BSOD kernel security check tcpip.sys

[ultron]

Hi. I got a BSOD when I'm watching a movie with MPC-HC. Here's the BlueScreenViewer results:

It seems like ntoskrnl.exe and tcip.sys the cause of the crash. I tried these known methods to solve this:

1/-memtest memory sticks with 4 passes

-video memory stress test

-furmark

-hdtune detailed scan

-prime95 stress test

-virus scan with bitdefender

none of them reported any errors, corruption or malware.

2/I reinstalled all drivers after clean uninstall. now i'm waiting whether the problem reoccurs or not.

How can i analyze the problem and solve it if it will happen again?

I'm using R9 380 GPU, Crimson 15.12, 2*4 gb corsair vengeance 1600 mhz and win 10. There's no overclock on my system.

 

[ultron]

The bugcheck code reference list decribes the parameters. Mine is 00000000`0000000e.

https://msdn.microsoft.com/en-us/li...891(v=vs.85).aspx?f=255&MSPPError=-2147217396

Parameter 1 Description
0 A stack-based buffer has been overrun (legacy /GS violation).
1 VTGuard instrumentation code detected an attempt to use an illegal virtual function table. Typically, a C++ object was corrupted, and then a virtual method call was attempted using the corrupted object's this pointer.
2 Stack cookie instrumentation code detected a stack-based buffer overrun (/GS violation).
3 A LIST_ENTRY was corrupted (for example, a double remove). For more information, see the following Cause section.
4 Reserved
5 An invalid parameter was passed to a function that considers invalid parameters fatal.
6 The stack cookie security cookie was not properly initialized by the loader. This may be caused by building a driver to run only on Windows 8 and attempting to load the driver image on an earlier version of Windows. To avoid this problem, you must build the driver to run on an earlier version of Windows.
7 A fatal program exit was requested.
8 A array bounds check inserted by the compiler detected an illegal array indexing operation.
9 A call to RtlQueryRegistryValues was made specifying RTL_QUERY_REGISTRY_DIRECT without RTL_QUERY_REGISTRY_TYPECHECK, and the target value was not in a trusted system hive

 

[ultron]

WhoCrashed's Crash dump details:

crashdump

Bug check name: KERNEL_SECURITY_CHECK_FAILURE
Bug check code: 0x139
Bug check parm 1: 0xE
Bug check parm 2: 0xFFFFD0018B37D650
Bug check parm 3: 0xFFFFD0018B37D5A8
Bug check parm 4: 0x0
Probably caused by: ntkrnlmp.exe
Driver description:
Driver product:
Driver company:
OS build: Built by: 10586.212.amd64fre.th2_release_sec.160328-1908
Architecture: x64 (64 bit)
CPU count: 6
Page size: 4096

Bug check description:
The kernel has detected the corruption of a critical data structure.

Comments:

The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.

Kernel Stack

nt!KeBugCheckEx+0x0
nt!KiBugCheckDispatch+0x69
nt!KiFastFailDispatch+0xD0
nt!KiRaiseSecurityCheckFailure+0xF3
nt!
??
::NNGAKEGL::`string'+0x12C92
nt!SeCopyClientToken+0x5D
nt!SepCreateClientSecurityEx+0x133
nt!SeCreateClientSecurity+0xB0
nt!AlpcpCreateSecurityContext+0x96
nt!NtAlpcCreateSecurityContext+0x10F
nt!KiSystemServiceCopyEnd+0x13
0x7FFF46A96024

 

[ultron]

WinDBG report:


Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\Minidump\042916-16843-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 10586 MP (6 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.212.amd64fre.th2_release_sec.160328-1908
Machine Name:
Kernel base = 0xfffff800`de08f000 PsLoadedModuleList = 0xfffff800`de36dcd0
Debug session time: Fri Apr 29 10:29:52.813 2016 (UTC + 3:00)
System Uptime: 1 days 1:36:46.534
Loading Kernel Symbols
.

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

..............................................................
................................................................
.............................
Loading User Symbols
Loading unloaded module list
......................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 139, {e, ffffd0018b37d650, ffffd0018b37d5a8, 0}

Probably caused by : ntkrnlmp.exe ( nt!KiFastFailDispatch+d0 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000000e, Type of memory safety violation
Arg2: ffffd0018b37d650, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd0018b37d5a8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING: 10586.212.amd64fre.th2_release_sec.160328-1908

SYSTEM_MANUFACTURER: To be filled by O.E.M.

