000`00000003 : nt!KiExceptionDispatch+0xa9
  fffffa60`122c4220 fffff800`01e8767d : 00000000`00059d17 fffffa60`122c4970 fffff800`01e08000 62206465`00000000 : nt!KiPageFault+0x1e5
  fffffa60`122c43b0 fffff800`020ec4b2 : fffff800`00000001 fffffa60`10893500 fffff880`00000000 ffffffff`ffffff80 : nt!RtlVirtualUnwind+0x16d
  fffffa60`122c4420 fffff800`01e8cf4d : ffffffff`ffffff80 fffffa80`695fe060 fffffa60`10893570 fffff800`01e08000 : nt!PspGetSetContextInternal+0x36a
  fffffa60`122c4970 fffff800`01e811ce : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!PspGetSetContextSpecialApc+0x9d
  fffffa60`122c4a80 fffff800`01e61faf : fffffa80`695fe310 00000000`00000000 00000000`00000000 fffffa80`695fe060 : nt!KiDeliverApc+0x19e
  fffffa60`122c4b20 fffff800`01e569bb : 00000000`00000007 fffffa60`0161e424 fffffa80`00000005 00000000`00000000 : nt!KiSwapThread+0x3ef
  fffffa60`122c4b90 fffff800`01e94dad : ffff0050`00000000 fffffa60`00000005 fffffa80`122c0000 fffffa60`00000000 : nt!KeWaitForSingleObject+0x2cb
  fffffa60`122c4c20 fffff800`01e81307 : 00000000`00000000 fffff880`082f6448 fffffa80`3ecdf064 00000000`00000000 : nt!KiSuspendThread+0x29
  fffffa60`122c4c60 fffff800`01e84c23 : fffffa60`122c4d80 00000000`00000000 fffff800`01e94d84 00000000`00000000 : nt!KiDeliverApc+0x2d7
  fffffa60`122c4d00 fffffa60`00c43093 : fffffa80`1ce4a180 fffffa60`01617601 fffffa80`5c527c40 fffff880`082f0100 : nt!KiApcInterrupt+0x103
  fffffa60`122c4e90 fffffa80`1ce4a180 : fffffa60`01617601 fffffa80`5c527c40 fffff880`082f0100 fffffa60`122c5390 : spep+0x40093
  fffffa60`122c4e98 fffffa60`01617601 : fffffa80`5c527c40 fffff880`082f0100 fffffa60`122c5390 fffffa80`1c000000 : 0xfffffa80`1ce4a180
  fffffa60`122c4ea0 fffff880`082f6140 : fffff880`082f6390 fffff800`01e6dc7c 00000000`00000000 fffffa80`69ae8110 : Ntfs!NtfsCleanupIrpContext+0xd1
  fffffa60`122c4ef0 fffff880`082f6390 : fffff800`01e6dc7c 00000000`00000000 fffffa80`69ae8110 fffffa80`69ae8420 : 0xfffff880`082f6140
  fffffa60`122c4ef8 fffff800`01e6dc7c : 00000000`00000000 fffffa80`69ae8110 fffffa80`69ae8420 fffffa80`67000d00 : 0xfffff880`082f6390
  fffffa60`122c4f00 fffff800`01e649a4 : fffffa80`1bf27000 fffffa60`122c4f68 fffffa80`1ce4a030 00000000`00000000 : nt!KiIpiProcessRequests+0x21c
  fffffa60`122c4f50 fffffa60`122c5220 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiIpiInterrupt+0x114
  fffffa80`69ae8110 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffffa60`122c5220
  STACK_COMMAND:  kb
  MODULE_NAME: nt
  IMAGE_NAME:  ntkrnlmp.exe
  FOLLOWUP_NAME:  MachineOwner
  DEBUG_FLR_IMAGE_TIMESTAMP:  4f79ae26
  FOLLOWUP_IP:
  nt!KiDoubleFaultAbort+b8
  fffff800`01e5e0b8 90              nop
  SYMBOL_STACK_INDEX:  2
  SYMBOL_NAME:  nt!KiDoubleFaultAbort+b8
  FAILURE_BUCKET_ID:  X64_TRAP_FRAME_RECURSION
  BUCKET_ID:  X64_TRAP_FRAME_RECURSION
  Followup: MachineOwner
  6: kd> .trap 0xfffffa60122c2080
  NOTE: The trap frame does not contain all registers.
  Some register values may be zeroed or incorrect.
  rax=0000000000000005 rbx=0000000000000000 rcx=0000000000000000
  rdx=00000000000000d8 rsi=0000000000000000 rdi=0000000000000000
  rip=fffff80001e8767d rsp=fffffa60122c2210 rbp=fffffa60122c2450
   r8=0000000000000005  r9=fffff80001e08000 r10=ffffffffffffff80
  r11=fffff80002006000 r12=0000000000000000 r13=0000000000000000
  r14=0000000000000000 r15=0000000000000000
  iopl=0         nv up ei pl zr na po nc
  nt!RtlVirtualUnwind+0x16d:
  fffff800`01e8767d 488b02          mov     rax,qword ptr [rdx] ds:00000000`000000d8=????????????????

