*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {0, 2, 8, 0}
Probably caused by : ntkrnlmp.exe ( nt!KiPageFault+260 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000008, value 0 = read operation, 1 = write operation
Arg4: 0000000000000000, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002eb9100
0000000000000000
CURRENT_IRQL: 2
FAULTING_IP:
+0
00000000`00000000 ?? ???
PROCESS_NAME: System
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
TRAP_FRAME: fffff80000b9c740 -- (.trap 0xfffff80000b9c740)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff80000b9c801 rbx=0000000000000000 rcx=fffffa80062c9cd8
rdx=fffff80000b9c8d8 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000000 rsp=fffff80000b9c8d0 rbp=0000000000000000
r8=fffff80000b9c8d0 r9=0000000000000000 r10=0000000000000000
r11=000000005e040600 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
00000000`00000000 ?? ???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff80002c861e9 to fffff80002c86c40
FAILED_INSTRUCTION_ADDRESS:
+0
00000000`00000000 ?? ???
STACK_TEXT:
fffff800`00b9c5f8 fffff800`02c861e9 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000008 : nt!KeBugCheckEx
fffff800`00b9c600 fffff800`02c84e60 : fffffa80`0a90e038 00000000`00000000 fffffa80`0a90e030 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff800`00b9c740 00000000`00000000 : 00000000`00000200 00000000`5e040600 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiPageFault+260
fffff800`02c84e60 440f20c0 mov rax,cr8
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiPageFault+260
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3
FAILURE_BUCKET_ID: X64_0xD1_CODE_AV_NULL_IP_nt!KiPageFault+260
BUCKET_ID: X64_0xD1_CODE_AV_NULL_IP_nt!KiPageFault+260
Followup: MachineOwner
---------
Probably caused by : ntkrnlmp.exe - Don't believe these lies
This is nearly impossible, however the debugger usually shows this as the cause because it's the last thing in the stack trace to show an error. And furthermore, this is usually because it gets sent in bad data following the crash, so the crash dump journalist that places the dumps in your system drive likes to blame it all on that NT symbol. It's honestly the same as to compare a kid that was told a rumour and caught for telling another person, ultimately getting in trouble for something that he heard and just passed on to another person from the being told it by initial "rumour starter" if that makes sense to you.
Argument 1 and 4 show a reference to the memory as shown, and parameter 3 shows that it was from an execution method, meaning it was most likely caused by a driver that was trying to execute a code function when the function itself was paged out and was running at an elevated IRQL, which includes a lock from the operational thread on that function from the process calling to it. This can mean several things for this stop error:
- There was an unloaded driver at the time of the function call to the reference driver
- The function was called by using a function pointer that was an invalid pointer and the address was incorrect
So now the fun begins
1) Download and run
Memtest86 on boot:
http://www.memtest86.com
Make sure to let it run and do it's thing for about the first 6 tests. If it passes those, then everything should be good, otherwise any failure to pass those tests indicates a corruption in your memory.
If you get an error on one of the tests, then you should try by booting up your computer with each RAM inserted separately one at a time. When you find one that doesn't return any errors then test it in every single RAM slot to test for a bad socket.
2) Run driver verifier and post your next crash dump in the following post after mine. This is a more accurate method to determine a conflicting driver for your crash.
Driver Verifier: Note make sure you backup your data first
If you have access to another computer you can contact us through your other working system in case any problems prevent you from getting into Windows. Make a System Restore point as well.
A startup repair disk may assist you in a system restore during boot if you can't get into Windows as well. In Windows 7 you can make a Startup Repair disk by going to Start > All Programs > Maintenance > "Create a System Repair Disc". With Windows Vista you'll have to use your installation CD/DVD or the "Repair your computer" option in the F8/Safe mode boot menu
Follow these steps:
- Go to Start and type in "verifier.exe" and press Enter
- Select "Create custom settings (for code developers)" and click "Next"
- Select "Select individual settings from a full list" and click "Next"
- Select everything EXCEPT FOR "Low Resource Simulation" and click "Next"
- Select "Select driver names from a list" and click "Next"
Then select all drivers NOT provided by Microsoft and click "Next"
- Select "Finish" on the next page.
Reboot the system and wait for it to crash to the BSOD. Continue to use your system normally, and if you know what causes the crash, do that repeatedly. The objective here is to get the system to crash because Driver Verifier is stressing the drivers out. If it doesn't crash for you, then let it run for at least 48 hours (recommended) of continuous operation to make sure.
If you can't get into Windows because it crashes too soon, try it in Safe Mode (recommended) or boot from Last Known Good Configuration.
If you can't get into Safe Mode, try using System Restore from your installation DVD or startup repair menu to set the system back to the previous restore point that you created.
Make sure your minidumps are enabled still, and post the new crash dump logs in the next post.
For crash dumps to be available:
1) The Page file must be on OS drive (set by Windows default)
2) The Page file base allocation size must be more than the installed physical RAM (set by Windows default - system managed)
3) Windows Error Reporting system service should be set to Manual (set by Windows default)
4) Set Page file to system managed, on OS drive (set by Windows default)
Set System Recovery Settings to "Kernel Memory Dump" in the System Properties > Advanced tab, which will allow for the creation of:
1) Full Kernel Memory Dump - C:\Windows\memory.dmp
2) Mini Kernel Dump - C:\Windows\Minidump
The Full Kernel is overwritten on each BSOD, but a new mini kernel dump is created with a different name for each BSOD (different timestamp filenames)
All 3 crash dumps basically have the same pattern as the one in my quoted bugcheck analysis.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
For your information though, and non-related to the crash dump, I know a bit about computer security, and Mcafee is a horrible AV comparative to others like Kaspersky, Norton (Recommended versions 2010 and up only), and the latest Bitdefender. Personally I like Norton, because it's more configurable than Bitdefender, and it has an amazing firewall, but Kaspersky is also minimal on a system but has a high protection rate.
