Vista Blue Screen

**TanMan** · April 14, 2009

Well, I'm back again with another blue screen. You guys were so helpful last time, I thought I'd try again.

This machine is a Vista Home Premium x64 machine. I'm getting a blue screen every couple of days. I updated the video driver and ethernet driver a few weeks ago, so I suspect it's one of these. But I'd really like to narrow this down.

I had the blue screen create a Kernel dump (which is the largest dump I can select). !analyze -v shows:

Microsoft ® Windows Debugger Version 6.11.0001.404 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [\\kids02\c$\windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: srv*DownstreamStore*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18145.amd64fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0xfffff800`01e06000 PsLoadedModuleList = 0xfffff800`01fcbdb0
Debug session time: Mon Apr 13 22:16:55.864 2009 (GMT-4)
System Uptime: 1 days 7:50:19.892
Loading Kernel Symbols
...............................................................
................................................................
............
Loading User Symbols

Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C7, {fffffa8004df5850, 50, 4, 0}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+4352 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

TIMER_OR_DPC_INVALID (c7)
Kernel timer or DPC used incorrectly.
Arguments:
Arg1: fffffa8004df5850, Type of incorrect usage.
Arg2: 0000000000000050
Arg3: 0000000000000004
Arg4: 0000000000000000

Debugging Details:
------------------


OVERLAPPED_MODULE: Address regions for 'mrxsmb20' and 'nvlddmkm.sys' overlap

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xC7

PROCESS_NAME:  System

CURRENT_IRQL:  f

LAST_CONTROL_TRANSFER:  from fffff80001eaafa5 to fffff80001e5b350

STACK_TEXT:  
fffff800`02e989f8 fffff800`01eaafa5 : 00000000`000000c7 fffffa80`04df5850 00000000`00000050 00000000`00000004 : nt!KeBugCheckEx
fffff800`02e98a00 fffff800`01e637fc : 00000000`00000010 00000000`153cf4fd fffffa80`04df5be0 00000000`0000000c : nt! ?? ::FNODOBFM::`string'+0x4352
fffff800`02e98a70 fffff800`01e64238 : fffff800`02e98cd0 fffffa80`0634d602 fffff800`02e98cc8 fffffa60`00000010 : nt!KiTimerListExpire+0x27c
fffff800`02e98ca0 fffff800`01e64a9f : 000139ca`b8866b54 00000000`00000000 fffff800`00000010 fffff800`01f7da80 : nt!KiTimerExpiration+0x1d8
fffff800`02e98d10 fffff800`01e65b62 : fffff800`01f7a680 fffff800`01f7a680 00000000`00000000 fffff800`01f7fb80 : nt!KiRetireDpcList+0x1df
fffff800`02e98d80 fffff800`020335c0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x62
fffff800`02e98db0 00000000`fffff800 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!zzz_AsmCodeRange_End+0x4
fffff800`02e920b0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00680000`00000000 : 0xfffff800


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt! ?? ::FNODOBFM::`string'+4352
fffff800`01eaafa5 cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt! ?? ::FNODOBFM::`string'+4352

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  48d1ba35

FAILURE_BUCKET_ID:  X64_0xC7_nt!_??_::FNODOBFM::_string_+4352

BUCKET_ID:  X64_0xC7_nt!_??_::FNODOBFM::_string_+4352

Followup: MachineOwner
---------

However, I'm at a loss of how to proceed from here. Any advice would be greatly appreciated.

Thanks,

TanMan

**fizban2** · April 14, 2009

OVERLAPPED_MODULE: Address regions for 'mrxsmb20' and 'nvlddmkm.sys' overlap

Here is your issue, video drive is most likely overlapping into another applications memory region, trying dropping back down to the previous version of drivers and see if that helps

**TanMan** · April 14, 2009

I had upgraded those drivers because of a different blue screen I was getting, so downgrading isn't really an option. Is there any way to tell for sure whether it's the video driver?

**cluberti** · April 14, 2009

Overlapped modules aren't going to cause a C7, sorry to break it to you. This is actually normal on a Vista box due to ASLR.