SYSTEM_PRODUCT_NAME: To be filled by O.E.M.

SYSTEM_SKU: SKU

SYSTEM_VERSION: To be filled by O.E.M.

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: 2501

BIOS_DATE: 04/07/2014

BASEBOARD_MANUFACTURER: ASUSTeK COMPUTER INC.

BASEBOARD_PRODUCT: M5A97 R2.0

BASEBOARD_VERSION: Rev 1.xx

DUMP_TYPE: 2

BUGCHECK_P1: e

BUGCHECK_P2: ffffd0018b37d650

BUGCHECK_P3: ffffd0018b37d5a8

BUGCHECK_P4: 0

TRAP_FRAME: ffffd0018b37d650 -- (.trap 0xffffd0018b37d650)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffecf3f9ffecf3fa rbx=0000000000000000 rcx=000000000000000e
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800de5f89e2 rsp=ffffd0018b37d7e0 rbp=0000000000000001
r8=0000000000000000 r9=0000000000000006 r10=0000000000000000
r11=fffff800de1dd397 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt! ?? ::NNGAKEGL::`string'+0x12c92:
fffff800`de5f89e2 cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffd0018b37d5a8 -- (.exr 0xffffd0018b37d5a8)
ExceptionAddress: fffff800de5f89e2 (nt! ?? ::NNGAKEGL::`string'+0x0000000000012c92)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000000e
Subcode: 0xe FAST_FAIL_INVALID_REFERENCE_COUNT

CPU_COUNT: 6

CPU_MHZ: db8

CPU_VENDOR: AuthenticAMD

CPU_FAMILY: 15

CPU_MODEL: 2

CPU_STEPPING: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: INVALID_REFERENCE_COUNT

BUGCHECK_STR: 0x139

PROCESS_NAME: uTorrent.exe

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 000000000000000e

ANALYSIS_SESSION_HOST: DESKTOP-HH247R6

ANALYSIS_SESSION_TIME: 04-29-2016 17:35:07.0076

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

LAST_CONTROL_TRANSFER: from fffff800de1dc2e9 to fffff800de1d1760

STACK_TEXT:
ffffd001`8b37d328 fffff800`de1dc2e9 : 00000000`00000139 00000000`0000000e ffffd001`8b37d650 ffffd001`8b37d5a8 : nt!KeBugCheckEx
ffffd001`8b37d330 fffff800`de1dc610 : ffffe000`00000000 ffffe000`613576b0 00000020`000003a0 000000f4`00000008 : nt!KiBugCheckDispatch+0x69
ffffd001`8b37d470 fffff800`de1db7f3 : ffffd001`8a827000 00000000`00000801 00000000`000006c0 ffffd001`00000001 : nt!KiFastFailDispatch+0xd0
ffffd001`8b37d650 fffff800`de5f89e2 : ffffd001`00000002 ffffc001`b0b93520 00000000`00000002 ffffc001`b1e51060 : nt!KiRaiseSecurityCheckFailure+0xf3
ffffd001`8b37d7e0 fffff800`de481e91 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd001`8b37db18 : nt! ?? ::NNGAKEGL::`string'+0x12c92
ffffd001`8b37d8b0 fffff800`de481083 : ffffd001`8b37dac8 ffffd001`8b37dac8 ffffc001`b33d8200 00000000`000007ff : nt!SeCopyClientToken+0x5d
ffffd001`8b37d940 fffff800`de481440 : ffffd001`8b37dac8 00000000`00000000 ffffc001`b33d8260 ffffc001`b1e51060 : nt!SepCreateClientSecurityEx+0x133
ffffd001`8b37d9a0 fffff800`de481bf6 : ffffc001`b33d8240 ffffe000`60f33080 00000000`00000001 ffffe000`6192e840 : nt!SeCreateClientSecurity+0xb0
ffffd001`8b37da30 fffff800`de4e6d5b : 00000000`003c3000 00000000`062b0730 ffffd001`8b37db80 00000000`003c3000 : nt!AlpcpCreateSecurityContext+0x96
ffffd001`8b37da90 fffff800`de1dbfa3 : ffffe000`60f33080 00000000`6f0426d0 00000000`00000000 ffffd001`8b37db80 : nt!NtAlpcCreateSecurityContext+0x10f
ffffd001`8b37db00 00007fff`46a96024 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`02b0eaa8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`46a96024


STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: b149bcbda74b2222ba6ac073ad6478f560342d69

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 61d0ee007850ac82400889acb935ee5f81493f91

THREAD_SHA1_HASH_MOD: b28610981796779b4ac02f58898fde25728a775c

FOLLOWUP_IP:
nt!KiFastFailDispatch+d0
fffff800`de1dc610 c644242000 mov byte ptr [rsp+20h],0

FAULT_INSTR_CODE: 202444c6

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiFastFailDispatch+d0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 56fa1e56

IMAGE_VERSION: 10.0.10586.212

BUCKET_ID_FUNC_OFFSET: d0

FAILURE_BUCKET_ID: 0x139_e_nt!KiFastFailDispatch

BUCKET_ID: 0x139_e_nt!KiFastFailDispatch

PRIMARY_PROBLEM_CLASS: 0x139_e_nt!KiFastFailDispatch

TARGET_TIME: 2016-04-29T07:29:52.000Z

OSBUILD: 10586

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2016-03-29 09:19:02

BUILDDATESTAMP_STR: 160328-1908

BUILDLAB_STR: th2_release_sec

BUILDOSVER_STR: 10.0.10586.212.amd64fre.th2_release_sec.160328-1908

ANALYSIS_SESSION_ELAPSED_TIME: b20

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x139_e_nt!kifastfaildispatch

FAILURE_ID_HASH: {1faaac6f-d0dd-5c78-ac77-c09952b72e7d}

Followup: MachineOwner
---------

 

[Ketchup]

Looks like the NIC card/driver. If the problem returns, get the later Windows 10 driver for the network card from Asus's website.
https://www.asus.com/us/Motherboards/M5A97_R20/HelpDesk_Download/

If that doesn't work, replacement network cards are about $10, so you may just want to get a replacement.

 

[John Connor]

When this happens it's usually hardware or a driver. Retrace your steps. Did you install a piece of hardware, install a driver or a piece of software recently before this happened?

 

[ultron]

I got my second BSOD today. It looks like my RAM is bad. memtest reported no problems but this tool says OK to my faulty memory stick years ago.

Microsoft (R) Windows Debugger Version 10.0.10586.567 AMD64

Copyright (c) Microsoft Corporation. All rights reserved.



Loading Dump File [C:\Windows\Minidump\043016-17296-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available


Symbol search path is: srv*

Executable search path is:

Windows 10 Kernel Version 10586 MP (6 procs) Free x64

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 10586.212.amd64fre.th2_release_sec.160328-1908

Machine Name:

Kernel base = 0xfffff802`c0a02000 PsLoadedModuleList = 0xfffff802`c0ce0cd0

Debug session time: Sat Apr 30 19:32:03.169 2016 (UTC + 3:00)

System Uptime: 1 days 9:01:13.891

Loading Kernel Symbols

.


Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.

Run !sym noisy before .reload to track down problems loading symbols.


..............................................................

................................................................

...............................

Loading User Symbols

Loading unloaded module list

............................

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************


Use !analyze -v to get detailed debugging information.


BugCheck 1000007E, {ffffffffc0000005, fffff802c0b1973d, ffffd001f24e9198, ffffd001f24e89b0}


Probably caused by : memory_corruption ( nt!MiDemoteCombinedPte+39 )


Followup: MachineOwner

---------


1: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************


SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)

This is a very common bugcheck. Usually the exception address pinpoints

the driver/function that caused the problem. Always note this address

as well as the link date of the driver/image that contains this address.

Some common problems are exception code 0x80000003. This means a hard

coded breakpoint or assertion was hit, but this system was booted

/NODEBUG. This is not supposed to happen as developers should never have

hardcoded breakpoints in retail code, but ...

If this happens, make sure a debugger gets connected, and the

system is booted /DEBUG. This will let us see why this breakpoint is

happening.

Arguments:

Arg1: ffffffffc0000005, The exception code that was not handled

Arg2: fffff802c0b1973d, The address that the exception occurred at

Arg3: ffffd001f24e9198, Exception Record Address

Arg4: ffffd001f24e89b0, Context Record Address


Debugging Details:

------------------



DUMP_CLASS: 1


DUMP_QUALIFIER: 400


BUILD_VERSION_STRING: 10586.212.amd64fre.th2_release_sec.160328-1908


SYSTEM_MANUFACTURER: To be filled by O.E.M.


