Greetings, I have received a BSOD recently. My system specs are:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: srv*
Executable search path is: srv*
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18044.amd64fre.win7sp1_gdr.130104-1431
Machine Name:
Kernel base = 0xfffff800`03068000 PsLoadedModuleList = 0xfffff800`032ac670
Debug session time: Tue Oct 29 22:00:02.767 2013 (UTC - 5:00)
System Uptime: 0 days 5:20:00.610
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 109, {a3a039d89b4317a9, b3b7465eedbfe6ff, fffff80003412fea, 1}
Probably caused by : ntkrnlmp.exe ( nt! ?? ::NNGAKEGL::`string'+f140 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d89b4317a9, Reserved
Arg2: b3b7465eedbfe6ff, Reserved
Arg3: fffff80003412fea, Failure type dependent information
Arg4: 0000000000000001, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
Debugging Details:
------------------
FAULTING_IP:
nt! ?? ::NNGAKEGL::`string'+f140
fffff800`03412fea 488b4108 mov rax,qword ptr [rcx+8]
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x109
PROCESS_NAME: System
CURRENT_IRQL: 0
STACK_TEXT:
fffff880`033cb498 00000000`00000000 : 00000000`00000109 a3a039d8`9b4317a9 b3b7465e`edbfe6ff fffff800`03412fea : nt!KeBugCheckEx
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::NNGAKEGL::`string'+f140
fffff800`03412fea 488b4108 mov rax,qword ptr [rcx+8]
SYMBOL_NAME: nt! ?? ::NNGAKEGL::`string'+f140
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 50e79935
FAILURE_BUCKET_ID: X64_0x109_1_nt!_??_::NNGAKEGL::_string_+f140
BUCKET_ID: X64_0x109_1_nt!_??_::NNGAKEGL::_string_+f140
Followup: MachineOwner
---------
2: kd> lmvm nt
start end module name
fffff800`03068000 fffff800`0364f000 nt (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\ntkrnlmp.pdb\B09DFEAFE5F546ECA785C4F8577A2CC02\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Fri Jan 04 21:08:37 2013 (50E79935)
CheckSum: 0054E86D
ImageSize: 005E7000
File version: 6.1.7601.18044
Product version: 6.1.7601.18044
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7601.18044
FileVersion: 6.1.7601.18044 (win7sp1_gdr.130104-1431)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.
A few months back I got another crash while browsing a safe website. Here is the debug info for it:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: srv*
Executable search path is: srv*
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18044.amd64fre.win7sp1_gdr.130104-1431
Machine Name:
Kernel base = 0xfffff800`0300b000 PsLoadedModuleList = 0xfffff800`0324f670
Debug session time: Thu Jul 25 04:57:10.157 2013 (UTC - 5:00)
System Uptime: 0 days 4:35:05.001
Loading Kernel Symbols
.................................................. .............
.................................................. ..............
........................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd8018). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {ffffffffc0000005, fffff8000336eb51, 0, ffffffffffffffff}
Probably caused by : ntkrnlmp.exe ( nt!ObLogSecurityDescriptor+c2 )
Followup: MachineOwner
---------
3: kd> !analyze -v
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8000336eb51, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception
Debugging Details:
------------------
READ_ADDRESS: 0000000000000000
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!ObLogSecurityDescriptor+c2
fffff800`0336eb51 8b4614 mov eax,dword ptr [rsi+14h]
BUGCHECK_STR: 0x1E_c0000005_R
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff800030cb7e8 to fffff80003080c40
STACK_TEXT:
fffff880`09512c88 fffff800`030cb7e8 : 00000000`0000001e ffffffff`c0000005 fffff800`0336eb51 00000000`00000000 : nt!KeBugCheckEx
fffff880`09512c90 fffff800`030802c2 : fffff880`09513468 00000000`00000000 fffff880`09513510 00019a2f`00000000 : nt! ?? ::FNODOBFM::`string'+0x487ed
fffff880`09513330 fffff800`0307ebca : fffff8a0`0b52af24 fffff8a0`0b52af30 fffffa80`06676c8c 00000000`00000001 : nt!KiExceptionDispatch+0xc2