Anyway, this is a driver issue, but without the .dmp file itself (at least a kernel dump) we won't be able to say for sure. However, I can tell you what the dbg help says about a C7 bugcheck:

Bug Check 0xC7: TIMER_OR_DPC_INVALID
The TIMER_OR_DPC_INVALID bug check has a value of 0x000000C7. This is issued if a kernel timer or delayed procedure call (DPC) is found somewhere in memory where it is not permitted.
Parameters
The following parameters are displayed on the blue screen.
Parameter Description
1
0: Timer object
1: DPC object
2: DPC routine
2 Address of object
3 Beginning of memory range checked
4 End of memory range checked
Cause
This condition is usually caused by a driver failing to cancel a timer or DPC before freeing the memory where it resides. When Driver Verifier is active, it will catch such errors and issue this bug check.
Resolving the Problem
If you are the driver writer, use the information obtained through this bug check to fix the bugs in your code.
If you are a system administrator, you should unload the driver if the problem persists.
For full details on Driver Verifier, see the Windows Driver Kit.

If you want a real answer, you're going to have to .zip and post the .dmp file somewhere so we can look at it.

**TanMan** · April 14, 2009

Hey cluberti! Of course I want the real answer!

2 questions. Will you accept a RAR (it's 75% of the ZIP), and can I FTP it to the same location as last time?

**cluberti** · April 14, 2009

Yes, and PM sent for upload location.

**TanMan** · April 14, 2009

Kernel dump uploaded. Thank you.

BTW, with Vista Home Premium x64, I only have two options for dumps, Small Memory Dump, and Kernel Memory Dump. There's no option for a Full Memory Dump. Sometimes M/S's decisions about what to leave out in the Home versions boggles the mind...

**cluberti** · April 15, 2009

Kernel dump uploaded. Thank you.
BTW, with Vista Home Premium x64, I only have two options for dumps, Small Memory Dump, and Kernel Memory Dump. There's no option for a Full Memory Dump. Sometimes M/S's decisions about what to leave out in the Home versions boggles the mind...

It's not there because you have more than 3GB of RAM, likely. You can still set it in the registry, and this has been a problem since Windows 2000, fwiw. It's not a Vista thing.

As to the dump, it appears to be an issue with patch protection on x64, and a misbehaving driver. I do believe it to be the nvidia driver, as the other queued DPCs are all TCPIP timers, but unfortunately I can't seem to get access to the callstack before the dump. I've seen this before though, and either you'll have to install the QFE kernel and hal.dll from KB 950772, or wait for Vista SP2 (the hotfix is included in SP2). It's not entirely easy to get a QFE update on a Vista machine, so unless you want to go through the entire process to extract the QFE for Vista and pkgmgr install it, I'd suggest waiting until Vista SP2 and apply SP2 when it releases to get the fix.

Also, I'd bring this to nvidia's attention, as there is some random odd patterns in the PTE memory for this, which would indicate potential driver corruption (hence the patch protection crash you see here).

Edited April 15, 2009 by cluberti
Added more info

**TanMan** · April 15, 2009

It's not there because you have more than 3GB of RAM, likely. You can still set it in the registry, and this has been a problem since Windows 2000, fwiw. It's not a Vista thing.

Ah. My bad. The only machines I have with 4GB also have Vista Home x64, so you can understand why I thought it was the O/S. I finally found the kb article that references that registry key, so I can create a full memory dump if that's needed.

Were you able to find anything in my kernel dump, or shall I attempt a full memory dump?

**cluberti** · April 15, 2009

See my last post.

**TanMan** · April 15, 2009

As to the dump, it appears to be an issue with patch protection on x64, and a misbehaving driver. I do believe it to be the nvidia driver, as the other queued DPCs are all TCPIP timers, but unfortunately I can't seem to get access to the callstack before the dump. I've seen this before though, and either you'll have to install the QFE kernel and hal.dll from KB 950772, or wait for Vista SP2 (the hotfix is included in SP2). It's not entirely easy to get a QFE update on a Vista machine, so unless you want to go through the entire process to extract the QFE for Vista and pkgmgr install it, I'd suggest waiting until Vista SP2 and apply SP2 when it releases to get the fix.
Also, I'd bring this to nvidia's attention, as there is some random odd patterns in the PTE memory for this, which would indicate potential driver corruption (hence the patch protection crash you see here).

OK. I think I understand the issue. The video driver (it's a Diamond video card with an ATI chipset, not nVidia) is causing memory corruption which in turn is corrupting the virtual memory paging table, which resulted in the Stop C7.