  Please understand that debugging is not officially supported in Technet forum, please contact Microsoft Customer Support Service (CSS) if you need any help on dump file debugging. To obtain the phone numbers for specific technology request, please refer
  to the website listed below:
  http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
  If you are outside the US, please refer to
  http://support.microsoft.com for regional support phone numbers.
  For your reference, you can start by implementing the following troubleshooting steps
  Run a chkdsk /r  with elevated privilege against the system drives to find out any filesystem corruption
  Run sfc /scannow to verify the protected Windows files from an administrative command prompt
  Do RAM test or use a third-party tool like MemTest86+
  Update BIOS and devices drivers.

• Windows 8.1 BSOD and the culprit is ntkrnlmp.exe

  Here is the log of dump file
  0: kd> !analyze -v
  *                        Bugcheck Analysis                                    *
  DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
  The IO manager has caught a misbehaving driver.
  Arguments:
  Arg1: 0000000000000221, An IRP dispatch handler for a PDO has deleted its device object, but the
  hardware has not been reported as missing in a bus relations query.
  Arg2: fffff8021aa88a78, The address in the driver's code where the error was detected.
  Arg3: ffffcf8164f18af0, IRP address.
  Arg4: ffffe0008738a8c0, Device object address.
  Debugging Details:
  BUGCHECK_STR:  0xc9_221
  DRIVER_VERIFIER_IO_VIOLATION_TYPE:  221
  FAULTING_IP: 
  nt!ViGenericPnp+0
  fffff802`1aa88a78 4c8b05d12dc8ff  mov     r8,qword ptr [nt!pXdvIRP_MJ_PNP (fffff802`1a70b850)]
  FOLLOWUP_IP: 
  nt!ViGenericPnp+0
  fffff802`1aa88a78 4c8b05d12dc8ff  mov     r8,qword ptr [nt!pXdvIRP_MJ_PNP (fffff802`1a70b850)]
  IRP_ADDRESS: ffffcf8164f18af0
  DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
  PROCESS_NAME:  System
  CURRENT_IRQL:  2
  ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
  LAST_CONTROL_TRANSFER:  from fffff8021aa786b0 to fffff8021a556fa0
  STACK_TEXT:  
  ffffd001`279861a8 fffff802`1aa786b0 : 00000000`000000c9 00000000`00000221 fffff802`1aa88a78 ffffcf81`64f18af0 : nt!KeBugCheckEx
  ffffd001`279861b0 fffff802`1aa7b171 : fffff802`1aa6b470 fffff802`1aa88a78 ffffcf81`64f18af0 ffffe000`8738a8c0 : nt!VerifierBugCheckIfAppropriate+0x3c
  ffffd001`279861f0 fffff802`1aa719f0 : ffffe000`899daca0 ffffd001`27986350 ffffe000`83fbdd40 00000000`00000000 : nt!ViErrorFinishReport+0x10d