SYSTEM_PRODUCT_NAME: To be filled by O.E.M.


SYSTEM_SKU: SKU


SYSTEM_VERSION: To be filled by O.E.M.


BIOS_VENDOR: American Megatrends Inc.


BIOS_VERSION: 2501


BIOS_DATE: 04/07/2014


BASEBOARD_MANUFACTURER: ASUSTeK COMPUTER INC.


BASEBOARD_PRODUCT: M5A97 R2.0


BASEBOARD_VERSION: Rev 1.xx


DUMP_TYPE: 2


BUGCHECK_P1: ffffffffc0000005


BUGCHECK_P2: fffff802c0b1973d


BUGCHECK_P3: ffffd001f24e9198


BUGCHECK_P4: ffffd001f24e89b0


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.


FAULTING_IP:

nt!MiDemoteCombinedPte+39

fffff802`c0b1973d 48394af0 cmp qword ptr [rdx-10h],rcx


EXCEPTION_RECORD: ffffd001f24e9198 -- (.exr 0xffffd001f24e9198)

ExceptionAddress: fffff802c0b1973d (nt!MiDemoteCombinedPte+0x0000000000000039)

ExceptionCode: c0000005 (Access violation)

ExceptionFlags: 00000000

NumberParameters: 2

Parameter[0]: 0000000000000000

Parameter[1]: ffffffffffffffff

Attempt to read from address ffffffffffffffff


CONTEXT: ffffd001f24e89b0 -- (.cxr 0xffffd001f24e89b0)

rax=fffff0a8dc0b07db rbx=fffdfdfdfffdfdfd rcx=0000000000000001

rdx=8000000000000000 rsi=ffffe0017e617388 rdi=fffff58010810a30

rip=fffff802c0b1973d rsp=ffffd001f24e93d0 rbp=ffffd001f24e95b0

r8=8000000000000000 r9=0000007ffffffff8 r10=0000098000000000

r11=0000058000000000 r12=0000000000000009 r13=fffff6bffefe0618

r14=fffff6bffefe0618 r15=fffffd79f9fff9d0

iopl=0 nv up ei ng nz na po nc

cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286

nt!MiDemoteCombinedPte+0x39:

fffff802`c0b1973d 48394af0 cmp qword ptr [rdx-10h],rcx ds:002b:7fffffff`fffffff0=????????????????

Resetting default scope


CPU_COUNT: 6


CPU_MHZ: db8


CPU_VENDOR: AuthenticAMD


CPU_FAMILY: 15


CPU_MODEL: 2


CPU_STEPPING: 0


CUSTOMER_CRASH_COUNT: 1


DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT


PROCESS_NAME: svchost.exe


CURRENT_IRQL: 2


ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.


EXCEPTION_CODE_STR: c0000005


EXCEPTION_PARAMETER1: 0000000000000000


EXCEPTION_PARAMETER2: ffffffffffffffff


READ_ADDRESS: fffff802c0d80520: Unable to get MiVisibleState

ffffffffffffffff


FOLLOWUP_IP:

nt!MiDemoteCombinedPte+39

fffff802`c0b1973d 48394af0 cmp qword ptr [rdx-10h],rcx


BUGCHECK_STR: AV


ANALYSIS_SESSION_HOST: DESKTOP-HH247R6


ANALYSIS_SESSION_TIME: 04-30-2016 19:35:50.0067


ANALYSIS_VERSION: 10.0.10586.567 amd64fre


LAST_CONTROL_TRANSFER: from fffff802c0a4f339 to fffff802c0b1973d


STACK_TEXT:

ffffd001`f24e93d0 fffff802`c0a4f339 : ffffd001`f69af180 ffffe001`814c6580 fffdfdfd`fffdfdfd 00000000`00000d20 : nt!MiDemoteCombinedPte+0x39

ffffd001`f24e94b0 fffff802`c0a3365a : ffffe001`81429d40 ffffe001`7e617300 ffffe001`81429d40 00000000`00000000 : nt!MiAgeWorkingSet+0x1079

