PC BSoD - Need Help with Debugging/Diagnosing

Solved by Yamuda

PC has been unexpectedly shutting down lately (like every couple hours or so, it will crash). Even without any programs open. I have already scanned it with multiple programs for malware and it seems to be super clean now.

 

 

Problem signature:

  Problem Event Name: BlueScreen
  OS Version: 6.1.7601.2.1.0.256.48
  Locale ID: 1033
 
Additional information about the problem:
  BCCode: 109
  BCP1: A3A039D89567E558
  BCP2: B3B7465EE7E4B4AE
  BCP3: FFFFF80002E09453
  BCP4: 0000000000000001
  OS Version: 6_1_7601
  Service Pack: 1_0
  Product: 256_1
 
Files that help describe the problem:
  C:\Windows\Minidump\071114-13119-01.dmp
  C:\Users\Andal\AppData\Local\Temp\WER-36145-0.sysdata.xml
 
Read our privacy statement online:
 
If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

 

The WE-36145-0.sysdata.xml file wasn't in the folder so I chose 2 files (a dmp and xml) that were created at the same time, since this problem has been on-going for the past couple days now. If you really want this exact dmp file (without the xml) then I can upload it, just let me know. Thanks.

 

dmp: https://mega.co.nz/#!sYx2FLQQ!c8i4lPf4_0eERvNVAjdieIiid7OHuzYRVGeWF-hUlnA

xml: https://mega.co.nz/#!oFxxhKbB!mid_Xm7kMw2sJvqOqpdFE8A_x0AVO6OMUGiJcu1j6JY


Was able to debug it myself.

TL;DR - Corrupted memory.

Microsoft ® Windows Debugger Version 6.3.9600.17029 AMD64
Copyright © Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Users\Andal\Desktop\071114-12745-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
 
 
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18409.amd64fre.win7sp1_gdr.140303-2144
Machine Name:
Kernel base = 0xfffff800`02a5a000 PsLoadedModuleList = 0xfffff800`02c9d890
Debug session time: Fri Jul 11 11:30:03.437 2014 (UTC - 7:00)
System Uptime: 0 days 0:37:20.452
Loading Kernel Symbols
...............................................................
................................................................
....................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck 109, {a3a039d8957167b7, b3b7465ee7ee370d, fffff80002e09426, 1}
 
*** WARNING: Unable to verify timestamp for win32k.sys
*** ERROR: Module load completed but symbols could not be loaded for win32k.sys
Probably caused by : memory_corruption
 
Followup: memory_corruption
---------
 
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
2) A developer attempted to set a normal kernel breakpoint using a kernel
 debugger that was not attached when the system was booted. Normal breakpoints,
 "bp", can only be set if the debugger is attached at boot time. Hardware
 breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a039d8957167b7, Reserved
Arg2: b3b7465ee7ee370d, Reserved
Arg3: fffff80002e09426, Failure type dependent information
Arg4: 0000000000000001, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
 
Debugging Details:
------------------
 
 
FAULTING_IP: 
nt! ?? ::NNGAKEGL::`string'+17e50
fffff800`02e09426 83fb01          cmp     ebx,1
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  CODE_CORRUPTION
 
BUGCHECK_STR:  0x109
 
PROCESS_NAME:  System
 
CURRENT_IRQL:  0
 
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre
 
STACK_TEXT:  
fffff880`02fe1598 00000000`00000000 : 00000000`00000109 a3a039d8`957167b7 b3b7465e`e7ee370d fffff800`02e09426 : nt!KeBugCheckEx
 
 
STACK_COMMAND:  kb
 
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    fffff80002e0946c - nt! ?? ::NNGAKEGL::`string'+17e96
[ 74:76 ]
1 error : !nt (fffff80002e0946c)
 
MODULE_NAME: memory_corruption
 
IMAGE_NAME:  memory_corruption
 
FOLLOWUP_NAME:  memory_corruption
 
DEBUG_FLR_IMAGE_TIMESTAMP:  0
 
MEMORY_CORRUPTOR:  ONE_BIT
 
FAILURE_BUCKET_ID:  X64_MEMORY_CORRUPTION_ONE_BIT
 
BUCKET_ID:  X64_MEMORY_CORRUPTION_ONE_BIT
 
ANALYSIS_SOURCE:  KM
 
FAILURE_ID_HASH_STRING:  km:x64_memory_corruption_one_bit
 
FAILURE_ID_HASH:  {2dbb898e-c425-bad1-90fe-71c78117521f}
 
Followup: memory_corruption
---------
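
An added example, not part of the original post: a small Python parser for the fields of the !analyze -v output above that matter when triaging a 0x109 bugcheck, namely the Arg4 region type and the byte mismatch reported by !chkimg. The function names and the embedded sample (lines copied from the dump above) are assumptions of this example, and the two sides of the "[ xx:yy ]" pair are only compared, not labelled.

```python
import re

# Constructed sample: the relevant lines copied from the !analyze -v output on this page.
SAMPLE = """\
BugCheck 109, {a3a039d8957167b7, b3b7465ee7ee370d, fffff80002e09426, 1}
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    fffff80002e0946c - nt! ?? ::NNGAKEGL::`string'+17e96
[ 74:76 ]
1 error : !nt (fffff80002e0946c)
"""

# Arg4 values exactly as the debugger lists them for bugcheck 0x109.
REGION_TYPES = [
    "A generic data region", "Modification of a function or .pdata",
    "A processor IDT", "A processor GDT", "Type 1 process list corruption",
    "Type 2 process list corruption", "Debug routine modification",
    "Critical MSR modification",
]

BUGCHECK_RE = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
# An address (or address range) line followed by a "[ bytes:bytes ]" line.
CHKIMG_RE = re.compile(
    r"^\s*([0-9a-f`]+)(?:-[0-9a-f`]+)?\s.*\n\s*\[\s*([0-9a-f ]+?)\s*:\s*([0-9a-f ]+?)\s*\]",
    re.MULTILINE | re.IGNORECASE)

def parse_bugcheck(text):
    """Return (bugcheck code, [arg1..arg4]) as integers."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no BugCheck line found")
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def parse_chkimg(text):
    """Return [(address, differing_bit_count)] for each !chkimg mismatch."""
    out = []
    for addr, left, right in CHKIMG_RE.findall(text):
        a, b = bytes.fromhex(left), bytes.fromhex(right)
        bits = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
        out.append((int(addr.replace("`", ""), 16), bits))
    return out

def triage(text):
    """Summarise the crash: region type, mismatches, and whether one bit differs."""
    code, args = parse_bugcheck(text)
    mismatches = parse_chkimg(text)
    region = REGION_TYPES[args[3]] if args[3] < len(REGION_TYPES) else "unknown"
    return {"bugcheck": code, "region": region, "mismatches": mismatches,
            "offset_from_arg3": [addr - args[2] for addr, _ in mismatches],
            "one_bit": sum(bits for _, bits in mismatches) == 1}
```

For the dump above, triage(SAMPLE) reports a single differing bit (0x74 against 0x76) located 0x46 bytes past the address in Arg3, which agrees with the debugger's MEMORY_CORRUPTOR: ONE_BIT bucket. Reading a lone flipped bit as the hardware cause rather than a deliberate code patch is a heuristic, not something the minidump proves.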