  ffffd001`27986250 fffff802`1aa77bd5 : 00000000`00000000 fffff802`1a7b4f4e ffffe000`899daca0 00000000`00020000 : nt!IovpCallDriver2+0x15c
  ffffd001`27986620 fffff802`1aa6c928 : ffffcf81`64f18af0 00000000`00000002 ffffcf81`64f18af0 fffff802`1aa78471 : nt!VfAfterCallDriver+0x289
  ffffd001`279866b0 fffff802`1a7b4f4e : ffffe000`8738a8c0 00000000`00000000 ffffd001`279867b0 ffffe000`899daca0 : nt!IovCallDriver+0x3e4
  ffffd001`27986700 fffff802`1a8cde24 : 00000000`00000002 ffffd001`279867c9 ffffe000`861fe770 ffffe000`8738a8c0 : nt!IopSynchronousCall+0xfe
  ffffd001`27986770 fffff802`1a51e6bb : ffffc000`bea120d0 00000000`0000000a ffffe000`861fe770 00000000`0000000a : nt!IopRemoveDevice+0xe0
  ffffd001`27986830 fffff802`1a8cd771 : ffffe000`8738a8c0 ffffe000`861fe770 ffffc000`bd6e0990 fffff802`1a994e36 : nt!PnpRemoveLockedDeviceNode+0x1a7
  ffffd001`27986890 fffff802`1a8cd6ea : 00000000`00000000 ffffc000`bd6e0990 ffffe000`861fe770 00000000`3f051397 : nt!PnpDeleteLockedDeviceNode+0x4d
  ffffd001`279868d0 fffff802`1a8cc7f3 : ffffe000`861043b0 ffffd001`00000002 00000000`00000000 00000000`00000000 : nt!PnpDeleteLockedDeviceNodes+0x9a
  ffffd001`27986950 fffff802`1a7a7139 : ffffc000`bea12000 00000000`00000007 ffffc000`00000000 ffffe000`ffffffff : nt!PnpProcessQueryRemoveAndEject+0x4ef
  ffffd001`27986ab0 fffff802`1a7a7571 : ffffc000`bea120d0 00000000`00000000 00000000`00000000 fffff802`1a7a7260 : nt!PnpProcessTargetDeviceEvent+0x9d
  ffffd001`27986af0 fffff802`1a456adb : fffff802`1a7a7260 ffffc000`be661440 ffffd001`27986bd0 ffffe000`889c1ab0 : nt!PnpDeviceEventWorker+0x311
  ffffd001`27986b50 fffff802`1a4d2794 : 00000000`00000000 ffffe000`832d7880 ffffe000`832d7880 ffffe000`8328c040 : nt!ExpWorkerThread+0x293
  ffffd001`27986c00 fffff802`1a55d5c6 : ffffd001`2c3dc180 ffffe000`832d7880 ffffd001`2c3e83c0 00000000`00000000 : nt!PspSystemThreadStartup+0x58
  ffffd001`27986c60 00000000`00000000 : ffffd001`27987000 ffffd001`27981000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
  STACK_COMMAND:  .bugcheck ; kb
  SYMBOL_NAME:  nt!ViGenericPnp+0
  FOLLOWUP_NAME:  MachineOwner
  MODULE_NAME: nt
  IMAGE_NAME:  ntkrnlmp.exe
  DEBUG_FLR_IMAGE_TIMESTAMP:  5318053f
  BUCKET_ID_FUNC_OFFSET:  0
  FAILURE_BUCKET_ID:  0xc9_221_VRF_nt!ViGenericPnp
  BUCKET_ID:  0xc9_221_VRF_nt!ViGenericPnp
  ANALYSIS_SOURCE:  KM
  FAILURE_ID_HASH_STRING:  km:0xc9_221_vrf_nt!vigenericpnp
  FAILURE_ID_HASH:  {9b03958c-18ab-732a-2c41-f92dcd519377}
  Followup: MachineOwner
  Could anyone give me a fever for finding the root cause?