ffffd001`f24e9800 fffff802`c0a330ab : fffff802`00000000 ffffd001`f24e9a80 ffffd001`f24e99b0 00000000`00000000 : nt!MiTrimOrAgeWorkingSet+0x15a

ffffd001`f24e98b0 fffff802`c0aa7e0b : fffff802`00000000 00000000`00000000 00000000`00000150 00000000`00000002 : nt!MiProcessWorkingSets+0x1fb

ffffd001`f24e9a60 fffff802`c0b2819d : 00000000`ffffffff 00000000`00000005 00000000`ffffffff 00000000`00000001 : nt!MiWorkingSetManager+0xa7

ffffd001`f24e9b20 fffff802`c0ae5895 : ffffe001`7e73d040 00000000`00000080 fffff802`c0b2804c 00000000`00000000 : nt!KeBalanceSetManager+0x151

ffffd001`f24e9c10 fffff802`c0b49906 : fffff802`c0d1f180 ffffe001`7e73d040 fffff802`c0ae5854 00000000`00000000 : nt!PspSystemThreadStartup+0x41

ffffd001`f24e9c60 00000000`00000000 : ffffd001`f24ea000 ffffd001`f24e4000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16



THREAD_SHA1_HASH_MOD_FUNC: 1b3c43f13d684d4e8c5fa1d2d299b51901f5cbc1


THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ddd6257a2cb150d296f5cb69575f67265b7795c5


THREAD_SHA1_HASH_MOD: cb5f414824c2521bcc505eaa03e92fa10922dad8


FAULT_INSTR_CODE: f04a3948


SYMBOL_STACK_INDEX: 0


SYMBOL_NAME: nt!MiDemoteCombinedPte+39


FOLLOWUP_NAME: MachineOwner


MODULE_NAME: nt


DEBUG_FLR_IMAGE_TIMESTAMP: 56fa1e56


IMAGE_VERSION: 10.0.10586.212


STACK_COMMAND: .cxr 0xffffd001f24e89b0 ; kb


IMAGE_NAME: memory_corruption


BUCKET_ID_FUNC_OFFSET: 39


FAILURE_BUCKET_ID: AV_nt!MiDemoteCombinedPte


BUCKET_ID: AV_nt!MiDemoteCombinedPte


PRIMARY_PROBLEM_CLASS: AV_nt!MiDemoteCombinedPte


TARGET_TIME: 2016-04-30T16:32:03.000Z


OSBUILD: 10586


OSSERVICEPACK: 0


SERVICEPACK_NUMBER: 0


OS_REVISION: 0


SUITE_MASK: 272


PRODUCT_TYPE: 1


OSPLATFORM_TYPE: x64


OSNAME: Windows 10


OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS


OS_LOCALE:


USER_LCID: 0


OSBUILD_TIMESTAMP: 2016-03-29 09:19:02


BUILDDATESTAMP_STR: 160328-1908


BUILDLAB_STR: th2_release_sec


BUILDOSVER_STR: 10.0.10586.212.amd64fre.th2_release_sec.160328-1908


ANALYSIS_SESSION_ELAPSED_TIME: 127d


ANALYSIS_SOURCE: KM


FAILURE_ID_HASH_STRING: km:av_nt!midemotecombinedpte


FAILURE_ID_HASH: {c577c73b-79a7-0c44-6c62-58e1d697b6d8}


Followup: MachineOwner

---------


1: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************


SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)

This is a very common bugcheck. Usually the exception address pinpoints

the driver/function that caused the problem. Always note this address

as well as the link date of the driver/image that contains this address.

Some common problems are exception code 0x80000003. This means a hard

coded breakpoint or assertion was hit, but this system was booted

/NODEBUG. This is not supposed to happen as developers should never have

hardcoded breakpoints in retail code, but ...

If this happens, make sure a debugger gets connected, and the

system is booted /DEBUG. This will let us see why this breakpoint is

happening.

Arguments:

Arg1: ffffffffc0000005, The exception code that was not handled

Arg2: fffff802c0b1973d, The address that the exception occurred at

Arg3: ffffd001f24e9198, Exception Record Address

Arg4: ffffd001f24e89b0, Context Record Address


Debugging Details:

------------------



DUMP_CLASS: 1


DUMP_QUALIFIER: 400


BUILD_VERSION_STRING: 10586.212.amd64fre.th2_release_sec.160328-1908


SYSTEM_MANUFACTURER: To be filled by O.E.M.


