BSOD memory management after recent RMA

ubuysa

ubuysa

The BSOD Doctor
Quarter said:
Windows Resource Protection did not find any integrity violations.
Click to expand...
That screenshot screams malware at me.

Perhaps you have manually (or accidentally) modified the default app for .dmp files to Internet Explorer? That doesn't explain why you can't access those minidumps though. That's why I'm thinking malware. Malware would certainly want to stop you getting dumps anaylsed because they would likely identify the malware.

I would download Malwarebyte's Antimalware (be sure to NOT activate the Premium/Pro options) and do a thorough scan of your entire system.

In addition I'd get Defender to do an offline scan. Go to Settings > Update & Security > Windows Security and click Open Windows Security.
In Windows Security click Virus & Threat Protection and then under Virus & Threat Protection Updates, click check for updates and run the update checker to get the latest security updates.
Then go back to Virus & Threat Protection and under Current Threats click Scan Options. Select the Microsoft Defender Offline Scan and then click Scan Now. Follow the process through until you're signed out and the offline scan runs. It may take some time to run.
 
Q

Quarter

Silver Level Poster
ubuysa said:
That screenshot screams malware at me.

Perhaps you have manually (or accidentally) modified the default app for .dmp files to Internet Explorer? That doesn't explain why you can't access those minidumps though. That's why I'm thinking malware. Malware would certainly want to stop you getting dumps anaylsed because they would likely identify the malware.

I would download Malwarebyte's Antimalware (be sure to NOT activate the Premium/Pro options) and do a thorough scan of your entire system.

In addition I'd get Defender to do an offline scan. Go to Settings > Update & Security > Windows Security and click Open Windows Security.
In Windows Security click Virus & Threat Protection and then under Virus & Threat Protection Updates, click check for updates and run the update checker to get the latest security updates.
Then go back to Virus & Threat Protection and under Current Threats click Scan Options. Select the Microsoft Defender Offline Scan and then click Scan Now. Follow the process through until you're signed out and the offline scan runs. It may take some time to run.
Click to expand...
Running it now
 
Q

Quarter

Silver Level Poster
ubuysa said:
That screenshot screams malware at me.

Perhaps you have manually (or accidentally) modified the default app for .dmp files to Internet Explorer? That doesn't explain why you can't access those minidumps though. That's why I'm thinking malware. Malware would certainly want to stop you getting dumps anaylsed because they would likely identify the malware.

I would download Malwarebyte's Antimalware (be sure to NOT activate the Premium/Pro options) and do a thorough scan of your entire system.

In addition I'd get Defender to do an offline scan. Go to Settings > Update & Security > Windows Security and click Open Windows Security.
In Windows Security click Virus & Threat Protection and then under Virus & Threat Protection Updates, click check for updates and run the update checker to get the latest security updates.
Then go back to Virus & Threat Protection and under Current Threats click Scan Options. Select the Microsoft Defender Offline Scan and then click Scan Now. Follow the process through until you're signed out and the offline scan runs. It may take some time to run.
Click to expand...
i also did accidently try to open it as internet explorer a month ago when iw as having alot of issues
 
ubuysa

ubuysa

The BSOD Doctor
Quarter said:
i also did accidently try to open it as internet explorer a month ago when iw as having alot of issues
Click to expand...
Well that explains the IE association. Go into default programs in settings and change it to Notepad, see whether that helps.

I don't understand what you can't access them.
 
T

TonyCarter

VALUED CONTRIBUTOR
Could this be caused by turning on one of the Windows security features that keep nagging you to turn on (something like 'controlled folder access')?

Unfortunately I can't test it myself, as I don't have a Minidump folder on my machine - probably because I've had no crashes/BSODs.
 
ubuysa

ubuysa

The BSOD Doctor
TonyCarter said:
Could this be caused by turning on one of the Windows security features that keep nagging you to turn on (something like 'controlled folder access')?

Unfortunately I can't test it myself, as I don't have a Minidump folder on my machine - probably because I've had no crashes/BSODs.
Click to expand...
It could I guess. I think the OP has changed something somewhere because they should have at least read acces to the dmp files.
 
Bhuna50

Bhuna50

Author Level
I'm not sure why but I had an issue trying to access a .dmp file before but all i then did was right click dragged it to desktop and copied it there - i was then able to access it - it was weird as i was admin.
 