fffff880`09513510 fffff800`0336eb51 : 00000001`00800002 00000003`00140011 10000000`00000101 00000000`00004000 : nt!KiGeneralProtectionFault+0x10a
fffff880`095136a0 fffff800`0336e2e7 : 00000000`00000104 fffff880`09513740 ffffdcea`00000010 00000000`00000104 : nt!ObLogSecurityDescriptor+0xc2
fffff880`09513710 fffff800`0336f6f7 : fffff880`09513c40 fffffa80`06676c8c fffffa80`06676c40 00000000`00000000 : nt!SeDefaultObjectMethod+0x57
fffff880`09513760 fffff800`0336e572 : fffff8a0`02c77d60 fffffa80`0a6e28e0 00000000`00000000 00000000`00000000 : nt!ObpAssignSecurity+0xc7
fffff880`095137d0 fffff800`03370da3 : ffffffff`ffffffff fffffa80`0a18bb30 fffffa80`06b1cb50 00000000`00000000 : nt!ObInsertObjectEx+0x1e2
fffff880`09513a20 fffff800`033701ae : fffffa80`06b1cb50 fffffa80`0a18bb30 fffff880`09513ec0 fffff880`09513c00 : nt!PspInsertThread+0x2f3
fffff880`09513ba0 fffff800`03374049 : fffff8a0`0865e440 00000000`00000000 00000000`00000001 fffff880`095143d0 : nt!PspCreateThread+0x246
fffff880`09513e20 fffff800`0307fed3 : 00000000`00000000 00000000`00000000 00000000`00f80014 fffff8a0`0c66a7e0 : nt!NtCreateThreadEx+0x25d
fffff880`09514570 fffff800`0307c490 : fffff800`033767c8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
fffff880`09514778 fffff800`033767c8 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffdcea`65170e74 : nt!KiServiceLinkage
fffff880`09514780 fffff800`03073ec2 : 00000000`0000005c fffff880`09514a28 00000000`00000000 fffffa80`0aa901f0 : nt!RtlpCreateUserThreadEx+0x138
fffff880`095148a0 fffff800`0306c2a8 : 00000000`00000000 fffff880`09514a28 fffff880`09514b00 00000000`00000001 : nt!ExpWorkerFactoryCreateThread+0x92
fffff880`09514960 fffff800`0306c09b : 000007fe`00000001 fffffa80`09a56df0 fffff880`09514b60 00000000`00000000 : nt!ExpWorkerFactoryCheckCreate+0x180
fffff880`095149e0 fffff800`0307fed3 : fffffa80`0aa901f0 00000000`773445c0 00000000`00000000 00000000`0066ee38 : nt!NtWaitForWorkViaWorkerFactory+0x4da
fffff880`09514ae0 00000000`77292c1a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0066fad8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77292c1a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ObLogSecurityDescriptor+c2
fffff800`0336eb51 8b4614 mov eax,dword ptr [rsi+14h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: nt!ObLogSecurityDescriptor+c2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 50e79935
FAILURE_BUCKET_ID: X64_0x1E_c0000005_R_nt!ObLogSecurityDescriptor+c2
BUCKET_ID: X64_0x1E_c0000005_R_nt!ObLogSecurityDescriptor+c2
Followup: MachineOwner
---------
3: kd> lmvm nt
start end module name
fffff800`0300b000 fffff800`035f2000 nt (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\ntkrnlmp.pdb\B09DFEAFE5 F546ECA785C4F8577A2CC02\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Fri Jan 04 21:08:37 2013 (50E79935)
CheckSum: 0054E86D
ImageSize: 005E7000
File version: 6.1.7601.18044
Product version: 6.1.7601.18044
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7601.18044
FileVersion: 6.1.7601.18044 (win7sp1_gdr.130104-1431)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.
I also used the analyze function in WhoCrashed and it gave me this info:
[FONT=Segoe UI, Arial]On Wed 10/30/2013 3:00:02 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\102913-4960-01.dmp
This was probably caused by the following module: [FONT=Segoe UI, Arial]ntoskrnl.exe[/FONT] (nt+0x75C40)
Bugcheck code: 0x109 (0xA3A039D89B4317A9, 0xB3B7465EEDBFE6FF, 0xFFFFF80003412FEA, 0x1)
Error: [FONT=Segoe UI, Arial]CRITICAL_STRUCTURE_CORRUPTION[/FONT]
file path: C:\Windows\system32\ntoskrnl.exe
product: [FONT=Segoe UI, Arial]Microsoft® Windows® Operating System[/FONT]
company: [FONT=Segoe UI, Arial]Microsoft Corporation[/FONT]
description: NT Kernel & System
Bug check description: This indicates that the kernel has detected critical kernel code or data corruption.
This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.
