Random Crash and Restart

NoddyPirate

Grand Master
Hooray! I finally get to use @ubuysa skills first hand! I didn't actually see this one happening - I just saw the Splash Screen so I can't tell if the system froze for a while or not.....

Event Log says the system restarted after a bug check - memory dump file is uploading to my OneDrive as I speak so I will post that link here when it's ready to go.

My best guess is that the restart might have been related to my undervolt on my OC. Yesterday I increased the undervolt amount - and it is entirely possible that I had an unstable idle if the undervolt was pushing it.

However, around the time of the restart it shows a number of critical errors for the Bits Client where the number of jobs exceeded the Jobs limit. I have just run a quick check of the jobs list in Command Prompt (bitsadmin /list) and every single one of the 60 jobs listed are Microsoft Outlook related. So I'm not so sure anymore. These critical errors have been occurring all day it seems along with some DCOM errors also - and looking back further they have been occurring now and again from the day I got the machine - and well before my undervolt and even any OC fiddling at all - so I'm not so sure.

Any ideas anyone?
 

NoddyPirate

Grand Master
:eek:

Ran the minidump through WinDbg and got this:

"
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: ffffc000088391b0, Actual security check cookie from the stack
Arg2: 00000795e524664e, Expected security check cookie
Arg3: fffff86a1adb99b1, Complement of the expected security check cookie"

I'm scared now. Wot duz all dat meen? My Company have remote control of the work OneDrive install and Microsoft Outlook also - I have been trialling some access control stuff for them recently - wonder if that's involved now?

🤔
 

NoddyPirate

Grand Master
Aha - just realised that my CPU Cooler wasn't the correct shade of calming purple - it's controlled by Armoury Crate - which I opened and reset the colour - then the system crashed again...... 🤔 🤔

The plot does thicken somewhat....
 

ubuysa

The BSOD Doctor
:eek:

Ran the minidump through WinDbg and got this:

"
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: ffffc000088391b0, Actual security check cookie from the stack
Arg2: 00000795e524664e, Expected security check cookie
Arg3: fffff86a1adb99b1, Complement of the expected security check cookie"

I'm scared now. Wot duz all dat meen? My Company have remote control of the work OneDrive install and Microsoft Outlook also - I have been trialling some access control stuff for them recently - wonder if that's involved now?

🤔

It means the sky is falling! Run for the hills! Duck and cover!

Sorry, I got a bit carried away there. [emoji2960]

DCOM errors in the log are common. That stop code is always a driver, the question is which one and why. :)

I'll grab the files and get back to you tomorrow morning if that's OK?
 

NoddyPirate

Grand Master
It is so OK that I am lost for words. You already know what I think of your skills!
 

NoddyPirate

Grand Master
@ubuysa - just fyi and fwiw - I'm finding Adobe Desktop Service in one of the minidumps and the main memory dump and runtimebroker in the other minidump - I think the runtimebroker just manages permissions and so on, but now that I see the Adobe reference I do now recall seeing a desktop message yesterday about an issue with the Adobe Creative Cloud app.

EDIT - I also fiddled with the Windows Power Plan yesterday and changed it to High Performance from Balanced (playing with RM and OC EDC settings)

I won't change anything back to the way it was as it would be helpful to keep it as is and see if it happens again I think. Then a suggested fix can be better proven to resolve it also. Think - willing Guinea Pig. (y)
 

NoddyPirate

Grand Master
Officially Technified!
What's worse is that when I first saw the restart I instantly thought it was the undervolt causing idle instability - now it's looking like it probably wasn't I feel kind of disappointed. Almost as though an issue with the OC would have been more exciting and help better understand it all.

The idea that it might be some driver glitch is - well - just a bit boring to me now. :rolleyes:

:D
 

NoddyPirate

Grand Master
Two more minidumps: One from the second crash this evening and another I didn't know I had from last month.


The March one seems to relate to a GPU Memory controller and the most recent one to svchost.exe - so it's all a bit random - but has me pondering the Nvidia Drivers now which I changed to the Creators set rather than the Gaming version a while ago - me think me might not have thoroughly removed the Driver that is not in use. 🤔

MalwareBytes scan completed with no threats detected fwiw.
 

NoddyPirate

Grand Master
BSOD now while using the PC. There is a new updated Studio Driver from Nvidia and I was in the process of updating it when the BSOD happened - stop code was the same DRIVER_OVERRAN_STACK_BUFFER as before.

I was performing a custom install using GeForce Experience - and had selected the option to remove previous drivers to perform a clean install. Wondering if I should be using DDU to remove it all now to be safe.

What's the story with DDU? The instructions say to disconnect from the internet completely until you have removed the old driver and installed the new one. Do you just simply download the new driver file manually but not install it, then disconnect from the web and install it after the clean?
 

SpyderTracks

We love you Ukraine
Yep, exactly, it's just to avoid windows update applying one automatically on reboot which could cause a conflict.
 

NoddyPirate

Grand Master
Hmmmm. Another crash and restart now while opening Lightroom. Perhaps I won't wait after all!

No Minidump or Memory Dump available this time. Not sure if that's significant? 🤔

(EDIT - event viewer shows it as a kernel-power event again. Me wonders if my Undervolt may be the problem after all!)

(EDIT SQUARED - so it seems from the event log that I have actually had another 10 crashes and restarts or so that I wasn't aware of - starting on the day I received the PC from PCS. I assume I was simply away from the PC when these happened and never noticed. Event Log summary is here in case it is useful:)


(EDIT CUBED - Actually I now recall that a good few of these crashes a few weeks ago will actually be related to my OC’s through inadequate voltage at high clocks - so the footprint of those would be an interesting comparison to today’s issues...)
 

ubuysa

The BSOD Doctor
Rule number 1 when troubleshooting BSODs is to remove all overclocks and undervolts first.....

To the dumps from last night then......

The first minidump (041821-8687-01.dmp timestamped Sun Apr 18 18:19:20.362 2021) is a DRIVER_OVERRAN_STACK_BUFFER stop code. A buffer overrun (trying to write beyond the end of an allocated buffer) is a classic attack vector, that's why these are always BSODs.

The process in control was RuntimeBroker.exe, which manages permissions for all Microsoft Store apps.

The stack trace shows that registry operations were in progress at the time; we see an nt!CmQueryValueKey function call to query a registry key value, followed immediately by an nt!_report_gsfailure call, which is the buffer overrun detection, and then the nt!KeBugCheckEx, which is the bug check itself.

Some research on nt!CmQueryValueKey reveals that a buffer overrun detection results if the buffer pointed to by whatever called this function is not long enough to hold the resulting data (http://www.codewarrior.cn/ntdoc/winnt/config/CmQueryValueKey.htm).

The buffer overrun occurred then in the nt!CmQueryValueKey function call because whatever called it supplied an invalid buffer - or possibly because the RAM holding that buffer was flaky. The address at the bottom of the stack (the original caller) is 0x00007ffe`9930d004 and that's user mode code (because it starts with 0x0000) so this is probably runtimebroker.exe (although in the dump that address is invalid, ie. not allocated).

BTW. I can also see from this dump that you're running BitDefender and in the absence of other more likely factors (the undervolt and overclock) this would be high on my list of suspects.

=======================

The second minidump (041821-8750-01.dmp timestamped Sun Apr 18 18:20:24.636 2021) is also a DRIVER_OVERRAN_STACK_BUFFER stop code.

This one however can be confidently laid at the door of BitDefender. The debugger initial triage points confidently at bddci.sys and that's a BitDefender driver.

The process in control was Adobe Desktop Service.exe and the stack trace for the active thread clearly shows a call to bddci+0xa5fe7 immediately prior to the bug check, confirming BitDefender as the direct cause.

This BSOD is down to BitDefender.

=======================

The kernel dump is also timestamped Sun Apr 18 18:20:24.636 2021 and is a copy of the second minidump. This is quite common, minidumps can be taken on the fly by the dump command, so what's happened is that error recovery has taken a minidump as part of recovery processing but recovery failed and we ended up with a bug check and a kernel dump as well.

The stack trace for the active thread here is more complete than in the minidump and we can see that network activity was taking place. There are calls to TCP/IP functions and NETIO functions prior to two bddci.sys calls and then a bug check. This is a BitDefender failure for sure.

Although your first minidump doesn't point directly at BitDefender the other dumps do. I would uninstall BitDefender - and before you adjust either your undervolt or overclock - despite what I said at the start.

BTW. The Kernel Power Event 41 error has nothing to do with power. It just indicates that Windows didn't shut down properly last time - it's kind of saying 'the power went off before we expected'.
 
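Added example, not part of the thread and not Windows source code: a small C simulation of the check behind this stop code, showing how a query routine that copies more data than the caller's buffer can hold corrupts the adjacent security cookie, and how a length check avoids it. The `frame` layout, the `query_value` routine and the 0x41 filler are assumptions made for illustration; the cookie value is Arg2 from the WinDbg output quoted earlier in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (constructed): local buffer, then the security cookie. */
struct frame { unsigned char buf[16]; uint64_t cookie; };

/* Mirrors the three bug check 0xF7 arguments quoted in the thread. */
struct gs_report { int failed; uint64_t actual, expected, complement; };
enum { QUERY_OK = 0, QUERY_BUFFER_TOO_SMALL = 1 };
static const uint64_t EXPECTED_COOKIE = 0x00000795e524664eULL; /* Arg2 */

/* Hypothetical query routine. checked != 0: refuse data that does not fit and
   report the size needed. checked == 0: copy blindly (the defect). */
static int query_value(struct frame *f, const unsigned char *data, size_t len,
                       int checked, size_t *required)
{
    *required = len;
    if (checked && len > sizeof f->buf)
        return QUERY_BUFFER_TOO_SMALL;
    if (len > sizeof *f)              /* keep the simulation inside the struct */
        len = sizeof *f;
    memcpy((unsigned char *)f, data, len);      /* buf sits at offset 0 */
    return QUERY_OK;
}

/* Function-epilogue check: compare the stored cookie with the expected one. */
static struct gs_report check_cookie(const struct frame *f)
{
    struct gs_report r = { f->cookie != EXPECTED_COOKIE, f->cookie,
                           EXPECTED_COOKIE, ~EXPECTED_COOKIE };
    return r;
}

/* Runs one query of len bytes of 0x41 filler and returns the epilogue verdict. */
static struct gs_report run_query(size_t len, int checked)
{
    unsigned char data[sizeof(struct frame)];
    struct frame f = { {0}, EXPECTED_COOKIE };
    size_t required;
    memset(data, 0x41, sizeof data);
    query_value(&f, data, len, checked, &required);
    return check_cookie(&f);
}

int main(void)
{
    struct gs_report r = run_query(sizeof(struct frame), 0);
    printf("failed=%d actual=%016llx\n", r.failed, (unsigned long long)r.actual);
    return 0;
}
```

The complement field reproduces Arg3 from the dump, which is how the three bug check arguments relate to one another.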

NoddyPirate

Grand Master
Fantastical @ubuysa - Thank you so much!

What a shame it points to BitDefender as I do like it - and have many years happily living with it up to now.

Given your flaky RAM reference at the start, I might ask if my RAM OC could be involved there? It passed all (hours and hours of) MemTest and Windows Memory Diagnostic tests at the time. 🤔

Although as I write this realising some restart events predate my OC’s, and BitDefender was one of my first installs - I have likely answered my own question!

BitDefender shall be removed as step number 1....
 

ubuysa

The BSOD Doctor
It could still be the RAM overclock of course, but getting rid of Bit Defender first is a wise move. You can always reinstall it if you find out in the future that it was RAM all along.
 

NoddyPirate

Grand Master
Super - yes I don't just want to stop the crashes - I want to find out what is truly causing them - and one thing at a time is the only way to do that really.... (y)
 