Q

Quarter

Silver Level Poster
Bhuna50 said:
I'm not sure why but I had an issue trying to access a .dmp file before but all i then did was right click dragged it to desktop and copied it there - i was then able to access it - it was weird as i was admin.
Click to expand...
Yes that fixed it @ubuysa sorry i was working and i ran malbytes and offline windows it didnt find anything in the scan but here is ur tasty mem dump for whenever ur available to dissect it https://1drv.ms/u/s!AoUAyCFCH0vMff1nURqiijXdC00?e=Mop4M7
 
ubuysa

ubuysa

The BSOD Doctor
Quarter said:
Yes that fixed it @ubuysa sorry i was working and i ran malbytes and offline windows it didnt find anything in the scan but here is ur tasty mem dump for whenever ur available to dissect it https://1drv.ms/u/s!AoUAyCFCH0vMff1nURqiijXdC00?e=Mop4M7
Click to expand...
Good news. We're having Internet issues here at the moment, we have been since last Friday evening. I'm getting a shade over 1.2Mbps download at the moment so I'll download your dump overnight tonight. If I start it now we can't do anything else!

We were due to get fibre this year, they've done one half of the town (the other half of course) and would have done us by now but for COVID. Consequently they're not looking after the copper that we currently use as well as they should........
 
ubuysa

ubuysa

The BSOD Doctor
The stop code is a PAGE_FAULT_IN_NONPAGED_AREA, this indicates that a driver (this one is almost always a driver) has attempted to access memory that has been allocated from a non-pageable pool but encountered a page fault because the memory is either not allocated or paged out. This appears on the face of it to be memory pool corruption.

The process in control was the System process but in the list of driver calls for the active thread is an error for nvlddmkm.sys, the Nvidia graphics driver....
Code: 
ffffdd0a`85904088  fffff800`694114b1 Unable to load image \SystemRoot\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_5be8de9f3373beaf\nvlddmkm.sys, Win32 error 0n2
nvlddmkm+0x1c14b1

The stack trace for the active thread shows three calls to CI functions (CI!I_FreeCatalogData+0x57, CiTrimCatalogs+0x77 and CI!CipPostBootWorker+0x2c), these are followed by two pool cleanup functions (nt!ExFreeHeapPool+0x1dd and nt!ExFreePool+0x9) and then we get the page fault.

The two pool cleanup functions are kernel functions (the nt! prefix) but the three CI functions relate to the Code Integrity module ci.dll (research suggests). Researching CI reveals that it's a component enabled with secure boot whose task is to verify the digital signatures on drivers and system files.

There are I think three possibilities - in descending order of "most likely"...

1. Code Integrity failed because of a problem with a driver - almost certainly nvlddmkm.sys - or with the graphics card itself perhaps?
2. The driver failed because Code Integrity has become corrupted somehow - that would strongly point at malware.
3. You still have a RAM issue. It's unlikely to be the new RAM which might suggest some sort of timing issue on the motherboard or CPU perhaps?

I would open an elevated command prompt and run an sfc /scannow command to see whether that can repair ci.dll

I would also run the Defender Offline Scan as suggested above.

As far as the Nvidia driver goes, I see the two Nvidia audio drivers loaded (nvhda64v.sys and nvvad64v.sys) which in the past have caused conflicts with on-board audio drivers. Perhaps reinstalling the Nvidia graphics driver and being sure NOT to select any audio components might help?

As far as the potential RAM timing issue goes you'd need to talk to PCS again. Whilst this is the least likely cause it cannot be discounted.
 
Q

Quarter

Silver Level Poster
ubuysa said:
The stop code is a PAGE_FAULT_IN_NONPAGED_AREA, this indicates that a driver (this one is almost always a driver) has attempted to access memory that has been allocated from a non-pageable pool but encountered a page fault because the memory is either not allocated or paged out. This appears on the face of it to be memory pool corruption.