[/FONT]
[FONT=Segoe UI, Arial]On Wed 10/30/2013 3:00:02 AM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: [FONT=Segoe UI, Arial]ntkrnlmp.exe[/FONT] (nt!KeBugCheckEx+0x0)
Bugcheck code: 0x109 (0xA3A039D89B4317A9, 0xB3B7465EEDBFE6FF, 0xFFFFF80003412FEA, 0x1)
Error: [FONT=Segoe UI, Arial]CRITICAL_STRUCTURE_CORRUPTION[/FONT]
Bug check description: This indicates that the kernel has detected critical kernel code or data corruption.
This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.[/FONT]
[FONT=Segoe UI, Arial]On Thu 7/25/2013 9:57:10 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\072513-5007-01.dmp
This was probably caused by the following module: [FONT=Segoe UI, Arial]ntoskrnl.exe[/FONT] (nt+0x75C40)
Bugcheck code: 0x1E (0xFFFFFFFFC0000005, 0xFFFFF8000336EB51, 0x0, 0xFFFFFFFFFFFFFFFF)
Error: [FONT=Segoe UI, Arial]KMODE_EXCEPTION_NOT_HANDLED[/FONT]
file path: C:\Windows\system32\ntoskrnl.exe
product: [FONT=Segoe UI, Arial]Microsoft® Windows® Operating System[/FONT]
company: [FONT=Segoe UI, Arial]Microsoft Corporation[/FONT]
description: NT Kernel & System
Bug check description: This indicates that a kernel-mode program generated an exception which the error handler did not catch.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.[/FONT]
Does anyone have any idea what could have caused one or both of these? Could they both be related? Thank you.
Microsoft Windows 7 Home Premium 64-bit
OCZ Vertex 4 512Gb
Seagate 3TB 7200.14 hard drive
Corsair Vengeance 8GB (2x4GB) DDR3 1600
Intel Core i5-3570k 3.4 GHz
Corsair Enthusiast Series TX850M 850W
EVGA GeForce 670 FTW 2GB
Gigabyte GA-Z77-D3H
hp photosmart 5520
Corsair Vengeance 1500 headset
logitech g110 keyboard
logitech g300 mouse
When the crash occurred I was innocuously browsing a safe website. I ran the crash dump through the kernel debug tools for windows and here is what I got.OCZ Vertex 4 512Gb
Seagate 3TB 7200.14 hard drive
Corsair Vengeance 8GB (2x4GB) DDR3 1600
Intel Core i5-3570k 3.4 GHz
Corsair Enthusiast Series TX850M 850W
EVGA GeForce 670 FTW 2GB
Gigabyte GA-Z77-D3H
hp photosmart 5520
Corsair Vengeance 1500 headset
logitech g110 keyboard
logitech g300 mouse
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: srv*
Executable search path is: srv*
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18044.amd64fre.win7sp1_gdr.130104-1431
Machine Name:
Kernel base = 0xfffff800`03068000 PsLoadedModuleList = 0xfffff800`032ac670
Debug session time: Tue Oct 29 22:00:02.767 2013 (UTC - 5:00)
System Uptime: 0 days 5:20:00.610
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 109, {a3a039d89b4317a9, b3b7465eedbfe6ff, fffff80003412fea, 1}
Probably caused by : ntkrnlmp.exe ( nt! ?? ::NNGAKEGL::`string'+f140 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d89b4317a9, Reserved
Arg2: b3b7465eedbfe6ff, Reserved
Arg3: fffff80003412fea, Failure type dependent information
Arg4: 0000000000000001, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
Debugging Details:
------------------
FAULTING_IP:
nt! ?? ::NNGAKEGL::`string'+f140
fffff800`03412fea 488b4108 mov rax,qword ptr [rcx+8]
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x109
PROCESS_NAME: System
CURRENT_IRQL: 0
STACK_TEXT:
fffff880`033cb498 00000000`00000000 : 00000000`00000109 a3a039d8`9b4317a9 b3b7465e`edbfe6ff fffff800`03412fea : nt!KeBugCheckEx
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::NNGAKEGL::`string'+f140
fffff800`03412fea 488b4108 mov rax,qword ptr [rcx+8]
SYMBOL_NAME: nt! ?? ::NNGAKEGL::`string'+f140
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 50e79935
FAILURE_BUCKET_ID: X64_0x109_1_nt!_??_::NNGAKEGL::_string_+f140
BUCKET_ID: X64_0x109_1_nt!_??_::NNGAKEGL::_string_+f140
Followup: MachineOwner
---------
2: kd> lmvm nt
start end module name
fffff800`03068000 fffff800`0364f000 nt (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\ntkrnlmp.pdb\B09DFEAFE5F546ECA785C4F8577A2CC02\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Fri Jan 04 21:08:37 2013 (50E79935)
CheckSum: 0054E86D
ImageSize: 005E7000
File version: 6.1.7601.18044
Product version: 6.1.7601.18044
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7601.18044
FileVersion: 6.1.7601.18044 (win7sp1_gdr.130104-1431)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.