  Hi,
  In order to assist you, we will need the .DMP files to analyze what exactly occurred at the time of the crash, etc.
  If you don't know where .DMP files are located, here's how to get to them:
  1. Navigate to the %systemroot%\Minidump folder.
  -- %systemroot% is the environment variable for your Windows directory. For example, C:\Windows.
  2. Copy any and all .DMP files in the Minidump folder to your Desktop, create a new folder on the Desktop to put these .DMP files in, and then zip the folder. You can then either use a 3rd party tool such as 7-Zip/Winrar, or you can use Windows'
  default method of zipping folders.
  Compress and uncompress files (zip files).
  Please note that any "cleaner" programs such as TuneUpUtilities, CCleaner, etc, by default will delete .DMP files upon use. With this said, if you've run such software, and your Minidump folder is empty, you will need
  to allow the system to crash once again to generate a crash dump.
  3. Upload the .ZIP containing the .DMP files to Onedrive or a hosting site of your choice and paste in your reply.
  Preferred sites: Onedrive, Mediafire, Dropbox, etc. Nothing with wait-timers, download managers, etc.
  4 (optional): The type of .DMP files located in the Minidump folder are known as Small Memory Dumps. In %systemroot% there will be what is known as a Kernel Memory Dump (if your system is set to generate). It is labeled MEMORY.DMP. The difference
  between Small Memory Dumps and Kernel Memory Dumps in the simplest definition is a Kernel Memory Dump contains
  much more information at the time of the crash, therefore allowing further debugging of your issue. If your upload speed permits it, and you aren't going against any strict bandwidth and/or usage caps, etc, the Kernel Memory Dump is
  the best choice. Do note that Kernel Memory Dumps are much larger
  in size due to containing much more info, which is why I mentioned upload speed, etc.
  If you are going to use Onedrive but don't know how to upload to it, please visit the following:
  Upload photos and files to Onedrive.
  After doing that, to learn how to share the link to the file if you are unaware, please visit the following link -
  Share files and folders and change permissions and view 'Get a link'.
  If your computer is not generating .DMP files, please do the following:
  1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.
  2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for
  all drives'.
  3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the
  system log'.
  Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.
  4. Double check that the WERS is ENABLED:
  Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than
  Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.
  If you cannot get into normal mode to do any of this, please do this via Safe Mode.
  Regards,
  Patrick
  “Be kind whenever possible. It is always possible.” - Dalai Lama

• Blue Screen crash in Windows 7: culprit is ntkrnlmp.exe

  Hi, I've been, with increasingly frequency, getting crashes on my Windows 7-run Gateway.  Here's what I see when I run the WhoCrashed program (I'm very computer illiterate, sorry!):
  On Wed 1/22/2014 11:34:06 PM GMT your computer crashed
  crash dump file: C:\Windows\memory.dmp
  This was probably caused by the following module:
  ntkrnlmp.exe (nt!PsIsProtectedProcess+0x2A0)
  Bugcheck code: 0xD1 (0x18, 0x2, 0x0, 0xFFFFF8800188AC49)
  Error: DRIVER_IRQL_NOT_LESS_OR_EQUAL
  Bug check description: This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.
  This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
  The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.
  Can anyone help?  Thanks a bunch!!!

  Hi Ray,
  Just additional. Troubleshoot this kind of kernel crash issue, we need to analyze the crash dump file to narrow down the root cause of the issue. Actually, it is not effective
  for us to debug the crash dump file here in the forum. If this issues is a state of emergency for you. Please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
  To obtain the phone numbers for specific technology request, please refer to the web site listed below:
  http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
  Hope this helps.
  Best regards,
  Justin Gu

• Each time that I go into edit with Photoshop Elements 8 it causes a physical dump and shuts down

  Each time that I go into my Photoshop Elements 8 it causes a physical dump and shuts down.  I have only used this program a few times although I have had it a few years.  The first couple of times it worked fine; but now, it shuts me down each time.  I have already tried unistall and reinstall.  Help!

  Well, can you try opening just the Photoshop Elements 8 (from the Start menu) and see if it opens Editor from Welcome Screen or not?
  It it still crashes, please try couple of probable solutions as mentioned below:
  Solution 1:
  Close Elements.
  Launch the Photoshop Elements Welcome Screen and hold down ctrl + alt + shift as you click Editor.
  Continue to hold the keys until you see a message box asking if you want to delete Photoshop Elements settings file; click Yes. Elements will open with default preferences.
  Solution 2: In case any network printer is attached try to launch without network or printer uninstall or make different printer as default.
  Solution 3: Try launching with anti-virus off or removing PSE from conflicting list.
  Solution 4:
  On the drive on which you have installed PSE,on my machine it is on C:
  Go  to C:\Program Files\Adobe\Photoshop Elements 10\Locales\<locale>\Plug-Ins\Import-Exportand you will find twain  plug-in. Remove that plug-in from that location and copy it somewhere else.
  Now launch PSE and check if it works.

• Reader 9 causes BSOD on Windows XP Pro

  We have a few systems here that are having real problems with Adobe Reader 9. When the users attempt to open a .pdf file, they get a BSOD, and the system reboots. Once the system comes back up, they are able to open the offending file with no problems.
  Here are details of our systems:
  Dell Optiplex 755
  Windows XP Pro SP3
  2GB Ram
  32 Bit OS
  I have found this occurs most often when opening pdf's that were created with earlier versions.
  I'm sure I have left out some vital piece of information, so if you need clarification on something, please ask. Any suggestions would be greatly appreciated!