The process in control was the System process but in the list of driver calls for the active thread is an error for nvlddmkm.sys, the Nvidia graphics driver....
Code: 
ffffdd0a`85904088  fffff800`694114b1 Unable to load image \SystemRoot\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_5be8de9f3373beaf\nvlddmkm.sys, Win32 error 0n2
nvlddmkm+0x1c14b1

The stack trace for the active thread shows three calls to CI functions (CI!I_FreeCatalogData+0x57, CiTrimCatalogs+0x77 and CI!CipPostBootWorker+0x2c), these are followed by two pool cleanup functions (nt!ExFreeHeapPool+0x1dd and nt!ExFreePool+0x9) and then we get the page fault.

The two pool cleanup functions are kernel functions (the nt! prefix) but the three CI functions relate to the Code Integrity module ci.dll (research suggests). Researching CI reveals that it's a component enabled with secure boot whose task is to verify the digital signatures on drivers and system files.

There are I think three possibilities - in descending order of "most likely"...

1. Code Integrity failed because of a problem with a driver - almost certainly nvlddmkm.sys - or with the graphics card itself perhaps?
2. The driver failed because Code Integrity has become corrupted somehow - that would strongly point at malware.
3. You still have a RAM issue. It's unlikely to be the new RAM which might suggest some sort of timing issue on the motherboard or CPU perhaps?

I would open an elevated command prompt and run an sfc /scannow command to see whether that can repair ci.dll

I would also run the Defender Offline Scan as suggested above.

As far as the Nvidia driver goes, I see the two Nvidia audio drivers loaded (nvhda64v.sys and nvvad64v.sys) which in the past have caused conflicts with on-board audio drivers. Perhaps reinstalling the Nvidia graphics driver and being sure NOT to select any audio components might help?

As far as the potential RAM timing issue goes you'd need to talk to PCS again. Whilst this is the least likely cause it cannot be discounted.
Click to expand...
Should i call pcs or what should i do.

I already made sure to download nvidia without hd audio
 
ubuysa

ubuysa

The BSOD Doctor
Quarter said:
Should i call pcs or what should i do.
Click to expand...
If you call PCS they're going to want to be sure it's not a software issue. I'd want to know what happened between the joyous "it's been running ok for 2 -3 weeks" last Saturday and the BSOD on Sunday? You did say in that Saturday post the there were "no problems while gaming or downloading anything", so what were you downloading?

The evidence we have is that it's been running perfectly for 2 - 3 weeks and now suddenly you've had a BSOD that seems to be driver related. The most likely probability is that it's a software issue related to something you've installed/uninstalled/updated.

You can try calling PCS and point them at this thread and the latest dump and see what they say.
 
Q

Quarter

Silver Level Poster
ubuysa said:
If you call PCS they're going to want to be sure it's not a software issue. I'd want to know what happened between the joyous "it's been running ok for 2 -3 weeks" last Saturday and the BSOD on Sunday? You did say in that Saturday post the there were "no problems while gaming or downloading anything", so what were you downloading?

The evidence we have is that it's been running perfectly for 2 - 3 weeks and now suddenly you've had a BSOD that seems to be driver related. The most likely probability is that it's a software issue related to something you've installed/uninstalled/updated.

You can try calling PCS and point them at this thread and the latest dump and see what they say.
Click to expand...
ubuysa said:
If you call PCS they're going to want to be sure it's not a software issue. I'd want to know what happened between the joyous "it's been running ok for 2 -3 weeks" last Saturday and the BSOD on Sunday? You did say in that Saturday post the there were "no problems while gaming or downloading anything", so what were you downloading?

The evidence we have is that it's been running perfectly for 2 - 3 weeks and now suddenly you've had a BSOD that seems to be driver related. The most likely probability is that it's a software issue related to something you've installed/uninstalled/updated.

You can try calling PCS and point them at this thread and the latest dump and see what they say.
Click to expand...
Hmm the only thing intstalled in the last 5 days is aimlab and csgo. Ill keep using and see if it happens
 
Q

Quarter

Silver Level Poster
There is a new geforce game ready driver should i wait abit before i download it, should i also do this as a clean installation.
 
ubuysa

ubuysa

The BSOD Doctor
Quarter said:
Thank you kind sir, so it should be Custom install leave out Nvidia HD audio and then clean install.
Click to expand...
TBH I would NOT update the driver. You want to see whether uninstalling Aim Lab solves the BSOD problem.

When troubleshooting change one thing at a time...
 
You must log in or register to reply here.
Top