Note that Diamond's latest video driver is from December 2008, while ATI's current video driver is only a few days old. Unfortunately, the ATI driver does not install on my video card, so I have to use Diamond's. I'll try to get some support from them, but since they don't appear to stay current with ATI, I doubt I'll get any satisfaction from them.

Re the QFE kernel, do you think the updated page protection will stop the blue screen? I mean, if memory is getting corrupted by a privileged process, how can the kernel protect itself and stop the blue screen? I'll do this if you think it's worth a try. Let me know.

One more question. Since you think the problem is being caused by the video driver, do you think turning on the drive verifier will add any value?

**cluberti** · April 16, 2009

One more question. Since you think the problem is being caused by the video driver, do you think turning on the drive verifier will add any value?

The PTE table in question is for the nvidia network driver, not the video driver. I'm not sure how you got the video driver from my previous post, but I see nothing wrong with the ATI video driver. The queued DPC error appears to be coming from PTE corruption, and it looks like it's affecting the nvidia network driver (nvlddmkm.sys).

Hopefully I'm being clear, I thought I was.

**TanMan** · April 16, 2009

Hmmm. Curiouser and curiouser.... The network adapter is RealTek, not nVidia, and the drivers are rtlh64.sys and and rtnicprop64.dll. I was not aware that nVidia made network adapters, so I assumed you just meant the video driver. My bad.

So I checked Process Explorer to see if nvlddmkm.sys was loaded, and it was not. I then checked Device Manager to see if I had any nVidia devices at all, and I do not. So I checked my registry, and nvlddmkm.sys is indeed in there (in a couple of places). Based on the keys where I found it, it appears it was indeed used for a video driver.

Then I remembered that the machine had originally come with an nVidia video card which I had replaced with a better ATI card. So it appears nvlddmkm.sys is probably left over from the previous video card. It should never be loaded, however, since that card is no longer in the machine.

I found the offending file in C:\Windows\System32\Devices, so I renamed it. I'll reboot later tonight or tomorrow (the system is busy converting a video library) and see what, if anything, complains. I'll update this thread with those results.

I'm wondering why this driver got loaded at all. Since there was no nVidia device installed, it's no wonder it blue screened.

By the way, sorry if I'm obtuse about some things, I'm not nearly the Windows Internals expert that you guys are.

**TanMan** · April 17, 2009

After the reboot, I had an error in Event Viewer about an nVidia display driver unable to load because a file couldn't be found. Unable to find any nVidia services or devices, I checked Programs and Features and found two nVidia programs installed (a display driver and something called "PyhsX"). I uninstalled both and rebooted. It started up cleanly now. Hopefully this has now resolved the problem.

Thanks again for everyone's help, especially cluberti.

TanMan

April 18, 2009

Overlapped modules aren't going to cause a C7, sorry to break it to you. This is actually normal on a Vista box due to ASLR.
Anyway, this is a driver issue, but without the .dmp file itself (at least a kernel dump) we won't be able to say for sure. However, I can tell you what the dbg help says about a C7 bugcheck:
Bug Check 0xC7: TIMER_OR_DPC_INVALID
The TIMER_OR_DPC_INVALID bug check has a value of 0x000000C7. This is issued if a kernel timer or delayed procedure call (DPC) is found somewhere in memory where it is not permitted.
Parameters
The following parameters are displayed on the blue screen.
Parameter Description
1
0: Timer object
1: DPC object
2: DPC routine
2 Address of object
3 Beginning of memory range checked
4 End of memory range checked
Cause
This condition is usually caused by a driver failing to cancel a timer or DPC before freeing the memory where it resides. When Driver Verifier is active, it will catch such errors and issue this bug check.
Resolving the Problem
If you are the driver writer, use the information obtained through this bug check to fix the bugs in your code.
If you are a system administrator, you should unload the driver if the problem persists.
For full details on Driver Verifier, see the Windows Driver Kit.
If you want a real answer, you're going to have to .zip and post the .dmp file somewhere so we can look at it.

i will not.....

Sign In

Vista Blue Screen

Recommended Posts

TanMan

fizban2

TanMan

cluberti

TanMan

cluberti

TanMan

cluberti

TanMan

cluberti

TanMan

cluberti

TanMan

TanMan

Guest sudioy

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Activity

Browse