SYSTEM_PRODUCT_NAME: To be filled by O.E.M.


SYSTEM_SKU: SKU


SYSTEM_VERSION: To be filled by O.E.M.


BIOS_VENDOR: American Megatrends Inc.


BIOS_VERSION: 2501


BIOS_DATE: 04/07/2014


BASEBOARD_MANUFACTURER: ASUSTeK COMPUTER INC.


BASEBOARD_PRODUCT: M5A97 R2.0


BASEBOARD_VERSION: Rev 1.xx


DUMP_TYPE: 2


BUGCHECK_P1: ffffffffc0000005


BUGCHECK_P2: fffff802c0b1973d


BUGCHECK_P3: ffffd001f24e9198


BUGCHECK_P4: ffffd001f24e89b0


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.


FAULTING_IP:

nt!MiDemoteCombinedPte+39

fffff802`c0b1973d 48394af0 cmp qword ptr [rdx-10h],rcx


EXCEPTION_RECORD: ffffd001f24e9198 -- (.exr 0xffffd001f24e9198)

ExceptionAddress: fffff802c0b1973d (nt!MiDemoteCombinedPte+0x0000000000000039)

ExceptionCode: c0000005 (Access violation)

ExceptionFlags: 00000000

NumberParameters: 2

Parameter[0]: 0000000000000000

Parameter[1]: ffffffffffffffff

Attempt to read from address ffffffffffffffff


CONTEXT: ffffd001f24e89b0 -- (.cxr 0xffffd001f24e89b0)

rax=fffff0a8dc0b07db rbx=fffdfdfdfffdfdfd rcx=0000000000000001

rdx=8000000000000000 rsi=ffffe0017e617388 rdi=fffff58010810a30

rip=fffff802c0b1973d rsp=ffffd001f24e93d0 rbp=ffffd001f24e95b0

r8=8000000000000000 r9=0000007ffffffff8 r10=0000098000000000

r11=0000058000000000 r12=0000000000000009 r13=fffff6bffefe0618

r14=fffff6bffefe0618 r15=fffffd79f9fff9d0

iopl=0 nv up ei ng nz na po nc

cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286

nt!MiDemoteCombinedPte+0x39:

fffff802`c0b1973d 48394af0 cmp qword ptr [rdx-10h],rcx ds:002b:7fffffff`fffffff0=????????????????

Resetting default scope


CPU_COUNT: 6


CPU_MHZ: db8


CPU_VENDOR: AuthenticAMD


CPU_FAMILY: 15


CPU_MODEL: 2


CPU_STEPPING: 0


CUSTOMER_CRASH_COUNT: 1


DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT


PROCESS_NAME: svchost.exe


CURRENT_IRQL: 2


ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.


EXCEPTION_CODE_STR: c0000005


EXCEPTION_PARAMETER1: 0000000000000000


EXCEPTION_PARAMETER2: ffffffffffffffff


READ_ADDRESS: fffff802c0d80520: Unable to get MiVisibleState

ffffffffffffffff


FOLLOWUP_IP:

nt!MiDemoteCombinedPte+39

fffff802`c0b1973d 48394af0 cmp qword ptr [rdx-10h],rcx


BUGCHECK_STR: AV


ANALYSIS_SESSION_HOST: DESKTOP-HH247R6


ANALYSIS_SESSION_TIME: 04-30-2016 19:35:54.0933


ANALYSIS_VERSION: 10.0.10586.567 amd64fre


LAST_CONTROL_TRANSFER: from fffff802c0a4f339 to fffff802c0b1973d


STACK_TEXT:

ffffd001`f24e93d0 fffff802`c0a4f339 : ffffd001`f69af180 ffffe001`814c6580 fffdfdfd`fffdfdfd 00000000`00000d20 : nt!MiDemoteCombinedPte+0x39

ffffd001`f24e94b0 fffff802`c0a3365a : ffffe001`81429d40 ffffe001`7e617300 ffffe001`81429d40 00000000`00000000 : nt!MiAgeWorkingSet+0x1079

ffffd001`f24e9800 fffff802`c0a330ab : fffff802`00000000 ffffd001`f24e9a80 ffffd001`f24e99b0 00000000`00000000 : nt!MiTrimOrAgeWorkingSet+0x15a