  [While the original post was for Reader 9, I found this same problem with Acrobat 9 Pro, and found a solution.]
  Problem: Opening one PDF file is fine, but once you open the second file -- BSOD.
  Cause: There is still a problem with Adobe's 2D GPU Acceleration feature.
  Per http://kb.adobe.com/selfservice/viewContent.do?externalId=kb405218&sliceId=1, "If acceleration hardware is detected, then optimization is enabled for all files except the first one opened when Acrobat launches." That is why the first file opens OK, but the second causes BSOD.  Adobe is either not detecting acceleration hardware correctly, or is not calling it correctly.
  Temporary Solution:
    1.  In Acrobat or Adobe Reader, choose to Edit > Preferences.
    2.  Go to the Page Display panel.
    3.  Uncheck Use 2D GPU acceleration.
  I tested my machine [Dell Optiplex 755, ATI Radion HD 2400 XT 8.420.0.0, Win XP Pro, Adobe 9 Pro] with "2D GPU acceleration" checked, attempted open of 4 PDFs from File Explorer -->first one opened, then BSOD, rebooted, unchecked "2D GPU", attempted the exact same operation --> all four opened in their windows and now I am happily typing on this page.
  This is per http://kb.adobe.com/selfservice/viewContent.do?externalId=324073, which is a post from two years ago and relates to Adobe 8.  So, Dell has been fielding calls on this for at least two years.  Way to stick in there, Dell.  Two years ago, Adobe knew the problem ("You are using an desktop ATI video card with driver version 8.291 or 8.301 and have the Acrobat Page Display Preference 'Use 2D GPU acceleration' enabled." was what they said back then, and recommended updating the video drivers.  So, Dell stays with it, Adobe says to update your drivers.  Well, I bought an entirely new Dell to get the latest drivers and it didn't help.
  Permanent solution:
  Adobe needs to get 2D GPU acceleration to really work (how about a line of code where you check whether it is going to work before you execute it?) or ship their product with that feature off by default.

• Drivers cause BSOD {URGENT}

  Good day
  About 2 years ago I bought this laptop for a really good deal and i was impressed with the performance i got with it. Its quite a powerful and quality piece of tech.
  There are some drawbacks...
  In the two years ive had it ive formatted the laptop twice. Once to upgrade to windows 8.1,  and now because windows got corrupted and it didnt want to use a restore point. Which is normal for windows, it doesnt last forever.
  Drivers are a mess. Most i can gather is i'm suppose to download my laptop's drivers from here.
  http://support.hp.com/us-en/drivers/selfservice/HP​-Pavilion-dv6-Entertainment-Notebook-PC-series/522​...
  There are 3 different wireless lan drivers, the chipset drivers cause BSOD's, i can install every single driver on the list and i still have about 4 unknown devices in my device manager.
  Point is Im better off googling for the hardware ID's and scrubbing forums for my drivers.
  Please could Someone supply me a link where i can download a complete Driver DVD image for my laptop model that works.  I am more than willing to download a 1.4 gig torrent if it has proper work everytime drivers.
  Infact i would even drive to hp head office if they could supply me with a hardcopy.
  Help Please!
  Before i break something.
  Back on windows 7 btw

  Hi @Pixelite ,
  Thank you for visiting the HP Support Forums and Welcome. I have looked into your issue about your HP Pavilion dv6-7030ei Notebook and needing a recovery disk. Here is a link to show you how to and or order the Recovery Media you need.
  FWI: The driver page shows all drivers that were installed on all HP Pavilion  Notebooks.
  I would uninstall all the drivers with a yellow mark or caution on it. Restart the Notebook and if they are still there right click on the device and install or update the drivers.
  I hope this helps you out.
  Thanks.
  Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
  Click the “Kudos, Thumbs Up" on the bottom to say “Thanks” for helping!

• [b]httpd.exe causing reference error[/b]

  Hello Everybody,
  We are having problems with iPlanet Web Server version 4.1. We have installed this on Windows 2000.
  We are getting "httpd.exe causing reference error" at the time of booting of the machine as well as at the time of starting the web server.
  We tried numerous times uninstalling and re-installing iPlanet 4.1 after clearing the registry. We even tried formatting the hard drive, set up Windows 2000 and installed iPlanet 4.1.
  But, nothing works and keep on getting the same error...
  KIndly someone get me the solution ASAP as we are working on time bound application.
  Sincerely appreciate your time and efforts in advande ...