A few months back I got another crash while browsing a safe website. Here is the debug info for it:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: srv*
Executable search path is: srv*
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18044.amd64fre.win7sp1_gdr.130104-1431
Machine Name:
Kernel base = 0xfffff800`0300b000 PsLoadedModuleList = 0xfffff800`0324f670
Debug session time: Thu Jul 25 04:57:10.157 2013 (UTC - 5:00)
System Uptime: 0 days 4:35:05.001
Loading Kernel Symbols
.................................................. .............
.................................................. ..............
........................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd8018). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {ffffffffc0000005, fffff8000336eb51, 0, ffffffffffffffff}
Probably caused by : ntkrnlmp.exe ( nt!ObLogSecurityDescriptor+c2 )
Followup: MachineOwner
---------
3: kd> !analyze -v
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8000336eb51, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception
Debugging Details:
------------------
READ_ADDRESS: 0000000000000000
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!ObLogSecurityDescriptor+c2
fffff800`0336eb51 8b4614 mov eax,dword ptr [rsi+14h]
BUGCHECK_STR: 0x1E_c0000005_R
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff800030cb7e8 to fffff80003080c40
STACK_TEXT:
fffff880`09512c88 fffff800`030cb7e8 : 00000000`0000001e ffffffff`c0000005 fffff800`0336eb51 00000000`00000000 : nt!KeBugCheckEx
fffff880`09512c90 fffff800`030802c2 : fffff880`09513468 00000000`00000000 fffff880`09513510 00019a2f`00000000 : nt! ?? ::FNODOBFM::`string'+0x487ed
fffff880`09513330 fffff800`0307ebca : fffff8a0`0b52af24 fffff8a0`0b52af30 fffffa80`06676c8c 00000000`00000001 : nt!KiExceptionDispatch+0xc2
fffff880`09513510 fffff800`0336eb51 : 00000001`00800002 00000003`00140011 10000000`00000101 00000000`00004000 : nt!KiGeneralProtectionFault+0x10a
fffff880`095136a0 fffff800`0336e2e7 : 00000000`00000104 fffff880`09513740 ffffdcea`00000010 00000000`00000104 : nt!ObLogSecurityDescriptor+0xc2
fffff880`09513710 fffff800`0336f6f7 : fffff880`09513c40 fffffa80`06676c8c fffffa80`06676c40 00000000`00000000 : nt!SeDefaultObjectMethod+0x57
fffff880`09513760 fffff800`0336e572 : fffff8a0`02c77d60 fffffa80`0a6e28e0 00000000`00000000 00000000`00000000 : nt!ObpAssignSecurity+0xc7
fffff880`095137d0 fffff800`03370da3 : ffffffff`ffffffff fffffa80`0a18bb30 fffffa80`06b1cb50 00000000`00000000 : nt!ObInsertObjectEx+0x1e2
fffff880`09513a20 fffff800`033701ae : fffffa80`06b1cb50 fffffa80`0a18bb30 fffff880`09513ec0 fffff880`09513c00 : nt!PspInsertThread+0x2f3
fffff880`09513ba0 fffff800`03374049 : fffff8a0`0865e440 00000000`00000000 00000000`00000001 fffff880`095143d0 : nt!PspCreateThread+0x246
fffff880`09513e20 fffff800`0307fed3 : 00000000`00000000 00000000`00000000 00000000`00f80014 fffff8a0`0c66a7e0 : nt!NtCreateThreadEx+0x25d
fffff880`09514570 fffff800`0307c490 : fffff800`033767c8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
fffff880`09514778 fffff800`033767c8 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffdcea`65170e74 : nt!KiServiceLinkage
fffff880`09514780 fffff800`03073ec2 : 00000000`0000005c fffff880`09514a28 00000000`00000000 fffffa80`0aa901f0 : nt!RtlpCreateUserThreadEx+0x138
fffff880`095148a0 fffff800`0306c2a8 : 00000000`00000000 fffff880`09514a28 fffff880`09514b00 00000000`00000001 : nt!ExpWorkerFactoryCreateThread+0x92
fffff880`09514960 fffff800`0306c09b : 000007fe`00000001 fffffa80`09a56df0 fffff880`09514b60 00000000`00000000 : nt!ExpWorkerFactoryCheckCreate+0x180
