Vista - Bsod irql_not_less_or_equal

Old 10-25-2008   #1 (permalink)


x64
 
 

Bsod irql_not_less_or_equal

Hi,

Thanks in advance for any help.

I've copied the Memory.dmp file below. The only pattern appears to be when I'm opening or using significant memory, e.g. copying or moving images, playing Command and Conquer etc.

I've added an external USB HDD, a few software apps and I've loaded the latest drivers for NVidia and Creative because (in my experience) most issues relate to one or the other.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Code:
 
Symbol search path is: SRV*c:\symbols*Symbol information
Executable search path is: 
Windows Server 2008 Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18145.amd64fre.vistasp1_gdr.080917-1612
Kernel base = 0xfffff800`02601000 PsLoadedModuleList = 0xfffff800`027c6db0
Debug session time: Fri Oct 24 23:13:06.585 2008 (GMT+1)
System Uptime: 0 days 0:07:10.413
Loading Kernel Symbols
.........................................................................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffdd018). Type ".hh dbgerr001" for details
Loading unloaded module list
...........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck 1E, {ffffffffc0000005, fffffa6000a0e248, 0, ffffffffffffffff}
 
Page aa9ba not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 000007ff`fffdd018). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 000007ff`fffdd018). Type ".hh dbgerr001" for details
Probably caused by : Unknown_Image ( PAGE_NOT_ZERO_VISTA )
 
Followup: MachineOwner
---------
 
*** Memory manager detected 2 instance(s) of page corruption, target is likely to have memory corruption.
 
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
 
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffffa6000a0e248, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception
 
Debugging Details:
------------------
 
Page aa9ba not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 000007ff`fffdd018). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 000007ff`fffdd018). Type ".hh dbgerr001" for details
 
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
 
FAULTING_IP: 
fltmgr!TreeFindNodeOrParent+8
fffffa60`00a0e248 498b4220 mov rax,qword ptr [r10+20h]
 
EXCEPTION_PARAMETER1: 0000000000000000
 
EXCEPTION_PARAMETER2: ffffffffffffffff
 
READ_ADDRESS: ffffffffffffffff 
 
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
 
BUGCHECK_STR: 0x1E
 
PROCESS_NAME: svchost.exe
 
CURRENT_IRQL: 1
 
BAD_PAGES_DETECTED: 2
 
LAST_CONTROL_TRANSFER: from fffff8000262fe47 to fffff80002656350
 
STACK_TEXT: 
fffffa60`0f231378 fffff800`0262fe47 : 00000000`0000001e ffffffff`c0000005 fffffa60`00a0e248 00000000`00000000 : nt!KeBugCheckEx
fffffa60`0f231380 fffff800`026561a9 : fffffa60`0f231ab8 fffffa80`043abbb8 fffffa60`0f231b60 fffffa80`0447c360 : nt! ?? ::FNODOBFM::`string'+0x29317
fffffa60`0f231980 fffff800`02654d8d : fffffa80`04eac060 80000000`100bc963 00000000`00000002 fffffa60`0101b97f : nt!KiExceptionDispatch+0xa9
fffffa60`0f231b60 fffffa60`00a0e248 : fffffa60`00a0e1cb fffffa80`04c4c010 fffffa80`04c4c028 fffffa80`04c4c010 : nt!KiGeneralProtectionFault+0xcd
fffffa60`0f231cf8 fffffa60`00a0e1cb : fffffa80`04c4c010 fffffa80`04c4c028 fffffa80`04c4c010 fffffa80`052af040 : fltmgr!TreeFindNodeOrParent+0x8
fffffa60`0f231d00 fffffa60`00a3e027 : 00000000`00000000 fffffa80`043abb20 fffffa80`043abb20 00000000`00000001 : fltmgr!TreeInsert+0x2b
fffffa60`0f231d30 fffffa60`00a10c4a : fffffa80`04c4c010 fffffa80`043abb20 fffffa80`0447c300 fffffa80`052afe10 : fltmgr!FltpCacheCreateNames+0x2f7
fffffa60`0f231db0 fffffa60`00a2726c : fffffa80`052af040 fffffa80`052af8d0 fffffa80`041e4c00 fffffa60`0f231e70 : fltmgr! ?? ::FNODOBFM::`string'+0x236f
fffffa60`0f231e20 fffff800`028dbd83 : 00000000`00000060 00000000`00000240 fffffa80`04b3a628 fffff880`098a0210 : fltmgr!FltpCreate+0x25d
fffffa60`0f231ed0 fffff800`028d5672 : fffffa80`052af040 00000000`00000000 fffffa80`0a65eb10 00000000`00000000 : nt!IopParseDevice+0x5e3
fffffa60`0f232070 fffff800`028d9944 : ffffffff`800025cc fffffa80`0a6bcb00 fffffa80`00000240 00000000`00000000 : nt!ObpLookupObjectName+0x202
fffffa60`0f232180 fffff800`028e5ee0 : 00000000`00000081 fffffa60`0f232630 00000000`00000000 fffffa80`0488ca00 : nt!ObOpenObjectByName+0x2f4
fffffa60`0f232250 fffff800`028b261a : fffffa60`0f232518 00000000`00000081 fffff880`098a0210 fffffa60`0f232550 : nt!IopCreateFile+0x290
fffffa60`0f2322f0 fffffa60`00a28dc9 : 00000000`00000000 fffffa60`0f232620 00000000`00000000 00000000`00000081 : nt!IoCreateFileEx+0xfa
fffffa60`0f232390 fffffa60`00a59f50 : 00000000`00000007 00000000`00000000 fffffa60`0f232518 fffffa60`0f232508 : fltmgr!FltCreateFileEx2+0x169
fffffa60`0f232480 fffff800`0295b217 : fffffa80`039c6501 fffff800`0265d201 00000000`00000000 fffffa80`05ccbd60 : fileinfo!FIPfInterfaceOpen+0x400
fffffa60`0f232600 fffff800`02a03aa7 : 00000000`00000081 ffffffff`ffe91ca0 fffffa60`0f232718 fffffa80`00000000 : nt!PfpOpenHandleCreate+0x117
fffffa60`0f2326d0 fffff800`02a05dc6 : 00000000`00000000 fffff880`0da0b980 fffff880`0da00000 fffffa60`00000060 : nt!PfpFileBuildReadSupport+0xe7
fffffa60`0f2327c0 fffff800`02a2f7a9 : fffff880`00000000 00000000`00000001 00000000`000003d9 00000000`00000000 : nt!PfpPrefetchFilesTrickle+0x126
fffffa60`0f2328c0 fffff800`02a2fa62 : 00000000`00000000 fffffa60`0f232ca0 fffffa60`0f232a08 fffff880`0da00001 : nt!PfpPrefetchRequestPerform+0x2f9
fffffa60`0f232960 fffff800`02a2fcc6 : fffffa60`0f232a08 00000000`00000001 fffffa80`0a23bc80 00000000`00000000 : nt!PfpPrefetchRequest+0x171
fffffa60`0f2329d0 fffff800`02a423f8 : 00000000`00000000 00000000`00000004 00000000`00000000 00000000`05ffef01 : nt!PfSetSuperfetchInformation+0x1a5
fffffa60`0f232ab0 fffff800`02655df3 : fffffa80`04eac060 00000000`05fff790 fffffa80`048ea201 00000000`000a47f6 : nt!NtSetSystemInformation+0x8fb
fffffa60`0f232c20 00000000`773370ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`05fff6e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x773370ea
 
 
STACK_COMMAND: kb
 
SYMBOL_NAME: PAGE_NOT_ZERO_VISTA
 
FOLLOWUP_NAME: MachineOwner
 
MODULE_NAME: Unknown_Module
 
IMAGE_NAME: Unknown_Image
 
DEBUG_FLR_IMAGE_TIMESTAMP: 0
 
BUCKET_ID: PAGE_NOT_ZERO_VISTA
 
Followup: MachineOwner
---------
 
*** Memory manager detected 2 instance(s) of page corruption, target is likely to have memory corruption.
 
Old 10-29-2008   #2 (permalink)


Windows 7 , Vista
 
 

Re: Bsod irql_not_less_or_equal

Hi. . .

The bugcheck found in that full kernel dump is 0x0000001e (0xffffffffc0000005, 0xfffffa6000a0e248, 0x0, 0xffffffffffffffff), listing a probable cause of "unknown image" (the driver name could not be read) and occurred while svchost.exe was running.

0x0000001e = 0x1e = KMODE_EXCEPTION_NOT_HANDLED and indicates that a kernel-mode app generated an exception not caught by the error handler. The exception here can be found by looking at the first parameter (1st # inside the parenthesis) = 0xffffffffc0000005 - which tells us that a memory access violation occurred. Parm #4 is the memory address of the object that the "unknown image" attempted to access. That doesn't do us any good here even w/ a full kernel dump to work with because parm 4 is all high-values and not a valid memory address.

Just to note, I did not find any reference in the dbug log to the infamous IRQL_NOT_LESS_OR_EQUAL, which is a bugcheck 0x0000000a (0xa). Did you have a 0xa BSOD in addition to this 0x1e crash? If so when?

A look at the right side of the stack text tells us that the Microsoft modules nt and fltmgr were busy. It appears to me that the red portion BSOD line below "TreeFindNodeOrParent" may be referring to a drive, directory (folder) or parental sub-directory of a newly created object, which could be a system service.

Code:
STACK_TEXT: 
00000`00000000 : nt!KeBugCheckEx
ffa80`0447c360 : nt! ?? ::FNODOBFM::`string'+0x
ffa60`0101b97f : nt!KiExceptionDispatch+0xa9
ffa80`04c4c010 : nt!KiGeneralProtectionFault+0x 
ffa80`052af040 : fltmgr!TreeFindNodeOrParent+0x8  ←←← BSOD
00000`00000001 : fltmgr!TreeInsert+0x2b
ffa80`052afe10 : fltmgr!FltpCacheCreateNames+0
ffa60`0f231e70 : fltmgr! ?? ::FNODOBFM::`strin
ff880`098a0210 : fltmgr!FltpCreate+0x25d
00000`00000000 : nt!IopParseDevice+0x5e3
00000`00000000 : nt!ObpLookupObjectName+0x202
ffa80`0488ca00 : nt!ObOpenObjectByName+0x2f4
ffa60`0f232550 : nt!IopCreateFile+0x290
00000`00000081 : nt!IoCreateFileEx+0xfa
ffa60`0f232508 : fltmgr!FltCreateFileEx2+0x169
ffa80`05ccbd60 : fileinfo!FIPfInterfaceOpen+0x400
ffa80`00000000 : nt!PfpOpenHandleCreate+0x117
ffa60`00000060 : nt!PfpFileBuildReadSupport+0xe
00000`00000000 : nt!PfpPrefetchFilesTrickle+0x1
ff880`0da00001 : nt!PfpPrefetchRequestPerform+0
00000`00000000 : nt!PfpPrefetchRequest+0x171
00000`05ffef01 : nt!PfSetSuperfetchInformation+
00000`000a47f6 : nt!NtSetSystemInformation+0x8
f00000`00000000 : nt!KiSystemServiceCopyEnd+0x13
I think we may be looking for a driver from a system service - or for a service that is having difficulty in creating or locating drives and folders.

I'd like to see a driver query report -
START | type cmd.exe into the start search box | right-click on cmd.exe above under Programs | select Run as Administrator | the black cmd/"DOS" screen will appear | copy/paste the following into it (to paste into the DOS screen, right-click near the top of the screen, select Edit, select Paste) - then hit enter if necessary:

Code:
driverquery /v  >  %temp%\drv.txt & start notepad %temp%\drv.txt
A Notepad will appear containing the driver query - save it as a text file.

Also a msinfo32 NFO file would be helpful -
START | type msinfo32 into the start search box & hit enter | click on File | Save as an NFO file (default extension)

Zip up the msinfo32 NFO file and the driver query text file and attach to your next post.

While you have the admin DOS screen open - run chkdsk /r - then re-boot to allow volume to be dis-mounted.

Regards. . .

jcgriff2

.

Last edited by jcgriff2; 10-29-2008 at 09:30 PM..
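
The decoding steps described in the reply above, written out as an added example (not part of the original posts, and not the debugger's own logic): it reads the `BugCheck` line and `STACK_TEXT` from a trimmed copy of the first post's log, names the bugcheck, decodes the 0x1e parameters and reports the frame directly below the kernel trap handlers. The function names and the trap-handler heuristic are assumptions of this example.

```python
import re

# Bugcheck names as they are given in this thread (not a complete table).
BUGCHECKS = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x3B: "SYSTEM_SERVICE_EXCEPTION",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x109: "CRITICAL_STRUCTURE_CORRUPTION",
    0x127: "PAGE_NOT_ZERO",
}
STATUS_ACCESS_VIOLATION = 0xC0000005
# First exception parameter of an access violation: the kind of access.
AV_ACCESS = {0: "read", 1: "write", 8: "execute"}

# Trimmed copy of the WinDbg output in the first post (some frames left out).
SAMPLE = r"""
BugCheck 1E, {ffffffffc0000005, fffffa6000a0e248, 0, ffffffffffffffff}
STACK_TEXT:
fffffa60`0f231378 fffff800`0262fe47 : 00000000`0000001e ffffffff`c0000005 fffffa60`00a0e248 00000000`00000000 : nt!KeBugCheckEx
fffffa60`0f231380 fffff800`026561a9 : fffffa60`0f231ab8 fffffa80`043abbb8 fffffa60`0f231b60 fffffa80`0447c360 : nt! ?? ::FNODOBFM::`string'+0x29317
fffffa60`0f231980 fffff800`02654d8d : fffffa80`04eac060 80000000`100bc963 00000000`00000002 fffffa60`0101b97f : nt!KiExceptionDispatch+0xa9
fffffa60`0f231b60 fffffa60`00a0e248 : fffffa60`00a0e1cb fffffa80`04c4c010 fffffa80`04c4c028 fffffa80`04c4c010 : nt!KiGeneralProtectionFault+0xcd
fffffa60`0f231cf8 fffffa60`00a0e1cb : fffffa80`04c4c010 fffffa80`04c4c028 fffffa80`04c4c010 fffffa80`052af040 : fltmgr!TreeFindNodeOrParent+0x8
fffffa60`0f232390 fffffa60`00a59f50 : 00000000`00000007 00000000`00000000 fffffa60`0f232518 fffffa60`0f232508 : fltmgr!FltCreateFileEx2+0x169
fffffa60`0f232480 fffff800`0295b217 : fffffa80`039c6501 fffff800`0265d201 00000000`00000000 fffffa80`05ccbd60 : fileinfo!FIPfInterfaceOpen+0x400
fffffa60`0f232ab0 fffff800`02655df3 : fffffa80`04eac060 00000000`05fff790 fffffa80`048ea201 00000000`000a47f6 : nt!NtSetSystemInformation+0x8fb
00000000`05fff6e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x773370ea
"""

ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME_RE = re.compile(rf"^{ADDR} {ADDR} : (?:{ADDR} ){{4}}: (?P<sym>.+?)[ \t]*$", re.M)
SYM_RE = re.compile(r"^(?P<mod>\w+)!\s*(?P<fn>.+?)(?:\+0x[0-9a-f]+)?$")
TRAP_RE = re.compile(r"^Ki\w*(Fault|ExceptionDispatch)$")

def parse_frames(text):
    """Return [(module, function)] per stack line; module is None if unsymbolized."""
    frames = []
    for m in FRAME_RE.finditer(text):
        s = SYM_RE.match(m.group("sym"))
        frames.append((s.group("mod"), s.group("fn")) if s else (None, m.group("sym")))
    return frames

def is_trap(frame):
    mod, fn = frame
    return mod == "nt" and TRAP_RE.match(fn) is not None

def faulting_frame(frames):
    """Heuristic: the frame directly below the kernel trap handlers faulted."""
    for upper, lower in zip(frames, frames[1:]):
        if is_trap(upper) and not is_trap(lower):
            return lower
    return None

def triage(text):
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    if m is None:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    frames = parse_frames(text)
    report = {"bugcheck": BUGCHECKS.get(code, hex(code)), "args": args}
    if code == 0x1E:
        # Arg1 is a sign-extended NTSTATUS; keep the low 32 bits.
        status = args[0] & 0xFFFFFFFF
        if status == STATUS_ACCESS_VIOLATION:
            report["exception"] = f"access violation ({AV_ACCESS.get(args[2], 'unknown')})"
            # All ones in Arg4 means there is no usable target address.
            report["address_usable"] = args[3] != 0xFFFFFFFFFFFFFFFF
    hit = faulting_frame(frames)
    report["faulting_frame"] = f"{hit[0]}!{hit[1]}" if hit and hit[0] else None
    # Modules in the order they first appear on the stack.
    report["modules"] = list(dict.fromkeys(mod for mod, _ in frames if mod))
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```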
Old 10-31-2008   #3 (permalink)


x64
 
 

Re: Bsod irql_not_less_or_equal

Hi,

Thanks for the reply and great insight.

I've attached the driver and info files you mentioned.

In addition, the problem seems to be occurring less since I restored using a restore point. In my view the root cause appears to be related to the NVidia drivers.

Cheers,
Richard
Attached Files
File Type: zip debug (msinfo & drv).zip (60.3 KB, 24 views)
Old 11-02-2008   #4 (permalink)


Windows 7 , Vista
 
 

Re: Bsod irql_not_less_or_equal

Hi Richard. . .

Thanks for the reports.

I hear what you are saying about the NVIDIA drivers - I have seen quite a few roll back the updates. But I found more here than just a possible NVIDIA connection. During the 8 day period from Oct 17 – Oct 25 your system had at least 26 BSODs and 14 app crashes. Only a few of the BSOD bugchecks were visible to me in WERCON –

0x109 = CRITICAL_STRUCTURE_CORRUPTION = the kernel has detected corruption.

0xa = IRQL_NOT_LESS_OR_EQUAL = a kernel mode driver accessed paged memory when it should not have. 9/10 times I see this w/ 1st parm (inside parenthesis) = 0xc0000005 – a memory violation by a driver.

0x3b = SYSTEM_SERVICE_EXCEPTION = an exception happened while the app was transitioning into kernel code territory. NVIDIA would certainly fit nicely into this one during a GUI crossing.

0x127 = PAGE_NOT_ZERO = a page (virtual RAM) should have been zeroed out but was not. This could be caused by a kernel driver modifying a page after freeing it.

0x50 = PAGE_FAULT_IN_NONPAGED_AREA = invalid system memory was referenced. Usually this is seen after the installation of a faulty hardware, after a program install of system service or HDD corruption – would be good to run chkdsk /r here.

Code:
24/10/2008 22:08              Windows Error Reporting  Fault bucket X64_0xA_nt!MiUnlinkFreeOrZeroedPage+db, type 0
Event Name: BlueScreen
Response: None
C
23/10/2008 20:18              Windows Error Reporting  Fault bucket X64_0x50_Ntfs!memcpy+41, type 0
Event Name: BlueScreen
Response: None
Cab Id: 0
24/10/2008 22:12              Windows Error Reporting  Fault bucket 1051737, type 4
Event Name: APPCRASH
Response: None
Cab Id: 0

23/10/2008 21:03              Windows Error Reporting  Fault bucket PAGE_NOT_ZERO_VISTA, type 0
Event Name: BlueScreen
Response: None
Cab Id: 0
23/10/2008 21:15              Windows Error Reporting  Fault bucket PAGE_NOT_ZERO_VISTA, type 0
Event Name: BlueScreen
Response: None
Cab Id: 0
19/10/2008 20:18              Windows Error Reporting  Fault bucket PAGE_NOT_ZERO_VISTA, typeFault bucket 9037808, type 5
Event Name: PnPGenericDriverFound
Response: None
23/10/2008 20:18              Windows Error Reporting  Fault bucket X64_0x50_Ntfs!memcpy+41, ty17/10/2008 22:56               Application Hang       The program Explorer.EXE version 6.0.6001.18000 stopped interacting with Wind
23/10/2008 21:03              Windows Error Reporting  Fault bucket PAGE_NOT_ZERO_VISTA, type18/10/2008 19:41  Application Hang  The program iexplore.exe version 7.0.6001.18000 stopped interacting with Wind
23/10/2008 21:15              Windows Error Reporting  Fault bucket PAGE_NOT_ZERO_VISTA, type19/10/2008 09:22  Application Hang  The program game.dat version 0.0.0.0 stopped interacting with Windows and wa
19/10/2008 10:14              Application Hang  The program NOTEPAD.EXE version 6.0.6001.18000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check th
19/10/2008 12:10              Application Hang  The program SndVol.exe version 6.0.6001.18000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the p 

That is what I was looking at trying to see into WERCON (Windows Problem Reports & Solutions). Every one of the 12 app hangs had an NT STATUS exception code = 0xc00000005 – a memory access violation. Most of the faulting modules were Microsoft: sysmain.dll (Superfetch), explorer.exe (Windows Explorer), iexplore.exe (IE7), netdll.dll (network/IE7), msascui.exe (Windows Defender) and ole32.dll (Outlook). There were also 2 belonging to Kaspersky - kl1.sys and klif.sys.

I found another likely cause of this mess:
Code:
cmdGuard COMODO Firewall Pro Sa COMODO Firewall Pro Sa File System   System     Running    OK         TRUE        FALSE        0          53,248     0      21/05/2008 16:43:03    C:\Windows\system32\DRIVERS\cmdguard.sys         8,192   
 
cmdHlp COMODO Firewall Pro He COMODO Firewall Pro He Kernel        System     Running    OK         TRUE        FALSE        0          16,384     0      21/05/2008 16:40:32    C:\Windows\system32\DRIVERS\cmdhlp.sys           4,096 

COMODO could have been responsible for the various bugchecks, but usually when I see such a variety there is a hardware issue. In addition to running chkdsk, run memtest for RAM check. I noticed there was no WERCON history before Oct 17 - did you delete it or was this a fresh Vista install? The latter would be a preferred remedy here now. In the interim, I would suggest that you un-install COMODO, re-boot then reset the Windows Firewall. Now run the System File Checker - SFC -
START | type cmd.exe | right-click on cmd.exe above under Programs – type this:

sfc /scannow

Then re-boot to allow repairs to take place that need the HDD dismounted. You should also look at the Event Viewer logs and WERCON (START | type wercon).
I was curious about these 2 -

Code:
E1G60    Intel(R) PRO/1000 NDIS      Kernel    Manual   
08/07/2007          17:15:10               
C:\Windows\system32\DRIVERS\E1G6032E.sys  
Code:
 NVENETFD  NVIDIA nForce 10/100/1               Kernel    Manual   
08/01/2008          19:38:28               
C:\Windows\system32\DRIVERS\nvmfdx64 
They both appear to be Ethernet. The NVIDIA as you can see is recent and the Intel is Aug 2007. That should have an update should you want it -
http://www.intel.com/support/network/sb/cs-023752.htm

But why both? Don’t they perform the same function?

Please run a Vista health report – but it must be saved in HTML format (web page) to be of any use to me - and it must be run from an elevated admin cmd prompt - bring one up and type:

perfmon /report

It will take ~ 60 seconds. Zip up the HTML file and attach to your next post. I would appreciate knowing the outcome of the COMODO removal & SFC.

Regards. . .

Jcgriff2

.

Last edited by jcgriff2; 11-02-2008 at 09:16 AM..
Old 11-09-2008   #5 (permalink)


x64
 
 

Re: Bsod irql_not_less_or_equal

Hi,

Thanks for the info regarding the COMODO app. Ironically, I've not actually had a single BSOD instance for over 2 weeks since I rolled back the NVIDIA drivers. In my experience of Windows, most issues seem to stem from incompatibility problems between graphics and soundcards and/or MS drivers.

I installed a new update of COMODO a few days ago, and [touch wood], it seems stable.

I ran a memory test and chkdsk /f a number of times when the BSOD was occurring often and didn't have any reported problems with either.

Would you still recommend:

1) Uninstalling COMODO and remounting HDD (sfc /scannow)
2) Updating NVIDIA network adapter drivers
3) Running the performance report

Cheers for all your help!

Thanks,
Richard
Old 11-09-2008   #6 (permalink)


Windows 7 , Vista
 
 

Re: Bsod irql_not_less_or_equal

If COMODO is working for you - that's OK. It is just that I have seen COMODO cause many problems in Vista. I still am concerned that you have KIS installed as well. I believe COMODO &/or Kaspersky firewall related to all of the 0xc...5 exceptions (memory access violation) causing app crashes (these are not BSODs).

Running sfc /scannow can't hurt here and may be of some help.

You can pass on the performance report for now.

For info, I am a Moderator of Microsoft Support at another forum (I write for several) and have > 5,000 postings in one alone, most dealing with BSODs in the Vista Forum. This is where I have obtained the knowledge about COMODO and KIS re: 0xc..5 exceptions.

Where does the Intel Ethernet fit in here?

Regards. . .

jcgriff2

.