  You may be running into this if you are using Pentium 4 machine:
  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsunone%2F7724&zone_32=pentium%204&wholewords=on
  Try disabling the JIT first as suggested in this article and see if it helps. To disable JIT, add the following to jvm12.conf files of the instances:
  java.compiler=NONE
  Hope it helps.
  Thanks,
  Manish

• Ntkrnlpa.exe 22fa3 causing bsod at point of final shutdown

  My minidump file says: "ntkrnlpa.exe+22fa3" has caused the BSOD.
  This BSOD appears at the final point of shut down / restart.
  Other syptoms:
  This DC7700p using SP3 is running slowly - memory seems to over used.
  I have run Malwarebytes, CCleaner, SuperSpyware and NIS is loaded on this machine.
  All report "no problems"
  Also my USB mouse is affecting the audio when moved.
  The later may just be just lack of memory.
  System:
  O/s build 2600 lang: 0809
  RAM 3.6GB
  Bios 786e1 vo3.07
  Tried replacing SP3 and every other thing I have found to sort this problem.
  Fed up reading and searching for the answer.
  Any thoughts

  Hi Silverfox1947,
  I was wondering when was the last time your system was defragmented? Here is a document on how to defragment your disk drive volumes in Windows XP.
  http://support.microsoft.com/kb/314848
  If that does not work the next step would be to do a system restore. Here is a link on how to do that.
  http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/app_system_restore_hs...
  Hope it helps.
  Thanks
  Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
  Click the “Kudos, Thumbs Up" on the bottom to say “Thanks” for helping!

• Ituneshelper.exe causing repeated BSODs

  Hi.  I have recently been experiencing a number of BSODs which WinCrashReport is identifying as being caused by ituneshelper.exe.
  Has anybody else experienced this issue and how can i go about finding a solution for this.
  Regards

  Perhaps try a complete uninstall/reinstall of iTunes and related software components, as per the following document? (That should swap out all the ituneshelper.exe componentry.)
  Removing and reinstalling iTunes, QuickTime, and other software components for Windows Vista or Windows 7

• Usb 6501 unresponsive causing BSOD(Blue Screen Error)

  There are a lot posts about the same issue but mine is a little peculiar so i decided to post it.
  I am using two usb DAQ in the same pc(usb-6501, usb-6001), connected to the usb port on the back. The usb-6501 is used to obtain digital inputs from read switches, Sensors through an ssr. The usb-6001 is used to control 2 double valve solenoid, 1 dc motor, 2 indicator lamps. usb-6001 is also used to read analog values of current(using hall effect sensor) and voltage(using potentiometer).
  At first i was facing problems with the usb-6001(the usb-6501 was working fine at this point) resetting during operation accompanied by BSOD. Then i learned it was due to my relay, which requires 30 mA of current to switch so i used the ULN2003a to interface the usb-6001 with the relays and after that the application was running perfectly for 4 days.
  Now the usb-6501 is having the same problem and when i perform "Self Test" from NI MAX it shows "Error Code:50405" and i am able to reset the device from NI MAX only sometimes, other times i would have to unplug the USB device then plug it back in. As the application is used for an automated test rig the customer is frustrated by this problem. Once the card becomes unresponsive(or after the card is reset) BSOD occours.
  I have checked all the device drivers and OS for any errors but they are fine. i have even tried changing the ram to solve the BSOD with no use.
  System Details:
  Windows 7 SP1
  NI MAX 14.0
  power saving is disabled 
  I have attached the latest mini dump files as they might help in finding out the reason behind this problem(File extensions changed for the purpouse of uploading).
  I need to know: Is there any permanent solution for this problem? and what is the reason for this problem.
  Attachments:
  060115-12480-01.txt ‏315 KB
  053015-12324-01.txt ‏315 KB
  052615-17440-01.txt ‏315 KB