fffff880`095149e0 fffff800`0307fed3 : fffffa80`0aa901f0 00000000`773445c0 00000000`00000000 00000000`0066ee38 : nt!NtWaitForWorkViaWorkerFactory+0x4da
fffff880`09514ae0 00000000`77292c1a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0066fad8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77292c1a
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ObLogSecurityDescriptor+c2
fffff800`0336eb51 8b4614 mov eax,dword ptr [rsi+14h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: nt!ObLogSecurityDescriptor+c2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 50e79935
FAILURE_BUCKET_ID: X64_0x1E_c0000005_R_nt!ObLogSecurityDescriptor+c2
BUCKET_ID: X64_0x1E_c0000005_R_nt!ObLogSecurityDescriptor+c2
Followup: MachineOwner
---------
3: kd> lmvm nt
start end module name
fffff800`0300b000 fffff800`035f2000 nt (pdb symbols) C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\sym\ntkrnlmp.pdb\B09DFEAFE5 F546ECA785C4F8577A2CC02\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Timestamp: Fri Jan 04 21:08:37 2013 (50E79935)
CheckSum: 0054E86D
ImageSize: 005E7000
File version: 6.1.7601.18044
Product version: 6.1.7601.18044
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrnlmp.exe
OriginalFilename: ntkrnlmp.exe
ProductVersion: 6.1.7601.18044
FileVersion: 6.1.7601.18044 (win7sp1_gdr.130104-1431)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.
I also used the analyze function in WhoCrashed and it gave me this info:
[FONT=Segoe UI, Arial]On Wed 10/30/2013 3:00:02 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\102913-4960-01.dmp
This was probably caused by the following module: [FONT=Segoe UI, Arial]ntoskrnl.exe[/FONT] (nt+0x75C40)
Bugcheck code: 0x109 (0xA3A039D89B4317A9, 0xB3B7465EEDBFE6FF, 0xFFFFF80003412FEA, 0x1)
Error: [FONT=Segoe UI, Arial]CRITICAL_STRUCTURE_CORRUPTION[/FONT]
file path: C:\Windows\system32\ntoskrnl.exe
product: [FONT=Segoe UI, Arial]Microsoft® Windows® Operating System[/FONT]
company: [FONT=Segoe UI, Arial]Microsoft Corporation[/FONT]
description: NT Kernel & System
Bug check description: This indicates that the kernel has detected critical kernel code or data corruption.
This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.
[/FONT]
[FONT=Segoe UI, Arial]On Wed 10/30/2013 3:00:02 AM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: [FONT=Segoe UI, Arial]ntkrnlmp.exe[/FONT] (nt!KeBugCheckEx+0x0)
Bugcheck code: 0x109 (0xA3A039D89B4317A9, 0xB3B7465EEDBFE6FF, 0xFFFFF80003412FEA, 0x1)
Error: [FONT=Segoe UI, Arial]CRITICAL_STRUCTURE_CORRUPTION[/FONT]
Bug check description: This indicates that the kernel has detected critical kernel code or data corruption.
This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.[/FONT]
[FONT=Segoe UI, Arial]On Thu 7/25/2013 9:57:10 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\072513-5007-01.dmp
This was probably caused by the following module: [FONT=Segoe UI, Arial]ntoskrnl.exe[/FONT] (nt+0x75C40)
Bugcheck code: 0x1E (0xFFFFFFFFC0000005, 0xFFFFF8000336EB51, 0x0, 0xFFFFFFFFFFFFFFFF)
Error: [FONT=Segoe UI, Arial]KMODE_EXCEPTION_NOT_HANDLED[/FONT]
file path: C:\Windows\system32\ntoskrnl.exe
product: [FONT=Segoe UI, Arial]Microsoft® Windows® Operating System[/FONT]
company: [FONT=Segoe UI, Arial]Microsoft Corporation[/FONT]
description: NT Kernel & System
Bug check description: This indicates that a kernel-mode program generated an exception which the error handler did not catch.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.[/FONT]
Does anyone have any idea what could have caused one or both of these? Could they both be related? Thank you.
Facebook
Twitter