ffffd001`f24e98b0 fffff802`c0aa7e0b : fffff802`00000000 00000000`00000000 00000000`00000150 00000000`00000002 : nt!MiProcessWorkingSets+0x1fb

ffffd001`f24e9a60 fffff802`c0b2819d : 00000000`ffffffff 00000000`00000005 00000000`ffffffff 00000000`00000001 : nt!MiWorkingSetManager+0xa7

ffffd001`f24e9b20 fffff802`c0ae5895 : ffffe001`7e73d040 00000000`00000080 fffff802`c0b2804c 00000000`00000000 : nt!KeBalanceSetManager+0x151

ffffd001`f24e9c10 fffff802`c0b49906 : fffff802`c0d1f180 ffffe001`7e73d040 fffff802`c0ae5854 00000000`00000000 : nt!PspSystemThreadStartup+0x41

ffffd001`f24e9c60 00000000`00000000 : ffffd001`f24ea000 ffffd001`f24e4000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16



THREAD_SHA1_HASH_MOD_FUNC: 1b3c43f13d684d4e8c5fa1d2d299b51901f5cbc1


THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ddd6257a2cb150d296f5cb69575f67265b7795c5


THREAD_SHA1_HASH_MOD: cb5f414824c2521bcc505eaa03e92fa10922dad8


FAULT_INSTR_CODE: f04a3948


SYMBOL_STACK_INDEX: 0


SYMBOL_NAME: nt!MiDemoteCombinedPte+39


FOLLOWUP_NAME: MachineOwner


MODULE_NAME: nt


DEBUG_FLR_IMAGE_TIMESTAMP: 56fa1e56


IMAGE_VERSION: 10.0.10586.212


STACK_COMMAND: .cxr 0xffffd001f24e89b0 ; kb


IMAGE_NAME: memory_corruption


BUCKET_ID_FUNC_OFFSET: 39


FAILURE_BUCKET_ID: AV_nt!MiDemoteCombinedPte


BUCKET_ID: AV_nt!MiDemoteCombinedPte


PRIMARY_PROBLEM_CLASS: AV_nt!MiDemoteCombinedPte


TARGET_TIME: 2016-04-30T16:32:03.000Z


OSBUILD: 10586


OSSERVICEPACK: 0


SERVICEPACK_NUMBER: 0


OS_REVISION: 0


SUITE_MASK: 272


PRODUCT_TYPE: 1


OSPLATFORM_TYPE: x64


OSNAME: Windows 10


OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS


OS_LOCALE:


USER_LCID: 0


OSBUILD_TIMESTAMP: 2016-03-29 09:19:02


BUILDDATESTAMP_STR: 160328-1908


BUILDLAB_STR: th2_release_sec


BUILDOSVER_STR: 10.0.10586.212.amd64fre.th2_release_sec.160328-1908


ANALYSIS_SESSION_ELAPSED_TIME: 13bf


ANALYSIS_SOURCE: KM


FAILURE_ID_HASH_STRING: km:av_nt!midemotecombinedpte


FAILURE_ID_HASH: {c577c73b-79a7-0c44-6c62-58e1d697b6d8}


Followup: MachineOwner

---------

 

[John Connor]

How long did you run Memtest? You should do it over night.

I would also test the HDD.

You do have your RAM timings and voltage set correctly in BIOS?

 

[ultron]

How long did you run Memtest? You should do it over night.

I would also test the HDD.

You do have your RAM timings and voltage set correctly in BIOS?

I made a memtest86 again. 4 passes w/o row hammering(because it takes a lot
of time) and 1 pasees with row hammering. It reports no error. I'm gonna wait one day than plug off one of the memory sticks, than if i'll get BSOD again i'll try with another.

It's unreliable test. Maybe there's no problem on my RAM sticks but it failed to detect corrupted RAM once. It was my personel user experience.

I made HDD tests(detailed bad sector scan), video memory stress test, furmark, occt, prime95. They don't report any bad hardware.

 

[John Connor]

In that case please read post #6 again and tell me what you think.

 

[ultron]

In that case please read post #6 again and tell me what you think.

I didn't change any hardware/driver recently. I'm gonna run only one memory stick and then try another, and then try another RAM slot if the problem goes on. Driver verifier maybe help to detect the problem.

 

[John Connor]

Also check your temps, especially the vid card.