  Additional info : i did an analysis of the dump files and this is the result
  0: kd> !analyze -v
  * Bugcheck Analysis *
  DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
  An attempt was made to access a pageable (or completely invalid) address at an
  interrupt request level (IRQL) that is too high. This is usually
  caused by drivers using improper addresses.
  If kernel debugger is available get stack backtrace.
  Arguments:
  Arg1: fffff88009fe10b1, memory referenced
  Arg2: 0000000000000002, IRQL
  Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
  Arg4: fffff8800657922e, address which referenced memory
  Debugging Details:
  READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800032c30e8
  fffff88009fe10b1
  CURRENT_IRQL: 2
  FAULTING_IP:
  nifslk+822e
  fffff880`0657922e 0fb650ff movzx edx,byte ptr [rax-1]
  CUSTOMER_CRASH_COUNT: 1
  DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
  BUGCHECK_STR: 0xD1
  PROCESS_NAME: System
  TRAP_FRAME: fffff80000b9c6b0 -- (.trap 0xfffff80000b9c6b0)
  NOTE: The trap frame does not contain all registers.
  Some register values may be zeroed or incorrect.
  rax=fffff88009fe10b2 rbx=0000000000000000 rcx=0000000000000000
  rdx=fffff80000b9c8e0 rsi=0000000000000000 rdi=0000000000000000
  rip=fffff8800657922e rsp=fffff80000b9c840 rbp=fffff88009fe10b1
  r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
  r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
  r14=0000000000000000 r15=0000000000000000
  iopl=0 nv up ei ng nz na po nc
  nifslk+0x822e:
  fffff880`0657922e 0fb650ff movzx edx,byte ptr [rax-1] ds:c8e0:fffff880`09fe10b1=??
  Resetting default scope
  LAST_CONTROL_TRANSFER: from fffff80003091be9 to fffff80003092640
  STACK_TEXT:
  fffff800`00b9c568 fffff800`03091be9 : 00000000`0000000a fffff880`09fe10b1 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
  fffff800`00b9c570 fffff800`03090860 : fffffa80`06adc250 fffffa80`05c3a060 fffffa80`06adc250 00000000`0000ffff : nt!KiBugCheckDispatch+0x69
  fffff800`00b9c6b0 fffff880`0657922e : fffff880`05d47468 fffff880`01d91f90 00000000`00000000 fffff880`09fe0770 : nt!KiPageFault+0x260
  fffff800`00b9c840 fffff880`05d47468 : fffff880`01d91f90 00000000`00000000 fffff880`09fe0770 fffff880`09fe17a0 : nifslk+0x822e
  fffff800`00b9c848 fffff880`01d91f90 : 00000000`00000000 fffff880`09fe0770 fffff880`09fe17a0 fffff880`09fe10b1 : 0xfffff880`05d47468
  fffff800`00b9c850 00000000`00000000 : fffff880`09fe0770 fffff880`09fe17a0 fffff880`09fe10b1 fffff800`00b9c8e0 : nipalk+0x75f90
  STACK_COMMAND: kb
  FOLLOWUP_IP:
  nifslk+822e
  fffff880`0657922e 0fb650ff movzx edx,byte ptr [rax-1]
  SYMBOL_STACK_INDEX: 3
  SYMBOL_NAME: nifslk+822e
  FOLLOWUP_NAME: MachineOwner
  MODULE_NAME: nifslk
  IMAGE_NAME: nifslk.dll
  DEBUG_FLR_IMAGE_TIMESTAMP: 51f2daeb
  FAILURE_BUCKET_ID: X64_0xD1_nifslk+822e
  BUCKET_ID: X64_0xD1_nifslk+822e
  Can anyone help me with what this means?

• Blue Screen of Death - Windows 7 - Dump Attached

  Hi,
  I'm really struggling with this BSOD.  It's a repeating BSOD and I can't start up Windows.  Any help would be greatly appreciated!
  Dump File on Skydrive: http://sdrv.ms/X13pcY
  Thank you!!!
  JOHN

  Hi,
  I'm really struggling with this BSOD.  It's a repeating BSOD and I can't start up Windows.  Any help would be greatly appreciated!
  Dump File on Skydrive: http://sdrv.ms/X13pcY
  Thank you!!!
  JOHN
  *                        Bugcheck Analysis                                    *
  DRIVER_CORRUPTED_EXPOOL (c5)
  An attempt was made to access a pageable (or completely invalid) address at an
  interrupt request level (IRQL) that is too high.  This is
  caused by drivers that have corrupted the system pool.  Run the driver
  verifier against any new (or suspect) drivers, and if that doesn't turn up
  the culprit, then use gflags to enable special pool.
  Arguments:
  Arg1: 0000000000006d65, memory referenced
  Arg2: 0000000000000002, IRQL
  Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
  Arg4: fffff800025bddd3, address which referenced memory
  Debugging Details:
  BUGCHECK_STR:  0xC5_2
  CURRENT_IRQL:  2
  FAULTING_IP: 
  nt!ExFreePoolWithTag+43
  fffff800`025bddd3 418b45f0        mov     eax,dword ptr [r13-10h]
  CUSTOMER_CRASH_COUNT:  1
  DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
  PROCESS_NAME:  System
  TAG_NOT_DEFINED_c000000f:  FFFFF88001E8CFB0
  TRAP_FRAME:  fffff88001e85780 -- (.trap 0xfffff88001e85780)
  NOTE: The trap frame does not contain all registers.
  Some register values may be zeroed or incorrect.
  rax=0000000000000000 rbx=0000000000000000 rcx=0000000000006d75
  rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
  rip=fffff800025bddd3 rsp=fffff88001e85910 rbp=fffffa8011695810
   r8=0000000000000000  r9=0000000000000000 r10=fffffa8011695020
  r11=0000000000000002 r12=0000000000000000 r13=0000000000000000
  r14=0000000000000000 r15=0000000000000000
  iopl=0         nv up ei pl nz na pe nc
  nt!ExFreePoolWithTag+0x43:
  fffff800`025bddd3 418b45f0        mov     eax,dword ptr [r13-10h] ds:ffffffff`fffffff0=????????
  Resetting default scope
  LAST_CONTROL_TRANSFER:  from fffff80002491569 to fffff80002491fc0
  STACK_TEXT:  
  fffff880`01e85638 fffff800`02491569 : 00000000`0000000a 00000000`00006d65 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
  fffff880`01e85640 fffff800`024901e0 : 00000000`00000000 fffff800`0247c0d9 00000000`00000000 fffffa80`10cc94c0 : nt!KiBugCheckDispatch+0x69
  fffff880`01e85780 fffff800`025bddd3 : 00000000`00000000 fffff880`03d1b38c fffff880`01e680c0 ffff0000`02f8afd4 : nt!KiPageFault+0x260
  fffff880`01e85910 fffff880`0147c845 : 00000000`00000000 00000000`00000000 fffffa80`10d77bd0 00000000`00006d75 : nt!ExFreePoolWithTag+0x43
  fffff880`01e859c0 fffff880`03d6407e : fffffa80`11695810 fffffa80`10ccbe70 00000000`00000000 fffffa80`106871a0 : ndis!NdisFreeMemory+0x15
  fffff880`01e859f0 fffffa80`11695810 : fffffa80`10ccbe70 00000000`00000000 fffffa80`106871a0 00000000`00000000 : VBoxNetFlt+0x307e
  fffff880`01e859f8 fffffa80`10ccbe70 : 00000000`00000000 fffffa80`106871a0 00000000`00000000 fffff880`0153664e : 0xfffffa80`11695810
  fffff880`01e85a00 00000000`00000000 : fffffa80`106871a0 00000000`00000000 fffff880`0153664e fffffa80`10d77b00 : 0xfffffa80`10ccbe70
  STACK_COMMAND:  kb
  FOLLOWUP_IP: 
  VBoxNetFlt+307e
  fffff880`03d6407e ??              ???
  SYMBOL_STACK_INDEX:  5
  SYMBOL_NAME:  VBoxNetFlt+307e
  FOLLOWUP_NAME:  MachineOwner
  MODULE_NAME: VBoxNetFlt
  IMAGE_NAME:  VBoxNetFlt.sys
  DEBUG_FLR_IMAGE_TIMESTAMP:  50d1c564
  FAILURE_BUCKET_ID:  X64_0xC5_2_VBoxNetFlt+307e
  BUCKET_ID:  X64_0xC5_2_VBoxNetFlt+307e
  Followup: MachineOwner
  Bug Check 0xC5 : http://msdn.microsoft.com/en-us/library/windows/hardware/ff560192(v=vs.85).aspx
  ** The Blue Screen caused by (
  VBoxNetFlt.sys ) , Vboxnetflt.sys with description VirtualBox Bridged Networking Driver is a driver file from company Oracle Corporation belonging to product Oracle VM VirtualBox,
  so you can change the Bridged Adapter to Internal Network it solve your Blue Screen.
  To change the Bridged Adapter >> Right Click on your VM Client >> Settings >> Network >> Attached to >> Internal Network
  >> OK.
  Regards,
  MCT / MCITP / MCTS / MCSA / MCSE / C|EH / CCNA